Page is loading ...
Dell Networking
W-ClearPass Policy
Manager 6.5
User Guide
Dell Networking Dell Networking W-ClearPass Policy Manager | User Guide
Copyright Information
© 2015 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks
®
,
Aruba Wireless Networks
®
, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility
Management System
®
. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.
All rights reserved. Specifications in this manual are subject to change without notice.
Originated in the USA. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code
subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open
Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011
Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open
Source code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to
terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or
corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that
might be taken against it with respect to infringement of copyright on behalf of those vendors.
Dell Networking W-ClearPass Policy Manager 6.5 | User Guide Contents | 3
Contents
About Dell Networking W-ClearPass Policy Manager 25
About this Document 25
Getting Started 25
Feature Overview 26
Dell Networking W-ClearPass Policy Manager Service Components 26
Services Architecture and Flow 29
Authentication and Authorization Architecture and Flow 30
Authentication Method 30
Authentication Source 30
Enforcement Architecture and Flow 31
Posture Architecture and Flow 33
Posture Policy 33
Posture Server 33
Audit Server 33
Audit Servers 34
Common Tasks in Policy Manager 35
Importing 35
Exporting 36
Policy Manager Dashboard 39
Monitoring 43
Live Monitoring: Access Tracker 43
Editing the Access Tracker 44
Viewing Access Tracker Session Details 45
Summary Tab 45
Input Tab 46
Output Tab 48
Alerts Tab 49
Configuration Tab 49
Access Control Capabilities 50
Live Monitoring: Accounting 52
Modifying the Accounting Table 52
RADIUS Accounting Details 53
RADIUS Accounting Record Details - Summary Tab 54
RADIUS Accounting Record Details - Auth Sessions Tab 55
RADIUS Accounting Record Details - Utilization Tab 57
RADIUS Accounting Record Details - Details Tab 58
4 | Contents Dell Networking W-ClearPass Policy Manager 6.5 | User Guide
TACACS+ Accounting Record Details - Request Tab 59
TACACS+ Accounting Details 60
TACACS+ Accounting Record Details - Auth Sessions Tab 61
TACACS+ Accounting Record Details - Details Tab 62
Live Monitoring: OnGuard Activity 62
Bouncing an Agent Using Non-SNMP 63
Bouncing a Client Using SNMP 66
Broadcast Message 67
Send Message 67
Live Monitoring: Analysis and Trending 68
Live Monitoring: Endpoint Profiler 69
Live Monitoring: System Monitor 70
System Monitor Tab 71
Process Monitor Tab 71
Network Tab 73
ClearPass Tab 74
Audit Viewer 75
Event Viewer 77
Creating an Event Viewer Report Using Default Values 77
Creating an Event Viewer Report Using Custom Values 77
Viewing Report Details 78
Data Filters 79
Adding a Filter 80
Filter Tab 80
Rules Tab 81
Blacklisted Users 82
Configuration 85
Services 87
Start Here 87
Viewing Existing Services 89
Adding and Removing Services 90
Reordering Services 92
802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless 94
Dell VPNAccess with Posture Checks 97
Aruba Auto Sign-On 99
Certificate/Two-factor Authentication for ClearPass Application Login 101
ClearPass Admin Access 103
ClearPass Admin SSO Login (SAML SP Service) 104
ClearPass Identity Provider (SAMLIdP Service) 105
Device Mac Authentication 106
EDUROAM Service 107
Encrypted Wireless Access via 802.1X Public PEAP method 110
Guest Access Web Login 111
Guest Access 112
Guest MACAuthentication 113
Guest Social MediaAuthentication 115
OAuth2 API User Access 117
Onboard 117
User Authentication with MAC Caching 119
Policy Manager Service Types 122
Dell 802.1X Wireless 122
Service Tab 123
Authentication Tab 125
Authorization Tab 126
Roles Tab 127
Posture Tab 128
Enforcement Tab 129
