Dell W-ClearPass Virtual Appliances User guide

Dell Networking

W-ClearPass

Policy Manager 6.2

User Guide

2 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide

Copyright Information

Copyright

®

, Aruba

Wireless Networks

®

, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System

®

.

Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.

Originated in the USA. All other trademarks are the property of their respective owners.

Open Source Code

Certain Aruba products include Open Source software code developed by third parties, including software code subject

to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source

code used can be found at this site:

http://www.arubanetworks.com/open_source

Legal Notice

The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate

other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for

this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it

with respect to infringement of copyright on behalf of those vendors.

Contents

About Dell Networking W-ClearPass Policy Manager 12

Common Tasks in Policy Manager 12

Importing 12

Exporting 13

Powering Up and Configuring Policy Manager Hardware 14

Server Port Overview 14

Server Port Configuration 15

Powering Off the System 17

Resetting Passwords to Factory Default 17

Generating Support Key for Technical Support 17

Policy Manager Dashboard 20

Monitoring 24

Access Tracker 24

Viewing Session Details 25

Accounting 26

OnGuard Activity 33

Analysis and Trending 35

Endpoint Profiler 36

System Monitor 37

Audit Viewer 39

Event Viewer 41

Data Filters 42

Add a Filter 43

Policy Manager Policy Model 46

Services Paradigm 46

Viewing Existing Services 49

Adding and Removing Services 49

Links to Use Cases and Configuration Instructions 50

Policy Simulation 52

Add Simulation Test 53

Import and Exporting Simulations 58

Import Simulations 58

Export Simulations 59

Export 59

ClearPass Policy Manager Profile 60

Device Profile 60

Collectors 60

DHCP 61

Sending DHCP Traffic to CPPM 61

ClearPass Onboard 61

Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 3

4 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide

HTTP User-Agent 61

Configuration 61

MAC OUI 61

ActiveSync Plugin 62

CPPM OnGuard 62

SNMP 62

Services 66

Architecture and Flow 66

Start Here Page 67

Policy Manager Service Types 69

Services 80

Adding Services 81

Modifying Services 84

Reordering Services 85

Authentication and Authorization 88

Architecture and Flow 88

Configuring Authentication Components 89

Adding and Modifying Authentication Methods 90

PAP 92

MSCHAP 93

EAP-MSCHAP v2 94

EAP-GTC 94

EAP-TLS 95

EAP-TTLS 97

EAP-PEAP 98

EAP-FAST 100

MAC-AUTH 105

CHAP and EAP-MD5 105

Authorize 107

Adding and Modifying Authentication Sources 107

Generic LDAP or Active Directory 108

AD/LDAPConfigure Filter Browse tab 115

AD/LDAPConfigure Filter, Filter Tab 115

AD/LDAP Configure Filter Attributes Tab 118

AD/LDAP Configure Filter Configuration Tab 119

Modify Default Filters 119

Generic SQL DB (Open Data Base Connectivity (ODBC) compliant SQL Databases) 120

HTTP 123

Kerberos 126

Okta 128

Static Host List 130

Token Server 132

Identity: Users, Endpoints, Roles and Role Mapping 136

Architecture and Flow 136

Configuring a Role Mapping Policy 136

Configuring a Role Mapping Policy 137

Adding and Modifying Role Mapping Policies 137

Policy Tab 138

Mapping Rules Tab 138

Adding and Modifying Roles 140

Local Users, Guest Users, Onboard Devices, Endpoints, and Static Host List Configuration 140

