2. Computers & electronics
  3. Software
  4. Dell
  5. W-ClearPass Hardware Appliances

Dell W-ClearPass Hardware Appliances User guide

  • Hello! I am an AI chatbot trained to assist you with the Dell W-ClearPass Hardware Appliances User guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
Dell Networking
W-ClearPass
Policy Manager 6.0
User Guide
2 Dell Networking W-ClearPass Policy Manager 6.0 | User Guide
Copyright Information
Copyright
© 2013 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks
®
, Aruba
Wireless Networks
®
, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management
System
®
. Dell, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.
All rights reserved. Specifications in this manual are subject to change without notice.
Originated in the USA. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code
subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open
Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011
Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open
Source code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate
other vendors VPN client devices constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it
with respect to infringement of copyright on behalf of those vendors.
Contents
About Dell Networking W-ClearPass Policy Manager 11
Powering Up and Configuring Policy Manager Hardware 13
Server Port Overview
13
Server Port Configuration
14
Powering Off the System
15
Resetting Passwords to Factory Default
16
Generating Support Key for Technical Support
16
Policy Manager Dashboard 19
Monitoring 23
Access Tracker
23
Viewing Session Details
25
Accounting
26
OnGuard Activity
35
Analysis and Trending
37
Endpoint Profiler
37
System Monitor
38
Audit Viewer
40
Event Viewer
43
Data Filters
44
Add a Filter
45
Policy Manager Policy Model 49
Services Paradigm
49
Viewing Existing Services
52
Adding and Removing Services
52
Links to Use Cases and Configuration Instructions
53
Policy Simulation
54
Add Simulation Test
56
Import and Exporting Simulations
59
Import Simulations
59
Export Simulations
60
Export
60
ClearPass Policy Manager Profile 61
Device Profile
61
Collectors
61
DHCP
62
Sending DHCP Traffic to CPPM
62
Dell Networking W-ClearPass Policy Manager 6.0 | User Guide 3
4 Dell Networking W-ClearPass Policy Manager 6.0 | User Guide
ClearPass Onboard
62
HTTP User-Agent
62
Configuration
63
MAC OUI
63
ActiveSync Plugin
63
CPPM OnGuard
63
SNMP
63
802.1x Wireless Use Case 67
Configuring the Service
67
Web Based Authentication Use Case 73
Configuring the Service
73
MAC Authentication Use Case 79
Configuring the Service
80
TACACS+ Use Case 83
Configuring the Service
83
Single Port Use Case 87
Services 89
Architecture and Flow
89
Start Here Page
90
Policy Manager Service Types
92
Services
101
Adding Services
102
Modifying Services
104
Reordering Services
106
Authentication and Authorization 109
Architecture and Flow
109
Configuring Authentication Components
110
Adding and Modifying Authentication Methods
111
PAP
113
MSCHAP
114
EAP-MSCHAP v2
114
EAP-GTC
115
EAP-TLS
116
EAP-TTLS
118
EAP-PEAP
119
EAP-FAST
121
MAC-AUTH
126
CHAP and EAP-MD5
127
Adding and Modifying Authentication Sources
127
Generic LDAP or Active Directory
129
Kerberos
140
Generic SQL DB
141
Token Server
145
Static Host List
147
HTTP
148
Identity: Users, Endpoints, Roles and Role Mapping 153
Architecture and Flow
153
Configuring a Role Mapping Policy
154
Configuring a Role Mapping Policy
154
Adding and Modifying Role Mapping Policies
155
Policy Tab
155
Mapping Rules Tab
156
Adding and Modifying Roles
158
Local Users, Guest Users, Onboard Devices, Endpoints, and Static Host List Configuration
159
Adding and Modifying Local Users
159
Additional Available Tasks
160
Adding and Modifying Guest Users
161
Onboard Devices
163
Adding and Modifying Endpoints
164
Adding and Modifying Static Host Lists
166
Additional Available Tasks
167
Posture 169
