User Guide Dell Networking W-ClearPass Guest 6.
Copyright © 2013 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Chapter 1 About this Guide

Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access.

Audience

This deployment guide is intended for system administrators and people who are installing and configuring Dell Networking W-ClearPass Guest as their visitor management solution. It describes the installation and configuration process.
The following informational icons are used throughout this guide:
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of damage to your hardware or loss of data.
- Indicates a risk of personal injury or death.

Contacting Support
- Main Website: dell.com
- Support Website: dell.com/support
- Documentation Website: dell.com/support/manuals
Chapter 2 W-ClearPass Guest Overview

This chapter explains the terms, concepts, processes, and equipment involved in managing visitor access to a network, and helps you understand how Dell Networking W-ClearPass Guest can be successfully integrated into your network infrastructure. It is intended for network architects, IT administrators, and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.
Figure 1 Visitor access using ClearPass Guest

In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because access to the network is restricted, visitors must first obtain a username and password. A guest account may be provisioned by a corporate operator such as a receptionist, who can then give the visitor a printed receipt that shows their username and password for the network.
The network administrator, operators, and visitors may use different network interfaces to access the visitor management features. The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points. Key Interactions The following figure shows the key interactions between ClearPass Guest and the people and other components involved in providing guest access.
Figure 4 Sequence diagram for network access using AAA

In the standard AAA framework, network access is provided to a user according to the following process:
- The user connects to the network by associating with a local access point [1].
- A landing page is displayed to the user [2] which allows them to log in to the NAS [3], [4] using the login name and password of their guest account.
- The NAS authenticates the user with the RADIUS protocol [5].
Table 2: List of Key Features

Visitor Access
- Web server providing content delivery for guests: see "Managing Content" on page 180
- Guest self-registration: see "Customizing Self-Provisioned Access" on page 217

Visitor Management
- Create and manage visitor accounts, individually or in groups: see "Using Standard Guest Management Features" on page 32
- Manage active RADIUS sessions using RFC 3576 dynamic authorization support: see "Active Sessions Management" on page 61
- Import and export visitor accounts
- Authentication" on page 339
- Operators authenticated via LDAP: see "External Operator Authentication" on page 340
- Role based access control for operators: see "Operator Profiles" on page 334
- Plugin-based application features, automatically updated by ClearPass Policy Manager: see "Plugin Manager" on page 292

User Interface Features
- Context-sensitive help with searchable online documentation: see "Documentation and User Assistance" on page 27

Visitor Management Terminology

The following table describ
- User Database: Database listing the guest accounts in ClearPass Guest.
- View: In a user interface, a table displaying data, such as visitor account information, to operators.
- Visitor/Guest: Someone who is permitted to access the Internet through your Network Access Server.
- Visitor Account: Settings for a visitor stored in the user database, including username, password and other fields.
- Web Login/NAS Login: Login page displayed to a guest user.
Policy Decision
- Type of network access?
- Time of day access?
- Bandwidth allocation to guests?
- Prioritization of traffic?
- Different guest roles?
- IP address ranges for operators?
- Enforce access via HTTPS?

Operational Concerns
- Who will manage guest accounts?
- Guest account self provisioning?
- What privileges will the guest managers have?
- Who will be responsible for printing reports?

Network Management Policy
- Password format for guest accounts?
- Shared secret format?
- Operator provisioning?

Network Provisioning P
- Should HTTPS be required in order to access the visitor management server?

AirGroup Deployment Process

AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. You use ClearPass Guest to define AirGroup administrators and operators. AirGroup administrators can then use ClearPass Guest to register and manage an organization’s shared devices and configure access according to username, role, or location.
On some forms and views, the Quick Help icon may also be used to provide additional detail about a field. If You Need More Assistance If you encounter a problem using ClearPass Guest, your first step should be to consult the appropriate section in this Deployment Guide. If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you with the answer or obtain a solution to your problem.
Chapter 3 W-ClearPass Guest Manager

The ability to easily create and manage guest accounts is the primary function of Dell Networking W-ClearPass Guest. The Guest Manager module provides complete control over the user account creation process.
Figure 5 Sponsored guest access with guest created by operator The operator creates the guest accounts and generates a receipt for the account. The guest logs on to the Network Access Server (NAS) using the credentials provided on her receipt. The NAS authenticates and authorizes the guest’s login in ClearPass Guest. Once authorized, the guest is able to access the network.
- How to create a single guest account and a guest account receipt
- How to create multiple guest accounts and multiple guest account receipts
- How to create a single password for multiple accounts
- How to list and edit single and multiple guest accounts

To customize guest self-registration, please see Configuration on page 179.

Creating a Guest Account

To create a new account, go to Guest > Create Account, or click the Create New Guest Account command link on the Guest Manager page.
To print a receipt for the visitor, select an appropriate template from the Open print window using template… list. A new Web browser window will open and the browser’s Print dialog box will be displayed. Click the Send SMS receipt link to send a guest account receipt via text message. Use the SMS Receipt form to enter the mobile telephone number to which the receipt should be sent. Sending SMS receipts requires the SMS Services plugin.
To complete the form, you must enter the number of visitor accounts you want to create. A random username and password will be created for each visitor account. This is not displayed on this form, but will be available on the guest account receipt. The visitor accounts cannot be used before the activation time, or after the expiration time. The Account Role specifies what type of accounts to create. Click the Create Accounts button after completing the form.
- Activation Time – the date and time at which the account will be activated, or N/A if there is no activation time
- Expiration Time – the date and time at which the account will expire, or N/A if there is no expiration time
- Lifetime – the account lifetime in minutes, or N/A if the account does not have a lifetime specified
- Successful – “Yes” if the account was created successfully, or “No” if there was an error creating the account

Creating a Single Password for Multiple Accounts

You can creat
2. In the Number of Accounts field, enter the number of accounts you wish to create. 3. In the Visitor Password field, enter the password that is to be used by all the accounts. 4. Complete the other fields with the appropriate information, then click Create Accounts. The Finished Creating Guest Accounts view opens. The password and other account details are displayed for each account. Managing Guest Accounts Use the Guest Manager Accounts list view to work with individual guest accounts.
The Guest Manager Accounts view opens. This view (guest_users) may be customized by adding new fields or modifying or removing the existing fields. See "Customizing Fields" on page 190 for details about this customization process. The default settings for this view are described below.
To restore the default view, click the Clear Filter link. Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page. When the list contains numerous user accounts, consider using the Filter field to speed up finding a specific user account. Use the Create tab to create new visitor accounts using the New Visitor Account form.
Select the appropriate Action radio button, and click Make Changes to disable or delete the account. If you wish to have automatic disconnect messages sent when the enabled value changes, you can specify this in the Configuration module. See "Configuring ClearPass Guest Authentication" on page 179.
- Activate – Re-enables a disabled guest account, or specifies an activation time for the guest account. Select an option from the drop-down list to change the activation time of the guest account.
- Print – Displays the guest account’s receipt and the delivery options for the receipt. For security reasons, the guest’s password is not displayed on this receipt. To recover a forgotten or lost guest account password, use the Reset password link.

Managing Multiple Guest Accounts

Use the Edit Accounts list view to work with multiple guest accounts. This view may be accessed by clicking the Edit Multiple Guest Accounts command link.
Table 8: Operators supported in filters
- = is equal to
- != is not equal to
- > is greater than
- >= is greater than or equal to
- < is less than
- <= is less than or equal to
- ~ matches the regular expression
- !~ does not match the regular expression

To restore the default view, click the

Additional Information: You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ).
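As an added illustration that is not part of the guide and not the product's own filter code, the following Python evaluator applies the Table 8 operators, including pipe-separated multiple values for = and !=, to a constructed set of guest account rows; the same operator set is listed again in Table 11 for the Active Sessions filter. It assumes a filter is written as "field operator value" and that a bare string is a substring search over the username and email fields; the account rows are constructed sample data.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample rows from the guest_users view (not real accounts).
ACCOUNTS: List[Dict[str, Any]] = [
    {"username": "alice", "role_id": 2, "email": "alice@example.com"},
    {"username": "bob", "role_id": 3, "email": "bob@example.net"},
    {"username": "carol", "role_id": 2, "email": "carol@example.org"},
    {"username": "dave", "role_id": 5, "email": "dave@partner.example"},
]

# Assumed: the fields a bare substring (no operator) is matched against.
SEARCH_FIELDS = ("username", "email")

# Operators from Table 8. The two-character operators come first in the
# alternation so that "!=" is not parsed as "!" followed by "=".
_FILTER_RE = re.compile(r"^\s*(\w+)\s*(!=|>=|<=|!~|=|>|<|~)\s*(.*?)\s*$")


def parse_filter(text: str) -> Optional[Tuple[str, str, str]]:
    """Return (field, operator, value), or None for a plain substring filter."""
    m = _FILTER_RE.match(text)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def _coerce(raw: str, like: Any) -> Any:
    """Convert typed text to the record field's type; None if that is impossible."""
    if isinstance(like, bool):
        return raw.strip().lower() in ("1", "true", "yes")
    if isinstance(like, int):
        try:
            return int(raw)
        except ValueError:
            return None
    return raw


def record_matches(record: Dict[str, Any], field: str, op: str, raw: str) -> bool:
    """Apply one 'field op value' test to a single record."""
    if field not in record:
        return False
    actual = record[field]
    if op in ("=", "!="):
        # Only equality and inequality accept several values separated by "|".
        wanted = [_coerce(v, actual) for v in raw.split("|")]
        hit = actual in wanted  # an unconvertible value (None) never matches
        return hit if op == "=" else not hit
    if op in ("~", "!~"):
        # The pattern is operator-supplied text; a malformed pattern matches nothing.
        try:
            hit = re.search(raw, str(actual)) is not None
        except re.error:
            return False
        return hit if op == "~" else not hit
    expected = _coerce(raw, actual)
    if expected is None:
        return False  # e.g. "role_id>x": no numeric comparison is possible
    if op == ">":
        return actual > expected
    if op == ">=":
        return actual >= expected
    if op == "<":
        return actual < expected
    return actual <= expected


def apply_filter(records: List[Dict[str, Any]], text: str) -> List[Dict[str, Any]]:
    """Return the records selected by a filter string, in their original order."""
    parsed = parse_filter(text)
    if parsed is None:
        needle = text.strip().lower()
        return [r for r in records
                if any(needle in str(r.get(f, "")).lower() for f in SEARCH_FIELDS)]
    field, op, raw = parsed
    return [r for r in records if record_matches(r, field, op, raw)]


def usernames(records: List[Dict[str, Any]]) -> List[str]:
    return [r["username"] for r in records]


if __name__ == "__main__":
    for f in ("role_id=2|3", "role_id!=2|3", "username~^[ab]", "email!~example\\.com$", "ali"):
        print(f"{f:24s} -> {usernames(apply_filter(ACCOUNTS, f))}")
```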
The Results tab will be automatically selected after you have made changes to one or more guest accounts. You can create new guest account receipts or download the updated guest account information. See "Creating Multiple Guest Account Receipts" on page 35 in this chapter for more information. The More Options tab includes the Choose Columns command link. You can click this link to open the Configuration module’s Customize View Fields form, which may be used to customize the Edit Guest Accounts view.
- Colon (:) separated values
- Semicolon (;) separated values

Select the Force first row as header row check box if your data contains a header row that specifies the field names. This option is only required if the header row is not automatically detected. Click Next Step to upload the account data. In step 2 of 3, ClearPass Guest determines the format of the uploaded account data and matches the appropriate fields to the data.
To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column name to use the values from that column when importing guest accounts, or select one of the other available options to use a fixed value for each imported guest account. Click the Next Step button to preview the final result. Import Step 3 of 3, the Import Accounts form, opens and shows a preview of the import operation.
The Export Accounts view (guest_export) may be customized by adding new fields, or by modifying or removing the existing fields. See "Customizing Self-Provisioned Access" on page 217 for details about this customization process.
To verify that you have the most recent MAC Authentication Plugin installed and enabled before you configure these advanced features, go to Administration > Plugin Manager > List Available Plugins. For information on plugin management, see "Plugin Manager" on page 292.

MAC Address Formats

Different vendors format the client MAC address in different ways—for example:
- 112233AABBCC
- 11:22:33:aa:bb:cc
- 11-22-33-AA-BB-CC

ClearPass Guest supports adjusting the expected format of a MAC address.
All devices created by one of the methods described in the following section are listed. Options on the form let you change a device’s account expiration date; remove, activate, or edit the device; view active sessions or details for the device; or print details, receipts, confirmations, or other information.
1. In the Account Expiration row, choose one of the options in the drop-down list to set an expiration date:
- If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list.
- If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker.
1. In the Activate Account row, choose one of the options in the drop-down list to specify when to activate the account. You may choose an interval, or you may choose to specify a time. 2. If you choose Activate at specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date. 3.
- If you choose Activate at a specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
3. If you need to change the expiration time, choose one of the options in the Account Expiration drop-down list.
Choosing an option in the Open print window using template drop-down list opens a print preview window and the printer dialog. Options include account details, receipts in various formats, a session expiration alert, and a sponsorship confirmation notice.
2. In the Sponsor’s Name row, enter the name of the person sponsoring the visitor account. 3. Enter the name for the device in the Device Name row. 4. Enter the address in the MAC Address row. If you need to modify the configuration for expected separator format or case, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication Plugin. 5. Choose one of the options in the Account Activation drop-down list.
- If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list. The maximum is two weeks.
- If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
7.
When the visitor registers, they should be able to still log in via the Log In button. The MAC will be passed as their username and password via standard captive portal means. The account will only be visible on the List Devices page. If the guest logs out and reconnects, they should be immediately logged in without being redirected to the captive portal page.
2. In the Device Name field, enter the name used to identify the device. 3. In the Device Type field, use the drop-down list to select the device type. 4. In the MAC Address field, enter the device’s MAC address. 5. In the Shared Locations field, enter the locations where the device can be shared. To allow the device to be shared with all locations, leave this field blank. Each location is entered as a tag=value pair describing the MAC address of the access point (AP) closest to the registered device.
To view and edit your organization’s shared AirGroup devices: 1. Go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The AirGroup Devices page opens. This page lists all the shared AirGroup devices for the organization. You can remove a device; edit a device’s name, MAC address, shared locations, shared-user list, or shared roles; print device details; or add a new device. 2. To work with a device, click the device’s row in the list.
2. In the Your Name field, enter your username for your organization. 3. In the Device Name field, enter the name used to identify the device. 4. In the Device Type drop-down list, select the device type. 5. In the MAC Address field, enter the device’s MAC address. 6. In the Shared With field, enter the usernames of your friends or colleagues who are allowed to use the device. Use commas to separate usernames in the list. You may enter up to ten usernames.
3. To edit properties of a device, click the Edit link for the device. The row expands to include the Edit Device form. You can modify the device’s name, MAC address, and group of users. 4. When your edits are complete, click Save Changes.
6. Click Save Changes to complete this configuration and continue with other tasks, or click Save and Reload to proceed to Policy Manager and apply the network settings. Importing MAC Devices The standard Guest > Import Accounts form supports importing MAC devices. At a minimum the following two columns are required: mac and mac_auth.
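The following Python is an added example, not from the guide and not the MAC Authentication Plugin's own code. It normalizes the vendor MAC formats listed under "MAC Address Formats" into one canonical form, renders them back in a chosen separator and case (the plugin's separator/case settings, here as function parameters), and pre-checks a constructed import file against the two columns the Import Accounts form requires for MAC devices. It goes beyond the guide's list by also accepting the Cisco dotted form (1122.33aa.bbcc); the CSV content is constructed sample data, and the accepted values of mac_auth are not stated on the page, so only the column's presence is checked.

```python
import csv
import io
import re
from typing import Any, Dict, List, Optional, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Columns the guide says an Import Accounts file for MAC devices must contain.
REQUIRED_COLUMNS = ("mac", "mac_auth")


def normalize_mac(raw: str) -> Optional[str]:
    """Reduce any common vendor format to 12 lowercase hex digits, or None if invalid.

    Accepts 112233AABBCC, 11:22:33:aa:bb:cc, 11-22-33-AA-BB-CC and, beyond the
    guide's list, the Cisco dotted form 1122.33aa.bbcc.
    """
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    return digits if _HEX12.match(digits) else None


def format_mac(mac12: str, separator: str = ":", group: int = 2, upper: bool = False) -> str:
    """Render a normalized MAC with the separator, grouping and case a NAS expects
    (the equivalent of the plugin's separator and case configuration)."""
    groups = [mac12[i:i + group] for i in range(0, 12, group)]
    text = separator.join(groups)
    return text.upper() if upper else text


def validate_import(csv_text: str) -> Dict[str, Any]:
    """Pre-check an import file: required columns present, every MAC well formed,
    and no MAC listed twice. Returns accepted rows (MACs canonicalized) and rejects."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return {"ok": [], "rejected": [], "missing_columns": missing}
    ok: List[Dict[str, str]] = []
    rejected: List[Tuple[int, Optional[str], str]] = []
    seen = set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header row
        mac = normalize_mac(row.get("mac") or "")
        if mac is None:
            rejected.append((line_no, row.get("mac"), "not a valid MAC address"))
        elif mac in seen:
            rejected.append((line_no, row.get("mac"), "duplicate of an earlier row"))
        else:
            seen.add(mac)
            ok.append({**row, "mac": format_mac(mac)})
    return {"ok": ok, "rejected": rejected, "missing_columns": []}


# Constructed sample import file (not from any real deployment).
SAMPLE_CSV = """mac,mac_auth,visitor_name
112233AABBCC,1,Lobby printer
11:22:33:aa:bb:cc,1,Lobby printer (same device again)
11-22-33-AA-BB-CD,1,Meeting room display
1122.33aa.bbce,1,Badge reader
ZZ:22:33:aa:bb:cc,1,Typo
"""

if __name__ == "__main__":
    result = validate_import(SAMPLE_CSV)
    for row in result["ok"]:
        print("import ", row["mac"], row["visitor_name"])
    for line_no, value, reason in result["rejected"]:
        print(f"reject  line {line_no}: {value!r} ({reason})")
```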
Please accept the terms before proceeding. {else} You need to register... {/if}
You can hide the login form by having the final line of the header be:
{if !$guest_receipt.u.username}{/if}
and the first line of the footer be:
{if !$guest_receipt.u.username}
{/if}

Active Sessions Management

The RADIUS server maintains a list of active visitor sessions. If the NAS equipment has RFC 3576 support, you can disconnect or dynamically reauthorize active sessions. See "RFC 3576 Dynamic Authorization" on page 63 for more information.
- To disconnect an active session, click the session’s row in the list, then click its Disconnect link. A message is displayed to show that the disconnect is in progress and acknowledge when it is complete.
- To reauthorize a session that was disconnected, click the session’s row in the list, then click its Reauthorize link.
Session States

A session may be in one of three possible states:
- Active—An active session is one for which the RADIUS server has received an accounting start message and has not received a stop message, which indicates that service is being provided by a NAS on behalf of an authorized client. While a session is in progress, the NAS sends interim accounting update messages to the RADIUS server. This maintains up-to-date traffic statistics and keeps the session active.
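To make the accounting mechanics above concrete, here is an added Python session table (not part of the guide and not the RADIUS server's implementation) that derives session state from a constructed sequence of accounting events: Start opens a session, Interim-Update refreshes its traffic counters and last-seen time, and Stop closes it. Two additions are assumptions for the defender's view rather than behaviour the guide describes: an active session whose last update is older than a configurable threshold is flagged, and updates or stops for sessions that were never started are recorded as anomalies.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed accounting events as attribute=value pairs (not captured traffic).
# Event-Timestamp is written as plain seconds for readability.
EVENTS = [
    "Acct-Status-Type=Start User-Name=alice Acct-Session-Id=s1 NAS-IP-Address=10.0.0.1 Event-Timestamp=1000",
    "Acct-Status-Type=Start User-Name=bob Acct-Session-Id=s2 NAS-IP-Address=10.0.0.1 Event-Timestamp=1010",
    "Acct-Status-Type=Interim-Update User-Name=alice Acct-Session-Id=s1 Acct-Input-Octets=5000 Acct-Output-Octets=20000 Event-Timestamp=1600",
    "Acct-Status-Type=Stop User-Name=bob Acct-Session-Id=s2 Acct-Input-Octets=100 Acct-Output-Octets=900 Acct-Terminate-Cause=User-Request Event-Timestamp=1700",
    "Acct-Status-Type=Interim-Update User-Name=carol Acct-Session-Id=s9 Acct-Input-Octets=1 Acct-Output-Octets=1 Event-Timestamp=1800",
]


@dataclass
class Session:
    session_id: str
    username: str
    nas_ip: str
    started: int
    last_seen: int
    input_octets: int = 0
    output_octets: int = 0
    state: str = "active"  # "active" until a Stop arrives, then "closed"


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Attr=value Attr=value' into a dict (values here contain no spaces)."""
    return dict(token.split("=", 1) for token in line.split())


class SessionTable:
    """Tracks what the RADIUS server knows about each visitor session."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.anomalies: List[Tuple[str, str]] = []

    def process(self, line: str) -> None:
        ev = parse_event(line)
        sid, kind, ts = ev["Acct-Session-Id"], ev["Acct-Status-Type"], int(ev["Event-Timestamp"])
        current = self.sessions.get(sid)
        if kind == "Start":
            if current is not None and current.state == "active":
                self.anomalies.append((sid, "Start received while the session was still active"))
            self.sessions[sid] = Session(sid, ev["User-Name"], ev.get("NAS-IP-Address", ""), ts, ts)
            return
        if current is None or current.state != "active":
            # An update or stop for a session never seen starting (or already closed):
            # accounting packets may have been lost, or the NAS is misconfigured.
            self.anomalies.append((sid, f"{kind} received for an unknown or closed session"))
            return
        # Interim-Update and Stop both carry the latest traffic counters.
        current.last_seen = ts
        current.input_octets = int(ev.get("Acct-Input-Octets", current.input_octets))
        current.output_octets = int(ev.get("Acct-Output-Octets", current.output_octets))
        if kind == "Stop":
            current.state = "closed"

    def active(self, now: int, stale_after: int = 900) -> List[Tuple[str, str, bool]]:
        """(username, session id, is_stale) for every session without a Stop.
        Assumed: a session not refreshed within stale_after seconds is flagged."""
        return [(s.username, s.session_id, now - s.last_seen > stale_after)
                for s in self.sessions.values() if s.state == "active"]


def build_table(events: List[str]) -> SessionTable:
    table = SessionTable()
    for line in events:
        table.process(line)
    return table


if __name__ == "__main__":
    t = build_table(EVENTS)
    print("active:", t.active(now=2000))
    print("anomalies:", t.anomalies)
```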
You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:

Table 11: Operators supported in filters
- = is equal to
- != is not equal to
- > is greater than
- >= is greater than or equal to
- < is less than
- <= is less than or equal to
- ~ matches the regular expression
- !~ does not match the regular expression

To restore the default view, click the

Additional Information: You may
3. Click Make Changes. The specified sessions are closed and are removed from the Active Sessions list. Sending Multiple SMS Alerts The SMS tab on the Active Sessions page lets you send an SMS alert message to all active sessions that have a valid phone number.
Chapter 4 Onboard + WorkSpace

Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate access credentials and setting up the network connection parameters. The Onboard + WorkSpace module provides all the features of ClearPass Onboard and ClearPass WorkSpace together:
- ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices across wired, wireless, and virtual private networks (VPNs).
- Enables the revocation of unique credentials on a specific user’s device.
- Leverages ClearPass profiling to identify device type, manufacturer, and model.
Deployment Step / Reference
- ... Onboard provisioning server. DNS is required for SSL. Ensure that hostname resolution will work for devices being provisioned. (Reference: ... documentation)
- Configure SSL certificate for the Onboard provisioning server. A commercial SSL certificate is required to enable secure device provisioning for iOS devices. (Reference: the ClearPass Policy Manager documentation)
- Configure the Onboard certificate authority. Decide whether to use the Root CA or Intermediate CA mode of operation.
Table 13: Onboard Features
- Automatic configuration of network settings for wired and wireless endpoints.
- Secure provisioning of unique device credentials for BYOD and IT-managed devices.
- Support for Windows, Mac OS X, iOS, and Android devices.
- Certificate authority enables the creation and revocation of unique credentials on a specific user’s device.
Platform / Example Devices / Version Required for Onboard Support / Notes
- Mac OS X: 10.5 “Leopard”
- Android: Samsung Galaxy S, Samsung Galaxy Tab, Motorola Droid; Android 2.2 (or higher); Note 2
- Microsoft Windows: Laptop, Netbook; Windows XP with Service Pack 3, Windows Vista with Service Pack 3, Windows 7; Note 2

Note 1: Uses the “Over-the-air provisioning” method.
Note 2: Uses the “Onboard provisioning” method.
The Onboard CA issues certificates for several purposes:
- The Profile Signing Certificate is used to digitally sign configuration profiles that are sent to iOS devices. The identity information in the profile signing certificate is displayed during device provisioning.
- One or more Server Certificates may be issued for various reasons – typically, for an enterprise’s authentication server. The identity information in the server certificate may be displayed during network authentication.
This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate. To re-provision the device, the revoked certificate must be deleted. If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate authority to update the certificate’s state. When the certificate is next used for authentication, it will be recognized as a revoked certificate and the device will be denied access.
- Configure the network to use both PEAP and EAP-TLS authentication methods.
- When a user authenticates via PEAP with their domain credentials, place them into a provisioning role.
- The provisioning role should have limited network access and a captive portal that redirects users to the device provisioning page.
- When a user authenticates via PEAP with unique device credentials, place them into a provisioned role.
Network Architecture for Onboard

The high-level network architecture for the Onboard solution is shown in the following figure.

Figure 11 ClearPass Onboard Network Architecture

The sequence of events shown in Figure 11 is:
1. Users bring their own device to the enterprise.
2. The Dell Networking W-ClearPass Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction.
3.
1. Users bring different kinds of client device with them. Onboard supports “smart devices” that use the iOS or Android operating systems, such as smartphones and personal tablets. Onboard also supports the most common versions of Windows and Mac OS X operating systems found on desktop computers, laptops and netbooks. 2. The Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction. The provisioning method used depends on the type of device. a.
devices is shown in Figure 14. Figure 14 ClearPass Onboard Process for iOS Devices The Onboard process is divided into three stages: 1. Pre-provisioning. The enterprise’s root certificate is installed on the iOS device. 2. Provisioning. The user is authenticated at the device provisioning page and then provisions their device with the Onboard server. The device is configured with appropriate network settings and a device-specific certificate. 3. Authentication.
3. The user then authenticates with their provisioning credentials – these are typically the user’s enterprise credentials from Active Directory. If the user is authorized to provision a mobile device, the over-the-air provisioning workflow is then triggered (see Figure 16, below).
4. After provisioning has completed, the device switches to EAP-TLS authentication using the newly provisioned client certificate.
Figure 17 ClearPass Onboard Process for Onboard-Capable Devices

The Onboard process is divided into three stages:
1. Pre-provisioning. This step is only required for Android devices; the W-Series QuickConnect app must be installed for secure provisioning of the device.
2. Provisioning. The device provisioning page detects the device type and downloads or starts the QuickConnect app. The app authenticates the user and then provisions their device with the Onboard server.
   a. For Android devices, the link is to a file containing the Onboard configuration settings; downloading this file will launch the QuickConnect app on the device.
   b. For Windows and Mac, the link is to an executable file appropriate for that operating system that includes both the QuickConnect app and the Onboard configuration settings.
3. The QuickConnect app uses the Onboard provisioning workflow to authenticate the user and provision their device with the Onboard server.
Customizing the Device Provisioning Web Login Page

Onboard creates a default Web login page that is used to start the device provisioning process. To edit this page, navigate to Configuration > Start Here, then click the Web Logins command link. Click to expand the Onboard Provisioning row in the list, and then click Edit. The RADIUS Web Login Editor form for Onboard opens. Scroll to the Onboard Device Provisioning rows of the form.
Using the {nwa_mdps_config} Template Function

Certain properties can be extracted from the Onboard configuration and used in the device provisioning page. To obtain these properties, use the {nwa_mdps_config} Smarty template function. The “name” parameter specifies which property should be returned, as described in Table 15.
key, and self-signed certificate attributes prepopulated and "Copy" appended to the name. You can rename the new certificate authority and edit any of its attributes.
• To delete a certificate authority, you can click its Delete link. You will be asked to confirm the deletion before it commits.
• To see if the certificate authority is currently used, click its Show Usage link. The form expands to show a list of provisioning sets that use the certificate authority.
2. In the Name field, give the CA a short name that identifies it clearly. Certificate authority names can include spaces. If you are duplicating a CA, the original name has "Copy" appended to it. You may highlight the name and replace it with a new name.
3. In the Description field, briefly describe the CA. This description is shown in the Certificate Authorities list. The Name and Description fields are used internally to identify this certificate authority for the network administrator.
5. In the Identity area, enter values in the Country, State, Locality, Organization, and Organizational Unit fields that correspond to your organization. These values form part of the distinguished name for the certificate.
6. Enter a descriptive name for the certificate in the Common Name field. This value is used to identify the certificate as the issuer of other certificates, notably the signing certificate.
7. For a root certificate, the Signing Common Name field is included on the form.
MD5 is not recommended for use with root certificates.
12. Click Create Certificate Authority.
   • If you selected root mode, the root certificate is included in the Certificate Authorities list.
   • If you selected intermediate mode, the Intermediate Certificate Request page opens with text for the certificate signing request (CSR). You can send the CSR to a certificate authority, who will generate a signed certificate you can install.
• Specify an OCSP responder URL – The Authority Info Access extension is added to the client certificates, with the OCSP responder URL set to a value defined by the administrator. This value may be specified in the “OCSP URL” field.
6. Use the drop-down list in the Validity Period field to specify the maximum length of time for which a client certificate issued during device provisioning will remain valid.
7.
Name | Description | OID
--- | --- | ---
| 64-bit, 128-bit or 160-bit number represented in hexadecimal (16, 32, or 40 characters, respectively). |
MAC Address | IEEE MAC address of this device. This element may be present multiple times, if a device has more than one MAC address (for example, an Ethernet port and a Wi-Fi adapter). | mdpsMacAddress (.5)
Product Name | Product string identifying the device and often including the hardware version information. | mdpsProductName (.
• Upload a certificate that has been issued by another certificate authority. This process is required when configuring an intermediate certificate authority.
   ◦ A private key is not required, as the certificate authority has already generated one and used it to create the certificate signing request.
• Upload a certificate and private key to be used as the certificate authority’s certificate. This process may be used to configure a root certificate authority.
• To upload a single certificate, choose a certificate file in PEM (base-64 encoded) or binary format (.crt or PKCS#7). Leave the passphrase fields blank.
• To upload a certificate’s private key as a separate file, choose the private key file in PEM (base-64 encoded) format. If the private key has a passphrase, enter it in the Private Key Passphrase and Confirm Passphrase fields. The private key will be automatically matched to its corresponding certificate when uploaded.
To export a certificate:
1. Click the Download Bundle link. The Export Certificate form opens.
2. In the Format row, choose the certificate format. The form expands to include configuration options for that format.
3. Complete the fields with the appropriate information, then click Export Certificate.

Considerations for iOS Devices

The server certificate is used by ClearPass to secure Web (HTTPS) and authentication (RADIUS) traffic.
The optimal configuration for Onboard is a server certificate issued by a trusted commercial certificate authority. A list of certificate authorities trusted by iOS devices can be found at http://support.apple.com/kb/HT5012. Alternatively, if you only wish to use a single Onboard Certificate Authority, then you can use that Certificate Authority to sign the server certificate. Users will then have to install the certificate as part of the provisioning process.
Copy and paste the certificate signing request text into the Saved Request text field. Because this certificate is for a certificate authority, select the “Subordinate Certificate Authority” in the Certificate Template drop-down list. Click the Submit button to issue the certificate. Either the Certificate Pending or the Certificate Issued page is displayed.
If the Certificate Issued page is displayed, select the Base 64 encoded option and then click the Download certificate chain link. A file containing the intermediate certificate and the issuing certificates in the trust chain will be downloaded to your system. Refer to the instructions in "Installing a Certificate Authority’s Certificate" on page 88 for information on uploading the certificate file to Onboard.
Specifying the Identity of the Certificate Subject

In the first part of the Certificate Request Settings form, provide the identity of the person or device for which the certificate is to be issued (the “subject” of the certificate). Together, these fields are collectively known as a distinguished name, or “DN”.
Name | Description
--- | ---
Device UDID | Unique device identifier (UDID) for this device. This is typically a 64-bit, 128-bit or 160-bit number represented in hexadecimal (16, 32 or 40 characters, respectively).
Device IMEI | International Mobile Equipment Identity (IMEI) number allocated to this device.
Device ICCID | Integrated Circuit Card Identifier (ICCID) number from the Subscriber Identity Module (SIM) card present in the device.
Device Serial | Serial number of the device.
Table 18: Types of Certificate Supported by Onboard Certificate Management

Certificate Type | “Type” Column | Notes
--- | --- | ---
Root certificate | ca | Self-signed certificate for the certificate authority
Intermediate certificate | ca | Issued by the root CA or another intermediate CA
Profile signing certificate | profile-signing | Issued by the certificate authority
Certificate signing request | tls-client or trusted | The type shown depends on the kind of certificate requested
Rejected certificate signing request | tls-cl |
Working with Certificates in the List

To work with a certificate in the Certificate Management list, click on a certificate to select it. You can then select from one of these actions:
• View certificate – Displays the properties of the certificate. Information includes certificate details, issuer details, and the certificate's "fingerprint" or "thumbprint".
Mark the Revoke this client certificate check box to confirm that the certificate should be revoked, and then click the Revoke Certificate button. Once the certificate has been revoked, future checks of the certificate’s validity using OCSP or CRL will indicate that the certificate is no longer valid. Due to the way in which certificate revocation lists work, a certificate cannot be un-revoked. A new certificate must be issued if a certificate is revoked in error.
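The revocation behaviour described here, and in the EAP-TLS note earlier (a revoked client certificate is refused at its next CRL or OCSP check, and there is no un-revoke), can be reproduced end to end with a throwaway OpenSSL CA. This is an added example, not Onboard's own CA or tooling; it assumes the openssl command line is installed, and the CA configuration, file names and device CNs (device-0001) are constructed for the demonstration.

```shell
# Added example: throwaway OpenSSL CA that issues a TLS client certificate,
# revokes it, publishes a CRL and shows the verifier rejecting it afterwards.
# Constructed for illustration only; it is not Onboard's own CA or tooling.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the test CA

# Minimal openssl.cnf: one root CA section that issues clientAuth certificates.
write_ca_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca         = onboard_test_ca
[ onboard_test_ca ]
database           = $WORK/index.txt
new_certs_dir      = $WORK/newcerts
certificate        = $WORK/ca.crt
private_key        = $WORK/ca.key
serial             = $WORK/serial
crlnumber          = $WORK/crlnumber
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = policy_cn_only
x509_extensions    = v3_client
[ policy_cn_only ]
commonName         = supplied
[ v3_client ]
basicConstraints   = CA:FALSE
extendedKeyUsage   = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
EOF
}

# Regenerate the CRL and bundle it with the CA certificate: openssl verify
# loads CRLs from the same PEM bundle it reads trusted certificates from.
publish_crl() {
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
    cat "$WORK/ca.crt" "$WORK/crl.pem" > "$WORK/ca-and-crl.pem"
}

# Create the CA database, the self-signed root certificate and an empty CRL.
setup_ca() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    write_ca_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/ca.cnf" -subj "/CN=Onboard Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    publish_crl
}

# Issue a device certificate; $1 is a constructed device identifier used as the CN.
issue_device_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca.cnf" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# Mark the certificate revoked in the CA database and publish a fresh CRL.
# There is no "unrevoke": a device revoked by mistake needs a new certificate.
revoke_device_cert() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
    publish_crl
}

# What the authentication server does at EAP-TLS time: chain validation with
# CRL checking. Exit status 0 means accepted, non-zero means access denied.
check_device_cert() {
    openssl verify -crl_check -CAfile "$WORK/ca-and-crl.pem" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

setup_ca
issue_device_cert device-0001
if check_device_cert device-0001; then
    echo "device-0001: certificate accepted"
fi
revoke_device_cert device-0001
if check_device_cert device-0001; then
    echo "device-0001: still accepted (CRL not applied?)"
else
    echo "device-0001: certificate revoked, access denied"
fi
```

Until publish_crl runs, the verifier still has the old CRL and accepts the certificate, which is why a revocation only takes effect at the next CRL or OCSP check.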
The Delete Certificate form is displayed. Mark the Delete this client certificate check box to confirm the certificate’s deletion, and then click the Delete Certificate button.

Working with Certificate Signing Requests

Certificate signing requests can be managed through the Certificate Management list view. This allows for server certificates, subordinate certificate authorities, and other client certificates not associated with a device to be issued by the Onboard certificate authority.
the trust chain in a certificate bundle that can be imported as the server certificate in ClearPass Policy Manager, mark the Include certificate trust chain check box, then click the Export Certificate button. Click the Export Request button to download the certificate signing request file in the selected format.
• Sign request – Displays the Sign Request form. Use this action to approve the request for a certificate and issue the certificate.
Mark the Reject this request check box to confirm that the certificate signing request should be rejected, and then click the Reject Request button.
• Delete request – Removes the certificate signing request from the list. This option is only available if the data retention policy is configured to permit the certificate signing request’s deletion. The Delete Request form is displayed.
1. Do one of the following:
   • Go to Onboard + WorkSpace > Management and Control > View by Certificate and click the Upload a code-signing certificate link in the upper-right corner of the page.
   • Go to Onboard + WorkSpace > Deployment and Provisioning > Provisioning Settings. You can either click the Create new provisioning settings link at the top of the page, or click the Edit link for a configuration set in the list.
3. Complete the rest of the form with your information. Mark the Issue this certificate immediately check box, then click Create Certificate Request. The test certificate is displayed in the list on the Certificate Management page, and can be selected on the Provisioning Settings form.

Importing a Trusted Certificate

Onboard’s Certificate Management page supports importing trusted certificates. Certificates may be uploaded in PEM format (*.pem).

To import a trusted certificate:
1.
3. You can use the following additional options in the upper-right corner of the Import Trusted Certificate page:
   • Click the Upload another trusted certificate link to upload additional certificates.
   • Click the Edit trust settings link to open the Trust tab of the Network Settings form.

Requesting a Certificate

From the Onboard + WorkSpace > Management and Control > View by Certificate page, click the certificate signing request link to access the Certificate Signing Request form.
Paste the text into the Certificate Signing Request text field. Be sure to include the complete block of text, including the beginning and ending lines.
Specifying Certificate Properties

Select the type of certificate from the Certificate Type drop-down list. Choose from one of the following options:
• TLS Client Certificate – Use this option when the certificate is to be issued to a client, such as a user or a user’s device.
• TLS Server Certificate – Use this option when the certificate is to be issued to a network server, such as a Web server or as the EAP-TLS authentication server.
Profiles

To work with configuration profiles, go to Onboard + WorkSpace > Deployment and Provisioning > Configuration Profiles. The Configuration Profiles list view opens. All configuration profiles that have been created are included in the list. You can click a profile's row in the list for additional options:
• To view details for a configuration profile, click its Show Details link.
2. (Required) In the Name field, give the configuration profile a short name that identifies it clearly. Configuration profile names can include spaces. If you are duplicating a profile, the original name has a number appended to it. You may highlight this name and replace it with a new name.
3. (Optional) In the Description field, briefly describe the characteristics of the profile.
4. (Optional) In the App Set field, choose an app set from the drop-down list.
8. (Optional) In the Email field, choose an email setting from the drop-down list. The email settings available in this list were created on the Onboard + WorkSpace > Onboard/MDM Configuration > Email > Create new Email settings form. For more information, see "Creating and Editing Email Settings" on page 119.
9. (Optional) In the Exchange ActiveSync field, choose an ActiveSync configuration from the drop-down list.
All app sets that have been created are included in the list. You can click an app set's row in the list for additional options:
• To view details for an app set, click its Show Details link. The form expands to show the app set's name and description, the apps that will be installed, and whether the device should be restarted after the app is installed.
• To edit any of an app set's attributes, click its Edit link. The App Set form opens.
2. In the Name field, give the app set a short name that identifies it clearly. App set names can include spaces. If you are duplicating an app set, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name.
3. In the Description field, briefly describe the characteristics of the app set.
4. In the Windows Applications area, apps you have downloaded through the Content Manager are listed in the Installers field.
All calendar settings that have been created are included in the list. You can click a calendar setting's row in the list for additional options:
• To view details for a calendar setting, click its Show Details link. The form expands to show the calendar setting's name and description, the account description and hostname, port, principal URL, and whether SSL is enabled, as well as additional account details.
• To edit any of a calendar setting's attributes, click its Edit link.
2. In the Name field, give this calendar setting a short name that identifies it clearly. Calendar settings names can include spaces. If you are duplicating a calendar setting, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name.
3. In the Description field, you can briefly describe the characteristics of the calendar settings.
4. In the Account Description field, you can enter the display name for the account.
5.
All contacts settings that have been created are included in the list. You can click a contacts setting's row in the list for additional options:
• To view details for a contacts setting, click its Show Details link. The form expands to show the contacts setting's name and description, the account description and hostname, port, principal URL, and whether SSL is enabled, as well as additional account details.
• To edit any of a contacts setting's attributes, click its Edit link.
2. In the Name field, give this contacts setting a short name that identifies it clearly. Contacts settings names can include spaces. If you are duplicating a contacts setting, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name.
3. In the Description field, you can briefly describe the characteristics of the contacts settings.
4. In the Account Description field, you can enter the display name for the account.
5.
All device restrictions settings that have been created are included in the list. You can click a device restriction setting's row in the list for additional options:
• To view details for a device restriction setting, click its Show Details link. The form expands to show the device restriction setting's name and description, and the applications, content settings, security and privacy settings, device functionality settings, iCloud settings, and game center settings that will be enabled or disabled.
   • Fraud warning
   • JavaScript
   • Pop-ups
   • Cookies
5. In the Content Settings area, you can mark the check boxes to specify or allow the following items:
   • Rating region
   • Explicit music and podcasts
   • Maximum allowed movie ratings
   • Maximum allowed TV show ratings
   • Maximum allowed app ratings
   • Download of erotic books
   • In-app purchases
   • Force iTunes password for each transaction
6.
email settings, go to Onboard + WorkSpace > Onboard/MDM Configuration > Email. The Email Settings list view opens. All email settings that have been created are included in the list. You can click an email setting's row in the list for additional options:
• To view details for an email setting, click its Show Details link.
   • Provisioning - values acquired during device provisioning
   • Shared preset values - testing only
The remaining fields available in the General Settings area will vary according to your choice in this drop-down list.
6. In the Email Address field, enter the full email address for the account.
7. In the Email Address Domain field, enter the domain name to append to the username.
8. Choose an option in the When to Add Email Address Domain field.
5. Choose an option from the Account Details drop-down list to indicate how user account information should be supplied. Options available in the list include:
   • User provided - entered by user on device
   • Provisioning - values acquired during device provisioning
   • Shared preset values - testing only
6. If Shared preset values - testing only is selected in the Account Details drop-down list, the Username field is added to the form. Enter the username for connecting to the server for outgoing mail.
7.
• To create a copy of an ActiveSync unit to use as a basis for a new configuration unit, click its Duplicate link. The Exchange ActiveSync Settings form opens with all attributes prepopulated and "Copy" appended to its name. You can rename the new unit, and edit any of its attributes.
• To see if the ActiveSync unit is currently used, click its Show Usage link. The form expands to show a list of configuration profiles that use it.
• Identity certificate — created during provisioning. This option uses the device’s TLS client certificate to authenticate the user. Using this option requires configuration of the ActiveSync server to authenticate a user based on the client certificate.
• Shared preset values — testing only. This option provides a fixed set of credentials to the device.
All networks that have been provisioned are included in the list. You can click a network's row in the list for additional options:
• To view details for a network, click its Show Details link. The form expands to show its name, description, and configuration values for network access, wireless networks, enterprise protocols, enterprise authentication, enterprise trust, Windows networking, and proxy settings.
• To edit any of a network's attributes, click its Edit link. The Network Settings form opens.
2. To edit the network’s basic and wireless network access options, click the Access tab.
3. If you need to edit the network’s name, enter the new name in the Name field.
4. (Optional) You may enter additional identifying information in the Description field.
5. The options available in the Network Type drop-down list are:
   • Both — Wired and Wireless – Configures both wired (Ethernet) and wireless network adapters. Use this option when you have 802.1X configured for all types of network access.
the user, the device will be connected automatically. If multiple networks are available, the user will be able to choose the network to connect to. If the Automatically join network option is not selected on this form, an option to manually connect to the network will be shown to the user.
9. Do one of the following:
   • Click Next to continue to the Protocols tab.
   • Click Save Changes to make the new network configuration settings take effect.
The Windows EAP options that may be specified include:
• Enable Fast Reconnect – Fast Reconnect is a PEAP property that enables wireless clients to move between wireless access points on the same network without being re-authenticated each time they associate with a new access point. If TLS is selected, Fast Reconnect is not available.
• Guest Only – Use guest-only credentials.
If TLS was selected, this area includes the Certificate Store field, where you can specify the certificate store where the client certificate will be provisioned. Options available for this field are:
   • User – This is the default.
   • Machine
   • Machine and User
3. Do one of the following:
   • Click Previous to return to the Protocols tab.
2. If the deployment is not using the built-in CA, you may use the Trusted Server Names text field to enter the certificate names to accept from the authentication server. Only certificates included in this list will be trusted. Enter each server name on a separate line. You can use wildcards.
3. In the Trusted Certificates row, the recommended certificate is selected by default. You may click the field to open the drop-down list and select a different certificate the client should trust.
   • Click Save Changes to make the new network configuration settings take effect.
   • Click Cancel to discard your changes and return to the main Onboard configuration user interface.

Configuring Windows-Specific Network Settings

On the Network Settings form, click the Windows tab to display the Windows Network Settings form.
Select one of these options in the Proxy Type drop-down list:
• None – No proxy server will be configured.
• Manual – A proxy server will be configured, if the device supports it. Specify the proxy server settings in the Server and Server Port fields.
• Automatic – The device will configure its own proxy server, if the device supports it. Specify the location of a proxy auto-config file in the PAC URL text field.
• Do one of the following:
   ◦ Click Previous to return to the Windows tab.
• To view details for a passcode policy, click its Show Details link. The form expands to show its name, description, and other configuration settings.
• To edit any of a passcode policy's attributes, click its Edit link. The Passcode Policy Settings form opens.
• To create a copy of a passcode policy configuration to use as a basis for a new configuration, click its Duplicate link. The Passcode Policy Settings form opens with all attributes prepopulated and "Copy" appended to its name.
2. In the Name field, give the passcode policy a short name that identifies it clearly. Passcode policy names can include spaces. If you are duplicating a passcode policy, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name.
3. In the Description field, briefly describe the characteristics of the passcode policy.
4. To require the user to create a passcode, mark the check box in the Force PIN field.
5.
10. To specify a maximum duration for the passcode, use the counter in the Max PIN Age field. After the specified number of days, the device is locked and the user must change their passcode.
11. To require that the passcode include complex characters, use the counter in the Min Complex Chars field to specify how many complex characters it must contain. Complex, or special, characters are non-alphanumeric, such as &%$#.
12.
• To view details for a subscribed calendar setting, click its Show Details link. The form expands to show the calendar subscription's name and description, the description and server of the account, whether SSL is enabled, and additional account details.
• To edit any of a subscribed calendar setting's attributes, click its Edit link. The Calendar Subscriptions Settings form opens.
• To create a copy of a subscribed calendar setting to use as a basis for a new configuration, click its Duplicate link.
7. In the Account Settings area, choose an option from the Account Details drop-down list to indicate how user account information should be supplied. Options available in the list include:
   • User provided - entered by user on device
   • Provisioning - values acquired during device provisioning
   • Shared preset values - testing only
8. If Shared preset values - testing only is selected in the Account Details drop-down list, the Username and Password fields are added to the form.
• To edit any of a VPN configuration's attributes, click its Edit link. The VPN Settings form opens.
• To create a copy of a VPN configuration to use as a basis for a new configuration, click its Duplicate link. The VPN Settings form opens with all attributes prepopulated and "Copy" appended to its name. You can rename the new configuration, and edit any of its attributes.
• To see if the VPN configuration unit is currently used, click its Show Usage link.
2. In the Name field, give the VPN configuration a short name that identifies it clearly. VPN configuration names can include spaces. If you are duplicating a VPN configuration, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name.
3. In the Description field, briefly describe the characteristics of the VPN configuration.
4.
6. In the Machine Authentication area, you may enter a value in the Shared Secret fields, or leave them blank to prompt the user to create the shared secret.
7. In the User Authentication area of the form, you may enter a value in the Account field, or leave it blank to prompt the user to enter the account.
8. In the User Authentication field, select either Password or RSA SecurID as the authentication type for the connection.
9. You can specify a proxy server to use when the VPN connection is active.
All Web clip settings that have been created are included in the list. You can click a Web clip setting's row in the list for additional options:
• To view details for a Web clips setting, click its Show Details link. The form expands to show the Web clips setting's name and description, the icon if one was chosen, the URL, and whether it is enabled for removal.
• To edit any of a Web clips setting's attributes, click its Edit link. The Web Clips Settings form opens.
If you are duplicating a Web clip, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name.
3. In the Description field, briefly describe the characteristics of the Web clip.
4. In the URL field, enter the URL of the Web clip.
5. To enable the user to remove the Web clip, mark the check box in the Removable field.
6. If you wish to specify an icon for the Web clip, mark the check box in the Choose New Icon field.
3. To view a summary of the device's details, click the Device Details link. The row expands to include the Device Details form.
4. To view and work with a list of users for the device, click its Show Users link. The Device Management list is filtered to show just the users for that device.
5. To change a device's access status, click its Manage Access link. In the Access field, use the drop-down list to select either Allow access to this device or Deny access to this device.
7. To revoke or delete all client certificates for the device, click its Certificate Actions link. Mark the appropriate radio button, then click Manage Certificates.
8. To delete a device, click its Delete link. You will be asked to confirm the deletion. Deleting the device will also delete all user, certificate, and other data associated with the device. Certificates are deleted according to the Certificate Authority's retention policy.
• To create a new provisioning set, click the Create new provisioning settings link in the upper right corner. The Device Provisioning Settings form opens.

About Configuring Provisioning Settings

On the Provisioning Settings list view, to modify a provisioning set for Onboard captive portal pages, click its Edit link. To create a new provisioning set, click the Create new provisioning settings link in the upper-right corner. The Device Provisioning Settings form opens with the General tab displayed.
2. The Name and Description fields are used internally to identify this set of Onboard settings for the network administrator. These values are never displayed to the user during device provisioning.
3. Use the Organization field to provide the name of your organization; this is displayed to the user during the device provisioning process.
4. The Certificate Authority drop-down list can be used to select a different certificate authority. By default, there is only a single certificate authority.
5.
rather than also known by the user. When a “created by device” option is selected, the generated key is used instead of a username/password authentication defined in Network Settings.
9. To include the username as a prefix in the device's PEAP credentials, mark the check box in the Unique Device Credentials row.
10. In the Authorization area, select the configuration profile to provision to devices.
2. In the Page Name field, enter the page name for the Web login page.

In the Login Form area:
1. Mark the Custom Form check box to use your own HTML login form in the header and footer areas.
2. To modify the login form's labels and error messages, mark the Custom Labels check box. The form expands to include the Username Label, Password Label, and Log In Label fields. Complete these fields with your customized label text.
3.
4. When your entries are complete in this tab, click Save Changes. You can click Next to continue to the next tab, or Previous to return to the previous tab.

Configuring Provisioning Settings for iOS and OS X

To specify provisioning settings related to iOS and OS X devices:
1. On the Device Provisioning Settings form, click the iOS & OS X tab.
2. Use the Display Name and Profile Description text fields to control the user interface displayed during device provisioning.
3.
When an iOS device receives a new configuration profile that has the same profile ID as an existing profile, the existing profile will be replaced with the new profile. Changing the profile ID will affect any device that has already been provisioned with the existing profile ID. The default value is automatically generated and is globally unique. You should only change this value during initial configuration of device provisioning.
6.
4. In the Connect Success row, enter the text that will be shown to the user after successful reconnect. Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed.
5. In the Connect Failure row, enter the text that will be shown to the user after a failed reconnect or if the device does not support reconnection (for example, for iOS 4 and earlier devices). Enter the text as HTML code. You can use Smarty template functions.
2. In the Code-Signing Certificate drop-down list, select a certificate for signing the provisioning application, or leave the default setting of None – Do not sign the application.
3. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
4.
5. In the Before Profile Install text box, enter the instructions that are shown to the user before they install the network profile on their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
6. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as HTML code, and you can use Smarty template functions.
4. You may use the Insert content item drop-down list to add an image file or other content item.
5. When your entries are complete in this tab, click Save Changes. You can click Next to continue to the next tab, or Previous to return to the previous tab.

Configuring Options for Legacy OS X, Windows, and Android Devices
The Onboard Client tab is used to edit basic configuration options for Windows, Android, and legacy OS X (10.5 and 10.6) devices.
5. The Validate Certificate drop-down list is used to specify whether the SSL server’s certificate should be validated as trusted. When this option is set to Yes, validate this web server’s certificate (recommended), a certificate validation failure on the client device will cause device provisioning to fail. This is the default option. You should change this option to No, do not validate this web server’s certificate only during testing, or if you are waiting for a commercial SSL certificate. 6.
A workaround for this issue is to install an appropriate root certificate on the iOS device. This root certificate must be the Web server’s SSL certificate (if it is a self-signed certificate), or the certificate authority that issued the SSL certificate. This is not recommended for production deployments as it increases the complexity of deployment for users with iOS devices.
administrators were reluctant to allow user-brought devices onto their networks unless a policy was in place that allowed IT control over the device, including the control to wipe the devices should they be lost. This all-or-nothing solution was not satisfactory, either for network administrators or for device users. ClearPass WorkSpace solves this by providing a "sandbox" within which enterprise-enabled apps can operate walled off from the rest of the device and its user-installed apps.
Uploading a Provisioning Profile
Provisioning profiles typically have a .mobileconfig extension. To upload a provisioning profile:
1. Go to Onboard + WorkSpace > Initial Setup > iOS Provisioning Profiles.
2. Click Upload Provisioning Profile.
3. Click Browse, then navigate to where you downloaded the provisioning profile file, select it, and click OK.
4. Click Upload. The provisioning profile file is uploaded and added to the provisioning profile list.
2. Click the name of a provisioning profile.
3. Click Certificate Info. Click the Show link to view additional details.
See Also:
• "About Provisioning Profiles" on page 156
• "Uploading a Provisioning Profile" on page 157
• "Viewing Provisioning Profile Details" on page 157
• "Deleting a Provisioning Profile" on page 158

Deleting a Provisioning Profile
To delete a provisioning profile:
1. Go to Onboard + WorkSpace > Initial Setup > iOS Provisioning Profiles.
2.
• "About iOS Distribution Certificates" on page 158
• "Viewing the Distribution Certificate" on page 159
• "Installing a Distribution Certificate" on page 159
• "Downloading the Distribution Certificate" on page 160

Installing a Distribution Certificate
Installing the distribution certificate you receive from the Apple Developer Center allows you to digitally sign and distribute the apps you manage.
• "About iOS Distribution Certificates" on page 158
• "Creating a Certificate Signing Request" on page 158
• "Installing a Distribution Certificate" on page 159
• "Downloading the Distribution Certificate" on page 160

Downloading the Distribution Certificate
You can download the current distribution certificate and save it to your computer. Distribution certificate files have a default extension of .crt. To download the distribution certificate:
1.
5. Click Create Certificate Request.
See Also:
• "About Push Certificates" on page 160
• "Installing a Push Certificate" on page 161
• "Viewing Push Certificate Details" on page 161
• "Downloading a Push Certificate" on page 162

Viewing Push Certificate Details
To view the push certificate:
1. Go to Onboard + WorkSpace > Initial Setup > iOS MDM Push Certificate.
2. Click iOS Push Certificate Details.
3. Click Show to view the certificate code.
Downloading a Push Certificate
You can download the contents of the push certificate to a file on your computer. Push certificates have a default extension of .crt. To download a push certificate:
1. Go to Onboard + WorkSpace > Initial Setup > iOS MDM Push Certificate.
2. Click iOS Push Certificate Signing Request.
3. Click Download the current MDM signed CSR.
• "About App Policy Templates" on page 162
• "Creating an App Policy Template" on page 163
• "Editing App Policy Template Settings" on page 166
• "Pushing an App Policy Template" on page 166
• "Deleting an App Policy Template" on page 166

Creating an App Policy Template
To create an app policy template:
1. Go to Onboard + WorkSpace > WorkSpace Configuration > Application Policy Templates.
2. Click Create New Policy Template.
3. Enter a unique Policy Template Name and an optional description.
4.
Field – Description
Lock & Wipe – Select this option to allow individual apps within WorkSpace to be locked or wiped (app data deleted from the device).
Action on Policy Failure – If Lock & Wipe is enabled, allows you to choose what action occurs automatically upon policy failure.
  • Lock (default): Locks the app so it cannot be opened or used.
  • Wipe: Removes all the app's data from the device.
  • Lock & Wipe: Both.
Field – Description
Expire Apps After –
Expiry Time – Required when Expire after selected time is selected. Click the selection button to select a date and time, then click Select Date. Apps using this template will be locked after the selected date and time.
App Usage – Required when Enable Time Fencing is selected. This option lets you control app use in two ways:
  • Allow app use during the defined time(s).
  • Disallow app use during the defined time(s).
• "Deleting an App Policy Template" on page 166

Editing App Policy Template Settings
To edit an app policy template:
1. Go to Onboard + WorkSpace > WorkSpace Configuration > Application Policy Templates.
2. Click the name of an app policy template.
3. Click Edit.
4. Make any desired changes. See the table in "Creating an App Policy Template" on page 163 for details about template options.
5. Click Save Changes.
• "Creating an App Policy Template" on page 163
• "Viewing App Policy Template Settings" on page 162
• "Editing App Policy Template Settings" on page 166
• "Pushing an App Policy Template" on page 166

About the WorkSpace App
The WorkSpace app looks and acts largely like a folder on a user's device, a folder that contains other apps, but with some very important differences:
• The WorkSpace app is completely managed by you.
Name – Description
too "busy" so users can read app names.
Background Image In Use – Shows the current background image within the @Work app.
Company Logo File – Click Browse to select an optional company logo file. The logo appears....
Company Logo In Use – Shows the current company logo.
Provisioning Profile – If you have multiple provisioning profiles, you can choose the one to use. The "About Provisioning Profiles" on page 156 section defines the apps that can be distributed.
App Profile Option – Description
Require Alphanumeric – Available only when the Allow Simple check box is cleared. When selected, users must include at least one letter in their passcode.
Minimum Passcode Length – Available only when the Allow Simple check box is cleared. Enter a number to define the minimum number of characters a passcode must contain.
Minimum Complex Chars – Available only when the Allow Simple check box is cleared.
App Profile Option – Description
Logging Policies
Email Logs – If you want activity logs emailed to anyone within your organization for analysis, enter valid email addresses here, one per line. You should have at least one email address entered in the "To" field before entering any in the "CC" field. If any email addresses are entered, they are sent once per day at midnight, server time.
• Public: Apps that are not policy wrapped and that you can distribute through volume purchasing programs (VPP).
Both WorkSpace and Enterprise apps are hosted on the WorkSpace server and are wrapped with fine-grained security policies defined by the administrator. The behavior of these enterprise apps while they are running on the users' enrolled devices is completely controlled by the security policies defined by the administrator.
Viewing App Details
App details include its name, icon, vendor, and more. For iTunes App Store apps you can only view the details; for enterprise apps you can also edit them.
To view iTunes App Store app details:
1. Go to Onboard + WorkSpace > Initial Setup > Apps Management.
2. Click the name of an App Store app.
3. Click App Details.
To view enterprise app details:
1. Go to Onboard + WorkSpace > Initial Setup > Apps Management.
2. Click the name of an enterprise app.
3. Click View/Edit App Details.
b. Click Next.
In both cases, you will see the Customize App page next. The options here not only customize the app's appearance and details, but control how the app and its data are controlled.
4. Customize the app. See the table below for details on each field.
5. Click Save or Update. (If the app is already one you manage, the button will be Update and the managed app will be updated.)
• "Updating an Enterprise App" on page 175
• "Deleting an App" on page 175

Editing Enterprise App Details
You can change the following details of an enterprise app you manage:
• App Name
• Description
• Icon
• Whether or not it's a browser app
• Whether or not it can share documents and data
• Mandatory or optional installation
• Group
• Provisioning profile
See "Adding an Enterprise App" on page 172 for more details about each of these options. To edit enterprise app details:
1.
Updating an Enterprise App
Apps get updated. Whether it's new features, bug fixes, or redesigns, and whether it's apps obtained from the iTunes Store or developed in-house, you must manage updates for the apps you manage. To update an enterprise app:
1. Go to Onboard + WorkSpace > Initial Setup > Apps Management.
2. Click the name of the enterprise app you want to update.
3. Click Upload New Version.
4. If the app has not been uploaded to WorkSpace, select Upload the app, then
   a. Click Browse,
   b.
• "Updating an Enterprise App" on page 175

About Managing Devices
WorkSpace can manage entire iOS devices, providing data security for those who want to use their own devices on your network but do not want to install and use the WorkSpace app.

Adding a Device to be Managed
To add a device to be managed:
1. Go to MDM Configuration > Deployment Options.
2. In the Mode drop-down list, select Selected - Only the following devices are MDM managed.
3. Click a device in the list.
4. Click Add a new Serial#.
5.
To view details of an app on a device:
1. Go to Onboard + WorkSpace > Management and Control > View by Device.
2. Click the name of a device.
3. Click Manage Apps on Device.
4. Click the name of an app.
5. Click View App Details.

Locking an App
When you lock an app, it will appear grayed out and with a lock icon within the WorkSpace app. If users try to open it, they will receive a message that the app is locked and "unavailable or disabled by policy." To lock an app:
1.
7. Click Wipe Data. The next time the device is used and can connect to the server, the specified app's data will be erased from the device.

Resetting WorkSpace
This option removes all managed devices and apps and restores WorkSpace to its factory defaults. This action:
• Removes information about all managed devices.
• Removes all managed apps.
• Deletes managed apps, the WorkSpace app, and all documents and data generated and used by all managed apps from all managed devices.
To reset WorkSpace:
1.
Chapter 5 Configuration Dell Networking W-ClearPass Guest’s built-in Configuration editor lets you customize many aspects of the appearance, settings, and behavior of the application.
To configure ClearPass Guest’s authentication settings:
1. Go to Configuration > Authentication. The Authentication Settings form opens.
2. To send automatic disconnect or re-authorization messages when enabled or role values change, mark the check box in the Dynamic Authorization row. This requires a network access server (NAS) type that supports RFC 3576.
3. In the NAS Type row, use the drop-down list to choose the default type for network access servers.
4.
Uploading Content
To add a new content item using your Web browser:
1. Go to Configuration > Content Manager, then click the Upload New Content tab. The Add Content form opens.
2. In the File row, click Browse to navigate to the file you wish to upload. The maximum file size is 15 MB. You can upload single content files, multiple content asset files and folders, or a Web deployment archive. To upload multiple assets, first compress the files as a “tarball” or zip file, then browse to it in the File field.
1. Go to Configuration > Content Manager, then click the item’s row in the list. The row expands to include the Properties, Delete, Rename, Download, View Content, and Quick View options.
2. The Properties link allows you to view and edit the properties of the item. Editable properties include the content item’s filename and description. Read-only properties include the content type, modification time, file size, and other content-specific properties such as the image’s size.
3.
To modify settings for the Guest Manager plugin configuration, go to Configuration and click the Guest Manager Settings command link, or, from the Guest Manager page, click the Guest Manager Settings command link. You can also access this form from Administration > Plugin Manager > Guest Manager > Configuration.

Figure 22 Customize Guest Manager Page (upper section)

• Site SSID—The Site SSID is the public name of the wireless local area network (WLAN).
• Site WPA Key—The encryption key used to secure the wireless network. If a value is entered in this field, it will appear on guest print receipts.
• Username Type—The default method used to generate random account usernames (when creating groups of accounts). This may be overridden by using the random_username_method field.
  ◦ Username Length—This field is displayed if the Username Type is set to “Random digits”, “Random letters”, “Random letters and digits” or “Sequential numbering”.
Figure 24 Customize Guest Manager Page, Continued (middle section)

• Expiration Options—Default values for relative account expiration times. These options are displayed as the values of the “Expires After” field when creating a user account.
• Lifetime Options—Default values for account lifetimes. These options are displayed as the values of the “Account Lifetime” field when creating a user account.
• Password Display—Select the “View guest account passwords” to enable the display of visitor account passwords in the user list. To reveal passwords, the password field must be added to the “guest_users” or “guest_edit” view, and the operator profile in use must also have the View Passwords privilege.
• Initial Sequence—This field contains the next available sequence number for each username prefix that has been used.
• modify_password: This field controls password modification for the visitor account.
Visitor Account Expiration Properties
• do_expire, modify_expire_time, expire_after and expire_time: These fields are used to determine the time at which the visitor account will expire.
  ◦ If modify_expire_time is “none”, then the account has no expiration time set.
  ◦ If modify_expire_time is “now”, then the account is disabled and has no expiration time set.
The table below lists all the forms and views used for visitor management.
• guest_multi_form form – editing multiple accounts
• guest_edit form – editing single account
• reset_password form – reset password for a single account
These forms are the standard self-registration forms:
• guest_register form – self-registration form
• guest_register_receipt form – self-registration receipt
These standard views are defined in Guest Manager:
• guest_export view – view used when exporting guest account information
• guest_multi view – displays a list of guest accounts optimi
The Field Name is not permitted to have spaces but you can use underscores. Enter a description in the Description field. You can enter multiple-line descriptions which result in separate lines displayed on the form. The Field Type can be one of String, Integer, Boolean or No data type. The No data type field would be used as a label, or a submit button. You can specify the default properties to use when adding this field to a view.
You can specify the default validation rules that should be applied to this field when it is added to a form. See "Form Validation Properties" on page 209 in this chapter for further information about form validation properties. Select the Show advanced properties check box to reveal additional properties related to conversion, display and dynamic form behavior. See "View Field Editor" on page 216 in this chapter for more information about advanced properties.
If the field is used on multiple views, you are able to select which view you would like to see.

Customizing AirGroup Registration Forms
AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them.
The values you enter in the Options text box control both the values stored in the shared_location field in the database as well as the text displayed to the user in the checklist. Use the following format:
    tag1=value1 | Option 1
    tag2=value2 | Option 2
    ...
where the tag=value pair tag1=value1 represents the value stored in the shared_location field in the database, the pipe character ( | ) is a separator, and Option 1 represents the text displayed in the checklist.
8.
    AP-Group=Location-1 | Location One
    AP-Group=Location-2 | Location Two
    AP-Location-3 | Location Three
The user interface appears as follows:

Customizing Forms and Views
You are able to view a list of forms and views. From this list view, you can change the layout of forms or views, add new fields to a form or view, or alter the behavior of an existing field. To view or customize forms and views, go to Configuration > Forms & Views. The Customize Forms and Views page opens.
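The Options text box format described above, as an added example (not ClearPass Guest code): a small parser that splits each line at the pipe into the value stored in shared_location and the text shown in the checklist, and reports lines that do not follow the tag=value form, such as the third line of the sample, so a typo is caught before it reaches the database. The sample input is constructed from the AirGroup example above.

```python
"""Parse an Options text box in the ``stored value | display text`` format.

Added example for this guide; it is not ClearPass Guest code. The left side of
the pipe is what is stored in the shared_location field, the right side is the
text shown to the user in the checklist.
"""
from typing import Dict, List, Tuple

# Constructed sample, taken from the AirGroup example in the guide. The third
# line has no tag=value pair, which the parser reports as a warning.
SAMPLE_OPTIONS = """
AP-Group=Location-1 | Location One
AP-Group=Location-2 | Location Two
AP-Location-3 | Location Three
"""


def parse_options(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (options, warnings).

    options maps each stored value to its display text, in the order entered.
    warnings lists lines that cannot be used at all (no separator, empty side)
    and lines whose stored value does not look like a tag=value pair.
    """
    options: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "|" not in line:
            warnings.append(f"line {lineno}: no '|' separator in {line!r}")
            continue
        stored, _, label = line.partition("|")
        stored, label = stored.strip(), label.strip()
        if not stored or not label:
            warnings.append(f"line {lineno}: empty stored value or display text in {line!r}")
            continue
        if "=" not in stored:
            # Still usable, but probably a typo: the guide expects tag=value here.
            warnings.append(f"line {lineno}: stored value {stored!r} is not a tag=value pair")
        if stored in options:
            warnings.append(f"line {lineno}: duplicate stored value {stored!r}")
        options[stored] = label
    return options, warnings


def display_labels(selected: List[str], options: Dict[str, str]) -> List[str]:
    """Options-lookup display: map stored keys back to their display text.

    A key that is no longer in the options list is shown as-is, so the
    administrator sees the raw database value instead of an empty cell.
    """
    return [options.get(key, key) for key in selected]
```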
Editing Forms and Views
You can change the general properties of a form or view such as its title and description. To edit the form or view, go to Configuration > Forms & Views, click the form’s or view’s row in the list, then click its Edit link. The row expands to include the Edit Properties form. The Width field is only displayed for views. It specifies the total width of the list view in pixels. If blank, a default value is used.
Editing Forms
To add a new field to a form, reorder the fields, or make changes to an existing field, go to Configuration > Forms & Views, click the form’s row in the Customize Forms & Views list, and then click the Edit Fields link. The Customize Form Fields view opens. Form fields have a Rank number, which specifies the relative ordering of the fields when displaying the form. The Customize Form Fields editor always shows the fields in order by rank. The Type of each form field is displayed.
See "Form Display Properties" on page 198 for detailed descriptions of these form sections.

Form Display Properties
The form display properties control the user interface that this field will have. Different options are available in this section, depending on the selection you make in the User Interface drop-down list. Fields with a green border use their base field's value. If you enter a different value to override the base field's value, a Revert option lets you return to the original value.
• Check box – A check box is displayed for the field, as shown below: The check box label can be specified using HTML. If the check box is selected, the field is submitted with its value set to the check box value (default and recommended value 1). If the check box is not selected, the field is not submitted with the form.
• Checklist – A list of check boxes is displayed, as shown below: The text displayed for each check box is the value from the options list. Zero or more check boxes may be selected.
To store a comma-separated list of the selected values, enable the Advanced options, select “NwaImplodeComma” for Conversion, select “NwaExplodeComma” for Display Function and enter the field’s name for Display Param. The “Vertical” and “Horizontal” layout styles control whether the check boxes are organized in top-to-bottom or left-to-right order. The default is “Vertical” if not specified.
• Date/time picker – A text field is displayed with an attached button that displays a calendar and time chooser. A date may be typed directly into the text field, or selected using the calendar: The text value typed is submitted with the form. If using a date/time picker, you should validate the field value to ensure it is a date. Certain guest account fields, such as expire_time and schedule_time, require a date/time value to be provided as a UNIX time value.
• File upload – Displays a file selection text field and dialog box (the exact appearance differs from browser to browser). File uploads cannot be stored in a custom field. This user interface type requires special form implementation support and is not recommended for use in custom fields.
• Hidden field – If Hidden Field is selected in the User Interface drop-down list, the field is not displayed to the user, but is submitted with the form.
• Multiple Selection List – A list of selectable options will be displayed. The text displayed for each check box or radio button is the value from the options list. Zero or more check boxes may be selected. This user interface type submits an array of values containing the option key values of each selected check box.
• Radio buttons – The field is displayed as a group of radio buttons, allowing one to be selected, as shown below: The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field. The “Vertical” and “Horizontal” layout styles control whether the radio buttons are organized in top-to-bottom or left-to-right order. The default is “Vertical” if not specified.
If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.
• Static text (Raw value) – The field’s value is displayed as a non-editable text string. HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links and font formatting.
If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.
• Static text (Options lookup) – The value of the field is assumed to be one of the keys from the field’s option list. The value displayed is the corresponding value for the key, as a non-editable text string.
If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.
• Static group heading – The label and description of the field is used to display a group heading on the form, as shown below. The field’s value is not used, and the field is not submitted with the form.
The description is not used. The field’s value is ignored, and will be set to NULL when the form is submitted. To place an image on the button, an icon may be specified. To match the existing user interface conventions, you should ensure that the submit button has the highest rank number and is displayed at the bottom of the form.
• Text area – The field is displayed as a multiple-line text box. The text typed in this box is submitted as the value for the field.
If you select Text or Password as the User Interface type, the Placeholder row is added to this form. You may use this field to enter a temporary value, such as a hint for how to complete the field, that can later be overridden by the user completing the form that uses this field.

Form Validation Properties
The form validation properties control the validation of data entered into a form.
All fields must be successfully validated before any form processing can take place. This ensures that the form processing always has user input that is known to be valid. To validate a specific field, choose a validator from the drop-down list. See "Form Field Validation Functions" on page 414 for a description of the built-in validators. The Validator Param is the name of a field on the form, the value of which should be passed to the validator as its argument.
The reason for this is that in this case, the validation has failed due to a type error – the field is specified to have an integer type, and a blank or non-numeric value cannot be converted to an integer. To set the error message to display in this case, use the Type Error option under the Advanced Properties.
Advanced Form Field Properties
The Advanced Properties control certain optional form processing behaviors. You can also specify JavaScript expressions to build dynamic forms similar to those found elsewhere in the application. On the Customize Form Fields page, select the Show advanced properties check box to display the advanced properties in the form field editor. The Conversion, Value Format, and Display Function options can be used to enable certain form processing behavior.
Form Field Validation Processing Sequence
The following figure shows the interaction between the user interface displayed on the form and the various conversion and display options.

Figure 26 Steps involved in form field processing

The Conversion step should be used when the type of data displayed in the user interface is different from the type required when storing the field.
The Validator for the expire_time field is IsValidFutureTimestamp, which checks an integer argument against the current time. The Value Formatter is applied after validation. This may be used in situations where the validator requires the specific type of data supplied on the form, but the stored value should be of a different type. In the expire_time field example, this is not required, and so the value formatter is not used.
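The processing sequence described above (Conversion, then the type check that produces the Type Error message, then the Validator, then the Value Formatter), together with the NwaImplodeComma/NwaExplodeComma checklist storage from the Checklist section, as one added example that is not ClearPass Guest code. The function names come from this guide, but their implementation here is an assumption modelled on the description, as are the date/time picker text format (YYYY-MM-DD HH:MM, UTC) and the fixed reference time.

```python
"""Model of the form field processing sequence from the guide:
Conversion -> type check -> Validator -> Value Formatter.

Added example, not the product's code. NwaImplodeComma, NwaExplodeComma and
IsValidFutureTimestamp are names from the guide; their behaviour here is an
assumption based on the guide's description.
"""
import calendar
import time
from dataclasses import dataclass
from typing import Any, Callable, List, Optional


def nwa_implode_comma(values: List[str]) -> str:
    """Conversion for a checklist: store the selected keys as one comma-separated string."""
    return ",".join(values)


def nwa_explode_comma(stored: str) -> List[str]:
    """Display function for the same field: split the stored string back into keys."""
    return [v for v in stored.split(",") if v]


def date_text_to_timestamp(text: str) -> int:
    """Conversion for expire_time: the picker submits text, the field stores UNIX time.
    The text format is an assumption; the guide only says a UNIX time value is required."""
    return calendar.timegm(time.strptime(text.strip(), "%Y-%m-%d %H:%M"))


def is_valid_future_timestamp(value: int, now: Optional[int] = None) -> bool:
    """Validator: the integer timestamp must be later than the current time."""
    current = int(time.time()) if now is None else now
    return value > current


@dataclass
class FieldResult:
    ok: bool
    value: Any = None
    error: str = ""


def process_field(
    raw: Any,
    field_type: str = "String",
    conversion: Optional[Callable[[Any], Any]] = None,
    validator: Optional[Callable[[Any], bool]] = None,
    value_format: Optional[Callable[[Any], Any]] = None,
    type_error: str = "Type Error",
    validation_error: str = "Invalid value",
) -> FieldResult:
    """Run one submitted value through the sequence described in the guide."""
    # 1. Conversion: turn the submitted UI value into the type the field stores.
    try:
        value = conversion(raw) if conversion else raw
    except (TypeError, ValueError):
        return FieldResult(False, error=type_error)
    # 2. Type check: an Integer field rejects blank or non-numeric values before the
    #    validator runs, so the Type Error message (not the validator's) is shown.
    if field_type == "Integer":
        try:
            value = int(value)
        except (TypeError, ValueError):
            return FieldResult(False, error=type_error)
    # 3. Validator: every field must validate before form processing can proceed.
    if validator and not validator(value):
        return FieldResult(False, error=validation_error)
    # 4. Value Formatter: applied only after successful validation.
    return FieldResult(True, value_format(value) if value_format else value)


# Constructed reference time so the example is repeatable: 2013-01-01 00:00 UTC.
FIXED_NOW = 1356998400


def process_expire_time(text: str) -> FieldResult:
    """The expire_time example from the guide: text -> UNIX time -> IsValidFutureTimestamp.
    No Value Formatter is configured, exactly as the guide notes for this field."""
    return process_field(
        text,
        field_type="Integer",
        conversion=date_text_to_timestamp,
        validator=lambda ts: is_valid_future_timestamp(ts, now=FIXED_NOW),
        type_error="Please enter a valid date and time",
        validation_error="Expiration time must be in the future",
    )


def process_checklist(selected: List[str]) -> FieldResult:
    """A checklist whose Conversion is NwaImplodeComma, giving one stored string."""
    return process_field(selected, conversion=nwa_implode_comma)
```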
Because of the scoping rules of JavaScript, all of the user interface elements that make up the form are available as variables in the local scope with the same name as the form field. Thus, to access the current value of a text field named sample_field in a JavaScript expression, you would use the code sample_field.value. Most user interface elements support the value property to retrieve the current value.
The Type of each field is displayed. This controls what kind of user interface element is used to display the column, and whether the column is to be sortable or not. The Title of the column and the Width of the column are also shown in the list view. Values displayed in italics are default values defined for the field being displayed. Click a view field in the list view to select it. Use the Edit link to make changes to an existing column using the View Field Editor.
• Boolean – Yes/No – The value of the field is converted to Boolean and displayed as “Yes” or “No”.
• Boolean – Enabled/Disabled – The value of the field is converted to Boolean and displayed as “Enabled” or “Disabled”.
• Boolean – On/Off – The value of the field is converted to Boolean and displayed as “On” or “Off”.
• Date – The value of the field is assumed to be a UNIX timestamp value and is displayed as a date and time.
This process is shown below.

Figure 27 Sequence Diagram for Guest Self-Registration

In this diagram, the stages in the self-registration process are identified by the numbers in brackets, as follows: The captive portal redirects unauthorized users [1] to the register page [2]. After submitting the registration form [3], the guest account is created and the receipt page is displayed [4] with the details of the guest account.
The Register Page is the name of a page that does not already exist. There are no spaces in this name. This page name will become part of the URL used to access the self provisioning page. For example, the default “guest_register” page is accessed using the URL guest_register.php. Click the Save Changes button to save the self registration page. A diagram of the self registration process is displayed. Click the Save and Continue button to proceed to the next step of the setup.
A guest self-registration page consists of many different settings, which are divided into groups across several pages. Click an icon or label in the diagram to jump directly to the editor for that item.

Configuring Basic Properties for Self-Registration
Click the Master Enable, User Database, Choose Skin, or Rename Page links to edit the basic settings for guest self-registration.
The Allowed Access and Denied Access fields are access control lists that determine if a client is permitted to access this guest self-registration page. You can specify multiple IP addresses and networks, one per line, using the following syntax:
• 1.2.3.4 – IP address
• 1.2.3.4/24 – IP address with network prefix length
• 1.2.3.4/255.255.255.0 – IP address with explicit network mask
Use the Deny Behavior drop-down list to specify the action to take when access is denied.
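The three list syntaxes above, evaluated against a client address, as an added example that is not ClearPass Guest code. Two behaviours are assumptions rather than anything the guide states: an empty Allowed Access list permits everyone, a client matching both lists is denied, and a malformed entry causes the check to fail closed. The sample lists are constructed.

```python
"""Evaluate the Allowed Access / Denied Access lists of a self-registration page.

Added example, not ClearPass Guest code. Accepts the three syntaxes from the
guide: a bare IP address, IP/prefix length, and IP/explicit network mask, one
entry per line. Precedence rules and fail-closed handling are assumptions.
"""
import ipaddress
from typing import List, Tuple, Union

AnyNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_acl(text: str) -> Tuple[List[AnyNetwork], List[str]]:
    """Return (networks, errors); a malformed line is reported, not silently skipped."""
    networks: List[AnyNetwork] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=False lets "1.2.3.4/24" and "1.2.3.4/255.255.255.0" both describe
            # the network 1.2.3.0/24; a bare address becomes a single-host (/32) network.
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            errors.append(f"line {lineno}: {line!r} is not a valid IP address or network")
    return networks, errors


def matches(client_ip: str, networks: List[AnyNetwork]) -> bool:
    """True if the client address falls inside any listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def is_permitted(client_ip: str, allowed_text: str, denied_text: str) -> bool:
    """Decide whether the client may reach the self-registration page.

    Assumed rules: a denied match always wins; an empty Allowed Access list means
    no allow restriction; any unparsable entry denies access (fail closed), since a
    mistyped mask could otherwise widen access without anyone noticing.
    """
    allowed, allowed_errors = parse_acl(allowed_text)
    denied, denied_errors = parse_acl(denied_text)
    if allowed_errors or denied_errors:
        return False
    if matches(client_ip, denied):
        return False
    return not allowed or matches(client_ip, allowed)


# Constructed sample lists exercising the three syntaxes from the guide.
ALLOWED = """
10.0.0.0/8
192.168.1.0/255.255.255.0
"""
DENIED = """
10.5.0.0/16
192.168.1.77
"""
```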
2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears.
3. Click the Register Page link, or one of the Title, Header, or Footer fields for the Register Page.

Figure 29 The Customize Guest Registration Form

Template code for the title, header, and footer may be specified. See "Smarty Template Syntax" on page 380 for details on the template code that may be inserted.
Creating a Single Password for Multiple Accounts
You can create multiple accounts that have the same password. In order to do this, you first customize the Create Multiple Guest Accounts form to include the Password field. To include the Password field on the Create Multiple Guest Accounts form:
1. Go to Configuration > Forms & Views. Click the create_multi row, then click its Edit Fields link.
Click the Save Changes button to return to the process diagram for self-registration.

Editing Receipt Actions
To edit the actions that are available once a visitor account has been created:
1. Navigate to Configuration > Guest Self-Registration.
2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears.
3. In the Receipt Page area of the diagram, click the Actions link. The Receipt Actions form opens.
Enabling Sponsor Confirmation for Role Selection

You can allow the sponsor to choose the role for the user account at the time the sponsor approves the self-registered account. To enable role selection by the sponsor:
1. Go to Configuration > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens.
2. In the Receipt Page area of the diagram, click the Actions link. The Receipt Actions form opens.
3.
4. In the Authentication row, mark the check box for Require sponsors to provide credentials prior to sponsoring the guest.
5. In the Role Override row, choose (Prompt) from the drop-down list.
6. Complete the rest of the form with the appropriate information, then click Save Changes. The Customize Guest Registration diagram opens again.
7.
9. In the Account Role drop-down list, the sponsor chooses the role for the guest, then clicks the Confirm button.

Editing Download and Print Actions for Guest Receipt Delivery

To enable the template and display options to deliver a receipt to the user as a downloadable file, or display the receipt in a printable window in the visitor’s browser:
1. Go to Configuration > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens.
When email delivery is enabled, the following options are available to control email delivery:
• Disable sending guest receipts by email – Email receipts are never sent for a guest registration.
• Always auto-send guest receipts by email – An email receipt is always generated using the selected options, and will be sent to the visitor’s email address.
• Auto-send guest receipts by SMS with a special field set – If the Auto-Send Field is set to a non-empty string or a non-zero value, an SMS receipt will be generated and sent to the visitor’s phone number. The auto-send field can be used to create an “opt-in” facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.
2. In the Receipt Page area of the diagram, click the Title or Login Message fields for the login page to edit the properties of the login page, then mark the Enable guest login to a Network Access Server check box. The form expands to include configuration options. The login page is also a separate page that can be accessed by guests using the login page URL. The login page URL has the same base name as the registration page, but with _login appended.
The login message page is displayed after the login form has been submitted, while the guest is being redirected to the NAS for login. The title and message displayed on this page can be customized. The login delay can be set; this is the time period, in seconds, for which the login message page is displayed. Click the Save Changes button to return to the process diagram for self-registration.

Self-Service Portal Properties

To edit the properties of the self-service portal:
1.
The portal offers guests the ability to log in with their account details, view their account details, or change their password. Additionally, the Reset Password link provides a method allowing guests to recover a forgotten account password. To adjust the user interface, use the override check boxes to display additional fields on the form. These fields allow you to customize all text and HTML displayed to users of the self-service portal.
Clicking the I’ve forgotten my password link displays a form where the user password may be reset: Entering a valid username will reset the password for that user account, and will then display the receipt page showing the new password and a login option (if NAS login has been enabled). This feature allows the password to be reset for any guest account on the system, which may pose a security risk.
Selecting a different value for the “Required Field” allows other fields of the visitor account to be checked. These fields should be part of the registration form. For example, selecting the visitor_name field as the “Required Field” results in a Reset Password form like this:

Email Receipts and SMTP Services

With SMTP Services, you can configure ClearPass Guest to send customized guest account receipts to visitors and sponsors by email. Email receipts may be sent in plain text or HTML format.
The following options are available in the Enabled drop-down list to control email delivery:
• Disable sending guest receipts by email – Email receipts are never sent for a guest registration.
• Always auto-send guest receipts by email – An email receipt is always generated using the selected options, and will be sent to the visitor’s email address.
Figure 30 Customize Email Receipt page

1. The Subject Line may contain template code, including references to guest account fields. The default value, Visitor account receipt for {$email}, uses the value of the email field. See "Smarty Template Syntax" on page 380 for more information on template syntax.
2. The Skin drop-down list allows you to specify a skin to be used to provide the basic appearance of the email.
• Always send using ‘bcc:’ – The Copies To list is always sent a blind copy of any guest account receipt (even if no guest account email address is available).
• Use ‘cc:’ if sending to a visitor – If a guest account email address is available, the email addresses in the Copies To list will be copied.
• Use ‘bcc:’ if sending to a visitor – If a guest account email address is available, the email addresses in the Copies To list will be blind copied.
5.
• smtp_email_field – This field specifies the name of the field that contains the visitor’s email address. If blank or unset, the default value from the email receipt configuration is used. Additionally, the special value “_None” indicates that the visitor should not be sent any email.
• smtp_auto_send_field – This field specifies the name of the field that contains the auto-send flag. If blank or unset, the default value from the email receipt configuration is used.
• warn_before_from – This field overrides the Override From field under the Logout Warnings on the email receipt. If the value is “default”, the Override From field under Logout Warnings from the email receipt configuration is used.

Managing IP Phone Services

The IP Phone Services page in Dell Networking W-ClearPass Guest lists all the IP phone service instances you have created, and lets you edit them, create new ones, enable or disable them, and provision them.
• To create a new IP phone service, click the Create new IP phone service link in the upper-right corner of the page. See "Creating and Editing an IP Phone Service" on page 240 for more information.

Creating and Editing an IP Phone Service

To create or edit an IP phone service, go to Configuration > IP Phones > IP Phone Services, then click the Create new IP phone service link in the upper right corner, or click the Edit link for a service in the list. The Cisco IP Phone Service form opens.
3. (Required) In the Splash Delay drop-down list, choose the length of time the splash screen should be displayed. Available options are 0 - wait for user, and 1, 2, 3, 4, or 5 seconds. If 0 - wait for user is selected, the splash screen is displayed until the user presses a softkey on their phone.
4. In the Default Phone Number field, you may enter a phone number to be used as a default in the application.

Defining Behavioral Properties

To define the behavior of the service:
1.
6. When you have completed your entries on this page, click Save Changes. The new service is created and displayed in the IP Phone Services list.

Customizing Print Templates

Print templates are used to define the format and appearance of a guest account receipt. To work with print templates, go to Configuration > Print Templates. The Print Templates view opens. Click a print template’s row in the list to select it.
This section is followed by three other sections: the body, the header and the footer. Each section must be written in HTML. There is provision in each section for the insertion of multiple content items such as logos. You are able to add Smarty template functions and blocks to your code. These act as placeholders to be substituted when the template is actually used. See "Smarty Template Syntax" on page 380 for further information on Smarty template syntax.
Each of the basic styles provides support for a logo image, title area, subtitle area, notes area, and footer text. These items can be customized by typing in an appropriate value in the Print Template Wizard. As the print template is an HTML template, it is possible to use HTML syntax as well as Smarty template code in these areas. See the "Reference" chapter on page 377 for reference material about HTML and Smarty template code. The print template may also contain visitor account fields.
The permissions defined on this screen apply to the print template identified in the “Object” line. The owner profile always has full access to the print template. To control access to this print template by other entities, add or modify the entries in the “Access” list. To add an entry to the list, or remove an entry from the list, click one of the icons in the row. A Delete icon and an Add icon will then be displayed for that row.
◦ Full access (ownership) – the print template is visible in the list, and may be edited or deleted. The permissions for the print template can be modified, if the operator has the Object Permissions privilege.

Customizing SMS Receipt

Navigate to Configuration > SMS Receipts to configure SMS receipt options. These fields are described for the SMS plugin configuration page. Use the SMS receipt page for further customization. For information on standard SMS services, see "SMS Services" on page 299.
◦ If it is any other value, assume the auto-send field is the name of another guest account field. Check the value of that field, and if it is zero or the empty string then no receipt is sent.
• Determine the phone number – if the phone number field is set and the value of this field is at least 7 characters in length, then use the value of this field as the phone number.
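The receipt delivery rules scattered across the email options (Disable / Always / Auto-send with a special field set, the smtp_email_field and smtp_auto_send_field overrides with the “_None” value) and the SMS rules just above (the auto-send flag is a non-empty string or non-zero value; the phone number is used only if it is at least 7 characters) fit together as one decision. The following Python is an added example written for this guide, not ClearPass Guest code: it models those rules so that an operator can see, for a given account record, whether a receipt would go out and to which address. The mode names, the default field names (email, visitor_phone, auto_send_email, auto_send_sms) and the sample accounts are this example's own assumptions; the guide only names the auto_send_sms field.

```python
# Delivery modes as this example names them (the guide describes the
# behaviour; these identifiers are constructed for the example).
DISABLED = "disabled"      # receipts are never sent
ALWAYS = "always"          # a receipt is always generated
AUTO_FIELD = "auto_field"  # send only if the auto-send flag field is set


def flag_is_set(value):
    """The guide's rule for the auto-send flag: send only if the field holds
    a non-empty string or a non-zero value. None, "", "0" and "0.0" all
    mean "do not send"."""
    if value is None:
        return False
    text = str(value).strip()
    if text == "":
        return False
    try:
        return float(text) != 0
    except ValueError:
        return True  # non-numeric, non-empty text counts as "set"


def email_recipient(account, mode, email_field="email",
                    auto_send_field="auto_send_email"):
    """Return the address an email receipt would go to, or None.

    email_field and auto_send_field model the smtp_email_field and
    smtp_auto_send_field overrides; the special value "_None" for
    email_field means the visitor is never emailed.
    """
    if mode == DISABLED or email_field == "_None":
        return None
    address = (account.get(email_field) or "").strip()
    if not address:
        return None
    if mode == ALWAYS:
        return address
    if mode == AUTO_FIELD and flag_is_set(account.get(auto_send_field)):
        return address
    return None


def sms_recipient(account, mode, phone_field="visitor_phone",
                  auto_send_field="auto_send_sms"):
    """Return the phone number an SMS receipt would go to, or None.

    Applies the guide's two checks: the auto-send flag (in AUTO_FIELD mode)
    and the minimum length of 7 characters for the phone number field.
    """
    if mode not in (ALWAYS, AUTO_FIELD):
        return None
    if mode == AUTO_FIELD and not flag_is_set(account.get(auto_send_field)):
        return None
    number = (account.get(phone_field) or "").strip()
    if len(number) < 7:
        return None  # too short to be a usable number; no receipt is sent
    return number


# Constructed sample account records (not real guest data).
ACCOUNT_OPT_IN = {
    "username": "visitor1", "email": "v1@example.com",
    "visitor_phone": "+15550100", "auto_send_sms": "1", "auto_send_email": "1",
}
ACCOUNT_OPT_OUT = {
    "username": "visitor2", "email": "v2@example.com",
    "visitor_phone": "12345", "auto_send_sms": "0", "auto_send_email": "",
}

if __name__ == "__main__":
    for acct in (ACCOUNT_OPT_IN, ACCOUNT_OPT_OUT):
        print(acct["username"],
              "email:", email_recipient(acct, AUTO_FIELD),
              "sms:", sms_recipient(acct, AUTO_FIELD))
```

Running the two sample accounts through AUTO_FIELD mode shows the opt-in facility the guide describes: the first account receives both receipts, the second receives neither, and switching the second to ALWAYS still sends no SMS because its 5-character number fails the length check.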
5. Remove extraneous data from the User Account HTML field. Example text is shown below.

Access Details |
| Access Code | {$u.username|htmlspecialchars} |
{if $u.create_result.

Create the Access Code Guest Accounts

Once the account fields have been customized, you can create new accounts.
1. Navigate to Guest > Create Multiple.
2. Mark the check box in the Username Authentication row that was added in the procedure above. (If you do not select this check box and if the username is entered on the login screen, the authentication will be denied.
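The template fragment above applies the htmlspecialchars modifier to the username before it is placed in the HTML receipt, and the "Customizing Print Templates" section notes that print templates are HTML and may contain visitor account fields. Since guest-supplied values such as the visitor name end up inside HTML that other people open in a browser, the modifier is what keeps a value with markup in it from being interpreted as markup. The following Python is an added example written for this guide, not the product's Smarty engine: a deliberately small renderer that supports only {$u.field}, {$u.field|modifier} and a non-nested {if $u.field}...{/if}, enough to show the difference between an escaped and an unescaped field. The sample account and the "upper" modifier are constructed for the example.

```python
import html
import re

# Constructed sample guest account; the username contains markup on purpose.
SAMPLE_ACCOUNT = {
    "username": "Alice <b>& co</b>",
    "password": "s3cret&more",
    "email": "visitor@example.com",
    "expire_time": "",
}

# {$u.field} or {$u.field|modifier}
_VAR = re.compile(r"\{\$u\.(\w+)(?:\|(\w+))?\}")
# {if $u.field}...{/if}, non-nested, body kept only if the field is truthy
_IF = re.compile(r"\{if \$u\.(\w+)\}(.*?)\{/if\}", re.S)

# Modifiers this toy renderer understands; htmlspecialchars is the one the
# guide's template uses, mapped here to Python's html.escape.
MODIFIERS = {
    "htmlspecialchars": lambda v: html.escape(v, quote=True),
    "upper": str.upper,
}


def render(template, account):
    """Render a tiny Smarty-like template against a guest account dict.

    Unknown fields render as an empty string; an unknown modifier raises
    ValueError so a misspelled |htmlspecialchars is caught rather than
    silently dropping the escaping.
    """
    def do_if(m):
        return m.group(2) if account.get(m.group(1)) else ""

    def do_var(m):
        value = str(account.get(m.group(1), ""))
        modifier = m.group(2)
        if modifier:
            if modifier not in MODIFIERS:
                raise ValueError(f"unknown modifier: {modifier}")
            value = MODIFIERS[modifier](value)
        return value

    return _VAR.sub(do_var, _IF.sub(do_if, template))


# Escaped and unescaped versions of the guide's Access Code row.
ESCAPED_ROW = "<tr><td>Access Code</td><td>{$u.username|htmlspecialchars}</td></tr>"
RAW_ROW = "<tr><td>Access Code</td><td>{$u.username}</td></tr>"

if __name__ == "__main__":
    print(render(ESCAPED_ROW, SAMPLE_ACCOUNT))
    print(render(RAW_ROW, SAMPLE_ACCOUNT))
```

The escaped row renders the username as literal text (`&lt;b&gt;` and `&amp;`), while the raw row injects the visitor's `<b>` tag into the receipt; a template review can grep the User Account HTML field for `{$u.` occurrences that lack a `|htmlspecialchars` modifier.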
4. Confirm that the account settings are as you expected with respect to letters and digits in the username and password, expiration, and role.
5. Click the Open print window using template drop-down list and select the new print template you created using this procedure. See "Create the Print Template" on page 247 for a description of this procedure. A new window or tab will open with the cards.
• To set the default language, show IDs for labels and messages, and provide a language selector on each page of the user interface, see "Translation Assistant" on page 252.
• To view translation plugins and modify some basic settings, see "Configuring the Translations Plugin" on page 298 in the Administration module.

Translation Packs

To work with individual translation packs, go to Configuration > Translations > Translation Packs. The Language Packs list view opens.
7. In the Locales field, enter a comma-delimited list of locale identifiers for this language pack. Locale identifiers let you customize translation packs for regional differences.
8. Click Save Changes.

Customizing Translated User Interface Text

You can override the default translations provided for labels and messages in the user interface, customizing these items in each translation pack. To customize label and message text for a translation pack:
1.
To view the list of your Web login pages and work with them, go to Configuration > Web Logins. The Web Logins list view opens. All Web login pages you have created are included in the list. Information shown for each page includes its name for internal identification, title as displayed in the user interface, filename, and the skin assigned to it. You can click a page's row in the list for additional options:
• To edit any of a Web login page's attributes, click its Edit link.
2. (Required) Enter a name for the page in the Name field.
3. In the Page Name field, enter the identifier page name that will appear in the URL, for example "/guest/page_name.php".
4. In the Description field, you may enter additional information or comments about the page.
5. Use the drop-down list in the Vendor Settings field to select vendor-specific settings for network configuration.
6. In the Address field, enter the IP address or hostname of the vendor's product.
7.
3. To be able to alter the default labels and error messages, mark the check box in the Custom Labels field. The form includes the Pre-Auth Error field. Complete this field with your customized label text to display if username and password lookup fails.
4. Use the drop-down list in the Pre-Auth Check field to indicate how the username and password should be checked before authentication.
Chapter 6 Hotspot Manager

The Hotspot Manager controls self-provisioned guest or visitor accounts. This is where the customer is able to create his or her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts.

Accessing Hotspot Manager

To access Dell Networking W-ClearPass Guest’s hotspot management features, go to Configuration > Hotspot Manager.
Figure 33 Guest self-provisioning

• Your customer associates to a local access point and is redirected by a captive portal to the login page.
• Existing customers may log in with their Hotspot username and password to start browsing.
• New customers click the Hotspot Sign-up link.
• On page 1, the customer selects one of the Hotspot plans you have created.
• On page 2, the customer enters their personal details, including credit card information if purchasing access.
The Enable visitor access self-provisioning check box must be ticked for self-provisioning to be available. The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows an HTML message to be displayed to visitors if self-provisioning has been disabled. See "Smarty Template Syntax" on page 380 in the Reference chapter for details about the template syntax you may use to format this message.
However, in this situation the MAC address of the customer will not be available, and no automatic redirection to the customer's home page will be made. You may want to recommend to your customers that JavaScript be enabled for best results.

Web Site Look-and-Feel

The skin of a Web site is its external look and feel. It can be thought of as a container that holds the application, its style sheet (font size and color for example), its header and footer, button style, and so on.
• To create or edit an existing plan, see "Editing or Creating a Hotspot Plan" on page 261.
• To delete a plan, click the Delete button in the plan’s row, then confirm the deletion.
2. In the Plan Details area, enter a name for the plan and descriptions to display in the UI and the customer invoice.
3. To enable the plan, leave the Enabled check box marked. To disable the plan, unmark this check box. Disabled plans are not displayed to customers.
4. In the User Account Details area, you can specify the usage of numbers, letters, and symbols in the generated username and password. To use only digits, leave the value in the Generated Username and Generated Password fields set to ######.
Managing Transaction Processors

Your hotspot plan must also identify the transaction processing gateway used to process credit card payments. Dell Networking W-ClearPass Guest supports plugins for the following transaction processing gateways:
• Authorize.Net AIM
• CashNet
• CyberSource
• eWAY
• Micros Fidelio
• Netregistry
• Paypal
• WorldPay
ClearPass Guest also includes a Demo transaction processor that you can use to create hotspot forms and test hotspot transactions.
• Signature
• Test Environment URL
• Test WSDL
• Transaction Key
• Transaction Password
• Transactions Timeout
If your transaction processor requires visitors to enter their address, ClearPass Guest will automatically include address fields in the guest self-registration forms that use that transaction processor.

Managing Existing Transaction Processors

Once you define a transaction processor, it will appear in the transaction processor list.
2. The Invoice Title must be written in HTML. See "Basic HTML Syntax" on page 377 for details about basic HTML syntax.
3. Complete the rest of the fields appropriately. You can use Smarty functions on this page. See "Smarty Template Syntax" on page 380 for further information on these. You can also insert content items such as logos or prepared text. See "Customizing Self-Provisioned Access" on page 217 for details on how to do this.
4. Click Save Changes.
To customize how this page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 1 (Choose Plan) link in the upper-right corner. The Edit Hotspot Plan Selection Page form opens. You can use this form to edit the title, introductory text, and footer of the “Choose Plan” page. The introduction and the footer are HTML text that can use template syntax. See "Smarty Template Syntax" on page 380 in the Reference chapter.
Although it is not shown in this illustration, the default page also includes footer text providing information about privacy policies and security pertaining to the data collected by this page. The example below shows the default “Your Details” page for a customer who chooses the Free Access plan.
To customize how the “Your Details” page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 2 (Customer Details) link in the upper-right corner. The Edit Hotspot User Details Page form opens. You can use this form to edit the content displayed when the customer enters their personal details, including credit card information if purchasing access. The progress of the user’s transaction is also shown on this page.
To customize how the “Your Receipt” page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign-Up, then click the Customize page 3 (Invoice or Receipt) link in the upper-right corner. The Edit Hotspot User Receipt Page form opens. You can use this form to edit the title, introductory text, and footer text of the receipt page. See "Smarty Template Syntax" on page 380 for details about the template syntax you may use to format the content on this page.
Viewing the Hotspot User Interface

The Hotspot Manager allows you to view and test Hotspot self-provisioning pages, as well as log in to and view the Hotspot self-service portal that allows customers to view their current account expiration date, purchase time extensions, log out of the Hotspot, or change their user password. To access either of these user pages, navigate to Configuration > Hotspot Manager and select the Self-Provisioning or Self-Service links in the left navigation menu.
Chapter 7 Administration

The Administration module provides tools used by a network administrator to perform both the initial configuration and ongoing maintenance of Dell Networking W-ClearPass Guest.

Accessing Administration

To access Dell Networking W-ClearPass Guest’s administration features, click the Administration link in the left navigation.

Figure 34 The Administration Module’s Left Navigation
AirGroup Services

This section describes creating and managing AirGroup controllers and configuring the AirGroup plugin, and provides links to other AirGroup steps performed in Dell Networking W-ClearPass Guest. For an overview of AirGroup functionality, see "AirGroup Deployment Process" on page 27. For complete AirGroup deployment information, refer to the AirGroup chapter in the Dell Networking W-Series ArubaOS User Guide and the ClearPass Policy Manager documentation.
• To edit any of an AirGroup controller's attributes, click its Edit link. The Edit AirGroup Controller form opens. For more information, see "Creating and Editing AirGroup Controllers" on page 273.
• To disable an AirGroup controller, click its Disable link. To enable it again at any time, click its Enable link.
• To delete an AirGroup controller, click its Delete link. You are asked for confirmation before it is deleted.
2. In the Name field, give the controller a short name that identifies it clearly. AirGroup controller names can include spaces.
3. In the Description field, you may record additional useful information about the controller.
4. To enable Policy Manager's AirGroup notification service for the controller, mark the check box in the Enabled row. With this service enabled, the controller receives change of authorization (CoA) Requests for sharing events from associated MAC addresses and the events are logged.
5.
2. In the Exclusions text field, you may enter any role names, AP group names, or AP names that should not be displayed in the AirGroup user interface. Enter each item on a separate line. Entries are not case-sensitive. To add a comment, enter it on a separate line that begins with the "#" character.
3. To schedule automatic polling of AirGroup controller configuration, mark the check box in the Polling row. The form expands to include scheduling options.
7. Click Save Changes.

Creating AirGroup Administrators

AirGroup Administrators are users of Dell Networking W-ClearPass Guest who can define and manage their organization’s shared devices. Devices can be shared globally, or shared with restrictions based on the username, role, or location of the user trying to access the device. The AirGroup Administrator profile is automatically created in ClearPass Guest when the AirGroup Services plugin is installed.
• "Creating MACTrac Operators" on page 277
• "Managing MACTrac Devices" on page 277
• "Registering MACTrac Devices" on page 279
• "Automatically Supplying the MACTrac Device Address" on page 280

Creating MACTrac Operators

MACTrac operators are users of ClearPass Guest who can register their personal devices on a local network. The MACTrac operator profile and translation rule are already available in ClearPass Guest, and the MACTrac role is available in ClearPass Policy Manager.
MACTrac operators can create and manage multiple device accounts. Options include editing, printing details, disabling, and deleting accounts. To work with MACTrac devices, log in to ClearPass Guest as a MACTrac operator and go to Guest > List Devices. The MACTrac Devices list view opens. All MACTrac devices that have been registered are included in the list. You can click a device account's row in the list for additional options:
• To edit any of a device account's attributes, click its Edit link.
• To disable or delete a device account, click its Remove link. A confirmation dialog opens. You may specify either Disable or Delete, then click Make Changes. To enable a disabled account, click its Activate link.

Registering MACTrac Devices

The Register Device form is used by MACTrac operators to create their device accounts on their local network. There is no limit to the number of accounts an operator can create, and no expiration time is set on device accounts. To register a MACTrac device:
1.
4. (Optional) The Device Type field is prepopulated if detected, and indicates whether it is a computer, printer, or other type of device.
5. (Optional) The Device Platform field is prepopulated if detected, and indicates whether it is a Windows, Mac, Linux, or Android platform, and whether it is a mobile phone.
6. (Optional) The Browser Vendor/Version field is prepopulated if detected, and indicates whether it is an Internet Explorer, Google Chrome, Mozilla Firefox, or other browser.
7.
Data Retention

The Data Retention Policy page (Administration > Data Retention) lets you manage historical data by archiving or deleting it. For a data retention policy to take effect, you must schedule and enable database maintenance. To do so, refer to the Dell Networking W-ClearPass Policy Manager documentation.
• Upload a 3.9 configuration backup file to your 6.1 file system, making the items in it available for import. See "Uploading the 3.9 Backup File" on page 282.
• Select items from it to import, restoring those configurations in your 6.1 system. See "Restoring Configuration Items" on page 283.
• Review details for configuration items after import, including anything that might be different between 3.9 and 6.1 and any actions you might need to take.
This form shows every configuration item in your backup file, and provides options for restoring items or excluding them from the restoration. For more information, see the next section, "Restoring Configuration Items" on page 283.

Restoring Configuration Items

This section describes how to use the Import Configuration: Step 2 form to import 3.9 configuration items to your 6.1 system after you upload them. To select and restore your configuration items:
1.
• To exclude an item from the import, click the X in the item's row. The X turns red to indicate it will be excluded. You can click the X for a category to exclude all items in that category.
• To make it easier to select just a few items, you can scroll to the bottom of the list and click the Unselect All link. All items are then marked with a red X and will be excluded from the import. You can then select the green check marks for just the items you want.
The Import Notices list provides information about items that were handled during the last import. This list includes the following columns:
• Status – The import status of the item in the same row. Possible statuses include Imported, Migrated, Obsolete, Action Required, Error, Processed, Unsupported, and Warning. These statuses are described more fully in the table below.
• Operation/Notice – This column shows the operation performed on the item, and the name of the item.
Status – Description
Migrated – field: schedule_time --> start_time
Processed – The item was processed for the import but was not applicable and was ignored, as described in Show Details for the item. For example, a disabled network configuration, or a service that is now handled in Policy Manager instead of Guest, or a plugin version that was already up to date.
• "Import Information: SMTP Services" on page 292

Import Information: Advertising Services

• Advertising Services is unsupported.

Import Information: AirGroup Services

• The following AirGroup 3.9 fields are renamed:
  3.9 Name = 6.1 Name
  shared_location = airgroup_shared_location
  shared_role = airgroup_shared_role
  shared_user = airgroup_shared_user
• The definitions of some fields are also updated.
• AirGroup controller names default to the hostname.
Print Templates:
• Print templates are flagged as Action Required. Print templates might require changes where defaults have changed or fields have been renamed. Review the templates and correct as necessary to fix fields that have been changed.
Self Registration:
• The user database is the default ClearPass Policy Manager user database.
LDAP Sponsor Lookups:
• All LDAP operator servers and translation rules are imported. All 6.
Operator Profiles
• If the IT Administrators profile is imported, it is updated to keep existing privileges and is migrated.
• Any non-default Password Change Policy is removed and the profile is migrated.
• Any non-default user skins are reset to the default skin and the profile is migrated.
Operator Servers
• Operator servers are imported as service handlers.
Operator Translation Rules
• If there are any new translation rules, the translation rules should be reviewed for correct order.
• Non-default RADIUS Server Port settings are obsolete.
• Default RADIUS Server Options are not applicable; they are processed and ignored.
• For any non-default RADIUS Server Options, an authentication source must be created in CPPM.
• Non-default Case Insensitive Username settings are obsolete.
• Non-default Include Active Sessions settings are obsolete.
• Non-default EAP Server settings are obsolete.
• Non-default AAA Debug settings are obsolete.
• For a non-default hosts file, the DNS must be properly configured.
Network Interface Configuration
• Network interfaces are unsupported.
Security Audit Settings
• Security audit settings are obsolete.
Server Time Setup
• Server time settings must be configured in CPPM.
SNMP Configuration
• If SNMP was enabled, settings must be configured in CPPM.
SSL Certificate Setup
• The backup certificate is processed and ignored.
Web Server Configuration
• Web server configuration is obsolete.

Import Information: SMS Services

• SMS gateways are imported as service handlers.
• Kernel plugins—Provide the basic framework for the application
• Operator Login plugins—Control access to the Web application
• Skin plugins—Provide the style for the application’s visual appearance
• Transaction Processor plugins—Provide transaction service handlers for interfacing with various payment solution providers
• Translation—Provides configurable language settings for the application
The About link displays information about the plugin, including the installation date and update date.
To undo any changes to the plugin’s configuration, click the plugin’s Restore default configuration link. The plugin’s configuration is restored to the factory default settings.

In most cases, plugin configuration settings do not need to be modified directly. Use the customization options available elsewhere in the application to make configuration changes.
1. To change the application’s title, enter the new name in the Application Title field (for example, your company name) to display that text as the title of your Web application. Click Save Configuration.
2. The Kernel plugin’s Debug Level and Application URL options should not be modified unless you are instructed to do so by Dell support.
3. To turn off autocomplete on forms, mark the check box in the Form Auto Complete row. This disables credentials caching.
4.
2. The default navigation layout is “expanded.” To change the behavior of the navigation menu, click the Navigation Layout drop-down list and select a different expansion level for menu items.
3. The Page Heading field allows you to enter additional heading text to be displayed at the very top of the page.
4. In the Font Family row, to change the font, delete the current selection and enter the list of fonts to use.
5.
Figure 36 Configure SMS Services Plugin

• SMS Receipt – Select the print template to be used when an SMS receipt is created. The print template used for the receipt must be in plain text format.
• Phone Number Field – Select which guest account field contains the guest’s mobile telephone number. This field is used to determine the SMS recipient address.
◦ Never include the country code: When you select this option, any country code specified by the visitor is removed before the SMS message is sent.

ClearPass Guest 3.9 and earlier used www.amigopod.com for a number of actions, including updates, SMS, and network diagnostics. The address used now is clearpass.arubanetworks.com. If you have opened host-specific openings in your firewall for the ClearPass appliance, please update them to the new name.
For more information about translation services in ClearPass Guest, see "About Translations" on page 250.

SMS Services
With SMS Services, you can configure ClearPass Guest to send SMS messages to guests. You can use SMS to send a customized guest account receipt to your guest’s mobile phone. You can also use SMS Services to send an SMS from your Web browser. To use the SMS features, you must have the SMS Services plugin installed.
• Make Default—Click this link in a gateway’s row to make it the default gateway for SMS messages.
• Send SMS—Click this link in a gateway’s row to send an SMS message via that gateway. The row expands to include the New SMS Message form, where you can enter the recipient’s mobile phone number and the message text, then send the message.
3. To add a carrier to the list, click the Create a new SMS gateway link in the upper-right corner. The Create SMS Gateway form opens.
5. If you selected the SMS over SMTP option in the SMS Gateway field, most of the fields on this form are removed and the Service Settings area includes the Display Name, Carrier Selection, and Debug fields.
   a. Enter the gateway’s name in the Display Name field.
   b. In the Carrier Selection drop-down list, choose how the carrier will be determined.
Complete the fields with the appropriate information, then click either Send Test Message or Save and Close. The new configuration settings will take effect immediately.

Editing an SMS Gateway
To edit an SMS gateway:
1. Go to Administration > SMS Services > Gateways. The SMS Gateways list view opens.
2. Click the gateway’s row in the list, then click its Edit link. The Edit SMS Gateway form opens.
3. The SMS Gateway field displays the gateway service that was selected when the gateway was created.
  - SMS Address—You may choose to use a template to determine the email address, or to use a fixed address.
  - Address Template or Address—If you chose to use a template to determine the address, the next field is Address Template. Enter an example email address that will be used as the pattern for the address format. If you chose to use a fixed email address, the next field is Address. Enter the email address to which all messages will be sent.
About SMS Credits
Most SMS providers use a system of credits for sending messages. In Dell Networking W-ClearPass Guest SMS Services, one credit is used for each sent message. The credit is used when the message is sent, regardless of whether the recipient actually receives the message. Please review your provider’s details and pricing. To determine the number of remaining SMS credits, navigate to the Administration > SMS Gateways window.
Working with the Mobile Carriers List
If you have included SMS over SMTP gateways in your SMS gateways list, you can manage the list of SMTP carriers that are included in the Mobile Carrier drop-down list on the SMS Services > SMS Gateways > Edit SMS Gateway form.
To view or work with the Mobile Carriers list:
1. Go to Administration > SMS Services > Mobile Carriers. The Mobile Carrier List view opens.
• To edit an existing carrier, click the carrier’s row in the list, then click its Edit link. The row expands to include the Mobile Carrier Editor form for that carrier.
• When creating or editing a gateway, to include the Mobile Carrier field in the visitor’s registration form, choose Registration form will have the visitor_carrier field in the Carrier Selection drop-down list. The Mobile Carrier field is also added to the Test SMS Settings area of the forms.
5.
13. (Optional) In the Subject Line field, you may enter text for the message’s subject line. This field supports Smarty template syntax, and the number is available as {$number}. For example:
Sent to: {$number} in the year {'Y'|date}
...would produce:
Sent to: 15555551234 in the year 2012
For a Smarty template syntax description, see "Smarty Template Syntax" on page 380.
14. When all fields are completed appropriately, click Save Changes. The Mobile Carrier List is updated with the changes.
To view in-depth information about an event, click the event’s row. The form expands to show details. Click the event’s row again to close it. To view the logs for a different server when in a cluster, use the Server drop-down list above the table. To search for a particular log record, use the Keywords field above the table to enter search terms. You can use the hyphen character (-) in front of a keyword to exclude items, and you can use double quotes (" ") to group words as a key phrase.
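As an added illustration of the search syntax just described (this is not code from the guide or from the product), the following Python function parses a keyword query with the same two conventions, a leading hyphen to exclude a term and double quotes to group a phrase, and applies it to a few constructed log lines. Case-insensitive matching is an assumption of this example; the product's own matching rules are not stated here.

```python
import re

# One token per match: an optionally negated quoted phrase, or an optionally negated bare word.
TOKEN_RE = re.compile(r'(-?)"([^"]*)"|(-?)(\S+)')

# Constructed sample application-log lines (not taken from a real system).
SAMPLE_LOG = [
    "2013-05-01 09:12:03 Operator login succeeded for admin from 192.0.2.10",
    "2013-05-01 09:12:40 Operator login failed for admin from 198.51.100.7",
    "2013-05-01 09:13:05 Guest account created by admin: demo@example.com",
    "2013-05-01 09:15:22 SMS gateway test message sent",
]


def parse_query(query):
    """Split a search string into (include_terms, exclude_terms).

    '-word' or '-"a phrase"' excludes; '"a phrase"' keeps the words together;
    anything else is a required term. Terms are lower-cased for case-insensitive matching.
    """
    include, exclude = [], []
    for m in TOKEN_RE.finditer(query):
        if m.group(2) is not None:          # quoted-phrase branch matched
            negated, term = m.group(1) == "-", m.group(2)
        else:                               # bare-word branch matched
            negated, term = m.group(3) == "-", m.group(4)
        term = term.strip().lower()
        if not term or term == "-":
            continue                        # ignore empty quotes or a lone hyphen
        (exclude if negated else include).append(term)
    return include, exclude


def matches(line, include, exclude):
    """A line matches when every include term occurs and no exclude term occurs."""
    text = line.lower()
    return all(t in text for t in include) and not any(t in text for t in exclude)


def search(lines, query):
    """Return the lines of `lines` that satisfy the keyword query."""
    include, exclude = parse_query(query)
    return [line for line in lines if matches(line, include, exclude)]


if __name__ == "__main__":
    for q in ('login -failed', '"operator login" admin', 'admin -"account created"'):
        print(q, "->", len(search(SAMPLE_LOG, q)), "line(s)")
```

The phrase branch is listed first in the regular expression so that a quoted phrase is consumed whole before the bare-word branch can split it at spaces.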
2. In the Format drop-down list, choose the format you want the file saved as. The available formats are Comma-Separated Values (.CSV), HTML document (.html), Tab-Separated Values (.tsv), Text file (.txt), and XML document (.xml).
3. In the Range drop-down list, select the range of pages to save. Options include the current page only, all pages starting from the current page, or all pages starting from the first page that matched any keyword or filter criteria you entered.
4.
6. Click a result link. The online help opens in a separate browser tab with the destination displayed.

SOAP Web Services and API
SOAP Web services provide a way of transferring data across the Internet to integrate Web-based applications. Web services let businesses share data and processes programmatically, and can be added to a user interface to provide functionality. To access this feature in Dell Networking W-ClearPass Guest, you must have the SOAP Web Services plugin installed.
2. To view details for a service, click its image in the Web Service field. The row expands to include the Service URL and Service Info fields for that Web service.
3. The Service Info field briefly describes the processes this Web service provides. In the Service URL field, you can click the link to view the Web Service Description Language (WSDL) that defines that service. The WSDL opens in a new tab.
4. When you have finished reviewing the available Web services, click Done.
2. To allow operators to make WSDL requests without being logged in, mark the check box in the WSDL Access field.
3. Use the counter in the Maximum Request Size field to set the maximum size in kilobytes that will be allowed for a SOAP request.
4. In the SOAP Debugging row, use the drop-down list to set the debugging level for SOAP service requests.
About the SOAP API
The ClearPass Guest SOAP API provides direct access to the underlying functionality of Dell Networking W-ClearPass Guest. Developers wishing to provide integrated applications can make use of this API to programmatically perform actions that would otherwise require manual operation of the user interface.

Architecture Overview
The ClearPass Guest software is built using multiple layers:
• At the lowest level, the kernel provides basic functions common to the entire system.
HTTP headers
When making a SOAP API request, the SOAPAction HTTP header is required. The value of this header indicates the type of request being made. The Content-Type header must be specified as either text/xml or the application/soap+xml MIME type. The Authorization header must contain a valid HTTP Basic authentication string, as specified in RFC 2617.

Character Set Encoding
ClearPass Guest supports the Unicode character set, using the UTF-8 encoding.
Accessing SOAP Web Services
Use the List Web Services command link available from the Administration page, or go to Administration > Web Services, to access the SOAP Web Services user interface.

Configuring SOAP Web Services
Use the Configure Web Services command link to make changes to system settings affecting the SOAP API.

SOAP Debugging
Select a higher level for the SOAP Debugging configuration option to log additional details to the application log.
After you have created a suitable operator profile, create the operator login. See "Local Operator Authentication" on page 339 and "External Operator Authentication" on page 340, or refer to the "Configuring LDAP Operator Logins" article on Arubapedia.

Accessing the WSDL
Use the List Web Services command link to browse the available Web services and obtain additional details about each one.
In the Web Service field, click the icon for GuestManager Web Services to view the Service URL and additional information about the service. If the "Allow anonymous access to WSDL" option is specified in the SOAP Web Services configuration, accessing the WSDL through the specified Service URL does not require logging in to the ClearPass Guest user interface. For more information, see "Configuring Web Services" on page 311.
The Add Service Reference dialog box appears. Enter the Service URL for the GuestManager Web Services into the Address box, and click the Go button. The WSDL is downloaded, and a list of the Web services and operations found is displayed. In the Namespace text field, type in a name. This name is used to organize the automatically generated code that interfaces with the Web service. Click the OK button to create the Web service reference.
Configuring HTTP Basic Authentication
Performing a simple API call, such as the “Ping” operation described in "Operations" on page 324, can be used to verify that the Web service is correctly configured and ready for use. Because the SOAP API requires HTTP Basic authentication, ensure that you have a suitable operator profile and operator login credentials, as explained in "Using the SOAP API" on page 314. Configuring the Web service reference to use authentication requires editing the app.
When invoked, this performs the Ping operation and displays the following output:

Securing Web Services Using HTTPS
Because HTTP Basic authentication is insecure, it is strongly recommended that the HTTPS transport be used for all SOAP API calls. To use HTTPS as the transport for SOAP API requests, the following changes should be made to the application configuration file:
• The mode attribute of the tag must be changed to “Transport”.
root CA known to all parties, and use the built-in server certificate validation procedures. This will ensure the security of the transaction cannot be compromised by a man-in-the-middle attack.

API Documentation
This section describes the following:
• "XML Namespaces" on page 321
• "SOAP Addressing" on page 321
• "Types" on page 321
• "Operations" on page 324

XML Namespaces
The XML namespace for the GuestManager Web Services is: http://www.amigopod.com/go/GuestManager.
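The headers listed under "HTTP headers", the Basic-authentication requirement, and the HTTPS recommendation above can be seen together in the following Python example. It is added here and is not code from the guide or from the product: it assembles the HTTP request for a Ping call (the SOAPAction value "Ping", the envelope shape and the element names <error> and <message> in the reply are assumptions, since the guide does not print them), decodes the Basic header to show that it is only base64 and therefore needs TLS, builds a verifying TLS context instead of disabling validation, and parses a constructed reply. The service URL is a placeholder. Only the namespace and the 0/1 error-flag rule come from the guide.

```python
import base64
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace of the GuestManager Web Services, as given in the guide.
GM_NS = "http://www.amigopod.com/go/GuestManager"
# SOAP 1.1 envelope namespace (pairs with the text/xml content type).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def basic_auth_header(username, password):
    """RFC 2617 Basic credentials: base64 of 'user:password'. Encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_auth(header_value):
    """Recover user and password from a Basic header: whoever sees the header has the login."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def ping_envelope():
    """SOAP 1.1 envelope for Ping; the element name and shape are an assumption."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<Ping xmlns="{GM_NS}"/>'
        '</soap:Body></soap:Envelope>'
    )


def build_ping_request(service_url, username, password):
    """Assemble the request the guide describes. Plain http is refused because the
    Authorization header would expose the operator login to anyone on the path."""
    if urlparse(service_url).scheme != "https":
        raise ValueError("SOAP API calls must use https")
    body = ping_envelope().encode("utf-8")        # UTF-8, the encoding the guide specifies
    headers = {
        "SOAPAction": "Ping",                       # header is required; this value is assumed
        "Content-Type": "text/xml; charset=utf-8",  # one of the two permitted MIME types
        "Authorization": basic_auth_header(username, password),
        "Content-Length": str(len(body)),
    }
    return {"method": "POST", "url": service_url, "headers": headers, "body": body}


def tls_context(cafile=None):
    """Verifying TLS context: CA validation and hostname check stay on, no self-signed shortcuts."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def parse_result(xml_text):
    """Extract (error flag, message) from a standard result; element names are assumed."""
    root = ET.fromstring(xml_text)
    error = root.find(f".//{{{GM_NS}}}error")
    message = root.find(f".//{{{GM_NS}}}message")
    if error is None or (error.text or "").strip() not in ("0", "1"):
        raise ValueError("result lacks a valid error flag (only 0 and 1 are allowed)")
    msg = (message.text or "") if message is not None else ""
    return int(error.text.strip()), msg


# Constructed sample reply (not captured from a real server).
SAMPLE_PING_REPLY = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    f'<PingResponse xmlns="{GM_NS}"><result><error>0</error><message>pong</message></result>'
    '</PingResponse></soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    req = build_ping_request("https://clearpass.example.com/guest/soap/GuestManager",
                             "apiuser", "s3cret")          # placeholder URL and login
    print(req["headers"]["Authorization"], "->", decode_basic_auth(req["headers"]["Authorization"]))
    print(parse_result(SAMPLE_PING_REPLY))
```

To send the request for real, pass tls_context() to the HTTPS connection you use; the point of keeping check_hostname and CERT_REQUIRED on is exactly the man-in-the-middle concern the paragraph above raises.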
ErrorFlagType
The error flag indicates if the operation completed successfully. Only the values zero (0) and one (1) are supported.
• A successful operation is indicated with:
• A failed operation is indicated with:

IdResultType
Standard result type, with an optional element.
• Example:
• Example:

IdType
Specifies a user ID. The user ID is a positive integer value, starting at 1.
• Example:

ResultType
Operations return a standard result type.
UserResultType
Standard result type, with an optional element.
• Example of a successful operation:
• Example of an unsuccessful operation:

UserType
The User type defines a visitor account, which consists of a number of fields. The fields available may be customized in Guest Manager. Navigate to Guest Manager > Configuration > Fields to create new fields or modify existing fields. Adding or removing fields will update the UserType schema in the WSDL for GuestManager Web Services.
Operations

CreateUser
Creates a new user account.
• The standard business logic for visitor account creation applies to visitor accounts created with the SOAP API. For details, refer to the section “Business logic for account creation” in the ClearPass Guest Deployment Guide, or search for this term in the online help.
• The creator_accept_terms field must be set to the Boolean value “true” in order to create an account.
• A value for the role_id field must be specified to create a visitor account.
Example request for CreateUser:
Successful response:
Failure response:

DeleteUser
Deletes a user account by ID or matching fields.
• This operation deletes a single visitor account that matches all of the field values specified in the user parameter.
• Exactly one account must match; if more than one match is found, or if no match is found, an error will be returned and no visitor accounts will be deleted.
Example code implementing visitor account deletion:
Example request for DeleteUser:
Successful response:
Failure response:

EditUser
Modifies properties of a user account by ID.
• This operation modifies the properties of a visitor account to match the field values specified in the user parameter.
• The id field must be specified to indicate the ID of the visitor account to modify. This field is assigned by the system when the visitor account is created and cannot be changed.
Example code implementing visitor account modification:
Example request for EditUser:
Successful response:
Failure response:

FindUser
Returns properties of a user account by matching fields.
• This operation locates a single visitor account that matches all of the field values specified in the user parameter.
• Exactly one account must match; if more than one match is found, or if no match is found, an error will be returned.
• If a visitor account was found, its properties will be returned in the element of the result.
Example code implementing search for a visitor account based on a username:
Failure response:

GetUser
Returns properties of a user account by ID.
• Returns a element corresponding to the visitor account with the specified ID.
• If the specified ID is invalid, no element is returned and the flag is set to 1.
Example code implementing a guest lookup operation:
Example request for GetUser:
Successful response:
Failure response -- for example, user ID not found:

Ping
Checks that the SOAP server is alive.
• Returns a standard result type with the message set to "pong".
Example code implementing a Ping test operation:
Example request for Ping:
Successful response:
Chapter 8 Operator Logins
An operator is a company’s staff member who is able to log in to Dell Networking W-ClearPass Guest. Different operators may have different roles that can be specified with an operator profile. These profiles might be to administer the ClearPass Guest network, manage guests, or run reports. Operators may be defined locally in ClearPass Guest, or externally in an LDAP directory server.
Role-Based Access Control for Multiple Operator Profiles
Using the operator profile editor, the forms and views used in the application may be customized for a specific operator profile, which enables advanced behaviors to be implemented as part of the role-based access control model. This process is shown in the following diagram.
Figure 37 Operator profiles and visitor access control
See "About Operator Logins" on page 333 for details on configuring different forms and views for operator profiles.
The fields in the first area of the form identify the operator profile and capture any optional information:
1. You must enter a name for this profile in the Name field.
2. (Optional) You may enter additional information about the profile in the Description field.
The fields in the Access area of the form define permissions for the operator profile:
1. In the Enabled row, the Allow Operator Logins check box is selected by default. To disable a profile, unmark the Allow Operator Logins check box.
If one or more roles are selected, then only those roles will be available for the operator to select from when creating a new guest account. The guest account list is also filtered to show only guest accounts with these roles. If a database is selected in the User Roles list, but no roles within that database are selected, then all roles defined in the database will be available. This is the default option.
4. The Operator Filter may be set to limit the types of accounts that can be viewed by operators.
6. In the Account Limit row, you can enter a number to specify the maximum number of accounts an operator can create. Disabled accounts are included in the account limit. To set no limit, leave the Account Limit field blank. When you create or edit an AirGroup operator, the value you enter in the Account Limit field specifies the maximum number of devices an AirGroup operator with this profile can create.
To specify that an operator profile should use a different form when creating a new visitor account:
1. (Optional) In the Customization row, select the Override the application’s forms and views check box. The form expands to show the forms and views that can be modified. If alternative forms or views have been created, you may use the drop-down lists to specify which ones to use.
2. When you have selected the custom forms and views to use, click operator profile.
• Listing guest accounts
• Managing customization of guest accounts
• Managing print templates
• Removing or disabling guest accounts
• Resetting guest passwords
Refer to the description of each individual operator privilege to determine what the effects of granting that permission will be.

Managing Operator Profiles
Once a profile has been created, you can view it, edit it, or create new profiles.
Creating a New Operator
To create a new operator or administrator for ClearPass Guest or AirGroup, some steps are performed in ClearPass Policy Manager (CPPM), and some steps are performed in ClearPass Guest, as described below:
1. Create an operator profile in ClearPass Guest, or use an existing one. See "Operator Profiles" on page 334.
   • To create an AirGroup user, choose either the AirGroup Administrator or AirGroup Operator profile, as appropriate.
Manage LDAP Operator Authentication Servers
Dell Networking W-ClearPass Guest supports a flexible authentication mechanism that can be readily adapted to any LDAP server’s method of authenticating users by name. There are built-in defaults for Microsoft Active Directory servers, POSIX-compliant directory servers, and RADIUS servers. When an operator attempts to log in, each LDAP server that is enabled for authentication is checked, in order of priority from lowest to highest.
Table 28: Server Type Parameters
Server Type                 Required Configuration Parameters
Microsoft Active Directory
POSIX Compliant
Custom
RADIUS
Parameter descriptions:
Server URL: The URL of the LDAP server
Bind DN: The password to use when binding to the LDAP server, or empty for an anonymous bind.
Bind Password: If your LDAP server does not use anonymous bind, you must supply the required credentials to bind to the directory. (Leave this field blank to use an anonymous bind.
an error message will be displayed. See "LDAP Operator Server Troubleshooting" on page 344 for information about common error messages and troubleshooting steps to diagnose the problem. Click the Save Changes button to save this LDAP Server. If the server is marked as enabled, subsequent operator login attempts will use this server for authentication immediately.
• Test Lookup—Adds a Test Operator Lookup form in the LDAP servers list that allows you to look up sponsor names. This option is only available if sponsor lookup has been enabled for the server on the Edit Authentication Server page.

LDAP Operator Server Troubleshooting
You can use the LDAP Operator Servers list to troubleshoot network connectivity, operator authentication, and to look up operator usernames.
1. To look up a sponsor, select a server name in the LDAP Server table, then click the Test Lookup link. The Test Operator Lookup area is added to the LDAP servers list.
2. In the Lookup field, enter a lookup value. This can be an exact username, or you can include wildcards. If you use wildcards, the search might return multiple values.
3. In the Search Mode field, use the drop-down list to specify whether to search for an exact match or use wildcard values.
4.
LDAP translation rules specify how to determine operator profiles based on LDAP attributes for an authenticated operator.
To create a new LDAP translation rule:
1. Go to Administration > Operator Logins > Translation Rules, then click the Create new translation rule link. The Edit Translation Rule form opens.
2. In the Name field, enter a self-explanatory name for the translation rule. In the example above, the translation rule is to check that the user is an administrator, hence the name MatchAdmin.
3.
  - Assign custom value to operator field – uses a template to assign a value to a specific operator field. If you choose this option, the form expands to include the Custom text box for you to enter your custom template code. See "Custom LDAP Translation Processing" on page 347.
  - Apply custom processing – evaluates a template that may perform custom processing on the LDAP operator. If you choose this option, the form expands to include the Custom text box for you to enter your custom template code.
Table 30: Template Variables
Variable  Description
$attr     The name of the LDAP attribute that was matched.
$user     Contains settings for the operator, including all LDAP attributes returned from the server.
For a Smarty template syntax description, see "Smarty Template Syntax" on page 380. These may be used to make programmatic decisions based on the LDAP attribute values available at login time.
Explanation: The rule will always match on the “memberof” attribute that contains the user’s list of groups. The operator field “enabled” will determine if the user is permitted to log in or not. The custom template uses the {strip} block function to remove any whitespace, which makes the contents of the template easier to understand.
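To make the decision described in this explanation concrete, here is an added Python sketch. It is not the product's Smarty-based rule engine and not code from the guide: it evaluates a small set of constructed rules of the "assign custom value to operator field" kind against the LDAP attributes returned for an operator, setting the enabled field (and, as a second constructed rule, a profile name) from memberof. The group DNs, profile names and sample logins are assumptions. The DN comparison lower-cases and strips spacing around separators and then compares whole DNs, so a group whose name merely begins with the same text does not count as membership.

```python
import re

# Constructed group DNs used by the sample rules (assumptions, not values from the guide).
ADMIN_GROUP = "CN=ClearPass Admins,OU=Groups,DC=example,DC=com"
OPERATOR_GROUP = "CN=ClearPass Operators,OU=Groups,DC=example,DC=com"


def normalize_dn(dn):
    """Canonical form for comparing DNs: lower-case, no spaces around ',' or '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def member_of(attrs, group_dn):
    """True when the operator's memberof attribute contains exactly this group DN."""
    values = attrs.get("memberof", [])
    if isinstance(values, str):           # a single-valued attribute may arrive as a string
        values = [values]
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(v) == wanted for v in values)


def profile_for(attrs):
    """Constructed mapping from group membership to an operator profile name."""
    if member_of(attrs, ADMIN_GROUP):
        return "Administrator"
    if member_of(attrs, OPERATOR_GROUP):
        return "Operator"
    return None


# Each rule: (LDAP attribute that must be present, operator field to set, function of attrs).
# Rules are applied top to bottom, like the guide's "assign custom value" rule type.
RULES = [
    ("memberof", "enabled", lambda a: 1 if profile_for(a) is not None else 0),
    ("memberof", "profile", profile_for),
]


def translate(attrs, rules=RULES):
    """Build the operator record from LDAP attributes: each rule whose attribute was
    returned assigns its field; an operator with no matching rule stays disabled."""
    operator = {"username": attrs.get("samaccountname"), "enabled": 0, "profile": None}
    for attribute, field, compute in rules:
        if attribute not in attrs:
            continue
        operator[field] = compute(attrs)
    return operator


# Constructed LDAP results for three logins.
ADMIN_LOGIN = {"samaccountname": "jdoe",
               "memberof": ["cn=clearpass admins, ou=groups, dc=example, dc=com"]}
LOOKALIKE_LOGIN = {"samaccountname": "mallory",
                   "memberof": ["CN=ClearPass Admins Readonly,OU=Groups,DC=example,DC=com"]}
NO_GROUPS_LOGIN = {"samaccountname": "guest1"}

if __name__ == "__main__":
    for login in (ADMIN_LOGIN, LOOKALIKE_LOGIN, NO_GROUPS_LOGIN):
        print(translate(login))
```

The default of enabled = 0 matters: when the directory returns no memberof attribute at all, no rule matches and the operator is not let in by accident.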
{if $current_language == 'da'}
Indtast brugernavn og password for at
få adgang til ClearPass Guest
Kontakt Airwire (Norden) for at få demoadgang
{elseif $current_language == 'es'}
Para entrar en el web demo de ClearPass Guest,
necesitas un nombre y contraseña.
Si no tienes un login, puedes obtener uno
contactando con Aruba Networks.
Automatic Logout
The Logout After option in the Advanced Options section lets you configure an amount of idle time after which an operator’s session will be ended. The value for Logout After should be specified in hours. You can use fractional numbers for values less than an hour; for example, use 0.25 to specify a 15 minute idle timeout.
Chapter 9 The XML-RPC Interface and API
This chapter describes the XML-RPC interface available to third-party applications that will integrate with the Dell Networking W-ClearPass Guest Visitor Management Appliance.
Audience:
• Developers of integrated applications. Some familiarity with HTTP-based web services and XML-RPC is assumed.
• System administrators of the ClearPass Guest application.
System Requirements:
• ClearPass Guest 6.1.
At the lowest level, the kernel provides basic functions common to the entire system. This includes the Web interface framework, appliance operating system, and runtime support services. The network layer provides critical networking support, including the RADIUS server and the ability for network administrators to manage and control the networking aspects of the VMA. The services layer provides one or more implementations of application services that are used by the layers above.
Parameter Names
The parameter names passed to the XML-RPC interface are the same as the field names in the HTML user interface.

Parameter Validation
Each field of the forms in the HTML user interface is subject to validation according to the rules defined for that field. The same rules also apply to XML-RPC parameters. If a required field is missing, or an invalid value for a field is supplied, an error is generated by the presentation layer and returned to the XML-RPC client.
Table 32: XML-RPC Faults
Name         Type     Description
error        Flag     Set to 1 for an XML-RPC Fault
faultCode    Integer  Status code indicating the cause of the fault
faultString  String   Description of the fault
This type of return might appear as:
'error' => 1,
'faultCode' => 401,
'faultString' => 'Invalid username or password',
These are the predefined XML-RPC Fault codes:
Table 33: XML-RPC Faults
Code  Description
401   Authentication problem -- invalid username or password
404   File implementation of XML-
7. Click Save Changes. The profile is added to the Operator Profiles list.

Creating the Role
After you create the profile, the next step is to create the role:
1. In ClearPass Policy Manager, go to Configuration > Identity > Roles and click the Add User link. The Add New Role form opens.
2. Enter a name and description that clearly identify the role.
3. Click Save. The role is added to the Roles list.

Creating the Local User
After you create the role, you create the local user:
1.
2. In the Role drop-down list, choose the XML-RPC Operator role you created.
3. Complete the rest of the fields appropriately, then click Add. The new XML-RPC operator is added to the Local Users list.

Creating the Translation Rule
After you have created the profile, role, and local user (operator), create a translation rule to map the role name to the operator profile.
1. In ClearPass Guest, go to Administration > Operator Logins > Translation Rules and click the Create new translation rule link.
SSL Security
Different levels of certificate validation checks may be necessary, depending on the SSL certificate that has been installed. This corresponds to the user interface provided by Web browsers for certificate trust and verification. The examples presented in this document assume a self-signed certificate has been installed, and reduce the level of SSL verification accordingly.
• "Method amigopod.mac.edit" on page 372
• "Method amigopod.mac.list" on page 374

Method amigopod.guest.change.expiration
Change the expiration time of a guest account.
Method amigopod.guest.create
Create a new guest account.
Parameters
Name             Type     Description
sponsor_name     String   Name of the person sponsoring the guest account.
visitor_name     String   Name of the visitor.
visitor_company  String   Company name of the visitor.
email            String   The visitor's email address. This will become their username to log in to the network.
expire_after     Numeric  Amount of time before the account will expire. Specified in hours.
'visitor_name' => 'Visitor Name',
'visitor_company' => 'Visitor Company',
'email' => 'demo@example.com',
'expire_after' => 4,
'expire_time' => '',
'role_id' => 2,
'visitor_phone' => '0',
'creator_accept_terms' => 1,
Result returned by a successful operation:
'username' => 'demo@example.
Return Values This function might return a Boolean false value if some input parameters are invalid.
Parameters
Name            Type     Description
uid             Integer  ID of the guest account to edit
username        String   Name of the guest account
password        String   May be: random_password to indicate the guest account's password should be set to a random password; password_value to indicate the guest account's password should be set to the value in the password_value field; the empty string to leave the password unmodified
password_value  String   Optional password to set the guest account's password (if the password field is
Name          Type     Description
uid           Integer  ID of the guest account
*_error       String   Field-specific error message
*_error_flag  Flag     Field-specific error flag, set to 1 if present
Access Control
Requires the full_user_control privilege (Guest Manager > Full User Control in the Operator Profile Editor).
Example Usage
Sample parameters for the call:
'uid' => 162,
'username' => 'demo@example.
'enabled_error_flag' => 1, 'simultaneous_use_error' => 'Please enter a non-negative integer value.
'error' => 0,
'message' => 'Guest account has been re-enabled',
'item' => array (
  'id' => 162,
  'enabled' => 1,
  'username' => '',
),
Sample failed call:
'error' => 1,
'message' => 'Account not found: ID 162',

Method amigopod.guest.get
List one or more guest accounts.
  'username' => '44454318',
  'enabled' => '1',
  'role_id' => '2',
  'email' => '',
  'notes' => 'GuestManager account 22 of 30 created by root from 192.168.2.3',
  'do_expire' => '0',
  'expire_time' => '',
  'simultaneous_use' => '1',
  'expire_postlogin' => '0',
  'do_schedule' => '0',
  'schedule_time' => '',
  'ip_address' => '',
  'netmask' => '',
),
1 => array (
  'id' => '162',
  'username' => 'demo@example.com',
  'enabled' => '1',
  'role_id' => '2',
  'email' => 'demo@example.
Return Values
Name   Type   Description
ids    Array  Array of guest account IDs (if details was 0)
users  Array  Array of guest account structures (if details was 1)
Access Control
Requires the guest_users privilege (Guest Manager > List Guest Accounts in the Operator Profile Editor).
Example Usage
Sample parameters:
'details' => 0,
Sample successful call:
'ids' => array (
  0 => '37',
  1 => '141',
  2 => '40',
  ...
),

Method amigopod.guest.reset.password
Reset a guest account's password to a random value.
Access Control
Requires the reset_password privilege (Guest Manager > Reset Password in the Operator Profile Editor).
Example Usage
Sample parameters for the call:
'uid' => 162,
Sample successful call:
'error' => 0,
'message' => 'Guest account password reset for Password changed to 37172833',
'item' => array (
  'id' => 162,
  'password' => '37172833',
  'username' => '',
),
Sample failed call:
'error' => 1,
'message' => 'Account not found: ID 162',

Method amigopod.mac.create
Create a new MAC device account.
Return Values
Name          Type     Description
error         Flag     Set to 1 if the device account was not created
id            Integer  Set to the ID of the device account if the account was created
password      String   Set to a randomly-generated value (default behavior only)
*_error       String   Field-specific error message
*_error_flag  Flag     Field-specific error flag, set to 1 if present
Access Control
Requires the mac_create privilege (Guest Manager > Create New MAC Authentication in the Operator Profile Editor).
'visitor_name_error' => 'You cannot leave this field blank.',
'visitor_name_error_flag' => 1,
'visitor_company_error' => 'You cannot leave this field blank.',
'visitor_company_error_flag' => 1,
'email_error' => 'Please enter a valid email address.',
'email_error_flag' => 1,
'expire_after_error' => 'Please choose from one of the available options.',
'expire_after_error_flag' => 1,
'expire_time_error' => 'Please enter a valid date and time.
Name              Type     Description
expire_time       String   Time at which the device account will expire
expire_postlogin  Integer  Time period for which the device account will be valid after the first login, or 0 for indefinitely

Name     Type     Description
error    Flag     Set to 1 if the device account was not modified
message  String   Message describing the success or failure of the operation
item     Struct   User structure containing updated field values
uid      Integer  ID of the device account
*_error  String   Field-spe
  'do_schedule' => 0,
  'do_expire' => 4,
  'expire_postlogin' => 0,
  'role_name' => 'Guest',
  'expire_time' => 1196431200,
),
Sample failed call:
'uid' => 162,
'random_password' => '59447116',
'password_value' => '',
'schedule_time' => '',
'expire_time' => '',
'user_enabled' => '',
'username_error' => 'You cannot leave this field blank.
Access Control
Requires the mac_list privilege (Guest Manager > List MAC Authentication Accounts in the Operator Profile Editor).
Example Usage
Sample parameters:
'details' => 0,
Sample successful call:
'ids' => array (
  0 => '37',
  1 => '141',
  2 => '40',
  ...
),
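The fault structure of Table 32, the Boolean false return noted for amigopod.guest.create, and the per-field *_error / *_error_flag convention used by the method results in this chapter can all be handled by one small client-side helper. The following Python is an added example, not code from the guide or from the product; the result structures it checks are constructed from the samples shown above. It also builds an xmlrpc.client proxy that keeps full certificate verification on, instead of the reduced verification the guide's own examples assume, and passes the operator login in the URL, which xmlrpc.client turns into an HTTP Basic Authorization header. The endpoint URL and login are placeholders; only fault code 401 is listed because its description is the one reproduced in full above.

```python
import ssl
import xmlrpc.client

# Predefined XML-RPC fault code from Table 33 (the only one whose description is complete here).
FAULT_CODES = {401: "Authentication problem -- invalid username or password"}


def make_client(url, cafile=None):
    """ServerProxy over HTTPS with CA and hostname verification left on.

    xmlrpc.client reads 'user:password@' from the URL and sends HTTP Basic auth,
    which is why plain http is refused: the login would cross the network unprotected.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("XML-RPC endpoint must be https")
    return xmlrpc.client.ServerProxy(url, context=ssl.create_default_context(cafile=cafile))


def field_errors(result):
    """Collect {field: message} for every '<field>_error_flag' set to 1 in a result struct."""
    suffix = "_error_flag"
    errors = {}
    for key, value in result.items():
        if key.endswith(suffix) and value == 1:
            field = key[: -len(suffix)]
            errors[field] = result.get(field + "_error", "")
    return errors


def interpret(result):
    """Classify what an amigopod.* method returned.

    Returns a dict with 'status' in {'ok', 'failed', 'fault', 'invalid'}, a 'message',
    and 'field_errors' so the caller can report validation problems per parameter.
    """
    if not isinstance(result, dict):
        # e.g. amigopod.guest.create may return Boolean false when input parameters are invalid
        return {"status": "invalid", "message": "method returned %r" % (result,), "field_errors": {}}
    if result.get("error") == 1 and "faultCode" in result:
        code = result["faultCode"]
        return {"status": "fault", "code": code,
                "message": result.get("faultString") or FAULT_CODES.get(code, "unknown fault"),
                "field_errors": {}}
    errors = field_errors(result)
    if result.get("error") == 1 or errors:
        return {"status": "failed", "message": result.get("message", ""), "field_errors": errors}
    return {"status": "ok", "message": result.get("message", ""), "field_errors": {}}


# Constructed result structs modelled on the samples in this chapter.
FAULT = {"error": 1, "faultCode": 401, "faultString": "Invalid username or password"}
ENABLED_OK = {"error": 0, "message": "Guest account has been re-enabled",
              "item": {"id": 162, "enabled": 1, "username": ""}}
NOT_FOUND = {"error": 1, "message": "Account not found: ID 162"}
CREATE_REJECTED = {"error": 1,
                   "visitor_name_error": "You cannot leave this field blank.",
                   "visitor_name_error_flag": 1,
                   "email_error": "Please enter a valid email address.",
                   "email_error_flag": 1}

if __name__ == "__main__":
    client = make_client("https://apiuser:CHANGE-ME@clearpass.example.com/xmlrpc")  # placeholder
    for r in (FAULT, ENABLED_OK, NOT_FOUND, CREATE_REJECTED, False):
        print(interpret(r))
```

A call such as client.amigopod.guest.get({"details": 0}) would then be wrapped in interpret() so that a 401 fault, an "Account not found" failure and a validation rejection each reach the caller as a distinct status rather than as an unchecked struct.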
Chapter 10 Reference
This chapter includes the following sections:
• "Basic HTML Syntax" on page 377
• "Standard HTML Styles" on page 378
• "Smarty Template Syntax" on page 380
• "Date/Time Format Syntax" on page 395
• "Programmer’s Reference" on page 397
• "Field, Form, and View Reference" on page 403
• "LDAP Standard Attributes for User Class" on page 421
• "Regular Expressions" on page 422

Basic HTML Syntax
Dell Networking W-ClearPass Guest allows different parts of the user interface to
Item             HTML Syntax
Text Formatting  words to be made bold
                 equivalent syntax
                 words to be made italic
                 equivalent syntax
                 words to underline
                 Shown in fixed-width font
                 Uses CSS formatting
                 Uses predefined style
Hypertext Link   text to click on
                 – XHTML equivalent

Table 36: Formatting Classes

Class Name  Applies To    Description
nwaIndent   Tables        Indent style used in tables
nwaLayout   Tables        Used when you want to lay out material in a table without the material looking as if it is in a table; in other words, without borders
nwaContent  Tables        Class used for a standard table with borders
nwaTop      Table Header  Table heading at top
nwaLeft     Table Header  Left column of table
nwaRight    Table Header  Right column of table
nwaBottom   Table Header  Table heading at
Smarty Template Syntax

Dell Networking W-ClearPass Guest’s user interface is built using the Smarty template engine. This template system separates the program logic and visual elements, enabling powerful yet flexible applications to be built. When customizing template code that is used within the user interface, you have the option of using Smarty template syntax within the template. Using the programming features built into Smarty, you can add your own logic to the template.
The condition tested in the {if} … {/if} block should be a valid PHP expression. The {else} tag does not require a closing tag.

Script Blocks

The brace characters { and } are specially handled by the Smarty template engine.
Modifiers

Smarty provides modifiers that can be used to gain greater control over the formatting of data. Modifiers can be included by following a variable with a vertical bar | and the name of the modifier. Any arguments to the modifier can be specified using a colon : followed by the arguments.
The contents of the variable are printed in a block. Use the attribute “export=1” to use PHP’s var_export() format, or omit this attribute to get the default behavior, PHP’s var_dump() format. Use the attribute “html=1” to escape any HTML special characters in the content. This can also be done with the attribute “export=html”, and is recommended for use in most situations (so that any embedded HTML is not interpreted by the browser).
• The “width” and “height” parameters, if specified, provide the dimensions of the icon to display. If not specified, this is automatically determined from the image.
• The “onclick” parameter, if specified, provides the contents for the onclick attribute of the link.
• The “target” parameter, if specified, provides the contents for the target attribute of the link.
• The “alt” parameter, if specified, sets the ALT attribute of the icon. If not specified, the default alt text used is the icon text.
Smarty registered block function. Quotes its content in a string format suitable for use in JavaScript. This function also translates UTF-8 sequences into the corresponding JavaScript Unicode escape sequence (\uXXXX).

Usage example:

    {nwa_quotejs}String with ' and "{/nwa_quotejs}

The output of this will be:

    'String with \' and \"'

The “body” parameter, if set, indicates that the string quotes are already supplied; in this case the beginning and ending quotes are not included in the output.
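As an added illustration of the quoting behaviour described above (written in Python as a stand-in, not the product’s own PHP implementation of nwa_quotejs), the function below escapes quotes and backslashes, turns every non-ASCII or control character into a \uXXXX escape (astral characters become a surrogate pair), and with body=True omits the surrounding quotes. Escaping < and > is an extra step not described for nwa_quotejs; it stops an embedded </script> from closing the enclosing script block.

```python
# Constructed example: JavaScript string quoting in the style of nwa_quotejs.
# Python stand-in for illustration; not the product's PHP code.

def quote_js(text: str, body: bool = False) -> str:
    """Return `text` as a single-quoted JavaScript string literal.

    Everything outside printable ASCII is written as a \\uXXXX escape, so the
    result is pure ASCII and keeps its meaning regardless of the page's charset.
    With body=True the surrounding quotes are omitted, as for the "body" parameter.
    """
    out = []
    for ch in text:
        cp = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch in ("'", '"'):
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif ch in ("<", ">") or cp < 0x20 or cp > 0x7E:
            # \uXXXX escapes. JavaScript has no single \u form for code points
            # above U+FFFF, so those are emitted as a UTF-16 surrogate pair.
            if cp > 0xFFFF:
                cp -= 0x10000
                out.append("\\u%04X\\u%04X" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
            else:
                out.append("\\u%04X" % cp)
        else:
            out.append(ch)
    quoted = "".join(out)
    return quoted if body else "'" + quoted + "'"


def script_assignment(var_name: str, value: str) -> str:
    """Build `var NAME = '...';` so an untrusted value can sit inside a page script."""
    return "var %s = %s;" % (var_name, quote_js(value))


if __name__ == "__main__":
    # Constructed inputs: the guide's own example plus a few awkward cases.
    samples = ("String with ' and \"", "caf\u00e9", "</script><script>alert(1)</script>", "\U0001F600")
    for sample in samples:
        print(quote_js(sample))
```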
Changes the RADIUS role assigned to the user. If the user currently has active sessions, this function will trigger an RFC 3576 Change-of-Authorization (CoA) Request to the network access server. The $username parameter specifies the user account to modify; use the expression GetAttr('User-Name') to use the value from the RADIUS User-Name attribute. The $role_name parameter specifies the name of the RADIUS User Role to apply to the user.
Because different NAS equipment can send differently-formatted MAC addresses in the Calling-Station-Id attribute, the $mac_format argument may be specified. This should be a sprintf-style format string that accepts 6 arguments (the octets of the MAC address). The default if not specified is the IEEE 802 standard format, %02X-%02X-%02X-%02X-%02X-%02X – that is, uppercase hexadecimal with each octet separated with a hyphen. This string matches what ClearPass Guest sees from the NAS.
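The $mac_format idea above, as an added Python example (not the product’s PHP code): a Calling-Station-Id is parsed into its six octets whatever separator the NAS used, then re-rendered with a sprintf-style format, which Python’s % operator accepts unchanged. The sample Calling-Station-Id values are constructed.

```python
import re

# Default named in the guide: IEEE 802 style, uppercase hex, hyphen separated.
# Python's % operator understands the same sprintf-style %02X / %02x conversions,
# so any six-argument format string from the guide can be used as-is.
IEEE802_FORMAT = "%02X-%02X-%02X-%02X-%02X-%02X"


def parse_mac(raw):
    """Extract the six octets from a Calling-Station-Id as different NASs send it.

    Accepts hyphen (00-11-22-33-44-55), colon (00:11:22:33:44:55), Cisco dotted
    (0011.2233.4455) and bare 12-digit hex forms. Returns a tuple of six ints,
    or None when the value is not a MAC address at all.
    """
    hexdigits = re.sub(r"[-:.\s]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        return None
    return tuple(int(hexdigits[i:i + 2], 16) for i in range(0, 12, 2))


def format_mac(raw, mac_format=IEEE802_FORMAT):
    """Re-render a NAS-supplied MAC in the configured format, or None if unparseable."""
    octets = parse_mac(raw)
    if octets is None:
        return None
    return mac_format % octets


def same_station(a, b):
    """True when two Calling-Station-Id values name the same device, whatever their formatting.

    Comparing the raw strings instead would treat '00:1A:2B:3C:4D:5E' and
    '001a.2b3c.4d5e' as different devices and break MAC authentication lookups.
    """
    pa, pb = parse_mac(a), parse_mac(b)
    return pa is not None and pa == pb


if __name__ == "__main__":
    # Constructed samples: one station as three NAS vendors might report it.
    samples = ["00:1a:2b:3c:4d:5e", "001a.2b3c.4d5e", "00-1A-2B-3C-4D-5E", "001A2B3C4D5E"]
    for s in samples:
        print("%-20s -> %s" % (s, format_mac(s)))
    print(format_mac(samples[1], "%02x:%02x:%02x:%02x:%02x:%02x"))
```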
    'acctterminatecause' => NULL,
    'servicetype' => '',
    'framedipaddress' => '192.168.2.3',
    'framedprotocol' => '',
    'acctauthentic' => '',
    'nastype' => 'cisco_3576',
    'nas_name' => 'centos',
    'total_traffic' => 0,
    'state' => 'stale',
    'traffic_input' => 0,
    'traffic_output' => 0,
    'traffic_usage' => 0,
    'session_time' => 29641260,
)

GetIpAddressCurrentSession()

GetIpAddressCurrentSession($ip_addr = null)

Looks up the current (most recent) active session for the specified client IP address.
This is a multi-purpose function that has a very flexible query interface. For ease of use, consider using one of the related functions "GetCallingStationSessions()" on page 386, "GetIpAddressSessions()" on page 388, "GetUserActiveSessions()" on page 390, or "GetUserSessions()" on page 390. $criteria is the criteria on which to search for matching accounting records. As well as the criteria specified, the time interval specified by $from_time and optionally $to_time is also used to narrow the search.
Calculate the sum of traffic counters for accounting records in the database. This is a multi-purpose function that has a very flexible query interface. For ease of use, consider using one of the related functions "GetCallingStationTraffic()" on page 386, "GetIpAddressTraffic()" on page 388, or "GetUserTraffic()" on page 391. $criteria is the criteria on which to search for matching accounting records.
GetUserTime($username, $from_time, $to_time = null)

Calculate the sum of session times in a specified time interval. See "GetTraffic()" on page 389 for details on how to specify the time interval.

GetUserTraffic()

GetUserTraffic($username, $from_time, $to_time = null, $in_out = null)

Calculate the sum of traffic counters in a time interval. Sessions are summed if they have the same User-Name attribute as that specified in the RADIUS Access-Request.
Smarty registered template function. Creates a unique identifier and assigns it to a named page variable. Identifiers are unique for a given page instantiation. Usage example: {nwa_makeid var=some_id} The “var” parameter specifies the page variable that will be assigned. Alternative usage: {nwa_makeid var=some_id file=filename} The “file” parameter specifies a file which contains a unique ID. This allows issued IDs to be unique across different page loads.
• enter_level1_item
• enter_level2_item
• enter_level3_item
• exit_level1_item
• exit_level2_item
• exit_level3_item
• between_level1_items
• between_level2_items
• between_level3_items
• level1_active
• level1_inactive
• level2_active
• level2_inactive
• level2_parent_active
• level2_parent_inactive
• level3_active
• level3_inactive
• enter_level1
• enter_level2
• enter_level3
• exit_level1
• exit_level2
• exit_level3

nwa_plugin

{nwa_plugin …}

Smarty registere
    {nwa_privilege access=create_user} .. content .. {/nwa_privilege}

The “access” parameter specifies the name of a privilege to check for any access.

    {nwa_privilege readonly=create_user} .. content .. {/nwa_privilege}

The “readonly” (synonym “ro”) parameter specifies the name of a privilege to check for read-only access. Be aware that an operator with read-write access also has read-only access.
Smarty registered block function. Provides simple support for embedding a YouTube video in the body of a page. The content of this block is the initial “alternate content” that will be presented until the YouTube player can be embedded (if it can be embedded). Not all devices are capable of playing back YouTube video content. Usage example: {nwa_youtube video=Y7dpJ0oseIA width=320 height=240} YouTube is the world’s most popular online video community.
Preset Name  Date/Time Format          Example
rfc822       %a, %d %b %Y %H:%M:%S %Z  Mon, 07 Apr 2008 14:13:45 EST
displaytime  %l:%M %p                  2:13 PM
recent       –                         2 minutes ago

The % items on the right-hand side are the same as those supported by the PHP function strftime(). If the string “?:” is present, the string following the “?:” is returned when the time value is 0; otherwise, the format string up to the “?:” is used.
Format  Result
%B      Full month name for the current locale
%c      Preferred date and time representation for the current locale
%C      Century number (2-digit number, 00 to 99)
%d      Day of the month as a decimal number (01 to 31)
%D      Same as %m/%d/%y
%e      Day of the month as a decimal number; a single digit is preceded by a space (‘ 1’ to ‘31’)
%h      Same as %b
%H      Hour as a decimal number (00 to 23)
%l      Hour as a decimal number (01 to 12)
%m      Month as a decimal number (01 to 12)
%M      Minute as a decimal num
• "NwaByteFormatBase10" on page 398
• "NwaComplexPassword" on page 399
• "NwaCsvCache" on page 399
• "NwaDigitsPassword($len)" on page 399
• "NwaDynamicLoad" on page 399
• "NwaGeneratePictureString" on page 399
• "NwaGenerateRandomPasswordMix" on page 399
• "NwaLettersDigitsPassword" on page 400
• "NwaLettersPassword" on page 400
• "NwaMoneyFormat" on page 400
• "NwaParseCsv" on page 400
• "NwaParseXml" on page 401
• "NwaPasswordByComplexity" on page 401
• "NwaSmsIsValidPhoneNumbe
NwaComplexPassword

NwaComplexPassword($len = 8)

Generates complex passwords of at least $len characters in length, where $len must be at least 4. A complex password includes at least one each of a lowercase character, an uppercase character, a digit, and a punctuation (symbol) character.

NwaCsvCache

NwaCsvCache($csv_file, $use_cache = true, $options = null)

Loads and parses the contents of a CSV file, using a built-in cache. The cache may be cleaned for a specific file by setting $use_cache to false.
NwaLettersDigitsPassword

NwaLettersDigitsPassword($len)

Generates an alphanumeric password of $len characters in length consisting of lowercase letters and digits.

NwaLettersPassword

NwaLettersPassword($len)

Generates a password of $len characters in length consisting of lowercase letters.

NwaMoneyFormat

NwaMoneyFormat($amount, $format = null)

Formats a monetary amount for display purposes. The current page language is used to adjust formatting to the country specified.
Option        Description
max_records   Maximum number of records to return
max_fields    Maximum number of fields per record
skip_records  Number of records to skip at start of input
skip_fields   Number of fields to skip at start of each record
sort          Post-processing option; order string for NwaCreateUsortFunc to sort the records by the specified column(s)
slice_offset  Post-processing option: starting offset of slice to return; see array_slice() function
slice_length  Post-processing option: length of slic
• If the first character is a plus sign (+), the phone number is assumed to be in E.164 format already and the plus sign is removed; otherwise, if the SMS service handler national prefix is set and the phone number starts with that prefix, then the prefix is replaced with the country code.
• The phone number must contain no fewer than 5 and no more than 15 digits.
• The phone number is validated for a valid country code prefix.
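The three normalization rules above carried through in Python, as an added example rather than the product’s NwaSmsIsValidPhoneNumber code. The country-code table is a constructed subset, and stripping spaces, dots, brackets and hyphens before the checks is this example’s own convenience, not a rule the guide states.

```python
import re

# Constructed, deliberately small set of E.164 country calling codes used for the
# prefix check; a real deployment would carry the full ITU-T assignment list.
COUNTRY_CODES = {"1", "7", "20", "33", "44", "49", "61", "81", "91", "353", "852", "971"}


def normalize_phone(number, country_code, national_prefix=None):
    """Return the number as E.164 digits (no '+'), or None if it fails validation.

    country_code and national_prefix stand for the SMS service handler settings the
    guide refers to, e.g. country_code="61", national_prefix="0" for Australia.
    """
    # Convenience (assumption of this example): ignore the punctuation operators
    # habitually type, such as "(02) 9876 5432", before applying the rules.
    cleaned = re.sub(r"[\s().-]", "", number.strip())

    if cleaned.startswith("+"):
        # Rule 1a: already E.164, drop the plus sign and keep the rest.
        candidate = cleaned[1:]
    elif national_prefix and cleaned.startswith(national_prefix):
        # Rule 1b: national (trunk) prefix present, replace it with the country code.
        candidate = country_code + cleaned[len(national_prefix):]
    else:
        candidate = cleaned

    # Rule 2: only digits may remain, and there must be between 5 and 15 of them.
    if not re.fullmatch(r"[0-9]{5,15}", candidate):
        return None

    # Rule 3: the number must begin with a known country calling code.
    if not any(candidate.startswith(cc) for cc in COUNTRY_CODES):
        return None
    return candidate


def is_valid_phone(number, country_code, national_prefix=None):
    """Boolean form of the same check, mirroring the validator's accept/reject role."""
    return normalize_phone(number, country_code, national_prefix) is not None


if __name__ == "__main__":
    # Constructed inputs covering each rule and each failure mode.
    for raw in ("0412 345 678", "+44 20 7946 0958", "(02) 9876 5432", "+999 123456", "1234", "call me"):
        print("%-20s -> %s" % (raw, normalize_phone(raw, "61", "0")))
```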
NwaWordsPassword

NwaWordsPassword($len)

Generates a password consisting of two randomly chosen words, separated by a small number (1 or 2 digits); that is, in the format word1XXword2. The random words selected will have a maximum length of $len characters, and a minimum length of 3 characters. $len must be at least 3.
Field                    Description
change_of_authorization  Boolean flag indicating that any existing sessions for a visitor account should be disconnected or modified using RFC 3576. If this field is not specified on a form that modifies the visitor account, the default value is taken from the configuration for the RADIUS Services plugin. Set this field to a non-zero value or a non-empty string to enable RFC 3576 updates for active sessions.
Field                 Description
dynamic_session_time  Integer. The maximum session time that would be allowed for the account, if an authorization request was to be performed immediately. Measured in seconds. Set to 0 if the account is either unlimited (dynamic_is_expired is false), or if the account has expired (dynamic_is_expired is true). This field is available when modifying an account using the change_expiration or guest_edit forms.
email                 String. Email address for the account.
Field                    Description
modify_expire_postlogin  String. Value indicating how to modify the expire_postlogin field. This field is only of use when editing a visitor account.
• “now” to activate the account immediately;
• “schedule_time” to use the activation time specified in the schedule_time form field (normally a UNIX time, but may be 0 to disable activation time);
• “schedule_after” to set the activation time to the current time plus the number of hours in the schedule_after field;
• “plus X”, where X is a time measurement, to extend the activation time by X.
Field            Description
password2        String. Password for the account. If this field is set, its value must match the value of the password field for the account to be created or updated. This can be used to verify that a password has been typed correctly. This field controls account creation and modification behavior; it is not stored with created or modified visitor accounts.
password_action  String. Controls the password changing behavior for a guest account.
• nwa_strong_password to create a password using a combination of digits, uppercase letters, lowercase letters, and some punctuation. Certain characters are omitted from the password. The length of the password is specified by the random_password_length field.
• nwa_complex_password to create a complex password string which contains uppercase letters, lowercase letters, digits and symbol characters.
Field                    Description
random_username_picture  String. The format string to use when creating a username, if the random_username_method field is set to nwa_picture_password. See "Format Picture String Symbols" on page 414 for a list of the special characters that may be used in the format string.
remote_addr              String. The IP address of the guest at the time the guest account was registered. This field may be up to 20 characters in length. The value of this field is not currently used by the system.
Hotspot Standard Fields

The table below describes standard fields available for the Hotspot form.

Table 44: Hotspot Standard Fields

Field        Description
address      String. The visitor’s street address.
card_code    String. The 3 or 4 digit cardholder verification code printed on the credit card. This field is only used during transaction processing.
card_expiry  String. Credit card expiry date. This field is only used during transaction processing.
card_name    String. Name shown on the credit card.
Table 45: SMS Services Standard Fields

Field                Description
auto_send_sms        Boolean. Flag indicating that an SMS receipt should be automatically sent upon creation of the account.
sms_auto_send_field  String. This field specifies the name of the field that contains the auto-send flag. If blank or unset, the default value from the SMS plugin configuration is used. Additionally, the special values “_Disabled” and “_Enabled” may be used to never send an SMS or always send an SMS, respectively.
Field             Description
smtp_email_field  String. This field specifies the name of the field that contains the visitor’s email address. If blank or unset, the default value from the email receipt configuration is used. Additionally, the special value _None indicates that the visitor should not be sent any email.
smtp_enabled      String. This field may be set to a non-zero value to enable sending an email receipt. If unset, the default value from the email receipt configuration is used.
Field             Description
warn_before_from  String. This field overrides the Override From field under the Logout Warnings on the email receipt. If the value is “default”, the Override From field under Logout Warnings from the email receipt configuration is used.
• IsArrayValue – Checks that the value is one of the values in the array supplied as the argument to the validator.
• IsEqual – Checks that the value is equal to the value supplied as the argument to the validator, allowing for standard type conversion rules.
• IsGreaterThan – Checks that the value is strictly greater than a specified minimum value supplied as the argument to the validator.
  - Wildcard matching may be used on domain names: the prefix ‘*.’ means match any domain that ends with the given suffix. A ‘*’ component can also be used inside the hostname, and will match zero or more domain name components.
  - If the ‘allow’ list is empty or unset, the default behavior is to accept ALL domains other than those listed in the ‘deny’ list.
  - If the ‘deny’ list is empty or unset, the default behavior is to deny ALL domains other than those listed in the ‘allow’ list.
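The allow/deny domain rules above as an added Python example (not the product’s own validator code): each pattern becomes an anchored regex in which a ‘*’ label matches zero or more domain components, so ‘*.example.com’ cannot be satisfied by ‘example.com.evil.org’. When both lists are populated, requiring an allow match and no deny match is this example’s assumption; the page does not state the precedence.

```python
import re


def _domain_regex(pattern):
    """Compile one allow/deny entry into a regex over the domain written with a trailing dot.

    Literal labels must match exactly; a '*' label matches zero or more labels.
    Matching against 'host.example.com.' lets every label, literal or wildcard,
    own the dot that follows it, which keeps the regex uniform and fully anchored.
    """
    parts = []
    for label in pattern.lower().split("."):
        if label == "*":
            parts.append(r"(?:[^.]+\.)*")          # zero or more components
        else:
            parts.append(re.escape(label) + r"\.")  # exactly this component
    return re.compile("^" + "".join(parts) + "$")


def domain_matches(domain, patterns):
    """True if the domain matches any pattern in the list (case-insensitive)."""
    fqdn = domain.lower().rstrip(".") + "."
    return any(_domain_regex(p).match(fqdn) for p in patterns)


def email_domain_allowed(email, allow=(), deny=()):
    """Apply the allow/deny rules to the domain part of an email address.

    - allow empty: accept every domain not matched by deny.
    - deny empty:  accept only domains matched by allow.
    - both set:    must match allow and must not match deny (assumption, see lead-in).
    Addresses without exactly one '@' are rejected rather than guessing the domain.
    """
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1]
    if not domain:
        return False
    if allow and not domain_matches(domain, allow):
        return False
    if deny and domain_matches(domain, deny):
        return False
    return True


if __name__ == "__main__":
    # Constructed policy: corporate sub-domains only, but never the guest relay.
    policy = dict(allow=["*.example.com"], deny=["guest.example.com"])
    for addr in ("alice@mail.example.com", "bob@example.com.evil.org", "carol@guest.example.com"):
        print("%-28s -> %s" % (addr, email_domain_allowed(addr, **policy)))
```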
  - no_zero – if set to true, zero is not accepted as a valid value.
  - only_integer – if set to true, decimal numbers are not accepted and only integer values are valid.
• IsValidPassword2 – Checks that the value is a valid password that satisfies certain requirements. The validator argument must be an array describing which of the following requirements to check. To perform any password checking, the “minimum_length” and “complexity_mode” fields must be specified.
Form Field Conversion Functions

The Conversion and Value Format functions that are available are listed below:

• NwaConvertOptionalDateTime – Converts a string representation of a time to the UNIX time representation (integer value). The conversion leaves blank values unmodified.
• NwaConvertOptionalInt – Converts a string representation of an integer to the equivalent integer value. The conversion leaves blank values unmodified.
Function       Description
NwaDateFormat  Format a date like the PHP function strftime(), using the argument as the date format string. Returns a result guaranteed to be in UTF-8 and correct for the current page language.
View Display Expression Technical Reference A page that contains a view is displayed in an operator’s Web browser. The view contains data that is loaded from the server dynamically. Because of this, both data formatting and display operations for the view are implemented with JavaScript in the Web browser. For each item displayed in the view, a JavaScript object is constructed. Each field of the item is defined as a property of this object.
Value        Description
Nwa_NumberFormat(value[, if_undefined])
Nwa_NumberFormat(value, decimals)
Nwa_NumberFormat(value, decimals, dec_point, thousands_sep[, if_undefined])
             Converts a numerical value to a string. If the value has an undefined type (in other words, has not been set), and the if_undefined parameter was provided, returns if_undefined.
Regular Expressions

The characters shown in Table 52 can be used to perform pattern matching tasks using regular expressions.

Table 52: Regular Expressions for Pattern Matching

Regex  Matches
a      Any string containing the letter “a”
^a     Any string starting with “a”
^a$    Only the string “a”
a$     Any string ending with “a”
.      Any single character
\.     A literal “.
Chapter 11 Glossary

802.1X  IEEE standard for port-based network access control.
Access-Accept  Response from a RADIUS server indicating successful authentication, and containing authorization information.
Access-Reject  Response from a RADIUS server indicating a user is not authorized.
Access-Request  RADIUS packet sent to a RADIUS server requesting authorization.
Accounting-Request  RADIUS packet type sent to a RADIUS server containing accounting summary information.

EAP  Extensible Authentication Protocol (RFC 3748). An authentication framework that supports multiple authentication methods.
EAP-PEAP  Protected EAP. A widely used protocol for securely transporting authentication data across a network.
EAP-TLS  Extensible Authentication Protocol – Transport Layer Security (RFC 5216). A certificate-based authentication method supporting mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints.

public key  The part of a public/private key pair that is made public. The public key is used to encrypt a message; the recipient’s private key is required to decrypt the message. A large part of a digital certificate is the certificate owner’s public key.
QuickConnect App  Application used to securely provision an Android, Windows, or OS X device and configure it with network settings.
RFC  Request For Comments; a commonly used format for Internet standards documents.
role  Type of access being granted.