background image

64

Dell Networking W-ClearPass Policy Manager 6.0 | User Guide

The following additional settings have been introduced for Profile support:

l

Read ARP Table Info - Enable this setting if this is a Layer 3 device, and you want to use ARP table on this
device as a way to discover endpoints in the network. Static IP endpoints discovered this way are further probed
via SNMP to profile the device.

l

Force Read - Enable this setting to ensure that all CPPM nodes in the cluster read SNMP information from this
device regardless of trap configuration on the device. This option is especially useful when demonstrating static
IP-based device profiling because this does not require any trap configuration on the network device.

Figure 36:

SNMP Read/Write Settings Tabs

In large or geographically spread cluster deployments you do not want all CPPM nodes to probe all SNMP configured
devices. The default behaviour is for a CPPM node in the cluster to read network device information only for devices
configured to send traps to that CPPM node.

Subnet Scan

A network subnet scan is used to discover IP addresses of devices in the network. The devices discovered this way
are further probed using SNMP to fingerprint and assign a Profile to the device.Network subnets to scan. Subnets to
scan are configured per CPPM Zone. This is particularly useful in deployments that are geographically distributed. In
such deployments, it is recommended that you assign the CPPM nodes in a cluster to multiple “Zones” (from
Administration > Server Configuration > Manage Policy Manager Zones) depending on the geographical area served
by that node, and enable Profile on at least one node per zone.

Figure 37:

Configuration > Profile Settings

Summary of Contents for Networking W-ClearPass Policy Manager 6.0

Page 1: ...Dell Networking W ClearPass Policy Manager 6 0 User Guide ...

Page 2: ...including software code subject to the GNU General Public License GPL GNU Lesser General Public License LGPL or other Open Source Licenses Includes software from Litech Systems Design The IF MAP client library copyright 2011 Infoblox Inc All rights reserved This product includes software developed by Lars Fenneberg et al The Open Source code used can be found at this site http www arubanetworks co...

Page 3: ...ity 35 Analysis and Trending 37 Endpoint Profiler 37 System Monitor 38 Audit Viewer 40 Event Viewer 43 Data Filters 44 Add a Filter 45 Policy Manager Policy Model 49 Services Paradigm 49 Viewing Existing Services 52 Adding and Removing Services 52 Links to Use Cases and Configuration Instructions 53 Policy Simulation 54 Add Simulation Test 56 Import and Exporting Simulations 59 Import Simulations ...

Page 4: ...e Service 80 TACACS Use Case 83 Configuring the Service 83 Single Port Use Case 87 Services 89 Architecture and Flow 89 Start Here Page 90 Policy Manager Service Types 92 Services 101 Adding Services 102 Modifying Services 104 Reordering Services 106 Authentication and Authorization 109 Architecture and Flow 109 Configuring Authentication Components 110 Adding and Modifying Authentication Methods ...

Page 5: ...dpoints 164 Adding and Modifying Static Host Lists 166 Additional Available Tasks 167 Posture 169 Posture Architecture and Flow 169 Configuring Posture 171 Adding and Modifying Posture Policies 172 Configuring Posture Policy Plugins 173 ClearPass Windows Universal System Health Validator NAP Agent 176 ClearPass Windows Universal System Health Validator OnGuard Agent 192 ClearPass Linux Universal S...

Page 6: ... 218 RADIUS Enforcement Profiles 221 RADIUS CoA Enforcement Profiles 223 SNMP Enforcement Profiles 224 TACACS Enforcement Profiles 224 Application Enforcement Profiles 226 CLI Enforcement Profile 227 Agent Enforcement Profiles 228 Post Authentication Enforcement Profiles 228 Configuring Enforcement Policies 229 Network Access Devices 233 Adding and Modifying Devices 233 Adding a Device 233 Additio...

Page 7: ...Drop Subscriber 260 System Tab 260 Multiple Active Directory Domains 262 Services Control Tab 264 Service Parameters Tab 264 System Monitoring Tab 272 Network Interfaces Tab 273 Creating GRE tunnels 273 Creating VLAN 274 Log Configuration 275 Local Shared Folders 277 Application Licensing 278 Adding a License 279 Activating an Application License 279 Updating a License 280 SNMP Trap Receivers 280 ...

Page 8: ...ate 294 Create Certificate Signing Request 296 Export Server Certificate 298 Import Server Certificate 298 Certificate Trust List 298 Add Certificate 299 Revocation Lists 299 Add Revocation List 300 RADIUS Dictionaries 301 Import RADIUS Dictionary 302 Posture Dictionaries 302 TACACS Services 303 Fingerprints 304 Attributes 305 Add Attribute 306 Import Attributes 307 Export Attributes 308 Export 30...

Page 9: ...local passwd 322 Configure Commands 322 date 322 dns 323 hostname 323 ip 323 timezone 324 Network Commands 324 ip 324 nslookup 325 ping 325 reset 326 traceroute 326 Service commands 327 action 327 Show Commands 328 all timezones 328 date 328 dns 328 domain 329 hostname 329 ip 329 license 329 timezone 330 version 330 System commands 330 boot image 330 gen support key 331 DellNetworking W ClearPass ...

Page 10: ... backup 335 dump certchain 335 dump logs 336 dump servercert 336 exit 337 help 337 krb auth 337 krb list 338 ldapsearch 338 restore 338 quit 339 Rules Editing and Namespaces 341 Namespaces 341 Variables 347 Operators 348 Software Copyright and License Statements 351 PostgreSQL Copyright 351 GNU LGPL 351 GNU GPL 357 Lighthttpd License 362 Apache License 362 OpenSSL License 365 OpenLDAP License 371 ...

Page 11: ...l Networking W ClearPass Policy Manager platform such as Guest Onboard Profile OnGuard QuickConnect and Insight simplify and automate device configuration provisioning profiling health checks and guest access With built in RADIUS SNMP and TACACS protocols Dell Networking W ClearPass Policy Manager provides device registration device profiling endpoint health assessments and comprehensive reporting...

Page 12: ...12 DellNetworking W ClearPass Policy Manager 6 0 User Guide ...

Page 13: ...wing table Table 1 Device Ports Key Port Description A Serial Configures the ClearPass Policy Manager appliance initially via hardwired terminal B eth0 Management gigabit Ethernet Provides access for cluster administration and appliance maintenance via web access CLI or internal cluster communications Configuration required C eth1 Data gigabit Ethernet Provides point of contact for RADIUS TACACS W...

Page 14: ...way optional Data Port Subnet Mask optional Primary DNS Secondary DNS NTP Server optional Perform the following steps to set up the Policy Manager appliance 1 Connect and power on Using the null modem cable provided connect a serial port on the appliance to a terminal then connect power and switch on The appliance immediately becomes available for configuration Use the following parameters for the...

Page 15: ...onfiguring NTP servers Enter the option or press any key to quit 2 Enter Primary NTP Server pool ntp org Enter Secondary NTP Server time nist gov Do you want to configure the timezone y n y After the timezone information is entered you are asked to confirm the selection 6 Commit or restart the configuration Follow the prompts Proceed with the configuration y Y n N q Q y Y to continue n N to start ...

Page 16: ...ey 3 Generate password recovery and support keys Enter the option or press any key to quit 4 To generate the recovery key select option 1 or 3 if you want to generate a support key as well 5 Once the password recovery key is generated email the key to Dell technical support A unique password will be generated from the recovery key and emailed back to you 6 Enter the following at the command prompt...

Page 17: ...erate a support key 3 Generate password recovery and support keys Enter the option or press any key to quit 5 To generate the support key select option 2 or 3 if you want to generate a password recovery key as well 6 Once the password recovery key is generated email the key to Dell technical support A unique password can now be generated by Dell technical support to log into the support shell Dell...

Page 18: ...18 DellNetworking W ClearPass Policy Manager 6 0 User Guide ...

Page 19: ...s where the health state was deemed to be healthy based on the posture data sent from the client Unhealthy requests are those requests whose health state was deemed to be quarantined posture data received but health status is not compliant or unknown no posture data received This includes RADIUS and WebAuth requests The default data filters Health Requests and Unhealthy Requests are used to plot t...

Page 20: ... into each of the built in device categories For example selecting SmartDevice shows the different kinds of smartdevices identified by Profile This shows a table of the last few successful authentications Clicking on a row drills down into the Access Tracker and shows successful requests sorted by timestamp with the latest request showing first This shows a table of the last few failed authenticat...

Page 21: ...learPass Guest application This application opens in a new tab l ClearPass Onboard links to the ClearPass Onboard screen within the ClearPass Guest application This application opens in a new tab This shows links to the Dell applications that are integrated with Policy Manager E g GuestConnect Insight This shows the status of all nodes in the cluster The following fields are shown for each node l ...

Page 22: ...22 DellNetworking W ClearPass Policy Manager 6 0 User Guide ...

Page 23: ...y on page 35 n Analysis and Trending on page 37 n Endpoint Profiler on page 37 n System Monitor on page 38 l Audit Viewer on page 40 l Event Viewer on page 43 l Data Filters on page 44 Access Tracker The Access Tracker provides a real time display of system activity with optional auto refresh at Monitoring Live Monitoring Access Tracker Click on Edit to change the Access Tracker display parameters...

Page 24: ...e previous step to Today Save Cancel Save or cancel edit operation To display a specific set of records use the simple filter controls The filter controls enable you to filter by Protocol Type User Service Name MAC Address or Status Note that this filter is applied on top of the display constraints configured previously See table above Table 4 Access Tracker Simple Filter Container Description Fil...

Page 25: ...ent to the network device in chronological order Table 6 Session Details Popup Actions Container Description Change Status This button allows you to change the access control status of a session This function is only available for RADIUS and WebAuth l Agent This type of control is available for a session where the endpoint has the OnGuard Agent installed Actions allowed are Bounce Send Message and...

Page 26: ...access device by means of RADIUS TACACS accounting records at Monitoring Live Monitoring Accounting Figure 3 Accounting Edit Mode Table 7 Accounting Container Description Select Server Select server for which to display dashboard data Select Filter Select filter to constrain data display Modify Modify the currently displayed data filter Add Go to Data Filters page to create a new data filter Selec...

Page 27: ...l edit operation Show n records Show 10 20 50 or 100 rows Once selected this setting is saved and available in subsequent logins Click on any row to display the corresponding Accounting Record Details Figure 4 RADIUS Accounting Record Details Summary tab DellNetworking W ClearPass Policy Manager 6 0 User Guide 27 ...

Page 28: ...28 DellNetworking W ClearPass Policy Manager 6 0 User Guide Figure 5 RADIUS Accounting Record Details Auth Sessions tab ...

Page 29: ...Figure 6 RADIUS Accounting Record Details Utilization tab DellNetworking W ClearPass Policy Manager 6 0 User Guide 29 ...

Page 30: ...ession identifier you can correlate this record with a record in Access Tracker Account Session ID A unique ID for this accounting record Start and End Timestamp Start and end time of the session Status Current connection status of the session Username Username associated with this record Termination Cause The reason for termination of this session Service Type The value of the standard RADIUS att...

Page 31: ...ive Time How long the session was active Account Delay Time How many seconds the network device has been trying to send this record for subtract from record time stamp to arrive at the time this record was actually generated by the device Account Input Octets Octets sent and received from the device port over the course of the session Account Output Octets Account Input Packets Packets sent and re...

Page 32: ...32 DellNetworking W ClearPass Policy Manager 6 0 User Guide Figure 8 TACACS Accounting Record Details Request tab ...

Page 33: ...Figure 9 TACACS Accounting Record Details Auth Sessions tab DellNetworking W ClearPass Policy Manager 6 0 User Guide 33 ...

Page 34: ...thentication authorization and accounting records Start and End Timestamp Start and end time of the session Username Username associated with this record Client IP The IP address and tty of the device interface Remote IP IP address from which Admin is logged in Flags Identifier corresponding to start stop or update accounting record Privilege Level Privilege level of administrator 1 lowest to 15 h...

Page 35: ...endpoints that have Dell OnGuard persistent or dissolvable agent at Monitoring Live Monitoring OnGuard Activity This screen also presents configuration tools to bounce an endpoint and to send unicast or broadcast messages to all endpoints running the OnGuard agent Note that bouncing of endpoints will only work with endpoints running the persistent agent Figure 11 Fig OnGuard Activity Table 10 OnGu...

Page 36: ...e URL that is displayed along with the Display Message l Endpoint Status No change No change is made to the status of the endpoint The existing status of Known Unknown or Disabled continues to be applied Access control is granted or denied based on the endpoint s existing status Allow network access Always allow network access Whitelist this endpoint Note that this action just sets the status of t...

Page 37: ... Figure 12 Analysis and Trending To add additional filters refer to Data Filters on page 44 l Select Server Select a node from the cluster for which data is to be displayed l Update Now Click on this button to update the display with the latest available data l Customize This Click on this link to customize the display by adding filters up to a maximum of 4 filters l Toggle Chart Type Click on thi...

Page 38: ...dpoint Profiler Details System Monitor The System Monitor is available by navigating to Monitoring Live Monitoring System Monitor l Select Server Select a node from the cluster for which data is to be displayed l Update Now Click on this button to update the display with the latest available data The System Monitor Page includes two tabs l System Monitor For the selected server provides load stati...

Page 39: ...e selected server and process provides critical usage statistics including CPU Virtual Memory and Main Memory Use Select Process to select the process for which you want to see the usage statistics DellNetworking W ClearPass Policy Manager 6 0 User Guide 39 ...

Page 40: ...cy Manager 6 0 User Guide Figure 16 Figure Process Monitor Graphs Audit Viewer The Audit Viewer display provides a dynamic report of Actions filterable by Action Name and Category of policy component and User at Monitoring Audit Viewer ...

Page 41: ... Once selected this setting is saved and available in subsequent logins Click on any row to display the corresponding Audit Row Details l For Add Actions a single popup displays containing the new data Figure 18 Audit Row Details Old Data tab For Modify Actions a popup with three tabs displays comparing the old data and the new DellNetworking W ClearPass Policy Manager 6 0 User Guide 41 ...

Page 42: ...42 DellNetworking W ClearPass Policy Manager 6 0 User Guide Figure 19 Audit Row Details Old Data tab Figure 20 Audit Row Details New Data tab ...

Page 43: ...evel not request related Events filterable by Source Level Category and Action at Monitoring Event Viewer Figure 22 Event Viewer Table 12 Event Viewer Container Description Select Server Select the server for which to display accounting data Filter Select the filter by which to constrain the display of accounting data DellNetworking W ClearPass Policy Manager 6 0 User Guide 43 ...

