2. Computers & electronics
  3. Software
  4. Dell
  5. W-ClearPass Virtual Appliances

Dell W-ClearPass Virtual Appliances, W-ClearPass Hardware Appliances User guide

  • Hello! I am an AI chatbot trained to assist you with the Dell W-ClearPass Virtual Appliances User guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
Dell Networking
W-ClearPass
Policy Manager 6.2
User Guide
2 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide
Copyright Information
Copyright
© 2013 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks
®
, Aruba
Wireless Networks
®
, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System
®
.
Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.
All rights reserved. Specifications in this manual are subject to change without notice.
Originated in the USA. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject
to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source
Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011
Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open Source
code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate
other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it
with respect to infringement of copyright on behalf of those vendors.
Contents
About Dell Networking W-ClearPass Policy Manager 12
Common Tasks in Policy Manager 12
Importing 12
Exporting 13
Powering Up and Configuring Policy Manager Hardware 14
Server Port Overview 14
Server Port Configuration 15
Powering Off the System 17
Resetting Passwords to Factory Default 17
Generating Support Key for Technical Support 17
Policy Manager Dashboard 20
Monitoring 24
Access Tracker 24
Viewing Session Details 25
Accounting 26
OnGuard Activity 33
Analysis and Trending 35
Endpoint Profiler 36
System Monitor 37
Audit Viewer 39
Event Viewer 41
Data Filters 42
Add a Filter 43
Policy Manager Policy Model 46
Services Paradigm 46
Viewing Existing Services 49
Adding and Removing Services 49
Links to Use Cases and Configuration Instructions 50
Policy Simulation 52
Add Simulation Test 53
Import and Exporting Simulations 58
Import Simulations 58
Export Simulations 59
Export 59
ClearPass Policy Manager Profile 60
Device Profile 60
Collectors 60
DHCP 61
Sending DHCP Traffic to CPPM 61
ClearPass Onboard 61
Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 3
4 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide
HTTP User-Agent 61
Configuration 61
MAC OUI 61
ActiveSync Plugin 62
CPPM OnGuard 62
SNMP 62
Services 66
Architecture and Flow 66
Start Here Page 67
Policy Manager Service Types 69
Services 80
Adding Services 81
Modifying Services 84
Reordering Services 85
Authentication and Authorization 88
Architecture and Flow 88
Configuring Authentication Components 89
Adding and Modifying Authentication Methods 90
PAP 92
MSCHAP 93
EAP-MSCHAP v2 94
EAP-GTC 94
EAP-TLS 95
EAP-TTLS 97
EAP-PEAP 98
EAP-FAST 100
MAC-AUTH 105
CHAP and EAP-MD5 105
Authorize 107
Adding and Modifying Authentication Sources 107
Generic LDAP or Active Directory 108
AD/LDAPConfigure Filter Browse tab 115
AD/LDAPConfigure Filter, Filter Tab 115
AD/LDAP Configure Filter Attributes Tab 118
AD/LDAP Configure Filter Configuration Tab 119
Modify Default Filters 119
Generic SQL DB (Open Data Base Connectivity (ODBC) compliant SQL Databases) 120
HTTP 123
Kerberos 126
Okta 128
Static Host List 130
Token Server 132
Identity: Users, Endpoints, Roles and Role Mapping 136
Architecture and Flow 136
Configuring a Role Mapping Policy 136
Configuring a Role Mapping Policy 137
Adding and Modifying Role Mapping Policies 137
Policy Tab 138
Mapping Rules Tab 138
Adding and Modifying Roles 140
Local Users, Guest Users, Onboard Devices, Endpoints, and Static Host List Configuration 140
Adding and Modifying Local Users 141
Additional Available Tasks 142
Adding and Modifying Guest Users 142
Onboard Devices 144
Adding and Modifying Endpoints 145
Adding and Modifying Static Host Lists 147
Additional Available Tasks 148
Posture 150
Posture Architecture and Flow 150
Configuring Posture 151
Adding and Modifying Posture Policies 152
Configuring Posture Policy Plugins 153
ClearPass Windows Universal System Health Validator - NAP Agent 156
Processes to be Present 158
Processes to be Absent 160
Registry Keys to be Absent 162
Configure Network Connection Type 171
ClearPass Windows Universal System Health Validator - OnGuard Agent 172
ClearPass Linux Universal System Health Validator - NAP Agent 172
ClearPass Linux Universal System Health Validator - OnGuard Agent 174
