Aruba Networks ClearPass Guest 3.9 Deployment Manual Download Page 293 | Manualshive

Page: 293 / 518

background image

ClearPass Guest 3.9 | Deployment Guide

Guest Management |

293

Any of the other standard fields can be added similar to importing regular guests.

Advanced MAC Features

2-Factor Authentication

2-factor authentication checks against both credentials and the MAC address on record.

Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice you
would probably add

mac

as a text field to the

create_user

form. When

mac

is enabled in a self-registration

it will be included in the account as long as

mac

is passed in the URL. Relying on self-registration may

defeat the purpose of two-factor authentication, however.

The 2-factors are performed as follows:

1. Regular RADIUS authentication using username and password

2. Role checks the user account mac against the passed Calling-Station-Id.

Edit the user role and the attribute for

Reply-Message

or

Aruba-User-Role

. Adjust the condition from

Always

to

Enter conditional expression

.

return !MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) && AccessReject();

There is an alternative syntax where you keep the condition at

Always

and instead adjust the

Value

.

<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? $role["name"] :
AccessReject()

or

<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : AccessReject()

MAC-Based Derivation of Role

Depending on whether the MAC address matches a registered value, you can also adjust which role is
returned. The controller must be configured with the appropriate roles and the reply attributes mapping to
them as expected.

Edit the

Value

of the attribute within the role returning the role to the controller.

If you are on the registered MAC, apply the

Employee

role, otherwise set them as

Guest

.

<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : 'Guest'

This can be expanded if you create multiple MAC fields. Navigate to

Customize > Fields

and duplicate

mac

. Rename it as mac_byod and then add it to the 'create_user and guest_edit forms. In this example the

account has a registered employee device under mac, and a registered BYOD device under mac_byod.

<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac_byod']) ? 'BYOD' :
(MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : 'Guest')

User Detection on Landing Pages

When

mac

is passed in the redirect URL, the user is detected and a customized message displays on the

landing page.

Navigate to

Administrator > Plugin Manager > Manage Plugins: MAC Authentication:

Configuration

and enable

MAC Detect

.

Edit the header of your redirect landing page (login or registration) and include the following:

<p>{if $guest_receipt.u.visitor_name}

Welcome back to the show, {$guest_receipt.u.visitor_name|htmlspecialchars}!

{else}

Welcome to the show!

{/if}</p>

«
...
291
292
293
294
295
...
»

Summary of Contents for ClearPass Guest 3.9

Page 1: ...ClearPass Guest 3 9 Deployment Guide ...

Page 2: ...he GNU General Public License GPL GNU Lesser General Public License LGPL or other Open Source Licenses The Open Source code used can be found at this site http www arubanetworks com open_source Legal Notice The use of Aruba Networks Inc switching platforms and software by all individuals or corporations to terminate other vendors VPN client devices constitutes complete acceptance of liability by t...

Page 3: ...on Checklist 31 Chapter 3 Setup Guide 33 Hardware Appliance Setup 33 Default Network Configuration 33 Setting Up the Virtual Appliance 34 VMware Workstation or VMware Player 34 VMware ESXi 34 Accessing the Console User Interface 35 Console Login 35 Console User Interface Functions 36 Accessing the Graphical User Interface 37 Initial Configuraton Using the Setup Wizard 37 Logging In 37 Accepting th...

Page 4: ... 61 Accessing Onboard 64 Configuring the User Interface for Device Provisioning 64 Customizing the Device Provisioning Web Login Page 65 Using the nwa_mdps_config Template Function 66 Configuring ClearPass Servers for Device Provisioning 66 Configuring the Certificate Authority 68 Setting Up the Certificate Authority 69 Setting Up a Root Certificate Authority 70 Setting Up an Intermediate Certific...

Page 5: ...10 Advanced Device Authentication During Provisioning 110 Onboard Troubleshooting 111 iOS Device Provisioning Failures 112 Chapter 5 RADIUS Services 113 Accessing RADIUS Services 113 Server Control 113 RADIUS Log Snapshot 113 Debug RADIUS Server 114 Viewing Failed Authentications 114 Server Configuration 115 Example Removing a User Name Suffix 117 Removing a Variable Length Suffix 117 Example Corr...

Page 6: ...0 Requesting a Certificate from a Certificate Authority 150 Importing a Server Certificate 151 Installing a Server Certificate from a Certificate Authority 152 Installing an Imported Server Certificate 152 Exporting Server Certificates 152 PEAP Sample Configuration 152 Importing a Root Certificate Windows Vista and Windows 7 153 Active Directory Domain Services 157 Joining an Active Directory Doma...

Page 7: ...or Messages 195 LDAP Translation Rules 196 Custom LDAP Translation Processing 198 Operator Logins Configuration 200 Custom Login Message 200 Operator Password Options 201 Advanced Operator Login Options 202 Automatic Logout 202 Chapter 7 Guest Management 203 Accessing Guest Manager 203 About Guest Management Processes 203 Sponsored Guest Access 204 Self Provisioned Guest Access 204 Standard Guest ...

Page 8: ...elf Registration Pages 256 Configuring Basic Properties for Self Registration 257 Using a Parent Page 258 Paying for Access 258 Requiring Operator Credentials 258 Editing Registration Page Properties 259 Editing the Default Self Registration Form Settings 260 Editing Guest Receipt Page Properties 261 Editing Receipt Actions 262 Enabling Sponsor Confirmation for Role Selection 262 Editing Download ...

Page 9: ...ages 293 Click Through Login Pages 294 Active Sessions Management 294 Session States 295 RFC 3576 Dynamic Authorization 296 Filtering the List of Active Sessions 296 Managing Multiple Active Sessions 297 Closing All Stale Sessions Immediately 297 Closing All Stale Sessions and Specifying a Duration 297 Closing Specified Open Sessions 299 Disconnecting or Reauthorizing Active Sessions 300 Sending M...

Page 10: ...al Report 348 Creating Reports 348 Creating the Report Step 1 349 Creating the Report Step 2 349 Creating Sample Reports 350 Report Based on Modifying an Existing Report 350 Report Created from Report Manager using Create New Report 351 Report Created by Duplicating an Existing Report 353 Report Troubleshooting 355 Report Preview with Debugging 355 Troubleshooting Tips 356 Chapter 9 Administrator ...

Page 11: ...g the Operating System Update Log 392 Determining Installed Operating System Packages 393 Plugin Manager 393 Managing Subscriptions 394 Viewing Available Plugins 394 Adding or Updating New Plugins 395 Configuring Plugin Update Notifications 396 Configuring Plugins 396 Configuring the Kernel Plugin 397 Configuring the Aruba ClearPass Skin Plugin 398 Server Time 399 System Control 401 Changing Syste...

Page 12: ...ilability Systems 425 Terminology Concepts 425 Network Architecture 426 Deploying an SSL Certificate 427 Normal Cluster Operation 427 Failure Detection 427 Database Replication 427 Configuration Replication 428 Primary Node Failure 429 Secondary Node Failure 429 Email Notification 430 Cluster Status 430 Cluster Setup 431 Prepare Primary Node 432 Prepare Secondary Node 434 Cluster Initialization 43...

Page 13: ...imeformat Modifier 455 Date Time Format String Reference 456 Programmer s Reference 457 NwaAlnumPassword 457 NwaBoolFormat 457 NwaByteFormat 457 NwaByteFormatBase10 457 NwaComplexPassword 457 NwaCsvCache 457 NwaDigitsPassword len 458 NwaDynamicLoad 458 NwaGeneratePictureString 458 NwaGenerateRandomPasswordMix 458 NwaLettersDigitsPassword 458 NwaLettersPassword 458 NwaMoneyFormat 458 NwaParseCsv 45...

Page 14: ...rSessions 484 GetIpAddressSessions 484 GetUserActiveSessions 484 GetCurrentSession 484 GetUserCurrentSession 485 GetIpAddressCurrentSession 485 GetCallingStationCurrentSession 485 GetUserStationCount 486 GetSessionTimeRemaining 486 ChangeToRole 486 RADIUS Server Options 487 General Configuration 487 Security Configuration 489 Proxy Configuration 489 SNMP Query Configuration 490 Thread Pool Configu...

Page 15: ...gin 129 Figure 18 Captive Network Assistant on MacOS X 137 Figure 19 Captive Network Assistant on iPad 137 Figure 20 Captive Network Assistant on iPhone 138 Figure 21 Captive Portal Profile Configuration 139 Figure 22 Configuring the Web Login page 140 Figure 23 Operator profiles and visitor access control 180 Figure 24 Sponsored guest access with guest created by operator 204 Figure 25 Guest acce...

Page 16: ...s with groups 327 Figure 46 Components of the Report Editor 328 Figure 47 Network diagram showing IP addressing for a GRE tunnel 366 Figure 48 Data Retention Policy page 405 Figure 49 Guest self provisioning 415 Figure 50 Network architecture of high availability cluster 426 ...

Page 17: ...Certificates 92 Table 17 RADIUS Attributes Included with a Device Authentication Request 111 Table 18 Web Login Page Syntax 135 Table 19 Operators supported in filters 184 Table 20 Operators supported in filters 188 Table 21 Server Type Parameters 192 Table 22 LDAP Error Messages 195 Table 23 Template Variables 198 Table 24 Operators supported in filters 212 Table 25 Operators supported in filters...

Page 18: ...plexity Requirements 475 Table 53 Form Field Display Functions 476 Table 54 Display Expressions for Data Formatting 478 Table 55 PHP Variables 479 Table 56 General Configuration Settings 487 Table 57 Security Configuration Settings 489 Table 58 Proxy Configuration Settings 489 Table 59 Thread Pool Settings 490 Table 60 Authentication Module Configuration Settings 491 Table 61 Database Modeule Conf...

Page 19: ...custom scratch cards each with a defined network access time which can then be handed out in a corporate environment or sold in public access scenarios Using the built in customization features your visitors are also able to self provision their own guest accounts using the settings you have defined The registration experience is delivered with a branded and customized Web portal ensuring a stream...

Page 20: ...ng setting up guest self provisioning and defining new SMS or email receipts Chapter 8 Report Management covers the use of the built in reports and explains how to create new reports to summarize visitor account information and network usage accounting data Chapter 9 Administrator Tasks describes the configuration and maintenance tools used by network administrators to manage ClearPass Guest Chapt...

Page 21: ...r training Quick Help In list views click the Quick Help tab located at the top left of the list to display additional information about the list you are viewing and the actions that are available within the list On some forms and views the Quick Help icon may also be used to provide additional detail about a field Context Sensitive Help For more detailed information about the area of the applicat...

Page 22: ...contact your reseller The reseller can usually provide you with the answer or obtain a solution to your problem If you still need information refer to the Web Resources command available under Support Services in the ClearPass Guest user interface Words may be excluded from the search by typing a minus sign directly before the word to exclude for example exclude Exact phrase matches may also be se...

Page 23: ...ure shows a high level representation of a typical visitor access scenario See Figure 1 Figure 1 Visitor access using ClearPass Guest In this scenario visitors are using their own mobile devices to access a corporate wireless network Because access to the network is restricted visitors must first obtain a username and password A guest account may be provisioned by a corporate operator such as a re...

Page 24: ...nistrator operators and visitors may use different network interfaces to access the visitor management features The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points Key Interactions The following figure shows the key interactions between ClearPass Guest and the people and othe...

Page 25: ...h consists of a group of RADIUS attributes These attributes are used to control every aspect of the guest s network session effectively defining a security policy that controls what the guest is permitted to do on the network Vendor specific attributes may be used to configure the finer details of the NAS security policy The network usage of authorized guests is monitored by the NAS and reported i...

Page 26: ...AS authenticates the user with the RADIUS protocol 5 ClearPass Guest determines whether the user is authorized and if so returns vendor specific attributes 6 that are used to configure the NAS based on the user s role 7 If the user s access is granted the NAS permits the guest access to the network based on the settings provided by the ClearPass Guest server The NAS reports details about the user ...

Page 27: ...on Customizing Self Provisioned Access Web login portal Web Logins Visitor Management Create and manage visitor accounts individually or in groups Standard Guest Management Features Manage active RADIUS sessions using RFC 3576 dynamic authorization support Active Sessions Management Import and export visitor accounts Importing Guest Accounts Create guest self registration forms Creating a Self Reg...

Page 28: ... new Web login pages for visitor NAS access Web Logins Create new reports Creating Reports Administrative Management Features Operators defined and authenticated locally Local Operator Authentication Operators authenticated via LDAP LDAP Operator Authentication Restrict operator logins by IP address ranges Creating a VLAN Interface Role based access control for operators Operator Profiles Configur...

Page 29: ...fields displayed to an operator Netw ork Access Server Device that provides network access to users such as a wireless access point network switch or dial in terminal server When a user connects to the NAS device a RADIUS access request is generated by the NAS Ope rator Profile Characteristics assigned to a class of operators such as the permissions granted to those operators Ope rator Operator Lo...

Page 30: ... place on the shared secret between NAS and the RADIUS server to ensure network security is not compromised What IP address ranges will operators be using to access the server Should HTTPS be required in order to access the visitor management server Operational Concerns When deploying a visitor management solution you should consider these operational concerns Who is going to be responsible for ma...

Page 31: ...f day access Bandwidth allocation to guests Prioritization of traffic Different guest roles IP address ranges for operators Enforce access via HTTPS Operational Concerns Who will manage guest accounts Guest account self provisioning What privileges will the guest managers have Who will be responsible for printing reports Network Management Policy Password format for guest accounts Shared secret fo...

Page 32: ...32 Management Overview ClearPass Guest 3 9 Deployment Guide ...

Page 33: ...luded in the box with the appliance for detailed installation information for the chassis and rack assembly Default Network Configuration The AMG HW 100 and AMG HW 2500 appliances have two gigabit Ethernet network ports on the rear of the chassis See Figure 5 Figure 5 Rear port configuration for AMG HW 100 2500 appliances The factory default network configuration for these ports is Table 5 Default...

Page 34: ...with the files for the virtual machine An OVF file specifies the details of the virtual machine To install the virtual appliance 1 Extract the contents of the zip file to a new directory 2 Start the VMware vSphere Client 3 Use the File Deploy OVF Template command to create a new virtual machine from the files in the virtual appliance directory Table 6 Ethernet adapter configuration Item Network Ad...

Page 35: ...t settings of 9600 baud 8 data bits no parity and 1 stop bit Flow control is not required Both hardware and virtual appliances support command line access directly at the console and remotely via SSH The following table summarizes the methods that you may use to access the console user interface Console Login To access the console user interface Log in with the username admin and the appliance s r...

Page 36: ... appliance s network settings 2 Restart services Restarts major system services 3 Reinitialize database Destroys the entire configuration of the appliance and resets to the factory default state All guest accounts operator logins RADIUS accounting records application configuration and customization will be lost 4 Change shell password Sets the new shell password used to access the console user int...

Page 37: ...l configuration process which is explained in more detail below Logging In To start the setup wizard Enter the default username and password When you log in for the first time the default username is admin and the default password is admin Click the Log In button The default login settings for new installations require https to access the graphical user interface However if you use https to access...

Page 38: ...ware license agreement 2 Mark the Accept check box then click Continue If you have any questions about the license agreement contact Aruba support using the Web site http support arubanetworks com Setting the Administrator Password After you review and accept the software license agreement you will be prompted to set the password for the administrator account This account has full access to all se...

Page 39: ...learPass Guest sends notification emails to this address for various system events When the administrator password is set for the first time the root password for the system will also be set to this password The root password is required to log in to the console user interface See Console Login in this chapter for a description of how to do this However once you have set the initial root password ...

Page 40: ...ttings for the system s network interfaces To configure network interface settings 1 Go to Administrator Network Setup Network Interfaces The results of an automated network diagnostic test are displayed at the top of the page For more details about the network diagnostics see Automatic Network Diagnostics in the Administrator Tasks chapter 2 To change the configuration of a network interface clic...

Page 41: ...xy settings 1 Go to Administrator Network Setup HTTP Proxy 2 If your network configuration requires the use of an HTTP proxy to access the Internet enter the details for the proxy in the Proxy URL field then click Save Changes If your HTTP proxy requires authentication supply the username and password in the URL as shown in the field help For details on HTTP proxy settings See Automatic Network Di...

Page 42: ...d the fields on this form click the Send Test Message button to send an email to a test email address The test email is in the selected format and is used to verify the SMTP configuration and check the delivery of HTML formatted emails 4 Click the Save and Close button to save the updated SMTP configuration Configuring SNMP Settings The SNMP Setup form is used to configure the system s SNMP server...

Page 43: ...ntains the correct time of day at all times To configure the server s time and time zone 1 Go to Administrator Server Time 2 In the Time Zone field select the server s time zone 3 It is strongly recommended that you configure one or more NTP servers to automatically synchronize the server s time In the Time Servers field enter the list of NTP servers to use for synchronization If available it is r...

Page 44: ...ADIUS Web Login pages that have vendor specific settings 2 Click Save and Continue to apply the RADIUS server configuration Defining RADIUS Network Access Servers A network access server NAS is a RADIUS client and must be predefined in order to access the RADIUS server For security each NAS device must also have a shared secret which is known only to the device and the RADIUS server Use the Networ...

Page 45: ...ardware and software appliances are shipped with a restricted default license This default license permits each guest account to have only a limited lifetime as well as restricting other capabilities of the software If you have purchased ClearPass Guest you will have one or more subscription IDs that enable particular modules of functionality that you have purchased These subscription IDs will hav...

Page 46: ...ith the corresponding subscription ID in parentheses For example ClearPass Guest Subscription xn2ncr gyjyd4 mxlx2s fv9gcy rwy7n6 3 Click Save and Continue once you have entered your subscription IDs If your subscription includes SMS capabilities an SMS gateway is automatically created based on your subscription ID Installing Subscription Updates If you have entered any subscription IDs the softwar...

Page 47: ...Completion After downloading and installing the available plugin updates the setup process is complete and the Welcome screen is displayed You may begin using ClearPass Guest Context sensitive help is available throughout the application For more detailed information about the area of the application you are using click the Help link displayed at the top right of the page This opens a the relevant...

Page 48: ...s for which ClearPass Guest performs authentication authorization and accounting AAA functions Visitor accounts are managed by operators using the Guest Manager component of the software See Guest Management chapter for more details on setting up visitor account provisioning RADIUS Services is for system administrator use and provides fine grained control over the AAA functions of the application ...

Page 49: ...nt information about ClearPass Onboard Onboard Deployment Checklist Use the following checklist to complete your Onboard deployment Table 10 Onboard Deployment Checklist Deployment Step Reference Planning and Preparation Review the Onboard feature list to identify the major areas of interest for your deployment See Onboard Feature List Review the list of platforms supported by Onboard and identify...

Page 50: ... See Configuring Network Settings for Device Provisioning Configure networking equipment for non provisioned devices Set authentication for the provisioning SSID if required Ensure the captive portal redirects non provisioned devices to the device provisioning page See Network Requirements for Onboard Configure networking equipment to authenticate provisioned devices Ensure 802 1X authentication m...

Page 51: ... to prevent network access Support for Windows Mac OS X iOS and Android devices Leverage ClearPass Profiling to identify device type manufacturer and model Control the user interface displayed during device provisioning Certificate authority enables the creation and revocation of unique credentials on a specific user s device Root and intermediate CA modes of operation Supports SCEP enrollment of ...

Page 52: ...ficate authority The following sections explain how the certificate authority works and which certificates are used in this process Certificate Hierarchy In a public key infrastructure PKI system certificates are related to each other in a tree like structure See Figure 6 Apple Mac OS X MacBook Pro MacBook Air Mac OS X 10 8 Mountain Lion Mac OS X 10 7 Lion 1 Mac OS X 10 6 Snow Leopard Mac OS X 10 ...

Page 53: ...server The identity information in the server certificate may be displayed during network authentication One or more Device Certificates may be issued typically one or two per provisioned device The identity information in the device certificate uniquely identifies the device and the user that provisioned the device You do not need to manually create the profile signing certificate it is created w...

