Dell Networking W-ClearPass Policy Manager 6.
Copyright Information Copyright © 2013 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents
About Dell Networking W-ClearPass Policy Manager 11
Powering Up and Configuring Policy Manager Hardware 13
    Server Port Overview 13
    Server Port Configuration 14
    Powering Off the System 15
    Resetting Passwords to Factory Default 16
    Generating Support Key for Technical Support 16
Policy Manager Dashboard 19
Monitoring 23
    Access Tracker 23
        Viewing Session Details 25
    Accounting 26
    OnGuard Activity 35
    Analysis and Trending 37
    Endpoint Profiler 37
    System Monitor 38
    Audit Viewe
    ClearPass Onboard 62
    HTTP User-Agent 62
        Configuration 63
    MAC OUI 63
    ActiveSync Plugin 63
    CPPM OnGuard 63
    SNMP 63
    802.
    Adding and Modifying Authentication Sources 127
        Generic LDAP or Active Directory 129
        Kerberos 140
        Generic SQL DB 141
        Token Server 145
        Static Host List 147
        HTTP 148
Identity: Users, Endpoints, Roles and Role Mapping 153
    Architecture and Flow 153
    Configuring a Role Mapping Policy 154
        Configuring a Role Mapping Policy 154
        Adding and Modifying Role Mapping Policies 155
            Policy Tab 155
            Mapping Rules Tab 156
    Adding and Modifying Roles
    Local Users, Guest Users, Onboard Devices, Endpoints, and St
        Microsoft NPS
Audit Servers 203
    Architecture and Flow 203
    Configuring Audit Servers 204
        Built-In Audit Servers 205
        Adding Auditing to a Policy Manager Service 205
        Modifying Built-In Audit Servers 206
        Custom Audit Servers 207
            NESSUS Audit Server 207
            NMAP Audit Server 209
        Nessus Scan Profiles 211
        Post-Audit Rules 215
Enforcement 217
    Enforcement Architecture and Flow 217
    Configuring Enforcement Profiles 218
        RADIUS Enforcement Profiles 221
        RADIUS CoA Enforcement Profiles 223
        SNMP
    Export Admin Privileges 246
    Import Admin Privileges 246
    Export Admin Privileges 247
        Export 247
Server Configuration 247
    Set Date/Time 248
    Change Cluster Password 250
    Manage Policy Manager Zones 251
    NetEvents Targets 252
    Make Subscriber 252
    Upload Nessus Plugins 253
    Cluster-Wide Parameters 254
    Collect Logs 256
        Viewing Log Files 257
    Backup 258
    Restore 259
    Shutdown/Reboot 260
    Drop Subscriber 260
    System Tab 260
        Multiple Active Directory Domains 262
    Services Control Ta
Syslog Targets 283
    Add Syslog Target 284
    Import Syslog Target 284
    Export Syslog Target 285
        Export 285
Syslog Export Filters 285
    Add Syslog Filter 286
    Import Syslog Filter 288
    Export Syslog Filter 289
        Export 289
Messaging Setup 289
Endpoint Context Servers 291
MDM Servers 292
Server Certificate 293
    Create Self-Signed Certificate 294
    Create Certificate Signing Request 296
    Export Server Certificate 298
    Import Server Certificate 298
Certificate Trust List 298
    Add Certificate
    Upgrade the Image on All Appliances 316
Command Line Configuration 317
    Available Commands 317
    Cluster Commands 319
        drop-subscriber 320
        list 320
        make-publisher 320
        make-subscriber 321
        reset-database 321
        set-cluster-passwd 321
        set-local-passwd 322
    Configure Commands 322
        date 322
        dns 323
        hostname 323
        ip 323
        timezone 324
    Network Commands 324
        ip 324
        nslookup 325
        ping 325
        reset 326
        traceroute 326
    Service commands 327
    Show Commands 328
        all-timezones 328
        install-license 331
        restart 331
        shutdown 332
        update 332
        upgrade 332
    Miscellaneous Commands 333
        ad auth 333
        ad netjoin 334
        ad netleave 334
        ad testjoin 334
        alias 334
        backup 335
        dump certchain 335
        dump logs 336
        dump servercert 336
        exit 337
        help 337
        krb auth 337
        krb list 338
        ldapsearch 338
        restore 338
        quit 339
Rules Editing and Namespaces 341
    Namespaces 341
    Variables 347
    Operators 348
Software Copyright and License Statements 351
    PostgreSQL Copyright 351
Chapter 1 About Dell Networking W-ClearPass Policy Manager

The Dell Networking W-ClearPass Policy Manager platform provides role- and device-based network access control across any wired, wireless and VPN infrastructure. Software modules for the Dell Networking W-ClearPass Policy Manager platform, such as Guest, Onboard, Profile, OnGuard, QuickConnect, and Insight, simplify and automate device configuration, provisioning, profiling, health checks, and guest access.
Chapter 2 Powering Up and Configuring Policy Manager Hardware

The Policy Manager server requires initial port configuration. Its backplane contains three ports.

Server Port Overview

Figure 1: Policy Manager Backplane

The ports in the figure above are described in the following table:

Table 1: Device Ports
Key: Port: Description
A: Serial: Configures the ClearPass Policy Manager appliance initially, via a hardwired terminal.
Server Port Configuration

Before starting the installation, gather the following information that you will need, write it in the table below, and keep it for your records:

Table 2: Required Information
Requirement: Description
Hostname: Hostname of the Policy Manager server
Management Port IP Address
Management Port Subnet Mask
Management Port Gateway
Data Port IP Address (optional): The Data Port IP Address must not be in the same subnet as the Management Port IP Address
Data Port Gateway (optional)
Data Port Subnet Mask (optional)
3. Configure the Appliance

Replace the bolded placeholder entries in the following illustration with your local information:

Enter hostname: verne.xyzcompany.com
Enter Management Port IP Address: 192.168.5.10
Enter Management Port Subnet Mask: 255.255.255.0
Enter Management Port Gateway: 192.168.5.1
Enter Data Port IP Address: 192.168.7.55
Enter Data Port Subnet Mask: 255.255.255.0
Enter Data Port Gateway: 192.168.7.1
Enter Primary DNS: 192.168.5.3
Enter Secondary DNS: 192.168.5.1

4.
- Connect to the CLI from the serial console via the front serial port and enter the following:

login: poweroff
password: poweroff

This procedure gracefully shuts down the appliance.

Resetting Passwords to Factory Default

Administrator passwords in Policy Manager can be reset to factory defaults by logging into the CLI as the apprecovery user. The password to log in as the apprecovery user is dynamically generated. Perform the following steps to generate the recovery password:

1.
4. When the system restarts it waits at the following prompt for 10 seconds:

Generate support keys? [y/n]:

Enter 'y' at the prompt. The system prompts with the following choices:

Please select a support key generation option.
1) Generate password recovery key
2) Generate a support key
3) Generate password recovery and support keys
Enter the option or press any key to quit:

5. To generate the support key, select option 2 (or 3, if you also want to generate a password recovery key).

6.
Chapter 3 Policy Manager Dashboard

The Policy Manager Dashboard menu allows you to display system health and other request-related statistics. Policy Manager comes pre-configured with different dashboard elements. The screen on the right of the dashboard menu is partitioned into five fixed slots. You can drag and drop any of the dashboard elements into the five slots. The dashboard elements are listed below:

This shows a graph of all requests processed by Policy Manager over the past week.
This chart shows the graph of all profiled devices categorized into the built-in categories: Smartdevices, Access Points, Computer, VOIP phone, Datacenter Appliance, Printer, Physical Security, Game Console, Routers, Unknown and Conflict. Unknown devices are devices that the profiler was not able to profile. Conflict indicates a conflict in the categorization of the device.
Quick Links shows links to common configuration tasks:
- Start Configuring Policies links to the Start Here page under the Configuration menu. Start configuring Policy Manager Services from here.
- Manage Services links to the Services page under the Configuration menu. Shows a list of configured services.
- Access Tracker links to the Access Tracker screen under the Reporting & Monitoring menu.
- Analysis & Trending links to the Analysis & Trending screen under the Reporting & Monitoring menu.
Chapter 4 Monitoring

The Policy Manager Monitoring menu provides the following interfaces:
- Live Monitoring
  - "Access Tracker" on page 23
  - "Accounting" on page 26
  - "OnGuard Activity" on page 35
  - "Analysis and Trending" on page 37
  - "Endpoint Profiler" on page 37
  - "System Monitor" on page 38
- "Audit Viewer" on page 40
- "Event Viewer" on page 43
- "Data Filters" on page 44

Access Tracker

The Access Tracker provides a real-time display of system activity, with optional auto-ref
Table 3: Access Tracker Display Parameters
Container: Description
Select Server: Select the server for which to display dashboard data. Select All to display transactions from all nodes in the Policy Manager cluster.
Auto Refresh: Click to toggle On/Off.
Select Filter: Select a filter to constrain the data display.
Modify the currently displayed data filter.
Go to the Data Filters page to create a new data filter.
Container: Description
WebAuth: Web authentication transactions (Dissolvable Agent, OnGuard)
Application: All Dell application authentications (Insight, GuestConnect)

Viewing Session Details

To view details for a session, click on the row containing any entry. Policy Manager divides the view into multiple tabs. Depending on the type of authentication (RADIUS, WebAuth, TACACS, Application), the view displays different tabs.
Container: Description
Show Logs: Show the logs of this session. Error messages are color coded in red. Warning messages are color coded in orange.
Close
RADIUS response attributes sent to the device

Accounting

The Accounting display provides a dynamic report of accesses (as reported by the network access device by means of RADIUS/TACACS+ accounting records), at: Monitoring > Live Monitoring > Accounting.
Container: Description
Show Latest: Sets the date in the previous step to Today.
Save/Cancel: Save or cancel the edit operation.
Show records: Show 10, 20, 50 or 100 rows. Once selected, this setting is saved and available in subsequent logins.

Click on any row to display the corresponding Accounting Record Details.

Figure 4: RADIUS Accounting Record Details (Summary tab)
Figure 5: RADIUS Accounting Record Details (Auth Sessions tab)
Figure 6: RADIUS Accounting Record Details (Utilization tab)
Figure 7: RADIUS Accounting Record Details (Details tab)

Table 8: RADIUS Accounting Record Details
Tab: Container: Description
Summary
  Session ID: Policy Manager session identifier (you can correlate this record with a record in Access Tracker)
  Account Session ID: A unique ID for this accounting record
  Start and End Timestamp: Start and end time of the session
  Status: Current connection status of the session
  Username: Username associated with this record
  Termination Cause: The reason for termin
  NAS IP Address: IP address of the network device
  NAS Port Type: The access method, for example Ethernet, 802.11 Wireless, etc.
  Calling Station ID: In most use cases supported by Policy Manager this is the MAC address of the client
  Called Station ID: MAC Address of the network device
  Framed IP Address: IP Address of the client (if available)
  Account Auth: Type of authentication; in this case, RADIUS.
Auth Sessions
Utilization
Figure 8: TACACS+ Accounting Record Details (Request tab)
Figure 9: TACACS+ Accounting Record Details (Auth Sessions tab)
Figure 10: TACACS+ Accounting Record Details (Details tab)

Table 9: TACACS+ Accounting Record Details
Tab: Container: Description
Request
  Session ID: Unique ID associated with a request
  User Session ID: A session ID that correlates authentication, authorization and accounting records
  Start and End Timestamp: Start and end time of the session
  Username: Username associated with this record
  Client IP: The IP address and tty of the device interface
  Remote IP: IP address from which the Admin is logged i
  Authentication Type: Identifies the authentication type used for the access.
  Authentication Service: Identifies the authentication service used for the access.
Manager, and SNMP read and write parameters must be configured. SNMP traps (link up and/or MAC notification) have to be enabled on the switch port. In order to specify the IP address of the endpoint to bounce, the DHCP snooper service on Policy Manager must receive DHCP packets from the endpoint. Refer to your network device documentation to find out how to configure the IP helper address.
Analysis and Trending

Monitoring > Live Monitoring > Analysis & Trending

The Analysis and Trending page displays the quantity of requests over the selected window (a month, two weeks, a week, a day, or 12, 6, 3 or 1 hours) for the subset of components included in the selected filters. The data can be aggregated by minute, hour, day or week. The summary table at the bottom shows the per-filter count for the aggregated data. Each bar (corresponding to each filter) in the bar graph is clickable.
Figure 13: Endpoint Profiler

You can view endpoint details about a specific device by clicking on a device in the table below the graphs. Select the Cancel button to return to the Endpoint Profiler page.

Figure 14: Endpoint Profiler Details

System Monitor

The System Monitor is available by navigating to Monitoring > Live Monitoring > System Monitor.
- Select Server: Select a node from the cluster for which data is to be displayed.
Figure 15: System Monitor Graphs
- Process Monitor: For the selected server and process, provides critical usage statistics, including CPU, Virtual Memory, and Main Memory. Use Select Process to select the process for which you want to see the usage statistics.
Figure 16: Process Monitor Graphs

Audit Viewer

The Audit Viewer display provides a dynamic report of Actions, filterable by Action, Name and Category (of policy component), and User, at: Monitoring > Audit Viewer.
Figure 17: Audit Viewer

Table 11: Audit Viewer
Container: Description
Select Filter: Select the filter by which to constrain the display of audit data.
Show records: Show 10, 20, 50 or 100 rows. Once selected, this setting is saved and available in subsequent logins.

Click on any row to display the corresponding Audit Row Details:
- For Add Actions, a single popup displays, containing the new data.
Figure 19: Audit Row Details (Old Data tab)
Figure 20: Audit Row Details (New Data tab)
Figure 21: Audit Row Details (Inline Difference tab)

- For Remove Actions, a popup displays the removed data.

Event Viewer

The Event Viewer display provides a dynamic report of system-level (not request-related) Events, filterable by Source, Level, Category, and Action, at: Monitoring > Event Viewer.

Figure 22: Event Viewer

Table 12: Event Viewer
Container: Description
Select Server: Select the server for which to display event data.
Show records: Show 10, 20, 50 or 100 rows. Once selected, this setting is saved and available in subsequent logins.

Click on any row to display the corresponding System Event Details.
- ClearPass Application Requests: All Application session log requests.
- Failed Requests: All authentication requests that were rejected or failed for some reason; includes RADIUS, TACACS+ and Web Authentication results.
- Guest Access Requests: All requests (RADIUS or Web Authentication) where the user was assigned the built-in role called Guest.
Figure 25: Add Filter (Filter tab)

Table 14: Add Filter (Filter tab)
Container: Description
Name/Description: Name and description of the filter (freeform).
Configuration Type: Choose one of the following configuration types:
  Specify Custom SQL: Selecting this option allows you to specify a custom SQL entry for the filter. If this is specified, then the Rules tab disappears, and a SQL template displays in the Custom SQL field. Note that selecting this option is not recommended.
Custom SQL
Table 15: Add Filter (Rules tab)
Container: Description
Rule Evaluation Algorithm: Select first match is a logical OR operation of all the rules. Select all matches is a logical AND operation of all the rules.
Add Rule: Add a rule to the filter.
Move Up/Down: Change the ordering of rules.
Edit/Remove Rule: Edit or remove a rule.
Save: Save this filter.
Cancel: Cancel the edit operation.

When you click on Add Rule or Edit Rule, the Data Filter Rules Editor displays.
Value: The value of the attribute
Chapter 5 Policy Manager Policy Model From the point of view of network devices or other entities that need authentication and authorization services, Policy Manager appears as a RADIUS, TACACS+ or HTTP/S based Authentication server; however, its rich and extensible policy model allows it to broker security functions across a range of existing network infrastructure, identity stores, health/posture services and client technologies within the Enterprise.
Figure 28: Generic Policy Manager Service Flow of Control

Table 17: Policy Manager Service Components
Component: Service-to-component ratio: Description
A Authentication Method: Zero or more per service: EAP or non-EAP method for client authentication. Policy Manager supports four broad classes of authentication methods:
  - EAP, tunneled: PEAP, EAP-FAST, or EAP-TTLS.
  - EAP, non-tunneled: EAP-TLS or EAP-MD5.
  - Non-EAP, non-tunneled: CHAP, MS-CHAP, PAP, or [MAC AUTH].
  - any LDAP compliant directory
  - RSA or other RADIUS-based token servers
  - SQL database, including the local user store
  - Static Host Lists, in the case of MAC-based Authentication of managed devices
C Authorization Source: One or more per Authentication Source and zero or more per service: An Authorization Source collects attributes for use in Role Mapping Rules. You specify the attributes you want to collect when you configure the authentication source.
Viewing Existing Services

You can view all configured services in a list or drill down into individual services:
- View and manipulate the list of current services. In the menu panel, click Services to view a list of services that you can filter by phrase or sort by order.

Figure 29: List of services with sorting tool

- Drill down to view details for an individual service. In the Services page, click the name of a Service to display its details.
- Create a new service that you will configure from scratch. In the Services page, click Add a Service, then follow the configuration wizard from component to component by clicking Next as you complete each tab.
- Remove a service. In the Services page, fill the check box for a service, then click the Delete button. You can also disable/enable a service from the service detail page by clicking Disable/Enable (lower right of page).
Policy Component: Configuration Instructions: Illustrative Use Cases
Role Mapping: "TACACS+ Use Case" on page 83 uses the local Policy Manager repository. Other authentication sources would also be fine. "802.1x Wireless Use Case" on page 67 has an explicit Role Mapping Policy that tests request attributes against a set of rules to assign a role.
- Service Categorization: A service categorization simulation allows you to specify a set of attributes in the RADIUS or Connection namespace and test which configured service the request will be categorized into. The request attributes that you specify represent the attributes sent in the simulated request.
- Role Mapping: Given the service name (and associated role mapping policy), the authentication source and the user name, the role mapping simulation maps the user into a role or set of roles.
Add Simulation Test

Navigate to Configuration > Policy Simulation and click on the Add Simulation link. Depending on the simulation type selected, the contents of the Simulation tab change.

Table 20: Add Policy Simulation (Simulation Tab)
Container: Description
Name/Description: Specify name and description (freeform).
Type: Service Categorization.
  - Input (Simulation tab): Select Date and Time.
Type: Audit.
  - Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces relevant to posture evaluation (posture dictionaries) are loaded in the attributes editor.
  - Returns (Results tab): System Posture Status and Status Messages.
source. For an example of enabling attributes as a role, refer to "Generic LDAP or Active Directory" on page 129 for more information.
Type: Chained Simulations.
  - Input (Simulation tab): Select Service, Authentication Source, User Name, and Date/Time.
  - Input (Attributes tab): Use the Rules Editor to create a request with the attributes you want to test. All namespaces that are relevant in the Role Mapping Policy context are loaded in the attributes editor.
Figure 33: Add Simulation (Attributes Tab)

In the Results tab, Policy Manager displays the outcome of applying the test request parameters against the specified policy component(s). What is shown in the Results tab again depends on the type of simulation.

Figure 34: Add Simulation (Results Tab)

Importing and Exporting Simulations

Import Simulations

Navigate to Configuration > Policy Simulation and select the Import Simulations link.
Figure 35: Import Simulations

Table 21: Import Simulations
Container: Description
Select file: Browse to select the name of the simulations import file.
Import/Cancel: Import to commit or Cancel to dismiss the popup.

Export Simulations

Navigate to Configuration > Policy Simulation and select the Export Simulations link. This task exports all simulations. Your browser will display its normal Save As dialog, in which to enter the name of the XML file to contain the export.
Chapter 6 ClearPass Policy Manager Profile Profile is a ClearPass Policy Manager module that automatically classifies endpoints using attributes obtained from software components called Collectors. It can be used to implement “Bring Your Own Device” (BYOD) flows, where access has to be controlled based on the type of the device and the identity of the user.
- HTTP User Agent
- MAC OUI: Acquired via various authentication mechanisms such as 802.1X, MAC authentication, etc.
- ActiveSync plugin
- CPPM OnGuard
- SNMP
- Subnet Scanner

DHCP

DHCP attributes such as option 55 (parameter request list), option 60 (vendor class) and the options list from DISCOVER and REQUEST packets can uniquely fingerprint most devices that use the DHCP mechanism to acquire an IP address on the network.
Configuration

Navigate to the Administrator > Network Setup > ClearPass page to configure ClearPass Onboard and ClearPass Guest to send the HTTP User Agent string to Profile. The screenshot below shows how the CPPM publisher and Profile nodes are configured in ClearPass Guest.

MAC OUI

MAC OUI can be useful in some cases to better classify endpoints. An example is Android devices, where DHCP fingerprints can only classify a device as generic Android but cannot provide more details regarding the vendor.
The following additional settings have been introduced for Profile support:
- Read ARP Table Info: Enable this setting if this is a Layer 3 device and you want to use the ARP table on this device as a way to discover endpoints in the network. Static IP endpoints discovered this way are further probed via SNMP to profile the device.
- Force Read: Enable this setting to ensure that all CPPM nodes in the cluster read SNMP information from this device regardless of the trap configuration on the device.
Profiling

The Profile module uses a two-stage approach to classify endpoints using input attributes.

Stage 1

Stage 1 tries to derive device profiles using static dictionary lookups. Based on the attributes available, it looks up the DHCP, HTTP, ActiveSync, MAC OUI, and SNMP dictionaries and derives multiple matching profiles. When multiple matches are returned, the priority of the source that provided the attribute is used to select the appropriate profile.
used by CPPM:
- DHCP
- HTTP User-Agent
- ActiveSync Attributes
- SNMP Attributes
- MAC OUI

Refer to Fingerprints for more information. Because these dictionaries can change frequently, CPPM provides a way to automatically update fingerprints from a hosted portal. If external access is provided to CPPM, the fingerprints file can be downloaded and imported through CPPM admin. Refer to Update Portal for more information.
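The following is an added example, not ClearPass code, that ties the DHCP collector description above (option 55 parameter request list and option 60 vendor class) to the Stage 1 dictionary lookup with source priority. It parses the option area of a constructed DHCPDISCOVER, builds the option 55 / option 60 fingerprint and the MAC OUI from the chaddr field, looks both up in a small constructed dictionary, and lets an assumed source priority order decide when more than one source matches. The dictionary contents, the priority order, the made-up OUI 0a:1b:2c, the packet contents and the `conflict` flag (a modelling choice for the case the dashboard reports as Conflict, not documented CPPM behaviour) are all assumptions; the DHCP wire format itself follows RFC 2131/2132.

```python
"""Added example, not ClearPass code: DHCP fingerprint extraction plus a
Stage 1 dictionary lookup with source priority. Packet, dictionary and
priority order are constructed for the example."""
from __future__ import annotations
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236      # op .. file fields precede the magic cookie (RFC 2131)
CHADDR_OFFSET = 28         # client hardware address field


def parse_dhcp_options(payload: bytes) -> dict[int, bytes]:
    """Return {code: data} for the option area of a BOOTP/DHCP UDP payload.
    Repeated codes are concatenated (RFC 3396); PAD is skipped, END stops.
    Truncated options raise instead of being silently accepted."""
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts: dict[int, bytes] = {}
    i = BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 0:                       # PAD
            i += 1
            continue
        if code == 255:                     # END
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + data
        i += 2 + length
    return opts


def dhcp_fingerprint(opts: dict[int, bytes]) -> tuple[str, str]:
    """Option 55 as a comma-separated list of requested codes, option 60 as text."""
    prl = ",".join(str(code) for code in opts.get(55, b""))
    vendor = opts.get(60, b"").decode("ascii", errors="replace")
    return prl, vendor


def mac_oui(payload: bytes) -> str:
    """First three bytes of chaddr (the vendor OUI) as aa:bb:cc."""
    return ":".join(f"{b:02x}" for b in payload[CHADDR_OFFSET:CHADDR_OFFSET + 3])


# Constructed fingerprint dictionaries keyed by source name (assumption: the real
# Policy Manager dictionaries come from the update portal and are much larger).
FINGERPRINTS = {
    "dhcp": {
        ("1,3,6,15,31,33,43,44,46,47,121,249,252", "MSFT 5.0"): ("Windows", "Computer"),
        ("1,3,6,15,26,28,51,58,59,43", "android-dhcp-10"): ("Android", "SmartDevice"),
    },
    "mac_oui": {
        "00:50:56": ("VMware", "Computer"),
        "0a:1b:2c": ("Acme Printers", "Printer"),   # made-up OUI for the example
    },
}
# Assumed priority, highest first; the text says a source priority is used but
# does not list the order.
SOURCE_PRIORITY = ["active_sync", "http", "dhcp", "snmp", "mac_oui"]


def classify(evidence: dict[str, object]) -> dict:
    """Stage 1: look each source's attributes up in its dictionary. The highest
    priority matching source decides; 'conflict' flags disagreeing categories."""
    hits = {src: FINGERPRINTS.get(src, {}).get(key) for src, key in evidence.items()}
    hits = {src: hit for src, hit in hits.items() if hit}
    if not hits:
        return {"category": "Unknown", "family": None, "source": None, "conflict": False}
    best = min(hits, key=SOURCE_PRIORITY.index)
    family, category = hits[best]
    conflict = len({cat for _, cat in hits.values()}) > 1
    return {"category": category, "family": family, "source": best, "conflict": conflict}


def profile_dhcp_packet(payload: bytes) -> dict:
    opts = parse_dhcp_options(payload)
    return classify({"dhcp": dhcp_fingerprint(opts), "mac_oui": mac_oui(payload)})


def build_discover(mac: bytes, options: list[tuple[int, bytes]]) -> bytes:
    """Constructed DHCPDISCOVER: BOOTP header (op=1, htype=1, hlen=6), then options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(data)]) + data for code, data in options)
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed samples: a Windows client on a VMware NIC, and an Android client
# whose made-up OUI the dictionary lists as a printer (sources disagree).
WINDOWS_VM = build_discover(bytes.fromhex("005056010203"), [
    (53, b"\x01"),                                    # DHCPDISCOVER
    (61, b"\x01" + bytes.fromhex("005056010203")),   # client identifier
    (60, b"MSFT 5.0"),
    (55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252])),
])
ANDROID_ODD_OUI = build_discover(bytes.fromhex("0a1b2c445566"), [
    (53, b"\x01"),
    (60, b"android-dhcp-10"),
    (55, bytes([1, 3, 6, 15, 26, 28, 51, 58, 59, 43])),
])
```

Running `profile_dhcp_packet(WINDOWS_VM)` yields the Windows/Computer profile from the DHCP source with no conflict; `profile_dhcp_packet(ANDROID_ODD_OUI)` still picks the DHCP-derived SmartDevice profile because the assumed priority ranks DHCP above MAC OUI, but sets `conflict` because the OUI dictionary disagrees. Cutting bytes off the end of a packet makes `parse_dhcp_options` raise rather than fingerprint on a partial option list.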
Chapter 7 802.1x Wireless Use Case

The basic Policy Manager Use Case configures a Policy Manager Service to identify and evaluate an 802.1X request from a user logging into a Wireless Access Device. The following image illustrates the flow of control for this Service.

Figure 39: Flow of Control, Basic 802.1X Configuration Use Case

Configuring the Service

Follow the steps below to configure this basic 802.1X service:

1. Create the Service
The following table provides the model for information presented in Use Cases, which assume the reader’s ability to extrapolate from a sequence of navigational instructions (left column) and settings (in summary form in the right column) at each step. Below the table, we call attention to any fields or functions that may not have an immediately obvious meaning. Policy Manager ships with fourteen preconfigured Services. In this Use Case, you select a Service that supports 802.1X wireless requests.
Table 23: Configure Authentication Navigation and Settings
Navigation: Settings
Select an Authentication Method and an Active Directory server (that you have already configured in Policy Manager):
- Authentication (tab) >
- Methods (Select a method from the drop-down list)
- Add >
- Sources (Select drop-down list): [Local User Repository] [Local SQL DB], [Guest User Repository] [Local SQL DB], [Guest Device Repository] [Local SQL DB], [Endpoints Repository] [Local SQL DB], [Onboard Devices Repository] [Local S
Policy Manager tests client identity against role-mapping rules, appending any match (multiple roles acceptable) to the request for use by the Enforcement Policy. In the event of role-mapping failure, Policy Manager assigns a default role.
Navigation: Settings
Add the new Role Mapping Policy to the Service:
- Back in Roles (tab) >
- Role Mapping Policy (selector): RMP_DEPARTMENT >
- Upon completion, click Next (to Posture)

5. Configure a Posture Server

NOTE: For purposes of posture evaluation, you can configure a Posture Policy (internal to Policy Manager), a Posture Server (external), or an Audit Server (internal or external).
Navigation: Setting
Add the new Posture Server to the Service:
- Back in the Posture (tab) >
- Posture Servers (selector): PS_NPS, then click the Add button.
- Click the Next button.

6. Assign an Enforcement Policy

Enforcement Policies contain dictionary-based rules that map Role, Posture Tokens, and System Time to Enforcement Profiles. Policy Manager applies all matching Enforcement Profiles to the Request. In the case of no match, Policy Manager assigns a default Enforcement Profile.
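The following is an added example, not ClearPass code, that models the request flow this use case configures and chapter 5 describes: service categorization by service rules, role mapping that appends every matching role and falls back to a default role, and enforcement that applies every matching profile and falls back to a default profile. Attribute names follow the Namespace:Attribute form of the rules editor (Connection:Protocol, Radius:IETF:NAS-Port-Type, Authorization:AD:memberOf, Tips:Posture, Tips:Role); the service, both policies, the operator set and the three requests are constructed for the example, and the choice that each rule's conditions are ANDed is an assumption.

```python
"""Added example, not ClearPass code: service categorization -> role mapping
-> enforcement over constructed services, policies and requests."""
from __future__ import annotations
from dataclasses import dataclass


def match(op: str, actual, expected) -> bool:
    """Evaluate one condition. A multi-valued attribute (an AD memberOf list,
    or the Tips:Role list after role mapping) matches if any value matches."""
    if op == "EXISTS":
        return actual is not None
    if op == "NOT_EXISTS":
        return actual is None
    if actual is None:
        return False
    if isinstance(actual, list):
        return any(match(op, a, expected) for a in actual)
    if op == "EQUALS":
        return actual == expected
    if op == "NOT_EQUALS":
        return actual != expected
    if op == "CONTAINS":
        return expected in actual
    raise ValueError(f"unsupported operator {op}")


Condition = tuple   # (attribute, operator, value)


@dataclass
class Rule:
    conditions: list[Condition]   # all conditions must hold (assumption: AND)
    result: str                   # role name or enforcement profile name

    def matches(self, attrs: dict) -> bool:
        return all(match(op, attrs.get(attr), value) for attr, op, value in self.conditions)


@dataclass
class RoleMappingPolicy:
    rules: list[Rule]
    default_role: str             # assigned when no rule matches


@dataclass
class EnforcementPolicy:
    rules: list[Rule]
    default_profile: str          # applied when no rule matches


@dataclass
class Service:
    name: str
    service_rules: list[Condition]   # all must match for the request to land here
    role_policy: RoleMappingPolicy
    enforcement: EnforcementPolicy


def categorize(services: list[Service], request: dict) -> Service | None:
    """Services are tried in configured order; the first whose rules all match wins."""
    for svc in services:
        if all(match(op, request.get(attr), val) for attr, op, val in svc.service_rules):
            return svc
    return None


def map_roles(policy: RoleMappingPolicy, request: dict) -> list[str]:
    """Every matching rule appends its role; no match gives the default role."""
    roles = [r.result for r in policy.rules if r.matches(request)]
    return roles or [policy.default_role]


def enforce(policy: EnforcementPolicy, request: dict, roles: list[str]) -> list[str]:
    """Enforcement rules see the mapped roles as Tips:Role; all matching profiles apply."""
    attrs = {**request, "Tips:Role": roles}
    profiles = [r.result for r in policy.rules if r.matches(attrs)]
    return profiles or [policy.default_profile]


def process(services: list[Service], request: dict) -> dict:
    svc = categorize(services, request)
    if svc is None:   # no service claims the request, so nothing is evaluated
        return {"service": None, "roles": [], "profiles": []}
    roles = map_roles(svc.role_policy, request)
    return {"service": svc.name, "roles": roles,
            "profiles": enforce(svc.enforcement, request, roles)}


SERVICES = [Service(
    name="Wireless 802.1X",
    service_rules=[("Connection:Protocol", "EQUALS", "RADIUS"),
                   ("Radius:IETF:NAS-Port-Type", "EQUALS", "Wireless-802.11")],
    role_policy=RoleMappingPolicy(
        rules=[Rule([("Authorization:AD:memberOf", "EQUALS", "Engineering")], "Engineer"),
               Rule([("Authorization:AD:memberOf", "EQUALS", "VPN-Users")], "Remote Worker")],
        default_role="[Other]"),
    enforcement=EnforcementPolicy(
        rules=[Rule([("Tips:Posture", "NOT_EQUALS", "HEALTHY")], "Quarantine VLAN"),
               Rule([("Tips:Posture", "EQUALS", "HEALTHY"),
                     ("Tips:Role", "EQUALS", "Engineer")], "Engineering VLAN"),
               Rule([("Tips:Posture", "EQUALS", "HEALTHY"),
                     ("Tips:Role", "EQUALS", "[Other]")], "Guest VLAN")],
        default_profile="[Deny Access Profile]"),
)]

# Constructed requests: a healthy engineer, a quarantined contractor, and a
# wired MAC-auth request that no configured service claims.
HEALTHY_ENGINEER = {"Connection:Protocol": "RADIUS", "Radius:IETF:NAS-Port-Type": "Wireless-802.11",
                    "Radius:IETF:User-Name": "alice",
                    "Authorization:AD:memberOf": ["Engineering", "VPN-Users"], "Tips:Posture": "HEALTHY"}
QUARANTINED_CONTRACTOR = {"Connection:Protocol": "RADIUS", "Radius:IETF:NAS-Port-Type": "Wireless-802.11",
                          "Radius:IETF:User-Name": "bob",
                          "Authorization:AD:memberOf": ["Contractors"], "Tips:Posture": "QUARANTINE"}
WIRED_MAC_AUTH = {"Connection:Protocol": "RADIUS", "Radius:IETF:NAS-Port-Type": "Ethernet",
                  "Radius:IETF:User-Name": "00-11-22-33-44-55"}
```

`process(SERVICES, HEALTHY_ENGINEER)` lands in the wireless service, collects both roles ("Engineer" and "Remote Worker") and applies only the Engineering VLAN profile; the contractor matches no role rule, so the default role "[Other]" is assigned and the unhealthy posture selects the Quarantine VLAN profile alone; the wired request matches no service rule and is returned with no service, which is where Policy Manager would reject it.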
Chapter 8 Web Based Authentication Use Case

This Service supports known Guests with inadequate 802.1X supplicants or posture agents. The following figure illustrates the overall flow of control for this Policy Manager Service.

Figure 40: Flow-of-Control of Web-Based Authentication for Guests

Configuring the Service

Perform the following steps to configure Policy Manager for WebAuth-based Guest access.

1. Prepare the switch to pre-process WebAuth requests for the Policy Manager Dell WebAuth service.
Refer to your Network Access Device documentation to configure the switch such that it redirects HTTP requests to the Dell Guest Portal, which captures the username and password and optionally launches an agent that returns posture data.

2. Create a WebAuth-based Service.
Navigation: Settings
- to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
- Upon completion, click Next (until you reach Enforcement Policy).
Navigation: Setting
Configure the Validator: Windows System Health Validator (popup) >
- Enable all Windows operating systems (check box) >
- Enable Service Pack levels for Windows 7, Vista, XP, Server 2008, Server 2008 R2, and Server 2003 (check boxes) >
- Save (button) >
- When finished working in the Posture Plugin tab, click Next to move to the Rules tab.
Set rules to correlate validation results with posture tokens:
- Rules (tab) >
- Add Rule (button opens popup) >
- Rules Editor (popup) >
- Conditio
  - Remediate End-Hosts: When a client does not pass posture evaluation, redirect to the indicated server for remediation.
  - Remediation URL: URL of the remediation server.

5. Create an Enforcement Policy.

Because this Use Case assumes the Guest role, and the Dell Web Portal agent has returned a posture token, it does not require configuration of Role Mapping or Posture Evaluation.
Chapter 9 MAC Authentication Use Case This Service supports Network Devices, such as printers or handhelds. The following image illustrates the overall flow of control for this Policy Manager Service. In this service, an audit is initiated on receiving the first MAC Authentication request.
Figure 41: Flow-of-Control of MAC Authentication for Network Devices

Configuring the Service

Follow these steps to configure Policy Manager for MAC-based Network Device access.

1. Create a MAC Authentication Service.

Table 32: MAC Authentication Service Navigation and Settings
Navigation: Settings
Create a new Service:
- Services >
- Add Service (link) >
Name the Service and select a preconfigured Service Type:
- Service (tab) >
- Type (selector): MAC Authentication >
- Name/Description (freeform) >
- Upon completion, click Next to configure Authentication

2. Set up Authentication

Note that you can select any type of authentication/authorization source for a MAC Authentication service.
Table 34: Audit Server Navigation and Settings
Navigation: Settings
Configure the Audit Server:
- Audit (tab) >
- Audit End Hosts (enable) >
- Audit Server (selector): NMAP
- Trigger Conditions (radio button): For MAC authentication requests
- Reauthenticate client (check box): Enable

Upon completion of the audit, Policy Manager caches Role (NMAP and NESSUS) and Posture (NESSUS), then resets the connection (or the switch reauthenticates after a short session timeout), triggering a new request, which follo
Chapter 10 TACACS+ Use Case

This Service supports Administrator connections to Network Access Devices via TACACS+. The following image illustrates the overall flow of control for this Policy Manager Service.

Figure 42: Administrator connections to Network Access Devices via TACACS+

Configuring the Service

Perform the following steps to configure Policy Manager for TACACS+-based access:

1. Create a TACACS+ Service.
Table 36: TACACS+ Navigation and Settings
Navigation: Settings
Create a new Service:
- Services >
- Add Service (link) >
Name the Service and select a pre-configured Service Type:
- Service (tab) >
- Type (selector): [Policy Manager Admin Network Login Service] >
- Name/Description (freeform) >
- Upon completion, click Next (to Authentication)

2. Set up the Authentication
a. Method: The Policy Manager TACACS+ service authenticates TACACS+ requests internally.
b.
4. Save the Service. Click Save. The Service now appears at the bottom of the Services list. Dell Networking W-ClearPass Policy Manager 6.
Dell Networking W-ClearPass Policy Manager 6.
Chapter 11 Single Port Use Case

This Service supports all three types of connections on a single port. The following figure illustrates the overall flow of control for this hybrid service, in which complementary switch and Policy Manager configurations allow all three types of connections on a single port:

Figure 43: Flow of the Multiple Protocol Per Port Case
Chapter 12 Services

The Policy Manager policy model groups policy components that serve a particular type of request into Services, which sit at the top of the policy hierarchy.

To help you get started, Policy Manager comes pre-configured with 14 different Service types or templates. If these service types do not suit your needs, you can roll your own service with custom service rules.

Start Here Page

From the Configuration > Start Here page, you can create a new service by clicking on any of the pre-configured Policy Manager Service Types.

Figure 45: Service Wizard with Clickable Flow

The rest of the service configuration flow is as described in Policy Manager Service Types.
Policy Manager Service Types

The following service types come preconfigured on Policy Manager:

Table 39: Policy Manager Service Types

Service Type | Description / Available Policy Components (in tabs) / Service Rule (in Rules Editor) / Service-specific policy components (called out with legend below)

802.1X Wireless

Template for wireless hosts connecting through a Dell W-Series 802.11 wireless access device or controller, with authentication via IEEE 802.1X.

To associate a role mapping policy with this service, click on the Roles tab. For information on configuring role mapping policies, refer to "Configuring a Role Mapping Policy" on page 154. By default, this type of service does not have Posture checking enabled.

No Action: The audit will not apply policies on the network device after this audit.

Do SNMP bounce: This option bounces the switch port or forces an 802.1X reauthentication (both done via SNMP).

NOTE: Bouncing the port triggers a new 802.1X/MAC authentication request by the client.

You can enable posture checking for this kind of service if you are deploying Policy Manager in a Microsoft NAP or Cisco NAC framework environment, or if you are deploying a Dell hosted captive portal that does posture checks through a dissolvable agent.

802.1X Wired

For clients connecting through an Ethernet LAN, with authentication via IEEE 802.1X. Except for the service rules shown above, configuration for the rest of the tabs is similar to the 802.1X Wireless Service.

NOTE: You cannot configure Posture for this type of service. Audit can optionally be enabled for this type of service by checking the Audit End-hosts check box on the Service tab. You can perform the audit For known end-hosts only, For unknown end hosts only, or For all end hosts.

this type of service. Note that when you configure posture policies, only those that are configured for the OnGuard Agent are shown in the list of posture policies. Refer to the "802.1X Wireless" on page 92 service type for a description of the other tabs.

RADIUS Enforcement [Generic]

Template for any kind of RADIUS request. Rules can be added to handle RADIUS requests that send any type of standard or vendor-specific attributes.

NOTE: No default rule is associated with this service type.

TACACS+ Enforcement

Template for any kind of TACACS+ request.

NOTE: No default rule is associated with this service type. Rules can be added to filter the request based on the Date and Connection namespaces. See "Rules Editing and Namespaces" on page 341 for more information.

By default, this service uses the Authentication Method [PAP]. You can click on the Authorization and Audit End-hosts options to enable additional tabs. Refer to the "802.1X Wireless" on page 92 service type for a description of these tabs.

Services

You can use these service types as configured, or you can edit their settings.
Label | Description

Export Service: Export all currently defined services, including all associated policies.
Filter: Filter the service listing by specifying values for different listing fields (Name, Type, Template, Status).
Status: The status displays in the last column of the table. A green/red icon indicates the enabled/disabled state. Clicking on the icon toggles the status of a Service between Enabled and Disabled.

Table 41: Service Page (General Parameters)

Label | Description

Type: Select the desired service type from the drop-down menu. When working with service rules, you can select from the following namespace dictionaries:
- Application: The type of application for this service.
- Authentication: The Authentication method to be used for this service.

Audit End-hosts: Select an Audit Server, either built-in or customized. Refer to "Configuring Audit Servers" on page 204 for audit server configuration steps. For this type of service you can trigger an audit Always, When posture is not available, or For MAC authentication requests.

To modify an existing service, click on its name in the Configuration > Services page. This opens the Services > Edit form. Select the Service tab on this form to edit the service information.

Figure 49: Services Configuration

The following fields are available on the Service tab.

Table 42: Service Page (General Parameters)

Label | Description

Name: Enter or modify the label for a service.
Description: Enter or modify the service description (optional).

- Authentication: The Authentication method to be used for this service.
- Connection: Originator address (Src-IP-Address, Src-Port), Destination address (Dest-IP-Address, Dest-Port), and Protocol.
- Device: Filter the service based on a specific device type, vendor, operating system, location, or controller ID.
- Date: Time-of-Day, Day-of-Week, or Date-of-Year.
- Endpoint: Filter based on endpoint information, such as enabled/disabled, device, OS, location, and more.

Figure 51: Reordering Services

Table 44: Reordering Services

Label | Description

Move Up/Move Down: Select a service from the list and move it up or down.
Save: Save the reorder operation.
Cancel: Cancel the reorder operation.
Chapter 13 Authentication and Authorization

As the first step in Service-based processing, Policy Manager uses an Authentication Method to authenticate the user or device against an Authentication Source. Once the user or device is authenticated, Policy Manager fetches attributes for role mapping policies from the Authorization Sources associated with this Authentication Source.

Figure 52: Authentication and Authorization Flow of Control

Configuring Authentication Components

The following summarizes the methods for configuring authentication:
- For an existing Service, you can add or modify the authentication method or source by opening the Service (Configuration > Services, then select), then opening the Authentication tab.
- For a new Service, the Policy Manager wizard automatically opens the Authentication tab for configuration.

Figure 53: Authentication Components

From the Authentication tab of a service, you can configure three features of authentication:

Table 45: Authentication Features at the Service Level

Configurable Component | Configuration Steps

Sequence of Authentication Methods: 1. 2. 3.
Sequence of Authentication Sources: 1. 2. 3.

Table 46: Policy Manager Supported Authentication Methods

EAP, Tunneled:
- EAP Protected EAP (EAP-PEAP)
- EAP Flexible Authentication Secure Tunnel (EAP-FAST)
- EAP Transport Layer Security (EAP-TLS)
- EAP Tunneled TLS (EAP-TTLS)

EAP, Non-Tunneled:
- EAP Message Digest 5 (EAP-MD5)
- EAP Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)
- EAP Generic Token Card (EAP-GTC)

Non-EAP:
- Challenge Handshake Authentication Protocol (CHAP)
- Password Authentication Protocol (PAP)
- Mic
Depending on the Type selected, different tabs and fields appear. Refer to the following:
- "PAP" on page 113
- "MSCHAP" on page 114
- "EAP-MSCHAP v2" on page 114
- "EAP-GTC" on page 115
- "EAP-TLS" on page 116
- "EAP-TTLS" on page 118
- "EAP-PEAP" on page 119
- "EAP-FAST" on page 121
- "MAC-AUTH" on page 126
- "CHAP and EAP-MD5" on page 127

PAP

The PAP method contains one tab.

General Tab

The General tab labels the method and defines session details.

Parameter | Description

Type: In this context, always PAP.
Encryption Scheme: Select the PAP authentication encryption scheme. Supported schemes are: Clear, Crypt, MD5 and SHA1.

MSCHAP

The MSCHAP method contains one tab.

General Tab

The General tab labels the method and defines session details.

Figure 56: MSCHAP General Tab

Table 48: MSCHAP General Tab

Parameter | Description

Name/Description: Freeform label and description.
Type: In this context, always MSCHAP.

Figure 57: EAP-MSCHAPv2 General Tab

Table 49: EAP-MSCHAPv2 General Tab

Parameter | Description

Name/Description: Freeform label and description.
Type: In this context, always EAP-MSCHAPv2.

EAP-GTC

The EAP-GTC method contains one tab.

General Tab

The General tab labels the method and defines session details.

Figure 58: EAP-GTC General Tab

Table 50: EAP-GTC General Tab

Parameter | Description

Name/Description: Freeform label and description.
Type: In this context, always EAP-GTC.
Challenge: Specify an optional password.

EAP-TLS

The EAP-TLS method contains one tab.

General Tab

The General tab labels the method and defines session details.

Figure 59: EAP_TLS General Tab

Table 51: EAP_TLS General Tab

Parameter | Description

Name/Description: Freeform label and description.
Type: In this context, always EAP_TLS.
Session Resumption: Caches EAP-TLS sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: How long (in hours) to retain cached EAP-TLS sessions.
Authorization Required: Specify whether to perform an authorization check.

Parameter | Description

Override OCSP URL from the Client: Select this option if you want to use a different URL for OCSP. After this is enabled, you can enter a new URL in the OCSP URL field.
OCSP URL: If Override OCSP URL from the Client is enabled, enter the replacement URL here.

EAP-TTLS

The EAP-TTLS method contains two tabs.

General Tab

The General tab labels the method and defines session details.

Inner Methods Tab

The Inner Methods tab controls the inner methods for the EAP-TTLS method:

Figure 61: EAP_TTLS Inner Methods Tab

Select any method available in the current context from the drop-down list. Functions available in this tab include:
- To append an inner method to the displayed list, select it from the drop-down list, then click Add. The list can contain multiple inner methods, which Policy Manager will send, in priority order, until negotiation succeeds.
Figure 62: EAP-PEAP General Tab

Table 53: EAP-PEAP General Tab

Parameter | Description

Name/Description: Freeform label and description.
Type: In this context, always EAP-PEAP.
Session Resumption: Caches EAP-PEAP sessions on Policy Manager for reuse if the user/client reconnects to Policy Manager within the session timeout interval.
Session Timeout: How long (in hours) to retain cached EAP-PEAP sessions.

Parameter | Description

Support enabled client. When enabled, Policy Manager prompts the client for Microsoft Statement of Health (SoH) credentials.
Enforce Cryptobinding: Enabling the cryptobinding setting ensures an extra level of protection for PEAPv0 exchanges. It ensures that the PEAP client and PEAP server (Policy Manager) participated in both the outer and inner handshakes. This is currently valid only for the client PEAP implementations in Microsoft Windows 7, Windows Vista and Windows XP SP3.

Figure 64: EAP-FAST General Tab

Table 54: EAP_FAST General Tab

Parameter | Description

Name/Description: Freeform label and description.
Type: In this context, always EAP_FAST.
Session Resumption: Caches EAP-FAST sessions on Policy Manager for reuse if the user/end-host reconnects to Policy Manager within the session timeout interval.
Session Timeout: How long (in hours) to retain cached EAP-FAST sessions.

Parameter | Description

- To compare specific attributes, choose Compare Common Name (CN), Compare Subject Alternate Name (SAN), or Compare CN or SAN.
- To perform a binary comparison of the stored (in the end-host record in Active Directory or another LDAP-compliant directory) and presented certificates, choose Compare Binary.

Figure 66: EAP_FAST PACs Tab

- To provision a Tunnel PAC on the end-host after initial successful machine authentication, specify the Tunnel PAC Expire Time (the time until the PAC expires and must be replaced by automatic or manual provisioning) in hours, days, weeks, months, or years. During authentication, Policy Manager can use the Tunnel PAC shared secret to create the outer EAP-FAST tunnel.

Figure 67: EAP_FAST PAC Provisioning Tab

Table 55: EAP_FAST PAC Provisioning Tab

Parameter | Description | Considerations

Allow Anonymous Mode: When in anonymous mode, phase 0 of EAP_FAST provisioning establishes an outer tunnel without end-host/Policy Manager authentication (not as secure as the authenticated mode). Once the tunnel is established, end-host and Policy Manager perform mutual authentication using MSCHAPv2, then Policy Manager provisions the end-host with an appropriate PAC (tunnel or machine).

Parameter | Description | Considerations

authentication; the end-host subsequently reauthenticates using the newly provisioned PAC. When enabled, Policy Manager accepts the end-host authentication in the provisioning mode itself; the end-host does not have to re-authenticate.

Parameter | Description

not in a configured authentication source. This setting is enabled, for example, when you want Policy Manager to trigger an audit for an unknown client. By turning on this check box and enabling audit (see "Configuring Audit Servers" on page 204), you can trigger an audit of an unknown client.

CHAP and EAP-MD5

In addition to the methods listed above, Policy Manager also comes packaged with CHAP and EAP-MD5 methods. These are named [CHAP] and [EAP-MD5], respectively.
Source | Description | Special Considerations

Policy Manager can also use the RADIUS attributes returned from a token server to create role mapping policies. See "Namespaces" on page 341.

Internal User Database: An internal relational database stores Policy Manager configuration data and locally configured user and device accounts.

When you click Add New Authentication Source from any of these locations, Policy Manager displays the Add page.

Figure 70: Add Authentication Source Page

Depending on the Authentication Source selected, different tabs and fields appear.

Figure 71: Generic LDAP or Active Directory (General Tab)

Table 58: Generic LDAP or Active Directory (General Tab)

Parameter | Description

Name/Description: Freeform label and description.
Type: In this context, Generic LDAP or Active Directory.
Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.

Parameter | Description

Backup Servers Priority: To add a backup server, click Add Backup. When the Backup 1 tab appears, you can specify connection details for a backup server (same fields as for the primary server, specified below). To remove a backup server, select the server name and click Remove. Select Move Up or Move Down to change the priority of the backup servers. This is the order in which Policy Manager attempts to connect to the backup servers if the primary server is unreachable.

Parameter | Description

NetBIOS Domain Name: The AD domain name for this server. Policy Manager prepends this name to the user ID to authenticate users found in this Active Directory. NOTE: This setting is only available for Active Directory.
Verify Server Certificate: Select this check box if you want to verify the Server Certificate as part of the authentication.
Base DN: Enter the DN of the node in your directory tree from which to start searching for records.

Attributes Tab

The Attributes tab defines the Active Directory or LDAP Directory query filters and the attributes to be fetched by using those filters.

Figure 73: Active Directory Attributes Tab (with default data)

Figure 74: Generic LDAP Directory Attributes Tab

Table 60: AD/LDAP Attributes Tab (Filter Listing Screen)

Tab | Parameter/Description

Filter Name / Attribute Name / Alias Name / Enable as Role: Listing column descriptions:
- Filter Name: Name of the filter.

Table 61: AD/LDAP Default Filters Explained

Directory | Default Filters

Active Directory:
- Authentication: This is the filter used for authentication. The query searches in objectClass of type user. This query finds both user and machine accounts in Active Directory:
  (&(objectClass=user)(sAMAccountName=%{Authentication:Username}))
  When a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine.
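The default filter above is a template until the dynamic session attribute is filled in at request time. The following Python snippet is an added illustration of that substitution step and is not ClearPass code: it replaces each %{Namespace:Attribute} token with the value from the request and, as this example's own defensive check, escapes the value per RFC 4515 so that a username containing filter metacharacters is matched only as a literal. The page does not describe how Policy Manager itself encodes the substituted value; the `session` dictionary layout and the sample usernames are constructed for the example.

```python
import re

# RFC 4515 escaping for a value placed inside an LDAP search filter. This step is
# the example's own check; the page does not say how Policy Manager encodes values.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value so the directory treats it as data, not as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# Dynamic session attributes have the form %{Namespace:Attribute}, as in the
# default Active Directory authentication filter quoted in Table 61.
_PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9_-]+):([A-Za-z0-9_-]+)\}")

def placeholders(template: str) -> list[tuple[str, str]]:
    """List the (namespace, attribute) pairs a filter template needs at request time."""
    return [(m.group(1), m.group(2)) for m in _PLACEHOLDER.finditer(template)]

def render_filter(template: str, session: dict[str, dict[str, str]]) -> str:
    """Substitute every %{Namespace:Attribute} with the escaped session value.

    A missing attribute raises KeyError instead of rendering an empty string,
    so a filter never silently degrades into a broader query.
    """
    def substitute(match: re.Match) -> str:
        namespace, attribute = match.group(1), match.group(2)
        return escape_filter_value(session[namespace][attribute])
    return _PLACEHOLDER.sub(substitute, template)

# The default Active Directory authentication filter from Table 61.
AD_AUTH_FILTER = "(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"

if __name__ == "__main__":
    # Constructed request: the authenticating identity under the Authentication
    # namespace, the way the filter expects to find it.
    request = {"Authentication": {"Username": "jdoe"}}
    print(placeholders(AD_AUTH_FILTER))
    print(render_filter(AD_AUTH_FILTER, request))
    # A constructed username carrying filter metacharacters is escaped, so the
    # query can only match an account literally named that way.
    print(render_filter(AD_AUTH_FILTER, {"Authentication": {"Username": "j*doe)"}}))
```

The `placeholders` helper returns exactly the set of values an administrator is prompted for when testing a filter, since those prompts are driven by the same %{Namespace:Attribute} tokens.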
The Filter Creation popup displays when you click the Add More Filters button on the Authentication Sources > Add page. With this popup, you can define a filter query and the related attributes to be fetched.

AD/LDAP Configure Filter Browse Tab

The Browse tab shows an LDAP Browser from which you can browse the nodes in the LDAP or AD directory, starting at the base DN. This is presented in read-only mode.

Figure 76: AD/LDAP Create Filter Popup (Filter Tab)

NOTE: Policy Manager comes pre-populated with filters and selected attributes for Active Directory and generic LDAP directory. New filters need to be created only if you need Policy Manager to fetch role mapping attributes from a new type of record.

NOTE: Records of different types can be fetched by specifying multiple filters that use different dynamic session attributes.

Parameter | Description

The following table describes the steps used in creating a filter.

Table 64: Filter Creation Steps

Step | Description

Step 1, Select filter node: The goal of filter creation is to help Policy Manager understand how to find a user or device connecting to the network in LDAP or Active Directory. From the Filter tab, click on a node that you want to extract user or device information from.

Figure 77: AD/LDAP Configure Filter Attributes Tab

Table 65: AD/LDAP Configure Filter Popup (Attributes Tab)

Parameter | Description

Enter values for parameters: Policy Manager parses the filter query (created in the Filter tab and shown at the top of the Attributes tab) and prompts you to enter the values for all dynamic session parameters in the query. For example, if you have %{Authentication:Username} in the filter query, you are prompted to enter the value for it.

Figure 78: Configure Filter Popup (Configuration Tab)

Modify Default Filters

When you add a new authentication source of type Active Directory or LDAP, a few default filters and attributes are pre-populated. You can modify these pre-defined filters by selecting a filter on the Authentication > Sources > Attributes tab. This opens the Configure Filter page for the specified filter.

NOTE: At least one filter must be specified for the LDAP and Active Directory authentication source.

The functionality that allows you to modify the Data type exists for the Generic SQL DB, Generic LDAP, Active Directory, and HTTP authentication source types. When you are finished editing a filter, click Save.

Kerberos

The Kerberos authentication source contains three tabs: General, Primary, and Summary.

General

The General tab labels the authentication source and defines session details, authorization sources, and backup server details.
Parameter | Description

authentication source the user or device was authenticated against.
Backup Servers: To add a backup Kerberos server, click Add Backup. When the Backup 1 tab appears, you can specify connection details for a backup server (same fields as for the primary server, specified below). To remove a backup server, select the server name and click Remove. Select Move Up or Move Down to change the priority of the backup servers.

- Clear Cache: Clears the attributes cached by Policy Manager for all entities that authorize against this server.
- Copy: Creates a copy of this authentication/authorization source.

General Tab

The General tab labels the authentication source and defines session details, authorization sources, and backup server details.

Figure 82: Generic SQL DB (General Tab)

Table 68: Generic SQL DB (General Tab)

Parameter | Description

Name/Description: Freeform label and description.

Parameter | Description

connection details for a backup server (same fields as for the primary server, specified below). To remove a backup server, select the server name and click Remove. Select Move Up or Move Down to change the priority of the backup servers. This is the order in which Policy Manager attempts to connect to the backup servers.
Cache Timeout: Policy Manager caches attributes fetched for an authenticating entity.

Figure 84: Generic SQL DB (Attributes Tab)

Table 70: Generic SQL DB Attributes Tab (Filter List)

Tab | Parameter/Description

Filter Name / Attribute Name / Alias Name / Enabled As: Listing column descriptions:
- Filter Name: Name of the filter.
- Attribute Name: Name of the SQL DB attributes defined for this filter.
- Alias Name: For each attribute name selected for the filter, you can specify an alias name.
- Enabled As: Indicates whether the filter is enabled as a role or attribute type.

Parameter | Description

Name / Alias Name / Data Type / Enabled As:
- Name: This is the name of the attribute.
- Alias Name: A friendly name for the attribute. By default, this is the same as the attribute name.
- Data Type: Specify the data type for this attribute, such as String, Integer, Boolean, etc.
- Enabled As: Specify whether this value is to be used directly as a role or attribute in an Enforcement Policy. This bypasses the step of having to assign a role in Policy Manager through a Role Mapping Policy.

Parameter | Description

attributes) from this authentication source. If a user or device successfully authenticates against this authentication source, then Policy Manager also fetches role mapping attributes from the same source (if this setting is enabled). This check box is enabled by default.
Authorization Sources: You can specify additional sources from which to fetch role mapping attributes.

Attributes Tab

The Attributes tab defines the RADIUS attributes to be fetched from the token server. These attributes can be used in role mapping policies. (See "Configuring a Role Mapping Policy" on page 154 for more information.) Policy Manager loads all RADIUS vendor dictionaries in the Type drop-down to help select the attributes.

Figure 88: Token Server (Attributes Tab)

Static Host List

The Static Host List authentication source contains three tabs.

Table 74: Static Host List (General Tab)

Parameter | Description

Name/Description: Freeform label.
Type: Static Host List, in this context.
Use for Authorization/Authorization Sources: Not configurable.

Static Host Lists Tab

The Static Hosts List tab defines the list of static hosts to be included as part of the authorization source.

Figure 91: HTTP (General Tab)

Table 76: HTTP (General Tab)

Parameter | Description

Name/Description: Freeform label and description.
Type: In this context, HTTP.
Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization attributes) from this authentication source.

Figure 92: HTTP (Primary Tab)

Table 77: HTTP (Primary Tab)

Parameter | Description

Server Name: Enter the hostname or IP address of the database server.
Login Username/Password: Enter the name of the user used to log into the database. This account should have read access to all the attributes that need to be retrieved by the specified filters. Enter the password for the user account entered in the field above.

Configure Filter Popup

The Configure Filter popup defines a filter query and the related attributes to be fetched from the SQL DB store.

Figure 94: HTTP Filter Configure Popup

Table 79: HTTP Configure Filter Popup

Parameter | Description

Filter Name: Name of the filter.
Filter Query: A SQL query to fetch the attributes from the user or device record in the DB.
Name / Alias Name / Data Type / Enabled As:
- Name: This is the name of the attribute.
- Alias Name: A friendly name for the attribute.
Chapter 14 Identity: Users, Endpoints, Roles and Role Mapping

A Role Mapping Policy reduces client (user or device) identity or attributes associated with the request to Role(s) for Enforcement Policy evaluation. The roles ultimately determine differentiated access.

Architecture and Flow

Roles range in complexity from a simple user group (e.g., Finance, Engineering, or Human Resources) to a combination of a user group with some dynamic constraints (e.g.

Figure 95: Role Mapping Process

Configuring a Role Mapping Policy

After authenticating a request, a Policy Manager Service invokes its Role Mapping Policy, resulting in assignment of a role(s) to the client. This role becomes the identity component of Enforcement Policy decisions.

NOTE: A Service can be configured without a Role Mapping Policy, but only one Role Mapping Policy can be configured for each service.
Figure 97: Role Mapping (Policy Tab)

Table 80: Role Mapping (Policy Tab)

Parameter | Description

Policy Name/Description: Freeform label and description.
Default Role: Select the role to which Policy Manager will default when the role mapping policy does not produce a match.
View Details / Modify / Add new Role: Click on View Details to view the details of the default role. Click on Modify to modify the default role. Click on Add new Role to add a new role.

Figure 99: Rules Editor

Table 81: Role Mappings Page (Rules Editor)

Label | Description

Type: The rules editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries depending on context. (Refer to "Namespaces" on page 341.)

NOTE: The Operator values that display for each Type and Name are based on the data type specified for the Authentication Source (from the Configuration > Authentication > Sources page). If, for example, you modify the UserDN Data type on the Authentication Sources page to be an Integer rather than a string, then the list of Operator values here will populate with values that are specific to Integers.

When you save your Role Mapping configuration, it appears in the Mapping Rules tab list.
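As an added illustration (not Policy Manager code), the following Python sketch models the two behaviours this section describes: the operators offered for a rule are bound to the attribute's configured data type, and the Default Role applies only when no rule matches. The operator sets per type, the rule dictionary format, the `Authorization:AD` namespace name, the sample request and the decision to collect roles from every matching rule are all assumptions made for the example.

```python
import operator

# Operators per data type. Which operators Policy Manager offers for each type is
# not listed on this page, so these sets are an assumption made for the example.
OPERATORS = {
    "String": {
        "EQUALS": operator.eq,
        "NOT_EQUALS": operator.ne,
        "CONTAINS": lambda actual, expected: expected in actual,
    },
    "Integer": {
        "EQUALS": operator.eq,
        "GREATER_THAN": operator.gt,
        "LESS_THAN": operator.lt,
    },
}

def validate_rule(rule, attribute_types):
    """Return the comparison for a rule, rejecting an operator that does not exist
    for the attribute's data type (the editor-side restriction in the NOTE above)."""
    data_type = attribute_types[(rule["type"], rule["name"])]
    if rule["operator"] not in OPERATORS[data_type]:
        raise ValueError(
            f"{rule['operator']} is not valid for {data_type} attribute "
            f"{rule['type']}:{rule['name']}"
        )
    return OPERATORS[data_type][rule["operator"]]

def evaluate_role_mapping(rules, attribute_types, request, default_role):
    """Return the roles of every matching rule, or {default_role} when none match.

    Collecting roles from all matching rules is an assumption for this example;
    the page describes only the default-role fallback.
    """
    roles = set()
    for rule in rules:
        compare = validate_rule(rule, attribute_types)
        actual = request.get(rule["type"], {}).get(rule["name"])
        if actual is not None and compare(actual, rule["value"]):
            roles.update(rule["roles"])
    return roles or {default_role}

# Constructed attribute data types, as they would be set on the Authentication Sources page.
ATTRIBUTE_TYPES = {
    ("Authorization:AD", "memberOf"): "String",
    ("Date", "Day-of-Week"): "String",
    ("Connection", "Src-Port"): "Integer",
}

# Constructed mapping rules for the example.
RULES = [
    {"type": "Authorization:AD", "name": "memberOf", "operator": "CONTAINS",
     "value": "CN=Finance", "roles": {"Finance"}},
    {"type": "Date", "name": "Day-of-Week", "operator": "EQUALS",
     "value": "Saturday", "roles": {"Weekend-Access"}},
]

if __name__ == "__main__":
    # Constructed request attributes for a weekday login by a Finance group member.
    request = {
        "Authorization:AD": {"memberOf": "CN=Finance,OU=Groups,DC=example,DC=com"},
        "Date": {"Day-of-Week": "Monday"},
    }
    print(evaluate_role_mapping(RULES, ATTRIBUTE_TYPES, request, "[Guest]"))
```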
Table 82: Add New Role

Parameter | Description

Role Name/Description: Freeform label and description.

Local Users, Guest Users, Onboard Devices, Endpoints, and Static Host List Configuration

The internal Policy Manager database ([Local User Repository], [Guest User Repository]) supports storage of user records, when a particular class of users is not present in a central user repository (e.g.

Table 83: Add Local User

Parameter | Description

User ID / Name / Password / Verify Password: Freeform labels and password.
Enable User: Uncheck to disable this user account.
Role: Select a static role for this local user.
Attributes: Add custom attributes for this local user. Click on the "Click to add..." row to add custom attributes. By default, four custom attributes appear in the Attribute drop-down: Phone, Email, Sponsor, Designation. You can enter any name in the attribute field.

Adding and Modifying Guest Users

An administrator with the Policy Manager Receptionist role provisions users specifically as Guests (local users with a pre-defined role of Guest). From the menu, select Configuration > Identity > Guest Users.

Figure 104: Guest Users Listing

Table 84: Guest Users Listing

Parameter | Description

User Name: Guest user name.
Sponsor Name: Sponsor who sponsored the guest.
Guest Type: USER (for guest users) and DEVICE (for devices registered from the GuestConnect product).

Figure 105: Add New Guest User

Figure 106: Add New Guest Device

Table 85: Add New Guest User/Device

Parameter | Description

Guest Type: Add a guest user or a guest device.
User ID / Name / Password / Verify Password (Guest User only): Freeform labels and password. Click Auto Generate to auto-generate a password for the guest user.

Parameter | Description

MAC Address (Guest Device only): MAC address of the guest device.
Enable Guest: Check to enable the guest user.
Expiry Time: Use the date widget to select the date and time on which this Guest User's access expires.
Attributes: Add custom attributes for this guest user. Click on the "Click to add..." row to add custom attributes. By default, six custom attributes appear in the Attribute drop-down: Company-Name, Location, Phone, Email, Sponsor, Designation.
Click on a device name within a row to drill down and view detailed information about the device, including the device password, start and expiry times, owner, serial number, UUID, product name, and product version. You can also use the Enable Device check box to enable or disable the device.
Figure 110: Endpoint Authentication Details To manually add an endpoint, click Add Endpoint to display the Add Endpoint popup. Figure 111: Add Endpoint Table 86: Add Endpoint Parameter Description MAC Address MAC address of the endpoint. Status Mark as Known, Unknown or Disabled client. The Known and Unknown status can be used in role mapping rules via the Authentication:MacAuth attribute. The Disabled status can be used to block access to a specific endpoint.
Notice that the Policy Cache Values section lists the role(s) assigned to the user and the posture status. Policy Manager can use these cached values in authentication requests from this endpoint. Clear Cache clears the computed policy results (roles and posture). Figure 112: Endpoint Popup To delete an endpoint, in the Endpoints listing page, select it (via check box) and click the Delete button. To export an endpoint, in the Endpoints listing page, select it (via check box) and click the Export button.
To add a Static Host List, click the Add Static Host List link. This opens the Add Static Host List popup.
Figure 114: Add Static Host List
Table 87: Add Static Host List
Name/Description: Freeform labels and descriptions.
Host Format: Select a format for expression of the address: subnet, IP address or regular expression.
Host Type: Select a host type: IP Address or MAC Address (radio buttons).
Chapter 15 Posture
Policy Manager provides several posture methods for health evaluation of clients requesting access. These methods all return Posture Tokens (e.g., Healthy, Quarantine) that Policy Manager uses as input into Enforcement Policy. One or more of these posture methods may be associated with a Service.
Posture Architecture and Flow
Policy Manager supports three different types of posture checking:
• Posture Policy.
Figure 115: Posture Evaluation Process
Policy Manager uses posture evaluation to assess client consistency with enterprise endpoint health policies, specifically with respect to:
• Operating system version/type
• Registry keys/services present (or absent)
• Antivirus/antispyware/firewall configuration
• Patch level of different software components
• Peer to Peer application checks
• Services to be running or not running
• Processes to be running or not running
Each configured health check ret
• Infected. Client is infected and is a threat to other systems in the network; network access should be denied or severely restricted.
• Unknown. The posture token of the client is unknown.
Upon completion of all configured posture checks, Policy Manager evaluates all application tokens and calculates a system token, equivalent to the most restrictive rating for all returned application tokens. The system token provides the health posture component for input to the Enforcement Policy.
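As an added example (not code from this guide) of the aggregation just described: each posture method's health-check results become an application token, and the system token is the most restrictive of them. The rule mapping check results to tokens, the restrictiveness ordering (in particular where Unknown sits), and the sample check results are assumptions.

```python
# Added example, not code from the ClearPass guide. Models how the
# application tokens returned by each posture method combine into the
# single system token that feeds Enforcement Policy.
from enum import IntEnum


class PostureToken(IntEnum):
    """Posture tokens named in the guide, ordered from least to most
    restrictive. The ordering (especially where UNKNOWN sits) is an
    assumption; the guide only says the system token is the most
    restrictive of the application tokens."""
    HEALTHY = 0
    QUARANTINE = 1
    INFECTED = 2
    UNKNOWN = 3


def application_token(check_results):
    """Derive one posture method's application token from its health
    checks ({check name: passed?}). Assumed rule: every check passed ->
    HEALTHY; any failed check -> QUARANTINE; no results at all (the agent
    reported nothing) -> UNKNOWN."""
    if not check_results:
        return PostureToken.UNKNOWN
    if all(check_results.values()):
        return PostureToken.HEALTHY
    return PostureToken.QUARANTINE


def system_token(app_tokens):
    """Most restrictive application token across all configured posture
    methods ({method name: PostureToken}). No method reporting -> UNKNOWN."""
    if not app_tokens:
        return PostureToken.UNKNOWN
    return max(app_tokens.values())


def evaluate_posture(results_by_method):
    """Full flow: per-method application tokens, then the system token.
    Returns (system token, {method name: application token})."""
    app = {name: application_token(checks)
           for name, checks in results_by_method.items()}
    return system_token(app), app


# Constructed sample: one endpoint evaluated by two posture methods. A single
# failed check in one method quarantines the client even though the other
# method reports it healthy.
SAMPLE = {
    "ClearPass Windows Universal SHV": {
        "Antivirus application on": True,
        "Firewall on": True,
        "Process present: av-service.exe": True,   # constructed process name
    },
    "Windows System Health Validator": {
        "Service pack level current": False,
    },
}

if __name__ == "__main__":
    token, per_method = evaluate_posture(SAMPLE)
    print(token.name, {k: v.name for k, v in per_method.items()})
```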
Configurable Component / How to Configure
endpoints.
Remediation URL: This URL defines where to send additional remediation information to endpoints.
Sequence of Posture Servers: Select a Posture Server, then select Move Up, Move Down, Remove, or View Details.
• To add a previously configured Posture Server, select from the Select dropdown list, then click Add.
• To configure a new Posture Server, click the Add New Posture Server link and refer to "Adding and Modifying Posture Servers" on page 199.
  ◦ ClearPass Linux Universal System Health Validator. Configurable checking for present/absent services.
  ◦ ClearPass Mac OS X Universal System Health Validator. Configurable product-, version- or update-specific checking for Antivirus/Antispyware applications and Firewall configuration.
Note that the ClearPass OnGuard Agent, in both its persistent and dissolvable forms, can be used in the following scenarios:
• An environment that does not support 802.
supported by the OnGuard Agent: Microsoft Windows 8, Microsoft Windows 7, Microsoft Windows Vista, Microsoft Windows XP SP3, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2003, Apple Mac OS X 10.5 or above, and Linux OSes supported by the ClearPass Linux NAP Agent.
Host Operating System: Select Linux, Windows or Mac OS X. Note that Mac OS X is not available if the Posture Agent is NAP.
Figure 121: Add Posture Policy (Posture Plugins Tab) - Linux OnGuard Agent
Figure 122: Add Posture Policy (Posture Plugins Tab) - Mac OS X OnGuard Agent
Refer to the following sections for plugin-specific configuration instructions:
• "ClearPass Windows Universal System Health Validator - NAP Agent" on page 176
• "Windows System Health Validator - NAP Agent" on page 199
• "Windows Security Health Validator - NAP Agent" on page 197
• "ClearPass Windows Universal System Health Validator - OnGuard
• Unknown. The posture token of the client is unknown.
4. Click Save when you are finished.
Figure 123: Add Posture Policy (Rules Tab)
ClearPass Windows Universal System Health Validator - NAP Agent
The ClearPass Windows Universal System Health Validator popup appears in response to actions in the Posture Plugins tab of the Posture configuration.
Figure 124: ClearPass Windows Universal System Health Validator - NAP Agent
Select a version of Windows and click the check box to enable checks for that version. Enabling checks for a specific version displays the following set of configuration pages. These pages are explained in the sections that follow.
Insert: To add a service to the list of available services, enter its name in the text box adjacent to this button, then click Insert.
Delete: To remove a service from the list of available services, select it and click Delete.
Processes
The Processes page provides a set of widgets for specifying specific processes to be explicitly present or absent on the system.
Processes to be Present
Figure 127: Process to be Present Page (Detail)
Table 92: Process to be Present Page (Detail)
Process Location: Choose from one of the pre-defined paths, or choose None.
• SystemDrive - For example, C:
• SystemRoot - For example, C:\Windows
• ProgramFiles - For example, “C:\Program Files”
• HOMEDRIVE - For example, C:
• HOMEPATH - For example, \Users\JohnDoe
• None - By selecting None, you can enter a custom path
n
Enter the Process name
Enter the Display name
Processes to be Absent
Figure 128: Process to be Absent Page (Detail)
Table 93: Process to be Absent Page (Detail)
Check Type: Select the type of process check to perform. The agent can look for:
• Process Name - The agent looks for all processes that match the given name. For example, if notepad.exe is specified, the agent kills all processes whose name matches, regardless of the location from which these processes were started.
Figure 129: Process Page (Overview - Post Add)
Registry Keys
The Registry Keys page provides a set of widgets for specifying specific registry keys to be explicitly present or absent.
Registry Keys to be Absent
Figure 131: Registry Keys Page (Detail)
Table 95: Registry Keys Page (Detail)
Hive/Key/Value (name, type, data): Identifying information for a specific setting for a specific registry key. When you save your Registry details, the key information appears in the Registry page list.
Figure 134: Antivirus Page (Detail 1)
Click Add to specify product and version check information.
Figure 135: Antivirus Page (Detail 2)
After you save your Antivirus configuration, it appears in the Antivirus page list.
Interface: Antivirus Page (Detail 1)
• Add: To configure Antivirus application attributes for testing against health data, click Add.
• Trashcan icon: To remove configured Antivirus application attributes from the list, click the trashcan icon in that row.
Interface: Antivirus Page (Detail 2)
• Product/Version/Last Check: Configure the specific settings for which to test against health data. Not all of these checks are available for every product.
Figure 139: AntiSpyware Page (Detail 2)
Figure 140: AntiSpyware Page (Overview After)
When you save your AntiSpyware configuration, it appears in the AntiSpyware page list. The configuration elements are the same for antivirus and antispyware products; refer to the previous Antivirus configuration instructions.
Firewall
In the Firewall page, you can specify that a Firewall application must be on, and drill down to specify information about the Firewall application.
Figure 143: Firewall Page (Detail 2)
When you save your Firewall configuration, it appears in the Firewall page list.
Figure 145: Peer to Peer Page
Table 98: Peer to Peer Page
Auto Remediation: Enable to allow auto remediation for service checks (automatically stop peer to peer applications based on the entries in the Applications to Stop configuration).
User Notification: Enable to allow user notifications for peer to peer application/network check policy violations.
Click Add to specify product and version check information.
Figure 148: Patch Management Page (Detail 2)
When you save your patches configuration, it appears in the Patch Management page list.
Windows Hotfixes
The Windows Hotfixes page provides a set of widgets for checking whether specific Windows hotfixes are installed on the endpoint.
Figure 150: Windows Hotfixes Page
Table 100: Windows Hotfixes
Auto Remediation: Enable to allow auto remediation for hotfix checks (automatically trigger updates of the specified hotfixes).
User Notification: Enable to allow user notifications for hotfix check policy violations.
Table 101: USB Devices
Auto Remediation: Enable to allow auto remediation for USB mass storage devices attached to the endpoint (automatically stop or eject the drive).
User Notification: Enable to allow user notifications for USB device policy violations.
Remediation Action for USB Mass Storage Devices:
• No Action - Take no action; do not eject or disable the attached devices.
• Remove USB Mass Storage Devices - Eject the attached devices.
Figure 153: Network Connections
Select the Check for Network Connection Types check box, and then click Configure to specify the type of connection that you want to include.
Storage Devices
• devices.
• Disable Network Connections - Disable network connections for the configured network type.
Click Save when you are finished. This returns you to the Network Connections Configuration page. The remaining fields on this page are described below.
Figure 155: ClearPass Linux Universal System Health Validator - NAP Agent
Select a Linux version and click the Enable checks check box for that version. The Services view appears automatically and provides a set of widgets for specifying specific services to be explicitly running or stopped for the different Linux versions.
Figure 156: General Configuration Section
Select Firewall Check to display a view where you can specify Firewall parameters, specifically with respect to which ports may be open or blocked.
Figure 157: Firewall view
Select Antivirus Check, then click Add in the view that appears to specify Antivirus details.
Figure 158: Antivirus Check view
When you save your Antivirus configuration, it appears in the Antivirus page list.
Figure 159: Antivirus Check
Table 106: Antivirus Check
Interface: Antivirus Main view
• Add: To configure Antivirus application attributes for testing against health data, click Add.
• Trashcan icon: To remove configured Antivirus application attributes from the list, click the trashcan icon in that row.
• Product/Version/Last Check: Configure the specific settings for which to test against health data.
Figure 160: ClearPass Mac OS X Universal System Health Validator - OnGuard Agent
Select a check box to enable checks for Mac OS X. Enabling these check boxes displays a corresponding set of configuration pages:
• In the Antivirus page, you can specify that an Antivirus application must be on, and drill down to specify information about the Antivirus application. Click on An Antivirus Application is On to configure the Antivirus application information.
Figure 163: Antivirus Page (Detail 2)
When you save your Antivirus configuration, it appears in the Antivirus page list. See "ClearPass Windows Universal System Health Validator - NAP Agent" on page 176 for antivirus page and field descriptions.
• In the Antispyware page, an administrator can specify that an Antispyware application must be on, and drill down to specify information about the Antispyware application.
Figure 164: Windows Security Health Validator
Windows Security Health Validator - OnGuard Agent
This validator checks for the presence of specific types of security applications. An administrator can use the check boxes to restrict access based on the absence of the selected security application types.
Figure 165: Windows Security Health Validator
Windows System Health Validator - NAP Agent
This validator checks for current Windows Service Packs. An administrator can use the check boxes to enable support of specific operating systems and to restrict access based on service pack level.
Figure 166: Windows System Health Validator (Overview)
Windows System Health Validator - OnGuard Agent
This validator checks for current Windows Service Packs.
Server evaluates the posture data and returns Application Posture Tokens. From the Services page (Configuration > Service), you can configure a posture server for a new service (as part of the flow of the Add Service wizard), or modify an existing posture server directly (Configuration > Posture > Posture Servers, then click on its name in the Posture Servers listing).
Figure 170: Microsoft NPS Settings (Primary and Backup Server tabs)
Table 108: Microsoft NPS Settings (Primary and Backup Server tabs)
RADIUS Server Name/Port: Hostname or IP address and RADIUS server UDP port.
Shared Secret: Enter the shared secret for RADIUS message exchange; the same secret has to be entered on the RADIUS server (Microsoft NPS) side.
Timeout: How many seconds to wait before deeming the connection dead; if a backup is configured, Policy Manager will attempt to con
Chapter 16 Audit Servers
Audit Servers evaluate posture and/or role for unmanaged or unmanageable clients; that is, clients that lack an adequate posture agent or 802.1X supplicant (for example, printers, PDAs, or guest users may not be able to send posture credentials or identify themselves). A Policy Manager Service can trigger an audit by sending a client ID to a pre-configured Audit Server, which returns attributes for role mapping and posture evaluation.
Figure 171: Flow of Control of Policy Manager Auditing
Refer to "Configuring Audit Servers" on page 204 for additional information.
Configuring Audit Servers
The Policy Manager server contains built-in Nessus (version 2.X) and NMAP servers. For enterprises with existing audit server infrastructure, or otherwise preferring external audit servers, Policy Manager supports these servers externally.
Built-In Audit Servers
When configuring an audit as part of a Policy Manager Service, you can select the default Nessus ([Nessus Server]) or NMAP ([Nmap Audit]) configuration.
Adding Auditing to a Policy Manager Service
1. Navigate to the Audit tab.
• To configure an audit server for a new service (as part of the flow of the Add Service wizard), navigate to Configuration > Services. Select the Add Services link. In the Add Services form, select the Audit tab.
Audit Trigger Conditions:
• Always: Always perform an audit.
• When posture is not available: Perform an audit only when posture credentials are not available in the request.
• For MAC Authentication Request: If you select this option, Policy Manager presents three additional settings:
  ◦ For known end-hosts only. For example, when you want to reject unknown end-hosts, but audit known clients for.
Reauthenticate client
Figure 174: Upload Nessus Plugins Popup
• In the Rules tab, you can create post-audit rules for determining Role based on identity attributes discovered by the audit. Refer to Post-Audit Rules.
Custom Audit Servers
For enterprises with existing audit server infrastructure, or otherwise preferring custom audit servers, Policy Manager supports NESSUS (2.x and 3.x) (and NMAP scans using the NMAP plugin on these external Nessus Servers).
To configure a custom Audit Server:
1. Open the Audit page.
Figure 175: NESSUS Audit Server (Audit Tab)
Table 110: NESSUS Audit Server (Audit tab)
Name/Description: Freeform label and description.
Type: For purposes of a NESSUS-type Audit Server, always NESSUS.
In Progress Posture Status: Posture status during the audit. Select a status from the drop-down list.
Default Posture Status: Posture status if evaluation does not return a condition/action match. Select a status from the drop-down list.
Figure 176: NESSUS Audit Server (Primary & Backup Tabs)
Table 111: NESSUS Audit Server - Primary and Backup Server tabs
Server Name and Port/Username/Password: Standard NESSUS server configuration fields.
NOTE: For the backup server to be invoked on primary server failover, check the Enable to use backup when primary does not respond check box.
Figure 177: Audit Tab (NMAP)
Table 112: Audit Tab (NMAP)
Name/Description: Freeform label and description.
Type: For purposes of an NMAP-type Audit Server, always NMAP.
In Progress Posture Status: Posture status during the audit. Select a status from the drop-down list.
Default Posture Status: Posture status if evaluation does not return a condition/action match. Select a status from the drop-down list.
The NMAP Options tab specifies scan configuration.
Figure 178: Options Tab (NMAP)
Table 113: Options Tab (NMAP)
TCP Scan: To specify a TCP scan, select from the TCP Scan drop-down list. Refer to NMAP documentation for more information on these options. NMAP option --scanflags.
UDP Scan: To enable, check the UDP Scan check box. NMAP option -sU.
Service Scan: To enable, check the Service Scan check box. NMAP option -sV.
Detect Host Operating System: To enable, check the Detect Host Operating System check box. NMAP option -A.
Figure 179: Nessus Scan Profile Configuration Page
You can refresh the plugins list (after uploading plugins into Policy Manager, or after refreshing the plugins on your external Nessus server) by clicking Refresh Plugins List.
Figure 180: Nessus Scan Profile Configuration (Profile Tab)
• The Selected Plugins tab displays all selected plugins, plus any dependencies. To display a synopsis of any listed plugin, click on its row.
Figure 181: Nessus Scan Profile Configuration (Profile Tab) - Plugin Synopsis
NOTE: Of special interest is the section of the synopsis entitled Risks.
To delete any listed plugin, click on its corresponding trashcan icon. To change the vulnerability level of any listed plugin, click on the link to change the level to one of HOLE, WARN, INFO, NOTE. This tells Policy Manager the vulnerability level at which the client is assigned QUARANTINE status.
For each selected plugin, the Preferences tab contains a list of fields that require entries. In many cases, these fields will be pre-populated. In other cases, you must provide information required for the operation of the plugin. By way of example of how plugins use this information, consider a plugin that must access a particular service, in order to determine some aspect of the client’s status; in such cases, login information might be among the preference fields.
Table 114: All Audit Server Configurations (Rules Tab)
Rules Evaluation Algorithm: Select first matched rule and return the role, or Select all matched rules and return a set of roles.
Add Rule: Add a rule. Brings up the rules editor. See below.
Move Up/Down: Reorder the rules.
Edit Rule: Brings up the selected rule in edit mode.
Remove Rule: Remove the selected rule.
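An added example (not code from this guide) of the two results an audit contributes, following the per-plugin vulnerability levels and the two rules-evaluation algorithms described above: a posture status derived from which plugins reported a hit, and role(s) derived from post-audit rules over the attributes the audit discovered. The reading that a hit from any plugin at or above the configured level yields QUARANTINE, the severity ordering of the levels, and all plugin ids, attribute names, roles and rules are assumptions; real Nessus or NMAP output is not parsed here.

```python
# Added example, not code from the ClearPass guide. Shows the two outputs an
# audit contributes: a posture status derived from Nessus plugin findings, and
# roles derived from post-audit rules over attributes the audit discovered.
import re

# Vulnerability levels named in the guide, least to most severe (assumed order).
LEVELS = ("NOTE", "INFO", "WARN", "HOLE")


def audit_posture_status(findings, plugin_levels, quarantine_level,
                         in_progress_status, default_status):
    """findings: plugin ids that reported a hit, or None while the scan runs.
    plugin_levels: {plugin id: level} as set in the scan profile.
    quarantine_level: lowest level that earns QUARANTINE (assumed reading of
    the guide). Returns the In Progress status while the scan runs,
    QUARANTINE when any hit is at or above the quarantine level, and
    otherwise the Default status."""
    if findings is None:
        return in_progress_status
    threshold = LEVELS.index(quarantine_level)
    for plugin in findings:
        level = plugin_levels.get(plugin, "NOTE")   # unconfigured plugin: least severe
        if LEVELS.index(level) >= threshold:
            return "QUARANTINE"
    return default_status


def rule_matches(rule, attrs):
    """A rule matches when every condition (attribute name, regex) matches
    the whole attribute value; a missing attribute matches nothing."""
    return all(re.fullmatch(pattern, attrs.get(name, "")) is not None
               for name, pattern in rule["conditions"])


def post_audit_roles(rules, attrs, algorithm):
    """algorithm 'first': role of the first matched rule, or None if none match.
    algorithm 'all': the set of roles from every matched rule."""
    roles = [rule["role"] for rule in rules if rule_matches(rule, attrs)]
    if algorithm == "first":
        return roles[0] if roles else None
    if algorithm == "all":
        return set(roles)
    raise ValueError("algorithm must be 'first' or 'all'")


# Constructed sample data; ids, attribute names, values and roles are not from the guide.
PLUGIN_LEVELS = {"plugin-1001": "HOLE", "plugin-1002": "WARN", "plugin-1003": "INFO"}
DISCOVERED = {"Audit:Device-Type": "Printer", "Audit:Os-Family": "Embedded"}
RULES = [
    {"conditions": [("Audit:Device-Type", "Printer")], "role": "[Printer]"},
    {"conditions": [("Audit:Os-Family", "Embedded|Unknown")], "role": "[Unmanaged]"},
    {"conditions": [("Audit:Device-Type", "Workstation")], "role": "[Employee]"},
]

if __name__ == "__main__":
    # Only an INFO-level plugin fired and the quarantine level is WARN: default status.
    print(audit_posture_status(["plugin-1003"], PLUGIN_LEVELS, "WARN", "UNKNOWN", "HEALTHY"))
    # Same attributes, two algorithms: one role versus the set of all matching roles.
    print(post_audit_roles(RULES, DISCOVERED, "first"), post_audit_roles(RULES, DISCOVERED, "all"))
```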
Chapter 17 Enforcement
Policy Manager controls network access by sending a set of access-control attributes to the request-originating Network Access Device (NAD). Policy Manager determines these attributes by evaluating an Enforcement Policy associated with the service. The evaluation of an Enforcement Policy results in one or more Enforcement Profiles; each Enforcement Profile wraps the access control attributes sent to the Network Access Device.
Figure 187: Flow of Control of Policy Manager Enforcement
Configuring Enforcement Profiles
You configure Policy Manager Enforcement Profiles globally, but they must be referenced in an enforcement policy that is associated with a Service in order to be evaluated. From the Enforcement Policies page (Configuration > Enforcement > Policies), you can configure an Enforcement Profile for a new enforcement policy (as part of the flow of the Add Enforcement Policy wizard), or modify an existing Enforcement Profile directl
Figure 188: Enforcement Profiles Page
Policy Manager comes pre-packaged with the following system-defined enforcement profiles:
• [Allow Access Profile]. System-defined RADIUS profile to allow network access; Policy Manager sends a RADIUS Access-Accept message with no attributes.
• [Deny Access Profile]. System-defined RADIUS profile to deny network access; Policy Manager sends a RADIUS Access-Reject message with no attributes.
• [Drop Access Profile].
Figure 189: Add Enforcement Profile Page
Policy Manager comes pre-packaged with several enforcement profile templates:
• VLAN Enforcement - All RADIUS attributes for VLAN enforcement are pre-filled in this template.
• Dell RADIUS Enforcement - RADIUS template that can be filled with attributes from the Dell RADIUS dictionaries loaded into Policy Manager.
• Generic Application Enforcement - Application-specific enforcement profile with custom attribute-value pairs for authorization of generic applications.
• CLI Based Enforcement - Enforcement profile that encapsulates CLI commands to be issued to the network device. The “Target Device” attribute specifies the device on which the “Command” attribute is executed.
• Agent Enforcement - Enforcement profile that encapsulates attributes sent to the Dell OnGuard agent.
A - VLAN Enforcement; B - Filter ID Based Enforcement; C - Cisco Downloadable ACL Enforcement; D - Cisco Web Authentication Enforcement; E - Generic RADIUS Enforcement; F -
Figure 190: RADIUS Enforcement Profile (Attributes Tab)
Figure 191: RADIUS Enforcement Profile (Attributes Tab) - Generic RADIUS Enforcement Profile
Table 117: RADIUS Enforcement Profile (Attributes tab)
A - VLAN Enforcement: Enforcement profile template to set IETF RADIUS standard VLAN attributes.
B - Filter ID Based Enforcement: Enforcement profile template to set the IETF RADIUS standard filter ID attribute.
C - Cisco Downloadable ACL Enforcement: Enforcement profile template for Cisco IOS downloadable ACLs.
D - Cisco Web Authentication Enforcement: Enforcement profile template to set Cisco Web Authentication ACLs.
SNMP Enforcement Profiles
The SNMP tab contains a VLAN identifier and timeout.
Figure 192: SNMP Enforcement Profile (SNMP Tab)
The SNMP Enforcement Profile SNMP tab loads the SNMP dictionary attributes supported by Policy Manager.
Table 118: SNMP Enforcement Profile (SNMP tab)
VLAN Id: VLAN ID to be sent to the device.
Session Timeout: Session timeout in seconds.
Figure 193: TACACS+ Enforcement Profiles (Services Tab)
Table 119: TACACS+ Enforcement Profile (Services tab)
Privilege Level: Enter a value from 0 to 15. NOTE: Refer to your network device documentation for definitions of the different privilege levels.
Selected Services: To add supported services, click Add. To remove a service, select it and click Remove.
Figure 194: TACACS+ Enforcement Profiles (Commands tab)
Table 120: Commands tab (TACACS+ Enforcement Profiles)
Service Type: Select the Shell or PIX shell radio button. Subsequent selections in this tab configure the commands and arguments allowed/disallowed for this selection.
Unmatched Commands: Enable to permit commands that are not explicitly entered in the Commands field.
Commands: Contains a list of the commands recognized for the specified Service Type. To add a command, click Add.
• Generic Application Enforcement - Attributes for users of any generic application.
Figure 195: Application Enforcement Profiles (Attributes Tab)
Table 121: Application Enforcement Profiles (Attributes tab)
PrivilegeLevel: Enter a predefined value: Admin, Sponsor, Helpdesk; or enter an application-specific custom value. NOTE: Sponsor is only valid for the GuestConnect application.
SponsorProfileName: Valid only for the GuestConnect application.
Agent Enforcement Profiles
Agent Enforcement Profiles contain attribute-value pairs related to enforcement actions sent to the Dell OnGuard Agent.
Figure 197: Agent Enforcement Profile (Attributes Tab)
Table 123: Agent Enforcement Profiles (Attributes tab)
Bounce Client: If checked, the endpoint is bounced by the OnGuard agent (this feature is only available with the persistent agent).
Message: A custom message to send to the endpoint.
Table 124: Post Authentication Enforcement Profiles
A - ClearPass Entity Update Enforcement: Enforcement profile template used to update tags in endpoints and guest users. Type is any endpoint, guest user, or a session update. Name is the name of an attribute associated with an endpoint, guest user, or a session update. If the type is session update, the tags are updated for either an endpoint or a guest user. Value is the value of the attribute.
Figure 200: Add Enforcement Policy (Enforcement tab)
Table 125: Add Enforcement Policy (Enforcement tab)
Name/Description: Freeform label and description.
Type: Select RADIUS, TACACS+, WebAuth (SNMP/CLI) or Application. Based on this selection, the Default Profile list shows the right type of enforcement profiles in the dropdown list (see below).
Figure 202: Add Enforcement Policy (Rules Editor)
Table 126: Add Enforcement Policy (Rules tab)
Add/Edit Rule: Bring up the rules editor to add/edit a rule.
Move Up/Down: Reorder the rules in the enforcement policy.
Remove Rule: Remove a rule.
Table 127: Add Enforcement Policy (Rules Editor)
Conditions/Enforcement Profiles: Select conditions for this rule. For each condition, select a matching action (Enforcement Profile).
Chapter 18 Network Access Devices
A Policy Manager Device represents a Network Access Device (NAD) that sends network access requests to Policy Manager using the supported RADIUS, TACACS+, or SNMP protocol.
Figure 204: Device Tab
Table 128: Device tab
Name/Description: Specify the identity of the device.
IP Address or Subnet: Specify the IP address or the subnet (e.g., 192.168.5.0/24) of the device.
RADIUS/TACACS+ Shared Secret: Enter and confirm a Shared Secret for each of the two supported request protocols.
Vendor: Optionally, specify the dictionary to be loaded for this device.
Figure 205: SNMP Read/Write Settings Tabs
Figure 206: SNMP Read/Write Settings Tabs - SNMP v3 Details
Table 129: SNMP Read/Write Settings tabs
Allow SNMP Read/Write: Toggle to enable/disable SNMP Read/Write.
Default VLAN (SNMP Write only): VLAN port setting after an SNMP-enforced session expires.
SNMP Read/Write Setting: SNMP settings for the device.
Username (SNMP v3 only): Admin user name to use for SNMP read/write operations.
Authentication Key (SNMP v3 only): SNMP v3 with authentication option (SHA & MD5).
Privacy Key (SNMP v3 only): SNMP v3 with privacy option.
Add/Cancel: Click Add to commit or Cancel to dismiss the popup.
NOTE: In large or geographically spread cluster deployments you do not want all CPPM nodes to probe all SNMP configured devices.
Username/Password: Credentials to log into the CLI.
Username Prompt Regex: Regular expression for the username prompt. Policy Manager looks for this pattern to recognize the telnet username prompt.
Password Prompt Regex: Regular expression for the password prompt. Policy Manager looks for this pattern to recognize the telnet password prompt.
Command Prompt Regex: Regular expression for the command line prompt.
Figure 208: Device Groups Page
To add a Device Group, click Add Device Group. Complete the fields in the Add New Device Group popup:
Figure 209: Add New Device Group Popup
Table 131: Add New Device Group popup
Name/Description/Format: Specify the identity of the device.
Subnet: Enter a subnet consisting of the network address and the network suffix (CIDR notation); for example, 192.168.5.0/24
Regular Expression: Specify a regular expression that represents all IPv4 addresses matching that expression; for example, ^192(.[0-9]*){3}$
List: Available/Selected Devices: Use the widgets to move device identifiers between Available and Selected. Click Filter to filter the list based on the text in the associated text box.
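As an added example (not the guide's code) of the three Device Group formats above, the following checks whether a NAD address belongs to a group defined by Subnet (CIDR), Regular Expression or List, and lists every group an address falls into. The guide's sample pattern ^192(.[0-9]*){3}$ is used as given; the group names, addresses and the stricter comparison pattern are constructed.

```python
# Added example, not code from the ClearPass guide. Evaluates whether a
# network access device's address belongs to a Device Group expressed in
# each of the guide's three formats: Subnet, Regular Expression, or List.
import ipaddress
import re


def in_device_group(group, address):
    """group: {"format": "subnet" | "regex" | "list", "value": ...}."""
    fmt = group["format"]
    if fmt == "subnet":
        # CIDR notation as in the guide's example 192.168.5.0/24. strict=False
        # tolerates host bits being set in the configured value; a string that
        # is not an IP address cannot be inside any subnet.
        try:
            return ipaddress.ip_address(address) in ipaddress.ip_network(
                group["value"], strict=False)
        except ValueError:
            return False
    if fmt == "regex":
        # fullmatch: the pattern must describe the whole address string.
        return re.fullmatch(group["value"], address) is not None
    if fmt == "list":
        return address in group["value"]
    raise ValueError(f"unknown device group format: {fmt}")


def groups_for_device(groups, address):
    """Names of every configured group the address belongs to. A device may
    sit in several groups, so all matches are returned, in configured order."""
    return [name for name, group in groups.items() if in_device_group(group, address)]


# Constructed groups. "Regex as in guide" uses the pattern given in the table
# above; an unescaped "." there matches any character, so the constructed
# "Regex strict" pattern is included for comparison: it accepts only dotted quads.
GROUPS = {
    "Building A subnet": {"format": "subnet", "value": "192.168.5.0/24"},
    "Regex as in guide": {"format": "regex", "value": r"^192(.[0-9]*){3}$"},
    "Regex strict": {"format": "regex", "value": r"^192(\.[0-9]{1,3}){3}$"},
    "Core switches": {"format": "list", "value": ["10.0.0.1", "10.0.0.2"]},
}

if __name__ == "__main__":
    # The third address is not an IP address at all, yet the guide's pattern accepts it.
    for addr in ("192.168.5.77", "192.168.6.1", "192x168x5x1", "10.0.0.2"):
        print(addr, groups_for_device(GROUPS, addr))
```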
Figure 210: Proxy Targets Page
Add a Proxy Target
To add a Proxy Target, click Add Proxy Target, and complete the fields in the Add Proxy Target popup. You can also add a new proxy target from the Services page (Configuration > Service) as part of the flow of the Add Service wizard for a RADIUS Proxy Service Type.
Figure 211: Add Proxy Target Popup
Table 132: Add Proxy Target popup
Name/Description: Freeform label and description.
Additional Available Tasks
• To import a Proxy Target, click Import Proxy Targets. In the Import from File popup, browse to select a file, then click Import.
• To export all Proxy Targets from the configuration, click Export Proxy Targets. In the Export to File popup, specify a file path, and then click Export.
• To export a single Proxy Target from the configuration, select it (check box on left), then click Export. In the Save As popup, specify a file path, and then click Export.
Chapter 19 Administration
All administrative activities, including server configuration, log management, certificate and dictionary maintenance, portal definitions, and administrator user account maintenance, are done from the Administration menus. The Policy Manager Administration menu provides the following interfaces for configuration:
Admin Users
The Policy Manager Admin Users menu (Administration > Users and Privileges > Admin Users) provides the following interfaces for configuration:
• "Add User" on page 244
• "Import Users" on page 245
• "Export Users" on page 246
• "Export" on page 246
Figure 212: Admin Users
Table 133: Admin Users
Add User: Opens the Add User popup form.
Import Users: Opens the Import Users popup form.
Export Users: Exports all users to an XML file.
Figure 213: Add Admin User
Table 134: Add Admin User
User ID/Name/Password/Verify Password: Specify the identity and password for a new admin user.
Privilege Level: Select a Privilege Level:
• Help Desk
• Super Administrator
• Network Administrator
• Receptionist, or any other custom privilege level
Add/Cancel: Add or dismiss changes.
Import Users
Select the Import Users link in the upper right portion of the page.
Table 135: Import (Admin) Users
Select file: Browse to select the name of the admin user import file.
Enter secret key for file (if any): Enter the secret key used (while exporting) to protect the file.
Import/Cancel: Commit or dismiss the import.
Export Users
Select the Export Users link from the upper right portion of the page. The Export (Admin) Users link exports all (admin) users. Click Export.
Figure 216: Import (Admin) Privileges
Table 136: Import (Admin) Privileges
Select file: Browse to select the name of the admin privileges import file.
Enter secret key for file (if any): Enter the secret key used (while exporting) to protect the file.
Import/Cancel: Commit or dismiss the import.
Export Admin Privileges
Select the Export Admin Privileges link on the upper right side of the page. The Export Admin Privileges link exports all admin privileges. Click Export.
• "Collect Logs" on page 256
• "Backup" on page 258
• "Restore" on page 259
• "Shutdown/Reboot" on page 260
• "Drop Subscriber" on page 260
Figure 217: Server Configuration
Clicking on the server row provides the following interfaces for configuration:
• "System Tab" on page 260
• "Services Control Tab" on page 264
• "Service Parameters Tab" on page 264
• "System Monitoring Tab" on page 272
• "Network Interfaces Tab" on page 273
Set Date/Time
Navigate to Administration > Server
Figure 218: Change Date and Time - Date & Time tab
Table 137: Change Date and Time - Date & Time tab
Date in yyyy-mm-dd format / Time in hh:mm:ss format: To specify the date and time, use the indicated syntax. These fields are available only when Synchronize Time With NTP Server is unchecked.
Synchronize Time With NTP Server: To synchronize with a Network Time Protocol server, enable this check box and specify the NTP servers. Only two servers may be specified.
Figure 219: Time zone on publisher
Change Cluster Password
Navigate to Administration > Server Manager > Server Configuration, and click on the Change Cluster Password link. Use this function to change the cluster-wide password.
NOTE: Changing this password also changes the password for the CLI user 'appadmin'.
Figure 220: Change Cluster Password
Table 138: Change Cluster Password
New Password / Verify Password: Enter and confirm the new password.
Save/Cancel: Commit or dismiss changes.
Manage Policy Manager Zones
CPPM shares a distributed cache of runtime state across all nodes in a cluster.
Table 139: Policy Manager Zones
Name: Enter the name of the configured Policy Manager Zone.
Delete: Select the delete (trashcan) icon to delete a zone.
NetEvents Targets
NetEvents is a collection of details about ClearPass Policy Manager entities such as users, endpoints, guests, authentications, accounting details, and so on. This information is periodically posted to a server that is configured as the NetEvents target.
node. The Policy Manager appliance defaults to a Publisher node unless it is made a Subscriber node. Cluster commands can be used to change the state of the node, so the Publisher can be made a Subscriber. When the node is a Subscriber, this link is not shown. Navigate to the Administration > Server Manager > Server Configuration page, and click on the Make Subscriber link.
Figure 224: Upload Nessus Plugins
Table 142: Upload Nessus Plugins
Select File: Click Browse and select the plugins file with the extension tar.gz.
Enter secret for the file (if any): Always leave this blank.
Import/Cancel: Load the plugins, or dismiss. If there are a large number of plugins, the load time can be on the order of minutes.
Table 143: Cluster-Wide Parameters
Policy result cache cleanup timeout: The number of minutes to store the role mapping and posture results derived by the policy engine during policy evaluation. This result can then be used in subsequent evaluation of policies associated with a service, if "Use cached Roles and Posture attributes from previous sessions" is turned on for the service. A value of 0 disables caching.
cleanup interval
Free disk space threshold value: This controls the percentage below which disk usage warnings are issued in the Policy Manager Event Viewer. For example, a value of 30% means that a warning is issued when 30% or less of the disk space is available.
Free memory threshold value: This controls the percentage below which RAM usage warnings are issued in the Policy Manager Event Viewer.
Figure 226: Collect Logs
3. Enter a filename and add the .tar.gz extension to the filename.
4. Select which types of logging information you want to collect:
   - System Logs
   - Logs from all Policy Manager services
   - Capture network packets for the specified duration. Use this with caution, and only when you need to debug a problem; system performance can be severely impacted.
   - Diagnostic dumps from Policy Manager services
5. Enter the time period of the information you want to collect.
To view log files
1. Open the file in software that can read and extract GZip files.
2. Extract the file inside the .tar.gz file. The result is a file with the .tar extension.
3. Open the .tar file and extract the files within it. The result is a folder with the same name as the .tar file. Inside that folder is another folder with a randomly generated name that begins with "tmp." Inside that folder is one folder for each of the four types of information you chose to save.
Table 144: Back Up
Generate filename / Filename: Enable Generate filename to have Policy Manager generate a filename; otherwise, specify Filename. Backup files are in gzipped tar format (tar.gz extension). The backup file is automatically placed in the Shared Local Folder under folder type Backup Files (see "Local Shared Folders" on page 277).
Do not backup log database: Select this if you do not want to back up the log database.
button is selected).
Shared backup files present on the server: Select a file from the files in the local shared folders (see "Local Shared Folders" on page 277). This is shown only when the File on server radio button is selected.
Restore configuration DB: Enable to include the configuration database in the restore.
Restore log DB (if it exists in the backup): Enable to include the log database in the restore.
Figure 230: System Tab
Table 146: Server Configuration System tab
Hostname: Hostname of the Policy Manager appliance. It is not necessary to enter the fully qualified domain name here.
Policy Manager Timezone: Select a previously configured timezone from the drop-down menu. Click on the Policy Manager Timezone link to add and edit timezones from within this page.
Enable Profile: Enable the profile to perform endpoint classifications.
DNS: Primary DNS: Primary DNS server for name lookup.
DNS: Secondary DNS: Secondary DNS server for name lookup.
AD Domains: Displays a list of joined Active Directory domains. Select Join Domain to join an Active Directory domain. See below.
Multiple Active Directory Domains
You can join CPPM to an Active Directory domain to authenticate users and computers that are members of an Active Directory domain. Users can then authenticate into the network using 802.
Figure 231: Join Active Directory Domain
Table 147: Join AD Domain
Domain Controller: Fully qualified name of the Active Directory domain controller.
Short Name NETBIOS name (optional): The short name or NETBIOS name of the domain. Enter this value only if it differs from your regular Active Directory domain name (it is usually a shorter name). Contact your AD administrator about the NETBIOS name.
Services Control Tab
From the Services Control tab, you can view a service's status and control (stop or start) Policy Manager services.
Figure 232: Services Control Tab
Service Parameters Tab
Navigate to the Service Parameters tab to change system parameters of the services.
primary server again.
External Posture Server Thread Pool Size: The number of threads to use for posture servers.
External Posture Server Primary Retry Interval: Once a primary posture server is down, Policy Manager connects to one of the backup servers. This parameter specifies how long Policy Manager waits before it tries to connect to the primary server again.
Maximum Response Delay: Time delay before retrying a proxy request, if the target server has not responded.
Maximum Reactivation Time: Time to elapse before retrying a dead proxy server.
Maximum Retry Counts: Maximum number of times to retry a proxy request if the target server doesn't respond.
Security: Reject Packet Delay: Delay time before sending an actual RADIUS Access-Reject after the server decides to reject the request.
Maximum Attributes: Maximum number of RADIUS attr
EAP-TLS Fragment Size: Maximum size of an EAP-TLS fragment.
Use Inner Identity in Access-Accept Reply: Specify TRUE or FALSE.
TLS Session Cache Limit: Number of TLS sessions to cache before purging the cache (used in TLS based 802.
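Fragmentation is the mechanism the EAP-TLS Fragment Size parameter tunes: a TLS flight larger than the limit is split across several EAP-TLS requests, and the peer acknowledges each one before the next is sent. The Python below is an added example written for this page (not ClearPass code), implementing the RFC 5216 fragment framing together with a reassembler that refuses an announced length above a cap; reading "fragment size" as the number of TLS bytes per request is an assumption of this example.

```python
"""EAP-TLS fragmentation and reassembly as described in RFC 5216, section 3.1.

Added illustration, not code from the Policy Manager guide. Here "fragment size"
is assumed to mean the maximum number of TLS bytes carried in one EAP-TLS request.
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
FLAG_L = 0x80  # TLS Message Length field present
FLAG_M = 0x40  # more fragments follow
FLAG_S = 0x20  # EAP-TLS Start (sent by the server, carries no data)


def build_eap_tls(code, ident, flags, tls_data=b"", total_len=None):
    """Encode one EAP-TLS packet: Code, Identifier, Length, Type, Flags, [TLS Length], data."""
    body = bytes([flags])
    if flags & FLAG_L:
        body += struct.pack("!I", total_len)
    body += tls_data
    length = 5 + len(body)  # Code(1) + Identifier(1) + Length(2) + Type(1) + body
    return struct.pack("!BBHB", code, ident, length, EAP_TYPE_TLS) + body


def parse_eap_tls(packet):
    """Decode an EAP-TLS packet into (code, ident, flags, total_len or None, tls_data)."""
    if len(packet) < 6:
        raise ValueError("packet shorter than the EAP-TLS header")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", packet[:6])
    if length != len(packet) or eap_type != EAP_TYPE_TLS:
        raise ValueError("EAP Length or Type field does not match")
    total_len, pos = None, 6
    if flags & FLAG_L:
        if len(packet) < 10:
            raise ValueError("L flag set but TLS Message Length is truncated")
        total_len, pos = struct.unpack("!I", packet[6:10])[0], 10
    return code, ident, flags, total_len, packet[pos:]


def fragment_tls(tls_message, fragment_size, first_ident=1):
    """Server side: split a TLS flight into EAP-TLS requests of <= fragment_size TLS bytes."""
    if fragment_size <= 0:
        raise ValueError("fragment size must be positive")
    chunks = [tls_message[i:i + fragment_size]
              for i in range(0, len(tls_message), fragment_size)] or [b""]
    packets = []
    for idx, chunk in enumerate(chunks):
        flags = 0
        if idx == 0 and len(chunks) > 1:
            flags |= FLAG_L  # first fragment announces the total TLS length
        if idx < len(chunks) - 1:
            flags |= FLAG_M  # every fragment but the last says more will follow
        packets.append(build_eap_tls(EAP_REQUEST, (first_ident + idx) & 0xFF, flags, chunk,
                                     total_len=len(tls_message) if flags & FLAG_L else None))
    return packets


class Reassembler:
    """Peer side: collects fragments and answers each non-final one with an empty EAP-TLS ack."""

    def __init__(self, max_total=64 * 1024):
        self.max_total = max_total  # cap on the announced length so a sender cannot demand huge buffers
        self.buf = bytearray()
        self.expected = None

    def feed(self, packet):
        """Returns (ack_packet or None, complete_tls_message or None)."""
        code, ident, flags, total_len, data = parse_eap_tls(packet)
        if code != EAP_REQUEST:
            raise ValueError("reassembler expects EAP-TLS requests")
        if flags & FLAG_L:
            if total_len > self.max_total:
                raise ValueError("announced TLS length %d exceeds limit" % total_len)
            self.expected = total_len
        self.buf += data
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("received more TLS bytes than announced")
        if flags & FLAG_M:
            return build_eap_tls(EAP_RESPONSE, ident, 0), None  # ack: same Identifier, no flags, no data
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("final fragment arrived before the announced length was reached")
        message, self.buf, self.expected = bytes(self.buf), bytearray(), None
        return None, message


def run_exchange(tls_message, fragment_size):
    """Drive server fragmentation against a peer reassembler; returns (fragments, acks, reassembled)."""
    peer, acks, result = Reassembler(), 0, None
    fragments = fragment_tls(tls_message, fragment_size)
    for pkt in fragments:
        ack, result = peer.feed(pkt)
        if ack is not None:
            acks += 1
    return len(fragments), acks, result


if __name__ == "__main__":
    # Constructed sample: a 2560-byte stand-in for a TLS server flight, limit 1024 bytes per request.
    sample = bytes(range(256)) * 10
    print(run_exchange(sample, 1024)[:2])  # (3, 2)
```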
Table 150: Service Parameters tab - TACACS server
TACACS+ Profiles Cache Timeout: The time (in seconds) for which TACACS+ profile result entries are cached by Policy Manager.
You can use the ClearPass system service parameters for PHP configuration, and also when all your HTTP traffic flows through a proxy server. Policy Manager relies on an HTTP connection to the Dell update portal in order to download the latest version information for posture services.
HTTP Proxy: Proxy Server: Hostname or IP address of the proxy server.
HTTP Proxy: Port: Port at which the proxy server listens for HTTP traffic.
HTTP Proxy: Username: Username to authenticate with the proxy server.
HTTP Proxy: Password: Password to authenticate with the proxy server.
The ClearPass Network Services parameters aggregate service parameters from the following services:
- DhcpSnooper Service
- Snmp Service
- WebAuth Service
- Posture Service
Figure 237: ClearPass Network Services Parameters
Table 15
DHCP Request Probation Time: Number of seconds to wait before considering the MAC-to-IP binding received in a DHCPREQUEST message as final.
PostureService: Audit Thread Pool Size: The number of threads to use for connections to audit servers.
PostureService: Audit Result Cache Timeout: The time (in seconds) for which audit result entries are cached by Policy Manager.
PostureService: Audit Host Ping Timeout: The number of seconds for which Policy Manager pings an end-host before giving up and deeming the host unreachable.
15 Min CPU load average Threshold
System Monitoring Tab
Navigate to the System Monitoring tab to configure the SNMP parameters. This ensures that external Management Information Base (MIB) browsers can browse the system-level MIB objects exposed by the Policy Manager appliance.
SNMP Configuration: SNMP v3: Authentication Protocol / Authentication Key: Authentication protocol (MD5 or SHA) and key.
SNMP Configuration: SNMP v3: Privacy Protocol / Privacy Key: Privacy protocol (DES or AES) and key.
Network Interfaces Tab
Navigate to the Network Interfaces tab to create GRE tunnels and VLANs related to guest users.
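The SNMPv3 authentication and privacy keys configured here are not used as typed: RFC 3414 first stretches the passphrase, then localizes it to the agent's engine ID, and the DES or AES privacy key is cut from the same construction, so the same passphrase yields a different key on every agent. The Python below is an added example, not code from the guide or from ClearPass; it checks itself against the RFC 3414 Appendix A test vectors, and the warnings it emits about the weaker options on this tab are this example's own reading of the choices.

```python
"""SNMPv3 USM key derivation (RFC 3414 sections 2.6, 8.1.1.1 and appendix A.2; RFC 3826 for AES).

Added example for this page, not ClearPass code. Shows what an agent derives from the
Authentication Key and Privacy Key configured on the System Monitoring tab.
"""
import hashlib

ONE_MEBIBYTE = 1024 * 1024
HASHES = {"MD5": "md5", "SHA": "sha1"}
# DES: 8-byte key, the next 8 bytes are the pre-IV (RFC 3414 8.1.1.1); AES-128: 16-byte key (RFC 3826)
PRIV_KEY_BYTES = {"DES": 8, "AES": 16}


def password_to_key(password: bytes, auth_protocol: str) -> bytes:
    """Ku = H(passphrase repeated cyclically to exactly 1,048,576 bytes)."""
    if not password:
        raise ValueError("empty passphrase")
    repeats = ONE_MEBIBYTE // len(password) + 1
    stretched = (password * repeats)[:ONE_MEBIBYTE]
    return hashlib.new(HASHES[auth_protocol.upper()], stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent."""
    return hashlib.new(HASHES[auth_protocol.upper()], ku + engine_id + ku).digest()


def derive_auth_key(password: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Localized authentication key the agent uses for HMAC-MD5-96 or HMAC-SHA-96."""
    return localize_key(password_to_key(password, auth_protocol), engine_id, auth_protocol)


def derive_priv_key(password: bytes, engine_id: bytes, auth_protocol: str, priv_protocol: str) -> bytes:
    """Privacy key: the same localization, truncated to the cipher's key size."""
    kul = derive_auth_key(password, engine_id, auth_protocol)
    return kul[:PRIV_KEY_BYTES[priv_protocol.upper()]]


def assess_usm_settings(auth_protocol: str, priv_protocol: str, password: str) -> list:
    """Defender's check of the options this tab offers; returns warnings (empty list means fine)."""
    warnings = []
    if auth_protocol.upper() == "MD5":
        warnings.append("MD5 authentication is deprecated; choose SHA")
    if priv_protocol.upper() == "DES":
        warnings.append("DES privacy uses a 56-bit key; choose AES")
    if len(password) < 8:
        warnings.append("passphrase shorter than the 8-character minimum of RFC 3414")
    return warnings


def rfc3414_vectors_ok() -> bool:
    """Self-check against RFC 3414 appendix A.3.1 (MD5) and A.3.2 (SHA)."""
    password = b"maplesyrup"
    engine_id = bytes.fromhex("000000000000000000000002")
    md5_kul = derive_auth_key(password, engine_id, "MD5").hex()
    sha_kul = derive_auth_key(password, engine_id, "SHA").hex()
    return (md5_kul == "526f5eed9fcce26f8964c2930787d82b"
            and sha_kul == "6695febc9288e36282235fc7151f128497b38f3f")


if __name__ == "__main__":
    print("RFC 3414 vectors match:", rfc3414_vectors_ok())
    print(assess_usm_settings("MD5", "DES", "short"))
```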
Figure 241: Creating GRE Tunnel
Table 155: Creating GRE Tunnel
Display Name: Optional name for the tunnel interface. This name is used to identify the tunnel in the list of network interfaces.
Local Inner IP: Local IP address of the tunnel network interface.
Remote Outer IP: IP address of the remote tunnel endpoint.
Remote Inner IP: Remote IP address of the tunnel network interface. Enter a value here to automatically create a route to this address through the tunnel.
Table 156: Creating VLAN
Physical Interface: The physical port on which to create the VLAN interface. This is the interface through which the VLAN traffic will be routed.
VLAN Name: Name for the VLAN interface. This name is used to identify the VLAN in the list of network interfaces.
VLAN ID: 802.1Q VLAN identifier. Enter a value between 1 and 4094. The VLAN ID cannot be changed after the VLAN interface has been created.
IP Address: IP address of the VLAN.
Table 157: Log Configuration (Services Level tab)
Select Server: Specify the server for which to configure logs. All nodes in the cluster appear in the drop-down list.
Select Service: Specify the service for which to configure logs.
Module Log Level Settings: Enable this option to set the log level for each module individually (listed in decreasing order of verbosity).
Table 158: Log Configuration (System Level tab)
Select Server: Specify the server for which to configure logs.
Number of log files: Specify the number of log files of a specific module to keep at any given time. When a log file reaches the specified size (see below), Policy Manager rolls the log over to another file until the specified number of log files is reached; once the number of log files exceeds this value, Policy Manager overwrites the first numbered file.
Figure 245: Local Shared Folders
Application Licensing
The Administration > Server Manager > Licensing page shows all the licenses that have been activated for the entire CPPM cluster. Each server node in the cluster has an embedded permanent license. You can do the following:
- Adding a License
- Activating an Application License
- Updating a License
NOTE: On a VM instance of CPPM, the permanent license must be entered. These licenses are listed in the tables on the License Summary tab.
Figure 247: Licensing Page - Servers tab
NOTE: If the number of licenses used exceeds the number purchased, you will see a warning four months after the number is exceeded. The licenses-used number is based on the daily moving average.
Adding a License
You can add a license by clicking the Add License button on the top right portion of this page.
Figure 248: Add a License
Table 159: Add a License
Select Server: Select a server from the drop-down menu.
Updating a License
Licenses typically require updating when they expire (for example, in the case of an evaluation license) or when capacity exceeds its licensed amount. You update an application's license by entering a new license key.
To update a license
1. Go to Administration > Server Manager > Licensing.
2. Click the Applications tab.
3. Click an application anywhere except in the Activation Status column. The Update License dialog box appears.
Figure 250: Update License dialog box
4.
Figure 251: SNMP Trap Receivers Listing Page
Table 160: SNMP Trap Receivers
Add Trap Server: Opens the Add Trap Server popup.
Import Trap Server: Opens the Import Trap Server popup.
Export Trap Server: Opens the Export Trap Server popup.
Export: Opens the Export popup.
Delete: To delete an SNMP Trap Configuration, select it (using the check box at the left), and then click Delete.
Table 161: Add SNMP Trap Server fields
Host Address: Trap destination hostname or IP address. NOTE: This server must have an SNMP trap receiver or trap viewer installed.
Description: Freeform description.
SNMP Version: V1 or V2C.
Community String / Verify Community String: Community string for sending the traps.
Server Port: Port number for sending the traps; by default, port 162. NOTE: Configure the trap server firewall for traffic on this port.
Server. Your browser displays its normal Save As dialog, in which you enter the name of the XML file that will contain the SNMP trap server configuration.
Export a Single SNMP Trap Server
To export a single SNMP trap server, navigate to Administration > External Servers > SNMP Trap Receivers. Select the SNMP trap server that you want to export (using the check box at the left) and click the Export button in the lower-right corner of the page.
Add Syslog Target
To add a Syslog Target, navigate to Administration > External Servers > Syslog Targets and select Add Syslog Target.
Figure 255: Add Syslog Target
Table 164: Add Syslog Target
Host Address: Syslog server hostname or IP address.
Description: Freeform description.
Server Port: Port number for sending the syslog messages; by default, port 514.
Save/Cancel: Click Save to commit the configuration or Cancel to dismiss.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.
Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.
Export Syslog Target
Navigate to Administration > External Servers > Syslog Targets and select the Export Syslog Target link. The Export Syslog Target link exports all configured syslog targets. Click Export Syslog Target.
Figure 257: Syslog Filters Listing page
Table 166: Syslog Export Filters Configuration
Add Syslog Filter: Opens the Add Syslog Filter page (Administration > External Servers > Syslog Export Filters > Add).
Import Syslog Filter: Opens the Import Syslog Filter popup.
Export Syslog Filter: Opens the Export Syslog Filter popup.
Enable/Disable: Click the Enable/Disable toggle button to enable or disable the syslog filter.
Export: Opens the Export popup.
Figure 258: Add Syslog Filters (General tab)
Table 167: Syslog Export Filters Configuration
Name/Description: Freeform label.
Export Template: Session Logs, Audit Records or System Events.
Syslog Server: A drop-down list shows all Syslog Targets configured (refer to "Add Syslog Target" on page 284).
Modify/Add new syslog target: Click Modify to modify the selected syslog target, or select the Add new syslog target link to add a new syslog target.
Figure 259: Add Syslog Filters (Filter and Columns tab)
Table 168: Add Syslog Filters (Filter and Columns tab)
Data Filter: Specify the data filter. The data filter limits the type of records sent to the syslog target.
Modify/Add new Data filter: Modify the selected data filter, or add a new one.
Columns Selection: This provides a way to limit the columns sent to syslog.
Figure 260: Import Syslog Filter
Table 169: Import from File
Select File: Browse to the Syslog Filter configuration file to be imported.
Enter secret for the file (if any): If the file was exported with a secret key for encryption, enter the same key here.
Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.
Export Syslog Filter
Navigate to Administration > External Servers > Syslog Filters and select the Export Syslog Filter link.
Figure 261: Messaging Setup (SMTP Servers)
Table 170: Messaging Setup (SMTP Servers tab)
Select Server: Specify the server for which to configure messaging. All nodes in the cluster appear in the drop-down list.
Use the same settings for sending both emails and SMSes: Check this box to configure the same settings for both your SMTP and SMS email servers. This box is checked by default.
Server name: Fully qualified domain name or IP address of the server.
Figure 262: Messaging Setup (Mobile Service Providers tab)
Table 171: Messaging Setup (Mobile Service Providers tab)
Add: Add a mobile service provider.
Provider Name: Name of the provider.
Mail Address: Domain name of the provider.
Endpoint Context Servers
Policy Manager provides the ability to collect endpoint profile information from MDM vendors and Dell W-series IAPs and RAPs. Navigate to Administration > External Servers > Endpoint Context Servers.
Figure 263: Endpoint Context Servers
MDM Servers
Mobile Device Management (MDM) is supported for the following vendors:
- Airwatch
- JAMF
- MaaS360
- MobileIron
- SOTI
These mobile device management platforms run on MDM servers. These servers provision mobile devices to configure connectivity settings, enforce security policies, restore lost data, and provide other administrative services.
minimum value is 1 minute.
API Key: If Airwatch is specified as the vendor, enter the associated API key (provided by the vendor) for this MDM server.
Customer ID: If JAMF is specified as the vendor, enter the associated Customer ID (provided by the vendor).
Group ID: If SOTI is specified as the vendor, enter the associated Group ID (provided by the vendor).
Table 173: Server Certificate
Create Self-Signed Certificate: Opens the Create Self-Signed Certificate popup.
Create Certificate Signing Request: Opens the Create Certificate Signing Request popup.
Select Server: Select a server in the cluster for server certificate operations.
Export: Opens the Export popup.
Import: Opens the Import popup.
Figure 266: Generated Self Signed Certificate
Table 174: Create Self-Signed Certificate
Common Name (CN): Name associated with this entity. This can be a host name, IP address or other meaningful name. This field is required.
Organization (O): Name of the organization. This field is optional.
Organizational Unit (OU): Name of a department, division, section, or other meaningful name. This field is optional.
State (ST): State, country, and/or another meaningful location.
Key Length: Select the length for the generated private key: 512, 1024, or 2048.
Digest Algorithm: Select the message digest algorithm to use: SHA-1, MD5, or MD2.
Valid for: Specify the duration in days.
Submit/Cancel: On submit, Policy Manager generates a popup containing the self-signed certificate. Click on the Install button to install the certificate on the selected server. NOTE: All services are restarted; you must log in to the UI again to continue.
Figure 268: Generated Certificate Signing Request
Table 175: Create Certificate Signing Request
Common Name (CN): Name associated with this entity. This can be a host name, IP address or other meaningful name. This field is required.
Organization (O): Name of the organization. This field is optional.
Organizational Unit (OU): Name of a department, division, section, or other meaningful name. This field is optional.
State (ST): State, country, and/or another meaningful location.
Digest Algorithm: Select the message digest algorithm to use: SHA-1, MD5, or MD2.
Submit/Cancel: On submit, Policy Manager generates a popup containing the certificate signing request for copying and pasting into the web form that you typically use to get the certificate signed by a CA. To create a file containing the certificate signing request, click Download CSR File. A .csr file is downloaded to your local computer.
Figure 270: Certificate Trust List
Table 177: Certificate Trust List
Subject: The Distinguished Name (DN) of the subject field in the certificate.
Validity: Indicates whether the CA certificate has expired.
Enabled: Whether this CA certificate is enabled or not.
To view the details of the certificate, click on a certificate row. From the View Certificate Details popup you can enable the CA certificate.
Figure 272: Revocation Lists
Table 179: Revocation Lists
Add Revocation List: Click to launch the Add Revocation List popup.
Delete: To delete a revocation list, select the check box to the left of the list that you want to delete and then click Delete.
Add Revocation List
Navigate to Administration > Certificates > Revocation Lists and select the Add Revocation List link.
RADIUS Dictionaries
RADIUS dictionaries are available on the Administration > Dictionaries > RADIUS page. This page includes the list of available vendor dictionaries.
Figure 274: RADIUS
Click on a row to view the dictionary attributes, to enable or disable the dictionary, and to export the dictionary. For example, click on vendor IETF to see all IETF attributes and their data types.
Import RADIUS Dictionary
You can also add dictionaries using Import. To add a new vendor dictionary, navigate to Administration > Dictionaries > RADIUS, and click on the Import Dictionary link. To edit an existing dictionary, export it, edit the exported XML file, and then import the dictionary. To view the contents of the RADIUS dictionary, sorted by Vendor Name, Vendor ID, or Vendor Prefix, navigate to Administration > Dictionaries > RADIUS.
Table 183: Posture
Import Dictionary: Click to open the Import Dictionary popup.
Click on a vendor row to see all the attributes and their data types. For example, click on vendor Microsoft/System SHV to see all the associated posture attributes and their data types.
Figure 277: Posture Dictionary
Table 184: Posture Dictionary Attributes
Export: Click to save the posture dictionary file in XML format.
Figure 278: TACACS+ Services
Table 185: TACACS+ Services Dictionary
Import Dictionary: Click to open the Import Dictionary popup. Import the dictionary (XML file).
Export Dictionary: Export all TACACS+ services into one XML file containing multiple dictionaries.
To export a specific service dictionary, select a service and click on Export. To see all the attributes and their data types, click on a service row.
Figure 280: Device Fingerprints
You can click on a line in the Device Fingerprints list to drill down and view additional details about the category.
Figure 281: Device Fingerprints
Attributes
The Administration > Dictionaries > Attributes page allows you to specify unique sets of criteria for LocalUsers, GuestUsers, Endpoints, and Devices. This information can then be used with role-based device policies for enabling appropriate network access.
- "Add Attribute" on page 306
- "Import Attributes" on page 307
- "Export Attributes" on page 308
- "Export" on page 308
Figure 282: Attributes page
Table 186: Attribute settings
Filter: Use the drop-down menu to create a search based on the available Name, Entity, Data Type, Is Mandatory, or Allow Multiple settings.
Name: The name of the attribute.
Entity: Shows whether the attribute applies to a LocalUser, GuestUser, Device, or Endpoint.
Figure 283: Add Attributes
Enter information in the fields described in the following table. Click Add when you are done. To modify attributes in an existing service dictionary, select the attribute, make any necessary changes, and then click Save.
Table 187: Add Attribute settings
Entity: Specify whether the attribute applies to a LocalUser, GuestUser, Device, or Endpoint.
Name: Enter a unique ID for this attribute.
Table 188: Import from File settings
Select File / Enter secret for the file: Browse to the dictionary file to be imported. Enter the secret key (if any) that was used to export the dictionary.
Import/Cancel: Click Import to commit, or Cancel to dismiss the popup.
Export Attributes
Select Export Attributes on the upper right portion of the page to export all attributes. The Export Attributes button saves the file Attributes.zip. The zip file has the server certificate (.
Figure 285: OnGuard Settings
Table 189: OnGuard Settings
Global Agent Settings: Configure global parameters for OnGuard agents. Parameters include the following:
- CacheCredentialsForDays: Select the number of days the user credentials should be cached on OnGuard agents.
- WiredAllowedSubnets: Add a comma-separated list of IP or subnet addresses.
URL: In a captive portal scenario, the network device presents a captive portal page prior to user authentication. This portal page is presented when the user browses to a URL that is not authorized to be accessed prior to authentication. Enter such a URL here.
Save/Cancel: Commit the updated information and generate new deployment packages.
Guest Portal
Navigate to the Administration > Agents and Software Updates > Guest Portal page.
- ShowOriginalPageRedirectLink: Show a link that will take the user to the original page (prior to being redirected to the captive portal).
Name: Name is 'default'.
Portal URL: This is the URL that presents the guest portal page. (Note that this is automatically generated by Policy Manager.)
following macros must be present in the custom HTML template:
- _eTIPS_GUEST_PORTAL_HEADER_
- _eTIPS_GUEST_PORTAL_BODY_
- _eTIPS_GUEST_PORTAL_FORM_
Title: Click on the current title text to change the way the title appears.
Logo Image: Click on the logo image to browse and select an image for the banner.
Header Message: Click to enter text that will display in the header.
Footer Message: Click to enter text that will display in the footer.
Updates are stored on ClearPass’s webservice server. The ClearPass Policy Manager server periodically communicates with the webservice to inquire about available updates. You can download and install these updates directly from this Software Updates page using your Subscription ID. The first time the Subscription ID is saved, the ClearPass Policy Manager contacts the webservice to download the latest Posture & Profile Data Updates and a list of available Firmware & Patch Updates.
Updates: Import firmware and patch binaries (obtained via support or other means) into this server. When logged in as appadmin, the imported Upgrade and Patch binaries can be installed manually via the CLI using the following commands:
- system update (for patches)
- system upgrade (for upgrades)
NOTE: The Onboard, Guest Plugins and Skins can only be downloaded and installed via the webservice.
Download: Click on this button to download that update from the webservice server.
Figure 289: Install Update
Table 192: Install Update dialog box buttons and descriptions
Close: Click on this button to close the dialog box.
Clear & Close: Click on this button to delete the log messages and close the popup. This also removes the corresponding row from the Firmware & Patch Updates table.
Reboot: This button appears only for the updates requiring a reboot to complete the installation. Click on this button to initiate a reboot of the server.
Upgrade the Image on a Single Policy Manager Appliance
Perform these steps to upgrade the image on a single Policy Manager appliance:
1. From the ClearPass Policy Manager UI, navigate to Administration > Agents and Software Updates > Software Updates.
   - If a Subscription ID has been entered, the server can communicate with the webservice. Available upgrades are listed in the Firmware & Patches table. Download and install the upgrade, and then reboot the server.
Appendix A Command Line Configuration
The Policy Manager command line provides commands of the following types:
- "Cluster Commands" on page 319
- "Configure Commands" on page 322
- "Network Commands" on page 324
- "Service commands" on page 327
- "Show Commands" on page 328
- "System commands" on page 330
- "Miscellaneous Commands" on page 333
Available Commands
Table 193: Command Categories
ad auth: See "Miscellaneous Commands" on page 333
ad netleave: See "Miscellaneous Commands" on
cluster make-subscriber
cluster reset-database
cluster set-cluster-passwd
cluster set-local-passwd
configure date
configure dns
configure hostname
configure ip
configure timezone
dump certchain: See "Miscellaneous Commands" on page 333
dump logs: See "Miscellaneous Commands" on page 333
dump servercert: See "Miscellaneous Commands" on page 333
exit: See "Miscellaneous Commands" on page 333
help: See "Miscellaneous Commands" on page 333
krb auth: See "Miscellaneous Commands" on page 333
krb list: See "Misc
restore: See "Miscellaneous Commands" on page 333
service activate
service deactivate
service list
service restart
service start
service status
service stop
show date
show dns
show domain
show all-timezones
show hostname
show ip
show license
show timezone
show version
system boot-image
system gen-support-key
system update
system restart
system shutdown
system install-license
system upgrade
Cluster Commands
The Policy Manager command line interface includes the following cluster commands:
- "drop-su
- "make-subscriber" on page 321
- "reset-database" on page 321
- "set-cluster-passwd" on page 321
- "set-local-passwd" on page 322
drop-subscriber
Removes the specified subscriber node from the cluster.
Syntax
cluster drop-subscriber [-f] [-i ] -s
Where:
Table 194: Drop-Subscriber Commands
-f: Force drop, even for down nodes.
-i: Management IP address of the node.
* current machine (which must be a subscriber in the *
* cluster) to the cluster publisher. Do not close the *
* shell or interrupt this command execution. *
********************************************************
Continue? [y|Y]: y
make-subscriber
Makes this node a subscriber to the specified publisher node.
Syntax
make-subscriber -i [-l]
Where:
Table 195: Make-Subscriber Commands
-i: Required. Publisher IP address.
-l: Optional.
Enter Cluster Passwd: santaclara
Re-enter Cluster Passwd: santaclara
INFO - Password changed on local (publisher) node
Cluster password changed
set-local-passwd
Changes the local password. Executed locally; prompts for the new local password.
Example 1
Specify date/time/timezone:
[appadmin]# configure date -d 2007-06-22 -t 12:00:31 -z America/Los_Angeles
Example 2
Synchronize with a specified NTP server:
[appadmin]# -s

dns
Configure DNS servers. At least one DNS server must be specified; a maximum of three DNS servers can be specified.
Syntax
configure dns [secondary] [tertiary]
Example 1
[appadmin]# configure dns 192.168.1.1
Example 2
[appadmin]# configure dns 192.168.1.1 192.168.1.
Example
[appadmin]# configure ip data 192.168.5.12 netmask 255.255.255.0 gateway 192.168.5.1

timezone
Configures the time zone interactively.
Syntax
configure timezone
Example
[appadmin]# configure timezone
configure timezone
*********************************************************
* WARNING: When the command is completed Policy Manager services *
* are restarted to reflect the changes.
Delete a rule.
Where:
Table 199: Network IP Delete Commands
Flag/Parameter  Description
-i  Id of the rule to delete.
Syntax
network ip list
List all routing rules.
Syntax
network ip reset
Reset the routing table to the factory default setting. All custom routes are removed.
Example 1
[appadmin]# network ip add data -s 192.168.5.0/24
Example 2
[appadmin]# network ip add data -s 192.168.5.12
Example 3
[appadmin]# network ip list

nslookup
Returns the IP address of a host using DNS.
Where:
Table 201: Ping Commands
Flag/Parameter  Description
-i  Optional. Originating IP address for ping.
-t  Optional. Ping indefinitely.
    Host to be pinged.
Example
[appadmin]# network ping -i 192.168.5.10 -t sun.us.arubanetworks.com

reset
Reset the network data port.
Syntax
network reset
Where:
Table 202: Reset Commands
Flag/Parameter  Description
    Required. Name of the network port to reset.
Service commands
The Policy Manager command line interface includes the following service commands:
l start
l stop
l status
l restart
l activate
l deactivate
l list
The commands in this section have identical syntax; therefore, this section presents them as variations on .
Activates the specified Policy Manager service.
Show Commands
The Policy Manager command line interface includes the following show commands:
l "all-timezones" on page 328
l "date" on page 328
l "dns" on page 328
l "domain" on page 329
l "hostname" on page 329
l "ip" on page 329
l "license" on page 329
l "timezone" on page 330
l "version" on page 330

all-timezones
Interactively displays all available timezones.
Syntax
show all-timezones
Example
[appadmin]# show all-timezones
Africa/Abidjan
Africa/Accra
.....
Tertiary DNS :
===========================================

domain
Displays Domain Name, IP Address, and Name Server information.
Syntax
show domain
Example
[appadmin]# show domain

hostname
Displays the hostname.
Syntax
show hostname
Example
[appadmin]# show hostname
show hostname
wolf

ip
Displays IP and DNS information for the host.
Syntax
show license
Example
[appadmin]# show license
show license

timezone
Displays the current system timezone.
Syntax
show timezone
Example
[appadmin]# show timezone
show timezone

version
Displays the Policy Manager software version and hardware model.
Syntax
show version
Example
[appadmin]# show version
=======================================
Policy Manager software version : 2.0(1).
Table 205: Boot-Image Commands
Flag/Parameter  Description
-l  Optional. List boot images installed on the system.
-a  Optional. Set the active boot image version, in A.B.C.D syntax.
Example
[appadmin]# system boot-image

gen-support-key
Generates the support key for the system.
* WARNING: This command will shutdown all applications *
* and reboot the system *
********************************************************
Are you sure you want to continue? [y|Y]: y

shutdown
Shuts down the system.
Syntax
system shutdown
Example
[appadmin]# system shutdown
********************************************************
* WARNING: This command will shutdown all applications *
* and power off the system *
********************************************************
Are you sure you want to continue? [y
Table 208: Upgrade Commands
Flag/Parameter  Description
    Required. Enter the file path, using either of the syntaxes shown in the two examples below.
Example 1
[appadmin]# system upgrade admin@sun.us.arubanetworks.com:/tmp/PolicyManager-x86-64-upgrade-71.tgz
Example 2
[appadmin]# system upgrade http://sun.us.arubanetworks.com/downloads/PolicyManager-x86-64upgrade-71.
Table 209: Ad Auth Commands
Flag/Parameter  Description
    Required. Username of the authenticating user.
Example
[appadmin]# ad auth --username=mike

ad netjoin
Joins the host to the domain.
Syntax
ad netjoin [domain NETBIOS name]
Where:
Table 210: Ad Netjoin Commands
Flag/Parameter  Description
    Required. Host to be joined to the domain.
[domain NETBIOS name]  Optional.
Example
[appadmin]# ad netjoin atlas.us.arubanetworks.
Syntax
alias =
Where:
Table 211: Alias Commands
Flag/Parameter  Description
=  Sets as the alias for .
=  Removes the association.
Example 1
[appadmin]# alias sh=show
Example 2
[appadmin]# alias sh=

backup
Creates a backup of Policy Manager configuration data. If no arguments are entered, the system auto-generates a filename and backs up the configuration to this file.
Table 213: Dump Certchain Commands
Flag/Parameter  Description
    Specifies the hostname and SSL port number.
Example 1
[appadmin]# dump certchain ldap.acme.com:636
dump certchain

dump logs
Dumps Policy Manager application log files.
Syntax
dump logs -f [-s yyyy-mm-dd] [-e yyyy-mm-dd] [-n ] [-t ] [-h]
Where:
Table 214: Dump Logs Commands
Flag/Parameter  Description
-f  Specifies the target for concatenated logs.
Example 1
[appadmin]# dump servercert ldap.acme.com:636

exit
Exits the shell.
krb list
Lists the cached Kerberos tickets.
Syntax
krb list
Example
[appadmin]# krb list

ldapsearch
The Linux ldapsearch command, used to find objects in an LDAP directory. (Note that only the Policy Manager-specific command line arguments are listed below. For other command line arguments, refer to the ldapsearch man pages on the Internet.)
Flag/Parameter  Description
-p  Optional. Force restore from a backup file that does not have password fields present.
-s  Optional. Restore cluster server/node entries from the backup. (Node entries are disabled on restore.)
Example
[appadmin]# restore user@hostname:/tmp/tips-backup.tgz -l -i -c -s

quit
Exits the shell.
Syntax
quit
Example
[appadmin]# quit
Appendix B Rules Editing and Namespaces
In the Policy Manager administration User Interface (UI) you use the same editing interface to create different types of objects:
l Service rules
l Role mapping policies
l Internal user policies
l Enforcement policies
l Enforcement profiles
l Post-audit rules
l Proxy attribute pruning rules
l Filters for Access Tracker and activity reports
l Attributes editing for policy simulation
When editing all these elements, you are presented with a tabular in
are editing service rules you work with, among other namespaces, the RADIUS namespace, but not the posture namespace. Enumerated below are the namespaces you will find in the different rules editing contexts:
l RADIUS Namespace - Dictionaries in the RADIUS namespace come pre-packaged with the product. The administration interface does provide a way to add new dictionaries into the system (see "RADIUS Dictionaries" on page 301 for more information).
Active Directory, you need to define filters for that authentication source (see "Adding and Modifying Authentication Sources" on page 127 for more information).
n LDAP Instance Namespace - For each instance of an LDAP authentication source, there is an LDAP instance namespace that appears in the rules editing interface. The LDAP instance namespace consists of all the attributes that were defined when the authentication source was created.
Attribute Description Dest-IP-Address Dst-IP-Address and Dst-Port are the IP address and port at which Policy Manager received the request (RADIUS, TACACS+, etc.
Attribute Name Values "Adding and Modifying Authentication Methods" on page 111).
Issuer-DN, Issuer-DC, Issuer-UID, Issuer-CN, Issuer-GN, Issuer-SN, Issuer-C, Issuer-L, Issuer-ST, Issuer-O, Issuer-OU, Issuer-emailAddress  Attributes associated with the issuer (Certificate Authorities or the enterprise CA). Not all of these fields are populated in a certificate.
l Audit Namespace - Dictionaries in the audit namespace come pre-packaged with the product. The audit namespace has the notation Vendor:Audit, where Vendor is the name of the company that has defined attributes in the dictionary. Examples of dictionaries in the audit namespace are Avenda Systems:Audit and Qualys:Audit.
n The audit namespace appears when editing post-audit rules. (See "Audit Servers" on page 203 for more information.
Variable  Description
Address-Colon}
%{RADIUS:IETF:MACAddress-Hyphen}  MAC address of the client in aa-bb-cc-dd-ee-ff format
%{RADIUS:IETF:MACAddress-Dot}  MAC address of the client in aabb.ccdd.eeff format
%{RADIUS:IETF:MACAddress-NoDelim}  MAC address of the client in aabbccddeeff format
Note that you can also use any other dictionary-based attributes (or namespace attributes defined in this chapter) as variables in role mapping rules, enforcement rules, enforcement profiles and LDAP or SQL filters.
The following table describes all the operator types:
Table 225: Operator Types
Operator  Description
EQUALS  True if the run-time value of the attribute matches the configured value. For the string data type, this is a case-sensitive comparison. E.g., RADIUS:IETF:NAS-Identifier EQUALS "SJ-VPN-DEVICE"
CONTAINS  For the string data type, true if the run-time value of the attribute is a substring of the configured value. E.g.
E.g., RADIUS:IETF:NAS-Port LESS_THAN 10
LESS_THAN_OR_EQUALS  For integer, time and date data types, true if the run-time value of the attribute is less than or equal to the configured value. E.g., RADIUS:IETF:NAS-Port LESS_THAN_OR_EQUALS 10
IN_RANGE  For time and date data types, true if the run-time value of the attribute is greater than or equal to the first configured value and less than or equal to the second configured value. E.g.
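An added example, not code from the Policy Manager manual or product, that evaluates rule conditions with the EQUALS, LESS_THAN, LESS_THAN_OR_EQUALS and IN_RANGE operators of Table 225 against a constructed set of RADIUS:IETF request attributes. It assumes that an attribute absent from the request never matches and that a rule's conditions are combined with either AND or OR; CONTAINS is left out.

```python
from datetime import date
from typing import Any, Mapping, Sequence, Tuple

# A condition is (attribute, operator, configured value); for IN_RANGE the
# configured value is a (low, high) pair.
Condition = Tuple[str, str, Any]


def _comparable(runtime: Any, configured: Any) -> bool:
    """True when both values share a data type the ordering operators apply
    to (integer or date); strings and bools are excluded."""
    if isinstance(runtime, bool) or isinstance(configured, bool):
        return False
    return type(runtime) is type(configured) and isinstance(runtime, (int, date))


def evaluate(attrs: Mapping[str, Any], attribute: str,
             operator: str, configured: Any) -> bool:
    """Evaluate one condition: <attribute> <operator> <configured value>.

    EQUALS is an exact, case-sensitive match; LESS_THAN and
    LESS_THAN_OR_EQUALS apply to integer and date data types; IN_RANGE is
    inclusive on both bounds. Assumption (not stated in the manual): an
    attribute absent from the request never matches, so a missing NAS-Port
    cannot pass a LESS_THAN check by accident.
    """
    if attribute not in attrs:
        return False
    runtime = attrs[attribute]
    if operator == "EQUALS":
        return type(runtime) is type(configured) and runtime == configured
    if operator == "LESS_THAN":
        return _comparable(runtime, configured) and runtime < configured
    if operator == "LESS_THAN_OR_EQUALS":
        return _comparable(runtime, configured) and runtime <= configured
    if operator == "IN_RANGE":
        low, high = configured
        return (_comparable(runtime, low) and _comparable(runtime, high)
                and low <= runtime <= high)
    raise ValueError(f"unsupported operator: {operator}")


def evaluate_rule(attrs: Mapping[str, Any], conditions: Sequence[Condition],
                  match_all: bool = True) -> bool:
    """AND the conditions together (match_all=True) or OR them (False)."""
    results = [evaluate(attrs, *cond) for cond in conditions]
    return all(results) if match_all else any(results)


# Constructed request attributes (not captured traffic), named in the
# RADIUS:IETF namespace as in the examples of Table 225; constructed rule.
SAMPLE_REQUEST = {
    "RADIUS:IETF:NAS-Identifier": "SJ-VPN-DEVICE",
    "RADIUS:IETF:NAS-Port": 7,
}

VPN_RULE = [
    ("RADIUS:IETF:NAS-Identifier", "EQUALS", "SJ-VPN-DEVICE"),
    ("RADIUS:IETF:NAS-Port", "LESS_THAN", 10),
]
```

`evaluate_rule(SAMPLE_REQUEST, VPN_RULE)` returns True; lowering the NAS-Port bound below 7 or changing the case of the NAS-Identifier value makes the corresponding condition fail.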
Appendix C Software Copyright and License Statements This appendix lists the copyright notices for the binary distribution from Aruba Networks. A copy of the source code is available for portions of the software whose copyright statement requires Aruba Networks to publish any modified source code. To cover the costs of duplication and shipping, there is a nominal cost to obtain the source code material. To obtain a copy of the source code, contact info@arubanetworks.com.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.] Preamble The licenses for most software are designed to take away your freedom to share and change it.
Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better. However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves.
c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6.
automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License.
15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
12.
http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: 1. You must give any other recipients of the Work or Derivative Works a copy of this License; and 2.
and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS OpenSSL License /* ============================================== * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
* software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5.
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED.
*/ Original SSLeay License ----------------------- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to.
* the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1.
* The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.
* The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ OpenLDAP License The OpenLDAP Public License Version 2.8, 17 August 2003 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1.
OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. gSOAP Public License Portions created by gSOAP are Copyright (C) 2001-2004 Robert A. van Engelen, Genivia inc. All Rights Reserved.