Page is loading ...
Dell Networking
W-ClearPass Policy
Manager 6.4
User Guide
2 | Dell Networking W-ClearPass Policy Manager 6.4 | User Guide
Copyright Information
© 2014 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks
®
,
Aruba Wireless Networks
®
, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility
Management System
®
. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.
All rights reserved. Specifications in this manual are subject to change without notice.
Originated in the USA. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code
subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open
Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011
Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open
Source code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to
terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or
corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that
might be taken against it with respect to infringement of copyright on behalf of those vendors.
Dell Networking W-ClearPass Policy Manager 6.4 | User Guide | 3
Contents
About Dell Networking W-ClearPass Policy Manager 1
Common Tasks in Policy Manager 1
Importing 1
Exporting 2
Powering Up and Configuring Policy Manager Hardware 5
Server Port Overview 5
Server Port Configuration 5
Powering Off the System 7
Resetting the Passwords to Factory Default 8
Generating a Support Key for Technical Support 8
Policy Manager Dashboard 11
Monitoring 17
Live Monitoring 17
Access Tracker 17
Editing the Access Tracker 18
Viewing Access Tracker Session Details 19
Accounting 24
RADIUS Accounting Record Details (Auth Sessions tab) 26
RADIUS Accounting Record Details (Details tab) 27
RADIUS Accounting Record Details (Summary tab) 27
RADIUS Accounting Record Details (Utilization tab) 29
TACACS+ Accounting Record Details (Auth Sessions tab) 31
TACACS+ Accounting Record Details (Details tab) 31
TACACS+ Accounting Record Details (Request tab) 32
OnGuard Activity 34
Bounce an Agent (non-SNMP) 35
Bouncing a Client Using SNMP 38
Broadcast Message 39
Send Message 39
Analysis and Trending 40
Endpoint Profiler 41
System Monitor 43
System Monitor tab 44
Process Monitor tab 47
Network tab 49
ClearPass tab 50
Audit Viewer 51
Viewing Audit Row Details (Add Page) 51
Viewing Audit Row Details (Modify Page) 53
4 | Dell Networking W-ClearPass Policy Manager 6.4 | User Guide
Old Data Tab 53
New Data tab 54
Inline Difference tab 55
Viewing Audit Row Details (Remove Page) 55
Event Viewer 56
Creating an Event Viewer Report Using Default Values 56
Creating an Event Viewer Report Using Custom Values 56
Viewing Report Details 57
Data Filters 58
Add a Filter 59
Blacklisted Users 61
Policy Manager Policy Model 63
Services Paradigm 63
Viewing Existing Services 66
Adding and Removing Services 67
Links to Use Cases and Configuration Instructions 68
Policy Simulation 70
Adding Simulation Test 71
Import and Export Simulations 76
Export Simulations 77
Services 79
Architecture and Flow 79
Start Here 79
802.1X Wired, 802.1X Wireless, and Dell W-Series 802.1X Wireless 81
Dell VPNAccess with Posture Checks 84
Aruba Auto Sign-On 86
ClearPass Admin Access 87
ClearPass Admin SSO Login (SAML SP Service) 89
ClearPass Identity Provider (SAMLIdP Service) 89
EDUROAM Service 90
Encrypted Wireless Access via 802.1X Public PEAP method 92
Guest Access Web Login 93
Guest Access 94
Guest MACAuthentication 95
OAuth2 API User Access 96
Onboard 96
Policy Manager Service Types 98
Dell 802.1X Wireless 98
Service Tab 99
Authentication Tab 100
Authorization Tab 102
Roles Tab 103
Posture Tab 104
Enforcement Tab 105
Audit Tab 106
Summary Tab 107
802.1X Wireless 108
802.1X Wired 108
MAC Authentication 109
Web-based Authentication 110
Web-based Health Check Only 110
Web-based Open Network Access 111
802.1X Wireless - Identity Only 112
802.1X Wired - Identity Only 113
RADIUS Enforcement (Generic) 113
RADIUS Proxy 114
RADIUS Authorization 115
TACACS+ Enforcement 116
Dell W-Series Application Authentication 116
Dell W-Series Application Authorization 117
Cisco Web Authentication Proxy 118
Services 118
Adding Services 119
Modifying Services 122
Reordering Services 124
Authentication and Authorization 127
Authentication and Authorization Architecture and Flow 127
Authentication Method 127
Authentication Source 127
Configuring Authentication Components 128
Adding and Modifying Authentication Methods 130
Authorize 132
CHAP and EAP-MD5 133
EAP-FAST 135
General Tab 136
Inner Methods Tab 137
PACs tab 138
PAC Provisioning tab 139
EAP-GTC 141
EAP-MSCHAPv2 142
EAP-PEAP 143
General Tab 143
Inner Methods Tab 144
EAP-PEAP-Public 145
General 145
Inner Methods 147
Dell Networking W-ClearPass Policy Manager 6.4 | User Guide | 5
6 | Dell Networking W-ClearPass Policy Manager 6.4 | User Guide
EAP-TLS 148
EAP-TTLS 149
General Tab 149
Inner Methods Tab 150
MAC-AUTH 151
MSCHAP 152
PAP 153
Adding and Modifying Authentication Sources 154
Generic LDAP and Active Directory 155
General Tab 155
Primary Tab 157
Attributes Tab 160
Summary Tab 169
Generic SQL DB 169
General Tab 169
Primary Tab 171
Attributes Tab 172
Summary Tab 174
HTTP 174
General Tab 174
Primary Tab 176
Attributes Tab 177
Summary Tab 178
Kerberos 178
General Tab 179
Primary Tab 180
Summary Tab 181
Okta 181
General Tab 181
Primary Tab 183
Attributes Tab 183
Summary Tab 185
Static Host List 185
General Tab 186
Static Host Lists Tab 186
Summary Tab 187
Token Server 187
General Tab 187
Primary Tab 189
Attributes Tab 190
Identity 191
Configuring Single Sign-On, Local Users, Endpoints, and Static Host Lists 192
Configuring Single Sign-On 192
Adding and Modifying Local Users 193
Adding and Modifying Endpoints 195
Additional Available Tasks 200
Adding and Modifying Static Host Lists 200
Additional Available Tasks 201
Configuring a Role and Role Mapping Policy 202
Adding and Modifying Roles 202
Adding and Modifying Role Mapping Policies 203
Policy Tab 204
Mapping Rules Tab 204
Posture 207
Posture Architecture and Flow 207
Posture Policy 207
Posture Server 207
Audit Server 207
Configuring Posture 209
Adding a Posture Policy 210
NAP Agent 210
OnGuard Agent (Persistent or Dissolvable) 212
ClearPass Mac OS X 214
ClearPass Windows Universal System Health Validator - NAP Agent 215
Windows System Health Validator - NAP Agent 215
Windows Security Health Validator - NAP Agent 216
ClearPass Linux Universal System Health Validator - OnGuard Dissolvable Agent 217
ClearPass Mac OS X Universal System Health Validator - OnGuard Agent 217
ClearPass Windows Universal System Health Validator - OnGuard Agent 225
Windows Security Health Validator - OnGuard Agent 245
Windows System Health Validator - OnGuard Agent 246
Adding and Modifying Posture Servers 247
Microsoft NPS 247
Audit Servers 249
Configuring Audit Servers 250
Built-In Audit Servers 250
Add Auditing to a Policy Manager Service 250
Modifying Built-In Audit Servers 251
Custom Audit Servers 252
Nessus Audit Server 253
NMAP Audit Server 258
Post-Audit Rules 260
Enforcement 263
Enforcement Architecture and Flow 263
Configuring Enforcement Profiles 264
Agent Enforcement 266
Dell Networking W-ClearPass Policy Manager 6.4 | User Guide | 7
8 | Dell Networking W-ClearPass Policy Manager 6.4 | User Guide
Profile tab 267
Attributes tab 267
Aruba Downloadable Role Enforcement 268
Profile tab 269
Role Configuration tab 269
Captive Portal Profile 270
Policer Profile 271
QOs Profile 272
VoIP Profile 272
NetService Configuration 273
NetDestination Configuration 273
Time Range Configuration 274
NAT Pool Configuration 274
ACL 275
Aruba RADIUS Enforcement 277
Profile tab 277
Attributes tab 277
Cisco Downloadable ACL Enforcement 278
Profile tab 278
Attributes tab 279
Cisco Web Authentication Enforcement 279
Profile tab 280
Attributes tab 280
ClearPass Entity Update Enforcement 281
Profile tab 281
Attributes tab 282
CLI Based Enforcement 282
Profile tab 283
Attributes tab 283
Filter ID Based Enforcement 284
Profile tab 284
Attributes tab 285
Generic Application Enforcement 285
Profile tab 286
Attributes tab 286
HTTP Based Enforcement 287
Profile tab 287
Attributes tab 288
RADIUS Based Enforcement 288
Profile tab 288
Attributes tab 289
RADIUS Change of Authorization (CoA) 289
Profile tab 290
Attributes tab 291
Session Restrictions Enforcement 292
Profile tab 292
Attributes tab 293
SNMP Based Enforcement 294
Profile tab 294
Attributes tab 295
TACACS+ Based Enforcement 295
Profile tab 296
Services tab 296
VLAN Enforcement 297
Profile tab 297
Attributes tab 298
Configuring Enforcement Policies 298
Network Access Devices 303
Adding and Modifying Devices 303
Adding a Device 303
Additional Available Tasks 309
Adding and Modifying Device Groups 309
Additional Available Tasks 311
Adding and Modifying Proxy Targets 311
Add a Proxy Target 312
Additional Available Tasks 312
Import a Proxy Target 312
Export all Proxy Targets 312
Export one Proxy Target 312
Delete one Proxy Target 312
Custom Admin Privileges 313
Policy Simulation 315
Active Directory Authentication 316
Simulation tab 316
Results tab 316
Application Authentication 317
Simulation tab 317
Attributes tab 317
Results tab 318
Audit 318
Results tab 319
Chained Simulation 319
Simulation tab 319
Attributes tab 320
Results tab 321
Enforcement Policy 322
Dell Networking W-ClearPass Policy Manager 6.4 | User Guide | 9
10 | Dell Networking W-ClearPass Policy Manager 6.4 | User Guide
Simulation tab 322
Attributes tab 324
Results tab 325
RADIUS Authentication 325
Simulation tab 326
Attributes tab 328
NAS Type:Aruba Wireless Controller 328
NAS Type:Aruba Wired Switch Controller 329
NAS Type:Cisco Wireless Switch 329
Results tab 330
Role Mapping 330
Simulation tab 331
Attributes tab 332
Results tab 333
Service Categorization 333
Simulation tab 333
Attributes tab 334
Results tab 335
ClearPass Policy Manager Profile 337
Device Profile 337
Collectors 337
DHCP 338
Sending DHCP Traffic to CPPM 338
ClearPass Onboard 338
HTTP User-Agent 338
MAC OUI 338
ActiveSync Plugin 339
CPPM OnGuard 339
SNMP 339
Subnet Scan 340
Profiling 340
The Profiler User Interface 341
Post Profile Actions 341
Fingerprint Dictionaries 342
Administration 343
ClearPass Portal 344
Admin Users 345
Add User 346
Import Users 346
Export Users 347
Export 347
Admin Privileges 347
Administrator Privilege XML File Structure 348
Administrator Privileges and IDs 348
Creating Custom Administrator Privileges 351
Sample Administrator Privilege XML File 352
Log Configuration 353
Server Configuration 355
Editing Server Configuration Settings 356
System Tab 357
Join AD Domain 359
Add Password Server 360
Services Control Tab 361
Service Parameters Tab 362
ClearPass Network Services Options 363
System Monitoring Tab 374
Network Tab 376
FIPS Tab 379
Set Date & Time 382
Change Cluster Password 383
Manage Policy Manager Zones 384
NetEvents Targets 385
Virtual IPSettings 386
Make Subscriber 387
Upload Nessus Plugins 387
Cluster-Wide Parameters 388
General 388
Cleanup Intervals 390
Notifications 392
Standby Publisher 393
Virtual IPConfiguration 394
Mode 395
Collect Logs 398
Backup 399
Restore 399
Shutdown/Reboot 401
Drop Subscriber 401
Local Shared Folders 401
Licensing 402
Activating an Application License 403
Activating a Server License 403
Adding an Application License 404
Updating an Application License 405
SNMP Trap Receivers 406
Adding an SNMP Trap Server 407
Exporting all SNMP Trap Servers 407
Dell Networking W-ClearPass Policy Manager 6.4 | User Guide | 11
12 | Dell Networking W-ClearPass Policy Manager 6.4 | User Guide
Exporting a Single SNMP Trap Server 408
Importing an SNMP Trap Server 408
Syslog Targets 408
Add Syslog Target 409
Import Syslog Target 410
Export Syslog Target 410
Export 410
Syslog Export Filters 411
Import Syslog Filter 411
Export Syslog Filter 412
Export 412
Adding a Syslog Export Filter (Filter and Columns tab) 412
Session Logs 412
Insight Logs 413
Adding a Syslog Export Filter (General tab) 414
Adding a Syslog Export Filter (Summary tab) 416
Messaging Setup 416
Endpoint Context Servers 418
Adding an Endpoint Context Server 419
Modify an endpoint context server 419
Delete an endpoint context server 419
Adding an AirWatch Endpoint Context Server 419
Adding an AirWave Endpoint Context Server 421
Adding an Aruba Activate Endpoint Context Server 422
Adding a ClearPass Cloud Proxy Endpoint Context Server 424
Adding a Generic HTTP Endpoint Context Server 425
Adding a JAMF Endpoint Context Server 426
Adding a MaaS360 Endpoint Context Server 427
Adding a MobileIron Endpoint Context Server 429
Adding a Palo Alto Networks Firewall 430
Adding a Palo Alto Networks Panorama Endpoint Context Server 431
Adding a SAP Afaria Endpoint Context Server 432
Adding an SOTI Endpoint Context Server 434
Adding a XenMobile Endpoint Context Server 435
Server Certificate 436
Server Certificate Page Overview 437
Server Certificate Page (RADIUS Server Certificate Type) 437
Server Certificate Page (HTTPS Server Certificate Type) 438
Creating a Certificate Signing Request 439
Creating a Self-Signed Certificate 442
Installing the self-signed certificate 445
Exporting a Server Certificate 447
Importing a Server Certificate 447
Certificate Trust List 447
Add Certificate 448
Revocation Lists 449
Adding a Revocation List 449
Dictionaries 450
RADIUS Dictionary 450
Import RADIUS Dictionary 451
Posture Dictionary 452
TACACS+ Services Dictionary 453
Fingerprints Dictionary 454
Attributes Dictionary 455
Adding Attributes 456
Import Attributes 457
Export Attributes 458
Export 458
Applications Dictionary 458
View an application dictionary 459
Delete an application dictionary 459
Endpoint Context Server Actions 459
Filtering an Endpoint Context Server Action Report 460
Viewing Details About Endpoint Context Server Actions 460
Adding an Endpoint Context Server Action Item 460
Import Context Server Actions 461
Export Context Server Actions 462
OnGuard Settings 463
Software Updates 465
Install Update Dialog Box 468
Reinstalling a Patch 469
Uninstalling a Skin, Translation, or Plugin 470
Updating the Policy Manager Software 471
Upgrade the Image on a Single Policy Manager Appliance 471
Upgrade the Image on all Appliances 472
Support 472
Contact Support 472
Remote Assistance 473
Remote Assistance Process Flow Description 473
Adding a Remote Assistance Session 474
Documentation 476
Command Line Interface 477
Available Commands 477
Cluster Commands 479
drop-subscriber 480
list 480
Dell Networking W-ClearPass Policy Manager 6.4 | User Guide | 13
14 | Dell Networking W-ClearPass Policy Manager 6.4 | User Guide
make-publisher 481
make-subscriber 481
reset-database 481
set-cluster-passwd 482
set-local-passwd 482
Configure Commands 482
date 482
dns 483
fips-mode 484
hostname 484
ip 484
ip6 485
mtu 486
timezone 487
Network Commands 487
ip 487
ip6 489
nslookup 490
ping 491
ping6 491
reset 492
traceroute 492
traceroute6 493
Service Commands 493
<action> 493
Show Commands 494
all-timezones 494
date 495
dns 495
domain 495
fipsmode 495
hostname 496
ip 496
license 497
timezone 497
version 497
System Commands 498
apps-access-reset 498
boot-image 498
gen-recovery-key 499
gen-support-key 499
install-license 499
morph-vm 500
refresh-license 500
restart 500
shutdown 501
sso-reset 501
start-rasession 501
status-rasession 501
terminate-rasession 502
update 502
upgrade 502
Miscellaneous Commands 504
ad auth 505
ad netjoin 505
ad netleave 505
ad testjoin 506
alias 506
backup 506
dump certchain 507
dump logs 507
dump servercert 508
exit 508
help 509
krb auth 509
krb list 509
ldapsearch 510
quit 510
restore 510
system start-rasession 511
system terminate-rasession 512
system status-rasession 512
Rules Editing and Namespaces 513
Namespaces 513
Application Namespace 514
Audit Namespaces 515
Authentication Namespaces 515
Authentication namespace editing context 516
Authorization Namespaces 517
Authorization editing context 517
AD Instance Namespace 517
Authorization 517
LDAP Instance Namespace 517
RSAToken Instance Namespace 517
Sources 518
SQL Instance Namespace 518
Dell Networking W-ClearPass Policy Manager 6.4 | User Guide | 15
16 | Dell Networking W-ClearPass Policy Manager 6.4 | User Guide
Certificate Namespaces 518
Certificate namespace editing context 518
Connection Namespaces 519
Connection namespace editing contexts 519
Date Namespaces 520
Date namespace editing contexts 520
Device Namespaces 520