Page 54: ...re not used when using PEAP unique device credentials The Onboard server automatically updates the status of the username when the device s client certificate is revoked Re Provisioning a Device Because bring your own devices are not under the complete control of the network administrator it is possible for unexpected configuration changes to occur on a provisioned device For example the user may ...

Page 55: ...ing an Onboard client certificate place them into a provisioned role For provisioned devices additional authorization steps can be taken after authentication has completed to determine the appropriate provisioned role Using a Different SSID for the Provisioning and Provisioned Networks To configure dual SSIDs to support provisioned devices on one network and non provisioned devices on a separate n...

Page 56: ...Network Architecture for Onboard The high level network architecture for the Onboard solution is shown in Figure 7 Figure 7 ClearPass Onboard Network Architecture The sequence of events shown in Figure 7 is 1 Users bring their own device to the enterprise 2 The ClearPass Onboard workflow is used to provision the user s device securely and with a minimum of user interaction 3 Once provisioned the d...

Page 57: ...thod b Other supported platforms use the Onboard provisioning method 3 Once provisioned client devices use a secure authentication method based on 802 1X and the capabilities best supported by the device a The unique device credentials issued during provisioning are in the form of an EAP TLS client certificate for iOS devices and OS X 10 7 devices b Other supported devices are also issued a client...

Page 58: ...nd the appropriate EAP types for the ClearPass Guest RADIUS server ClearPass Policy Manager supports a rich policy definition framework If you have complex policies to enforce multiple authentication or authorization sources that define user accounts or you need features beyond those available in the ClearPass Guest RADIUS server you should deploy Policy Manager for authentication The ClearPass On...

Page 59: ...s authenticated at the device provisioning page and then provisions their device with the Onboard server The device is configured with appropriate network settings and a device specific certificate 3 Authentication Once configuration is complete the user switches to the secure network and is authenticated using an EAP TLS client certificate A sequence diagram showing the interactions between each ...

Page 60: ...es with their provisioning credentials these are typically the user s enterprise credentials from Active Directory If the user is authorized to provision a mobile device the over the air provisioning workflow is then triggered see Figure 12 on page 61 below 4 After provisioning has completed the device switches to EAP TLS authentication using the newly provisioned client certificate Mutual authent...

Page 61: ...quely and is used to encrypt the device configuration profile so that only this device can read its unique settings b A Transport Layer Security TLS client certificate is issued to the device This certificate identifies the device and the user that provisioned the device It is used as the device s network identity during EAP TLS authentication Devices Supporting Onboard Provisioning ClearPass Onbo...

Page 62: ... the device 2 Provisioning The device provisioning page detects the device type and downloads or starts the QuickConnect app The app authenticates the user and then provisions their device with the Onboard server The device is configured with appropriate network settings and credentials that are unique to the device See Figure 14 on page 63 for details 3 Authentication Once configuration is comple...

Page 63: ...hat includes both the QuickConnect app and the Onboard configuration settings 3 The QuickConnect app uses the Onboard provisioning workflow to authenticate the user and provision their device with the Onboard server The device is configured with appropriate network settings and credentials that are unique to the device 4 After provisioning has completed the app switches the device to PEAP authenti...

Page 64: ...ures within Onboard Configuring the User Interface for Device Provisioning The user interface for device provisioning can be customized in three different ways Customizing the Web login page used for device provisioning All devices will reach the device provisioning Web login page as the first step of the provisioning process See Customizing the Device Provisioning Web Login Page to make changes t...

Page 65: ...ard Provisioning row in the list and then click Edit The RADIUS Web Logins Editor form opens Scroll to the Onboard Device Provisioning rows of the form For details about the rest of this form see Creating a Web Login Page in the RADIUS Services chapter The Onboard specific settings required for a device provisioning page are described below Mark the Enable device provisioning check box to activate...

Page 66: ...pecifies which property should be returned as described in Table 13 on page 66 Configuring ClearPass Servers for Device Provisioning To configure ClearPass servers for device provisioning navigate to Administrator Network Setup ClearPass or click the ClearPass command link The Manage ClearPass Servers form opens Table 13 Properties Available for Use with the nwa_mdps_ocnfig Smarty Template Functio...

Page 67: ...vices provisioned with Onboard Specify the hostname or IP address of the Policy Manager publisher node in the Host text field You must provide a valid username and password for the Policy Manager This account should have Super Administrator privileges Note Onboard requires only the ability to create guest user accounts Onboard accounts and endpoint records No other configuration changes are made u...

Page 68: ...ion is sent to Profiler when a valid device provisioning request has been received The Profiling Interval text field may be used to limit the rate of repeated updates for the same client This option can be used to reduce the load on the Profiler server especially if the When client requests a guest facing page profiling event is enabled A primary Profiler server must be configured Specify the host...

Page 69: ... Certificate Configure the data retention policy applied to certificates issued by the authority See Configuring Data Retention Policy for Certificates Setting Up the Certificate Authority The Certificate Authority Settings form is used to set up the mode of operation for the certificate authority The Name and Description fields are used internally to identify this certificate authority for the ne...

Page 70: ... public key infrastructure PKI and would like to include the certificate issued for Onboard devices in that infrastructure Click the Continue button to proceed to the second step See Setting Up an Intermediate Certificate Authority Setting Up a Root Certificate Authority If you already have a certificate and private key for the certificate authority see Installing a Certificate Authority s Certifi...

Page 71: ... as the issuer of other certificates notably the signing certificate Enter a descriptive name for the signing certificate in the Signing Common Name text field This value will be used to identify the signing certificate as the issuer of client and server certificates from this certificate authority The other identity information in the signing certificate will be the same as for the root certifica...

Page 72: ...e Digest Algorithm drop down list allows you to specify which hash algorithm should be used Note MD5 is not recommended for use with root certificates Mark the Generate CA certificate and invalidate all other certificates check box to confirm the changes Click the Create Root Certificate button to save the settings and generate a new root certificate Setting Up an Intermediate Certificate Authorit...

Page 73: ...ate authority Enter a contact email address in the Email Address text field This email address will be included in the certificate authority s certificate and provides a way for users of the certificate authority to contact your organization In the Private Key section Mark the Generate a new private key check box to create a new private key for the intermediate certificate This is only necessary i...

Page 74: ... also used to renew the certificate authority s intermediate certificate when it is close to expiring You can copy the certificate signing request in text format using your Web browser Use this option when you can paste the request directly into another application to obtain a certificate You can click the Download the current CSR link to download the certificate signing request as a file Use this...

Page 75: ...ide Onboard 75 Click the Request a Certificate link on this page The Request a Certificate page is displayed Click the link to submit an advanced certificate request The Submit a Certificate Request or Renewal Request page is displayed ...

Page 76: ...ficate Template drop down list Click the Submit button to issue the certificate The Certificate Issued page is displayed Select the Base 64 encoded option and then click the Download certificate chain link A file containing the intermediate certificate and the issuing certificates in the trust chain will be downloaded Refer to the instructions in Installing a Certificate Authority s Certificate fo...

Page 77: ...be used multiple times to import each of the certificates in the trust chain Check the message displayed above the form to determine which certificate or type of file must be uploaded next In the Step 1 section of the form select one of the following options in the Format radio buttons Copy and paste certificate as text The form expands to include the Step 2 fields To upload a single certificate c...

Page 78: ...ate Key Passphrase and Confirm Passphrase fields Click the Upload Certificate button to save your changes If additional certificates are required you will remain at the same page Check the message displayed above the form to determine which certificate or type of file must be uploaded next When the trust chain is complete it will be displayed This completes the initialization of the certificate au...

Page 79: ...priate for your organization s retention policy Note Use a blank value for Minimum Period to enable the Delete Certificate and Delete Request actions in the Certificate Management list view This is useful for testing and initial deployment The default data retention policy specifies the values Minimum Period of 12 weeks Maximum Period of 52 weeks Uploading Certificates for the Certificate Authorit...

Page 80: ...ficate s extended key usage property will contain a value of Client Auth indicating that the certificate may be used to identify a client TLS Server Certificate Use this option when the certificate is to be issued to a network server such as a Web server or as the EAP TLS authentication server When this option is selected the issued certificate s extended key usage property will contain a value of...

Page 81: ...ed for general use 4096 bit RSA higher security Note Using a private key containing more bits will increase security but will also increase the processing time required to create the certificate and authenticate the device The additional processing required will also affect the battery life of a mobile device It is recommended to use the smallest private key size that is feasible for your organiza...

Page 82: ...e certificates and certificate requests in the Onboard system Table 15 on page 83 lists the types of certificate that are displayed in this list Table 14 Subject Alternative Name Fields Supported When Creating a TLS Client Certificate Signing Request Name Desctiption Device Type Type of device such as iOS Android etc Device UDID Unique device identifier UDID for this device This is typically a 64 ...

Page 83: ...orking with Certificates Click on a certificate to select it You can then select from one of these actions View certificate Displays the properties of the certificate Click the Cancel button to close the certificate properties Export certificate Displays the Export Certificate form Table 15 Types of Certificate Supported by Onboard Certificate Management Certificate Type Type Column Notes Root cer...

Page 84: ... other certificates required to establish the trust chain for the certificate as a PKCS 12 container This option is only available if the private key for the certificate is available to the server If you selected the PKCS 12 format you must enter a passphrase to protect the private key stored in the file Note To protect against brute force password attacks and ensure the security of the private ke...

Page 85: ...ilable if the data retention policy is configured to permit the certificate s deletion See Configuring Data Retention Policy for Certificates The Delete Certificate form is displayed Mark the Delete this client certificate check box to confirm the certificate s deletion and then click the Delete Certificate button Working with Certificate Signing Requests Certificate signing requests can be manage...

Page 86: ...ust chain in a certificate bundle that can be imported as the server certificate in ClearPass Policy Manager mark the Include certificate trust chain check box then click the Export Certificate button Click the Export Request button to download the certificate signing request file in the selected format Sign request Displays the Sign Request form Use this action to approve the request for a certif...

Page 87: ... deletion See Configuring Data Retention Policy for Certificates The Delete Request form is displayed Mark the Delete this request check box to confirm the certificate signing request s deletion and then click the Delete Request button Requesting a Certificate From the Certificate Management page click the Upload a certificate signing request link to access the Certificate Signing Request form Pro...

Page 88: ...Glv biBTZXJ2ZXIxHzAdBgkqhkiG9w0BCQEWEGluZm9AZXhhbXBsZS5jb20wgZ8wDQYJ KoZIhvcNAQEBBQADgY0AMIGJAoGBALR4wRSH26wlcf3OEPEIh34iXRQIUrnYnDfo ZezeB i4NZUhRvLMvhPW7DcLpiZJ17ILj3aPPUXWDBYYiiuOkmuFX3dG7eKCLMH Z4E9z1ozK5Znm8cWIj56kg69le7QrAZBYrd5QaBTMxEe0F9CGFsYbFx1viMUMxN6 EJILaCTBAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQB8 So9KU5BS3oxjyxftIwF dWvNP2CNruKyQaba5RQ1ixdHAsPE 3uYIHNvlqqIpSzBlfYkr21S4DdR3SSC3bXy t4l fyM...

Page 89: ...ting that the certificate may be used to identify a server Certificate Authority Use this option when the certificate is for an subordinate certificate authority When this option is selected the issued certificate will contain an extension identifying it as an intermediate certificate authority and the extended key usage property will contain the three values Client Auth Server Auth and OCSP Signi...

Page 90: ...first part of the Device Provisioning Settings form is used to specify basic information about the Onboard provisioning The Name and Description fields are used internally to identify this set of Onboard settings for the network administrator These values are never displayed to the user during device provisioning Use the Organization field to provide the name of your organization this will be disp...

Page 91: ...12 00 The default of 15 minutes is reasonable If you expect that all devices on the network will be synchronized then the value may be reduced A setting of 0 minutes is not recommended as this does not permit any variance in clocks between devices When issuing a certificate the certificate s validity period is determined as follows The not valid before time is set to the current time less the cloc...

Page 92: ...the OCSP URL Specify an OCSP responder URL The Authority Info Access extension is added to the client certificates with the OCSP responder URL set to a value defined by the administrator This value may be specified in the OCSP URL field Table 16 Device Information Stored in TLS Client Certificates Name Description OID Device ICCID Integrated Circuit Card Identifier ICCID number from the Subscriber...

Page 93: ...nd OS X 10 7 Lion or later device provisioning check box to enable provisioning for these devices Mark the Enable device authentication check box to enable an additional authorization step to be performed during device provisioning See Advanced Device Authentication During Provisioning for details about this process Use the Display Name and Profile Description text fields to control the user inter...

Page 94: ...te used to sign the configuration profile This certificate will be automatically created by the certificate authority and appears as the Signed field on the device when the user authorizes the device provisioning Mark the Change the profile ID check box to change the unique value associated with the configuration profile This value is used to identify the configuration settings as being from a par...

Page 95: ...this option requires that the device be able to resolve the listed hostname at the time the device is provisioned The system s IP address network adapter name Select this option to use the IP address of the system for device provisioning The drop down list includes one option for each of the IP addresses detected on the system Use this option when DNS resolution of the system s hostname is not ava...

Page 96: ...cial SSL certificate Configuring User Interface Options for Mac OS X Windows and Android Devices The Device Provisioning section of the Device Provisioning Settings form allows you to customize the user interface displayed by the QuickConnect app To display your enterprise s logo select an image from the list in the Logo Image field Navigate to Administrator Content Manager to upload new images fo...

Page 97: ...e of security that is used See Configuring Basic Network Access Settings Protocols Specifies the 802 1X authentication protocols that are used by the network See Configuring 802 1X Authentication Network Settings Authentication Specifies the type of device authentication to be used for the network See Configuring Device Authentication Settings Trust Specifies options related to mutual authenticati...

Page 98: ... when the Network Type is set to Wired only Personal PSK Use this option to setup a network that requires only a pre shared key password to access the network This option is only available when the Network Type is set to Wireless only The Security Type field lets you set the encryption version for the wireless network to WPA or WPA2 If you have selected the Personal PSK security type you must prov...

Page 99: ...y be used if you have a specific requirement for that method The Windows EAP options that may be specified include Enable Fast Reconnect Fast Reconnect is a PEAP property that enables wireless clients to move between wireless access points on the same network without being re authenticated each time they associate with a new access point Enable Quarantine Checks Enable this option to obtain a syst...

Page 100: ...ed but the client authentication will use unique device credentials as for Onboard devices When this option is selected EAP TTLS or PEAP must be selected on the Protocols tab The Windows Authentication options that may be selected are Machine Only Use computer only credentials User Only Use user only credentials Machine Or User Use computer only credentials or user only credentials When a user is ...

Page 101: ...iew certificates for potential issues before accepting them Mark the Validate the server certificate check box for Windows This ensures that the provisioned device will check the server certificate is valid before using the server for authentication In the Android Trust row the default setting is for Android devices to automatically provision Onboard s Root CA certificate to the device You can cho...

Page 102: ...If a client is not compliant NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access Deploying NAP requires a NAP compatible authentication server so that appropriate policies may be implemented based on the statement of health provided by the NAP client To enable NAP for Microsoft Windows clients mark the Enable NAP...

Page 103: ... proxy server if the device supports it Specify the location of a proxy auto config file in the PAC URL text field Click the Previous button to return to the Windows tab Click the Next button to continue to the Post Install tab Click the Save Changes button to make the new network configuration settings take effect Click the Cancel button to discard your changes and return to the main Onboard conf...

Page 104: ...e new network configuration settings take effect Click the Cancel button to discard your changes and return to the main Onboard configuration user interface Configuring an iOS Device VPN Connection To configure the VPN settings that will be sent to a device go to Onboard VPN Settings or click the VPN Settings command link The VPN Settings page opens This page is used to automatically configure vir...

Page 105: ...ng Protocol Complete the fields shown in the L2TP Connection Settings section of the form PPTP Connection uses the Point to Point Tunneling Protocol Complete the fields shown in the PPTP Connection Settings section of the form IPSec Connection uses the Internet Protocol with security extensions Complete the fields shown in the IPSec Connection Settings section of the form The Authentication Type d...

Page 106: ...ation and Password text fields Automatic The proxy server will be automatically configured with this VPN profile Specify the location of a proxy auto config file in the Proxy Server URL text field Click the Save Changes button to save the VPN connection profile and return to the main Onboard configuration user interface Configuring an iOS Device Email Account To configure the Exchange ActiveSync s...

Page 107: ...hoose one of the following options from the Account Details drop down list User provided entered by user on device This option requires the user to enter their credentials on the device to access their email Identity certificate created during provisioning This option uses the device s TLS client certificate to authenticate the user Using this option requires configuration of the ActiveSync server...

Page 108: ...cy To make changes to the Passcode Policy configuration that will be sent to a device go to Onboard Passcode Policy or click the Passcode Policy command link The Passcode Policy Settings page opens This page is used to configure a passcode policy that is applied to iOS devices when provisioned Typically you would enable this policy when provisioning a corporate owned device or if you are allowing ...

Page 109: ...y on all iOS devices mark the Enable passcode policy check box and configure the remaining options according to your enterprise s security requirements Click the Save Changes button to save the passcode policy settings and return to the main Onboard configuration user interface ...

Page 110: ...any server certificates The default certificate authority certificate will be recreated The provisioning settings for iOS and Onboard capable devices are not modified Re create the Onboard weblogin page Select this option to create the default device_provisioning Web login page if it has been deleted or has been modified and no longer functions correctly All certificates and settings are left unmo...

Page 111: ...ormation is unavailable If multiple MAC addresses are available only the first MAC address will be included in the RADIUS request Framed IP Address 8 IPv4 address of the device being provisioned NAS IP Address 4 Always set to 127 0 0 1 NAS Identifier 32 Set to the hostname of the Onboard server NAS Port 5 Always set to 0 NAS Port Type 61 Always set to Ethernet 15 Service Type 6 Always set to Autho...

Page 112: ... have been issued by an untrusted or unknown root certificate authority will cause iOS device provisioning to fail with the message The server certificate for is invalid A workaround for this issue is to install an appropriate root certificate on the iOS device This root certificate must be the Web server s SSL certificate if it is a self signed certificate or the certificate authority that issued...

Page 113: ...connected or for changes in authorization to be made while a guest is connected Lastly the RADIUS database records summarized accounting information about each guest session This allows you to generate reports about guest network usage Accessing RADIUS Services To access RADIUS Services From the Home page click the RADIUS Services command link Alternatively use the RADIUS link at the top level of ...

Page 114: ...equests from incoming clients and generating responses However if you are troubleshooting an authentication problem sometimes it is convenient to see exactly what is being sent and received by the RADIUS server This can help track down configuration problems in NAS clients such as an incorrect shared secret or an invalid request attribute user roles wrong reply attributes or values and other probl...

Page 115: ... The user has never logged in and no sessions have been recorded Logged Out The user has previously logged in but there is no current active session for this user To view the start and stop times for the user s most recent session hover over the text Logged In The user is currently logged in To view the start time for the user s most recent active session hover over the text Stale The user has an ...

Page 116: ... a production environment If you do enable it for troubleshooting remember to disable it when you are through Logging interim accounting updates is optional and is disabled by default You can use the check box in the Interim Accounting row to enable or disable logging of RADIUS interim accounting updates The Internal Auth Type option lets the administrator specify the authentication method to use ...

Page 117: ... consentry consentry cons entr consent consen conse cons con co c Example Correcting the NAS IP Address Attribute Some NAS equipment notably Chillispot will send a NAS IP Address of 0 0 0 0 in accounting records which renders the active sessions list view useless as well as any attempt to perform RFC 3576 management such as a session disconnect This can be fixed by using the Client IP Address inte...

Page 118: ...ed by a unique number The ID is shown in the list view When creating visitor accounts the role_id field should contain the ID of one of the user roles defined in the RADIUS server The RADIUS attributes for each role are shown in the list view The icon displayed with each attribute indicates the type of condition attached to it The attribute is enabled and will always be included in a RADIUS Access...

