Dell Networking W-ClearPass Policy Manager 6.
Copyright Information
Copyright © 2013 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents
Configuring Policy Manager
  Installing Policy Manager
  Server Port Overview
  Server Port Configuration
  A Subset of Useful CLI Commands
Accessing Policy Manager
  Accessing Help
Checking Basic Services
802.1x Wireless Use Case
  Configuring the Service
Web Based Authentication Use Case
  Configuring the Service
MAC Authentication Use Case
  Configuring the Service
Chapter 1
Configuring Policy Manager

This Quick Start Guide for the Dell Networking W-ClearPass Policy Manager System (Policy Manager) describes the steps for installing the appliance using the Command Line Interface (CLI) and using the User Interface (UI) to ensure that the required services are running.

Installing Policy Manager
The Policy Manager server requires initial port configuration.
Required Item (record the Item Information for each before you begin):
- Hostname (Policy Manager server)
- Management Port IP Address
- Management Port Subnet Mask
- Management Port Gateway
- Data Port IP Address (optional). Data Port IP Address must not be in the same subnet as the Management Port IP Address
- Data Port Gateway (optional)
- Data Port Subnet Mask (optional)
- Primary DNS
- Secondary DNS
- NTP Server (optional)

To set up the Policy Manager appliance:
1. Connect and power on.
Enter Secondary DNS: 192.168.5.1
4. Change your password. Use any string of at least six characters:
New Password:************
Confirm Password:************
Going forward, you will use this password for cluster administration and management of the appliance.
5. Change system date/time.
Do you want to configure system date time information [y|n]: y
Please select the date time configuration options.
Flag/Parameter    Description
ip                - Network interface type: mgmt or data
                  - Server ip address.
netmask           Netmask address.
gateway           Gateway address.
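A pre-check for the port values gathered above, written as an added example (it is not part of the Dell guide or the appliance CLI). It enforces the guide's rule that the data port must not be in the management subnet; the gateway-inside-subnet check is an assumption from general IP routing, and all addresses are constructed samples.

```python
import ipaddress

def _iface(label, ip, mask, problems):
    """Parse ip + netmask; record a problem instead of raising on bad input."""
    try:
        return ipaddress.ip_interface(f"{ip}/{mask}")
    except ValueError as exc:
        problems.append(f"{label}: invalid address or netmask ({exc})")
        return None

def _check_gateway(label, iface, gw, problems):
    """Assumption (general IP routing, not stated in the guide): the gateway
    must be an address inside the port's own subnet."""
    if gw is None:          # the data port gateway is optional
        return
    try:
        if ipaddress.ip_address(gw) not in iface.network:
            problems.append(f"{label}: gateway {gw} is outside {iface.network}")
    except ValueError:
        problems.append(f"{label}: invalid gateway {gw!r}")

def check_port_plan(mgmt, data=None):
    """mgmt and data are (ip, netmask, gateway) tuples; data may be None.
    Returns a list of problems; an empty list means the plan is consistent."""
    problems = []
    m = _iface("management port", mgmt[0], mgmt[1], problems)
    if m is not None:
        _check_gateway("management port", m, mgmt[2], problems)
    if data is not None:
        d = _iface("data port", data[0], data[1], problems)
        if d is not None:
            _check_gateway("data port", d, data[2], problems)
            # Rule from the guide: the data port must not sit in the
            # management subnet. overlaps() also catches a data subnet
            # nested inside it because of a different mask.
            if m is not None and m.network.overlaps(d.network):
                problems.append(
                    f"data port {d.ip} overlaps management subnet {m.network}")
    return problems

# Constructed sample values.
MGMT = ("192.168.5.10", "255.255.255.0", "192.168.5.1")
GOOD_DATA = ("10.20.0.10", "255.255.0.0", None)
BAD_DATA = ("192.168.5.130", "255.255.255.128", "192.168.5.129")
```

BAD_DATA uses a different mask from the management port, so a plain comparison of the two masks or network addresses would miss that it still falls inside the management subnet.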
Chapter 2
Accessing Policy Manager

Use Firefox 3.0 (or higher) or Internet Explorer 7.0.5 (or higher) to perform the following steps:
1. Open the administrative interface. Navigate to https://<hostname>/tips (where <hostname> is the hostname you configured during the initial configuration).
2. Enter License Key.
3. Click on the Activate Now link.
4. Activate the product. If the appliance is connected to the Internet, click on the Activate Now button.
5. Login. Username: admin, Password: eTIPS123
6. Change the password. Navigate to Administration > Admin Users, then use the Edit Admin User popup to change the administration password.

Accessing Help
The Policy Manager User Guide (in PDF format) is built into the help system here: https://<hostname>/tipshelp/html/en/ (where <hostname> is the hostname you configured during the initial configuration). All Policy Manager user interface screens have context-sensitive help.
Chapter 3
Checking Basic Services

To check the status of a service, navigate to Administration > Server Configuration, then click on a row to select a server:
- The System tab displays server identity and connection parameters.
- The Service Control tab displays all services and their current status. If a service is stopped, you can use its Start/Stop button (toggle) to restart it.
Chapter 4
802.1x Wireless Use Case

The basic Policy Manager Use Case configures a Policy Manager Service to identify and evaluate an 802.1X request from a user logging into a Wireless Access Device. The following image illustrates the flow of control for this Service.

Figure 1: Flow of Control, Basic 802.1X Configuration Use Case

Configuring the Service
Follow the steps below to configure this basic 802.1X service:
1.
Policy Manager ships with fourteen preconfigured Services. In this Use Case, you select a Service that supports 802.1X wireless requests.

Table 1: 802.1X - Create Service Navigation and Settings
Navigation    Settings
Create a new Service:
- Services >
- Add Service (link) >
Name the Service and select a pre-configured Service Type:
- Service (tab) >
- Type (selector): 802.
Navigation    Settings
- [Guest Device Repository] [Local SQL DB]
- [Endpoints Repository] [Local SQL DB]
- [Onboard Devices Repository] [Local SQL DB] >
- [Admin User Repository] [Local SQL DB] >
- AmigoPod AD [Active Directory] >
- Add >
- Upon completion, Next (to configure Authorization)

The following field deserves special mention:
- Strip Username Rules: Optionally, check here to pre-process the user name (to remove prefixes and suffixes) before sending it to the authentication source.
Table 4: Role Mapping Navigation and Settings
Navigation    Settings
Create the new Role Mapping Policy:
- Roles (tab) >
- Add New Role Mapping Policy (link) >
Add new Roles (names only):
- Policy (tab) >
- Policy Name (freeform): ROLE_ENGINEER >
- Save (button) >
- Repeat for ROLE_FINANCE >
- When you are finished working in the Policy tab, click the Next button (in the Rules Editor)
Create rules to map client identity to a Role:
- Mapping Rules (tab) >
- Rules Evaluation Algorithm (radio button): Select al
NOTE: For purposes of posture evaluation, you can configure a Posture Policy (internal to Policy Manager), a Posture Server (external), or an Audit Server (internal or external).
Enforcement Policies contain dictionary-based rules for evaluation of Role, Posture Tokens, and System Time to Evaluation Profiles. Policy Manager applies all matching Enforcement Profiles to the Request. In the case of no match, Policy Manager assigns a default Enforcement Profile.
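The evaluation described above, modeled as an added example (this is not Policy Manager code): every matching rule contributes its Enforcement Profile, and the default is used only when nothing matches. The role names come from the Role Mapping table; the profile names and posture token values are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Request:
    roles: FrozenSet[str]   # output of the Role Mapping Policy
    posture: str            # posture token assigned by posture evaluation
    when: datetime          # system time when the request is evaluated

@dataclass(frozen=True)
class Rule:
    profile: str                               # Enforcement Profile to apply
    role: Optional[str] = None                 # None means "any"
    posture: Optional[str] = None
    hours: Optional[Tuple[time, time]] = None  # [start, end) window

    def matches(self, req: Request) -> bool:
        if self.role is not None and self.role not in req.roles:
            return False
        if self.posture is not None and self.posture != req.posture:
            return False
        if self.hours is not None:
            start, end = self.hours
            if not (start <= req.when.time() < end):
                return False
        return True

def enforce(rules: List[Rule], default: str, req: Request) -> List[str]:
    """All matching profiles, in rule order; the default only when none match."""
    matched: List[str] = []
    for rule in rules:
        if rule.matches(req) and rule.profile not in matched:
            matched.append(rule.profile)
    return matched or [default]

# Constructed sample policies: profile names and posture tokens are placeholders.
OFFICE = (time(8, 0), time(18, 0))
LOOSE = [Rule("ENGINEERING_ACCESS", role="ROLE_ENGINEER"),
         Rule("QUARANTINE_VLAN", posture="QUARANTINE")]
STRICT = [Rule("ENGINEERING_ACCESS", role="ROLE_ENGINEER", posture="HEALTHY"),
          Rule("FINANCE_ACCESS", role="ROLE_FINANCE", posture="HEALTHY", hours=OFFICE),
          Rule("QUARANTINE_VLAN", posture="QUARANTINE")]

def sick_engineer() -> Request:
    return Request(frozenset({"ROLE_ENGINEER"}), "QUARANTINE", datetime(2013, 6, 3, 10, 0))
```

Under LOOSE, the quarantined engineer receives both the access profile and the quarantine profile because the role rule ignores posture; STRICT ties each access rule to a posture token so that only the quarantine profile applies.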
Chapter 5
Web Based Authentication Use Case

This Service supports known Guests with inadequate 802.1X supplicants or posture agents. The following figure illustrates the overall flow of control for this Policy Manager Service.

Figure 2: Flow-of-Control of Web-Based Authentication for Guests

Configuring the Service
Perform the following steps to configure Policy Manager for WebAuth-based Guest access.
1. Prepare the switch to pre-process WebAuth requests for the Policy Manager Dell WebAuth service.
2. Create a WebAuth-based Service.

Table 7: Service Navigation and Settings
Navigation    Settings
Create a new Service:
- Services >
- Add Service >
Name the Service and select a preconfigured Service Type:
- Service (tab) >
- Type (selector): Dell Web-Based Authentication >
- Name/Description (freeform) >
- Upon completion, click Next.

3. Set up the Authentication.
a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally.
b.
Table 9: Posture Policy Navigation and Settings
Navigation    Setting
Create a Posture Policy:
- Posture (tab) >
- Enable Validation Check (check box) >
- Add new Internal Policy (link) >
Name the Posture Policy and specify a general class of operating system:
- Policy (tab) >
- Policy Name (freeform): IPP_UNIVERSAL >
- Host Operating System (radio buttons): Windows >
- When finished working in the Policy tab, click Next to open the Posture Plugins tab
Select a Validator:
- Posture Plugins (tab) >
- Enable
Navigation    Setting
- When finished working in the Posture Plugin tab, click Next to move to the Rules tab
Set rules to correlate validation results with posture tokens:
- Rules (tab) >
- Add Rule (button opens popup) >
- Rules Editor (popup) >
- Conditions/Actions: match Conditions (Select Plugin/Select Plugin checks) to Actions (Posture Token) >
- In the Rules Editor, upon completion of each rule, click the Save button >
- When finished working in the Rules tab, click the Next button.
Table 10: Enforcement Policy Navigation and Settings
Navigation    Setting
Add a new Enforcement Policy:
- Enforcement (tab) >
- Enforcement Policy (selector): SNMP_POLICY
- Upon completion, click Save.

6. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Chapter 6
MAC Authentication Use Case

This Service supports Network Devices, such as printers or handhelds. The following image illustrates the overall flow of control for this Policy Manager Service. In this service, an audit is initiated on receiving the first MAC Authentication request.
Configuring the Service
Follow these steps to configure Policy Manager for MAC-based Network Device access.
1. Create a MAC Authentication Service.

Table 11: MAC Authentication Service Navigation and Settings
Navigation    Settings
Create a new Service:
- Services >
- Add Service (link) >
Name the Service and select a preconfigured Service Type:
- Service (tab) >
- Type (selector): MAC Authentication >
- Name/Description (freeform) >
- Upon completion, click Next to configure Authentication

2.
(NESSUS). You can also configure the audit server (NMAP or NESSUS) with post-audit rules that enable Policy Manager to determine client identity.