0511287-01 | Mar 2013

Dell Networking W-ClearPass Policy Model 6.0

An Introduction

From the point of view of a network device or other entities that need authentication services, Policy Manager
appears as a RADIUS,  or Web Authentication server; however, its rich and extensible policy model
allows it to broker security functions across a range of existing network infrastructure, identity stores, health/posture
services and client technologies within the Enterprise.

Services Paradigm

Services are the highest level element in the Policy Manager policy model. They have two purposes:

- Unique Categorization Rules (per Service) enable Policy Manager to test Access Requests ("Requests") against available Services to provide robust differentiation of requests by access method, location, or other network vendor-specific attributes.

NOTE: Policy Manager ships configured with a number of basic Service types. You can flesh out these Service types, copy them for use as templates, import other Service types from another implementation (from which you have previously exported them), or develop new Services from scratch.

- By wrapping a specific set of Policy Components, a Service can coordinate the flow of a request, from authentication, to role and health evaluation, to determination of enforcement parameters for network access.

Figure 1: Dell Networking W-ClearPass Policy Manager Flow of Control and Table 1: Policy Manager Service Components illustrate and describe the basic Policy Manager flow of control and its underlying architecture.

Summary of Contents for Powerconnect W-ClearPass Hardware Appliances

Page 2: ...EAP non tunneled EAP TLS or EAP MD5 l Non EAP non tunneled CHAP MS CHAP PAP or MAC AUTH l MAC_AUTH must be used exclusively in a MAC based Authentication Service When the MAC_AUTH method is selected Policy Manager 1 makes internal checks to verify that the request is indeed a MAC Authentication request and not a spoofed request and 2 makes sure that the MAC address of the device is present in the ...

Page 3: ...cy Manager evaluates Requests against Role Mapping Policy rules to match Clients to Role s All rules are evaluated and Policy Manager may return more than one Role If no rules match the request takes the configured Default Role Some Services for example MAC based Authentication may handle role mapping differently l For MAC based Authentication Services where role information is not available from ...

Page 4: ...les G Enforcement Policy One per service mandatory Policy Manager tests Posture Tokens Roles and system time against Enforcement Policy rules to return one or more matching Enforcement Policy rules to return one or more matching Enforcement Profiles that define scope of access for the client H Enforcement Profile One or more per service Enforcement Policy Profiles contain attributes that define a ...
