Dell Networking W-ClearPass Deployment Guide
Copyright © 2016 Hewlett Packard Enterprise Development LP. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners. Open Source Code This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses.
Contents Copyright 2 Contents 3 About W-ClearPass 11 About This Guide 11 Intended Audience 11 About the W-ClearPass Access Management System 12 W-ClearPass Access Management System Overview 12 Key Features 13 Advanced Policy Management 13 W-ClearPass Policy Manager Hardware and Virtual Appliances 14 W-ClearPass Specifications 14 Setting Up the W-ClearPass Hardware Appliances 15 About the W-ClearPass Hardware Appliances 16 W-ClearPass Policy Manager 500 Hardware Appliance 16 W-Cle
vSphere Web Client W-ClearPass Installation Overview 30 W-ClearPass VMware Virtual Appliance Installation Setup 30 Adding a Virtual Hard Disk 33 Launching the W-ClearPass Virtual Appliance 35 Completing the Virtual Appliance Setup 36 Applying and Activating the W-ClearPass License 37 Logging in to the W-ClearPass Virtual Appliance 39 Signing Up for Live Software Updates 40 Changing the Administration Password 40 Powering Off the W-ClearPass Virtual Appliance 41 Using Microsoft Hyper-V to
Starting or Stopping W-ClearPass Services 60 Summary of the Server Configuration Page 61 Subset of CLI for W-ClearPass Maintenance Tasks 62 Preparing the Mobility Controller for W-ClearPass Policy Manager Integration 65 Adding a Mobility Controller to W-ClearPass Policy Manager 65 Defining a New Mobility Controller 65 Importing a List of Network Devices 67 Generating an Example of Import File XML Format 67 Adding a W-ClearPass/RADIUS Server to the Mobility Controller 68 Adding the W-ClearPas
Adding Active Directory as an Authentication Source to W-ClearPass 100 About Authorization 101 User Objects 101 About the Bind Operation 101 Adding Active Directory as an Authentication Source 101 Obtaining and Installing a Signed Certificate From Active Directory 108 About Certificates in W-ClearPass Deployments 108 How to Obtain a Signed Certificate from Active Directory 109 Creating a Certificate Signing Request 109 Importing the Root CA Files to the Certificate Trust List 112 Obtaini
802.1X Wired Authentication Traffic Flow 129 Troubleshooting 802.
Introduction 146 Using the WebUI to Add a Subscriber Node 147 Using the CLI to Create a Subscriber Node 149 Rejoining a Down Node to the Cluster 150 Introduction 150 Removing a Subscriber Node from the Cluster 150 Rejoining a Node Back Into the Cluster 151 Deploying W-ClearPass Insight in a Cluster 152 Introduction 152 W-ClearPass Insight Placement Considerations 153 When a W-ClearPass Insight-Enabled Node Is Down 153 Enabling W-ClearPass Insight 153 Configuring Cluster File-Backup S
cluster reset-database 164 cluster set-cluster-passwd 164 cluster sync-cluster-passwd 164 Mobility Access Switch Configuration for 802.1X Authentication Mobility Access Switch Configuration for 802.1X Wired Authentication 165 165 About Defining Wired 802.1X Authentication 165 Configuring Authentication with a RADIUS Server 166 Authentication Terminated on the Mobility Access Switch 167 Configuring Access Control Lists 168 CLI-Based Configuration for Mobility Access Switch 802.
About EAP-PEAP MSCHAPv2 191 EAP-PEAP MSCHAPv2 Handshake Exchange Summary 191 Using the W-ClearPass Configuration API W-ClearPass Configuration API Overview 199 199 Introduction 199 Admin Accounts for API Access 199 XML Data Structure 200 Filter Elements 201 Advanced Match Operations 201 Setting Up Bulk Access for Endpoints and Guest Accounts 202 W-ClearPass Configuration API Methods 204 Introduction 204 Authentication Credentials 204 Entity Names Supported 205 NameList 206 Reorde
Chapter 1 About W-ClearPass This chapter provides an overview of the W-ClearPass Policy Manager Access Management System.
The user of this guide should have a working knowledge of the following:
- AAA technologies (RADIUS, TACACS, 802.1X, MAC address authentication, and Web authentication)
- Layer-2 and Layer-3 networking
- User identity stores, such as Active Directory
Providing information about network device configurations and capabilities is outside the scope of this guide. For information on these topics, refer to the documentation provided by the vendor of your network equipment.
W-ClearPass leverages a user’s role, device, location, application use, and time of day to execute custom security policies, accelerate device deployments, and streamline network operations across wired networks, wireless networks, and VPNs. Third-Party Security and IT Systems W-ClearPass can be extended to third-party security and IT systems using REST-based APIs to automate work flows that previously required manual IT intervention.
- Access for unmanaged endpoints: Unmanaged non-802.1X devices (such as printers, IP phones, and IP cameras) can be identified as known or unknown upon connecting to the network. The identity of these devices is based on the presence of their MAC address in an external or internal database. Because a MAC address is trivially spoofable, treat it as an identifier rather than a credential and keep the roles granted by MAC-only authentication narrowly scoped.
- Secure configuration of personal devices: W-ClearPass Onboard fully automates the provisioning of any Windows, Mac OS X, iOS, Android, Chromebook, and Ubuntu devices via a built-in captive portal.
- Reporting, analytics, and troubleshooting tools
- External captive portal redirect to multivendor equipment
- Interactive policy simulation and monitor mode utilities
- Deployment templates for any network type, identity store, and endpoint
Framework and Protocol Support
- RADIUS, RADIUS CoA, TACACS+, Web authentication, and SAML v2.
- Resetting the System Passwords to the Factory Defaults
About the W-ClearPass Hardware Appliances
Dell provides three hardware appliance platforms:
- W-ClearPass Policy Manager 500. See W-ClearPass Policy Manager 500 Hardware Appliance.
- W-ClearPass Policy Manager 5K. See W-ClearPass Policy Manager 5K Hardware Appliance.
- W-ClearPass Policy Manager 25K. See W-ClearPass Policy Manager 25K Hardware Appliance.
Figure 1 Ports on the W-ClearPass 500 Hardware Appliance
You can also access the W-ClearPass hardware appliance by connecting a monitor and keyboard to the hardware appliance. Table 2 describes the specifications for the W-ClearPass Policy Manager 500 hardware appliance.
Table 2: CP-HW-500 Specifications
CP-HW-500 Component: Specification
- CPU: Pentium G850, Dual Core, 2.9 GHz, 3 MB Cache
- Memory: 4 GB (2 x 2 GB)
- Hard drive storage: 500 GB 7.
CP-HW-500 Component: Specification
Environmental Specifications
- Operating temperature: 10 °C to 35 °C (50 °F to 95 °F)
- Operating vibration: 0.26 G at 5 Hz to 350 Hz for 5 minutes
- Operating shock: 1 shock pulse of 31 G for up to 2.6 ms
- Operating altitude: -16 m to 3,048 m (-50 ft to 10,000 ft)
W-ClearPass Policy Manager 5K Hardware Appliance
The W-ClearPass Policy Manager 5K hardware appliance (CP-HW-5K) is a RADIUS/TACACS+ server that provides advanced policy control for up to 5,000 unique endpoints.
CP-HW-5K Component: Specification
- RAID controller: PERC H200
- RAID configuration
- Baseboard Management Controller (BMC): 1 OOB management
- Maximum unique endpoints: High Capacity Guest (HGC) mode enabled: 10,000; HGC not enabled: 5,000
- Maximum number of authentications per day: High Capacity Guest (HGC) mode enabled: 400,000; HGC not enabled: 200,000
- Form Factor
- Dimensions (WxHxD): 17.53” x 1.7” x 16.
The LSI controller presents to W-ClearPass a single virtual 1.675 TB drive, masking the underlying two physical drive groups (two groups of two mirrored drives). Figure 3 shows the ports on the rear panel of the W-ClearPass 25K hardware appliance. The function of each of these ports is described in Table 1. Figure 3 Ports on the W-ClearPass 25K Hardware Appliance Table 4 describes the specifications for the W-ClearPass Policy Manager 25K hardware appliance.
CP-HW-25K Component: Specification
- Power consumption (maximum): 750 watts
- Power supply: Dual hot-swappable (optional)
- AC input voltage: 100/240 VAC auto-selecting
- AC input frequency: 50/60 Hz auto-selecting
Environmental Specifications
- Operating temperature: 10 °C to 35 °C (50 °F to 95 °F)
- Operating vibration: 0.26 G at 5 Hz to 350 Hz for 5 minutes
- Operating shock: 1 shock pulse of 31 G for up to 2.
Required Information Value for Your Installation Data port subnet mask (optional) Data port gateway (optional) Primary DNS Secondary DNS NTP server (optional) Configuring the W-ClearPass Hardware Appliance The initial setup dialog starts when you connect a terminal, PC, or laptop running a terminal emulation program to the Serial port on the W-ClearPass hardware appliance. To configure the W-ClearPass Policy Manager hardware appliance: 1. Connect the Serial port. a.
  - Enter Data Port Gateway:
  - Enter Primary DNS:
  - Enter Secondary DNS:
5. Specify the cluster password. Setting the cluster password also changes the password for the CLI user appadmin, as well as the Administrative user admin. If you want the admin password to be unique, see Changing the Administration Password on page 25.
a. Enter any string with a minimum of six characters, then you are prompted to confirm the cluster password. Six characters is only the minimum accepted; because this one value also becomes the CLI and administrative password, use a long passphrase.
b.
When you click Activate Now, W-ClearPass Policy Manager attempts to activate the product over the Internet with W-Series Networks license activation servers. If the W-ClearPass Policy Manager hardware appliance does not have Internet access, you can perform the product activation offline by following the steps for offline activation presented in the Offline Activation section shown in Figure 5.
Figure 7 W-ClearPass Policy Manager Landing Page Signing Up for Live Software Updates Upon your initial login to W-ClearPass Policy Manager, you should register for software updates. 1. Navigate to the Administration > Agents and Software Updates > Software Updates page. A message is displayed indicating that the W-ClearPass hardware appliance is not signed up for live updates and that you must enter your subscription ID. Figure 8 Entering the Subscription ID for Live Updates 2.
If you wish to assign a unique admin password, use this procedure to change it. To change the administration password: 1. In W-ClearPass, navigate to Administration > Users and Privileges > Admin Users. The Admin Users page appears. Figure 9 Admin Users Page 2. Select the appropriate admin user. The Edit Admin User dialog appears. Figure 10 Changing the Administration Password 3. Change the administration password, verify the new password, then click Save.
Resetting the System Passwords to the Factory Defaults To reset the system account passwords in Policy Manager to the factory defaults, you must first generate a password recovery key, then log in as the apprecovery user to reset the system account passwords. Generating the Password Recovery Key To generate the password recovery key: 1. If you are employing a hardware connection, connect to the W-ClearPass Policy Manager hardware appliance using the serial port (using any terminal program).
Using the VMware vSphere Web Client to Install W-ClearPass on a Virtual Machine This section documents the procedures for using the VMware vSphere® Web Client to install W-ClearPass on an ESXi host, as well as completing important administrative tasks, such as registering for W-ClearPass software updates and changing the admin password.
W-ClearPass Server I/O Rate Most virtualized environments use a shared disk subsystem, assuming that each application will have bursts of I/O without a sustained high I/O throughput. W-ClearPass Policy Manager requires a continuous sustained high data-I/O rate. For the latest information on the supported hypervisors and virtual hardware requirements, refer to the appropriate version of the W-ClearPass Release Notes at https://download.dell-pcw.com under the W-ClearPass 6.6.0 Upgrade folder.
Required Information / Value for Your Installation: Primary DNS; Secondary DNS; NTP server (optional)
vSphere Web Client W-ClearPass Installation Overview
W-ClearPass VMware software packages are distributed as Zip files. The process of installing the W-ClearPass Policy Manager virtual appliance on a host that runs VMware vSphere Web Client consists of four stages:
1. Download the VMware ESXi package from the Dell Download site at http://download.dellpcw.
Figure 11 Deploy OVF Template: Selecting the Source Location 6. Select Local File, then click Browse. 7. Navigate to the folder where you extracted the files, then click Next. The Review Details screen opens. 8. Review the information presented, then click Next. The Accept EULAs screen opens. 9. Read the End User License Agreements (EULA) and click Accept, then click Next. The Select Name and Folder screen opens. Figure 12 Selecting the Name and Location for the Deployed Template 10.
Figure 13 Selecting a Resource 11. If required, choose the VMware host where W-ClearPass will be deployed, then click Next. The Select Storage screen opens. Figure 14 Selecting the Location to Store the Files 12. Choose the virtual disk format and data store for the W-ClearPass virtual appliance, then click Next. The virtual disk format specified in Figure 14 is Thin Provision.
Figure 15 Configuring the Networks for VM Deployment 13. Specify the virtual network where W-ClearPass will reside, then click Next. The Ready to Complete screen opens, which displays all the settings you chose for this OVF file deployment. 14. Review the settings for accuracy, and make any changes if necessary, then click Finish. The OVF file is deployed in the selected network.
2. Click Edit Settings. The Edit Settings dialog opens. Figure 17 Editing the Virtual Machine Settings 3. Add a new virtual hard disk: a. Consult the W-ClearPass Policy Manager Release Notes for determining the correct size of the virtual hard disk to add to your W-ClearPass virtual appliance. b. From the New Device drop-down, select New Hard Disk. c. Click Add. The Virtual Hardware dialog opens. Figure 18 Specifying the Size of the New Hard Disk d. Enter the size of the new hard disk, then click OK.
For the latest information on the recommended disk sizes for a virtual hard disk, refer to the W-ClearPass Release Notes at https://download.dell-pcw.com under the W-ClearPass 6.6 Upgrade folder. Access to this site requires log-in credentials. 4. Make sure that the network adapters are assigned correctly: a. Network adapter 1: Management port b. Network adapter 2: Data port c. Click OK. Launching the W-ClearPass Virtual Appliance To launch the W-ClearPass virtual appliance: 1.
Figure 20 Initial Virtual Machine Console Screen 3. To proceed, enter y. W-ClearPass setup and installation begins. Two console screens appear sequentially, which indicate that first the W-ClearPass Installer reboots, then the virtual appliance reboots. When the rebooting process is complete, the W-ClearPass virtual appliance is configured, and the virtual appliance will power on and boot up within a couple of minutes.
  - Enter Data Port IP Address:
  - Enter Data Port Subnet Mask:
  - Enter Data Port Gateway:
  - Enter Primary DNS:
  - Enter Secondary DNS:
4. Specify the cluster password. Setting the cluster password also changes the password for the CLI user appadmin, as well as the Administrative user admin. If you want the admin password to be unique, see Changing the Administration Password on page 40.
a. Enter any string with a minimum of six characters, then you are prompted to confirm the cluster password. Six characters is only the minimum accepted; because this one value also becomes the CLI and administrative password, use a long passphrase.
b.
Figure 21 Entering the License Key 3. Do the following: a. In the Select Application drop-down, make sure the application is set to Policy Manager. b. Make sure the I agree to the above terms and conditions check box is enabled. c. In the Enter license key text box, enter your W-ClearPass license key. d. Click Add License. Upon successfully entering the license key, the Admin Login screen opens with a message indicating that you have 90 days to activate the product and a link to activate the product.
Figure 23 Performing Offline Activation After successfully activating W-ClearPass online, you will see a message above the Admin Login screen indicating that the product has been successfully activated. Logging in to the W-ClearPass Virtual Appliance After a successful activation, the Admin Login dialog appears. Figure 24 Logging in to the W-ClearPass Virtual Appliance 1.
Figure 25 W-ClearPass Policy Manager Landing Page Signing Up for Live Software Updates Upon your initial login to W-ClearPass Policy Manager, you need to register for software updates. 1. Navigate to the Administration > Agents and Software Updates > Software Updates page. A message is displayed indicating that the W-ClearPass virtual appliance is not signed up for live updates and that you must enter your subscription ID. Figure 26 Entering the Subscription ID for Live Updates 2.
to assign a unique admin password, use this procedure to change it. To change the administration password: 1. In W-ClearPass, navigate to Administration > Users and Privileges > Admin Users. The Admin Users page opens. Figure 27 Admin Users Page 2. Select the appropriate admin user. The Edit Admin User dialog opens. Figure 28 Changing the Administration Password 3. Change the administration password, verify the new password, then click Save.
- Introduction
- Before Starting the W-ClearPass Installation
- W-ClearPass Hyper-V Virtual Appliance Installation Summary
- Importing the Virtual Machine
- Adding a Hard Disk to a Virtual Machine
- Launching the W-ClearPass Virtual Appliance
- Completing the Virtual Appliance Configuration
- Applying and Activating the W-ClearPass License
- Logging in to the W-ClearPass Virtual Appliance
- Signing Up for Live Software Updates
- Changing the Administration Password
- Powering Off the
details). The additional space required depends on the W-ClearPass virtual appliance version. Processing and Memory Requirements To ensure scalability, dedicate or reserve the processing and memory to the W-ClearPass VM instance. You must also ensure that the disk subsystem can maintain the IOPs (I/O operations per second) throughput as detailed below.
W-ClearPass Hyper-V Virtual Appliance Installation Summary
The process of installing the W-ClearPass Policy Manager virtual appliance on one or more hosts that run Microsoft Hyper-V consists of four stages:
1. Download the Microsoft Hyper-V package from the Dell Download site.
2. Import the virtual machine.
a. Choose the import type.
b. If required, specify the virtual switch that the Management Interface and Data Interface will be connected to.
3. Add a new virtual hard disk.
a.
Figure 30 Locating the Folder 6. In the Locate Folder step, select the folder you unzipped in Step 2, then click Next. The Select Virtual Machine dialog opens. Figure 31 Selecting the Virtual Machine 7. Make sure the correct virtual appliance is highlighted, then click Next. The Choose Import Type dialog opens. Figure 32 Specifying the Import Type 8. In the Choose Import Type step, select Copy the virtual machine, then click Next.
Figure 33 Specifying the Folders for the Virtual Machine Files 9. You can choose to either specify an alternate location to store the virtual appliance's files or accept the defaults: a. To specify an alternate location to store the virtual appliance's files, click (enable) the Store the virtual machine in a different location check box, specify the following folders, then click Next: n Virtual machine configuration folder n Snapshot folder n Smart Paging folder b.
Figure 35 Specifying the Virtual Switch in the Event of an Error 11. From the Connection drop-down, choose the virtual switch that will be used for the Management interface on the W-ClearPass Policy Manager virtual appliance, then click Next. The following screen is displayed to allow you to (optionally) specify the Data interface of the W-ClearPass Policy Manager virtual appliance. Figure 36 Specifying the Data Interface (Optional) 12.
Adding a Hard Disk to a Virtual Machine Do not create the virtual hard disk in a folder that is marked for encryption. Virtual hard disks are stored as .vhd files. Hyper-V does not support the use of storage media if Encrypting File System (EFS) has been used to encrypt the .vhd file. However, you can use files stored on a volume that uses Windows BitLocker Drive Encryption. To add a hard disk to a virtual machine: 1. Open Hyper-V Manager. 2.
6. Below the Virtual hard disk field, click New. The New Virtual Hard Disk Wizard opens. 7. From the Before You Begin dialog, click Next. The Choose Disk Format dialog opens. Figure 39 Specifying the Disk Format 8. For the disk format, choose VHDX, then click Next. The Choose Disk Type dialog opens. Figure 40 Specifying the Virtual Hard Disk Type 9. For the disk type, choose Fixed size, then click Next. The Specify Name and Location dialog opens.
Figure 41 Specifying the Name and Location of the Hard Disk File 10. Do the following: a. Enter the name of the virtual hard disk file. b. Browse to the location of the virtual hard disk file, select it, then click Next. The Configure Disk dialog opens. Figure 42 Configuring the New Virtual Hard Disk 11. Select Create a new blank virtual hard disk. a. Then enter the size of the virtual hard disk in Gigabytes (GB).
- By default, membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. However, an administrator can use Authorization Manager to modify the authorization policy so that a user or group of users can complete this procedure.
- Virtual hard disks are stored as .vhd files, which makes them portable, but it also poses a potential security risk. We recommend that you mitigate this risk by taking precautions such as storing the .
Figure 44 Launching the VM Console The initial virtual machine console screen is displayed. Figure 45 Initial Virtual Machine Console Screen 3. To proceed with the installation, enter y. W-ClearPass setup and installation begins. Two console screens appear sequentially—the first screen indicates that the W-ClearPass Installer is rebooting, and the second screen indicates that the virtual appliance is rebooting.
4. After the W-ClearPass virtual appliance launches correctly, the virtual appliance login banner is displayed. 5. Proceed to the next section, Completing the Virtual Appliance Configuration. Completing the Virtual Appliance Configuration To complete the virtual appliance configuration: 1. Refer to and note the required W-ClearPass server configuration information listed in Table 7. 2.
Applying and Activating the W-ClearPass License Activating the W-ClearPass license is necessary for the virtual appliance only, not the hardware appliance, because the W-ClearPass license is included with the hardware appliance. To activate and apply the W-ClearPass license: 1. After the configuration has been applied at the virtual appliance console, open a web browser and go to the management interface of W-ClearPass Policy Manager: https://x.x.x.x/tips/, where x.x.x.
If the W-ClearPass Policy Manager virtual appliance does not have Internet access, you can perform the license activation offline by following the steps for offline activation presented in the Offline Activation section shown in Figure 48. Figure 48 Performing Offline Activation After successfully activating W-ClearPass online, you will see a message above the Admin Login screen indicating that the product has been successfully activated.
Figure 50 W-ClearPass Policy Manager Landing Page Signing Up for Live Software Updates Upon your initial log-in to W-ClearPass Policy Manager, you should register for live software updates. 1. Navigate to the Administration > Agents and Software Updates > Software Updates page. A message is displayed indicating that the W-ClearPass virtual appliance is not signed up for live updates and that you must enter your subscription ID. Figure 51 Entering the Subscription ID for Live Updates 2.
you wish to assign a unique admin password, use this procedure to change it. To change the administration password: 1. In W-ClearPass, navigate to Administration > Users and Privileges > Admin Users. The Admin Users page opens. Figure 52 Admin Users Page 2. Select the appropriate admin user. The Edit Admin User dialog opens. Figure 53 Changing the Administration Password 3. Change the administration password, verify the new password, then click Save.
- Accessing W-ClearPass Online Help
Supported Browsers
The supported browsers for W-ClearPass are:
- Mozilla Firefox on Windows Vista, Windows 7, Windows 8.x, Windows 10, and Macintosh OS X
- Google Chrome for Macintosh OS X and Windows
- Apple Safari 3.x and later on Macintosh OS X
- Mobile Safari 5.x on iOS
- Microsoft Internet Explorer 10 and later on Windows 7 and Windows 8.x
When accessing W-ClearPass Insight with Internet Explorer (IE), IE 11 or above is required.
W-ClearPass Policy Manager is now activated. The Admin Login dialog opens.
Figure 55 Admin Login Dialog
4. Log in using the following credentials, then click Log In:
  - Username: admin
  - Password: eTIPS123
Changing the Administration Password
The recommended next task is to change the administration password for this W-ClearPass server. This default password is published in this guide and therefore known to anyone, so change it at first login, before the management interface is reachable from beyond the installer's workstation.
To change the administration password:
1. In W-ClearPass, navigate to Administration > Users and Privileges > Admin Users. The Admin Users page opens.
Accessing W-ClearPass Online Help The W-ClearPass Policy Manager User Guide is incorporated into the Online Help system. All Policy Manager features include context-sensitive help. To access context-sensitive help, click the Help link at the top right-hand corner of any W-ClearPass screen.
- You can also start an individual service from the command line: service start <service-name>
- You can start all the services from the command line: service start all
Summary of the Server Configuration Page
The Server Configuration page provides many options. Table 8 describes each of the top-level server configuration options that are available. For details, refer to the "Server Configuration" chapter in the W-ClearPass Policy Manager User Guide.
Subset of CLI for W-ClearPass Maintenance Tasks The CLI provides a way to manage and configure Policy Manager information. You can access the CLI from the console using the serial port on the W-ClearPass appliance hardware, or remotely using SSH, or use the VMware or Hyper-V console to run the virtual appliance. ***************************************************************************************** * Dell W-ClearPass Policy Manager * * Software Version : 6.6.0.
Flag/Parameter [domain NetBIOS name] Description Required. This is the name of the host to be joined to the domain. NOTE: Use the Fully Qualified Domain Name. Optional.
Chapter 2 Preparing the Mobility Controller for W-ClearPass Policy Manager Integration
This chapter describes how to prepare the Mobility Controller in order to integrate with W-ClearPass Policy Manager. This chapter includes the following information:
- Adding a Mobility Controller to W-ClearPass Policy Manager
- Adding a W-ClearPass/RADIUS Server to the Mobility Controller
- Adding the W-ClearPass/RADIUS Server to a Server Group
- Configuring an AAA Profile for 802.
Figure 59 Network Devices Screen
2. Click Add. The Add Device wizard appears. You can also import a list of devices from a file. For details, see Importing a List of Network Devices.
Figure 60 Add Device Wizard: Device Tab
3. Populate the Network Device parameters as described in Table 9:
Table 9: Defining a Mobility Controller
Parameter: Action/Description
- Name: 1. Enter the name of the Mobility Controller.
- IP or Subnet Address: 2. Enter the IP address or subnet address of the Mobility Controller.
- Description: Dell recommends including a description of the device.
- RADIUS Shared Secret: 3. Specify the RADIUS Shared Secret for the current W-ClearPass Policy Manager server. NOTE: Make sure that the value of the Key parameter for the RADIUS server configured on the mobility controller is identical to the RADIUS Shared Secret you specify here for the current Policy Manager server (see Table 10). Choose a long, random secret (RFC 2865 recommends at least 16 octets): it is all that protects User-Password hiding and response authentication on the RADIUS exchange, and a subnet entry shares that one secret with every device in the subnet.
The Export to File dialog opens.
Figure 61 Export to File Dialog
4. In the Export to file dialog, select No to the Export file with password protection field, then click Export.
5. Download the XML file. The export contains the network devices' configuration, shared-secret fields included, so treat the downloaded file as sensitive and remove it once you have captured the format.
6. Open the XML file in a text editor to view the format (see Figure 62).
Figure 62 Example of the Import File XML Format
Adding a W-ClearPass/RADIUS Server to the Mobility Controller
The W-ClearPass Policy Manager server is a RADIUS server.
Figure 63 Defining the RADIUS Server in the Mobility Controller The new server is added to the RADIUS Server list. 6. Click the name of the new RADIUS server. The RADIUS Server configuration screen opens.
7. Specify the values for the RADIUS server configuration parameters as described in Table 10.
Table 10: Configuring RADIUS Server Parameters on the Mobility Controller
RADIUS Server Parameter: Action/Description (Comments)
- Host: 1. Specify the IP address or the fully qualified domain name of the RADIUS server. NOTE: In this case, specify the IP address of the W-ClearPass server, which is a RADIUS server.
- Key: The shared secret for this server. It must be identical to the RADIUS Shared Secret configured for this W-ClearPass server in Table 9; with a mismatch W-ClearPass cannot recover the User-Password attribute and the controller cannot validate W-ClearPass's responses, so every authentication against this server fails.
- NAS IP: 9. Specify the NAS IP address to send in RADIUS packets. To set the global NAS IP address, enter the following command: ip radius nas-ip <ipaddr>
- Enable IPv6: To enable the operation of the RADIUS server over IPv6, check the Enable IPv6 check box.
- 10. Enter a VLAN number ID. This allows you to use source IP addresses to differentiate RADIUS requests.
- MAC address delimiter: 14. Optionally, specify a MAC address delimiter. Sends the MAC address with the following delimiters in the authentication and accounting requests of this server:
  - colon: Send MAC address as XX:XX:XX:XX:XX:XX
  - dash: Send MAC address as XX-XX-XX-XX-XX-XX
  - none: Send MAC address as XXXXXXXXXXXX
  - oui-nic: Send MAC address as XXXXXX-XXXXXX
  Default: None
- Service-type of FRAMED-USER: 15.
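As an added example, not from this guide or from Dell, the following Python builds the MAC-authentication RADIUS exchange that Tables 9 and 10 configure: the controller formats the MAC with the chosen delimiter and hides the User-Password with its Key, W-ClearPass unhides it with its RADIUS Shared Secret and performs the known/unknown MAC lookup described earlier under Access for unmanaged endpoints, and the controller checks the Response Authenticator on the reply. Packet layout follows RFC 2865 (sections 3 and 5.2); the function names, secrets, addresses and the one-entry endpoint table are constructed for illustration and are not a ClearPass or ArubaOS API.

```python
"""Added example (not Dell/HPE code): a hand-built RADIUS MAC-authentication
exchange covering the Table 10 Key and MAC address delimiter rows and the
known/unknown MAC lookup. Layout per RFC 2865; all values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def normalize_mac(mac: str) -> str:
    """Canonical 12 lowercase hex digits, whatever delimiter the NAS used."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac: str, delimiter: str) -> str:
    """Render a MAC the way each controller mac-delimiter setting sends it."""
    h = normalize_mac(mac)
    pairs = [h[i:i + 2] for i in range(0, 12, 2)]
    forms = {"colon": ":".join(pairs), "dash": "-".join(pairs),
             "none": h, "oui-nic": f"{h[:6]}-{h[6:]}"}  # OUI half, NIC half
    if delimiter not in forms:
        raise ValueError(f"unknown delimiter {delimiter!r}")
    return forms[delimiter]


def _avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _xor_stream(data: bytes, secret: bytes, authenticator: bytes, chain_on_output: bool) -> bytes:
    """RFC 2865 5.2 keystream: b_i = MD5(secret + previous 16-byte ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if chain_on_output else block  # ciphertext is output when hiding, input when unhiding
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_stream(padded, secret, authenticator, chain_on_output=True)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_stream(hidden, secret, authenticator, chain_on_output=False).rstrip(b"\x00")


def parse_attrs(packet: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, key: bytes, mac: str, delimiter: str, nas_ip: str) -> bytes:
    """Controller side: for MAC auth the MAC is sent as both User-Name and User-Password."""
    req_auth = os.urandom(16)
    username = format_mac(mac, delimiter).encode()
    attrs = (_avp(USER_NAME, username)
             + _avp(USER_PASSWORD, hide_password(username, key, req_auth))
             + _avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_decide(request: bytes, shared_secret: bytes, known_macs: set) -> int:
    """Server side: recover the password with its own secret, then the known/unknown lookup."""
    attrs = parse_attrs(request)
    password = unhide_password(attrs[USER_PASSWORD], shared_secret, request[4:20])
    if password != attrs[USER_NAME]:
        return ACCESS_REJECT  # a Key / Shared Secret mismatch yields garbage here
    return ACCESS_ACCEPT if normalize_mac(attrs[USER_NAME].decode()) in known_macs else ACCESS_REJECT


def build_response(code: int, request: bytes, shared_secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + shared_secret).digest() + attrs


def verify_response(response: bytes, request: bytes, key: bytes) -> bool:
    """Controller side: a reply authenticated with a different secret fails this check."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + key).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo() -> dict:
    secret = b"constructed-shared-secret-example"  # RADIUS Shared Secret in Table 9
    wrong_key = b"constructed-shared-secret-typo!"  # a controller Key that does not match
    known_macs = {"001a2b3c4d5e"}                   # constructed endpoint database
    req = build_access_request(7, secret, "00:1A:2B:3C:4D:5E", "oui-nic", "10.0.0.1")
    stranger = build_access_request(8, secret, "de:ad:be:ef:00:01", "colon", "10.0.0.1")
    reply = build_response(ACCESS_ACCEPT, req, secret)
    return {"matching_secret": server_decide(req, secret, known_macs),
            "mismatched_secret": server_decide(req, wrong_key, known_macs),
            "unknown_mac": server_decide(stranger, secret, known_macs),
            "controller_accepts_reply": verify_response(reply, req, secret),
            "controller_with_wrong_key": verify_response(reply, req, wrong_key)}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows that with matching secrets a known MAC is accepted and an unknown one rejected, while a Key that differs from the Shared Secret by even one character makes the server recover garbage for User-Password and makes the controller reject the server's reply, which is the failure the Table 10 note about identical secrets is guarding against. The "none" and "oui-nic" forms differ only by one dash, so normalizing before the database lookup keeps a delimiter change on the controller from turning every known endpoint into an unknown one.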
Adding the W-ClearPass/RADIUS Server to a Server Group
Before you can reference the W-ClearPass/RADIUS server in the configuration, you must add the W-ClearPass/RADIUS server to a server group.
- You can add multiple RADIUS servers in a server group. You can configure the same server in more than one server group. Note that you must configure a server before you can include it in a server group. Server names must be unique.
- Even if there is only one RADIUS server, you must add it to a RADIUS server group.
Figure 66 Server Group Configuration Screen 6. To add a W-ClearPass Policy Manager server to the server group, in the Servers section, click New. The Servers configuration screen opens. 7. To choose the W-ClearPass server for inclusion in the RADIUS server group, select the W-ClearPass (RADIUS) server name from the drop-down list (see Figure 67). Figure 67 Selecting the W-ClearPass Server for Inclusion in the RADIUS Server Group The new RADIUS server name is now displayed in the Server Name list. 8.
Figure 68 W-ClearPass Server Added to the RADIUS Server Group 9. Click Apply, then from the top of the screen, click Save Configuration. You have now defined the W-ClearPass server as a RADIUS server, and the RADIUS server is a member of a RADIUS server group. These tasks are required before you can use the W-ClearPass Policy Manager server as a RADIUS server in the network.
Figure 69 AAA Profiles Summary 2. To add a new AAA profile, scroll to the bottom of the screen and click Add. 3. Enter the name of the AAA profile in the Add text box, then click Add. 4. Scroll to the name of the new AAA profile and click the profile name. The AAA Profiles configuration page opens, with the list of existing AAA profiles displayed on the left. 5. Expand the menu to view the desired AAA profile, then select the profile. The AAA Profile Configuration page opens.
6. Configure the AAA profile parameters according to your particular use case (refer to Table 11 below for AAA profile parameter details). Table 11: Configuring AAA Profile Parameters AAA Profile Parameter Initial role MAC Authentication Default Role Action/Description Comments 1. Click the Initial Role drop-down list and select a role for unauthenticated users. 2. Click the MAC Authentication Default Role drop-down list and select the role assigned to the user when the device is MAC authenticated. 3.
AAA Profile Parameter Action/Description Comments Upon configuration, the following warning is issued: Warning: Increased max-IP limit can keep system from scaling to max users on all master and local controllers. RADIUS Interim Accounting 7. Enable this option to allow the mobility controller to send Interim-Update messages with current user statistics to the RADIUS accounting server at regular intervals. User derivation rules 8.
AAA Profile Parameter Open SSID RADIUS Accounting Action/Description Comments 14. Enable this option to have a Network Access Server (NAS) operate as a client of the RADIUS accounting server. The client is responsible for passing user accounting information to a designated RADIUS accounting server. The RADIUS accounting server can act as a proxy client to other kinds of accounting servers.
When you create a Wireless LAN using the mobility controller’s WLAN wizard, the mobility controller automatically creates a Virtual AP profile (VAP) based on the Wireless LAN’s configuration. The name the mobility controller assigns to the VAP is the name of the WLAN with “-vap_prof” appended to the name. For example, the VAP for a Wireless LAN named “802.1X-CP” would be named “802.1X-CP-vap_prof”.
Figure 71 Virtual AP Profile Configuration Screen The list of profiles on the left of Figure 71 shows all the settings associated with the selected virtual AP profile—AAA profile (which contains the RADIUS information), 802.11K, and SSID settings. 4. Configure the profile parameters described in Table 13. The virtual AP profile is divided into two tabs:
- Basic: Displays only those configuration settings that often need to be adjusted to suit a specific network.
VAP Parameter Action/Description To associate that VLAN with the virtual AP profile: a. Click the drop-down list to select a configured VLAN. b. Click the Arrow button. The Forward mode parameter controls whether data is tunneled to the mobility controller using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination—corporate traffic goes to the mobility controller, and Internet access remains local.
VAP Parameter Action/Description AP tries to force 5GHz-capable APs to use that radio band.
- Prefer-5GHz (Default): If you configure the AP to use Prefer-5GHz band steering mode, the AP tries to steer the client to the 5G band (if the client is 5G capable), but the AP lets the client connect on the 2.4G band if the client persists in 2.4G association attempts.
- Balance-bands: The AP balances the clients across the two radios to best utilize the available 2.4G bandwidth.
- Configuring the W-ClearPass Server as a CoA Server
- Using the CLI
About the CoA Server This section describes how to configure the W-ClearPass server as a CoA (Change of Authorization) server. You can configure a RADIUS server to send user disconnect, change of authorization (CoA), and session timeout messages as described in RFC 3576, “Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS).”
Figure 73 Setting 3576 Server Parameters 5. Specify the parameters for the RFC 3576 server. a. Key parameter: Enter and verify the RADIUS shared key. This key value is the same RADIUS key value configured for the mobility controller. To enable communication between the mobility controller and the W-ClearPass server, the values for RADIUS key configured on the mobility controller and the RADIUS shared secret configured on the W-ClearPass server must be identical. b.
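The CoA exchange described here, together with the MAC address delimiter setting from the RADIUS server parameters, as an added example (it is not W-ClearPass or ArubaOS code): it renders a Calling-Station-Id in each delimiter style, builds an RFC 3576 Disconnect-Request in the RADIUS wire format, computes the Request Authenticator that the mobility controller recomputes with its own configured key, and shows why a mismatched key on either side makes the request fail that check. The attribute set, the sample MAC, the identifier and the placeholder key are all constructed values.

```python
import hashlib
import hmac
import re
import struct

# RADIUS packet codes (RFC 2865; dynamic authorization codes from RFC 3576 / RFC 5176)
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Attribute types commonly used to identify the session being torn down
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44


def canonical_mac(mac: str) -> str:
    """Strip colon, dash, dot or oui-nic delimiters and validate exactly 12 hex digits."""
    cleaned = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned.lower()


def format_mac(mac: str, delimiter: str) -> str:
    """Render a MAC the way the controller's 'MAC address delimiter' setting sends it."""
    m = canonical_mac(mac)
    pairs = [m[i:i + 2] for i in range(0, 12, 2)]
    if delimiter == "colon":
        return ":".join(pairs)
    if delimiter == "dash":
        return "-".join(pairs)
    if delimiter == "none":
        return m
    if delimiter == "oui-nic":  # OUI and NIC halves separated by a dash
        return m[:6] + "-" + m[6:]
    raise ValueError(f"unknown delimiter style {delimiter!r}")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret: bytes, identifier: int, attributes) -> bytes:
    """Disconnect-Request. Request Authenticator (RFC 3576 section 2.3) =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Shared Secret)."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """The NAS side: recompute the authenticator with its own configured key.
    A key mismatch between controller and W-ClearPass fails here and the request is discarded."""
    if len(packet) < 20:
        return False
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!BBH", header)[2] != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def build_response(code: int, request: bytes, secret: bytes, attributes=()) -> bytes:
    """Disconnect-ACK or Disconnect-NAK. Response Authenticator =
    MD5(Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret)."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The CoA client side: the reply must echo the request identifier and carry a valid authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, authenticator, body = response[:4], response[4:20], response[20:]
    if struct.unpack("!BBH", header)[2] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(authenticator, expected)


if __name__ == "__main__":
    # Constructed sample values; the key is a placeholder, not a real secret.
    key = b"example-shared-key"
    req = build_disconnect_request(key, 7, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_CALLING_STATION_ID, format_mac("00:1A:2B:3C:4D:5E", "dash").encode()),
        (ATTR_ACCT_SESSION_ID, b"0000A1B2"),
    ])
    print("NAS accepts with matching key:  ", verify_request_authenticator(req, key))
    print("NAS rejects with mismatched key:", verify_request_authenticator(req, b"typo"))
    ack = build_response(DISCONNECT_ACK, req, key)
    print("client verifies Disconnect-ACK: ", verify_response(ack, req, key))
```

The authenticator is the only integrity protection on a plain RFC 3576 disconnect, so a shared-key mismatch between the controller and W-ClearPass produces no error message on the wire: the receiver simply discards the packet and the CoA appears to hang.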
ArubaOS supports different types of the Advanced Encryption Standard (AES), Temporal Key Integrity Protocol (TKIP), and wired equivalent privacy (WEP) encryption. AES is the most secure and the recommended encryption method. Most modern devices are AES capable, and therefore AES should be the default encryption method. Use TKIP only when the network includes devices that do not support AES. In these situations, use a separate SSID for devices that are only capable of TKIP.
Figure 75 Creating a New Wireless LAN 5. To proceed, press OK. The new Wireless LAN is added to the list of Wireless LANs. Note that the New, Copy, Delete, and Share buttons are now enabled. 6. To begin configuration for the new Wireless LAN, press Next. The Specify Forwarding Mode configuration screen opens. Figure 76 Specifying Forwarding Mode
- The forwarding mode selected for a mobility controller affects how much traffic and how many tunnels the AP will generate.
Figure 77 Specifying Radio Type and VLAN ID 8. Enter the values to specify the radio type and VLAN, then click Next. a. Radio Type: This allows you to specify which radio frequencies the SSID will broadcast on. The a+n radio type is selected in this example because this radio type specifies the 5 GHz spectrum, which has more bandwidth than the 2.4 GHz spectrum. b. Broadcast SSID: Indicate by Yes or No whether you want to broadcast this SSID. c.
Figure 79 Setting Up Authentication and Encryption 10. For this step, do the following: a. Specify Strong encryption with 802.1X authentication. b. Accept the default settings for Authentication: WPA-2Enterprise and Encryption: aes, then click Next. The Specify Authentication Server screen opens. You can either select an existing authentication server or specify a new authentication server. Figure 80 Specifying the Authentication Server for the WLAN 11.
a. Choose Select from known servers. b. Scroll to select the W-ClearPass/RADIUS authentication server, then click OK. The selected server is added to the ordered list of authentication servers. c. Click Next. The Configure Role Assignment screen opens (skip to Figure 82). 12. To specify a new W-ClearPass/RADIUS authentication server, click Add. a. Choose Specify new server. The following dialog is displayed: Figure 81 Specifying a New Authentication Server b.
Parameter Action/Description
Acct port 5. Specify the accounting port on the RADIUS/Policy Manager server.
- Range: 1 to 65535
- Default: 1813
Shared Key 6. Specify the RADIUS Shared Secret for the W-ClearPass Policy Manager server. NOTE: Make sure that the value of the Key parameter for the RADIUS server configured on the mobility controller is identical to the Shared Key you specify here for the Policy Manager server (see Table 10). c. When finished, click OK.
The settings specified are pushed to the mobility controller. You receive the message: Configuration pushed successfully. 9. Click Close. You now have a new set of configurations for the SSID.
Chapter 3 Preparing for Active Directory Authentication This chapter describes the required steps to integrate W-ClearPass Policy Manager and Microsoft Active Directory. For some use cases, it's required that W-ClearPass is joined to the Active Directory—802.1X authentication with EAP-PEAP-MSCHAPv2 is one such use case. 802.1X authentication with Active Directory as the primary authentication source is the focus of this chapter.
If you need to authenticate users that belong to multiple Active Directory forests or domains in your network, and there is no trust relationship between these entities, then you must join W-ClearPass to each of these untrusting forests or domains. You do not need to join W-ClearPass Policy Manager to multiple domains belonging to the same Active Directory forest, because a one-way trust relationship exists between these domains. In this case, you should join CPPM to the root domain.
Figure 84 Confirming NTP Server Synchronization To synchronize with a Network Time Protocol server, the Synchronize time with NTP server check box must be enabled. No more than two NTP servers can be specified. In the example shown in Figure 84, the W-ClearPass Policy Manager server is synchronized to two NTP servers on the Internet. 3. Return to the Server Configuration page by clicking Cancel. 4.
Figure 85 Server Configuration Screen for Selected W-ClearPass Server You can now join the Active Directory domain. 2. Click Join AD Domain. The Join AD Domain dialog opens. Figure 86 Join AD Domain Dialog 3. Domain Controller: Enter the Fully Qualified Domain Name (FQDN) of the domain controller, then press Tab. Note that the primary DNS server IP address (as shown in Figure 85) is also the IP address of the Active Directory domain controller.
W-ClearPass searches for the NetBIOS name for the domain. NetBIOS is another term for the short domain name, or the NT4 domain name, also known as the pre-Windows 2000 domain name. Figure 87 shows that W-ClearPass found the NetBIOS domain name and populated the NetBIOS Name field with the correct name. Figure 87 Entering the Domain Controller FQDN 4. In case of a controller name conflict: a. Use specified Domain Controller: Accept the default setting. b.
Figure 88 W-ClearPass Server Added to the Active Directory Domain The Join AD Domain status screen indicates that the services have restarted. As shown in Figure 88, the final INFO line states that the selected W-ClearPass server joined the domain. 5. Click Close. You return to the Server Configuration page, and it now shows that the W-ClearPass server is joined to the domain.
Figure 90 Location of Modify Password Servers Icon The Configure AD Passwords Servers screen appears. Figure 91 Configuring Active Directory Password Servers 4. In the Password Servers text box, enter the names of the domain controllers that will be used for authentication (one entry per line). 5. When finished, click Save.
Figure 92 Leave AD Domain Dialog 4. Enter the Administrator account password. The Administrator account doesn’t have to be the same account that is used to join the server to the domain—it only has to be an account that has permissions to do this operation. 5. Click Leave. The Leave AD Domain status screen appears, with the heading message: “Removing host from the AD domain.” When the process is complete, the status screen displays the message: “Removed host from the domain.” 6. Click Close.
About Authorization Authorization is the function of specifying access rights to resources related to information security and computer security in general and to access control in particular. In functional terms, "to authorize" is to define an access policy. In the context of 802.1X authentication, authorization is accomplished using LDAP (Lightweight Directory Access Protocol). LDAP is a protocol for accessing directories.
Additional Enforcement Information After authentication takes place, there are usually additional enforcement details provided to the controller, such as VLAN assignment and user membership. To add Active Directory as an authentication source: 1. In the W-ClearPass Policy Manager, navigate to Configuration > Authentication > Sources. The following screen appears: Figure 93 Authentication Sources Screen 2. Click Add. General Page The Authentication Sources General page appears.
Figure 94 Authentication Sources General Page 3. Enter the values for these parameters as described in Table 15. Table 15: General Parameters for an AD Authentication Source Parameter Action/Description Name 1. Enter the name of the Active Directory authentication source. Description 2. Provide the additional information that helps to identify the Active Directory authentication source. Type 3. If not already selected, select Active Directory.
Parameter Action/Description Specifies the duration in number of seconds that Policy Manager waits before considering this server unreachable. Server Timeout Cache Timeout If multiple backup servers are available, then this value indicates the duration in number of seconds that Policy Manager waits before attempting to fail over from the primary to the backup servers in the order in which they are configured. Policy Manager caches attributes fetched for an authenticating entity.
4. Enter the information for each of the required parameters as described in Table 16. Table 16: Primary Parameters for an Active Directory Authentication Source Parameter Action/Description 1. Enter the name or IP address of the Active Directory server you’re going to use for authentication. Hostname The host name entered here must be an LDAP server (note that most domain controllers are also LDAP servers). W-ClearPass uses LDAP to talk to the domain controller. 2.
Parameter Action/Description
- For a single domain Active Directory Domain Service, the Bind DN entry must be located in the same branch and below the Base DN.
- For a multi-domain Active Directory Domain Service (AD DS) forest, because you leave the Base DN text box empty, the restrictions that apply for a single domain do not apply for a multi-domain forest. W-ClearPass fills in the domain portion of the Bind DN.
6. Specify the username.
Parameter Action/Description
- Base Object: Searches any object under the Base DN.
LDAP Referrals Dell does not recommend enabling the "Follow Referrals" check box. This function directs the LDAP server to find a specific user in its tree, but it’s possible for the user to be included on another LDAP server, which can cause a search loop. Bind User This option allows the bind operation using a password. The Allow bind using user password check box is enabled by default.
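A pre-flight check for the Bind DN and Base DN rules above, as an added example that is not W-ClearPass code: it splits both DNs into RDNs (honoring backslash-escaped commas and ignoring case and whitespace, the way LDAP compares cn, ou and dc values), reports whether the bind account really sits below the Base DN for a single-domain source, and for a multi-domain forest checks instead that the Base DN was left empty. The DNs and account names in it are constructed sample values.

```python
def parse_dn(dn: str) -> list:
    """Split a DN into normalized RDNs, most specific first, honoring backslash escapes."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma separates RDNs
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [normalize_rdn(r) for r in rdns if r.strip()]


def normalize_rdn(rdn: str) -> str:
    """Lower-case type and value; cn, ou and dc match case-insensitively in AD."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def is_below(bind_dn: str, base_dn: str) -> bool:
    """True when bind_dn lies strictly below base_dn in the directory tree."""
    bind, base = parse_dn(bind_dn), parse_dn(base_dn)
    return len(bind) > len(base) and bind[len(bind) - len(base):] == base


def check_bind_dn(bind_dn: str, base_dn: str, multi_domain_forest: bool = False):
    """Return (ok, reason) applying the single-domain vs multi-domain forest rule."""
    if multi_domain_forest:
        if base_dn.strip():
            return False, "leave Base DN empty for a multi-domain AD DS forest"
        return True, "multi-domain forest: W-ClearPass fills in the domain portion of the Bind DN"
    if not base_dn.strip():
        return False, "single-domain source needs a Base DN"
    if not is_below(bind_dn, base_dn):
        return False, "Bind DN must be in the same branch and below the Base DN"
    return True, "Bind DN is below the Base DN"


if __name__ == "__main__":
    # Constructed sample values
    cases = [
        ("CN=svc-clearpass,OU=Service Accounts,DC=example,DC=com", "dc=example,dc=com", False),
        ("CN=svc-clearpass,OU=Service Accounts,DC=other,DC=com", "DC=example,DC=com", False),
        ("svc-clearpass", "", True),
    ]
    for bind_dn, base_dn, forest in cases:
        ok, reason = check_bind_dn(bind_dn, base_dn, forest)
        print(f"{'OK  ' if ok else 'FAIL'} {bind_dn!r}: {reason}")
```

A bind account outside the Base DN is a silent failure mode: the bind itself may still succeed, but searches rooted at the Base DN never find the user objects the policy expects.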
Obtaining and Installing a Signed Certificate From Active Directory This section describes how to obtain and install a signed server certificate from Active Directory for 802.1X authentication.
3. The server verifies the employee's credentials, and the employee is connected to the network. Using Both Client and Server Certificates There is a potential problem in this authentication sequence—the employee verified the server’s identity, but the server didn’t verify the employee's identity. It is possible that the user stole the username and password from another employee and is using these stolen credentials on his own device.
Figure 97 Create Certificate Signing Request Dialog 3. Enter the information for each of the required parameters as described in Table 17. Table 17: Parameters for Creating a Certificate Signing Request Parameter Action/Description Common Name Displays the name associated with this entity. This can be a host name, IP address, or other name. The default is the fully-qualified domain name (FQDN). This field is mandatory. Organization (O) Specify the name of the organization. This field is optional.
Parameter Action/Description
- IP: ip_address
- dns: dns_name
- rid: id
This field is optional.
Private Key Password 1. Enter the private key password, then reenter it to verify the password.
Private Key Type 2. Select the length for the generated private key types from the following options:
- 1024-bit RSA
- 2048-bit RSA
- 4096-bit RSA
- X9.62/SECG curve over a 256 bit prime field
- NIST/SECG curve over a 384 bit prime field
The default private key type is 2048-bit RSA. 3.
Figure 98 Displayed View of the Certificate Signing Request 5. Copy the contents of the certificate request into a text file so that you can paste it into the Directory Certificate Services web form as described in Obtaining a Signed Certificate from Active Directory on page 113. 6. To save the Certificate Signing Request file and the private key password file, click Download CSR and Private Key Files.
Figure 99 Certificate Trust List 3. To add the certificate file(s) to the Certificate Trust List, click Add, then browse to the root CA certificate file on your computer. Be sure to add the root CA file first, then add the intermediate CA files after you've added the root CA file. The root CA certificate file is now listed in the Certificate Trust List. Figure 100 New Root CA File(s) Added to the Certificate Trust List 4.
To obtain a signed certificate from Active Directory: 1. Navigate to the Microsoft Active Directory Certificate Services page: Figure 101 Microsoft Active Directory Certificate Services 2. Click Request a certificate. Figure 102 Certificate Services: Request a Certificate 3. Choose advanced certificate request. The Submit a Certificate Request or Renewal Request dialog appears. This operation submits a saved certificate request to the Certificate Authority.
Figure 103 AD Certificate Services: Submit a Certificate Request 4. Copy the contents of the Certificate Signing Request into the Saved Request text box. 5. In the Certificate Template drop-down menu, select Web Server. Figure 104 shows an example of the completed Certificate Request web form.
Figure 104 Completed Submit a Certificate Request Dialog 6. Click Submit. The Certificate Issued dialog appears. Figure 105 AD Certificate Services: Certificate Issued 7. Do the following: a. Select Base 64 encoded. Base-64 encoding is used for 802.1X authentication. b. Click Download certificate. The server certificate is downloaded to your system. c.
Importing a Server Certificate into W-ClearPass To import a server certificate into W-ClearPass: 1. Navigate to Administration > Certificates > Server Certificate. The W-ClearPass Policy Manager Server Certificate dialog appears. Figure 106 W-ClearPass Policy Manager Server Certificate Dialog 2. From the Select Server drop-down menu, select the appropriate W-ClearPass server. When you select the W-ClearPass Policy Manager server, the Select Type field is automatically populated. 3.
Figure 108 Server Certificate Updated Successfully 6. Log out of the W-ClearPass server, then log in again to resume operations on this server. Manually Testing Login Credentials Against Active Directory To test a username and password against the Active Directory, run the ad auth command in the Policy Manager CLI. This command manually checks against Active Directory to indicate whether or not a username and password are valid. 1.
Chapter 4 Preparing for 802.1X Wireless Authentication with Active Directory This chapter includes the following information:
- About 802.1X Authentication
- What Is AAA?
- Walking Through an 802.1X Authentication Scenario
- Configuring 802.1X Wireless Authentication with Active Directory
- Troubleshooting 802.1X Configuration Issues
About 802.1X Authentication This section contains the following information:
- Introducing 802.1X
- 802.1X Authentication Components
Introducing 802.
l The authentication server is typically a host running software supporting the RADIUS and EAP protocols. It provides a database of information required for authentication and informs the authenticator to deny or permit access to the supplicant. In this guide, the authentication server is the W-ClearPass Policy Manager server. Figure 109 802.1X Authentication Network Components Table 18 describes each of the W-ClearPass firewall ports that are used by Active Directory®.
What Is AAA? AAA stands for authentication, authorization, and accounting. AAA is a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These processes working in concert are important for effective network management and security.
This section describes how to use the W-ClearPass Policy Manager to configure 802.1X authentication with Active Directory in a Dell network. Authenticating Against Active Directory 802.1x authentication can be used to authenticate users or computers against a user database or domain such as Microsoft Active Directory (for related information, see Preparing for Active Directory Authentication on page 93).
Table 19: Description of the 802.1X Authentication Processes Authentication Process Description 1 RADIUS AccessRequest The Network Access Server (NAS) sends a RADIUS access request to Policy Manager, which then evaluates the request and identifies RADIUS connection control attributes. 2 Service Categorization Based on the RADIUS connection control attributes identified by Policy Manager, the request will be categorized into a Policy Manager service.
To create the 802.1X wireless service: 1. From W-ClearPass Policy Manager, navigate to Configuration > Start Here > Aruba 802.1x Wireless. The General page for the W-ClearPass 802.1X Wireless Service template opens. Figure 111 General Page in the 802.1X Wireless Service Template 2. In the Name Prefix field, enter a prefix that is appended to services using this template, then click Next. The Authentication page is displayed. 3.
Figure 113 Selecting the Mobility Controller The fields in the Wireless Network Settings page are automatically populated with the selected mobility controller's configuration information. 5. Click Next. The Posture Settings page appears. Figure 114 Enabling Posture Checks W-ClearPass Policy Manager performs automated endpoint health checks and posture assessments to ensure that devices are compliant before they connect to mobile networks. 6.
Figure 115 Creating a New Enforcement Policy Table 20: Enforcement Policy Configuration Settings Parameter Action/Description Attribute Name The attributes defined in the Authentication Source are listed here. 1. Configure an optional enforcement policy based on the following attributes:
- Department
- Email
- Name
- Phone
- Title
- UserDN
- company
- member of
Attribute Value 2. Enter the Active Directory attribute value for the selected name in the Attribute Name field. 3.
Figure 116 Summary of the 802.1X Service Configuration Deleting a W-ClearPass Policy Manager Service You can only delete W-ClearPass services that have been created by an administrator. Default services cannot be deleted. To delete a W-ClearPass Policy Manager service: 1. Navigate to Configuration > Services. The Configuration > Services page opens. Figure 117 Deleting a W-ClearPass Service 2. Select the appropriate service's check box, then click Delete.
Walking Through an 802.1X Authentication Scenario This section shows the 802.1X authentication traffic flow for wireless and wired authentication scenarios and provides a typical example of the 802.1X authentication process. 802.1X Wireless Authentication Traffic Flow Figure 118 shows the flow of traffic for 802.1X authentication using Active Directory. Figure 118 Traffic flow for 802.1X Wireless Authentication with Active Directory Walking Through the 802.
The mobility controller applies a Sales Department firewall role to this user's traffic. Typically for such a role, the firewall rule applied would be IP any permit, which permits all IP traffic. 802.1X Wired Authentication Traffic Flow This same process applies to wired clients that connect to a Mobility Access Switch (MAS) or a third-party switch and perform 802.1X authentication to the W-ClearPass Policy Manager server (see Figure 119). Figure 119 Traffic flow for 802.
Any mismatch will show ERROR/WARN events in the Event Viewer stating that an authentication request is received from an unknown IP address.
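A triage pass over those ERROR/WARN events, as an added example that is not part of W-ClearPass: it aggregates the "unknown IP address" sources and, for each, says whether the sender falls inside a range where this site's controllers and switches are expected (pointing to a device entry or NAS source-interface mismatch of the kind described above) or outside it (an unexpected sender to investigate). The event lines, the address ranges and the log layout are constructed for the example; the real Event Viewer wording differs.

```python
import ipaddress
import re

# Constructed sample event lines; the real W-ClearPass Event Viewer layout differs.
SAMPLE_EVENTS = [
    "2016-04-02 09:14:03 INFO  RADIUS Access-Request from 10.1.10.5 user=alice result=ACCEPT",
    "2016-04-02 09:14:09 ERROR RADIUS Request received from unknown IP address 10.1.99.23",
    "2016-04-02 09:15:41 WARN  RADIUS Request received from unknown IP address 192.0.2.77",
    "2016-04-02 09:16:02 INFO  RADIUS Access-Request from 10.1.20.14 user=bob result=ACCEPT",
    "2016-04-02 09:16:30 ERROR RADIUS Request received from unknown IP address 10.1.99.23",
]

# Ranges where this site's controllers and switches are expected to live (sample values).
MANAGEMENT_RANGES = ["10.1.0.0/16"]

# Only ERROR/WARN lines that name an unknown source are of interest here.
UNKNOWN_SOURCE = re.compile(
    r"\b(?:ERROR|WARN)\b.*\bunknown IP address (\d{1,3}(?:\.\d{1,3}){3})\b"
)


def in_ranges(ip: str, ranges) -> bool:
    """True when ip lies inside any of the given CIDR ranges or single addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def triage_unknown_nas(events, management_ranges) -> dict:
    """Count 'unknown IP address' events per source and classify each source.

    in_managed_range=True: a NAS that should exist but is missing from the device
    list, or one sending from an interface other than the address defined in
    W-ClearPass. False: a sender outside the expected ranges, to be investigated."""
    report = {}
    for line in events:
        match = UNKNOWN_SOURCE.search(line)
        if not match:
            continue
        ip = match.group(1)
        entry = report.setdefault(
            ip, {"count": 0, "in_managed_range": in_ranges(ip, management_ranges)}
        )
        entry["count"] += 1
    return report


if __name__ == "__main__":
    for ip, info in triage_unknown_nas(SAMPLE_EVENTS, MANAGEMENT_RANGES).items():
        hint = ("check the network device entry and NAS source interface in W-ClearPass"
                if info["in_managed_range"] else "unexpected source, investigate")
        print(f"{ip}: {info['count']} event(s), {hint}")
```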
Chapter 5 Deploying W-ClearPass Clusters This chapter includes the following information:
- W-ClearPass Cluster Overview
- Cluster Design Considerations
- About Large Scale Deployments
- Deploying the Standby Publisher
- Adding a Subscriber Node to the Publisher
- Rejoining a Down Node to the Cluster
- Deploying W-ClearPass Insight in a Cluster
- Configuring Cluster File-Backup Servers
- Using High Capacity Guest Mode
- Cluster CLI Commands
W-ClearPass Cluster Overview This section con
The cluster feature allows for shared configuration and databases. However, it does not provide a virtual IP address for the cluster, so failover/redundancy for captive portal for Guest relies on Domain Name System (DNS) lookup or load balancing. RADIUS clients must define a primary and backup RADIUS server. Authentication Requests in a Cluster The typical use case for Policy Manager is to process authentication requests using the policy framework.
Figure 120 Publisher and Subscribers in Hub and Spoke Configuration
- The Publisher node functions as the master controller in a cluster. The Publisher is your central point of configuration, monitoring, and reporting. It is also the central point of database replication. All the databases are managed through the Publisher.
- There is at most one active Publisher in this model, and a potentially unlimited number of Subscribers.
However, certain elements are node-specific and these must be configured separately for each node, which you can achieve directly on the Publisher or individually on the Subscriber node. Elements Replicated Cluster replication is delta-based; that is, only changed information is replicated.
Cluster Scaling Limitations Due to the design requirements of the cluster Publisher/Subscriber model, various W-ClearPass components scale differently (see Table 22). Table 22: W-ClearPass Cluster Scaling Limitations Component Scaling Limitation Scales linearly according to the number of Subscriber nodes. Authentication capacity Configuration changes (Guest/ Onboard) Configuration changes (Policy Manager) Add more nodes as necessary to provide additional capacity to service authentication requests.
Cluster deployment sizing should not be based on raw performance numbers. To determine the optimum sizing for a W-ClearPass cluster: 1. Determine how many endpoints need to be authenticated. a. The number of authenticating endpoints can be determined by taking the number of users times the number of devices per user. b. To this total, add the other endpoints that just perform MAC authentication, such as printers and other non-authenticating endpoints. 2. Take into account the following factors: a.
Publisher Deployment Guidance l In a world-wide large-scale deployment, not all Subscriber nodes are equally busy. To determine the maximum request rate that must be handled by the Publisher node, examine the cluster's traffic pattern for busy hours and estimate the traffic load for each Subscriber node, adjusting for time zone differences. l In a large-scale deployment, isolate the Publisher node, to allow it to handle the maximum amount of traffic possible.
Using Subscriber Nodes as Workers Subscriber nodes should be used as workers that process the following:
- Authentication requests (for example, RADIUS, TACACS+, Web-Auth)
- Online Certificate Status Protocol (OCSP) requests
- Static content delivery (for example, images, CSS, JavaScript)
Avoid sending "worker traffic" to the Publisher, as the Publisher services API requests from Subscribers, handles the resulting database writes, and generates replication changes to send back to the Subscribers.
- The link bandwidth should be greater than 10Mbps.
It's possible to configure a NAD/NAS to point at multiple RADIUS servers, either for load balancing or failover. For example, a NAD/NAS in Paris could point to a W-ClearPass Policy Manager server in London as a backup RADIUS server. That's not a problem as long as the round-trip time guidelines are adhered to.
Figure 121 Manage Policy Manager Zones Link 2. Click the Manage Policy Manager Zones link. The Policy Manager Zones dialog appears. 3. Select Click to add.... A blank field appears in the dialog. Figure 122 Adding a Policy Manager Zone 4. Enter the name of the new Policy Manager zone. 5. To create additional Policy Manager zones, repeat Steps 3 and 4. 6. When finished, click Save. You see the message, "Policy Manager Zones modified successfully.
About Large Scale Deployments This section contains the following information:
- What Is a Large Scale Deployment?
- Design Guidelines
- Examples of Customer Cluster Deployments
What Is a Large Scale Deployment? Large-scale deployments are defined as those clusters that require the Publisher node to be dedicated to servicing the Subscriber nodes.
Examples of Customer Cluster Deployments This section provides two examples of typical customer cluster deployments. Authenticating Corporate Users with Guest Access In this example, a cluster of W-ClearPass 5K hardware appliances (CP-HW-5K) has two nodes—U.S. East Coast and U.S. West Coast (see Figure 123).
- US-West is the Publisher.
- US-East is the Subscriber.
- Each node handles the authentication traffic for 2,000 corporate endpoints. Each node also registers 100 guests per day.
Authenticating Conference Center Users In this example, the cluster has three W-ClearPass 25K hardware appliance nodes (CP-HW-25) in the same timezone (see Figure 124).
- These nodes are located in San Jose (Publisher), San Diego (Subscriber), and Seattle (Subscriber).
- Each node can register up to 15,000 guests per day, often in short bursts.
- There is constant authentication traffic through the day from the onsite employees and guests.
Deploying the Standby Publisher This section contains the following information:
- Setting Up the Standby Publisher
- About the Fail-Over Process
- Mitigation Strategies
- Virtual IP Address Considerations
- Functions Lost When the Publisher Is Down
Setting Up the Standby Publisher W-ClearPass Policy Manager allows you to designate one of the subscriber nodes in a cluster to be the Standby Publisher, thereby providing for that subscriber node to be automatically promoted to active Publisher status
Table 25: Configuring Standby Publisher Parameters Parameter Action/Description Enable Publisher Failover 1. To authorize a node in a cluster on the system to act as a Publisher if the primary Publisher fails, select TRUE. The default value is FALSE. Designated Standby Publisher 2. From the drop-down, select the CPPM server in the cluster that will serve as the Standby Publisher. Failover Wait Time 3.
Virtual IP Address Considerations Using a virtual IP address allows for the deployment of a highly available pair of servers. This reduces the amount of down-time in the event of a server failure. If one of the servers in a high-availability pair fails, the other server can take over the virtual IP address and continue providing service to clients. This is particularly useful if the network access server (NAS) devices are processing basic RADIUS authentications to a CPPM node.
Using the WebUI to Add a Subscriber Node To add a Subscriber node to a Publisher node via the WebUI: 1. Log onto the W-ClearPass node that you want to make a Subscriber. 2. Navigate to Administration > Server Manager > Server Configuration. The Server Configuration page opens. Figure 126 Server Configuration > Make Subscriber Option 3. Click Make Subscriber. The Add Subscriber Node dialog opens. Figure 127 Configuring the Subscriber Node 4.
Table 26: Configuring Add Subscriber Node Parameters Parameter Action/Description Publisher IP 1. Enter the Publisher node's IP address. Publisher Password 2. Enter the appadmin (CLI) password. Restore the local log database after this operation 3. To restore the log database following the addition of a Subscriber node, select the check box. Do not backup the existing databases before this operation 4. Select this check box only if you do not require a backup to the existing database. 5.
You can also track this process in the Event Viewer following a successful Subscriber addition, as shown in Figure 130. Figure 130 Tracking the Add Node Process in the Event Viewer Using the CLI to Create a Subscriber Node You can make a node a Subscriber via the command line interface. You can perform multiple cluster-related administrative functions from the CLI. The CLI provides additional functionality that cannot be accomplished from the user interface.
Rejoining a Down Node to the Cluster This section contains the following information:
- Introduction
- Removing a Subscriber Node from the Cluster
- Rejoining a Node Back Into the Cluster
Introduction When a node loses communication with the cluster for a period greater than 24 hours, the publisher designates that node as down. To rejoin this node to the cluster requires that you remove the node from the cluster and reset the configuration on the out-of-sync node.
Figure 135 Drop Subscriber Node Confirmation Options

You may optionally choose to enable the following Drop Subscriber Node options:
• Drop a node even if it's down.
• Do not reset the database on the dropped node.
• Do not back up the existing databases before this operation.

5. Click the check box for each confirmation option you wish to enable, then click Yes. The subscriber node is removed from the cluster.
Figure 137 Join Server Back to Cluster Option Displayed

3. Click Join server back to cluster. A warning message appears, providing the option to promote the current node to publisher status:

Figure 138 Option to Promote Disabled Node to Publisher

4. To proceed (without promoting the disabled node to publisher status), click Yes. The progress of the rejoin operation is shown, displaying the log entries for each completed task.
As you enable W-ClearPass Insight on additional nodes in the cluster, CPPM automatically adds these nodes to the W-ClearPass Insight database authentication source definition. W-ClearPass Insight does not replicate data to any other nodes within the cluster—it is an entirely stand-alone database.
3. To enable the W-ClearPass Insight reporting tool on this node, select the Enable Insight check box.
• When you enable this check box on a cluster node, the W-ClearPass Insight Repository configuration is automatically updated to point to the server's management IP address.
• When you enable this check box for other servers in the cluster, those servers are added as backups for the same authentication source.
Figure 139 Add File Backup Servers Page

Table 27 describes the Add File Backup Server page parameters.

Table 27: Add File Backup Server Page Parameters

Parameter | Action/Description
Host | 1. Enter the name or IP address of the host.
Description | 2. Enter the description that provides additional information about the File Backup server.
3. Specify the protocol to be used to upload the generated reports to an external server.
Parameter | Action/Description
Timeout | 6. Specify the timeout value in seconds. The default value is 30 seconds.
Remote Directory | 7. Specify the location where the files are to be copied. A folder will be automatically created in the file path that you specify, based on the selected W-ClearPass servers in the W-ClearPass Servers field.
8. From the Select to Add drop-down, select the cluster file backup server(s) to be backed up.
Figure 141 Server Configuration Menu

2. From the Server Configuration page, choose Cluster-Wide Parameters.

Figure 142 Auto Backup Configuration Options

3. From the Auto backup configuration options drop-down, choose Config|SessionInfo.
4. When finished with changes to the cluster-wide parameters, click Save.
Introduction

High Capacity Guest mode supports the high-volume licensing requirements in the public-facing enterprise environment, where a large volume of unique endpoints require wireless access and the number of endpoints changes every day, such as airports, hotels, hospitals, and shopping malls (for related information, see Licensing Considerations).
The additional guest licenses that High Capacity Guest mode provides must be purchased and applied. An additional consideration to keep in mind is that the W-ClearPass Policy AAA licensing is reset on a daily basis. For example, if you purchase 8,000 Guest licenses for a W-ClearPass 5K hardware appliance (CP-HW-5K), you would be entitled to process 8,000 unique endpoints/guests per day.
You receive the message: parameters updated successfully...Please refresh to continue.

5. Refresh the page.

Cleanup Intervals Settings for High Capacity Guest Mode

When you enable High Capacity Guest mode, the values for the Cleanup Intervals parameters are set automatically so that W-ClearPass can support the significantly higher number of guests by keeping the amount of data stored in W-ClearPass to a minimum (as shown in Figure 144).
Cleanup Intervals Parameters Values for HCG Mode

Parameter | HCG mode value
Unknown endpoints cleanup interval | 3 days
Expired guest accounts cleanup interval | 10 days
Profiled endpoints cleanup interval | 3 days
Static IP endpoints cleanup option | FALSE
Old Audit Records cleanup interval | 10 days
Profiled Known endpoints cleanup option | TRUE

2. Click Cancel to exit.
• MSCHAP
• EAP_MD5
• MAC_AUTH
• AUTHORIZE
• EAP_PEAP_PUBLIC

Cluster CLI Commands

The Policy Manager command line interface includes the following cluster commands:
• cluster drop-subscriber
• cluster list
• cluster make-publisher
• cluster make-subscriber
• cluster reset-database
• cluster set-cluster-passwd
• cluster sync-cluster-passwd

cluster drop-subscriber

Use the cluster drop-subscriber command to remove a specific subscriber node from the cluster.
Syntax

    cluster list

Example

The following example lists all the nodes in the cluster:

    [appadmin]# cluster list

cluster make-publisher

Use the cluster make-publisher command to promote a specific subscriber node to be the publisher node in the same cluster. When running this command, do not close the shell or interrupt the command execution.
cluster reset-database

The cluster reset-database command resets the local database and erases its configuration. Running this command erases the Policy Manager configuration and resets the database to its default configuration—all the configured data will be lost. When running this command, do not close the shell or interrupt the command execution.
Chapter 6 Mobility Access Switch Configuration for 802.1X Authentication

This chapter describes how to configure a Mobility Access Switch for 802.1X authentication. This chapter includes the following information:
• Mobility Access Switch Configuration for 802.1X Wired Authentication
• Configuring 802.1X Authentication with Machine Authentication
• CLI-Based Configuration for Mobility Access Switch 802.1X Authentication

Mobility Access Switch Configuration for 802.
6. Apply the AAA profile to the physical interface or interface group.

You can now configure an interface for 802.1X authentication.

Configuring Authentication with a RADIUS Server

In order to authenticate to the network, the client communicates with the Mobility Access Switch through an EAP tunnel (see Figure 146). Therefore, the network authentication and encryption configured must be the same on both the client and the Mobility Access Switch.

Figure 146 802.
Additional information on EAP types supported in a Windows environment for Microsoft supplicants and the authentication server is available at http://technet.microsoft.com/en-us/library/cc782851(WS.10).aspx.

Authentication Terminated on the Mobility Access Switch

User authentication is performed either via the Mobility Access Switch's internal database or a non-802.1X server.

Figure 147 802.
LDAP Server Configuration Task

If you are using an LDAP server for user authentication, you need to configure the LDAP server on the Mobility Access Switch, and configure user IDs and passwords.

RADIUS Server Configuration Task

If you are using a RADIUS server for user authentication, you need to configure the RADIUS server on the Mobility Access Switch:
• For details, see Configuring Authentication with a RADIUS Server on page 166.
• For the CLI example, see Examples of Common 802.
    (DellSwitch)(config) #user-role EMPLOYEE_1
    (DellSwitch)(config-role) #access-list stateless STATELESS

You can also apply MAC and Ethertype ACLs to a user role. However, these ACLs apply only to a user's non-IP traffic.
    (host) (802.1X Authentication Profile "FacultyAuth") #reauth-max 2
    (host) (802.1X Authentication Profile "FacultyAuth") #reauthentication

Verifying Configurations

To verify the above configurations, execute the following show command:

    (host) (config) #show aaa authentication dot1x FacultyAuth

802.
Adding Users to the Local Database

To add users to the local database, use the following command:

    local-userdb add username password role

Configuring a Server Rule Using the CLI

To configure a server rule using the CLI:

    aaa server-group dot1x_internal
      set role condition Role value-of

Setting Variables for LDAP Servers

If you are using an LDAP server for authentication, the following variables should be set:
• Termination enabled
• EAP type of PEAP (with inner-EAP-type set t
Using the CLI

To use the CLI to configure certificates with authentication termination:

    aaa authentication dot1x
      termination enable
      server-cert
      ca-cert

Configuring 802.1X Authentication with Machine Authentication

This section contains the following information:
• About Machine Authentication
• Enabling the Enforce Machine Authentication Option
• Role Assignment with Machine Authentication Enabled
• VLAN Assignments
• Authentication with an 802.
Figure 148 Enabling the Enforce Machine Authentication Option

3. To enable the option, select the Enforce Machine Authentication check box.

Role Assignment with Machine Authentication Enabled

When you enable machine authentication, there are two additional roles you can define in the 802.
Table 31: Role Assignments for User and Machine Authentication

Machine Auth Status | User Auth Status | Description | Role Assignment
Failed | Failed | Both machine authentication and user authentication failed. Layer 2 authentication failed. | Initial role defined in the AAA profile will be assigned. If no initial role is explicitly defined, the default initial role (logon role) is assigned.
If machine authentication is successful, the client is associated to the VLAN configured on the interface. However, the client can be assigned a derived VLAN upon successful user authentication. You can optionally assign a VLAN as part of a user role configuration. It is recommended not to use VLAN derivation if user roles are configured with VLAN assignments. Table 32 describes VLAN assignment based on the results of the machine and user authentications when VLAN derivation is used.
• Guest
• Sysadmin
• Computer

Examples of Common 802.1X Configuration Tasks Via the CLI

This section provides several examples of common configuration tasks via the command line interface (CLI):
• Creating an Alias for the Internal Network
• Creating the Student Role and Policy
• Creating the Faculty Role and Policy
• Creating the Guest Role and Policy
• Configuring the RADIUS Authentication Server
• Configuring 802.
    access-list stateless faculty
    access-list stateless allowall

Creating the Guest Role and Policy

The guest policy permits only access to the Internet (via HTTP or HTTPS) and only during daytime working hours. The guest policy is mapped to the guest user role. To create the guest role and policy:

    time-range working-hours periodic
      weekday 07:30 to 17:00
    ip access-list stateless guest
      any host 10.1.1.25 svc-dhcp permit time-range working-hours
      any host 10.1.1.
Configuring the AAA Profile

An AAA profile specifies the 802.1X authentication profile and 802.1X server group to be used for authenticating clients. The AAA profile also specifies the default user roles for 802.1X authentication. To configure the AAA profile:

    aaa profile aaa_dot1x
      dot1x-default-role guest
      authentication-dot1x dot1x
      dot1x-server-group radiusGuest

178 | Mobility Access Switch Configuration for 802.
Chapter 7 Preparing W-ClearPass for LDAP and SQL Authentication Sources

This chapter describes how to prepare W-ClearPass for LDAP and SQL authentication.
3. Enter the values for these parameters as described in Table 33.

Table 33: General Page Parameters for Generic LDAP Database

Parameter | Action/Description
Name | 1. Enter the name of the LDAP authentication source.
Description | 2. Provide the additional information that helps to identify the LDAP authentication source.
Type | 3. Select Generic LDAP.
Primary Page

Figure 150 Primary Page: Generic LDAP Authentication Database

Table 34: Primary Parameters for an LDAP Authentication Source

Parameter | Action/Description
Hostname | 1. Enter the name or IP address of the LDAP server you're going to use for authentication. Note that most domain controllers are also LDAP servers. W-ClearPass uses LDAP to talk to the domain controller.
Connection Security | 2. Set Connection Security to: LDAP over SSL.
Parameter | Action/Description
For a multi-domain LDAP Domain Service forest, the default ports for the global catalog are:
• Default port without SSL: 3268
• Default port with SSL: 3269
Verify Server Certificate | 4. Enable this option to verify the Server Certificate for a secure connection.
5. Enter the Distinguished Name of the node in your directory tree from which to start searching for records.
Parameter | Action/Description
Dell recommends that you narrow down the Base DN as far as possible to reduce the load on the Active Directory LDAP server. For example, if all your users are in the Users folder of AD Users and Computers, then set the Base DN to search in the Users folder.
8. To browse the LDAP directory hierarchy, click Search Base DN. The LDAP Browser opens.
9. Navigate to the DN you want to use as the Base DN.
10. Click on the appropriate node in the tree structure to select it as the Base DN.
SQL Authentication Source Configuration

This section includes the following information:
• Configuring a Generic SQL Authentication Source
• Defining a Filter Query

Configuring a Generic SQL Authentication Source

Policy Manager can perform MSCHAPv2 and PAP/GTC authentication against any Open Database Connectivity (ODBC) compliant SQL database such as Microsoft SQL Server, Oracle, MySQL, or PostgreSQL.
Table 35: General Page Parameters for Generic SQL Database

Parameter | Action/Description
Name | 1. Enter the name of the SQL authentication source.
Description | 2. Provide the additional information that helps to identify the authentication source.
Type | 3. Select Generic SQL DB.
Use for Authorization | 4. Leave the Use for Authorization setting enabled. When Use for Authorization is enabled, W-ClearPass can use this authentication source to fetch role-mapping attributes. This option is enabled by default.
Primary Page

Figure 152 Primary Page: Generic SQL Authentication Source

10. Enter the information for each of the required parameters as described in Table 36.

Table 36: Primary Page Parameters for Generic SQL Database

Parameter | Action/Description
Server Name | Enter the name or IP address of the Generic SQL server you're going to use for authentication.
Port | Optionally, you can specify a port value to override the default port.
Parameter | Action/Description
• Cleartext: Password is stored as clear, unencrypted text.
• NT Hash: Password is stored with an NT hash using MD4.
• LM Hash: Password is stored with a LAN Manager hash using DES.
• SHA: Password is stored with a Secure Hash Algorithm (SHA) hash.
• SHA256: Password is stored with an SHA-256 hash function.

11. When satisfied with the Primary page settings, click Next. The Attributes page appears.
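The password storage format chosen here decides which authentication methods the source can serve, a point worth checking before rolling out PEAP-MSCHAPv2 against an existing SQL user table. The following is an added example (not W-ClearPass code) that computes the stored form for the formats listed above and verifies a login attempt; it assumes hashes are stored as lowercase hex and that "SHA" means SHA-1, and it does not compute the DES-based LM hash.

```python
import hashlib
import hmac

# Storage formats listed for a Generic SQL authentication source, mapped to
# the authentication methods that can be checked against each. PAP and GTC
# carry the plaintext password, so the server can re-hash it in any format;
# MSCHAPv2 only ever sees a challenge/response derived from the NT hash, so
# it works solely with Cleartext or NT Hash storage.
METHODS_BY_STORAGE = {
    "Cleartext": {"PAP", "GTC", "MSCHAPv2"},
    "NT Hash": {"PAP", "GTC", "MSCHAPv2"},
    "LM Hash": {"PAP", "GTC"},
    "SHA": {"PAP", "GTC"},
    "SHA256": {"PAP", "GTC"},
}


def stored_form(password, storage):
    """Return the value as it would sit in the password column.

    Assumptions for this example: hashes are stored as lowercase hex and
    "SHA" means SHA-1. LM Hash (DES based) is intentionally not computed.
    """
    raw = password.encode("utf-8")
    if storage == "Cleartext":
        return password
    if storage == "SHA":
        return hashlib.sha1(raw).hexdigest()
    if storage == "SHA256":
        return hashlib.sha256(raw).hexdigest()
    if storage == "NT Hash":
        # NT hash = MD4 over the UTF-16LE password; MD4 is legacy and some
        # OpenSSL 3 builds refuse to provide it, hence the explicit error.
        try:
            return hashlib.new("md4", password.encode("utf-16le")).hexdigest()
        except ValueError as exc:
            raise RuntimeError("MD4 is not available in this Python build") from exc
    raise ValueError(f"unsupported storage format: {storage}")


def verify(candidate, stored, storage, method):
    """Check a login attempt against the stored value for a given method.

    Returns False, rather than raising, when the storage format cannot serve
    the method: that is how a mismatched source shows up in practice, with
    every MSCHAPv2 (PEAP) login failing while PAP logins succeed.
    """
    if method not in METHODS_BY_STORAGE.get(storage, set()):
        return False
    expected = stored_form(candidate, storage).encode("utf-8")
    return hmac.compare_digest(expected, stored.encode("utf-8"))
```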
Defining a Filter Query

The Configure Filter page allows you to define a filter query and the related attributes to be fetched from the SQL DB store. To define a filter query:

1. Navigate to Configuration > Authentication > Sources. The Authentication Sources page opens.
   a. If you're defining a new filter for an existing authentication source, click the name of the authentication source, then select the Attributes tab.
   b.
Parameter | Action/Description
Data Type | Specify the data type for this attribute, such as String, Integer, or Boolean.
Enabled As | Specify whether this value is to be used directly as a role or as an attribute in an Enforcement Policy. This option bypasses having to assign a role in Policy Manager through a Role Mapping Policy.

4. When satisfied with the Configure Filter page settings, click Save.
Appendix A 802.
Table 39: Detailed Sequence of the EAP-PEAP-Active Directory Handshake Exchange

Extensible Authentication Protocol over LAN (EAPOL) Start
1. The authenticator sends an EAP-Request for the identity of the connecting supplicant (client device).
2. The supplicant responds to the authenticator with an EAP Identity Response that contains the identity (username) used for authentication. This is referred to as the "Outer Identity.

EAPOL
6. The authentication server responds to the supplicant through the authenticator with an EAP-Request message indicating that it would like to initiate EAP-PEAP.
7. The authenticator passes the EAP-Request message to the supplicant.

Transport Layer Security (TLS) Tunnel Setup
8. The supplicant sends a Transport Layer Security (TLS) "Client Hello" message within an EAP-Response message through the authenticator to the authentication server.

Transport Layer Security (TLS) Tunnel Setup
12. Steps 10 and 11 repeat until the authentication server has transmitted all of its handshake messages. This may take several steps due to having to dismantle the certificates into fragments that fit within the size limits of an EAP message.
13. The supplicant sends another TLS Handshake message inside an EAP-Response message of types "Client Key Exchange," "Change Cipher Spec," "Handshake," and "Client Finished" to the authenticator.

Inner EAP MSCHAPv2
20. The authenticator sends the EAP Identity Request message to the supplicant requesting the client's identity.
21. The supplicant responds with an EAP Identity Response containing its identity to the authenticator.
22. The authenticator forwards this EAP Identity Response to the authentication server.

Inner EAP MSCHAPv2
25. The authentication server sends an EAP request to the supplicant containing an MS-CHAPv2 challenge.
26. The authenticator forwards the EAP request to the supplicant.
27. The supplicant responds with an EAP Identity Response containing its identity to the authenticator.
28. The authenticator forwards this EAP Identity Response to the authentication server.

Inner EAP MSCHAPv2
31. The authentication server sends an EAP-Request message for the supplicant with an MSCHAPv2 success message and an authenticator response string from the Active Directory Domain Controller to the authenticator.
32. The authenticator passes the EAP-Request with an MSCHAPv2 success message and the authenticator response to the supplicant.
33. The supplicant sends an EAP-Response message for the authentication server with an MSCHAPv2 success message to the authenticator.

EAPOL
39. The authentication server sends a RADIUS access-accept message to the authenticator with an EAPOL success message along with the key material.
40. The authenticator sends an EAPOL success message to the supplicant.
41. The authenticator and supplicant complete a four-way handshake to start the flow of encrypted wireless traffic.
Appendix B Using the W-ClearPass Configuration API

This chapter includes the following information:
• W-ClearPass Configuration API Overview
• W-ClearPass Configuration API Methods
• W-ClearPass Configuration API Examples
• API Error Handling
• About the API Explorer

W-ClearPass Configuration API Overview

This section contains the following information:
• Introduction
• Admin Accounts for API Access
• XML Data Structure
• Filter Elements
• Advanced Match Operations
• Setting Up Bulk Ac
To create a new user for API access, update the password of the default apiadmin user account or create a new Admin user with only API access privileges. This ensures that all API actions are tracked through the Audit Viewer page for this user account. Additionally, restrictions to specific entities can be enforced by defining a custom admin privilege level and creating API admin users with that privilege level.
Filter Elements

Use the Filter element to fetch a list of objects of a specific entity. You can use a filter to perform Read and Delete operations. A filter contains a Criteria element that includes the following:
• fieldname: Specifies the name of the field present in the XML that is to be filtered on.
• filterString: Specifies the string that the field value is matched against.
• match: Specifies the operator to be used.
Filtering Based on Tag Attributes

The following entity types support tag attributes:
• Endpoint
• Device
• GuestUser
• LocalUser

To filter based on the tag attributes, include an additional attribute called dataType="ATTRIBUTE" for that filter condition as described in the following example:

NameList Method XML Response

The following is an example of the NameList method XML response:
W-ClearPass Configuration API Methods

This section contains the following information:
• Introduction
• Authentication Credentials
• Entity Names Supported
• NameList
• Reorder
• Status Change

Introduction

The model for the W-ClearPass Configuration API is a Representational State Transfer (REST) API, where each method is represented by a URL.
Entity Names Supported

Table 40 describes the Entity Names supported in the W-ClearPass Policy Manager Configuration API.

Table 40: Supported Entity Names in the Configuration API

Entity Name | Description
AdminPrivileges | Specifies the Admin user privileges.
AdminUser | Specifies the Admin user repository.
AuditPosture | Specifies the audit posture servers, such as Network Mapper (NMAP) and Nessus scanner.
Entity Name | Description
NadGroup | Specifies the network device group.
OnboardDevice | Specifies the Onboard devices managed by the Onboard module.
PostureExternal | Specifies the External Posture Server.
PostureInternal | Specifies the Internal Posture Policy that tests requests against Internal Posture rules to assess device health.
ProxyTarget | Specifies the RADIUS request that needs to be proxied to another RADIUS server.
RADIUSDictionary | Specifies the RADIUS vendor attributes dictionary.
In the XML response, EntityNameList is populated with the entity names. The list of names in the XML response is not displayed in a specific order. However, for the entities that have a specific order (for example, Services), the names are populated in the order specified in the EntityNameList.

The URL for the NameList method is: https:///tipsapi/config/namelist/

XML Request

The following is an example of the NameList method XML request:
[AirGroup Authorization Service]

XML Response

The following is an example of the Reorder method XML response:

Status successfully changed
[AirGroup Authorization Service]
[Aruba Device Access Service]
[Guest Operator Logins]
[Policy Manager Admin Network Login Service]
test 802.
Retrieving a Local User Value For other entity types, you do not need to include the source attribute. If the Guest description is present in the XML request, the GuestUserDetails element is displayed in the Guest details.
Adding a Guest User Value For the Guest description, you must include the GuestUserDetails element as described in the following example. You can set the sendSms and sendEmail attribute values to false as these values are not used by Guest.
XML Response

The following is an example of the XML response:

Success 1

API Error Handling

This section contains the following information:
• When There Is an Error During a Request
• InvalidFetchCriteria Example

When There Is an Error During a Request

When there is an error or failure during a request, the StatusCode is set to Failure. A TipsApiError element is set with an Error Code and a list of messages. You must use the source attribute with the value Guest for the GuestUser and OnboardDevice entity types.
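The Filter Elements section above describes the Criteria attributes and the entity types that accept dataType="ATTRIBUTE", and this section describes how a failed request is reported. The following added example (not part of the guide or of W-ClearPass) builds a validated Filter element and parses a response for the StatusCode/TipsApiError pattern. The element names Filter, Criteria, fieldname, filterString, match, dataType, StatusCode, TipsApiError and the InvalidFetchCriteria code are from the guide; the entity attribute on Filter, the match operator values, the ErrorCode and Message child names, the response envelope, and the field names macAddress and Location are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Entity types the guide lists as supporting tag attributes (dataType="ATTRIBUTE").
TAG_ATTRIBUTE_ENTITIES = {"Endpoint", "Device", "GuestUser", "LocalUser"}

# Operator names are an assumption made for this example; the guide only says
# that `match` names the operator.
MATCH_OPERATORS = {"equals", "contains", "begins-with"}


def build_filter(entity, criteria):
    """Build a Filter element with one Criteria child per condition.

    `criteria` is a list of dicts with keys fieldname, filterString, match and
    an optional tag=True, meaning the field is a tag attribute. The `entity`
    attribute on Filter is an assumption; the rest follows the guide.
    Validation happens here so a malformed request is rejected locally
    instead of being sent to the appliance and returned as a failure.
    """
    filt = ET.Element("Filter", {"entity": entity})
    for cond in criteria:
        if cond["match"] not in MATCH_OPERATORS:
            raise ValueError(f"unknown match operator: {cond['match']}")
        attrs = {
            "fieldname": cond["fieldname"],
            "filterString": cond["filterString"],
            "match": cond["match"],
        }
        if cond.get("tag"):
            if entity not in TAG_ATTRIBUTE_ENTITIES:
                raise ValueError(f"{entity} does not support tag-attribute filtering")
            attrs["dataType"] = "ATTRIBUTE"
        ET.SubElement(filt, "Criteria", attrs)
    return filt


def parse_response(xml_text):
    """Return (status, messages) from an API response.

    StatusCode and TipsApiError come from the guide; the ErrorCode and Message
    child names and the outer envelope are assumptions. Responses received
    over an untrusted network should be parsed with defusedxml rather than
    plain ElementTree.
    """
    root = ET.fromstring(xml_text)
    status = root.findtext(".//StatusCode")
    if status == "Success":
        return status, []
    err = root.find(".//TipsApiError")
    if err is None:
        return status, ["response carried no TipsApiError element"]
    code = err.findtext("ErrorCode")
    return status, [f"{code}: {m.text}" for m in err.findall("Message")]


# Constructed sample responses (not captured from a real appliance).
SUCCESS_RESPONSE = """<TipsApiResponse>
  <StatusCode>Success</StatusCode>
</TipsApiResponse>"""

FAILURE_RESPONSE = """<TipsApiResponse>
  <StatusCode>Failure</StatusCode>
  <TipsApiError>
    <ErrorCode>InvalidFetchCriteria</ErrorCode>
    <Message>Unknown field colour for entity Endpoint</Message>
  </TipsApiError>
</TipsApiResponse>"""


if __name__ == "__main__":
    request = build_filter("Endpoint", [
        {"fieldname": "macAddress", "filterString": "00:11", "match": "contains"},
        {"fieldname": "Location", "filterString": "Lab", "match": "equals", "tag": True},
    ])
    print(ET.tostring(request, encoding="unicode"))
    print(parse_response(FAILURE_RESPONSE))
```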
About the API Explorer

In addition to the W-ClearPass Configuration API, Dell offers a number of other APIs that are available through the API Explorer:

Table 41: W-ClearPass APIs Available Through the API Explorer

API | Services Provided
ApiFramework | ApiClients
GuestManager | Configuration, Device, Guest
Onboard | Certificate, CertificateChain, CertificateExport, CertificateImport, CertificateNew, CertificateReject, CertificateRequest, CertificateRevoke, CertificateSign
OperatorLogins | GetAccount, GetPri
Figure 158 API Explorer Dialog

4. Select the API of choice. The API page for the selected API opens. The example in Figure 159 is the OperatorLogins API.

Figure 159 OperatorLogins API Selected

5. In the Authorization field, enter the Authorization header value.
6. Proceed to work in the API as needed.
7. To return to the API Explorer, click Back to API Explorer.