Audit Tab 130
Profiler Tab 131
Accounting Proxy Tab 132
Summary Tab 133
802.1X Wireless 133
802.1X Wired 134
MAC Authentication 134
Web-based Authentication 135
Web-based Health Check Only 136
Web-based Open Network Access 137
802.1X Wireless - Identity Only 138
802.1X Wired - Identity Only 138
RADIUS Enforcement (Generic) 138
RADIUS Proxy 139
RADIUS Authorization 140
TACACS+ Enforcement 141
Dell W-Series Application Authentication 141
Dell W-Series Application Authorization 142
Cisco Web Authentication Proxy 143
Authentication and Authorization 145
Supported Authentication Methods 145
Adding and Modifying Authentication Methods 145
Authorize Authentication Method 147
CHAP and EAP-MD5 147
EAP-FAST 148
General Tab 148
Inner Methods Tab 150
PACs Tab 151
PAC Provisioning Tab 151
Dell Networking W-ClearPass Policy Manager 6.5 | User Guide Contents | 5
6 | Contents Dell Networking W-ClearPass Policy Manager 6.5 | User Guide
EAP-GTC 152
EAP-MSCHAPv2 154
EAP-PEAP 154
General Tab 155
Inner Methods Tab 156
EAP-PEAP-Public 157
General 158
Inner Methods 159
EAP-PWD 160
EAP-TLS 161
EAP-TTLS 163
General Tab 164
Inner Methods Tab 165
MAC-AUTH 166
MSCHAP 166
PAP 167
Adding and Modifying Authentication Sources 169
Generic LDAP and Active Directory 170
General Tab 170
Primary Tab 172
Attributes Tab 174
Summary Tab 183
Generic SQL DB 183
General Tab 184
Primary Tab 185
Attributes Tab 186
Summary Tab 188
HTTP 188
General Tab 189
Primary Tab 190
Attributes Tab 191
Summary Tab 193
Kerberos 193
General Tab 194
Primary Tab 195
Summary Tab 196
Okta 196
General Tab 197
Primary Tab 198
Attributes Tab 199
Summary Tab 201
RADIUSServer 201
General Tab 201
Primary Tab 202
Attributes Tab 203
Summary Tab 204
Static Host List 204
General Tab 205
Static Host Lists Tab 205
Summary Tab 206
Token Server 206
General Tab 207
Primary Tab 208
Attributes Tab 208
Summary Tab 209
Identity 211
Configuring Single Sign-On 211
SAML Service Provider (SP) Configuration 211
Identity Provider (IdP) Configuration 212
Managing Local Users 212
Adding a Local User 213
Modifying a Local User Account 214
Importing and Exporting Local Users 215
Setting Password Policy for Local Users 215
Adding and Modifying Endpoints 216
Additional Available Tasks 222
Adding and Modifying Static Host Lists 223
Additional Available Tasks 224
Configuring a Role and Role Mapping Policy 224
Adding and Modifying Roles 225
Adding and Modifying Role Mapping Policies 225
Policy Tab 226
Mapping Rules Tab 227
Posture 229
Posture Methods 229
Configuring Posture Policy Agents and Hosts 230
NAP Agent 230
OnGuard Agent (Persistent or Dissolvable) 232
Configuring Posture Policy Plug-ins 235
Configuring NAP Agent Plugins 236
Windows System Health Validator - NAP Agent 236
Windows Security Health Validator - NAP Agent 237
Configuring OnGuard Agent Plugins 237
ClearPass Windows Universal System Health Validator - OnGuard Agent 238
Windows System Health Validator - OnGuard Agent 262
Windows Security Health Validator - OnGuard Agent 263
Dell Networking W-ClearPass Policy Manager 6.5 | User Guide Contents | 7
8 | Contents Dell Networking W-ClearPass Policy Manager 6.5 | User Guide
ClearPass Linux Universal System Health Validator Plugin 264
ClearPass Mac OS X Universal System Health Validator - OnGuard Agent 266
Configuring Posture Policy Rules 279
Configuring Posture for Services 280
Configuring Posture Servers 282
Posture Server Tab 283
Primary Server and Backup Server Tabs 284
Summary Tab 285
Configuring Audit Servers 285
Built-In Audit Servers 285
Adding Auditing to a Policy Manager Service 285
Modifying Built-In Audit Servers 288
Custom Audit Servers 288
Nessus Audit Server 289
NMAP Audit Server 294
Post-Audit Rules 296
Enforcement 299
Configuring Enforcement Policies 299
Configuring Enforcement Profiles 301
Agent Enforcement 303
Profile Tab 304
Attributes Tab 305
Summary Tab 307
Aruba Downloadable Role Enforcement 307
Profile Tab 307
Role Configuration Tab 308