Page 44: ...Data Filters The Data Filters provide a way to filter data limit the number of rows of data shown by defining custom criteria or rules that is shown in Access Tracker on page 23 Syslog Export Filters on page 285 Analysis and Trending on page 37 and Accounting on page 26 components in Policy Manager It is available at Monitoring Data Filters Figure 24 Data Filters Policy Manager comes pre configure...

Page 45: ...All TACACS requests l Unhealthy Requests All requests that were not deemed healthy per policy l WebAuth Requests All Web Authentication requests requests originated from the Dell Guest Portal Table 13 Data Filters Container Description Add Filter Click to open the Add Filter wizard Import Filters Click to open the Import Filters popup Export Filters Click to open the Export Filters popup This expo...

Page 46: ...ion is not recommended For users who need to utilize this however we recommend contacting Support l Select Attributes This option is selected by default and enables the Rules tab If this option is selected use the Rules tab to configure rules for this filter Custom SQL If Specify Custom SQL is selected then this field populates with a default SQL template In the text entry field enter attributes f...

Page 47: ...red conditions Type This indicates the namespace for the attribute l Common These are attributes common to RADIUS TACACS and WebAuth requests and responses l RADIUS Attributes associated with RADIUS authentication and accounting requests and responses l TACACS Attributes associated with TACACS authentication accounting and policy requests and responses l Web Authentication Policy Policy Manager po...

Page 48: ...48 DellNetworking W ClearPass Policy Manager 6 0 User Guide Container Description Value The value of the attribute ...

Page 49: ...n Import and Exporting Simulations on page 59 Services Paradigm Services are the highest level element in the Policy Manager policy model They have two purposes l Unique Categorization Rules per Service enable Policy Manager to test Access Requests Requests against available Services to provide robust differentiation of requests by access method location or other network vendor specific attributes...

Page 50: ...AC AUTH MAC AUTH must be used exclusively in a MAC based Authentication Service When the MAC AUTH method is selected Policy Manager 1 makes internal checks to verify that the request is indeed a MAC Authentication request and not a spoofed request and 2 makes sure that the MAC address of the device is present in the authentication source Some Services for example TACACS contain internal authentica...

Page 51: ...er service An Internal Posture Policy tests Requests against internal Posture rules to assess health Posture rule conditions can contain attributes present in vendor specific posture dictionaries E Posture Servers Zero or more per service Posture servers evaluate client health based on specified vendor specific posture credentials typically posture credentials that cannot be evaluated internally b...

Page 52: ...me of a Service to display its details Figure 30 Details for an individual service Adding and Removing Services You can add to the list of services by working from a copy importing from another configuration or creating a service from scratch l Create a template by copying an existing service In the Services page click a service s check box then click Copy l Clone a service by import of a previous...

Page 53: ...page 102 Authentication Method 802 1x Wireless Use Case on page 67 demonstrates the principle of multiple authentication methods in a list When Policy Manager initiates the authentication handshake it tests the methods in priority order until one is accepted by the client Web Based Authentication Use Case on page 73 has only a single authentication method which is specifically designed for authent...

Page 54: ...y the Dell Web Portal and returns a corresponding posture token Adding and Modifying Posture Policies on page 172 Posture Server 802 1x Wireless Use Case on page 67 appends a third party posture server to evaluate health policies based on vendor specific posture credentials Adding and Modifying Posture Servers on page 199 Audit Server MAC Authentication Use Case on page 79 uses an Audit Server to ...

Page 55: ...tion triggers an audit on the specified device and displays the results l Enforcement Policy Given the service name and the associated enforcement policy a role or a set of roles the system posture status and an optional date and time the enforcement policy simulation evaluates the rules in the enforcement policy and displays the resulting enforcement profiles and their contents l Chained Simulati...

Page 56: ...test All namespaces relevant to service rules creation are loaded in the Attributes editor l Returns Results tab Service Name or status message in case of no match Type Role Mapping l Input Simulation tab Select Service Role Mapping Policy is implicitly selected because there is only one such policy associated with a service Authentication Source User Name and Date Time l Input Attributes tab Use ...

Page 57: ...t Simulation tab Select Service Enforcement Policy is implicit by its association with the Service Authentication Source optional User Name optional Roles Dynamic Roles optional System Posture Status and Date Time optional l Input Attributes tab Use the Rules Editor to create a request with the attributes you want to test Connection and RADIUS namespaces are loaded in the attributes editor l Retur...

Page 58: ...ontext are loaded in the attributes editor l Returns Results tab Role s Post Status Enforcement Profiles and Status Messages Test Date Time Use the calendar widget to specify date and time for simulation test Next Upon completion of your work in this tab click Next to open the Attributes tab Start Test Run test Outcome is displayed in the Results tab Save Cancel Click Save to commit or Cancel to d...

Page 59: ...nst the specified policy component s What is shown in the results tab again depends on the type of simulation Figure 34 Add Simulation Results Tab Import and Exporting Simulations Import Simulations Navigate to Configuration Policy Simulation and select the Import Simulations link DellNetworking W ClearPass Policy Manager 6 0 User Guide 59 ...

Page 60: ...ort Simulations Navigate to Configuration Policy Simulation and select the Export Simulations link This task exports all simulations Your browser will display its normal Save As dialog in which to enter the name of the XML file to contain the export Export To export just one simulation select it using the check box at the left and click Export Your browser will display its normal Save As dialog in...

Page 61: ...l DeviceCategory This is the broadest classification of a device It denotes the type of the device Examples include Computer Smartdevice Printer Access Point etc l DeviceFamily This element classifies devices into a category this is organized based on the type of OS or type of vendor For example Windows Linux and Mac OS X are some of the families when the category is Computer Apple Android are exa...

Page 62: ...ip address ip_addr netmask ip helper address dhcp_server_ip ip helper address cppm_ip end end Notice that multiple ip helper address statements can be configured to send DHCP packets to servers other than the DHCP server ClearPass Onboard ClearPass Onboard collects rich and authentic device information from all devices during the onboarding process Onboard then posts this information to Profile vi...

Page 63: ...derive a profile SNMP Endpoint information obtained by reading SNMP MIBs of network devices is used to discover and profile static IP devices in the network The following information read via SNMP is used l sysDescr information from RFC1213 MIB is used to profile the device This is used both for profiling switches controllers routers configured in CPPM and for profiling printers and other static I...

Page 64: ... Tabs In large or geographically spread cluster deployments you do not want all CPPM nodes to probe all SNMP configured devices The default behaviour is for a CPPM node in the cluster to read network device information only for devices configured to send traps to that CPPM node Subnet Scan A network subnet scan is used to discover IP addresses of devices in the network The devices discovered this ...

Page 65: ...e 2 is intended to refine the results of profiling Example With DHCP options Stage 1 can identify that a device is Android Stage 2 uses rules to combine this with MAC OUI to further classify an android device as Samsung Android HTC Android etc Post Profile Actions After profiling an endpoint profiler can be configured to perform CoA on the Network Device to which an endpoint is connected Post prof...

Page 66: ...r to Update Portal for more information The Profiler User Interface CPPM provides admin interfaces to search and view profiled endpoints It also provides basic statistics on the profiled endpoints The Cluster Status Dashboard widget shows basic distribution of device types See Policy Manager Dashboard fore more information on Dashboard widgets In addition the Monitoring and Reporting Live Monitori...

Page 67: ...y Manager Service to identify and evaluate an 802 1X request from a user logging into a Wireless Access Device The following image illustrates the flow of control for this Service Figure 39 Flow of Control Basic 802 1X Configuration Use Case Configuring the Service Follow the steps below to configure this basic 802 1X service 1 Create the Service ...

Page 68: ...a pre configured Service Type l Service tab l Type selector 802 1X Wireless l Name Description freeform l Upon completion click Next to Authentication The following fields deserve special mention n Monitor Mode Optionally check here to allow handshakes to occur for monitoring purposes but without enforcement n Service Categorization Rule For purposes of this Use Case accept the preconfigured Servi...

Page 69: ...cial mention n Strip Username Rules Optionally check here to pre process the user name to remove prefixes and suffixes before sending it to the authentication source NOTE To view detailed setting information for any preconfigured policy component select the item and click View Details 3 Configure Authorization Policy Manager fetches attributes for role mapping policy evaluation from the Authorizat...

Page 70: ... Settings Create the new Role Mapping Policy l Roles tab l Add New Role Mapping Policy link Add new Roles names only l Policy tab l Policy Name freeform ROLE_ENGINEER l Save button l Repeat for ROLE_FINANCE l When you are finished working in the Policy tab click the Next button in the Rules Editor Create rules to map client identity to a Role l Mapping Rules tab l Rules Evaluation Algorithm radio ...

Page 71: ... Manager that is not in the form of internal posture policies Currently Policy Manager supports the following posture server interface Microsoft NPS RADIUS Refer to the following table to add the external posture server of type Microsoft NPS to the 802 1X service Table 26 Posture Navigation and Settings Navigation Setting Add a new Posture Server l Posture tab l Add new Posture Server button Confi...

Page 72: ...ime to Evaluation Profiles Policy Manager applies all matching Enforcement Profiles to the Request In the case of no match Policy Manager assigns a default Enforcement Profile Table 27 Enforcement Policy Navigation and Settings Navigation Setting Configure the Enforcement Policy l Enforcement tab l Enforcement Policy selector Role_ Based_Allow_Access_ Policy For instructions about how to build suc...

Page 73: ...osture agents The following figure illustrates the overall flow of control for this Policy Manager Service Figure 40 Flow of Control of Web Based Authentication for Guests Configuring the Service Perform the following steps to configure Policy Manager for WebAuth based Guest access 1 Prepare the switch to pre process WebAuth requests for the Policy Manager Dell WebAuth service ...

Page 74: ...database 4 Configure a Posture Policy NOTE For purposes of posture evaluation you can configure a Posture Policy internal to Policy Manager a Posture Server external or an Audit Server internal or external Each of the first three use cases demonstrates one of these options This use case demonstrates the Posture Policy As of the current version Policy Manager ships with five pre configured posture ...

Page 75: ...l Posture tab l Enable Validation Check check box l Add new Internal Policy link Name the Posture Policy and specify a general class of operating system l Policy tab l Policy Name freeform IPP_ UNIVERSAL l Host Operating System radio buttons Windows l When finished working in the Policy tab click Next to open the Posture Plugins tab Select a Validator l Posture Plugins tab l Enable Windows Health ...

Page 76: ...orrelate validation results with posture tokens l Rules tab l Add Rule button opens popup l Rules Editor popup l Conditions Actions match Conditions Select Plugin Select Plugin checks to Actions Posture Token l In the Rules Editor upon completion of each rule click the Save button l When finished working in the Rules tab click the Next button Add the new Posture Policy to the Service Back in Postu...

Page 77: ...guration of Role Mapping or Posture Evaluation NOTE The SNMP_POLICY selected in this step provides full guest access to a Role of Guest with a Posture of Healthy and limited guest access Table 31 Enforcement Policy Navigation and Settings Navigation Setting Add a new Enforcement Policy l Enforcement tab l Enforcement Policy selector SNMP_POLICY l Upon completion click Save 6 Save the Service Click...

Page 78: ...78 DellNetworking W ClearPass Policy Manager 6 0 User Guide ...

Page 79: ...wing image illustrates the overall flow of control for this Policy Manager Service In this service an audit is initiated on receiving the first MAC Authentication request A subsequent MAC Authentication request forcefully triggered after the audit or triggered after a short session timeout uses the cached results from the audit to determine posture and role s for the device ...

Page 80: ...cation for Network Devices Configuring the Service Follow these steps to configure Policy Manager for MAC based Network Device access 1 Create a MAC Authentication Service Table 32 MAC Authentication Service Navigation and Settings Navigation Settings Create a new Service l Services l Add Service link ...

Page 81: ...vigation Settings Select an Authentication Method and two authentication sources one of type Static Host List and the other of type Generic LDAP server that you have already configured in Policy Manager l Authentication tab l Methods This method is automatically selected for this type of service MAC AUTH l Add l Sources Select drop down list Handhelds Static Host List and Policy Manager Clients Wh...

Page 82: ...information for this client to the request for passing to Enforcement Select an Enforcement Policy 4 Select the Enforcement Policy Sample_Allow_Access_Policy Table 35 Enforcement Policy Navigation and Settings Navigation Setting Select the Enforcement Policy l Enforcement tab l Use Cached Results check box Select Use cached Roles and Posture attributes from previous sessions l Enforcement Policy s...

Page 83: ...ns to Network Access Devices via TACACS The following image illustrates the overall flow of control for this Policy Manager Service Figure 42 Administrator connections to Network Access Devices via TACACS Configuring the Service Perform the following steps to configure Policy Manager for TACACS based access 1 Create a TACACS Service ...

Page 84: ...tication data will be stored in the Active Directory Table 37 Active Directory Navigation and Settings Navigation Settings Select an Active Directory server that you have already configured in Policy Manager l Authentication tab l Add l Sources Select drop down list AD Active Directory l Add l Upon completion click Next to Enforcement Policy 3 Select an Enforcement Policy Select the Enforcement Po...

Page 85: ...4 Save the Service Click Save The Service now appears at the bottom of the Services list DellNetworking W ClearPass Policy Manager 6 0 User Guide 85 ...

Page 86: ...86 DellNetworking W ClearPass Policy Manager 6 0 User Guide ...

Page 87: ...se Case This Service supports all three types of connections on a single port The following figure illustrates both the overall flow of control for this hybrid service in which complementary switch and Policy Manager configurations allow all three types of connections on a single port ...

Page 88: ...88 DellNetworking W ClearPass Policy Manager 6 0 User Guide Figure 43 Flow of the Multiple Protocol Per Port Case ...

Page 89: ...in which they are tested against requests l Children of Policy Manager which tests requests against their Rules to find a matching Service for each request The flow of control for requests parallels this hierarchy l Policy Manager tests for the first Request to Service Rule match l The matching Service coordinates execution of its policy components l Those policy components process the request to ...

Page 90: ... From the Configuration Start Here page you can create a new service by clicking on any of the pre configured Policy Manager Service Types Each of the service types is listed in a graphical list with a description of each type Figure 44 Start Here page After you select a service type the associated service wizard is displayed with a clickable diagram that shows on top of the wizard The following i...