Adding and Modifying Local Users 141

Additional Available Tasks 142

Adding and Modifying Guest Users 142

Onboard Devices 144

Adding and Modifying Endpoints 145

Adding and Modifying Static Host Lists 147

Additional Available Tasks 148

Posture 150

Posture Architecture and Flow 150

Configuring Posture 151

Adding and Modifying Posture Policies 152

Configuring Posture Policy Plugins 153

ClearPass Windows Universal System Health Validator - NAP Agent 156

Processes to be Present 158

Processes to be Absent 160

Registry Keys to be Absent 162

Configure Network Connection Type 171

ClearPass Windows Universal System Health Validator - OnGuard Agent 172

ClearPass Linux Universal System Health Validator - NAP Agent 172

ClearPass Linux Universal System Health Validator - OnGuard Agent 174

ClearPass Mac OS X Universal System Health Validator - OnGuard Agent 174

Windows Security Health Validator - NAP Agent 176

Windows Security Health Validator - OnGuard Agent 176

Windows System Health Validator - NAP Agent 176

Windows System Health Validator - OnGuard Agent 177

Adding and Modifying Posture Servers 177

Microsoft NPS 178

Audit Servers 180

Architecture and Flow 180

Configuring Audit Servers 180

Built-In Audit Servers 181

Adding Auditing to a Policy Manager Service 181

Modifying Built-In Audit Servers 182

Custom Audit Servers 183

Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 5

6 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide

NESSUS Audit Server 183

NMAP Audit Server 185

Nessus Scan Profiles 186

Post-Audit Rules 189

Enforcement 192

Enforcement Architecture and Flow 192

Configuring Enforcement Profiles 193

RADIUS Enforcement Profiles 196

RADIUS CoA Enforcement Profiles 198

SNMP Enforcement Profiles 198

TACACS+ Enforcement Profiles 199

Application Enforcement Profiles 201

CLI Enforcement Profile 202

Agent Enforcement Profiles 202

Post Authentication Enforcement Profiles 203

Configuring Enforcement Policies 204

Network Access Devices 208

Adding and Modifying Devices 208

Adding a Device 208

Additional Available Tasks 212

Adding and Modifying Device Groups 212

Additional Available Tasks 214

Adding and Modifying Proxy Targets 214

Add a Proxy Target 214

Additional Available Tasks 215

Administration 216

Admin Users 216

Add User 217

Import Users 218

Export Users 218

Export 218

Admin Privileges 219

Custom Admin Privileges 219

Create a Custom Admin Privilege 219

Admin Privilege XML Structure 219

Admin Privileges and IDs 220

Sample Admin Privilege XML 222

Server Configuration 223

Set Date/Time 224

Change Cluster Password 225

Manage Policy Manager Zones 226

NetEvents Targets 227

Virtual IPSettings 227

Make Subscriber 228

Upload Nessus Plugins 229

Cluster-Wide Parameters 229

Collect Logs 233

Viewing Log Files 234

Backup 235

Restore 236

Shutdown/Reboot 237

Drop Subscriber 237

System Tab 237

Multiple Active Directory Domains 238

Services Control Tab 240

Service Parameters Tab 240

System Monitoring Tab 248

Network Tab 249

Creating GREtunnels 249

Creating VLAN 250

Defining Access Restrictions 251

Log Configuration 252

Local Shared Folders 254

Server and Application Licensing 254

Activate a Server License 255

Add an Application License 256

Activate an Application License 256

Update an Application License 257

SNMP Trap Receivers 257

Add SNMP Trap Server 258

Import SNMP Trap Server 259

Export all SNMP Trap Servers 259

Export a Single SNMPTrap Server 259

Syslog Targets 260

Add Syslog Target 260

Import Syslog Target 261

Export Syslog Target 262

Export 262

Syslog Export Filters 262

Add Syslog Filter 263

Import Syslog Filter 264

Export Syslog Filter 265

Export 265

Messaging Setup 265

Endpoint Context Servers 268

Add an endpoint context server 268

Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 7

8 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide

Modify an endpoint context server 268

Delete an endpoint context server 268

Endpoint Context Server Configuration Details 269

Server Certificate 269

Create Self-Signed Certificate 270

Create Certificate Signing Request 272

Export Server Certificate 273

Import Server Certificate 273

Certificate Trust List 274

Add Certificate 274

Revocation Lists 275

Add Revocation List 275

RADIUS Dictionaries 276

Import RADIUS Dictionary 277

Posture Dictionaries 278

TACACS+ Services 278

Fingerprints 279

Attributes 280

Add Attribute 281

Import Attributes 282

Export Attributes 282

Export 282

Application Dictionaries 283

View an application dictionary 283

Delete an application dictionary 283

OnGuard Settings 283

OnGuard Portal 285

Update Portal 288

Install Update dialog box 289

Updating the Policy Manager Software 290

Upgrade the Image on a Single Policy Manager Appliance 291

Upgrade the Image on All Appliances 291

Command Line Configuration 292

Available Commands 292

Cluster Commands 294

drop-subscriber 295

list 295

make-publisher 295

make-subscriber 296

reset-database 296

set-cluster-passwd 296

set-local-passwd 297

Configure Commands 297

date 297

dns 298

hostname 298

ip 298

timezone 299

Network Commands 299

ip 299

nslookup 300

ping 300

reset 301

traceroute 301

Service commands 301

<action> 302

Show Commands 302

all-timezones 303

date 303

dns 303

domain 303

hostname 304

ip 304

license 304

timezone 305

version 305

System commands 305

boot-image 305

gen-support-key 306

install-license 306

restart 306

shutdown 306

update 307

upgrade 307

Miscellaneous Commands 308

ad auth 308

ad netjoin 308

ad netleave 309

ad testjoin 309

alias 309

backup 310

dump certchain 310

dump logs 310

dump servercert 311

exit 311

help 311

Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 9

10 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide

krb auth 312

krb list 312

ldapsearch 312

restore 313

quit 313

Rules Editing and Namespaces 314

Namespaces 314

Variables 320

Operators 320

Error Codes, SNMP Traps, and System Events 324

Error Codes 324

SNMPTrap Details 327

Example 1 327

Example 2 328

CPPMProcesses and OIDs 328

CPU Load Average Traps 328

Disk space threshold traps: 328

Network interface status traps: 328

Important System Events 329

Admin UI Events 329

Critical Events 329

Info Events 329

Admin Server Events 329

Info Events 329

Async Service Events 329

Info Events 329

ClearPass/Domain Controller Events 330

Critical Events 330

Info Events 330

ClearPass System Configuration Events 330

Critical Events 330

Info Events 330

ClearPass Update Events 330

Critical Events 330

Info Events 330

Cluster Events 331

Critical Events 331

Info Events 331

Command Line Events 331

Info Events 331

DB Replication Services Events 331

Info Events 331

Licensing Events 331

Critical Events 331

Info Events 331

Policy Server Events 331

Info Events 331

RADIUS/TACACS+ Server Events 331

Critical Events 331

Info Events 332

SNMPEvents 332

Critical Events 332

Info Events 332

Support Shell Events 332

Info Events 332

System Auxiliary Service Events 332

Info Events 332

System Monitor Events 332

Critical Events 332

Info Events 332

Service Names 333

Use Cases 334

802.1x Wireless Use Case 336

Configuring the Service 336

Dell Web Based Authentication Use Case 344

Configuring the Service 344

MAC Authentication Use Case 350

Configuring the Service 350

TACACS+ Use Case 354

Configuring the Service 354

Single Port Use Case 356

Software Copyright and License Statements 358

PostgreSQL Copyright 358

GNU LGPL 358

GNU GPL 363

Lighthttpd License 367

Apache License 367

OpenSSL License 369

OpenLDAP License 372

gSOAP Public License 373

Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 11

Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 12

Chapter 1

About Dell Networking W-ClearPass

Policy Manager

The Dell Networking W-ClearPass Policy Manager platform provides role- and device-based network access control

across any wired, wireless and VPN. Software modules for the Dell Networking W-ClearPass Policy Manager platform,

such as Guest, Onboard, Profile, OnGuard, QuickConnect, and Insight simplify and automate device configuration,

provisioning, profiling, health checks, and guest access.

With built-in RADIUS, SNMP and TACACS+ protocols, Dell Networking W-ClearPass Policy Manager provides

device registration, device profiling, endpoint health assessments, and comprehensive reporting to automatically

enforce user and endpoint access policies as devices connect to the network.

Common Tasks in Policy Manager

As you work in Policy Manager, you'll encounter many things that work similarly in different places. For example,

importing or exporting from a list of items. This section explains how to do these common tasks.

l "Importing" on page 12

l "Exporting" on page 13.

Importing

On most pages with lists in Dell Networking W-ClearPass Policy Manager, you can import the information about one

or more items. That information is stored as an XML file, and this file can be password protected. The tags and

attributes in the XMLfile are explained in the APIGuide.

To import into Policy Manager

1. Click the Import link. The Import from File dialog box appears.

2. Click Browse and select the file you want to import from your hard drive.

The file must be an XMLfile in the correct format. If you've exported files from different places in Policy Manager,

make sure you're selecting the correct one. The APIGuide contains more information about the format and contents

of these XMLfiles.

3. If the file is password protected, enter the password (secret).

4. Click Import.

13 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide

Exporting

On most pages with lists in Dell Networking W-ClearPass Policy Manager, you can export the information about one

or more items. That information is exported as an XML file, and this file can be password protected. The tags and

attributes in the XMLfile are explained in the APIGuide. You can:

l Export all the items.

l Export one or more items.

To export all the items in a list

1. Click the Export link. The Export to File dialog box appears.

2. If you want the file password protected, select Yes and enter a password twice (in the Secret Key and Verify Secret

fields). If you do not want the file passowrd protected, select No.

3. Click Export.

Depending on which browser you use, the file is automatically saved to your hard drive or you are asked to save it,

and you may be asked where.

To export one or more items in a list

1. Select the check box next to the items you want to export.

2. Click the Export button at the bottom of the list. The Export to File dialog box appears.

3. If you want the file password protected, select Yes and enter a password twice (in the Secret Key and Verify Secret

fields). If you do not want the file passowrd protected, select No.

4. Click Export.

Depending on which browser you use, the file is automatically saved to your hard drive or you are asked to save it,

and you may be asked where.

Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 14

Chapter 2

Powering Up and Configuring Policy

Manager Hardware

The Policy Manager server requires initial port configuration. Its backplane contains three ports.

Server Port Overview

Figure 1 Policy Manager Backplane

The ports in the figure above are described in the following table:

Table 1:

Device Ports

Key Port Description

A Serial Configures the ClearPass Policy Manager appliance initially, via hardwired

terminal.

B -

eth0

Management

(gigabit Ethernet)

Provides access for cluster administration and appliance maintenance via

web access, CLI, or internal cluster communications.

Configuration required.

C -

eth1

Data (gigabit

Ethernet)

Provides point of contact for RADIUS, TACACS+, Web Authentication and

other data-plane requests.

Configuration optional. If not configured, requests redirected to the

management port.

15 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide

Server Port Configuration

Before starting the installation, gather the following information that will need, write it in the table below, and keep it

for your records:

Table 2:

Required Information

Requirement Value for Your Installation

Hostname) Policy Manager

server)

Management Port IP

Address

Management Port Subnet

Mask

Management Port Gateway

Data Port IP Address

(optional)

Data Port IP Address must not be in the same subnet as the Management

Port IP Address

Data Port Gateway

(optional)

Data Port Subnet Mask

(optional)

Primary DNS

Secondary DNS

NTP Server (optional)

Perform the following steps to set up the Policy Manager appliance:

1. Connect and power on

Using the null modem cable provided, connect a serial port on the appliance to a terminal, then connect power and

switch on. The appliance immediately becomes available for configuration.

Use the following parameters for the serial port connection:

l Bit Rate: 9600

l Data Bits: 8

l Parity: None

l Stop Bits: 1

l Flow Control: None

2. Login

Later, you will create a unique appliance/cluster administration password. For now, use the following preconfigured

credentials:

login: appadmin

password: eTIPS123

This starts the Policy Manager Configuration Wizard.

3. Configure the Appliance

Replace the bolded placeholder entries in the following illustration with your local information:

Enter hostname:verne.xyzcompany.com

Enter Management Port IP Address: 192.168.5.10

Enter Management Port Subnet Mask: 255.255.255.0

Enter Management Port Gateway: 192.168.5.1

Enter Data Port IP Address: 192.168.7.55

Enter Data Port Subnet Mask: 255.255.255.0

Enter Data Port Gateway: 192.168.7.1

Enter Primary DNS: 198.168.5.3

Enter Secondary DNS: 192.168.5.1

4. Change your password

Use any string of at least six characters:

New Password:************

Confirm Password: ************

Going forward, you will use this password for cluster administration and management of the appliance.

5. Change the system date/time

Do you want to configure system date time information [y|n]: y

Please select the date time configuration options.

1) Set date time manually

2) Set date time by configuring NTP servers

Enter the option or press any key to quit: 2

Enter Primary NTP Server: pool.ntp.org

Enter Secondary NTP Server: time.nist.gov

Do you want to configure the timezone? [y|n]: y

After the timezone information is entered, you are asked to confirm the selection.

6. Commit or restart the configuration

Follow the prompts:

Proceed with the configuration [y[Y]/n[N]/q[Q]

y[Y] to continue

n[N] to start over again

q[Q] to quit

Enter the choice:Y

Successfully configured Policy Manager appliance

*************************************************************

* Initial configuration is complete.

* Use the new login password to login to the CLI.

* Exiting the CLI session in 2 minutes. Press any key to exit now.

When your Policy Manager system is up and running, navigate to the Administration > Agents and Software Updates

> Software Updates page to view and download any available software updates. Refer to "Updating the Policy

Manager Software " on page 290 for more information.

Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 16

17 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide

Powering Off the System

Perform the following to power off the system gracefully without logging in:

l Connect to the CLI from the serial console via the front serial port and enter the following:

login: poweroff

password: poweroff

This procedure gracefully shuts down the appliance.

Resetting Passwords to Factory Default

Administrator passwords in Policy Manager can be reset to factory defaults by logging into the CLI as the apprecovery

user. The password to log in as the apprecovery user is dynamically generated.

Perform the following steps to generate the recovery password:

1. Connect to the Policy Manager appliance via the front serial port (using any terminal program). See "Server Port

Configuration " on page 15 for details.

2. Reboot the system. See the restart command.

3. When the system restarts, it waits at the following prompt for 10 seconds:

Generate support keys? [y/n]:

Enter ‘y’ at the prompt. The system prompts you with the following choices:

Please select a support key generation option.

1) Generate password recovery key

2) Generate a support key

3) Generate password recovery and support keys

Enter the option or press any key to quit:

4. To generate the recovery key, select option 1 (or 3, if you want to generate a support key, as well).

5. Once the password recovery key is generated, email the key to Dell technical support. A unique password will be

generated from the recovery key and emailed back to you.

6. Enter the following at the command prompt:

[apprecovery] app reset-passwd

*******************************************************

* WARNING: This command will reset the system account *

* passwords to factory default values *

*******************************************************

Are you sure you want to continue? [y/n]: y

INFO - Password changed on local node

INFO - System account passwords have been reset to

factory default values

Generating Support Key for Technical Support

To troubleshoot certain critical system level errors, Dell technical support might need to log into a support shell.

Perform the following steps to generate a dynamic support password:

1. Log into the Command Line Interface (CLI) and enter the command: system gen-support-key. See gen-support-

key for details.

2. Connect to the Policy Manager appliance via the front serial port (using any terminal program). See "Server Port

Configuration " on page 15 for details.

3. Reboot the system. See the restart command.

4. When the system restarts it waits at the following prompt for 10 seconds:

Generate support keys? [y/n]:

Enter ‘y’ at the prompt. The system prompts with the following choices:

Please select a support key generation option.

1) Generate password recovery key

2) Generate a support key

3) Generate password recovery and support keys

Enter the option or press any key to quit:

5. To generate the support key, select option 2 (or 3, if you want to generate a password recovery key, as well).

6. Once the password recovery key is generated, email the key to Dell technical support. A unique password can now

be generated by Dell technical support to log into the support shell.

Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 18

19 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide

Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 20

Chapter 3

Policy Manager Dashboard

The Policy Manager Dashboard menu allows you to display system health and other request related statistics. Policy

Manager comes pre-configured with different dashboard elements. The screen on the right of the dashboard menu is

partitioned into five fixed slots. You can drag and drop any of the dashboard elements into the five slots. The

dashboard elements are listed below:

This shows a graph of all requests processed by

Policy Manager over the past week. This includes

RADIUS, TACACS+ and WebAuth requests. The

default data filter “All Requests” is used to plot

this graph. Clicking on each bar in the graph drills

down into the Access Tracker and shows the

requests for that day.

This shows a graph of the “Healthy” vs.

“Unhealthy” requests over the past week. Healthy

requests are those requests where the health

state was deemed to be healthy (based on the

posture data sent from the client). Unhealthy

requests are those requests whose health state

was deemed to be quarantined (posture data

received but health status is not compliant) or

unknown (no posture data received). This

includes RADIUS and WebAuth requests. The

default data filters “Health Requests” and

“Unhealthy Requests” are used to plot this graph.

Clicking on each circle on the line graph drills

down into the Access Tracker and shows the

healthy or unhealthy requests for that day.

This shows a graph of the “Failed” vs.

“Successful” requests over the past week. This

includes RADIUS, WebAuth and TACACS+

requests. The default data filters “Failed

Requests” and “Successful Requests” are used to

plot this graph. Clicking on each circle on the line

graph drills down into the Access Tracker and

shows the failed or successful requests for that

day.

This shows a table of the last few authentications.

Clicking on a row drills down into the Access

Tracker and shows requests sorted by timestamp

with the latest request showing first.

Page is loading ...

Dell W-ClearPass Virtual Appliances User guide

This manual is also suitable for

Dell W-ClearPass Virtual Appliances User guide

Related papers

Other documents