
Dell Powerconnect W-ClearPass Virtual Appliances Quick Start Manual


Contents

1. lt Back to Services Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide Table 9 Posture Policy Navigation and Settings NEU Enl Create a Posture Policy Posture tab gt Enable Validation Check check box gt Add new Internal Policy link gt Name the Posture Policy and specify a general class of operating system Policy tab gt Policy Name freeform PP_ UNIVERSAL gt Host Operating System radio buttons Windows gt When finished working in the Policy tab click Next to open the Posture Plugins tab Select a Validator Posture Plugins tab gt Enable Windows Health System Validator gt Configure button gt Configure the Validator Windows System Health Validator popup gt Enable all Windows operating systems check box gt Enable Service Pack levels for Windows 7 Vista XP Server 2008 Server 2008 R2 and Server 2003 check boxes gt Save button gt Setting Service Authentication Authorization Roles Enforcement Summary Posture Policies Posture Policies Add new Posture Policy Selectto Add y Default Posture Token UNKNOWN 100 Remediate End Hosts Enable auto remediation of non compliant end hosts Remediation URL Posture Servers Posture Servers Add new Posture Serve Select to Add lt accro services next gt E E Configuration Posture Posture Policies Add Posture Policies Posture Plugin
2. gt Upon completion click Next to configure Authentication Services Monitor Mode More Options Type 1 Radius IETF 2 Radius IETF 3 Connection 4 Click to add lt Back to Services 2 Set up Authentication Configuration Services Add Service gt Import Services Export Services Configuration Services Add Authentication Authorization Roles Enforcement Audit Profiler Summary MAC Authentication MAC based Authentication service O Enable to monitor network access without enforcement v Authorization Z Audit End hosts Wi Profile Endpoints Matches ANY or ALL of the following conditions Name Operator Value T Ethernet 15 Wireless 19 802 11 fa 8 Call Check 10 Ba f NAS Port Type BELONGS_TO Service Type EQUALS Client Mac Address EQUALS Radius IETF User Name Ba I Note that you can select any type of authentication authorization source for a MAC Authentication service Only a Static Host list of type MAC Address List or MAC Address Regular Expression shows up in the list of authentication sources of type Static Host List Refer to Adding and Modifying Static Host Lists Adding and Modifying Static Host Lists in the Dell Networking W ClearPass Policy Manager User Guide for more information You can also select any other supported type of authentication source Table 12 Authentication Method Navigation and Settings AEA Enl Select an Authentication Method a
3. that might be taken against it with respect to infringement of copyright on behalf of those vendors. Mar 2013, 0511278-01. Contents: Configuring Policy Manager; Installing Policy Manager; Server Port Overview; Server Port Configuration; A Subset of Useful CLI Commands; Accessing Policy Manager; Accessing Help; Checking Basic Services; 802.1x Wireless Use Case; Configuring the Service; Web Based Authentication Use Case; Configuring the Service; MAC Authentication Use Case; Configuring the Service. Chapter 1: Configuring Policy Manager. This Quick Start Guide for the Dell Networking W-ClearPass Policy Manager System (Policy Manager) describes the steps for installing the appliance using the Command Line Interface (CLI) and using the User Interface (UI) to ensure that the required services are running. Installing Policy Manager: The Policy Manager se
4. 600; Data Bits: 8; Parity: None; Stop Bits; Flow Control: None. 2. Login: Later, you will create a unique appliance cluster administration password. For now, use the preconfigured credentials: login: appadmin, password: eTIPS123. This starts the Policy Manager Configuration Wizard. 3. Configure the appliance: Replace the bolded placeholder entries in the following illustration with your local information. Enter hostname: hyperion.us.arubanetworks.com; Enter Management Port IP Address: 192.168.5.10; Enter Management Port Subnet Mask: 255.255.255.0; Enter Management Port Gateway: 192.168.5.1; Enter Data Port IP Address: 192.168.7.55; Enter Data Port Subnet Mask: 255.255.255.0; Enter Data Port Gateway: 192.168.7.1; Enter Primary DNS: 198.168.5.3; Enter Secondary DNS: 192.168.5.1. 4. Change your password: Use any string of at least six characters: ************ ************. Going forward, you will use this password for cluster administration and management of the appliance. 5. Change system date/time: Do you want to configure system date time information? [y|n]: y. Please select the date time configuration options: 1) Set date time manually; 2) Set date time by configuring NTP servers. Enter the option or press any key to quit: 2. Enter Primary NTP Server: pool.ntp.org; Enter Secondary NTP Server: time.nist.gov. Do you want to configure the timezone? [y|n]: y. Once the tim