Page 91: ...Figure 45 Service Wizard with Clickable Flow The rest of the service configuration flow is as described in Policy Manager Service Types DellNetworking W ClearPass Policy Manager 6 0 User Guide 91 ...

Page 92: ... the 802 1X supplicants and the type of authentication methods you choose to deploy The common types are PEAP EAP TLS EAP FAST or EAP TTLS These methods are automatically selected Non tunneled EAP methods such as EAP MD5 can also be used as authentication methods The Authentication sources used for this type of service can be one or more instances of the following Active Directory LDAP Directory S...

Page 93: ...pics Adding and Modifying Posture Policies on page 172 and Adding and Modifying Posture Servers on page 199 By default this type of service does not have Audit checking enabled To enable posture checking for this service select the Audit End hosts check box on the Service tab Select an Audit Server either built in or customized Refer to Configuring Audit Servers on page 204 for audit server config...

Page 94: ...hen select the RADIUS CoA action You can also create a new action by selecting the Add new RADIUS CoA Action link To create an authorization source for this service click on the Authorization tab This tab is not visible by default To enable Authorization for this service select the Authorization check box on the Service tab Policy Manager fetches role mapping attributes from the authorization sour...

Page 95: ... unknown end hosts only or For all end hosts Known end hosts are defined as those clients that are found in the authentication source s associated with this service Performing audit on a client is an asynchronous task which means the audit can be performed only after the MAC authentication request has been completed and the client has acquired an IP address through DHCP Once the audit results are ...

Page 96: ...description of the different tabs MAC Authentication MAC based authentication service for clients without an 802 1X supplicant or a posture agent printers other embedded devices and computers owned by guests or contractors The network access device sends a MAC authentication request to Policy Manager Policy Manager can look up the client in a white list or a black list authenticate and authorize t...

Page 97: ...ouncing the port triggers a new 802 1X MAC authentication request by the client If the audit server already has the posture token and attributes associated with this client in its cache it returns the token and the attributes to Policy Manager l Trigger RADIUS CoA action This option sends a RADIUS Change of Authorization command to the network device by Policy Manager Refer to the 802 1X Wireless ...

Page 98: ...UALS WebAuth that categorizes request into this type of service There is also an external service rule that is automatically added when you select this type of service Host CheckType EQUALS Health Web based Open Network Access This type of service is similar to other Web based services except that authentication and health checking are not performed on the endpoint A Terms of Service page as confi...

Page 99: ... RADIUS request that needs to be proxied to another RADIUS server a Proxy Target NOTE No default rule is associated with this service type Rules can be added to handle any type of standard or vendor specific RADIUS attributes Typically proxying is based on a realm or domain of the user trying to access the network NOTE Authentication Posture and Audit tabs are not available for this service type R...

Page 100: ...that this tab is not enabled by default Select the Authorization check box on the Service tab to enable this feature A role mapping policy can be associated with this service from the Roles tab The result of evaluating a TACACS enforcement policy is one or more TACACS enforcement profiles For more information on TACACS enforcement profiles see TACACS Enforcement Profiles on page 224 for more infor...

Page 101: ...osts options to enable additional tabs Refer to the 802 1X Wireless on page 92 service type for a description of these tabs Services You can use these service types as configured or you can edit their settings Figure 46 Service Listing Page The Services page includes the following fields Table 40 Services page Label Description Add Service Add a service Import Services Import previously exported s...

Page 102: ...displayed next to the status icon Reorder The Reorder button below the table is used for reorder services Copy Create a copy of the service An instance of the name prefixed with Copy_of_ is created Export Export the selected services Delete Delete the selected services For additional information refer to the following sections l Adding Services on page 102 l Modifying Services on page 104 l Reorde...

Page 103: ...1 for an exhaustive list of namespaces and their descriptions To create new Services you can copy or import other Services for use as is or as templates or you can create a new Service from scratch Name Label for a Service Description Description for a Service optional Monitor Mode Optionally check the Enable to monitor network access without enforcement to allow authentication and health validati...

Page 104: ...sults are available there should be a way for Policy Manager to re apply policies on the network device This can be accomplished in one of the following ways n No Action The audit will not apply policies on the network device after this audit n Do SNMP bounce This option will bounce the switch port or to force an 802 1X reauthentication both done via SNMP Note Bouncing the port triggers a new 802 ...

Page 105: ... authentication and health validation exchanges will take place between endpoint and Policy Manager but without enforcement In monitor mode no enforcement profiles and associated attributes are sent to the network device More Options Select the available check box es to view additional configuration tab s The options that are available depend on the type of service currently being modified TACACS ...

Page 106: ...utes defined in RFC 2865 and associated RFCs As the name suggests RADIUS namespace is only available when the request type is RADIUS l Any other supported namespace See Namespaces on page 341 for an exhaustive list of namespaces and their descriptions Name of attribute Drop down list of attributes present in the selected namespace Operator Drop down list of context appropriate with respect to the ...

Page 107: ... Reordering Services Label Description Move Up Move Down Select a service from the list and move it up or down Save Save the reorder operation Cancel Cancel the reorder operation DellNetworking W ClearPass Policy Manager 6 0 User Guide 107 ...

Page 108: ...108 DellNetworking W ClearPass Policy Manager 6 0 User Guide ...

Page 109: ...ethod of type MAC_AUTH can be associated with MAC authentication service type l Authentication Source In Policy Manager an authentication source is the identity store Active Directory LDAP directory SQL DB token server against which users and devices are authenticated Policy Manager first tests whether the connecting entity device or user is present in the ordered list of configured Authentication...

Page 110: ...Service you can add or modify authentication method or source by opening the Service Configuration Services then select then opening the Authentication tab l For a new Service the Policy Manager wizard automatically opens the Authentication tab for configuration l Outside of the context of a particular Service you can open an authentication method or source by itself Configuration Authentication M...

Page 111: ...n page 92 for more information Sequence of Authentication Sources 1 Select a Source then Move Up Move Down or Remove 2 Select View Details to view the details of the selected authentication source 3 Select Modify to modify the selected authentication source This launches the authentication source configuration wizard for the selected authentication source n To add a previously configured Authentic...

Page 112: ... AUTH must be used exclusively in a MAC based Authentication Service When the MAC_AUTH method is selected Policy Manager makes internal checks to verify that the request is indeed a MAC_ Authentication request and not a spoofed request NOTE In tunneled EAP methods authentication and posture credential exchanges occur inside of a protected outer tunnel From the Services page Configuration Service y...

Page 113: ...TLS on page 118 l EAP PEAP on page 119 l EAP FAST on page 121 l MAC AUTH on page 126 l CHAP and EAP MD5 on page 127 PAP The PAP method contains one tab General Tab The General tab labels the method and defines session details Figure 55 PAP General Tab Table 47 PAP General Tab Parameter Description Name Description Freeform label and description DellNetworking W ClearPass Policy Manager 6 0 User Gu...

Page 114: ...D5 and SHA1 MSCHAP The MSCHAP method contains one tab General Tab The General tab labels the method and defines session details Figure 56 MSCHAP General Tab Table 48 MSCHAP General Tab Parameter Description Name Description Freeform label and description Type In this context always MSCHAP EAP MSCHAP v2 The EAP MSCHAPv2 method contains one tab General Tab The General tab labels the method and defin...

Page 115: ... Description Name Description Freeform label and description Type In this context always EAP MSCHAPv2 EAP GTC The EAP GTC method contains one tab General Tab The General tab labels the method and defines session details DellNetworking W ClearPass Policy Manager 6 0 User Guide 115 ...

Page 116: ... Table 50 EAP GTCGeneral Tab Parameter Description Name Description Freeform label and description Type In this context always EAP GTC Challenge Specify an optional password EAP TLS The EAP TLS method contains one tab General Tab The General tab labels the method and defines session details ...

Page 117: ...certificate comparison identity matching upon presenting Policy Manager with a client certificate l To skip the certificate comparison choose Do not compare l To compare specific attributes choose Compare Common Name CN Compare Subject Alternate Name SAN or Compare CN or SAN l To perform a binary comparison of the stored in the client record in Active Directory or another LDAP compliant directory ...

Page 118: ...ement URL here EAP TTLS The EAP TTLS method contains two tabs General Tab The General tab labels the method and defines session details Figure 60 EAP TTLS General Tab Table 52 EAP TTLS General Tab Parameter Description Name Description Freeform label and description Type In this context always EAP TTLS Session Resumption Caches EAP TTLS sessions on Policy Manager for reuse if the user client recon...

Page 119: ...e drop down list then click Add The list can contain multiple inner methods which Policy Manager will send in priority order until negotiation succeeds l To remove an inner method from the displayed list select the method and click Remove l To set an inner method as the default the method tried first select it and click Default EAP PEAP The EAP PEAP method contains two tabs General Tab The General...

Page 120: ... to Policy Manager within the session timeout interval If session timeout value is set to 0 the cached sessions are not purged Fast Reconnect Enable this check box to allow fast reconnect when fast reconnect is enabled the inner method that happens inside the server authenticated outer tunnel is also bypassed This makes the process of re authentication faster For fast reconnect to work session res...

Page 121: ...ds for the EAP PEAP method Figure 63 EAP PEAP Inner Methods Tab Select any method available in the current context from the drop down list Functions available in this tab include l To append an inner method to the displayed list select it from the drop down list then click Add The list can contain multiple inner methods which Policy Manager will send in priority order until negotiation succeeds l ...

Page 122: ... session timeout interval If session timeout value is set to 0 the cached sessions are not purged Fast Reconnect Enable to allow fast reconnect When enabled the inner method of the server authenticated outer tunnel is also bypassed This makes the process of re authentication faster For fast reconnect to work session resumption must be enabled End Host Authentication Refers to establishing the EAP ...

Page 123: ...nner methods for the EAP FAST method Figure 65 Inner Methods Tab l To append an inner method to the displayed list select it from the drop down list then click Add The list can contain multiple inner methods which Policy Manager will send in priority order until negotiation succeeds l To remove an inner method from the displayed list select the method and click Remove l To set an inner method as t...

Page 124: ...ntication select the Authorization PAC check box Authorization PAC results from a prior user authentication and authorization When presented with a valid Authorization PAC Policy Manager skips the inner user authentication handshake within EAP FAST Specify the Authorization PAC Expire Time the time until the PAC expires and must be replaced by automatic or manual provisioning in hours days weeks m...

Page 125: ...ager provisions the end host with an appropriate PAC tunnel or machine l If both anonymous and authenticated provisioning modes are enabled and the end host sends a cipher suite that supports server authentication Policy Manager picks the authenticated provisioning mode l Otherwise if the appropriate cipher suite is supported by the end host Policy Manager performs anonymous provisioning Allow Aut...

Page 126: ...tected outer tunnel the end host is authenticated by the server inside this tunnel When enabled the server can require the end host to send a certificate inside the tunnel for the purpose of authenticating the end host MAC AUTH The MAC AUTH method contains one tab General Tab The General tab labels the method and defines session details Figure 68 MAC AUTH General Tab Table 56 MAC Auth General Tab ...

Page 127: ... for example Novell eDirectory OpenLDAP or Sun Directory Server Retrieve role mapping attributes by using filters Kerberos service Policy Manager can perform standard PAP GTC or tunneled PAP GTC for example EAP PEAP EAP GTC authentication against any Kerberos 5 compliant server such as the Microsoft Active Directory server It is mandatory to pair this Source type with an authorization source ident...

Page 128: ...ng policy need not be specified for user accounts in the local database However if new custom attributes are assigned to a user local or guest account in the local database these can be used in role mapping policies The local user database is pre configured with a filter to retrieve the password and the expiry time for the account Policy Manager can perform MSCHAPv2 and PAP GTC authentication agai...

Page 129: ...Host List on page 147 l HTTP on page 148 Generic LDAP or Active Directory Both LDAP and Active Directory based server configurations are similar At the top level there are buttons to n Clear Cache Clears the attributes cached by Policy Manager for all entities that authorize against this server n Copy Creates a copy of this authentication authorization source The Generic LDAP and Active Directory ...

Page 130: ...urce from the drop down list and click Add to add it to the list of authorization sources Click Remove to remove it from the list If Policy Manager authenticates the user or device from this authentication source then it also fetches role mapping attributes from these additional authorization sources NOTE As described in additional authorization sources can be specified at the Service level Policy...

Page 131: ...y server l TCP port at which the LDAP or Active Directory Server is listening for connections The default TCP port for LDAP connections is 389 The default port for LDAP over SSL is 636 Connection Security l Select None for default non secure connection usually port 389 l Select StartTLS for secure connection that is negotiated over the standard LDAP port This is the preferred way to connect to an ...

Page 132: ...you should be able to browse the directory hierarchy by clicking on Search Base DN Search Scope Scope of the search you want to perform starting at the Base DN l Base Object Search allows you to search at the level specified by the base DN l Subtree Search allows you to search the entire subtree under the base DN including at the base DN level l One Level Search allows you to search up to one leve...

Page 133: ...iptions l Filter Name Name of the filter l Attribute Name Name of the LDAP AD attributes defined for this filter l Alias Name For each attribute name selected for the filter you can specify an alias name l Enabled As Specify whether value is to be used directly as a role or attribute in an Enforcement Policy This bypasses the step of having to assign a role in Policy Manager through a Role Mapping...

Page 134: ...with name of the connecting host if available dNSHostName operatingSystem and operatingSystemServicePack attributes are fetched with this filter query l Onboard Device Owner This is the filter for retrieving the name of the owner the onboard device belongs to This query finds the user in the ACtive Directory sAMAccountName Onboard Owner objectClass user Onboard Owner is populated by Policy Manager...

Page 135: ...y mode Selecting a leaf node a node that has no children brings up the attributes associated with that node Figure 75 AD LDAP Configure Filter Browse Tab Table 62 AD LDAP Configure Filter Popup Browse Tab Navigation Description Find Node Go Go directly to a given node by entering its Distinguished Name DN and clicking on the Go button AD LDAP Configure Filter Filter Tab The Filter tab provides an ...

Page 136: ...Filter Popup Filter Tab Parameter Description Find Node Go Go directly to a given node by entering its Distinguished Name DN and clicking on the Go button Select the attributes for filter This table has a name and value column There are two ways to enter the attribute name l By going to a node of interest inspecting the attributes and then manually entering the attribute name by clicking on Click ...