Page 119: ...d with them which allows you to control the behavior of network access devices that authenticate users with the RADIUS server Furthermore you can associate a set of rules called a condition with each RADIUS attribute This allows you to make adjustments to the precise definition of a role depending on what kind of access is being requested To open the RADIUS Attribute Editor 1 Do one of the followi...

Page 120: ...e definitions The choices for an attribute condition are Always the attribute will always be included in the RADIUS server s response Never the attribute is never included in the response This option can be used to disable an attribute without deleting it Enter condition expression the attribute will be included in the response only if the expression is true See Example Time of Day Conditions and ...

Page 121: ... Example Time Based Authorization In this example users will be authorized to access the network only between the local time of 7 30am and 8 00pm 1 Create a new role named Sample role 2 Click the Add Attribute tab 3 Select the Reply Message attribute from the drop down list Any attribute can be used for this example because the attribute will never be included in the response 4 Select Enter condit...

Page 122: ...ibute php statement The PHP statement is evaluated To include a value for the attribute the statement must be a return statement that is return expression Several predefined functions and variables are available for use in value expressions See View Display Expression Technical Reference in the Reference chapter for details Example Using Request Attributes in a Value Expression In this example the...

Page 123: ... with the Access Request Here the NAS IP Address attribute is retrieved which will contain the IP address of the NAS making the RADIUS request PHP s ternary operator is used to check if the NAS is 192 168 30 2 if it is then 100 is returned as the VLAN ID In all other cases the value 200 is returned as the VLAN ID Multiple ternary statements can be nested in parentheses to allow more than two value...

Page 124: ...ver When a user connects to the NAS device a RADIUS user authentication request Access Request packet is generated by the NAS Network access servers are RADIUS clients and must be predefined in order to access the RADIUS server For security each NAS device must also have a shared secret which is known only to the device and the RADIUS server To manage network access servers Go to RADIUS Network Ac...

Page 125: ...S servers This name must be unique The NAS type is selected from a drop down list with the following predefined types Other NAS RFC 3576 Dynamic Authorization Extensions Compatible Aerohive RFC 3576 support Aruba Networks RFC 3576 support Aruba Networks Bluesocket Chillispot RFC 3576 support Cisco Cisco RFC 3576 support Colubris HP Consentry Networks Enterasys Extreme Networks Extricom Infoblox Ju...

Page 126: ...this chapter for details on customizing this page Click the Create NAS Device button to create this NAS If you do not want to proceed click the Reset Form button to cancel your entry Once a NAS entry has been created it can be edited deleted or pinged by clicking on it Importing a List of Network Access Servers NAS entries may be created from an existing list by uploading the list to ClearPass Gue...

Page 127: ...68 22 12 Radius_Secret external 10 22 0 10 Rmd 3n2pEfz9 Because this data does not include a header row that contains field names the corresponding fields must be identified in the data Use the Match Fields form to identify which NAS server fields are present in the imported data You can also specify the values to be used for fields that are not present in the data To complete the Match Fields for...

Page 128: ...rt process The selected items will be created or updated A completion screen is then displayed showing the results of the import operation You must restart the RADIUS server in order for the new NAS entries to be recognized See Server Control in this chapter for more information Web Logins Many NAS devices support Web based authentication for visitors When you use ClearPass Guest to define a Web l...

Page 129: ...he NAS will perform the actual login 5 which invokes the AAA process If this is successful the NAS will apply the appropriate security policy to the visitor s session 6 enabling them to start browsing the Internet 7 In this way you can provide a branded and customized login page that is integrated with your existing network access devices Use this list view to define new Web login pages and to mak...

Page 130: ...in option controls whether the NAS login should be performed using HTTP or HTTPS When the Dynamic Address check box is selected the NAS login can be performed using the controller s IP address as provided to the client For example when using an Aruba Networks controller the controller performing the redirect sends its IP address using the switchip parameter To use this address for the guest login ...

Page 131: ...e Configuration icon to display the MAC Authentication Plugin page Select the Allow users to be detected via their MAC address option and click Save Configuration On the RADIUS Web Login page select Anonymous in the Authentication field Check the Auto generate the anonymous account option Make sure to select the Pre Auth Check option Local match a local account and save the configuration Underscor...

Page 132: ...ide extra fields if required by your NAS device and perform processing on parameters that have been supplied by the NAS during the redirect to the Web login page See NAS Redirect Parameters and NAS Login Parameters in this chapter for details about these parameters The NAS parameters and any extra fields specified are available for use within the Submit URL which may be a template expression This ...

Page 133: ...ting guest self registration page This may be of use when you are creating a landing page suitable for both registered and unregistered visitors You are able to optionally create a login message in this section This could be used to welcome the guest and outline the terms of usage The login message is only displayed for the time specified in the Login Delay The sixth section allows you to specify ...

Page 134: ...owed Access list If the Denied Access list is empty only clients with an IP address that matches one of the entries in the Allowed Access list will be allowed access This behavior is equivalent to adding the entry 0 0 0 0 0 to the Denied Access list Universal Access Method UAM Password Encryption Two different forms of password encryption are supported for the Web login page These are UAM basic Eq...

Page 135: ...page can be used within the template code Each parameter is defined as a page variable with the same name You can use the syntax var to display the value of the parameter var More complicated expressions can be built using Smarty template syntax See Smarty Template Syntax in the Reference chapter for details The NAS redirect parameters are also automatically stored as the properties of a session v...

Page 136: ...bile device App from associated App Store for retail applications Provide mobile device App based Web authentication for transparent Wi Fi access in retail application Mobile Device Access Control MDAC environments where the Web authentication process is used to push Device configurations and client certificates to mobile devices This Web sheet is displayed on iOS devices when a device connects to...

Page 137: ...n to the Open network will be dropped automatically preventing any further interaction via the full browser or other applications The following are examples of these Web sheet sessions from a Mac OS X Lion 10 7 laptop iPad and an iPhone Figure 18 Captive Network Assistant on MacOS X Figure 19 Captive Network Assistant on iPad ...

Page 138: ...l configuration has shown to also prevent the display of the Captive Network Assistant on Apple devices It appears that the redirect process to the HTTPS hosted Web Login page on ClearPass Guest prevents the display of the Web sheet and it is assumed that the Captive Network Assistant only supports HTTP This recommended approach of using HTTPS to avoid user credentials being passed in the clear fo...

Page 139: ...ptive Portal configuration If these devices are detected their initial request to the Apple Web site will be served locally from the ClearPass Guest server emulating the environment of an Open connection to the Internet By emulating the response from the Apple Web site the iOS device or Mac OS X machine will no longer initiate the Captive Network Assistant and the user can launch their local brows...

Page 140: ...he ClearPass Guest RADIUS server uses a database to store the user accounts for authentication and other settings for the server You can set up as many databases as you like including databases on other servers However exactly one database must be marked as the Active database This database will be used by the RADIUS server for user authentication The default configuration for ClearPass Guest incl...

Page 141: ...DIUS Dictionary is a complete list of all the vendor IDs vendor specific attributes and attribute values used in the RADIUS protocol The dictionary is used to translate between human readable strings and the underlying numbers used in RADIUS packets Many predefined vendor specific attributes have already been provided in the dictionary These items are indicated with a lock icon and cannot be remov...

Page 142: ... able to export the dictionary by clicking on the More Options tab and choosing the Export Dictionary command This saves the complete contents of the dictionary as a text file Reset Dictionary You can reset the dictionary to its default set of vendors To reset the dictionary 1 Click the More Options tab above the Dictionary Entry list then click the Reset to Defaults command The Reset Dictionary f...

Page 143: ... It is unique to this vendor and is used by the RADIUS protocol For the current mapping of vendor names to IANA Private Enterprise Codes refer to the IANA Web site http www iana org assignments enterprise numbers The Vendor Number must be less than or equal t o 65535 Once you have completed the form click the Create Vendor button to add this vendor to the dictionary Edit Vendor You are able to cha...

Page 144: ...Pv4 Address Date Time IPv6 Address IPv6 Prefix Interface ID 8 octets Ascend Binary Filter Attribute numbers are normally small decimal numbers in the range 0 255 These may be entered in decimal or in hexadecimal using the 0x prefix Certain vendors in the dictionary have support for larger attribute values If you want the attribute to appear in the active session views and on RADIUS accounting repo...

Page 145: ... takes place Add Attribute Value A Value Name with a corresponding numerical value can be created for a selected attribute These enumerated values are used to associate meaningful names with the underlying numerical values of the attribute Once an integer attribute has been added to a vendor you are able to define enumerated values for it When a vendor specific attribute is of integer type this ca...

Page 146: ...luding digital certificates smart cards and passwords This authentication protocol is the basis for the IEEE 802 1X standard which provides port based network access control for both wired and wireless networks ClearPass Guest supports EAP and 802 1X authentication This authentication method requires EAP messages to be encapsulated inside RADIUS packets The RADIUS server must also be configured wi...

Page 147: ...rtificate To export a server certificate see Exporting Server Certificates Specifying Supported EAP Types To enable the EAP TLS EAP TTLS and PEAP options on the EAP Configuration form you must first configure a digital certificate for the RADIUS server The server certificate is the RADIUS server s identity and will be provided to clients authenticating with these EAP methods To create and manage t...

Page 148: ...cally check certificate revocation status If this option is selected an OCSP responder defined in the client certificate is used to obtain revocation status If no OCSP responder is defined in the client certificate then the local certificate authority is used to check status Manually specify OCSP URL for certificate checks If this option is selected the URL specified in the OCSP row of the EAP Con...

Page 149: ...r In step 3 the certificate authority and server certificates are installed on the RADIUS server The CA root certificate is then downloaded for distribution to clients who will use this RADIUS server for authentication To create a self signed certificate authority and issue a server certificate using this CA use the process described below If you already have a certificate authority or are using a...

Page 150: ...icate Expiration fields 3 Click the Continue button to proceed to step 3 Installing the Self Signed RADIUS Server Certificate On the Certificate Details form the details of the RADIUS server certificate and its issuer and the certificate s validity period are displayed for review The Install Server Certificate form is included To confirm the certificate s information and complete the process mark ...

Page 151: ... certificate authority CA The CA signs the request to create the server s digital certificate Once you have the certificate you need to import it to set it up for use with EAP See Importing a Server Certificate Importing a Server Certificate To import a digital certificate and its private key go to RADIUS Authentication EAP 802 1X and click the Import Server Certificate command link The Import Ser...

Page 152: ...omplete the import process and configure the EAP server certificate After importing the certificate the RADIUS server will need to be restarted to complete the changes Exporting Server Certificates The Export Server Certificate form is used to export the RADIUS server s digital certificate or the certificate authority s root certificate in several different formats Select one of these options to e...

Page 153: ...ficate only and use the default PKCS 7 container format 6 Click the Download File button and a file named Guest Certificate Authority p7b will be downloaded the precise name depends on the common name for the CA certificate 7 This file must be imported as a trusted root certification authority on any client wishing to authenticate using this RADIUS Server The reason for this is that the server s i...

Page 154: ... the p7b file from Windows Explorer 2 Select the certificate in the list Right click it and choose Open The Certificate Information dialog opens 3 Click the Install Certificate button The Certificate Import Wizard opens 4 Click Next The Certificate Store form opens ...

Page 155: ... 3 9 Deployment Guide RADIUS Services 155 5 Click the Browse button to select the Trusted Root Certification Authorities store 6 Click OK and then click Next The last page of the Certificate Import Wizard is displayed ...

Page 156: ...e certificate all future certificates from this certificate authority will automatically be trusted 8 To make use of the imported root certificate make sure that the CA is specified as a Trusted Root Certification Authority for the wireless network connection that is using PEAP Click Yes to confirm and accept the certificate ...

Page 157: ...For information on Proxy RADIUS LDAP and local certifiacate authority external authentication servers see External Authentication Servers EAS To view the current domain information join or leave a domain or perform authentication tests for user accounts in the domain use the Active Directory Services command link on the RADIUS Authentication page The Domain Summary table shows the current domain s...

Page 158: ... the domain click the Join Domain command link on the RADIUS Authentication Active Directory Services page The Join Active Directory Domain form is displayed and includes troubleshooting tips When the server s DNS and network settings are correctly configured all the necessary domain related information is automatically detected ...

Page 159: ... for a domain administrator account Click the Join Domain button to complete the process Once the domain has been joined the status is available on the Active Directory Services page Testing Active Directory User Authentication To verify that the domain has been joined successfully click the Test Authentication command link on the RADIUS Authentication Active Directory page Provide a username and ...

Page 160: ...he username and password of a domain user is required to perform an LDAP bind to the Active Directory domain controller so that LDAP search operations can be performed for other user accounts in the directory The credentials provided do not need to be those of a domain administrator a restricted user account may be provided here Only user lookup operations are performed with this user account To p...

Page 161: ...entication servers and to modify system settings related to user authentication To perform certain types of user authentication such as using the MS CHAPv2 protocol to verify a username and password the RADIUS server must first be joined to an Active Directory domain See Active Directory Domain Services for more information Types of External Authentication Server An authentication server may be on...

Page 162: ...a server may be used to check the connection to an authentication server or verify the authorization rules that have been configured For Local Certificate Authority external authentication servers additional testing options are included to simulate EAP TLS authentication with a client certificate For information on editing an external authentication server see Configuring Properties for External A...

Page 163: ...g Authorization for External Authentication Servers in this chapter for details Configuring an Active Directory EAS Microsoft Active Directory user accounts are defined in a forest or domain and authenticated by the domain controller Both user and machine accounts may be authenticated Additionally support is provided for authenticating users with a supplied username of either DOMAIN user or user F...

Page 164: ...irectory but may be set to the root of the directory for example DC example DC com in order to authenticate both user and machine accounts Advanced Options additional options controlling authentication against the directory The following advanced options may be required in several common situations and are documented below access_attr_used_for_allow yes Determines if the access_attr LDAP attribute...

Page 165: ...SE the user is permitted access If the attribute exists and is set to FALSE the user is denied access If the attribute does not exist the user is denied access If access_attr_used_for_allow is no then the access_attr attribute is checked for existence in the user object If the attribute exists the user is denied access If the attribute does not exist the user is permitted access ldap_connections_n...

Page 166: ... sends the RADIUS server a username in the form of DOMAIN user but sends the challenge response based on only the user portion Enable this option to handle this behavior correctly ntlm_auth_domain domain name Domain name to provide when performing an NTLM authentication this is only required in certain circumstances for example authentication of users in a network using multiple domains and RADIUS...

Page 167: ...ess of the port number and never perform unencrypted LDAP Certificate Check displayed when one of the TLS security options is selected See Managing Certificates for External Authentication Servers in this chapter for information about installing digital certificates for external authentication servers The certificate verification options that may be selected are Do not request or verify the server...

Page 168: ...If set to yes the directory may provide an LDAP referral from the directory to answer the request This option must be set to no if you are contacting an Active Directory LDAP server access_attr_used_for_allow yes access_attr empty To configure the authorization method for an LDAP external authentication server see Configuring Authorization for External Authentication Servers See Configuring Proper...

Page 169: ...choose an authorization method from the Method drop down list Method options available for Local Certificate Authority servers are No authorization Authenticate only Use the common name of the certificate to match a local user account Assign a fixed user role Contractor Employee or Guest Use PHP code to assign a user role For information about these authorization methods see Configuring Authorizat...

Page 170: ...ed via EAP TLS on a client s local certificate server The RADIUS server will return an Access Accept or Access Reject message indicating the result of the authentication attempt Use attributes from Proxy RADIUS server may be used with a Proxy RADIUS external authentication server The RADIUS server passes through the Access Accept or Access Reject message from the proxy server as well as all RADIUS...

Page 171: ...reation or modification of the external authentication server About Authorization Methods in External Authentication Servers The level of authorized access an authenticated user can have is controlled by the external authentication server s authorization method There are two aspects to user authorization Is the user allowed Yes no decisions can be made in the context of authorization Examples user...

Page 172: ...s the RADIUS attributes defined for the fixed role that has been selected for this authentication server Use PHP code to assign a user role Advanced may be selected to return a role ID for users authenticated via EAP TLS on a client s local certificate server The PHP authorization code is entered on the Edit Authentication Server form The RADIUS Authentication diagnostic can be used to demonstrate...

Page 173: ... DN for the authentication server is set to the root of the domain for example DC server DC local rather than the users container This is necessary as the organizational units are located below the top level of the directory and cannot be searched from the CN Users container 2 Select the authorization method Use PHP code to assign a user role Advanced and use the following code if stripos user dis...

Page 174: ...t the complete distinguished name DN for the group must be specified as this is the value checked for in the array of values returned for the memberOf attribute The primary group of a user assigned in Active Directory cannot be checked in this way as Active Directory does not return the primary group in the values of the memberOf attribute You can build logic that uses the user primarygroupid prop...

Page 175: ...dress field for the Calling Station Id attribute 4 In the TLS Identity drop down list choose the format of the TLS client certificate The rest of the options available in the Inner Authentication area of the form depend on the TLS Identity selected To provide details for the selected TLS identity do one of the following If you selected PKCS 12 container with certificate and key p12 pfx for the TLS...

Page 176: ...de the lines BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY 4 Optional In the Passphrase row you may enter the passphrase for the client s private key 5 Optional To provide a file containing a CA certificate for verifying the server s identity you can use the Certificate Authority row to browse to the file When you have completed the fields for the network settings outer authentication and inner au...

Page 177: ...y X 509 or plain text Delete remove the certificate so that it will no longer be used for trust purposes To import a new certificate click the Import Certificate tab Use the Import Certificate form to specify a certificate file to upload The supported formats for digital certificates are Binary X 509 certificate also known as ASN 1 or DER format Certificates in this format typically have the file ...

Page 178: ...178 RADIUS Services ClearPass Guest 3 9 Deployment Guide ...

Page 179: ...ins ClearPass Guest supports role based access control through the use of operator profiles Each operator using the application is assigned a profile which determines the actions that the operator may perform as well as global settings such as the look and feel of the user interface Your profile may only allow you to create guest accounts or your profile might allow you to create guest accounts as...

Page 180: ...n an operator profile may be overridden in a specific operator s account settings These customized settings will take precedence over the default values defined in the operator profile Click the Manage Operator Profiles command link on the Administrator Operator Logins page to define new operator profiles and to make changes to existing operator profiles Creating an Operator Profile Click the Crea...

Page 181: ...ptions row you may keep the default setting or choose an option from the drop down list Password options are as follows Allow operators to change their password Enables the Change Password link in the navigation which allows an operator to change their password This is the default setting Prevent operators from changing their password The password cannot be changed by the operator Use this option ...

Page 182: ...t select the appropriate privileges in order for the profile to work See Operator Profile Privileges in this chapter for details about the available access levels for each privilege If you choose the Custom setting for an item the form expands to include additional privileges specific to that item 4 The User Roles list allows you to specify which user databases and roles the operator will be able ...

Page 183: ...o operator filter only show accounts created by the operator and only show accounts created by operators within their profile 6 The User Account Filter and Session Filter fields are optional and allow you to create and configure these filtering options The User Account Filter field lets you create a persistent filter applied to the user account list For example this feature is useful in large depl...

Page 184: ...ional In the Skin row the Default setting indicates that the skin plugin currently marked as enabled in the Plugin Manager will be used To have a different skin displayed for users with this operator profile choose one of the available skins from the drop down list For more information on skins see Configuring the Aruba ClearPass Skin Plugin in the Administrator Tasks chapter 2 Optional In the Sta...

Page 185: ...rom the drop down list 4 Optional In the Time Zone row the Default setting indicates that the operator s time zone will default to the system s currently configured time zone You can use the drop down list to specify a particular time zone Customizing Forms and Views 1 Optional In the Customization row to specify that an operator profile should use a different form when creating a new visitor acco...