Posture Architecture and Flow
169
Configuring Posture
171
Adding and Modifying Posture Policies
172
Configuring Posture Policy Plugins
173
ClearPass Windows Universal System Health Validator - NAP Agent
176
ClearPass Windows Universal System Health Validator - OnGuard Agent
192
ClearPass Linux Universal System Health Validator - NAP Agent
192
ClearPass Linux Universal System Health Validator - OnGuard Agent
195
ClearPass Mac OS X Universal System Health Validator - OnGuard Agent
195
Windows Security Health Validator - NAP Agent
197
Windows Security Health Validator - OnGuard Agent
198
Windows System Health Validator - NAP Agent
199
Windows System Health Validator - OnGuard Agent
199
Adding and Modifying Posture Servers
199
Dell Networking W-ClearPass Policy Manager 6.0 | User Guide 5
6 Dell Networking W-ClearPass Policy Manager 6.0 | User Guide
Microsoft NPS
200
Audit Servers 203
Architecture and Flow
203
Configuring Audit Servers
204
Built-In Audit Servers
205
Adding Auditing to a Policy Manager Service
205
Modifying Built-In Audit Servers
206
Custom Audit Servers
207
NESSUS Audit Server
207
NMAP Audit Server
209
Nessus Scan Profiles
211
Post-Audit Rules
215
Enforcement 217
Enforcement Architecture and Flow
217
Configuring Enforcement Profiles
218
RADIUS Enforcement Profiles
221
RADIUS CoA Enforcement Profiles
223
SNMP Enforcement Profiles
224
TACACS+ Enforcement Profiles
224
Application Enforcement Profiles
226
CLI Enforcement Profile
227
Agent Enforcement Profiles
228
Post Authentication Enforcement Profiles
228
Configuring Enforcement Policies
229
Network Access Devices 233
Adding and Modifying Devices
233
Adding a Device
233
Additional Available Tasks
237
Adding and Modifying Device Groups
237
Additional Available Tasks
240
Adding and Modifying Proxy Targets
240
Add a Proxy Target
241
Additional Available Tasks
242
Administration 243
Admin Users
244
Add User
244
Import Users
245
Export Users
246
Export
246
Admin Privileges
246
Import Admin Privileges
246
Export Admin Privileges
247
Export
247
Server Configuration
247
Set Date/Time
248
Change Cluster Password
250
Manage Policy Manager Zones
251
NetEvents Targets
252
Make Subscriber
252
Upload Nessus Plugins
253
Cluster-Wide Parameters
254
Collect Logs
256
Viewing Log Files
257
Backup
258
Restore
259
Shutdown/Reboot
260
Drop Subscriber
260
System Tab
260
Multiple Active Directory Domains
262
Services Control Tab
264
Service Parameters Tab
264
System Monitoring Tab
272
Network Interfaces Tab
273
Creating GREtunnels
273
Creating VLAN
274
Log Configuration
275
Local Shared Folders
277
Application Licensing
278
Adding a License
279
Activating an Application License
279
Updating a License
280
SNMP Trap Receivers
280
Add SNMP Trap Server
281
Import SNMP Trap Server
282
Export all SNMP Trap Servers
282
Export a Single SNMPTrap Server
283
Dell Networking W-ClearPass Policy Manager 6.0 | User Guide 7
8 Dell Networking W-ClearPass Policy Manager 6.0 | User Guide
Syslog Targets
283
Add Syslog Target
284
Import Syslog Target
284
Export Syslog Target
285
Export
285
Syslog Export Filters
285
Add Syslog Filter
286
Import Syslog Filter
288
Export Syslog Filter
289
Export
289
Messaging Setup
289
Endpoint Context Servers
291
MDM Servers
292
Server Certificate
293
Create Self-Signed Certificate
294
Create Certificate Signing Request
296
Export Server Certificate
298
Import Server Certificate
298
Certificate Trust List
298
Add Certificate
299
Revocation Lists
299
Add Revocation List
300
RADIUS Dictionaries
301
Import RADIUS Dictionary
302
Posture Dictionaries
302
TACACS+ Services
303
Fingerprints
304
Attributes
305
Add Attribute
306
Import Attributes
307
Export Attributes
308
Export
308
OnGuard Settings
308
Guest Portal
310
Update Portal
312
Install Update dialog box
314
Updating the Policy Manager Software
315
Upgrade the Image on a Single Policy Manager Appliance
316
Upgrade the Image on All Appliances
316
Command Line Configuration 317
Available Commands
317
Cluster Commands
319
drop-subscriber
320
list
320
make-publisher
320
make-subscriber
321
reset-database
321
set-cluster-passwd
321
set-local-passwd
322
Configure Commands
322
date
322
dns
323
hostname
323
ip
323
timezone
324
Network Commands
324
ip
324
nslookup
325
ping
325
reset
326
traceroute
326
Service commands
327
<action>
327
Show Commands
328
all-timezones
328
date
328
dns
328
domain
329
hostname
329
ip
329
license
329
timezone
330
version
330
System commands
330
boot-image
330
gen-support-key
331
Dell Networking W-ClearPass Policy Manager 6.0 | User Guide 9
10 Dell Networking W-ClearPass Policy Manager 6.0 | User Guide
install-license
331
restart
331
shutdown
332
update
332
upgrade
332
Miscellaneous Commands
333
ad auth
333
ad netjoin
334
ad netleave
334
ad testjoin
334
alias
334
backup
335
dump certchain
335
dump logs
336
dump servercert
336
exit
337
help
337
krb auth
337
krb list
338
ldapsearch
338
restore
338
quit
339
Rules Editing and Namespaces 341
Namespaces
341
Variables
347
Operators
348
Software Copyright and License Statements 351
PostgreSQL Copyright
351
GNU LGPL
351
GNU GPL
357
Lighthttpd License
362
Apache License
362
OpenSSL License
365
OpenLDAP License
371
gSOAP Public License
372
Dell Networking W-ClearPass Policy Manager 6.0 | User Guide 11
Chapter 1
About Dell Networking W-ClearPass
Policy Manager
The Dell Networking W-ClearPass Policy Manager platform provides role- and device-based network access control
across any wired, wireless and VPN. Software modules for the Dell Networking W-ClearPass Policy Manager
platform, such as Guest, Onboard, Profile, OnGuard, QuickConnect, and Insight simplify and automate device
configuration, provisioning, profiling, health checks, and guest access.
With built-in RADIUS, SNMP and TACACS+ protocols, Dell Networking W-ClearPass Policy Manager provides
device registration, device profiling, endpoint health assessments, and comprehensive reporting to automatically
enforce user and endpoint access policies as devices connect to the network.
12 DellNetworking W-ClearPass Policy Manager 6.0 | User Guide
Dell Networking W-ClearPass Policy Manager 6.0 | User Guide 13
Chapter 2
Powering Up and Configuring Policy
Manager Hardware
The Policy Manager server requires initial port configuration. Its backplane contains three ports.
Server Port Overview
Figure 1: Policy Manager Backplane
The ports in the figure above are described in the following table:
Table 1:
Device Ports
Key Port Description
A Serial Configures the ClearPass Policy Manager appliance initially, via hardwired terminal.
B -
eth0
Management
(gigabit Ethernet)
Provides access for cluster administration and appliance maintenance via web
access, CLI, or internal cluster communications.
Configuration required.
C -
eth1
Data (gigabit
Ethernet)
Provides point of contact for RADIUS, TACACS+, Web Authentication and other data-
plane requests.
Configuration optional. If not configured, requests redirected to the management
port.
14 Dell Networking W-ClearPass Policy Manager 6.0 | User Guide
Server Port Configuration
Before starting the installation, gather the following information that will need, write it in the table below, and keep
it for your records:
Table 2:
Required Information
Requirement Description
Hostname) Policy Manager
server)
Management Port IP Address
Management Port Subnet
Mask
Management Port Gateway
Data Port IP Address (optional) Data Port IP Address must not be in the same subnet as the Management Port IP
Address
Data Port Gateway (optional)
Data Port Subnet Mask
(optional)
Primary DNS
Secondary DNS
NTP Server (optional)
Perform the following steps to set up the Policy Manager appliance:
1. Connect and power on
Using the null modem cable provided, connect a serial port on the appliance to a terminal, then connect power
and switch on. The appliance immediately becomes available for configuration.
Use the following parameters for the serial port connection:
l Bit Rate: 9600
l Data Bits: 8
l Parity: None
l Stop Bits: 1
l Flow Control: None
2. Login
Later, you will create a unique appliance/cluster administration password. For now, use the following
preconfigured credentials:
login: appadmin
password: eTIPS123
This starts the Policy Manager Configuration Wizard.
3. Configure the Appliance
Replace the bolded placeholder entries in the following illustration with your local information:
Enter hostname:verne.xyzcompany.com
Enter Management Port IP Address: 192.168.5.10
Enter Management Port Subnet Mask: 255.255.255.0
Enter Management Port Gateway: 192.168.5.1
Enter Data Port IP Address: 192.168.7.55
Enter Data Port Subnet Mask: 255.255.255.0
Enter Data Port Gateway: 192.168.7.1
Enter Primary DNS: 198.168.5.3
Enter Secondary DNS: 192.168.5.1
4. Change your password
Use any string of at least six characters:
New Password:************
Confirm Password: ************
Going forward, you will use this password for cluster administration and management of the appliance.
5. Change the system date/time
Do you want to configure system date time information [y|n]: y
Please select the date time configuration options.
1) Set date time manually
2) Set date time by configuring NTP servers
Enter the option or press any key to quit: 2
Enter Primary NTP Server: pool.ntp.org
Enter Secondary NTP Server: time.nist.gov
Do you want to configure the timezone? [y|n]: y
After the timezone information is entered, you are asked to confirm the selection.
6. Commit or restart the configuration
Follow the prompts:
Proceed with the configuration [y[Y]/n[N]/q[Q]
y[Y] to continue
n[N] to start over again
q[Q] to quit
Enter the choice:Y
Successfully configured Policy Manager appliance
*************************************************************
* Initial configuration is complete.
* Use the new login password to login to the CLI.
* Exiting the CLI session in 2 minutes. Press any key to exit now.
When your Policy Manager system is up and running, navigate to the Administration > Agents and Software
Updates > Software Updates page to view and download any available software updates. Refer to "Updating the Pol-
icy Manager Software " on page 315 for more information.
Powering Off the System
Perform the following to power off the system gracefully without logging in:
Dell Networking W-ClearPass Policy Manager 6.0 | User Guide 15
16 Dell Networking W-ClearPass Policy Manager 6.0 | User Guide
l Connect to the CLI from the serial console via the front serial port and enter the following:
login: poweroff
password: poweroff
This procedure gracefully shuts down the appliance.
Resetting Passwords to Factory Default
Administrator passwords in Policy Manager can be reset to factory defaults by logging into the CLI as the
apprecovery
user. The password to log in as the
apprecovery
user is dynamically generated.
Perform the following steps to generate the recovery password:
1. Connect to the Policy Manager appliance via the front serial port (using any terminal program). See "Server Port
Configuration " on page 14 for details.
2. Reboot the system. See the restart command.
3. When the system restarts, it waits at the following prompt for 10 seconds:
Generate support keys? [y/n]:
Enter ‘y’ at the prompt. The system prompts you with the following choices:
Please select a support key generation option.
1) Generate password recovery key
2) Generate a support key
3) Generate password recovery and support keys
Enter the option or press any key to quit:
4. To generate the recovery key, select option 1 (or 3, if you want to generate a support key, as well).
5. Once the password recovery key is generated, email the key to Dell technical support. A unique password will be
generated from the recovery key and emailed back to you.
6. Enter the following at the command prompt:
[apprecovery] app reset-passwd
*******************************************************
* WARNING: This command will reset the system account *
* passwords to factory default values *
*******************************************************
Are you sure you want to continue? [y/n]: y
INFO - Password changed on local node
INFO - System account passwords have been reset to
factory default values
Generating Support Key for Technical Support
To troubleshoot certain critical system level errors,Dell technical support might need to log into a
support shell
.
Perform the following steps to generate a dynamic support password:
1. Log into the Command Line Interface (CLI) and enter the command: system gen-support-key. See gen-
support-key for details.
2. Connect to the Policy Manager appliance via the front serial port (using any terminal program). See "Server Port
Configuration " on page 14 for details.
3. Reboot the system. See the restart command.
4. When the system restarts it waits at the following prompt for 10 seconds:
Generate support keys? [y/n]:
Enter ‘y’ at the prompt. The system prompts with the following choices:
Please select a support key generation option.
1) Generate password recovery key
2) Generate a support key
3) Generate password recovery and support keys
Enter the option or press any key to quit:
5. To generate the support key, select option 2 (or 3, if you want to generate a password recovery key, as well).
6. Once the password recovery key is generated, email the key to Dell technical support. A unique password can now
be generated by Dell technical support to log into the support shell.
Dell Networking W-ClearPass Policy Manager 6.0 | User Guide 17
18 DellNetworking W-ClearPass Policy Manager 6.0 | User Guide
Dell Networking W-ClearPass Policy Manager 6.0 | User Guide 19
Chapter 3
Policy Manager Dashboard
The Policy Manager Dashboard menu allows you to display system health and other request related statistics. Policy
Manager comes pre-configured with different dashboard elements. The screen on the right of the dashboard menu is
partitioned into five fixed slots. You can drag and drop any of the dashboard elements into the five slots. The
dashboard elements are listed below:
This shows a graph of all requests processed by
Policy Manager over the past week. This includes
RADIUS, TACACS+ and WebAuth requests. The
default data filter “All Requests” is used to plot this
graph. Clicking on each bar in the graph drills down
into the Access Tracker and shows the requests for
that day.
This shows a graph of the “Healthy” vs. “Unhealthy
requests over the past week. Healthy requests are
those requests where the health state was deemed to
be healthy (based on the posture data sent from the
client). Unhealthy requests are those requests whose
health state was deemed to be quarantined (posture
data received but health status is not compliant) or
unknown (no posture data received). This includes
RADIUS and WebAuth requests. The default data
filters “Health Requests” and “Unhealthy Requests”
are used to plot this graph. Clicking on each circle on
the line graph drills down into the Access Tracker
and shows the healthy or unhealthy requests for that
day.
This shows a graph of the “Failed” vs. “Successful”
requests over the past week. This includes RADIUS,
WebAuth and TACACS+ requests. The default data
filters “Failed Requests” and “Successful Requests”
are used to plot this graph. Clicking on each circle on
the line graph drills down into the Access Tracker
and shows the failed or successful requests for that
day.
This shows a table of the last few authentications.
Clicking on a row drills down into the Access Tracker
and shows requests sorted by timestamp with the
latest request showing first.
20 Dell Networking W-ClearPass Policy Manager 6.0 | User Guide
This chart shows the graph of all profiled devices
categorized into built in categories – Smartdevices,
Access Points, Computer, VOIP phone, Datacenter
Appliance, Printer, Physical Security, Game Console,
Routers, Unknown and Conflict.
Unknown devices are devices that the profiler was
not able to profile.
Conflict indicates a conflict in the categorization of
the device. For example, if the device category
derived from the HTTP User Agent string does not
match with the category derived from DHCP
fingerprinting, a conflict is flagged, and the device is
marked as Conflict.
The Device Family widget allows you to drill down
further into each of the built-in device categories. For
example, selecting SmartDevice shows the different
kinds of smartdevices identified by Profile.
This shows a table of the last few successful
authentications. Clicking on a row drills down into
the Access Tracker and shows successful requests
sorted by timestamp with the latest request showing
first.
This shows a table of the last few failed
authentications. Clicking on a row drills down into
the Access Tracker and shows failed requests sorted
by timestamp with the latest request showing first.
This shows a bar chart with each bar representing an
Policy Manager service requests were categorized
into. Clicking on a bar drills down into the Access
Tracker and shows the requests that were
categorized into that specific service.
This shows a table of last few system level events.
Clicking on a row drills down into the Event Viewer
/