5. Default Posture Token Value of the posture token to use if health status is not available Remediate End Hosts When a client does not pass posture evaluation redirect to the indicated server for remediation Remediation URL URL of remediation server 5 Create an Enforcement Policy Because this Use Case assumes the Guest role and the Dell Web Portal agent has returned a posture token it does not require configuration of Role Mapping or Posture Evaluation Es NOTE The SNMP_POLICY selected in this step provides full guest access to a Role of Guest with a Posture of Healthy and limited guest access 22 Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide Table 10 Enforcement Policy Navigation and Settings NEU Enl Add a new Enforcement Policy Enforcement tab gt Enforcement Policy selector SNMP POLICY Upon completion click Save 6 Save the Service Click Save The Service now Service Authentication Authorization Roles Posture Summary Use Cached Results Use cached Roles and Posture attributes from previous sessions Enforcement Policy SNMP Policy Add new Enforcement Policy Enforcement Policy Details Description Default Profile Restricted SNMP VLAN Rules Evaluation Algorithm evaluate all Conditions Enforcement Profiles Tips Role EQUALS Guest 1 AND Tips Posture EQUALS HEALTHY 0 ee EA appears at the bottom of the Services l st Dell Net
6. Dell Networking W-ClearPass Policy Manager 6.0 Quick Start Guide. Copyright Information: Copyright 2013 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System. Dell, the DELL logo, and PowerConnect are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners. Open Source Code: Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source. Legal Notice: The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions
7. Rules tab gt Add Rule button opens popup gt Rules Editor popup gt Conditions Actions match Conditions Select Plugin Select Plugin checks to Actions Posture Token gt In the Rules Editor upon completion of each rule click the Save button gt When finished working in the Rules tab click the Next button Add the new Posture Policy to the Service Back in Posture tab gt Internal Policies selector IPP_ UNIVERSAL XP then click the Add button Policy Posture Plugins Summary Rules Evaluation Algorithm First applicable Conditions Passes all SHV checks Windows System Health Validator Fails one or more SHV checks Windows System Health Validator Add Rule MoveUp MoveDown Rules Editor Select Plugin Checks Passes all SHV checks Select Plugins O windows System Health Validator Posture Token HEALTHY 0 lt Back to Services Service Authentication Authorization Roles Posture Policies Posture Token HEALTHY QUARANTINE Edit Rule Remove Rule id Enforcement Summary Posture Policies IPP_UNIVERSAL Add new Posture Policy Select Default Posture Token UNKNOWN 100 y View Details BR Remediate End Hosts O Enable auto remediation of non compliant end hosts Remediation URL Posture Servers Posture Servers Select lt Back to Services The following fields deserve special mention Add new Posture Server
8. W SK platform. 6. Change the password: Navigate to Administration > Admin Users, then use the Edit Admin User popup to change the administration password. (Screenshot: Admin Users list and Edit Admin User popup.) Accessing Help: The Policy Manager User Guide (in PDF format) is built within the help system here: https://<hostname>/tipshelp/html/en, where <hostname> is the hostname you configured during the initial configuration. All Policy Manager user interface screens have context-sensitive help. To access context-sensitive help, click on the Help link at the top right-hand corner of any screen. Chapter 3: Checking Basic Services. To check the status of service, navigate to Administration > Server Configuration, then click on a row to select a server. The System tab displays server identity and connection parameters. The Service Control tab displays all services and their current status. If a service is stopped, you can use its Start/Stop button (toggle) to restart it. Service Name and Status: Async DB write service: Running; Async network services: Running; DB change notif
9. ab gt v Policy Mapping Rules Summary Rules Eval uati on Al gorithm ra d I 0 b utto n Rules Evaluation Algorithm Select first match O Select all matches Select all matches gt Mu urn nu Conditions Role Name Ad d R ul e b utto n 0 p e n S p 0 p u p gt 1 Authorization AD department CONTAINS engineer Role_Engineer 2 Authorization AD department CONTAINS finance ROLE_FINANCE Ad d R ul e b utto n gt MoveUp MoveDown EditRule Remo Rules Editor popup gt Rules Editor C on d iti ons Acti ons m atc h C 0 n d iti 0 n S to ren gt ANY or ALL of the following conditions Type Name Operator Value Actions drop down list gt Mie sn era va Upon completion of each rule click the er Save button in the Rules Editor gt When you are finished working in the es Guest Mapping Rules tab click the Save button in TACACS API Admin TACACS Help Desk TACACS Network Admi the Mapping Rules tab TAGACS Pond only Advi TACACS Receptionist TACACS Super Admin lt Back to Role Mappings Actions Ad d th e n ew R 0 e M a p p I n g P ol I Cy to th e Service Authentication Authorization Posture Audit Enforcement Summary S e rvi Ce Role Mapping Policy i iv Rss Back in Roles tab gt Role Mapping Policy Detail Description Role Mapping Policy selector RMP_ Default Role Guest Rules Evaluation Algorithm evaluate all DEPARTMENT gt Conditions Ro
10. apping rules appending any match multiple roles acceptable to the request for use by the Enforcement Policy In the event of role mapping failure Policy Manager assigns a default role In this Use Case create the role mapping policy RMP DEPARTMENT that distinguishes clients by department and the corresponding roles ROLE ENGINEERING and ROLE FINANCE to which it maps Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide 15 Table 4 Role Mapping Navigation and Settings Navigation Settings C re ate th e n ew R 0 e M a p p n g P 0 cy Service Authentication Authorization Posture Enforcement Audit Profiler Summary R ol e S ta b gt Role Mapping Policy Select Modify Add new Role Mapping Policy Role Mapping Policy Details Add New Role Mapping Policy link gt Be Default Role Rules Evaluation Algorithm Conditions eae new Roles names only Configuration identity Role Mappings Add Policy tab gt Role Mappings Policy Name freeform ROLE_ENGINEER gt Pro msn rates summary Save button gt Policy Name RMP_DEPARTMENT Repeat for ROLE_FINANCE gt When you are finished working in the Policy Be Guest eee tab click the Next button in the Rules vlore Editor ROLE FINANCE Add New Role Description ROLE_ENGINEER Description Save Cancel Create rules to map client identity to a Role ee Role Mappings Mapping Rules t
11. ata ports: configure ip <mgmt|data> <ipadd> netmask <netmask address> gateway <gateway address>, where the flags and parameters are: ip <mgmt|data> <ip address>: network interface type (mgmt or data) and server IP address; netmask <netmask address>: netmask address; gateway <gateway address>: gateway address. To configure the date (time and time zone optional): configure date -d <date> [-t <time>] [-z <timezone>]. To configure the hostname to the node: configure hostname <hostname>. If you are using Active Directory to authenticate users, be sure to join the Policy Manager appliance to that domain as well: ad netjoin <domain-controller.domain-name> [domain NETBIOS name], where the flags and parameters are: <domain-controller.domain-name>: Required. Host to be joined to the domain; [domain NETBIOS name]: Optional. Chapter 2: Accessing Policy Manager. Use Firefox 3.0 (or higher) or Internet Explorer 7.0.5 (or higher) to perform the following steps: 1. Open the administrative interface: Navigate to https://<hostname>/tips, where <hostname> is the hostname you configured during the initial configuration. 2. Enter License Key. 3. Click on the Activate Now link. You have 28 day s
12. based Service Table 7 Service Navigation and Settings Navigation Settings Create a new Service Services gt Add Service gt Configuration Services Services Add Service Import Services Export Services Name the Service and select a pre configured Service Type Service tab gt Type selector Dell Web Based Authentication gt Name Description freeform gt Upon completion click Next 3 Set up the Authentication lt Back to Services Configuration Services Add Services Authentication Authorization Roles Posture Enforcement Summary Type Web based Authentication Name Description Web Based Authentication for Guests Monitor Mode Enable to monitor network access without enforcement More Options v Authorization Posture Compliance Service Rule Matches ANY or amp ALL of the following conditions Type Name Operator Value 1 Host CheckType 2 Click to add MATCHES_ANY Authentication a Method The Policy Manager WebAuth service authenticates WebAuth clients internally b Source Administrators typically configure Guest Users in the local Policy Manager database 4 Configure a Posture Policy NOTE For purposes of posture evaluation you can configure a Posture Policy internal to Policy Manager a Posture Server external or an Audit Server internal or external Each of the first three use cases demonstrates one of these options Th
13. d Services In thi 802 1X wireless requests Table 1 802 1X Create Service Navigation and Settings NEU Enl Settings s Use Case you select a Service that supports Create a new Service Services gt Add Service link gt Configuration Services Services Add Service gt Import Services Export Services Authentication Authorization Name the Service and select a pre configured Service Type Service tab gt ocr ee Type selector 802 1X Wireless gt Name Description freeform gt Upon completion click Next to Authentication Monitor Mode More Options Service Rule Type Name 1 Radius IETF NAS Port Type 2 Radius IETF Service Type 3 Click to add lt Back to Services The following fields deserve special mention Roles Posture Enforcement Audit Profiler Summary gt 802 1X Wireless Access Service Enable to monitor network access without enforcement 7 Authorization Posture Compliance V Audit End hosts IM Profile Endpoints Matches ANY or ALL of the following conditions Operator Value EQUALS Wireless 802 11 19 Login User 1 Framed User 2 BELONGS_TO Authenticate Only 8 Monitor Mode Optionally check here to allow handshakes to occur for monitoring purposes but without enforcement Service Categorization Rule For purposes of this Use Case accept the preconfigured Service Categorization Rules for thi
14. e Modify Add new Enforcement Policy Enforcement Policy Details Description Enforcement Policy for Unmanaged Clients Default Profile Deny Access Profile Rules Evaluation Algorithm first applicable from previous sessions gt Enforcement Policy selector UnmanagedClientPolicy Conditions Enforcement Profiles Tips Role EQUALS Printers WIRELESS_EMPLOYEE_NETWORK Tips Role EQUALS IP Phones WIRELESS_EMPLOYEE_NETWORK Tips Role EQUALS Handhelds WIRELESS_GUEST_NETWORK When you are finished with your work in this tab click Save Tips Role EQUALS Role Engineer Tips Role EQUALS eTIPS Guest Tips Role EQUALS Unknown Client WIRELESS_EMPLOYEE_NETWORK WIRELESS_GUEST_NETWORK WIRELESS_CAPTIVE_NETWORK Unlike the 802 1X Service which uses the same Enforcement Policy but uses an explicit Role Mapping Policy to assess Role in this use case Policy Manager applies post audit rules against attributes captured by the Audit Server to infer Role s 5 Save the Service Click Save The Service now appears at the bottom of the Services list Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide 27 28 Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide
15. ezone information is entered, you are asked to confirm the selection. 6. Commit or restart the configuration: Follow the prompts: y/Y to continue, n/N to start over again, q/Q to quit. Enter the choice: Y. Successfully configured Policy Manager appliance. Initial configuration is complete. Use the new login password to login to the CLI. Exiting the CLI session in 2 minutes. Press any key to exit now. A Subset of Useful CLI Commands: The CLI provides a way to manage and configure Policy Manager information. Refer to Appendix A: Command Line Interface in the User Guide for more detailed information on the CLI. The CLI can be accessed from the console using a serial port interface, or remotely using SSH. Login banner: Dell W-ClearPass Policy Manager 6.0.2.49062. Logged in as group Local Administrator. appadmin@hyperion.us.arubanetworks.com. The following subset of CLI commands may be useful at this point. To view the Policy Manager data and management port IP address and DNS configuration: show ip. To reconfigure DNS or add a new DNS: configure dns <primary> [secondary] [tertiary]. To reconfigure or add management and d
16. f Web Based Authentication for Guests Service SERVICE Web Based Aulhentication Policy Manager categorizes request by Service Type NO AUTHENTICATION METHOD Policy Manager intemal method authenticates captured Dell Web Portal login Authentication Source AUTHENTICATION SOURCE Local User Repository Validate client identity against the specified source Role Mapping ROLE MAPPING using attributes from AUTHORIZATION SOURCE or using built in Guest role Posture eee Pacer Map client identity to role Evaluation IPP_UNIVERSAL Evaluate posture return Enforcement posture token representing i pi Policy ENFORCEMENT POLICY SNMP_POLICY Based on posture token Enforcement ENFORCEMENT POLICY rolea and system time map Profile Guest_Limited client to an Enforcement Guest Full Profile Return connection attributes representing assigned access to the switch Configuring the Service Perform the following steps to configure Policy Manager for WebAuth based Guest access l Prepare the switch to pre process WebAuth requests for the Policy Manager Dell WebAuth service Refer to your Network Access Device documentation to configure the switch such that it redirects HTTP requests to the Dell Guest Portal which captures username and password and optionally launches an agent that returns posture data Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide 19 Eu 20 2 Create a WebAuth
17. gt ie Role information found in cache on Validate client identity against IL gt second pass on first pass Role Mapping the specified source optional otherwise skip to audit server asas ee D S ma a a n anm k 1 Audit Server POSTURE AUDIT SERVER optional Posture information found incacheon 7 Nessus or NMAP audit with post audit second pass if audit performed by rules cache the results NESSUS server on first pass skip to On second pass after Authentication 5 Audit Server skip to Enforcement Test Posture Evaluate Role ENFORCEMENT POLICY o Enforcement Profile Role Based Access Policy ENFORCEMENT PROFILE Based on posture token VLAN_ENFORCEMENT QUARANTINE roles and system time map VLAN_ENFORCEMENT FULL ACCESS 2 client to an Enforcement Return connection attributes Profile representing assigned access to the switch Enforcement Policy Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide 25 26 Configuring the Service Follow these steps to configure Policy Manager for MAC based Network Device access l Create a MAC Authentication Service Table 11 MAC Authentication Service Navigation and Settings NEU Enl Settings Create a new Service Services gt Add Service link gt Services Name the Service and select a pre configured Service Type Service tab gt Type selector MAC cae Authentication gt Name Description freeform
18. h Policy Manager assigns a default Enforcement Profile Table 6 Enforcement Policy Navigation and Settings Navigation Configure the Enforcement Policy Service Authentication Roles Posture Audit Profiler Summary Enforcem ent ta b gt Use Cached Results Use cached Roles and Posture attributes from previous sessions Enforcement Policy selector Role_ Enforcement Policy Sample Allow Access Policy gt Add new Enforcement Policy Enforcement Policy Details S Description Sample policy to allow network access Based Al l UW Ac C ess Pol l cy Default Profile Allow Access Profile Rules Evaluation Algorithm evaluate all Conditions Enforcement Profiles 3 co ial BELONGS_TO Monday Tuesday Wednesday Thursday Friday Saturday Allow Access Profile lt Back to Services For instructions about how to build such an Enforcement Policy refer to Configuring Enforcement Policies Configuring Enforcement Policies in the Dell Networking W ClearPass Policy Manager User Guide 7 Save the Service Click Save The Service now appears at the bottom of the Services list Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide Chapter 5 Web Based Authentication Use Case This Service supports known Guests with inadequate 802 1X supplicants or posture agents The following figure illustrates the overall flow of control for this Policy Manager Service Figure 2 Flow of Control o
19. ication server: Running; DB replication service: Running; Domain service: Running; Policy server: Running; Radius server: Running; System auxiliary services: Running; System monitor service: Running; Tacacs server: Running. You can also start an individual service from the command line: service start <service name>, or all services from the command line: service start all. The following three use cases illustrate the process of configuring Policy Manager for basic 802.1x, WebAuth, and MAC Bypass Services: 802.1x Wireless Use Case; Web Based Authentication Use Case; MAC Authentication Use Case. Chapter 4: 802.1x Wireless Use Case. The basic Policy Manager Use Case configures a Policy Manager Service to identify and evaluate an 802.1X request from a user logging into a Wireless Access Device. The following image illustrates the flow of control for this Service. Figure 1: Flow of Control, Basic 802.1X Configuration Use Case. Service SERVICE 802.1X Wireless Policy Manager categorizes Authentication request by Service Type Method AUTHENTICATION METHOD 4 methods specified illustrating principle of list from which methods Authentication are tested by Policy Manager i
20. is use case demonstrates the Posture Policy As of the current version Policy Manager ships with five pre configured posture plugins that evaluate the health of the client and return a corresponding posture token To add the internal posture policy IPP_ UNIVERSAL XP which as you will configure it in this Use Case checks any Windows XP clients to verify the most current Service Pack Table 8 Local Policy Manager Database Navigation and Settings Navigation Select the local Policy Manager database Authentication tab gt Sources Select drop down list Local User Repository gt Add gt Strip Username Rules check box gt Enter an example of preceding or following separators if any with the phrase user representing the username to be returned For authentication Policy Manager strips the specified separators and any paths or domains beyond them Upon completion click Next until you reach Enforcement Policy Service Authentication Authorization Roles Posture Enforcement Summary Local User Repository Local SQL DB a Authentication Sources Add new Authentication Source Up Move Down View Details Modify Selectto Add X Y Enable to specify a comma separated list of rules to strip username prefixes or suffixes user If username precedes domain name use user lt separator gt e g user Otherwise use lt separator gt user e g user Strip Username Rules
21. le U po n c 0 m pl eti 0 n c i c k N ext to P 0 stu re 1 Authorization AD department CONTAINS engineer Role_Engineer 2 Authorization AD department CONTAINS finance ROLE_FINANCE 5 Configure a Posture Server Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide NOTE For purposes of posture evaluation you can configure a Posture Policy internal to Policy Manager a Posture Server Es external or an Audit Server internal or external Each of the first three use cases demonstrates one of these options here the Posture Server Policy Manager can be configured for a third party posture server to evaluate client health based on vendor specific credentials typically credentials that cannot be evaluated internally by Policy Manager that is not in the form of internal posture policies Currently Policy Manager supports the following posture server interface Microsoft NPS RADIUS Refer to the following table to add the external posture server of type Microsoft NPS to the 802 1X service Table 5 Posture Navigation and Settings Navigation Setting Ad d a n ew P 0 stu re S e rve F Service Authentication Authorization Roles Enforcement Audit Profiler Summary Posture tab gt a Add new Posture Server button gt Selectto Add Default Posture Token UNKNOWN 100 Remediate End Hosts Enable auto remediation of non compliant end hosts Remediation URL Posture Servers Posture Se
22. learPass Policy Manager 6 0 Quick Start Guide Navigation Settings Guest Device Repository Local SOL DB Endpoints Repository Local SOL DB Onboard Devices Repository Local SOL DB gt Admin User Repository Local SOL DB gt AmigoPod AD Active Directory gt Add gt Upon completion Next to configure Authorization The following field deserves special mention Strip Username Rules Optionally check here to pre process the user name to remove prefixes and suffixes before sending it to the authentication source Es NOTE To view detailed setting information for any preconfigured policy component select the item and click View Details 3 Configure Authorization Policy Manager fetches attributes for role mapping policy evaluation from the Authorization Sources In this use case the Authentication Source and Authorization Source are one and the same Table 3 802 1X Configure Authorization Navigation and Settings Navigation Settings Configure Service level authorization source In this use case there is nothing to configure he lo lat C c k th e N ext b utto n 1 Local User Repository Local SQL DB Local User Repository Local SQL DB U po n c om pl eti on c i c k Next to Rol e Additional authorization sources from saani enni attributes S Mapping Selectto Add 4 Apply a Role Mapping Policy Policy Manager tests client identity against role m
23. n order of priority Source Initiate authentication based on specified method AUTHENTICATION SOURCE 2 sources specified Policy Manager authenticates requests against the sources in order of priority Validate client identity against Role Mapping the specified source ROLE MAPPING using attributes from AUTHORIZATION SOURCES RMP_DEPARTMENT Posture cliant department mapping Evaluation Map client identity to role POSTURE SERVER PS_NPS Enforcement Evaluate posture return Poli posture token representing oucy health ENFORCEMENT POLICY Role Based Allow Access Policy Enforcement x Based on posture token role Profile and system time map client to an Enforcement Profile ENFORCEMENT PROFILES AllowAccess DenyAccess Return connection attributes representing assigned access to the switch Configuring the Service Follow the steps below to configure this basic 802 1X service l Create the Service The following table provides the model for information presented in Use Cases which assume the reader s ability to extrapolate from a sequence of navigational instructions left column and settings in summary form in the right column at each step Below the table we call attention to any fields or functions that may not have an immediately obvious mean ng Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide 13 Es 14 Policy Manager ships with fourteen preconfigure
24. nd two authentication sources one of type Static Host List and the other of type Generic LDAP server that you have already configured in Policy Manager Authentication tab gt Methods This method is automatically selected for this type of service MAC AUTH gt Add gt Sources Select drop down list Handhelds Static Host List and Policy Manager Clients White List Generic LDAP gt Add gt Upon completion Next to Audit 3 Configure an Audit Server Settings Service Authentication Authorization Roles Enforcement Audit Profiler Summary Authentication Methods MAC AUTH Add new Authentication Method Select Authentication Sources Handhelds Static Host List Add new Authentication Source Select Strip Username Rules Ol Enable to specify a comma separated list of rules to strip username prefixes or suffixes lt Back to Services This step is optional if no Role Mapping Policy is provided or if you want to establish health or roles using an audit An audit server determines health by performing a detailed system and health vulnerability analysis Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide NESSUS You can also configure the audit server NMAP or NESSUS with post audit rules that enable Policy Manager to determine client identity Table 13 Audit Server Navigation and Settings Navigation Settings Configure the Audit Server Audit tab gt Audi
25. rver requires initial port configuration
Server Port Overview
[Figure: Policy Manager Backplane. P: Power Button, A: Serial port, B: Management port, C: Data port]
A, B, C as described in the following table:
Port / Description
Serial: Configures the Policy Manager appliance initially, via hardwired terminal.
Management (gigabit Ethernet): Provides access for cluster administration and appliance maintenance via web access, CLI, or internal cluster communications. Configuration required.
Data (gigabit Ethernet): Provides point of contact for RADIUS, TACACS, Web Authentication and other data-plane requests. Configuration optional. If not configured, requests redirected to the management port.
Server Port Configuration
Before starting the installation, gather the following required information:
Required Item / Information
Hostname (Policy Manager server)
Data Port IP Address (optional): Data Port IP Address must not be in the same subnet as the Management Port IP Address
Data Port Subnet Mask (optional)
To set up the Policy Manager appliance:
1. Connect and power on
Using the null modem cable provided, connect a serial port on the appliance to a terminal, then connect power and switch on. The appliance immediately becomes available for configuration. Use the following parameters for the serial port connection: Bit Rate 9
26. rvers Select to Add
Configure Posture settings: Posture Server tab >
Name (freeform): PS_NPS
Server Type (radio button): Microsoft NPS
Default Posture Token (selector): UNKNOWN
Next (to Primary Server)
Configure connection settings: Primary/Backup Server tabs > Enter connection information for the RADIUS posture server.
Next button (from Primary Server to Backup Server)
To complete your work in these tabs, click the Save button.
Add the new Posture Server to the Service: Back in the Posture tab > Posture Servers (selector): PS_NPS, then click the Add button.
Click the Next button.
[Screenshot residue: Posture Server, Primary Server, Backup Server, Summary tabs; RADIUS Server Name; Timeout (seconds). Service, Authentication, Authorization, Enforcement, Audit, Profiler, Summary tabs; Default Posture Token: UNKNOWN (100); Remediate End Hosts: Enable auto-remediation of non-compliant end hosts; Remediation URL; Add new Posture Policy; Posture Servers: PS_NPS [RADIUS]; Add new Posture Server]
6. Assign an Enforcement Policy
Enforcement Policies contain dictionary-based rules for evaluation of Role, Posture Tokens, and System Time to Evaluation Profiles. Policy Manager applies all matching Enforcement Profiles to the Request. In the case of no matc
27. s Rules Summary
[Screenshot residue: Policy Name: PP_UNIVERSAL; Description; Posture Agent: NAP Agent / OnGuard Agent (Persistent or Dissolvable); Host Operating System: Windows / Linux / Mac OS X. Posture Plugins, Rules, Summary tabs. Select one or more plugins (Plugin Name / Plugin Configuration / Status): ClearPass Windows Universal System Health Validator (Configure, View); Windows System Health Validator (View, Not Configured); Windows Security Health Validator (Configure).]
[Screenshot residue, Windows System Health Validator: Client computers can connect to your network, subject to the following checks. Windows 7: Windows 7 clients are allowed; Restrict clients which have Service Pack less than. Windows Vista: Windows Vista clients are allowed; Restrict clients which have Service Pack less than. Windows XP: Windows XP clients are allowed; Restrict clients which have Service Pack less than. Windows Server 2008: Windows Server 2008 clients are allowed; Restrict clients which have Service Pack less than. Windows Server 2008 R2: Windows Server 2008 R2 clients are allowed; Restrict clients which have Service Pack less than. Windows Server 2003: Windows Server 2003 clients are allowed.]
Navigation: When finished working in the Posture Plugin tab, click Next to move to the Rules tab.
Set rules to correlate validation results with posture tokens
28. s Type
2. Configure Authentication
Follow the instructions to select EAP FAST, one of the pre-configured Policy Manager Authentication Methods, and Active Directory Authentication Source (AD), an external Authentication Source within your existing enterprise.
NOTE: Policy Manager fetches attributes used for role mapping from the Authorization Sources (that are associated with the authentication source). In this example, the authentication and authorization source are one and the same.
Table 2 Configure Authentication Navigation and Settings
Navigation / Settings
Select an Authentication Method and an Active Directory server (that you have already configured in Policy Manager): Authentication tab >
Methods (Select a method from the drop-down list) > Add >
Sources (Select drop-down list): Local User Repository [Local SQL DB], Guest User Repository [Local SQL DB]
[Screenshot residue: Service, Authentication, Authorization, Roles, Posture, Enforcement, Audit, Profiler, Summary tabs. Authentication Methods: EAP PEAP, EAP FAST, EAP TLS, EAP TTLS (Select to Add; Add new Authentication Method). Authentication Sources: Local User Repository [Local SQL DB] (Select to Add; Add new Authentication Source). Move Up, Move Down, Remove, View Details, Modify. Strip Username Rules: Enable to specify a comma-separated list of rules to strip username prefixes or suffixes. < Back to Services]
Dell Networking W C
29. t End Hosts (enable) > Audit Server (selector): NMAP
Trigger Conditions (radio button): For MAC authentication requests
Reauthenticate client (check box): Enable
[Screenshot residue: Service, Authentication, Authorization, Roles, Audit, Enforcement, Profiler, Summary tabs. Audit Server: Nmap Audit (View Details; Add new Audit Server). Audit Trigger Conditions: Always / When posture is not available / For MAC authentication request (For known end hosts only / For unknown end hosts only / For all end hosts). Action after audit: No Action / Do SNMP bounce / Trigger RADIUS CoA action.]
Upon completion of the audit, Policy Manager caches Role (NMAP and NESSUS) and Posture (NESSUS), then resets the connection (or the switch reauthenticates after a short session timeout), triggering a new request, which follows the same path until it reaches Role Mapping/Posture/Audit; this appends cached information for this client to the request for passing to Enforcement.
Select an Enforcement Policy
4. Select the Enforcement Policy Sample Allow Access Policy
Table 14 Enforcement Policy Navigation and Settings
Navigation / Settings
Select the Enforcement Policy: Enforcement tab >
Use Cached Results (check box): Select Use cached Roles and Posture attributes from previous sessions
Enforcement Policy: UnmangedClientPolicy
30. to activate the product
[Screenshot residue: Activate Now; Username; Password; User Type: Local / Network]
4. Activate the product
If the appliance is connected to the Internet, click on the Activate Now button. If not, click on the Download button to download the Activation Request Token. Contact Dell Support and provide your technician with the downloaded token in an email attachment. Once you receive the Activation Key from Dell Support, save it to a known location on your computer. Come back to this screen and click on the Browse button to select the Activation Key. Upload the key by clicking on the Upload button. The product is now activated.
[Screenshot residue: You have 87 day(s) to activate the product. Online Activation. Offline Activation: If you are not connected to the Internet, you can download an Activation Request Token and obtain the Activation Key offline. Step 1: Download an Activation Request Token. Email the Activation Request Token to Dell Support (see dell.com/support). Upload the Activation Key received from Dell Support. Step 2: Update License.]
Dell Networking W ClearPass Policy Manager 6 0 Quick Start Guide
5. Login
Username: admin
Password: eTIPS123
[Screenshot residue: ClearPass Policy Manager login page (Username, Password, Login); ClearPass Insight, ClearPass Guest, ClearPass Onboard. Copyright 2013 Aruba Networks. All rights reserved. ClearPass Policy Manager 6 1 0 47876 on CP H
31. working W ClearPass Policy Manager 6 0 Quick Start Guide
Chapter 6 MAC Authentication Use Case
This Service supports Network Devices, such as printers or handhelds. The following image illustrates the overall flow of control for this Policy Manager Service. In this service, an audit is initiated on receiving the first MAC Authentication request. A subsequent MAC Authentication request (forcefully triggered after the audit, or triggered after a short session timeout) uses the cached results from the audit to determine posture and role(s) for the device.
Figure 3 Flow of Control of MAC Authentication for Network Devices
Note regarding color coding: This service optionally gathers information (via Audit Server) on the first pass, then re-authenticates the client after a short session timeout on the second pass. It re-authenticates, allowing Policy Manager to use Role and Posture information from cache to perform Enforcement.
[Figure residue, flow of control: SERVICE (Mac Auth Bypass): Policy Manager categorizes request by Service Type. AUTHENTICATION METHOD (MAC Auth): initiate authentication based on specified method. AUTHENTICATION SOURCE: for MAC Bypass, one option is a Static Hosts List (SHL), or can be any other supported authentication source. ROLE MAPPING (optional) A S