Page 186: ...Resetting guest passwords Refer to the description of each individual operator privilege to determine what the effects of granting that permission will be Managing Operator Profiles Once a profile has been created you are able to view to edit and to create new profiles When you click an operator profile entry in the Operator Profiles list a menu appears that allows you to perform any of the follow...

Page 187: ...9 Deployment Guide Operator Logins 187 Local Operator Authentication Local operators are those defined in ClearPass Guest Creating a New Operator After you create a profile you can create an operator to use that profile ...

Page 188: ...ssion filter enter a comma delimited list of field value pairs Supported operators are described below The user can enter a simple substring to match a portion of the username or any other fields that are configured for search and may include the following operators The Account Limit field lets you set a limit for the number of accounts that an operator can create Note that disabled accounts are i...

Page 189: ...e removes the operator login from the Operator Logins list Disable temporarily disables an operator login while retaining its entry in the Operator Logins list Enable reenables a disabled operator login Duplicate makes a copy of the profile to use as a basis for a new profile Edit Profile opens the operator profile editor allowing you to edit the operator profile associated with the selected opera...

Page 190: ...ervers ClearPass Guest supports a flexible authentication mechanism that can be readily adapted to any LDAP server s method of authenticating users by name There are built in defaults for Microsoft Active Directory servers POSIX compliant directory servers and RADIUS servers When an operator attempts to log in each LDAP server that is enabled for authentication is checked in order of priority from...

Page 191: ...ection hostname and optional port number use a Server URL of the form ldap hostname or ldap hostname port See Advanced LDAP URL Syntax in this chapter for more details about the types of LDAP URL you may specify Select the Enabled option if you want this server to authenticate operator logins ...

Page 192: ...ver POSIX Compliant Server URL The URL of the LDAP server Bind DN The password to use when binding to the LDAP server or empty for an anonymous bind Bind Password The password to use when binding to the LDAP server Leave this field blank to use an anonymous bind Base DN The Distinguished Name to use for the LDAP search Default Profile The default operator profile to assign to operators authorized ...

Page 193: ...DAP server URL using a format such as ldap 192 168 88 1 ou IT 20Services ou Departments dc server dc com To specify a secure connection over SSL TLS use the prefix ldaps To specify the use of LDAP v3 use the prefix ldap3 or ldap3s if you are using LDAP v3 over SSL TLS When Microsoft Active Directory is selected as the Server Type LDAP v3 is automatically used An LDAP v3 URL has the format ldap hos...

Page 194: ...ectivity operator authentication and to look up operator usernames Testing Connectivity To test network connectivity between an LDAP server and the ClearPass Guest server click the Ping link in the server s row The results of the test appear below the server entry in the LDAP server table Testing Operator Login Authentication 1 To test authentication of operator login values select a server name i...

Page 195: ...authorization information for the specified sponsor 5 Click Search Directory to attempt to find sponsor names that match the lookup values or click Cancel to cancel the test The Authentication Test area is added above the server names to indicate the search s progress Troubleshooting Error Messages The error messages in the following table can be used to diagnose error messages such as LDAP Bind f...

Page 196: ...DAP translation rule 1 In the Name field enter a self explanatory name for the translation rule In the example above the translation rule is to check that the user is an Administrator hence the name MatchAdmin 2 Select the Enabled check box to enable this rule once you have created it If you do not select this check box the rule you create will appear in the rules list but will not be active until...

Page 197: ...ctory Assign custom value to operator field uses a template to assign a value to a specific operator field Apply custom processing evaluates a template that may perform custom processing on the LDAP operator Remove attribute from operator removes the selected LDAP attribute from the operator 6 Click the Operator Profile drop down list and select the profile to be assigned if there is a rule match ...

Page 198: ...er priority on the rule list Move Down moves the rule down to a lower priority on the rule list Custom LDAP Translation Processing When matching an LDAP translation rule custom processing may be performed using a template The template variables available are listed in the table below For a Smarty template syntax description See Smarty Template Syntax in the Reference chapter These may be used to m...

Page 199: ... of groups The operator field enabled will determine if the user is permitted to log in or not The custom template uses the strip block function to remove any whitespace which makes the contents of the template easier to understand The if statement first checks for membership of the Administrators group using the PHP stripos function for case insensitive substring matching if matched the operator ...

Page 200: ...gins Configuration command link to modify these configuration parameters Custom Login Message If you are deploying ClearPass Guest in a multi lingual environment you can specify different login messages depending on the currently selected language The following example from the demonstration site uses Danish da Spanish es and the default language English as highlighted in bold if current_language ...

Page 201: ... form Select the login skin from the Login Skin drop down menu Options include the default skin or a customized skin Operator Password Options The password complexity for operators may be specified here The following options are available No password complexity requirement a password policy is not defined by the system At least one uppercase and one lowercase letter At least one digit At least one...

Page 202: ...Log all access Log messages for operator logins whether successful or unsuccessful are shown in the application log Automatic Logout The Logout After option in the Advanced Options section lets you configure an amount of idle time after which an operator s session will be ended The value for Logout After should be specified in hours You can use fractional numbers for values less than an hour for e...

Page 203: ...ms and views as well as the forms for guest self registration Accessing Guest Manager Use the Guest Manager command on the home page to access the guest management features Alternatively use the Guest Manager navigation menu to jump directly to any of the features within Guest Manager About Guest Management Processes There are two major ways to manage guest access either by your operators provisio...

Page 204: ...on her receipt The NAS authenticates and authorizes the guest s login in ClearPass Guest Once authorized the guest is able to access the network Self Provisioned Guest Access Self provisioned access is similar to sponsored guest access but there is no need for an operator to create the account or to print the receipt See Figure 25 Figure 25 Guest access when guest is self provisioned The guest log...

Page 205: ... a complete set of features for managing guest accounts including Creating single guest accounts Creating multiple guest accounts Listing guest accounts and editing individual accounts Editing multiple accounts Viewing and managing active sessions Importing new accounts from a text file Exporting a list of accounts Viewing MAC devices Creating new MAC devices Customizing Guest Manager settings for...

Page 206: ...ccount cannot be used before the activation time or after the expiration time The Account Role specifies what type of account the visitor should have A random password is created for each visitor account This is displayed on this form but will also be available on the guest account receipt You must mark the Terms of Use check box in order to create the visitor account Click the Create Account butt...

Page 207: ...r an SMS message has been sent Click the Send email receipt link to send an email copy of the guest account receipt Use the Email Receipt form to enter the email address to which the receipt should be sent You can also specify the subject line for the email message If the administrator has enabled automatic email for guest account receipts and the visitor s email address was typed into the New Vis...

Page 208: ...e Guest Account Receipts Once a group of guest accounts has been created the details for the accounts are displayed To print the receipts select an appropriate template from the Open print window using template list A new Web browser window will open and the Print dialog box will be displayed To download a copy of the receipt information in CSV format click the Save list for scratch cards CSV file...

Page 209: ...st Accounts form create_multi has not yet been customized to include it You will create it for the form in the next step 2 Click on any field in the list to expand a row then click the Insert After link you can modify this placement later The Customize Form Field form opens 3 In the Field Name row choose password from the drop down list The form displays configuration options for this field 4 In t...

Page 210: ...nts you wish to create 3 In the Visitor Password field enter the password that is to be used by all the accounts 4 Complete the other fields with the appropriate information then click Create Accounts The Finished Creating Guest Accounts view opens The password and other account details are displayed for each account ...

Page 211: ...ing or removing the existing fields See Customization of Fields in this chapter for details about this customization process The default settings for this view are described below The Username Role Status and Expiration columns display information about the visitor accounts that have been created The value in the Expiration column is colored red if the account will expire within the next 24 hours ...

Page 212: ... ability to customize the view Click a user account s row to select it You can then select from one of these actions Reset password Changes the password for a guest account A new randomly generated password is displayed on the Reset Password form Table 24 Operators supported in filters Operator Meaning Additional Information is equal to You may search for multiple values when using the equality or...

Page 213: ...letes a guest account Select the appropriate Action radio button and click the Make Changes button to disable or delete the account Activate Re enables a disabled guest account or specifies an activation time for the guest account Select an option from the drop down list to change the activation time of the guest account Choose Now to re enable an account that has been disabled Click the Enable Ac...

Page 214: ...s receipt To recover a forgotten or lost guest account password use the Reset password link Managing Multiple Guest Accounts Use the Edit Accounts list view to work with multiple guest accounts This view may be accessed by clicking the Edit Multiple Guest Accounts command link This view guest_multi may be customized by adding new fields or by modifying or removing the existing fields See Customizi...

Page 215: ... to work with You may click either the check box or the row to select a visitor account To select or unselect all visible visitor accounts click the check box in the header row of the table Table 25 Operators supported in filters Operator Meaning Additional Information is equal to You may search for multiple values when using the equality or inequality operators To specify multiple values list the...

Page 216: ...lable if there are no visitor accounts selected This form may be customized by adding new fields or modifying or removing the existing fields See Customizing Self Provisioned Access in this chapter for details about this customization process This is the guest_multi_form form The Results tab will be automatically selected after you have made changes to one or more guest accounts You can create new...

Page 217: ... set encoding you are using Import format The format of the accounts file is automatically detected You may specify one of the following encoding types if the automatic detection is not suitable for your data XML Comma separated values Tab separated values Pipe separated values Colon separated values Semicolon separated values Select the Force first row as header row check box if your data contain...

Page 218: ...emo eleven secret011 2011 06 13 12 00 Because this data includes a header row that contains field names the corresponding fields have been automatically detected in the data Use the Match Fields form to identify which guest account fields are present in the imported data You can also specify the values to be used for fields that are not present in the data To complete the Match Fields form make a ...

Page 219: ...wn list at the bottom of the form and select the number of entries that should appear on each page Click the check box by the account entries you want to create or click one of the following options to select the desired accounts Click the This Page link to select all entries on the current page Click the All link to select all entries on all pages Click the None link to deselect all entries Click...

Page 220: ...ount lifetime is not set Expire Action Number specifying the action to take when the guest account expires 0 through 4 The default XML format consists of a userlist element containing a user element for each exported guest account The numeric ID of the guest account is provided as the id attribute of the user element The values for both standard and custom fields for guest accounts are exported as...

Page 221: ... content and advertising Default Settings for Account Creation The Guest Manager plugin configuration holds the default settings for account creation These settings can be modified by navigating to Customize Guest Manager within the Guest Manager Customization screen Figure 26 Customize Guest Manager page part 1 Username Type The default method used to generate random account usernames when creati...

Page 222: ...ield is set to Format picture It sets the format of the password to be created See Format Picture String Symbols in the Reference chapter for a list of the special characters that may be used in the format string This may be overridden by using the random_password_picture field Password Complexity The policy to enforce when guests change their account passwords using the guest self service user in...

Page 223: ... value is 1 year after the user account is deleted If you do not want to retain any data set the value to 0 If you want to view deleted accounts in a list view or report add the delete_time field to the output and deleted users will automatically be included in the results Session Warning Number of minutes prior to being logged out before warning the guest Enter 0 to disable warnings Expiration Op...

Page 224: ... use using the Content Manager See Content Manager in the Administrator Tasks chapter If this file is called terms html then the Terms of Use URL should be public terms html Active Sessions Default maximum number of active sessions that should be allowed for a guest account This may be overridden by using the simultaneous_use field when creating or editing a guest account Password Logging By defau...

Page 225: ...ators on the Guest Manager start page to be customized or removed if a single hyphen is entered About Fields Forms and Views A field is a named item of information A form is a group of fields that is used to collect information from an operator whereas a view is a grouping of fields that is used to display information to an operator Business Logic for Account Creation When guest accounts are creat...

Page 226: ...is used random_password_method The method used to generate a random account password If not specified the default value from the GuestManager configuration is used random_password_length The length in characters of random account passwords If not specified the default value from the GuestManager configuration is used Visitor Account Activation Properties enabled This field determines if the accoun...

Page 227: ...d use that expiration time and set do_expire to 4 if it has not otherwise been set If the expire_time specified is in the past set do_expire to 0 and ignore the specified expiration time Otherwise if expire_time is not specified then the expire_time is not set and do_expire will always be set to zero expire_postlogin This field determines the amount of time after the initial login for which the vi...

Page 228: ...f the standard fields shipped with ClearPass Guest Standard Forms and Views The figure below shows the standard forms and views in the application The table below lists all the forms and views used for visitor management Table 27 Visitor Management Forms and Views Name Type Visitor Management Function Editable change_expiration Form Change Expiration Yes create_multi Form Create Multiple Yes creat...

Page 229: ...st of guest accounts optimized for working with multiple accounts guest_sessions view displays a list of current or historical sessions See Active Sessions Management in this chapter guest_users view displays a list of guest accounts optimized for working with individual accounts Customization of Fields Custom fields are fields that you define yourself to cater for areas of interest to your organi...

Page 230: ...r the Create a new field link at the bottom of the window The Create Field form is displayed The Field Name is not permitted to have spaces but you can use underscores Enter a description in the Description field You can enter multiple line descriptions which result in separate lines displayed on the form The Field Type can be one of String Integer Boolean or No data type The No data type field wo...

Page 231: ... field is copied and a number appended to the end of the field name for example if you were to duplicate the card_code field the duplicated field would be card_code_1 To rename the field click Edit Editing a Field You are able to alter the properties of the field by making changes to the Field Name Field Type or Description when you click the Edit link This link is available when you click a field...

Page 232: ...ms and Views page opens Editing Forms and Views Clicking on the Use link opens the form or view for use in your Web browser An asterisk shown next to a form or view indicates that the form or view has been modified from the defaults Click the Reset to Defaults link to remove your modifications and restore the original form Resetting a form or view is a destructive operation and cannot be undone Yo...

Page 233: ...rived from the original which cannot be changed Use the Title and Description properties of the duplicated item to describe the intended purpose for the form or view Click the Show Usage link for a duplicated form or view to see the operator profiles that are referencing it Click the Delete link for a duplicated form or view to remove the copy A duplicated item cannot be removed if it is reference...

Page 234: ...d definition Any changes made to the field using this editor will apply to all forms that are using this field except where the form field has already been modified to be different from the underlying field definition The Insert Before and Insert After links can be used to add a new field to the form Clicking one of these links will open a blank form field editor and automatically set the rank num...

Page 235: ...ending on the selection you make in the User Interface drop down list The available user interface elements are listed below together with an example of each Use default The default user interface type defined for the field will be used No user interface The field does not have a user interface specified Using this value will cause a diagnostic message to be displayed Form element is missing the u...

Page 236: ...its value set to the check box value default and recommended value 1 If the check box is not selected the field is not submitted with the form Checklist A list of check boxes is displayed The text displayed for each check box is the value from the options list Zero or more check boxes may be selected This user interface type submits an array of values containing the option key values of each selec...

Page 237: ...omma separated list of the selected values enable the Advanced options select NwaImplodeComma for Conversion select NwaExplodeComma for Display Function and enter the field s name for Display Param The Vertical and Horizontal layout styles control whether the check boxes are organized in top to bottom or left to right order The default is Vertical if not specified When using these options you may ...

Page 238: ...endar and time chooser A date may be typed directly into the text field or selected using the calendar The text value typed is submitted with the form If using a date time picker you should validate the field value to ensure it is a date Certain guest account fields such as expire_time and schedule_time require a date time value to be provided as a UNIX time value In this case the conversion and d...

Page 239: ...the User Interface drop down list the field is not displayed to the user but is submitted with the form This option is often used to force a specific value such as a user s role or an expiration date However it is possible for someone to use browser tools to modify the intial value when the form is submitted If the value should be forced use the Force Value setting under Advanced Properties to ens...

Page 240: ...he user obscured The text typed in this field is submitted as the value for the field Radio buttons The field is displayed as a group of radio buttons allowing one to be selected The text displayed for each option is the value from the options list When the form is submitted the key of the selected value becomes the value of the field ...

Page 241: ...ext The field s value is displayed as a non editable text string An icon image may optionally be displayed before the field s value A hidden element is also included for the field thereby including the field s value when the form is submitted To set the value of this field use the Initial Value option in the form field editor If the Hide when no options are selectable check box is selected the fie...

Page 242: ...on in the form field editor If the Hide when no options are selectable option is selected the field will be hidden if its value is blank Static text Options lookup The value of the field is assumed to be one of the keys from the field s option list The value displayed is the corresponding value for the key as a non editable text string An icon image may optionally be displayed before the field s v...

Page 243: ...Important CSS class to visually distinguish the group heading s title Submit button The field is displayed as a clickable form submit button with the label of the field the label of the button The description is not used The field s value is ignored and will be set to NULL when the form is submitted To place an image on the button an icon may be specified To match the existing user interface conve...

Page 244: ...fy the desired minimum dimensions of the text area either with the Rows and Columns options or by specifying a width in the CSS Style for example width 460px height 100px specifies a 460 x 100 pixel minimum area Text field The field is displayed as a single line text box The text typed in this box is submitted as the value for the field A short text label may be placed after the text box using the...

Page 245: ...value In particular for drop down list and radio button selections the initial value should be the key of the desired default option Likewise for date time fields that have a display function set the initial value should be a value that can be passed to the display function Select the Field value must be supplied check box to mark the field as a required field Required fields are marked with an as...

Page 246: ...s this does not need to be set Set the Validator Param to its default value Use argument to provide a fixed value as the argument to the validator The Validator Argument is used to provide further instructions to the selected validator Not all validators require an argument a validator such as IsValidEmail is entirely self contained and will ignore the Validator Argument Validators such as IsEqual...

Page 247: ...on under the Advanced Properties Example 2 To create a form field that accepts one of a small number of string values use the following settings in the form field editor This example could be used for a string field named visitor_department Because the values are known in advance a drop down list is the most suitable user interface An initial value for the form field as shown above could be used i...

Page 248: ... to those found elsewhere in the application On the Customize Form Fields page select the Show advanced properties check box to display the advanced properties in the form field editor The Conversion Value Format and Display Function options can be used to enable certain form processing behavior See Form Field Conversion Functions and Form Field Display Formatting Functions In the Force Value row ...

Page 249: ...from the drop down list For example a bulk account creation might use random usernames and each visitor s entry in that field would not need to match exactly If a preliminary value was provided for the field and the guest s entered value must match case or all characters choose Guest must supply field match case from the drop down list If the guest s entry does not successfully match the preregist...

Page 250: ...me representation from the form field for example 2008 01 01 to UNIX time for example 1199145600 The Validator for the expire_time field is IsValidFutureTimestamp which checks an integer argument against the current time The Value Formatter is applied after validation This may be used in situations where the validator requires the specific type of data supplied on the form but the stored value sho...

Page 251: ... In the case of the expire_time form field the Display Function is set to NwaDateFormat to perform a conversion from a UNIX time to a date time string and the Display Argument specifies the format to use for the conversion See Form Field Display Formatting Functions in the Reference chapter for a detailed list of the options available to you for the Display Function and Static Display Function The...

Page 252: ...e expire_time field uses the JavaScript expression expire_after value 0 for the Visible If option When the 1 option has been selected this condition will become true and the field will be displayed Additional examples of the Visible If conditional expressions can be found in the guest_edit form Editing Views A view consists of one or more columns each of which contains a single field You can chang...

Page 253: ...and automatically set the rank number of the new column Use the Enable Field and Disable Field links to quickly turn the display of a column on or off Click the Add Field tab to add a new column to the view View Field Editor The view field editor is used to control the data display aspects of a column within the view Each column in a view displays the value of a single field To use the default vie...

Page 254: ...n Generally this is a simple expression that returns an appropriate piece of data for display but more complex expressions can be used to perform arbitrary data processing and formatting tasks Customizing Self Provisioned Access Guest self registration allows an administrator to customize the process for guests to create their own visitor accounts The registration process consists of a data collec...