Page 137: ...le if you select sAMAccountName the row in the filter table will show this attribute with a value of alice assuming you picked Alice s record as a sample user node Step 3 Enter value optional After Step 3 you have values for a specific record Alice s record in this case Change the value to a dynamic session attribute that will help Policy Manager to associate a session with a specific record in LD...

Page 138: ...have entered the values for all dynamic parameters click on Execute to execute the filter query You see all entries that match the filter query Click on one of the entries nodes and you see the list of attributes for that node You can now click on the attribute names that you want to use as role mapping attributes Name Alias Name Enable as Role Name This is the name of the attribute Alias Name A f...

Page 139: ...r is used by Policy Manager to search for the user or device record If not specified authentication requests will be rejected Figure 79 Modify Default Filters The attributes that are defined for the authentication source show up as attributes in role mapping policy rules editor under the authorization source namespace Then on the Role Mappings Rules Editor page the Operator values that display are...

Page 140: ...kup server details Figure 80 Kerberos General Tab Table 66 Kerberos General Tab Parameter Description Name Description Freeform label and description Type In this context Kerberos Use for Authorization Disabled in this context Authorization Sources You must specify one or more authorization sources from which to fetch role mapping attributes Select a previously configured authentication source fro...

Page 141: ...b Parameter Description Hostname Port Host name or IP address of the kerberos server and the port at which the token server listens for kerberos connections The default port is 88 Realm The domain of authentication In the case of Active Directory this is the AD domain Service Principal Name The identity of the service principal as configured in the Kerberos server Service Principal Password Passwo...

Page 142: ...ainst this authentication source then Policy Manager also fetches role mapping attributes from the same source if this setting is enabled This check box is enabled by default Authorization Sources You can specify additional sources from which to fetch role mapping attributes Select a previously configured authentication source from the drop down list and click Add to add it to the list of authoriz...

Page 143: ...ostname or IP address of the database server Port Optional Specify a port value if you want to override the default port Database Name Enter the name of the database to retrieve records from Login Username Password Enter the name of the user used to log into the database This account should have read access to all the attributes that need to be retrieved by the specified filters Enter the password...

Page 144: ...ame selected for the filter you can specify an alias name l Enabled As Indicates whether the filter is enabled as a role or attribute type Note that this can also be blank Add More Filters Brings up the filter creation popup Configure Filter Popup The Configure Filter popup defines a filter query and the related attributes to be fetched from the SQL DB store Figure 85 Generic SQL DB Filter Configu...

Page 145: ...thentication source contains four tabs Three of these tabs are used to configure primary and backup servers session details and the filter query and role mapping attributes to fetch The Summary tab provides a summary of the configuration General Tab The General tab labels the authentication source and defines session details authorization sources and backup server details Figure 86 Token Server Ge...

Page 146: ... Manager fetches role mapping attributes regardless of which authentication source the user or device was authenticated against Server Timeout This is the time in seconds that Policy Manager waits before attempting to fail over from primary to the backup servers in the order in which they are configured Backup Servers Priority To add a backup server click Add Backup When the Backup 1 tab appears y...

Page 147: ...e drop down to help select the attributes Figure 88 Token Server Attributes Tab Static Host List The Static Host List authentication source contains three tabs Two of the tabs are used to configure primary and backup servers session details and the list of static hosts The Summary tab provides a summary of the configuration General Tab The General Tab labels the authentication source Figure 89 Sta...

Page 148: ...ick on Remove to remove the selected static host list Click on View Details to view the contents of the selected static host list Click on Modify to modify the selected static host list NOTE Only Static Host Lists of type MAC Address List or MAC Address Regular Expression can be configured as authentication sources Refer to Adding and Modifying Static Host Lists on page 166for more information HTT...

Page 149: ... remove it from the list If Policy Manager authenticates the user or device from this authentication source then it also fetches role mapping attributes from these additional authorization sources NOTE As described in Services additional authorization sources can be specified at the Service level Policy Manager fetches role mapping attributes regardless of which authentication source the user or d...

Page 150: ...tered in the field above Attributes Tab The Attributes tab defines the HTTP query filters and the attributes to be fetched by using those filters Figure 93 HTTP Attributes Tab Table 78 HTTP Attributes Tab Filter List Tab Parameter Description Filter Name Attribute Name Alias Name Enabled As Listing column descriptions l Filter Name Name of the filter l Attribute Name Name of the SQL DB attributes ...

Page 151: ...ce record in DB Name Alias Name Data Type Enabled As Name This is the name of the attribute Alias Name A friendly name for the attribute By default this is the same as the attribute name Data Type Specify the data type for this attribute such as String Integer Boolean etc Enabled As Specify whether value is to be used directly as a role or attribute in an Enforcement Policy This bypasses the step ...

Page 152: ...152 DellNetworking W ClearPass Policy Manager 6 0 User Guide ...

Page 153: ... apply to a list users A role can be l Discovered by Policy Manager through role mapping Adding and Modifying Role Mapping Policies on page 155 Roles are typically discovered by Policy Manager by retrieving attributes from the authentication source Filter rules associated with the authentication source tell Policy Manager where to retrieve these attributes l Assigned automatically when retrieving ...

Page 154: ...est access l Other Default role for other user or device l TACACS API Admin API administrator role for Policy Manager admin l TACACS Help Desk Policy Manager Admin Role limited to views of the Monitoring screens l TACACS Network Admin Policy Manager Admin Role limited to Configuration and Monitoring UI screens l TACACS Read only Admin Read only administrator role for Policy Manager Admin l TACACS ...

Page 155: ... You can also configure additional roles Refer to Adding and Modifying Roles on page 158 for more information Adding and Modifying Role Mapping Policies From the Services page Configuration Service you can configure role mapping for a new service as part of the flow of the Add Service wizard or modify an existing role mapping policy directly from the Configuration Identity Role Mappings page Figur...

Page 156: ...ck on View Details to view the details of the default role Click on Modify to modify the default role Click on Add new Role to add a new role Mapping Rules Tab The Mapping Rules tab selects the evaluation algorithm adds edits removes rules and reorder rules On the Mapping Rules tab click the Add Rule button to create a new rule or select an existing rule by clicking on the row and then click the E...

Page 157: ...uthentication Sources on page 127 Only those attributes that have been configured to fetched are shown in the attributes dropdown l Certificate l Connection l Date l Device l Endpoint l GuestUser l Host l LocalUser l Onboard l TACACS l RADIUS All enabled RADIUS vendor dictionaries Name of attribute Drop down list of attributes present in the selected namespace Operator Drop down list of context ap...

Page 158: ...ab list In this interface you can select a rule click and the background changes color and then use the various widgets to Move Up Move Down Edit the rule or Remove the rule Adding and Modifying Roles Policy Manager lists all available roles in the Roles page From the menu select Configuration Identity Roles Figure 100 Roles You can configure a role from within a Role Mapping Policy Add New Role o...

Page 159: ...s The endpoints table lists the endpoints that have authenticated requests to Policy Manager These entries are automatically populated from the 802 1X MAC based authentications and web authentications processed by Policy Manager These can be further modified to add tags known unknown disabled status A static host list comprises of list of MAC and IP addresses These can be used as white or black li...

Page 160: ...eld can also be populated with any string Each time you enter a new custom attribute it is available for selection in Attribute dropdown for all local users NOTE All attributes entered for a local user are available in the role mapping rules editor under the LocalUser namespace Additional Available Tasks l To edit a local user in the Local Users listing page click on the name to display the Edit L...

Page 161: ...st user name Sponsor Name Sponsor who sponsored the guest Guest Type USER for guest users and DEVICE for devices registered from the GuestConnect product Status Enabled Disabled status Expired Whether the guest device account has expired Source Application Where this account was created From Policy Manager or the GuestConnect guest provisioning product In the Guest Users listing l To add a guest u...

Page 162: ...ser Figure 106 Add New Guest Device Table 85 Add New Guest User Device Parameter Description Guest Type Add a guest user or a guest device User ID Name Password Verify Password Guest User only Freeform labels and password Click Auto Generate to auto generate a password for the guest user ...

Page 163: ...rs NOTE All attributes entered for a guest user are available in the role mapping rules editor under the GuestUser namespace l To edit a guest user in the Guest Users listing page double click on the name to display the Edit Local User popup l To delete a guest user in the Guest Users listing page select it via check box and click Delete l To export a guest user in the Guest Users listing page sel...

Page 164: ...se the Enable Device check box to enable or disable the device Figure 108 View Onboard Devices Adding and Modifying Endpoints Policy Manager automatically lists all endpoints that have authenticated in the Endpoints page Configuration Identity Endpoints Figure 109 Endpoints Listing l To view the authentication details of an endpoint select an endpoint by clicking on its check box and then click th...

Page 165: ...locked from the Endpoint Activity table in the Live Monitoring section Attributes Add custom attributes for this endpoint Click on the Click to add row to add custom attributes You can enter any name in the attribute field All attributes are of String datatype The value field can also be populated with any string Each time you enter a new custom attribute it is available for selection in Attribute...

Page 166: ...isting page click the Export All Endpoints link in the upper right corner of the page To import endpoints in the Endpoints listing page click the Import Endpoints link in the upper right corner of the page Adding and Modifying Static Host Lists A static host list comprises a named list of MAC or IP addresses which can be invoked the following ways l In Service and Role mapping rules as a component...

Page 167: ...ic Host List Additional Available Tasks l To edit a Static Host List from the Static Host Lists listing page click on the name to display the Edit Static Host List popup l To delete a Static Host List from the Static Host Lists listing page select it via check box and click the Delete button l To export a Static Host List in the Static Host Lists listing page select it via check box and click the ...

Page 168: ...168 DellNetworking W ClearPass Policy Manager 6 0 User Guide ...

Page 169: ...est for specific attributes of client health and correlate the results to return Application Posture Tokens for processing by Enforcement Policies l Posture Server Policy Manager can forward all or part of the posture data received from the client to a Posture Server The Posture Server evaluates the posture data and returns Application Posture Tokens Policy Manager supports the Microsoft NPS Serve...

Page 170: ...plication checks l Services to be running or not running l Processes to be running or not running Each configured health check returns an application token representing health l Healthy Client is compliant there are no restrictions on network access l Checkup Client is compliant however there is an update available This can be used to proactively remediate to healthy state l Transient Client evalu...

Page 171: ...ected on the Service tab in order for Posture to be enabled Figure 116 Posture Features at the Service Level You can configure the following features of posture Table 88 Posture Features at the Service Level Configurable Component How to Configure Sequence of Posture Policies Select a Policy then select Move Up Move Down Remove or View Details l To add a previously configured Policy select from th...

Page 172: ... Keys Services and processes and product version update specific checking for Antivirus Antispyware and Firewall applications Checks for peer to peer applications or networks patch management applications hotfixes USB devices virtual machines and network devices l If you have ClearPass Linux NAP Agent running on a Linux client CentOS Fedora Red Hat Enterprise Linux SUSE Linux Enterprise Desktop us...

Page 173: ...on Posture Posture Policies then click on its name in the Posture Policies listing page When you click Add Posture Policy from any of these locations Policy Manager displays the Add Posture Policy page which contains three configurable tabs l The Policy tab labels the policy and defines operating system and the type of deployed agent Figure 117 Add Posture Policy Policy Tab Table 89 Add Posture Po...

Page 174: ...above and Linux OSes supported by ClearPass Linux NAP Agent Host Operating System Select Linux Windows or Mac OS X Note that Mac OS X is not available if the Posture Agent is NAP l The Posture Plugins tab provides a selector for posture policy plugins Select a plugin by enabling its check box then click Configure Figure 118 Add Posture Policy Posture Plugins Tab Windows NAP Agent Figure 119 Add Po...

Page 175: ...versal System Health Validator OnGuard Agent on page 195 The Rules tab matches posture checking outcomes 1 Select one of the following plugin checks l Passes all System Health Validator SHV checks l Passes one or more SHV checks l Fails all SHV checks l Fails one or more SHV checks 2 Select the plugin 3 Specify one of the following posture tokens l Healthy Client is compliant there are no restrict...

Page 176: ...finished Figure 123 Fig Add Posture Policy Rules Tab ClearPass Windows Universal System Health Validator NAP Agent The ClearPass Windows Universal System Health Validator page popup appears in response to actions in the Posture Plugins tab of the Posture configuration Figure 124 ClearPass Windows Universal System Health Validator NAP Agent ...

Page 177: ...gets for specifying specific services to be explicitly running or stopped Figure 125 Services Page Table 90 Services Page Parameter Description Auto Remediation Enable to allow auto remediation for service checks Automatically stop or start services based on the entries in Service to run and Services to stop configuration User Notification Enable to allow user notifications for service check polic...

Page 178: ...nt on the system Figure 126 Processes Page Overview Table 91 Process Page Overview Pre Add Parameter Description Auto Remediation Enable to allow auto remediation for registry checks Automatically add or remove registry keys based on the entries in Registry keys to be present and Registry keys to be absent configuration User Notification Enable to allow user notifications for registry check policy...

Page 179: ... pathname for the process should be checked ProgramFiles Mozilla Firefox firefox exe Typically this expands to C Program Files Mozilla Firefox firefox exe l If None is specified in the Process Location field then entering temp usurf exe in this field specifies that the following full pathname for the process should be checked c temp foo exe Note that when the agent looks for running processes on t...

Page 180: ... whose name matches regardless of the location from which these processes were started l MD5 Sum This specifies one or more comma separated MD5 checksums of the process executable file For example if there are multiple versions of the process executable you can specify the MD5 sums of all versions here The agent enumerates all running processes on the system computes the MD5 sum of the process exe...

Page 181: ...or registry checks Automatically add or remove registry keys based on the entries in Registry keys to be present and Registry keys to be absent configuration User Notification Enable to allow user notifications for registry check policy violations Registry keys to be present absent Click Add to specify a registry key to be added either to the Registry keys to be present or Registry keys to be abse...

Page 182: ...key When you save your Registry details the key information appears in the Registry page list Figure 132 Registry Keys Page Overview Post Add AntiVirus In the Antivirus page you can specify that an Antivirus application must be on and allows drill down to specify information about the Antivirus application Click An Antivirus Application is On to configure the Antivirus application information Figu...

Page 183: ...Application is On l Auto Remediation l User Notification l Display Update URL l Check the Antivirus Application is On check box to enable testing of health data for configured Antivirus application s l Check the Auto Remediation check box to enable auto remediation of anti virus status l Check the User Notification check box to enable user notification of policy violation of anti virus status l Ch...