Summary Tab 317
Aruba RADIUS Enforcement 317
Profile Tab 318
Attributes Tab 319
Summary Tab 319
Cisco Downloadable ACL Enforcement 319
Profile Tab 320
Attributes Tab 320
Summary Tab 321
Cisco Web Authentication Enforcement 321
Profile Tab 322
Attributes Tab 322
Summary Tab 323
ClearPass Entity Update Enforcement 323
Profile Tab 324
Attributes Tab 324
Summary Tab 325
CLI Based Enforcement 325
Profile Tab 326
Attributes Tab 326
Summary Tab 327
Filter ID Based Enforcement 327
Profile Tab 327
Attributes Tab 328
Generic Application Enforcement 329
Profile Tab 329
Attributes Tab 330
Summary Tab 331
HTTP Based Enforcement 331
Profile Tab 331
Attributes Tab 332
RADIUS Based Enforcement 332
Profile Tab 332
Attributes Tab 333
RADIUS Change of Authorization (CoA) 334
Profile Tab 334
Attributes Tab 336
Session Notification Enforcement 336
Profile Tab 337
Attributes Tab 337
Summary Tab 338
Session Restrictions Enforcement 338
Profile Tab 339
Attributes Tab 339
SNMP Based Enforcement 340
Profile Tab 340
Attributes tab 341
TACACS+ Based Enforcement 341
Profile Tab 342
Services Tab 343
VLAN Enforcement 343
Profile Tab 343
Attributes Tab 344
Network Access Devices 347
Adding and Modifying Devices 347
Adding a Device 348
Device 348
SNMP Read Settings 349
SNMP Write Settings 351
CLISettings 352
Dell Networking W-ClearPass Policy Manager 6.5 | User Guide Contents | 9
10 | Contents Dell Networking W-ClearPass Policy Manager 6.5 | User Guide
Additional Tasks 353
Adding and Modifying Device Groups 353
Adding and Modifying Proxy Targets 356
Adding a Proxy Target 356
ClearPass Policy Manager Profile 359
Device Profile 359
Collectors 359
DHCP 360
Sending DHCP Traffic to CPPM 360
ClearPass Onboard 360
HTTP User-Agent 360
MAC OUI 360
ActiveSync Plugin 361
CPPM OnGuard 361
SNMP 361
Subnet Scan 362
SNMPConfiguration 363
Fingerprint Dictionaries 364
Profiling 365
The Profiler User Interface 365
Post Profile Actions 365
Policy Simulation 367
Active Directory Authentication 367
Simulation Tab 368
Results Tab 368
Application Authentication 369
Simulation Tab 369
Attributes Tab 369
Results tab 369
Audit 370
Results Tab 371
Chained Simulation 371
Simulation Tab 371
Attributes Tab 372
Results Tab 373
Enforcement Policy 374
Simulation Tab 374
Attributes tab 376
Results Tab 377
RADIUS Authentication 377
Simulation tab 377
Attributes tab 379
NAS Type:Aruba Wireless Controller 380
NAS Type:Aruba Wired Switch Controller 380
NAS Type:Cisco Wireless Switch 381
Results Tab 381
Role Mapping 382
Simulation Tab 382
Attributes Tab 383
Results Tab 384
Service Categorization 384
Simulation Tab 385
Attributes Tab 385
Results Tab 386
Import and Export Simulations 386
Export Simulations 387
Administration 389
ClearPass Portal 390
Admin Users 391
Adding an Admin User 392
Importing and Exporting Admin Users 392
Setting Password Policy for Admin Users 392
Admin Privileges 393
Creating Custom Administrator Privileges 394
Administrator Privilege XML File Structure 394
Administrator Privileges and IDs 395
Sample Administrator Privilege XML File 398
Server Configuration 399
Edit Server Configuration Settings 400
Setting Date and Time 401
Synchronizing Cluster Password 401
Promoting to Publisher 401
Joining a Server Back to Cluster 402
System Tab 404
Services Control Tab 409
Service Parameters Tab 410
System Monitoring Tab 423
Network Tab 425
FIPS Tab 430
Set Date & Time 432
Date&Time Tab 433
Time Zone on Publisher Tab 433
Change Cluster Password 434
Policy Manager Zones 435
Manage Policy Manager Zones 435
NetEvents Targets 436
Dell Networking W-ClearPass Policy Manager 6.5 | User Guide Contents | 11
12 | Contents Dell Networking W-ClearPass Policy Manager 6.5 | User Guide
Virtual IPSettings 437
Clear Machine Authentication Cache 438
Make Subscriber 439
Upload Nessus Plugins 440
Cluster-Wide Parameters 440
General 441
Cleanup Intervals 443
Notifications 445
Standby Publisher 446
Virtual IPConfiguration 447
Mode 448
Database 451
Collect Logs 452