ClearPass Mac OS X Universal System Health Validator - OnGuard Agent 174
Windows Security Health Validator - NAP Agent 176
Windows Security Health Validator - OnGuard Agent 176
Windows System Health Validator - NAP Agent 176
Windows System Health Validator - OnGuard Agent 177
Adding and Modifying Posture Servers 177
Microsoft NPS 178
Audit Servers 180
Architecture and Flow 180
Configuring Audit Servers 180
Built-In Audit Servers 181
Adding Auditing to a Policy Manager Service 181
Modifying Built-In Audit Servers 182
Custom Audit Servers 183
Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 5
6 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide
NESSUS Audit Server 183
NMAP Audit Server 185
Nessus Scan Profiles 186
Post-Audit Rules 189
Enforcement 192
Enforcement Architecture and Flow 192
Configuring Enforcement Profiles 193
RADIUS Enforcement Profiles 196
RADIUS CoA Enforcement Profiles 198
SNMP Enforcement Profiles 198
TACACS+ Enforcement Profiles 199
Application Enforcement Profiles 201
CLI Enforcement Profile 202
Agent Enforcement Profiles 202
Post Authentication Enforcement Profiles 203
Configuring Enforcement Policies 204
Network Access Devices 208
Adding and Modifying Devices 208
Adding a Device 208
Additional Available Tasks 212
Adding and Modifying Device Groups 212
Additional Available Tasks 214
Adding and Modifying Proxy Targets 214
Add a Proxy Target 214
Additional Available Tasks 215
Administration 216
Admin Users 216
Add User 217
Import Users 218
Export Users 218
Export 218
Admin Privileges 219
Custom Admin Privileges 219
Create a Custom Admin Privilege 219
Admin Privilege XML Structure 219
Admin Privileges and IDs 220
Sample Admin Privilege XML 222
Server Configuration 223
Set Date/Time 224
Change Cluster Password 225
Manage Policy Manager Zones 226
NetEvents Targets 227
Virtual IPSettings 227
Make Subscriber 228
Upload Nessus Plugins 229
Cluster-Wide Parameters 229
Collect Logs 233
Viewing Log Files 234
Backup 235
Restore 236
Shutdown/Reboot 237
Drop Subscriber 237
System Tab 237
Multiple Active Directory Domains 238
Services Control Tab 240
Service Parameters Tab 240
System Monitoring Tab 248
Network Tab 249
Creating GREtunnels 249
Creating VLAN 250
Defining Access Restrictions 251
Log Configuration 252
Local Shared Folders 254
Server and Application Licensing 254
Activate a Server License 255
Add an Application License 256
Activate an Application License 256
Update an Application License 257
SNMP Trap Receivers 257
Add SNMP Trap Server 258
Import SNMP Trap Server 259
Export all SNMP Trap Servers 259
Export a Single SNMPTrap Server 259
Syslog Targets 260
Add Syslog Target 260
Import Syslog Target 261
Export Syslog Target 262
Export 262
Syslog Export Filters 262
Add Syslog Filter 263
Import Syslog Filter 264
Export Syslog Filter 265
Export 265
Messaging Setup 265
Endpoint Context Servers 268
Add an endpoint context server 268
Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 7
8 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide
Modify an endpoint context server 268
Delete an endpoint context server 268
Endpoint Context Server Configuration Details 269
Server Certificate 269
Create Self-Signed Certificate 270
Create Certificate Signing Request 272
Export Server Certificate 273
Import Server Certificate 273
Certificate Trust List 274
Add Certificate 274
Revocation Lists 275
Add Revocation List 275
RADIUS Dictionaries 276
Import RADIUS Dictionary 277
Posture Dictionaries 278
TACACS+ Services 278
Fingerprints 279
Attributes 280
Add Attribute 281
Import Attributes 282
Export Attributes 282
Export 282
Application Dictionaries 283
View an application dictionary 283
Delete an application dictionary 283
OnGuard Settings 283
OnGuard Portal 285
Update Portal 288
Install Update dialog box 289
Updating the Policy Manager Software 290
Upgrade the Image on a Single Policy Manager Appliance 291
Upgrade the Image on All Appliances 291
Command Line Configuration 292
Available Commands 292
Cluster Commands 294
drop-subscriber 295
list 295
make-publisher 295
make-subscriber 296
reset-database 296
set-cluster-passwd 296
set-local-passwd 297
Configure Commands 297
date 297
dns 298
hostname 298
ip 298
timezone 299
Network Commands 299
ip 299
nslookup 300
ping 300
reset 301
traceroute 301
Service commands 301
<action> 302
Show Commands 302
all-timezones 303
date 303
dns 303
domain 303
hostname 304
ip 304
license 304
timezone 305
version 305
System commands 305
boot-image 305
gen-support-key 306