Page 184: ...tion with ClearPass portal At Least In Last N Updates requires registration with ClearPass Portal l Engine version check Same choices as product version check l Data file version check Same choices as product version check l Data file has been updated in Specify the interval in hours days weeks or months l Last scan has been done before Specify the interval in hours days weeks or months l Real tim...

Page 185: ...sconfiguration instructions Firewall In the Firewall page you can specify that a Firewall application must be on and allows drill down to specify information about the Firewall application Figure 141 Firewall Page Overview Before In the Firewall page click A Firewall Application is On to configure the Firewall application information Figure 142 Firewall Page Detail 1 When enabled the Firewall deta...

Page 186: ... check box to check whether any firewall application any vendor is running on the end host Firewall Page Detail 1 l Add l Trashcan icon l To configure firewall application attributes for testing against health data click Add l To remove configured firewall application attributes from the list click the trashcan icon in that row Firewall Page Detail 2 Product Version Configure the specific settings...

Page 187: ...pplications This scrolling list contains a list of applications or networks that you can select and move to the Applications to stop panel Click the or to add or remove respectively the applications or networks from the Applications to stop box Patch Management In the Patch Management page you can specify that a patch management application must be on and allows drill down to specify information a...

Page 188: ...k the User Notification check box to enable user notification of policy violation of patch management status l Uncheck the Uncheck to allow any product check box to check whether any patch management application any vendor is running on the end host Patch Management Page Detail 1 l Add l Trashcan icon l To configure patch management application attributes for testing against health data click Add ...

Page 189: ...ations for hotfixes check policy violations Available Hotfixes The first scrolling list lets you select the criticality of the hotfixes Based on this selection the second scrolling list contains a list of hotfixes that you can select and move to the Hotfixes to be present panel using their associated widgets Click the or to add or remove respectively the hotfixes from the Hotfixes to run boxes USB...

Page 190: ...ines Table 102 Virtual Machines Parameter Description Auto Remediation Enable to allow auto remediation for virtual machines connected to the endpoint User Notification Enable to allow user notifications for virtual machine policy violations Allow access to clients running on Virtual Machine Enable to allow clients that running a VM to be accessed and validated Allow access to clients hosting Virt...

Page 191: ...Parameter Description Allow Network Connections Type Allow Only One Network Connection Allow One Network Connection with VPN Allow Multiple Network Connections User Notification Enable to allow user notifications for hotfixes check policy violations Network Connection Types Click the or to add or remove Others Wired and Wireless connection types Remediation Action for USB Mass l No Action Take no ...

Page 192: ... Hosted Wireless Networks If Allow Adhoc Hosted Wireless Networks is disabled then specify whether to take no action when a adhoc wireless networks exists or to disable all adhoc hosted wireless networks ClearPass Windows Universal System Health Validator OnGuard Agent The ClearPass Windows Universal System Health Validator OnGuard Agent page popup appears in response to actions in the Posture Plu...

Page 193: ... Available Services This scrolling list contains a list of services that you can select and move to the Services to run or Services to stop panels using their associated widgets Insert To add a service to the list of selectable services enter its name in the text box adjacent to this button then click Insert Delete To remove a service from the list of selectable services select it and click Delete...

Page 194: ...iew where you can specify Firewall parameters specifically with respect to which ports may be open or blocked Figure 157 Firewall view Select Antivirus Check then click Add in the view that appears to specify Antivirus details Figure 158 Antivirus Check view When you save your Antivirus configuration it appears in the Antivirus page list ...

Page 195: ...uard Agent The ClearPass Linux Universal System Health Validator OnGuard Agent page popup appears in response to actions in the Posture Plugins tab of the Posture configuration When you select Linux and OnGuard Agent from the posture policy page The dissolvable agent version of the ClearPass Linux Universal System Health Validator supports all the features supported by the ClearPass Linux Universa...

Page 196: ...onfiguration pages l In the Antivirus page you can specify that an Antivirus application must be on and allows drill down to specify information about the Antivirus application Click on An Antivirus Application is On to configure the Antivirus application information Figure 161 Antivirus Page Overview Before When enabled the Antivirus detail page appears Figure 162 Antivirus Page Detail 1 Click Ad...

Page 197: ...ntispyware page list The configuration elements are the same for anti virus and antispyware products Refer to the anti virus configuration instructions above l In the Firewall page you can specify that a Firewall application must be on and allows drill down to specify information about the Firewall application In the Firewall page click A Firewall Application is On to configure the Firewall applic...

Page 198: ...ator Windows Security Health Validator OnGuard Agent This validator checks for the presence of specific types of security applications An administrator can use the check boxes to restrict access based on the absence of the selected security application types Figure 165 Windows Security Health Validator ...

Page 199: ...or current Windows Service Packs The OnGuard Agent also supports legacy Windows operating systems such as Windows 2000 and Windows Server 2003 An administrator can use the check boxes to enable support of specific operating systems and to restrict access based on service pack level Figure 167 Windows System Health Validator OnGuard Agent Overview Adding and Modifying Posture Servers Policy Manager...

Page 200: ...hese locations Policy Manager displays the Posture Servers configuration page Figure 169 Add Posture Server Page Depending on the Protocol and Requested Credentials different tabs and fields appear Refer to Microsoft NPS on page 200 Microsoft NPS Use the Microsoft NPS server when you want Policy Manager to have health NAP Statement of Health SoH credentials evaluated by the Microsoft NPS Server Ta...

Page 201: ...r RADIUS message exchange the same secret has to be entered on the RADIUS server Microsoft NPS side Timeout How many seconds to wait before deeming the connection dead if a backup is configured Policy Manager will attempt to connect to the backup server after this timeout For the backup server to be invoked on primary server failover check the Enable to use backup when primary does not respond che...

Page 202: ...202 DellNetworking W ClearPass Policy Manager 6 0 User Guide ...

Page 203: ...ple printers PDAs or guest users may not be able to send posture credentials or identify themselves A Policy Manager Service can trigger an audit by sending a client ID to a pre configured Audit Server which returns attributes for role mapping and posture evaluation Architecture and Flow Audit servers are configured at a global level Only one audit server may be associated with a Service The flow ...

Page 204: ...g Audit Servers The Policy Manager server contains built in Nessus version 2 X and NMAP servers For enterprises with existing audit server infrastructure or otherwise preferring external audit servers Policy Manager supports these servers externally This section contains the following topics l Built In Audit Servers on page 205 l Custom Audit Servers on page 207 l Nessus Scan Profiles on page 211 ...

Page 205: ...work port scans The health evaluation always returns Healthy The port scan gathers attributes that allow determination of Role s through post audit rules NOTE For Policy Manager to trigger an audit on an end host it needs to get the IP address of this end host The IP address of the end host is not available at the time of initial authentication in the case of 802 1X and MAC authentication requests...

Page 206: ...SNMP NOTE Bouncing the port triggers a new 802 1X MAC authentication request by the client If the audit server already has the posture token and attributes associated with this client in its cache it returns the token and the attributes to Policy Manager Modifying Built In Audit Servers To reconfigure a default Policy Manager Audit Servers 1 Open the audit server profile Navigate to Configuration ...

Page 207: ... the flow of the Add Service wizard navigate to Configuration Posture Audit Servers then click Add Audit Server l To modify an existing audit server navigate to Configuration Posture Audit Server and select an audit server 2 Add a custom audit server When you click Add Audit Server Policy Manager displays the Add Audit Server page Configuration settings vary depending on audit server type l NESSUS...

Page 208: ...escription Type For purposes of an NESSUS type Audit Server always NESSUS In Progress Posture Status Posture status during audit Select a status from the drop down list Default Posture Status Posture status if evaluation does not return a condition action match Select a status from the drop down list The Primary Server and Backup Server tabs specify connection information for the NESSUS audit serv...

Page 209: ... Edit Scan Profile to create other profiles and add them to the Scan Profile list Refer to Nessus Scan Profiles on page 211 The Rules tab provides specifies rules for post audit evaluation of the request to assign a role Refer to Post Audit Rules on page 215 NMAP Audit Server Policy Manager uses the NMAP Audit Server interface exclusively for network port scans The health evaluation always returns...

Page 210: ...m label and description Type For purposes of an NMAP type Audit Server always NMAP In Progress Posture Status Posture status during audit Select a status from the drop down list Default Posture Status Posture status if evaluation does not return a condition action match Select a status from the drop down list The NMAP Options tab specifies scan configuration ...

Page 211: ...Progress Timeout l Port Range Range of ports to scan NMAP option p l Host Timeout Give up on target host after this long NMAP option host timeout l In Progress Timeout How long to wait before polling for NMAP results The Rules tab provides specifies rules for post audit evaluation of the request to assign a role Refer to Post Audit Rules on page 215 Nessus Scan Profiles A scan profile contains a s...

Page 212: ...for scan profile configuration l The Profile tab identifies the profile and provides a mechanism for selection of plugins n From the Filter plugins by family drop down list select a family to display all available member plugins in the list below You may also enter the name of a plugin in Filter plugins by ID or name text box n Select one or more plugins by enabling their corresponding check boxes...

Page 213: ...ile Configuration Profile Tab l The Selected Plugins tab displays all selected plugins plus any dependencies To display a synopsis of any listed plugin click on its row DellNetworking W ClearPass Policy Manager 6 0 User Guide 213 ...

Page 214: ... plugin click on its corresponding trashcan icon To change the vulnerability level of any listed plugin click on the link to change the level to one of HOLE WARN INFO NOTE This tells Policy Manager the vulnerability level that is considered to be assigned QUARANTINE status Figure 182 Nessus Scan Profile Configuration Selected Plugins Tab Figure 183 Nessus Scan Profile Configuration Selected Plugin...

Page 215: ...aspect of the client s status in such cases login information might be among the preference fields Figure 184 Nessus Scan Profile Configuration Preferences Tab Upon saving the profile plugin and preference information for your new or modified plugin you can go to the Primary Backup Servers tabs and select it from the Scan Profile drop down list Post Audit Rules The Rules tab specifies rules for po...

Page 216: ...he rules Edit Rule Brings up the selected rule in edit mode Remove Rule Remove the selected rule Figure 186 All Audit Server Configurations Rules Editor Table 115 All Audit Server Configurations Rules Editor Parameter Description Conditions The Conditions list includes five dictionaries Audit Status Device Type Output Msgs Mac Vendor Network Apps Open Ports and OS Info Refer to Namespaces on page ...

Page 217: ...cement Policy contains a rule or set of rules for matching Conditions role posture and time to Actions Enforcement Profiles For each request it yields one or more matches in the form of Enforcement Profiles from which Policy Manager assembles access control attributes for return to the originating NAD subject to the following disambiguation rules l If an attribute occurs only once within an Enforc...

Page 218: ...e referenced in an enforcement policy that is associated with a Service to be evaluate From the Enforcement Policies page Configuration Enforcement Policies you can configure an Enforcement Profile for a new enforcement policy as part of the flow of the Add Enforcement Policy wizard or modify an existing Enforcement Profile directly Configuration Enforcement Profiles then click on its name in the ...

Page 219: ...down action on a Cisco Ethernet switching device n Cisco Reuthenticate Session Trigger a session reauthentication on a Cisco device n HP Terminate Session Terminate a session on an HP device n Dell Terminate Session Terminate a session on a Dell Wireless Controller l There are four built in TACACS profiles that are mapped to the different administrator roles available in Policy Manager These profi...

Page 220: ...forcement profile that encapsulates CoA actions sent to the network device Note that the system comes pre packaged with default Enforcement Profiles for Disconnect Terminate Session actions for the different supported vendor devices there is no need to create profiles for these actions l TACACS Based Enforcement TACACS based enforcement profile with UI customized for TACACS service command authori...

Page 221: ...P Application RADIUS_CoA Action Relevant only for RADIUS type enforcement profiles Accept Deny or Drop the request Device Group List Associate the profile with pre configured Device Groups l Add New Device Group to add a new device group l Add to add a device group from this drop down list l Remove View Details Modify to remove view the details of or modify the selected enforcement profile respect...

Page 222: ...nt B Filter ID Based Enforcement C Cisco Downloadable ACL Enforcement D Cisco We Authentication Enforcement E Generic RADIUS Enforcement F Figure 190 RADIUS Enforcement Profile Attributes Tab Figure 191 RADIUS Enforcement Profile Attributes Tab Generic RADIUS Enforcement Profile ...

Page 223: ...request or authentication handshake or as derived by the Policy Manager policy system For example to set the name of the VLAN to the name of the role enter Tips Role as the value for RADIUS IETF Tunnel Private Group Id These dynamic values must be entered in the following format without any spaces namespace attribute name For convenience the value field also has a drop down that contains all the a...

Page 224: ...are applied Reset Connection is a primitive that does different actions based on the capabilities of the network device For devices that support the 802 1X re authentication Policy Manager triggers a re authentication in other cases it bounces the port TACACS Enforcement Profiles TACACS Enforcement Profiles contain attribute value pairs and other permissions related to administrative access to a n...

Page 225: ...X Wireless WCS HTTP CiscoWLC Common and PPP LCP Service Attributes Once the services have been selected you can select the attributes to send for those services Some services have pre defined attributtes which are automatically populated by Policy Manager in a drop down list in the Name field You can also add custom attributes in the Name field Add service attributes corresponding to the services ...

Page 226: ...and l Action Click on Enable to permit check box to permit use of this command argument If this box is unchecked the column shows Deny and the command argument is not allowed l Click Trashcan to delete the command argument l Unmatched Arguments Select Permit radio button to permit this command even if Policy Manager receives arguments for the command that it does not recognize Select Deny radio bu...

Page 227: ...le defined in the GuestConnect application Spon sor Email Enter the email address of the sponsor CLI Enforcement Profile CLI Enforcement Profiles contain attribute value pairs related to authorization of users devices via CLI commands executed on a target network device Figure 196 CLI Enforcement Profile Attributes Tab Table 122 CLI Enforcement Profiles Attributes tab Container Description Target ...

Page 228: ...e endpoint Session Timeout in seconds Timeout after which the OnGuard agent forces a reauthentication on the endpoint Post Authentication Enforcement Profiles Post Authentication Enforcement Profiles contain combinations of type attribute names and values related to post authentication You can add more context to a user who is authenticated earlier and this information is used for subsequent reque...