Backup 453
Restore 454
Cleanup 455
Shutdown/Reboot 457
Drop Subscriber 457
Log Configuration 457
Service Log Configuration 458
System Level 459
Local Shared Folders 460
License Management 461
Licensing Main Page 461
License Summary Tab 461
Servers Tab 461
Applications Tab 462
Adding an Application License 462
Activating a Server License 463
Activating an Application License 463
Updating a Server License 464
Updating an Application License 465
SNMP Trap Receivers 466
SNMP Trap Receivers Main Page 467
Adding an SNMP Trap Server 467
Importing an SNMP Trap Server 468
Exporting All SNMP Trap Servers 469
Exporting an SNMP Trap Server 469
Deleting an SNMP Trap Server 470
Syslog Targets 470
Syslog Targets Main Page 471
Adding a Syslog Target 471
Importing a Syslog Target 472
Exporting All Syslog Target 473
Exporting a Syslog Target 474
Deleting a Syslog Target 475
Syslog Export Filters 475
Syslog Export Filters Main Page 476
Adding a Syslog Export Filter 477
General Tab 477
Filter and Columns Tab 481
Summary Tab 484
Importing a Syslog Filter 484
Exporting All Syslog Filter 485
Exporting a Syslog Filter 486
Deleting a Syslog Filter 487
Messaging Setup 487
Endpoint Context Servers 489
Endpoint Context Servers Main Page 490
Adding an Endpoint Context Server 490
Importing an Endpoint Context Server 491
Exporting All Endpoint Context Servers 492
Modifying an Endpoint Context Server 493
Server Tab 493
Poll Status Tab 495
Actions Tab 497
Certificates Tab 498
Polling an Endpoint Context Server 498
Deleting an Endpoint Context Server 499
Adding an AirWatch Endpoint Context Server 499
Server Tab 499
Actions Tab 501
Adding an Aruba Activate Endpoint Context Server 501
Server Tab 502
Certificates Tab 503
Adding an AirWave Endpoint Context Server 504
Adding a Google Admin Console Endpoint Context Server 505
Server Tab 505
Certificates Tab 506
Adding a Generic HTTP Endpoint Context Server 507
Adding a JAMF Endpoint Context Server 508
Adding a MaaS360 Endpoint Context Server 509
Server Tab 509
Actions Tab 511
Adding a MobileIron Endpoint Context Server 512
Server Tab 512
Dell Networking W-ClearPass Policy Manager 6.5 | User Guide Contents | 13
14 | Contents Dell Networking W-ClearPass Policy Manager 6.5 | User Guide
Actions Tab 513
Adding a Palo Alto Networks Firewall Endpoint Context Server 514
Adding a Palo Alto Networks Panorama Endpoint Context Server 515
Adding an SAP Afaria Endpoint Context Server 517
Server Tab 517
Actions Tab 518
Adding an SOTI Endpoint Context Server 519
Adding a XenMobile Endpoint Context Server 520
File Backup Servers 522
Server Certificate 523
Server Certificate Main Page 523
Server Certificate Type 524
RADIUS Server Certificate 524
HTTPS Server Certificate 525
Creating a Certificate Signing Request 526
Creating a Self-Signed Certificate 529
Installing a Self-Signed Certificate 532
Exporting a Server Certificate 534
Importing a Server Certificate 534
Certificate Trust List 535
Certificate Trust List Main Page 535
Adding a Certificate 536
Viewing a Certificate Detail 536
Deleting a Certificate 536
Certificate Revocation Lists 537
Certificate Revocation Lists Main Page 537
Adding a Certificate Revocation List 537
Deleting a Certificate Revocation List 538
RADIUS Dictionary 538
Import RADIUS Dictionary 539
Posture Dictionary 540
TACACS+ Services Dictionary 542
Fingerprints Dictionary 543
Attributes 544
Add Attributes 545
Import Attributes 546
Export Attributes 547
Export 547
Applications Dictionaries 547
Viewing an Application Dictionary 547
Deleting an Application Dictionary 548
Endpoint Context Server Actions 548
Adding an Endpoint Context Server Action Item 549
Action Tab 550
Header Tab 551
Content Tab 552
Attributes Tab 553
OnGuard Settings 553
OnGuard Settings Main Page 554
Software Updates 556
Software Updates Main Page 556
Install Update Dialog Box 558
Reinstalling a Patch 559
Uninstalling a Skin, Translation, or Plugin 559
Updating the Policy Manager Software 560