Page 255: ... created and the receipt page is displayed 4 with the details of the guest account If NAS login is enabled submitting the form on this page will display a login message 5 and automatically redirect the guest to the NAS login 6 After authentication and authorization the guest s security profile is applied by the NAS 7 enabling the guest to access the network 8 Creating a Self Registration Page Clic...

Page 256: ...tinue button to proceed to the next step of the setup Once a self registration page has been created you are able to edit delete duplicate or go to it providing self registration has been enabled Editing Self Registration Pages The guest self registration process is displayed in graphical form shown below in See Figure 31 The workflow for the guest is shown using solid orange arrows while the admi...

Page 257: ...ges Click an icon or label in the diagram to jump directly to the editor for that item Configuring Basic Properties for Self Registration Click the Master Enable User Database Choose Skin or Rename Page links to edit the basic settings for guest self registration The Basic Properties window has configurable settings such as Name Description enabling guest self registration Register Page Parent and...

Page 258: ...ne option you can also configure the Hotspot option You can configure this setting so that registrants have to pay for access Requiring Operator Credentials If you want to require an operator to log in with their credentials before they can create a new guest account select the Require operator credentials prior to registering guest check box The sponsor s operator profile must have the Guest Mana...

Page 259: ... 0 24 is less specific than a smaller network such as 192 168 2 192 26 which in turn is less specific than the IP address 192 168 2 201 which may also be written as 192 168 2 201 32 To determine the result of the access control list the most specific rule that matches the client s IP address is used If the matching rule is in the Denied Access field then the client will be denied access If the mat...

Page 260: ...button to update the self registration page and continue to the next editor Editing the Default Self Registration Form Settings Click the Form link for the Register Page to edit the fields on the self registration form The default settings for this form are as follows The visitor_name and email fields are enabled The email address of the visitor will become their username for the network The expir...

Page 261: ...s Click the Receipt Page link or one of the Title Header or Footer fields for the Receipt Page to edit the properties of the receipt page This page is shown to guests after their visitor account has been created Click the Save Changes button to return to the process diagram for self registration ...

Page 262: ...tion for Role Selection You can allow the sponsor to choose the role for the user account at the time the sponsor approves the self registered account To enable role selection by the sponsor 1 Go to Customization Guest Self Registration Click the Guest Self Registration row then click its Edit link The Customize Guest Registration diagram opens 2 In the Receipt Page area of the diagram click the A...

Page 263: ...you configure this option 4 In the Authentication row mark the check box for Require sponsors to provide credentials prior to sponsoring the guest 5 In the Role Override row choose Prompt from the drop down list 6 Complete the rest of the form with the appropriate information then click Save Changes The Customize Guest Registration diagram opens again 7 Click the Launch this guest registration pag...

Page 264: ...unt Role drop down list the sponsor chooses the role for the guest then clicks the Confirm button Editing Download and Print Actions for Guest Receipt Delivery Select the Download or Print check box to enable the template and display options to deliver a receipt to the user as a downloadable file or display the receipt in a printable window in the visitor s browser Editing Email Delivery of Guest ...

Page 265: ...be used to create an opt in facility for guests Use a check box for the auto_send_smtp field and add it to the create_user form or a guest self registration instance and email receipts will be sent to the visitor only if the check box has been selected Display a link enabling a guest receipt via email A link is displayed on the receipt page if the visitor clicks this link an email receipt will be ...

Page 266: ...used to create an opt in facility for guests Use a check box for the auto_send_sms field and add it to the create_user form or a guest self registration instance and SMS messages will be sent to the specified phone number only if the check box has been selected Display a link enabling a guest receipt via SMS A link is displayed on the receipt page if the visitor clicks this link an SMS receipt wil...

Page 267: ...layed if automatic guest login is enabled and a guest clicks the submit button from the receipt page to log in The login page is also a separate page that can be accessed by guests using the login page URL The login page URL has the same base name as the registration page but with _login appended To determine the login page URL for a guest self registration page first ensure that the Enable guest ...

Page 268: ...ter HTML sections The login message page is displayed after the login form has been submitted while the guest is being redirected to the NAS for login The title and message displayed on this page can be customized The login delay can be set this is the time period in seconds for which the login message page is displayed Click the Save Changes button to return to the process diagram for self regist...

Page 269: ...f service portal The behavioral properties of the self service portal are described below The Enable self service portal check box must be selected for guests to be able to access the portal Access to the portal when it is disabled results in a disabled message being displayed this message may be customized using the Disabled Message field The Disabled Users check box controls whether a user accou...

Page 270: ...lity to reset a guest account s password The default user interface for the self service portal is shown below Clicking the I ve forgotten my password link displays a form where the user password may be reset Entering a valid username will reset the password for that user account and will then display the receipt page showing the new password and a login option if NAS login has been enabled This f...

Page 271: ...itor_name field as the Required Field results in a Reset Password form like this Customizing Print Templates Print templates are used to define the format and appearance of a guest account receipt The Print Templates menu item is now located under the Customization Print Templates navigation menu Click a print template s row in the table to select it You can then choose to edit duplicate delete or...

Page 272: ... and the footer Each section must be written in HTML There is provision in each section for the insertion of multiple content items such as logos You are able to add Smarty template functions and blocks to your code These act as placeholders to be substituted when the template is actually used See Smarty Template Syntax in the Reference chapter for further information on Smarty template syntax You...

Page 273: ...a page with guest account details Centered Best for wide logo images less formal design Label Printer These print template styles are designed for small thermal printers in various widths On screen assistance is provided when printing to ensure that a consistent result can be obtained Click the Preview at right or Preview at bottom link at the top of the page to move the real time preview of the p...

Page 274: ... the level of an operator profile The Permissions link is only displayed if the current operator has the Object Permissions privilege This privilege is located in the Administrator group of privileges The permissions defined on this screen apply to the print template identified in the Object line The owner profile always has full access to the print template To control access to this print templat...

Page 275: ... and the settings for it may be viewed The print template cannot be edited or deleted Update access the print template is visible in the list and may be edited The print template cannot be deleted and the permissions for the print template cannot be modified Update and delete access the print template is visible in the list and may be edited or deleted The permissions for the print template cannot...

Page 276: ...int templates include username password expiration as well as other options For the purpose of access codes we only want the username presented This access code login example bases the print template off an existing scratch card templates 1 Navigate to Customization Print Templates 2 Select Two column scratch cards and click Duplicate 3 Select the Copy of Two column scratch cards template then cli...

Page 277: ...the Guest Accounts form to add a flag that to allows access code based authentication 1 Navigate to Customization Forms Views 2 In the Customize Forms Views list select create_multi and then click Edit Fields 3 In the Edit Fields list look for a field named username_auth If the field exists but is not bolded and enabled select it and click Enable Field If the field does not exist select any field ...

Page 278: ...ication field added in the procedure above If you do not select this check box and if the username is entered on the login screen the authentication will be denied The example shown below will create 10 accounts that will expire in two weeks or fours hours after the visitors first log in whichever comes first 3 Click Create Accounts to display the Finished Creating Guest Accounts page If you creat...

Page 279: ... in this section generally require a WLAN capable of MAC authentication with captive portal fallback Please refer to the Aruba WLAN documentation for setting up the controller appropriately To verify that you have the most recent MAC Authentication Plugin installed and enabled before you configure these advanced features go to Administrator Plugin Manager List Available Plugins For information on ...

Page 280: ...link for the MAC Authentication Plugin The MAC Authentication Plugin page opens Figure 32 MAC Authentication Plugin Configuration On the controller the fields look as follows Figure 33 MAC Authentication Profile Managing Devices To view the list of current MAC devices go to Guests List Devices The Guest Manager Devices page opens ...

Page 281: ...lso click an individual page number to jump directly to that page To select a device click the device you want to work with Changing a Device s Expiration Date To change a device s expiration date click the device s row in the Guest Manager Devices list then click its Change expiration link The row expands to include the Change Expiration form Table 28 Operators supported in filters Operator Meani...

Page 282: ...tes then click a day to select the date 2 If you choose any option other than will not expire or now in the Account Expiration field the Expire Action row is added to the table Use the drop down list in this row to specify one of the following actions delete delete and log out disable or disable and log out 3 Click Update Account to commit your changes Disabling and Deleting Devices To remove a de...

Page 283: ...w is added to the form Click the button to open the calendar picker In the calendar use the arrows to select the year and month click the numbers in the Time fields to increment the hours and minutes then click a day to select the date 3 Click Enable Account to commit your changes Editing a Device To edit a device s account click the device s row in the Guest Manager Devices list then click its Ed...

Page 284: ...hoose Account expires after the Expires After row is added to the form Choose an interval of hours days or weeks from the drop down list The maximum is two weeks If you choose Account Expires at a specified time the Expiration Time row is added to the form Click the button to open the calendar picker In the calendar use the arrows to select the year and month click the numbers in the Time fields t...

Page 285: ...ng template drop down list opens a print preview window and the printer dialog Options include account details receipts in various formats a session expiration alert and a sponsorship confirmation notice MAC Creation Modes MAC device accounts may be created in three ways Manually in ClearPass Guest using the Create Device form During guest self registration by a mac parameter passed in the redirec...

Page 286: ...nd click the Configuration link for the MAC Authentication Plugin 4 Choose one of the options in the Account Activation drop down list You may choose to activate the account immediately at a preset interval of hours or days at a specified time or leave the account disabled If you choose Activate at a specified time the Activation Time row is added to the form Click the button to open the calendar ...

Page 287: ...link and read the agreement then mark the check box to agree to the terms 8 To commit your changes and create the device click Create MAC The Account Details and print options are displayed For more information see Viewing and Printing Device Details Creating Devices During Guest Self Registration MAC Only This section describes how to configure a guest self registration so that it creates a MAC d...

Page 288: ...tration Paired Accounts Paired accounts is a means to create a standard visitor account with credentials but to have a MAC account created in parallel that is directly tied to the visitor account These accounts share the same role expiration and other properties This requires a vendor passing a mac parameter in the redirect URL ClearPass Guest does not support querying the controller or DHCP serve...

Page 289: ... or some form of transparent login and the application server registers the MAC for future use The device may be configured to do this automatically or you may enter the following PHP code Edit the role of your guests and add the following Attribute Tmp String 0 Value blank Condition Enter condition expression Expression return empty user mac_auth NwaDynamicLoad NwaCreateUser NwaDynamicLoad NwaNor...

Page 290: ...ems synched modify_expire_time Friday 17 00 OPTIONAL Fixed caching time Default inherits paired account create_time time initialize the creation time auto_update_account 1 empty user id NwaCreateUser array This is an external server creator_accept_terms 1 role_id user role_id Match the role to the current mac_auth 1 Flag as a MAC Device mac mac sponsor_name user username Set sponsor_name so we kno...

Page 291: ...ClearPass Guest 3 9 Deployment Guide Guest Management 291 Figure 35 RADIUS Role Editor Note that modify_expire_time supports any valid syntax of strtotime ...

Page 292: ...agram opens Click the Advanced Editor link at the lower left corner of the diagram The Customize Guest Registration form opens with several property areas displayed 2 Scroll down to the Post Authentication area On the Web Login Editor this is at the bottom of the page On the Customize Guest Registration form it is within the Login Form area of the page 3 In the Policy Manager row mark the check bo...

Page 293: ...tation Id user mac Employee AccessReject MAC Based Derivation of Role Depending on whether the MAC address matches a registered value you can also adjust which role is returned The controller must be configured with the appropriate roles and the reply attributes mapping to them as expected Edit the Value of the attribute within the role returning the role to the controller If you are on the regist...

Page 294: ...ice the Log In button should be enabled otherwise it will be disabled You may also want to add a message so visitors get some direction p if guest_receipt u username if guest_receipt u visitor_name Welcome back guest_receipt u visitor_name htmlspecialchars else Welcome back if Please accept the terms before proceeding else You need to register if p You can hide the login form by having the final l...

Page 295: ...Sessions To send SMS notifications to visitors click the SMS tab For more information see Sending Multiple SMS Alerts To include additional fields in the Active Sessions list or delete fields from it click the More Options tab The Customize View Fields page opens For more information see Editing Forms Session States A session may be in one of three possible states Active An active session is one f...

Page 296: ...sconnect causes a Disconnect Request message to be sent to the NAS for an active session requesting that the NAS terminate the session immediately The NAS should respond with a Disconnect ACK message if the session was terminated or Disconnect NAK if the session was not terminated Reauthorize causes a Disconnect Request message to be sent to the NAS for an active session This message will contain ...

Page 297: ...ose all stale sessions leave the Close Stale Sessions radio button marked and click Make Changes All stale sessions are closed and are removed from the Active Sessions list A session is considered stale after 24 hours without an accounting update indicating session traffic This is the default value and can be configured for the RADIUS server Closing All Stale Sessions and Specifying a Duration You...

Page 298: ... the elapsed session time 5 Use the Session Stop drop down list to specify how the stop time will be calculated for each session If you choose Use session start time the session will be closed when you commit your changes on this form To specify a range of time after a session s start time choose one of the options for hours day or week Sessions will be closed when that amount of time has elapsed ...

Page 299: ...radio button on the Manage Multiple Sessions form The form expands to include rows for calculating the stop time 2 In the Close Sessions row choose Select open sessions by time range from the drop down list The form expands to also include rows for selecting the range of open sessions 3 Use the Start Time row to indicate the beginning of the time range for selecting sessions To specify a time for ...

Page 300: ...er the start time Because this setting is relative to start time each session may be closed at a different time To specify a range of time that is not included in the list select the Specify another value option This adds the Session End row to the form where you can set a time interval In the Session End row enter a number value in the text box and choose the time interval from the drop down list...

Page 301: ...te If this End Time field is specified and the Start Time field is left empty all sessions that started before the specified end time are selected If this End Time field and the Start Time field are both specified all sessions that started between the start time and end time are selected 4 When your entries on the form are complete click Make Changes If you selected Disconnect Active Sessions as t...

Page 302: ...customized guest account receipt to your guest s mobile phone You are also able to use SMS Services to send an SMS from your Web browser To use the SMS features you must have the SMS Services plugin installed Configuring SMS Gateways You can configure the application to send SMS messages using the Manage SMS Gateways link on the Administrator SMS Services page The SMS Gateways window displays the ...

Page 303: ...e configuration options for that gateway type and the Service Method row includes the GET and POST options When you select the POST option the HTTP Headers and HTTP Post rows are added You can use the text fields in these rows to override HTTP headers and enter the text to post If needed for custom SMS handlers you can specify that the message format should be converted to hex encoded UTF 16 Unico...

Page 304: ...e instead The second part of the form includes the Connection Settings Debug Credits and Test SMS Settings areas Complete the fields with the appropriate information then click either Send Test Message or Save and Close The new configuration settings will take effect immediately Sending an SMS You are able to send an SMS if the system has been configured to allow this by clicking the Send SMS comm...

Page 305: ...determined by looking up all local operators with the special IT Administrators operator profile and using any configured email address for those operators Up to three messages will be sent A low credit warning is sent once the Credits Available value reaches the warning threshold the default value is 50 A second low credit warning is sent once the Credits Available value reaches half the warning ...

Page 306: ... which you want to send a receipt then click the Send SMS receipt link displayed on the guest account receipt page When using guest self registration SMS Delivery options are available for the receipt page actions See Editing SMS Delivery of Guest Receipts in this chapter for full details SMS Receipt Options The SMS Services plugin configuration allows you to configure options related to SMS recei...

Page 307: ...S Receipt Select the print template to be used when an SMS receipt is created The print template used for the receipt must be in plain text format Phone Number Field Select which guest account field contains the guest s mobile telephone number This field is used to determine the SMS recipient address ...

Page 308: ...wn list and select one of the following options Use the visitors value When you select this option the SMS gateway will always send the SMS message using the phone number and country code entered by the visitor Always include the country code When you select this option the SMS gateway will always send the SMS message using the global country code and default phone number length specified in the D...

Page 309: ...r the SMS service provider If blank or unset the default value from the SMS plugin configuration is used sms_template_id This field specifies the print template ID for the SMS receipt If blank or unset the default value from the SMS plugin configuration is used sms_phone_field This field specifies the name of the field that contains the visitor s phone number If blank or unset the default value fr...

Page 310: ...d plain text print template and send it to the specified phone number SMTP Services With SMTP Services you can configure ClearPass Guest to send customized guest account receipts to visitors and sponsors by email Email receipts may be sent in plain text or HTML format As of SMTP Services 2 1 0 you may also send email receipts using any of the installed skins to provide a look and feel To use the e...

Page 311: ...r s email address Auto send guest receipts by email with a special field set If the Auto Send Field is set to a non empty string or a non zero value an email receipt will be generated and sent to the visitor s email address The auto send field can be used to create an opt in facility for guests Use a check box for the auto_send_sms field and add it to the create_user form or a guest self registrat...

Page 312: ... used and the email will be sent in plain text format Use this option to remove all formatting from the email No skin HTML only A skin is not used but the email will be sent in HTML format Use this option to provide a basic level of formatting in the email No skin Native receipt format A skin is not used The email will be sent in either plain text or HTML format depending on the type of print temp...

Page 313: ...page continued Check Enable warnings if you to send an alert sent when the session is about to be logged out Enter the exact text that you want to appear as the alert in the Subject Line field You can set the time for warnings using the Guest Manager customization page See Guest Manager Customization Check Allow the reply to address to be overridden per operator if you want the reply to address to...

Page 314: ...p_auto_send_field This field specifies the name of the field that contains the auto send flag If blank or unset the default value from the email receipt configuration is used Additionally the special values _Disabled and _Enabled may be used to never send email or always send email respectively smtp_cc_list This field specifies a list of additional email addresses that will receive a copy of the v...

Page 315: ...t receive a copy of the visitor account receipt under Logout Warnings on the email receipt If the value is default the default carbon copy list under Logout Warnings from the email receipt configuration is used smtp_warn_before_cc_action This field overrides how copies are sent as indicated under Logout Warnings on the email receipt to send copies of email receipts It may be one of never always_cc...

Page 316: ...316 Guest Management ClearPass Guest 3 9 Deployment Guide ...

Page 317: ...k utilization This report calculates the average link utilization for all accounting traffic in the selected period Average session time per day This report calculates the average elapsed time for each session in the selected period Average traffic volume per session This report calculates the average amount of data traffic for each session in the selected time period Average traffic volume per us...

Page 318: ...he View HTML link This opens a window with the report s name date generated and date range A graph is displayed in your default graph style The data for the graph is displayed below the graph in table format If you initially selected to run the report in a number of formats you will also have these options listed for example View Text and View CSV Report History Clicking the History link opens the...

Page 319: ...rt Options form Click the Run Report button to generate the report using the selected parameters A progress window will appear as the report is generated and then the report will be displayed automatically To print the report click the Print icon in your Web browser Edit a report You can edit any of the predefined reports Clicking the Edit link opens the Report Editor window See Components of the ...

Page 320: ...layed if the current operator has the Object Permissions privilege This privilege is located in the Administrator group of privileges The permissions defined on this page apply to the report identified in the Object line The owner profile always has full access to the report To control access to this report by other entities add or modify the entries in the Access list To add an entry to the list ...

Page 321: ...le in the list and may be duplicated and edited The report cannot be deleted and the permissions for the report cannot be modified Update and delete access the report is visible in the list and may be edited or deleted The permissions for the report cannot be modified Full access ownership the report is visible in the list and may be edited or deleted Permissions can be changed when you have Full ...

Page 322: ...to export If you select the Download file option clicking the Export Reports button will download the selected report definitions to your Web browser Otherwise if the View in browser option is selected the selected report definitions will be displayed as text This allows you to copy and paste report definitions to another application Only the report definition will be exported The report definitio...

Page 323: ...ed Use the check boxes to select the reports to import and click the Import Reports button to create new reports Importing a report that already exists will replace the existing report definition Resetting Report Definitions Report definitions may be individually reset to the factory defaults Use this option if you have modified a report and it is no longer functioning correctly or if you have acc...

