Dell W-ClearPass Virtual Appliances User guide

Dell Networking

W-ClearPass

Policy Manager 6.3

User Guide

2 | Dell Networking W-ClearPass Policy Manager 6.3 |User Guide

Copyright Information

®

, Aruba

Wireless Networks

®

, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System

®

.

Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.

Originated in the USA. All other trademarks are the property of their respective owners.

Open Source Code

Certain Aruba products include Open Source software code developed by third parties, including software code subject

to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source

code used can be found at this site:

http://www.arubanetworks.com/open_source

Legal Notice

The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate

other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for

this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it

with respect to infringement of copyright on behalf of those vendors.

Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 3

Contents

About Dell Networking W-ClearPass Policy Manager 21

Common Tasks in Policy Manager 21

Importing 21

Exporting 22

Powering Up and Configuring Policy Manager Hardware 23

Server Port Overview 23

Server Port Configuration 23

Powering Off the System 25

Resetting the Passwords to Factory Default 26

Generating a Support Key for Technical Support 26

Policy Manager Dashboard 29

Monitoring 33

Live Monitoring 33

Access Tracker 33

Editing the Access Tracker 35

Viewing Access Tracker Session Details 35

Accounting 39

RADIUS Accounting Record Details (Auth Sessions tab) 40

RADIUS Accounting Record Details (Details tab) 41

RADIUS Accounting Record Details (Summary tab) 41

RADIUS Accounting Record Details (Utilization tab) 43

TACACS+ Accounting Record Details (Auth Sessions tab) 44

TACACS+ Accounting Record Details (Details tab) 45

TACACS+ Accounting Record Details (Request tab) 46

OnGuard Activity 47

Bounce an Agent (non-SNMP) 48

Bounce a Client Using SNMP 49

Broadcast Message 50

Send a Message 50

Analysis and Trending 51

Endpoint Profiler 51

System Monitor 53

System Monitor tab 54

Process Monitor tab 56

Network tab 57

ClearPass tab 58

Audit Viewer 58

Viewing Audit Row Details (Add Page) 59

Viewing Audit Row Details (Modify Page) 60

4 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide

Old Data Tab 60

New Data tab 61

Inline Difference tab 62

Viewing Audit Row Details (Remove Page) 62

Event Viewer 63

Creating an Event Viewer Report Using Default Values 64

Creating an Event Viewer Report Using Custom Values 64

Viewing Report Details 65

Data Filters 65

Add a Filter 66

Blacklisted Users 68

Policy Manager Policy Model 71

Services Paradigm 71

Viewing Existing Services 75

Adding and Removing Services 75

Links to Use Cases and Configuration Instructions 76

Policy Simulation 77

Adding Simulation Test 79

Import and Export Simulations 84

Export Simulations 85

Export 85

Services 87

Architecture and Flow 87

Start Here 87

802.1X Wired, Wireless, and Dell Wireless 88

Dell VPNAccess with Posture Checks 89

Aruba Auto Sign-On 91

ClearPass Admin Access 92

ClearPass Admin SSO Login (SAML SP Service) 92

ClearPass Identity Provider (SAMLIdP Service) 93

EDUROAM Service 93

Guest Access Web Login 95

Guest Access 95

Guest MACAuthentication 96

Onboard 97

WorkSpace Authentication 98

Policy Manager Service Types 99

Dell 802.1X Wireless 99

Service Tab 100

Authentication Tab 100

Authorization Tab 101

Roles Tab 101

Posture Tab 101

Enforcement Tab 102

Audit Tab 102

Profiler Tab 102

802.1X Wireless 103

Service Tab 103

Authentication Tab 103

Authorization Tab 104

Roles Tab 104

Posture Tab 104

Enforcement Tab 105

Audit Tab 105

Profiler Tab 105

802.1X Wired 105

MAC Authentication 106

Service Tab 106

Authentication Tab 107

Authorization Tab 107

Roles Tab 108

Enforcement Tab 108

Audit Tab 108

Profiler Tab 108

Web-based Authentication 109

Service Tab 109

Authentication Tab 109

Authorization Tab 110

Roles Tab 110

Posture Tab 110

Enforcement Tab 110

Web-based Health Check Only 111

Web-based Open Network Access 111

802.1X Wireless - Identity Only 112

802.1X Wired - Identity Only 112

RADIUS Enforcement (Generic) 112

Service Tab 113

Authorization Tab 114

Roles Tab 114

Posture Tab 114

Enforcement Tab 114

Audit Tab 114

Profiler Tab 115

RADIUS Proxy 115

RADIUS Authorization 116

TACACS+ Enforcement 116

Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 5

6 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide

Service Tab 117

Authentication Tab 117

Authorization Tab 117

Roles Tab 118

Enforcement Tab 118

Dell W-Series Application Authentication 118

Service Tab 118

Authentication Tab 119

Roles Tab 119

Enforcement Tab 119

Dell W-Series Application Authorization 119

Cisco Web Authentication Proxy 120

Service Tab 120

Authentication Tab 120

Authorization Tab 121

Roles Tab 121

Enforcement Tab 122

Audit Tab 122

Services 122

Adding Services 123

Modifying Services 126

Reordering Services 128

Authentication and Authorization 129

Authentication and Authorization Architecture and Flow 129

Authentication Method 129

Authentication Source 129

Configuring Authentication Components 130

Adding and Modifying Authentication Methods 131

Authorize 133

CHAP and EAP-MD5 134

EAP-FAST 136

General Tab 136

Inner Methods Tab 137

PACs tab 138

PAC Provisioning tab 139

EAP-GTC 141

EAP-MSCHAPv2 142

EAP-PEAP 142

General Tab 142

Inner Methods Tab 143

EAP-TLS 144

EAP-TTLS 146

General Tab 146

Inner Methods Tab 147

MAC-AUTH 147

MSCHAP 148

PAP 149

Adding and Modifying Authentication Sources 149

Generic LDAP and Active Directory 150

General Tab 151

Primary Tab 152

Attributes Tab 155

Add More Filters 158

Browse Tab 158

Filter Tab 159

Attributes Tab 161

Configuration Tab 162

Modify Default Filters 162

Generic SQL DB 163

General Tab 163

Primary Tab 165

Attributes Tab 165

HTTP 167

General Tab 167

Primary Tab 168

Attributes Tab 169

Kerberos 170

General Tab 170

Primary Tab 171

Okta 172

General Tab 173

Primary Tab 174

Attributes Tab 174

Static Host List 175

General Tab 176

Static Host Lists Tab 176

Token Server 177

General Tab 177

Primary Tab 178

Attributes Tab 179

Identity 181

Configuring Single Sign-On, Local Users, Endpoints, and Static Host Lists 181

Configuring Single Sign-On 182

Adding and Modifying Local Users 183

Adding and Modifying Endpoints 185

Adding and Modifying Static Host Lists 187

Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 7

8 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide

Additional Available Tasks 188

Configuring a Role Mapping Policy 189

Adding and Modifying Roles 189

Adding and Modifying Role Mapping Policies 190

Policy Tab 190

Mapping Rules Tab 191

Posture 195

Posture Architecture and Flow 195

Posture Policy 195

Posture Server 195

Audit Server 195

Configuring Posture 197

Adding a Posture Policy 198

NAP Agent 198

OnGuard Agent (Persistent or Dissolvable) 199

ClearPass Mac OS X 200

ClearPass Windows Universal System Health Validator - NTP Agent 201

ClearPass Linux Universal System Health Validator - NAP Agent 201

Windows System Health Validator - NAP Agent 204

Windows Security Health Validator - NAP Agent 204

ClearPass Linux Universal System Health Validator - OnGuard Agent 205

ClearPass Mac OS X Universal System Health Validator - OnGuard Agent 205

ClearPass Windows Universal System Health Validator - OnGuard Agent 212

Windows Security Health Validator - OnGuard Agent 229

Windows System Health Validator - OnGuard Agent 229

Adding and Modifying Posture Servers 230

Microsoft NPS 231

Audit Servers 233

Configuring Audit Servers 233

Built-In Audit Servers 234

Add Auditing to a Policy Manager Service 234

Modifying Built-In Audit Servers 235

Custom Audit Servers 236

Nessus Audit Server 236

NMAP Audit Server 240

Post-Audit Rules 242

Enforcement 245

Enforcement Architecture and Flow 245

Configuring Enforcement Profiles 246

Agent Enforcement 248

Profile tab 248

Attributes tab 249

Aruba Downloadable Role Enforcement 250

Profile tab 250

Role Configuration tab 250

Captive Portal Profile 251

Policer Profile: 252

QOs Profile 252

VoIP Profile 253

NetService Configuration 253

NetDestination Configuration 254

Time Range Configuration 254

ACL 255

Aruba RADIUS Enforcement 256

Profile tab 256

Attributes tab 257

Cisco Downloadable ACL Enforcement 257

Profile tab 258

Attributes tab 258

Cisco Web Authentication Enforcement 259

Profile tab 259

Attributes tab 260

ClearPass Entity Update Enforcement 260

Profile tab 261

Attributes tab 261

CLI Based Enforcement 262

Profile tab 262

Attributes tab 263

Filter ID Based Enforcement 263

Profile tab 263

Attributes tab 264

Generic Application Enforcement 265

Profile tab 265

Attributes tab 266

HTTP Based Enforcement 266

Profile tab 266

Attributes tab 267

RADIUS Based Enforcement 267

Profile tab 267

Attributes tab 268

RADIUS Change of Authorization (CoA) 269

Profile tab 269

Attributes tab 270

Session Restrictions Enforcement 271

Profile tab 271

Attributes tab 272

Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 9

10 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide

SNMP Based Enforcement 272

Profile tab 273

Attributes tab 273

TACACS+ Based Enforcement 274

Profile tab 274

Services tab 275

VLAN Enforcement 276

Profile ta 276

Attributes tab 276

Configuring Enforcement Policies 277

Network Access Devices 281

Adding and Modifying Devices 281

Adding a Device 281

Additional Available Tasks 285

Adding and Modifying Device Groups 285

Additional Available Tasks 287

Adding and Modifying Proxy Targets 287

Add a Proxy Target 288

Additional Available Tasks 288

Import a Proxy Target 288

Export all Proxy Targets 288

Export one Proxy Target 289

Delete one Proxy Target 289

Custom Admin Privileges 289

Policy Simulation 291

Active Directory Authentication 292

Simulation tab 292

Results tab 292

Application Authentication 292

Simulation tab 293

Attributes tab 293

Results tab 293

Audit 294

Results tab 295

Chained Simulation 295

Simulation tab 295

Attributes tab 296

Results tab 297

Enforcement Policy 298

Simulation tab 298

Attributes tab 300

Results tab 301

RADIUS Authentication 301

Simulation tab 301

Attributes tab 303

NAS Type:Aruba Wireless Controller 304

NAS Type:Aruba Wired Switch Controller 304

NAS Type:Cisco Wireless Switch 305

Results tab 305

Role Mapping 306

Simulation tab 306

Attributes tab 307

Results tab 308

Service Categorization 309

Simulation tab 309

Attributes tab 309

Results tab 310

ClearPass Policy Manager Profile 311

Device Profile 311

Collectors 311

DHCP 312

Sending DHCP Traffic to CPPM 312

ClearPass Onboard 312

HTTP User-Agent 312

MAC OUI 312

ActiveSync Plugin 313

CPPM OnGuard 313

SNMP 313

Subnet Scan 314

Profiling 314

The Profiler User Interface 315

Post Profile Actions 315

Fingerprint Dictionaries 316

Administration 317

ClearPass Portal 318

Admin Users 319

Add User 319

Import Users 320

Export Users 320

Export 321

Admin Privileges 321

Administrator Privilege XML File Structure 321

Administrator Privileges and IDs 322

Creating Custom Administrator Privileges 323

Sample Administrator Privilege XML File 324

Log Configuration 325

Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 11

12 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide

Server Configuration 327

Editing Server Configuration Settings 328

System Tab 328

Join AD Domain 330

Add Password Server 332

Services Control Tab 332

Service Parameters Tab 333

System Monitoring Tab 343

Network Tab 345

Set Date & Time 347

Change Cluster Password 349

Manage Policy Manager Zones 350

NetEvents Targets 351

Virtual IPSettings 351

Make Subscriber 352

Upload Nessus Plugins 353

Cluster-Wide Parameters 353

Collect Logs 357

Backup 358

Restore 359

Shutdown/Reboot 361

Drop Subscriber 361

Local Shared Folders 361

Licensing 361

Activating an Application License 362

Activating a Server License 362

Adding an Application License 363

Updating an Application License 363

SNMP Trap Receivers 364

Adding an SNMP Trap Server 365

Exporting all SNMP Trap Servers 365

Exporting a Single SNMP Trap Server 365

Importing an SNMP Trap Server 365

Syslog Targets 366

Add Syslog Target 367

Import Syslog Target 367

Export Syslog Target 368

Export 368

Syslog Export Filters 368

Import Syslog Filter 369

Export Syslog Filter 370

Export 370

Adding a Syslog Export Filter (Filter and Columns tab) 370

Adding a Syslog Export Filter (General tab) 371

Adding a Syslog Export Filter (Summary tab) 372

Messaging Setup 373

Endpoint Context Servers 375

Adding an Endpoint Context Server 375

Modify an endpoint context server 375

Delete an endpoint context server 375

Adding an Air Watch Endpoint Context Server 375

Adding an Air Wave Endpoint Context Server 377

Adding an Aruba Activate Endpoint Context Server 378

Adding a Generic HTTP Endpoint Context Server 379

Adding a JAMF Endpoint Context Server 381

Adding a MaaS360 Endpoint Context Server 381

Adding a MobileIron Endpoint Context Server 383

Adding a Palo Alto Networks Firewall 384

Adding a Palo Alto Networks Panorama Endpoint Context Server 385

Adding an SOTI Endpoint Context Server 386

Adding a XenMobile Endpoint Context Server 387

Server Certificate 388

Server Certificate Page Overview 388

Server Certificate Page (RADIUS Server Certificate Type) 389

Server Certificate Page (HTTPS Server Certificate Type) 389

Creating a Certificate Signing Request 390

Creating a Self-Signed Certificate 392

Installing the self-signed certificate 394

Exporting a Server Certificate 395

Importing a Server Certificate 395

Certificate Trust List 396

Add Certificate 396

Revocation Lists 397

Adding a Revocation List 397

Dictionaries 398

RADIUS Dictionary 398

Import RADIUS Dictionary 399

Posture Dictionary 400

TACACS+ Services Dictionary 401

Fingerprints Dictionary 402

Attributes Dictionary 403

Adding Attributes 404

Import Attributes 405

Export Attributes 405

Export 405

Applications Dictionary 406

Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 13

14 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide

View an application dictionary 406

Delete an application dictionary 406

Endpoint Context Server Actions 406

Filter an Endpoint Context Server Action Report 407

View Details About Endpoint Context Server Actions 407

Add an Endpoint Context Server Action Item 407

Import Context Server Actions 408

Export Context Server Actions 409

OnGuard Settings 409

Software Updates 411

Install Update dialog box 413

Updating the Policy Manager Software 414

Upgrade the Image on a Single Policy Manager Appliance 415

Upgrade the Image on all Appliances 415

Support 416

Contact Support 416

Remote Assistance 416

Remote Assistance Process Flow Description 416

Adding a Remote Assistance Session 417

Documentation 418

Command Line Interface 421

Available Commands 421

Cluster Commands 423

drop-subscriber 424

list 424

make-publisher 424

make-subscriber 425

reset-database 425

set-cluster-passwd 425

set-local-passwd 426

Configure Commands 426

date 426

dns 427

hostname 427

ip 427

timezone 428

Network Commands 428

ip 428

nslookup 429

ping 430

reset 430

traceroute 431

Service Commands 431

<action> 431

Show Commands 432

all-timezones 432

date 432

dns 433

domain 433

hostname 433

ip 433

license 434

timezone 434

version 434

System Commands 434

boot-image 435

gen-support-key 435

install-license 435

morph-vm 436

restart 436

shutdown 436

update 436

upgrade 437

Miscellaneous Commands 437

ad auth 438

ad netjoin 438

ad netleave 439

ad testjoin 439

alias 439

backup 440

dump certchain 440

dump logs 440

dump servercert 441

exit 441

help 441

krb auth 442

krb list 442

ldapsearch 442

quit 443

restore 443

system start-rasession 444

system terminate-rasession 444

system status-rasession 444

Rules Editing and Namespaces 445

Namespaces 445

Application Namespace 446

Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 15

16 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide

Audit Namespaces 447

Authentication Namespaces 447

Authentication namespace editing context 447

Authorization Namespaces 449

Authorization editing context 449

AD Instance Namespace 449

Authorization 449

LDAP Instance Namespace 449

RSAToken Instance Namespace 449

Sources 450

SQL Instance Namespace 450

Certificate Namespaces 450

Certificate namespace editing context 450

Connection Namespaces 451

Connection namespace editing contexts 451

Date Namespaces 452

Date namespace editing contexts 452

Device Namespaces 452

Endpoint Namespaces 453

Guest User Namespaces 453

Host Namespaces 453

Local User Namespaces 453

Posture Namespaces 454

Posture Namespace Editing Context 454

RADIUS Namespaces 454

RADIUS namespace editing contexts 454

Tacacs Namespaces 455

Tips Namespaces 455

Role 455

Posture 455

Tips namespace editing context 455

Variables 455

Operators 456

Error Codes, SNMP Traps, and System Events 461

Error Codes 461

SNMP Trap Details 464

SNMP Daemon Trap Events 464

CPPM Processes Stop and Start Events 464

Network Interface up and Down Events 465

Disk Utilization Threshold Exceed Events 465

CPU Load Average Exceed Events for 1, 5, and 15 Minute Thresholds 465

SNMP Daemon Traps 465

Process Status Traps 465

1 (a) RADIUS server stop SNMP trap 465

1 (b) RADIUS server start SNMP trap 465

2 (a) Admin Server stop SNMP trap 466

2 (b) Admin Server start SNMP trap 466

3 (a) System Auxiliary server stop SNMP trap 466

3 (b) System Auxiliary server start SNMP trap 466

4 (a) Policy server stop SNMP trap 467

4 (b) Policy server start SNMP trap 467

5 (a) Async DB write service stop SNMP trap 467

5 (b) Async DB write service start SNMP trap 467

6 (a) DB replication service stop SNMP trap 468

6 (b) DB replication service start SNMP trap 468

7 (a) DB Change Notification server stop SNMP trap 468

7 (b) DB Change Notification server start SNMP trap 468

8 (a) Async netd service stop SNMP trap 469

8 (b) Async netd service start SNMP trap 469

9 (a) Multi-master Cache service stop SNMP trap 469

9 (b) Multi-master Cache service start SNMP trap 469

10 (a) AirGroup Notification service stop SNMP trap 470

10 (b) AirGroup Notification service start SNMP trap 470

11 (a) Micros Fidelio FIAS service stop SNMP trap 470

11 (b) Micros Fidelio FIAS service start SNMP trap 470

12 (a) TACACS server stop SNMP trap 471

12 (b) TACACS server start SNMP trap 471

13 (a) Virtual IP service stop SNMP trap 471

13 (b) Virtual IP service start SNMP trap 471

14 (a) Stats Collection service stop SNMP trap 472

14 (b) Stats Collection service start SNMP trap 472

15 (a) Stats Aggregation service stop SNMP trap 472

15 (b) stats Aggregation service start SNMP trap 472

Network Interface Status Traps 473

Disk Space Threshold Traps 473

CPU Load Average Traps 473

Important System Events 474

Admin UI Events 474

Critical Events 474

Info Events 474

Admin Server Events 475

Info Events 475

Async Service Events 475

Info Events 475

ClearPass/Domain Controller Events 475

Critical Events 475

Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 17

18 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide

Info Events 475

ClearPass System Configuration Events 475

Critical Events 475

Info Events 475

ClearPass Update Events 476

Critical Events 476

Info Events 476

Cluster Events 476

Critical Events 476

Info Events 476

Command Line Events 476

Info Events 476

DB Replication Services Events 476

Info Events 476

Licensing Events 476

Critical Events 476

Info Events 476

Policy Server Events 477

Info Events 477

RADIUS/TACACS+ Server Events 477

Critical Events 477

Info Events 477

SNMPEvents 477

Critical Events 477

Info Events 477

Support Shell Events 477

Info Events 477

System Auxiliary Service Events 477

Info Events 477

System Monitor Events 478

Critical Events 478

Info Events 478

Service Names 478

Use Cases 479

802.1X Wireless Use Case 479

Configuring the Service 479

Web Based Authentication Use Case 485

Configuring the Service 486

MAC Authentication Use Case 492

Configuring the Service 493

TACACS+ Use Case 495

Configuring the Service 496

Single Port Use Case 497

Supported Browsers and Java Versions 498

Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 19

20 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide

Page is loading ...

Dell W-ClearPass Virtual Appliances User guide

This manual is also suitable for

Dell W-ClearPass Virtual Appliances User guide

Related papers

Other documents