Upgrade the Image on a Single Policy Manager Appliance 560
Upgrade the Image on all Appliances 560
Contact Support 561
Remote Assistance 561
Remote Assistance Process Flow 562
Adding a Remote Assistance Session 563
Documentation 564
Command Line Interface 567
Cluster Commands 567
drop-subscriber 567
Syntax 567
Example 567
list 568
Syntax 568
Example 568
make-publisher 568
Syntax 568
Example 568
make-subscriber 568
Syntax 568
Example 569
reset-database 569
Syntax 569
Example 569
set-cluster-passwd 569
Syntax 569
Example 569
set-local-passwd 569
Syntax 569
Example 569
Configure Commands 570
Dell Networking W-ClearPass Policy Manager 6.5 | User Guide Contents | 15
16 | Contents Dell Networking W-ClearPass Policy Manager 6.5 | User Guide
date 570
Syntax 570
Example 1 570
Example 2 570
dns 571
Syntax 571
Example 1 571
Example 2 571
Example 3 571
fips-mode 571
Syntax 571
Example 1 571
hostname 572
Syntax 572
Example 572
ip 572
Syntax 572
Example 572
ip6 572
Syntax 572
Example 573
mtu 573
Syntax 573
Example 1 573
Example 2 573
Example 3 574
timezone 574
Syntax 574
Example 574
Network Commands 575
ip 575
Syntax 575
Syntax 575
Syntax 575
Syntax 576
Example 1 576
Example 2 576
ip6 576
Syntax 576
Syntax 577
Syntax 577
Syntax 577
Example 1 577
Example 2 577
nslookup 577
Syntax 577
Example 1 578
Example 2 578
Syntax 578
Example 578
ping 578
Syntax 578
Example 578
ping6 578
Syntax 579
Example 579
reset 579
Syntax 579
Example 579
traceroute 579
Syntax 579
Example 580
traceroute6 580
Syntax 580
Example 580
Service Commands 580
<action> 580
Syntax 581
Example 1 581
Example 2 581
Example 3 581
Show Commands 581
all-timezones 581
Syntax 582
Example 582
date 582
Syntax 582
Example 582
dns 582
Syntax 582
Example 582
domain 582
Syntax 582
Example 582
fipsmode 583
Example 583
Dell Networking W-ClearPass Policy Manager 6.5 | User Guide Contents | 17
18 | Contents Dell Networking W-ClearPass Policy Manager 6.5 | User Guide
hostname 583
Syntax 583
Example 583
ip 583
Syntax 583
Example 583
license 584
Syntax 584
Example 584
sysinfo 584
Syntax 584
Example 584
timezone 585
Syntax 585
Example 585
version 585
Syntax 585
Example 585
System Commands 585
apps-access-reset 586
Syntax 586
Example 586
boot-image 586
Syntax 586
Example 586
cleanup 586
Syntax 586
Example 587
gen-recovery-key 587
Example 587
gen-support-key 587
Syntax 587
Example 587
install-license 587
Syntax 588
Example 588
morph-vm 588
Syntax 588
Example 588
refresh-license 589
Syntax 589
Example 589
restart 589
Syntax 589
Example 589
shutdown 589
Syntax 589
Example 589
sso-reset 589
Syntax 590
start-rasession 590
Syntax 590
status-rasession 590
Syntax 590
Example 590
terminate-rasession 590
Syntax 590
Example 590
update 590
Syntax 590
Example 591
upgrade 591
Syntax 591
Example 1: Upgrading from a Linux server 592
Example 2: Upgrading from a Web server 592
Example 3: Performing an offline upgrade 592
Miscellaneous Commands 593
ad auth 593
Syntax 593
Example 593
ad netjoin 593
Syntax 594
Example 594
ad netleave 594
Syntax 594
Example 594
ad testjoin 594
Syntax 594
Example 594
alias 594
Syntax 594
Example 1 595
Example 2 595
backup 595
Syntax 595
Example 595
Dell Networking W-ClearPass Policy Manager 6.5 | User Guide Contents | 19
20 | Contents Dell Networking W-ClearPass Policy Manager 6.5 | User Guide
dump certchain 595
Syntax 595
Example 1 596
dump logs 596
Syntax 596
Example 1 596
Example 2 596
dump servercert 596
Syntax 596
Example 597
exit 597
Syntax 597
Example 597
help 597
Syntax 597
Example 597
krb auth 597
Syntax 597
Example 598
krb list 598
Syntax 598
Example 598
ldapsearch 598
Syntax 598
Example 598
quit 598
Syntax 598
Example 598
restore 599
Syntax 599
Example 599
system start-rasession 599
Syntax 599
system terminate-rasession 600
Syntax 600
system status-rasession 600
Syntax 600
Rules Editing and Namespaces 601
Namespaces 601
Application Namespace 602
Audit Namespaces 603
Authentication Namespaces 603
Authentication Namespace Editing Context 604
/