install-license 306
restart 306
shutdown 306
update 307
upgrade 307
Miscellaneous Commands 308
ad auth 308
ad netjoin 308
ad netleave 309
ad testjoin 309
alias 309
backup 310
dump certchain 310
dump logs 310
dump servercert 311
exit 311
help 311
Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 9
10 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide
krb auth 312
krb list 312
ldapsearch 312
restore 313
quit 313
Rules Editing and Namespaces 314
Namespaces 314
Variables 320
Operators 320
Error Codes, SNMP Traps, and System Events 324
Error Codes 324
SNMPTrap Details 327
Example 1 327
Example 2 328
CPPMProcesses and OIDs 328
CPU Load Average Traps 328
Disk space threshold traps: 328
Network interface status traps: 328
Important System Events 329
Admin UI Events 329
Critical Events 329
Info Events 329
Admin Server Events 329
Info Events 329
Async Service Events 329
Info Events 329
ClearPass/Domain Controller Events 330
Critical Events 330
Info Events 330
ClearPass System Configuration Events 330
Critical Events 330
Info Events 330
ClearPass Update Events 330
Critical Events 330
Info Events 330
Cluster Events 331
Critical Events 331
Info Events 331
Command Line Events 331
Info Events 331
DB Replication Services Events 331
Info Events 331
Licensing Events 331
Critical Events 331
Info Events 331
Policy Server Events 331
Info Events 331
RADIUS/TACACS+ Server Events 331
Critical Events 331
Info Events 332
SNMPEvents 332
Critical Events 332
Info Events 332
Support Shell Events 332
Info Events 332
System Auxiliary Service Events 332
Info Events 332
System Monitor Events 332
Critical Events 332
Info Events 332
Service Names 333
Use Cases 334
802.1x Wireless Use Case 336
Configuring the Service 336
Dell Web Based Authentication Use Case 344
Configuring the Service 344
MAC Authentication Use Case 350
Configuring the Service 350
TACACS+ Use Case 354
Configuring the Service 354
Single Port Use Case 356
Software Copyright and License Statements 358
PostgreSQL Copyright 358
GNU LGPL 358
GNU GPL 363
Lighthttpd License 367
Apache License 367
OpenSSL License 369
OpenLDAP License 372
gSOAP Public License 373
Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 11
Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 12
Chapter 1
About Dell Networking W-ClearPass
Policy Manager
The Dell Networking W-ClearPass Policy Manager platform provides role- and device-based network access control
across any wired, wireless and VPN. Software modules for the Dell Networking W-ClearPass Policy Manager platform,
such as Guest, Onboard, Profile, OnGuard, QuickConnect, and Insight simplify and automate device configuration,
provisioning, profiling, health checks, and guest access.
With built-in RADIUS, SNMP and TACACS+ protocols, Dell Networking W-ClearPass Policy Manager provides
device registration, device profiling, endpoint health assessments, and comprehensive reporting to automatically
enforce user and endpoint access policies as devices connect to the network.
Common Tasks in Policy Manager
As you work in Policy Manager, you'll encounter many things that work similarly in different places. For example,
importing or exporting from a list of items. This section explains how to do these common tasks.
l "Importing" on page 12
l "Exporting" on page 13.
Importing
On most pages with lists in Dell Networking W-ClearPass Policy Manager, you can import the information about one
or more items. That information is stored as an XML file, and this file can be password protected. The tags and
attributes in the XMLfile are explained in the APIGuide.
To import into Policy Manager
1. Click the Import link. The Import from File dialog box appears.
2. Click Browse and select the file you want to import from your hard drive.
The file must be an XMLfile in the correct format. If you've exported files from different places in Policy Manager,
make sure you're selecting the correct one. The APIGuide contains more information about the format and contents
of these XMLfiles.
3. If the file is password protected, enter the password (secret).
4. Click Import.
13 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide
Exporting
On most pages with lists in Dell Networking W-ClearPass Policy Manager, you can export the information about one
or more items. That information is exported as an XML file, and this file can be password protected. The tags and
attributes in the XMLfile are explained in the APIGuide. You can:
l Export all the items.
l Export one or more items.
