User Guide Dell Networking W-ClearPass Policy Manager 6.
Copyright Information
© Copyright 2016 Hewlett Packard Enterprise Development LP. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.

Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses.
Contents
About W-ClearPass Policy Manager 21
About the W-ClearPass Access Management System 21
About This Guide 21
Getting Started 21
W-ClearPass Access Management System Overview 22
Key Features 22
Advanced Policy Management 23
W-ClearPass Specifications 24
Accessing Configuration Information 29
Introduction 30
Start Here 30
Services 30
Authentication and Authorization 30
Identity 31
Posture 31
Enforcement 31
Network 31
Policy Simulation 31
Profile Settings 31
Importing
W-ClearPass Admin Access 53
W-ClearPass Admin SSO Login (SAML SP Service) 55
W-ClearPass Identity Provider (SAML IdP Service) 55
Device MAC Authentication 57
EDUROAM Service 58
Encrypted Wireless Access via 802.1X Public PEAP method 60
Guest Access 62
Guest Access Web Login 63
Guest Authentication with MAC Caching 64
Guest Social Media Authentication 66
OAuth2 API User Access 68
Onboard 68
Policy Manager Service Types 70
802.1X Wired 70
802.1X Wired - Identity Only 71
Dell 802.
TACACS+ Accounting Record Details > Auth Sessions Tab 125
TACACS+ Accounting Record Details > Details Tab 126
Live Monitoring: OnGuard Activity 127
About OnGuard Activity 127
Bouncing an Agent Using Non-SNMP 128
Bouncing a Client Using SNMP 131
Broadcasting a Message to Active Endpoints 132
Sending a Message to Selected Endpoints 133
Live Monitoring: Analysis and Trending 133
Live Monitoring: System Monitor 134
System Monitor Page 135
Process Monitor Page 136
Network Monitor Page 13
Modifying an Existing Authentication Service 170
Authorize Authentication Method 171
CHAP and EAP-MD5 171
EAP-FAST 172
EAP-GTC 177
EAP-MSCHAPv2 179
EAP-PEAP 179
EAP-PEAP-Public 182
EAP-PWD 185
EAP-TLS 186
EAP-TTLS 188
MAC-AUTH 191
MSCHAP 191
PAP 192
Adding and Modifying Authentication Sources 193
Generic LDAP and Active Directory 194
Generic SQL DB 207
HTTP 212
Kerberos 217
Okta 220
RADIUS Server 225
Static Host Lists
About Static Host Lists 228
Adding a Static Ho
Modifying an Endpoint 251
Managing Static Host Lists 253
About Static Host Lists 253
Adding a Static Host List 254
Static Hosts Lists Configuration Summary 256
Editing a Static Host List 256
Importing and Exporting Static Host Lists 256
Configuring a Role and Role Mapping Policy 257
Identity Roles Architecture and Workflow 257
Adding and Modifying Roles 259
Adding and Modifying Role Mapping Policies 259
Posture 263
Posture Architecture and Flow 263
Posture Policy 263
Audit Servers
Modifying an Existing Enforcement Profile 348
Agent Enforcement 348
Aruba Downloadable Role Enforcement 350
Aruba RADIUS Enforcement 360
Cisco Downloadable ACL Enforcement 362
Cisco Web Authentication Enforcement 364
ClearPass Entity Update Enforcement 366
CLI Based Enforcement 368
Filter ID Based Enforcement 370
Generic Application Enforcement 372
HTTP Based Enforcement 374
RADIUS Based Enforcement 375
RADIUS Change of Authorization (CoA) 377
Session Notification Enforcement 379
Results Tab 411
Service Categorization Simulation 412
Simulation Tab 412
Attributes Tab 412
Results Tab 413
Import and Export Simulations 414
W-ClearPass Policy Manager Profile 415
W-ClearPass Profile Overview 415
Introduction 415
Enabling Endpoint Classification 415
Configuring CoA for an Endpoint-Connected Device 416
How W-ClearPass Profile Classifies Endpoints 417
Fingerprint Dictionaries 418
Viewing Live Endpoint Information for a Specific Device 419
About the Device Profile 420
Managing Admin Privileges
Overview 449
Defining Custom Admin Privileges 450
Creating Custom Administrator Privileges 452
Administrator Privilege XML File Structure 452
Administrator Privileges and IDs 453
Sample Administrator Privilege XML File 456
Server Configuration 457
Edit Server Configuration Settings 458
Set Date & Time 497
Change Cluster Password 499
Manage Policy Manager Zones 500
About Policy Manager Zones 500
Managing Policy Manager Zones 500
Mapping Policy Manager Zones
Deleting an SNMP Trap Server 537
Syslog Targets 537
Syslog Targets Main Page 537
Adding a Syslog Target 538
Importing a Syslog Target 539
Exporting All Syslog Target 540
Exporting a Syslog Target 540
Deleting a Syslog Target 541
Syslog Export Filters 541
About Syslog Export Filters 542
Syslog Export Filters Page 542
Adding a Syslog Export Filter 542
Importing a Syslog Filter 550
Exporting All Syslog Filter 551
Exporting a Syslog Filter 552
Deleting a Syslog Filter 553
Messaging
Adding a MaaS360 Endpoint Context Server 606
Adding a MobileIron Endpoint Context Server 609
Adding a Palo Alto Networks Firewall Endpoint Context Server 611
Adding a Palo Alto Networks Panorama Endpoint Context Server 613
Adding an SAP Afaria Endpoint Context Server 614
Adding a SOTI Endpoint Context Server 616
Adding a XenMobile Endpoint Context Server 618
File Backup Servers 619
Server Certificate 621
Server Certificate Main Page 621
Server Certificate Type 622
Creating a Certificat
Reinstalling a Patch 651
Uninstalling a Skin, Translation, or Plug-in 651
OnGuard Settings 651
Introduction 651
Accessing OnGuard Agent Support Charts 652
Configuring OnGuard Settings 652
OnGuard Global Agent Settings 654
About Global Agent Settings 654
Global Settings Parameters for OnGuard Agents 655
Global Agent Settings: Run OnGuard As Parameter 656
Contact Support 657
Remote Assistance 658
Remote Assistance Process Flow 658
Adding a Remote Assistance Session 659
Cluster Upgr
Introduction 685
Enabling Insight and Specifying a Master Insight Node 686
Launching Insight 687
About the Insight Dashboard
Dashboard Overview 688
Adding a Report Widget to the Dashboard Landing Page 689
Removing a Report Widget from the Dashboard Landing Page 689
Creating a Report or Alert From the Dashboard 690
Specifying the Date Range for Data Collection 691
Authentication Dashboard 692
Endpoints Dashboard 693
Guest Dashboard 694
Network Dashboard 695
Posture Dashboard 695
Sys
Administration Operations 727
Overview 727
File Transfer Settings Configuration 728
Testing File Transfer Configuration 729
Database Settings Configuration 730
Managing Insight Admin Privileges 730
Overview 730
Viewing the Default Insight Admin Privileges 731
Defining Custom Insight Admin Privileges 731
Insight UI Differences for Read-Only Users 733
Command Line Interface 735
Cluster Commands 735
cluster drop-subscriber 735
cluster list 736
cluster make-publisher 736
cluster make
alias 753
backup 753
cli session idle timeout 754
dump certchain 754
dump logs 754
dump servercert 755
exit 755
help 756
krb auth 756
krb list 756
ldapsearch 757
quit 757
restore 757
Service Commands 758
service
Show Commands 760
show all-timezones 760
show date 760
show dns 761
show domain 761
show fipsmode 762
show hostname 762
show ip 762
show license 763
show ntp 763
show sysinfo 764
show timezone 764
show version 765
SSH Timed
system reset-server-certificate 773
system restart 773
system shutdown 774
system sso-reset 774
system start-rasession 774
system status-rasession 775
system terminate-rasession 775
system update 775
system upgrade 776
SNMP Private MIB, SNMP Traps, System Events, Error Codes 779
W-ClearPass SNMP Private MIB 779
Introduction 779
System MIB Entries 779
RADIUS Server MIB Entries 780
Policy Server MIB Entries 781
Web Authentication Server MIB Entries 783
TACACS+ Server MIB Entries
Policy Server Events 800
RADIUS/TACACS+ Server Events 800
Service Names 800
SNMP Events 801
Support Shell Events 801
System Auxiliary Service Events 801
System Monitor Events 801
Error Codes 802
Use Cases 807
802.
Guest User Namespaces 853
Host Namespaces 853
Local User Namespaces 853
Posture Namespaces 854
RADIUS Namespaces 854
TACACS Namespaces 855
Tips Namespaces 855
Variables 855
Operators 856
Chapter 1: About W-ClearPass Policy Manager
This chapter provides an overview of the W-ClearPass 6.6 Policy Manager Access Management System.
• For a list of common configuration tasks and pointers to information about how to perform each task, refer to Accessing Configuration Information on page 29.
• If you are planning a new W-ClearPass Policy Manager deployment, refer to the W-ClearPass Deployment Guide. The W-ClearPass Deployment Guide is organized in a way that presents the recommended sequence in which W-ClearPass deployment should take place, and makes the major deployment tasks easy to implement.
• Social network and Cloud application SSO via OAuth2, Facebook, Twitter, LinkedIn, Office365, Google Apps, and so on
• Enterprise reporting, monitoring, and alerting
• Role-based network access enforcement for multivendor Wi-Fi, wired, and VPN networks
• High performance, scalability, High Availability, and load balancing
• A Web-based user interface that simplifies policy configuration and troubleshooting
• Network Access Control (NAC), Network Access Protection (NAP) posture and health checks,
W-ClearPass Guest simplifies work flow processes so that receptionists, employees, and other non-IT staff can create temporary guest accounts for secure Wi-Fi and wired network access. Self-registration allows guests to create their credentials.
• Device health checks
W-ClearPass OnGuard, as well as separate OnGuard persistent or dissolvable agents, performs advanced endpoint posture assessments. Traditional NAC health-check capabilities ensure compliance and network safeguards before devices connect.
Using the W-Policy Manager Dashboard
The W-Policy Manager Dashboard organizes and presents the key information about the status and performance of the current W-ClearPass server or cluster, as well as a set of Quick Links to the most commonly used functions, such as configuring policies, viewing the Access Tracker, and so on. The Dashboard information is illustrated in interactive bar chart, graph, and table formats.
Table 1: Dashboard Widget Summary (Continued)
• Last Replication: Date of the last replication.
• Status: Indicates the status of the cluster node.
To view the chart that shows the graph of all profiled devices categorized into the following categories:
• Access Points
• Computer
• Conflict: Indicates a conflict occurred in the categorization of the device.
Table 1: Dashboard Widget Summary (Continued)
• Unhealthy requests are the requests for which the health state was deemed to be quarantined (posture data received but health status is not compliant) or unknown (no posture data received). This includes RADIUS and WebAuth requests. The default data filters Health Requests and Unhealthy Requests are used to plot this graph.
Table 1: Dashboard Widget Summary (Continued)
To view the bar chart with each bar representing a categorized W-Policy Manager service request, drag and drop the Service Categorization widget to the Dashboard.
• Clicking on a bar drills down to the Access Tracker, which shows the requests that were categorized into a specific service.
To view a table with the latest successful authentications, drag and drop the Successful Authentications widget to the Dashboard.
Introduction
This section provides pointers to information on how to perform the primary configuration tasks in W-ClearPass Policy Manager. You can access all these configuration tasks via the W-ClearPass Configuration menu. To access the W-ClearPass Configuration menu, select Configuration.
• Adding and Modifying Authentication Methods on page 169
• Adding and Modifying Authentication Sources on page 193
• Configuring Authentication Components on page 167

Identity
The Identity page provides options for configuring the W-ClearPass Policy Manager Identity settings.
• About the Device Profile on page 420
• Endpoint Information Collectors on page 420

Importing and Exporting Information
This section contains the following information:
• Importing Information Into W-ClearPass
• Exporting Information From W-ClearPass
The option to import or export is available from many W-ClearPass components, such as services, authentication methods, authentication sources, and enforcement policies.
5. Click Import.

Exporting Information From W-ClearPass
Most pages in W-Policy Manager allow you to export configuration and administration-related information. To export multiple items, select the check boxes in the rows of the specific items that you want to export. The configuration and administration information is exported as an XML file; you can set this file to be password protected (see Table 2 for details).
To export information from W-ClearPass:
1.
Chapter 2: Services
This chapter describes the following topics:
• Services Architecture and Flow
• Creating Service Templates
• Viewing the List of Services
• Policy Manager Service Types
The W-Policy Manager policy model groups policy components that serve a specific type of request into the Services page.
2. Create the associated policy components as and when required, all in the same flow.
To help you get started, W-ClearPass provides 17 service types or templates. If these service types do not suit your needs, you can create a new service using custom rules (as described in the next section, Creating Service Templates).
Service Templates Provided
W-ClearPass provides the following service templates:
• 802.1X Wired, 802.1X Wireless, and Dell 802.
Authentication Methods Used in HCG Mode
The following authentication methods are used in service templates in the HCG mode:
• PAP
• CHAP
• MSCHAP
• EAP_MD5
• MAC_AUTH
• AUTHORIZE
• EAP_PEAP_PUBLIC

Viewing the List of Services
The Services page shows the current list and order of services that W-ClearPass Policy Manager follows during authentication and authorization. You can use the configured default service types or you can add additional services.
Table 3: Services Page Parameters (Continued)
Status: Displays the status of the service. A green/red icon indicates the enabled/disabled state. Click the icon to toggle the status of a service between Enabled and Disabled.
NOTE: If a service is in Monitor mode, an [m] indicator is displayed next to the Status icon.
Figure 7: Details for an Individual Service

Adding and Removing Services
You can modify a list of services by creating a new service, and modifying or deleting an existing service.

Creating a New Service
To create a new service:
1. Navigate to Configuration > Services. The Services page opens.
Figure 8: Services Page
2. Click Add. The Add Services dialog opens.
Figure 9: Add Services Page
Table 4 describes the Services configuration parameters. Note that the available settings vary, depending upon the service type selected.
Table 4: Services Page
Type: Select the desired service type from the drop-down list. When working with service rules, you can select from the following namespace dictionaries:
• Application: The type of application for this service.
• Authentication: The Authentication method to be used for this service.
Table 4: Services Page (Continued)
optional.
Monitor Mode: Optionally select Enable to monitor network access without enforcement. This allows authentication and health validation exchanges to take place between the endpoint and Policy Manager, but without enforcement. In Monitor Mode, no enforcement profiles (and associated attributes) are sent to the network device.
To create a service template by copying an existing service: From the Services page, select the check box by a service, then click Copy.

Modifying a Service
For full access in modifying a service, you must log in to the Publisher node.
To modify an existing service:
1. From the Services page, click the check box for the service you want to modify. The Configuration > Services > Edit dialog opens.
Figure 10: Edit Services Dialog
2.
To change the order of the services:
1. Navigate to the Configuration > Services page. The Services page appears.
Figure 11: Services Page Reorder Button
2. Click the Reorder button (located on the lower-right portion of the page). The Reorder Services page appears.
3. Click the service you want to move to another position in the order (see Figure 12). In this example, we will move Guest Operator Logins from the 5th position to the 2nd position.
Figure 12: Selecting the Service to Be Reordered
4.
Services have been reordered successfully.

802.1X Wired, 802.1X Wireless, and Dell 802.1X Wireless
The 802.1X Wired template is designed for wired end-hosts connecting through an Ethernet LAN with authentication using IEEE 802.1X. The 802.1X Wired template allows configuration of both identity and posture-based policies. The 802.1X Wireless template is intended for wireless end-hosts connecting through an 802.11 wireless access device or controller with authentication using IEEE 802.1X. The 802.
When you edit or delete the entities of a service, a message is displayed at the top of the entity page stating that the selected entity was created through the service template. Do not delete entities used in service configurations that are not created using the service template.
The following table describes the parameters in the 802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless service templates:
Table 5: 802.1X Wired, 802.1X Wireless, and Dell W-Series 802.
Table 5: 802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless Service Template Parameters (Continued)
Name: 1. Configure an optional enforcement policy based on the following attributes:
  • Email
  • Name
  • Phone
  • UserDN
  • Company
  • member of
  • Title
For example, you can configure an enforcement policy for a contractor specifying that "If Name equals , then assign the [Contractor] Role."
Attribute Value: 2.
Table 5: 802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless Service Template Parameters (Continued)
Enable RADIUS CoA: 5. Select to enable RADIUS-initiated CoA on the network device.
RADIUS CoA Port: Specifies the default port 3799 if RADIUS CoA is enabled. 6. Change this value only if you defined a custom port on the network device.
Posture Settings
Enable Posture Checks: 7. Select the check box to perform health checks post authentication.
Table 6: W-ClearPass Auto Sign-On Service Template Parameters (Continued)
Authentication
Select Authentication Source: Select an authentication source from the list. The information provided in the Authentication, Enforcement Details, and SP details tabs is auto-populated.
Active Directory Name: Enter the hostname or the IP address of the Active Directory server. This field is mandatory.
• Creates an enforcement policy for AD-based attributes
• Creates a NAD
Posture checks are not performed if the High Capacity Guest mode is enabled in the cluster. You can view only the default user role in the Dell User Roles for different access privileges tab if the HCG mode is enabled in the cluster.
Table 7: Dell VPN Access with Posture Checks Service Template Parameters (Continued)
Password: Enter the account password.
Port: Enter the TCP port where the server is listening for a connection.
Dell Wireless Controller for VPN Access
Select Wireless Controller: Select a wireless controller from the drop-down list.
Wireless controller name: Enter the name given to the wireless controller.
Controller IP Address: Enter the wireless controller's IP address.
The following figure displays the Certificate/Two-Factor Authentication for ClearPass Application Login service template:
Figure 18: Certificate/Two-Factor Authentication Service Template
Specify the Certificate/Two-Factor Authentication for ClearPass Application Login service template parameters as described in the following table:
Table 8: W-ClearPass Certificate/Two-Factor Authentication Service Template Parameters
General
Select Prefix: 1.
Table 8: W-ClearPass Certificate/Two-Factor Authentication Service Template Parameters (Continued)
Password: 10. Enter the account password. This field is mandatory.
NETBIOS: 11. Enter the server Active Directory domain name. This field is mandatory.
Base DN: 12. Enter the Distinguished Name (DN) of the administrator account. This field is mandatory.
IdP Details
Page Name: 13. Select the Web Login pages from the drop-down list.
The following figure displays the W-ClearPass Admin Access service template:
Figure 19: W-ClearPass Admin Access Service Template
Specify the W-ClearPass Admin Access service template parameters as described in the following table:
Table 9: W-ClearPass Admin Access Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes. This populates the preconfigured information in the Authentication and Role Mapping sections.
Table 9: W-ClearPass Admin Access Service Template Parameters (Continued)
Super Admin Condition, Read Only Admin Condition, Help Desk Condition: Define the various privilege levels.

W-ClearPass Admin SSO Login (SAML SP Service)
This application service template allows Security Assertion Markup Language (SAML) based Single Sign-On (SSO) authenticated users to access Policy Manager, Guest, Insight, and Operator pages.
The following figure displays the W-ClearPass Identity Provider (SAML IdP Service) service template:
Figure 21: Identity Provider (SAML IdP Service)
The following table describes the W-ClearPass Identity Provider (SAML IdP Service) service template parameters:
Table 11: W-ClearPass Identity Provider (SAML IdP Service) Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes.
Table 11: W-ClearPass Identity Provider (SAML IdP Service) Service Template Parameters (Continued)
SP URL: Enter the Service Provider (SP) URL.
Attribute Name, Attribute Value: Enter the names of the attributes and assign values to those names. These name/value pairs are included in SAML responses.

Device MAC Authentication
This template is designed for authenticating guest devices based on their MAC address.
Table 12: Device MAC Authentication Template Parameters (Continued)
Select Device field. If you create a new device, enter the name of the device.
Vendor Name: The name of the manufacturer of the device is populated automatically based on the device selected from the Select Device field. If you create a new device, enter the name of the manufacturer of the device.
The following figure displays the EDUROAM service template:
Figure 23: EDUROAM Service Template
The following table describes the parameters used in the EDUROAM service template:
Table 13: EDUROAM Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes. This populates the pre-configured information in the Authentication, Service Rule, Wireless, and Federation Level Radius Server (FLR) tabs. The Name Prefix field is not editable.
Table 13: EDUROAM Service Template Parameters (Continued)
Port: Enter the TCP port where the server is listening for a connection. This field is mandatory.
Wireless Network Settings
Select wireless controller: Select a wireless controller from the drop-down list.
Wireless controller name: Enter the name given to the wireless controller.
Controller IP Address: Enter the IP address of the wireless controller.
Vendor Name: Select the manufacturer of the wireless controller.
The following figure displays the Encrypted Wireless Access via 802.1X Public PEAP method service template:
Figure 24: Encrypted Wireless Access via 802.1X Public PEAP method Service Template
The following table describes the parameters used in the Encrypted Wireless Access via 802.1X Public PEAP method service template:
Table 14: Encrypted Wireless Access via 802.
Guest Access
This template is designed for authenticating guest users who log in using captive portal. Guests must reauthenticate after session expiry. Guest access can be restricted based on day of the week, bandwidth limit, and number of unique devices used by the guest user.
Table 15: Guest Access Service Template Parameters (Continued)
RADIUS CoA Port: Specifies the default port 3799 if RADIUS CoA is enabled. Change this value only if you defined a custom port on the network device.
Posture Settings
Enable Posture Checks: Select the check box to perform health checks post authentication. This enables the Host Operating System and Quarantine Message fields.
Host Operating System: Select the operating system: Windows, Linux, or Mac OS X.
The following table describes the Guest Access Web Login service template parameters:
Table 16: Guest Web Login Service Template Parameters
General
Select Prefix: Select any one prefix from the existing list of prefixes. This populates the pre-configured information in the Service Rule and Guest Web Login sections. The Name Prefix field is not editable.
Name Prefix: Enter a prefix that you want to append to services using this template.
The following table describes the Guest MAC Authentication service template parameters:
Table 17: Guest MAC Authentication Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes. This populates the pre-configured information in the Wireless Network Settings, MAC Caching Settings, and Guest Access restrictions tabs. The Name Prefix field is not editable.
Name Prefix: Enter a prefix that you want to append to services using this template.
Table 17: Guest MAC Authentication Service Template Parameters (Continued)
Checks Operating System and Quarantine Message fields.
Host Operating System: Select the operating system: Windows, Linux, or Mac OS X.
Quarantine Message: Specify the quarantine message that will appear on the client.
Initial Role/VLAN: Enter the initial role of the client before posture checks are performed.
Quarantine Role/VLAN: Enter the role of clients that fail posture checks.
The following figure displays the Guest Social Media Authentication service template:
Figure 28: Guest Social Media Authentication Service Template
The following table describes the Guest Social Media Authentication service template parameters:
Table 18: Guest Social Media Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes.
Table 18: Guest Social Media Service Template Parameters (Continued)
Social login Provider: Select the social media network options: Google, Facebook, LinkedIn, and Twitter.
Days allowed for access: Select the number of days during which guest users are allowed network access.
Maximum bandwidth allowed per user: Enter a number to set an upper limit on the amount of data, in megabytes, that a user is allowed per day.
You cannot view the Onboard service template if the High Capacity Guest mode is enabled in the cluster.
The following figure displays the Onboard Authorization service template:
Figure 30: Onboard Authorization Service Template
The following table describes the Onboard Authorization service template parameters:
Table 20: Onboard Authorization Service Template Parameters
General
Select Prefix: Select a prefix from the existing list of prefixes.
Table 20: Onboard Authorization Service Template Parameters (Continued)
Device Access Restrictions
Days allowed for access: Select the number of days during which the guest users are allowed network access.
Provisioning Wireless Network Settings
Wireless SSID for Onboard Provisioning: Enter the SSID of your network.
Add new Onboard Network settings: Click the Add new Onboard Network settings link to launch the Web UI to modify the Onboard Network settings.
Figure 31: 802.1X Wired Service

802.1X Wired - Identity Only
Configure this service for clients connecting through an Ethernet LAN with authentication using IEEE 802.1X. Configuration for the 802.1X Wired - Identity Only service is the same as for the 802.1X Wired service, except that Posture and Audit policies are not configurable when you use this template. For more information, see 802.1X Wired on page 70.
The following figure displays the 802.1X Wired - Identity Only service:
Figure 32: 802.
• Audit Tab on page 79
• Profiler Tab on page 80
• Accounting Proxy Tab on page 81
The following figure displays the Dell 802.1X Wireless service configuration fields:
Figure 33: Dell 802.1X Wireless Service

Service Tab
The Service tab includes basic information about the service. The Service Rules section defines a set of criteria that supplicants must match to trigger the service. Some service templates have one or more rules predefined. You can click on a service rule to modify any of its options.
1. Specify the Service tab parameters as described in the following table:
Table 21: Dell 802.1X Wireless Service > Service Tab Parameters
Type: Select a service from the drop-down list that defines what type of service can be configured.
Name: Enter the name of the service.
Description: Provide additional information that helps to identify the service.
Monitor Mode: Check this box to monitor network access activity without enforcement.
Authentication Tab
The Authentication tab contains options for configuring authentication methods and authentication sources. The following figure displays the Authentication tab:
Figure 35: Dell 802.1X Wireless Service > Authentication Tab
1. Specify the Authentication tab parameters as described in the following table:
Table 22: Dell 802.1X Wireless Service > Authentication Parameters
Authentication Methods: Select the authentication methods for this service using the Select to Add field. The methods used depend on the 802.1X supplicants and the type of authentication methods you choose to deploy. W-Policy Manager automatically selects the appropriate method for authentication when a user attempts to connect.
1. W-ClearPass fetches role-mapping attributes from the authorization sources associated with the service, regardless of which authentication source was used to authenticate the user. For a given service, role mapping attributes are fetched from the following authorization sources:
  • Authorization sources associated with the authentication source
  • Authorization sources associated with the service
The following figure displays the Authorization tab:
Figure 36: Dell 802.
1. Specify the Roles parameters as described in the following table:
Table 24: Dell 802.1X Wireless Service > Roles Tab Parameters
Role Mapping Policy: Select a role mapping policy from the drop-down list. W-Policy Manager ships a number of preconfigured roles.
NOTE: A service can be configured without a role-mapping policy, but only one role-mapping policy can be configured for each service.
2. Specify the Wireless Service Posture parameters as described in Table 25:
Table 25: Dell 802.1X Wireless Service > Posture Parameters
Posture Policies: Select the posture policy from the Select to Add drop-down list. If you do not have any preconfigured posture policies, click Add new Posture Policy to create a new posture policy.
NOTE: Only NAP agent-type posture policies are applicable for this service.
Table 26: Dell 802.1X Wireless Service > Enforcement Parameters
Parameter: Action/Description
Use Cached Results: Select this check box to use cached roles and posture attributes from previous sessions.
Enforcement Policy: Select the preconfigured enforcement policy from the drop-down list. This is mandatory. If you do not have any preconfigured enforcement policies, click Add new Enforcement Policy to create a new enforcement policy.
Table 27: Dell 802.1X Wireless Service > Audit End-Hosts Parameters
Parameter: Action/Description
Audit Server: Select the audit server from the following options:
- Nessus Server: Interfaces with W-Policy Manager primarily to perform vulnerability scanning
- Nmap Audit: Performs specific audit functions
You can click the View Details button to view the Policy Manager Entity Details dialog with the summary of audit server details. To view the Summary tab with audit server details, click the Modify button.
Figure 41: Dell 802.1X Wireless Service > Profile Endpoints Dialog
2. Specify the Profile Endpoints parameters as described in the following table:
Table 28: Dell 802.1X Wireless Service > Profile Endpoints Parameters
Parameter: Action/Description
Endpoint Classification: Select one or more endpoint classification items from the drop-down list.
RADIUS CoA Action: Select the RADIUS CoA action from the drop-down list.
Table 29: Dell 802.1X Wireless Service > Accounting Proxy Tab Parameters
Parameter: Action/Description
Accounting Proxy Targets: Specify the proxy targets to which RADIUS accounting should be forwarded and the attributes to be added in the accounting. Select the accounting proxy target from the Select to Add drop-down list.
Add New Accounting Proxy Target: Click this link to add a new accounting proxy target.
Figure 44: 802.1X Wireless - Identity Only Service
Dell 802.1X Wireless
Configure this service for wireless hosts that connect through a Dell 802.1X wireless access device or controller, with authentication using IEEE 802.1X. Service rules are customized for a typical Dell W-Series Controller deployment. By default, the Dell W-Series 802.1X service includes a rule that specifies that a Dell ESSID exists.
The following figure displays the Dell 802.1X Wireless service configuration fields:
Figure 45: Dell 802.1X Wireless Service
Service Tab
The Service tab includes basic information about the service. The Service Rules section defines a set of criteria that supplicants must match to trigger the service. Some service templates have one or more rules predefined. You can click on a service rule to modify any of its options. The following figure displays the Service tab:
Figure 46: Dell 802.
Table 30: Dell 802.1X Wireless Service > Service Tab Parameters
Parameter: Action/Description
Type: Select a service from the drop-down list that defines what type of service can be configured.
Name: Enter the name of the service.
Description: Provide additional information that helps to identify the service.
Monitor Mode: Check this box to monitor network access activity without enforcement.
Authentication Tab
The Authentication tab contains options for configuring authentication methods and authentication sources. The following figure displays the Authentication tab:
Figure 47: Dell 802.1X Wireless Service > Authentication Tab
1. Specify the Authentication tab parameters as described in the following table:
Table 31: Dell 802.1X Wireless Service > Authentication Parameters
Parameter: Action/Description
Authentication Methods: Select authentication methods using the Select to Add field. The authentication methods used for this service depend on the 802.1X supplicants and the type of authentication methods you choose to deploy. W-Policy Manager automatically selects the appropriate method for authentication when a user attempts to connect.
1. W-ClearPass fetches role-mapping attributes from the authorization sources associated with the service, regardless of which authentication source was used to authenticate the user. For a given service, role mapping attributes are fetched from the following authorization sources:
- Authorization sources associated with the authentication source
- Authorization sources associated with the service
The following figure displays the Authorization tab:
Figure 48: Dell 802.
1. Specify the Roles parameters as described in the following table:
Table 33: Dell 802.1X Wireless Service > Roles Tab Parameters
Parameter: Action/Description
Role Mapping Policy: Select a role mapping policy from the drop-down list. W-Policy Manager ships a number of preconfigured roles.
NOTE: A service can be configured without a role-mapping policy, but only one role-mapping policy can be configured for each service.
2. Specify the Wireless Service Posture parameters as described in Table 34:
Table 34: Dell 802.1X Wireless Service > Posture Parameters
Parameter: Action/Description
Posture Policies: Select the posture policy from the Select to Add drop-down list. If you do not have any preconfigured posture policies, click Add new Posture Policy to create a new posture policy.
NOTE: Only NAP agent-type posture policies are applicable for this service.
Table 35: Dell 802.1X Wireless Service > Enforcement Parameters
Parameter: Action/Description
Use Cached Results: Select this check box to use cached roles and posture attributes from previous sessions.
Enforcement Policy: Select the preconfigured enforcement policy from the drop-down list. This is mandatory. If you do not have any preconfigured enforcement policies, click Add new Enforcement Policy to create a new enforcement policy.
Table 36: Dell 802.1X Wireless Service > Audit End-Hosts Parameters
Parameter: Action/Description
Audit Server: Select the audit server from the following options:
- Nessus Server: Interfaces with W-Policy Manager primarily to perform vulnerability scanning
- Nmap Audit: Performs specific audit functions
You can click the View Details button to view the Policy Manager Entity Details dialog with the summary of audit server details. To view the Summary tab with audit server details, click the Modify button.
Figure 53: Dell 802.1X Wireless Service > Profile Endpoints Dialog
2. Specify the Profile Endpoints parameters as described in the following table:
Table 37: Dell 802.1X Wireless Service > Profile Endpoints Parameters
Parameter: Action/Description
Endpoint Classification: Select one or more endpoint classification items from the drop-down list.
RADIUS CoA Action: Select the RADIUS CoA action from the drop-down list.
Table 38: Dell 802.1X Wireless Service > Accounting Proxy Tab Parameters
Parameter: Action/Description
Accounting Proxy Targets: Specify the proxy targets to which RADIUS accounting should be forwarded and the attributes to be added in the accounting. Select the accounting proxy target from the Select to Add drop-down list.
Add New Accounting Proxy Target: Click this link to add a new accounting proxy target.
The following figure displays the Cisco Web Authentication Proxy service:
Figure 56: Cisco Web Authentication Proxy Service
Configuring the Cisco Web Authentication Proxy service is similar to configuring the Dell 802.1X Wireless service, except that the Posture Compliance and Profile Endpoints options are not available. For more information on configuration tabs, see Dell 802.1X Wireless on page 83.
MAC Authentication
MAC-based authentication service is used for clients without an 802.
The following figure displays the MAC Authentication service:
Figure 57: MAC Authentication Service
The Posture tab is not available for the MAC-based authentication service. Configuration for the rest of the tabs is similar to the Dell 802.1X Wireless service. For more information on configuration tabs, see Dell 802.1X Wireless on page 83.
RADIUS Authorization
Configure the RADIUS Authorization service type for services that perform authorization using RADIUS.
RADIUS Enforcement (Generic)
Configure the RADIUS Enforcement (Generic) service for any kind of RADIUS request. The [AirGroup Authorization Service] service is the only RADIUS Enforcement (Generic) service that is available by default. The default configuration tabs include Service, Authentication, Roles, and Enforcement. You can also select Authorization, Posture Compliance, Audit End Hosts, and Profile Endpoints in the More Options field on the Service tab.
The following figure displays the RADIUS Proxy service:
Figure 60: RADIUS Proxy Service
For more information, see RADIUS Enforcement (Generic) on page 97.
Dell W-Series Application Authentication
This type of service provides authentication and authorization to users of Dell applications: W-Series W-ClearPass Guest and W-Series W-ClearPass Insight. You can send Generic Application Enforcement (see page 372) to these or other generic applications for authenticating and authorizing the users.
Configuring the Dell W-Series Application Authentication service is similar to configuring the Dell 802.1X Wireless service, except that the Posture Compliance, Audit End-hosts, and Profile Endpoints options are not available. For more information on configuration tabs, see Dell 802.1X Wireless on page 83.
Dell W-Series Application Authorization
This type of service provides authorization for users of Dell applications: W-Series W-ClearPass Guest and W-Series W-ClearPass Insight.
Adding a W-ClearPass OnConnect Enforcement Service
To add an OnConnect Enforcement service:
1. Navigate to Configuration > Services. The Services page opens.
2. To add the service, click Add. The Add Services dialog opens.
3. From the Type drop-down list, select W-ClearPass OnConnect Enforcement (see Figure 63).
Figure 63: Specifying W-ClearPass OnConnect Enforcement
4. Enter the name or label of the OnConnect Enforcement service.
5.
Figure 64: Selecting the W-ClearPass OnConnect Enforcement Policy
From the Services > Add > Enforcement page, you can either select an existing enforcement policy or create a new one.
2. From the Enforcement Policy drop-down list, select the appropriate OnConnect Enforcement policy.
a. If you have not configured an OnConnect-type Enforcement policy, click Add New Enforcement Policy to create a new enforcement policy.
3.
The Services page appears. The Services page provides options to add, modify, and remove a service.
2. To add the service, click Add. The Add Services dialog appears.
3. From the Type drop-down list, select Event-based Enforcement (see Figure 65).
Figure 65: Specifying Event-Based Enforcement
4. Enter the name or label of the event-based enforcement service.
5. Enter the values for any other parameters, including service rules, required for this service.
Table 40: Service Enforcement Page Parameters
Parameter: Description
Use Cached Results: 1. Select this check box to use cached roles and posture attributes from previous sessions.
Enforcement Policy: 2. From the drop-down list, select the preconfigured enforcement policy. This is mandatory.
Enforcement Policy Details
Description: Displays additional information about the selected enforcement policy.
Default Profile: Displays a default profile applied by .
Web-based Authentication
Configure this service for guests or agent-less hosts that connect through the Dell built-in Portal. The user is redirected to the Dell captive portal by the network device or by a DNS server that is set up to redirect traffic on a subnet to a specific URL.
The following figure displays the Web-Based Health Check Only service:
Figure 69: Web-Based Health Check Only Service
For more information on configuration tabs, see Dell 802.1X Wireless on page 83.
Web-based Open Network Access
Configuration for this service is the same as for the Web-based Authentication service, except that a health check is not performed on the endpoints. A Terms of Service page (as configured on the W-ClearPass Policy Manager Guest Portal page) is presented to the user.
For more information on configuration tabs, see Dell 802.1X Wireless on page 83.
Chapter 3
Monitoring
The Monitoring features in W-Policy Manager provide access to live monitoring of components and other functions.
Figure 71: Access Tracker Page
Table 41 describes the information in the Access Tracker page:
Table 41: Access Tracker Page Columns
Column: Description
Server: Displays the IP address of the server.
Source: Displays the authentication source for the session. For example, TACACS or web authentication (WEBAUTH).
Username: Displays the username or MAC address of the user.
Service: Displays the name of the service.
Login Status: Displays the status of the request, such as Accept, Reject, or Timeout.
Figure 72: Access Tracker Edit Page
2. Modify the Access Tracker Edit page parameters as described in the following table, then click Save:
Table 42: Access Tracker Edit Page Parameters
Parameter: Action/Description
Select Server/Domain: Displays information for the selected server or domain on the Access Tracker page. To display transactions from all nodes in the W-Policy Manager cluster, select all the servers.
Select Filter: Select a filter category to filter the displayed data.
Table 42: Access Tracker Edit Page Parameters (Continued)
Parameter: Action/Description
Select Date: To select a date, click the icon. To set the date in the before field to the current date, click Show Latest.
Select Columns: This section displays the following two fields:
- Available Columns: Displays the data columns available to be displayed in an Access Tracker table.
- Selected Columns: Displays the data columns currently selected for display.
The following figure displays the Summary tab:
Figure 73: Request Details > Summary Tab
Input Tab
The Input tab shows protocol-specific attributes that W-Policy Manager received in a transaction request, including authentication and posture details (if available). The Input tab also shows computed attributes that W-Policy Manager derived from the request attributes. All of these attributes can be used in role mapping rules.
1.
Figure 74: Request Details > Input Page
Output Tab
The Request Details > Output tab shows the attributes that were sent to the network device (switch or controller) and the posture-capable endpoint (for example, MAC devices). You can view the posture response and posture evaluation with accurate results. For example, you can view details such as missing registry keys and the reasons for a failed registry key check. To view the Request Details > Output page:
1.
Figure 75: Request Details > Output Page
Access Tracker shows an alert if more than two anti-malware products are installed on a client.
Alerts Tab
The Request Details > Alerts page shows information about a session that has an error. To view the Request Details > Alerts page:
1. Navigate to the Monitoring > Live Monitoring > Access Tracker page.
2. Click a table row for a session that has an error.
To view the Configuration page:
1. Click any table row in the Monitoring > Live Monitoring > Access Tracker page. The Request Details page opens.
2. Click the Show Configuration button. The Configuration tab appears and the Request Details > Configuration page opens:
Figure 77: Request Details > Configuration Page
Access Control Capabilities
The Access Control Capabilities page shows a summary view of the transaction, including policies that are applied and protocol-specific attributes.
Figure 78: Request Details > Access Control Capabilities Dialog
3. Specify the Request Details > Access Control Capabilities page parameters as described in the following table:
Table 43: Request Details > Access Control Capabilities Page Parameters
Parameter: Action/Description
Change Status: You can view or change to any of the following access control types:
- Agent: This control is available for a session where the endpoint has the OnGuard Agent installed. The following actions are allowed:
  - Bouncing
  - Sending Messages
  - Tagging the status of the endpoint as Disabled or Known.
- RADIUS Accounting Details > Summary Tab
- RADIUS Accounting Record Details > Auth Sessions Tab
- RADIUS Accounting Record Details > Utilization Tab
- RADIUS Accounting Record Details > Details Tab
- TACACS+ Accounting Record Details > Request Tab
- TACACS+ Accounting Record Details > Auth Sessions Tab
- TACACS+ Accounting Record Details > Details Tab
The Monitoring > Live Monitoring > Accounting page provides a dynamic report that describes session access, as reported by the network access d
Modifying the Accounting Page Parameters
You can filter or modify the information displayed in this table by creating a filter, or by selecting a different server, domain, or time range. To filter the data currently displayed in the Accounting page:
1. Navigate to the Monitoring > Live Monitoring > Accounting page.
2. Click Edit. The Edit Accounting Page dialog opens.
Figure 80: Edit Accounting Page Dialog
3.
RADIUS Accounting Details > Summary Tab
To drill down and display the corresponding Accounting Record Details page for the session, click any row in the Accounting page. The Accounting Record Details > Summary tab shows a summary view of the transaction, including session IDs, timestamp, and network details for the RADIUS protocol.
Table 46: RADIUS Accounting Record Details Summary Tab Parameters (Continued)
Parameter: Description
Status: Shows the current connection status of the session.
Username: Username associated with this record.
Termination Cause: Specifies the reason for termination of this session.
Service Type: Shows the value of the standard RADIUS attribute Service-Type.
Network Details
NAS IP Address: Shows the IP address of the network device.
NAS Port Type: Shows the access methods. For example, Ethernet, or 802.
The following table describes the RADIUS Accounting Record Details > Auth Sessions parameters:
Table 47: RADIUS Accounting Record Details Auth Sessions Tab Parameters
Parameter: Description
Number of Authentication Sessions: Specifies the total number of authentications (always 1) and authorizations in this session.
Authentication Sessions Details
Session ID: Displays the W-Policy Manager session ID.
Type: Specifies the type of authentication: initial authentication or reauthentication.
The following table describes the configuration parameters on the RADIUS Accounting Record Details Utilization tab:
Table 48: RADIUS Accounting Record Details > Utilization Tab Parameters
Parameter: Description
Active Time: Displays the duration for which the session was active.
Account Delay Time: Displays how many seconds the network device has been trying to send this record (subtract this value from the record timestamp to determine the time at which the device actually generated the record).
Figure 84: RADIUS Accounting > Details Page
The following table summarizes the configuration information provided on the RADIUS Accounting Record Details > Details page:
Table 49: RADIUS Accounting Record > Details Page Summary
Parameter: Description
Accounting Packet Details: Shows the details of RADIUS attributes sent to and received from the network device during an initial authentication and subsequent reauthentications. Each section in the Details page corresponds to a session in W-Policy Manager.
TACACS+ Accounting Record Details > Request Tab
When you navigate to the Monitoring > Live Monitoring > Accounting page and select a TACACS+ Accounting record, the Accounting Record Details page opens to the Request page.
Table 50: TACACS+ Accounting Record Request Page Parameters (Continued)
Parameter: Description
Authentication Method: Identifies the authentication method used for network access.
Authentication Type: Identifies the authentication type used for network access.
Authentication Service: Identifies the authentication service used for network access.
Table 51: TACACS+ Accounting Record Details > Authentication Sessions Page Parameters
Parameter: Description
Number of Authentication Sessions: Specifies the total number of authentications (always 1) and authorizations in this session.
Authentication Sessions Details: Denotes whether the request is an authentication or authorization request, and the time at which the request was sent for each request ID.
Table 52: TACACS+ Accounting Record > Details Page Parameters
Parameter: Description
Accounting Packet Details: Shows the command typed (cmd), the privilege level of the administrator executing the command (privlvl), and the service (shell) for each authorization request, as well as the start time, task ID, and time zone.
Table 53: OnGuard Activity Parameters
Parameter: Description
User: Displays the name of the user.
Host MAC: Displays the MAC address of the host.
Host IP: Displays the IP address of the host.
Host OS: Displays the operating system that runs on the host.
Status: Displays the online status of the host. Green indicates online and red indicates offline.
Date and Time: Displays the date and time at which the user was created.
Figure 89: Agent and Endpoint Details
The following table describes the configuration parameters on the Agent and Endpoint Details page:
Table 54: Agent and Endpoint Details Parameters
Parameter: Description
Host MAC: Displays the MAC address of the user.
Description: Optional description of the endpoint.
Status: Displays the status of the endpoint.
Added by: Displays the server name.
MAC Vendor: Vendor name and OS of the endpoint device.
OnGuard Details
User: Displays the name of the user.
Table 54: Agent and Endpoint Details Parameters (Continued)
Parameter: Description
Registered W-Policy Manager Server: Displays the name and IP address of the W-Policy Manager server.
Registered at: Displays the date and time at which the W-Policy Manager installation was registered.
Last Unregistered at: Displays the date and time at which the W-Policy Manager installation was last unregistered.
Last Seen Health Status: Displays the health status of the endpoint. For example, QUARANTINED or HEALTHY.
Table 55: Bounce Agents Page Parameters (Continued)
Parameter: Action/Description
NOTE: You must configure Enforcement Policy Rules to allow access to the endpoints with the status Known.
- Block network access: Block network access by blacklisting this endpoint. Clicking Block network access sets the status of the endpoint to Disabled.
NOTE: You must configure Enforcement Policy Rules to allow access to the endpoints with the status Disabled.
Figure 91: Bounce Client (Using SNMP) Dialog
3. Enter the client IP or MAC address.
4. Click Go, then click Bounce.
The following table describes the configuration parameters on the Bounce Client (Using SNMP) page:
Table 56: Bounce Client (Using SNMP) Page Parameters
Parameter: Action/Description
Client IP or MAC address: Enter the client IP address or MAC address of the bounce client.
Host MAC: Displays the MAC address of the host.
Host IP: Displays the IP address of the host.
Figure 92: Broadcast Notification to Agents Dialog
4. Display Message: Enter the text of the message you want to send to the selected active endpoints.
5. Web link: Optionally, enter a URL to be included with the Display Message.
6. Click Send.
Sending a Message to Selected Endpoints
To send a message to selected endpoints:
1. Navigate to Monitoring > OnGuard Activity. The OnGuard Activity page opens.
2. Select one or more devices listed on the OnGuard Activity page.
3. Click the Send Message button.
To access this page, navigate to Monitoring > Live Monitoring > Analysis and Trending.
Figure 94: Analysis and Trending
Use the following components in the WebUI to customize and filter the Analysis and Trending page:
Component: Action/Description
Select Server: Select a node from the cluster for which data will be displayed.
Update Now!: Click to update the display with the latest available data.
Customize This!: Click to customize the display by adding filters. You can add a maximum of four filters.
- Process Monitor Page
- Network Monitor Page
- ClearPass Monitor Page
System Monitor Page
The System Monitor page displays charts and graphs that display information about CPU load, CPU usage, memory usage, and disk usage for the selected W-ClearPass server. To access the System Monitor page for the selected W-ClearPass server:
1. Navigate to Monitoring > Live Monitoring > System Monitor.
2. From the Select Server drop-down, select the desired W-ClearPass server.
Process Monitor Page
The Process Monitor page displays CPU Usage and Main Memory Usage for a selected process or service. To access the Process Monitor page:
1. Navigate to Monitoring > Live Monitoring > System Monitor > Process Monitor.
Figure 96: System Monitoring: Process Monitor Page
2. To view CPU Usage and Main Memory usage for the selected process or service, click the Select Process drop-down list.
3.
- System auxiliary services
- System monitor service
- Tacacs server
- Virtual IP service
Network Monitor Page
The Network Monitor page displays information about the selected network traffic type. To access the Network Monitor page:
1. Navigate to Monitoring > Live Monitoring > System Monitor > Network tab.
2. From the Select drop-down, select the desired traffic type.
ClearPass Monitor Page
The ClearPass Monitoring page displays performance monitoring counters and timers for the last 30 minutes of activity for the following W-ClearPass components:
- Service Categorization
- Authentication (RADIUS, TACACS, or WebAuth)
- Authorization
- Role Mapping
- Posture Evaluation
- Audit Scan
- Enforcement
- End-to-End Request Processing (RADIUS, TACACS, or WebAuth)
- Advanced
To access the ClearPass Monitor page:
1.
Profiler and Discovery: Endpoint Profiler
If the Profile license is enabled, a list of the profiled endpoints is visible in the Endpoint Profiler page.
1. To access the Endpoint Profiler, navigate to the Monitoring > Profiler and Discovery > Endpoint Profiler page. The list of endpoints you view is based on the Device Category, Device Family, and Device Name items that you selected. Figure 99 shows an example of the graphs available on the Endpoint Profiler page:
Figure 99: Endpoint Profiler Page
2.
Figure 100: Endpoint Profiler Details
5. To return to the Endpoint Profiler page, select the Cancel button.
Information about endpoints connected to the network device (typically MAC addresses of endpoints connected to switch ports). These are added as discovered endpoints. For more information, see Viewing Discovered Endpoints on page 151.
- ARP table: The ARP table provides information about MAC address > IP associations for endpoints that were recently seen by this device. These endpoints are probed further in an attempt to profile them. For more information, see Viewing Discovered Endpoints on page 151.
Figure 102: SNMP Configuration Dialog
4. Specify the SNMP Configuration parameters as described in Table 58. When finished, click Save Entry, then click Save.
Table 58: SNMP Configuration Parameters
Field: Action/Description
IP Subnets/IP Addresses: 1. Enter either one or more IP subnets or one or more IP addresses. For multiple entries, separate multiple IP addresses with commas.
1. Navigate to Configuration > Profile Settings. The Profile Settings page opens.
Figure 103: Profile Settings Page
2. Select the SSH Configuration tab.
Figure 104: SSH Configuration Tab
3. Click Add Configuration. The SSH Configuration page opens.
Figure 105: SSH Configuration Page
4. Specify the parameters in the SSH Configuration dialog as described in the following table, then click Save Entry.
Table 59: SSH Configuration Parameters
Field: Action/Description
IP Subnets/IP Addresses: 1. Enter either one or more IP subnets or one or more IP addresses. For multiple entries, separate multiple IP addresses with commas.
Username: 2. Enter the username for the device or subnet specified.
Password: 3. Enter the password for the device or subnet specified.
Enable Password: 4. Enter the Enable password, then reenter the password in the Enable Password Verify field.
Description: 5.
If you provide just one IP address, the WMI login is performed for that particular IP address only. To configure WMI credentials for a network discovery scan:
1. Navigate to Configuration > Profile Settings. The Profile Settings page opens.
Figure 107: Profile Settings Page
2. Select the WMI Configuration tab.
Figure 108: WMI Configuration Tab
3. Click Add Configuration. The WMI Configuration page opens.
Figure 109: WMI Configuration Page
4.
Table 60: WMI Configuration Parameters
Field: Action/Description
IP Subnets/IP Addresses: 1. Enter either one or more IP subnets or one or more IP addresses. For multiple entries, separate multiple IP addresses with commas.
NOTE: The WMI configuration can be for a single IP address or a subnet. These credentials are used when a WMI scan is initiated.
Domain: 2. Enter the name of the Windows domain for logging into the device(s) that you are scanning.
Username: 3.
1. Navigate to Monitoring > Profiler and Discovery > Network Discovery. The Network Discovery page opens.
Figure 111: Network Discovery Page
2. Click Start Network Discovery Scan. The Initiate Scan dialog opens.
Figure 112: Initiating the Seed Devices Scan
3. Enter the appropriate information in the Initiate Scan dialog as described in Table 61.
Table 61: Initiating Network Discovery Scan Parameters
Field: Action/Description
Server: 1. From the drop-down list, select the W-ClearPass W-Policy Manager server. If the W-ClearPass server is in a cluster, the list will display the cluster node IP addresses that you can choose.
NOTE: Once you select the node, the network discovery scan starts with that node.
Scan Depth: 2. Specify the Scan Depth by selecting the desired number from 1 to 5.
Figure 114: Network Discovery > Auto Refresh
2. Click the Auto Refresh link. Every Auto-Refresh operation accesses the database and reads the data. When there is no network scan occurring, you can disable Auto-Refresh, as there is no need to access the database every time.
Importing and Viewing Discovered Network Devices
To import and view discovered network devices:
1. Navigate to Monitoring > Profiler and Discovery > Discovered Devices. The Discovered Devices page opens.
Figure 116: Importing a Network Device
3. Enter the appropriate information in the Network Device Details dialog as described in Table 62.
Table 62: Specifying Network Device Details for Importing Devices
Field: Action/Description
RADIUS Shared Secret: 1. If using RADIUS, enter the RADIUS Shared Secret for the selected discovered device.
TACACS+ Shared Secret: 2. If using TACACS+, enter the TACACS+ Shared Secret for the selected discovered device.
Override Vendor: 3.
Viewing Details on a Discovered Device
To view detailed information about a discovered network device, including a list of its neighbors in the network:
1. Navigate to Monitoring > Profiler and Discovery > Discovered Devices. The Discovered Devices page opens.
2. Click the name of the device of interest. The Network Device Details page opens.
Figure 118: Viewing Details for a Discovered Device
3. When finished, click Close.
Figure 119: Viewing the Discovered Endpoints Information
3. When finished, click Back to Network Discovery.
Audit Viewer
This section provides the following information:
- Introduction
- Audit Viewer
- Audit Viewer
- Audit Viewer
Introduction
The Audit Viewer page provides a dynamic report on actions, device name, category of W-Policy Manager component, user, and timestamp. To access the Audit Viewer:
1. Navigate to Monitoring > Audit Viewer. The Audit Viewer page opens.
Figure 120: Audit Viewer Page
2. To display detailed information about the selected event, click any row in the audit viewer. The Audit Row Details page opens (see ). The content in the Audit Row Details page varies, depending upon the type of event you select.
Add Events
To display additional details that are specific to the new policy component, click a row with the Add action type. The Audit Row Details page opens.
Figure 121: Audit Row Details for Add Event
For example, if a TACACS enforcement profile is added, the Audit Row Details page displays detailed information about that profile. If a policy is created, the Audit Row Details page displays information about the policy.

Modify Events

To display additional details about the change, including the previous values, the latest (updated) values, and the differences between the two, click a row with the Modify action type. Figure 122 shows the Audit Row Details page for a Modify event.
Table 63: Audit Row Details > Modify Event Page (Continued)

(description continued)
• Moved up
• Moved down

Remove Events

To display details about attributes that were removed, click a row with the Remove action type.
The following table describes the Event Viewer parameters:

Table 64: Event Viewer Page Parameters

Source: Displays the source of the event. For example, AdminUI or W-ClearPass Updater.
Level: Displays the level of the event from the following options:
• INFO
• WARN
• ERROR
Category: Displays the category of the event. For example, Logged in, System, or AV/AS Updates.
Action: Displays the status of the event action. For example, Success, Failed, Unknown, or None.
Figure 124: Event Viewer Report with Customized Filter

Viewing Report Details

To display the System Event Details page, click a row in the Event Viewer page.

Figure 125: System Event Details Page

The following table describes the System Event Details parameters:

Table 65: System Event Details Page Parameters

Source: Displays the source of the event. For example, AdminUI, RADIUS, or SnmpService.
Table 65: System Event Details Page Parameters (Continued)

Action: Displays the action of the event. For example, Success, Failed, Unknown, or None.
Timestamp: Displays the date and time when the event occurred.
Description: Displays additional information about the event, including the node's IP address when pertinent.
Figure 126: Data Filters Page

Adding a Data Filter

To add a data filter:

1. Click the Add link in the top-right corner of the page. The Add Data Filters page opens to the Filter tab. Figure 127 shows the Filter dialog when you choose Select Attributes.

Figure 127: Add Data Filter > Filter Tab > Select Attributes
Figure 128 shows the Filter dialog when you choose Specify Custom SQL.

Figure 128: Add Data Filter > Filter Tab > Specify Custom SQL

2. Specify the Add Data Filters parameters as described in the following table.

Table 66: Add Data Filters Page > Filter Tab Parameters

Name: Enter a name for the data filter.
Description: Optionally, enter a description of this data filter (recommended).
Rules Tab

The Rules tab displays when you choose the Select Attributes configuration type on the Filter dialog.

Figure 129: Add Data Filter > Rules Dialog

Table 67 describes the Add Filter > Rules tab parameters:

Table 67: Add Filter > Rules Tab

Rule Evaluation Algorithm: Select ANY match for a logical OR of all the rules, or ALL matches for a logical AND of all the rules.
Add Rule: Add a rule to the filter.
Edit Rule: Edit an existing rule.
Table 68 describes the Dashboard Filters > Rules Editor parameters:

Table 68: Dashboard Filters > Rules Editor Configuration Parameters

Matches: Specify the match conditions:
• ANY matches one of the configured conditions.
• ALL specifies to match all of the configured conditions.
Type: Select the type of data filter.
• Common: Attributes common to RADIUS, TACACS, and WebAuth requests and responses.
Figure 131: Blacklisted Users Page

2. To delete a user from this blacklist, select the user row and click Delete. The deleted blacklisted user is now eligible to access the network.
Chapter 4: Authentication and Authorization

As a first step in service-based processing, W-Policy Manager uses an authentication method to authenticate the user or device against an authentication source. After the user or device is authenticated, Policy Manager fetches attributes for role mapping policies from the authorization sources associated with this authentication source.
Authentication Method

W-Policy Manager initiates the authentication handshake by sending the available methods in priority order until the client accepts a method or rejects the last method (with NAKs), with the following possible outcomes:
• Successful negotiation returns a method, which is used to authenticate the client against the authentication source.
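The negotiation described above, as an added example that is not ClearPass code and not part of the original guide. It models the exchange the text describes: the server offers its configured methods in priority order, the client either answers with a Response of the same type (method accepted) or a Nak listing the types it would accept, and negotiation fails when the last offered method is rejected. The type codes are the standard IANA EAP method type numbers; the method lists, client capabilities and the `negotiate_with_nak_hint` refinement are assumptions for the demo. The same priority-order negotiation applies to the inner-method lists on the Inner Methods tabs later in this chapter.

```python
# Added example (not ClearPass code): a simulation of the EAP method
# negotiation described above. Type codes are the standard EAP method type
# numbers; the server/client behaviour is modelled with plain Python values.
EAP_TYPES = {
    "EAP-MD5": 4, "EAP-GTC": 6, "EAP-TLS": 13, "EAP-TTLS": 21,
    "EAP-PEAP": 25, "EAP-MSCHAPv2": 26, "EAP-FAST": 43, "EAP-PWD": 52,
}


def negotiate(server_methods, client_supported):
    """Offer server methods in configured priority order.

    Stops when the client accepts an offered method or when the client has
    rejected (Nak'ed) the last one. Returns (method_or_None, transcript),
    where the transcript lists each message as (sender, kind, payload).
    """
    supported = set(client_supported)
    transcript = []
    for offered in server_methods:
        code = EAP_TYPES[offered]
        transcript.append(("server", "Request", code))
        if offered in supported:
            # Client answers with a Response of the same type: method agreed.
            transcript.append(("client", "Response", code))
            return offered, transcript
        # Client rejects with a Nak (type 3) carrying the types it accepts.
        desired = sorted(EAP_TYPES[m] for m in supported)
        transcript.append(("client", "Nak", desired))
    # The client rejected the last configured method: negotiation failed.
    return None, transcript


def negotiate_with_nak_hint(server_methods, client_supported):
    """Refinement (assumed, not stated on the page): after a Nak, skip the
    configured methods the client did not list, keeping the server's
    priority order but saving round trips."""
    supported = set(client_supported)
    transcript = []
    acceptable = None  # unknown until the first Nak arrives
    for offered in server_methods:
        if acceptable is not None and offered not in acceptable:
            continue
        code = EAP_TYPES[offered]
        transcript.append(("server", "Request", code))
        if offered in supported:
            transcript.append(("client", "Response", code))
            return offered, transcript
        acceptable = supported
        transcript.append(("client", "Nak", sorted(EAP_TYPES[m] for m in supported)))
    return None, transcript


if __name__ == "__main__":
    method, log = negotiate(["EAP-TLS", "EAP-PEAP", "EAP-TTLS"], ["EAP-TTLS", "EAP-PEAP"])
    print(method)
    for msg in log:
        print(msg)
```

The failed-negotiation case (`None`) is the one the deployment should watch for: a client that Naks every configured method produces a rejection that looks like a credential failure in the logs but is really a method-list mismatch between the service and the supplicant.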
Figure 132: Authentication and Authorization Flow of Control

Configuring Authentication Components

To add or modify an authentication method or source for an existing service, navigate to the Services page (Configuration > Services > Add) and click the Authentication tab. For a new service, the Policy Manager wizard automatically opens the Authentication tab for configuration.
Figure 133: Authentication Components

Table 69: Authentication Options at the Service Level

Sequence of Authentication Methods:
• Select a method, then select Move Up, Move Down, or Remove. Select View Details to view the details of the selected method.
• Select Modify to modify the selected authentication method. This displays a popup with the edit widgets for the selected authentication method.
Adding and Modifying Authentication Methods

This section provides the following information:
• Adding a New Authentication Service
• Modifying an Existing Authentication Service

Adding a New Authentication Service

To add a new authentication service:

1. Navigate to Configuration > Authentication > Methods. The Authentication Methods page opens.

Figure 134: Authentication Methods Page

2. Click Add. The Add Authentication Method page opens.

Figure 135: Add Authentication Method Page

3.
4. From the Type drop-down, select the type of service you want to add.

Modifying an Existing Authentication Service

To modify an existing authentication service:

1. Navigate to Configuration > Authentication > Methods.
2. Click any row in the Authentication Methods page. The Edit Authentication Method page opens.

Figure 136: Edit Authentication Method Page

3.
Authorize Authentication Method

This is an authorization-only method that you can add with a custom name. The General tab labels the authentication method and defines session details. The following figure displays the Authorization - General tab:

Figure 137: Add Authentication - General Tab

The following table describes the Authorize General parameters:

Table 70: Authorize General Tab Parameters

Name: Specify the label of the authentication method.
The EAP-MD5 authentication type is not supported if you use W-ClearPass Policy Manager in FIPS mode (Administration > Server Manager > Server Configuration > FIPS tab). The following figure is an example of the General tab for the CHAP authentication method:

Figure 138: General Tab (CHAP)

The following table describes the CHAP and EAP-MD5 - General parameters:

Table 71: CHAP and EAP-MD5 - General Tab Parameters

Name: Specify the name of the authentication method.
1. Navigate to Configuration > Authentication > Methods. The Authentication Methods page appears.
2. Create a new EAP-FAST authentication service or edit an existing one. The following figure displays the EAP-FAST - General tab:

Figure 139: EAP-FAST - General Tab

3. Configure the EAP-FAST authentication service as described in Table 72.

Table 72: EAP-FAST - General Tab Parameters

Name: 1. Specify the name of the authentication method.
Description: 2.
Table 72: EAP-FAST - General Tab Parameters (Continued)

• Certificate Comparison Using Client Certificate
Certificate Comparison: 7. Specify one of the following Certificate Comparison actions:
• Do not compare
• Compare Distinguished Name (DN)
• Compare Common Name (CN)
• Compare Subject Alternate Name (SAN)
• Compare CN or SAN
• Compare Binary
8. When finished, click the Inner Methods tab.

Inner Methods Tab

The Inner Methods tab controls the inner methods for the EAP-FAST method.
Table 73: EAP-FAST - Inner Methods Tab Parameters

Specify inner authentication methods in the preferred order: 1. Select any method available in the current context from the drop-down list. Functions available in this tab include:
• To append an inner method to the displayed list, select it from the Select a method drop-down list. The list can contain multiple inner methods, which W-Policy Manager sends in priority order until negotiation succeeds.
Figure 142: EAP-FAST PAC Provisioning Dialog

1. Configure the PAC Provisioning parameters as described in Table 74.
2. When finished, click Save.

Table 74: EAP-FAST PAC Provisioning Tab Parameters

In-Band PAC Provisioning
Allow anonymous mode: When in anonymous mode, phase 0 of EAP-FAST provisioning establishes an outer tunnel without end-host/W-Policy Manager authentication. NOTE: This mode is not as secure as the authenticated mode.
Table 74: EAP-FAST PAC Provisioning Tab Parameters (Continued)

(description continued) authentication. The end-host subsequently reauthenticates using the newly provisioned PAC. When this field is enabled, W-Policy Manager accepts the end-host authentication in the provisioning mode itself. The end-host does not have to reauthenticate.
The following figure displays the EAP-GTC - General tab:

Figure 143: EAP-GTC - General Tab

The following table describes the EAP-GTC General parameters:

Table 75: EAP-GTC General Tab Parameters

Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, select EAP-GTC.
Method Details
Challenge: Specify an optional password.
EAP-MSCHAPv2

The EAP-MSCHAPv2 method contains the General tab that labels the method and defines session details. The following figure is an example of the EAP-MSCHAPv2 - General tab:

Figure 144: EAP-MSCHAPv2 - General Tab

The following table describes the EAP-MSCHAPv2 - General parameters:

Table 76: EAP-MSCHAPv2 - General Tab Parameters

Name: Specify the name of the authentication method.
The exchange of information is encrypted inside the tunnel, ensuring that the user credentials are kept secure. The EAP-PEAP authentication method contains the following two tabs:
• General Tab on page 180
• Inner Methods Tab on page 181

General Tab

The General tab labels the authentication method and defines session details.
Table 77: EAP-PEAP - General Tab Parameters (Continued)

Session Resumption: Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval. If the session timeout value is set to 0, the cached sessions are not purged.
The following table describes the EAP-PEAP Inner Methods parameters:

Table 78: EAP-PEAP Inner Methods Tab Parameters

Specify inner authentication methods in the preferred order: Select any method available in the current context from the drop-down list. Functions available in this tab include:
• To append an inner method to the displayed list, select it from the Select a method drop-down list.
General

The General tab labels the authentication method and defines session details. The following figure is an example of the EAP-PEAP-Public - General tab:

Figure 147: EAP-PEAP-Public - General Tab

The following table describes the EAP-PEAP-Public - General parameters:

Table 79: EAP-PEAP-Public - General Tab Parameters

Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Table 79: EAP-PEAP-Public - General Tab Parameters (Continued)

Fast Reconnect: Enable this check box to allow fast reconnect. When fast reconnect is enabled, the inner method that runs inside the server-authenticated outer tunnel is also bypassed, which makes re-authentication faster. For fast reconnect to work, session resumption must be enabled.
Public Username: Enter the Guest username. In this context, enter 'public'.
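The interaction between Session Resumption, Session Timeout and Fast Reconnect (Table 77 above and the Fast Reconnect row here) is easy to misconfigure, so here is an added example that models it. This is not ClearPass code; the cache structure, the session ids and the caller-supplied clock are assumptions made for the demo. It enforces the two rules the tables state: a timeout of 0 means cached sessions are never purged, and Fast Reconnect cannot be enabled without Session Resumption.

```python
# Added example (not ClearPass code): a model of the Session Resumption,
# Session Timeout and Fast Reconnect settings described in the tables above.
# Session ids and the clock ("now", in seconds) are supplied by the caller so
# the behaviour is deterministic.
class EapSessionCache:
    def __init__(self, session_resumption=True, session_timeout=3600,
                 fast_reconnect=False):
        if fast_reconnect and not session_resumption:
            # Per the table: fast reconnect only works with session resumption on.
            raise ValueError("Fast Reconnect requires Session Resumption")
        if session_timeout < 0:
            raise ValueError("Session Timeout must be 0 or positive")
        self.session_resumption = session_resumption
        self.session_timeout = session_timeout   # seconds; 0 = never purge
        self.fast_reconnect = fast_reconnect
        self._sessions = {}                      # session_id -> (identity, stored_at)

    def store(self, session_id, identity, now):
        """Cache a completed outer-tunnel session (no-op if resumption is off)."""
        if self.session_resumption:
            self._sessions[session_id] = (identity, now)

    def _expired(self, stored_at, now):
        # A timeout of 0 means cached sessions are kept indefinitely.
        return self.session_timeout != 0 and now - stored_at > self.session_timeout

    def resume(self, session_id, now):
        """Describe how a reconnect is handled, or None for a full re-authentication.

        The result says whether the inner method is skipped too (Fast
        Reconnect) or only the outer TLS handshake is shortened (resumption).
        """
        if not self.session_resumption:
            return None
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        identity, stored_at = entry
        if self._expired(stored_at, now):
            del self._sessions[session_id]
            return None
        return {"identity": identity, "skip_inner_method": self.fast_reconnect}

    def purge(self, now):
        """Drop expired entries; returns how many were removed."""
        expired = [sid for sid, (_, t) in self._sessions.items()
                   if self._expired(t, now)]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)


if __name__ == "__main__":
    cache = EapSessionCache(session_timeout=10, fast_reconnect=True)
    cache.store("session-1", "jdoe", now=0)
    print(cache.resume("session-1", now=5))    # resumed, inner method skipped
    print(cache.resume("session-1", now=30))   # expired: full authentication
```

The practical consequence of the timeout-0 rule is that a skipped inner method (Fast Reconnect) keeps working for as long as the cache entry exists, so an operator who wants a bound on how long a client can reconnect without re-proving its credentials must set a non-zero Session Timeout.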
Table 80: EAP-PEAP-Public Inner Methods Tab Parameters

Specify inner authentication methods in the preferred order: Select the inner authentication method available from the drop-down list. In this context, only the EAP-MSCHAPv2 method is available. The following functions are available in this tab:
• To append an inner method to the displayed list, select it from the drop-down list.
The following table describes the EAP-PWD - General parameters:

Table 81: EAP-PWD - General Tab Parameters

Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Specify the type of authentication. In this context, select EAP-PWD.
Method Details
Group: Select the group from the drop-down list.
Figure 150: EAP-TLS - General Tab

The following table describes the EAP-TLS - General parameters:

Table 82: EAP-TLS - General Tab Parameters

Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Specify the type of authentication. In this context, select EAP-TLS.
Table 82: EAP-TLS - General Tab Parameters (Continued)

• To skip the certificate comparison, choose Do not compare.
• To compare specific attributes, choose Compare Common Name (CN), Compare Subject Alternate Name (SAN), or Compare CN or SAN.
• To perform a binary comparison of the stored certificate (in the client record in Active Directory or another LDAP-compliant directory) and the presented certificate, choose Compare Binary.
General Tab

The General tab labels the method and defines session details. The following figure is an example of the EAP-TTLS - General tab:

Figure 151: EAP-TTLS - General Tab

The following table describes the EAP-TTLS - General parameters:

Table 83: EAP-TTLS - General Tab Parameters

Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication.
Inner Methods Tab

The Inner Methods tab controls the inner methods for the EAP-TTLS method. The following figure is an example of the EAP-TTLS - Inner Methods tab:

Figure 152: EAP-TTLS - Inner Methods Tab

The following table describes the EAP-TTLS - Inner Methods parameters:

Table 84: EAP-TTLS - Inner Methods Tab Parameters

Specify inner authentication methods in the preferred order: Select any method available in the current context from the drop-down list.
MAC-AUTH

The MAC-AUTH method contains the General tab that labels the authentication method and defines session details. The following figure is an example of the MAC-AUTH - General tab:

Figure 153: MAC-AUTH - General Tab

The following table describes the MAC-Auth - General parameters:

Table 85: MAC-Auth - General Tab Parameters

General
Name: Specify the name of the authentication method.
The following figure is an example of the MSCHAP - General tab:

Figure 154: MSCHAP - General Tab

The following table describes the MSCHAP - General parameters:

Table 86: MSCHAP - General Tab Parameters

Name: Specify the name of the authentication method.
Description: Provide additional information that helps to identify the authentication method.
Type: Select the type of authentication. In this context, select MSCHAP.
Table 87 describes the PAP parameters:

Table 87: PAP Authentication Method Parameters

Name: 1. Specify the name of the authentication method.
Description: 2. Provide additional information that helps to identify the authentication method.
Type: 3. Select PAP as the Type of authentication.
Method Details
Enable ArubaSSO: 4. Enable or disable Aruba-SSO (Single Sign-On) by specifying True or False. The default is False.
Figure 157: Add Authentication Source Page

Generic LDAP and Active Directory

Policy Manager can perform NTLM/MSCHAPv2, PAP/GTC, and certificate-based authentication against Microsoft Active Directory and against any LDAP-compliant directory, for example Novell eDirectory, OpenLDAP, or Sun Directory Server. The LDAP and Active Directory server configurations are similar. You can retrieve role mapping attributes by using filters.
Figure 158: Generic LDAP or Active Directory - General Tab

The following table describes the Generic LDAP or Active Directory - General parameters:

Table 88: Generic LDAP or Active Directory - General Tab Parameters

Name: Specify the name of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
Type: Select the type of authentication source. In this context, select Generic LDAP or Active Directory.
Table 88: Generic LDAP or Active Directory - General Tab Parameters (Continued)

Server Timeout: Specifies the duration in seconds that W-Policy Manager waits before considering this server unreachable. If multiple backup servers are available, this value is the number of seconds W-Policy Manager waits before attempting to fail over from the primary to the backup servers, in the order in which they are configured.
The following table describes the Generic LDAP or Active Directory - Primary parameters:

Table 89: Generic LDAP or Active Directory - Primary Tab Parameters

Hostname: Specify the hostname or the IP address of the LDAP or Active Directory server.
Connection Security:
• Select None for the default non-secure connection (usually port 389).
• Select StartTLS for a secure connection that is negotiated over the standard LDAP port.
Table 89: Generic LDAP or Active Directory - Primary Tab Parameters (Continued)

Bind User: Enable this check box to authenticate users by performing a bind operation on the directory using the credentials (user name and password) obtained during authentication. For clients to be authenticated by using the LDAP bind method, Policy Manager must receive the password in cleartext.
Figure 160: Active Directory Attributes Tab (with Default Data)

Figure 161: Generic LDAP Directory - Attributes Tab

The following table describes the Active Directory/LDAP Attributes Tab - Filter Listing Screen parameters:

Table 90: Active Directory/LDAP Attributes Tab - Filter Listing Screen Parameters

Filter Name: Specify the name of the filter.
Attribute Name: Specify the name of the LDAP/AD attributes defined for this filter.
The following table describes the available directories:
Table 91: Active Directory/LDAP Default Filters

Directory: Active Directory / Generic LDAP Directory

Default Filters:
• Authentication: This filter is used for authentication. The query searches in the objectClass of type user. This query finds both user and machine accounts in Active Directory:
  (&(objectClass=user)(sAMAccountName=%{Authentication:Username}))
  After a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine.
Table 91: Active Directory/LDAP Default Filters (Continued)

• Add More Filters: This query fetches all group records (of objectClass groupOfNames) where the member field contains the DN of the user record (UserDN, which is populated after the authentication filter query is executed). The attribute fetched with this filter query is cn, which is the name of the group (this is aliased to a more readable name: groupName).
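To show what the two default filters in Table 91 look like once the %{...} placeholders are filled in, here is an added example; it is not ClearPass code and the guide does not describe how Policy Manager performs the substitution internally. The example applies the RFC 4515 escaping that any LDAP client must apply to an assertion value, so that a username containing `*`, `(` or `)` is matched literally rather than altering the filter. The group filter text (groupOfNames/member) is reconstructed from the description in the table, and the sample username and DN are constructed values.

```python
import re

# Added example (not ClearPass code): rendering the default Active Directory
# filters from Table 91 with RFC 4515 escaping of the substituted values.
# Whether ClearPass escapes the value itself is not stated on the page.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Authentication filter exactly as printed in Table 91.
AUTH_FILTER = "(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"
# Group filter reconstructed from the table's description (assumption).
GROUP_FILTER = "(&(objectClass=groupOfNames)(member=%{UserDN}))"
_PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, values):
    """Replace every %{Namespace:Name} placeholder with its escaped value.

    Raises KeyError when a placeholder has no value, so a filter is never
    sent with an empty assertion (objectClass=user alone would match every
    account in the directory).
    """
    def repl(match):
        return escape_filter_value(values[match.group(1)])
    return _PLACEHOLDER.sub(repl, template)


def default_filters(username, user_dn):
    """Return both default queries in the order the table describes: the
    authentication filter first, then the group lookup using the DN that
    the first query returned (UserDN)."""
    return {
        "Authentication": render_filter(
            AUTH_FILTER, {"Authentication:Username": username}),
        "Group": render_filter(GROUP_FILTER, {"UserDN": user_dn}),
    }


if __name__ == "__main__":
    # Constructed sample identity, not a real account.
    for name, query in default_filters(
            "jdoe", "CN=jdoe,OU=Users,DC=example,DC=com").items():
        print(f"{name}: {query}")
    print(render_filter(AUTH_FILTER, {"Authentication:Username": "*)(objectClass=*"}))
```

The last line prints the escaped form of a username made of filter metacharacters; without escaping that value would close the sAMAccountName assertion early and widen the search, which is why the comparison in the Authentication filter should always be against a properly escaped literal.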
Filter Tab

The Filter tab provides an LDAP browser interface to define the filter search query. You can define the attributes used in the filter query using this interface. The following image is an example of the AD/LDAP Create Filter Page - Filter tab:

Figure 163: Active Directory/LDAP Create Filter Page - Filter Tab

Policy Manager is pre-configured with filters and selected attributes for Active Directory and generic LDAP directories.
The following table describes the Configure Filter Page - Filter tab parameters:

Table 93: Configure Filter Page - Filter Tab Parameters

Find Node: Find a node by entering the DN and clicking the Go button.
Select the attributes for filter: This table has a name and a value column. You can enter the attribute name in the following two ways:
• By selecting a node, inspecting the attributes, and then manually entering the attribute name by clicking Click to add... in the table row.
The following figure displays the Active Directory/LDAP Configure Filter - Attributes tab:

Figure 164: Active Directory/LDAP Configure Filter - Attributes Tab

The following table describes the Active Directory/LDAP Configure Filter Page - Attributes tab parameters:

Table 94: Active Directory/LDAP Configure Filter Page - Attributes Tab Parameters

Enter values for parameters: Policy Manager parses the filter query (created in the Filter tab and shown at the top of the Attributes tab)
Configuration Tab

The Configuration tab shows the filter and attributes configured in the Filter and Attributes tabs, respectively. From this tab, you can also manually edit the filter query and the attributes to be fetched. The following figure displays the Configure Filter - Configuration tab:

Figure 165: Configure Filter Popup - Configuration Tab

Modify Default Filters

When you add a new authentication source of type Active Directory or LDAP, a few default filters and attributes are populated.
The attributes that are defined for the authentication source display as attributes in role mapping policy rules editor under the authorization source namespace. Then, on the Role Mappings - Rules Editor page, the operator values that display are based on the Data type specified here. For example, if you modify the Active Directory department to be an integer rather than a string, then the list of operator values populate with values that are specific to integers.
General Tab

The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure displays the Generic SQL DB - General tab:

Figure 168: Generic SQL DB - General Tab

The following table describes the Generic SQL DB - General parameters:

Table 95: Generic SQL DB - General Tab Parameters

Name: Specify the name of the authentication source.
Table 95: Generic SQL DB - General Tab Parameters (Continued)

Authorization Sources: Specify additional sources from which to fetch role mapping attributes. Select a previously configured authentication source from the drop-down list and click Add to add it to the list of authorization sources. Click Remove to remove the authorization source from the list.
The following table describes the Generic SQL DB - Primary parameters:

Table 96: Generic SQL DB - Primary Tab Parameters

Server Name: Enter the hostname or IP address of the database server.
Port: (Optional) Specify a port value to override the default port.
Database Name: Enter the name of the database from which records can be retrieved.
Login Username: Enter the name of the user used to log into the database.
Figure 170: Generic SQL DB - Attributes Tab

The following table describes the Generic SQL DB - Attributes (Filter List) parameters:

Table 97: Generic SQL DB - Attributes Tab (Filter List) Parameters

Filter Name: Specifies the name of the filter.
Attribute Name: Specifies the name of the SQL DB attributes defined for this filter.
Alias Name: Specifies an alias name for each attribute name selected for the filter.
The following table describes the Generic SQL DB - Configure Filter parameters:

Table 98: Generic SQL DB Configure Filter Page Parameters

Filter Name: Enter the name of the filter.
Filter Query: Specify an SQL query to fetch the attributes from the user or device record in the DB.
Name: Specify the name of the attribute.
Alias Name: Specify the alias for the attribute. By default, this is the same as the attribute name.
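As an added example of what a Filter Query with Name/Alias Name mappings returns for an authenticating user, the following runs such a query against a constructed SQLite table. It is not ClearPass code: the table, its rows, the column names and the alias mapping are all assumptions for the demo. The guide does not describe how Policy Manager substitutes the username into the query text, so the example binds it as a query parameter and shows, for contrast, the string-splicing anti-pattern that makes the query depend on the username's contents.

```python
import sqlite3

# Added example (not ClearPass code): what a Filter Query with attribute
# aliases returns for one user. The users table and rows are constructed for
# the demo; the username is bound as a parameter, never pasted into the SQL.
FILTER_QUERY = "SELECT dept, title FROM users WHERE username = ?"
ALIASES = {"dept": "Department", "title": "Title"}   # Name -> Alias Name


def make_sample_db():
    """Create an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, dept TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("jdoe", "Engineering", "Staff Engineer"),
        ("asmith", "Finance", "Analyst"),
    ])
    return conn


def fetch_attributes(conn, username, query=FILTER_QUERY, aliases=ALIASES):
    """Run the filter query for one user and map column names to alias names.

    Returns {} when no record matches; the caller should treat that as
    'no authorization attributes for this user', not as an error.
    """
    cur = conn.execute(query, (username,))
    row = cur.fetchone()
    if row is None:
        return {}
    columns = [d[0] for d in cur.description]
    return {aliases.get(col, col): val for col, val in zip(columns, row)}


def fetch_attributes_unsafe(conn, username):
    """Anti-pattern, shown only for contrast: the username is spliced into
    the SQL text, so the query's meaning depends on the value supplied."""
    cur = conn.execute(
        f"SELECT dept, title FROM users WHERE username = '{username}'"
    )
    row = cur.fetchone()
    return dict(zip(["Department", "Title"], row)) if row else {}


if __name__ == "__main__":
    db = make_sample_db()
    print(fetch_attributes(db, "jdoe"))     # {'Department': 'Engineering', 'Title': 'Staff Engineer'}
    print(fetch_attributes(db, "nobody"))   # {}
```

The returned keys are the Alias Names, which is what appears in the role-mapping rules editor, while the query itself uses the real column names; keeping the mapping in one place (`ALIASES`) makes a renamed column a one-line change.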
• Summary Tab on page 217

General Tab

The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure displays the HTTP - General tab:

Figure 173: HTTP - General Tab

The following table describes the HTTP - General tab parameters:

Table 99: HTTP - General Tab Parameters

Name: Specify the name of the authentication source.
Table 99: HTTP - General Tab Parameters (Continued)

Use for Authorization: Enable this option to request W-Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, then Policy Manager also fetches role mapping attributes from the same source if the Use for Authorization field is enabled. This check box is enabled by default.
The following table describes the HTTP - Primary tab parameters:

Table 100: HTTP - Primary Tab Parameters

Base URL: Enter the base URL (host name) or IP address of the HTTP server. For example, http:// or :xxxx, where xxxx is the port to access the HTTP Server.
Login Username: Enter the name of the user used to log into the database. This account must have read access to all the attributes that need to be retrieved by the specified filters.
Add More Filters

The Configure Filter page defines a filter query and the related attributes to be fetched from the SQL DB store. The following figure displays the HTTP Filter Configure page:

Figure 176: HTTP Filter Configure Page

The following table describes the HTTP Configure - Filter parameters:

Table 102: HTTP Configure Filter Page Parameters

Filter Name: Displays the name of the selected filter.
Summary Tab

You can use the Summary tab to view configured parameters. The following figure is an example of the HTTP - Summary tab:

Figure 177: HTTP - Summary Tab

Kerberos

Policy Manager can perform standard PAP/GTC or tunneled PAP/GTC (for example, EAP-PEAP[EAP-GTC]) authentication against any Kerberos 5 compliant server, such as a Microsoft Active Directory server. It is mandatory to pair this source type with an authorization source (identity store) containing user records.
General Tab

The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure displays the Kerberos - General tab:

Figure 178: Kerberos - General Tab

The following table describes the Kerberos - General parameters:

Table 103: Kerberos - General Tab Parameters

Name: Specify the name of the authentication source.
Table 103: Kerberos - General Tab Parameters (Continued)

Use for Authorization: Disable in this context.
Authorization Sources: Specify one or more authorization sources from which role mapping attributes are to be fetched. Select a previously configured authentication source from the drop-down list and click Add to add it to the list of authorization sources. Click Remove to remove the selected authentication source from the list.
The following table describes the Kerberos - Primary parameters:

Table 104: Kerberos - Primary Tab Parameters

Hostname: Specify the name of the host or the IP address of the Kerberos server.
Port: Specify the port on which the token server listens for Kerberos connections. The default port is 88.
Realm: Specify the domain of authentication. In this case, specify the Kerberos domain.
General Tab

The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure is an example of the Okta - General tab:

Figure 181: Okta - General Tab

The following table describes the Okta - General parameters:

Table 105: Okta - General Tab Parameters

Name: Specify the name of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
Table 105: Okta - General Tab Parameters (Continued)

Server Timeout: Specify the duration in seconds that W-Policy Manager waits before considering this server unreachable. If multiple backup servers are available, this value is the number of seconds W-Policy Manager waits before attempting to fail over from the primary to the backup servers, in the order in which they are configured.
Attributes Tab

The Attributes tab defines the Okta query filters and the attributes to be fetched by using those filters. The following figure displays the Okta - Attributes tab:

Figure 183: Okta - Attributes Tab

The following table describes the Okta - Attributes parameters:

Table 107: Okta - Attributes Tab Parameters

Filter Name: Displays the name of the filter. You can configure only Group for Okta.
Add More Filters

The Configure Filter page defines a filter query and the related attributes to be fetched from the SQL DB store. The following figure displays the Okta - Configure Filter page:

Figure 184: Okta - Configure Filter Page

The following table describes the Okta Configure Filter parameters:

Table 108: Okta Configure Filter Page

Filter Name: Enter the name of the filter.
Filter Query: Specifies an SQL query to fetch attributes from the user or device record in the DB.
Summary Tab

You can use the Summary tab to view configured parameters. The following figure displays the Okta Summary tab:

Figure 185: Okta - Summary Tab

RADIUS Server

You can use the RADIUS Server as an authentication source to allow W-ClearPass to query a third-party RADIUS Server for authentication.
The following table describes the RADIUS Server - General parameters:

Table 109: RADIUS Server - General Tab Parameters

Name: Specify the name of the authentication source.
Description: Provide additional information that helps to identify the authentication source.
Type: Select the type of source. In this context, select RADIUS Server.
The following table describes the RADIUS Server - Primary parameters:

Table 110: RADIUS Server - Primary Tab Parameters

Connection Details
Server Names: Enter the name of the RADIUS Server.
Port: The default port number is 1812. You may enter a different port number if required.
Secret: Enter the secret key for authentication.

Attributes Tab

The Attributes tab defines the Okta query filters and the attributes to be fetched by using those filters.
Summary Tab You can use the Summary tab to view configured parameters.
The Static Hosts Lists page appears.

Figure 190: Static Host Lists Page

2. Click Add. The Add Static Host List dialog appears.

Figure 191: Adding a Static Host List

3. Enter the parameters to add a static host list as described in Table 112.

Table 112: Add Static Host List Parameters

Name: 1. Enter the name of the static host list.
Description: 2. Enter a description that provides additional information about the static host list.
Host Format: 3.
Table 112: Add Static Host List Parameters (Continued)
    - IP Address
    - MAC Address
  Subnet: 5. Enter the subnet address.
  6. Click Save. The new static host list is now available to be added as an authentication source (as described in the next section).

Adding a Static Host List as an Authentication Source

To add a Static Host List as an authentication source:

1. Navigate to Configuration > Authentication > Sources. The Authentication Sources page appears.
Figure 193: Specifying a Static Host List as Authentication Source

3. Enter the name and description of the static host list.
4. In the Type field, select Static Host List. In this context, the Use for Authorization and Authorization Sources fields are not configurable.
5. Click Next. The Static Hosts Lists dialog appears.
6. From the Static Host Lists tab, select a static host list from the drop-down list. The selected static host list is added to the MAC Address Host Lists (see Figure 194).
Static Hosts Lists Configuration Summary

You can use the Summary tab to view the static host list's configuration information.

Figure 195: Static Hosts Lists Configuration Summary

Token Server

W-Policy Manager can perform GTC authentication against any token server that can authenticate users by acting as a RADIUS server (for example, RSA SecurID Token Server). It can authenticate users against a token server and fetch role mapping attributes from any other configured authorization source.
General Tab

The General tab labels the authentication source and defines session details, authorization sources, and backup server details. The following figure displays the Token Server - General tab:

Figure 196: Token Server - General Tab

The following table describes the Token Server - General parameters:

Table 113: Token Server - General Tab Parameters
  Name: Specify the label of the authentication source.
Table 113: Token Server - General Tab Parameters (Continued)
  NOTE: You can specify additional authorization sources at the service level. Policy Manager fetches role mapping attributes irrespective of which authentication source the user or device was authenticated against.
  Server Timeout: Specify the duration in seconds that Policy Manager waits before attempting to fail over from the primary to the backup servers (in the order in which they are configured).
The following figure is an example of the Token Server - Attributes tab:

Figure 198: Token Server - Attributes Tab

See Configuring a Role and Role Mapping Policy on page 257 for more information. The following table describes the Token Server - Attribute parameters:

Table 115: Token Server - Attribute Tab Parameters
  Type: Select the type of authentication source from the drop-down list.
  Name: Specifies the name of the token server attributes.
| Authentication and Authorization Dell Networking W-ClearPass Policy Manager 6.
Chapter 5 Configuring Identity Settings

This chapter provides information on the following topics:
- Configuring Single Sign-On
- Managing Local Users
- Adding and Modifying Endpoints
- Managing Static Host Lists
- Configuring a Role and Role Mapping Policy

This chapter provides details on the settings required to configure W-ClearPass Policy Manager Identity settings.
Figure 200: Configuring Single Sign-On > SAML Service Provider Parameters

2. Select the application(s) you want users to access with single sign-on. To complete this task, specify the SAML SP Configuration tab parameters as described in Table 116.
3. Create trusted relationships between a Service Provider and an Identity Provider by providing the Identity Provider (IdP) URL and IdP certificate. To complete this task, specify the SAML IdP Configuration tab parameters as described in Table 117.
Table 116: Single Sign-On Service Provider Configuration Settings (Continued)
    - Validity Status
    - Signature Algorithm
    - Public Key Format
    - Serial Number
    - Enabled
  This field only displays certificates that are enabled in the certificate trust list. See also Certificate Trust List on page 633.
  CPPM Service Provider (SP) Metadata
    SP Metadata: 4. To download and view an XML file containing metadata for the Service Provider Uniform Resource Identifier (URI), click Download.
Table 117: Single Sign-On Identity Provider Configuration Settings (Continued)
  CPPM Service Provider (SP) Metadata
    SP Metadata section: 5. To download and view an XML file containing metadata for the Service Provider Uniform Resource Identifier (URI), click Download.
    The Metadata URI: 6. View the location of this metadata file.
Figure 203: Adding a Local User

3. Specify the Add Local User parameters as described in the following table, then click Add:

Table 118: Adding a Local User Parameters
  User ID: 1. Specify a user ID.
  Name: 2. Specify the name for the local user.
  Password/Verify Password: 3. Specify a password for the local user, then verify the password.
  Enable User: 4. You must select this check box to enable the local user account. Otherwise, the local user account is disabled.
Table 118: Adding a Local User Parameters (Continued)
  Role: 6. Select a static role to assign to the user from the Role drop-down list.
  Attributes: 7. To add attributes for the local user, click Click to add... A new row is created with a drop-down list in the Attribute column. This field is optional. By default, the drop-down list contains the following attributes:
    - Department
    - Designation
    - Email
    - Location
    - Phone
    - Sponsor
    - Title
    a.
Figure 204: Modifying a Local User

3. Modify any values as necessary in the Edit Local User dialog.
4. Click Save.

Importing and Exporting Local Users

You can import or export the admin user accounts by using the Import and Export All links at the top-right corner of the Local Users page. For more information, see Importing and Exporting Information on page 32. After selecting one or more user accounts from the list, you can also export specific user accounts by clicking the Export button.
Figure 205: Account Settings > Password Policy Settings Dialog

3. Specify the Password Policy parameters as described in Table 119.

Table 119: Password Policy Parameters
  Minimum Length: 1. Specify the minimum length required for the password.
  Complexity: 2. Select the complexity setting from the Complexity drop-down list.
Table 119: Password Policy Parameters (Continued)
  Expiry Days: 6. Set the password expiry time for the local users. The allowed range is 0 to 500 days. The default value is 0.
    NOTE: If the value is set to 0, the password never expires. For any other value, local users are forced to reset the expired password when they log in. W-ClearPass alerts users five days before the password expires.
  History: 7.
Figure 206: Disable Accounts Dialog

4. Specify the Disable Accounts parameters as described in Table 120, then click Save.

Table 120: Disable Accounts Parameters
  Days Exceed: 1. Specify the number of days before the account is disabled. The range is from 1 to 100 days.
  Date Exceeds: 2. Specify the date on which local users are disabled; accounts are disabled when the current date exceeds the configured date. The configured date can be either the current system date or a future date.
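The Expiry Days rule (0 means never expires, otherwise a forced reset at login with a five-day warning) and the two Disable Accounts settings above, modelled as an added example that is not part of the guide. The sample dates are constructed, and because the guide does not say what Days Exceed counts from, the example assumes days since the account's last login.

```python
from datetime import date, timedelta
from typing import Optional

EXPIRY_DAYS_RANGE = range(0, 501)    # Expiry Days: 0 to 500; 0 means the password never expires
EXPIRY_WARNING_DAYS = 5              # users are alerted five days before the password expires
DAYS_EXCEED_RANGE = range(1, 101)    # Disable Accounts > Days Exceed: 1 to 100 days


def password_status(set_on: date, expiry_days: int, today: date) -> str:
    """Classify a local user's password as 'valid', 'expiring' or 'expired'.

    'expired' means the user is forced to reset the password at the next login;
    'expiring' means the user is inside the five-day warning window.
    """
    if expiry_days not in EXPIRY_DAYS_RANGE:
        raise ValueError(f"Expiry Days must be 0-500, got {expiry_days}")
    if expiry_days == 0:
        return "valid"                        # 0 disables expiry entirely
    expires_on = set_on + timedelta(days=expiry_days)
    if today >= expires_on:
        return "expired"
    if (expires_on - today).days <= EXPIRY_WARNING_DAYS:
        return "expiring"
    return "valid"


def account_disabled(today: date, last_login: date,
                     days_exceed: Optional[int] = None,
                     disable_date: Optional[date] = None) -> bool:
    """Apply the two Disable Accounts settings; either one tripping disables the account.

    Assumption of this example: Days Exceed is counted from the account's last login
    (the guide does not state the reference point).
    """
    if days_exceed is not None:
        if days_exceed not in DAYS_EXCEED_RANGE:
            raise ValueError(f"Days Exceed must be 1-100, got {days_exceed}")
        if (today - last_login).days > days_exceed:
            return True
    if disable_date is not None and today > disable_date:   # current date "exceeds" the configured date
        return True
    return False


if __name__ == "__main__":
    set_on = date(2016, 1, 1)                 # constructed sample dates
    for today in (date(2016, 3, 20), date(2016, 3, 27), date(2016, 4, 1)):
        print(today, password_status(set_on, 90, today))
```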
- Manually Adding an Endpoint
- Modifying an Endpoint

For related information, see:
- Configuring Endpoint Context Server Actions on page 563
- Adding Vendor-Specific Endpoint Context Servers on page 568

Viewing List of Authentication Endpoints

W-Policy Manager automatically lists all authenticated endpoints in the Configuration > Identity > Endpoints page. The following figure shows an example of the Endpoints page.
Viewing Endpoint Authentication Details

To view the authentication details of an endpoint, select the endpoint by clicking its check box, then click the Authentication Records button on the Endpoints page. This displays the Endpoint Authentication Details page.

Figure 208: Endpoint Authentication Details

Triggering Actions Performed on Endpoints

To trigger actions that are performed on endpoints, select an endpoint by clicking its check box, then click the Trigger Server Action button on the Endpoints page.
The following table describes the Trigger Server Action page parameters:

Table 122: Trigger Server Action Page Parameters
  Server Action: Select the server action from the drop-down list. The list includes the following options:
    - Check Point Login
    - Check Point Logout
    - Fortinet Login
    - Fortinet Logout
    - Handle AirGroup Time Sharing
    - Nmap Scan
    - SNMP Scan
  Context Server: Enter a valid server name. You can enter an IP address or domain name.
The following table describes the Update Device Fingerprint page:

Table 123: Update Device Fingerprint Parameters
  Device Category: Select the built-in category that the profiled device belongs to. For example, Smartdevices, Access Points, Computer, VOIP phone, and so on.
  Device OS Family: Select the operating system configured on the device. For example, when the category is Computer, you can select Windows, Linux, or Mac OS X.
  Device Name: Enter the name of the device.
Table 124: Add Endpoint Page Parameters (Continued)
  used in role mapping rules using the Authentication:MacAuth attribute. You can use the Disabled status to block access to a specific endpoint. This status is set automatically when an endpoint is blocked from the Endpoint Activity table (in the Live Monitoring section).
  Attributes: Add custom attributes for this endpoint. Click the Click to add... row to add custom attributes. You can enter any name in the attribute field.
The following table describes the Edit Endpoint page parameters:

Table 125: Edit Endpoint Page Parameters
  MAC Address: Displays the MAC address of the endpoint.
  Description: Specifies the description that provides additional information about the endpoint.
  Status: Mark the status as Known client, Unknown client, or Disabled client. The Known and Unknown statuses can be used in role mapping rules using the Authentication:MacAuth attribute.
Table 125: Edit Endpoint Page Parameters (Continued)
  Host User Agent: Displays the host user agent of the endpoint. For example, Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0).
  Host OS Type: Displays the type of the host operating system. For example, Windows 8.
  Device Category: Displays the category of the device. For example, Computer.
  Device Family: Displays the operating system family of the endpoint. For example, Windows.
- For non-responsive services on the network (for example, printers or scanners), as an authentication source. Only static host lists of type MAC address are available as authentication sources.

Internal Relational Database

An internal relational database stores the W-ClearPass Policy Manager configuration data as well as locally configured user and device accounts.
Figure 214: Adding a Static Host List

3. Enter the parameters to add a static host list as described in Table 126.

Table 126: Add Static Host List Parameters
  Name: 1. Enter the name of the static host list.
  Description: 2. Enter a description that provides additional information about the static host list.
  Host Format: 3. Select a format for expressing the address:
    - Subnet
    - Regular Expression
    - List
  Host Type: 4.
Static Hosts Lists Configuration Summary

You can use the Summary tab to view the static host list's configuration information.

Figure 215: Static Hosts Lists Configuration Summary

Editing a Static Host List

To edit a static host list:

1. Navigate to the Configuration > Identity > Static Host Lists page. The Static Hosts Lists page opens.
2. Click the name of the static host list you want to edit. The Edit Static Host List dialog opens.

Figure 216: Edit Static Host List Dialog

3.
4. To export a static host list to a file, click the Export All link. For further details, see Importing and Exporting Information on page 32.

Configuring a Role and Role Mapping Policy

After authenticating a request, a Policy Manager service invokes its role mapping policy, which assigns one or more roles to the client. This role becomes the identity component of enforcement policy decisions.
Figure 217: Role Mapping Process

A role can be:
- Authenticated through predefined Single Sign-On rules.
- Associated directly with a user in the Policy Manager local user database.
- Authenticated based on predefined allowed endpoints.
- Associated directly with a static host list, again through role mapping.
- Discovered by W-Policy Manager through role mapping. Roles are typically discovered by W-Policy Manager by retrieving attributes from the authentication source.
Adding and Modifying Roles

Policy Manager lists all available roles in the Configuration > Identity > Roles page. The following figure displays the Roles page:

Figure 218: Roles Page

You can configure a role from within a role mapping policy (Add New Role), or independently from the Configuration > Identity > Roles > Add page. In either case, roles exist independently of an individual service and can be accessed globally through the role mapping policy of any service.
The following figure displays the Role Mappings page:

Figure 220: Role Mappings Page

When you click Add role mapping from any of these locations, Policy Manager displays the Role Mappings page, which contains the following three tabs:
- Policy Tab on page 260
- Mapping Rules Tab on page 261

Policy Tab

The Policy tab labels the method and defines the default role. The default role is the role that Policy Manager assigns if the mapping policy does not produce a match for a given request.
Table 128: Role Mappings - Policy Tab Parameters (Continued)
  a match.
  View Details: Click View Details to view the details of the default role.
  Modify: Click Modify to modify the default role.
  Add new Role: Click Add new Role to add a new role.

Mapping Rules Tab

The Mapping Rules tab selects the evaluation algorithm and lets you add, edit, remove, and reorder rules.
The following table describes the Role Mappings Page - Rules Editor page parameters:

Table 129: Role Mappings Page - Rules Editor Page Parameters
  Type: The rules editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries depending on context. (Refer to Namespaces on page 845.)
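The role mapping flow described in this section (ordered rules over Namespace:Attribute values, an evaluation algorithm, and a default role when nothing matches), as an added example that is not part of the guide or of Policy Manager itself. Authentication:MacAuth with the values Known/Unknown is the attribute the guide names; the Device:Category attribute, the role names, the operator set and the two evaluation algorithms (first match only versus collect all matches) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Comparison operators a rule condition may use (a deliberately small set, assumed).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "EQUALS": lambda actual, expected: actual == expected,
    "NOT_EQUALS": lambda actual, expected: actual != expected,
    "CONTAINS": lambda actual, expected: expected in actual,
}


@dataclass(frozen=True)
class Condition:
    """One 'Namespace:Attribute OPERATOR value' test from the rules editor."""
    attribute: str   # e.g. "Authentication:MacAuth" (the attribute named in the guide)
    operator: str
    value: str

    def matches(self, request: Dict[str, str]) -> bool:
        actual = request.get(self.attribute)
        if actual is None:          # attribute absent from the request: the condition fails
            return False
        return OPERATORS[self.operator](actual, self.value)


@dataclass(frozen=True)
class Rule:
    """All conditions of a rule must hold (logical AND) for the rule's role to apply."""
    conditions: Tuple[Condition, ...]
    role: str

    def matches(self, request: Dict[str, str]) -> bool:
        return all(c.matches(request) for c in self.conditions)


@dataclass(frozen=True)
class RoleMappingPolicy:
    default_role: str
    rules: Tuple[Rule, ...]
    # Evaluation algorithm (names assumed): stop at the first matching rule,
    # or collect the role of every matching rule.
    first_match_only: bool = True

    def evaluate(self, request: Dict[str, str]) -> List[str]:
        """Return the role(s) for a request, or the default role if no rule matches."""
        roles: List[str] = []
        for rule in self.rules:     # rules are evaluated in their configured order
            if rule.matches(request):
                roles.append(rule.role)
                if self.first_match_only:
                    break
        return roles if roles else [self.default_role]


# Constructed sample policy. Role names and "Device:Category" are hypothetical.
SAMPLE_POLICY = RoleMappingPolicy(
    default_role="Unknown-Device",
    rules=(
        Rule((Condition("Authentication:MacAuth", "EQUALS", "Known"),
              Condition("Device:Category", "EQUALS", "Computer")), "Managed-Computer"),
        Rule((Condition("Authentication:MacAuth", "EQUALS", "Known"),), "Known-Device"),
        Rule((Condition("Device:Category", "EQUALS", "Printer"),), "Printer"),
    ),
)

# Constructed sample requests, keyed by a label.
SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    "known-computer": {"Authentication:MacAuth": "Known", "Device:Category": "Computer"},
    "unknown-printer": {"Authentication:MacAuth": "Unknown", "Device:Category": "Printer"},
    "unknown-no-profile": {"Authentication:MacAuth": "Unknown"},
}


def map_roles(policy: RoleMappingPolicy = SAMPLE_POLICY) -> Dict[str, List[str]]:
    """Evaluate every sample request against the policy."""
    return {label: policy.evaluate(req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, roles in map_roles().items():
        print(f"{label}: {roles}")
    all_matches = RoleMappingPolicy(SAMPLE_POLICY.default_role, SAMPLE_POLICY.rules,
                                    first_match_only=False)
    print("known-computer, all matches:", all_matches.evaluate(SAMPLE_REQUESTS["known-computer"]))
```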
Chapter 6 Posture

This chapter provides the following information:
- Posture Architecture and Flow
- Unified Agent System Tray Status Icons
- Creating a New Posture Policy
- Configuring Posture Policy Agents and Hosts
- Configuring Posture Policy Plug-ins
- Configuring Posture Policy Rules
- Configuring Posture for Services
- Configuring Audit Servers

Posture Architecture and Flow

This section provides the following information:
- Posture Policy
- Audit Servers
- Assessing Client Consistency
Figure 224: Posture Evaluation Process

Assessing Client Consistency

W-ClearPass Policy Manager uses posture evaluation to assess client consistency with enterprise endpoint health policies, specifically with respect to:
- Operating system version/type
- Registry keys/services present (or absent)
- Antivirus/antispyware/firewall configuration
- Patch level of software components
- Peer-to-Peer (P2P) application checks
- Services to be running or not running
- Processes to be running or not running
- Infected. The client is infected and is a threat to other systems in the network; network access should be denied or severely restricted.
- Unknown. The posture token of the client is unknown.

System Token

Upon completion of all configured posture checks, W-Policy Manager evaluates all application tokens and calculates a system token, equivalent to the most restrictive rating among all returned application tokens. The system token provides the health posture component for input to the enforcement policy.
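The "most restrictive of all application tokens" rule above, carried through for a few of the health classes this chapter configures (Services, Processes, Firewall, AntiVirus), as an added example that is not code from the guide or from Policy Manager. The excerpt names only the Infected and Unknown tokens; the other token names, their ordering, which token each failed check yields, and the sample service and process names are assumptions of the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, Set


class PostureToken(IntEnum):
    """Posture tokens ordered from least to most restrictive.

    The guide excerpt names Infected and Unknown; the remaining names and this
    ordering are an assumption of the example. Unknown is ranked most restrictive
    so that a missing or unreadable result never improves the system token.
    """
    HEALTHY = 0
    CHECKUP = 1
    TRANSITION = 2
    QUARANTINE = 3
    INFECTED = 4
    UNKNOWN = 5


@dataclass
class EndpointReport:
    """Constructed snapshot of what a posture agent reports for one client."""
    running_services: Set[str]
    running_processes: Set[str]
    firewall_on: bool
    realtime_protection_on: bool


@dataclass
class HealthPolicy:
    """The subset of health-class settings this example evaluates."""
    services_to_run: Set[str] = field(default_factory=set)
    services_to_stop: Set[str] = field(default_factory=set)
    processes_to_be_absent: Set[str] = field(default_factory=set)
    require_firewall: bool = True
    require_realtime_protection: bool = True


# Each health class returns its own application token. Which token a failed
# check yields is an example policy choice, not a value taken from the guide.
def check_services(report: EndpointReport, policy: HealthPolicy) -> PostureToken:
    missing = policy.services_to_run - report.running_services
    forbidden = policy.services_to_stop & report.running_services
    return PostureToken.QUARANTINE if (missing or forbidden) else PostureToken.HEALTHY


def check_processes(report: EndpointReport, policy: HealthPolicy) -> PostureToken:
    # A process that must be absent is treated here as evidence of compromise.
    found = policy.processes_to_be_absent & report.running_processes
    return PostureToken.INFECTED if found else PostureToken.HEALTHY


def check_firewall(report: EndpointReport, policy: HealthPolicy) -> PostureToken:
    if policy.require_firewall and not report.firewall_on:
        return PostureToken.QUARANTINE
    return PostureToken.HEALTHY


def check_antivirus(report: EndpointReport, policy: HealthPolicy) -> PostureToken:
    # Real-time protection switched off needs attention but is not treated as an infection.
    if policy.require_realtime_protection and not report.realtime_protection_on:
        return PostureToken.CHECKUP
    return PostureToken.HEALTHY


HEALTH_CLASSES: Dict[str, Callable[[EndpointReport, HealthPolicy], PostureToken]] = {
    "Services": check_services,
    "Processes": check_processes,
    "Firewall": check_firewall,
    "AntiVirus": check_antivirus,
}


def application_tokens(report: EndpointReport, policy: HealthPolicy) -> Dict[str, PostureToken]:
    """Run every configured health class and collect one application token per class."""
    return {name: check(report, policy) for name, check in HEALTH_CLASSES.items()}


def system_token(tokens: Dict[str, PostureToken]) -> PostureToken:
    """The system token is the most restrictive of all application tokens."""
    if not tokens:                  # no checks ran: nothing is known about the client
        return PostureToken.UNKNOWN
    return max(tokens.values())


def evaluate(report: EndpointReport, policy: HealthPolicy) -> PostureToken:
    return system_token(application_tokens(report, policy))


# Constructed sample policy; service and process names are placeholders.
SAMPLE_POLICY = HealthPolicy(
    services_to_run={"example-endpoint-protection"},
    services_to_stop={"example-legacy-remote-shell"},
    processes_to_be_absent={"unwanted-tool.exe"},
)

if __name__ == "__main__":
    compliant = EndpointReport({"example-endpoint-protection"}, set(), True, True)
    print(evaluate(compliant, SAMPLE_POLICY).name)  # HEALTHY
```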
Table 130: Unified Agent System Tray Icons (Continued)
  OnGuard Status | Network Type | VPN Status
  Unhealthy | Trusted | Disconnected
  Healthy | Untrusted | Connected
  Healthy | Untrusted | Disconnected
  Unhealthy | Untrusted | Connected
  Unhealthy | Untrusted | Disconnected
  Healthy | N/A | Error
  Unhealthy | N/A | Error
  Logged Out: No Health Status | N/A | Error
  Error | Trusted | Connected
  Error | Trusted | Disconnected
  Error | Untrusted | Connected
  Error | Untrusted | Disconnected
  Error | No Profile | N/A
  Error | N/A | Error
Table 130: Unified Agent System Tray Icons (Continued)
  OnGuard Status | Network Type | VPN Status
  Logged Out: No Health Status | No Profile | N/A
  Logged Out: No Health Status | Trusted | Connected
  Logged Out: No Health Status | Untrusted | Disconnected

OnGuard-Only System Tray Icons

Table 131 describes the icons that indicate the possible states for OnGuard-only.
such as devices lacking adequate posture agents or supplicants. For more information on audit servers, see Configuring Audit Servers on page 327.

Creating a New Posture Policy

From the Posture Policies page, you can create a new policy or edit an existing policy. To create a new Posture Policy:

1. Navigate to Configuration > Posture > Posture Policies. The Posture Policies page displays a list of all existing posture policies.

Figure 225: Posture Policies Page

2. Click the Add link.
Configuring Posture Policy Agents and Hosts

This section provides the following information:
- Introduction
- NAP Agent Posture Plug-ins
- OnGuard Agent Posture Plug-ins

Introduction

To configure posture policy agents and hosts:

1. Navigate to Configuration > Posture > Posture Policies. The Posture Policies page displays a list of all existing posture policies.

Figure 227: Posture Policies Page

2. Click the Add link. The Posture Policies Add page appears.

Figure 228: Posture Policies Add Page

3.
Table 132: Add Posture Policy Parameters
  Policy Name: 1. Enter the name assigned to the policy by the W-ClearPass Policy Manager administrator.
  Description: 2. Specify a description that provides additional information about the posture policy.
  Posture Agent: 3. Select the posture agent type. For more information on these agents, see NAP Agent Posture Plug-ins on page 270 and OnGuard Agent Posture Plug-ins on page 270.
  Host Operating System: 4.
When you select the Posture Agent: OnGuard Agent (Persistent or Dissolvable), you can configure the posture plug-ins for:
- Windows (see Table 134)
- Macintosh OS X (see Table 135)
- Linux (see Table 136)

Table 134: OnGuard Agent Validator Posture Plug-in Windows OS Support
  Plug-in | Description | Windows Support
  W-ClearPass Windows Universal System Health Validator | The configurable parameter categories for this validator are Services, Processes, Registry Keys, AntiVirus, AntiSpyware, Firewall, Peer To
Table 135: OnGuard Agent (Persistent or Dissolvable) Posture Plug-ins for Mac OS X
  W-ClearPass Macintosh OS X Universal System Health Validator: The configurable parameter categories for this validator are:
    - Services
    - Processes
    - AntiVirus
    - AntiSpyware
    - Firewall
    - Patch Management
    - Peer-to-Peer
    - USB Devices
    - Virtual Machines
    - Network Connections
    - Disk Encryption
    - Installed Applications
    - File Check

Table 136: OnGuard Agent (Persistent or Dissolvable)
Figure 229: Posture Policies Page

2. Click Add. The Add Posture Policies page appears.
3. In the Policy tab, specify the following:
   - Policy Name
   - Description
   - Posture Agent
   - Host Operating System
4. Select the Posture Plugins tab. The Add Posture Plugins page appears.
- For Linux: W-ClearPass Linux Universal System Health Validator Plugin on page 304
- For Mac OS X: W-ClearPass Macintosh OS X Universal System Health Validator: OnGuard Agent on page 307

The following figure displays the Posture Policies - Posture Plugins tab:

Figure 231: OnGuard Agent Plugin Options for Mac OS X

ClearPass Windows Universal System Health Validator - OnGuard Agent

To configure the W-ClearPass Windows Universal System Health Validator (OnGuard Agent):

1.
2. In the Posture Plugins page, select the check box for ClearPass Windows Universal System Health Validator.
3. Click Configure. The ClearPass Windows Universal System Health Validator page is displayed:

Figure 234: ClearPass Windows Universal System Health Validator Page

4. Select the desired version of Windows.
5. To enable checks for the selected version, select the Enable checks for Windows Server check box.
Figure 235: Services Page

The following table describes the Services parameters:

Table 137: Services Page Parameters
  Auto Remediation: Enable to allow auto remediation for service checks (automatically stop or start services based on the entries in the Services to run and Services to stop configuration).
  User Notification: Enable to allow user notifications for service check policy violations.
Figure 236: Processes Configuration Page

The following table describes the Process configuration parameters:

Table 138: Process Page Parameters
  Auto Remediation: 1. Enable to allow auto-remediation for processes.
  User Notification: 2. Enable to allow user notifications in the event of process policy violations.
  Processes to be present/absent: 3. To add a process to either the Processes to be present or the Processes to be absent list, click Add.
Table 139: Process to be Present Page Parameters
  Process Location: 1. Choose from the following locations:
    - System Drive
    - Systemroot
    - Program Files
    - HOMEDRIVE
    - HOMEPATH
    - None
  Enter the Process name: 2. Specify the path name containing the process executable name.
  Enter the Display name: 3. Enter a user-friendly name for the process. This is displayed in end-user facing messages.
  4. Click Save.
The following table describes the Process to be Absent parameters:

Table 140: Process to be Absent Page Parameters
  Check Type: 1. Select the type of process check to perform. The agent can look for:
    - Process Name: The agent looks for all processes that match the given name. For example, if notepad.exe is specified, the agent kills all processes whose name matches, regardless of the location from which those processes were started.
Figure 240: Registry Keys Page (Overview)

The following table describes the Registry Keys page parameters:

Table 141: Registry Keys Page Parameters
  Auto Remediation: 1. Enable auto remediation for registry checks. Use this page to automatically add or remove registry keys based on the entries in the Registry keys to be present and Registry keys to be absent fields.
  User Notification: 2. Enable user notifications for registry check policy violations.
  Monitor Mode: 3.
Figure 241: Registry Keys Page (Detail)

2. Enter the Registry Keys - Detail parameters as described in Table 142.

Table 142: Registry Keys Page (Detail) Parameters
  Select the Registry Hive: 1. Specify the registry hive from the following options:
    - HKEY_CLASSES_ROOT
    - HKEY_CURRENT_USER
    - HKEY_LOCAL_MACHINE
    - HKEY_USERS
    - HKEY_CURRENT_CONFIG
  Enter the Registry key: 2. Specify the registry key using the examples given in the GUI.
  Enter the Registry value name: 3.
Table 142: Registry Keys Page (Detail) Parameters (Continued)
  Enter Regex pattern for Registry value: 6. Enter the regular expression (regex) pattern for the registry value. A regular expression is a pattern that the regular expression engine attempts to match in input text. A pattern consists of one or more character literals, operators, or constructs. NOTE: Perl regular expressions are supported.
  Enter Remediation Message: 7.
Click Add to specify product and version check information.

Figure 245: Antivirus Page (Detail 2)

After you save your Antivirus configuration, it appears in the Antivirus page list.
Table 143: Antivirus Page Parameters (Continued)
  Interface: (Detail 2)
  Parameters:
    - Product version check
    - Engine version check
    - Datafile version check
    - Data file has been updated in
    - Last scan has been done before
    - Real-time Protection Status Check
  Description: be available for some products. Where checks are not available, they are shown in a disabled state on the UI.
    - Select the antivirus product: Select a vendor from the list.
Figure 249: AntiSpyware Page (Detail 2)

Figure 250: AntiSpyware Page (Overview After)

When you save your AntiSpyware configuration, it appears in the AntiSpyware page list. The configuration elements are the same for antivirus and antispyware products. Refer to the previous AntiSpyware configuration instructions.

Firewall

In the Firewall page, you can specify that a Firewall application must be on and specify information about the Firewall application.
Figure 253: Firewall Page (Detail 2)

When you save your Firewall configuration, it appears in the Firewall page list.
The following figure displays the Peer To Peer health class configuration page:

Figure 255: Peer to Peer Page

The following table describes the Peer to Peer parameters:

Table 145: Peer to Peer Page Parameters
  Auto Remediation: Enable to allow auto remediation for service checks (automatically stop peer-to-peer applications based on the entries in the Applications to stop configuration).
Figure 257: Patch Management Page (Detail 1)

Click Add to specify the PM Product Name, Product Version, Status Check, and Install Level Check information.

Figure 258: Patch Management Page (Detail 2)

When you save your patch configuration, it appears in the Patch Management page list.

Figure 259: Patch Management Page (Overview - After)
The following table describes the Patch Management parameters:

Table 146: Patch Management Page Parameters
  Interface | Parameter | Description
  Patch Management Page | A patch management application is on |
  Patch Management Page | Auto Remediation |
  Patch Management Page | User Notification |
  Patch Management Page | Uncheck to allow any product |
  Patch Management Page (Detail 1) | Add |
  Patch Management Page (Detail 1) | Trashcan icon |
  Patch Management Page (Detail 2) | Product/Version |
Table 146: Patch Management Page Parameters (Continued)
    - Notify Before Install: The Patch Agent is turned on and will notify the user before installing updates.
  NOTE: The values specific to the selected product are displayed in the Status Check Type field. For example, all five values are displayed for Microsoft Windows Automatic Update. For SCCM, only No Check, Disabled, and Notify Before Install are displayed.
Table 146: Patch Management Page Parameters (Continued)
    - Scan Interval: Configure the time interval after which the OnGuard Agent should check for missing patches. You can configure the time period in hours, days, weeks, or months. The default scan interval is 1 hour. This field is disabled if you selected No Check from the Install Level Check Type field.
Figure 261: USB Devices

The following table describes the USB Devices parameters:

Table 148: USB Devices Parameters
  Auto Remediation: Enable to allow auto remediation for USB mass storage devices attached to the endpoint (automatically stop or eject the drive).
  User Notification: Enable to allow user notifications for USB devices policy violations.
  Remediation Action for USB Mass Storage Devices:
    - No Action: Take no action; do not eject or disable the attached devices.
The following table describes the Virtual Machines parameters:

Table 149: Virtual Machines Parameters
  Auto Remediation: Enable to allow auto remediation for virtual machines connected to the endpoint.
  User Notification: Enable to allow user notifications for virtual machine policy violations.
  Allow access to clients running on Virtual Machine: Enable to allow clients that are running on a VM to be accessed and validated.
Figure 263: Network Connections Configuration Page

4. Select the Check for Network Connection Types check box.
5. To specify the type of connection that you want to include, click Configure. The Network Connection Types configuration page appears.

Figure 264: Network Connection Types Configuration Page

The following table describes the Network Connection Types configuration parameters:
Table 150: Network Connection Type Configuration Parameters
  Allow Network Connections Type: 1. Select one of the following options:
    - Allow Only One Network Connection
    - Allow One Network Connection with VPN
    - Allow Multiple Network Connections
  Network Connection Types: 2. To add or remove the Others, Wired, and Wireless network connection types, click >> or <<.
  Remediation Action for Network Connection Types Not Allowed: 3.
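The Network Connection Types health class from Table 150, evaluated against an endpoint's active interfaces, as an added example that is not code from the guide or from the OnGuard agent. The three mode names and the Others/Wired/Wireless types come from the table; how each mode counts connections (whether a VPN tunnel counts toward the limit) and the sample interface names are assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, List, Tuple


class ConnectionType(Enum):
    WIRED = "Wired"
    WIRELESS = "Wireless"
    OTHERS = "Others"
    VPN = "VPN"


class ConnectionMode(Enum):
    """The three 'Allow Network Connections Type' options from Table 150."""
    ALLOW_ONLY_ONE = "Allow Only One Network Connection"
    ALLOW_ONE_WITH_VPN = "Allow One Network Connection with VPN"
    ALLOW_MULTIPLE = "Allow Multiple Network Connections"


@dataclass(frozen=True)
class Connection:
    name: str              # interface label (constructed)
    kind: ConnectionType


@dataclass(frozen=True)
class NetworkConnectionPolicy:
    mode: ConnectionMode
    allowed_types: FrozenSet[ConnectionType]   # types moved to the allowed list with >>


def evaluate_connections(policy: NetworkConnectionPolicy,
                         active: Iterable[Connection]) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons) for the endpoint's active connections.

    How the three modes count connections is an assumption of this example:
      ALLOW_ONLY_ONE      - at most one active connection of any kind, VPN included;
      ALLOW_ONE_WITH_VPN  - at most one non-VPN connection; VPN tunnels over it are fine;
      ALLOW_MULTIPLE      - no limit on the number of connections.
    In every mode, a non-VPN connection whose type is not in the allowed list fails.
    """
    active = list(active)
    reasons: List[str] = []
    for conn in active:
        if conn.kind is not ConnectionType.VPN and conn.kind not in policy.allowed_types:
            reasons.append(f"{conn.name}: connection type {conn.kind.value} is not allowed")
    non_vpn = [c for c in active if c.kind is not ConnectionType.VPN]
    if policy.mode is ConnectionMode.ALLOW_ONLY_ONE and len(active) > 1:
        reasons.append(f"{len(active)} connections active; only one is allowed")
    elif policy.mode is ConnectionMode.ALLOW_ONE_WITH_VPN and len(non_vpn) > 1:
        reasons.append(f"{len(non_vpn)} non-VPN connections active; only one is allowed")
    return (not reasons, reasons)


# Constructed sample: corporate wired and wireless are allowed, 'Others' is not.
SAMPLE_POLICY = NetworkConnectionPolicy(
    mode=ConnectionMode.ALLOW_ONE_WITH_VPN,
    allowed_types=frozenset({ConnectionType.WIRED, ConnectionType.WIRELESS}),
)
ETH = Connection("eth0", ConnectionType.WIRED)
WLAN = Connection("wlan0", ConnectionType.WIRELESS)
TUN = Connection("tun0", ConnectionType.VPN)
USB_MODEM = Connection("wwan0", ConnectionType.OTHERS)

if __name__ == "__main__":
    samples = {"wired+vpn": [ETH, TUN], "dual-homed": [ETH, WLAN], "modem": [ETH, USB_MODEM]}
    for label, conns in samples.items():
        print(label, evaluate_connections(SAMPLE_POLICY, conns))
```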
Figure 265: Disk Encryption Configuration Page

The following table describes the Disk Encryption parameters:

Table 152: Disk Encryption Parameters
  User Notification: Enable to allow user notifications for virtual machine policy violations.
  Product-specific checks: Clear to allow disk encryption on any product. The Select Disk Encryption product and Product Version is at least fields are disabled after you clear the check box.
In the Installed Applications Configuration page (see Figure 266), you can turn on the installed applications check and specify information about which installed applications you want to monitor.
Table 153: Installed Applications for Windows Configuration Page Parameters (Continued)
  Applications Allowed (Mandatory): 3. Specify installed applications to be monitored on a mandatory basis. NOTE: Enter the application names as they are shown in Add/Remove Programs.
  Applications Allowed (Optional): 4. Specify installed applications to be monitored on an optional basis. NOTE: Enter the application names as they are shown in Add/Remove Programs.
Table 154: Mandatory Applications Parameters
  Enter the Application Name: 1. Enter the name of the application.
  Enable Regular Expression: 2. Select this check box to enable the use of regular expressions in the Application Name. When this field is enabled, W-ClearPass treats the Application Name as a regular expression when comparing application names.
  Remediation Message: 3.
The following figure displays the File Check Health Class configuration page:

Figure 269: Windows File Check Health Class Configuration

The following table describes the File Check Configuration parameters:

Table 155: File Check Configuration Parameters
  Remediation checks: Auto-remediation for the File Check health class is not supported.
  User Notification: 1.
The following table describes the File Group to be Present > Add parameters:

Table 156: File Group to be Present - Add Parameters
  Enter the File Group Name: 1. Enter the name of the file group.
  File Group Evaluation Rule: 2. Select the appropriate File Group Evaluation Rule:
    - Pass All: Select this evaluation rule if you want the File Check health class to be deemed 'healthy' only if all the configured file groups are present.
The following table describes the File to be Present > Add parameters:

Table 157: File to be Present > Add Parameters
  File Location: 1. Select the location of the file from the drop-down list:
    - SystemDrive
    - Systemroot
    - ProgramFiles
    - ProgramFiles (x86)
    - HOMEDRIVE
    - HOMEPATH
    - None
  Enter the File Path: 2. Enter the file path as described in the examples in the user interface.
  Enter the File Name: 3. Enter the name of the file.
2. Click Add. The Add Posture Policies dialog appears. Specify the following:
   a. Policy Name: Enter the name of the posture policy.
   b. Posture Agent: OnGuard Agent
   c. Host Operating System: Windows
3. Click Next.
4. From the Posture Plugins tab, select Windows System Health Validator, then click the Configure button. The Windows System Health Validator page appears:

Figure 272: OnGuard Agent: Windows System Health Validator

5.
The following screen appears:
Figure 273: OnGuard Agent: Windows Security Health Validator Page
5. To enable support of specific operating systems, click the corresponding check box.
6. Enter the minimum Service Pack level required on the client computer to connect to your network.
7. Click Save.
W-ClearPass Linux Universal System Health Validator Plugin
The W-ClearPass Linux Universal System Health Validator plugin appears on the Posture Plugins (Configuration > Posture > Posture Policies > Add) tab.
The following table describes the Antivirus parameters:
Table 158: Antivirus Configuration Parameters
- Remediation checks: Auto-remediation for this health class is not supported.
- User Notification: A remediation message is displayed to the end user.
- Antivirus: Shows the name of the antivirus product configured. Click Add to configure the name of the antivirus product.
- Product Version: Shows the version of the antivirus product.
Table 159: Antivirus Product Configuration Parameters (Continued)
- Engine version check: Select the engine version check from the options: No Check, Is Latest, or In Last N Updates.
- Data file version check: Select the data file version check from the options: No Check, Is Latest, or In Last N Updates.
Services
The Services page provides a set of widgets for specifying services to run or stop.
W-ClearPass Macintosh OS X Universal System Health Validator: OnGuard Agent
To configure the W-ClearPass Universal System Health Validator for Macintosh OS X:
1. Navigate to Configuration > Posture > Posture Policies, then click Add. The Add Posture Policies dialog appears.
Figure 277: Adding a Universal System Health Validator for a Mac OS X Posture Policy
2. Specify the following:
a. Policy Name/Description: Enter the name and a description of the posture policy.
b. Posture Agent: Select OnGuard Agent.
Figure 279: Configuration Page: Mac OS X Universal System Health Validator
Enabling these check boxes displays a corresponding set of configuration pages, which are described in the following sections.
Figure 280: Services Health Class Configuration Page
Processes
From the Processes page, you can view and add processes. Clicking Enable checks for Mac OS X provides a set of components to specify the processes that must be explicitly present or absent on the system.
Figure 281: Processes Page
Click Add to open the page with options to configure the name, location, and display name of the processes.
Antivirus
In the Antivirus page, you can specify information about the antivirus application. Click An antivirus application is on to configure the antivirus application information. The following figure displays the Antivirus page:
Figure 283: Antivirus Page (Detail 1)
Click Add to specify product and version check information in the antivirus configuration page.
Figure 284: Antivirus Configuration Page (Detail 2)
When you save your antivirus configuration, it appears in the Antivirus page list.
In the Antispyware page, click An Antispyware Application is On to configure the configuration elements specific to the antispyware product that you select. When you save the antispyware configuration, it appears in the Antispyware page list.
Figure 286: Anti-Spyware Add Page
The configuration elements are the same for antivirus and antispyware products.
Firewall
From the Firewall page, click A Firewall Application is On to configure the firewall application information.
Figure 288: Firewall Add Page
When enabled, the Firewall detail page appears. See ClearPass Windows Universal System Health Validator OnGuard Agent on page 274 for firewall page and field descriptions.
Patch Management
From the Patch Management page, you can view and add the patch management product. Select A patch management application is on to configure auto-remediation and user notification features.
The following figure displays the Peer To Peer page:
Figure 291: Peer To Peer Page
USB Devices
Use this page to configure the Auto Remediation and User Notification parameters. From the Remediation Action for USB Mass Storage Devices drop-down, you can also select the remediation action to take for USB mass storage devices, including removing them.
Network Connections The Network Connections page provides configuration options to control network connections based on connection type. Enabling the Network Connection Check is on check box provides the options to specify the remediation checks or user notification.
Click A disk encryption application is on from the Disk Encryption page to configure the remediation options. Click Add to configure the product-specific encryption checks. Select the Uncheck to allow any product check box in the Product-specific checks field to restrict the check to the configured products; clear it to accept any encryption product when checking disk encryption.
The following table describes the Installed Applications for Mac OS X Configuration page parameters:
Table 161: Installed Applications for Mac OS X Configuration Page Parameters
- Remediation checks: Auto-remediation for the Installed Applications health class is not supported.
- User Notification: 1. Enable sending a remediation message, with a list of applications to install or uninstall, to the user.
- Monitor Mode: 2.
Figure 299: Enabling Regular Expression
4. Configure the Add Mandatory Applications parameters as described in Table 162.
Table 162: Add Mandatory Applications Parameters
- Enter the Application Name: 1. Enter the name of the application.
- Enable Regular Expression: 2. Check (enable) this check box to enable the use of regular expressions in the Application Name.
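As an added illustration of the Enable Regular Expression option (Tables 154 and 162), not code from this guide or from the OnGuard agent: the Python below compares a list of installed application names against mandatory-application entries with the flag off and on and builds the remediation list. The match semantics are assumptions for the example, an exact, case-sensitive comparison when the flag is off and an unanchored search (re.search) when it is on; the installed-application names are constructed sample data. The point it makes: an unanchored pattern such as Office also matches LibreOffice, so anchor patterns, and a literal product name that contains regex metacharacters must be escaped once the flag is on.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MandatoryApp:
    name: str            # "Enter the Application Name"
    regex: bool = False  # "Enable Regular Expression" check box


def app_matches(rule: MandatoryApp, installed_name: str) -> bool:
    """Compare one installed application name against one mandatory-application entry.

    Assumed semantics: exact match with the flag off, unanchored regex search with it on.
    """
    if not rule.regex:
        return rule.name == installed_name
    return re.search(rule.name, installed_name) is not None


def literal_pattern(name: str) -> str:
    """Escape a literal product name so it is safe to use with the regex flag enabled."""
    return re.escape(name)


def evaluate_mandatory(rules, installed):
    """Return (healthy, missing): healthy only if every mandatory entry matches an installed app."""
    missing = []
    for rule in rules:
        try:
            present = any(app_matches(rule, app) for app in installed)
        except re.error as exc:
            # An unescaped name such as "Foo (x64" is not a valid pattern; surface that as a
            # configuration error rather than silently marking every endpoint unhealthy.
            raise ValueError(f"invalid application pattern {rule.name!r}: {exc}") from None
        if not present:
            missing.append(rule.name)
    return not missing, missing


def remediation_message(missing) -> str:
    """Text for the User Notification / Remediation Message parameter."""
    if not missing:
        return ""
    return "Install the following application(s): " + ", ".join(missing)


# Constructed sample inventory, as an agent might report it (not real data).
INSTALLED = ["LibreOffice 7.6", "Google Chrome", "Notepad++",
             "Cisco AnyConnect Secure Mobility Client"]

if __name__ == "__main__":
    rules = [MandatoryApp("^Microsoft Office", regex=True),        # anchored: LibreOffice does not satisfy it
             MandatoryApp("Office", regex=True),                   # unanchored: LibreOffice does, probably unintended
             MandatoryApp(literal_pattern("Notepad++"), regex=True)]
    healthy, missing = evaluate_mandatory(rules, INSTALLED)
    print(healthy, remediation_message(missing))
```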
Figure 300: Regular Expression Enabled
File Check
From the File Check page, you can turn on the file check feature and specify the files you want to check. Use the File Check page to verify that a group of files is present or absent.
1. To open the File Group to be Present > Add page, click Add. You can configure the name of the file group and specify the evaluation rule for the file group. The following figure displays the File Group to Be Present > Add dialog:
Figure 302: Mac OS X File Group to Be Present > Add Dialog
The following table describes the File Group to Be Present > Add parameters:
Table 164: File Group to Be Present > Add Parameters
- Enter the File Group Name: 1.
The following table describes the File to Be Present > Add parameters:
Table 165: File to Be Present > Add Parameters
- File Location: 1. Select the location of the file from the drop-down list: Applications, UserBin, UserLocalBin, UserSBin, or None.
- Enter the File Path: 2. Enter the file path as described in the examples in the GUI.
- Enter the File Name: 3. Enter the name of the file.
The following figure displays the NAP Agent - Posture Plugins tab:
Figure 305: NAP Agent - Posture Plugins Options
Windows System Health Validator: NAP Agent
The Windows System Health Validator NAP (Network Access Protection) Agent checks the level of Windows Service Packs. To configure the minimum service pack level required, perform the following steps:
1. Navigate to Configuration > Posture > Posture Policies. The Posture Policies page appears.
2. Click Add.
Figure 307: Posture Plugins for Windows Health Validators
5. From the Posture Plugins tab, select Windows System Health Validator, then click the Configure button. The Windows System Health Validator page appears:
Figure 308: OnGuard NAP Agent: Windows System Health Validator
6. To enable support of specific Windows operating systems, click the corresponding check boxes.
7. Enable the Restrict clients...
Figure 309: Adding Windows Security Health Validator: NAP Agent Posture Policy
3. Specify the following:
a. Policy Name: Enter the name of the posture policy.
b. Posture Agent: Select NAP Agent.
c. Host Operating System: Select Windows.
4. Click Next. The Posture Policies > Posture Plugins page appears.
Figure 310: Selecting Posture Plugins for Windows Security Health Validator: NAP Agent
5. From the Posture Plugins page, select Windows Security Health Validator, then click Configure.
Figure 311: Windows Security Health Validator
7. To enable support of specific operating systems, click the corresponding check boxes.
8. Click Save. You return to the Posture Plugins page, where the status of the Windows Security Health Validator plugin is now Configured.
Configuring Posture Policy Rules
Once you have defined the posture hosts, agents, and plugins, you must configure the rules for the posture policy.
Figure 312: Posture Policy Rules Tab and Rules Editor
The following table describes the Rules Editor configuration parameters:
Table 166: Posture Policy Rules Editor Parameters
- Select Plugin Checks: Click to select one of the following plugin check types for System Health Validators (SHVs):
  - Passes all SHV checks
  - Passes one or more SHV checks
  - Fails all SHV checks
  - Fails one or more SHV checks
- Select Plugins: Select the plug-in to which the plug-in checks should apply.
- Dell hosted captive portal that performs posture checks through a dissolvable agent
The following figure displays an example of how to configure posture at the service level. The Posture Compliance check box must be selected on the Service tab in order for posture to be enabled.
Table 167: Posture Features at the Service Level (Continued)
- Remediation URL: This URL defines where to send endpoints for additional remediation information.
- Sequence of Posture Servers: Select a posture server, then select Move Up, Move Down, Remove, or View Details.
  - To add a previously configured posture server, select it from the Select drop-down list, then click Add.
Figure 314: Flow of Policy Manager Auditing Control
Default Audit Servers
When you configure an audit as part of a W-Policy Manager service, you can select the default Nessus (Nessus Server) or NMAP (Nmap Audit) configuration.
Adding Auditing to a Policy Manager Service
To configure an audit server for a new service:
1. Navigate to Configuration > Services. The Services page opens.
2. Select the Add link in the top-right corner. The Add Services dialog opens.
3.
The Add Services > Audit dialog opens.
Figure 315: Add Services > Audit Dialog
5. Complete the fields in the Add Services > Audit tab as described in Table 168, then click Save.
Table 168: Add Services > Audit Dialog Parameters
- Audit Server: Select a built-in server profile from the list:
  - Nessus Server: Performs vulnerability scanning and returns a Healthy/Quarantine result.
  - Nmap Audit: Performs network port scans. The health evaluation always returns a Healthy result. The port scan gathers attributes that allow determination of role(s) through post-audit rules.
Table 168: Add Services > Audit Dialog Parameters (Continued)
  - Do SNMP bounce: This option bounces the switch port or forces an 802.1X reauthentication (both done using SNMP). Bouncing the port triggers a new 802.1X/MAC authentication request by the client. If the audit server already has the posture token and attributes associated with this client in its cache, it returns the token and the attributes to Policy Manager.
Adding a Nessus Audit Server
W-ClearPass uses the Nessus audit server interface primarily to perform vulnerability scanning. It returns a result of Healthy or Quarantine. To add a Nessus audit server:
1. Navigate to Configuration > Posture > Audit Servers, then click Add. The Add Audit Servers dialog opens to the Audit tab.
Figure 317: Add Nessus Audit Server > Audit Tab
2. Specify the Nessus Audit Server > Audit tab parameters as described in Table 169.
Figure 318: Add Nessus Audit Server > Primary and Backup Server Tabs
3. Specify the Nessus Audit Server > Primary Server tab and Backup Server tab parameters as described in Table 170.
Table 170: Nessus Audit Server > Primary and Backup Server Tabs Parameters
- Backup: On the Backup Server dialog, for the backup server to be invoked on primary server failover, check the Enable to use backup when primary does not respond check box.
Modifying a Nessus Audit Server
To modify an existing Nessus audit server:
1. Navigate to Configuration > Posture > Audit Servers. The Audit Servers dialog opens.
Figure 319: Selecting a Nessus Audit Server
2. Select the Nessus audit server you wish to modify. The Edit Nessus Server dialog opens to the Summary tab, which displays the configuration settings for the selected Nessus server.
Figure 320: Edit Nessus Server > Summary Page
3. Make any necessary configuration changes, then click Save.
2. Restart the Nessus service. For example:
centos# service nessusd restart
3. If the external Nessus server has Transport Layer Security (TLS) enabled, add the Nessus CA certificate to the W-ClearPass Certificate Trust List (see Certificate Trust List on page 633). You can download the Nessus CA certificate from the Nessus server at: https://:8834/getcert
Nessus Scan Profiles
A scan profile contains a set of scripts (plugins) that perform specific audit functions.
Figure 322: Nessus Scan Profile Configuration - Profile Tab
- The Selected Plugins tab displays all selected plugins, plus any dependencies. To display a synopsis of any listed plugin, click its row.
Figure 323: Nessus Scan Profile Configuration Profile Tab - Plugin Synopsis
Of special interest is the section of the synopsis entitled Risks. To delete any listed plugin, click its corresponding trashcan icon. To change the vulnerability level of any listed plugin, click the link to change the level to one of HOLE, WARN, or INFO. This setting tells Policy Manager which vulnerability level causes the client to be assigned QUARANTINE status.
As an example of how plugins use this information, consider a plugin that must access a particular service in order to determine some aspect of the client's status; in such cases, login information might be among the preference fields.
Figure 326: Nessus Scan Profile Configuration - Preferences Tab
After saving the profile, plugin, and preference information for your new (or modified) scan profile, you can go to the Primary/Backup Servers tabs and select it from the Scan Profile drop-down list.
Table 171: Audit Tab Parameters
- Name: Enter the name of the NMAP audit server.
- Description: Optionally (recommended), enter a description of the Nmap audit server.
- Type: Select NMAP.
- In-Progress Posture Status: Specify the posture status to report while the audit is running.
- Default Posture Status: Select the posture status to return if evaluation does not produce a condition/action match.
NMAP Options Tab
You can use the NMAP Options tab to specify the type of scan configuration.
Table 172: NMAP Options Tab
- TCP Scan: Specify the type of TCP scan: TCP SYN scan (-sS), TCP Connect scan (-sT), TCP Null scan (-sN), TCP FIN scan (-sF), TCP Xmas scan (-sX), TCP ACK scan (-sA), TCP Window scan (-sW), or TCP Maimon scan (-sM). Refer to the Nmap documentation for more information on the TCP scan options. Nmap option: scanflags.
- UDP Scan: To enable UDP (User Datagram Protocol) scanning, check the UDP Scan check box. Nmap option: -sU.
- Service Scan: To enable service scanning, check the Service Scan check box.
Figure 329: All Audit Server Configurations > Rules Dialog
Table 173: All Audit Server Configurations > Rules Dialog Parameters
- Rules Evaluation Algorithm: Select first matched rule and return the role, or Select all matched rules and return a set of roles.
- Add Rule: When you add a rule, the Rules Editor opens. See below for details.
- Move Up/Down: Reorder the rules as necessary.
- Edit Rule: Opens the selected rule in Edit mode.
- Remove Rule: Removes the selected rule.
Table 174: All Audit Server Configurations > Rules Editor Parameters
- Conditions: The Conditions list includes the following dictionaries: Audit-Status, Device-Type, Output-Msgs, MAC-Vendor, Network-Apps, Open-Ports, and OS-Info. For more information, refer to Namespaces on page 845.
- Actions: The Actions list includes the names of the roles configured in W-Policy Manager.
- Save: To commit a Condition/Action pairing, click Save.
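The dictionaries in Table 174 are populated from the scan itself. As an added example (not ClearPass code), the Python below reads the XML that an Nmap run such as nmap -sS -sU -sV -O -oX - target produces, which is the scan configuration that Table 172 describes, and maps the first host to the Open-Ports, Network-Apps, OS-Info, MAC-Vendor and Device-Type dictionaries. The XML is a constructed, abridged sample, and the value formats (for example the port/protocol strings) are an assumption of the example, not the formats ClearPass stores. Two caveats are built in: a UDP port that Nmap reports as open|filtered is not evidence of a listener and is not counted as open, and OS matches are ranked by Nmap's accuracy value before the top one is used.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged sample of Nmap XML output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -O -oX - 10.1.2.3">
<host>
<status state="up"/>
<address addr="10.1.2.3" addrtype="ipv4"/>
<address addr="00:50:56:AB:CD:EF" addrtype="mac" vendor="VMware"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="445"><state state="closed"/></port>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
</ports>
<os>
<osmatch name="Linux 4.15" accuracy="90"><osclass type="general purpose" osfamily="Linux"/></osmatch>
<osmatch name="Linux 5.4 - 5.15" accuracy="95"><osclass type="general purpose" osfamily="Linux"/></osmatch>
</os>
</host>
</nmaprun>
"""


def audit_attributes(xml_text: str) -> dict:
    """Map the first host in Nmap XML to the audit dictionaries used by post-audit rules."""
    host = ET.fromstring(xml_text).find("host")
    if host is None:
        raise ValueError("scan output contains no <host> element")
    attrs = {"Open-Ports": [], "Network-Apps": [], "OS-Info": None,
             "MAC-Vendor": None, "Device-Type": None}
    for addr in host.findall("address"):
        if addr.get("addrtype") == "mac":
            attrs["MAC-Vendor"] = addr.get("vendor")
    for port in host.findall("./ports/port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # 'closed', 'filtered' and UDP 'open|filtered' are not confirmed listeners
        attrs["Open-Ports"].append(f"{port.get('portid')}/{port.get('protocol')}")
        svc = port.find("service")
        if svc is not None:
            detail = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            attrs["Network-Apps"].append(detail or svc.get("name"))
    # Nmap lists several OS guesses; rank by its accuracy value and use the best one.
    matches = sorted(host.findall("./os/osmatch"),
                     key=lambda m: int(m.get("accuracy", "0")), reverse=True)
    if matches:
        attrs["OS-Info"] = matches[0].get("name")
        osclass = matches[0].find("osclass")
        if osclass is not None:
            attrs["Device-Type"] = osclass.get("type")
    return attrs


if __name__ == "__main__":
    for key, value in audit_attributes(SAMPLE_NMAP_XML).items():
        print(f"{key}: {value}")
```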
Chapter 7 Configuring Enforcement Policy Manager controls network access by sending a set of access-control attributes to the request-originating Network Access Device (NAD). Policy Manager sends these attributes by evaluating an enforcement policy associated with the service. Each enforcement policy contains a rule or set of rules for matching conditions (role, posture, and time) to actions (enforcement profiles).
Figure 332: Add Enforcement Policy > Enforcement Tab
2. Specify the Add Enforcement Policy > Enforcement parameters as described in the following table:
Table 175: Add Enforcement Policy > Enforcement Tab Parameters
- Name: Enter the name of this enforcement policy.
- Description: Enter a useful description of this enforcement policy (recommended).
- Type: Select RADIUS, TACACS+, WebAuth (SNMP/CLI)/CoA, or Application.
4. Specify the Add Enforcement Policy > Rules tab parameters as described in the following table:
Table 176: Add Enforcement Policy (Rules Tab)
- Add/Edit Rule: Opens the Rules Editor to add or edit a rule.
- Move Up/Down: Reorder the rules in the enforcement policy.
- Remove Rule: Remove a rule.
Table 177: Add Enforcement Policy (Rules Editor)
- Conditions/Enforcement Profiles: Select conditions for this rule.
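The posture-policy Rules Editor (Table 166), the audit Rules dialog (Tables 173 and 174) and the enforcement-policy Rules tab (Tables 176 and 177) are all ordered condition/action rule sets evaluated with a first-matched or all-matched algorithm, with a default action when nothing matches. The Python below, an added example rather than ClearPass code, models that evaluation so the difference between the two algorithms, the effect of rule order, and the role of the default can be exercised offline. The attribute names (Tips:Role, Tips:Posture, Date:Day-of-Week), the operator names and the posture-token strings follow the ClearPass naming but are assumptions for the example; the sample attribute values and rules are constructed.

```python
from dataclasses import dataclass

# --- Posture policy rules (Table 166): aggregate per-plugin SHV results into a posture token ---
CHECK_TYPES = {
    "Passes all SHV checks":         lambda results: all(results),
    "Passes one or more SHV checks": lambda results: any(results),
    "Fails all SHV checks":          lambda results: not any(results),
    "Fails one or more SHV checks":  lambda results: not all(results),
}


def posture_token(rules, shv_results, default="UNKNOWN"):
    """rules: [(check_type, [plugin names], token)]; shv_results: {plugin: passed}. First match wins."""
    for check_type, plugins, token in rules:
        results = [shv_results[name] for name in plugins]
        if results and CHECK_TYPES[check_type](results):
            return token
    return default


# --- Condition/action rules (audit post-scan rules and enforcement policy rules) ---
OPERATORS = {
    "EQUALS":     lambda actual, expected: actual == expected,
    "NOT_EQUALS": lambda actual, expected: actual != expected,
    "CONTAINS":   lambda actual, expected: actual is not None and expected in actual,
    "BELONGS_TO": lambda actual, expected: actual in expected,
}


@dataclass(frozen=True)
class Rule:
    conditions: tuple   # ((attribute, operator, value), ...): all must hold
    actions: tuple      # roles (audit rules) or enforcement profiles (enforcement policy)


def evaluate_rules(rules, attrs, algorithm="first", default=()):
    """Return the actions selected by 'first' (first matched rule) or 'all' (union of matched rules).

    When no rule matches, the default action applies; rule order matters for 'first'.
    """
    selected = []
    for rule in rules:
        if all(OPERATORS[op](attrs.get(name), value) for name, op, value in rule.conditions):
            if algorithm == "first":
                return list(rule.actions)
            selected.extend(a for a in rule.actions if a not in selected)
    return selected or list(default)


# Constructed sample rules (assumed attribute and profile names, not a real policy) --------------
POSTURE_RULES = [
    ("Passes all SHV checks", ["Antivirus", "Firewall"], "HEALTHY"),
    ("Fails one or more SHV checks", ["Antivirus", "Firewall"], "QUARANTINE"),
]
AUDIT_RULES = [
    Rule((("Open-Ports", "CONTAINS", "80/tcp"),), ("Web Server",)),
    Rule((("OS-Info", "CONTAINS", "Linux"),), ("Linux Host",)),
]
WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday")
ENFORCEMENT_RULES = [
    Rule((("Tips:Posture", "EQUALS", "HEALTHY"), ("Tips:Role", "CONTAINS", "Employee"),
          ("Date:Day-of-Week", "BELONGS_TO", WEEKDAYS)), ("Employee VLAN",)),
    Rule((("Tips:Posture", "NOT_EQUALS", "HEALTHY"),), ("Quarantine VLAN",)),
]
DEFAULT_PROFILE = ("[Deny Access Profile]",)

if __name__ == "__main__":
    token = posture_token(POSTURE_RULES, {"Antivirus": True, "Firewall": False})
    request = {"Tips:Role": ["Employee"], "Tips:Posture": token, "Date:Day-of-Week": "Monday"}
    print(token, evaluate_rules(ENFORCEMENT_RULES, request, default=DEFAULT_PROFILE))
```

With the all-matched algorithm the audit rules return every role whose conditions hold, which is what a post-audit role assignment usually wants; an enforcement policy normally uses first-matched, so the quarantine rule must precede any permissive rule that does not test posture.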
- HTTP Based Enforcement on page 374
- RADIUS Based Enforcement on page 375
- RADIUS Change of Authorization (CoA) on page 377
- Session Restrictions Enforcement on page 381
- SNMP Based Enforcement on page 386
- TACACS+ Based Enforcement on page 387
- VLAN Enforcement on page 389
Adding an Enforcement Profile
To add an enforcement profile:
1. Navigate to Configuration > Enforcement > Profiles. The Enforcement Profiles page opens:
Figure 334: Enforcement Profiles Page
2.
The following table describes the default set of enforcement profiles included with W-Policy Manager:
Table 178: Default Enforcement Profiles
Profile: Available for the following enforcement types
- [Aerohive - Terminate Session]: RADIUS_CoA
- [AirGroup Personal Device]: RADIUS
- [AirGroup Response]: RADIUS
- [AirGroup Shared Device]: RADIUS
- [Allow Access Profile]: RADIUS
- [Allow Application Access Profile]: Application
- [Aruba TACACS read-only Access]: TACACS
- [Aruba TACACS root Access]: TACACS
- [Aruba Termin
Table 178: Default Enforcement Profiles (Continued)
- [TACACS Network Admin]: TACACS
- [TACACS Read-only Admin]: TACACS
- [TACACS Receptionist]: TACACS
- [TACACS Super Admin]: TACACS
- [Trapeze - Terminate Session]: RADIUS_CoA
- [Update Endpoint Known]: Post-Authentication
Modifying an Existing Enforcement Profile
To modify an existing enforcement profile:
1. Navigate to the Configuration > Enforcement > Profiles page.
2.
Table 179: Add Agent Enforcement > Profile Parameters
- Template: Select the template from the drop-down list. In this context, select Agent Enforcement.
- Name: Enter the name of the enforcement profile.
- Description: Optionally, enter a description of the enforcement profile (recommended).
- Type: This field is populated automatically with type Agent.
- Action: By default, this field is disabled. It is enabled only when the RADIUS type is selected.
Specify the Agent Enforcement > Attributes parameters as described in the following table:
Table 180: Agent Enforcement > Attributes Tab Parameters
- Attribute Name: Select one of the following attribute names:
  - Bounce Client: To terminate the network connection, set the value to True.
  - Message: Enter the message to display on the endpoint.
  - Enable to hide Retry button: To set this to True, check the check box.
- Role Configuration Tab on page 352
- Summary Tab on page 360
Profile Tab
Use the Profile tab to configure the template, type of the profile, and device group list.
Role Configuration Tab The fields on the Role Configuration tab require you to select a link to launch a new page where you set role configuration attributes. For example, adding a Captive Portal profile.
Table 182: Role Configuration - Attributes Page Parameters (Continued)
- Time Range Configuration: Select the Manage Time Ranges link to add, edit, and delete time range definitions.
- NAT Pool Configuration: Select the Manage NAT Pool link to add, edit, and delete NAT pool definitions.
- ACL Type: Select from the following ACL types: Ethertype, MAC, Session, or Stateless.
- ACL Name: Click the name of the ACL type. Click Add to move the ACL Name to the ACL field.
- Policer Profile: Click the Add Policer Profile link. Enter a name for the profile and configure the required attributes. The following figure displays the Add Policer Profile pop-up:
Figure 342: Add Policer Profile Pop-up
- QoS Profile: Click the Add QoS Profile link. Enter a name for the profile and configure the required attributes. The following figure displays the Add QoS Profile pop-up:
Figure 343: Add QoS Profile Pop-up
- VoIP Profile: Click the Add VoIP Profile link. Enter a name for the profile and configure the required attributes. The following figure displays the Add VoIP Profile pop-up:
Figure 344: Add VoIP Profile Pop-up
- NetService Configuration: Click the Manage NetServices link and configure the required attributes. The following figure displays the Manage NetServices pop-up:
Figure 345: Manage NetServices Pop-up
- NetDestination Configuration: Click the Manage NetDestinations link and configure the required attributes. The following figure displays the Manage NetDestinations pop-up:
Figure 346: Manage NetDestinations Pop-up
- Time Range Configuration: Click the Manage Time Ranges link and configure the required attributes. The following figure displays the Manage Time Ranges pop-up:
Figure 347: Time Range Configuration Pop-up
- NAT Pool Configuration: Use the NAT Pool Configuration page to configure the start and end of the source NAT range and associate them with session ACLs. The following figure displays the NAT Pool Configuration pop-up:
Figure 348: NAT Pool Configuration Pop-up
- ACL: Click the Add Stateless Access Control List link. Enter a name for the Stateless ACL. Click the Add Rule link on the General tab. Enter the required attributes in the Rule Configuration tab and click Save Rule or Cancel.
down list. For example, if you select the dual-nat action type, the Dual NAT Pool field is additionally displayed so that you can specify the action. Enter the required attributes in the Rule Configuration tab and click Save Rule or Cancel. The following figure displays the Session Access Control List Attributes pop-up:
Figure 350: Session Access Control List Attributes Pop-up
Click the Add Ethernet/MAC Access Control List link. Enter a name for the Ethernet/MAC ACL.
The following figure displays the Ethernet/MAC Access Control List Attributes pop-up:
Figure 351: Ethernet/MAC Access Control List Attributes Pop-up
Summary Tab
The Summary tab summarizes the parameters configured in the Profile and Role Configuration tabs.
- Summary Tab on page 362
Profile Tab
Use the Profile tab to configure the template, type of the profile, and device group list. The following figure displays the Aruba RADIUS Enforcement - Profile tab:
Figure 353: Aruba RADIUS Enforcement - Profile Tab
The following table describes the Aruba RADIUS Enforcement - Profile tab parameters:
Table 183: Aruba RADIUS Enforcement - Profile Tab Parameters
- Template: Select the template from the drop-down list.
Attributes Tab
Use the Attributes tab to configure the attribute type, name, and value for the enforcement profile.
Profile Tab
Use the Profile tab to configure the template, type of the profile, and device group list. The following figure displays the Cisco Downloadable ACL Enforcement - Profile tab:
Figure 356: Cisco Downloadable ACL Enforcement - Profile Tab
The following table describes the Cisco Downloadable ACL Enforcement - Profile parameters:
Table 185: Cisco Downloadable ACL Enforcement - Profile Tab Parameters
- Template: Select the template from the drop-down list.
The following table describes the Cisco Downloadable ACL Enforcement - Attributes parameters:
Table 186: Cisco Downloadable ACL Enforcement - Attributes Tab Parameters
- Type: Select one of the following attribute types: Radius:Aruba, Radius:IETF, Radius:Cisco, Radius:Microsoft, or Radius:Avenda. For more information, see RADIUS Namespaces on page 854.
- Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Profile Tab
Use the Profile tab to configure the template, type of the profile, and device group list. The following figure displays the Cisco Web Authentication Enforcement - Profile tab:
Figure 359: Cisco Web Authentication Enforcement - Profile Tab
The following table describes the Cisco Web Authentication Enforcement - Profile tab parameters:
Table 187: Cisco Web Authentication Enforcement - Profile Tab Parameters
- Template: Select the template from the drop-down list.
The following table describes the Cisco Web Authentication Enforcement - Attributes parameters:
Table 188: Cisco Web Authentication Enforcement - Attributes Tab Parameters
- Type: Select one of the following attribute types: Radius:Aruba, Radius:IETF, Radius:Cisco, Radius:Microsoft, or Radius:Avenda. For more information, see RADIUS Namespaces on page 854.
- Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Profile Tab
Use the Profile tab to configure the template, type of the profile, and device group list. The following figure displays the ClearPass Entity Update Enforcement - Profile tab:
Figure 362: ClearPass Entity Update Enforcement - Profile Tab
The following table describes the ClearPass Entity Update Enforcement - Profile tab parameters:
Table 189: ClearPass Entity Update Enforcement - Profile Tab Parameters
- Template: Select the template from the drop-down list.
The following table describes the ClearPass Entity Update Enforcement - Attributes tab parameters:
Table 190: ClearPass Entity Update Enforcement - Attributes Tab Parameters
- Type: Select one of the following attribute types: Endpoint, Expire-Time-Update, GuestUser, or Status-Update.
- Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Profile Tab
Use the Profile tab to configure the template, type of the profile, and device group list. The following figure displays the CLI Based Enforcement - Profile tab:
Figure 365: CLI Based Enforcement - Profile Tab
The following table describes the CLI Based Enforcement - Profile tab parameters:
Table 191: CLI Based Enforcement - Profile Tab Parameters
- Template: Select the template from the drop-down list. In this context, select CLI Based Enforcement.
The following table describes the CLI Based Enforcement - Attributes tab parameters:
Table 192: CLI Based Enforcement - Attributes Tab Parameters
- Attribute Name: Select Command or Target Device.
- Attribute Value: The options displayed for the Attribute Value depend on the selected Attribute Name.
Summary Tab
The Summary tab summarizes the parameters configured in the Profile and Attributes tabs.
The following table describes the Filter ID Based Enforcement - Profile tab parameters:
Table 193: Filter ID Based Enforcement - Profile Tab Parameters
- Template: Select the template from the drop-down list. In this context, select Filter ID Based Enforcement.
- Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
- Description: Enter a description of the profile.
The following table describes the Filter ID Based Enforcement - Attributes tab parameters:
Table 194: Filter ID Based Enforcement Profile - Attributes Tab Parameters
- Type: Select one of the following attribute types: Radius:Aruba, Radius:IETF, Radius:Cisco, Radius:Microsoft, or Radius:Avenda. For more information, see RADIUS Namespaces on page 854.
- Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
The following table describes the Generic Application Enforcement - Profile tab parameters:
Table 195: Generic Application Enforcement - Profile Tab Parameters
- Template: Select the template from the drop-down list. In this context, select Generic Application Enforcement.
- Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Summary Tab
The Summary tab summarizes the parameters configured in the Profile and Attributes tabs. The following figure displays the Generic Application Enforcement - Summary tab:
Figure 372: Generic Application Enforcement - Summary Tab
HTTP Based Enforcement
Use this page to configure profile and attribute parameters for the HTTP based enforcement profile.
Table 197: HTTP Based Enforcement Profile Tab Parameters (Continued)
- Action: Disabled.
- Device Group List: Select a device group from the drop-down list. The list displays all configured device groups; they are listed on the Device Groups page (Configuration > Network > Device Groups). After you add one or more device groups, you can select a group and take one of the following actions:
  - Click Remove to delete the selected Device Group List entry.
The following table describes the RADIUS Based Enforcement - Profile tab parameters:
Table 199: RADIUS Based Enforcement Profile Tab Parameters
- Template: Select the template from the drop-down list. In this context, select RADIUS Based Enforcement.
- Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
- Description: Enter a description of the profile.
The following table describes the RADIUS Based Enforcement - Attributes tab parameters:
Table 200: RADIUS Based Enforcement - Attributes Tab Parameters
- Type: Select one of the following attribute types: Radius:Aruba, Radius:IETF, Radius:Cisco, Radius:Microsoft, or Radius:Avenda. For more information, see RADIUS Namespaces on page 854.
- Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
The following table describes the RADIUS Change of Authorization (CoA) - Profile tab parameters:
Table 201: RADIUS Change of Authorization (CoA) Profile Tab Parameters
- Template: Select from: Cisco - Disable-Host-Port, Cisco - Bounce-Host-Port, Cisco - Reauthenticate-Session, HP - Change-VLAN, HP - Generic-CoA, Aruba - Change-User-Role, IETF - Terminate-Session-IETF, Aruba - Change-VPN-User-Role, or IETF - Generic-CoA-IETF.
- Type: Select one of the following attribute types: Radius
Attributes Tab
The following figure displays the RADIUS Change of Authorization (CoA) - Attributes tab:
Figure 378: RADIUS Change of Authorization (CoA) - Attributes Tab
The following table describes the RADIUS Change of Authorization (CoA) - Attributes tab parameters:
Table 202: RADIUS Change of Authorization (CoA) Attributes Tab Parameters
- RADIUS CoA Template Type: Select from: Cisco - Disable-Host-Port, Cisco - Bounce-Host-Port, Cisco - Reauthenticate-Session, HP - Change-VLAN,
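The CoA templates above (Cisco - Bounce-Host-Port, IETF - Terminate-Session-IETF and the rest) all produce RFC 5176 Disconnect-Request or CoA-Request packets that Policy Manager sends to the NAD, which the NAD must authenticate with the shared secret before it bounces a port or drops a session. As an added example, not ClearPass or NAD code, the Python below builds an IETF Disconnect-Request that identifies the session by User-Name, Calling-Station-Id and Acct-Session-Id, computes the Request Authenticator (RFC 5176 section 2.3) and the Message-Authenticator (RFC 3579 HMAC-MD5), verifies both as the NAD would, and builds and verifies the Disconnect-ACK. The shared secret, identifier and session attributes are constructed values. The Message-Authenticator is computed over the packet with both the authenticator field and the attribute value zeroed, which is the order FreeRADIUS uses for dynamic-authorization requests; a NAD that silently drops or NAKs an otherwise correct request is usually disagreeing on exactly this detail or on the secret.

```python
import hashlib
import hmac
import struct

# Packet codes (RFC 5176) and attribute types (RFC 2865, RFC 2866, RFC 2869) used here.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR = 1, 31, 44, 80
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-byte authenticator follows


def attr(atype: int, value: bytes) -> bytes:
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def iter_attrs(body: bytes):
    """Yield (type, value, offset) for each TLV; reject truncated or zero-length attributes."""
    i = 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        yield body[i], body[i + 2:i + body[i + 1]], i
        i += body[i + 1]


def split(packet: bytes):
    code, ident, length = HEADER.unpack_from(packet)
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    return code, ident, packet[4:20], packet[20:]


def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Disconnect-Request / CoA-Request with Message-Authenticator and Request Authenticator."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = HEADER.pack(code, ident, 20 + len(body))
    # Message-Authenticator: HMAC-MD5(secret, packet) with the authenticator field and the
    # attribute value both zeroed (the FreeRADIUS order for dynamic-authorization requests).
    ma = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = attrs + attr(MESSAGE_AUTHENTICATOR, ma)
    # Request Authenticator (RFC 5176 s2.3): MD5(Code+ID+Length+16 zero octets+Attributes+Secret).
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAD-side check: Request Authenticator first, then a present and correct Message-Authenticator."""
    code, ident, authenticator, body = split(packet)
    header = packet[:4]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        return False
    for atype, value, off in iter_attrs(body):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = body[:off + 2] + bytes(16) + body[off + 18:]
            calc = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(calc, value)
    return False  # this example refuses requests that carry no Message-Authenticator


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """ACK/NAK: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, req_auth, _ = split(request)
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Policy Manager side: the ACK/NAK must match the outstanding request's identifier and authenticator."""
    code, ident, resp_auth, body = split(response)
    _, req_ident, req_auth, _ = split(request)
    if ident != req_ident:
        return False
    expected = hashlib.md5(response[:4] + req_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def disconnect_request(ident: int, secret: bytes, user: str, mac: str, session_id: str) -> bytes:
    """Session identification attributes as an IETF Terminate-Session profile would carry them."""
    attrs = (attr(USER_NAME, user.encode()) + attr(CALLING_STATION_ID, mac.encode())
             + attr(ACCT_SESSION_ID, session_id.encode()))
    return build_request(DISCONNECT_REQUEST, ident, attrs, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = disconnect_request(7, secret, "alice", "00-11-22-33-44-55", "0000A1B2")
    ack = build_response(DISCONNECT_ACK, req, secret)
    print(len(req), verify_request(req, secret), verify_response(ack, req, secret))
```

The Request Authenticator alone is an MD5 keyed by the shared secret and offers weak integrity; the Message-Authenticator is what makes a forged or modified Disconnect-Request detectable, so a NAD should be configured to require it and the CoA port (UDP 3799 by default) should only accept traffic from the Policy Manager addresses.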
- Summary Tab on page 381
Profile Tab
The following figure displays the Session Notification Enforcement - Profile tab:
Figure 379: Session Notification Enforcement - Profile Tab
The following table describes the Session Notification Enforcement - Profile tab parameters:
Table 203: Session Notification Enforcement Profile Tab Parameters
Template: Select Session Notification Enforcement.
Name: Enter the name of the profile.
The following table describes the Session Notification Enforcement - Attributes tab:
Table 204: Session Notification Enforcement - Attributes Tab
Type: Select from:
- Session-Check
- Session-Notify
Palo Alto integration is extended to Guest MAC Caching use cases. Configure the following:
Session-Check::Username = %{Endpoint:Username}
NOTE: Post Auth sends the Guest username instead of the MAC Address in the user id updates.
The Enforcement Profiles page opens.
2. Click Add. The Add Enforcement Profiles > Profile tab opens.
3. From the Template drop-down, select Session Restrictions Enforcement. The Add Session Restrictions Enforcement > Profile dialog opens:
Figure 382: Add Session Restrictions Enforcement > Profile Tab
4.
Attributes Tab
The following figure displays the Session Restrictions Enforcement > Attributes tab:
Figure 383: Session Restrictions Enforcement Profile > Attributes Dialog
1. Specify the Session Restrictions Enforcement > Attributes parameters as described in Table 206:
Table 206: Session Restrictions Enforcement Attributes Parameters
Type: Select from the following attribute types:
- Bandwidth-Check
- Expiry-Check
- Post-Auth-Check
- Session-Check
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
- Type: Bandwidth-Check
  - Allowed-Limit: Defines the total bandwidth limit to be allowed per user or endpoint.
  - Check-Type: Defines the period/interval for bandwidth-based checks.
Table 206: Session Restrictions Enforcement Attributes Parameters (Continued)
  - Username: Defines the username for which session restrictions are enabled. Used when the client MAC address is to be defined as a username. For configuration examples, see the section below, Examples of Session-Check Enforcement Profile Configurations.
Value: The options displayed for the Value attribute depend on the Type and Name attributes that were selected.
  - Post-Auth-Check > Action = Disconnect
4. Session Duration: The User/Endpoint is allowed access to the network daily for three hours in a specified time period (between 9:00 a.m. and 5:00 p.m.
Table 207: SNMP Based Enforcement - Profile Tab Parameters (Continued)
Action: Disabled.
Device Group List: Select a Device Group from the drop-down list. The list displays all configured Device Groups. All configured device groups are listed in the Device Groups page: Configuration > Network > Device Groups. After you add one or more device groups, you can select a group and take one of the following actions:
- Click Remove to delete the selected Device Group List entry.
Profile Tab
The following figure displays the TACACS+ Based Enforcement - Profile tab:
Figure 386: TACACS+ Based Enforcement Profile Tab
The following table describes the TACACS+ Based Enforcement Profile - Profile tab parameters:
Table 209: TACACS+ Based Enforcement Profile Tab Parameters
Template: Select the template from the drop-down list. In this context, select TACACS+ Based Enforcement.
Name: Enter the name of the profile.
Services Tab
The following figure displays the TACACS+ Based Enforcement - Services tab:
Figure 387: TACACS+ Based Enforcement Services Tab
The following table describes the TACACS+ Based Enforcement Profile - Services tab parameters:
Table 210: TACACS+ Based Enforcement Services Tab Parameters
Privilege Level: Select a level between 0 and 15.
Selected Services: Select a service from the list and add it to the Selected Services: field.
The following table describes the VLAN Enforcement - Profile tab parameters:
Table 211: VLAN Enforcement - Profile Tab Parameters
Template: Select the template from the drop-down list. In this context, select VLAN Enforcement.
Name: Enter the name of the profile. The name is displayed in the Name column on the Configuration > Enforcement > Profiles page.
Description: Enter a description of the profile.
The following table describes the VLAN Enforcement - Attributes tab parameters:
Table 212: VLAN Enforcement Attributes Tab Parameters
Type: Select one of the following attribute types:
- Radius:Aruba
- Radius:IETF
- Radius:Cisco
- Radius:Microsoft
- Radius:Avenda
For more information, see RADIUS Namespaces on page 854.
Name: The options displayed for the Name attribute depend on the Type attribute that was selected.
Chapter 8 Configuring Policy Simulation
This chapter describes the following types of simulations:
- Active Directory Authentication Simulation
- Application Authentication Simulation
- Audit Simulation
- Chained Simulation
- Enforcement Policy Simulation
- RADIUS Authentication Simulation
- Role Mapping Simulation
- Service Categorization Simulation
After creating the policies, use the Policy Simulation utility in the Configuration > Policy Simulation page to evaluate those policies before
The Attributes tab is not available for this simulation type.
Adding an Active Directory Simulation
To add the RADIUS authentication server for the authentication test:
1. Navigate to the Configuration > Policy Simulation > Add page. The Add Policy Simulation dialog appears.
2. Enter the Name of the simulation.
3. From the Type drop-down list, select Active Directory Authentication.
The following figure displays the Active Directory Authentication Simulation dialog.
Table 215: Active Directory Authentication Results Tab Parameters
Summary: Displays the results of the Active Directory Authentication simulation.
Status: Displays the status message.
Application Authentication Simulation
This simulation tests authentication requests generated from W-ClearPass Guest.
Table 217: Application Authentication - Attributes Tab Parameters
Type: Select Application or select Application:ClearPass. See Application Namespace on page 846.
Name: The options displayed for the Name Attribute depend on the Type Attribute that was selected.
Value: The options displayed for the Value Attribute depend on the Type Attribute and Name Attribute that were selected.
The following figure displays the Audit Simulation tab:
Figure 396: Audit Simulation - Simulation Tab
The following table describes the Audit Simulation - Simulation tab parameters:
Table 219: Audit Simulation Tab Parameters
Audit Server: Select [Nessus Server] or [Nmap Audit].
Audit Host IP Address: Enter the host IP address of the audit host.
Chained Simulation Given the service name, authentication source, user name, and an optional date and time, the chained simulation combines the results of role mapping, posture validation and enforcement policy simulations and displays the corresponding results.
Figure 399: Chained Simulation Attributes Tab
The following table describes the Chained Simulation - Attributes tab parameters:
Table 222: Chained Simulation Attributes Tab Parameters
Type: Select the type of attributes from the drop-down list.
Results Tab
The following figure displays the Chained Simulation - Results tab:
Figure 400: Chained Simulation Results Tab
Table 223: Chained Simulation Results Tab Parameters
Summary: Provides the following information about the chained simulation:
- Status
- Roles
- System Posture Status
- Enforcement Profiles
Enforcement Policy Simulation
Given the service name (and the associated enforcement policy), a role or a set of roles, the system posture status, and an optional date and ti
Simulation Tab
The following figure displays the Enforcement Policy Simulation tab:
Figure 401: Enforcement Policy Simulation Tab
The following table describes the Enforcement Policy Simulation tab parameters:
Table 224: Enforcement Policy Simulation tab Parameters
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Enforcement P
Table 224: Enforcement Policy Simulation tab Parameters (Continued)
Values = [Local User Repository] or [Guest Device Repository] if you select Guest Operator Logins
Username: Enter username.
Roles:
Attributes tab
Enter the attributes of the policy component to be tested. The following figure displays the Enforcement Policy - Attributes tab:
Figure 402: Enforcement Policy Attributes Tab
Table 225: Enforcement Policy Attributes tab Parameters
Type: Select the type of attributes from the drop-down list.
Table 226: Enforcement Policy Results Tab Parameters
Deny Access: Displays the output of the Deny Access test.
Enforcement Profile: Displays the name of the Enforcement Profile.
RADIUS Authentication Simulation
This section provides the following information:
- Adding a RADIUS Authentication Simulation
- Setting the Attributes to Be Tested
- Viewing the Simulation Results
Dictionaries in the RADIUS namespace come prepackaged with the W-ClearPass Policy Manager.
Figure 404: RADIUS Authentication Simulation Details Dialog
4. Enter the values for each of the RADIUS Simulation parameters as described in Table 227.
Table 227: RADIUS Simulation Tab Parameters
Server: 1. Specify Local or Remote.
CPPM IP Address or FQDN: This field is displayed only if Remote Server is selected. 2. Enter the IP address or the fully qualified domain name (FQDN) of the remote W-ClearPass Policy Manager server.
Table 227: RADIUS Simulation Tab Parameters (Continued)
Authentication outer method: 6. Specify one of the following authentication outer methods:
- PAP
- CHAP
- MSCHAPv2
- PEAP: Authentication inner method: enabled. Select one of the following PEAP Authentication inner methods:
  - EAP-MSCHAPv2
  - EAP-GTC
  - EAP-TLS
- TTLS: Authentication inner method field: enabled.
To set the attributes to be tested:
1. From the Attributes tab, click Click to add. The Add Policy Simulation Attributes dialog opens.
2. From the Type drop-down, select the attribute Type.
Figure 405: Specifying Policy Simulation Attributes
3. Select the attribute Name.
4. Select the attribute Value.
5. Repeat these steps for each additional attribute you wish to add.
6. Click Save, or click Next to proceed to the Results tab.
NAS Type: Aruba Wired Switch Controller
Figure 407: NAS Type: Aruba Wired Switch Controller Attributes Tab
Table 229: NAS Type: Aruba Wired Switch Controller—Required Attribute Settings
Line 1:
- Type = Radius:IETF
- Name = NAS-Port-Type
- Value = Ethernet (15)
Line 2:
- Type = Radius:IETF
- Name = Service-Type
- Value = Login-User (1)
NAS Type: Cisco Wireless Switch
Figure 408: NAS Type: Cisco Wireless Switch Attributes
Table 230: NAS Type: Cisco Wireless Switch Required Attribute Settings
At
Figure 409: Results Tab
Table 231: RADIUS Authentication Results Tab Parameters
Summary: Displays a summary of the simulation.
Authentication Result: Displays the outcome of the Authentication test.
Details: Click this link to open a dialog that provides details about the Authentication test. You can take the following actions:
- Click the Summary, Input, or Output tabs.
- Click the Change Status, Show Logs, Export, or Close buttons.
Figure 410: Role Mapping Simulation Tab
Table 232: Role Mapping Simulation Tab Parameters
Service: Select from:
- [Policy Manager Admin Network Login Service]
- [AirGroup Authorization Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
- Guest Access
- Guest Access With MAC Caching
Role Mapping Policy: Field is disabled if you select:
- [Policy Manager Admin Network Login Service]
- [Aruba Device Access Service]
- [Guest Operator Logins]
Field is auto-filled with [Air
Attributes Tab
Enter the attributes of the policy component to be tested. The following figure displays the Role Mapping Simulation Attributes tab:
Figure 411: Role Mapping Simulation Attributes Tab
The following table describes the Role Mapping Simulation Attributes tab parameters:
Table 233: Role Mapping Simulation Attributes Tab Parameters
Type: Select the type of attributes from the drop-down list.
The following table describes the Role Mapping Simulation - Results tab parameters:
Table 234: Role Mapping Results Tab Parameters
Summary: Displays the results of the simulation.
Service Categorization Simulation
A service categorization simulation allows you to specify a set of attributes in the RADIUS or Connection namespace and test which configured service the request will be categorized into.
Table 236: Service Categorization Simulation Attributes Tab Parameters
Type: Select the type of attributes from the drop-down list.
Import and Export Simulations
Navigate to Configuration > Policy Simulation and select the Import link. The following figure shows an example of the Import from file page.
Figure 416: Import Simulations
Table 238: Import from file page Parameters
Select file: Browse to select the simulations file to import.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.
Chapter 9 W-ClearPass Policy Manager Profile
This chapter contains the following information:
- W-ClearPass Profile Overview
- About the Device Profile
- Endpoint Information Collectors
W-ClearPass Profile Overview
This section contains the following information:
- Introduction
- Enabling Endpoint Classification
- Configuring CoA for an Endpoint-Connected Device
- How W-ClearPass Profile Classifies Endpoints
- Fingerprint Dictionaries
- Viewing Live Endpoint Information for a Specific Devi
Figure 418: Enable Profile Option
3. If it is not already enabled, select the Enable this server for endpoint classification check box, then click Save.
Configuring CoA for an Endpoint-Connected Device
After profiling an endpoint, use the Profiler page to configure Change of Authorization (CoA) on the network device to which an endpoint is connected. The Profiler tab is not displayed by default. To access the Profiler tab:
1. Navigate to Configuration > Services, then click Add.
2.
Figure 420: Profiler Page
5. You can select a set of categories and a CoA profile to be applied when the profile matches one of the selected categories. CoA is triggered using the selected CoA profile. You can use any option from Endpoint Classification to invoke CoA on a change of any one of the fields (category, family, and name).
Table 240 describes the Profiler page parameters:
Table 240: Profiler Page Parameters
Endpoint Classification: 1.
d. DHCP
e. MAC OUI
Stage 2: Refining Results
W-ClearPass Policy Manager includes a set of rules that evaluates a device profile. The Rules engine uses all input attributes and device profiles from Stage 1. The resulting rule evaluation may or may not result in a profile. Stage 2 refines the results of profiling.
Example: With DHCP options, Stage 1 can identify an Android device. Stage 2 uses rules to combine this with the MAC OUI to further classify an Android device as Samsung Android or HTC Android.
Figure 422: Device Fingerprint Dictionary Attributes Page
3. To exit, click Close.
Viewing Live Endpoint Information for a Specific Device
The W-ClearPass Live Monitoring feature allows you to view endpoint information in graphic format for the device category, device family, and device name items you selected. You can also examine the endpoint details and attributes of a specific device. To access the Endpoint Profiler Live Monitoring information:
1.
3. To return to the Endpoint Profiler page, click Cancel.
For more information, see:
  - Profiler and Discovery: Endpoint Profiler on page 139
The Cluster Status Dashboard widget shows the basic distribution of device types. For more information, see:
  - Using the W-Policy Manager Dashboard on page 26
About the Device Profile
A device profile is a hierarchical model consisting of three elements that are derived from the endpoint attributes: DeviceCategory, DeviceFamily, and DeviceName.
- SNMP Configuration for Wired Network Profiling
- Information Regarding SSH and WMI Configuration
DHCP Collector
Dynamic Host Configuration Protocol (DHCP) attributes such as option 55 (parameter request list), option 60 (vendor class), and the options list from the Discover and Request packets can uniquely fingerprint most devices that use the DHCP mechanism to acquire an IP address on the network.
Combining this information with the MAC OUI, the W-ClearPass Profiler can classify a device as HTC™ Android, Samsung™ Android, or Motorola® Android, etc. The MAC OUI is also useful to profile devices such as printers that might be configured with static IP addresses.
ActiveSync Plug-in Collector
You can install the ActiveSync plug-in on Microsoft Exchange servers.
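As an added worked example (not code from this guide and not the ClearPass Profiler's own implementation), the following Python script walks the two-stage classification described in the Stage 2 section above and in the DHCP Collector section: Stage 1 parses option 55 and option 60 out of a DHCP Discover and matches them against a fingerprint table, and Stage 2 refines an Android match with the MAC OUI. The fingerprint entries, the OUI table and the packet itself are constructed for this example; none of them come from the ClearPass fingerprint dictionary or from the IEEE OUI registry. The parser also rejects a truncated option, which is the failure mode a collector reading untrusted packets has to handle.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTP_HEADER_LEN = 236  # fixed BOOTP fields that precede the magic cookie

# Stage 1 fingerprints: (option 55 list, option 60 vendor class) -> (category, family, name).
# Constructed for this example; these are not entries from the ClearPass fingerprint dictionary.
STAGE1_FINGERPRINTS = {
    ("1,3,6,15,26,28,51,58,59,43", "dhcpcd-5.5.6"): ("SmartDevice", "Android", "Android"),
    ("1,3,6,15,31,33,43,44,46,47,119,121,249,252", "MSFT 5.0"): ("Computer", "Windows", "Windows"),
}

# Constructed OUI table using locally administered prefixes, not real IEEE assignments.
OUI_VENDORS = {"02:AA:01": "HTC", "02:AA:02": "Samsung"}


def build_discover(mac: bytes, prl: bytes, vendor_class: bytes) -> bytes:
    """Build a minimal DHCP Discover (constructed test input): BOOTP header + options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, len(mac), 0, 0x12345678, 0, 0x8000,    # op, htype, hlen, hops, xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    options = (
        DHCP_MAGIC
        + bytes([53, 1, 1])                              # option 53: message type Discover
        + bytes([55, len(prl)]) + prl                    # option 55: parameter request list
        + bytes([60, len(vendor_class)]) + vendor_class  # option 60: vendor class identifier
        + bytes([255])                                   # end option
    )
    return header + options


def parse_discover(packet: bytes):
    """Return (client MAC as text, {option code: raw value}); ValueError on malformed input."""
    if len(packet) < BOOTP_HEADER_LEN + len(DHCP_MAGIC):
        raise ValueError("packet too short for a BOOTP header")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("hlen exceeds the chaddr field")
    mac = ":".join("%02X" % b for b in packet[28:28 + hlen])
    area = packet[BOOTP_HEADER_LEN:]
    if not area.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(area):
        code = area[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("truncated option header")
        length = area[i + 1]
        value = area[i + 2:i + 2 + length]
        if len(value) != length:   # the length byte promises more bytes than are present
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return mac, opts


def profile_endpoint(packet: bytes) -> dict:
    """Stage 1: match the DHCP fingerprint. Stage 2: refine an Android match with the MAC OUI."""
    mac, opts = parse_discover(packet)
    prl = ",".join(str(b) for b in opts.get(55, b""))
    vendor_class = opts.get(60, b"").decode("ascii", "replace")
    result = {"mac": mac, "category": None, "family": None, "name": None, "stage": 0}
    match = STAGE1_FINGERPRINTS.get((prl, vendor_class))
    if match is None:
        return result                      # no fingerprint: the endpoint stays unclassified
    result.update(zip(("category", "family", "name"), match))
    result["stage"] = 1
    oui_vendor = OUI_VENDORS.get(mac[:8])
    if result["family"] == "Android" and oui_vendor:
        result["name"] = "%s Android" % oui_vendor
        result["stage"] = 2
    return result


def is_malformed(packet: bytes) -> bool:
    """True when the parser rejects the packet (exercises the truncation check)."""
    try:
        parse_discover(packet)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("02AA01000001"),
                         bytes([1, 3, 6, 15, 26, 28, 51, 58, 59, 43]), b"dhcpcd-5.5.6")
    print(profile_endpoint(pkt))   # name 'HTC Android', stage 2
```

The Stage 1 key is the exact option 55 byte order plus the option 60 string, which is why two devices with the same operating system but different DHCP clients land in different dictionary rows; Stage 2 only rewrites the DeviceName and leaves the category and family from Stage 1 untouched.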
1. Navigate to Configuration > Network > Devices.
2. From the Network Devices screen, select the appropriate device for configuration. The Edit Device Details dialog appears.
3. Select the SNMP Read Settings tab.
Figure 424: Specifying SNMP v2 with Community Strings
a. If not already enabled, enable the Allow SNMP Read check box.
b. From the SNMP Read Setting drop-down, select SNMPv2 with community strings.
c. Enter the Community String value.
d.
Figure 425: Specifying the Device Info Poll Interval
5. In the Minutes field, enter the Device Info Poll Interval, then click Save.
Subnet Scan Collector
A network subnet scan discovers the IP addresses of devices in the network. The devices discovered in this way are further probed using SNMP to fingerprint and assign a profile to the device. Network subnets to be scanned are configured per W-Policy Manager Zone. This is particularly useful in deployments that are geographically distributed.
Figure 426: Profile Settings: Subnet Scans Dialog
2. In the Subnet Scans section, select a W-Policy Manager Zone by clicking Click to add. If W-Policy Manager Zones have not yet been set up, you can select the default zone, which allows you to proceed with the configuration procedure. After you select the Policy Manager Zone, the IP Subnet to Scan text field appears.
3.
Figure 428: Initiating an On-Demand Subnet Scan
2. Click On-Demand Subnet Scan. The Initiate On-Demand Subnet Scan dialog opens.
Figure 429: Initiate On-Demand Subnet Scan Dialog
3. To discover hosts, specify the IP subnets to be scanned in the Subnets to scan text field. Separate multiple subnets with commas.
4. Click Submit. The subnet scan progress is shown on the Profile Settings page. You can view the subnet scan events in the Monitoring > Event Viewer page.
2. Click the SNMP Configuration tab.
Figure 431: Profile SNMP Configuration Page
3. Click Add SNMP Configuration. The SNMP Configuration dialog appears.
Figure 432: Configuring SNMP Community Strings
4. Enter the following information in the SNMP Configuration dialog:
a. IP Subnets/IP Addresses: Enter one or more IP subnet addresses and their subnet masks. For multiple entries, separate the IP addresses with commas.
b. SNMP Version: From the drop-down, select the appropriate SNMP version.
c.
For Windows device discovery, specify WMI (Windows Management Instrumentation) credentials. For more information, see WMI Credentials Configuration on page 144.
Chapter 10 Network Access Devices
This chapter describes the following tasks that you can perform by using the W-Policy Manager user interface:
- Adding and Modifying Network Devices on page 430
- Adding and Modifying Device Groups on page 438
- Adding and Modifying Proxy Targets on page 440
- Configuring the Ingress Event Sources on page 678
Introduction
A W-Policy Manager device represents a Network Access Device (NAD) that sends network access requests to W-Policy Manager using the supported RAD
- Configure DHCP Relay on the network device to ensure that DHCP requests are forwarded from the clients. For more information, see DHCP Collector on page 421.
Adding and Modifying Network Devices
A Network Access Device (NAD) must belong to the global list of devices in the W-Policy Manager database in order to connect to W-Policy Manager using any of the supported protocols.
Device Parameters
Use the Add Device > Device tab to define the device name, IP address, RADIUS and TACACS+ shared secret, vendor name, and device attributes.
Figure 434: Add Device > Device Dialog
3. Enter the Add Device > Device parameters as described in Table 243:
Table 243: Add Device > Device Parameters
Name: Enter the name of the device.
IP Address or Subnet: Specify the IP address or the subnet of the device.
Table 243: Add Device > Device Parameters (Continued)
NOTE: RADIUS:IETF, the dictionary containing the standard set of RADIUS attributes, is always loaded. When you specify a vendor here, the RADIUS dictionary associated with this vendor is automatically enabled.
Enable RADIUS CoA: To set the UDP port on the device to send CoA (Change of Authorization) actions, enable RADIUS CoA (RFC 3576/5176) for this device. RADIUS CoA Port: The default value is 3799.
Table 244: Add Device > SNMP Read Settings Parameters
Allow SNMP Read: Toggle to enable or disable SNMP Read operations.
SNMP Read Setting: Specify the SNMP Read settings for the network device.
Table 244: Add Device > SNMP Read Settings Parameters (Continued)
Authentication Key: Specify the SNMP v3 with authentication option (SHA or MD5). NOTE: The EAP-MD5 authentication type is not supported if you run W-ClearPass Policy Manager in FIPS mode. NOTE: Authentication Key is available in SNMP v3 only.
Privacy Key: Specify the SNMP v3 with privacy option. NOTE: Available in SNMP v3 only.
Table 245: Add Device > SNMP Write Settings Parameters (Continued)
  - SNMP v2 with community strings
  - SNMP v3 with no Authentication
  - SNMP v3 with Authentication using MD5 and no Privacy
  - SNMP v3 with Authentication using MD5 and with Privacy
  - SNMP v3 with Authentication using SHA and no Privacy
  - SNMP v3 with Authentication using SHA and with Privacy
NOTE: The MD5 authentication type is not supported if you use W-ClearPass Policy Manager in FIPS mode.
Table 246: Add Device > CLI Parameters
Allow CLI Access: Toggle to enable or disable CLI access.
Access Type: Select SSH or Telnet. W-Policy Manager uses the selected access method to log into the device CLI.
Port: Specify the SSH or Telnet TCP port number.
Username: Enter the username to log into the CLI.
Password: Enter the password to log into the CLI.
Username Prompt Regex: Specify the regular expression for the username prompt.
Figure 438: Add Device > OnConnect Enforcement Dialog
2. Enter the OnConnect Enforcement parameters as described in Table 247.
Table 247: Add Device > OnConnect Enforcement Parameters
Enable: Select this check box to enable W-ClearPass OnConnect on the network access device being added.
Zone: From the Zone drop-down, select the zone assigned to the network device that is being added. OnConnect Enforcement is triggered when a trap from a NAD is received by a W-ClearPass node.
1. Click Export.
2. In the Export to File page, specify a file path, then click Export.
3. In the Export to File page, you can choose to encrypt the exported data with a key. This protects data such as the shared secret from being visible in the exported file. To import it back, you specify the same key with which you exported.
Exporting a Single Device
To export a single device from the configuration:
1. Select it (using the check box on the left).
2. Click Export.
3.
To add a device group, click Add at the top-right corner of the Network Device Groups page. Complete the fields in the Add New Device Group page as described in the following figure:
Figure 440: Add New Device Group Page
The following table describes the Add New Device Group page parameters:
Table 248: Add New Device Group Page
Name: Enter the name of the device group.
Description: Enter the description that provides additional information about the device group.
Table 248: Add New Device Group Page (Continued)
Subnet: Enter a subnet consisting of the network address and the network suffix (CIDR notation). For example, 192.168.5.0/24.
Regular Expression: Specify a regular expression that represents all IPv4 addresses matching that expression. For example, ^192(.[0-9]*){3}$.
List: Available/Selected Devices: Use the widgets to move device identifiers between Available and Selected.
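As an added example (not code from this guide), the following Python snippet checks candidate device identifiers against the two Device Group criteria shown in Table 248: the CIDR subnet 192.168.5.0/24 and the regular expression ^192(.[0-9]*){3}$. It also evaluates a tightened pattern, which is an assumption of this example rather than a setting from the guide, to show that the unescaped dot in the documented expression matches any character, so strings that are not IPv4 addresses also satisfy it. The sample identifiers are constructed. A group definition looser than intended can admit a device the operator did not mean to include, so it is worth testing an expression against non-addresses before relying on it for enforcement.

```python
import ipaddress
import re

SUBNET = "192.168.5.0/24"                    # CIDR example from Table 248
REGEX_FROM_PAGE = r"^192(.[0-9]*){3}$"       # regex example from Table 248; '.' is unescaped
REGEX_TIGHTENED = r"^192(\.[0-9]{1,3}){3}$"  # assumption: escaped dot, 1 to 3 digits per octet


def is_ipv4(candidate: str) -> bool:
    """True only for a syntactically valid dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(candidate)
    except ValueError:
        return False
    return True


def in_subnet(ip: str, cidr: str) -> bool:
    """True if ip lies inside the CIDR block; strict=False tolerates host bits in the prefix."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(candidate: str, pattern: str) -> bool:
    """Whole-string match, as a group expression is applied to the whole identifier."""
    return re.fullmatch(pattern, candidate) is not None


def classify(candidate: str) -> dict:
    """Evaluate one identifier against the subnet and against both regular expressions."""
    valid = is_ipv4(candidate)
    return {
        "valid_ipv4": valid,
        "in_subnet": valid and in_subnet(candidate, SUBNET),
        "page_regex": matches(candidate, REGEX_FROM_PAGE),
        "tight_regex": matches(candidate, REGEX_TIGHTENED),
    }


# Constructed identifiers: two addresses (one inside and one outside the subnet)
# and two strings that are not IPv4 addresses at all.
SAMPLES = ["192.168.5.1", "192.168.6.7", "192x168x5x1", "192.168.5.1000"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample))
```

The two non-address strings are accepted by the page's expression and rejected by the tightened one; the subnet check is independent of either expression and is the criterion to prefer when the devices really do share an address block.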
The following figure displays the Add Proxy Target pop-up:
Figure 442: Add Proxy Target Pop-up
The following table describes the Add Proxy Target pop-up parameters:
Table 249: Add Proxy Target pop-up
Name: Enter the name of the proxy target.
Description: Enter the description that provides additional information about the proxy target.
Hostname/Shared Secret: Specify the RADIUS hostname and shared secret.
Figure 443: Adding an Event Source
3. Populate the Add Event Source parameters as described in Table 250.
Table 250: Configuring the Event Source Parameters
Name: 1. Enter the IP address of the device that will send Syslog events to W-ClearPass.
Description: Optionally, enter a description of this Event Source.
IP Address: 2. Enter the IP address of the device that will send Syslog events to W-ClearPass.
Type: 3. From the drop-down, select the Event Source Type.
Chapter 11 Administration
All administrative activities including server configuration, log management, certificate and dictionary maintenance, portal definitions, and administrator user account maintenance are done from the following Administration menus:
- W-ClearPass Portal
  - W-ClearPass Guest Portal on page 444
- Users and Privileges
  - Managing Admin Users on page 445
  - Managing Admin Privileges on page 449
- Server Manager
  - Server Configuration on page 457
  - Log Configurati
W-ClearPass Guest Portal
The W-ClearPass Guest Portal lets you customize the content for your enterprise. Navigate to the Administration > W-ClearPass Portal page. The following figure displays the W-ClearPass Guest Portal page:
Figure 445: W-ClearPass Guest Portal
The following table describes the W-ClearPass Guest Portal parameters:
Table 251: W-ClearPass Guest Portal Parameters
Select Option: 1.
Table 251: W-ClearPass Guest Portal Parameters (Continued)
Top section: 4. Click and enter the text to appear as the header in the default landing page.
Bottom section: 5. Click and enter the text to appear as the footer in the default landing page.
Copyright: 6. Click and enter the copyright text to appear in the default landing page. 7. Click Save.
Both the HTTP and HTTPS protocols are supported for Guest Portal redirection.
The Edit Admin User dialog opens.
Figure 447: Changing the Administration Password
3. Change the administration password, then click Save.
Adding an Admin User
To add a new admin user:
1. Navigate to Administration > Users and Privileges > Admin Users.
2. Click the Add link at the top-right corner of the page. The Add Admin User dialog opens.
Figure 448: Adding an Admin User
3.
Table 252: Adding an Admin User Parameters (Continued)
Enable User: 4. You must select this check box to enable the admin user account (it is enabled by default). Otherwise, the admin user account is disabled.
Privilege Level: 5.
3. Specify the Password Policy parameters as described in Table 253, then click Save:
Table 253: Password Policy Parameters
Minimum Length: 1. Specify the minimum length required for the password.
Complexity: 2. Select the complexity setting from the Complexity drop-down list.
Figure 450: Admin Users > Disable Accounts Dialog
4. Specify the Disable Accounts parameters as described in Table 254, then click Save.
Table 254: Admin Users > Disable Accounts Parameters
Failed attempts count: 1. Specify the number of failed log-in attempts that are allowed before the account is disabled. The range is from 1 to 100 attempts.
Reset failed attempts count: 2.
Customized administrator privileges are defined in an XML file with a specific format and then imported into W-ClearPass Policy Manager on the Admin Privileges page. Defining Custom Admin Privileges When a different set of admin privileges is needed (for example, if you require different admin privileges for the Report module than the admin privileges defined for the other Insight modules), you must create a new admin privileges administrator.
Table 255: Add Admin Privileges Parameters: Basic Information Tab
Name: 1. Enter the name of the Admin Privileges administrator.
Description: 2. Provide a description of this new admin privileges administrator.
Access Type: 3. Select one of the following Access Types:
  - Give full access to the Admin
  - Give UI access to the Admin
  - Give API access to the Admin
Allow Passwords: 4. Select this check box if you want to allow password access.
Figure 454: Specifying Insight Admin Privileges
2. Specify the admin privileges for each of the Insight modules, then click Save.
Creating Custom Administrator Privileges
To create a custom admin privilege XML file, you must use a plain text or XML editor. Do not use word processing applications such as Microsoft Word, which introduce tags and corrupt the XML file. To create a custom administrator privilege:
1. Create an XML file that defines a privilege.
2. Store the new file.
3.
You can have one or more AdminTask tags inside the AdminPrivilege tag. Each AdminTask tag defines a place within the W-ClearPass Policy Manager application that a user with that privilege can view or change. The AdminTask tag contains one taskid attribute and a single AdminTaskAction tag. The AdminTaskAction tag contains an attribute, type, which can take the value RO (read only) or RW (read/write).
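As an added example (not the guide's sample file and not ClearPass code), the following Python script parses a custom privilege file built from the tags described above and checks the constraints the text states: one or more AdminTask elements, each with a taskid attribute and exactly one AdminTaskAction child whose type is RO or RW. The sample XML is constructed here; that AdminPrivilege is the document root and carries a name attribute is an assumption of this example. The task IDs it checks against are a subset of those listed in Table 256, and the review step flags read/write grants on the Admin Users and Admin Privileges areas, since a holder of those can alter other administrators' access.

```python
import xml.etree.ElementTree as ET

# Subset of the task IDs from Table 256; used to reject unknown identifiers before import.
KNOWN_TASK_IDS = {
    "con.id.lu": "Local Users",
    "con.id.ep": "Endpoints",
    "con.id.rs": "Roles",
    "adm.us.au": "Admin Users",
    "adm.us.ap": "Admin Privileges",
    "adm.mg.sc": "Server Configuration",
}

# Read/write on these areas lets the holder change who is an administrator and what they may do.
ADMIN_MANAGEMENT_IDS = {"adm.us.au", "adm.us.ap"}

# Constructed sample. Assumption: AdminPrivilege is the root element and has a name attribute.
SAMPLE_XML = """<AdminPrivilege name="endpoint-and-local-user-rw">
  <AdminTask taskid="con.id.lu">
    <AdminTaskAction type="RW"/>
  </AdminTask>
  <AdminTask taskid="con.id.ep">
    <AdminTaskAction type="RW"/>
  </AdminTask>
</AdminPrivilege>
"""


def parse_privilege(xml_text: str) -> dict:
    """Return {taskid: 'RO' | 'RW'}; raise ValueError when the structure departs from the rules."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc)
    if root.tag != "AdminPrivilege":
        raise ValueError("root element must be AdminPrivilege, got %s" % root.tag)
    tasks = root.findall("AdminTask")
    if not tasks:
        raise ValueError("AdminPrivilege needs at least one AdminTask")
    grants = {}
    for task in tasks:
        taskid = task.get("taskid")
        if not taskid:
            raise ValueError("AdminTask without a taskid attribute")
        if taskid in grants:
            raise ValueError("taskid %s listed twice" % taskid)
        actions = task.findall("AdminTaskAction")
        if len(actions) != 1:
            raise ValueError("AdminTask %s must contain exactly one AdminTaskAction" % taskid)
        access = actions[0].get("type")
        if access not in ("RO", "RW"):
            raise ValueError("AdminTaskAction type for %s must be RO or RW" % taskid)
        grants[taskid] = access
    return grants


def review_grants(grants: dict) -> list:
    """List the points a reviewer would raise before importing the file."""
    findings = []
    for taskid, access in grants.items():
        if taskid not in KNOWN_TASK_IDS:
            findings.append("unknown taskid %s" % taskid)
        elif access == "RW" and taskid in ADMIN_MANAGEMENT_IDS:
            findings.append("RW on %s (%s) allows changing other admins' access"
                            % (taskid, KNOWN_TASK_IDS[taskid]))
    return findings


def is_rejected(xml_text: str) -> bool:
    """True when parse_privilege refuses the document (helper for the checks below)."""
    try:
        parse_privilege(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    grants = parse_privilege(SAMPLE_XML)
    print(grants, review_grants(grants))  # {'con.id.lu': 'RW', 'con.id.ep': 'RW'} []
```

Running such a check before importing a hand-written privilege file catches a mistyped taskid (which would silently grant nothing) and makes an unintended RW grant on an administration area visible at review time rather than after the privilege is assigned.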
Table 256: Administrator Privileges and IDs (Continued)
Area (W-ClearPass Policy Manager Menu): Task ID
- Data Filters: mon.df
Configuration: con
- Start Here (Services Wizard): con.sh
- Services: con.se
- Service Templates: con.st
- Authentication: con.au
  - Methods: con.au.am
  - Sources: con.au.as
- Identity: con.id
  - Single Sign-On: con.id.sso
  - Local Users: con.id.lu
  - Endpoints: con.id.ep
  - Static Host Lists: con.id.sh
  - Roles: con.id.rs
  - Role Mappings: con.id.
Table 256: Administrator Privileges and IDs (Continued)
Area (W-ClearPass Policy Manager Menu): Task ID
  - Proxy Targets: con.nw.pr
- Policy Simulation: con.ps
- Profile Settings: con.prs
Administration: adm
- User and Privileges: adm.us
  - ClearPass Portal: adm.po.cp
  - Admin Users: adm.us.au
  - Admin Privileges: adm.us.ap
- Server Manager: adm.mg
  - Server Configuration: adm.mg.sc
  - Log Configuration: adm.mg.ls
  - Local Shared Folders: adm.mg.sf
  - Licensing: adm.mg.
Table 256: Administrator Privileges and IDs (Continued)
Area (W-ClearPass Policy Manager Menu): Task ID
  - RADIUS: adm.di.rd
  - Posture: adm.di.pd
  - TACACS+ Services: adm.di.td
  - Fingerprints: adm.di.df
  - Attributes: adm.di.at
  - Applications: adm.di.ad
- Agents and Software Updates: adm.po
  - OnGuard Settings: adm.po.aas
  - Software Updates: adm.po.es
- Support: adm.su
  - Contact Support: adm.su.cs
  - Remote Assistance: adm.su.ra
  - Documentation: adm.su.
The following sample provides Read/Write access only to Guest, Local and Endpoint Repository:

- Make Subscriber on page 517
- Collect Logs on page 518
- Backup on page 519
- Restore on page 520
- Shutdown/Reboot on page 523
- Drop Subscriber on page 523

You can perform numerous server configuration tasks by navigating to the Administration > Server Manager > Server Configuration page in W-ClearPass Policy Manager.
Figure 456: Time Zone Settings

Synchronizing Cluster Password

Use the Synchronize Cluster Password link to synchronize the password of the selected node with the cluster. Synchronizing the cluster password changes the appadmin password for all the nodes in the cluster.
Figure 458: Promote to publisher

Joining a Server Back to Cluster

Use the Join server back to cluster link to join a server back to the cluster. You can use this option only for a server that is in the Disabled state on the Server Configuration (Administration > Server Manager > Server Configuration) page. The following figure displays the Server Configuration page:

Figure 459: Server Configuration Page with Disabled Node

For more information on the Server Configuration page, see Server Configuration on page 457.
Figure 460: Server configuration - Join server back to cluster

2. Click the Join server back to cluster link at the top-right corner. A warning message appears with a prompt to promote the node to 'Publisher'. This option can only be triggered from a node that is currently active in the cluster. The following figure displays the warning message:

Figure 461: Join server back to cluster

3. Click Yes in the warning message pop-up. A progress indicator shows the progress with log entries.
The following figure displays the Join server back to cluster progress indicator:

Figure 462: Join server back to cluster - Progress

4. For a failed publisher node, the following message is displayed on the Dashboard page:

Figure 463: Publisher Warning Message

System Tab

By default, the Server Configuration page opens on the System tab.
Figure 464 displays the Server Configuration > System dialog:

Figure 464: Server Configuration > System Dialog

Table 257 describes the System dialog parameters:

Table 257: Server Configuration > System Dialog Parameters
Parameter / Action/Description
- Hostname: 1. Specify the hostname of the W-Policy Manager server. NOTE: You need not enter the fully qualified domain name in this field.
- FQDN: 2. Enter the Fully-Qualified Domain Name (FQDN) of the W-Policy Manager server.
- Policy Manager Zone: 3.
Table 257: Server Configuration > System Dialog Parameters (Continued)
Parameter / Action/Description
- Enable Ingress Events Processing: 7. Check this check box to enable ingress events processing on this server. For more information, see Configuring Processing for Ingress Events.
- Enable as Insight Master: 8. To specify the current server in a cluster as an Insight Master, select this check box. NOTE: This option is available only when Insight Setting > Enable Insight is enabled.
- Span Port: 9.
2. Select IP Version: Select the IP version (IPv4 or IPv6).
3. IP Address: Specify the IP address (IPv4 or IPv6) used to access W-ClearPass Policy Manager.
4. Subnet Mask: Specify the management interface subnet mask for an IPv4 address. IPv6 addresses do not require a netmask because they use Classless Inter-Domain Routing (CIDR).
5. Default Gateway: Specify the default gateway for the management interface.
6. Click Update.
A DNS server can be primary for one domain and secondary for another. Only one DNS server should be configured as primary for a domain, but you can have any number of secondary DNS servers.

3. Secondary: Specify one or more secondary DNS servers for name look-up. The recommended practice is to configure the primary and secondary DNS servers on separate machines, on separate Internet connections, and in separate geographic locations.
4.
admin user [Administrator] check box and 2) enter the Administrative username and password in the fields provided.
   c. Password: Enter the password for the user account that will join W-ClearPass with the domain, then click Save. The Join AD Domain status screen opens. The screen displays the message "Adding host to AD domain," and shows status during the joining process. When the joining process completes successfully, you see the message "Added host to the domain."
4. Click Close.
The following figure displays the Join AD Domain window:

Figure 469: Join AD Domain

The following table describes the Join AD Domain parameters:

Table 258: Join AD Domain Parameters
Parameter / Action/Description
- Domain Controller: Enter the fully qualified name of the Active Directory domain controller.
- NETBIOS name (optional): Enter the NetBIOS name of the domain. Enter this value only if it is different from your regular Active Directory domain name.
Add Password Server

After W-ClearPass successfully joins an Active Directory domain, you can configure a restricted list of domain controllers to be used for MSCHAP authentication. If this is not configured, all available domain controllers obtained from DNS are included.

To add a password server:

1. In the AD Domains section of the System tab, click the Add Password Server icon. This icon is available only after W-ClearPass joins at least one Active Directory domain (see Figure 470).
The following figure displays the Services Control tab:

Figure 472: Services Control Tab

Service Parameters Tab

Navigate to the Administration > Server Manager > Server Configuration > Service Parameters page to change the system parameters of the services listed below.
Async Network Services Options

Configure the Ingress Event, Command Control, and Post-Auth parameters for the Async network service.
Table 259: Service Parameters > Async Network Services (Continued)
Parameter / Action/Description
Command Control
- CoA Delay: Set the CoA Delay value (in seconds). The default value is 2, and the allowed values are from 0 to 15 seconds.
- Enable SNMP Bounce Action: Set the Enable SNMP Bounce Action value. The default value is FALSE.
- Posture Service
- DHCP Snooper Service

The following figure displays the Service Parameters tab > W-ClearPass Network Services parameters (partial view):

Figure 476: Service Parameters > W-ClearPass Network Services

The following figure displays the Service Parameters tab > W-ClearPass Network Services parameters in FIPS mode:

Figure 477: Service Parameters > W-ClearPass Network Services in FIPS Mode
Specify the W-ClearPass Network Services parameters as described in the following table:

Table 261: Service Parameters > W-ClearPass Network Services
Service / Parameter / Action/Description
SnmpService
- SNMP Timeout: Specify the number of seconds to wait for an SNMP response from the network device.
- SNMP Retries: Specify the number of retries for SNMP requests.
- LinkUp Timeout: Specify the number of seconds to wait before processing link-up traps.
Table 261: Service Parameters > W-ClearPass Network Services (Continued)
Service / Parameter / Action/Description
- OCSP Check: Specify one of the following options for initiating an Online Certificate Status Protocol (OCSP) check:
  - None (the default setting)
  - Optional
  - Required
WebAuthService
- Max time to determine network device where client is connected: Specifies the maximum time to wait for W-Policy Manager to determine the network device to which the client is connected.
The following figure displays the Service Parameters > W-ClearPass System Services parameters (partial view):

Figure 478: W-ClearPass System Services Parameters

Specify the Service Parameters > W-ClearPass System Services parameters as described in the following table.

Table 262: Service Parameters > W-ClearPass System Services
Service / Parameter / Action/Description
PHP System Configuration
- Memory Limit: Specify the maximum memory that can be used by the PHP applications.
Table 262: Service Parameters > W-ClearPass System Services (Continued)
Service / Parameter / Action/Description
HTTP Proxy
- Proxy Server: Specify the hostname or IP address of the proxy server.
- Port: Specify the port on which the proxy server listens for HTTP traffic.
- Username: Specify the user name used to authenticate with the proxy server.
- Password: Specify the password used to authenticate with the proxy server.
Table 262: Service Parameters > W-ClearPass System Services (Continued)
Service / Parameter / Action/Description
- Maximum Requests: Specify a number between 0 and 3000 for the maximum number of requests allowed. The default value is 500.
- Enable Host Header check: Specify whether to enable the host header check. The default value is TRUE.
  - When you set this value to TRUE, the Host Header Restriction check is enabled and only allowed (whitelisted) host headers are accepted.
Policy Server Options

The following figure displays the Service Parameters > Policy Server dialog:

Figure 480: Policy Server Service Parameters

Specify the Service Parameters > Policy Server parameters.

Table 263: Service Parameters > Policy Server Service
Service Parameter / Action/Description
- Machine Authentication Cache Timeout: 1. Specify the time (in hours) for which machine authentication entries are cached by W-ClearPass Policy Manager. The default is 24 hours.
Table 263: Service Parameters > Policy Server Service (Continued)
Service Parameter / Action/Description
- HTTP Thread Pool Size: 6. Specify the number of threads allotted for the HTTP thread pool.
- Authentication Thread Pool Size: 7. Specify the number of threads to use for LDAP/AD and SQL connections.
8. Click Save.
Table 264: Service Parameters > RADIUS Server Service (Continued)
Service Parameter / Action/Description
If not, select FALSE.
- Proxy Maximum Response Delay: If the target server has not responded, specify the time delay before retrying a proxy request. The default is 5 seconds.
- Maximum Reactivation Time: Specify the time that must elapse before retrying a dead proxy server.
- Maximum Retry Counts: If the target server does not respond, specify the maximum number of times to retry a proxy request.
Table 264: Service Parameters > RADIUS Server Service (Continued)
Service Parameter / Action/Description
default is 200.
- Process Server-Status Request:
  - TRUE: Send replies to Status-Server RADIUS packets.
  - FALSE: Do not send replies to Status-Server RADIUS packets. This is the default setting.
- Main Authentication Port: Specify the ports on which the RADIUS server listens for authentication requests. The default values are ports 1645 and 1812.
Table 264: Service Parameters > RADIUS Server Service (Continued)
Service Parameter / Action/Description
- Include Nonce in OCSP request: Specify one of the following:
  - TRUE: Select this if the OCSP (Online Certificate Status Protocol) request should include a nonce. This is the default value.
  - FALSE: Select this if the OCSP server does not support the nonce, to avoid EAP-TLS authentication failures.
- Enable signing for OCSP Request: To enable signing of OCSP requests, select TRUE.
Stats Collection Service Options

The following figure displays the Service Parameters tab > Stats Collection Service parameters:

Figure 482: Stats Collection Service Parameters

The following table describes the Service Parameters tab > Stats Collection Service parameter:

Table 265: Service Parameters > Stats Collection Service
Service Parameter / Action/Description
- Enable Stats Collection: Enable or disable statistics collection and aggregation. The Statistics Collection Service is enabled by default (TRUE).
The following table describes the Service Parameters tab > System Monitor Service parameters:

Table 266: Service Parameters > System Monitor Service
Service Parameter / Action/Description
- Free Disk Space Threshold: This parameter monitors the available disk space on the current W-ClearPass server node. Specify the Free Disk Space Threshold (the default is 30%). If the available free disk space falls below the specified threshold, the W-ClearPass server sends SNMP traps to the configured trap servers.
System Monitoring Tab

You can configure the SNMP parameters in the System Monitoring tab under the Administration > Server Manager > Server Configuration page. You can edit the system configuration of a server by clicking its table entry. By configuring this tab, you ensure that external Management Information Base (MIB) browsers can browse the system-level MIB objects exposed by the W-ClearPass Policy Manager appliance. The options on this page vary based on the SNMP version that you select.
Table 268: System Monitoring tab Parameters (Continued)
Parameter / Description
- Security Level: Select any of the following options:
  - NOAUTH_NOPRIV (no authentication or privacy) - If you select this security level, only the SHA authentication protocol is available.
  - AUTH_NOPRIV (authenticate, but no privacy) - If you select this security level, the MD5 and SHA authentication protocols are available.
The following figure displays the Network page:

Figure 486: Network Interfaces Page

Adding an SSH Public Key

W-ClearPass supports public key-based SSH logins. This includes public key management and the ability to enable public key authentication in W-ClearPass on a node-by-node basis. When you add the SSH public key of a client, W-ClearPass allows passwordless public key-based SSH authentication from that client to the appadmin W-ClearPass console.
5. In the SSH Public Key window, copy and paste the SSH public key of the client, then click Save.
   If the SSH public key is regenerated on the client, passwordless public key-based SSH authentication will cease to work. The existing entry for that client must be deleted; then copy and paste the new SSH public key.
6. From the Server Configuration page, click Save.
Table 269: Create Tunnel Parameters (Continued)
Parameter / Action/Description
- Remote Inner IP: 4. Enter the remote IP address of the tunnel network interface. Enter a value to automatically create a route to this address through the tunnel.
- Local Outer IP (Optional): 5. Optionally, enter the local IP address of the tunnel endpoint.
- Create/Cancel: 6. Commit or dismiss your changes.

Creating IPsec Tunnels

To create IPsec tunnels, navigate to the Network page and click Create IPSec Tunnel.
The following table describes the Create IPSec Tunnel parameters:

Table 270: Create IPSec Tunnel Parameters
Parameter / Action/Description
- Local Interface: 1. Specify the local (management) port.
- Remote IP Address: 2. Specify the IP address of the remote host.
- IPSec Mode: 3. Select the IPsec mode from the options:
  - Tunnel
  - Transport
- IKE Version: 4. Specify the version of the Internet Key Exchange (IKE) protocol from the options: 1 or 2.
- IKE Phase 1 Mode: 5.
Table 270: Create IPSec Tunnel Parameters (Continued)
Parameter / Action/Description
- IKE Shared Secret: 11. Enter the secret key.
- Verify IKE Shared Secret: 12. Verify the secret key.
- Enabled: 13. Specify whether the IPsec tunnel is enabled or not.
14. Click Create.

Creating VLANs

To create VLAN interfaces:

1. From the Server Configuration > Network Interfaces page, select the Network tab.
2. From the VLANS option, click Create VLAN.
Table 271: Server Configuration > Create VLAN Parameters
Parameter / Action/Description
- Physical Interface: 1. Enter the physical port on which to create the VLAN interface. This is the interface through which the VLAN traffic will be routed. NOTE: Your network infrastructure must support tagged 802.1Q packets on the selected physical interface.
- VLAN Name: 2. Enter the name for the VLAN interface. This name is used to identify the VLAN in the list of network interfaces.
- VLAN ID: 3. Specify the 802.
Figure 491: Restrict Access Configuration Dialog

The following table describes the Restrict Access parameters:

Table 272: Restrict Access Parameters
Parameter / Action/Description
- Resource Name: 1. Select the application to which you want to allow or deny access.
- Access: 2. Select one of the access control options:
  - Allow: Allows access to the selected application.
  - Deny: Denies access to the selected application.
- Network: 3. Enter one or more hostnames, IP addresses, or IP subnets, one per line.
When running in FIPS Approved mode, W-ClearPass Policy Manager utilizes a FIPS 140-2 validated cryptographic module. Support is not available for non-approved authentication methods such as EAP-MD5 and MD5 digest algorithms. For details on the Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules, see: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.
After enabling FIPS mode using the CLI commands, you can verify whether FIPS mode is enabled in the Configuration Summary page.

Figure 493: FIPS Mode > Configuration Summary

Enabling FIPS Mode in the W-ClearPass User Interface

Alternatively, you can enable or disable FIPS mode in the W-ClearPass user interface:

1. Navigate to Administration > Server Manager > Server Configuration.
2. From the Server Configuration page, select the server of interest.
- The server will be removed from the cluster if FIPS mode is enabled.
- All nodes in a cluster must be either in FIPS or non-FIPS mode. W-ClearPass Policy Manager nodes in FIPS mode cannot be joined to a cluster whose nodes are in non-FIPS mode.
- Legacy authentication methods such as EAP-MD5 and the MD5 digest algorithm are not supported in FIPS mode.
Date & Time Tab

You can set the date and time for the server using this tab. The following figure displays the Date & Time tab of the Change Date and Time pop-up:

Figure 496: Change Date and Time - Date & Time tab

The following table describes the Date and Time tab parameters:

Table 273: Change Date and Time - Date & Time tab Parameters
Parameter / Description
- Date in yyyy-mm-dd format: To specify the date and time, use the indicated syntax.
The following figure displays the Time zone on publisher tab of the Change Date and Time pop-up:

Figure 497: Time zone on publisher tab

Change Cluster Password

To change the cluster-wide password, follow the procedure below:

1. Navigate to the Administration > Server Manager > Server Configuration page and click the Change Cluster Password link. The Change Cluster Password pop-up appears.
2. Enter the new password, then verify the password.
3. Click Save.
The following figure displays the Change Cluster Password pop-up:

Figure 498: Change Cluster Password Dialog

Manage Policy Manager Zones

This section provides the following information:

- About Policy Manager Zones
- Managing Policy Manager Zones
- Mapping Policy Manager Zones

About Policy Manager Zones

W-ClearPass Policy Manager shares a distributed cache of runtime states across all nodes in a cluster.
Figure 499: Policy Manager Zones Dialog

3. To add a new W-Policy Manager Zone, click Click to add..., enter the name of the W-Policy Manager Zone to be added, click the Save icon, then click Save.
4. To delete a zone, click the trash can icon.

Mapping Policy Manager Zones

To configure the W-Policy Manager Zone you created:

1. Navigate to Administration > Agents and Software Updates > OnGuard Settings. The OnGuard Settings page opens.
2. Click Policy Manager Zones.
Table 274: OnGuard Settings > W-Policy Manager Zones Parameters
Parameter / Action/Description
- W-Policy Manager Zone: Lists the W-Policy Manager zones with radio buttons for selection.
- Client Subnets: Displays the client subnet addresses specific to the W-Policy Manager zone.
- Server IPs: Displays the server IP addresses specific to the W-Policy Manager zone.
Zone Network Details
- W-Policy Manager Zone: 1.
Figure 501: NetEvents Target Link on Server Configuration Page

2. Click the NetEvents Targets link. The NetEvents Targets configuration dialog opens.

Figure 502: NetEvents Targets Configuration Dialog

3. Specify the NetEvents Targets parameters as described in the following table:

Table 275: NetEvents Targets Parameters
Parameter / Action/Description
- Target URL: 1. Enter the HTTP URL for the service that supports posting to the NetEvents target and requires authentication using a username and password. 2.
Virtual IP Settings

You can configure two nodes in a cluster to share a virtual IP address. The virtual IP address is bound to the primary node by default. The secondary node takes over when the primary node is unavailable.

In a virtual machine deployment of W-ClearPass Policy Manager, you must enable forged transmits on the VMware distributed virtual switch for the Virtual IP feature to be effective.

To configure a virtual IP address:

1.
Figure 504: Server Configuration Page > Clear Machine Authentication Cache

2. Click the Clear Machine Authentication Cache link. The following prompt is displayed: "Are you sure you want to clear machine authentication cache?"
3. To proceed with the operation, click Yes.
Figure 505: Cluster-Wide Parameters > General Tab

2. Configure the Cluster-Wide Parameters > General parameters as described in the following table.
Table 277: Cluster-Wide Parameters > General Tab Parameters
Parameter / Action/Description
- Policy result cache timeout: 1. Specify the duration (in minutes) for which the role mapping and posture results derived by the policy engine during a policy evaluation are stored. A value of 0 disables caching. This result can then be used in subsequent evaluation of policies associated with a service, if the Use cached Roles and Posture attributes from previous sessions option is turned on for the service.
Table 277: Cluster-Wide Parameters > General Tab Parameters (Continued)
Parameter / Action/Description
- Multi Master Cache Durability: 9. For the Multi Master Cache to survive most abrupt shutdowns, set this to Normal or Full. The default value is OFF. NOTE: Enabling this feature may result in some performance degradation.
- CLI Session Idle Timeout: 10. Specify the maximum idle time permitted for CLI users, beyond which the session times out. The default value is 30 minutes.
Cleanup Intervals

The following figure displays the Cluster-Wide Parameters > Cleanup Interval dialog:

Figure 506: Cluster-Wide Parameters > Cleanup Interval Tab

Specify the Cluster-Wide Parameters > Cleanup Interval parameters as described in the following table:

Table 278: Cluster-Wide Parameters > Cleanup Interval Tab Parameters
Parameter / Action/Description
- Maximum inactive time for an endpoint: 1.
Table 278: Cluster-Wide Parameters > Cleanup Interval Tab Parameters (Continued)
Parameter / Action/Description
Unknown entries are deleted based on the last Updated At value for each Endpoint. For example, if this value is 7, then unknown Endpoints whose Updated At value is not within the last 7 days (stale endpoints) are deleted. The default value is 0 days, which indicates that no cleanup interval is specified.
- Expired guest accounts cleanup interval: 6.
The following table describes the Cluster-Wide Parameters > Notifications tab parameters:

Table 279: Cluster-Wide Parameters > Notifications Parameters
Parameter / Description
- System Alert Level: 1. Specify the alert notifications that are generated for system events logged at this level or higher.
  - INFO: Alerts for INFO, WARN, and ERROR messages are generated.
  - WARN: Alerts for WARN and ERROR messages are generated.
  - ERROR: Alerts for ERROR messages only are generated.
  The default value is WARN.
The following table describes the Standby Publisher tab parameters of Cluster-Wide Parameters:

Table 280: Cluster-Wide Parameters > Standby Publisher Tab Parameters
Parameter / Description
- Enable Publisher Failover: 1. To authorize a node in the cluster to act as a publisher if the primary publisher fails, select TRUE. The default value is FALSE.
- Designated Standby Publisher: 2. Select the server in the cluster to act as the standby publisher. The default value is 0.
Enterprises (PFE) environment, where a large volume of unique endpoints need wireless access.
The following figure displays the Cluster-Wide Parameters > Mode dialog:

Figure 510: Cluster-Wide Parameters > Mode Tab

The following table describes the Cluster-Wide Parameters > Mode parameter:

Table 282: Cluster-Wide Parameters > Mode Parameter
Parameter / Action/Description
- High Capacity Guest Mode: To enable or disable High Capacity Guest mode, select TRUE or FALSE. The default is FALSE.
Table 283: Cleanup Interval Values in High Capacity Guest Mode (Continued)
Parameter / Description
- Profiled endpoints cleanup interval: The default value is 3 days.
- Old Audit Records cleanup interval: The default value is 10 days.
- EAP_PEAP_PUBLIC

Database

The following figure displays the Cluster-Wide Parameters > Database tab:

Figure 511: Cluster-Wide Parameters > Database Tab

The following table describes the Cluster-Wide Parameters > Database parameters:

Table 284: Cluster-Wide Parameters > Database Parameters
Parameter / Action/Description
- Auto backup configuration options: 1. Select any of the following auto-backup configuration options:
  - Off: Select this to not perform periodic backups.
Table 284: Cluster-Wide Parameters > Database Parameters (Continued)
Parameter / Action/Description
- Store Password Hash for MSCHAP authentication: 4. To store passwords for admin and local users in Hash and NTLM hash formats (which enables RADIUS MSCHAP authentication against the admin or local repositories), set this to TRUE. If you set this to FALSE, RADIUS MSCHAP authentication is not possible because the NTLM hash passwords are removed for all users.
The following table describes the Add Subscriber Node parameters:

Table 285: Add Subscriber Node
Parameter / Description
- Publisher IP, Publisher Password: Specify the publisher address and password. NOTE: The password specified here is the password for the CLI user appadmin.
- Restore the local log database after this operation: Select the check box to restore the log database following addition of a subscriber node.
The following figure displays the Collect Logs pop-up:

Figure 513: Collect Logs

Backup

Navigate to the Administration > Server Manager > Server Configuration page and click the Back Up button. The following figure displays the Backup Policy Manager Database pop-up:

Figure 514: Backup Popup
The following table describes the Backup Policy Manager Database parameters:

Table 286: Backup Policy Manager Database
Parameter / Description
- Generate filename: Select the check box to enable W-Policy Manager to generate a filename; otherwise, specify a filename. Backup files are in gzipped tar format (tar.gz extension). The backup file is automatically placed in the Shared Local Folder under the folder type Backup Files (see Local Shared Folders).
The following table describes the Restore Policy Manager Database parameters:

Table 287: Restore Policy Manager Database
Parameter / Description
- Restore file location: Select either Upload file to server or File is on server.
- Upload file path: Browse to select the name of the backup file. NOTE: This option is available only when the Upload file to server option is selected.
- Shared backup files present on the server: If the file is on the server, select a file from the files in the local shared folders.
1. Navigate to the Administration > Server Manager > Server Configuration page and click the Cleanup button. The Force Cleanup Files pop-up is displayed.
2. Enter a number to clean up files that are older than the specified number of days. The allowed range is 0-15.
3. Click Start to initiate the cleanup process.
The following figure displays the cleanup progress:

Figure 518: Cleanup Progress Screen

Shutdown/Reboot

Navigate to the Administration > Server Manager > Server Configuration page and click the Shutdown or Reboot button to shut down or reboot the node.

Drop Subscriber

Navigate to the Administration > Server Manager > Server Configuration page and click the Drop Subscriber button to drop a subscriber from the cluster. This option is not available in a single-node deployment.
Service Log Configuration

The following figure displays the Service Log Configuration dialog:

Figure 519: Log Configuration > Service Log Configuration Tab

The following table describes the Service Log Configuration parameters:

Table 288: Log Configuration > Service Log Configuration Parameters
Parameter / Action/Description
- Select Server: 1. From the Select Server drop-down, specify the server for which you want to configure logs. All nodes in the cluster appear in the drop-down list.
- Select Service: 2.
Table 288: Log Configuration > Service Log Configuration Parameters (Continued)
Parameter / Action/Description
  - WARN
  - ERROR
  - FATAL
  NOTE: Set this option first, and then override any specific modules as necessary.
- Restore Defaults/Save: 5. Click Save to save changes. To restore the default settings, click Restore Defaults.
Table 289: Log Configuration > System Level Parameters (Continued)
Parameter / Action/Description
Syslog Settings
- Syslog Server: 4. Specify the name of the syslog server. W-Policy Manager sends the configured module logs to this syslog server.
- Syslog Server Port: 5. Specify the syslog server port number. The default is 514.
- Enable Syslog: 6. To override the Syslog Filter Level for a service, select the Enable Syslog check box.
- Syslog Filter Level: 7. If desired, change the Syslog Filter Level.
4. You can either browse to an application to open the selected folder or save the tar.gz file to your hard disk:
   a. To open the folder, click Browse, select the application to open the tar.gz file, then click OK.
   b. To save the file, select Save File, then click OK. The file is downloaded to your system.
License Summary Tab

You can add and activate OnGuard, Guest, Onboard, and Enterprise licenses. The License Summary tab displays the number of purchased licenses for W-Policy Manager, OnGuard, Guest, Onboard, and W-ClearPass Enterprise.
Figure 525: Add License Page

3. Product: Choose a product from the Product drop-down list:
   - OnGuard
   - Guest
   - Onboard
   - W-ClearPass Enterprise
4. License Key: Enter the license key.
5. Click the I agree to the above terms and conditions check box. The Add button is now enabled.
6. Click Add. You return to the Licensing > License Summary page, where the new application license is now listed.
Figure 526: Activate License Page

4. In the Online Activation section, click Activate Now. The W-ClearPass W-Policy Manager server license is now activated. The Applications tab > Activation Status column shows a green circle next to the keyword Activated.

If You Are Not Connected to the Internet

If you are not connected to the Internet:

1. In the Offline Activation section, click Download to download an activation request token from the W-Policy Manager server.
2.
Figure 528: Activate License Page

4. In the Online Activation section, click Activate Now. The selected application license is now activated. The Applications tab > Activation Status column shows a green circle next to the keyword Activated.

If You Are Not Connected to the Internet

If you are not connected to the Internet:

1. In the Offline Activation section, click Download to download an activation request token from the W-Policy Manager server.
2.
Figure 529: Update License Dialog

4. Enter the new license key.
5. Click the I agree to the above terms and conditions check box. The Update button is now activated.
6. Click Update.

Updating an Application License

Application licenses typically require updating after they expire, for example, after an evaluation license expires, or when capacity exceeds the licensed amount. To update an application license:

1. Navigate to Administration > Server Manager > Licensing. The Licensing page opens.
2.
SNMP Trap Receivers

This section provides the following information:

- SNMP Trap Receivers Main Page on page 533
- Adding an SNMP Trap Server on page 533
- Importing an SNMP Trap Server on page 534
- Exporting All SNMP Trap Servers on page 535
- Exporting an SNMP Trap Server on page 536
- Deleting an SNMP Trap Server on page 537

W-ClearPass W-Policy Manager sends SNMP traps that expose the following server information:

- System up-time: Provides information about how long the W-ClearPass server
2. Click the Add link on the top right section of the page. Enter the details based on Table 290.
3. Click Save.
The following figure displays the Add SNMP Trap Server pop-up:
Figure 532: Add SNMP Trap Server Pop-up
The following table describes the Add SNMP Trap Server parameters:
Table 290: Add SNMP Trap Server Parameters
Host Address: Enter the trap destination hostname or IP address. NOTE: This server must have an SNMP trap receiver or trap viewer installed.
The following figure displays the Import from file pop-up:
Figure 533: Import from file Pop-up
The following table describes the Import from file parameters:
Table 291: Import from file Parameters
Select File: Browse to the SNMP Trap Server configuration file to be imported.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the secret key here.

Exporting All SNMP Trap Servers
This link exports all configured SNMP Trap Receivers.
The following figure displays the Export to file pop-up:
Figure 534: Export to file Pop-up
The following table describes the Export to file parameters:
Table 292: Export to file Parameters
Export file with password protection: Choose Yes to export the file with password protection.
Secret Key: Enter the secret key.
Verify Secret: Re-enter the secret key.

Exporting an SNMP Trap Server
To export a single SNMP trap server:
1.
The following table describes the Export to file parameters:
Table 293: Export to file Parameters
Export file with password protection: Choose Yes to export the file with password protection.
Secret Key: Enter the secret key.
Verify Secret: Re-enter the secret key.

Deleting an SNMP Trap Server
To delete a single SNMP trap server:
1. Navigate to Administration > External Servers > SNMP Trap Receivers.
2. Click the check box next to the Host Address entry and click Delete.
3.
The following table describes the Syslog Targets parameters:
Table 294: Syslog Targets Parameters
Add: Opens the Add Syslog Target pop-up.
Import: Opens the Import from file pop-up. You can import the syslog target from a file.
Export All: Opens the Export to file pop-up. You can export all the syslog target entries to a file.
Export: Opens the Export to file pop-up. With this option, you can export individual syslog targets.
Delete: Deletes a syslog target server.
The following table describes the Add Syslog Target parameters:
Table 295: Add Syslog Target Parameters
Host Address: Syslog server hostname or IP address.
Description: Enter a short description of the syslog server.
Protocol: Select one of the following options:
   - UDP: This option reduces overhead and latency.
   - TCP: This option provides error checking and packet delivery validation.
Server Port: Port number for sending the syslog messages. The default port number is 514.
The following table describes the Import from file parameters:
Table 296: Import from file Parameters
Select File: Browse to the Syslog Target configuration file to be imported.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.

Exporting All Syslog Targets
To export all syslog targets:
1. Navigate to Administration > External Servers > Syslog Targets.
2.
3. Enter the name of the XML file in the Save As dialog.
4. Click Save.
The following figure displays the Export to file pop-up:
Figure 540: Export to file Pop-up
The following table describes the Export to file parameters:
Table 298: Export to file Parameters
Export file with password protection: Choose Yes to export the file with password protection.
Secret Key: Enter the secret key.
Verify Secret: Re-enter the secret key.

Deleting a Syslog Target
To delete a syslog target:
1.
About Syslog Export Filters
W-Policy Manager can export session data (see Live Monitoring: Access Tracker on page 107), audit records (see Audit Viewer on page 152), and event records (see Event Viewer on page 155). You configure syslog export filters to tell W-Policy Manager where to send this information and, through data filters, which records to send.

Syslog Export Filters Page
To configure syslog export filters:
1.
Figure 542: Add Syslog Export Filters Page > General Tab
The Filter and Columns tab shown in the figure above is only visible if you select Insight Logs or Session Logs as the export template. For more information, see Filter and Columns Tab on page 547.
The following table describes the Add Syslog Export Filters > General tab parameters:
Table 300: Add Syslog Export Filters > General Tab Parameters
Name: Enter the name of the syslog export filter.
Table 300: Add Syslog Export Filters > General Tab Parameters (Continued)
Export Event Format Type: Select one of the following export event formats:
   - Standard: Select this event format type to send the event types in raw syslog format. This is the default event format type.
   - LEEF: Select this event format type to send the event types in Log Enhanced Event Format (LEEF).
10.20.23.178,Category=Logged in,Action=None,Level=INFO,src=10.17.5.228,Component=Support Shell,Timestamp=Jan 20, 2015 16:45:59 IST Mar 21 16:49:10 10.17.5.228 2015-01-20 16:50:05,210 10.17.5.228 System Events 1 1 0 TimestampFormat=yyyy-MM-dd HH:mm:ss,S,Description='Failed to start ClearPass Virtual IP service',Category=start,Action=Failed,Level=WARN,src=10.17.5.228,Component=ClearPass Virtual IP service,Timestamp=Jan 20, 2015 16:48:53 IST 2015-01-20 16:50:05,210 [pool-6-thread-1] [R:] DEBUG com.avenda.tips.
LEEF Event Format Type > Insight Logs
The following example shows the LEEF event format type for the Insight Logs syslog export filter template:
Dec 03 2014 16:50:44.085 IST 10.17.4.208 LEEF:1.0|Dell|ClearPass|6.5.0.69058|0-10|Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null Auth.Login-Status=216 Auth.Request-Timestamp=2014-12-03 16:48:41+05:30 Auth.Protocol=RADIUS Auth.Source=null Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null Auth.
CEF Event Format Type > Session Logs
The following example shows the CEF event format type for the Session Logs syslog export filter template:
Dec 01 2014 15:28:40.540 IST 10.17.4.206 CEF:0|Dell|ClearPass|6.5.0.68878|1604-1-0|Session Logs|0|RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95 RADIUS.Acct-Framed-IPAddress=192.167.230.129 RADIUS.Auth-Source=AD:10.17.4.130 RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 RADIUS.Auth-Method=PAP RADIUS.Acct-Service-Name=Authenticate-Only RADIUS.
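The LEEF and CEF templates above share one shape: a syslog prefix added by the relay, a pipe-delimited header, then an extension of key=value pairs whose values (Auth.Enforcement-Profiles=[Allow Access Profile], the timestamps) may themselves contain spaces. The following Python parser is an added example, not code from this guide or from the ClearPass product: it splits both records into header fields and extension pairs, filters a mixed syslog feed down to Dell ClearPass records, and reads the timestamp ClearPass itself recorded. The two sample lines are copied from the examples above and cut where the page cuts them; the tab-delimited LEEF handling and the escaped-pipe handling follow the public LEEF 1.0 and CEF conventions, which this page does not describe.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Sample records reproduced from the LEEF (Insight Logs) and CEF (Session Logs)
# examples in this section, cut where the page cuts them. The page shows the
# LEEF extension space-separated; genuine LEEF 1.0 uses a tab between pairs,
# so parse_extension() accepts either.
SAMPLE_LEEF = (
    "Dec 03 2014 16:50:44.085 IST 10.17.4.208 "
    "LEEF:1.0|Dell|ClearPass|6.5.0.69058|0-10|"
    "Auth.Username=host/Asif-Test-PC2 Auth.Authorization-Sources=null "
    "Auth.Login-Status=216 Auth.Request-Timestamp=2014-12-03 16:48:41+05:30 "
    "Auth.Protocol=RADIUS Auth.Source=null "
    "Auth.Enforcement-Profiles=[Allow Access Profile] Auth.NAS-Port=null"
)
SAMPLE_CEF = (
    "Dec 01 2014 15:28:40.540 IST 10.17.4.206 "
    "CEF:0|Dell|ClearPass|6.5.0.68878|1604-1-0|Session Logs|0|"
    "RADIUS.Acct-Calling-Station-Id=00:32:b6:2c:28:95 "
    "RADIUS.Acct-Framed-IPAddress=192.167.230.129 "
    "RADIUS.Auth-Source=AD:10.17.4.130 "
    "RADIUS.Acct-Timestamp=2014-12-01 15:26:43+05:30 RADIUS.Auth-Method=PAP "
    "RADIUS.Acct-Service-Name=Authenticate-Only"
)

# Header field names in wire order: LEEF 1.0 carries five, CEF carries seven.
LEEF_HEADER = ("version", "vendor", "product", "product_version", "event_id")
CEF_HEADER = ("version", "vendor", "product", "product_version",
              "signature_id", "name", "severity")

# A literal pipe inside a header field is escaped as "\|"; split only on
# unescaped pipes.
_PIPE_RE = re.compile(r"(?<!\\)\|")
# One key=value pair: the key has no spaces or '=', and the value runs until
# the next " key=" or the end of the string. ClearPass keys are dotted names
# (Auth.Username, RADIUS.Auth-Method) with no spaces, so this is unambiguous
# unless a value itself contains " something=".
_KV_RE = re.compile(r"([^\s=]+)=(.*?)(?=\s+[^\s=]+=|$)")


@dataclass
class SyslogEvent:
    prefix: str                  # relay-added syslog timestamp and host
    fmt: str                     # "LEEF" or "CEF"
    header: dict = field(default_factory=dict)
    ext: dict = field(default_factory=dict)


def parse_extension(ext: str) -> dict:
    """Split the extension into key=value pairs (tab- or space-delimited)."""
    if "\t" in ext:
        return dict(p.split("=", 1) for p in ext.split("\t") if "=" in p)
    return dict(_KV_RE.findall(ext))


def parse_event(line: str) -> SyslogEvent:
    """Parse one syslog line carrying a LEEF or CEF record."""
    m = re.search(r"\b(LEEF|CEF):", line)
    if not m:
        raise ValueError("not a LEEF or CEF record")
    fmt, body = m.group(1), line[m.end():]
    names = LEEF_HEADER if fmt == "LEEF" else CEF_HEADER
    parts = _PIPE_RE.split(body, maxsplit=len(names))
    if len(parts) != len(names) + 1:
        raise ValueError(f"malformed {fmt} header: {body[:40]!r}")
    header = {n: p.replace("\\|", "|") for n, p in zip(names, parts)}
    return SyslogEvent(line[:m.start()].rstrip(), fmt, header,
                       parse_extension(parts[-1]))


def is_clearpass(ev: SyslogEvent) -> bool:
    """Keep only Dell ClearPass records when the target receives a mixed feed."""
    return ev.header.get("vendor") == "Dell" and ev.header.get("product") == "ClearPass"


def event_time(ev: SyslogEvent) -> datetime:
    """Offset-aware time recorded by ClearPass itself. Insight data is
    collected two to four minutes after the fact, so correlate on this field
    rather than on the prefix the syslog relay stamped on arrival."""
    for key in ("Auth.Request-Timestamp", "RADIUS.Acct-Timestamp"):
        if key in ev.ext:
            return datetime.strptime(ev.ext[key], "%Y-%m-%d %H:%M:%S%z")
    raise KeyError("no ClearPass timestamp in extension")


if __name__ == "__main__":
    for raw in (SAMPLE_LEEF, SAMPLE_CEF):
        ev = parse_event(raw)
        if is_clearpass(ev):
            print(ev.fmt, ev.header["name" if ev.fmt == "CEF" else "event_id"],
                  event_time(ev).isoformat(), sorted(ev.ext))
```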
The data collection interval for Insight logs is -4 to -2 minutes from the current time.
The following table describes the Syslog Export Filters - Filter and Columns (Insight Logs) tab parameters:
Table 301: Syslog Export Filters - Filter and Columns (Insight Logs) Tab Parameters
Columns Selection: Determine the group of reports that you want to include in the syslog filters. The column selection limits the type of records sent to the syslog filters.
The following figure displays the Syslog Export Filters - Filter and Columns (Session Logs) tab.
Figure 544: Syslog Export Filters - Filter and Columns (Session Logs) Tab
The following table describes the Syslog Export Filters - Filter and Columns (Session Logs) tab parameters:
Table 302: Syslog Export Filters - Filter and Columns (Session Logs) Tab Parameters
Data Filter: Specify the data filter. The data filter limits the type of records sent to the syslog target.
Summary Tab
This section describes the parameters in the Summary tab of the Administration > External Servers > Syslog Export Filters > Add page.
The following figure displays the Syslog Export Filters - Summary tab.
Figure 545: Syslog Export Filters - Summary Tab
The following table describes the Syslog Export Filters - Summary tab parameters:
Table 303: Syslog Export Filters - Summary Tab Parameters
General
Name: Displays the name of the syslog export filter.
1. Navigate to Administration > External Servers > Syslog Export Filters.
2. Click the Import link on the top right section of the page. Enter the details based on Table 304.
3. Click Import.
The following figure displays the Import from file pop-up:
Figure 546: Import from file Pop-up
The following table describes the Import from file parameters:
Table 304: Import from file Parameters
Select File: Browse to the Syslog Filter configuration file to be imported.
The following figure displays the Export to file pop-up:
Figure 547: Export to file Pop-up
The following table describes the Export to file parameters:
Table 305: Export to file Parameters
Export file with password protection: Choose Yes to export the file with password protection.
Secret Key: Enter the secret key.
Verify Secret: Re-enter the secret key.

Exporting a Syslog Filter
To export a syslog filter:
1. Navigate to Administration > External Servers > Syslog Export Filters.
The following table describes the Export to file parameters:
Table 306: Export to file Parameters
Export file with password protection: Choose Yes to export the file with password protection.
Secret Key: Enter the secret key.
Verify Secret: Re-enter the secret key.

Deleting a Syslog Filter
To delete a syslog filter:
1. Navigate to Administration > External Servers > Syslog Export Filters.
2. Click the check box next to the syslog filter entry and click Delete.
3. Click Yes.
The following table describes the Messaging > SMTP Server page parameters:
Table 307: Messaging > SMTP Server Page Parameters
Server name: 1. Enter the Fully Qualified Domain Name (FQDN) or the IP address of the SMTP server.
User Name: 2. Enter the username if your email server requires authentication for sending email messages.
Password: 3. Enter the password for the specified username, then verify the password.
Default From address: 4.
4. Click Send Email.

Sending a Test SMS Message
To send a test SMS message to the preferred email address:
1. Click Send Test SMS. The Send Test SMS dialog opens.
Figure 551: Send Test SMS Dialog
2. Recipient in International format: Enter the mobile phone number of the recipient in international format: a + sign, followed by the country code and the mobile phone number (without the leading '0' of the number).
3.
Information gathered from mobile devices can include policy breaches, data consumption, and existing configuration settings.

Endpoint Context Servers Page
1. To access the Endpoint Context Servers page, navigate to Administration > External Servers > Endpoint Context Servers.
Figure 553: Adding an Endpoint Context Server
3. In the Add Endpoint Context Server dialog, specify the parameters as described in Table 309.
4. Click Save.
Table 309 describes the Add Endpoint Context Server parameters:
Table 309: Add Endpoint Context Server Parameters
Select Server Type: 1. Choose one of the Server Types (endpoint context server vendors) from the following options. The Server Type you select determines the configuration parameters.
Table 309: Add Endpoint Context Server Parameters (Continued)
Username: 4. Enter the username.
Password: 5. Enter the password of the server or host, then verify the password.
API Key: 6. Enter the API key that was provided by the vendor, then verify the API key. This field is not displayed for all endpoint context servers.
Validate Server: 7. Select the Enable to validate the server certificate check box to validate the server certificate. By default, this field is disabled.
Figure 554: Import from File Dialog
The following table describes the Import from file parameters:
Table 310: Import from File Dialog Parameters
Select File: Browse to the Endpoint Context Server configuration file to be imported.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.

Exporting All Endpoint Context Servers
To export all endpoint context servers:
1.
Table 311 describes the Export to file parameters:
Table 311: Export to File Dialog Parameters
Export file with password protection: 1. To export the file with password protection, choose Yes.
Secret Key: 2. Enter the secret key.
Verify Secret: 3. Re-enter the secret key.

Modifying an Endpoint Context Server
To modify an endpoint context server:
1. Navigate to Administration > External Servers > Endpoint Context Servers.
2.
The following table describes the Modify Endpoint Context Server > Server parameters:
Table 312: Modify Endpoint Context Server > Server Parameters
Server Type: The Server Type cannot be modified.
Server Name: 1. Enter the name of the server or host.
Server Base URL: 2. Enter the full URL for the server. The default is the name you entered above with "https://" prepended. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.
Figure 557: Modify Endpoint Context Server > Actions Tab

Polling an Endpoint Context Server
You can poll only one server at a time; you cannot poll multiple server entries. Also, you can only poll MDM-type servers.
To poll an endpoint context server:
1. Navigate to Administration > External Servers > Endpoint Context Servers.
2. In the Endpoint Context Servers main page, click the check box next to the server name entry.
Figure 558: Selecting the Trigger Poll Option
3. Click Trigger Poll.
Configuring Endpoint Context Server Actions
This section contains the following information:
- Filtering an Endpoint Context Server Action Report
- Configuring Endpoint Context Server Actions
- Adding machine-os and host-type Endpoint Attributes

Filtering an Endpoint Context Server Action Report
Use the Filter controls to configure a search for a subset of Endpoint Context Server Action items.
To filter an endpoint context server action report:
1.
Table 313: Endpoint Context Server Actions Page Settings
Server Type: Indicates the server type configured when the server action was configured.
Action Name: Indicates the name of the context server action. The available server actions vary depending on which Server Type is specified.
HTTP Method: Specifies the HTTP method selected when the server action was configured.
Description: Provides the description of the server action.
2.
Table 314: Action Parameters—Endpoint Context Server Details
Server Type: Specifies the server type configured when the server action was configured. You can select the server type from the drop-down list.
Server Name: Lists the context servers specific to the server type selected in the Server Type field. This field is visible only if you selected the service type Generic HTTP.
Action Name: Specifies the name of the action configured.
Content Tab
Use the Content tab to specify a content type and add non-default context server attributes (see Figure 562). The information in the Content window is the template of what will be posted to the server. The fields preceded by the % sign are replaced with their corresponding values.
Attributes Tab Parameters
Use the Attributes tab to specify the mapping for attributes used in the content to parameterized values from the request.
Figure 563: Attributes Tab—Endpoint Context Server Details
Table 317 describes the Endpoint Context Server Details—Attributes parameters:
Table 317: Attributes Parameters—Endpoint Context Server Details
Attribute Name: Enter attribute names and assign values to those names. These name/value pairs are included in context server actions.
Figure 564: Selecting the Check Point Login Server Action
The Endpoint Context Server Details dialog appears.
3. Select the Content tab (see Figure 565).
4. In the Content field, add the following attributes (see Figure 565):
   - "machine-os":"%{device_family}"
   - "host-type":"%{device_type}"
Figure 565: Adding Endpoint Context Server Attributes
5. Click Save.
- Adding an Aruba Activate Endpoint Context Server
- Adding a ClearPass Cloud Proxy Endpoint Context Server
- Adding a Generic HTTP Endpoint Context Server
- Adding a Google Admin Console Endpoint Context Server
- Integrating W-ClearPass with Infoblox
- Adding a JAMF Endpoint Context Server
- Integrating ClearPass with Juniper Networks SRX
- Adding a MaaS360 Endpoint Context Server
- Adding a MobileIron Endpoint Context Server
- Adding a Palo Alto Networks Firewall Endpoint Context Server
Server Tab
The following figure displays the AirWatch Add Endpoint Context Server - Server dialog:
Figure 566: Adding an Airwatch Endpoint Context Server - Server Dialog
You can add more than one endpoint context server of the same type.
The following table describes the Add Endpoint Context Server - Server (AirWatch) tab parameters:
Table 318: Adding an Airwatch Endpoint Context Server - Server Tab Parameters
Select Server Type: Choose AirWatch from the drop-down list.
Table 318: Adding an Airwatch Endpoint Context Server - Server Tab Parameters (Continued)
Validate Server: Enable to validate the server certificate. Checking this option activates the Certificate tab.
Enable Server: Select the Enable to fetch endpoints from the server check box to enable the endpoint context server. By default, this field is disabled. The Bypass Proxy field is enabled only if you enable this field.
The following table describes the AirWatch Add Endpoint Context Server - Actions dialog parameters:
Table 319: Adding an Airwatch Endpoint Context Server - Actions Tab Parameters
Clear Passcode: Reset the passcode on the device.
Enterprise Wipe: Delete only stored corporate information.
Get Apps: Get application information for the device.
Lock Device: Lock the associated device.
Remote Wipe: Delete all stored information.
Send Message: Send a message to the device.
4. Enter the appropriate values for each of the AirWave Add Endpoint Context Server parameters described in Table 320.
5. When satisfied with the settings, click Save.
Table 320: Adding an AirWave Endpoint Context Server > Server Parameters
Select Server Type: 1. Choose AirWave from the Select Server Type drop-down list.
Server Name: 2. Enter a valid server name. You can enter an IP address or hostname.
Server Base URL: 3. Enter the full URL for the AirWave server.
Adding an Aruba Activate Endpoint Context Server
For more information about Activate, refer to the Aruba Activate documentation.
Table 321: Adding an Aruba Activate Endpoint Context Server > Server Parameters (Continued)
Disable Stale Endpoints: 6. To disable stale endpoints in the Endpoint database, enable this option.
Validate Server: 7. Enable Validate Server to validate the server certificate. Checking this option enables the Certificate tab. For information on certificate configuration, see Certificates Tab on page 575.
Enable Server: 8. Enable Enable Server to fetch endpoints from the server.
Figure 571: Add ClearPass Cloud Proxy Endpoint Context Server Tab
Table 322: Add ClearPass Cloud Proxy Endpoint Context Server Parameters
Select Server Type: ClearPass Cloud Proxy
Server Name: The hostname of the cloud instance that will proxy all requests directed to the CPPM server in the enterprise.
Server Base URL: Enter the full URL for the server. The default is the name you entered above with "https://" prepended.
Adding a Google Admin Console Endpoint Context Server
Consult the Google Developer documentation for information about the parameters that you must enter to configure this endpoint.

Server Tab
The following figure displays the Add Endpoint Context Server - Server (Google Admin Console) tab:
Figure 572: Add Endpoint Context Server - Server (Google Admin Console) Tab
You can add more than one endpoint context server of the same type. For example, you can add more than one AirWatch endpoint context server.
Table 323: Add Endpoint Context Server - Server (Google Admin Console) Tab Parameters (Continued)
Validate Server: Enable to validate the server certificate. Checking this option enables the Certificate tab. For more information on certificates, see Certificates Tab on page 578.
Enable Server: Enable this field to fetch endpoints from the server.
Bypass Proxy: Select the Enable to bypass proxy server check box to bypass the proxy server.
Adding a Generic HTTP Endpoint Context Server
The following figure displays the Generic HTTP Add Endpoint Context Server > Server tab:
Figure 574: Adding a Generic HTTP Endpoint Context Server
You can add more than one endpoint context server of the same type. For example, you can add more than one AirWatch endpoint context server.
Table 324: Add Endpoint Context Server - Server (Generic HTTP) Tab Parameters (Continued)
Validate Server: 6. Enable Validate Server to validate the server certificate. Checking this option enables the Certificate tab.
Bypass Proxy: 7. Enable Bypass Proxy to bypass the proxy server.
8. Click Save to save your changes.
The Add Endpoint Context Server dialog opens in the Server page.
Figure 576: Adding an Infoblox Endpoint Context Server
3. Enter the following information:
   a. Select Server Type: From the drop-down list, select Generic HTTP.
   b. Server Name: Enter the IP address of the Infoblox server.
   c. Server Base URL: As you enter the IP address in the Server Name field, the Server Base URL is populated automatically with the same IP address.
   d.
2. Select the Infoblox Login endpoint context server action. The Endpoint Context Server Details dialog for the selected action is displayed. For descriptions of the parameters in the Endpoint Context Server Details tabs, refer to Configuring Endpoint Context Server Actions on page 563.
Figure 577: Selecting the Infoblox Server for the Endpoint Context Server Action
3. Server Name: Select the IP address of the Infoblox server.
4.
Creating an Infoblox Enforcement Profile
This section describes how to create a simple HTTP-based enforcement profile named "Infoblox Notify" that acts against the Infoblox Login action. For details on configuring enforcement profiles, see Configuring Enforcement Profiles on page 345.
To create an Infoblox enforcement profile:
1. Navigate to Configuration > Enforcement > Profiles. The Enforcement Profiles page opens.
Figure 579: Enforcement Profiles Page
2. Click Add.
   b. Name: Enter Infoblox Notify.
   c. Description: Optionally, enter a description of this enforcement profile.
   d. Click Next. The Enforcement Profiles Attributes page appears.
Figure 581: Specifying the Target Server and Enforcement Action
4. Configure the Enforcement Profile Attributes page as follows:
   a. Target Server: Select the IP address of the Infoblox server.
   b. Action: Select Infoblox Login.
   c. Click Save.
Figure 582: Adding a RADIUS-Based Enforcement Profile
3. Enter the following information:
   a. Template: Select RADIUS Based Enforcement.
   b. Name: Enter Infoblox RADIUS Enforcement.
   c. Description: Optionally, enter a description of this profile.
   d. Click Next. The Enforcement Profiles Attributes page opens.
In the following steps, you will add the four RADIUS Enforcement attributes illustrated in Figure 583.
Figure 583: Adding Attributes to the RADIUS Enforcement Profile
Tunnel-Private-Group-Id
4.
   c. Value: Enter 21600 (which equals six hours in seconds).
Tunnel-Type
6. Click Click to add....
   a. Type: Select Radius:IETF.
   b. Name: Select Tunnel-Type.
   c. Value: Select VLAN.
Termination-Action
7. Click Click to add....
   a. Type: Select Radius:IETF.
   b. Name: Select Termination-Action.
   c. Value: Select RADIUS-Request.
8. Click Save. You return to the Enforcement Profiles page.
4. Click Add Rule. The Rules Editor dialog appears.
Figure 585: Configuring Infoblox Enforcement Policy Rules
5. In the Conditions panel, click Click to add, then enter the following information:
   a. Type: Select Tips.
   b. Name: Select Role.
   c. Operator: Select EQUALS.
   d. Value: Select User Authenticated.
6. In the Enforcement Profiles panel:
   a. Click Select to Add. You must add the enforcement profiles in the order specified here.
   b. Select [RADIUS] Infoblox RADIUS Enforcement.
   c. Click Select to Add.
   d.
Defining an Infoblox Service
This section describes how to create a Generic RADIUS Enforcement wireless service named "Infoblox Service" for the policy "Infoblox Policy."
To create the wireless service:
1. Navigate to Configuration > Services. The Services page opens.
2. Click Add. The Add Services page opens.
Figure 587: Adding an Infoblox Wireless Service
3. Enter the following information:
   a. Type: Select 802.1X Wireless.
   b. Name: Enter Infoblox Wireless Service.
   c.
4. Enter the following information:
   a. Authentication Methods: Select the authentication method. This example uses EAP MSCHAPv2.
   b. Authentication Sources: Select the authentication source(s). This example uses Local SQL DB.
5. Select the Enforcement tab.
Figure 589: Specifying the Enforcement Policy for the Service
6. From the Enforcement Policy drop-down, select Infoblox Policy, then click Next. The Infoblox Wireless Service Summary page is displayed.
7.
Figure 590: Infoblox Server Initial Page
2. Select the Data Management tab, then select the DHCP tab. The DHCP Networks page appears.
Figure 591: Adding an IPv4 Network
3. To add a new network, click the Plus icon. The Add IPv4 Network Wizard begins.
Figure 592: Adding an IPv4 Network
4. With Add Network selected by default, click Next. The following screen appears.
Figure 593: Specifying the Netmask
5. In the Netmask field, specify the netmask for the new network. The netmask is set by default to /24 (that is, a Class C IP address), but you can set the netmask to any appropriate value for your network.
6. To add an IPv4 network, in the Networks panel, click the Plus sign (see Figure 593).
7. In the Networks field, enter the IP address of the network, then click Next. The Members screen appears.
Figure 594: Adding Members
8. Click the Plus sign.
Figure 595: Specifying the Lease Time (Session-Timeout Value)
10. In the Lease Time Override panel, click Override.
11. In the Lease Time field, enter 21600; from the drop-down, select Seconds. Then click Next. The Lease Time value you enter here must correspond to the Session-Timeout value defined under Infoblox RADIUS Enforcement (see Figure 583). The Extension Attributes screen opens. No changes are required here.
12. Click Next. The Create IPv4 Network screen opens.
Figure 597: New IPv4 Network Created

Creating a Filter to Accept Information from the W-ClearPass Server
To create a filter to accept information from the W-ClearPass server:
1. From the Data Management > DHCP tab, select the newly created network. The Networks page opens.
2. Select the IPv4 Filters tab.
3. To add a filter, click the Plus sign. The Add IPv4 MAC Address Filter dialog opens.
4. In the Name field, enter W-ClearPass.
Note.
Figure 599: Specifying the MAC Address Expiration in the IPv4 MAC Address Filter
7. For the Default MAC Address Expiration setting:
   a. Select the Automatically Expires in button.
   b. Specify 21600 Seconds.
   c. Then click Next. The Extensible attributes screen appears.
8. No changes are required for this step, so click Next. In Step 5, the Schedule Change dialog appears.
Figure 600:
8. Specify the Schedule Change settings:
   a. If you wish to run the MAC address filter now, select Now.
   b.
- Defining a Juniper SRX Wireless Service
For more information about the parameters that you must enter to configure this endpoint context server, consult Juniper Networks' documentation.
Integrating W-ClearPass with Juniper Networks SRX typically tags the username context, as well as the external devices being authenticated, along with their respective MAC addresses, which further simplifies IP address management on the Juniper SRX side.
Table 325: Specifying Juniper Networks SRX Endpoint Context Server - Server Page Parameters
Select Server Type: Choose Juniper Networks SRX from the drop-down list.
Server Name: Enter a valid server name. You can enter an IP address or a host name.
Server Base URL: Enter the full URL for the server. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber
Username: Enter the username.
Password: Enter and verify the password.
Adding a Context Server Action to the Juniper SRX Server
Figure 602 displays the Juniper Networks SRX Add Endpoint Context Server - Actions page:
Figure 602: Adding a Juniper Networks SRX Endpoint Context Server - Actions Page
Table 326 describes the Endpoint Context Server Actions that are available:
Table 326: Juniper Networks SRX Endpoint Context Server Actions
Juniper Networks SRX Login: Endpoint Context Server action to send a user or device login context to a Juniper SRX server.
Figure 603: Endpoint Context Server Details for the Juniper SRX Action
For descriptions of the parameters in the Endpoint Context Server Details pages, refer to Configuring Endpoint Context Server Actions on page 563.
3. If necessary, modify the parameters in the Action page, then click Save.
4. To specify a content type and add non-default context server attributes, select the Content tab.
Figure 605: Content for the Juniper Networks SRX Logout Action
5. Make any necessary changes to the Content page, then click Save. You return to the Endpoint Context Servers page, where the endpoint context server you added is now listed.

Creating a Juniper SRX Enforcement Profile
This section describes how to create a session-notification enforcement profile named "Juniper SRX Notify" that acts against the Juniper SRX Login action.
Figure 607: Adding the Juniper SRX Enforcement Profile
3. Configure the Add Enforcement Profile page as follows:
   a. Template: Select Session Notification Enforcement. For details on configuring session notification enforcement profiles, see Session Notification Enforcement on page 379.
   b. Name: Enter Juniper SRX Notify.
   c. Description: Optionally, enter a description of this enforcement profile.
   d. Click Next. The Enforcement Profiles Attributes page appears.
   c. Value: Select the IP address of the Juniper SRX server.
Login Action
6. Click Click to add....
   a. Type: Select Session-Notify.
   b. Name: Select Login Action.
   c. Value: Select Juniper Networks SRX Login.
Logout Action
7. Click Click to add....
   a. Type: Select Session-Notify.
   b. Name: Select Logout Action.
   c. Value: Select Juniper Networks SRX Logout.
8. Click Save. You return to the Enforcement Profiles page, where the Juniper Networks SRX Notify enforcement profile is now listed.
Figure 610: Configuring Juniper SRX Enforcement Policy Rules
Specify Conditions
5. In the Conditions panel, click Click to add, then enter the following information:
   a. Type: Select Tips.
   b. Name: Select Role.
   c. Operator: Select EQUALS.
   d. Value: Select User Authenticated.
Specify the Enforcement Profile
6. In the Enforcement Profiles panel:
   a. Click Select to Add.
   b. Select [Post Authentication] Juniper SRX Notify.
7. Click Save.
8.
To create the Juniper SRX wireless service:
1. Navigate to Configuration > Services. The Services page appears.
2. Click Add. The Add Services page appears.
Figure 612: Adding a Juniper SRX Wireless Service
3. Specify the following information:
   a. Type: Select 802.1X Wireless.
   b. Name: Enter Juniper SRX Wireless Service.
   c. Description: Optionally, enter a description of this service.
   d. In the Service Rule panel, set Matches to ANY, then click Next. The Authentication page appears.
This example uses EAP MSCHAPv2 as the authentication method.
   b. Authentication Sources: Select the authentication source(s). This example uses [Local User Repository] [Local SQL DB] as the authentication source.
5. Select the Enforcement tab.
Figure 614: Specifying the Enforcement Policy for the Juniper SRX Wireless Service
6. From the Enforcement Policy drop-down, select Juniper SRX Policy, then click Next. The Juniper SRX Wireless Service Summary is displayed.
7.
The following table describes the Add Endpoint Context Server - Server (JAMF) tab parameters:

Table 327: Add Endpoint Context Server - Server (JAMF) Tab Parameters
   Select Server Type: Choose JAMF from the drop-down list.
   Server Name: Enter a valid server name. You can enter an IP address or hostname.
   Server Base URL: Enter the full URL for the server. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber
Adding a MaaS360 Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.

Server Tab
The following figure displays the Add Endpoint Context Server - Server (MaaS360) tab:

Figure 616: Add Endpoint Context Server - Server (MaaS360) Tab

You can add more than one endpoint context server of the same type. For example, you can add more than one AirWatch endpoint context server.
Table 328: Add Endpoint Context Server - Server (MaaS360) Tab Parameters (Continued)
   Password / Verify Password: Enter and verify the password.
   Application Access Key: Enter the application access key (API key).
   Application ID: Enter the application ID.
   Application Version: Enter the application version number.
   Platform ID: Enter the platform version number.
   Billing ID: Enter the billing ID.
   Validate Server: Enable to validate the server certificate.
Actions Tab
The following figure displays the Add Endpoint Context Server - Actions (MaaS360) tab:

Figure 617: Add Endpoint Context Server - Actions (MaaS360) Tab

The following table describes the Add Endpoint Context Server - Actions (MaaS360) tab parameters:

Table 329: Add Endpoint Context Server - Actions (MaaS360) Tab Parameters
   Approve Device in Messaging System: Approve the device in Messaging System.
   Block Device in Messaging System: Block the device in Messaging System.
Table 329: Add Endpoint Context Server - Actions (MaaS360) Tab Parameters (Continued)
   Revoke Selective Wipe: Cancel a Selective Wipe that was executed on the device.
   Search Action History: Search the action history by Device ID.
   Selective Wipe Device: Execute a Selective Wipe on a device.
   Wipe Device: Delete all information stored on a device.
Table 330: Adding a MobileIron Endpoint Context Server - Server Page Parameters
   Select Server Type: 1. Choose MobileIron from the drop-down list.
   Server Name: 2. Enter a valid server name. You can enter an IP address or host name.
   Server Base URL: 3. Enter the full URL for the server. You can append a custom port, such as for an MDM server: https://yourserver.yourcompany.com:customerportnumber
   Username: 4. Enter the username.
   Password: 5. Enter and verify the password.
Table 331: Adding a MobileIron Endpoint Context Server - Actions Page Parameters
   Get Labels: Get the label information of the device.
   Lock Device: Lock the device.
   Remote Wipe: Delete all information stored on the device.
   Send Message: Send a message to the device.
   Unlock Device: Unlock the device.

9. When satisfied with the Action settings, click Save.
You can add multiple endpoint context servers of the same type.
4. Enter the appropriate values for each of the Palo Alto Networks Firewall Add Endpoint Context Server parameters described in Table 332.
5. When satisfied with the settings, click Save.

Table 332: Add Endpoint Context Server: Palo Alto Networks Firewall Parameters
   Select Server Type: Choose Palo Alto Networks Firewall from the drop-down list.
   Server Name: Enter a valid server name.
Adding a Palo Alto Networks Panorama Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.

The following figure displays the Add Endpoint Context Server - Server (Palo Alto Networks Panorama) tab:

Figure 621: Add Endpoint Context Server - Server (Palo Alto Networks Panorama) Tab

You can add more than one endpoint context server of the same type.
Table 333: Add Endpoint Context Server - Server (Palo Alto Networks Panorama) Tab Parameters (Continued)
      - Prefix NETBIOS name: Prefix the NETBIOS name in UID updates.
      - Use Full Username: Use the full username in UID updates.
   GlobalProtect: Enable to send the HIP report to the firewall. The GlobalProtect license should be enabled on the firewall for this to work.
   Send Posture Data: Enable to send posture data to the Palo Alto Networks firewall after authentication.
Server Tab
The following figure displays the Add Endpoint Context Server - Server (SAP Afaria) tab:

Figure 622: Add Endpoint Context Server - Server (SAP Afaria) Tab

You can add more than one endpoint context server of the same type. For example, you can add more than one AirWatch endpoint context server.
Actions Tab
The following figure displays the Add Endpoint Context Server - Actions (SAP Afaria) tab:

Figure 623: Add Endpoint Context Server - Actions (SAP Afaria) Tab

The following table describes the Add Endpoint Context Server - Actions (SAP Afaria) tab parameters:

Table 335: Add Endpoint Context Server - Actions (SAP Afaria) Tab Parameters
   Enterprise Wipe: Delete data related to corporate information.
   Lock Device: Lock the associated device.
Figure 624: Adding a SOTI Endpoint Context Server > Server (SOTI) Dialog

You can add more than one endpoint context server of the same type.

The following table describes the SOTI Add Endpoint Context Server > Server parameters:

Table 336: Adding a SOTI Endpoint Context Server > Server Parameters
   Select Server Type: 1. Choose SOTI from the Select Server Type drop-down list.
   Server Name: 2. Enter a valid server name. You can enter an IP address or a hostname.
Table 336: Adding a SOTI Endpoint Context Server > Server Parameters (Continued)
   Enable Server: 8. Enable Enable Server to fetch endpoints from the server.
   Bypass Proxy: 9. Enable Bypass Proxy to bypass the proxy server.
10. To save your changes, click Save.

Adding a XenMobile Endpoint Context Server
Consult the endpoint manufacturer's documentation for information about the parameters that you must enter to configure this endpoint.
Table 337: Add Endpoint Context Server - Server (XenMobile) Tab Parameters (Continued)
      /api/?type=keygen&user={username}&password={password}
   Username: Enter the username.
   Password / Verify Password: Enter and verify the password.
   Validate Server: Enable to validate the server certificate. Checking this option enables the Certificate tab.
   Enable Server: Enable to fetch endpoints from the server.
   Bypass Proxy: Enable to bypass the proxy server.
The following figure displays the Add File Backup Server page:

Figure 626: File Backup Servers - Add File Backup Server Page

The following table describes the Add File Backup Server page parameters:

Table 338: Add File Backup Server Page Parameters
   Host: Enter the name or IP address of the host.
   Description: Enter a description that provides additional information about the File Backup server.
Table 338: Add File Backup Server Page Parameters (Continued)
   Username: Enter the user name of the host server.
   Password / Verify Password: Enter and verify the password of the host server.
   Timeout: Specify the timeout value in seconds. The default value is 30 seconds.
   Remote Directory: Specify the location to which the files are to be copied. A folder is automatically created in the file path that you specify, based on the ClearPass servers selected in the ClearPass Servers field.
The following table describes the Server Certificate parameters:

Table 339: Server Certificate Parameters
   Create Self-Signed Certificate: Opens the Create Self-Signed Certificate page, where you can create and install a self-signed certificate. For more information, see Creating a Self-Signed Certificate on page 627.
   Create Certificate Signing Request: Opens the Create Certificate Signing Request page, where you can create and install a Certificate Signing Request.
The following table describes the RADIUS Server Certificate parameters:

Table 340: RADIUS Server Certificate Parameters
   Subject: Displays the Organization and Common Name.
   Issued by: Displays the Organization and Common Name.
   Issue Date: Displays the date the self-signed certificate was installed.
   Expiry Date: Displays the date (in days) when the self-signed certificate expires.
   Validity Status: Displays the validity status of the self-signed certificate.
Table 341: HTTPS Server Certificate Parameters (Continued)
   Expiry Date: Displays the date (in days) when the self-signed certificate expires.
   Validity Status: Displays the validity status of the self-signed certificate.
   Details: Click the View Details button to view details about the certificate, such as the Signature Algorithm, Subject Public Key Info, and more.
The following figure displays the Create Certificate Signing Request page in the FIPS mode pop-up:

Figure 631: Create Certificate Signing Request - FIPS Mode Pop-up

The following table describes the Create Certificate Signing Request parameters:

Table 342: Create Certificate Signing Request Parameters
   Common Name (CN): Enter the name associated with this entity. This can be a host name, IP address, or other name. The default is the fully-qualified domain name (FQDN).
Table 342: Create Certificate Signing Request Parameters (Continued)
   Subject Alternate Name (SAN):
      - email: email_address
      - URI: uri
      - IP: ip_address
      - dns: dns_name
      - rid: id
      This field is optional.
   Private Key Password / Verify Private Key Password: Enter and re-enter the Private Key password.
   Private Key Type: Select the length for the generated private key types from the following options:
      - 1024-bit RSA
      - 2048-bit RSA
      - 4096-bit RSA
      - X9.
Figure 632: Create Certificate Signing Request Pop-up

Creating a Self-Signed Certificate
After you select a server and a certificate type, you can create and install a self-signed certificate.

To create a self-signed certificate:
1. Navigate to Administration > Certificates > Server Certificate.
2. Select a server, for example, localhost.
3. Click the Create Self-Signed Certificate link. Configure the parameters based on Table 343.
4. Click Submit.
5.
The following figure displays the Create Self-Signed Certificate pop-up:

Figure 633: Create Self-Signed Certificate Pop-up
The following figure displays the Create Self-Signed Certificate page in the FIPS mode pop-up:

Figure 634: Create Self-Signed Certificate Page - FIPS Mode Pop-up

The following table describes the Create Self-Signed Certificate parameters:

Table 343: Create Self-Signed Certificate Parameters
   Selected Server: Displays the name of the selected server on the Server Certificate page.
   Selected Type: Displays the selected certificate type for the server on the Server Certificate page.
Table 343: Create Self-Signed Certificate Parameters (Continued)
   Location (L) / State (ST) / Country (C): Enter the name of the location, state, country, and/or other meaningful name. These fields are optional.
   Subject Alternate Name (SAN): Enter the alternative names for the specified Common Name. This field is optional.
      NOTE: Enter the SAN in the following formats:
      - email: email_address
      - URI: uri
      - IP: ip_address
      - dns: dns_name
      - rid: id
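The SAN entries on both the Create Certificate Signing Request and the Create Self-Signed Certificate pages share the same "type: value" form (email, URI, IP, dns, rid). The following Python is an added example, not W-ClearPass code, that checks a list of such entries before they are pasted into the form; the manual only names the five types, so the validation rule applied to each value, and the function names, are assumptions.

```python
"""Validate Subject Alternate Name (SAN) entries written as "type: value".

Added example, not W-ClearPass code. The five type names come from the
manual; the per-type validation rules below are assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Types the manual lists; matched case-insensitively ("IP" and "dns" both appear).
SAN_TYPES = ("email", "uri", "ip", "dns", "rid")

_EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")
# DNS label: 1-63 chars of letters, digits and hyphens, not starting or ending with '-'.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_OID_RE = re.compile(r"^\d+(\.\d+)+$")   # dotted OID such as 1.3.6.1.4.1


class SanError(ValueError):
    """Raised when a SAN entry does not match the documented formats."""


def parse_san(entry: str) -> tuple[str, str]:
    """Split 'type: value' into (type, value); whitespace around ':' is allowed."""
    if ":" not in entry:
        raise SanError(f"missing ':' in SAN entry: {entry!r}")
    san_type, value = entry.split(":", 1)
    san_type, value = san_type.strip().lower(), value.strip()
    if san_type not in SAN_TYPES:
        raise SanError(f"unknown SAN type {san_type!r}")
    if not value:
        raise SanError(f"empty value for SAN type {san_type!r}")
    return san_type, value


def _valid_dns(name: str) -> bool:
    if len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":          # wildcard allowed in the leftmost label only
        labels = labels[1:]
    return bool(labels) and all(_LABEL_RE.match(label) for label in labels)


def validate_san(entry: str) -> tuple[str, str]:
    """Return (type, normalised value) or raise SanError.

    Assumed rules: email is local@domain; IP is a single IPv4/IPv6 literal
    (not a network); dns is an RFC 1035-style hostname; URI must carry a
    scheme; rid is a dotted OID.
    """
    san_type, value = parse_san(entry)
    if san_type == "email":
        if not _EMAIL_RE.match(value):
            raise SanError(f"bad email address: {value!r}")
        return san_type, value
    if san_type == "ip":
        try:
            return san_type, str(ipaddress.ip_address(value))
        except ValueError:
            raise SanError(f"bad IP address: {value!r}") from None
    if san_type == "dns":
        if not _valid_dns(value):
            raise SanError(f"bad DNS name: {value!r}")
        return san_type, value.lower().rstrip(".")
    if san_type == "uri":
        if not urlsplit(value).scheme:
            raise SanError(f"URI without scheme: {value!r}")
        return san_type, value
    if not _OID_RE.match(value):              # rid
        raise SanError(f"bad rid (OID): {value!r}")
    return san_type, value


def validate_san_list(entries) -> list[tuple[str, str]]:
    """Validate every entry; the first bad entry raises, so nothing half-checked is returned."""
    return [validate_san(e) for e in entries]


if __name__ == "__main__":
    # Constructed sample input in the manual's format.
    sample = ["dns: radius.example.com", "IP: 10.0.0.5", "email: admin@example.com",
              "URI: https://cppm.example.com/", "rid: 1.3.6.1.4.1"]
    for san_type, value in validate_san_list(sample):
        print(f"{san_type:5} -> {value}")
```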
The following figure displays the Create Self-Signed Certificate pop-up.

Figure 635: Create Self-Signed Certificate Pop-up

The following table describes the Create Self-Signed Certificate parameters configured:

Table 344: Self-Signed Certificate Parameters
   Selected Server: Displays the name of the server selected on the Server Certificate page.
   Selected Type: Displays the selected certificate type for the server.
Table 344: Self-Signed Certificate Parameters (Continued)
   Validity Status: Displays the validity status of the certificate.
   Signature Algorithm: Displays the Digest Algorithm and Private Key Type selected during certificate configuration.
   Public Key Format: Displays the public key format in use for the self-signed server certificate.

Exporting a Server Certificate
Navigate to Administration > Certificates > Server Certificates, and click the Export Server Certificate link.
Table 345: Import Server Certificate Parameters (Continued)
   Private Key File: Browse to the private key file to be imported.
   Private Key Password: Specify the private key password that was entered when the server certificate was configured.

Certificate Trust List
The Certificate Trust List page displays a list of trusted Certificate Authorities (CA). On this page, you can add, view, or delete a certificate.
The following table describes the Certificate Trust List parameters:

Table 346: Certificate Trust List Parameters
   Subject: Displays the Distinguished Name (DN) of the subject field in the certificate.
   Validity: Indicates whether the CA certificate is valid or expired.
   Enabled: Indicates whether the CA certificate is enabled or disabled.

Adding a Certificate
1. Navigate to Administration > Certificates > Trust List.
2. Click the Add link in the top right section of the page.
3.
Certificate Revocation Lists
This section provides the following information:
- About Certificate Revocation Lists
- Adding a Certificate Revocation List
- Deleting a Certificate Revocation List

About Certificate Revocation Lists
A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted.
Table 348: Add Certificate Revocation List Parameters
   File: Enable the File button to use a distribution file as the CRL distribution point. File is enabled by default.
   Distribution File: To select the distribution file from which to fetch the certificate revocation list, click Browse and select the CRL distribution file.
   URL: Enable the URL button to use a URL as the CRL distribution point. Selecting URL enables the Distribution URL option.
RADIUS Dictionary
This page includes the list of available vendor dictionaries. To configure RADIUS dictionaries, navigate to Administration > Dictionaries > RADIUS.

The following figure displays the RADIUS Dictionaries page:

Figure 641: RADIUS Dictionaries

Click a row to view the dictionary attributes, to enable or disable the dictionary, and to export the dictionary. For example, click the vendor IETF to see all IETF attributes and their data types.
The following table describes the RADIUS Attributes parameters:

Table 349: RADIUS Dictionary Attributes Parameters
   Export: Click to save the dictionary file in XML format. You can make modifications to the dictionary and import the file back into W-Policy Manager.
   Enable/Disable: Enable or disable this dictionary. Enabling a dictionary makes it appear in the W-Policy Manager rules editors (Service rules, Role mapping rules, etc.).
Import link. To add or modify attributes in an existing service dictionary, select the dictionary, export it, make edits to the XML file, and import it back into W-Policy Manager.

The following figure displays the TACACS+ Services Dictionaries page:

Figure 644: TACACS+ Services Dictionaries Page

The following table describes the TACACS+ Services Dictionaries parameters:

Table 351: TACACS+ Services Dictionaries Parameters
   Import: Click to open the Import Dictionary pop-up.
The following figure displays the TACACS+ Service Dictionary Attributes pop-up:

Figure 645: TACACS+ Service Dictionary Attributes Pop-up

Fingerprints Dictionary
The Device Fingerprints page shows a listing of all the device fingerprints recognized by the Profile module. These fingerprints are updated from the Dell W-ClearPass Update Portal (see Updating Policy Manager Software on page 646 for more information).
You can click on a line in the Device Fingerprints list to drill down and view additional details about the category. The following figure displays the Device Fingerprint Dictionary Attributes pop-up.
The Dictionary Attributes page appears:

Figure 648: Dictionary Attributes Page

Table 352 describes the Dictionary Attributes parameters:

Table 352: Dictionary Attributes Parameters
   Filter: Use the Filter drop-down list to create a search based on the available Name, Entity, Data Type, Is Mandatory, or Allow Multiple settings.
   Name: The name of the attribute.
   Entity: Indicates whether the attribute applies to a Local User, Guest User, Device, or Endpoint.
Figure 649: Add Attribute Dialog

2. Enter the information in the fields described in the following table.

Table 353: Attribute Setting Parameters
   Entity: Specify whether the attribute applies to a Device, Endpoint, Guest User, Local User, or Onboard.
   Name: Enter a unique ID for this dictionary attribute.
   Data Type: From the drop-down, specify the data type.
Figure 650: Importing Dictionary Attributes

2. Enter the Import from File parameters as described in Table 354.

Table 354: Import From File Parameters
   Select File: Browse to select the file that you want to import.
   Enter secret for the file (if any): If the file that you want to import is password protected, enter the secret here.

3. When finished, click Import. The imported file is in XML format.
Table 355: Export to File Parameters
   Export file with password protection: The Yes option is enabled by default. If you wish to disable password protection when exporting a file, select No.
   Secret Key: If the file that you want to export is password protected, enter the secret here. Then verify the secret key.

3. When finished, click Export. The TagDictionary.xml file is created.
4. Download the file.
2. To see the application attributes, click the name of an application. The Application Attributes dialog box appears.

Figure 653: Application Attributes Dialog

Deleting an Application Dictionary
In general, there is no need to delete an application dictionary. Application dictionaries have no effect on W-Policy Manager performance.

To delete an application dictionary:
1. Navigate to Administration > Dictionaries > Applications.
2. Click the check box next to an application name.
3. Click Delete.
Introduction
This section describes the W-ClearPass Policy Manager server software update process. Use the Software Updates page to register for and receive live updates for:
- Posture updates, including antivirus, antispyware, and Windows updates
- Profile data updates, including Fingerprint
- Software upgrades for the W-ClearPass family of products
  - Patch binaries, including Onboard, Guest Plug-ins, and Skins

You can also:
- Reinstall a patch in the event the previous installation attempt fails.
Table 356 describes the Software Updates parameters:

Table 356: Software Updates Parameters
   Subscription ID: 1. Enter the Subscription ID provided to you. This text box is enabled only on a Publisher node. You can opt out of automatic downloads at any time by saving an empty Subscription ID.
   Save: 2. To save the Subscription ID, click Save. This button is enabled only on a Publisher node.
Table 356: Software Updates Parameters (Continued)
   Needs Restart: The Needs Restart link appears when an update needs a reboot of the server in order to complete the installation. Clicking this link displays the Install Update dialog box, which shows the log messages generated during the installation.
   Installed: The Installed link appears when an update has been successfully installed.
The following figure displays the Install Update pop-up:

Figure 655: Install Update Pop-up

The following table describes the Install Update parameters:

Table 357: Install Update Parameters
   Reboot: 1. To initiate a reboot of the server, click Reboot. The Reboot button appears only for updates that require a reboot to complete the installation.
   Clear & Close: 2. To delete the log messages and close the dialog, click Clear & Close.
The Webservice itself is refreshed with the Antivirus and Antispyware data hourly, and with Windows Updates daily. Fingerprint data and Firmware & Patches are refreshed as and when new ones are available. An event is generated and displayed in the Event Viewer with the list of new updates that are available. If an SMTP server and Alert Notification email addresses are configured, an email from the Publisher is sent with the list of downloaded images.
Accessing OnGuard Agent Support Charts
For information about the OnGuard Agent Support Charts that are included with W-ClearPass Policy Manager, navigate to Administration > Support > Documentation > OnGuard Agent Support Charts.

Configuring OnGuard Settings
To configure the OnGuard settings:
1. Navigate to Administration > Agents and Software Updates > OnGuard Settings. The OnGuard Settings main page appears:

Figure 656: OnGuard Settings Main Page

2.
Table 358: OnGuard Settings Parameters (Continued)
      - Install and enable Aruba VIA component
   Windows: 4. Use the download link to download the OnGuard Agent for Windows. This binary file is provided in .exe and .msi formats.
   Mac OS X: 5. Use the download link to download the OnGuard Agent for Mac OS X. This binary file is in .DMG format.
   Ubuntu: 6. Use the download link to download the Ubuntu Agent for Linux. This binary file is in .tar.gz format.
Table 358: OnGuard Settings Parameters (Continued)
   Agent action when an update is available: Determines what the agent does when an update is available. 12. Select one of the following options:
      - Ignore: W-ClearPass Policy Manager ignores the available update.
      - Notify User: W-ClearPass Policy Manager notifies the user that an update is available.
      - Download and Install: W-ClearPass Policy Manager automatically downloads and installs an update when it is available.
4. Name: Select the desired Global Agent Setting (see Table 359).
5. Value: Specify the appropriate value.
6. Repeat these steps as necessary for each additional setting, then click Save.

Global Settings Parameters for OnGuard Agents
Table 359 describes the Global Settings parameters for OnGuard agents:

Table 359: Configure Global Settings Parameters
   Name: Allowed Subnets for Wired access: Add a comma-separated list of IP addresses or subnet addresses.
Table 359: Configure Global Settings Parameters (Continued)
      This parameter is valid only for wired and wireless interface types.
      - This parameter is not applicable for the OnGuard Dissolvable Agent, VPN, and Other interface types.
      You can also specify the health check interval in the Agent Enforcement profile (Configuration > Agent enforcement > New attribute) to create different Agent Enforcement Profiles for different users.
Table 360: Global Agent Settings: Run OnGuard As Parameters
   Agent: Health checks are performed by the OnGuard Agent after the user logs in to the client.
   Service: The OnGuard Agent performs health checks as soon as the client boots up, that is, even before the user logs in to the client. When a user logs in to the client, the user can view the most recent health check results via the OnGuard Agent user interface. The user can perform health checks again by clicking the Retry button.
Remote Assistance
This section provides the following information:
- Remote Assistance Process Flow
- Adding a Remote Assistance Session

The Remote Assistance feature enables the W-ClearPass Policy Manager administrator to allow a support engineer to remotely log in to the W-ClearPass Policy Manager server using Secure Shell (SSH) and perform the following tasks:
- View the W-ClearPass Policy Manager user interface to debug any issues the customer is experiencing.
Table 361: Remote Assistance Session Parameters (Continued)
   Saving
      - Scheduled
      - Initiated
      - Running
      - Terminated
      - Failed
      NOTE: You can edit and save a session in the Scheduled, Terminated, and Failed states. Only a session in the Running state can be terminated, by selecting that session and clicking Terminate. You can delete a session in the Scheduled, Terminated, and Failed states by selecting that session and clicking Delete.
Table 363: Add Session Parameters
   Session Name: 1. Enter the name of the Remote Assistance session.
   Session Type: 2. Specify the Session Type:
      - One Time Now
      - One Time Future: Initiates a session at a specified date and time.
      - Weekly: Initiates a session on a specified weekday at the selected time.
      - Monthly: Initiates a session on a specified day of every month at the selected time.
   Duration: 3. Specify the duration of the Remote Assistance session in hours and minutes.
Chapter 12 Cluster Upgrade/Update Tool
This chapter contains the following information:
- Cluster Update Tool
- Cluster Upgrade Tool

Cluster Update Tool
This section provides instructions for updating a W-ClearPass cluster with Patch and Skin releases using the Cluster Update feature. The Cluster Update feature automates the process of updating your W-ClearPass cluster. The cluster Publisher is updated first.
Before Updating the Cluster
- Confirm that the relevant Patch updates are available under Software Updates before starting the cluster update. Download the patches either from the Webservice or by uploading them directly to Software Updates.
- Only patches listed under Software Updates are shown in Cluster Update.
- Confirm that your cluster synchronization and replication are healthy before starting the Cluster Update.
Figure 663: Cluster Update Page

This page includes the information described below in Table 364.

Table 364: Information on the Cluster Update Page
   Update Info: Describes the patch update details, provides a link to the Release Notes, includes release-specific comments, and specifies whether a reboot is required for the patch.
   Database Info: Shows the size of the Configuration database.
   Publisher Details: Information for the Publisher and for all Subscriber nodes in the cluster.
Figure 664: The Start Cluster Update Window

You can update the entire cluster or just a subset of Subscriber nodes.
6. In the Start Cluster Update window, use the check boxes to select the Subscriber nodes to update.
7. To force the update, select Force install patch update under Install Option.
8. Click Update. This initiates the automated update process. No further manual steps are required until all selected Subscriber nodes have been updated. The Publisher is always updated and rebooted first.
Figure 665: Status Indicators in the Update Steps Area

If you navigate to another page and then navigate back to the Software Updates page, a status link is provided.

Figure 666: In Progress Status Link

Clicking the link takes you back to the Cluster Update page.
2. For detailed progress information, click the View Logs button in the Publisher's or Subscriber's row. The Logs window opens. This window includes tabs for the Download, Upgrade, Reboot, and Onboot logs.
Figure 667: Details Displayed on the Logs Window

Cluster Upgrade Tool
This section includes the following information:
- Cluster Upgrade Process Overview
- Before You Upgrade
- Installing the Cluster Upgrade Tool
- Opening the Cluster Upgrade Tool
- Upgrading the W-ClearPass Cluster
- Viewing Upgrade Status
- Steps in the Upgrade Tool's Automated Workflow
- Troubleshooting

Introduction
This section provides instructions for upgrading a W-ClearPass cluster using the Cluster Upgrade Tool. The Cluster Upgrade Tool is a simple user interface that automates the upgrade procedure for a W-ClearPass cluster.
  - Port 22 (SSH)
- Confirm that the Publisher and all Subscriber nodes in the cluster are in sync before starting the upgrade.
- On the Publisher, download the W-ClearPass 6.6 upgrade image from the Software Updates portal (see Updating Policy Manager Software on page 646). The Upgrade Tool automates the process of copying the upgrade image to the selected Subscribers in the cluster.
Figure 668: The Link to the Cluster Upgrade Tool Release Notes

If the Publisher Is Not Set Up
To install the Upgrade Tool if the Publisher is not set up to display available updates:
1. On the Dell Support Site (https://download.dell-pcw.com), manually download the Cluster Upgrade Tool.
2. On the Publisher's Software Updates portal, use the Import Updates link to upload it.
3. Install the Upgrade Tool as described above.
Opening the Tool Via Your Web Browser
To open the Cluster Upgrade Tool directly through your Web browser:
1. Enter https:///upgrade in your browser's address bar.
2. If you are prompted to log in, use your W-ClearPass Policy Manager administrator credentials. The Cluster Upgrade Utility page opens.

Figure 670: The Cluster Upgrade Utility Page

This page includes the information described below in Table 365.
Figure 671: Special Characters Note

Figure 672: More Information > Special Characters Note

Upgrading the W-ClearPass Cluster
To upgrade the W-ClearPass cluster:
1. Navigate to Administration > Agents and Software Updates > Software Updates > Cluster Upgrade.
2. Before you start the upgrade, verify that the W-ClearPass 6.6 Upgrade Image is downloaded and available in the Software Updates portal. If the upgrade image is not available, the Cluster Upgrade page displays a message advising you to download it.
3. When you open the Cluster Upgrade Tool, it immediately prepares the subscribers for upgrade by automatically installing the required additional API support. This is a background process and does not require any actions from the user. A progress indicator is shown during this stage.
No further manual steps are required until all selected Subscribers have been upgraded. For information on the automated process, see Steps in the Upgrade Tool's Automated Workflow on page 674. The Publisher is always upgraded and rebooted first. The Upgrade Tool is not available while the Publisher is rebooted and data migration is in progress.
8.
2. For detailed progress information, click the View Logs button in the Publisher’s or Subscriber’s row. The Logs window opens. This window includes tabs for the Patch, Download, Upgrade, Reboot, and Onboot logs. You can view detailed status in these logs during and after the upgrade. This option is not available while the Publisher is rebooted and data migration is in progress. It is available again when the Publisher upgrade is complete.
4. The Publisher is the first to be upgraded and rebooted. Configuration database and Insight database migration is performed on reboot.
5. When the Publisher upgrade is complete, you can use the Cluster Upgrade Utility page to review log messages.
6. When the Publisher upgrade is complete, upgrade is initiated on each selected Subscriber node. When possible, multiple Subscribers are upgraded in parallel. When each Subscriber node is complete, the Subscriber is rebooted.
7.
Troubleshooting
Troubleshooting tips:
- If you encounter errors while upgrading a Subscriber, use a manual upgrade procedure to upgrade the Subscriber after the root cause of the upgrade failure has been fixed.
- If you need to revert to the previous version of W-ClearPass, you can do so manually from the CLI for individual Subscribers. Be aware that all status and progress information is reset when the Publisher is reverted to a previous version.
Chapter 13 Configuring Processing for Ingress Events
This chapter includes the following information:
- Enabling Ingress Event Dictionaries
- Configuring the Ingress Event Sources
- Configuring an Event-Based Enforcement Service
- Configuring the Ingress Receiving Ports
- Enabling Ingress Events Processing

Overview
This chapter provides the procedures for configuring W-ClearPass Policy Manager to process ingress threat-related events.
Figure 679: Enabling an Ingress Events Dictionary

3. To enable the selected ingress events dictionary, click Enable. You return to the Ingress Events Dictionaries page. The dictionary information is no longer displayed in red and the Enabled column is set to True.

Configuring the Ingress Event Sources

The Event Source is the device that sends Syslog events to W-ClearPass. Any events sent that are not from configured event sources are ignored.
Figure 680: Adding an Event Source

3. Populate the Add Event Source parameters as described in Table 367.

Table 367: Configuring the Event Source Parameters

Parameter / Action/Description
Name: 1. Enter the name of this Event Source.
Description: Optionally, enter a description of this Event Source.
IP Address: 2. Enter the IP address of the device that will send Syslog events to W-ClearPass.
Type: 3. From the drop-down, select the Event Source Type.
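The two rules in this section worth understanding as a receiver behaviour are that an event source is identified by the IP address it sends from, and that syslog arriving from any other address is silently ignored. The following added example (written for this guide, not W-ClearPass code) models that admission check over a constructed event-source table and a few constructed RFC 3164 syslog lines; the source names and types are illustrative, and the 514 port constant mirrors the default receiving port described in this chapter.

```python
"""Added example: admission and parsing of ingress syslog events.

This is an illustration of the behaviour the guide describes, not ClearPass
code: only datagrams from a configured event source are accepted, and each
accepted line is parsed into facility, severity, host and message.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default ingress receiving ports stated in the guide (514 for both TCP and UDP).
DEFAULT_INGRESS_PORTS = {"tcp": 514, "udp": 514}

# Constructed event-source table (names and types are illustrative assumptions).
EVENT_SOURCES: Dict[str, Dict[str, str]] = {
    "192.0.2.10": {"name": "fw-edge-1", "type": "Firewall"},
    "192.0.2.20": {"name": "ids-core", "type": "IDS"},
}

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


@dataclass
class IngressEvent:
    source_ip: str
    source_name: str
    source_type: str
    facility: int   # PRI // 8
    severity: int   # PRI % 8 (0 = emergency ... 7 = debug)
    host: str
    message: str


def parse_syslog(line: str) -> Optional[Tuple[int, int, str, str]]:
    """Split a syslog line into (facility, severity, host, message); None if malformed."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:            # 23 facilities * 8 severities - 1 is the maximum PRI
        return None
    return pri // 8, pri % 8, m["host"], m["msg"]


def accept_event(src_ip: str, line: str,
                 sources: Dict[str, Dict[str, str]] = EVENT_SOURCES) -> Optional[IngressEvent]:
    """Return an IngressEvent if src_ip is a configured source and the line parses, else None."""
    try:
        ip = str(ipaddress.ip_address(src_ip))   # normalises the textual form
    except ValueError:
        return None
    src = sources.get(ip)
    if src is None:                              # unknown sender: ignored, per the guide
        return None
    parsed = parse_syslog(line)
    if parsed is None:
        return None
    facility, severity, host, msg = parsed
    return IngressEvent(ip, src["name"], src["type"], facility, severity, host, msg)


def process_batch(datagrams: List[Tuple[str, str]],
                  sources: Dict[str, Dict[str, str]] = EVENT_SOURCES) -> Tuple[List[IngressEvent], int]:
    """Admit a batch of (sender_ip, payload) pairs; return accepted events and the ignored count."""
    accepted: List[IngressEvent] = []
    ignored = 0
    for src_ip, line in datagrams:
        ev = accept_event(src_ip, line, sources)
        if ev is None:
            ignored += 1
        else:
            accepted.append(ev)
    return accepted, ignored


# Constructed sample datagrams: one from each configured source, one from an
# unconfigured sender, and one malformed payload from a configured source.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", "<132>Jan 27 14:33:39 fw-edge-1 threat: blocked outbound to 198.51.100.7 from 10.2.0.86"),
    ("203.0.113.5", "<132>Jan 27 14:33:40 rogue-box threat: event from an unconfigured sender"),
    ("192.0.2.20", "not a syslog line at all"),
    ("192.0.2.20", "<134>Jan 27 14:33:41 ids-core alert: signature 1234 from 10.2.0.86"),
]

if __name__ == "__main__":
    events, dropped = process_batch(SAMPLE_DATAGRAMS)
    for ev in events:
        print(f"{ev.source_name} ({ev.source_type}) fac={ev.facility} sev={ev.severity}: {ev.message}")
    print(f"ignored: {dropped}")
```

Of the four constructed datagrams only two are admitted: the one from the unconfigured address and the malformed line are dropped, which is the same filtering you rely on when deciding which devices to list as event sources.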
Configuring the Ingress Receiving Ports

The ingress receiving ports are the TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) ports on the W-ClearPass server where the event sources send threat-related events. By default, the ingress receiving port is 514 for both TCP and UDP. You can modify the ingress receiving ports to a custom value as necessary.

To confirm or change the ingress receiving ports on the W-ClearPass server:
1.
1. Navigate to Configuration > Services. The Services page opens. The Services page provides options to add, modify, and remove a service.
2. To add the event-based enforcement service, click Add. The Add Services dialog opens.
3. From the Type drop-down list, select Event-based Enforcement (see Figure 683).

Figure 683: Specifying Event-Based Enforcement

For configuration information for each of the available service types, see Policy Manager Service Types on page 70.
4.
From the Add Services > Enforcement page, you can either select an existing enforcement policy or create a new one.
2. From the Enforcement Policy drop-down list, select the appropriate Event Enforcement policy.
3. If you have not configured Event-type Enforcement policies, click Add New Enforcement Policy to create a new enforcement policy.
4. Specify the values for the remaining parameters as described in Table 368, then click Save.
The following warning dialog is displayed, alerting you to the impact on system performance that may occur when you enable ingress events processing.

Figure 686: Warning Dialog for Enabling Ingress Events Processing

5. To proceed with ingress events processing on this server, click Yes.

For details on the Server Configuration > System Tab parameters, see System Tab on page 462.
Chapter 14 W-ClearPass Insight Reports

This chapter describes how to use the W-ClearPass 6.6 Insight Reporting tool. This chapter includes the following information:
- About W-ClearPass Insight
- About the Insight Dashboard
- Searching the Insight Database
- Creating Alerts
- Creating Reports
- Insight Report Categories Reference
- Administration Operations
- Managing Insight Admin Privileges

About W-ClearPass Insight

This section presents an overview of W-ClearPass Insight.
Browsers Supported

W-ClearPass Insight uses a Web-based management interface. The following browsers are supported:
- Apple Safari 6.2.x, 7.1.x, 8.0
- Google Chrome 47.x, 48.x
- Microsoft Edge 25.x
- Microsoft Internet Explorer 11.0
- Mozilla Firefox 43, 44

Enabling Insight and Specifying a Master Insight Node

Before you can use Insight, you must enable it on the current W-ClearPass server. If multiple nodes in a cluster have Insight enabled, one node should be configured as an Insight Master.
4. Click Save.

Launching Insight

To launch W-ClearPass Insight:
1. Use one of the following methods to launch W-ClearPass Insight.
  - Log in to W-Policy Manager, and then select Insight in the Dashboard > Applications widget. This opens Insight in a new tab.
  - Access W-Policy Manager by pointing the browser to https:///tips, then select the ClearPass Insight link (see Figure 688).
  - Point the browser to https:///insight.
2.
About the Insight Dashboard

This section provides the following information:
- Dashboard Overview
- Adding a Report Widget to the Dashboard Landing Page
- Removing a Report Widget from the Dashboard Landing Page
- Creating a Report or Alert From the Dashboard
- Specifying the Date Range for Data Collection
- Authentication Dashboard
- Endpoints Dashboard
- Guest Dashboard
- Network Dashboard
- Posture Dashboard
- System Dashboard
- System Monitor Dashboard

Dashboard Overview

The Dash
- Top 10 MAC Address Authentications

Adding a Report Widget to the Dashboard Landing Page

When you add a report widget to the Dashboard Landing page, that widget appears in the Landing page and also remains available on its Dashboard category page. For example, if you add the Top 10 Restarted Services widget from the System Dashboard, the Top 10 Restarted Services widget is present in both the Dashboard Landing page and the System Dashboard.
Figure 691: Removing a Widget From the Dashboard

When you refresh the page, that widget will disappear from the Dashboard.

Creating a Report or Alert From the Dashboard

The widgets on the Dashboard include links to the Create Reports and Create Alerts pages. To define and receive a regular report of data for that Dashboard:
- To open the Create Reports wizard from the Dashboard, click the down-arrow icon in the widget title bar and select Create Report.
Figure 692: Opening the Reports or Alerts Wizard from the Dashboard

For detailed procedures to create reports and alerts, see Creating Reports on page 706 and Creating Alerts on page 699.

Specifying the Date Range for Data Collection

By default, the Insight widgets, including those on the Dashboard page as well as all the other Insight widgets, such as Endpoints, Guest, Posture, and so on, display information collected over the previous seven days.
Figure 693: Specifying a Custom Date Range

3. Select the Start Date and End Date from the calendar, then click Apply. The Dashboard widgets then display the information for the specified range of dates.

Authentication Dashboard

Authentication Dashboard widgets focus on authentication analytics and include widgets on trends, distribution, status, service, alerts, and statistics. To access the Authentication Dashboard, navigate to Dashboard > Authentication.
For more information about the Authentication reports and the widgets provided for each report, see Authentication Category Reports on page 714.

Endpoints Dashboard

The Endpoints Dashboard widgets provide analytics that focus on Endpoint trends, distribution, device profile, and bandwidth usage. To access the Endpoints Dashboard, navigate to Dashboard > Endpoints.
Guest Dashboard

To access the Guest Dashboard, navigate to Dashboard > Guest.

Figure 696: Guest Dashboard

The following widgets are included by default on the Guest Dashboard:
- Guests Authentication Trend
- Unique Guest Authentication
- Guests Provisioned
- Guest Device Category
- Guest Device Family
- Guest Device Name
- Top 20 Bandwidth Guest Users

For more information about the Guest reports and the widgets provided for each report, see Guest Authentication Category Reports on page 718.
Network Dashboard

To access the Network Dashboard, navigate to Dashboard > Network.

Figure 697: Network Dashboard: NAD Vendor Distribution

The following widget is included on the Network Dashboard:
- NAD Vendor Distribution

This widget displays the list of all the NAD (Network Access Device) vendors, including the number of NADs by each vendor.
The following widgets are included by default on the Posture Dashboard:
- Health Status
- Unhealthy Devices

For more information about the Posture-related reports, see OnGuard Category Reports on page 721.

System Dashboard

To access the System Dashboard, navigate to Dashboard > System.
Figure 700: System Monitor Dashboard

The following widgets are included by default on the System Monitor Dashboard:
- Authentication Health
- End-to-End Request Processing Time
- Memory Usage
- Swap Memory Usage
- Disk Usage
- CPU Usage
- CPU Load

The System Monitor Dashboard differs from the other Dashboard pages in that it can show data for two hours only (2h). To define a custom two-hour time slot:
1. Click the Custom drop-down list.
Searching the Insight Database

This section provides the following information:
- About Insight Search
- Search Example

About Insight Search

Use the Insight Search feature to query the Insight database. You can search for the following entities:
- Clients by MAC address, hostname, or IP address
- Usernames
- W-ClearPass servers by name or IP address
- Network access devices by name or IP address

You can add clients and users to the Watchlist from Search results.
Figure 704: Locating and Identifying the Search Object

3. Select the search object. The Endpoint MAC Address report is automatically displayed (see Figure 705).
- Irregular network device access activity
- Users attempting privileged commands on network devices
- Irregular activity on the W-ClearPass servers

Reports and alerts include templates for easy configuration. These templates allow you to quickly configure and monitor network activity. In addition to email notifications, you can also send alerts to mobile devices via SMS, providing the capability to receive mission-critical information on the go.
Table 369: Create New Alert Parameters

Alert Field / Action/Description
Alert Name: 1. Enter the name of the alert.
Description: 2. Optionally, enter a summary description of the alert.
Category: 3. Select the alert Category, then specify the desired alert type in the selected category:
  - Authentication
    a. Failed Authentication
    b. Total Authentication
  - System
  - TACACS
    a. TACACS Commands
    b. TACACS Failures
Notifications: 4. Specify report notifications.
  - Notify by Email.
or to mobile devices via SMS. This allows the authentication failure to be resolved proactively before the problem is reported by the user. The Watchlist generates an alert only when an unsuccessful authentication for a specific device occurs.

Default Watchlist Trigger Settings

The default Watchlist trigger settings are as follows:
- Severity = Critical
- Threshold = 1
- Interval = 30 seconds

You cannot edit the Watchlist trigger settings.

To modify the User Watchlist:
1.
Figure 709: Modifying the User Watchlist

3. Enter the desired settings for each User Watchlist parameter as described in Table 370.

Table 370: Modify User Watchlist Parameters

Alert Field / Action/Description
Alert Name: 1. Optionally, you can modify the name of the User Watchlist.
Description: 2. Optionally (and recommended), enter a summary description of the User Watchlist.
Category: The Category is set to Alert > User Watchlist. This is not an editable field.
Notifications: 3.
Table 370: Modify User Watchlist Parameters (Continued)

Alert Field / Action/Description
Alert Summary: When you have configured the Watchlist settings, the Alert Summary displays the settings for your review.
Save your changes: 5. Click Save.

Adding or Removing Users from the Watchlist

You can use the Insight Search function to add users to or remove users from the Watchlist.

Adding a User to the Watchlist

To add a user to the Watchlist:
1. In the Insight Search window, enter the name of the user.
2. To add a user to the Watchlist, click the star icon next to the username as shown in Figure 710. The User Information page now displays the following information:

Figure 711: User Successfully Added to Watchlist

The star icon color is now set to orange, indicating the user has been added to the Watchlist. The following message is displayed: added to User Watchlist successfully. Please configure SMS and email notifications.
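The Watchlist trigger above (Severity = Critical, Threshold = 1, Interval = 30 seconds) is one fixed instance of a sliding-window rule: fire when the number of failed authentications for a watched user within the interval reaches the threshold. The following added example (written for this guide, not Insight code) implements that rule generically so you can see both the fixed Watchlist behaviour and the more general Failed Authentication alert with a configurable threshold and interval from Table 369; the event records, user names and MAC addresses are constructed, and the internal alert dictionary layout is an assumption.

```python
"""Added example: sliding-window failed-authentication alerting.

Not ClearPass code. Models the User Watchlist trigger from the guide
(Critical / threshold 1 / 30 s) and generalises it to any threshold/interval,
as used by a Failed Authentication alert.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Trigger:
    severity: str
    threshold: int          # failures needed inside the interval to fire
    interval_seconds: int   # length of the sliding window


# Default, non-editable User Watchlist trigger settings stated in the guide.
WATCHLIST_TRIGGER = Trigger(severity="Critical", threshold=1, interval_seconds=30)


class FailedAuthAlerter:
    """Keeps a per-user window of failure timestamps and emits an alert when the
    window holds at least `threshold` failures within `interval_seconds`."""

    def __init__(self, trigger: Trigger, watchlist: Iterable[str] = ()):
        self.trigger = trigger
        self.watchlist = set(watchlist)          # empty set: evaluate every user
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)

    def observe(self, event: dict) -> Optional[dict]:
        """Feed one auth record {ts, user, mac, status}; return an alert dict or None."""
        if event["status"] != "FAIL":            # only unsuccessful authentications count
            return None
        user = event["user"]
        if self.watchlist and user not in self.watchlist:
            return None
        window = self._failures[user]
        window.append(event["ts"])
        # Expire failures older than the interval (events arrive in time order).
        while window and event["ts"] - window[0] > self.trigger.interval_seconds:
            window.popleft()
        if len(window) >= self.trigger.threshold:
            count = len(window)
            window.clear()                       # one alert per burst, then re-arm
            return {"severity": self.trigger.severity, "user": user,
                    "mac": event["mac"], "failures": count, "ts": event["ts"]}
        return None


def evaluate(events: List[dict], trigger: Trigger, watchlist: Iterable[str] = ()) -> List[dict]:
    """Run a whole event stream through one alerter and collect the alerts raised."""
    alerter = FailedAuthAlerter(trigger, watchlist)
    alerts = []
    for ev in events:
        alert = alerter.observe(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample stream (ts = seconds relative to the first record).
SAMPLE_EVENTS = [
    {"ts": 0,   "user": "jdoe",   "mac": "00-11-22-33-44-55", "status": "FAIL"},
    {"ts": 5,   "user": "asmith", "mac": "00-11-22-aa-bb-cc", "status": "FAIL"},
    {"ts": 20,  "user": "asmith", "mac": "00-11-22-aa-bb-cc", "status": "FAIL"},
    {"ts": 40,  "user": "jdoe",   "mac": "00-11-22-33-44-55", "status": "ACCEPT"},
    {"ts": 100, "user": "asmith", "mac": "00-11-22-aa-bb-cc", "status": "FAIL"},
]

if __name__ == "__main__":
    # Watchlist containing only jdoe: the first failure fires immediately (threshold 1).
    for a in evaluate(SAMPLE_EVENTS, WATCHLIST_TRIGGER, {"jdoe"}):
        print("watchlist:", a)
    # General alert: 2 failures within 60 s for any user.
    for a in evaluate(SAMPLE_EVENTS, Trigger("High", 2, 60)):
        print("failed-auth:", a)
```

With the Watchlist trigger, jdoe's single failure at t=0 raises a Critical alert while asmith's failures are ignored because asmith is not watched; with a general 2-in-60-seconds trigger, only asmith's pair at t=5 and t=20 fires, and the isolated failure at t=100 does not, because the earlier failures have left the window.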
Creating Reports

This section provides the following information:
- Overview
- Settings Configuration
- Report Filters Configuration
- Specifying the Logo and Branding
- Report Summary Page
- Configured Reports Page
- Viewing Reports

Overview

The Reports page provides a method for creating reports with data filters and customized time ranges up to the previous two months.
Deleting a configured report deletes both the report configuration and all related report output.

Settings Configuration

To create a new report:
1. From the Insight navigation panel, click Reports.
2. Select Create New Report. The Settings page of the Create New Report Wizard appears.

Figure 714: Create New Report Wizard: Settings

3. Enter the appropriate information as described in Table 371.

Table 371: Specifying the Report Settings Parameters

Report Parameter / Action/Description
Report Name: 1.
Table 371: Specifying the Report Settings Parameters (Continued)

Report Parameter / Action/Description
  - System
  - TACACS
  NOTE: For detailed information about what report types are provided for each report category, see Insight Report Categories Reference on page 713.
Notifications: 4. Optionally, specify report notifications.
  - Notify by Email. When you select this option, enter the list of email addresses to be notified.
  - Notify by SMS.
Table 371: Specifying the Report Settings Parameters (Continued)

Report Parameter / Action/Description
Preset Date Range: 6. You can choose to specify a Preset Date Range for this report:
  - Custom Date: When you select Custom Date, specify the Start Date and Time and the End Date and Time.
Specifying the Logo and Branding

When you complete the report filters configuration, scroll to the Logo and Branding section on the same page.

Figure 716: Logo and Branding Section

To specify the logo and branding information:
1. Enter the information as described in Table 372, then click Next.

Table 372: Specifying Logo and Branding Parameters

Report Parameter / Action/Description
Select Template: 1. From the drop-down, select the logo and branding template.
Page Title: 2. Enter the page title.
Table 372: Specifying Logo and Branding Parameters (Continued)

Report Parameter / Action/Description
Logo Image: 4. To browse to the appropriate logo image, click Replace Image.
Bottom Section: 5. Enter the footer text.
Copyright: 6. Enter the copyright information. For example, "Copyright 2016 NewSales, Inc."
Save Template: 7. To save the new branding and logo settings, click Save Template.
8. Click Next.
Configured Reports Page

To see the set of configured reports, select Reports > Configuration. The Configured Reports page opens.

Figure 718: Configured Reports Page

The blue dot next to a report name indicates that the report generation is complete. From this view, you can edit, copy, or delete a configured report. This page also provides two report widgets:
- Top 10 Reports Time to Run 30 Days: This widget lists the ten reports that took the longest (in seconds) to run over the last 30 days.
Figure 719: Created Reports

3. To download the zip file that contains the reports in PDF and CSV formats, click the Download icon (as shown in Figure 719).
4. To view the desired report in HTML format (which opens in a new tab), click the name of the report. The generated report is displayed (see Figure 720).

Figure 720: Report Displayed in HTML Format

Insight Report Categories Reference

This section provides the following information:
- Introduction
- Authentication Category Reports
- Endpoint Category Reports
- Guest Authentication Category Reports
- Network Category Reports
- OnGuard Category Reports
- Onboard Category Report
- RADIUS Authentication Category Reports
- System Category Reports
- TACACS Category Reports

Introduction

This section provides detailed information about each of the report types and their associated widgets available for each Insight Report category.
Table 373: Authentication Category Reports

Report Type / Report Widgets
Accounting—Bandwidth and Session: This report type includes the following bandwidth and session information:
- Bandwidth Statistics
- Upstream Bandwidth and Downstream Bandwidth Trend
- Total Bandwidth and Average Bandwidth Trend
- Average Session Time Trend
- Unique Session Trend
- Top 10 Device Categories with Most Bandwidth Consumed
- Top 10 Device Categories with Most Sessions
- Top 10 Device Categories with Most Duration
- Top 10 D
Table 373: Authentication Category Reports (Continued)

Report Type / Report Widgets
Provides general statistics for the report duration, such as total authentications per day, unique device authentication trend by day, unique user authentication trend by day, authentication distribution based on authentication status, service, W-ClearPass server, SSID, VLAN, enforcement profile, and authentication source, the top 10 users with most authentications, and so on.
Table 373: Authentication Category Reports (Continued)

Report Type / Report Widgets
NOTE: This report allows you to filter the report data by W-ClearPass Policy Manager host name, Network Access Device (NAD) IP address, SSID, and Error Code.

Endpoint Category Reports

The Endpoint category provides information on endpoints discovered during the report duration.
Table 374: Endpoint Category Reports (Continued)

Report Type / Report Widgets
- Top 10 Users with Most Endpoints
- Top 10 Device Categories with Most Endpoints
- Top 10 Device Names with Most Endpoints
- Top 10 Device Families with Most Endpoints
NOTE: This report also allows you to filter the report data by Network Access Device (NAD) IP address, Device Category, Device Family, Device Name, and SSID.
Table 375: Guest Authentication Category Reports

Report Type / Report Widgets
Guest—Authentication by W-ClearPass: This report type includes the following information on guest authentication by W-ClearPass server:
- Authentication Statistics
- Total Authentication Trend
- Failed Authentication Trend
- Authentication Distribution—Error Types
- Authentication Distribution Across Service
- Top 10 W-ClearPass with Most Authentications
- Top 10 W-ClearPass with Most Failed Authentications
- Top 10 W-ClearPass with Most MA
Table 375: Guest Authentication Category Reports (Continued)

Report Type / Report Widgets
- Total Authentication for 1 Month
- Sponsor List
NOTE: This report also allows you to filter the report data by W-ClearPass Policy Manager host name and Network Access Device (NAD) IP address.
Table 376: Network Category Reports

Report Type / Report Widgets
Authentication by NAD: This report type includes the following information for Network Access Devices (NADs) using guest authentication.
Table 377: OnGuard Category Reports

Report Type / Report Widgets
Apple Mac Endpoint Posture: This report type includes the following posture information for Apple/Macintosh endpoints:
- OnGuard Statistics
- OnGuard Device Authentication Trend
- OnGuard Device Distribution Across Health Status
- Antispyware Product Name
- Antispyware Dat File Version
- Antispyware Engine Version
- OnGuard Device Distribution Across Antispyware Real-Time Protection Status
- Antispyware Version
- Antivirus Product Name
- Antivi
Table 377: OnGuard Category Reports (Continued)

Report Type / Report Widgets
- OnGuard Device Distribution Across Health Status
- Antivirus Product Name
- Antivirus Dat File Version
- Antivirus Engine Version
- OnGuard Device Distribution Across Antivirus Real-Time Protection Status
- Antivirus Version
NOTE: This report also allows you to filter the report data by System Posture Token (SPT).
Table 378: Onboard Report Content

Report Type / Report Widgets
Onboard Certificate: This report type includes the following certificate information:
- Onboard statistics for numbers of revoked devices, active devices, and users
- Latest Onboard Device Distribution
- Active Onboard Device Distribution
- Top 10 Users with Most Active Devices

RADIUS Authentication Category Reports

The reports available in the RADIUS Authentication category provide detailed analysis on authentication trends on successful and failed RADIU
Table 379: RADIUS Authentication Category Reports (Continued)

Report Type / Report Widgets
- Authentication statistics, including numbers and percentages of authentication successes and failures, and numbers of users, endpoints, network devices, roles, W-ClearPass servers, and enforcement profiles
- Total Authentication Trend
- Authentication Status Trend
- Unique Devices Authentication Trend
- Unique Users Authentication Trend
- Authentication Distribution Across Auth Status
- Authentication Distribution Acro
Table 379: RADIUS Authentication Category Reports (Continued)

Report Type / Report Widgets
- Top 10 Users with Most Failed Authentications
- Top 10 Endpoints with Most Failed Authentications
- Top 10 Services with Most Failed Authentications
NOTE: This report also allows you to filter the report data by W-ClearPass Policy Manager host name, Network Access Device (NAD) IP, SSID, and Error Code.
Table 380: System Category Reports (Continued)

Report Type / Report Widgets
- Event Level
- Timestamp
- Description
NOTE: This report also allows you to filter the report data by W-ClearPass Policy Manager host name.

TACACS Category Reports

The reports available in the TACACS category provide TACACS authentication trends such as successful and failed TACACS authentication and command authorizations.
The Administration page appears.

Figure 721: Administration Page

Support Information
- Insight database migration is supported.
- Configuration migration is not supported.
- Database retention default: 30 days
- Report retention default: 60 days
- CSV report limit: 50,000 rows

File Transfer Settings Configuration

You can specify the file transfer settings for uploading generated Insight reports to a FileStore. To configure the File Transfer settings:
1. Navigate to the Administration page.
3. When finished, click Save.

Table 382: Insight File Transfer Parameters

Parameter / Action/Description
Host: 1. Specify the IP address of the destination host FTP server.
Protocol: 2. Specify the protocol to be used to upload the generated reports to a FileStore. You can select from the following protocols:
  - SCP (Secure Copy Protocol)
  - SFTP (SSH File Transfer Protocol)
Port: 3. Specify the destination port number. The default destination port is 22.
Username/Password: 4.
Database Settings Configuration

To configure the Insight database parameters:
1. Navigate to the Administration page. The Database Settings section is at the bottom of the Administration page.

Figure 724: Specifying the Insight Database Settings

2. In the Database Settings section, enter the appropriate values as described in Table 383.
3. When finished, click Save.

Table 383: Insight Database Parameters

Parameter / Action/Description
Database Retention: 1.
- Read, Write, and Delete

In the case of a user with no Insight admin privileges, the navigation panel on the left side of the Insight user interface is not visible.

Viewing the Default Insight Admin Privileges

The settings for the default admin privileges cannot be modified. To view the default Insight admin privileges defined in W-ClearPass:
1. Navigate to Administration > Users and Privileges > Admin Privileges. The Admin Privileges page opens.

Figure 725: Admin Privileges Page

2.
When a different set of admin privileges is needed (for example, if you require different admin privileges for the Report module than the admin privileges defined for the other Insight modules), you must create a new admin privileges administrator. Insight privileges can be defined from two locations:
- Operator Profiles in W-ClearPass Guest
- Admin Privileges in W-ClearPass

To define custom admin privileges for Insight:
1. Navigate to Administration > Users and Privileges > Admin Privileges.
1. When you complete the Basic Information parameters, select the Insight tab. The Add Admin Privileges > Insight dialog opens.

Figure 728: Add Admin Privileges > Insight Dialog

You must also configure the admin privileges for W-Policy Manager; otherwise, the changes to the Insight admin privileges cannot be saved.

2. Specify the desired admin privileges for each of the Insight modules, then click Save.
Appendix A Command Line Interface

Refer to the following sections to perform various tasks using the Command Line Interface (CLI):
- Cluster Commands on page 735
- Configure Commands on page 738
- Miscellaneous Commands on page 750
- Network Commands on page 743
- Service Commands on page 758
- Show Commands on page 760
- SSH Timed Account Lockout
- System Commands on page 769

Cluster Commands

The Policy Manager command line interface includes the following cluster commands:
- cluster drop
[appadmin]# cluster drop-subscriber -f -i 192.xxx.1.1 -s

cluster list

Use the cluster list command to list all the nodes in the cluster.

Syntax
cluster list

Example
The following example lists all the nodes in a cluster:
[appadmin]# cluster list

cluster make-publisher

Use the cluster make-publisher command to promote a specific subscriber node to be the publisher node in the same cluster. When running this command, do not close the shell or interrupt the command execution.
Example
The following example converts the node with IP address 192.xxx.1.1 to a subscriber node:
[appadmin]# cluster make-subscriber -i 192.xxx.1.1 -l

cluster reset-database

Use the cluster reset-database command to reset the local database and erase its configuration. Running this command erases the W-Policy Manager configuration and resets the database to its default configuration; all the configured data will be lost. When running this command, do not close the shell or interrupt the command execution.
INFO - Password changed on local (publisher) node
Cluster password changed

cluster sync-cluster-passwd

Use the cluster sync-cluster-passwd command to synchronize the cluster (appadmin) password currently set on the publisher with all the subscriber nodes in the cluster.
Table 387: Configure Date Command Parameters

Flag/Parameter / Description
-s: Synchronizes time with the specified NTP server name (see Example 2 below). This field is optional. NOTE: You can specify a destination node with an IPv6 address enabled.
-d: Specifies the date with the syntax yyyy-mm-dd. This field is mandatory.
-t:
Running this command erases the ClearPass Policy Manager configuration settings and returns the database to the default configuration. All configured data will be lost. This command also shuts down all running applications and reboots the system.

Syntax
configure fips-mode [0|1]

The following table describes the required and optional parameters for the configure fips-mode command:

Table 388: Configure fips-mode Command Parameters

Flag/Parameter / Description
0: To disable FIPS mode, enter 0.
Syntax
[appadmin]# configure ip netmask gateway

The following table describes the parameters used in the configure ip command:

Table 389: Configure IP Command Parameters

Flag/Parameter / Description
ip: Specifies the network interface type: management port interface or data port interface.
Specifies the IPv4 address of the host.
netmask: Specifies the netmask for the IP address.
configure mtu

Use the configure mtu command to set the MTU (Maximum Transmission Unit) for the management and data port interfaces. Running this command might cause the W-ClearPass server to lose network connectivity.

Syntax
configure mtu

The following table describes the configure mtu command parameters:

Table 391: Configure mtu Command Parameters

Flag/Parameter / Description
mtu: Specifies the network interface types: management port interface or data port interface.
IPv4 Address : 10.2.xx.86
Subnet Mask  : 255.255.255.0
Gateway      : 10.2.xx.
- nslookup
- Network Commands on page 743
- network ping6
- network reset
- network traceroute6
- network traceroute

network ip6

Use the network ip6 command to add, delete, or list custom routes to the data or management interface routing table in IPv6 networks.
network ip6 list

Example: Listing All IPv6 Custom Routing Rules

The following example lists all custom routing rules:
[appadmin]# network ip6 list
===============================================
IP Rule Information
-----------------------------------------------
0: from all lookup local
13000: from all to fe82::20c:99ff:fe7e:d3e1 lookup mgmt
13001: from all to fe82::20c:99ff:fe7e:d3e4 lookup mgmt
13002: from all to fe82::20c:99ff:fe7e:d3e7 lookup mgmt
13003: from all to fe82::20c:99ff:fe7e:d3e8 lookup mgmt
1
Table 393: Network IP Add Command Parameters (Continued)

Flag/Parameter / Description
-d: Specifies the destination IP address or network. For example, 192.168.xx.0/24 or 0/0 (for all traffic). You must specify only one destination IP address. This parameter is optional.
-g: Specifies the via or gateway IP address through which the network traffic should flow. A valid IP address is allowed. This parameter is optional.
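The IP Rule Information block printed by network ip6 list above is one policy-routing rule per line: a priority, a source selector, an optional destination selector and the routing table the rule sends matching traffic to. Custom routes added with network ip6 add or network ip add change this list, so a defender who wants to notice an unexpected route on a policy server needs to parse it and compare it against a known-good baseline. The following added example (written for this guide, not a W-ClearPass utility) does that over the rule lines shown on this page plus one constructed rule (the 2001:db8:10::/48 entry, which is not from the guide) standing in for a newly added route.

```python
"""Added example: parse `network ip6 list` rule output and diff it against a baseline.

Not ClearPass code. The rule lines in BASELINE_OUTPUT are the ones shown in the
guide; the 2001:db8:10::/48 rule in CURRENT_OUTPUT is constructed to stand in
for a route that appeared after the baseline was taken.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# "<prio>: from <src> [to <dst>] lookup <table>"
RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from\s+(?P<src>\S+)(?:\s+to\s+(?P<dst>\S+))?\s+lookup\s+(?P<table>\S+)\s*$"
)

BASELINE_OUTPUT = """\
===============================================
IP Rule Information
-----------------------------------------------
0: from all lookup local
13000: from all to fe82::20c:99ff:fe7e:d3e1 lookup mgmt
13001: from all to fe82::20c:99ff:fe7e:d3e4 lookup mgmt
13002: from all to fe82::20c:99ff:fe7e:d3e7 lookup mgmt
13003: from all to fe82::20c:99ff:fe7e:d3e8 lookup mgmt
"""

# Constructed: the same output with one extra custom rule added later.
CURRENT_OUTPUT = BASELINE_OUTPUT + "14000: from all to 2001:db8:10::/48 lookup data\n"

Rule = Tuple[int, str, str, str]   # (priority, src, dst, table)


def parse_ip6_rules(text: str) -> List[Rule]:
    """Extract rules from the command output, skipping banner and separator lines."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            continue                       # "IP Rule Information", "=====", blank lines
        rules.append((int(m["prio"]), m["src"], m["dst"] or "all", m["table"]))
    return sorted(rules)                   # kernel evaluates rules in priority order


def rules_by_table(rules: List[Rule]) -> Dict[str, List[str]]:
    """Group destination selectors by the routing table they are sent to."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for _prio, _src, dst, table in rules:
        grouped[table].append(dst)
    return dict(grouped)


def diff_rules(baseline_text: str, current_text: str) -> Dict[str, List[Rule]]:
    """Report rules present now but not in the baseline, and vice versa."""
    base = set(parse_ip6_rules(baseline_text))
    cur = set(parse_ip6_rules(current_text))
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


if __name__ == "__main__":
    for table, dsts in rules_by_table(parse_ip6_rules(CURRENT_OUTPUT)).items():
        print(f"{table}: {len(dsts)} rule(s)")
    print(diff_rules(BASELINE_OUTPUT, CURRENT_OUTPUT))
```

Running the diff flags only the constructed 2001:db8:10::/48 rule as added; a scheduled comparison of this kind, fed by the output of network ip6 list on each node, is a simple way to catch routing changes on the server that nobody recorded.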
Syntax:
network nslookup
network nslookup -q

The following table describes the required and optional parameters for the nslookup command:

Table 395: Network Nslookup Command Parameters

Flag/Parameter / Description
-q: Specifies the type of DNS record. The record types available are:
  - A
  - AAAA
  - CNAME
  - PTR
  - SRV
Specifies the host or domain name to be queried.
The following table describes the required and optional parameters for the network ping6 command:

Table 396: Network Ping6 Command Parameters

Flag/Parameter / Description
-i: Specifies the originating IPv6 address for the ping. This field is optional.
-t: Use this parameter to ping indefinitely. This field is optional.
Specifies the host to be pinged.
Table 398: Network Reset Command Parameters

Flag/Parameter / Description
data [v4|v6]: Specifies the name of the network data port to reset, as well as whether it is an IPv4 or IPv6 address. This parameter is mandatory.
mgmt: Specifies the name of the network management port to reset.

Example
The following example resets the IPv6 network data port:
[appadmin]# network reset data v6

network traceroute6

Use the network traceroute6 command to print the route taken to reach the IPv6 network host.
Miscellaneous Commands

The W-Policy Manager command line interface includes the following miscellaneous commands:
- ad auth on page 750
- ad netjoin on page 751
- ad netleave on page 751
- ad passwd-server
- ad testjoin on page 752
- alias on page 753
- backup on page 753
- cli session idle timeout
- dump certchain on page 754
- dump logs on page 754
- dump servercert on page 755
- exit on page 755
- help on page 756
- krb auth on page 756
- krb list on page 756
- ldapsearch o
ad netjoin

Use the ad netjoin command to join the host to the domain.

Syntax
ad netjoin [domain NetBIOS name] [domain REALM name] [ou=
Example
The following example removes the host from the domain:
[appadmin]# ad netleave balsamcollege.edu -f

ad passwd-server

Use the ad passwd-server command to do the following tasks:
- Set the password servers.
- List the configured password servers.
- Reset the password servers.

Syntax
ad passwd-server

Table 404: AD passwd-server Command Parameters

Flag/Parameter / Description
set: Sets the password servers. The -n parameter specifies the domain name.
alias

Use the alias command to create or remove aliases.

Syntax
alias =

The following table describes the required and optional parameters for the alias command:

Table 406: Alias Command Parameters

Flag/Parameter / Description
=: Sets as the alias for .
=: Removes the association.
Example
[appadmin]# backup -f PolicyManager-data.tar.gz
Continue? [y|Y]: y

cli session idle timeout

Use the cli session idle timeout command to configure the amount of idle time allowed before a CLI session timeout occurs.

Syntax
cli session idle timeout

Table 408: CLI Session Idle Time Command Parameters

Flag/Parameter / Description
Table 410: Dump Logs Command Parameters

Flag/Parameter / Description
-f: Specifies the target for concatenated logs.
-s yyyy-mm-dd: Specifies the start date range. The default value is today's date. This field is optional.
-e yyyy-mm-dd: Specifies the end date range. The default value is today's date. This field is optional.
-n: Specifies the duration in days (from today). This field is optional.
-t: Specifies the type of log to collect. This field is optional.
[appadmin]# exit help Use the help command to display the list of supported commands: Syntax help Example The following example displays the list of supported commands: [appadmin]# help alias backup cluster configure dump exit help netjoin netleave network quit restore service show system help Create aliases Backup Policy Manager data Policy Manager cluster related commands Configure the system parameters Dump Policy Manager information Exit the shell Display the list of supported commands Joi
Syntax krb list Example The following example lists the cached Kerberos tickets: [appadmin]# krb list ldapsearch Use the Linux ldapsearch command to find objects in an LDAP directory. Note that only the W-Policy Manager-specific command line arguments are listed. For other command line arguments, refer to ldapsearch man pages on the Internet.
Syntax restore [-l] [-i] [-b] [-c] [-e] [-n|-N] [-s]
The following table describes the parameters for the restore command:
Table 414: Restore Command Parameters
Flag/Parameter | Description
user@hostname:/ or http://hostname/ | Specifies the filepath of the restore source.
-b | Does not back up the current configuration data before the restore operation starts.
-c | Restores W-ClearPass W-Policy Manager configuration data.
Syntax service
Table 415: Service Action Command Parameters
Service Parameter | Description
action | 1. Choose an action: list, restart, start, status, or stop.
service-name | 2.
Stats aggregation service [ cpass-carbon-server ]
ClearPass IPsec service [ cpass-ipsec-service ]
AirGroup notification service [ airgroup-notify ]
Micros Fidelio FIAS [ fias_server ]
Ingress logger service [ cpass-igslogger-server ]
Ingress syslog service [ cpass-igssyslog-server ]
Show Commands
The W-Policy Manager command line interface includes the following show commands:
- show all-timezones
- show date
- show dns
- show domain
- show fipsmode
- show hostname
- show ip
[appadmin]# show date Wed Jan 27 14:33:39 UTC 2016 show dns Use the show dns command to view DNS (Domain Name System) servers. Syntax show dns Example The following example of show dns command output displays the DNS servers configured for the current W-ClearPass server: [appadmin]# show dns =========================================== DNS Information ------------------------------------------Primary DNS : 192.xxx.5.
show fipsmode Use the show fipsmode command to find whether FIPS (Federal Information Processing Standard) mode is enabled or disabled. Example The following example shows that FIPS mode is enabled: [appadmin]# show fipsmode FIPS Mode: Enabled show hostname Use the show hostname command to view the hostname of the current W-ClearPass server. Syntax show hostname Example The following displays an example of the show hostname command: [appadmin]# show hostname cppm.chicago.
Hardware Address : 00:0C:29:70:27:4A
MTU : 1498
===========================================
DNS Information
-------------------------------------------
Primary DNS : 10.2.xx.30
Secondary DNS : 10.1.xx.50
Tertiary DNS : 10.1.xx.200
===========================================
show license
Use the show license command to view the W-Policy Manager license information.
Syntax show ntp Example The following displays an example of the show ntp command output: [appadmin]# show ntp =========================================== NTP Server Information ------------------------------------------Primary NTP : 10.xx.x.
show version Use the show version command to view the W-Policy Manager software version and the hardware model. Syntax show version Example The following displays an example of the show version command output: [appadmin]# show version ======================================= Policy Manager software version : 6.6(1).
SSH Account Lockout Configuration
The SSH Timed Lockout options are exposed as part of the ssh command set.
Figure 730: SSH Command Set
SSH Lockout
The ssh lockout command set provides the ability to configure the SSH lockout options. This command exposes three options:
- count
- duration
- reset
Figure 731: SSH Lockout Command Set
SSH Lockout Count
Sets the maximum number of failed login attempts before the account is locked out. The default is 5.
SSH Lockout Duration Sets the amount of time in minutes that the account will remain locked after the number of SSH password login attempts exceeds the SSH lockout count. Figure 733: SSH Lockout Duration Command Syntax ssh lockout duration Example ssh lockout duration 3 SSH Lockout Reset Resets the SSH lockout count and duration to factory defaults and disables this feature. The SSH timed account lockout feature is disabled by default.
Show SSH
Shows the SSH lockout configuration settings and the active SSH client sessions.
Figure 736: Show SSH Command
SSH Account Lockout Alerts
Alerts for SSH lockout events are logged to the Event Viewer when any of the following conditions are present:
- SSH lockout configuration is performed
- Account is locked
- Account is unlocked
- Failed SSH login attempts
SSH Account Lockout Behavior
The SSH account lockout feature is disabled by default. 1.
System Commands
The W-Policy Manager command line interface (CLI) includes the following system commands:
- system apps-access-reset
- system boot-image
- system cleanup
- system create-api-client
- system gen-recovery-key
- system gen-support-key
- system install-license
- system morph-vm
- system refresh-license
- system reset-server-certificate
- system restart
- system shutdown
- system sso-reset
- system start-rasession
- system status-rasession
- system terminate-rasessi
Table 416: Boot-Image Command Parameters Flag/Parameter Description -l Lists the boot images installed on the system. -a Sets the active boot image version in A.B.C.D syntax. This field is optional.
INFO - Purging diagnostic dumps
INFO - Detected empty core directory
INFO - Performing system cleanup tasks
INFO - Purging platform logs
INFO - Purging application logs
INFO - Performing database cleanup tasks
INFO - Completed system cleanup
system create-api-client
Use the system create-api-client command to create a new API client.
Table 418: System Install-License Command Parameter
Flag/Parameter | Description
(license key) | Specifies the newly issued license key. This field is mandatory.
Example
The following example replaces the current license key with a new one:
[appadmin]# system install-license API11-3117-90982-007
system morph-vm
Use the system morph-vm command to convert an evaluation virtual machine (VM) to a production virtual machine.
[appadmin]# system morph-vm CP-VA-25K system refresh-license Use the system refresh-license command to refresh the license count information.
Syntax system restart Example The following example restarts the system with a confirmation before proceeding: [appadmin]# system restart system restart ********************************************************* * WARNING: This command will shut down all applications * * and reboot the system * ******************************************************** Are you sure you want to continue? [y|Y]: y system shutdown Use the system shutdown command to shut down the current W-ClearPass server.
Table 420: System Start Remote Assistance Session Command Parameters Flag/Parameter Action/Description duration_hours 1. Specify the session duration in hours. You can specify values from 0 to 12. duration_mins 2. Specify the session duration in minutes. You can specify values from 0 to 59. contact_id 3. Enter the username ID part of the Dell TAC or Engineering contact. cppm_server_ip 4. Specify the W-ClearPass W-Policy Manager server IP address.
Table 421: System Update Command Parameters Flag/Parameter Description -i user@hostname:/ | http://hostname/ Installs the specified patch on the system. This field is optional. -f Reinstalls the patch in the event of a problem with the initial installation attempt. This field is optional. -l Lists the patches installed on the system. This field is optional. This command supports Secure Copy (SCP), HTTPS, HTTP, and local uploads.
Table 422: System Upgrade Command Parameters (Continued) Flag/Parameter Description Enter the filepath using the syntax provided in the two examples below. This field is mandatory. This command supports Secure Copy (SCP), HTTPS, HTTP, and local uploads. If none of these system upgrade command options are specified, Access Tracker records are backed up, but they are not restored by default. Example 1: Upgrading from a Linux Server To upgrade the W-Policy Manager image from a Linux server: 1.
8. Initiate the upgrade process by entering the following command: system upgrade [-w] [-l] [-L] For example: [appadmin]# system upgrade CPPM-upgradeimage.bin 9. After the upgrade process is complete, restart the machine by issuing the following command in the CLI: system restart The W-Policy Manager restarts and boots up to the most recent version of W-ClearPass Policy Manager.
Appendix B SNMP Private MIB, SNMP Traps, System Events, Error Codes
This appendix contains the following information:
- W-ClearPass SNMP Private MIB
- SNMP Trap Details
- Important System Events
- Error Codes
W-ClearPass SNMP Private MIB
This section contains the following information:
- Introduction
- System MIB Entries
- RADIUS Server MIB Entries
- Policy Server MIB Entries
- Web Authentication Server MIB Entries
- TACACS+ Server MIB Entries
- Network Traffic MIB Entries
Introductio
Table 423: CPPMSystemTableEntry System MIB Objects (Continued)
MIB Object | Description
cppmNwMgmtPortMACAddress | W-ClearPass server management port MAC address
cppmSystemDiskSpaceFree | Amount of disk space free (in bytes) in the W-ClearPass server
cppmSystemDiskSpaceTotal | Total amount of disk space available (in bytes) in the W-ClearPass server
cppmSystemHostname | W-ClearPass server host name
cppmSystemMemoryFree | Amount of memory free (in bytes) in the W-ClearPass server
cppmSystemMemoryTotal | Total
RadiusServerAuthTableEntry RadiusServerAuthTableEntry exposes the following counters that refer to authSourceName wherever applicable (see Table 425). Counters and delays reflect details that are logged into Graphite.
Table 426: PolicyServerTableEntry Objects (Continued)
MIB Object | Description
psRolemappingPolicyEvalTime | Role mapping policy evaluation time
psPosturePolicyEvalTime | Posture policy evaluation time
psRestrictionPolicyEvalTime | Restriction policy evaluation time
psServicePolicyEvalCount | Service policy evaluation count
psServicePolicyEvalTime | Service policy evaluation time
psSessionlogTime | Policy Server session logging time
PolicyServerProtoTableEntry
PolicyServerProtoTableEntry exposes MIB objects
Web Authentication Server MIB Entries WebAuthProtoTableEntry exposes MIB objects for the WebLogin, AppLogin, SamlIdp, and SamlSp web authentication protocols.
Table 431: TacacsAuthTableEntry Objects
MIB Object | Description
tacAutzCounterCount | Total number of TACACS+ server authorizations
tacAutzCounterFailure | Number of failed TACACS+ server authorizations
tacAutzCounterSuccess | Number of successful TACACS+ server authorizations
tacAutzCounterTime | Total time taken for TACACS+ authorizations
Network Traffic MIB Entries
NetworkTrafficTableEntry exposes MIB objects for network protocols and applications.
W-ClearPass SNMP Traps
Table 433: SNMP Traps Supported by the SNMP Private MIB
SNMP Trap | Description and OID
cppmLicenseExpiry
cppmActivationExpiry
cppmNodeCertExpiry
cppmLowDiskSpace
cppmLowMemory
cppmClusterNodeAddNotification
cppmClusterNodeDelNotification
cppmClusterNodePromNotification
cppmClusterNodeDbldNotification
Table 433: SNMP Traps Supported by the SNMP Private MIB (Continued)
SNMP Trap | Description and OID
indicates the IP address of the disabled node. OID: .1.3.6.1.4.1.14823.1.6.1.1.200.1009
cppmClusterNodeNSyncNotification
cppmClusterPwdChangedNotification
cppmConfigReset
cppmConfigRestore
cppmUpdateNotification
cppmUpgradeNotification
cppmClusterLicenseUsage
Indicates the W-ClearPass node in the cluster that is in the out-of-sync state.
- W-ClearPass Processes Stop and Start Events on page 788
- Network Interface Up and Down Events on page 787
- Disk Utilization Threshold Exceed Events on page 788
- CPU Load Average Exceed Events for 1, 5, and 15 Minute Thresholds on page 796
- SNMP Daemon Traps on page 787
- Process Status Traps on page 788
- Network Interface Status Traps on page 787
- Disk Space Threshold Traps on page 788
- CPU Load Average Traps on page 796
SNMP Daemon Traps
This section contains OIDs for various tra
W-ClearPass Processes Stop and Start Events
OIDs:
.1.3.6.1.4.1.2021.8.1.2.X ==> Process Name
.1.3.6.1.4.1.2021.2.1.101.X ==> Process Status Message
Disk Space Threshold Traps
.1.3.6.1.4.1.2021.9.1.100.1 ==> Error flag indicating the disk or partition is under the minimum required space configured for it. A value of 1 indicates the system has reached the threshold and 0 indicates otherwise.
.1.3.6.1.4.1.2021.9.1.2.1 ==> Name of the partition which has met the above condition.
.1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.5 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.5: cpass-radius-server .1.3.6.1.4.1.2021.8.1.101.5: Radius server [ cpass-radius-server ] is running Admin Server stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.1 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.2.1: cpass-admin-server .1.3.6.
.1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.2 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.2: cpass-system-auxiliary-server .1.3.6.1.4.1.2021.8.1.101.2: System auxiliary service [ cpass-system-auxiliary-server ] is running Policy server stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.3 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.
.1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.6 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.6: cpass-dbwrite-server .1.3.6.1.4.1.2021.8.1.101.6: Async DB write service [ cpass-dbwrite-server ] is running DB replication service stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.7 .1.3.6.1.2.1.88.2.1.5.0: 1 .1.3.6.1.4.1.2021.8.1.2.
.1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.8 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.8: cpass-dbcn-server .1.3.6.1.4.1.2021.8.1.101.8: DB change notification server [ cpass-dbcn-server ] is running Async netd service stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.9 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.2.
.1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.10 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.10: cpass-multi-master-cache-server .1.3.6.1.4.1.2021.8.1.101.10: Multi-master cache [ cpass-multi-master-cache-server ] is running AirGroup Notification service stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.11 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.
.1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.12 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.12: fias_server .1.3.6.1.4.1.2021.8.1.101.12: Micros Fidelio FIAS [ fias_server ] is running TACACS server stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0: .1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.4 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.2.4: cpass-tacacs-server .1.3.6.1.4.1.
.1.3.6.1.2.1.88.2.1.3.0: .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.13 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.13: cpass-vip-service .1.3.6.1.4.1.2021.8.1.101.13: ClearPass Virtual IP service [ cpass-vip-service ] is running Stats Collection service stop SNMP trap snmpTrapOID: .1.3.6.1.2.1.88.2.0.2 .1.3.6.1.2.1.88.2.1.1.0: extTable .1.3.6.1.2.1.88.2.1.2.0 .1.3.6.1.2.1.88.2.1.3.0 .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.15 .1.3.6.1.2.1.88.2.1.5.0: 3 .1.3.6.1.4.1.2021.8.1.2.
.1.3.6.1.2.1.88.2.1.3.0 .1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.14 .1.3.6.1.2.1.88.2.1.5.0: 0 .1.3.6.1.4.1.2021.8.1.2.14: cpass-carbon-server .1.3.6.1.4.1.2021.8.1.101.14: Stats aggregation service [ cpass-carbon-server ] is running. CPU Load Average Exceed Events for 1, 5, and 15 Minute Thresholds OIDs .1.3.6.1.4.1.2021.9.1.100.1 ==> Error flag for disk partition .1.3.6.1.4.1.2021.9.1.2.1 ==> Name of the partition CPU Load Average Traps OIDs .1.3.6.1.4.1.2021.10.1.100.
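A defender-side consumer for the process-status and disk-threshold traps listed above, as an added example that is not part of this guide or of the W-ClearPass product. It assumes a trap arrives in the same "oid: value" dump form shown in this appendix; the three sample traps are constructed (the two process traps modelled on the dumps above, the disk trap built from the OIDs only), and the status-message OID follows the .1.3.6.1.4.1.2021.8.1.101.X form the dumps use.

```python
"""Classify W-ClearPass process-status and disk-threshold SNMP traps.

Added example; it is not code from the W-ClearPass guide or product.
It parses the "oid: value" varbind lines of a trap dump and turns them
into events a monitoring pipeline can alert on. The OID meanings come
from the guide; the trap texts at the bottom are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# OIDs documented on the page (UCD-SNMP extTable/dskTable, DISMAN-EVENT-MIB)
MTE_HOT_OID = ".1.3.6.1.2.1.88.2.1.4.0"           # object whose value fired the trigger
MTE_HOT_VALUE = ".1.3.6.1.2.1.88.2.1.5.0"         # that object's value at firing time
EXT_NAME_PREFIX = ".1.3.6.1.4.1.2021.8.1.2."      # .X = process name
EXT_RESULT_PREFIX = ".1.3.6.1.4.1.2021.8.1.100."  # .X = process result (0 = running)
EXT_OUTPUT_PREFIX = ".1.3.6.1.4.1.2021.8.1.101."  # .X = process status message (as in the dumps)
DISK_ERROR_FLAG = ".1.3.6.1.4.1.2021.9.1.100.1"   # 1 = partition under its minimum space
DISK_PATH = ".1.3.6.1.4.1.2021.9.1.2.1"           # name of that partition

# Accepts numeric OID keys and symbolic ones such as snmpTrapOID.
VARBIND_RE = re.compile(r"^([A-Za-z]\w*|\.[\d.]+):\s*(.*)$")


@dataclass
class TrapEvent:
    kind: str      # "process" or "disk"
    subject: str   # process name or partition path
    healthy: bool  # False when the trap reports a stopped process or low disk
    detail: str    # status message carried by the trap


def parse_varbinds(dump: str) -> dict:
    """Map each 'oid: value' line of a dump to {oid: value}; lines without a colon are ignored."""
    binds = {}
    for raw in dump.splitlines():
        m = VARBIND_RE.match(raw.strip())
        if m:
            binds[m.group(1)] = m.group(2).strip()
    return binds


def classify_trap(dump: str) -> Optional[TrapEvent]:
    """Return a TrapEvent for a process or disk trap, or None for traps this code does not know."""
    b = parse_varbinds(dump)
    hot_oid = b.get(MTE_HOT_OID, "")
    hot_value = b.get(MTE_HOT_VALUE, "")
    if hot_oid.startswith(EXT_RESULT_PREFIX):
        idx = hot_oid[len(EXT_RESULT_PREFIX):]          # row index X of the extTable entry
        name = b.get(EXT_NAME_PREFIX + idx, "<unknown process>")
        msg = b.get(EXT_OUTPUT_PREFIX + idx, "")
        # The dumps show result 0 for a running process and a non-zero
        # result (1 or 3 in the page's examples) once it has stopped.
        return TrapEvent("process", name, hot_value == "0", msg)
    if hot_oid == DISK_ERROR_FLAG or DISK_ERROR_FLAG in b:
        flag = b.get(DISK_ERROR_FLAG, hot_value)
        part = b.get(DISK_PATH, "<unknown partition>")
        return TrapEvent("disk", part, flag != "1", f"disk error flag={flag}")
    return None


def alerts(dumps: List[str]) -> List[str]:
    """One alert line per unhealthy trap; healthy and unrecognised traps are skipped."""
    out = []
    for d in dumps:
        ev = classify_trap(d)
        if ev is not None and not ev.healthy:
            out.append(f"ALERT {ev.kind}: {ev.subject} - {ev.detail}")
    return out


# Constructed samples shaped like the dumps in this appendix.
ADMIN_SERVER_STOP_TRAP = """\
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.2.0:
.1.3.6.1.2.1.88.2.1.3.0:
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.1
.1.3.6.1.2.1.88.2.1.5.0: 3
.1.3.6.1.4.1.2021.8.1.2.1: cpass-admin-server
.1.3.6.1.4.1.2021.8.1.101.1: Admin server [ cpass-admin-server ] is stopped
"""

RADIUS_SERVER_RUNNING_TRAP = """\
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.1.0: extTable
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.8.1.100.5
.1.3.6.1.2.1.88.2.1.5.0: 0
.1.3.6.1.4.1.2021.8.1.2.5: cpass-radius-server
.1.3.6.1.4.1.2021.8.1.101.5: Radius server [ cpass-radius-server ] is running
"""

# The guide gives only the OIDs for this trap; the varbind values are constructed.
DISK_THRESHOLD_TRAP = """\
snmpTrapOID: .1.3.6.1.2.1.88.2.0.2
.1.3.6.1.2.1.88.2.1.4.0: .1.3.6.1.4.1.2021.9.1.100.1
.1.3.6.1.2.1.88.2.1.5.0: 1
.1.3.6.1.4.1.2021.9.1.100.1: 1
.1.3.6.1.4.1.2021.9.1.2.1: /var
"""

if __name__ == "__main__":
    for line in alerts([ADMIN_SERVER_STOP_TRAP, RADIUS_SERVER_RUNNING_TRAP, DISK_THRESHOLD_TRAP]):
        print(line)
```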
Important System Events
This section provides the following information:
- Admin User Interface Events
- Admin Server Events
- Async Service Events
- W-ClearPass/Domain Controller Events
- W-ClearPass System Configuration Events
- W-ClearPass Update Events
- Cluster Events
- Command Line Events
- Database Replication Services Events
- Licensing Events
- Policy Server Events
- RADIUS/TACACS+ Server Events
- Service Names
- SNMP Events
- Support Shell Events
- System Auxiliary S
"Admin UI", "INFO", "Server Certificate", "Subject: ", "Updated"
"Install Update", "INFO", "Installing Update", "File: ", "Success"
"Admin UI", "INFO", "Email Successful", "Sending email succeeded"
"Admin UI", "INFO", "SMS Successful", "Sending SMS succeeded"
Admin Server Events
Info Events
"Admin server", "INFO", "Performed action start on Admin server"
Async Service Events
Info Events
"Async DB write service", "INFO", "Performed action start on Async DB write service"
"Multi-master cache", "INFO", "P
"DNS", "INFO", "configuration", "Successfully configured DNS servers - "
"Time Config", "INFO", "Remote Time Server", "Old List: \nNew List: "
"timezone", "INFO", "configuration", ""
"datetime", "INFO", "configuration", "Successfully changed system datetime.\nOld time was "
W-ClearPass Update Events
Critical Events
"Install Update", "ERROR", "Installing Update", "File: ", "Failed with exit status - "
"ClearPass Firmware Update Checker", "ERROR", "Firmware Update Checker", "No subscription
Info Events
"Admin UI", "INFO", "Add License", "Product Name: Policy Manager\nLicense Type: \nUser Count: "
Policy Server Events
Info Events
"Policy Server", "INFO", "Performed action start on Policy server"
"Policy Server", "INFO", "Performed action stop on Policy server"
RADIUS/TACACS+ Server Events
Critical Events
"TACACSServer", "ERROR", "Request", "Nad Ip= not configured"
"RADIUS", "WARN", "Authentication", "Ignoring request from unknown client :"
"RADIUS", "ERROR", "Authentication
SNMP Events
Critical Events
"SNMPService", "ERROR", "ReadDeviceInfo", "SNMP GET failed for device with error=No response received\nReading sysObjectId failed for device=\nReading switch initialization info failed for "
"SNMPService", "ERROR", "Error fetching table snmpTargetAddr. Request timed out. Error reading SNMP target table for NAD=10.1.1.1 Maybe SNMP target address table is not supported by device? Allow NAD update. SNMP GET failed for device 10.1.1.
Error Codes
Table 434 describes the W-ClearPass Policy Manager error codes:
Table 434: W-ClearPass Policy Manager Error Codes
Code | Description | Type
0 | Success | Success
101 | Failed to perform service classification | Internal Error
102 | Failed to perform policy evaluation | Internal Error
103 | Failed to perform posture notification | Internal Error
104 | Failed to query authstatus | Internal Error
105 | Internal error in performing authentication | Internal Error
106 | Internal error in RADIUS server | Inter
Table 434: W-ClearPass Policy Manager Error Codes (Continued)
Code | Description | Type
218 | Authentication source timed out | Authentication failure
219 | Bad search filter | Authentication failure
220 | Search failed | Authentication failure
221 | Authentication source error | Authentication failure
222 | Password change error | Authentication failure
223 | Username not available in request | Authentication failure
224 | CallingStationID not available in request | Authentication failure
225 | User account disable
Table 434: W-ClearPass Policy Manager Error Codes (Continued)
Code | Description | Type
6101 | Not enough inputs to perform authentication | TACACS Authentication
6102 | Authentication privilege level mismatch | TACACS Authentication
6103 | No enforcement profiles matched to perform authentication | TACACS Authentication
6201 | Authorization failed as session is not authenticated | TACACS Authorization
6202 | Authorization privilege level mismatch | TACACS Authorization
6203 | Command not allowed | TACACS Authoriza
Table 434: W-ClearPass Policy Manager Error Codes (Continued)
Code | Description | Type
9015 | Client does not support configured EAP methods | RADIUS Protocol
9016 | Client did not send Cryptobinding TLV | RADIUS Protocol
9017 | Failed to contact OCSP Server | RADIUS Protocol
9018 | RADIUS protocol error | RADIUS Protocol
9019 | Client sent conflicting identities | RADIUS Protocol
Appendix C Use Cases
This appendix contains several specific W-ClearPass Policy Manager use cases. Each one explains what it is typically used for, and then describes how to configure W-Policy Manager for that use case.
- 802.1X Wireless Use Case on page 807
- Web Based Authentication Use Case on page 813
- MAC Authentication Use Case on page 820
- TACACS+ Use Case on page 823
- Single Port Use Case on page 824
802.
Policy Manager ships with fourteen preconfigured services. In this use case, you select a service that supports 802.1X wireless requests. Follow the steps below to configure this basic 802.1X service that uses [EAP FAST], one of the pre-configured Policy Manager authentication methods, and Active Directory Authentication Source (AD), an external authentication source within your existing enterprise.
Creating a New Role Mapping Policy
To create a new Role Mapping policy:
1. Click the Roles tab.
2. Click Add new Role Mapping Policy. The Role Mappings page opens.
Figure 744: Role Mapping Navigation and Settings
3. To add a new role, navigate to the Policy tab. Enter the Policy Name, for example, ROLE_ENGINEER, and click Save. Repeat the same step for ROLE_FINANCE. The following figure displays the Policy tab:
Figure 745: Policy Tab
4. Click the Next button in the Rules Editor.
5.
Figure 746: Mapping Rules Tab 6. Select the Select all matches radio button. 7. Match the conditions with the role name. Click the Add Rule button. The Rules Editor pop-up opens. Upon completion of each rule, click the Save button in the Rules Editor. 8. Click the Save button. 9. Add the new role mapping policy to the service from the Roles tab. The following figure displays the Roles tab: Figure 747: Roles Tab
10. Select Role Mapping Policy, for example, RMP_DEPARTMENT. Click Next.
11. Add a Microsoft NPS external posture server to the 802.1X service. Click the Posture tab. The following figure displays the Posture tab:
Figure 748: Posture Tab
12. Click Add new Posture Server to add a new posture server.
13.
Figure 750: Primary Server Tab
16. Click Next to move from the primary server to the backup server. Click Save.
17. Add the new posture server to the service. From the Posture tab, enter the Posture Servers, for example, PS_NPS, then click the Add button. The following figure displays the Posture tab:
Figure 751: Posture Tab
18. Click the Next button. Assign an enforcement policy.
19. Enforcement policies contain dictionary-based rules for evaluation of Role, Posture Tokens, and System Time to evaluation profiles.
20. From the Enforcement tab, select the Enforcement Policy. For instructions about how to build an enforcement policy, refer to Configuring Enforcement Policies on page 343. 21.Save the service. Web Based Authentication Use Case This Service supports known Guests with inadequate 802.1X supplicants or posture agents. The following figure illustrates the overall flow of control for this Policy Manager Service.
Table 436: Service Navigation and Settings
Navigation | Settings
Create a new Service: Services > Add Service > | Name the Service and select a preconfigured Service Type: Service (tab) > Type (selector): Dell Web-Based Authentication > Name/Description (freeform) > Upon completion, click Next.
3. Set up the Authentication.
a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally.
b.
Table 437: Local Policy Manager Database Navigation and Settings
Navigation | Settings
Select the local Policy Manager database: Authentication (tab) > Sources (Select drop-down list): [Local User Repository] > Add > Strip Username Rules (check box) > | Enter an example of preceding or following separators (if any), with the phrase "user" representing the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
Table 438: Posture Policy Navigation and Settings
Navigation | Setting
Create a Posture Policy: Posture (tab) > Enable Validation Check (check box) > Add new Internal Policy (link) > | Name the Posture Policy and specify a general class of operating system: Policy (tab) > Policy Name (freeform): IPP_UNIVERSAL > Host Operating System (radio buttons): Windows > When finished working in the Policy tab, click Next to open the Posture Plugins tab
Table 438: Posture Policy Navigation and Settings (Continued)
Navigation | Setting
Select a Validator: Posture Plugins (tab) > Enable Windows Health System Validator > Configure (button) > | Configure the Validator: Windows System Health Validator (popup) > Enable all Windows operating systems (check box) > Enable Service Pack levels for Windows 7, Windows Vista®, Windows XP, Windows Server® 2008, Windows Server 2008 R2, and Windows Server 2003 (check boxes) > Save (button) >
Table 438: Posture Policy Navigation and Settings (Continued)
Navigation | Setting
When finished working in the Posture Plugin tab, click Next to move to the Rules tab.
Set rules to correlate validation results with posture tokens: Rules (tab) > Add Rule (button opens popup) > Rules Editor (popup) > | Conditions/Actions: match Conditions (Select Plugin/Select Plugin checks) to Actions (Posture Token) > In the Rules Editor, upon completion of each rule, click the Save button > When finished work
Table 438: Posture Policy Navigation and Settings (Continued)
Navigation | Setting
Add the new Posture Policy to the Service: Back in Posture (tab) > | Internal Policies (selector): IPP_UNIVERSAL_XP, then click the Add button
The following fields deserve special mention:
- Default Posture Token. Value of the posture token to use if health status is not available.
- Remediate End-Hosts. When a client does not pass posture evaluation, redirect to the indicated server for remediation.
- Remediation URL.
MAC Authentication Use Case This Service supports Network Devices, such as printers or handhelds. The following image illustrates the overall flow of control for this Policy Manager Service. In this service, an audit is initiated on receiving the first MAC Authentication request. A subsequent MAC Authentication request (forcefully triggered after the audit, or triggered after a short session timeout) uses the cached results from the audit to determine posture and role(s) for the device.
Table 440: MAC Authentication Service Navigation and Settings Navigation Settings Create a new Service: Services > l Add Service (link) > l Name the Service and select a pre-configured Service Type: l Service (tab) > l Type (selector): MAC Authentication > l Name/Description (freeform) > l Upon completion, click Next to configure Authentication 2. Set up Authentication. You can select any type of authentication/authorization source for a MAC Authentication service.
This step is optional if no Role Mapping Policy is provided, or if you want to establish health or roles using an audit. An audit server determines health by performing a detailed system and health vulnerability analysis (NESSUS). You can also configure the audit server (NMAP or NESSUS) with post-audit rules that enable Policy Manager to determine client identity.
TACACS+ Use Case This Service supports Administrator connections to Network Access Devices via TACACS+. The following image illustrates the overall flow of control for this Policy Manager Service. Figure 754: Administrator connections to Network Access Devices via TACACS+ Configuring the Service Perform the following steps to configure Policy Manager for TACACS+-based access: 1. Navigate to Configuration > Services. 2. Click the icon to add a service. The Configuration > Services > Add window opens. 3.
4. Define the Authentication settings for the service. Authentication methods can be left to their default values, as the Policy Manager TACACS+ service authenticates TACACS+ requests internally. a. In the Authentication Sources section, click the Select to Add drop-down list. b. Select AD (Active Directory). For this use case example, Network Access Device authentication data will be stored in the Active Directory. 5. Click the Enforcement tab and select an Enforcement Policy. a.
Appendix D OnGuard Dissolvable Agent
This appendix includes the following information:
- Introduction
- Native Agents Only Mode
- Native Agents with Java Fallback Mode
- Configuring Web Agent Flow - Java Only Mode
- Native Dissolvable Agent Supported Operating Systems and Browsers
- OnGuard Dissolvable Agent Supported Browsers and Java Versions
Introduction
W-ClearPass OnGuard controls compromised devices by detecting and blocking access to unsecure or unhealthy devices.
Native Dissolvable Agent supports the following browsers and operating systems:
Table 444: Supported Operating Systems and Browsers
OS | Browsers
Windows | Internet Explorer, FireFox, Google Chrome
Mac OS X | Safari, FireFox, Google Chrome
Linux | FireFox
W-ClearPass Policy Manager hosts the Native Dissolvable Agent binary files with OnGuard Persistent Agent installers. You can use the links to download the binaries in the OnGuard Settings page for Windows (.exe) and Mac OS X (.DMG).
2. Select the Require a successful OnGuard health check option in the Health Check field. If you select this field, the guest needs to pass a health check before accessing the network. Select the Native agents only mode in the Client Agents field: Figure 757: Native Agents Only Mode End-to-End Flow in Native Agents Only Mode The following steps describe the end-to-end flow of the OnGuard Dissolvable Agent running on Native agents only mode: 1.
The figure shows an example of the OnGuard Windows Health Checker binary download window:
Figure 760: Native Dissolvable Agent Binary Downloader
5. To download the OnGuard agent, click Save File.
6. To install the OnGuard agent, click Run.
Figure 761: Native Dissolvable Agent Installation
If you are running Windows OS, Internet Explorer provides options to Run or Save. FireFox and Chrome browsers provide an option to save the .exe file.
Figure 762: Native Dissolvable Agent Application Launcher 9. The following progress screen appears and shows the progress: Figure 763: Native Dissolvable Agent Installation Progress 10.After the successful installation, the health check scanning is initiated. The following figure shows an example of the progress indicator: Figure 764: Health Check Progress 11.
Figure 765: Health Check Results
12. Take the appropriate actions to fix the issues listed in the remediation and agent enforcement messages, then click Scan Again. Repeat this step until the client becomes healthy. Once the client is healthy, you can access the destination URL.
13. You can track the events of the end-to-end flow in the Access Tracker page.
1. Select the Policy-initiated - An enforcement policy will control a change of authorization option from the drop-down list in the Login Method field. The following figure shows an example configuration of the Policy-initiated login method:
Figure 767: Policy-initiated Login Method
2. Select the Require a successful OnGuard health check option in the Health Check field. If you select this field, the guest needs to pass a health check before accessing the network.
Figure 769: Native Dissolvable Agents with Java Fallback

Configuring Web Agent Flow - Java Only Mode

You can configure a new web agent flow in two different locations (W-ClearPass Policy Manager and W-ClearPass Guest) to perform health scans on endpoints.

Configuring Web Agent Flow in W-ClearPass Policy Manager

Use the following steps to configure a new web agent flow in W-ClearPass Policy Manager:
1. Create an 802.
Figure 771: Web Agent Flow - Health Only
3. Create a simple Web Auth service that authenticates users against the W-ClearPass Guest user database, to accept or perform the App authentication request after completing the sandwich flow. The following figure shows an example of the Web Agent Flow - Services Web Auth page:
Figure 772: Web Agent Flow - Services Web Auth

Configuring Web Agent Flow in W-ClearPass Guest

Use the following steps to create a web agent flow in W-ClearPass Guest:
1.
Figure 773: Web Login Editor
2. Select the Anonymous - Do not require a username or password option from the drop-down list.
3. Check the Enable bypassing the Apple Captive Network Assistant option in the Prevent CNA field.
4. Select the Local - match a local account option in the Pre-Auth Check field.
5. Check the Require Terms and Conditions confirmation option in the Terms field.
6. In the Default destination field, specify the destination URL to which the client must be redirected after the health check.
7. Select the Local - match a local account option in the Post Authentication field. The following figure shows an example of the Web Login - Post-Authentication page:
Figure 775: Web Login - Post-Authentication
The following figure shows an example of the final web agent flow:
For more information, refer to the W-ClearPass Guest Online Help.
Table 445: Native Dissolvable Agent Supported Browsers and Java Versions (Continued)
Operating systems covered: Windows 7 64-bit, Windows 8 64-bit, Windows 8 32-bit, Windows 2008 64-bit, Windows XP SP3
Operating System | Browser | Test Results | Known Issues | Tested Versions
Windows 7 64-bit | Firefox | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X
Windows 7 64-bit | Internet Explorer | Passed | | W-ClearPass Policy Manager 6.6.0.79875, IE-11.x
Windows 7 64-bit | Chrome | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Chrome 48.X
Windows 8 64-bit | Firefox | Passed | None | W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.

Table 445: Native Dissolvable Agent Supported Browsers and Java Versions (Continued)
Operating systems covered: Windows 2003 32-bit, Windows Vista
Operating System | Browser | Test Results | Known Issues | Tested Versions
Windows 2003 32-bit | Chrome | Not supported | | W-ClearPass Policy Manager 6.6.0.79875, Chrome 35.X
Windows 2003 32-bit | Firefox | Not supported | | W-ClearPass Policy Manager 6.6.0.79875, Firefox 30.X
Windows 2003 32-bit | IE | Not supported | | W-ClearPass Policy Manager 6.6.0.79875, IE-8.x
Windows Vista | Chrome | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Chrome 48.

Table 445: Native Dissolvable Agent Supported Browsers and Java Versions (Continued)
Operating systems covered: Mac OS X 10.7.5, Mac OS X 10.11
Operating System | Browser | Test Results | Known Issues | Tested Versions
Mac OS X 10.7.5 | Firefox | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Firefox-43.x
Mac OS X 10.7.5 | Chrome | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Chrome-47.x
Mac OS X 10.7.5 | Safari | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Safari-6.x
Mac OS X 10.11 | Firefox | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Firefox-44.
OnGuard Dissolvable Agent Supported Browsers and Java Versions

This section provides information on the supported browsers and Java versions for the OnGuard Dissolvable Agent. The versions given in the following table were tested and are up-to-date at the time of this release:

Table 446: OnGuard Dissolvable Agent Supported Browsers and Java Versions
Operating System | Browser | Java Version | Test Results | Known Issues | Tested Versions
| Chrome | 8u73 | Failed | |
| Firefox 44.x | 8u73 | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.

Table 446: OnGuard Dissolvable Agent Supported Browsers and Java Versions (Continued)
Operating systems covered: Windows 7 32-bit, Windows 8 64-bit, Windows 8 32-bit, Windows 8.1 64-bit
Operating System | Browser | Java Version | Test Results | Known Issues | Tested Versions
| Chrome | 8u73 | Failed | | W-ClearPass Policy Manager 6.6.0.79875, Chrome 44.X
| Firefox | 8u73 | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X
| IE | 8u73 | Passed | | W-ClearPass Policy Manager 6.6.0.79875, IE11.X
| Chrome | 8u73 | Failed | |
| Firefox | 8u73 | Passed | | W-ClearPass Policy Manager 6.6.0.

Table 446: OnGuard Dissolvable Agent Supported Browsers and Java Versions (Continued)
Operating System | Browser | Java Version | Test Results | Known Issues | Tested Versions
Windows 8.1 32-bit | Chrome | 8u73 | Failed | | W-ClearPass Policy Manager 6.6.0.80940, Chrome 49.X
Windows 8.1 32-bit | Firefox | 8u73 | Passed | | W-ClearPass Policy Manager 6.6.0.80940, Firefox 45.X
Windows 8.1 32-bit | IE | 8u73 | Passed | | W-ClearPass Policy Manager 6.6.0.80940, IE11.x
| Chrome | 8u73 | Failed | |
| Firefox | 8u73 | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.

Table 446: OnGuard Dissolvable Agent Supported Browsers and Java Versions (Continued)
Operating System | Browser | Java Version | Test Results | Known Issues | Tested Versions
| | | | | 8.X
Windows XP 32-bit | Chrome | 8u73 | Not supported | | W-ClearPass Policy Manager 6.6.0.79875, Chrome 35.X
Windows XP 32-bit | Firefox | 8u73 | Not supported | | W-ClearPass Policy Manager 6.6.0.79875, Firefox 30.X
Windows XP 32-bit | IE | 8u73 | Not supported | | W-ClearPass Policy Manager 6.6.0.79875, IE8.x
| Safari | 8u73 | Passed | |
| Firefox | 8u73 | Passed | | W-ClearPass Policy Manager 6.6.0.

Table 446: OnGuard Dissolvable Agent Supported Browsers and Java Versions (Continued)
Operating System | Browser | Java Version | Test Results | Known Issues | Tested Versions
| Firefox | 8u73 | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X
| Chrome | 8u73 | Failed | | W-ClearPass Policy Manager 6.6.0.79875, Chrome-44.x
| Safari | 8u73 | Passed | |
| Firefox | 8u73 | Passed | | W-ClearPass Policy Manager 6.6.0.79875, Firefox 44.X
| Chrome | 8u73 | Failed | | W-ClearPass Policy Manager 6.6.0.79875, Chrome-44.
Appendix E Rules Editing and Namespaces

The W-Policy Manager administration user interface allows you to create different types of objects:
- Service rules
- Role mapping policies
- Internal user policies
- Enforcement policies
- Enforcement profiles
- Post-audit rules
- Proxy attribute pruning rules
- Filters for Access Tracker and activity reports
- Attributes editing for policy simulation

When editing all these elements, you are presented with a tabular interface with the same column h
- Authentication Namespaces on page 847
- Authorization Namespaces on page 849
- Certificate Namespaces on page 850
- Connection Namespaces on page 851
- Date Namespaces on page 852
- Device Namespaces on page 852
- Endpoint Namespaces on page 853
- Guest User Namespaces on page 853
- Host Namespaces on page 853
- Local User Namespaces on page 853
- Posture Namespaces on page 854
- RADIUS Namespaces on page 854
- TACACS Namespaces on page 855
- Tips Namespaces on page 855

Applica
- Page-Name
- Provisioning-Settings-ID
- SAMLRequest
- SAMLResponse
- Session-Timeout
- User-Email-Address

Audit Namespaces

The dictionaries in the audit namespace come pre-packaged with the product. The Audit namespace has the notation Vendor:Audit, where Vendor is the name of the company that defined the attributes in the dictionary. Examples of dictionaries in the audit namespace are AvendaSystems:Audit and Qualys:Audit. The Audit namespace appears when editing post-audit rules.
Authentication Namespace Editing Context

The following table describes the Authentication Namespace Attributes parameters:

Table 448: Authentication Namespace Attributes
Attribute Name | Values
InnerMethod |
- CHAP
- EAP-GTC
- EAP-MD5
- EAP-MSCHAPv2
- EAP-TLS
- MSCHAP
- PAP
NOTE: The EAP-MD5 authentication type is not supported if you use W-ClearPass Policy Manager in FIPS mode.
Table 448: Authentication Namespace Attributes (Continued)
Attribute Name | Values
MacAuth |
- AuthSource-Unreachable - The authentication source was unreachable
- NotApplicable - Not a MAC Auth request
- Known Client - Client MAC address was found in an authentication source
- Unknown Client - Client MAC address was not found in an authentication source
Username | The username as received from the client (after the strip user name rules are applied).
attribute names defined when you created an instance of this authentication source. The attribute names are pre-populated for administrative convenience.

Sources | The list of authorization sources from which attributes were fetched for role mapping.

Authorization namespaces appear in role mapping policies.

SQL Instance Namespace

For each instance of an SQL authentication source, there is an SQL instance namespace that appears in the rules editing interface.
Table 449: Certificate Namespace Attributes (Continued)
Attribute Name | Values
- Issuer-O
- Issuer-OU
- Issuer-SN
- Issuer-ST
- Issuer-UID
- Subject-AltNameDirName
- Subject-AltName-DNS
- Subject-AltNameEmailAddress
- Subject-AltNameIPAddress
- Subject-AltName-msUPN
- Subject-AltNameRegisterdID
- Subject-AltName-URI
The Subject-AltName attributes are associated with the subject (user or machine, in this case) alternate name. Not all of these fields are populated in a certificate.
Table 450: Connection Namespace Pre-defined Attributes (Continued)
Attribute | Description
Client-Mac-Address | MAC address of the client.
Client-Mac-Address-Colon, Client-Mac-Address-Dot, Client-Mac-Address-Hyphen, Client-Mac-Address-Nodelim | Client MAC address in different formats.
Client-IP-Address | IP address of the client (if known).
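The four Client-Mac-Address-* variants above carry the same address in different delimiters, and a rule that compares a MAC against a value written in the wrong delimiter style silently never matches. The helper below is an added illustration (not Policy Manager code) that renders one address in all four forms so the value you put in a rule, a static host list or an endpoint record can be checked against each. It assumes lowercase hexadecimal in the rendered forms and rejects anything that is not a 48-bit address; the sample inputs are constructed.

```python
"""Render a client MAC address in the four Connection-namespace formats.

Added example, not part of W-ClearPass Policy Manager. The attribute names
are those listed in Table 450; lowercase output is an assumption.
"""
import re

# Delimiters accepted on input: colon, dot, hyphen, or none (plus stray whitespace).
_DELIMITERS = re.compile(r"[:.\-\s]")
_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Strip known delimiters and return 12 lowercase hex digits.

    Only delimiters are removed, so a value containing non-hex characters
    (a typo, or a value that is not a MAC at all) is rejected rather than
    silently "cleaned" into something that looks valid.
    """
    digits = _DELIMITERS.sub("", raw)
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return digits.lower()


def mac_formats(raw: str) -> dict[str, str]:
    """Return the address keyed by the Connection-namespace attribute names."""
    digits = normalize_mac(raw)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]       # 00 11 22 aa bb cc
    quads = [digits[i:i + 4] for i in range(0, 12, 4)]       # 0011 22aa bbcc
    return {
        "Client-Mac-Address-Colon": ":".join(pairs),
        "Client-Mac-Address-Hyphen": "-".join(pairs),
        "Client-Mac-Address-Dot": ".".join(quads),
        "Client-Mac-Address-Nodelim": digits,
    }


def same_mac(a: str, b: str) -> bool:
    """Compare two addresses regardless of the delimiter style each uses."""
    return normalize_mac(a) == normalize_mac(b)


if __name__ == "__main__":
    # Constructed sample value, as a switch might report it in hyphen form.
    for name, value in mac_formats("00-11-22-AA-BB-CC").items():
        print(f"{name:<28} {value}")
    print(same_mac("0011.22aa.bbcc", "00:11:22:AA:BB:CC"))
```

When a rule against one of these attributes never fires, compare the configured value with the format of the attribute the rule actually names (for example a dotted value against Client-Mac-Address-Dot) before looking further.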
Endpoint Namespaces

Use these attributes to look up attributes of authenticating endpoints that are present in the Policy Manager endpoints list. The Endpoint namespace has the following attributes:
- Disabled By
- Disabled Reason
- Enabled By
- Enabled Reason
- Info URL

Guest User Namespaces

The GuestUser namespace has the attributes associated with the guest user (resident in the Policy Manager guest user database) who authenticated in this session.
- Email
- Phone
- Sponsor
Custom attributes also appear in the attribute list if they are defined as custom tags for the local user. These attributes can be used only if you have pre-populated their values when configuring the local user in Policy Manager.

Posture Namespaces

The dictionaries in the posture namespace are pre-packaged with the product. The administration interface provides a way to add dictionaries into the system (see Posture Dictionary.
- RADIUS Enforcement profiles: All RADIUS namespace attributes that can be sent back to a RADIUS client (the ones marked with the OUT or INOUT qualifier)
- Role mapping policies
- Service rules: All RADIUS namespace attributes that can appear in a request (the ones marked with the IN or INOUT qualifier)

TACACS Namespaces

The TACACS (Terminal Access Controller Access-Control System) namespace has the attributes available in a TACACS+ request.
The following built-in variables are supported in W-Policy Manager:

Table 451: W-Policy Manager Variables
Variable | Description
%{attributename} | attribute-name is the alias name for an attribute that you have configured to be retrieved from an authentication source. See Adding and Modifying Authentication Sources on page 193.
The following table lists the operators presented for common attribute data types:

Table 452: Attribute Operators (rows for the String, Integer, and Time or Date attribute types)
Table 452: Attribute Operators (Continued)
Attribute Type | Operators
Day | BELONGS_TO, NOT_BELONGS_TO
List (Example: Role) | EQUALS, NOT_EQUALS, MATCHES_ALL, NOT_MATCHES_ALL, MATCHES_ANY, NOT_MATCHES_ANY, MATCHES_EXACT, NOT_MATCHES_EXACT
Group (Example: Calling-Station-Id, NAS-IP-Address) | BELONGS_TO_GROUP, NOT_BELONGS_TO_GROUP, and all string data types

The following table describes all operator types:

Table 453: Operator Types
Operator | Description
BEGINS_WITH | For string data type, t
Printers.
CONTAINS | For string data type, true if the run-time value of the attribute is a substring of the configured value. Example: RADIUS:IETF:NAS-Identifier CONTAINS "VPN"
ENDS_WITH | For string data type, true if the run-time value of the attribute ends with the configured value. Example: RADIUS:IETF:NAS-Identifier ENDS_WITH "DEVICE"
EQUALS | True if the run-time value of the attribute matches the configured value. For string data type, this is a case-sensitive comparison.
the run-time values of Tips:Role are HR,ENG,FINANCE,MGR,ACCT the condition evaluates to true.
MATCHES_ANY | For list data types, true if any of the run-time values in the list match one of the configured values. Example: Tips:Role MATCHES_ANY HR,ENG,FINANCE
MATCHES_EXACT | For list data types, true if all of the run-time values of the attribute match all of the configured values. Example: Tips:Role MATCHES_EXACT HR,ENG,FINANCE
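The list operators are the ones most often misread when a role-mapping or enforcement rule fires unexpectedly, since MATCHES_ALL, MATCHES_ANY and MATCHES_EXACT differ only in how the configured set relates to the run-time set. The evaluator below is an added example, not Policy Manager's rule engine; it applies the operators described in Table 453 to a constructed request whose attribute keys use the Namespace:Dictionary:Attribute notation from this appendix. It follows the CONTAINS example (NAS-Identifier CONTAINS "VPN"), looking for the configured value inside the run-time value, and treats the MacAuth values from Table 448 as plain strings; comma separation of configured list values and the behaviour when an attribute is absent (the condition fails) are assumptions.

```python
"""Evaluate rule conditions with the operators of Table 453.

Added example; it is not W-ClearPass Policy Manager code. The request below
is constructed for illustration and is not captured from a deployment.
"""
from typing import Any

# Constructed sample request: namespace-qualified attribute -> run-time value.
SAMPLE_REQUEST: dict[str, Any] = {
    "RADIUS:IETF:NAS-Identifier": "VPN-Gateway-DEVICE",
    "Authentication:InnerMethod": "EAP-MSCHAPv2",
    "Authentication:MacAuth": "Known Client",
    "Tips:Role": ["HR", "ENG", "FINANCE", "MGR", "ACCT"],  # list-typed attribute
}


def _as_list(value: Any) -> list[str]:
    """List-typed attributes such as Tips:Role may carry several values."""
    if isinstance(value, (list, tuple, set)):
        return [str(v) for v in value]
    return [str(value)]


def _split_config(configured: str) -> list[str]:
    """Configured list values are written comma-separated (assumption)."""
    return [part.strip() for part in configured.split(",") if part.strip()]


def evaluate(operator: str, runtime: Any, configured: str) -> bool:
    """Apply one Table 453 operator to a run-time value."""
    if operator == "BEGINS_WITH":
        return str(runtime).startswith(configured)
    if operator == "ENDS_WITH":
        return str(runtime).endswith(configured)
    if operator == "CONTAINS":
        # As in the table's example, the configured "VPN" is searched for
        # inside the run-time NAS-Identifier.
        return configured in str(runtime)
    if operator == "EQUALS":
        return str(runtime) == configured      # case-sensitive for strings
    if operator == "NOT_EQUALS":
        return str(runtime) != configured
    if operator == "BELONGS_TO":
        return str(runtime) in _split_config(configured)
    if operator == "NOT_BELONGS_TO":
        return str(runtime) not in _split_config(configured)

    runtime_set = set(_as_list(runtime))
    configured_set = set(_split_config(configured))
    if operator == "MATCHES_ALL":
        # Every configured value must be among the run-time values; extra
        # run-time values (MGR, ACCT in the table's example) do not matter.
        return configured_set <= runtime_set
    if operator == "MATCHES_ANY":
        return bool(runtime_set & configured_set)
    if operator == "MATCHES_EXACT":
        # The two sets must coincide exactly, in any order.
        return runtime_set == configured_set
    if operator.startswith("NOT_MATCHES_"):
        return not evaluate(operator[len("NOT_"):], runtime, configured)
    raise ValueError(f"unsupported operator: {operator}")


def rule_matches(request: dict[str, Any],
                 conditions: list[tuple[str, str, str]],
                 match_all: bool = True) -> bool:
    """Evaluate a rule: a list of (attribute, operator, configured value).

    An attribute missing from the request never satisfies its condition
    (assumption). match_all=True means every condition must hold.
    """
    results = []
    for attribute, operator, configured in conditions:
        if attribute not in request:
            results.append(False)
            continue
        results.append(evaluate(operator, request[attribute], configured))
    return all(results) if match_all else any(results)


# Rule built from the examples in Table 453 plus a MacAuth value from Table 448.
VPN_HR_RULE = [
    ("RADIUS:IETF:NAS-Identifier", "CONTAINS", "VPN"),
    ("RADIUS:IETF:NAS-Identifier", "ENDS_WITH", "DEVICE"),
    ("Tips:Role", "MATCHES_ALL", "HR,ENG,FINANCE"),
    ("Authentication:MacAuth", "NOT_EQUALS", "Unknown Client"),
]

if __name__ == "__main__":
    print(rule_matches(SAMPLE_REQUEST, VPN_HR_RULE))
    print(evaluate("MATCHES_EXACT", SAMPLE_REQUEST["Tips:Role"], "HR,ENG,FINANCE"))
```

Running the block shows the distinction the table describes: with Tips:Role holding HR,ENG,FINANCE,MGR,ACCT, MATCHES_ALL HR,ENG,FINANCE is true while MATCHES_EXACT HR,ENG,FINANCE is false, because the run-time set has two extra members. Before deploying a rule, it is worth walking a few representative requests through it this way and confirming the expected outcome against the Access Tracker rather than relying on the operator names alone.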