Page 229: ...tart Date from the Name drop down list and specify the start date in the Value field If you have configured to disconnect users or devices that exceed bandwidth or session related limits then the users or devices that exceed the specified limit get added to the blacklist user repository You must add the Blacklist User Repository as an authentication source so that such users are denied access For ...

Page 230: ...r and authentications performed via Dell OnGuard Both SNMP and CLI SSH Telnet based Enforcement Profiles can be sent to the network device based on the type of device and the use case Default Profile An Enforcement Policy applies Conditions roles health and time attributes against specific values associated with those attributes to determine the Enforcement Profile If none of the rules matches Pol...

Page 231: ...ibutes from the following namespaces Tips Role Tips Posture and Date NOTE The value field for the Tips Role attribute can be a role defined in Policy Manager or a role fetched from the authorization source Refer to to see how Enable as Role can be turned on for a fetched attribute Role names fetched from the authorization source can be entered freeform in value field To commit the rule click Save ...

Page 232: ...232 DellNetworking W ClearPass Policy Manager 6 0 User Guide ...

Page 233: ... Device Groups on page 237 l Adding and Modifying Proxy Targets on page 240 Adding and Modifying Devices To connect with Policy Manager using the supported protocols a NAD must belong to the global list of devices in the Policy Manager database Policy Manager lists all configured devices in the Devices page Configuration Network Devices From this interface Figure 203 Network Devices Page Adding a ...

Page 234: ...atically enabled Enable RADIUS CoA RADIUS CoA Port Enable RADIUS Change of Authorization RFC 3576 5176 for this device Set the UDP port on the device to send CoA actions Default value is 3799 Attributes Add custom attributes for this device Click on the Click to add row to add custom attributes By default four custom attributes appear in the Attribute dropdown Location OS Version Device Type Devic...

Page 235: ...le this setting if this is a Layer 3 device and you intend to use the ARP table on this device as a way to discover endpoints in the network Static IP endpoints discovered this way are further probed via SNMP to profile the device Read ARP Table Info Enable this setting to ensure that all CPPM nodes in the cluster read SNMP information from this device regardless of the trap configuration on the d...

Page 236: ...opup NOTE In large or geographically spread cluster deployments you do not want all CPPM nodes to probe all SNMP configured devices The default behavior is for a CPPM node in the cluster to read network device information only for devices configured to send traps to that CPPM node Figure 207 CLI Settings Tab Table 130 CLI Settings tab Container Description Allow CLI Access Toggle to enable disable...

Page 237: ...lick Export In the Export to File popup you can choose to encrypt the exported data with a key This protects data such as shared secret from being visible in the exported file To import it back you specify the same key that you exported with l To export a single device from the configuration select it via the check box on the left and then click Export In the Save As popup specify a file path and ...

Page 238: ...238 DellNetworking W ClearPass Policy Manager 6 0 User Guide Figure 208 Device Groups Page To add a Device Group click Add Device Group Complete the fields in the Add New Device Group popup ...

Page 239: ...e 209 Add New Device Group Popup Table 131 Add New Device Group popup Container Description Name Description Format Specify identity of the device DellNetworking W ClearPass Policy Manager 6 0 User Guide 239 ...

Page 240: ... Device Group click Import Device Groups in the Import from File popup browse to select a file then click Import l To export all Device Groups from the configuration click Export Devices in the Export to File popup specify a file path then click Export l To export a single Device Group from the configuration select it using the check box on the left then click Export in the Save As popup specify a...

Page 241: ...able 132 Add Proxy Target popup Container Description Name Description Freeform label and description Hostname Shared Secret RADIUS Hostname and Shared Secret Use the same secret that you entered on the proxy target refer to your RADIUS server configuration RADIUS Authentication Port Enter the UDP port to send the RADIUS request Default value for this port is 1812 RADIUS Accounting Port Enter the ...

Page 242: ...uration click Export Proxy Targets In the Export to File popup specify a file path and then click Export l To export a single Proxy Target from the configuration select it check box on left then click Export In the Save As popup specify a file path and then click Export l To delete a single Proxy Target from the configuration select it via the check box on the left and then click Delete Commit the...

Page 243: ... 246 l Server Configuration on page 247 l Log Configuration on page 275 l Local Shared Folders on page 277 l Application Licensing on page 278 l SNMP Trap Receivers on page 280 l Syslog Targets on page 283 l Syslog Export Filters on page 285 l Server Certificate on page 293 l Messaging Setup on page 289 l Endpoint Context Servers on page 291 l Certificate Trust List on page 298 l Revocation Lists ...

Page 244: ...age 244 l Import Users on page 245 l Export Users on page 246 l Export on page 246 Figure 212 Admin Users Table 133 Admin Users Container Description Add User Opens the Add User popup form Import Users Opens the Import Users popup form Export Users Exports all users to an XML file Export Exports a selected to an XML file Delete Deletes a selected User Add User Select the Add User link in the upper...

Page 245: ...assword Privilege Level Select Privilege Level Help Desk l Super Administrator l Network Administrator l Receptionist or any other custom privilege level Add Cancel Add or dismiss changes Import Users Select the Import Users link in the upper right portion of the page Figure 214 Import Admin Users DellNetworking W ClearPass Policy Manager 6 0 User Guide 245 ...

Page 246: ...rs Click Export Your browser will display its normal Save As dialog in which to enter the name of the XML file to contain the export Export Select the Export button on the lower right portion of the page To export a user select it check box at left and click Export Your browser will display its normal Save As dialog in which to enter the name of the XML file to contain the export Admin Privileges ...

Page 247: ...leges you can edit or create new ones and import these back into Policy Manager Export Select the Export button on the lower right side of the page To export just one admin privilege select it check box at left and click Export Your browser will display its normal Save As dialog in which to enter the name of the XML file to contain the export Server Configuration The Policy Manager Server Configur...

Page 248: ...uration Clicking on the server row provides the following interfaces for configuration l System Tab on page 260 l Services Control Tab on page 264 l Service Parameters Tab on page 264 l System Monitoring Tab on page 272 l Network Interfaces Tab on page 273 Set Date Time Navigate to Administration Server Manager Server Configuration and click on the Set Date and Time link This opens by default on t...

Page 249: ... with a Network Time Protocol Server enable this check box and specify the NTP servers Only two servers may be specified NTP Servers After configuring the date and time select the time zone on the Time zone on publisher tab This displays a time zone list alphabetical order Select a time zone and click Save Note that this option is only available on the publisher To set time zone on the subscriber ...

Page 250: ...ange Cluster Password Navigate to Administration Server Manager Server Configuration and click on the Change Cluster Password link Use this function to change the cluster wide password NOTE Changing this password also changes the password for the CLI user appadmin Figure 220 Change Cluster Password ...

Page 251: ...nd multiple geographic zones it is not necessary to share all of this runtime state across all nodes in the cluster For example when endpoints present in one geographical area are not likely to authenticate or be present in another area When endpoints present in one geographical area are not likely to authenticate or be present in another area it is more efficient from a network bandwidth usage an...

Page 252: ... any external server that can aggregate these events or to an external dedicated ClearPass Insight server for multiple CPPM clusters you have to configure an external NetEvents Target Figure 222 NetEvents Targets Table 140 NetEvents targets Container Description Target URL HTTP URL for the service that support POST and requires Authentication using Username Password NOTE For an external Insight se...

Page 253: ...ner Description Publisher IP Specify publisher address and password Note that the password specified here is the password for the CLI user appadmin Publisher Password Restore the local log database after this operation Enable to restore the log database following addition of a subscriber node Do not backup the existing databases before this operation Enable this check box only if you do not requir...

Page 254: ...ins file with the extension tar gz Enter secret for the file if any Always leave this blank Import Cancel Load the plugins or dismiss If there are a large number of plugins the load time can be in the order of minutes Cluster Wide Parameters Navigate to the Administration Server Manager Server Configuration page and click on the Cluster Wide Parameters link Figure 225 Cluster Wide Parameters ...

Page 255: ...ert notifications are generated for system events logged at this level or higher Selecting INFO generates alerts for INFO WARN and ERROR messages Selecting WARN generates alerts for WARN and ERROR messages Selecting ERROR generates alerts for ERROR messages Alert Notification Timeout This indicates how often in hours alert messages are generated and sent out Selecting Disabled disables alert gener...

Page 256: ...ts cleanup interval This controls the cleanup interval of expired guest accounts this is number of days after expiry that the cleanup happens No cleanup is performed if the value is 0 Profiled endpoints cleanup interval Enter a value in days Profile subnet scan interval Enter a value in hours Database user appexternal password For this connection to the database enter the password for the appexter...

Page 257: ... of the information collection When finished 7 Click Close to finish or click Download File to save the log file to your computer NOTE The following information is useful if you are attempting to open a capture file cap or pcap using WireShark First untar or unzip the file based on the file extension When the entire file is extracted navigate to the PacketCapture folder Within this folder you will...

Page 258: ...ame that begins with tmp Inside that folder you will find one folder for each of the 4 types of information you wanted to save For example if you selected System logs and Diagnostic dumps you will have folders with the name SystemLogs and DiagnosticDumps Inside each of those folders will be files containing various types of information Some of those files are in additional sub folders Backup Navig...

Page 259: ...is if you do not want to backup password fields in configuration database Backup databases for installed applications Select this option if you want the backup to include databases for installed applications Restore Navigate to the Administration Server Manager Server Configuration page and click on the Restore button Note that this action can also be performed using the restore CLI command Figure...

Page 260: ...le version Restore cluster server node entries from backup Enable to include the cluster server node entries in the restore Do not backup the existing databases before this operation Enable this option if you do not want to backup the existing databases before performing a restore Shutdown Reboot Navigate to the Administration Server Manager Server Configuration page and click on the Shutdown or R...

Page 261: ...cations Enable Insight Enable the Insight reporting tool on this node Management Port IP Address Management interface IP address You access the Policy Manager UI via the management interface Management Port Subnet Mask Management interface Subnet Mask Management Port Default Gateway Default gateway for management interface Data External Port IP Address Data interface IP address All authentication ...

Page 262: ...ctory domain creates a computer account for the CPPM node in the AD database If you need to authenticate users belonging to multiple AD forests or domains in your network and there is no trust relationship between these entities then you must join CPPM to each of these untrusting forests or domains NOTE There is no need to join CPPM to multiple domains belong to the same AD forest because a one wa...

Page 263: ...ve Domain button which replaces the Join Domain button once you join the domain After leaving the domain join again with the right NETBIOS name Domain Controller name conflict In some deployments especially if there are multiple domain controllers or if the domain name has been wrongly entered in the last step the domain controller FQDN returned by the DNS query can be different from what was ente...

Page 264: ...er Service Parameters Table 148 Service Parameters tab Policy Server Service Parameter Description Machine Authentication Cache Timeout This specifies the time in seconds for which machine authentication entries are cached by Policy Manager Authentication Thread Pool Size This specifies the number of threads to use for LDAP AD and SQL connections LDAP Primary Retry Interval Once a primary LDAP ser...

Page 265: ...er of request processing threads Maximum number of threads used to process requests Audit Primary Retry Interval Once a primary audit server is down Policy Manager connects to one of the backup servers This parameter specifies how long Policy Manager waits before it tries to connect to the primary server again Audit IP Lookup Session Timeout Temporary session timeout returned for a request that tr...

Page 266: ...S packets Main Authentication Port Ports on which radius server listens for authentication requests Default values are 1645 1812 Accounting Port Ports on which radius server listens for accounting requests Default values are 1646 1813 Maximum Request Time Maximum time allowed for a processing a request after which it is considered timed out Cleanup Time Time to cache the response sent to a RADIUS ...

Page 267: ...d pool to process requests EAP FAST Master Key Expire Time Lifetime of a generated EAP FAST master key Master Key Grace Time Grace period for a EAP FAST master key after its lifetime If a client presents a PAC that is encrypted using the master key in this period after its TTL it is accepted and a new PAC encrypted with the latest master key is provisioned on the client PACs are valid across clust...

Page 268: ... posture services Figure 236 ClearPass System Services Parameters Table 151 Service Parameters ClearPass system services Service Parameter Description PHP System Configuration Memory Limit Maximum memory that can be used by the PHP applications Form POST Size Maximum HTTP POST content size that can be sent to the PHP application File Upload Size Maximum file size that can be uploaded into the PHP ...

Page 269: ...etwork Services Parameters Table 152 Service Parameters ClearPass network services Service Parameters Description DhcpSnooper MAC to IP Request Hold time Number of seconds to wait before responding to a query to get IP address corresponding to a MAC address Any DHCP message received in this time period will refresh the MAC to IP binding Typically audit service will request for a MAC to IP mapping ...

Page 270: ...rocessing IP Address Cache Timeout Duration in seconds for which MAC to IP lookup response is cached Uplink Port Detection Threshold Limit for the number of MAC addresses found behind a port after which the port is considered an uplink port and not considered for SNMP lookup and enforcement SNMP v2c Trap Community Community string that must be checked in all incoming SNMP v2 traps SNMP v3 Trap Use...

Page 271: ... SNMP mechanism The network device deduction can take some time This parameter specifies the maximum time to wait for Policy Manager to determine the network device to which the client is connected Figure 238 System Monitor Service Parameters Table 153 Services Parameters tab System monitor service Service Parameter Description Free Disk Space Threshold This parameter monitors the available disk s...

Page 272: ...ce Figure 239 System Monitoring Tab Table 154 System Monitoring tab details Service Parameter Description System Location System Contact Policy Manager appliance location and contact information SNMP Configuration Version V1 V2C or V3 SNMP Configuration Community String Read community string SNMP Configuration SNMP v3 Username Username to use for SNMP v3 communication SNMP Configuration SNMP v3 Se...

Page 273: ...acy Key Network Interfaces Tab Navigate to the Network Interfaces tab to create GRE tunnels and VLANs related to guest users Figure 240 Network Interfaces Tab Creating GRE tunnels The administrator can create a generic routing encapsulation GRE tunnel This protocol can be used to create a vir tual point to point link over standard IP network or the internet Navigate to the Network Interfaces tab a...

Page 274: ...he list of network interfaces Local Inner IP Local IP address of the tunnel network interface Remote Outer IP IP address of the remote tunnel endpoint Remote Inner IP Remote IP address of the tunnel network interface Enter a value here to automatically create a route to this address through the tunnel Create Cancel Commit or dismiss changes Creating VLAN Navigate to the Network Interfaces tab and ...

Page 275: ...ss IP address of the VLAN Netmask Netmask for the VLAN Create Cancel Commit or dismiss changes Your network infrastructure must support tagged 802 1Q packets on the physical interface selected VLAN ID 1 is often reserved for use by certain network management components avoid using this ID unless you know it will not conflict with a VLAN already defined in your network Log Configuration The Policy ...

Page 276: ... l WARN l ERROR l FATAL If this option is disabled then all module level logs are set to the default log level Default Log Level This drop down is available if the Module Log Level Settings option is disabled This sets the default logging level for all modules Available options include the following l DEBUG l INFO l WARN l ERROR l FATAL Set this option first and then override any modules as necess...

Page 277: ...en override the Syslog Filter level The current Syslog Filter level is based on the default log level specified on the Service Log Configuration tab Restore Defaults Save Click Save to save changes or Restore Defaults to restore default settings Local Shared Folders To view backup files log files and generated reports navigate to Administration Server Manager Local Shared Folders Select the specif...

Page 278: ...Activating an Application License l Updating a License NOTE On a VM instance of CPPM the permanent license must be entered These licenses are listed in the tables on the License Summary tab There is one entry per server node in the cluster All application licenses are listed on the Applications tab In this release you can add and activate OnGuard Guest and Onboard application licenses The Summary ...

Page 279: ...cription Select Server Select a server from the drop down menu Product Select a product from the drop down menu License Key Enter the license key for the new license Activating an Application License Adding an application license adds an Application tab on the Licensing page Once you add or update an application license it must be activated To activate a license 1 Go to Administration Server Manag...

Page 280: ...rface is up or down l Process monitoring information Check for the processes that should be running Maximum and minimum number of allowed instances Sends traps if there is a change in value of maximum and minimum numbers l Disk usage Check for disk space usage of a partition The agent can check the amount of available disk space and make sure it is above a set limit The value can be in as well Sen...

Page 281: ...er Opens the Export Trap Server popup Export Opens the Export popup Delete To delete an SNMP Trap Configuration select it using the check box at the left and then click Delete Add SNMP Trap Server To add a trap server navigate to Administration External Servers SNMP Trap Receivers and select the Add SNMP Trap Server link Figure 252 Add SNMP Trap Server DellNetworking W ClearPass Policy Manager 6 0...

Page 282: ... Cancel to dismiss Import SNMP Trap Server To import a trap server navigate to Administration External Servers SNMP Trap Receivers and select the Import SNMP Trap Server link Figure 253 Fig Import SNMP Trap Server Table 162 Import SNMP Trap Server Container Description Select File Browse to the SNMP Trap Server configuration file to be imported Enter secret for the file if any If the file was expo...

Page 283: ...t Viewer and event records seen in the Event Viewer This information can be sent to one or more syslog targets servers You configure syslog targets from this page The Policy Manager Syslog Targets page at Administration External Servers Syslog Targets provides the following interfaces for configuration l Add Syslog Target on page 284 l Import Syslog Target on page 284 l Export Syslog Target on pag...

Page 284: ...Syslog server hostname or IP address Description Freeform description Server Port Port number for sending the syslog messages by default port 514 Save Cancel Click Save to commit the configuration or Cancel to dismiss Import Syslog Target Navigate to Administration External Servers Syslog Targets and select Import Syslog Target Figure 256 Import Syslog Target Table 165 Import from file Container D...

Page 285: ...utton To export a syslog target select it check box at left and click Export Your browser will display its normal Save As dialog in which to enter the name of the XML file to contain the export Syslog Export Filters Policy Manager can export session data seen in the Access Tracker audit records seen in the Audit Viewer and event records seen in the Event Viewer You configure Syslog Export Filters ...

Page 286: ...Filters Add Import Syslog Filter Opens Import Syslog Filter popup Export Syslog Filter Opens Export Syslog Filter popup Enable Disable Click the toggle button Enable Disable to enable or disable the syslog filter Export Opens Export popup Delete To delete a Syslog Filter select it check box at left and click Delete Add Syslog Filter To add a Syslog Filter navigate to Administration External Server...

Page 287: ... tab a new tab Filter and Columns appears In this tab you specify the Data Filter See Adding Data Filters you want to use Specifying a data filter filters the rows that are sent to the syslog target You may also select the columns that are sent to the syslog target This form provides two methods for configuring data filters Option 1 allows you to choose from pre defined field groups and to select ...

Page 288: ...up seven pre defined columns When you click Logged in users the seven columns automatically appear in the Selected Columns list Additional Fields are available to add to the reports You can select the type of attributes which are the different table columns available in the session database from the Available Columns Type drop down list Policy Manager populates these column names by extracting the...

Page 289: ...orts all configured syslog filters Click Export Syslog Filter Your browser will display its normal Save As dialog in which to enter the name of the XML file to contain the Syslog Filer configuration Export Navigate to Administration External Servers Syslog Filters and select Export button To export a syslog filter select it check box at left and click Export Your browser will display its normal Sa...

Page 290: ...igure the same settings for both your SMTP and SMS email servers This box is checked by default Server name Fully qualified domain name or IP address of the server Username password If your email server requires authentication for sending email messages enter the credentials here Default from address All emails sent out will have this from address in the message Use SSL Use secure SSL connection f...

Page 291: ...ovider Provider Name Name of the provider Mail Address Domain name of the provider Endpoint Context Servers Policy Manager provides the ability to collect endpoint profile information from MDM vendors and Dell W series IAPs and RAPs Navigate to Administration External Servers Endpoint Context Servers DellNetworking W ClearPass Policy Manager 6 0 User Guide 291 ...

Page 292: ...e lost data and other administrative services Information gathered from mobile devices can include policy breaches data consumption and existing configuration settings Refer to the following table for MDM server configuration information Table 172 MDM Configuration Container Description Select Vendor Choose one of the following l Airwatch l JAMF l MaaS360 l MobileIron l SOTI Server Name Enter the ...

Page 293: ... Platform ID Billing ID If MaaS360 is specified as the vendor then enter the access key application ID version platform ID and billing ID associated with this MDM server These values are provided by the vendor Server Certificate The Policy Manager Server Certificate menu at Administration Certificates Server Certificates provides the following interfaces for configuration l Create Self Signed Cert...

Page 294: ...quest popup Select Server Select a server in the cluster for server certificate operations Export Opens the Export popup Import Opens the Import popup Create Self Signed Certificate Navigate to Administration Certificates Server Certificate and click the Create Self Signed Certificate link This opens the Create Self Signed Certificate form Figure 265 Create Self Signed Certificate After you click ...

Page 295: ...sion section or other meaningful name This field is optional State ST State country and or another meaningful location These fields are optional Country C Location L Subject Alternate Name SAN Alternative names for the specified Common Name Note that if this field is used then SAN has to be in the form email email_address URI uri IP ip_address dns dns_name or rid id This field is optional Private ...

Page 296: ... on the Install button to install the certificate on the selected server NOTE All services are restarted you must relogin into the UI to continue Create Certificate Signing Request Navigate to Administration Certificates Server Certificates and click on the Create Certificate Signing Request link This task creates a self signed certificate to be signed by a CA Figure 267 Create Certificate Signing...

Page 297: ... name This field is optional State ST State country and or another meaningful location These fields are optional Country C Location L Subject Alternate Name SAN Alternative names for the specified Common Name Note that if this field is used then SAN has to be in the form email email_address URI uri IP ip_address dns dns_name or rid id This field is optional Private Key Password Specify and verify ...

Page 298: ...ort Server Certificate link This link provides a form that enables you to save the file ServerCertifcate zip The zip file has the server certificate crt file and the private key pvk file Import Server Certificate Navigate to Administration Certificates Server Certificates and select the Import Server Certificate link Figure 269 Import Server Certificate Table 176 Import Server Certificate Containe...

Page 299: ...e certificate is signed by this CA to be trusted Add Certificate Navigate to Administration Certificates Certificate Trust List and select the Add Certificate link Figure 271 Add Certificate Table 178 Add Certificate Container Description Certificate File Browse to select certificate file Add Certificate Cancel Click Add Certificate to commit or Cancel to dismiss the popup Revocation Lists To disp...

Page 300: ... Certificate Revocation List Table 180 Add Revocation List Container Description File File enables the Distribution File option Distribution File Specify the distribution file e g C distribution crl verisign com Class3InternationalServer crl to fetch the certificate revocation list URL URL enables the Distribution URL option Distribution URL Specify the distribution URL e g http crl verisign com C...

Page 301: ... to see all IETF attributes and their data type Figure 275 RADIUS IETF Dictionary Attributes Table 181 RADIUS Dictionary Attributes Container Description Export Click to save the dictionary file in XML format You can make modifications to the dictionary and import the file back into Policy Manager Enable Disable Enable or disable this dictionary Enabling a dictionary makes it appear in the Policy ...

Page 302: ...to Administration Dictionaries RADIUS Figure 276 Import RADIUS Dictionary Table 182 Import RADIUS Dictionary Container Description Select File Browse to select the file that you want to import Enter secret for the file if any If the file that you want to import is password protected enter the secret here Posture Dictionaries To add a new vendor posture dictionary click on Import Dictionary To edit...

Page 303: ...to save the posture dictionary file in XML format You can make modifications to the dictionary and import the file back into Policy Manager TACACS Services To view the contents of the TACACS service dictionary sorted by Name or Display Name navigate to Administration Dictionaries TACACS Services To add a new TACACS service dictionary click on the Import Dictionary link To add or modify attributes ...

Page 304: ...naries To export a specific service dictionary select a service and click on Export To see all the attributes and their data types click on a service row For example click on shell service to see all shell service attributes and their data type Figure 279 Fig Shell Service Dictionary Attributes Fingerprints The Device Fingerprints table shows a listing of all the device fingerprints recognized by ...

Page 305: ...ttributes The Administration Dictionaries Attributes page allows you to specify unique sets of criteria for LocalUsers GuestUsers Endpoints and Devices This information can then be with role based device policies for enabling appropriate network access The Attributes page provides the following interfaces for configuration DellNetworking W ClearPass Policy Manager 6 0 User Guide 305 ...

Page 306: ...ty Data Type Is Mandatory or Allow Multiple settings Name The name of the attribute Entity Shows whether the attribute applies to a LocalUser GuestUser Device or Endpoint Data Type Shows whether the data type is string integer boolean list text date MAC address or IPv4 address Is Mandatory Shows whether the attribute is required for a specific entity Allow Multiple Shows whether multiple attribute...

Page 307: ... Specify whether the data type is string integer boolean list text date MAC address or IPv4 address Is Mandatory Specify whether the attribute is required for a specific entity Allow Multiple Specify whether multiple attributes are allowed for an entity Note that multiple attributes are not permitted if Is Mandatory is specified as Yes Import Attributes Select Import Attributes on the upper right ...

Page 308: ...le and the private key pvk file Export Select the Export button on the lower right side of the page To export just one attribute select it check box at left and click Export Your browser will display its normal Save As dialog in which to enter the name of the XML file to contain the export OnGuard Settings Navigate to the Administration Agents and Software Updates OnGuard Settings page Use this pa...

Page 309: ...s for the different agent deployment packages Managed Interfaces Select the type of interfaces that OnGuard will manage on the endpoint Mode Select one of l Authenticate no health checks l Check health no authentication OnGuard does not collect username password l Authenticate with health checks OnGuard collects username password and also performs health checks on the endpoint Username Password te...

Page 310: ...nts and Software Updates Guest Portal page Click on any of the four editable sections of this page to customize the content for your enterprise Figure 286 Guest Portal Table 190 Guest Portal Container Description Global Portal Settings Attribute names and value configuration for the portal l UsernameFormat Format of username sent in authentication requests This can be used in service rules Authent...

Page 311: ... with optional health checks Dual mode User is presented with a simple HTML form User can choose to load the Java applet by clicking on a link on this page the java applet dissolvable agent also collects health information l No Authentication and no health checks HTML form User is presented with a simple HTML form for the username which is hidden Authentication Details Click within the Enter Authe...

Page 312: ... in the header Footer Message Click to enter text that will display in the footer Copyright Message Click to enter copyright text Save Cancel Click Save to save changes or Cancel to keep the default page Figure 287 Custom HTML Template Upload Update Portal Navigate to Administration Agents and Software Updates Software Updates Use the Software Updates page to register for and to receive live updat...

Page 313: ...k this button to save the Subscription ID entered in the textbox This button is enabled only on publisher node Reset Performs an undo of any unsaved changes made in the Subscription ID field Note that this does not clear the textbox Posture Profile Data Updates Import Updates Use Import Updates to import upload the Posture and Profile Data into this server if this server is not able to reach the w...

Page 314: ...pdate dialog box showing the log messages generated during the install Installed This link appears when an update has been installed Clicking on this link displays the Install Update dialog box showing the log messages generated during the install Install Error This link appears when an update install encountered an error Clicking on this link displays the Install Update dialog box showing the log...

Page 315: ...and successful or failed installation of updates The ClearPass Policy Manager server contacts the webservice server every hour in the background to download any newly available Posture Profile Data Updates and every time the Software Updates page is visited for a current list of Firmware Patch Updates The webservice itself is refreshed with the Antivirus and Antispyware data hourly with Windows Up...

Page 316: ...on and server parameters are also restored Upgrade the Image on All Appliances Perform these steps to upgrade the image on all appliances in an Policy Manager cluster 1 Upgrade publisher Policy Manager first and reboot into the new image 2 On the first boot after upgrade all old configuration data is restored Verify that all configuration and services are intact In the cluster servers screen all s...

Page 317: ...l Show Commands on page 328 l System commands on page 330 l Miscellaneous Commands on page 333 Available Commands Command ad auth See Miscellaneous Commands on page 333 ad netleave See Miscellaneous Commands on page 333 ad netjoin See Miscellaneous Commands on page 333 ad testjoin See Miscellaneous Commands on page 333 alias See Miscellaneous Commands on page 333 backup See Miscellaneous Commands ...

Page 318: ...us Commands on page 333 dump logs See Miscellaneous Commands on page 333 dump servercert See Miscellaneous Commands on page 333 exit See Miscellaneous Commands on page 333 help See Miscellaneous Commands on page 333 krb auth See Miscellaneous Commands on page 333 krb list See Miscellaneous Commands on page 333 ldapsearch See Miscellaneous Commands on page 333 network ip network nslookup network pi...

Page 319: ... hostname show ip showlicense show timezone show version system boot image system gen support key system update system restart system shutdown system install license system upgrade Cluster Commands The Policy Manager command line interface includes the following cluster commands l drop subscriber on page 320 l list on page 320 l make publisher on page 320 DellNetworking W ClearPass Policy Manager ...

Page 320: ...d and the current node is a subscriber Policy Manager drops the current node s Do not reset the database on the dropped node By default Policy Manager drops the current node if a subscriber from the cluster Table 194 Drop Subscriber Commands Example appadmin cluster drop subscriber f i 192 168 1 1 s list Lists the cluster nodes Syntax cluster list Example appadmin cluster list cluster list Publish...

Page 321: ...2 168 1 1 p alore l reset database Resets the local database and erases its configuration Syntax cluster reset database Returns appadmin cluster reset database WARNING Running this command will erase the Policy Manager configuration and leave the database with default configuration You will lose all the configured data Do not close the shell or interrupt this command execution Continue y Y y set c...

Page 322: ...ssword alore Configure Commands The Policy Manager command line interface includes the following configuration commands l date on page 322 l dns on page 323 l hostname on page 323 l ip on page 323 l timezone on page 324 date Sets System Date Time and Time Zone Syntax configure date d date t time z timezone or configure date s ntpserver z timezone Where Flag Parameter Description s ntpserver Option...

Page 323: ... 1 192 168 1 2 Example 3 appadmin configure dns 192 168 1 1 192 168 1 2 192 168 1 3 hostname Configures the hostname Syntax configure hostname hostname Example appadmin configure hostname sun us arubanetworks com ip Configures IP address netmask and gateway Syntax appadmin configure ip mgmt data ipaddress netmask netmask address gateway gateway address Where Flag Parameter Description ip mgmt data...

Page 324: ... list custom routes to the data or management interface routing table Syntax network ip add mgmt data i id s SrcAddr d DestAddr Add a custom routing rule Where Flag Parameter Description mgmt data Specify management or data interface i id id of the network ip rule If unspecified the system will auto generate an id Note that the id determines the priority in the ordered list of rules in the routing...

Page 325: ...ip add data s 192 168 5 12 Example 3 appadmin network ip list nslookup Returns IP address of host using DNS Syntax nslookup q record type host Where Flag Parameter Description record type Type of DNS record For example A CNAME PTR host Host or domain name to be queried Table 200 Nslookup Commands Example 1 appadmin nslookup sun us arubanetworks com Example 2 appadmin nslookup q SRV arubanetworks c...

Page 326: ...68 5 10 t sun us arubanetworks com reset Reset network data port Syntax network reset port Where Flag Parameter Description port Required Name of network port to reset Table 202 Reset Commands Example appadmin network reset data traceroute Prints route taken to reach network host Syntax network traceroute host Where Flag Parameter Description host Name of network host Table 203 Traceroute Commands...

Page 327: ...policy server tips admin server tips system auxiliary server tips radius server tips tacacs server tips dbwrite server tips repl server or tips sysmon server Table 204 Action Commands Example 1 appadmin service activate tips policy server Example 2 appadmin service list all service list Policy server tips policy server Admin UI service tips admin server System auxiliary services tips system auxili...

Page 328: ...on page 329 l timezone on page 330 l version on page 330 all timezones Interactively displays all available timezones Syntax show all timezones Example appadmin show all timezones Africa Abidjan Africa Accra WET Zulu date Displays System Date Time and Time Zone information Syntax show date Example appadmin show date Wed Oct 31 14 33 39 UTC 2012 dns Displays DNS servers Syntax show dns Example appa...

Page 329: ...NS information for the host Syntax show ip Example appadmin show ip show ip Device Type Management Port IP Address 192 168 5 227 Subnet Mask 255 255 255 0 Gateway 192 168 5 1 Device Type Data Port IP Address not configured Subnet Mask not configured Gateway not configured DNS Information Primary DNS 192 168 5 3 Secondary DNS not configured Tertiary DNS not configured license Displays the license k...

Page 330: ...el Syntax show version Example appadmin show version Policy Manager software version 2 0 1 6649 Policy Manager model number ET 5010 System commands The Policy Manager command line interface includes the following system commands l boot image on page 330 l gen support key on page 331 l install license on page 331 l restart on page 331 l shutdown on page 332 l update on page 332 l upgrade on page 33...

Page 331: ...gen support key system gen support key Support key 01U2FsdGVkX1 WS9jZKQajERyzXhM8mF6zAKrzxrHvaM install license Replace the current license key with a new one Syntax system install license license key Where Flag Parameter Description license key Mandatory This is the newly issued license key Table 206 Install License Commands Example appadmin system install license restart Restart the system Synta...

Page 332: ...u want to continue y Y y update Manages updates Syntax system update i user hostname filename http hostname filename system update u patch name system update l Where Flag Parameter Description i user hostname filename http hostname filename Optional Install the specified patch on the system u patch name Optional Uninstall the patch For exact patch names refer to l in this table l Optional List the...

Page 333: ...cy Manager command line interface includes the following miscellaneous commands l ad auth on page 333 l ad netjoin on page 334 l ad netleave on page 334 l ad testjoin on page 334 l alias on page 334 l backup on page 335 l dump certchain on page 335 l dump logs on page 336 l dump servercert on page 336 l exit on page 337 l help on page 337 l krb auth on page 337 l krb list on page 338 l ldapsearch ...

Page 334: ...TBIOS name Where Flag Parameter Description domain controller domain name Required Host to be joined to the domain domain NETBIOS name Optional Table 210 Ad Netjoin Commands Example appadmin ad netjoin atlas us arubanetworks com ad netleave Removes host from the domain Syntax ad netleave Example appadmin ad netleave ad testjoin Tests if the netjoin command succeeded Tests if Policy Manager is a me...

Page 335: ...ration to this file Syntax backup f filename L P Where Flag Parameter Description f filename Optional Backup target If not specified Policy Manager will auto generate a filename L Optional Do not backup the log database configuration P Optional Do not backup password fields from the configuration database Table 212 Backup Commands Example appadmin backup f PolicyManager data tar gz Continue y Y y ...

Page 336: ...et for concatenated logs s yyyy mm dd Optional Date range start default is today e yyyy mm dd Optional Date range end default is today n days Optional Duration in days from today t log type Optional Type of log to collect h Specify print help for available log types Table 214 Dump Logs Commands Example 1 appadmin dump logs f tips system logs tgz s 2007 10 06 e 2007 10 17 t SystemLogs Example 2 app...

Page 337: ...ported commands netjoin Join host to the domain netleave Remove host from the domain network Network troubleshooting commands quit Exit the shell restore Restore Policy Manager database service Control Policy Manager services show Show configuration details system System commands krb auth Does a kerberos authentication against a kerberos server such as Microsoft AD Syntax krb auth user domain Wher...

Page 338: ...tname Specifies the username and the full qualified domain name of the host The B command finds the bind DN of the LDAP directory Table 217 LDAP Search commands Example appadmin ldapsearch B admin corp ad acme com restore Restores Policy Manager configuration data from the backup file Syntax restore user hostname backup filename l i c C p s Where Flag Parameter Description user hostname backup fil...

Page 339: ...sword fields present s Optional Restore cluster server node entries from the backup Node entries disabled on restore Example appadmin restore user hostname tmp tips backup tgz l i c s quit Exits shell Syntax quit Example appadmin quit DellNetworking W ClearPass Policy Manager 6 0 User Guide 339 ...

Page 340: ...340 DellNetworking W ClearPass Policy Manager 6 0 User Guide ...

Page 341: ...e data type of the attribute The drop down menu shows the operators appropriate for data type on the left that is the attribute l Value The value is the value of the attribute Again depending on the data type of the attribute the value field can be a free form one line edit box a free form multi line edit box a drop down menu containing pre defined values enumerated types or a time or date widget ...

Page 342: ...oduct The administration interface does provide a way to add new dictionaries into the system See Posture Dictionaries on page 302 for more information Posture namespace has the notation Vendor Application where Vendor is the name of the Company that has defined attributes in the dictionary and Application is the name of the application for which the attributes have been defined The same vendor ty...

Page 343: ...t you have defined when you created an instance of this authentication source The attribute names are pre poluated for administrative convenience n Sources This is the list of the authorization sources from which attributes were fetched for role mapping Authorization namespaces appear in the following editing contexts n Role mapping policies l Date Namespace The date namespace has three pre define...

Page 344: ...le mapping policies l Authentication Namespace The authentication namespace can be used in role mapping policies to define roles based on what kind of authentication method was used or what the status of the authentication is The attribute names and possible values with descriptions are shown in the table below Table 220 Authentication Namespace Attributes Attribute Name Values InnerMethod PAP CHA...

Page 345: ...urce l Unknown Client Client MAC address was not found in an authentication source Username The username as received from the client after the strip user name rules are applied Full Username The username as received from the client before the strip user name rules are applied Source The name of the authentication source used to authenticate the user Authentication namespace appears in the followin...

Page 346: ...ckType are present when Policy Manager acts as a Web authentication portal l Endpoint Namespace Endpoint namespace has the following attributes Disabled By Disabled Reason Enabled By Enabled Reason Info URL Use these attributes look for attributes of authenticating endpoints present in the Policy Manager endpoints list l Device Namespace Device namespace has the attributes associated with the netw...

Page 347: ...rmation string returned by NMAP Open Ports The port numbers of open applications on the host l Tacacs Namespace Tacacs namespace has the attributes associated with attributes available in a TACACS request Available attributes are AvendaAVPair UserName and AuthSource l Application Namespace Application namespace has a name attribute This attribute is an enumerated type currently containing the foll...

Page 348: ...the attribute for which the operator is being used Wherever the data type of the attribute is not known the UI treats that attribute as a string type The following table lists the operators presented for common attribute data types Table 224 Attribute Operators Attribute Type Operators String EQUALS NOT_EQUALS CONTAINS NOT_CONTAINS BEGINS_WITH NOT_BEGINS_WITH ENDS_WITH NOT_ENDS_WITH BELONGS_TO NOT...

Page 349: ...DAY TUESDAY WEDNESDAY When Policy Manager is aware of the values that can be assigned to BELONGS_TO operator it populates the value field with those values in a multi select list box you can select the appropriate values from the presented list Otherwise you must enter a comma separated list of values EQUALS_ IGNORE_ CASE For string data type true if the run time value of the attribute matches the...

Page 350: ... FINANCE MATCHES_ ALL For list data types true if all of the run time values in the list are found in the configured values E g Tips Role MATCHES_ALL HR ENG FINANCE In this example if the run time values of Tips Role are HR ENG FINANCE MGR ACCT the condition evaluates to true MATCHES_ EXACT For list data types true if all of the run time values of the attribute match all of the configured values E...

Page 351: ...to use copy modify and distribute this software and its documentation for any purpose without fee and without a written agreement is hereby granted provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT INDIRECT SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES INCL...

Page 352: ...recipients so that they can relink them with the library after making changes to the library and recompiling it And you must show them these terms so they know their rights Our method of protecting your rights has two steps 1 copyright the library and 2 offer you this license which gives you legal permission to copy distribute and or modify the library Also for each distributor s protection we wan...

Page 353: ...ms A work based on the Library means either the Library or any derivative work under copyright law that is to say a work containing the Library or a portion of it either verbatim or with modifications and or translated straightforwardly into another language Hereinafter translation is included without limitation in the term modification Source code for a work means the preferred form of the work f...

Page 354: ...is you must alter all the notices that refer to this License so that they refer to the ordinary GNU General Public License version 2 instead of to this License If a newer version than version 2 of the ordinary GNU General Public License has appeared then you can specify that version instead if you wish Do not make any other change in these notices Once this change is made in a given copy it is irr...

Page 355: ...y the work with a written offer valid for at least three years to give the same user the materials specified in Subsection 6a above for a charge no more than the cost of performing this distribution c If distribution of the work is made by offering access to copy from a designated place offer equivalent access to copy the above specified materials from the same place d Verify that the user has alr...

Page 356: ...cumstances It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices Many people have made generous contributions to the wide range of software distributed t...

Page 357: ...N ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CONDITIONS GNU GPL Version 2 June 1991 Copyright C 1989 1991 Free Software Foundation Inc 51 Franklin Street Fifth Floor Boston MA 02110 1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed Preamble The licenses for most software are designed to take away your free...

Page 358: ...t must be licensed for everyone s free use or not licensed at all The precise terms and conditions for copying distribution and modification follow TERMS AND CONDITIONS FOR COPYING DISTRIBUTION AND MODIFICATION 0 This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License The Pr...

Page 359: ... announcement These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Program and can be reasonably considered independent and separate works in themselves then this License and its terms do not apply to those sections when you distribute them as separate works But when you distribute the same sections as part of a whole which is a wo...

Page 360: ... to copy modify sublicense or distribute the Program is void and will automatically terminate your rights under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 5 You are not required to accept this License since you have not signed it However nothing else grants you...

Page 361: ...me to time Such new versions will be similar in spirit to the present version but may differ in detail to address new problems or concerns Each version is given a distinguishing version number If the Program specifies a version number of this License which applies to it and any later version you have the option of following the terms and conditions either of that version or of any later version pu...

Page 362: ... of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution Neither the name of the incremental nor the names of its contributors may be used to endorse or promote products derived from this software without specifi...

Page 363: ...nal version of the Work and any modifications or additions to that Work or Derivative Works thereof that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner For the purposes of this definition submitted means any form of electronic verbal or written communication sent to th...

Page 364: ...itions stated in this License 5 Submission of Contributions Unless You explicitly state otherwise any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License without any additional terms or conditions Notwithstanding the above nothing herein shall supersede or modify the terms of any separate license agreement yo...

Page 365: ...ved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in ...

Page 366: ...rse or promote products derived from this software without prior written permission For written permission please contact openssl core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product ...

Page 367: ...NCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software writ...

Page 368: ...form with Netscapes SSL This library is free for commercial and non commercial use as long as the following conditions are aheared to The following conditions apply to all code found in this distribution be it the RC4 RSA lhash DES etc code not just the SSL code The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson tjh cry...

Page 369: ...g conditions are met 1 Redistributions of source code must retain the copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of...

Page 370: ...NY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINES...

Page 371: ... license revision or under the terms of any subsequent revision of the license THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OPENLDAP FOUNDATION ITS CONTRIBUTORS OR THE AUTHOR S OR ...

Page 372: ...ART PROVIDED BY GENIVIA INC AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR P...

Reviews: