Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Links to Use Cases and Configuration Instructions Policy Simulation Add Simulation Test Import and Exporting Simulations Import Simulations Export Simulations Export ClearPass Policy Manager Profile Device Profile Collectors DHCP Sending DHCP Traffic to CPPM Dell Networking W-ClearPass Policy Manager 6.0 | User Guide...
Adding Services Modifying Services Reordering Services Authentication and Authorization Architecture and Flow Configuring Authentication Components Adding and Modifying Authentication Methods MSCHAP EAP-MSCHAP v2 EAP-GTC EAP-TLS EAP-TTLS EAP-PEAP EAP-FAST MAC-AUTH CHAP and EAP-MD5
Windows Security Health Validator - NAP Agent Windows Security Health Validator - OnGuard Agent Windows System Health Validator - NAP Agent Windows System Health Validator - OnGuard Agent Adding and Modifying Posture Servers
Additional Available Tasks Adding and Modifying Device Groups Additional Available Tasks Adding and Modifying Proxy Targets Add a Proxy Target Additional Available Tasks Administration Admin Users Add User Import Users Export Users
Adding a License Activating an Application License Updating a License SNMP Trap Receivers Add SNMP Trap Server Import SNMP Trap Server Export all SNMP Trap Servers Export a Single SNMP Trap Server
Add Attribute Import Attributes Export Attributes Export OnGuard Settings Guest Portal Update Portal Install Update dialog box Updating the Policy Manager Software Upgrade the Image on a Single Policy Manager Appliance
Configure Commands date hostname timezone Network Commands nslookup ping reset traceroute Service commands <action> Show Commands all-timezones date domain hostname license timezone version System commands boot-image gen-support-key
Rules Editing and Namespaces Namespaces Variables Operators Software Copyright and License Statements PostgreSQL Copyright GNU LGPL GNU GPL Lighthttpd License Apache License OpenSSL License OpenLDAP License gSOAP Public License
The Dell Networking W-ClearPass Policy Manager platform provides role- and device-based network access control across any wired, wireless and VPN. Software modules for the Dell Networking W-ClearPass Policy Manager platform, such as Guest, Onboard, Profile, OnGuard, QuickConnect, and Insight simplify and automate device configuration, provisioning, profiling, health checks, and guest access.
Configuration required. Data (gigabit Ethernet), eth1: Provides point of contact for RADIUS, TACACS+, Web Authentication and other data-plane requests. Configuration optional. If not configured, requests redirected to the management port.
Flow Control: None 2. Login Later, you will create a unique appliance/cluster administration password. For now, use the following preconfigured credentials: login: appadmin password: eTIPS123 This starts the Policy Manager Configuration Wizard.
Updates > Software Updates page to view and download any available software updates. Refer to "Updating the Policy Manager Software" on page 315 for more information. Powering Off the System Perform the following to power off the system gracefully without logging in:
4. To generate the recovery key, select option 1 (or 3, if you want to generate a support key, as well). 5. Once the password recovery key is generated, email the key to Dell technical support. A unique password will be generated from the recovery key and emailed back to you.
5. To generate the support key, select option 2 (or 3, if you want to generate a password recovery key, as well). 6. Once the password recovery key is generated, email the key to Dell technical support. A unique password can now be generated by Dell technical support to log into the support shell.
This shows a table of the last few authentications. Clicking on a row drills down into the Access Tracker and shows requests sorted by timestamp with the latest request showing first.
Tracker and shows the requests that were categorized into that specific service. This shows a table of last few system level events. Clicking on a row drills down into the Event Viewer
ClearPass Onboard links to the ClearPass Onboard screen within the ClearPass Guest application. This application opens in a new tab. This shows links to the Dell applications that are integrated with Policy Manager. E.g., GuestConnect, Insight. This shows the status of all nodes in the cluster. The...
The Access Tracker provides a real-time display of system activity, with optional auto-refresh, at: Monitoring > Live Monitoring > Access Tracker. Click on Edit to change the Access Tracker display parameters. Figure 2: Access Tracker (Edit Mode)
Show 10, 20, 50 or 100 rows. Once selected, this setting is saved and available in subsequent Records logins. Table 5: Access Tracker Session Types Container Description RADIUS All RADIUS transactions (802.1X, MAC-Auth, generic RADIUS) TACACS+ All TACACS+ transactions
Export this transaction and download as a compressed (.zip extension) file. The compressed file contains the session-specific logs, the policy XML for the transaction, and a text file containing the Access Tracker session details.
Select Date Range: Select the number of days prior to the configured date for which Accounting data is to be displayed. Valid number of days is 1 day to a week.
Show 10, 20, 50 or 100 rows. Once selected, this setting is saved and available in subsequent records logins. Click on any row to display the corresponding Accounting Record Details. Figure 4: RADIUS Accounting Record Details (Summary tab)
Figure 5: RADIUS Accounting Record Details (Auth Sessions tab)
Figure 6: RADIUS Accounting Record Details (Utilization tab)
Current connection status of the session. Username: Username associated with this record. Termination Cause: The reason for termination of this session. Service Type: The value of the standard RADIUS attribute ServiceType.
Shows details of RADIUS attributes sent and received from the network device during the initial authentication and subsequent reauthentications (each section in the details tab corresponds to a “session” in Policy Manager).
Figure 8: TACACS+ Accounting Record Details (Request tab)
Figure 9: TACACS+ Accounting Record Details (Auth Sessions tab)
Flags: Identifier corresponding to start, stop or update accounting record. Privilege Level: Privilege level of administrator: 1 (lowest) to 15 (highest). Authentication Method: Identifies the authentication method used for the access.
(shell), etc. OnGuard Activity The OnGuard Activity screen shows the real-time status of all endpoints that have Dell OnGuard persistent or dissolvable agent, at: Monitoring > Live Monitoring > OnGuard Activity. This screen also presents configuration tools to bounce an endpoint and to send unicast or broadcast messages to all endpoints running the OnGuard agent.
This action results in tags being created for the specified endpoint in the Endpoints table (Configuration > Identity > Endpoints). One or more of the following tags are created: Disabled by, Disabled Reason, Enabled by, Enabled Reason, Info URL.
Category, OS Family, and Device Name items that you selected. Click on the Change Selection link to change the selection criteria used to list the devices.
Update Now - Click on this button to update the display with the latest available data. The System Monitor Page includes two tabs: System Monitor. For the selected server, provides load statistics, including CPU, memory, swap memory, physical disk space, and swap disk space:
Process Monitor. For the selected server and process, provides critical usage statistics, including CPU, Virtual Memory, and Main Memory. Use Select Process to select the process for which you want to see the usage statistics.
Figure Process Monitor Graphs Audit Viewer The Audit Viewer display provides a dynamic report of Actions, filterable by Action, Name and Category (of policy component), and User, at: Monitoring > Audit Viewer.
For Add Actions, a single popup displays, containing the new data. Figure 18: Audit Row Details (Old Data tab) For Modify Actions, a popup with three tabs displays, comparing the old data and the new.
Figure 19: Audit Row Details (Old Data tab) Figure 20: Audit Row Details (New Data tab)
Event Viewer Table 12: Event Viewer. Select Server: Select the server for which to display accounting data. Filter: Select the filter by which to constrain the display of accounting data.
Policy Manager. It is available at: Monitoring > Data Filters. Figure 24: Data Filters Policy Manager comes pre-configured with the following data filters: All Requests - Shows all requests (without any rows filtered)
Successful Requests - All authentication requests that were successful. TACACS Requests - All TACACS requests Unhealthy Requests - All requests that were not deemed healthy per policy. WebAuth Requests - All Web Authentication requests (requests originated from the Dell Guest Portal). Table 13: Data Filters...
NOTE: We recommend that users who choose this method contact Support. Support can assist you with entering the correct information in this template. The Rules tab displays only when Select Attributes is selected on the Filter tab. Figure 26: Add Filter (Rules tab)
Web Authentication requests. Example: Auth Method, Auth Source, Enforcement Profiles. Name: Name of the attributes corresponding to the selected namespace (Type). Operator: A subset of string data type operators (EQUALS, NOT_EQUALS, LESS_THAN, LESS_THAN_OR_EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUALS, CONTAINS, NOT_CONTAINS, EXISTS, NOT_EXISTS)
Container Description Value The value of the attribute
The following image illustrates and describes the basic Policy Manager flow of control and its underlying architecture.
Policy Manager does not make this tab available. Authentication Source (zero or more per service): An Authentication Source is the identity repository against which Policy Manager verifies identity. It supports these Authentication Source types: Microsoft Active Directory
Enforcement Profile (one or more per service): Enforcement Policy Profiles contain attributes that define a client’s scope of access for the session. Policy Manager returns these Enforcement Profile attributes to the switch.
In the Services page, click a service’s check box, then click the Export a Service link and provide the output filepath. Later, you can import this service by clicking Import a Service and providing the filepath.
Guest Users. "MAC Authentication Use Case" on page 79 uses a Static Host List for authentication of the MAC address sent by the switch as the device’s username.
Posture Policies " on page uses an internal posture policy that evaluates the health of the originating client, based on attributes submitted with the request by the Dell Web Portal, and returns a corresponding posture token. "802.1x Wireless Use Case" on page 67 "Adding and Modifying...
Make a copy of the selected policy simulation. The copied simulation is renamed with a prefix of Copy_Of_. Export Opens the Export popup. Delete Click to delete a selected (check box on left) Policy Simulation.
Returns (Results tab): Role(s) - including authorization source attributes fetched as roles. Type Input (Simulation tab): Select Service (Posture policies are implicitly selected by their association with the service). Posture Validation.
NOTE: Authentication Source and User Name inputs are used to derive dynamic values in the enforcement profile that are fetched from authorization source. These inputs are optional. NOTE: Dynamic Roles are attributes (that are enabled as a role) fetched from the authorization
In the Attributes tab, enter the attributes of the policy component to be tested. The namespaces loaded in the Type column depend on the type of simulation (See above). NOTE: The Attributes tab will not display if you select the Audit Policy component in the Simulation tab.
What is shown in the results tab again depends on the type of simulation. Figure 34: Add Simulation (Results Tab) Import and Exporting Simulations Import Simulations Navigate to Configuration > Policy Simulation and select the Import Simulations link.
To export just one simulation, select it (using the check box at the left) and click Export. Your browser will display its normal Save As dialog, in which to enter the name of the XML file to contain the export.
Timestamp when the device was first discovered Timestamp when the device was last seen Collectors Collectors are network elements that provide data to profile endpoints. The following collectors send endpoint attributes to Profile. DHCP ClearPass Onboard
Apart from fingerprints, DHCP also provides hostname and IP address. Sending DHCP Traffic to CPPM Perform the following steps to configure your Dell W-Series Controller and Cisco Switch to send DHCP Traffic to CPPM. interface <vlan_name>...
IP addresses. ActiveSync Plugin The ActiveSync plugin is software provided by Dell to be installed on Microsoft Exchange servers. When a device communicates with the Exchange server using the ActiveSync protocol, it provides attributes like device-type and user-agent. These attributes are collected by the plugin software and sent to the CPPM profiler. Profiler uses dictionaries to derive profiles from these attributes.
Administration > Server Configuration > Manage Policy Manager Zones) depending on the geographical area served by that node, and enable Profile on at least one node per zone. Figure 37: Configuration > Profile Settings
(category, family, and name). Figure 38: Services > Edit > Profiler tab settings Fingerprint Dictionaries CPPM uses a set of dictionaries and built-in rules to perform device fingerprinting. The following dictionaries are
Live Monitoring > Endpoint Profiler page detailed device distribution information along with a list of endpoints. From this page, you can also search for endpoint profiles based on category, family, name, etc. Refer to Endpoint Profiler for more information.
Wireless Access Device. The following image illustrates the flow of control for this Service. Figure 39: Flow of Control, Basic 802.1X Configuration Use Case Configuring the Service Follow the steps below to configure this basic 802.1X service: 1. Create the Service
NOTE: Policy Manager fetches attributes used for role mapping from the Authorization Sources (that are associated with the authentication source). In this example, the authentication and authorization source are one and the same.
Configure Service level authorization source. In this use case there is nothing to configure. Click the Next button. Upon completion, click Next (to Role Mapping). 4. Apply a Role Mapping Policy
Upon completion of each rule, click the Save button (in the Rules Editor) > When you are finished working in the Mapping Rules tab, click the Save button (in the Mapping Rules tab)
Primary/ Backup Server (tabs): Enter connection information for the RADIUS posture server. Next (button): from Primary Server to Backup Server. To complete your work in these tabs, click the Save button.
For instructions about how to build such an Enforcement Policy, refer to "Configuring Enforcement Policies" on page 229. 7. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Flow-of-Control of Web-Based Authentication for Guests Configuring the Service Perform the following steps to configure Policy Manager for WebAuth-based Guest access. 1. Prepare the switch to pre-process WebAuth requests for the Policy Manager Dell WebAuth service.
Refer to your Network Access Device documentation to configure the switch such that it redirects HTTP requests to the Dell Guest Portal, which captures username and password and optionally launches an agent that returns posture data. 2. Create a WebAuth-based Service.
When finished working in the Policy tab, click Next to open the Posture Plugins tab Select a Validator: Posture Plugins (tab) > Enable Windows Health System Validator > Configure (button) >
Internal Policies (selector): IPP_UNIVERSAL_XP, then click the Add button The following fields deserve special mention: Default Posture Token. Value of the posture token to use if health status is not available.
Remediation URL. URL of remediation server. 5. Create an Enforcement Policy. Because this Use Case assumes the Guest role, and the Dell Web Portal agent has returned a posture token, it does not require configuration of Role Mapping or Posture Evaluation.
Authentication request. A subsequent MAC Authentication request (forcefully triggered after the audit, or triggered after a short session timeout) uses the cached results from the audit to determine posture and role(s) for the device
Follow these steps to configure Policy Manager for MAC-based Network Device access. 1. Create a MAC Authentication Service. Table 32: MAC Authentication Service Navigation and Settings Navigation Settings Create a new Service: Services > Add Service (link) >
An audit server determines health by performing a detailed system and health vulnerability analysis (NESSUS). You can also configure the audit server (NMAP or NESSUS) with post-audit rules that enable Policy Manager to determine client identity.
Role), in this use case Policy Manager applies post-audit rules against attributes captured by the Audit Server to infer Role(s). 5. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
Policy Manager Service. Figure 42: Administrator connections to Network Access Devices via TACACS+ Configuring the Service Perform the following steps to configure Policy Manager for TACACS+-based access: 1. Create a TACACS+ Service.
Enforcement Policy Navigation and Settings Navigation Setting Select the Enforcement Policy: Enforcement (tab) > Enforcement Policy (selector): Device Command Authorization Policy When you are finished with your work in this tab, click Save.
4. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
The following figure illustrates both the overall flow of control for this hybrid service, in which complementary switch and Policy Manager configurations allow all three types of connections on a single port:
Figure 43: Flow of the Multiple Protocol Per Port Case
Service from using Service creation Wizard. Top-Down Approach - Start with the Service creation wizard, and create the associated policy components as and when you need them, all in the same flow.
After you select a service type, the associated service wizard is displayed with a clickable diagram that shows on top of the wizard. The following image displays the flow with all available configuration options for 802.1X Wireless:
Figure 45: Service Wizard with Clickable Flow The rest of the service configuration flow is as described in Policy Manager Service Types.
Service-specific policy components (called out with legend below) Template for wireless hosts connecting through a Dell W-Series 802.11 wireless access device or controller, with authentication via IEEE 802.1X. Service rules are customized for a typical Dell W-Series Mobility Controller deployment.
IP address through DHCP. Once the audit results are available, there should be a way for Policy Manager to re-apply policies on the network device. This can be accomplished in one of the following ways:
"Configuring a Role Mapping Policy" on page 154. By default, this type of service does not have Posture checking enabled. To enable posture checking for this service select the Posture Compliance check box on the Service tab.
Optionally configure Profiler settings. Select one or more Endpoint Classification items from the drop down list, then select the RADIUS CoA action. You can also create a new action by selecting the Add new RADIUS CoA Action link.
You can also specify the role mapping policy, based on categorization of the MAC addresses in the authorization sources.
Web-based authentication service for guests or agentless hosts, via the Dell built-in Portal. The user is redirected to the Dell captive portal by the network device, or by a DNS server that is set up to redirect traffic on a subnet to a specific URL. The web page collects username and...
This type of service is the same as regular 802.1X Wired Service, except that posture and audit policies are not configurable when you use this template. 802.1X Wired - Identity Only
Failover mode, requests can be dispatched to the first proxy target in the ordered list of targets, and then subsequently to the other proxy targets, sequentially, if the prior requests failed. When you Enable proxy for accounting requests accounting requests are also sent to the proxy targets.
For more information on TACACS+ enforcement profiles, see "TACACS+ Enforcement Profiles" on page 224. This type of service provides authentication and authorization to users of Dell applications: GuestConnect and Insight. Application Enforcement Profiles can be sent to these or other generic applications for authorizing the users.
You can use these service types as configured, or you can edit their settings. Figure 46: Service Listing Page The Services page includes the following fields. Table 40: Services page. Add Service: Add a service. Import Services: Import previously exported services.
Add Service option. Click on Add Service in the upper-right corner to add a new service. Figure 47: Add Service Page The Add Service tab includes the following fields.
If this is enabled, then enter the Remediation URL. Finally, specify the Posture Server from the drop down menu or add a new server by clicking the Add new Posture Server link.
Modifying Services Navigate to the Configuration > Services page to view available services. You can use these service types as configured, or you can edit their settings. Figure 48: Service Listing Page
The rules editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries depending on Service type. When working with service rules, you can select from the following namespace dictionaries: Application: The type of application for this service.
1. To reorder services, navigate to the Configuration > Services page. The following page displays. Figure 50: Service Reorder Button 2. Click the Reorder button located on the lower-right portion of the page to open the Reordering Services form.
Table 44: Reordering Services. Move Up/Move Down: Select a service from the list and move it up or down. Save: Save the reorder operation. Cancel: Cancel the reorder operation.
It also, optionally, can retrieve attributes from authorization sources configured for the Service. The flow of control for authentication takes these components in sequence:
For a new Service, the Policy Manager wizard automatically opens the Authentication tab for configuration. Outside of the context of a particular Service, you can open an authentication method or source by itself: Configuration > Authentication > Methods or Configuration > Authentication > Sources.
(and to remove prefixes and suffixes) before authenticating it to the which usernames are authentication source. present Adding and Modifying Authentication Methods Policy Manager supports specific EAP and non-EAP, tunneled and non-tunneled, methods.
Authentication > Methods, then click on its name in the Authentication Methods listing). When you click Add New Authentication Method from any of these locations, Policy Manager displays the Add Authentication Method popup. Figure 54: Add Authentication Method (popup)
The PAP method contains one tab. General Tab The General tab labels the method and defines session details. Figure 55: PAP General Tab Table 47: PAP General Tab Parameter Description Name/Description Freeform label and description.
Name/Description Freeform label and description. Type In this context, always MSCHAP. EAP-MSCHAP v2 The EAP-MSCHAPv2 method contains one tab. General Tab The General tab labels the method and defines session details.
Description Name/Description Freeform label and description. Type In this context, always EAP-MSCHAPv2. EAP-GTC The EAP-GTC method contains one tab. General Tab The General tab labels the method and defines session details.
Freeform label and description. Type In this context, always EAP-GTC. Challenge Specify an optional password. EAP-TLS The EAP-TLS method contains one tab. General Tab The General tab labels the method and defines session details.
LDAP-compliant directory) and presented certificates, choose Compare Binary. Verify Certificate using OCSP: Select Optional or Required if the certificate should be verified by the Online Certificate Status Protocol (OCSP). Select None to not verify the certificate.
Caches EAP-TTLS sessions on Policy Manager for reuse if the user/client reconnects to Policy Resumption Manager within the session timeout interval. Session Timeout How long (in hours) to retain cached EAP-TTLS sessions.
To set an inner method as the default (the method tried first), select it and click Default. EAP-PEAP The EAP-PEAP method contains two tabs: General Tab The General tab labels the method and defines session details.
Enable EAPoUDP support. When EAPoUDP support is enabled Policy Manager does not expect Support user authentication to happen within the protected tunnel. Microsoft NAP Enable while Policy Manager establishes the protected PEAP tunnel with a Microsoft NAP- Dell Networking W-ClearPass Policy Manager 6.0 | User Guide...
To set an inner method as the default (the method tried first), select it and click Default.
EAP-FAST
The EAP-FAST method contains four tabs:
General Tab
The General tab labels the method and defines session details.
Choose Using Client Certificate to use a certificate.
Certificate Comparison: Type of certificate comparison (identity matching) upon presenting Policy Manager with a client certificate: To skip the certificate comparison, choose Do not compare.
To remove an inner method from the displayed list, select the method and click Remove. To set an inner method as the default (the method tried first), select it and click Default.
PACs Tab
The PACs tab enables/disables PAC types:
This is typically a short-lived PAC (specified in hours, rather than months and years).
PAC Provisioning Tab
The PAC Provisioning tab controls anonymous and authenticated modes:
Manager certificate. Policy Manager performs anonymous provisioning.
Accept end-host after authenticated provisioning: Once the authenticated provisioning mode is complete and the end-host is provisioned with a PAC, Policy Manager rejects end-host
In this context, always MAC-AUTH.
Allow Unknown End-Hosts: Enables further policy processing of MAC authentication requests of unknown clients. If this is not enabled, Policy Manager automatically rejects a request whose MAC address is
SecurID) fetch role mapping attributes from any other configured Authorization Source.
When using a token server as an authentication source, use the administrative interface to optionally configure a separate authorization server.
Add Service wizard), or modify an existing authentication source directly (Configuration > Authentication > Sources, then click on its name in the listing page).
Figure 69: Authentication Sources Listing Page
Copy: Creates a copy of this authentication/authorization source.
The Generic LDAP and Active Directory authentication sources contain three tabs:
General Tab
The General tab labels the authentication source and defines session details.
Cache Timeout: Policy Manager caches attributes fetched for an authenticating entity. This parameter controls the number of seconds for which the attributes are cached.
NOTE: For Active Directory, the bind DN can also be in the administrator@domain format (e.g., administrator@acme.com).
Password for the administrator DN entered in the Bind DN field.
retrieved. This is not available for Active Directory. (Available only for Generic LDAP directory)
User Certificate: Enter the name of the attribute in the user record from which the user certificate can be retrieved.
Enforcement Policy. This bypasses the step of having to assign a role in Policy Manager through a Role Mapping Policy.
Add More Filters: Brings up the filter creation popup. This is described in the next image.
The following table describes the available directories.
DN of the user record (UserDN, which is populated after the Authentication filter query is executed. The attribute fetched with this filter query is cn, which is the name of the group (this is aliased to a more readable name: groupName)
AD/LDAP Configure Filter, Filter Tab
The Filter tab provides an LDAP browser interface to define the filter search query. Through this interface you can define the attributes used in the filter query.
To aid in populating the value with dynamic session attribute values, a drop-down with the commonly used namespace and attribute names is presented (see image below).
The Attributes tab defines the attributes to be fetched from Active Directory or LDAP directory. Each attribute can also be “Enabled as Role,” which means the value fetched for this attribute can be used directly in Enforcement Policies (see "Configuring Enforcement Policies" on page 229).
The Configuration tab shows the filter and attributes configured in the Filter and Attributes tabs, respectively. From this tab, you can also manually edit the filter query and attributes to be fetched.
Data type specified here. If, for example, you modify the Active Directory department to be an Integer rather than a String, then the list of Operator values will populate with values that are specific to Integers.
Add to add it to the list of authorization sources. Click Remove to remove it from the list.
NOTE: As described in “Services,” additional authorization sources can be specified at the Service level. Policy Manager fetches role mapping attributes regardless of which
The Summary tab provides a summary of the configuration. For a configured Generic SQL DB authentication source, buttons on the main page enable you to:
Service level. Policy Manager fetches role mapping attributes regardless of which authentication source the user or device was authenticated against.
Backup Servers: To add a backup server, click Add Backup. When the Backup 1 tab appears, you can specify
Select the ODBC driver (Postgres or MSSQL in this release) to connect to the database.
Attributes Tab
The Attributes tab defines the SQL DB query filters and the attributes to be fetched by using those filters.
Table 71: Generic SQL DB Configure Filter Popup
Parameter: Description
Filter Name: Name of the filter
Filter Query: A SQL query to fetch the attributes from the user or device record in DB
Token Server General Tab
Parameter: Description
Name/Description: Freeform label and description.
Type: In this context, Token Server
Use for Authorization: This check box instructs Policy Manager to fetch role mapping attributes (or authorization
Name/Port: Host name or IP address of the token server, and the UDP port at which the token server listens for RADIUS connections. The default port is 1812.
Secret: RADIUS shared secret to connect to the token server.
The Summary tab provides a summary of the configuration.
General Tab
The General Tab labels the authentication source.
Figure 89: Static Host List (General Tab)
The Summary tab provides a summary of the configuration.
General Tab
The General tab labels the authentication source and defines session details, authorization sources, and backup server details.
Move Down to change the server priority of the backup servers. This is the order in which Policy Manager attempts to connect to the backup servers.
Primary Tab
The Primary tab defines the settings for the primary server.
Alias Name: For each attribute name selected for the filter, you can specify an alias name.
Enabled As: Indicates whether an attribute has been enabled as a role.
Add More Filters: Brings up the filter creation popup.
Enabled As: Specify whether value is to be used directly as a role or attribute in an Enforcement Policy. This bypasses the step of having to assign a role in Policy Manager through a Role Mapping Policy.
"Adding and Modifying Guest Users" on page 161). Associated directly with a static host list, again through role mapping ("Adding and Modifying Static Host Lists" on page 166).
You can also configure other roles. Refer to "Adding and Modifying Roles" on page 158.
Configuring a Role Mapping Policy
After authenticating a request, a Policy Manager Service invokes its Role Mapping Policy, resulting in assignment of
The Policy tab labels the method and defines the Default Role (the role to which Policy Manager defaults if the mapping policy does not produce a match for a given request).
Edit Rule button or Remove Rule button.
Figure 98: Role Mapping (Mapping Rules Tab)
When you select Add Rule or Edit Rule, Policy Manager displays the Rules Editor popup.
Operators have their obvious meaning; for stated definitions of operator meaning, refer to "Operators" on page 348.
Value of attribute: Depending on attribute data type, this may be a free-form (one or many line) edit box, a drop-down list, or a time/date widget.
Role Mapping Policy of any Service. When you click Add Roles from any of these locations, Policy Manager displays the Add New Role popup.
Figure 101: Add New Role
Policy Manager lists all local users in the Local Users page (Configuration > Identity > Local Users):
Figure 102: Local Users Listing
To add a local user, click Add User to display the Add Local User popup.
Figure 103: Add Local User
To export a local user, in the Local Users listing page, select it (via the check box) and click Export. To export ALL local users, in the Local Users listing page, click Export Users. To import local users, in the Local Users listing page, click Import Users.
Application: Where this account was created: From Policy Manager or the GuestConnect guest provisioning product.
In the Guest Users listing: To add a guest user or device, click Add User. This opens the Add New Guest User popup.
Add a guest user or a guest device
User ID/Name/Password/Verify Password (Guest User only): Freeform labels and password. Click Auto Generate to auto-generate a password for the guest user.
The Configuration > Identity > Onboard Devices page lists all devices that have authenticated. The information within this page includes the device name, owner, status, whether the device is expired, and the expiry time.
Figure 107: Onboard Devices
To view the authentication details of an endpoint, select an endpoint by clicking on its check box, and then click the Authentication Records button. This opens the Endpoint Authentication Details popup.
NOTE: All attributes entered for an endpoint are available in the role mapping rules editor under the Endpoint namespace.
To edit an endpoint, in the Endpoints listing page, click on the name to display the Edit Endpoint popup.
NOTE: Only static host lists of type MAC address are available as authentication sources.
A static host list often functions, in the context of the Service, as a white list or a black list. Therefore, they are configured independently at the global level.
Figure 113: Static Host Lists (Listing Page)
To export ALL Static Host Lists, in the Static Host Lists listing page, click the Export Static Host Lists link. To import Static Host Lists, in the Static Host Lists listing page, click the Import Static Host Lists link.
Policy Manager supports two types of Audit Servers: NMAP audit server, primarily to derive roles from post-audit rules; NESSUS audit server, primarily used for vulnerability scans (and, optionally, post-audit rules).
Transient. Client evaluation is in progress; typically associated with auditing a client. The network access granted is interim.
Quarantine. Client is out of compliance; restrict network access, so the client only has access to the remediation servers.
To edit the selected posture policy, click Modify and refer to "Modifying Posture Policies" on page 172.
Default Posture Token: The default posture token is UNKNOWN (100).
Remediation End-Hosts: Select this check box to enable auto-remediation action on non-compliant
Checks for peer-to-peer applications or networks, patch management applications, hotfixes, USB devices, virtual machines, and network devices.
Windows System Health Validator. Configurable checking for required operating system versions and service packs.
OnGuard Agent - Use this to configure posture policies for guest or web portal based use cases (via a dissolvable Java-applet based agent), or for use cases where ClearPass (persistent) OnGuard Agent is installed on the endpoint. Currently, the following OSes are
Add Posture Policy (Posture Plugins Tab) - Windows NAP Agent
Figure 119: Add Posture Policy (Posture Plugins Tab) - Linux NAP Agent
Figure 120: Add Posture Policy (Posture Plugins Tab) - Windows OnGuard Agent
Quarantine. Client is out of compliance; restrict network access, so the client only has access to the remediation servers.
Infected. Client is infected and is a threat to other systems in the network; network access should be denied or severely restricted.
The ClearPass Windows Universal System Health Validator page popup appears in response to actions in the Posture Plugins tab of the Posture configuration.
Figure 124: ClearPass Windows Universal System Health Validator - NAP Agent
Services to stop panels (using their associated widgets). This list is different for the different OS types. Click the >> or << to add or remove, respectively, the services from the Service to run or Services to stop boxes.
present/absent: Click Add to specify a process to be added, either to the Processes to be present or Processes to be absent lists. Click Add for Process to be present to display the Process page detail.
Display name: Enter a user friendly name for the process. This is displayed in end-user facing messages.
When you save your Process details, the key information appears in the Processes to be present page list.
One or more of the matching processes are then terminated.
Enter the Display name: Enter a user friendly name for the process. This is displayed in end-user facing messages.
present/absent: Click Add to specify a registry key to be added, either to the Registry keys to be present or Registry keys to be absent lists. Click Add for either condition to display the Registry page detail.
Antivirus application. Click An Antivirus Application is On to configure the Antivirus application information.
Figure 133: Antivirus Page (Overview - Before)
When enabled, the Antivirus detail page appears.
User Notification: Check the User Notification check box to enable user notification of policy violation of anti-virus status.
Display Update: Check the Display Update URL check box to show the origination URL of the update.
AntiSpyware application information.
Figure 137: AntiSpyware Page (Overview Before)
When enabled, the AntiSpyware detail page appears.
Figure 138: AntiSpyware Page (Detail 1)
Click Add to specify product and version check information.
Firewall Page (Overview Before)
In the Firewall page, click A Firewall Application is On to configure the Firewall application information.
Figure 142: Firewall Page (Detail 1)
When enabled, the Firewall detail page appears.
The Peer To Peer page provides a set of widgets for specifying specific peer to peer applications or networks to be explicitly stopped. When you select a peer to peer network, all applications that make use of that network are stopped.
On to configure the patch management application information.
Figure 146: Patch Management Page (Overview - Before)
When enabled, the Patch Management detail page appears.
Figure 147: Patch Management Page (Detail 1)
UI.
Select the Patch Mgmt product - Select a vendor from the list
Product version is at least - Enter version number
Status check type - No check, Enabled, Disabled
Click the >> or << to add or remove, respectively, the hotfixes from the Hotfixes to run boxes.
USB Devices
The USB Devices page provides configuration to control USB mass storage devices attached to an endpoint.
Figure 151: USB Devices
Pause all Virtual Machines running on Host - Pause the VM clients that are running on Host.
Network Connections
The Network Connections page provides configuration to control network connections based on connection type.
Click the >> or << to add or remove Others, Wired, and Wireless connection types.
Remediation Action for USB Mass No Action - Take no action; do not eject or disable the attached
ClearPass Linux Universal System Health Validator - NAP Agent
The ClearPass Linux Universal System Health Validator page popup appears in response to actions in the Posture Plugins tab of the Posture configuration.
Firewall Check and Antivirus Check. Enable the check box in either page to display its respective configuration view:
NOTE: The configurations done in the General Configuration section apply to all operating systems whose checks have been turned
Select Antivirus Check, then click Add in the view that appears to specify Antivirus details.
Figure 158: Antivirus Check view
When you save your Antivirus configuration, it appears in the Antivirus page list.
ClearPass Mac OS X Universal System Health Validator - OnGuard Agent
The ClearPass Mac OS X Universal System Health Validator page popup appears in response to actions in the Posture Plugins tab of the Posture configuration.
Figure 161: Antivirus Page (Overview - Before)
When enabled, the Antivirus detail page appears.
Figure 162: Antivirus Page (Detail 1)
Click Add to specify product and version check information.
This validator checks for the presence of specific types of security applications. An administrator can use the check boxes to restrict access based on the absence of the selected security application types.
This validator checks for the presence of specific types of security applications. An administrator can use the check boxes to restrict access based on the absence of the selected security application types.
Figure 165: Windows Security Health Validator
Windows System Health Validator - OnGuard Agent (Overview)
Adding and Modifying Posture Servers
Policy Manager can forward all or part of the posture data received from the client to Posture Servers. The Posture
Server Type: Always Microsoft NPS.
Default Posture Token: Posture token assigned if the server is unreachable or if there is a posture check failure. Select a status from the drop-down list.
Manager will attempt to connect to the backup server after this timeout. For the backup server to be invoked on primary server failover, check the Enable to use backup when primary does not respond check box.
Architecture and Flow
Audit servers are configured at a global level. Only one audit server may be associated with a Service. The flow-of-control of the audit process occurs as follows:
Policy Manager supports these servers externally. This section contains the following topics:
"Built-In Audit Servers" on page 205
"Custom Audit Servers" on page 207
"Nessus Scan Profiles" on page 211
DHCP Server documentation for configuring such static bindings. Note that Policy Manager does not issue IP addresses; it just examines the DHCP traffic in order to derive the IP address of the end-host.
Nessus plugins. You can download others from http://www.tenablesecurity.com, in the form all-2.0.tar.gz. To upload them to the built-in Policy Manager Audit Server, navigate to Administration > Server Manager > Server Configuration, select Upload Nessus Plugins, and then select the downloaded file.
NESSUS Audit Server
Policy Manager uses the NESSUS Audit Server interface primarily to perform vulnerability scanning. It returns a Healthy/Quarantine result. The Audit tab identifies the server and defines configuration details.
Status: Posture status if evaluation does not return a condition/action match. Select a status from the drop-down list.
The Primary Server and Backup Server tabs specify connection information for the NESSUS audit server.
Policy Manager uses the NMAP Audit Server interface exclusively for network port scans. The health evaluation always returns Healthy. The port scan gathers attributes that allow determination of Role(s) through post-audit rules. The Audit tab labels the Server and defines configuration details.
Status: Posture status during audit. Select a status from the drop-down list.
Default Posture Status: Posture status if evaluation does not return a condition/action match. Select a status from the drop-down list.
The NMAP Options tab specifies scan configuration.
A scan profile contains a set of scripts (plugins) that perform specific audit functions. To Add/Edit Scan Profiles, select Add/Edit Scan Profile (link) from the Primary Server tab of the Nessus Audit Server configuration. The Nessus Scan Profile Configuration page displays.
Select one or more plugins by enabling their corresponding check boxes (at left). Policy Manager will remember selections as you select other plugins from other plugin families. When finished, click the Selected Plugins tab.
Figure 180: Nessus Scan Profile Configuration (Profile Tab)
The Selected Plugins tab displays all selected plugins, plus any dependencies. To display a synopsis of any listed plugin, click on its row.
This tells Policy Manager the vulnerability level that is considered to be assigned QUARANTINE status.
Figure 182: Nessus Scan Profile Configuration (Selected Plugins Tab)
Figure 183: Nessus Scan Profile Configuration (Selected Plugins Tab) - Vulnerability Level
Primary/Backup Servers tabs and select it from the Scan Profile drop-down list.
Post-Audit Rules
The Rules tab specifies rules for post-audit evaluation of the request to assign a role.
Figure 185: All Audit Server Configurations (Rules Tab)
Network-Apps, Open-Ports, and OS-Info. Refer to "Namespaces" on page 341.
Actions: The Actions list includes the names of the roles configured in Policy Manager.
Save: To commit a Condition/Action pairing, click Save.
If a device group is not associated with the enforcement profile, attributes in that profile are sent regardless of where the request originated.
Enforcement Profile for a new enforcement policy (as part of the flow of the Add Enforcement Policy wizard), or modify an existing Enforcement Profile directly (Configuration > Enforcement > Profiles, then click on its name in the Enforcement Profile listing).
[HP - Terminate Session] - Terminate a session on an HP device. [Dell - Terminate Session] - Terminate a session on a Dell Wireless Controller. There are four built-in TACACS+ profiles that are mapped to the different administrator roles available in Policy Manager.
Policy Manager comes pre-packaged with several enforcement profile templates:
VLAN Enforcement - All RADIUS attributes for VLAN enforcement are pre-filled in this template.
Dell RADIUS Enforcement - RADIUS template that can be filled with attributes from the Dell RADIUS dictionaries loaded into Policy Manager.
The “Target Device” attribute specifies the device on which the “Command” attribute is executed. Agent Enforcement - Enforcement profile that encapsulates attributes sent to Dell OnGuard agent. Attributes can be specified to bounce the client or to send a custom message to the client.
A - VLAN Enforcement; B - Filter ID Based Enforcement; C - Cisco Downloadable ACL Enforcement; D - Cisco Web Authentication Enforcement; E - Generic RADIUS Enforcement; F -
Figure 190: RADIUS Enforcement Profile (Attributes Tab)
Figure 191: RADIUS Enforcement Profile (Attributes Tab) - Generic RADIUS Enforcement Profile
The RADIUS attributes (standard and vendor-specific) shown here are based on the CoA Template selected from the drop-down. Fill in values for all entries marked “Enter value here”. The other pre-filled attributes must not be deleted, since the device requires these to be present.
The built-in TACACS+ enforcement profiles can also be used to log into the Policy Manager UI. TACACS+ enforcement profiles use ARAP, Policy Manager:HTTP, PIX Shell, PPP:IP, PPP:IPX, PPP:LCP, Wireless-WCS:HTTP, CiscoWLC:Common and Shell namespaces to define service attributes.
Selected Services. Policy Manager ships configured with attributes for some of the listed services. Selections in the Commands tab configure commands and arguments allowed/disallowed for the selected Service Type.
Application Enforcement Profiles Application Enforcement Profiles contain attribute-value pairs and other permissions related to authorization of users of Dell Applications - GuestConnect and Insight. There are three different types of application enforcement profile templates that can be selected: ClearPass Insight Enforcement - Attributes for users of Insight application.
Device: Enter the device on which the CLI commands are executed. Typically, this is the edge device on which the user/endpoint connected (%{Connection:NAD-IP-Address}).
Command: Multiple commands (separated by a new line) that are executed on the target device.
Agent Enforcement Profiles Agent Enforcement Profiles contain attribute-value pairs related to enforcement actions sent to Dell OnGuard Agent. Figure 197: Agent Enforcement Profile (Attributes Tab) Table 123: Agent Enforcement Profiles (Attributes tab) Container Description Bounce Client If checked, the endpoint is bounced by the OnGuard agent (this feature is only available...
Enforcement Policies, then click on its name in the Enforcement Policies listing page).
Figure 199: Enforcement Policies Listing Page
When you click Add Enforcement Policy, Policy Manager displays the Add Enforcement Policy wizard page:
Below). NOTE: Web-based Authentication or WebAuth (HTTPS) is the mechanism used by authentications performed via a browser, and authentications performed via Dell OnGuard. Both SNMP and CLI (SSH/Telnet) based Enforcement Profiles can be sent to the network device based on the type of device and the use case.
If the rule conditions match, attributes from the selected enforcement profiles are sent to the Network Access Device. If a rule matches and there are multiple enforcement profiles, the enforcement profile disambiguation rules apply.
Adding a Device
To add a device, click the Add Device link, and then complete the fields in the Add Device popup. The tabs and fields are described in the images that follow.
NOTE: All attributes entered for a device are available in the role mapping rules editor under the Device namespace.
Add/Cancel: Click Add to commit or Cancel to dismiss the popup.
Page 235
This option is especially useful when demonstrating static IP-based device profiling because this does not require any trap configuration on the network device. Dell Networking W-ClearPass Policy Manager 6.0 | User Guide...
Page 236
Allow CLI Access Toggle to enable/disable CLI access. Access Type Select SSH or Telnet. Policy Manager uses this access method to log into the device CLI. Port SSH or Telnet TCP port number. Dell Networking W-ClearPass Policy Manager 6.0 | User Guide...
(or regular expression-based variation), or devices previously configured in the Policy Manager database. Policy Manager lists all configured device groups in the Device Groups page: Configuration > Network > Device Groups.
Figure 208: Device Groups Page To add a Device Group, click Add Device Group. Complete the fields in the Add New Device Group popup:
Figure 209: Add New Device Group Popup Table 131: Add New Device Group popup Container Description Name/ Description/ Specify identity of the device. Format
Proxy targets are configured at a global level. They can then be used in configuring RADIUS proxy Services. (Refer to "Policy Manager Service Types" on page 92.) Policy Manager lists all configured proxy servers in the Proxy Servers page: Configuration > Network > Proxy Servers.
Enter the UDP port to send the RADIUS request. Default value for this port is 1812. Port RADIUS Accounting Enter the UDP port to send the RADIUS accounting request. Default value for this port is Port 1813.
To delete a single Proxy Target from the configuration, select it (via the check box on the left), and then click Delete. Commit the deletion by selecting Yes. Dismiss the popup by selecting No.
Exports all users to an XML file. Export Exports a selected user to an XML file. Delete Deletes a selected User. Add User Select the Add User link in the upper right portion of the page.
Add/Cancel Add or dismiss changes. Import Users Select the Import Users link in the upper right portion of the page. Figure 214: Import (Admin) Users
To display available Admin Privileges, navigate to the Administration > Users and Privileges > Admin Privileges page. Figure 215: Admin Privileges Import Admin Privileges Select the Import Admin Privileges link on the upper right side of the page.
"Network Interfaces Tab" on page 273 Set Date/Time Navigate to Administration > Server Manager > Server Configuration, and click on the Set Date and Time link. This opens by default on the Date & Time tab.
Select a time zone and click Save. Note that this option is only available on the publisher. To set time zone on the subscriber, select the specific server and set time zone from the server-specific page.
Navigate to Administration > Server Manager > Server Configuration, and click on the Change Cluster Password link. Use this function to change the cluster-wide password. NOTE: Changing this password also changes the password for the CLI user - 'appadmin'. Figure 220: Change Cluster Password
You can configure Zones in CPPM to match with the geographical areas in your deployment. There can be multiple Zones per cluster, and each Zone has a number of CPPM nodes that share runtime state. Figure 221: Policy Manager Zones
In the Policy Manager cluster environment, the Publisher node acts as master. A Policy Manager cluster can contain only one Publisher node. Administration, configuration, and database write operations may occur only on this master
Enable this check box only if you do not require a backup to the existing databases before this operation database. Upload Nessus Plugins Navigate to the Administration > Server Manager > Server Configuration page, and click on the Upload Nessus Plugins link.
Load the plugins, or dismiss. If there are a large number of plugins, the load time can be in the order of minutes. Cluster-Wide Parameters Navigate to the Administration > Server Manager > Server Configuration page, and click on the Cluster-Wide Parameters link. Figure 225: Cluster-Wide Parameters
This controls how often (in days) endpoints with a status of Known or Disabled are cleaned up from disabled the endpoints table. endpoints cleanup interval Unknown This controls how often (in days) endpoints with a status of Unknown are cleaned up from the endpoints endpoints table.
These files are saved in Local Shared Folders and can be downloaded to your computer. To collect logs 1. Go to Administration > Server Manager > Server Configuration, 2. Click Collect Logs. The Collect Logs dialog box appears.
You will need an application that can read and unpack a GZip file to view the files in a log file. NOTE: Dell cannot recommend specific software for viewing the contents of files compressed with GZip.
Navigate to the Administration > Server Manager > Server Configuration page, and click on the Back Up button. Note that this action can also be performed using the "backup" CLI command. Figure 227: Backup Popup Figure 228: Post-Backup Popup
Restore file location Select either Upload file to server or File is on server. Upload file path Browse to select name of backup file (shown only when Upload file to server radio
Navigate to the Administration > Server Manager > Server Configuration page, and click on a server name in the table. The Server Configuration form opens by default on the System tab.
Data interface IP address. All authentication and authorization requests arrive on the data IP Address interface. Data/External Port: Data interface Subnet Mask Subnet Mask Data/External Port: Default gateway for data interface Default Gateway
Leave Domain - Click on this button to disassociate this Policy Manager appliance from an Active Directory domain. NOTE: For most use cases, if you have multiple nodes in the cluster, you must join each node to the same Active Directory domain.
Check this box to use the Administrator user name to join the domain default domain admin user User User ID of the domain administrator account Name Password Password of the domain administrator account
Once a primary LDAP server is down, Policy Manager connects to one of the backup servers. Retry Interval This parameter specifies how long Policy Manager waits before it tries to connect to the
IP address for the MAC address of the host before proceeding with audit Figure 234: RADIUS Server Service Parameters Table 149: Service Parameters tab - Radius server Service Description Parameter Proxy
Maximum number of Local DB DB connections opened Authentication Source Connection Count AD/LDAP Maximum number of AD/LDAP connections opened Authentication Source Connection Count SQL DB Maximum number of SQL DB Authentication Source Connection Count
Whether PACs generated by this server are valid across the cluster or not across cluster Accounting Log Accounting Store the Interim-Update packets in session logs. Interim-Update Packets Figure 235: TACACS+ Service Parameters
You can use the ClearPass system service parameters for PHP configuration, and also when all your HTTP traffic flows through a proxy server. Policy Manager relies on an HTTP connection to the Dell update portal in order to download the latest version information for posture services.
Typically, the audit service requests a MAC-to-IP mapping as soon as the RADIUS request is received, but the client may take some more time to receive an IP address through DHCP. This wait period takes into account the latest DHCP IP address that the client got
SNMP v3 authentication key and privacy key for incoming traps Authentication SNMP v3 Trap Privacy Key Device Info This specifies the time (in minutes) between polling for device information. Poll Interval
15-min averages, respectively. If any of these loads exceeds the associated maximum value, average then the system sends traps to the configured trap servers. Threshold 5 Min CPU load average Threshold
Username to use for SNMP v3 communication SNMP v3: Username SNMP Configuration: One of NOAUTH_NOPRIV (no authentication or privacy), AUTH_NOPRIV (authenticate, SNMP v3: Security Level but no privacy), AUTH_PRIV (authenticate and keep the communication private)
The administrator can create a generic routing encapsulation (GRE) tunnel. This protocol can be used to create a virtual point-to-point link over a standard IP network or the Internet. Navigate to the Network Interfaces tab and click Create Tunnel.
Enter a value here to automatically create a route to this address through the tunnel. Create/Cancel Commit or dismiss changes. Creating VLAN Navigate to the Network Interfaces tab and click Create VLAN. Figure 242: Creating VLAN
VLAN already defined in your network. Log Configuration The Policy Manager Log Configuration menu at Administration > Server Manager > Log Configuration provides the following interface for configuration: Figure 243: Log Configuration (Services Level tab)
(listed in decreasing level of verbosity): Level DEBUG INFO WARN ERROR FATAL Restore Click Save to save changes or Restore Defaults to restore default settings. Defaults/Save Figure 244: Log Configuration (System Level tab)
Automated Backup files - Database backup files backed up automatically on a daily basis (tar.gz format) Select any file in the list to download it to your local machine. The browser download box appears.
In this release, you can add and activate OnGuard, Guest, and Onboard application licenses. The Summary section shows the number of purchased licenses for Policy Manager, OnGuard, Guest, and Onboard. Figure 246: Licensing Page - License Summary tab
1. Go to Administration > Server Manager > Licensing. 2. Click the Applications tab. Figure 249: Licensing Page - Applications tab 3. Click Activate in the Activation Status column. 4. Click OK.
"Add SNMP Trap Server " on page 281 "Import SNMP Trap Server " on page 282 "Export all SNMP Trap Servers " on page 282 "Export a Single SNMP Trap Server " on page 283
Add SNMP Trap Server To add a trap server, navigate to Administration > External Servers > SNMP Trap Receivers and select the Add SNMP Trap Server link. Figure 252: Add SNMP Trap Server
To export all SNMP trap servers, navigate to Administration > External Servers > SNMP Trap Receivers and select the Export SNMP Trap Server link. This link exports all configured SNMP Trap Receivers. Click Export Trap
Opens the Import Syslog Target popup. Export Syslog Target Opens the Export Syslog Target popup. Export Opens the Export popup. Delete To delete a Syslog Target, select it (check box at left) and click Delete.
To delete a Syslog Filter, select it (check box at left) and click Delete. Add Syslog Filter To add a Syslog Filter, navigate to Administration > External Servers > Syslog Filters > Add Syslog Filter. Refer to the following image.
SQL by clicking the link below the text entry field. NOTE: We recommend that users who choose the Custom SQL method contact Support. Support can assist you with entering the correct information in this template.
From here you can click >> to add the selected column to the Selected Columns list. Click << to remove a column from the Selected Columns list. Import Syslog Filter Navigate to Administration > External Servers > Syslog Filters > Import Syslog Filter.
XML file to contain the export. Messaging Setup The Policy Manager Messaging Setup menu at Administration > Server Manager > Messaging Setup provides the following interface for configuration:
Use secure SSL connection for communications with the server. Port This is the TCP port number that the SNMP server listens on. Connection timeout Timeout for connection to the server (in seconds).
Domain name of the provider Endpoint Context Servers Policy Manager provides the ability to collect endpoint profile information from MDM vendors and Dell W-series IAPs and RAPs. Navigate to Administration > External Servers > Endpoint Context Servers.
Enter the MDM server name. Username/password Enter the Username and Password for the MDM server. The frequency in minutes in which the MDM server is polled. This defaults to 60 minutes. The Update Frequency
Navigate to Administration > Certificates > Server Certificate and click the Create Self-Signed Certificate link. This opens the Create Self-Signed Certificate form. Figure 265: Create Self-Signed Certificate After you click Submit, you will be prompted to install the self-signed certificate
, URI:uri, IP:ip_address, dns:dns_name, or rid:id. Name (SAN) This field is optional. Private Key Specify and verify password. Password This field is required. Verify Private Key Password
Figure 267: Create Certificate Signing Request A generated certificate signing request displays after you click Submit. Copy the certificate and paste it into the Web form as part of the enrollment process.
This field is optional. Private Key Specify and verify password. Password This field is required. Verify Private Key Password Key Length Select length for the generated private key: 512, 1024, or 2048.
To display the list of trusted Certificate Authorities (CAs), navigate to Administration > Certificates > Certificate Trust List. To add a certificate, click Add Certificate; to delete a certificate, select the check box to the left of the certificate and then click Delete.
To display available Revocation Lists, navigate to Administration > Certificates > Revocation Lists. To add a revocation list, click Add Revocation List. To delete a revocation list, select the check box to the left of the list and then click Delete.
Select Update whenever CRL is updated to update the CRL at intervals specified in the list. Or select Update Periodically update to check periodically and at the specified frequency (in days).
Policy Manager. Enable/Disable Enable or disable this dictionary. Enabling a dictionary makes it appear in the Policy Manager rules editors (Service rules, Role mapping rules, etc.).
XML file, and then import the dictionary. To view the contents of the Posture dictionary, sorted by Vendor Name, Vendor ID, Application Name, or Application ID, navigate to: Administration > Dictionaries > Posture. Fig: Posture
To add a new TACACS+ service dictionary, click on the Import Dictionary link. To add or modify attributes in an existing service dictionary, select the dictionary, export it, make edits to the XML file, and import it back into Policy Manager.
Fig: Shell Service Dictionary Attributes Fingerprints The Device Fingerprints table shows a listing of all the device fingerprints recognized by the Profile module. These fingerprints are updated from the Dell Update Portal (See "Update Portal " on page 312 for more information.)
The Administration > Dictionaries > Attributes page allows you to specify unique sets of criteria for LocalUsers, GuestUsers, Endpoints, and Devices. This information can then be used with role-based device policies for enabling appropriate network access. The Attributes page provides the following interfaces for configuration:
Mandatory Allow Shows whether multiple attributes are allowed for an entity. Multiple Add Attribute To add a new Attribute dictionary, select Add Attribute in the upper right portion of the page.
NOTE: The imported file is in XML format. To view a sample of this XML format, export a dictionary file and open it in an XML viewer. Figure 284: Import from file
Microsoft Windows and Mac OS X operating systems and placed at a fixed URL on the Policy Manager appliance. This URL can then be published to the user community. The agent deployment packages can also be downloaded to another location.
TLS exchange with Policy Manager. Agent action when an update is available: This setting determines what the agent does when an update is available. Options are Ignore, Download Installer, Notify User.
(Authentication:Full-Username attribute) to write different service rules for different portals. SharedSecret : Secret shared with a Wireless Controller (for example, Xirrus Wireless Controller) when Policy Manager is configured as an external captive portal on the network device.
Use default template to edit the different fields as described above. To import a custom HTML file to be used as the guest portal, select Upload custom template. Note that the
Use the Software Updates page to register for and to receive live updates for: Posture updates, including Antivirus, Antispyware, and Windows Updates; Profile data updates, including Fingerprint; Software upgrades for the ClearPass family of products; Patch binaries, including Onboard, Guest Plugins and Skins.
NOTE: This button is enabled only on publisher node. Firmware & Patch Updates Import If the server is not able to reach the webservice server, click Import Updates to import the latest
Install button is clicked. If the popup is closed, it can be brought up again by clicking the ‘Install in progress…’ link while an installation is in progress or by clicking the ‘Installed’, ‘Install Error’, ‘Needs Restart’ links after the installation is completed.
Subscriber node. A Policy Manager cluster can contain only one Publisher node. Cluster commands can be used to change the state of the node, hence the Publisher can be made a Subscriber.
Fix the problem by adding the subscriber back into the cluster from the CLI. All node configuration, including certificates, log configuration and server parameters are restored (as long as the node entry exists in the publisher with Cluster Sync=false).
"Miscellaneous Commands" on page 333 ad testjoin "Miscellaneous Commands" on page 333 alias "Miscellaneous Commands" on page 333 backup "Miscellaneous Commands" on page 333 cluster drop-subscriber cluster list cluster make-publisher
"Miscellaneous Commands" on page 333 krb list "Miscellaneous Commands" on page 333 ldapsearch "Miscellaneous Commands" on page 333 network ip network nslookup network ping network traceroute network reset quit "Miscellaneous Commands" on page 333
Cluster Commands The Policy Manager command line interface includes the following cluster commands: "drop-subscriber" on page 320 "list" on page 320 "make-publisher" on page 320
Publisher Management port IP=192.168.5.227 Data port IP=None [local machine] make-publisher Makes this node a publisher. Syntax cluster make-publisher Example [appadmin]# cluster make-publisher ******************************************************** * WARNING: Executing this command will promote the
********************************************************* Continue? [y|Y]: set-cluster-passwd Changes the cluster password on all publisher nodes. Executed on the publisher; prompts for the new cluster password. Syntax cluster set-cluster-passwd Returns [appadmin]# cluster set-cluster-passwd cluster set-cluster-passwd
Synchronize time with specified NTP server. Required. -d <date> Syntax: yyyy-mm-dd Optional. -t <time> Syntax: hh:mm:ss Optional. -z <timezone> Syntax: To view the list of supported timezone values, enter: show all-timezones.
Optional. Specifies the destination ip address or network (for example, 192.168.5.0/24) or 0/0 -d <DestAddr> (for all traffic). Only one of SrcAddr or DstAddr must be specified. Syntax network ip del <-i <id>>
Host or domain name to be queried. Example 1 [appadmin]# nslookup sun.us.arubanetworks.com Example 2 [appadmin]# nslookup -q SRV arubanetworks.com ping Tests reachability of the network host. Syntax network ping [-i <SrcIpAddr>] [-t] <host>
[ tips-radius-server ] Tacacs server [ tips-tacacs-server ] Async DB write service [ tips-dbwrite-server ] DB replication service [ tips-repl-server ] System monitor service [ tips-sysmon-server ] Example 3 [appadmin]# service status tips-domain-server
[appadmin]# show date Wed Oct 31 14:33:39 UTC 2012 Displays DNS servers. Syntax show dns Example [appadmin]# show dns show dns =========================================== DNS Information ------------------------------------------- Primary 192.168.5.3 Secondary DNS <not configured>
"install-license" on page 331 "restart" on page 331 "shutdown" on page 332 "update" on page 332 "upgrade" on page 332 boot-image Sets system boot image control options. Syntax system boot-image [-l] [-a <version>] Where:
Install-License Commands Flag/Parameter Description Mandatory. <license-key> This is the newly issued license key. Example [appadmin]# system install-license restart Restart the system Syntax system restart Example [appadmin]# system restart system restart *********************************************************
Uninstall the patch. (For exact patch names, refer to [-l] in this table.) Optional. List the patches installed on the system. Example [appadmin]# system update upgrade Upgrades the system. Syntax system upgrade <filepath> Where:
"krb auth" on page 337 "krb list" on page 338 "ldapsearch" on page 338 "quit" on page 339 "restore" on page 338 ad auth Authenticate the user against AD. Syntax ad auth --username=<username> Where:
Tests if the netjoin command succeeded. Tests if Policy Manager is a member of the AD domain. Syntax ad testjoin Example [appadmin]# ad testjoin alias Creates or removes aliases.
Does a Kerberos authentication against a Kerberos server (such as Microsoft AD) Syntax krb auth <user@domain> Where: Table 216: Kerberos Authentication Commands Flag/Parameter Description <user@domain> Specifies the username and domain. Example [appadmin]# krb auth mike@corp-ad.acme.com
Specify filepath of restore source. filename> Restore configuration database (default). Do not restore configuration database. Optional. If it exists in the backup, restore log database. Optional. Ignore version mismatch errors and proceed.
There are multiple namespaces exposed in the rules editing interface. The namespaces exposed depend upon what you are editing. For example, when you are editing posture policies you work with the posture namespace; when you
These attribute names are pre-populated in the UI for administrative convenience. For Policy Manager to fetch the values of attributes from
The connection namespace has the following pre-defined attributes: Table 219: Connection Namespace Pre-defined Attributes Attribute Description Src-IP-Address Src-IP-Address and Src-Port are the IP address and port from which the request (RADIUS, TACACS+, etc.) originated Src-Port
Tunnel - A tunnel PAC was used to establish the outer tunnel in the EAP-FAST authentication method Machine - A machine PAC was used to establish the outer tunnel in the EAP-FAST authentication method; machine PAC is used for machine authentication (See EAP-FAST in
Subject-DN, Subject-DC, Subject-UID, Subject-CN, Subject-GN, Subject-SN, Subject-C, Subject-L, Subject-ST, Subject-O, Subject-OU, Subject-emailAddress: Attributes associated with the subject (user or machine, in this case). Not all of these fields are populated in a certificate.
Note that these attributes can be used only if you have pre-populated the values for these attributes when a guest user is configured in Policy Manager.
See "Adding and Modifying Authentication name} Sources " on page 127. MAC address of client in aa:bb:cc:dd:ee:ff format {RADIUS:IETF:MAC-
EQUALS, NOT_EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUALS, LESS_THAN, LESS_THAN_OR_EQUALS, IN_RANGE BELONGS_TO, NOT_BELONGS_TO
List (Example: Role): EQUALS, NOT_EQUALS, MATCHES_ANY, NOT_MATCHES_ANY, MATCHES_ALL, NOT_MATCHES_ALL, MATCHES_EXACT, NOT_MATCHES_EXACT
Group (Example: Calling-Station-Id, NAS-IP-Address): BELONGS_TO_GROUP, NOT_BELONGS_TO_GROUP, and all string data types
EQUALS E.g., RADIUS:IETF:NAS-Port GREATER_THAN_OR_EQUALS 10 LESS_THAN For integer, time and date data types, true if the run-time value of the attribute is less than the configured value.
For group data types, true if the run-time value of the attribute belongs to the configured group (either TO_GROUP a static host list or a network device group, depending on the attribute). E.g., RADIUS:IETF:Calling-Station-Id BELONGS_TO_GROUP Printers.
PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS-IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. GNU LGPL Version 2, June 1991 Copyright (C) 1991 Free Software Foundation, Inc.
However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such.
The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.
8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will
NO WARRANTY Dell Networking W-ClearPass Policy Manager 6.0 | User Guide...
Dell Networking W-ClearPass Policy Manager 6.0 | User Guide...
Page 358
License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. Dell Networking W-ClearPass Policy Manager 6.0 | User Guide...
Page 359
Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
Page 360
Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
Page 361
FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Apache License Version 2.0, January 2004
Page 363
You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement,
Page 364
License. However, in accepting such obligations, You may act only on Your own behalf
* notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * 3. All advertising materials mentioning features or use of this
Page 366
* 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
Page 367
* OF THE POSSIBILITY OF SUCH DAMAGE. * ============================================== * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com).
Page 368
* included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * Copyright remains Eric Young's, and as such any Copyright notices in
Page 369
* documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)"
Page 370
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."