Endpoint Namespaces 521
Guest User Namespaces 521
Host Namespaces 521
Local User Namespaces 521
Posture Namespaces 522
Posture Namespace Editing Context 522
RADIUS Namespaces 522
RADIUS namespace editing contexts 522
Tacacs Namespaces 523
Tips Namespaces 523
Role 523
Posture 523
Tips namespace editing context 523
Variables 523
Operators 524
Error Codes, SNMP Traps, and System Events 529
Error Codes 529
SNMP Trap Details 532
SNMP Daemon Trap Events 533
CPPM Processes Stop and Start Events 533
Network Interface up and Down Events 533
Disk Utilization Threshold Exceed Events 533
CPU Load Average Exceed Events for 1, 5, and 15 Minute Thresholds 533
SNMP Daemon Traps 533
Process Status Traps 533
1 (a) RADIUS server stop SNMP trap 533
1 (b) RADIUS server start SNMP trap 534
2 (a) Admin Server stop SNMP trap 534
2 (b) Admin Server start SNMP trap 534
3 (a) System Auxiliary server stop SNMP trap 534
3 (b) System Auxiliary server start SNMP trap 535
4 (a) Policy server stop SNMP trap 535
4 (b) Policy server start SNMP trap 535
5 (a) Async DB write service stop SNMP trap 535
5 (b) Async DB write service start SNMP trap 536
6 (a) DB replication service stop SNMP trap 536
6 (b) DB replication service start SNMP trap 536
7 (a) DB Change Notification server stop SNMP trap 536
7 (b) DB Change Notification server start SNMP trap 537
8 (a) Async netd service stop SNMP trap 537
8 (b) Async netd service start SNMP trap 537
9 (a) Multi-master Cache service stop SNMP trap 537
9 (b) Multi-master Cache service start SNMP trap 538
10 (a) AirGroup Notification service stop SNMP trap 538
10 (b) AirGroup Notification service start SNMP trap 538
11 (a) Micros Fidelio FIAS service stop SNMP trap 538
11 (b) Micros Fidelio FIAS service start SNMP trap 539
12 (a) TACACS server stop SNMP trap 539
12 (b) TACACS server start SNMP trap 539
13 (a) Virtual IP service stop SNMP trap 539
13 (b) Virtual IP service start SNMP trap 540
14 (a) Stats Collection service stop SNMP trap 540
14 (b) Stats Collection service start SNMP trap 540
15 (a) Stats Aggregation service stop SNMP trap 540
15 (b) stats Aggregation service start SNMP trap 541
Network Interface Status Traps 541
Disk Space Threshold Traps 541
CPU Load Average Traps 542
Important System Events 542
Admin UI Events 543
Critical Events 543
Info Events 543
Admin Server Events 543
Info Events 543
Async Service Events 543
Info Events 543
ClearPass/Domain Controller Events 543
Critical Events 543
Info Events 543
ClearPass System Configuration Events 544
Critical Events 544
Info Events 544
ClearPass Update Events 544
Critical Events 544
Info Events 544
Cluster Events 544
Critical Events 544
Info Events 544
Command Line Events 545
Dell Networking W-ClearPass Policy Manager 6.4 | User Guide | 17
18 | Dell Networking W-ClearPass Policy Manager 6.4 | User Guide
Info Events 545
DB Replication Services Events 545
Info Events 545
Licensing Events 545
Critical Events 545
Info Events 545
Policy Server Events 545
Info Events 545
RADIUS/TACACS+ Server Events 545
Critical Events 545
Info Events 545
SNMPEvents 546
Critical Events 546
Info Events 546
Support Shell Events 546
Info Events 546
System Auxiliary Service Events 546
Info Events 546
System Monitor Events 546
Critical Events 546
Info Events 546
Service Names 546
Use Cases 549
802.1X Wireless Use Case 549
Configuring the Service 550
Web Based Authentication Use Case 556
Configuring the Service 557
MAC Authentication Use Case 564
Configuring the Service 564
TACACS+ Use Case 567
Configuring the Service 567
Single Port Use Case 569
OnGuard Dissolvable Agent 571
Native Agents Only Mode 571
Configuring Workflow in Native Agents Only Mode 571
End-to-end flow in Native Agents Only Mode 572
Auto-Login 576
Troubleshooting 576
Native Agents with Java Fallback Mode 576
Configuring Native Agents with Java Fallback Mode 576
End-to-end flow in Native Agents with Java Fallback Mode 577
Configuring Web Agent Flow - Java Only Mode 578
Configuring Web Agent Flow in Dell Networking W-ClearPass Policy Manager 578
20 | Dell Networking W-ClearPass Policy Manager 6.4 | User Guide
/