To export all the items in a list
1. Click the Export link. The Export to File dialog box appears.
2. If you want the file password protected, select Yes and enter a password twice (in the Secret Key and Verify Secret
fields). If you do not want the file passowrd protected, select No.
3. Click Export.
Depending on which browser you use, the file is automatically saved to your hard drive or you are asked to save it,
and you may be asked where.
To export one or more items in a list
1. Select the check box next to the items you want to export.
2. Click the Export button at the bottom of the list. The Export to File dialog box appears.
3. If you want the file password protected, select Yes and enter a password twice (in the Secret Key and Verify Secret
fields). If you do not want the file passowrd protected, select No.
4. Click Export.
Depending on which browser you use, the file is automatically saved to your hard drive or you are asked to save it,
and you may be asked where.
Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 14
Chapter 2
Powering Up and Configuring Policy
Manager Hardware
The Policy Manager server requires initial port configuration. Its backplane contains three ports.
Server Port Overview
Figure 1 Policy Manager Backplane
The ports in the figure above are described in the following table:
Table 1:
Device Ports
Key Port Description
A Serial Configures the ClearPass Policy Manager appliance initially, via hardwired
terminal.
B -
eth0
Management
(gigabit Ethernet)
Provides access for cluster administration and appliance maintenance via
web access, CLI, or internal cluster communications.
Configuration required.
C -
eth1
Data (gigabit
Ethernet)
Provides point of contact for RADIUS, TACACS+, Web Authentication and
other data-plane requests.
Configuration optional. If not configured, requests redirected to the
management port.
15 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide
Server Port Configuration
Before starting the installation, gather the following information that will need, write it in the table below, and keep it
for your records:
Table 2:
Required Information
Requirement Value for Your Installation
Hostname) Policy Manager
server)
Management Port IP
Address
Management Port Subnet
Mask
Management Port Gateway
Data Port IP Address
(optional)
Data Port IP Address must not be in the same subnet as the Management
Port IP Address
Data Port Gateway
(optional)
Data Port Subnet Mask
(optional)
Primary DNS
Secondary DNS
NTP Server (optional)
Perform the following steps to set up the Policy Manager appliance:
1. Connect and power on
Using the null modem cable provided, connect a serial port on the appliance to a terminal, then connect power and
switch on. The appliance immediately becomes available for configuration.
Use the following parameters for the serial port connection:
l Bit Rate: 9600
l Data Bits: 8
l Parity: None
l Stop Bits: 1
l Flow Control: None
2. Login
Later, you will create a unique appliance/cluster administration password. For now, use the following preconfigured
credentials:
login: appadmin
password: eTIPS123
This starts the Policy Manager Configuration Wizard.
3. Configure the Appliance
Replace the bolded placeholder entries in the following illustration with your local information:
Enter hostname:verne.xyzcompany.com
Enter Management Port IP Address: 192.168.5.10
Enter Management Port Subnet Mask: 255.255.255.0
Enter Management Port Gateway: 192.168.5.1
Enter Data Port IP Address: 192.168.7.55
Enter Data Port Subnet Mask: 255.255.255.0
Enter Data Port Gateway: 192.168.7.1
Enter Primary DNS: 198.168.5.3
Enter Secondary DNS: 192.168.5.1
4. Change your password
Use any string of at least six characters:
New Password:************
Confirm Password: ************
Going forward, you will use this password for cluster administration and management of the appliance.
5. Change the system date/time
Do you want to configure system date time information [y|n]: y
Please select the date time configuration options.
1) Set date time manually
2) Set date time by configuring NTP servers
Enter the option or press any key to quit: 2
Enter Primary NTP Server: pool.ntp.org
Enter Secondary NTP Server: time.nist.gov
Do you want to configure the timezone? [y|n]: y
After the timezone information is entered, you are asked to confirm the selection.
6. Commit or restart the configuration
Follow the prompts:
Proceed with the configuration [y[Y]/n[N]/q[Q]
y[Y] to continue
n[N] to start over again
q[Q] to quit
Enter the choice:Y
Successfully configured Policy Manager appliance
*************************************************************
* Initial configuration is complete.
* Use the new login password to login to the CLI.
* Exiting the CLI session in 2 minutes. Press any key to exit now.
When your Policy Manager system is up and running, navigate to the Administration > Agents and Software Updates
> Software Updates page to view and download any available software updates. Refer to "Updating the Policy
Manager Software " on page 290 for more information.
Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 16
17 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide
Powering Off the System
Perform the following to power off the system gracefully without logging in:
l Connect to the CLI from the serial console via the front serial port and enter the following:
login: poweroff
password: poweroff
This procedure gracefully shuts down the appliance.
Resetting Passwords to Factory Default
Administrator passwords in Policy Manager can be reset to factory defaults by logging into the CLI as the apprecovery
user. The password to log in as the apprecovery user is dynamically generated.
Perform the following steps to generate the recovery password:
1. Connect to the Policy Manager appliance via the front serial port (using any terminal program). See "Server Port
Configuration " on page 15 for details.
2. Reboot the system. See the restart command.
3. When the system restarts, it waits at the following prompt for 10 seconds:
Generate support keys? [y/n]:
Enter ‘y’ at the prompt. The system prompts you with the following choices:
Please select a support key generation option.
1) Generate password recovery key
2) Generate a support key
3) Generate password recovery and support keys
Enter the option or press any key to quit:
4. To generate the recovery key, select option 1 (or 3, if you want to generate a support key, as well).
5. Once the password recovery key is generated, email the key to Dell technical support. A unique password will be
generated from the recovery key and emailed back to you.
6. Enter the following at the command prompt:
[apprecovery] app reset-passwd
*******************************************************
* WARNING: This command will reset the system account *
* passwords to factory default values *
*******************************************************
Are you sure you want to continue? [y/n]: y
INFO - Password changed on local node
INFO - System account passwords have been reset to
factory default values
Generating Support Key for Technical Support
To troubleshoot certain critical system level errors, Dell technical support might need to log into a support shell.
Perform the following steps to generate a dynamic support password:
1. Log into the Command Line Interface (CLI) and enter the command: system gen-support-key. See gen-support-
key for details.
2. Connect to the Policy Manager appliance via the front serial port (using any terminal program). See "Server Port
Configuration " on page 15 for details.
3. Reboot the system. See the restart command.
4. When the system restarts it waits at the following prompt for 10 seconds:
Generate support keys? [y/n]:
Enter ‘y’ at the prompt. The system prompts with the following choices:
Please select a support key generation option.
1) Generate password recovery key
2) Generate a support key
3) Generate password recovery and support keys
Enter the option or press any key to quit:
5. To generate the support key, select option 2 (or 3, if you want to generate a password recovery key, as well).
6. Once the password recovery key is generated, email the key to Dell technical support. A unique password can now
be generated by Dell technical support to log into the support shell.
Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 18
19 Dell Networking W-ClearPass Policy Manager 6.2 | User Guide
Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 20
Chapter 3
Policy Manager Dashboard
The Policy Manager Dashboard menu allows you to display system health and other request related statistics. Policy
Manager comes pre-configured with different dashboard elements. The screen on the right of the dashboard menu is
partitioned into five fixed slots. You can drag and drop any of the dashboard elements into the five slots. The
dashboard elements are listed below:
This shows a graph of all requests processed by
Policy Manager over the past week. This includes
RADIUS, TACACS+ and WebAuth requests. The
default data filter “All Requests” is used to plot
this graph. Clicking on each bar in the graph drills
down into the Access Tracker and shows the
requests for that day.
This shows a graph of the “Healthy” vs.
“Unhealthy” requests over the past week. Healthy
requests are those requests where the health
state was deemed to be healthy (based on the
posture data sent from the client). Unhealthy
requests are those requests whose health state
was deemed to be quarantined (posture data
received but health status is not compliant) or
unknown (no posture data received). This
includes RADIUS and WebAuth requests. The
default data filters “Health Requests” and
“Unhealthy Requests” are used to plot this graph.
Clicking on each circle on the line graph drills
down into the Access Tracker and shows the
healthy or unhealthy requests for that day.
This shows a graph of the “Failed” vs.
“Successful requests over the past week. This
includes RADIUS, WebAuth and TACACS+
requests. The default data filters “Failed
Requests” and “Successful Requests” are used to
plot this graph. Clicking on each circle on the line
graph drills down into the Access Tracker and
shows the failed or successful requests for that
day.
This shows a table of the last few authentications.
Clicking on a row drills down into the Access
Tracker and shows requests sorted by timestamp
with the latest request showing first.
/