Page 324: ...Filters in this chapter is used to restrict which data is included in the report In some reports data is classified and grouped into Bins and Groups Classification Groups Using these classification groups allows for summary information to be calculated Statistics and Metrics in this chapter The result of the report is one or more Output Series Output Series in this chapter which can contain data f...

Page 325: ...nto a date is a bin classification because all time measurements that are made on any particular date will fall into the same bin when this classification is applied Binning can only be applied to numerical values such as time measurements traffic measurements or the duration of a user s session where the range of possible values is potentially unlimited Classifying into bins is achieved by calcul...

Page 326: ...lue for east of GMT and a negative value for west of GMT the value is negated Groups Grouping is a classification method that applies to discrete values For example collecting together data records that have the same username is a group classification Some time measurements can be grouped for example grouping all time measurements based on the hour of the day or day of the week is a group classifi...

Page 327: ...epresents a different date and the source data is a traffic measurement then the statistic here could be the total amount of traffic per day See Figure 44 Figure 44 Reporting Bin statistics without groups The next figure shows statistics calculated per group when both bins and groups are present For example if each bin represents a different date the source data is a traffic measurement and the gr...

Page 328: ...328 Report Management ClearPass Guest 3 9 Deployment Guide Figure 46 Components of the Report Editor Report Type ...

Page 329: ...ort run The value of a parameter may be obtained from the operator as input before running the report or may be a fixed internal value that is set by the report designer A report parameter can be used in many places throughout the report including In an expression used to calculate the value of a derived field As a value used in a source filter range match or list As a value used in data classific...

Page 330: ...meter or text if the parameter is blank or not set if parameter true else false if Substitutes the word true or false depending on the value of the parameter To create a parameter click the Create Parameter tab at the top of the Edit Parameters list view The Create Parameter form will be displayed Parameters share the same namespace as the other types of field within the report source fields deriv...

Page 331: ...he report is run Otherwise if another type of user interface element is selected clicking the Run icon link from the list of reports will display a Run Options form that includes an additional user interface element that corresponds to the parameter In this way the value for a parameter may be selected by the operator before the report is generated For example to generate a report with information...

Page 332: ...s See Form Validation Properties for form validation properties or Advanced Form Field Properties for advanced properties Data Source You must select a data source for the report using the Select Data Source form You should also select the fields that are required by the report Different fields will be displayed depending on which data source has been selected See Data Sources in this chapter for ...

Page 333: ...rt is constructed You should add source fields for any item of data on which you want to filter any items that must be aggregated or grouped together or any item over which statistics are to be calculated Source fields are of two kinds Data source fields are individual items of data taken from the data source for the report This is the smallest fundamental unit of data available in the report Deri...

Page 334: ...er If you select a field from the Data Source Field drop down list that field name is automatically placed in the Field Name area It can be changed if you want As derived fields do not exist in the Data Source you will need to give each field a unique name You are also required to give the field a value This can be by calculating a value using a PHP expression entered in the Field Expression box ...

Page 335: ... report to be easily specified when a report is run for example by selecting the last month option for the report range When running a report you can also select specific date and time values for the start and end of the report which will become the minimum and maximum values for the first source filter You should ensure that the first source filter is applied to a time field in order to maintain ...

Page 336: ...filter The Edit link allows you to alter the options for the source filter as well as being able to disable the filter Click the Save Changes button to keep any changes you have made The Insert After link allows you to create additional filters You are required to select a field from the Source Field drop down list This displays a list of the fields that you previously created in the Data Source o...

Page 337: ...he report subdividing it into various groups of related data and then analyzing the groups using statistics and graphs to identify the desired features Classification groups perform the task of grouping related input data into sets which makes it possible to calculate statistics over the items of interest There are two types of classification groups Bins are classification methods that convert a c...

Page 338: ...lusive of the endpoints of the range The bin offset is used to account for time zones See Binning Example Time Measurements in this chapter for a description Discrete bins from value of source field See Data Sources in this chapter for a bin classification description The bin classification method applies the bin number formula described in the to the value of the source field to calculate a bin n...

Page 339: ...1 pm This is used as the group number which collects together all data records that have the same hour of the day Time measurement group by month of the year This group classification uses the specified date time field to calculate the month of the year from 1 to 12 where 1 is January and 12 is December This is used as the group number which collects together all data records that have the same mo...

Page 340: ...mmon property that each value shares Indicates the structure of the classification group What is the underlying data that is being summarized Indicates the type of statistic or metric and the source fields to consider How is the metric calculated from the underlying data Indicates the metric expression or statistic computation method To create a statistic or a metric click the Create Statistic tab...

Page 341: ...alues of the source field over the selected classification group is calculated The form is slightly different if you select to create a metric The Field Type parameter must be changed to Computed metric and the Field Name must be unique You should select what data the metric is to be calculated over in the Calculate Across field The type of metric can be one of Add value 1 value 2 the values are a...

Page 342: ...ch output series one item in the series is generated for each item in the selected dimension of the report For example the report might define a group which contains sets of related input records this group is a dimension of the report A statistic can be defined in that dimension that is computed for each group across all of the input data in each set An output series for that dimension can includ...

Page 343: ...re not available for the selected output series dimension or because they have been deleted from the report definition The order in which you select output fields is significant because table and chart presentation blocks will display the fields of an output series in order You may reorder the fields by using the Move Up and Move Down links To insert a new field into the output series select an ex...

Page 344: ...report to determine whether a particular item will be included in the output of the report The presentation blocks of the report can only include the output data that has passed through the output filters You should define output filters to specify what parts of the output data you are interested in looking at You can also define output filters to specify what output data should be excluded from t...

Page 345: ...ypes of output filter that are available are the same as used in the source filters See Source Filters in this chapter for details about the types of filter that are available The Match Rule allows you to construct more complex filtering rules You can choose from the following matching rules Include item if filter matches If the filter matches the item in the output series the item will be include...

Page 346: ...ext presentations are blocks of text included in the report You may insert the values of metrics or perform custom processing to include the output data from the report in the text For details See Text Presentations in this chapter Presentation blocks are included in the final report in the order they are defined Chart Presentations A chart presentation block displays the values of an output serie...

Page 347: ...should be applied to the table The table may be displayed in one of two ways Assuming the output series dimension covers three values A B and C the default table layout will displays the output series fields organized by columns If you select the Transpose table check box the columns and rows will be interchanged which results in the following layout Transposed tables are recommended if the output...

Page 348: ...k creates a basic data report for the specified time range and for the specified data fields The report editor may then be used to further customize the report by defining new filters classification groups and output series Table 32 Template Variables Variable Description _data Data store for this report instance See Report Preview with Debugging in this chapter for information about the structure...

Page 349: ...you clicked the Data Source option in the Report Editor See Data Sources in this chapter for more details about this form When you are first creating a report the fields you select here will be used to automatically construct an output series in the report The output series will be for the Data dimension of the report and will include all the fields selected in step 2 This allows you to create sim...

Page 350: ...Report Editor The Bin classification needs to be changed from days to weeks This is done by clicking on the Bin and then clicking the Edit button 6 The Classification method should be changed to Time measurement bin by weeks The Bin Offset may be changed to suit your time zone See Binning Example Time Measurements in this chapter for more information 7 Click the Save Changes button 8 Click the Bac...

Page 351: ... create a new report without it being based on an existing report click Create New Report 2 You must give the report a Title For this report Today s Sessions would be an appropriate name 3 Enable the report by marking the Enabled check box 4 Ensure that the Date Range is Today and select an Output Format These changes are shown in the screen below 5 Click the Continue button to move to Step 2 ...

Page 352: ... report the fields are shown in the screen below These are the fields of interest for the report 7 Click the Save Changes button to have the report created The Report Editor screen is displayed 8 If you click the Final Report option in the Report Editor you can see the report as it is after these two steps ...

Page 353: ...k the Duplicate link This creates a copy of the report which will be titled Copy of Average Traffic Volume per User 3 Click the Copy of Average Traffic Volume per User report 4 Click the Edit link to open the Report Editor 5 Click Report Type in the Report Editor You need to change the name of the report and its description The new report will be called Average traffic volume per NAS 6 Click the S...

Page 354: ... report the average_bytes field must be updated to refer to the total_nas field instead Click the average_bytes field and then click the Edit link Change Value 2 to total_nas 14 Click the Save Changes button 15 Click the Back to report editor link to return to the Report Editor 16 Click Output Series in the Report Editor Select Series 1 The description should be changed Click the Edit link and the...

Page 355: ...e data store so if you are not getting the results you expect from the report this could be because the data store either does not contain the right data or does not contain the right classification groups Examining the data store will help you find the cause of the problem No Classification Groups When there are no classification groups the report data store is a simple list of the source data ar...

Page 356: ...ble to do this filtering Use only one classification group Multiple bin and group classification groups can be defined but this can complicate the report s structure unnecessarily To build an easily understood and maintainable report stick to a single classification bin or group or the combination of a single bin with a single group Remove unnecessary fields Each record from the data source will h...

Page 357: ...inistrator navigation menu to jump directly to any of the system administration features Network Setup The Network Setup command allows you to configure the system s network interfaces and other related network parameters To access network setup and configuration tasks choose Administrator Network Setup in the left menu A summary of the system s current network configuration is displayed on the Ne...

Page 358: ...learPass Profiler and Policy Manager servers To configure integration with ClearPass servers 1 Go to Administrator Network Setup ClearPass The Manage ClearPass Servers form opens 2 To configure integration with ClearPass Policy Manager mark the Enable Policy Manager check box The form expands to include options for specifying the Policy Manager hostname username and password ...

Page 359: ...figure integration with ClearPass Profiler mark the Enable Profiling check box The form expands to include options for sending device error event and profile interval information as well as the hostname username and password for the primary and secondary Profiler servers ...

Page 360: ...automatic network connectivity test determines the current status of the network and the results of the diagnostic are displayed The problems that can be detected with this built in diagnostic include No default gateway set Default gateway is not responding to ICMP echo request DNS name resolution is not available System services need to be restarted to verify DNS HTTP proxy access is not availabl...

Page 361: ...ails and configure settings for the system s network interfaces You can enable and disable network interfaces change the IP address static routing or other configuration items for an interface and add or remove new network interfaces To open this page choose Administrator Network Setup Network Interfaces The icons for each network interface indicate its state Down Network interface is disabled Up ...

Page 362: ...essing and other properties of the network interface To change the configuration of a network interface choose Administrator Network Setup Network Interfaces to display the Network Interfaces List Click the network interface s row in the list then click the Edit command The row expands to provide configuration options Use the Configuration drop down list to select the IP address configuration meth...

Page 363: ...rnet uses a MTU of 1500 bytes you may find it necessary to reduce the MTU slightly in some network topologies ClearPass Guest uses a default MTU of 1476 bytes unless otherwise specified in this form The Ethernet Settings field specifies the physical layer link parameters to use for this network interface You may select one of the following Automatic uses link auto negotiation to determine the best...

Page 364: ...ddress is configured Click the Continue button to apply the new network settings If the appliance s IP address has changed you will be automatically redirected to the new IP address If the computer you are using to configure the appliance does not have suitable network settings to access the new IP address the redirect will fail You can update your computer s network settings and then click the Re...

Page 365: ...dd the route Changes made to the routing table entries are applied immediately To manage existing routing entries click the entry in the table The Edit link may be used to modify the settings for a routing entry Click Delete to remove a routing entry Click Test Gateway to verify that the gateway IP address is reachable via an ICMP ping Creating a Tunnel Network Interface ClearPass Guest supports c...

Page 366: ...ue is supplied which may be used without modification A Display Name may be specified to identify the connection in the list of network interfaces The IP address settings for the GRE tunnel must be specified in order for it to be created successfully Select the Enable this interface check box to activate the tunnel interface immediately after it has been created Click the Create Interface button t...

Page 367: ...n to create a new network interface with the corresponding VLAN identifier Your network infrastructure must support tagged 802 1Q packets on the physical interface selected VLAN ID 1 is often reserved for use by certain network management components avoid using this ID unless you know it will not conflict with a VLAN already defined in your network Managing VLAN Interfaces After creating a VLAN in...

Page 368: ...Cycle Disables and re enables the VLAN interface This operation may be used to renew a DHCP lease Creating a Secondary Network Interface A secondary network interface is a secondary IP address assigned to a physical network interface The secondary network interface is displayed as a separate logical network interface From the Network Interfaces page click the Create a secondary network interface l...

Page 369: ...etwork Login Access form To access this form navigate to Administrator Network Setup then click the Network Login Access command link The login access rules that have been defined will only apply to the components of the system that require an operator login Guest specific pages that do not require an operator login are not affected by any allow deny rules and are always available regardless of th...

Page 370: ...matches any of the entries in the Denied Access list This behavior is equivalent to adding the entry 0 0 0 0 0 to the Allowed Access list If the Denied Access list is empty only clients with an IP address that matches one of the entries in the Allowed Access list will be allowed access This behavior is equivalent to adding the entry 0 0 0 0 0 to the Denied Access list For example assuming that vis...

Page 371: ...dresses Interface State Displays a summary of all network interfaces and the internal state of each interface Netstat Displays a list of currently open TCP and UDP sockets Network Kernel Parameters Displays a list of system configuration settings related to networking If required these settings can be changed using the system configuration parameters sysctl editor See Changing Network Security Set...

Page 372: ...configured for the system Traceroute Enter a hostname or IP address to determine the route that packets traverse to that host The test may take a considerable amount of time 30 seconds or more depending on network conditions Network Diagnostics Packet Capturing The Packet Capture network diagnostic can be used to capture network traffic for in depth debugging of network issues To access the Networ...

Page 373: ...he maximum size of a packet capture is 100 000 packets You can enter network addresses in the Source IP and Destination IP fields by using an IP address and a network address length for example 192 168 2 0 24 Click the Capture button to begin the packet capture operation While packet capturing is in effect the status of the packet capture is displayed as part of the Network Diagnostics form ...

Page 374: ...ers if required and click the Capture button Network Hosts The built in hosts file may be edited to make resolving hostnames easier in certain situations or to work around DNS issues that may be present in a complex network To manage and view the current host configuration click the Network Hosts command link on the Administrator Network Setup page The hosts file is a simple text file that associa...

Page 375: ...tails should be entered on this form To manage and view the current HTTP Proxy configuration click the HTTP Proxy command link on the Administrator Network Setup page Common port numbers for HTTP proxy access are 3128 and 8080 These port numbers can be specified in the Proxy URL For example http 192 168 88 30 3128 is a valid proxy URL with a port specification The default port is 80 if not otherwi...

Page 376: ...ported MIBs in this chapter for a list of supported MIBs To restrict access to the SNMP server a list of IP address and networks may be provided from which SNMP access will be permitted Network addresses may be specified using either a network prefix length for example 1 2 3 4 24 or a network mask for example 1 2 3 4 255 255 255 0 If the Allowed Access field is left blank all IP addresses will be ...

Page 377: ...t whether encryption should be used Traps are notification messages sent when certain conditions are reached A trap server and community string may be provided Currently there are no defined SNMP trap messages Click the Save Changes button to apply the new SNMP server settings The settings will take effect immediately Supported MIBs The SNMP server currently supports the following MIBs DISMAN EVEN...

Page 378: ...mand link on the Administrator Network Setup page See SMTP Services in the Guest Management chapter for additional configuration options for SMTP services The built in Sendmail mail transfer agent may be used to deliver email directly This option requires that the server have outbound internet access using port 25 Alternatively you may configure an outbound mail server to which messages will be de...

Page 379: ...anage and view SSL certificates click the SSL Certificate Setup command link on the Administrator Network Setup page If you already have a valid digital certificate for this server it may be uploaded and used directly The SSL Certificate Install command is used to do this See SSL Certificate in this chapter for details If you do not have a digital certificate you must first create a certificate si...

Page 380: ...k to download a csr file to your browser This file should be sent to your certificate authority to be signed and converted into a digital certificate Some certificate authorities will also request the type of server that the certificate is to be used for or will make the certificate available in several different formats You should choose a certificate for the Apache Web server Changing the SSL ce...

Page 381: ...ertificate is optional but is typically required for many public certificate authorities The reason for this is that the certificate authority s root certificate is not used to sign your certificate directly rather the root certificate is used to issue one or more intermediate certificates which are then used to sign the issued certificates Your certificate authority will provide this certificate ...

Page 382: ...the Current SSL Certificate After a certificate has been installed either a self signed certificate created with the certificate signing request or a certificate issued by a certification authority you may use the SSL Certificate Details link on the Adminstrator Network Setup page to display detailed information about the certificate The SSL Certificate form displays details about the certificate ...

Page 383: ... restored in case of hardware failure or an unintended change to the configuration Backing Up Appliance Configuration The Configuration Ba ckup command allows you to back up the current configuration of ClearPass Guest You can do either a complete backup default or a custom backup The complete backup does not require any input from you unless you want to alter the backup filename Click the Downloa...

Page 384: ... up 3 Partial complete backup Both the down arrow and tick marks are highlighted The components of the area are displayed and any that have not been specifically marked for no backup will be changed to a complete backup 4 Partial no backup Both the down arrow and cross marks are highlighted The components of the area are displayed and any that have not been specifically marked for a complete backu...

Page 385: ...e backup filename will be backup 20080101 123456 dat The target URL specifies where the automatic backups are stored The following URL schemes are supported FTP Use the syntax ftp user password example com path to backups FTP over SSL Use the syntax ftps user password example com path to backups SMB Use the syntax smb user password server share path to backups Additional protocol specific options ...

Page 386: ...r is able to accept backup files Click the Run Backup Now button to run the scheduled backup immediately A progress window is displayed as the backup is run Click the Save and Close button to save the new backup schedule and return to the Backup Restore page Restoring a Backup To restore a backup click the Configuration Restore command link on the Administrator Backup Restore page This procedure h...

Page 387: ... found during the system restore a diagnostic message will be displayed indicating the error More details about the error will be available in the application log One or more warning messages will be displayed if there is a difference in software version numbers between the system at the time of the backup and the restore system This warning is issued because the software version number cannot be ...

Page 388: ...ld be accessed using a URL such as http 192 168 88 88 public logo jpg Uploading Content You are able to add a new content item using your Web browser by clicking the Upload New Content tab The Add Content form will be displayed You can upload single content files multiple content asset files and folders or a Web deployment archive To upload multiple assets first compress the files as a tarball or ...

Page 389: ...item s filename and description Read only properties include the content type modification time file size and other content specific properties such as the image s size You are able to delete the content item using the Delete link You will be asked to confirm the deletion You can rename the content item using the Rename link Click the Download link to save a copy of the content item using your Web...

Page 390: ...pply the changes To disable a security check and prevent it from reappearing in future security audits click the Disable Check icon link If you have taken steps to correct a security problem a message can be marked as resolved by clicking the Mark as Resolved link When this is done the status of the message will change to Resolved Marking a message as Resolved does not disable the corresponding se...

Page 391: ...abled for operators See Creating a VLAN Interface in this chapter for details on configuring the access control list for operators Resetting the Root Password The root password is required to log into the appliance s console user interface either directly at the console or remotely via SSH See Console Login in the Setup Guide chapter for an explanation The default root password for the appliance i...

Page 392: ... The server s operating system software is automatically maintained by the Plugin Manager You can check for and install software updates using the process See Adding or Updating New Plugins in this chapter for details In some situations manual OS updates may be required Click the Manual OS Updates link to perform manual system maintenance tasks Manual Operating System Updates Use the Check For Sys...

Page 393: ... The Available Plugins page is displayed Plugins are listed by category and include Standard application plugins Provide corresponding functionality for interactive use by operators Kernel plugins Provide the basic framework for the application License plugins Authorize access to features of the application Operator plugins Conrol access to the Web application Skin plugins Provide the style for th...

Page 394: ...d be for the Hotspot Plugin Viewing Available Plugins Plugins are the software components that fit together to make your Web application The Available Plugins list shows all the plugins currently included in your application and lets you manage them Depending on the plugin options in the list let you view details configure enable or disable or remove the plugin To view the list of available plugin...

