Page is loading ...
Dell Networking
W-ClearPass
Policy Manager 6.3
User Guide
2 | Dell Networking W-ClearPass Policy Manager 6.3 |User Guide
Copyright Information
© 2014 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks
®
, Aruba
Wireless Networks
®
, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System
®
.
Dellâ„¢, the DELLâ„¢ logo, and PowerConnectâ„¢ are trademarks of Dell Inc.
All rights reserved. Specifications in this manual are subject to change without notice.
Originated in the USA. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject
to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source
Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011
Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open Source
code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate
other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it
with respect to infringement of copyright on behalf of those vendors.
Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 3
Contents
About Dell Networking W-ClearPass Policy Manager 21
Common Tasks in Policy Manager 21
Importing 21
Exporting 22
Powering Up and Configuring Policy Manager Hardware 23
Server Port Overview 23
Server Port Configuration 23
Powering Off the System 25
Resetting the Passwords to Factory Default 26
Generating a Support Key for Technical Support 26
Policy Manager Dashboard 29
Monitoring 33
Live Monitoring 33
Access Tracker 33
Editing the Access Tracker 35
Viewing Access Tracker Session Details 35
Accounting 39
RADIUS Accounting Record Details (Auth Sessions tab) 40
RADIUS Accounting Record Details (Details tab) 41
RADIUS Accounting Record Details (Summary tab) 41
RADIUS Accounting Record Details (Utilization tab) 43
TACACS+ Accounting Record Details (Auth Sessions tab) 44
TACACS+ Accounting Record Details (Details tab) 45
TACACS+ Accounting Record Details (Request tab) 46
OnGuard Activity 47
Bounce an Agent (non-SNMP) 48
Bounce a Client Using SNMP 49
Broadcast Message 50
Send a Message 50
Analysis and Trending 51
Endpoint Profiler 51
System Monitor 53
System Monitor tab 54
Process Monitor tab 56
Network tab 57
ClearPass tab 58
Audit Viewer 58
Viewing Audit Row Details (Add Page) 59
Viewing Audit Row Details (Modify Page) 60
4 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide
Old Data Tab 60
New Data tab 61
Inline Difference tab 62
Viewing Audit Row Details (Remove Page) 62
Event Viewer 63
Creating an Event Viewer Report Using Default Values 64
Creating an Event Viewer Report Using Custom Values 64
Viewing Report Details 65
Data Filters 65
Add a Filter 66
Blacklisted Users 68
Policy Manager Policy Model 71
Services Paradigm 71
Viewing Existing Services 75
Adding and Removing Services 75
Links to Use Cases and Configuration Instructions 76
Policy Simulation 77
Adding Simulation Test 79
Import and Export Simulations 84
Export Simulations 85
Export 85
Services 87
Architecture and Flow 87
Start Here 87
802.1X Wired, Wireless, and Dell Wireless 88
Dell VPNAccess with Posture Checks 89
Aruba Auto Sign-On 91
ClearPass Admin Access 92
ClearPass Admin SSO Login (SAML SP Service) 92
ClearPass Identity Provider (SAMLIdP Service) 93
EDUROAM Service 93
Guest Access Web Login 95
Guest Access 95
Guest MACAuthentication 96
Onboard 97
WorkSpace Authentication 98
Policy Manager Service Types 99
Dell 802.1X Wireless 99
Service Tab 100
Authentication Tab 100
Authorization Tab 101
Roles Tab 101
Posture Tab 101
Enforcement Tab 102
Audit Tab 102
Profiler Tab 102
802.1X Wireless 103
Service Tab 103
Authentication Tab 103
Authorization Tab 104
Roles Tab 104
Posture Tab 104
Enforcement Tab 105
Audit Tab 105
Profiler Tab 105
802.1X Wired 105
MAC Authentication 106
Service Tab 106
Authentication Tab 107
Authorization Tab 107
Roles Tab 108
Enforcement Tab 108
Audit Tab 108
Profiler Tab 108
Web-based Authentication 109
Service Tab 109
Authentication Tab 109
Authorization Tab 110
Roles Tab 110
Posture Tab 110
Enforcement Tab 110
Web-based Health Check Only 111
Web-based Open Network Access 111
802.1X Wireless - Identity Only 112
802.1X Wired - Identity Only 112
RADIUS Enforcement (Generic) 112
Service Tab 113
Authorization Tab 114
Roles Tab 114
Posture Tab 114
Enforcement Tab 114
Audit Tab 114
Profiler Tab 115
RADIUS Proxy 115
RADIUS Authorization 116
TACACS+ Enforcement 116
Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 5
6 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide
Service Tab 117
Authentication Tab 117
Authorization Tab 117
Roles Tab 118
Enforcement Tab 118
Dell W-Series Application Authentication 118
Service Tab 118
Authentication Tab 119
Roles Tab 119
Enforcement Tab 119
Dell W-Series Application Authorization 119
Cisco Web Authentication Proxy 120
Service Tab 120
Authentication Tab 120
Authorization Tab 121
Roles Tab 121
Enforcement Tab 122
Audit Tab 122
Services 122
Adding Services 123
Modifying Services 126
Reordering Services 128
Authentication and Authorization 129
Authentication and Authorization Architecture and Flow 129
Authentication Method 129
Authentication Source 129
Configuring Authentication Components 130
Adding and Modifying Authentication Methods 131
Authorize 133
CHAP and EAP-MD5 134
EAP-FAST 136
General Tab 136
Inner Methods Tab 137
PACs tab 138
PAC Provisioning tab 139
EAP-GTC 141
EAP-MSCHAPv2 142
EAP-PEAP 142
General Tab 142
Inner Methods Tab 143
EAP-TLS 144
EAP-TTLS 146
General Tab 146
Inner Methods Tab 147
MAC-AUTH 147
MSCHAP 148
PAP 149
Adding and Modifying Authentication Sources 149
Generic LDAP and Active Directory 150
General Tab 151
Primary Tab 152
Attributes Tab 155
Add More Filters 158
Browse Tab 158
Filter Tab 159
Attributes Tab 161
Configuration Tab 162
Modify Default Filters 162
Generic SQL DB 163
General Tab 163
Primary Tab 165
Attributes Tab 165
HTTP 167
General Tab 167
Primary Tab 168
Attributes Tab 169
Kerberos 170
General Tab 170
Primary Tab 171
Okta 172
General Tab 173
Primary Tab 174
Attributes Tab 174
Static Host List 175
General Tab 176
Static Host Lists Tab 176
Token Server 177
General Tab 177
Primary Tab 178
Attributes Tab 179
Identity 181
Configuring Single Sign-On, Local Users, Endpoints, and Static Host Lists 181
Configuring Single Sign-On 182
Adding and Modifying Local Users 183
Adding and Modifying Endpoints 185
Adding and Modifying Static Host Lists 187
Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 7
8 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide
Additional Available Tasks 188
Configuring a Role Mapping Policy 189
Adding and Modifying Roles 189
Adding and Modifying Role Mapping Policies 190
Policy Tab 190
Mapping Rules Tab 191
Posture 195
Posture Architecture and Flow 195
Posture Policy 195
Posture Server 195
Audit Server 195
Configuring Posture 197
Adding a Posture Policy 198
NAP Agent 198
OnGuard Agent (Persistent or Dissolvable) 199
ClearPass Mac OS X 200
ClearPass Windows Universal System Health Validator - NTP Agent 201
ClearPass Linux Universal System Health Validator - NAP Agent 201
Windows System Health Validator - NAP Agent 204
Windows Security Health Validator - NAP Agent 204
ClearPass Linux Universal System Health Validator - OnGuard Agent 205
ClearPass Mac OS X Universal System Health Validator - OnGuard Agent 205
ClearPass Windows Universal System Health Validator - OnGuard Agent 212
Windows Security Health Validator - OnGuard Agent 229
Windows System Health Validator - OnGuard Agent 229
Adding and Modifying Posture Servers 230
Microsoft NPS 231
Audit Servers 233
Configuring Audit Servers 233
Built-In Audit Servers 234
Add Auditing to a Policy Manager Service 234
Modifying Built-In Audit Servers 235
Custom Audit Servers 236
Nessus Audit Server 236
NMAP Audit Server 240
Post-Audit Rules 242
Enforcement 245
Enforcement Architecture and Flow 245
Configuring Enforcement Profiles 246
Agent Enforcement 248
Profile tab 248
Attributes tab 249
Aruba Downloadable Role Enforcement 250
Profile tab 250
Role Configuration tab 250
Captive Portal Profile 251
Policer Profile: 252
QOs Profile 252
VoIP Profile 253
NetService Configuration 253
NetDestination Configuration 254
Time Range Configuration 254
ACL 255
Aruba RADIUS Enforcement 256
Profile tab 256
Attributes tab 257
Cisco Downloadable ACL Enforcement 257
Profile tab 258
Attributes tab 258
Cisco Web Authentication Enforcement 259
Profile tab 259
Attributes tab 260
ClearPass Entity Update Enforcement 260
Profile tab 261
Attributes tab 261
CLI Based Enforcement 262
Profile tab 262
Attributes tab 263
Filter ID Based Enforcement 263
Profile tab 263
Attributes tab 264
Generic Application Enforcement 265
Profile tab 265
Attributes tab 266
HTTP Based Enforcement 266
Profile tab 266
Attributes tab 267
RADIUS Based Enforcement 267
Profile tab 267
Attributes tab 268
RADIUS Change of Authorization (CoA) 269
Profile tab 269
Attributes tab 270
Session Restrictions Enforcement 271
Profile tab 271
Attributes tab 272
Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 9
10 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide
SNMP Based Enforcement 272
Profile tab 273
Attributes tab 273
TACACS+ Based Enforcement 274
Profile tab 274
Services tab 275
VLAN Enforcement 276
Profile ta 276
Attributes tab 276
Configuring Enforcement Policies 277
Network Access Devices 281
Adding and Modifying Devices 281
Adding a Device 281
Additional Available Tasks 285
Adding and Modifying Device Groups 285
Additional Available Tasks 287
Adding and Modifying Proxy Targets 287
Add a Proxy Target 288
Additional Available Tasks 288
Import a Proxy Target 288
Export all Proxy Targets 288
Export one Proxy Target 289
Delete one Proxy Target 289
Custom Admin Privileges 289
Policy Simulation 291
Active Directory Authentication 292
Simulation tab 292
Results tab 292
Application Authentication 292
Simulation tab 293
Attributes tab 293
Results tab 293
Audit 294
Results tab 295
Chained Simulation 295
Simulation tab 295
Attributes tab 296
Results tab 297
Enforcement Policy 298
Simulation tab 298
Attributes tab 300
Results tab 301
RADIUS Authentication 301
Simulation tab 301
Attributes tab 303
NAS Type:Aruba Wireless Controller 304
NAS Type:Aruba Wired Switch Controller 304
NAS Type:Cisco Wireless Switch 305
Results tab 305
Role Mapping 306
Simulation tab 306
Attributes tab 307
Results tab 308
Service Categorization 309
Simulation tab 309
Attributes tab 309
Results tab 310
ClearPass Policy Manager Profile 311
Device Profile 311
Collectors 311
DHCP 312
Sending DHCP Traffic to CPPM 312
ClearPass Onboard 312
HTTP User-Agent 312
MAC OUI 312
ActiveSync Plugin 313
CPPM OnGuard 313
SNMP 313
Subnet Scan 314
Profiling 314
The Profiler User Interface 315
Post Profile Actions 315
Fingerprint Dictionaries 316
Administration 317
ClearPass Portal 318
Admin Users 319
Add User 319
Import Users 320
Export Users 320
Export 321
Admin Privileges 321
Administrator Privilege XML File Structure 321
Administrator Privileges and IDs 322
Creating Custom Administrator Privileges 323
Sample Administrator Privilege XML File 324
Log Configuration 325
Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 11
12 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide
Server Configuration 327
Editing Server Configuration Settings 328
System Tab 328
Join AD Domain 330
Add Password Server 332
Services Control Tab 332
Service Parameters Tab 333
System Monitoring Tab 343
Network Tab 345
Set Date & Time 347
Change Cluster Password 349
Manage Policy Manager Zones 350
NetEvents Targets 351
Virtual IPSettings 351
Make Subscriber 352
Upload Nessus Plugins 353
Cluster-Wide Parameters 353
Collect Logs 357
Backup 358
Restore 359
Shutdown/Reboot 361
Drop Subscriber 361
Local Shared Folders 361
Licensing 361
Activating an Application License 362
Activating a Server License 362
Adding an Application License 363
Updating an Application License 363
SNMP Trap Receivers 364
Adding an SNMP Trap Server 365
Exporting all SNMP Trap Servers 365
Exporting a Single SNMP Trap Server 365
Importing an SNMP Trap Server 365
Syslog Targets 366
Add Syslog Target 367
Import Syslog Target 367
Export Syslog Target 368
Export 368
Syslog Export Filters 368
Import Syslog Filter 369
Export Syslog Filter 370
Export 370
Adding a Syslog Export Filter (Filter and Columns tab) 370
Adding a Syslog Export Filter (General tab) 371
Adding a Syslog Export Filter (Summary tab) 372
Messaging Setup 373
Endpoint Context Servers 375
Adding an Endpoint Context Server 375
Modify an endpoint context server 375
Delete an endpoint context server 375
Adding an Air Watch Endpoint Context Server 375
Adding an Air Wave Endpoint Context Server 377
Adding an Aruba Activate Endpoint Context Server 378
Adding a Generic HTTP Endpoint Context Server 379
Adding a JAMF Endpoint Context Server 381
Adding a MaaS360 Endpoint Context Server 381
Adding a MobileIron Endpoint Context Server 383
Adding a Palo Alto Networks Firewall 384
Adding a Palo Alto Networks Panorama Endpoint Context Server 385
Adding an SOTI Endpoint Context Server 386
Adding a XenMobile Endpoint Context Server 387
Server Certificate 388
Server Certificate Page Overview 388
Server Certificate Page (RADIUS Server Certificate Type) 389
Server Certificate Page (HTTPS Server Certificate Type) 389
Creating a Certificate Signing Request 390
Creating a Self-Signed Certificate 392
Installing the self-signed certificate 394
Exporting a Server Certificate 395
Importing a Server Certificate 395
Certificate Trust List 396
Add Certificate 396
Revocation Lists 397
Adding a Revocation List 397
Dictionaries 398
RADIUS Dictionary 398
Import RADIUS Dictionary 399
Posture Dictionary 400
TACACS+ Services Dictionary 401
Fingerprints Dictionary 402
Attributes Dictionary 403
Adding Attributes 404
Import Attributes 405
Export Attributes 405
Export 405
Applications Dictionary 406
Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 13
14 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide
View an application dictionary 406
Delete an application dictionary 406
Endpoint Context Server Actions 406
Filter an Endpoint Context Server Action Report 407
View Details About Endpoint Context Server Actions 407
Add an Endpoint Context Server Action Item 407
Import Context Server Actions 408
Export Context Server Actions 409
OnGuard Settings 409
Software Updates 411
Install Update dialog box 413
Updating the Policy Manager Software 414
Upgrade the Image on a Single Policy Manager Appliance 415
Upgrade the Image on all Appliances 415
Support 416
Contact Support 416
Remote Assistance 416
Remote Assistance Process Flow Description 416
Adding a Remote Assistance Session 417
Documentation 418
Command Line Interface 421
Available Commands 421
Cluster Commands 423
drop-subscriber 424
list 424
make-publisher 424
make-subscriber 425
reset-database 425
set-cluster-passwd 425
set-local-passwd 426
Configure Commands 426
date 426
dns 427
hostname 427
ip 427
timezone 428
Network Commands 428
ip 428
nslookup 429
ping 430
reset 430
traceroute 431
Service Commands 431
<action> 431
Show Commands 432
all-timezones 432
date 432
dns 433
domain 433
hostname 433
ip 433
license 434
timezone 434
version 434
System Commands 434
boot-image 435
gen-support-key 435
install-license 435
morph-vm 436
restart 436
shutdown 436
update 436
upgrade 437
Miscellaneous Commands 437
ad auth 438
ad netjoin 438
ad netleave 439
ad testjoin 439
alias 439
backup 440
dump certchain 440
dump logs 440
dump servercert 441
exit 441
help 441
krb auth 442
krb list 442
ldapsearch 442
quit 443
restore 443
system start-rasession 444
system terminate-rasession 444
system status-rasession 444
Rules Editing and Namespaces 445
Namespaces 445
Application Namespace 446
Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 15
16 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide
Audit Namespaces 447
Authentication Namespaces 447
Authentication namespace editing context 447
Authorization Namespaces 449
Authorization editing context 449
AD Instance Namespace 449
Authorization 449
LDAP Instance Namespace 449
RSAToken Instance Namespace 449
Sources 450
SQL Instance Namespace 450
Certificate Namespaces 450
Certificate namespace editing context 450
Connection Namespaces 451
Connection namespace editing contexts 451
Date Namespaces 452
Date namespace editing contexts 452
Device Namespaces 452
Endpoint Namespaces 453
Guest User Namespaces 453
Host Namespaces 453
Local User Namespaces 453
Posture Namespaces 454
Posture Namespace Editing Context 454
RADIUS Namespaces 454
RADIUS namespace editing contexts 454
Tacacs Namespaces 455
Tips Namespaces 455
Role 455
Posture 455
Tips namespace editing context 455
Variables 455
Operators 456
Error Codes, SNMP Traps, and System Events 461
Error Codes 461
SNMP Trap Details 464
SNMP Daemon Trap Events 464
CPPM Processes Stop and Start Events 464
Network Interface up and Down Events 465
Disk Utilization Threshold Exceed Events 465
CPU Load Average Exceed Events for 1, 5, and 15 Minute Thresholds 465
SNMP Daemon Traps 465
Process Status Traps 465
1 (a) RADIUS server stop SNMP trap 465
1 (b) RADIUS server start SNMP trap 465
2 (a) Admin Server stop SNMP trap 466
2 (b) Admin Server start SNMP trap 466
3 (a) System Auxiliary server stop SNMP trap 466
3 (b) System Auxiliary server start SNMP trap 466
4 (a) Policy server stop SNMP trap 467
4 (b) Policy server start SNMP trap 467
5 (a) Async DB write service stop SNMP trap 467
5 (b) Async DB write service start SNMP trap 467
6 (a) DB replication service stop SNMP trap 468
6 (b) DB replication service start SNMP trap 468
7 (a) DB Change Notification server stop SNMP trap 468
7 (b) DB Change Notification server start SNMP trap 468
8 (a) Async netd service stop SNMP trap 469
8 (b) Async netd service start SNMP trap 469
9 (a) Multi-master Cache service stop SNMP trap 469
9 (b) Multi-master Cache service start SNMP trap 469
10 (a) AirGroup Notification service stop SNMP trap 470
10 (b) AirGroup Notification service start SNMP trap 470
11 (a) Micros Fidelio FIAS service stop SNMP trap 470
11 (b) Micros Fidelio FIAS service start SNMP trap 470
12 (a) TACACS server stop SNMP trap 471
12 (b) TACACS server start SNMP trap 471
13 (a) Virtual IP service stop SNMP trap 471
13 (b) Virtual IP service start SNMP trap 471
14 (a) Stats Collection service stop SNMP trap 472
14 (b) Stats Collection service start SNMP trap 472
15 (a) Stats Aggregation service stop SNMP trap 472
15 (b) stats Aggregation service start SNMP trap 472
Network Interface Status Traps 473
Disk Space Threshold Traps 473
CPU Load Average Traps 473
Important System Events 474
Admin UI Events 474
Critical Events 474
Info Events 474
Admin Server Events 475
Info Events 475
Async Service Events 475
Info Events 475
ClearPass/Domain Controller Events 475
Critical Events 475
Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Contents | 17
18 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide
Info Events 475
ClearPass System Configuration Events 475
Critical Events 475
Info Events 475
ClearPass Update Events 476
Critical Events 476
Info Events 476
Cluster Events 476
Critical Events 476
Info Events 476
Command Line Events 476
Info Events 476
DB Replication Services Events 476
Info Events 476
Licensing Events 476
Critical Events 476
Info Events 476
Policy Server Events 477
Info Events 477
RADIUS/TACACS+ Server Events 477
Critical Events 477
Info Events 477
SNMPEvents 477
Critical Events 477
Info Events 477
Support Shell Events 477
Info Events 477
System Auxiliary Service Events 477
Info Events 477
System Monitor Events 478
Critical Events 478
Info Events 478
Service Names 478
Use Cases 479
802.1X Wireless Use Case 479
Configuring the Service 479
Web Based Authentication Use Case 485
Configuring the Service 486
MAC Authentication Use Case 492
Configuring the Service 493
TACACS+ Use Case 495
Configuring the Service 496
Single Port Use Case 497
20 | Contents Dell Networking W-ClearPass Policy Manager 6.3 | User Guide
/