Page 395: ...from a file provided to you by email If your new plugin was emailed to you as a file navigate to Administrator Plugin Manager Add New Plugin On the Add New Plugin page choose the Add Plugin from File command then browse to the file to upload it The Add New Plugin page also provides the option to choose the internet download method To upload plugins or updates from the internet navigate to Administ...

Page 396: ...mand The Check for Plugin Updates page opens You can use the Plugin Updates form on this page to specify how often you want to be notified of plugin updates The notification frequency may be set to daily weekly monthly or disabled the default When new updates are available the following notification message is displayed at the top of the page This message is only displayed to administrators Config...

Page 397: ...apter Operating System See Security Manager in this chapter RADIUS Services See Server Configuration in the RADIUS Services chapter Aruba ClearPass Skin See Configuring the Aruba ClearPass Skin Plugin in this chapter Guest Manager See Default Settings for Account Creation in the Guest Management chapter SMS Services See Sending an SMS in the Guest Management chapter SMTP Services See SMTP Services...

Page 398: ...re default configuration link below the form A message alerts you that the change cannot be undone and a comparison of the current and default settings highlights the changes that will be made 5 Review the differences between the current settings and the default configuration To commit the change to the default settings click the Restore Default Configuration link Configuring the Aruba ClearPass S...

Page 399: ... ClearPass skin navigate to it in the Available Plugins list and click its Enable link The default skin is displayed on all visitor pages and on the login page if no other skin is specified for it However you can override this for a particular operator profile an individual operator or give the login page a different appearance than the rest of the application You can also specify a skin for guest...

Page 400: ... you use an NTP server that is available on your local network This will improve timekeeping and will eliminate the need for additional Internet traffic for the time server To use a public NTP server enter the following hostnames 0 pool ntp org 1 pool ntp org 2 pool ntp org You can also use NTP pool servers located in your region For more information refer to the NTP Pool Project Web site http www...

Page 401: ...settings will not take effect until the system is rebooted For this reason it is recommended that you always reboot after modifying any of these parameters System Log Configuration The System Log Configuration form allows you to modify options related to locally stored system log files including the HTTP access log HTTP error log and the general purpose system message log You can also define a rem...

Page 402: ...y page opens Log files are rotated and expired logs are cleared according to the database maintenance schedule you define See Managing Data Retention Log Collector Storing Incoming Syslog Messages Your ClearPass Guest server can also act as a syslog server To configure the ClearPass Guest server to receive syslog messages sent by remote hosts in the network mark the check box in the Log Collector ...

Page 403: ...ult option None Do not send application log messages to syslog stores all application generated messages in the separate application log If you select a specific syslog facility the minimum priority level for the corresponding syslog facility determines whether the syslog message is forwarded to the remote collector For details on defining a database maintenance schedule See Changing Database Conf...

Page 404: ... been defined messages that match the rules defined in this form will be sent to the specified syslog server The following priority levels are defined in the syslog protocol which is fully specified in RFC 3164 Click the Save Changes button to apply the new system log parameters The changes will take effect immediately Managing Data Retention The Data Retention Policy page Administrator System Con...

Page 405: ...ed how many weeks you want log files kept before they are deleted You can specify how many weeks a guest account persists after the account is disabled in the Guest Accounts field For mobile device certificates select the minimum delay in weeks required before an expired certificate or rejected request can be deleted The maximum period is the number of weeks after which an expired certificate is a...

Page 406: ...t field that accepts multiple name value pairs You can also add comments by entering lines starting with a character The Database Maintenance of this form allows you to adjust the time or times at which the system will run maintenance tasks and remove expired log files You should adjust the maintenance schedule to coincide with those times when your system is least in use A periodic maintenance sc...

Page 407: ...ize may be increased to allow larger content items to be uploaded or larger backup files to be restored Use the Enable zlib output compression check box to compress output sent to the Web server This option may provide faster loading pages particularly on slow networks but may also increase the CPU load on the server Click the Save Changes button to apply the new Web application configuration para...

Page 408: ... HTTP connections also known as pipelining may be enabled using the Enable persistent HTTP connections check box This feature is only supported for HTTP 1 1 compliant clients Click the Save Changes button to apply the new Web server configuration parameters Changing the parameters requires the Web server to be restarted which will be performed immediately Other users of the system may find the sys...

Page 409: ...an be downloaded for support purposes Adding Disk Space Storage capacity can be increased on VMware based deployments To increase available storage click the Add Space option on the System Information screen TheAdding Disk Space screen appears Follow instructions on this page ...

Page 410: ...410 Administrator Tasks ClearPass Guest 3 9 Deployment Guide ...

Page 411: ...lugins you have installed additional message sources may also be included in the system log viewer The information shown in the table is a summary of the log message Click a log entry in the table to view the details of the log message Use the paging control at the bottom of the list to jump forwards or backwards by one page or to the first or last page of the list You can also click an individual...

Page 412: ...he timestamp source level and message The details follow on lines that start with a space 2010 10 04 14 15 31 10 ClearPass Guest info Guest account created for 98084707 XML document xml the exported data is contained within the system logs element s records element Use the Range option and the Download Limit field to specify whether the current page or all matching log messages are included in the...

Page 413: ...records using the form displayed when you click the Search tab Click the Reset Form button to clear the search and return to displaying all records in the log Exporting the Application Log Use the Export tab to save the log in other formats including HTML text CSV TSV and XML You can select options to print email or download the data ...

Page 414: ...414 Administrator Tasks ClearPass Guest 3 9 Deployment Guide ...

Page 415: ...y a captive portal to the login page Existing customers may log in with their Hotspot username and password to start browsing New customers click the Hotspot Sign up link On page 1 the customer selects one of the Hotspot plans you have created On page 2 the customer enters their personal details including credit card information if purchasing access The customer s transaction is processed and if a...

Page 416: ...ng by navigating to Customization Hotspot Manager and selecting the Manage Hotspot Sign up command This allows you to change user interface options and set global preferences for the self provisioning of visitor accounts The Enable visitor access self provisioning check box must be ticked for self provisioning to be available ...

Page 417: ... However in this situation the MAC address of the customer will not be available and no automatic redirection to the customer s home page will be made You may want to recommend to your customers that JavaScript be enabled for best results Look and Feel The skin of a Web site is its external look and feel It can be thought of as a container that holds the application its style sheet font size and c...

Page 418: ...the application Plans that you have enabled have their name in bold with the following icon Plans that have not been enabled do not have names in bold and their icon is a little different You are able to edit these plans delete these plans as well as add your own plans Once a plan has been deleted it is not possible to undo the deletion Modifying an Existing Plan Click the Edit link next to a plan...

Page 419: ... Hotspot visitors See Format Picture String Symbols in the Reference chapter for a list of the special characters that may be used in the Generated Username and Generated Password format strings Managing Transaction Processors Your hotspot plan must also identify the transaction processing gateway used to process credit card payments ClearPass Guest supports plugins for the following transaction p...

Page 420: ...ansaction processor list When you select an individual processors in the list the list displays a menu that allows you to perform the following actions Edit changes the properties of the specified transaction processor Delete removes the processor from the Transaction Processors list Duplicate creates a copy of a transaction processor Show Usage opens a window in the Transaction Processors list th...

Page 421: ...about basic HTML syntax You are able to use Smarty functions on this page See Smarty Template Syntax in the Reference chapter for further information on these You are able to insert content items such as logos or prepared text See Customizing Self Provisioned Access in the Guest Management chapter for details on how to do this Click the Save Changes button after you have entered all the required d...

Page 422: ... able to give this page a title some introductory text and a footer The Introduction and the Footer are HTML text that may use template syntax See Smarty Template Syntax in the Reference chapter Customize Page Two On page 2 you can make changes to the content displayed when the customer enters their personal details including credit card information if purchasing access The progress of the user s ...

Page 423: ...ClearPass Guest 3 9 Deployment Guide Hotspot Manager 423 ...

Page 424: ...arty Template Syntax in the Reference chapter for details about the template syntax you may use to format the content on this page View Hotspot User Interface The Hotspot manager allows you to view and test Hotspot self provisioning pages as well as log in to and view the Hotspot self service portal that allows customers to view their current account expiration date purchase time extensions log ou...

Page 425: ... need to recover a failed cluster Accessing High Availability Use the High Availability command link available from the Administrator start page to access the clustering and replication features Alternatively use the High Availability navigation menu to jump directly to any of the high availability features About High Availability Systems Terminology Concepts A cluster consists of a primary node a...

Page 426: ...work architecture for a high availability cluster Figure 50 Network architecture of high availability cluster The key points to note about this architecture are The RADIUS and Web server protocols HTTP and HTTPS are supported by the cluster The cluster has three IP addresses each node has its own IP address and there is a virtual IP address for the cluster which will always be assigned to the prim...

Page 427: ...e Detection Failure detection is accomplished using a keep alive test The primary and secondary nodes verify that each is able to communicate with the other node by sending network requests and answering with a response This takes place at the Keep Alive Rate specified in the cluster configuration which by default is once every 2 seconds If several consecutive keep alive tests have failed the clus...

Page 428: ...r Fields defined in Guest Manager See Customization of Fields in the Guest Managment chapter Forms and views defined in Guest Manager See Customization of Forms and Views in the Guest Managment chapter Guest self registration pages See Customizing Self Provisioned Access in the Guest Managment chapter Instances of reports that have previously been run See Report History in the Report Management ch...

Page 429: ...has been offline for the downtime threshold which is 30 seconds by default Once failover has occurred the cluster status will be displayed on the secondary node as The secondary node has taken over the cluster services because the primary node is down In the failover state the secondary node will assume control of the cluster and will take over the cluster s IP address This will restore network se...

Page 430: ...ess Cluster Status The current status of the cluster is shown at the top of each page that is related to High Availability Services for an explanation of each possible status and the recommended action to take if any Table 36 Cluster Status Descriptions Status Description This system is not part of a high availability cluster To create a new cluster and make this server the primary node use the Cr...

Page 431: ...automatically If the secondary node needs to be replaced the cluster must be rebuilt See Recovering From a Hardware Failure in this chapter The secondary node is running but the primary node is down or stopped The primary is no longer available Check the Remote Status on the secondary node to determine the cause of the problem The cluster IP address is inaccessible and network services are unavail...

Page 432: ...es an IPv4 multicast address and port number By default these values are 226 94 1 1 on UDP port 4000 If this address and port combination overlaps an existing solution on your network you can adjust them when initializing the cluster configuration If this multicast address is already in use the cluster initialization will not work and you will need to choose a different address Click the Advanced ...

Page 433: ...eriod Hostname parameters are as follows Each component of the hostname must not exceed 63 characters The total length of the hostname must not exceed 255 characters Only letters numbers and the hyphen and period characters are allowed Hostnames may start with numbers and may contain only numbers You can select a single virtual IP address by entering one IP address in the Virtual IP Address field ...

Page 434: ... the Join Cluster command link Use the Cluster Configuration form to enter the shared secret for the cluster and the IP address of the primary node Click the Prepare Node button to save and verify the settings for the secondary node Cluster Initialization To complete the setup of the cluster return to the primary node after preparing the secondary node and click the Confirm Node Settings button Ea...

Page 435: ... clients should be configured with the cluster IP address Operators should use the cluster s IP address when provisioning guest accounts Configure NAS devices to redirect visitors to the cluster s IP address for Web login pages Only the IP address in the redirection URL should be changed the remainder of the redirection URL should not be altered The network administrator should use the node IP add...

Page 436: ... procedure to repair the cluster and return to a normal operating state 1 This procedure assumes that the primary node has experienced a temporary outage and the cluster has failed over to the secondary node 2 Ensure that the primary node and the secondary node are both online 3 Log into the secondary node Due to failover this node will be assigned the cluster s virtual IP address 4 Click Cluster ...

Page 437: ... replacement primary node 3 Ensure that the replacement primary node and the secondary node are both online 4 Log into the secondary node Due to failover this node will be assigned the cluster s virtual IP address 5 Click Cluster Maintenance and then click the Destroy Cluster command link 6 A progress meter is displayed while the cluster is destroyed The virtual IP address of the cluster will be u...

Page 438: ...Log into the current secondary node of the cluster 2 Click Cluster Maintenance and then click the Swap Primary Server command link 3 A progress meter is displayed while the primary node is switched The cluster s virtual IP address will be temporarily unavailable while the swap takes place 4 The swap is complete The secondary node is now the new primary node for the cluster The cluster is back in a...

Page 439: ...mary Server command to make the secondary node the new primary node or you can cause the cluster to failover to the secondary by disconnecting the primary node Brief network outages are permissible and will not cause failover provided that the network outage is shorter than the downtime threshold of the cluster During a failover from the primary to the secondary node the network services provided ...

Page 440: ...440 High Availability Services ClearPass Guest 3 9 Deployment Guide ...

Page 441: ...ngle brackets with a forward slash for example p Use the following standard HTML tags in customization Table 38 Standard HTML Tags Item HTML Syntax Basic Content Heading level 1 h1 Main Heading h1 Heading level 2 h2 Subheading h2 Heading level 3 h3 Section heading h3 Regular paragraph text p Paragraph text p Line break br br equivalent syntax XHTML Bullet list ul li List item text li ul Numbered l...

Page 442: ...le Uses CSS formatting div div class Uses predefined style div Hypertext Hyperlink a href url Link text to click on a Inline image img src url img src url XHTML equivalent Floating image img src url align left Table 39 Formatting Classes Class Name Applies To Description nwaIndent Tables Indent style used in tables nwaLayout Tables Used when you want to lay out material in a table without the mate...

Page 443: ...bstitution in the templates may be done with the syntax variable as shown below The current page s title is title Template File Inclusion To include the contents of another file this can be done with the following syntax include file public included_file html Note that Smarty template syntax found in these files is also processed as if the file existed in place of the include tag itself nwaTop Tab...

Page 444: ...condition is true use the following syntax if username tr td class nwaBody Username td td class nwaBody username td tr else No user name no table row if The condition tested in the if if block should be a valid PHP expression Note that the else tag does not require a closing tag Script Blocks The brace characters and are specially handled by the Smarty template engine Using text that contains thes...

Page 445: ...m starting at 0 for the first item smarty foreach name iteration counter for the current item starting at 1 for the first item smarty foreach name total value indicating the total number of items in the collection Note that the content after a foreachelse tag is included only if the foreach block would otherwise be empty Modifiers Smarty provides modifiers that can be used to gain greater control ...

Page 446: ...ions so that any embedded HTML is not interpreted by the browser nwa_commandlink nwa_commandlink nwa_commandlink Smarty registered block function Generates a command link consisting of an icon main text and explanatory text Command links are block elements and are roughly the equivalent of a form button A command link is typically used to represent a choice the user should make to proceed The comm...

Page 447: ...k nwa_iconlink nwa_iconlink Smarty registered block function Generates a combined icon and text link to a specified URL Usage example nwa_iconlink icon images icon info22 png text More Information more_information php nwa_iconlink The icon parameter is the SRC to the image of the icon This should normally be a relative path The text parameter is the text to display next to the icon This will also ...

Page 448: ...waIndent style If novspace 1 is specified the block uses a DIV element rather than a P element If neither icon nor type is supplied the default behavior is to insert an info type image Specifying a type is equivalent to specifying an icon width height and alt parameter and may also include a class depending on the type selected Usage example nwa_icontext struct error nwa_icontext The struct parame...

Page 449: ...ery function The following parameters control how the result should be processed _assign Name of a page variable to store the output if not set output is sent to the browser as the result of evaluating the template function _output Index of item to return from the RPC result if not set the complete result is returned This may be of use when an array containing multiple values is returned and only ...

Page 450: ... value to assign to var The various request variables may also be accessed using one of two supported methods nwa_assign var _GET get_variable value nwa_assign var smarty get get_variable value The variables that can be accessed this way are _GET smarty get _POST smarty post _REQUEST smarty request _SESSION smarty session _COOKIE smarty cookies and _ENV smarty env Assigning to values in _SESSION w...

Page 451: ...ion control HTML of a particular type Blocks are individual components of the navigation area which basically consist of HTML Blocks for actual navigation items have substitution tags in the form tagname The recognized tags are described in the table below When used with the block parameter the nwa_nav control does not generate any HTML When used with the type parameter the nwa_nav control uses th...

Page 452: ...ve level2_parent_inactive level3_active level3_inactive enter_level1 enter_level2 enter_level3 exit_level1 exit_level2 exit_level3 nwa_plugin nwa_plugin Smarty registered template function Generates plugin information based on the parameters specified Specifying which plugin The id parameter specifies a plugin ID The name parameter specifies a plugin name or plugin filename The page parameter spec...

Page 453: ... access The name parameter is the name of the privilege to check If name is prefixed with a the output is included only if that privilege is NOT granted inverts the sense of the test An optional level parameter may be specified which is the level of access to the privilege required default is 0 or any access nwa_replace nwa_replace 1 2 nwa_replace Smarty registered block function Replace 1 2 etc w...

Page 454: ...parameters for this block function are video required the YouTube video ID to embed width required the width in pixels of the video height required the height in pixels of the video autoplay optional if true auto play the video chrome optional if true use the chromed player that is provide a user experience with playback controls version optional the minimum version required to play the video onen...

Page 455: ... 2008 nwatimeformat Modifier The nwatimeformat modifier takes one argument the format description The minutes_to_natural argument converts an argument specified in minutes to a text string describing an equivalent but more natural measurement for the time interval hours days or minutes depending on the value An example of this usage is for the expire_postlogin field which has a value measured in m...

Page 456: ...a decimal number a single digit is preceded by a space 1 to 31 h Same as b H Hour as a decimal number 00 to 23 I Hour as a decimal number 01 to 12 m Month as a decimal number 01 to 12 M Minute as a decimal number 00 to 59 p AM or PM r Local time using 12 hour clock I M p R Local time using 24 hour clock H M S Second as a decimal number 00 to 60 T Current time H M S u Weekday as a decimal number 1 ...

Page 457: ... NwaByteFormatBase10 NwaByteFormatBase10 bytes unknown null Formats a non negative size in bytes as a human readable number bytes KB MB GB etc Assumes base 10 rules in measurement that is 1 KB 1000 bytes 1 MB 1000 KB etc If a negative value is supplied returns the unknown string If a non numeric value is supplied that value is returned directly NwaComplexPassword NwaComplexPassword len 8 Generates...

Page 458: ...rated password The password returned will be at least upper lower digit symbol characters in length Any length beyond the required minimum will be made up of any allowed characters lower specifies the minimum number of lowercase characters to include or 1 to not use any lowercase characters upper specifies the minimum number of uppercase characters to include or 1 to not use any uppercase characte...

Page 459: ...additional parsing options described in the table below Table 44 Parsing Options Function Description fs The field separator character default is comma rs The record separator character default is newline n quo The quote character default is double quote excel_compatible If true recognize syntax as well as default true dos_compatible If true convert r n line endings to n default true encoding If s...

Page 460: ...t least one digit punctuation At least one symbol complex At least one of each uppercase letter lowercase letter digit and symbol NwaSmsIsValidPhoneNumber NwaSmsIsValidPhoneNumber phone_number Validates a phone number supplied in E 164 international dialing format including country code Any spaces and non alphanumeric characters are removed If the first character is a plus sign the phone number is...

Page 461: ...3 Field Form and View Reference GuestManager Standard Fields The table below describes standard fields available for the GuestManager form Table 45 NwaVLookup Options Option Description value The value to look for table A 2D array of data to search for example a data table returned by NwaCsvCache or NwaParseCsv column_index The desired index of the data range_lookup Specifies whether to find an ex...

Page 462: ...visitor accounts captcha Special field used to enable the use of a CAPTCHA security code on a form This field should be used with the user interface type CAPTCHA security code and the standard validator NwaCaptchaIsValid in order to provide the standard security code functionality change_of_ authorization Boolean flag indicating that any existing sessions for a visitor account should be disconnect...

Page 463: ...ed This field is available when modifying an account using the change_expiration or guest_edit forms dynamic_session_time Integer The maximum session time that would be allowed for the account if an authorization request was to be performed immediately Measured in seconds Set to 0 if the account is either unlimited dynamic_is_expired is false or if the account has expired dynamic_is_expired is tru...

Page 464: ...It may be set to one of the following values expire_postlogin to set the post login expiration time to the value in the expire_postlogin field plus X or minus X where X is a time measurement to extend or reduce the post login expiration timer by X minutes but may have a ywdhms suffix to indicate years weeks days hours minutes seconds respectively A number to set the post login expiration time to t...

Page 465: ...me but may be 0 to disable activation time schedule_after to set the activation time to the current time plus the number of hours in the schedule_after field plus X where X is a time measurement to extend the activation time by X The time measurement is normally hours but may have a ywdhms suffix to indicate years weeks days hours minutes or seconds respectively Alternatively this operation may be...

Page 466: ...to be created or updated This can be used to verify that a password has been typed correctly This field controls account creation and modification behavior it is not stored with created or modified visitor accounts password_action String Controls the password changing behavior for a guest account This field may be set to one of the following values empty string Default behavior that is guests are ...

Page 467: ...by the random_password_length field nwa_strong_password to create a password using a combination of digits uppercase letters lowercase letters and some punctuation Certain characters are omitted from the password The length of the password is specified by the random_password_length field nwa_complex_password to create a complex password string which contains uppercase letters lowercase letters dig...

Page 468: ...ds is specified by the random_username_length field random_username_picture String The format string to use when creating a username if the random_username_method field is set to nwa_picture_password See Format Picture String Symbols in this chapter for a list of the special characters that may be used in the format string remote_addr String The IP address of the guest at the time the guest accoun...

Page 469: ... of the account This field may be up to 64 characters in length visitor_company String The visitor s company name visitor_name String The visitor s full name vvisitor_phone String The visitor s contact telephone number Table 47 Hotspot Standard Fields Field Description address String The visitor s street address card_code String The 3 or 4 digit cardholder verification code printed on the credit c...

Page 470: ...hat a SMS receipt should be automatically sent upon creation of the account sms_auto_send_field String This field specifies the name of the field that contains the auto send flag If blank or unset the default value from the SMS plugin configuration is used Additionally the special values _Disabled and _Enabled may be used to never send an SMS or always send an SMS respectively sms_enabled Boolean ...

Page 471: ...ceipt configuration is used Additionally the special value _None indicates that the visitor should not be sent any email smtp_enabled String This field may be set to a non zero value to enable sending an email receipt If unset the default value from the email receipt configuration is used The special values _Auto Always auto send guest receipts by email _AutoField Auto send guest receipts by email...

Page 472: ...om the email receipt configuration is used smtp_warn_before_cc_action String This field overrides how copies are sent as indicated under Logout Warnings on the email receipt to send copies of email receipts It may be one of never always_cc always_bcc conditional_cc or conditional_bcc If blank or unset the default value from the email receipt configuration is used warn_before_from_sponsor String Th...

Page 473: ... the validator IsInOptionsList Checks against a list of options in the policy definition IsNonEmpty Checks that the value is a non empty string length non zero and not all whitespace or a non empty array IsNonNegative Checks that the value is numeric and non negative IsRegexMatch Checks that the value matches a regular expression supplied as the argument the validator The regular expression should...

Page 474: ...ostnameCidr Checks that the value is a valid IP address or hostname which may also have an optional N suffix indicating the network prefix length in bits CIDR notation IsValidHostnamePort Checks that the value is a valid IP address or hostname which may optionally include a port number specified with the syntax hostname port IsValidIpAddr Checks that the value is a valid IP address IsValidLdapAttr...

Page 475: ...p www example com the scheme is http the hostname is www example com and the path is The validator argument may optionally be an array containing a scheme key that specifies an array of acceptable URL protocols IsValidUsername Checks that the value is a valid username Usernames cannot be blank or contain spaces NwaCaptchaIsValid Checks that the value matches the security code generated in the CAPT...

Page 476: ...s a Boolean value as a string If the argument is 0 or 1 a 0 or 1 is returned for false and true respectively If the argument is a string containing a character the string is split at the separator and used for false and true values If the argument is an array the 0 and 1 index values are used for false and true values Otherwise the string values false and true are returned NwaByteFormat Formats a ...

Page 477: ...rray by splitting the string at each comma and forming an array of all the substrings created in this way NwaNumberFormat Formats a numeric value as a string If the argument is null or not supplied the current locale s settings are used to format the numeric value The argument may be an array or a numerica value If the argument is an array it will override the current locale s settings see below f...

Page 478: ... Nwa_BooleanText data enabled Enabled Disabled Displays either Enabled or Disabled depending on the value of the enabled field parseInt data do_expire 0 Nwa_DateFormat data expire_time Y m d H M N A Displays N A if the account has no expiration time or a date and time string if an expiration time has been set JavaScript functions Nwa_BooleanText value if_true if_false if_undefined Returns the valu...

Page 479: ...words has not been set and the if_undefined parameter was provided returns if_undefined Otherwise the number is converted to a string using the number of decimal places specified in decimals default 0 the decimal point character in dec_point default and the thousands separator character in thousands_sep default Nwa_TrimText value length Trims excessively long strings to a maximum of length charact...

Page 480: ...ame of the attribute to look up The attribute name is not case sensitive If the attribute was not included with the Access Request returns NULL Example usage As a condition expression for an attribute return GetAttr Calling Station Id 00 01 02 44 55 66 As an attribute value GetAttr Calling Station Id ShowAttr ShowAttr raw false Show the attributes passed with the RADIUS Access Request Writes to st...

Page 481: ...ptionally to_time is used with the criteria to narrow the search If to_time is not specified from_time is a look back time that is the time interval in seconds before the current time If to_time is specified the interval considered is between from_time and to_time in_out may be in to count only input octets out to count only output octets or any other value to count both input and output octets to...

Page 482: ... Calling Station Id attribute the mac_format argument may be specified This should be a sprintf style format string that accepts 6 arguments the octets of the MAC address The default if not specified is the IEEE 802 standard format 02X 02X 02X 02X 02X 02X that is uppercase hexadecimal with each octet separated with a hyphen This string matches what ClearPass Guest sees from the NAS The time interv...

Page 483: ...sed See GetTraffic for details on how to specify the time interval GetCallingStationTime GetCallingStationTime from_time to_time null mac_format null Calculate sum of session times in a specified time interval Because different NAS equipment can send differently formatted MAC addresses in the Calling Station Id attribute the mac_format argument may be specified This should be a sprintf style forma...

Page 484: ...Sessions GetIpAddressSessions from_time null to_time null Calculate the number of sessions for accounting records matching a specific IP address The IP address attribute is looked up automatically from the RADIUS Access Request Framed IP Address attribute See GetTraffic for details on how to specify the time interval See GetIpAddressTraffic for additional details on the ip_addr argument GetUserAct...

Page 485: ...turn value GetIpAddressCurrentSession GetIpAddressCurrentSession ip_addr null Looks up the current most recent active session for the specified client IP address If ip_addr is not specified it defaults to the current value of smarty server REMOTE_ADDR which may not be the same value as the IP address of the session if there is a NAT See GetCurrentSession for details of the return value GetCallingS...

Page 486: ...sionTimeRemaining username format relative Calculates the session time remaining for a given user account if the user account was to be authenticated at the moment of the call The username parameter is required This is the username for the authentication The format parameter is optional and defaults to relative if not otherwise specified This parameter may be one of the following values relative o...

Page 487: ...server will cache too many requests and some new requests may get blocked See max_requests below The useful range of values is 2 to 10 max_requests 1024 The maximum number of requests which the server keeps track of This should be 256 multiplied by the number of clients for example with 4 clients this number should be 1024 If this number is too low then when the server becomes busy it will not res...

Page 488: ... or password to lowercase before or after attempting to authenticate If set to before the server will first modify the request and then try to authenticate the user If set to after the server will first attempt to authenticate using the values provided by the user If that fails it will reprocess the request after modifying it as you specify below This is as close as ClearPass Guest can get to case...

Page 489: ...n running Allowed values are no and yes Table 58 Proxy Configuration Settings Value Description proxy_requests yes Turns proxying of RADIUS requests on or off The server has proxying turned on by default If your system is not set up to proxy requests to another server then you can turn proxying off here This will save a small amount of resources on the server If you have proxying turned off and yo...

Page 490: ...pool You probably don t want too many spare threads around otherwise they ll be sitting there taking up resources and not doing anything productive The default configuration should be adequate for most situations thread max_servers 32 Limit on the total number of servers running If this limit is ever reached clients will be locked out so it should not be set too low It is intended mainly as a brak...

Page 491: ... Password attribute module pam yes Pluggable Authentication Modules for Linux module unix yes Unix etc passwd style authentication unix cache no Cache etc passwd etc shadow and etc group for authentication The default is to not cache them Allowed values no yes unix cache_reload 600 If the cache is enabled reloads its contents every cache_reload seconds Use 0 to disable module mschap yes Microsoft ...

Page 492: ...num_sql_socks 5 The number of SQL connections to make to the database server sql connect_failure_retry_delay 60 The number of seconds to delay retrying on a failed database connection per socket sql safe_characters not set A list of characters that may be stored in database fields without being escaped This may be set to the value all to indicate all standard ASCII characters This string should no...

Page 493: ...er which supports that EAP type If another module is NOT configured to handle the request then the request will still end up being rejected eap cisco_accounting_username_bug no Cisco AP1230B firmware 12 2 13 JA1 has a bug When given a User Name attribute in an Access Accept it copies one more byte than it should Work around this issue by adding an extra zero byte module eap_md5 yes Enables md5 EAP...

Page 494: ... protocol which can be described as EAP inside of Diameter inside of TLS inside of EAP inside of RADIUS The TTLS module needs the TLS module to be installed and configured in order to use the TLS tunnel inside of the EAP packet You will still need to configure the TLS module even if you do not want to deploy EAP TLS in your network Users will not be able to request EAP TLS as it requires them to h...

Page 495: ...here is another incompatible implementation of MS CHAPv2 in EAP by Cisco which is not currently supported Table 63 LDAP Module Settings Setting Description module ldap no Lightweight Directory Access Protocol LDAP This module definition allows you to use LDAP for authorization and authentication Auth Type LDAP ldap server ldap example com Set the LDAP server hostname ip address You can also pass a...

Page 496: ...p ldap_debug 0 Debug flags for LDAP SDK see OpenLDAP documentation Example LDAP_DEBUG_FILTER LDAP_DEBUG_CONNS ldap ldap_debug 0x0028 ldap identity not set The DN under which LDAP searches are done ldap password not set Password which authenticates the identity DN If not set the default is to perform an anonymous bind with no password required NOTE this implies that searches will be done over an un...

Page 497: ...et to yes and the attribute exists the user is allowed to get remote access If the attribute exists and is set to FALSE the user is denied remote access If the attribute does not exist the user is denied remote access by default If access_attr_used_for_allow is set to no and the attribute exists the user is denied remote access If it does not exist the user is allowed remote access ldap password_h...

Page 498: ... GroupOfUniqueNames uniquemember Ldap UserDn ldap groupmembership_attribute not set The attribute in the user entry that states the group the user belongs to The attribute can either contain the group name or the group DN If it contains the group DN groupmembership_attribute will also be used to find the group s name The attribute will be used after a search based on the groupname_attribute and gr...

Page 499: ... should be matched See Regular Expressions in this chapter for information about the supported syntax for regular expressions module attr_rewrite name replacewith not set The replacement value which will be used for the attribute value if the attribute matches the searchfor regular expression Backreferences to the matching components of the searchfor regular expression are supported 0 will contain...

Page 500: ...he client in an Access Accept and should be sent unmodified by the client to the accounting server as part of the Accounting Request packet if accounting is supported Vendor Specific This attribute is available to allow vendors to support their own extended Attributes not suitable for general usage Session Timeout This attribute sets the maximum number of seconds of service to be provided to the u...

Page 501: ...erty specifies when the account will expire badPasswordTime The badPasswordTime property specifies when the last time the user tried to log onto the account using an incorrect password badPwdCount The badPwdCount property specifies the number of times the user tried to log on to the account using an incorrect password codePage The codePage property specifies the code page for the user s language o...

Page 502: ...nly the string a a Any string ending with a Any single character A literal abc Any of the characters a b or c a z0 9A Z Any alphanumeric character a z Any character not in the set a through z a Matches zero or one a a Matches one or more a aa aaa a Matches zero or more empty string a aa aaa a b Alternate matches Matches an a or b a z Grouping matches sequentially within parentheses a Non greedy ze...

Page 503: ...erprise network infrastructure CA See Certificate Authority captive portal Implemented by NAS Provides access to network only to authorized users certificate authority Entity in a public key infrastructure system that issues certificates to clients A certificate signing request received by the CA is converted into a certificate when the CA adds a signature that is generated with the CA s private k...

Page 504: ... LayerSecurity RFC 5216 A certificate based authentication method supporting mutual authentication integrity protected ciphersuite negotiation and key exchange between two endpoints form Screen that collects data using fields field Single item of information about a visitor account guest See Visitor intermediate CA Certificate authority with a certificate that was issued by another certificate aut...

Page 505: ... the sender knows the private key The private key is also used to decrypt a message that was encrypted with the sender s public key only the sender can decrypt it public key The part of a public private key pair that is made public The public key is used to encrypt a message the recipient s private key is required to decrypt the message A large part of a digital certificate is the certificate owne...

Page 506: ...client certificate depending on the type of device user database Database of the guests on the system view Table containing data Used to interactively display data such as visitor accounts to operators visitor guest Someone who is permitted to access the Internet through your Network Access Server VPN Virtual private network Enables secure access to a corporate network when located remotely VSA Ve...

Page 507: ...erver time configuration 399 system control 401 system information 408 system logs 411 Web server settings 408 Apple Captive Network Assistant 136 application log 412 attributes 119 attribute values 145 conditions 119 120 deleting values 146 editing 144 editing values 145 RADIUS 119 499 role 119 tags 120 value expressions 122 vendor 144 authentication 25 29 205 AAA 113 configuring for Active Direc...

Page 508: ... 188 certificate signing request 379 classifier 338 field 230 GRE tunnel 366 guest account 205 hotspot plan 419 LDAP server 190 LDAP translation rule 196 multiple guest accounts 207 220 NAS 125 notifications disk space 391 operator profile 180 operator profiles 180 output filter 345 output series 342 print template 272 RADIUS server certificate 149 report 348 report parameters 330 self registratio...

Page 509: ...g attribute 144 attribute values 145 base field 234 253 expiration time guest account 213 external authentication server 162 field 231 form 232 form fields 234 forms 233 forms and views 232 guest account 194 214 guest self registration 256 multiple guest accounts 214 print templates 274 vendor 143 view 232 252 views 232 email guest self registration receipts 264 receipts 207 SMTP services 310 enco...

Page 510: ...d_field 310 470 sms_enabled 309 470 sms_handler_id 309 470 sms_phone_field 309 470 sms_template_id 309 470 sms_warn_before_message 310 470 smtp_auto_send_field 314 smtp_cc_action 314 smtp_cc_list 314 smtp_email_field 314 smtp_enabled 314 smtp_receipt_format 314 smtp_subject 314 471 smtp_template_id 314 471 smtp_warn_before_cc_action 315 472 smtp_warn_before_cc_list 315 472 smtp_warn_before_receipt...

Page 511: ...213 Edit 194 214 Email receipt 207 Export 220 Filtering 212 215 281 297 Import 216 List 211 Manage multiple 214 Paging 212 Print 214 Receipts 207 Reset password 212 Scratch cards 208 Selection row 216 SMS receipt 207 View passwords 225 XML export 220 guest accounts creating 205 creating multiple 207 220 editing expiration 213 exporting 220 filtering 212 215 importing 216 Guest management Custom fi...

Page 512: ...tallation Administrator password 38 Complete 47 Default network settings 33 Default password 35 Hardware 33 Hostname 39 HTTP proxy 41 License agreement 38 NAS list 44 Network interfaces 40 Password 37 Setup wizard 37 SMTP configuration 42 SNMP configuration 42 Subscription ID 45 Time server 43 Update plugins 46 Virtual machine 34 installing RADIUS server certificate 150 Intermediate certificate 38...

Page 513: ... SSL 379 Static routes 365 System hostname 39 Traceroute 372 View DHCP leases 371 VLAN support 367 network configuring 357 diagnostics 360 GRE tunnel 366 security settings 391 setup 357 Network access control 146 Network Access Server 29 124 Network access server Setup wizard 44 network configuration defaults 33 Network interfaces 361 394 nodes primary 425 replication 426 secondary 425 notificaito...

Page 514: ...ive Directory 161 active sessions 294 attr_rewrite module 117 attributes 119 499 authentication log 114 certificate authority CA 150 certificate creation 149 clients 124 configuration 115 487 databases 140 debugging 113 114 dictionary 141 digital certificate 147 disconnecting session 296 300 dynamic authorization 113 126 exporting certificate 152 exporting dictionary 142 external authentication 16...

Page 515: ...e 320 Export 322 Grouping 326 History 318 Local RADIUS accounting 325 Managing 318 Parameters 329 Print 318 319 Reset to defaults 323 Run default 318 Run options 319 Run preview 318 Select fields 333 Skin 329 View CSV 318 View HTML 318 View Text 318 reports exporting 322 importing 323 predefined 317 resetting password 212 RADIUS dictionary 142 Restart services 401 restarting RADIUS server 113 Rest...

Page 516: ... for session 301 Guest account receipt 207 Guest self registration receipts 265 SMS Services Credits available 305 Guest receipts 305 Low credit warning 305 Send 304 SMS services 302 configuring 302 sending message 304 SMTP configuration 378 SMTP Services 310 SNMP 375 access 376 Community string 377 Supported MIBs 377 Source filters 335 sponsors 29 SSL Certificate details 382 High Availability 427...

Page 517: ...ion 408 system logs 411 views 29 229 column format 254 customization 232 duplicating 233 editing 232 252 Field Editor 253 guest_export 220 229 guest_multi 214 229 guest_sessions 229 295 guest_users 211 229 virtual appliance 34 VMware ESXi 34 virtual IP address 426 virtual machine 34 NTP and timekeeping 43 NTP configuration 400 visitors 29 account 29 VLAN RADIUS Attributes 123 VLAN interface 367 VS...

Page 518: ...518 Index ClearPass Guest 3 9 Deployment Guide ...

Reviews:

No comments

Related manuals for ClearPass Guest 3.9

MAIL - BROWSING SMARTPHONE

Brand: Blackberry Pages: 25

CONTRIBUTE-USING CONTRIBUTE

Brand: MACROMEDIA Pages: 214

DEEP FREEZER PROFESSIONAL

Brand: FARONICS Pages: 31

Brand: Model Technology Pages: 37

COLDFUSION STUDIO 4.5-USING COLDFUSION...

Brand: MACROMEDIA Pages: 236

ANTI-VIRUS - FOR FREEBSD-OPENBSD-BSDI MAIL SERVER

Brand: KAPERSKY Pages: 295

Brand: Nokia Pages: 84

APPLICATION STACK 1.3 RELEASE

Brand: Red Hat Pages: 26

Brand: DigiDesign Pages: 39

Doctor Pro TM-2430-13

Brand: A&D Pages: 69

Brand: 3Com Pages: 44

ITANIUM ARCHITECTURE - SOFTWARE DEVELOPERS VOLUME 3 REV 2.3

Brand: Intel Pages: 1898

Brand: AMX Pages: 3

Brand: MACROMEDIA Pages: 678

Brand: Native Instruments Pages: 16

Brand: ICP Pages: 60

Storage Software PathManager

Brand: NEC Pages: 65

GY-HM700U - Prohd Compact Shoulder Solid State Camcorder

Brand: JVC Pages: 780

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands