Dell Powerconnect W-ClearPass Hardware Appliances Deployment Guide
Contents
1. Role Based Access Control for Multiple Operator Profiles; Operator Profiles; Creating an Operator Profile; Configuring the User Interface; Customizing Forms and Views; Operator Profile Privileges; Managing Operator Profiles; Configuring AirGroup Operator Device Limit; Local Operator Authentication; Creating a New Operator; External Operator Authentication; Manage LDAP Operator Authentication Servers; Creating an LDAP Server
2. Email Receipts and SMTP Services; About Email Receipts; Configuring Email Receipts; Email Receipt Options; About Customizing SMTP Email Receipt Fields; Customizing Print Templates; Creating New Print Templates; Print Template Wizard; Modifying Wizard Generated Templates; Setting Print Template Permissions; Customize SMS Receipt; SMS Receipt Fields; Configuring Access Code Logins (Dell Networking W-ClearPass Guest 6.0 Deployment Guide)
3. Configuring Certificate Properties for Device Provisioning; Configuring Revocation Checks and Authorization; Configuring Provisioning Settings for iOS and OSX; Configuring Instructions for iOS and OSX; Configuring Reconnect Behavior for iOS and OSX; Configuring Provisioning Settings for Legacy OS X Devices; Configuring Provisioning Settings for Windows Devices; Configuring Provisioning Settings for Android Devices; Configuring Options for Legacy OS X, Windows, and Android Devices; Configuring Network Settings for Device Provisioning; Configuring Basic Network Access Settings; Configuring 802.1X Authentication Network Settings; Configuring Device Authentication Settings
4. OS X 10.5/6 Devices: Enable OS X 10.5 (Leopard) and 10.6 (Snow Leopard) device provisioning. Downloads and executes an OS X application on a user's device to complete provisioning. Instructions: These options control the text shown during provisioning for OS X 10.5/6 (Leopard/Snow Leopard) devices. Before Provisioning: {nwa_text id=10893}<p>To apply the network profile, you need to download and start the QuickConnect application.</p>{/nwa_text} {assign var=link_text value=10899|NwaText:"Download and start the QuickConnect network configuration application"} {assign var=link_command value=10898|NwaText:"Start QuickConnect"} These instructions are shown to the user before they provision an OS X 10.5/6 (Leopard/Snow Leopard) device. Enter the HTML code to display. Smarty template functions can be used here. Leave this field empty to use the default instructions. After Provisioning: {nwa_text id=10892}<p>QuickConnect will now apply the network profile to your device.</p>{/nwa_text} These instructions are shown to the user after they have provisioned an OS X 10.5/6 (Leopard/Snow Leopard) device. Enter the HTML code to display. Smarty template functions can be used here. Leave this field empty to use the default instructions. 2. To enable provisioning OS X 10.5 and 10.6 devices, mark the check box in the OS X 10.5/6 Devices row.
5. Creating a New Transaction Processor; Managing Existing Transaction Processors; Managing Customer Information; Managing Hotspot Invoices; Customizing the User Interface; Customizing Visitor Sign Up Page One; Customizing Visitor Sign Up Page Two; Customizing Visitor Sign Up Page Three; Viewing the Hotspot User Interface; Administration; AirGroup Services; Configuring the AirGroup Services Plugin; Creating AirGroup Administrators
6. The plain text format print template to use when generating an SMS receipt. Rank: Rank ordering number for this receipt action. Action Icon: Optional custom icon to use for this receipt action. Action Text: Optional custom label to use for this receipt action. These options under Enabled are available to control delivery of SMS receipts:
   - Disable sending guest receipts by SMS: SMS receipts are never sent for a guest registration.
   - Always auto-send guest receipts by SMS: An SMS receipt is always generated using the selected options, and will be sent to the visitor's phone number.
   - Auto-send guest receipts by SMS with a special field set: If the Auto-Send Field is set to a non-empty string or a non-zero value, an SMS receipt will be generated and sent to the visitor's phone number. The auto-send field can be used to create an opt-in facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.
   - Display a link enabling a guest receipt via SMS: A link is displayed on the receipt page; if the visitor clicks this link, an SMS receipt will be generated and sent to the visitor's phone numb
7. The page title to display on the login page. Header HTML: {if $errmsg}{nwa_icontext type=error}{$errmsg|escape}{/nwa_icontext}{/if}<p>Please login to the network using your ClearPass username and password.</p> HTML template code displayed before the login form. Footer HTML: <p>Need an account? <a href="{$gsr.metadata.register_page|rawurlencode}.php?{$smarty.server.QUERY_STRING|rawurlencode}">Click Here</a></p> HTML template code displayed after the login form. The login message page is displayed after the login form has been submitted, while the guest is being redirected to the NAS for login. The title and message displayed on this page can be customized. Network Login In Progress. Title: The page title to display while logging into the NAS. Please wait while you are logged into the network. Login Message: HTML template code displayed while the login attempt is in progress. The login delay can be set; this is the time period, in seconds, for which the login message page is displayed. Automatic Login: Options controlling automatically logging in from the receipt form. The time in seconds to delay while displaying the login message. Sav
8. [Screenshot: guest account list with Username, Role, State, Activation and Expiration columns, showing 1-9 of 9 accounts.] The Username, Role, State, Activation, and Expiration columns display information about the visitor accounts that have been created. The value in the Expiration column is colored red if the account will expire within the next 24 hours. The expiration time is additionally highlighted in boldface if the account will expire within the next hour. In addition, icons in the Username column indicate the account's activation status:
   - Visitor account is active
   - Visitor account was created but is not activated yet
   - Visitor account was disabled by Administrator
   - Visitor account has expired
   - Visitor account was deleted
   You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for sea
9. The guest self-registration process is displayed in graphical form, shown below in Figure 28. The workflow for the guest is shown using solid orange arrows, while the administrator workflow is shown with dotted blue arrows. To access this page in the WebUI:
   1. Navigate to Configuration > Guest Self-Registration.
   2. Select an entry in the Guest Self-Registration list, then click Edit.
   3. The Customize Guest Registration workflow page appears, as shown below.
   [Figure 28: Guest Self-Registration Workflow Diagram]
   A guest self-registration page consists of many different settings, which are divided into groups across several pages. Click an icon or label in the diagram to jump directly to the editor for that item. Configuring Basic Properties for Self Registration C
10. [Table of certificate type icons]
   - Root certificate (ca): Self-signed certificate for the certificate authority.
   - Intermediate certificate: Issued by the root CA or another intermediate.
   - Profile signing certificate (profile signing): Issued by the certificate authority.
   - Certificate signing request (tls client or trusted): The type shown depends on the kind of certificate requested.
   - Rejected certificate signing request (tls client or trusted).
   - Device certificate: Issued to iOS and OS X 10.7 devices only.
   - Client certificate: Identity certificate issued to a specific user's device.
   - Server certificate: Identity certificate issued to a server.
   - Code signing certificate: Used for signing the Windows provisioning application.
   - Revoked certificate: Certificate that has been administratively revoked and is no longer valid.
   - Expired certificate: outside its validity period and
   Searching for Certificates in the List: The Filter field can be used to quickly search for a matching certificate. Type a username into this field to locate all certificates matching that username quickly. The filter is applied to all columns displayed in the list view. To search by another field, such as MAC address, device type, or device serial number, click the Columns tab, select the appropriate column(s), and then click the Save and Reload button. The list view will refresh to update the results of the filter. Click the Clear Filter li
11. 5. To preview and verify the appearance of the email receipt, you can send yourself or another person a test message. In the Test Mail Settings area, enter the test message recipient's email address, then click Send Test Message. The test message is sent immediately.
   Figure 31: Example of Email Receipt Test Message Content. "Welcome Test Receipt, your account has been created and is now ready to use. WiFi Network: Aruba. Visitor Account and Wi-Fi Instructions: Make sure your wireless adapter is set to dynamically obtain an IP address. Connect to the wireless network: Aruba. Enter credentials: Username: test@example.com, Password: password. Account expires: Friday, December 7, 2012, 12:32. Copyright © 2012 Aruba Networks, Inc. All rights reserved."
   6. When all fields on the form are completed, click Save and Close.
   About Customizing SMTP Email Receipt Fields: The behavior of email receipt operations can be customized with certain guest account fields. You do this on a per-user basis. smtp_enabled: This field may be set to a non-zero value to enable sending an email receipt. If unset, the default value from the email receipt configuration is used. The special values _Auto (Always auto-send guest receipts by email), _AutoField (Auto-send guest receipts by email with a special field set), _Click (Display a link enabling a guest receipt via email), and _Cc (Send an email to a list of fixed addresses) may also
12. 9. To commit your changes and create the device, click Create MAC. The Account Details and print options are displayed. For more information, see Viewing and Printing Device Details on page 49.
   Creating Devices During Self-Registration (MAC Only): This section describes how to configure a guest self-registration so that it creates a MAC device account. Once the guest is registered, future authentication can take place without the need for the guest to enter their credentials. A registration can be converted to create a MAC device instead of standard guest credentials. This requires a vendor passing a mac parameter in the redirect URL. ClearPass Guest does not support querying the controller or DHCP servers for the client's MAC based on IP. To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row, click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth in the list, click the Customize fields link above the list. Click the Edit link in the field's row. In the Define Custom Field form, edit the registration form fields:
   - Add or enable mac. UI: Hidden field. Field Required: checked. Validator: IsValidMacAddress.
   - Add or enable mac_auth. UI: Hidden field.
   Any other expiration options, role choice, surveys, and so on can be entered as usual.
13. Checks that the value is a valid IP address or hostname, which may optionally include a port number specified with the syntax hostname:port.
   - IsValidIpAddr: Checks that the value is a valid IP address.
   - IsValidLdapAttribute: Checks that the value is a valid LDAP attribute name; that is, a string that starts with a letter and which contains only letters, numbers, underscore (_) and hyphen (-).
   - IsValidNetmask: Checks that the value is a valid network mask in dotted-quad notation; that is, an IP address such as 255.255.255.128 that contains a single string of N 1 bits followed by (32 - N) 0 bits.
   - IsValidNumber: Checks that the value is numeric; that is, an integer or a decimal value. The validator argument may be an array containing one or more of the following additional options: no_negative (if set to true, negative numbers are not accepted as a valid value); no_zero (if set to true, zero is not accepted as a valid value); only_integer (if set to true, decimal numbers are not accepted and only integer values are valid).
   - IsValidPassword2: Checks that the value is a valid password that satisfies certain requirements. The validator argument must be an array describing which of the following requirements to check. To perform any password checking, the minimum_length and complexity_mode fields must be specified.
14. In a cluster of CPPM servers, devices can be onboarded through any node or authenticated through any node. Each CPPM server has a different certificate, used for both SSL and RADIUS server identity. In the default configuration, these are self-signed certificates; that is, they are not issued by a root CA. This configuration of multiple self-signed certificates will not work for Onboard. Although a single self-signed certificate can be trusted, multiple self-signed certificates are not. There are two ways to configure a common root CA to issue all the CPPM server certificates for a cluster:
   - Use the Onboard certificate authority. Create a certificate signing request on each CPPM node, sign the certificates using Onboard, and install them in CPPM. You can then onboard devices on any node in the cluster, and can perform secure EAP authentication from a provisioned device to any node in the cluster.
   - Use a commercial certificate authority to issue CPPM server certificates. Verify that the same root CA is at the top of the trust chain for every server certificate, and that it is the trusted root certificate for Onboard. Provisioning and authentication will then work across the entire cluster.
   Revoking Unique Device Credentials: Because each provisioned device uses unique credentials to access the network, it is possible to disable network access for an individual device. This offers a greater degree of control than traditional user bas
15. 3. In the Display Function drop-down list, select NwaExplodeComma. The form expands to include the Display Param and Display Arguments rows. 4. In the Display Param text field, enter the value _self. Be sure to include the leading underscore character. Click Save Changes.
   Example: If the layout is set to vertical and the following options are specified: AP Group Location 1 Location One; AP Group Location 2 Location Two; AP Location 3 Location Three. The user interface appears as follows:
   [Screenshot: Register Shared Device form. Device Name: LibraryPrinter2 (Enter a name to identify the device). MAC Address: AA:BB:CC:DD:EE:FF (Enter the MAC address of the device). Shared Locations: check boxes for Location One, Location Two, and Location Three (Select the location IDs where this device will be shared. Leave blank to share with all locations). Shared With: Enter up to 10 usernames that will be able to use this device. Use a comma-separated list (e.g. user1, user2, user3) or blank for all users. Shared Roles: List the user roles that will be able to use this device. Use a comma-separated list (e.g. role1, role2, role3) or blank for all roles.]
   Customizing Forms and Views: You are able to view a list of forms and views. From this list view you can change the layout of forms or views, add new fields to a form or view, or alter the behavior
16. To disconnect multiple sessions, click the Manage Multiple tab. The form expands to include the Manage Multiple Sessions form. For more information, see Disconnecting Multiple Active Sessions on page 62.
   - To view and work with the guest accounts associated with a session, click the session's row in the list, then click its List Accounts link. The Guest Manager Accounts view opens. See Managing Guest Accounts on page 34 for more information.
   - To display only sessions that meet certain criteria, click the Filter tab. For more information, see Filtering the List of Active Sessions on page 61.
   - To send SMS notifications to visitors, click the SMS tab. For more information, see Sending Multiple SMS Alerts on page 63.
   - To include additional fields in the Active Sessions list, or delete fields from it, click the More Options tab. The Customize View Fields page opens. For more information, see Editing Forms on page 152.
   - You can use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.
   Session States: A session may be in one of three possible states:
   - Active: An active session is one for which the RADIUS server has received an accounting start message and has not received a stop message, which indicates that service is be
17. 3. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 4. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. You may use the Insert content item drop-down list to add an image file or other content item. 6. When your entries are complete in this tab, click Save Changes. You can click Next to continue to the next tab, or Previous to return to the previous tab.
   Configuring Provisioning Settings for Windows Devices: To specify provisioning settings related to Windows devices: 1. Go to Onboard > Provisioning Settings, and click the Windows tab.
   [Screenshot: Device Provisioning Settings form with tabs General, iOS & OS X, Legacy OS X, Windows, Android, and Onboard Client.] Windows Provisioning: These options control Windows device provisioning. Windows Devices: Enable Windows XP, Vista, and 7 or later device provisioning. Downloads and executes a Windows application on a user's device to comp
18. A field that is currently in use on a form or view may not be deleted.
   Displaying Forms that Use a Field: Click the Show Forms link to see a list of forms that use the selected field. The list displays the forms that use the selected field. It also allows you to edit the form's fields by clicking on the Edit Fields link. Clicking on the Use link opens the form using that field. If the field is used on multiple forms, you are able to select which form you would like to view.
   Displaying Views that Use a Field: You are able to click the Show Views link to see a list of views that use the selected field. The list displays the views that use the selected field. It also allows you to edit the view's fields by clicking on the Edit Fields link. Clicking on the Use link displays the view. If the field is used on multiple views, you are able to select which view you would like to see.
   Customizing AirGroup Registration Forms: AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. If AirGroup Services is enabled, AirGroup administrators can provision their organization's shared devices and manage access, and AirGroup operators can register and provision a limited number of their own personal devices for sharing. For complete AirGroup deployment information, refer to the AirGroup Deployment Guide and the ClearP
19. - Always auto-send guest receipts by email: An email receipt is always generated using the selected options, and will be sent to the visitor's email address.
   - Auto-send guest receipts by email with a special field set: If the Auto-Send Field is set to a non-empty string or a non-zero value, an email receipt will be generated and sent to the visitor's email address. The auto-send field can be used to create an opt-in facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.
   - Display a link enabling a guest receipt via email: A link is displayed on the receipt page; if the visitor clicks this link, an email receipt will be generated and sent to the visitor's email address.
   - Send an email to a list of fixed addresses: An email receipt is always generated using the selected options, and will be sent only to the list of email addresses specified in the Copies To field.
   Configuring Email Receipts: You can configure the default settings used when generating an email receipt by going to Configuration > Email Receipt. Email Receipt: Configure the settings to use when emailing visitor account receipts. See Email Receipt Options on page 190 for details about the email receipt options. Email Receipt Option
20. [Screenshot: Exchange ActiveSync Settings form.] General Settings: Common settings for the Virtual Private Network. Add this ActiveSync configuration to the device profile: Select this option to include this configuration in the device profile. Account Name: Name for the Exchange ActiveSync account. ActiveSync Host: Hostname or IP address of the server the device will connect to. A hostname will only be accepted if the corresponding IP address can be resolved. Use SSL: Send all communication through secure socket layer. Select this option to ensure that communications are encrypted. Account Settings: These options configure user account. Account Details: User provided (entered by user on device). Select how user account information is to be supplied. Sync Settings: These options configure mail synchronization. Days of Mail: 3 days. The number of past days of mail to synchronize.
   Mark the Add this ActiveSync configuration to the device profile check box to enable email account provisioning. The Account Name text field specifies the name for this email account. This will be displayed on the device in the Settings app, and also within the Mail app to identify the mailbox. To help the user identify this mailbox easily, include your organization's name in the Account Name field. For example, use ACME Sprockets Mail. In the Account Settings
21. - Duration from seconds: The value of the field is assumed to be a time period measured in seconds, and is displayed as a duration (for example, "23 seconds", "45 minutes").
   - Duration from minutes: The value of the field is assumed to be a time period measured in minutes, and is displayed as a duration (for example, "45 minutes", "12 hours").
   - Use form options: The value of the field is assumed to be one of the keys from the field's option list. The value displayed is the corresponding value for the key.
   - Custom expression: The Display Expression text area is displayed, allowing a custom JavaScript expression to be entered. See View Display Expression Technical Reference on page 303 for technical information about this display expression and a list of the functions that are available to format the value.
   The Display Expression is a JavaScript expression that is used to generate the contents of the column. Generally, this is a simple expression that returns an appropriate piece of data for display, but more complex expressions can be used to perform arbitrary data processing and formatting tasks.
   Customizing Self-Provisioned Access: Guest self-registration allows an administrator to customize the process for guests to create their own visitor accounts. Guest Self-Registration: Create and manage processes and forms for guest sel
22. Collapse: Hide when no options are selectable. Select this option to automatically hide the form field when only one choice is available. Layout: Layout mode for the checklist options. The Vertical and Horizontal layout styles control whether the radio buttons are organized in top-to-bottom or left-to-right order. The default is Vertical if not specified.
   - Static text: The field's value is displayed as a non-editable text string. An icon image may optionally be displayed before the field's value. A hidden element is also included for the field, thereby including the field's value when the form is submitted. [Screenshot: Sample Field, "This is a sample field."] If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.
   [Screenshot: Form Field Editor.] User Interface: Static text. The kind of user interface element to use when entering or editing this field. Label: Sample Field. Label for this field to display on the form. Description: This is a sample field. Descriptive text for this field, displayed with the user interface element. CSS Class: Optional CSS class name to apply to this form field. CS
23. [Screenshot: LDAP server list with columns Name, Priority, Server Type, and Default Profile; three Active Directory servers at priority 50 with the default profile IT Administrators.] Select any of the LDAP servers in the list to display options to perform the following actions on the selected server:
   - Edit: Opens the Server Configuration form, where you can make changes to the properties of the LDAP server.
   - Delete: Removes the server from the LDAP server list.
   - Duplicate: Creates a copy of an LDAP server. You can then click the Edit link to open the Server Configuration form and use the original server's properties as a template for creating a new server.
   - Disable: Temporarily disables a server while retaining its entry in the server list.
   - Enable: Re-enables a disabled LDAP server.
   - Ping: Sends a ping message (echo request) to the LDAP server to verify connectivity between the LDAP server and the ClearPass Guest server.
   - Test Auth: Adds a Test Operator Login area in the LDAP servers form that allows you to test authentication of operator login values.
   - Test Lookup: Adds a Test Operator Lookup form in the LDAP servers list that allows you to look up sponsor names. This option is only available
24. Offers full Internet access at 256 kbit/sec.
   - To create or edit an existing plan, see Editing or Creating a Hotspot Plan on page 207.
   - To delete a plan, click the Delete button in the plan's row. When a plan is deleted, it is not possible to undo the deletion.
   Editing or Creating a Hotspot Plan: When you create or edit a hotspot plan, you can customize which plans are available for selection and any of the plan's details, such as its description, cost to purchase, allocated role, and the format of the customer's generated username and password. 1. To create or edit a plan, first go to Configuration > Hotspot Manager > Manage Plans, then:
   - To create a new plan, click the Create Hotspot plan link in the upper right corner. The Create Hotspot Plan form opens.
   - To edit a plan, click the Edit link in the plan's row. The Edit Hotspot Plan form opens.
   The procedures are the same for both the Create Hotspot Plan and the Edit Hotspot Plan forms.
   [Screenshot: Edit Hotspot Plan form.] Plan Details: Describe your Hotspot plan. Plan Name: Hourly Access. The name of the plan. Hotspot customers choose a plan based on its name. Description: Wireless access charged at 2.95 per hour. Offers full Internet acces Descript
25. [Screenshot: guest account list showing Access Code accounts]

Customize the Guest Accounts Form

Next, modify the Guest Accounts form to add a flag that allows access-code-based authentication.

[Screenshot: Edit Fields list with the username_auth checkbox field selected and the options Edit, Edit Base Field, Remove, Insert Before, Insert After, and Disable Field]

Navigate to Configuration > Forms & Views. In the Customize Forms & Views list, select create_multi and then click Edit Fields. In the Edit Fields list, look for a field named username_auth. If the field exists but is not bolded and enabled, select it and click Enable Field. If the field does not exist, select any field in the list (for example, num_accounts) and select Insert After. Click the Field Name drop-down list, select username_auth, and allow the page to refresh. The defaults should be acceptable, but feel free to customize the label or description. Click Save Changes to save your settings. Once the field is enabled or inserted, you should see it bolded in the list of fields.

Create the Access Code Guest Accounts

Once the account fields have been customized, you can create new accounts.
26. [Screenshot: Windows Networking Settings form (these settings are only applicable to Windows devices), with the fields NAP Services, Admin Username, Admin Password, IP Address, DNS, DNS Registration, Windows XP Networking, Notification Icon, and Notify Connectivity]

Network Access Protection (NAP) is a feature in Windows Server 2008 that controls access to network resources based on a client computer's identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access. Deploying NAP requires a NAP-compatible authentication server so that appropriate policies may be implemented base
27. The most practical use for this capability is to hide a form field until a certain value of some other related field has been selected. For example, the default create_user form has an Account Expiration drop-down list. One of the values in this list is special: the -1 option displays the value "Account expires at a specified time".

[Screenshot: Account Expiration drop-down list with "Account expires at specified time" selected]

When this option is selected, the form expands to include the Expires After row, allowing the user to specify a time other than one of the options in the list. The expire_time field uses the JavaScript expression expire_after.value < 0 for the Visible If option. When the -1 option has been selected, this condition will become true and the field will be displayed. Additional examples of the Visible If conditional expressions can be found in the guest_edit form.

Editing Views

A view consists of one or more columns, each of which contains a single field. You can change which fields are displayed and how each field is displayed. You can also define your own fields using the C
28. [Screenshot: Android provisioning settings form showing the Before Profile Install and After Provisioning text boxes, each containing Smarty template code]

6. In the Before Profile Install text box, enter the instructions that are shown to the user before they install the network profile on their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
7. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as
29. {if $guest_receipt.u.username}<div style="display:none">{/if}

and the first line of the footer be:

{if $guest_receipt.u.username}</div>{/if}

Active Sessions Management

The RADIUS server maintains a list of active visitor sessions. If your NAS equipment has RFC 3576 support, the RADIUS dynamic authorization extensions allow you to disconnect or modify an active session.

To view and manage active sessions for the RADIUS server, go to Guest > Active Sessions. The Active Sessions list opens. You can use this list to modify, disconnect or reauthorize, or send SMS notifications for active visitor sessions, manage multiple sessions, or customize the list to include additional fields.

[Screenshot: Active Sessions list with columns Username, IP Address, MAC Address, Session Start, Session Time, and Traffic, and the row options Show Details, Disconnect, Reauthorize, and List Accounts]
30. Resolution: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate. Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate authority, will cause iOS device provisioning to fail with the message "The server certificate for is invalid".

A workaround for this issue is to install an appropriate root certificate on the iOS device. This root certificate must be the Web server's SSL certificate (if it is a self-signed certificate), or the certificate authority that issued the SSL certificate. This is not recommended for production deployments, as it increases the complexity of deployment for users with iOS devices.

Chapter 5: Configuration

Dell Networking W-ClearPass Guest's built-in Configuration editor lets you customize many aspects of the appearance, settings, and behavior of the application. Areas you can customize include:
• Guest Manager configuration
• Fields, forms, and views in ClearPass Guest
• Guest self-registration processes and forms
• Format and appearance of visitor account receipts
• Settings for emailing visitor account receipts
• Self-provisioning features of your wireless network
• Content asset management
• Visitor account provisioning services for IP phones
• SMS visitor account
31. looked up automatically from the RADIUS Access-Request Framed-IP-Address attribute. See GetTraffic on page 274 for details on how to specify the time interval. See GetIpAddressTraffic on page 272 for additional details on the $ip_addr argument.

GetIpAddressTime

GetIpAddressTime($ip_addr, $from_time = null, $to_time = null)

Calculate sum of session times in a specified time interval. The IP address is looked up automatically from the RADIUS Access-Request Framed-IP-Address attribute. See GetTraffic on page 274 for details on how to specify the time interval. See GetIpAddressTraffic on page 272 for additional details on the $ip_addr argument.

GetIpAddressTraffic

GetIpAddressTraffic($ip_addr, $from_time = null, $to_time = null, $in_out = null)

Calculate sum of traffic counters in a time interval. The IP address used is determined based on the context. If processing a RADIUS Access-Request, the IP address is determined using the Framed-IP-Address attribute. If processing a HTTP request, the current client IP address is assumed (from $_SERVER['REMOTE_ADDR']). Specifying an empty value for the IP address (such as null, false, or empty string) also causes the current client IP address to be used. See GetTraffic on page 274 for details on how to specify the time interval.

GetSessions

GetSessions($criteria, $f
32. {nwa_nav type=simple}{/nwa_nav} (this generates the HTML)

Block types can be one of the following types:
• enter_level1_item
• enter_level2_item
• enter_level3_item
• exit_level1_item
• exit_level2_item
• exit_level3_item
• between_level1_items
• between_level2_items
• between_level3_items
• level1_active
• level1_inactive
• level2_active
• level2_inactive
• level2_parent_active
• level2_parent_inactive
• level3_active
• level3_inactive
• enter_level1
• enter_level2
• enter_level3
• exit_level1
• exit_level2
• exit_level3

nwa_plugin

{nwa_plugin …}

Smarty registered template function. Generates plugin information based on the parameters specified.

Specifying which plugin:
• The id parameter specifies a plugin ID.
• The name parameter specifies a plugin name or plugin filename.
• The page parameter specifies a page name provided by the plugin.
• The privilege parameter specifies a privilege defined by the plugin.
• If none of the above is specified, the default is the same as specifying the page parameter with the current script name as argument (that is, the current page).

Specifying the output:
• The notfound parameter specifies the return value if the plugin was not found (default is the empty string).
• The output parameter specifies the metadata field to return. If output is not s
33. then no receipt is sent. If it is "_Enabled", then continue processing. If it is any other value, assume the auto-send field is the name of another guest account field. Check the value of that field, and if it is zero or the empty string then no receipt is sent.
• Determine the phone number: if the phone number field is set and the value of this field is at least 7 characters in length, then use the value of this field as the phone number. Otherwise, if the value of the auto-send field is at least 7 characters in length, then use the value of this field as the phone number.
• If the phone number is at least 7 characters long, generate a receipt using the specified plain-text print template and send it to the specified phone number.

Configuring Access Code Logins

This section explains how to configure Guest Manager to create multiple accounts that have the ability to log in with only the username. We will refer to this as an Access Code.

Customize Random Username and Passwords

In this example, we will set the random usernames and passwords to be a mix of letters and digits.

Navigate to Configuration > Guest Manager. The Configure Guest Manager form opens. In the Username Type field, select Random Letters and digits. The generator matching the complexity will also include a mix of upper and lower case letters. In the Username Length field, select 8 characters. Configure other settings. See Default Settings f
34. [Screenshot: Edit Hotspot Plan form. Unit Time is the length of time, in seconds, corresponding to a single unit of the plan (enter 3600 for 1 hour); Unit Name(s) is the name used to describe one or more units of the plan; Time Tracking is either Fixed date (unit purchase is relative to the transaction time) or Cumulative usage (unit purchase is for total time spent online).]

2. In the Plan Details area, enter a name for the plan and descriptions to display in the UI and the customer invoice.
3. To enable the plan, leave the Enabled check box marked. To disable the plan, unmark this check box. Disabled plans are not displayed to customers.
4. In the User Account Details area, you can specify the usage of numbers, letters, and symbols in the generated username and password. To use only digits, leave the value in the Generated Username and Generated Password fields set to
To indicate a different combination of numbers, letters, or symbols, use the following parameters:
• The number or hash symbol (#) is replaced with a random digit (0-9).
• The dollar symbol ($) is replaced with a random letter.
• The underscore symbol (_) is replaced with a random lowercase letter.
• The caret symbol (^) is replaced with a random uppercase letter.
• The asterisk symbol (*) is replaced with a random letter or digit.
• The at symbol (@) is replaced with a random letter or digit, excluding vowels.
• The exclamation symbol is rep
35. Depending on whether the MAC address matches a registered value, you can also adjust which role is returned. The controller must be configured with the appropriate roles and the reply attributes mapping to them as expected. Edit the Value of the attribute within the role returning the role to the controller. If you are on the registered MAC, apply the Employee role; otherwise, set them as Guest:

<?= MacEqual(GetAttr("Calling-Station-Id"), $user["mac"]) ? "Employee" : "Guest"

This can be expanded if you create multiple MAC fields. Navigate to Customize > Fields and duplicate mac. Rename it as mac_byod and then add it to the create_user and guest_edit forms. In this example, the account has a registered employee device under mac and a registered BYOD device under mac_byod:

<?= MacEqual(GetAttr("Calling-Station-Id"), $user["mac_byod"]) ? "BYOD" : (MacEqual(GetAttr("Calling-Station-Id"), $user["mac"]) ? "Employee" : "Guest")

User Detection on Landing Pages

When mac is passed in the redirect URL, the user is detected and a customized message displays on the landing page. Navigate to Administration > Plugin Manager > Manage Plugins > MAC Authentication > Configuration and enable MAC Detect. Edit the header of your redirect landing page (login or registration) and include the following:

<p>{if $guest_receipt.u.visitor_name} Welcome b
36. "_Disabled" and "_Enabled" may be used to never send email or always send email, respectively.

smtp_cc_list: This field specifies a list of additional email addresses that will receive a copy of the visitor account receipt. If the value is "default", the default carbon-copy list from the email receipt configuration is used.

smtp_cc_action: This field specifies how to send copies of email receipts. It may be one of "never", "always_cc", "always_bcc", "conditional_cc", or "conditional_bcc". If blank or unset, the default value from the email receipt configuration is used.

The logic used to send an email receipt is:
• If email receipts are disabled, take no action.
• Otherwise, check the auto-send field. If it is "_Disabled", then no receipt is sent. If it is "_Enabled", then continue processing. If it is any other value, assume the auto-send field is the name of another guest account field. Check the value of that field, and if it is zero or the empty string then no receipt is sent.
• Determine the email recipients: Address the email to the value specified by the email field in the visitor account. If the email field is "_None", then do not send an email directly to the visitor. Depending on the value of the Send Copies setting, add the email addresses from the Copies To list to the email's Cc or Bcc list.
• If there are any To, Cc
37. Resetting Passwords with the Self-Service Portal

The self-service portal includes the ability to reset a guest account's password. The default user interface for the self-service portal is shown below.

[Screenshot: Self-Service Login form with Username and Password fields, a Log In button, and the links "I've forgotten my password" and "I don't have an account"]

Clicking the "I've forgotten my password" link displays a form where the user password may be reset.

[Screenshot: Reset Password form with a Username field and a Reset button]

Entering a valid username will reset the password for that user account, and will then display the receipt page showing the new password and a login option (if NAS login has been enabled).

This feature allows the password to be reset for any guest account on the system, which may pose a security risk. It is strongly recommended that when this feature of the self-service portal is enabled, guest registrations should also store a secret question/secret answer field.

To enable a more secure password reset operation, first enable the secret_question and secret_answer fields on the registration form. The default appearance of these fields is shown below.

[Screenshot: Visitor Registration form with Your Name and Email Address fields]
38. Revoking Credentials to Prevent Network Access
Re-Provisioning a Device
Network Requirements for Onboard
Using Same SSID for Provisioning and Provisioned Networks
Using Different SSID for Provisioning and Provisioned Networks
Configuring Online Certificate Status Protocol
Configuring Certificate Revocation List (CRL)
Network Architecture for Onboard
Network Architecture for Onboard when Using ClearPass Guest
The ClearPass Onboard Process
Devices Supporting Over-the-Air Provisioning
Devices Supporting Onboard Provisioning
Managing Provisioned Applications
Configuring the User Interface for Device Provisioning
39. The label and description of the field is used to display a group heading on the form, as shown below. The field's value is not used, and the field is not submitted with the form.

[Screenshot: sample group heading]

When using this user interface element, it is recommended that you use the nwaImportant CSS class to visually distinguish the group heading's title.

[Screenshot: form field editor settings for a group heading, with the fields User Interface, Label, Description, CSS Class (nwaImportant), and CSS Style]

• Submit button: The field is displayed as a clickable form submit button, with the label of the field as the label of the button.

[Screenshot: form field editor settings for a submit button, with the fields User Interface, Label, Description, and CSS Class]
40. modify_expire_time: Value indicating how to modify the expire_time field. This field may be provided when creating or editing a visitor account. It may be set to one of the following values:
• "none" to disable the account expiration timer (do_expire and expire_time will both be set to 0)
• "now" to disable the account immediately
• "expire_time" to use the expiration time specified in the expire_time field
• "expire_after" to set the expiration time to the current time, plus the number of hours in the expire_after field
• "plus X" or "minus X", where X is a time measurement, to extend or reduce the expiration time by X (hours, but may have a "ywdhms" suffix to indicate years, weeks, days, hours, minutes, seconds respectively)
• A time measurement "X", to set the expiration time to the current time plus X
• Any other value to leave expire_time unmodified
This field controls account creation and modification behavior; it is not stored with created or modified visitor accounts.

modify_expire_usage (String): Value indicating how to modify the expire_usage field. This field is only of use when editing a visitor account. It may be set to one of the following values:
• "expire_usage" to set the cumulative usage expiration timer to the value in the expire_usage field
• "plus X" or "minus X", where X is a time measurement, to extend or reduce the cumulative usage expiration timer by X (seconds, but may have a "ywdhms" suffix
41. Sponsored Guest Access
Self-Provisioned Guest Access
Using Standard Guest Management Features
Creating a Guest Account
Creating a Guest Account Receipt
Creating Multiple Guest Accounts
Creating Multiple Guest Account Receipts
Creating a Single Password for Multiple Accounts
Managing Guest Accounts
Managing Multiple Guest Accounts
Importing Guest Accounts
Exporting Guest Account Information
42. data.username.bold(): Displays the username string as bold text.

data.role_name: Displays the name of the role.

Nwa_BooleanText(data.enabled, "Enabled", "Disabled"): Displays either "Enabled" or "Disabled" depending on the value of the enabled field.

(parseInt(data.do_expire) != 0) ? Nwa_DateFormat(data.expire_time, "%Y-%m-%d %H:%M") : "N/A": Displays "N/A" if the account has no expiration time, or a date and time string if an expiration time has been set.

JavaScript functions

Nwa_BooleanText(value, if_true, if_false[, if_undefined]): Returns the value of if_true or if_false depending on whether the value evaluates to a Boolean true or false, respectively. If the value has an undefined type (in other words, has not been set), and the if_undefined parameter was provided, returns if_undefined.

Nwa_DateFormat(value, format): Converts a numerical value (UNIX time) to a string using the date and time format string format. The format string uses similar syntax to the NwaDateFormat function. See Date/Time Format String Reference on page 281 for a full list of the supported format strings.

Nwa_FloatFormat(value, decimals): Converts a numerical value to a string, with the number of decimal places specified in decimals.

Nwa_MinutesToNatural(value): Converts a numeric value measuring a time in minutes to a nat
43. [Screenshot: form field editor showing the CSS Class, CSS Style, image, and Collapse ("Hide when no options are selectable") settings, and the Form Validation Properties area with Field Required, Initial Value, and Validator]

If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank.

To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.

• Static text (Options lookup): The value of the field is assumed to be one of the keys from the field's option list. The value displayed is the corresponding value for the key, as a non-editable text string. An icon image may optionally be displayed before the field's value. A hidden element is a
44. login and then on a regular schedule as specified by the password_action_recur field. If the guest is required to change their password, this will take place during a network login, before the guest is redirected to the NAS for login. Guest password changes are only supported for Web login pages and guest self-registration pages that have the "Perform a local authentication check" option enabled. The default behavior is to leave guest passwords under the control of the guest. With the default behavior, guests are not prevented from changing their password, but are also not required to change it on any particular schedule. (Field: password_action)

password_action_recur (String): Specifies a date or relative time after which a guest will be required to change their password. Using this field also requires the password_action field to be set to the value "recur". The value of this field should be a relative time measurement, indicated with a plus sign; for example "+15 days" or "+2 months".

password_last_change (Integer): The time that the guest's password was last changed. The password change time is specified as a UNIX timestamp. This field is automatically updated with the current time when the guest changes their password using the self-service portal.

random_password (String): This field contains a randomly generated password. This field is set when modifying an account (guest_edit form).

String: The length in characters of ran
45. 2. The Invoice Title must be written in HTML. See Basic HTML Syntax on page 261 for details about basic HTML syntax.
3. Complete the rest of the fields appropriately. You can use Smarty functions on this page. See Smarty Template Syntax on page 264 for further information on these. You can also insert content items such as logos or prepared text. See Customizing Self-Provisioned Access on page 171 for details on how to do this.
4. Click Save Changes.

Customizing the User Interface

Each aspect of the user interface your hotspot customers see can be customized.

Customizing Visitor Sign-Up Page One

Page one of the guest self-provisioning process asks the guest to select a plan. An example of the default Choose Plan page is shown below.

[Screenshot: Hotspot Sign Up page with a welcome message and a Choose Plan list of the available plans]

1. To customize how this page is displayed to the guest, go to Conf
46. [Example return value: an array of accounting fields for the session, including nasipaddress, nasportid, nasporttype, calledstationid, callingstationid, acctstarttime, acctstoptime, acctsessiontime, acctinputoctets, acctoutputoctets, acctterminatecause, servicetype, framedipaddress, framedprotocol, acctauthentic, nastype, nas_name, total_traffic, state, traffic_input, traffic_output, traffic_usage, and session_time]

GetIpAddressCurrentSession

GetIpAddressCurrentSession($ip_addr = null)

Looks up the current (most recent) active session for the specified client IP address. If ip_addr is not specified, it defaults to the current value of $smarty.server.REMOTE_ADDR, which may not be the same value as the IP address of the session if there is a NAT. See GetCurrentSession on page 271 for details of the return value.

GetIpAddressSessions

GetIpAddressSessions($ip_addr, $from_time = null, $to_time = null)

Calculate the number of sessions for accounting records matching a specific IP address. The IP address attribute is
47. nwa_sequence. If this field is not set, the next available sequence number for the given multi_prefix is used. Sequence numbering will start with 0 if no initial sequence number has been set.

multi_prefix (String): The prefix of each username generated when creating guest accounts and the random_username_method field is set to nwa_sequence.

netmask (String): Network address mask to use for stations using the account. This field may be up to 20 characters in length. The value of this field is not currently used by the system. However, a RADIUS user role may be configured to assign network masks using this field by adding the Framed-IP-Netmask attribute, and setting the value for the attribute to: <?= $user["netmask"]

no_password (Boolean): If set, prevents a user from changing their own password using the guest self-service portal. Set this field to a non-zero value or a non-empty string to disable guest-initiated password changes. The default is to allow guest-initiated password changes, unless this field is set.

no_portal (Boolean): If set, prevents a user from logging into the guest service portal. Set this field to a non-zero value or a non-empty string to disable guest access to the self-service portal. The default is to allow guest access to the self-service portal, unless this field is set.

no_warn_before (Boolean): User does not receive a logout expiration warning. The admin or user can opt out of this option by
48. NwaDynamicLoad
NwaGeneratePictureString
NwaGenerateRandomPasswordMix
NwaLettersDigitsPassword
NwaLettersPassword
NwaMoneyFormat
NwaParseCsv
NwaParseXml
NwaPasswordByComplexity
NwaSmsIsValidPhoneNumber
NwaStrongPassword
NwaVLookup
NwaWordsPassword
49. • password2: specifies the name of the field containing the duplicate password entry (optional, for password validation). Defaults to "password2" if not specified.
• password2_required: if nonzero, indicates that the "password2" entry must be supplied.
• username: specifies the name of the field containing the username. If empty or unset, the password is not checked against this field for a match.
• minimum_length: specifies the minimum length of the password in characters.
• disallowed_chars: if set, specifies characters that are not allowed in the password.
• complexity_mode: specifies the set of rules to use when checking the password.
• complexity: if set, specifies rules for checking the composition of the password. If unset, defaults to a preset value for password complexity with modes "none", "basic", "number", "punctuation" and "complex". These rules check that passwords obey certain requirements according to the following table.

Table 38: Complexity Requirements (columns: Rule Set, Min Length, Description)
• basic: Non-space characters
• number: At least 1 digit
• punctuation: At least 1 punctuation character (non-alphanumeric)
• complex: At least 1 digit, 1 non-alphanumeric, 1 uppercase and 1 lowercase letter

IsValidSentence

Checks that the value is considered to be a "sentence"; that is, a string which starts with an upper-case letter and ends in a full s
50. s phone number (visitor_phone).
The field which, if it contains a non-empty string or non-zero value, will cause an account receipt SMS to be automatically sent upon creation of a visitor account.
Credit Warning: 50. When the number of available credits reaches this threshold, a warning message is sent to the system administrator.
Advanced Gateways: Allow advanced SMS handlers. Select this option to create more types of SMS gateways and define custom SMS gateways.
SMS via SMTP: Enable management of SMTP Carrier List. Select this option to enable support for sending SMS messages via SMTP e-mail.
Phone Number Normalization: Options for the NwaNormalizePhoneNumber conversion function.
Default Number Format: Use the visitor's value. Optionally force the addition or removal of a country code.
Save Configuration
• SMS Receipt: Select the print template to be used when an SMS receipt is created. The print template used for the receipt must be in plain text format.
• Phone Number Field: Select which guest account field contains the guest's mobile telephone number. This field is used to determine the SMS recipient address.
• Auto-Send Field: Select a guest account field which, if set to a non-empty string or non-zero value, will trigger an automatic SMS when the guest account is created or updated. The auto-send field can be used to
51. the first column. Specifies a comparison function to use for values; if null, the default is used (simple equality operator, or the < and > operators if using binary search). The comparison function should take 2 arguments and return a value < 0, 0, > 0 depending on the sort ordering of the arguments.
Be aware of the following differences from Excel VLOOKUP:
• Column indexes are 0-based.
• Column indexes can also be strings.
See NwaParseCsv on page 284 and NwaCsvCache on page 283.
NwaWordsPassword
NwaWordsPassword($len)
Generates a password consisting of two randomly chosen words separated by a small number (1 or 2 digits), that is, in the format word1XXword2. The random words selected will have a maximum length of $len characters and a minimum length of 3 characters. $len must be at least 3.
Field, Form, and View Reference
This section describes the following:
• GuestManager Standard Fields on page 287
• Hotspot Standard Fields on page 294
• SMS Services Standard Fields on page 295
• SMTP Services Standard Fields on page 296
• Format Picture String Symbols on page 297
• Form Field Validation Functions on page 298
• Form Field Conversion Functions on page 301
• Form Field Display Formatting Functions on page 301
• View Display Expression Technical Reference on page 303
GuestManager Standard Fields
The table below describes standard fields available for the GuestManager form. Table 32 Gue
52. the prefix means match any domain that ends with the given suffix. A component can also be used inside the hostname and will match zero or more domain name components.
If the allow list is empty or unset, the default behavior is to accept ALL domains other than those listed in the deny list. If the deny list is empty or unset, the default behavior is to deny ALL domains other than those listed in the allow list. If both allow and deny lists are provided, the default behavior is to accept a domain name that does not match any of the patterns provided. The allow list is checked first, followed by deny. To obtain the opposite behavior, specify the wildcard as the last entry in the deny list.
• IsValidFileUpload: Checks that the value is a file upload.
• IsValidFutureDateTime: Checks that the value is a valid time specification string according to the rules of the PHP function strtotime(), and that the time specification refers to a point in the future.
• IsValidFutureTimestamp: Checks that the value is a valid UNIX time referring to a point in the future.
• IsValidHostname: Checks that the value is a valid IP address or a hostname that resolves to an IP address.
• IsValidHostnameCidr: Checks that the value is a valid IP address or hostname, which may also have an optional /N suffix indicating the network prefix length in bits (CIDR notation).
• IsValidHostnamePort
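The allow/deny evaluation order described above, as an added example (not code from ClearPass or from this guide). It assumes `*` is the wildcard symbol, which is not legible in this copy, matches on whole domain components, and accepts when both lists are empty; the function names and sample policies are constructed for illustration.

```python
WILDCARD = "*"  # assumption: the wildcard character is not legible on the page


def _labels(name):
    # Compare case-insensitively, ignore a trailing root dot, split into labels.
    return name.strip().lower().rstrip(".").split(".")


def _match(pattern, labels):
    """Match label lists; a wildcard label absorbs zero or more labels."""
    if not pattern:
        return not labels
    head, rest = pattern[0], pattern[1:]
    if head == WILDCARD:
        return any(_match(rest, labels[i:]) for i in range(len(labels) + 1))
    return bool(labels) and head == labels[0] and _match(rest, labels[1:])


def pattern_matches(pattern, domain):
    # Matching whole labels means "*.example.com" never matches
    # "badexample.com", which a plain string-suffix test would accept.
    return _match(_labels(pattern), _labels(domain))


def evaluate(domain, allow=None, deny=None):
    """Return (accepted, reason) following the documented order:
    allow list first, then deny list, then the default for the lists given."""
    allow = [p for p in (allow or []) if p.strip()]
    deny = [p for p in (deny or []) if p.strip()]
    for p in allow:
        if pattern_matches(p, domain):
            return True, "allow:" + p
    for p in deny:
        if pattern_matches(p, domain):
            return False, "deny:" + p
    if allow and not deny:
        # Deny list empty or unset: deny everything not in the allow list.
        return False, "default-deny (deny list empty)"
    # Allow list empty, both lists given, or (assumption) both lists empty.
    return True, "default-accept"


def domain_accepted(domain, allow=None, deny=None):
    return evaluate(domain, allow, deny)[0]


# Constructed sample policies. POLICY_OPEN shows the documented default:
# with both lists present, an unmatched domain is accepted.
POLICY_OPEN = dict(allow=["partner.example.com"], deny=["*.example.com"])
# POLICY_STRICT ends the deny list with the wildcard to get default-deny.
POLICY_STRICT = dict(allow=["partner.example.com"], deny=["*.example.com", "*"])


def audit(domains, policy):
    """Map each domain to its (accepted, reason) pair for review."""
    return {d: evaluate(d, **policy) for d in domains}


if __name__ == "__main__":
    sample = ["partner.example.com", "hr.example.com", "other.net"]
    for name, policy in (("open", POLICY_OPEN), ("strict", POLICY_STRICT)):
        for domain, (ok, why) in audit(sample, policy).items():
            print(f"{name:6} {domain:22} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

With both lists configured, an unlisted domain such as `other.net` is accepted unless the deny list ends with the wildcard, which is the case most likely to surprise an administrator who expects an allow list to be exclusive.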
53. title and content text, and selecting the guest account fields to include. A real-time preview allows changes made to the design to be viewed immediately.
To use the Print Template Wizard, first select a style of print template from the Style list. Small thumbnail images are shown to indicate the basic layout of each style. There are four built-in styles:
• Table: Best for square or nearly square logo images, and well suited for use with "scratch card" guest accounts.
• Simple: Best for wide or tall logo images, and for situations where an operator will print a page with guest account details.
• Centered: Best for wide logo images; less formal design.
• Label Printer: These print template styles are designed for small thermal printers in various widths. On-screen assistance is provided when printing to ensure that a consistent result can be obtained.
Click the Preview at right or Preview at bottom link at the top of the page to move the real-time preview of the print template.
Each of the basic styles provides support for a logo image, title area, subtitle area, notes area, and footer text. These items can be customized by typing in an appropriate value in the Print Template Wizard.
NOTE: As the print template is an HTML template, it is possible to use HTML syntax as well as Smarty template code in these areas. See the Reference on page 261 chapter for reference material about HTML and Smarty template code.
The print templat
55. Certificate: Validate the server certificate.
2. If the deployment is not using the built-in CA, you may use the Trusted Server Names text field to enter the certificate names to accept from the authentication server. Only certificates included in this list will be trusted. Enter each server name on a separate line. You can use wildcards.
3. In the Trusted Certificates row, mark the check box for each server certificate that the client should trust. You should include the root certificate that issued the authentication server's certificate, and you should provide the certificate for each authentication server a provisioned device will use.
4. You can use the Upload Certificate options to import additional trusted certificates or certificate signing requests. Click Choose File to navigate to the file on your computer, then click Upload. The certificate is imported and the certificate name is displayed above the form. You can click the Show certificate link next to the name to view certificate details. The certificate is also displayed in the Certificate Management list with the type "trusted".
5. In the Dynamic Trust row, you should avoid marking the Allow trust exceptions check box; the network administrator should make all trust decisions. Users will not generally review certificates for potential issues before accepting them. If you wish to enable trust decisions to be made by the user, you may unmark the Allow trust exceptions check
56. Changes to save your rule settings.
The Administration > Operator Logins > Translation Rules window shows a list of all configured translation rules.
[Figure: LDAP Translation Rules list, showing each rule's matching expression and its action (assign value to operator field, remove attribute, or assign operator profile)]
Translation rules are processed in order until a matching rule is found that does not have the Fallthrough field set.
To edit the matching rule list, select an entry in the table to display a menu that lets you perform the following actions:
• Edit: changes the configuration of matching rule
• Delete: removes matching rule from the list
• Duplicate: creates a duplicate copy of an existing rule
• Disable: temporarily disables the rule without deleting it from the rule list
• Enable: reenables a disabled o
57. [Figure: Account Details receipts for three guest accounts, each listing Username, Password, Role (Contractor), Current State (Active), Account Activation (Friday, 26 October 2012, 04:18 PM) and Account Expiration (Saturday, 27 October 2012, 04:18 PM)]
Managing Guest Accounts
Use the Guest Manager Accounts list view to work with individual guest accounts. To open the Guest Manager Accounts list, go to Guest > List Accounts.
List Guest Accounts: View a list of all current guest accounts. You can modify and remove individual user accounts here.
The Guests Manager Accounts view opens. This view (guest_users) may be customized by adding new fields or modifying or removing the existing fields. See Customizing Fields on page 145 for details about this customization process. The default settings for this view are described below.
58. [Figure: documentation search results]
6. Click a result link. The online help opens in a separate browser tab with the destination displayed.
Chapter 8 Operator Logins
An operator is a company's staff member who is able to log in to Dell Networking W-ClearPass Guest. Different operators may have different roles that can be specified with an operator profile. These profiles might be to administer the ClearPass Guest network, manage guests, or run reports. Operators may be defined locally in ClearPass Guest or externally in an LDAP directory server.
Accessing Operator Logins
To access Dell Networking W-ClearPass Guest's operator login features, click the Administration link in the left navigation, then click Operator Logins.
[Figure: Administration navigation menu with Operator Logins expanded: Login Configuration, Profiles, Servers, Translation Rules]
About Operator Logins
Dell Networking W-ClearPass Guest supports role-based access control through the use of operator profiles. Each operator using the application is assigned a profile which determines the actions that the operator may perform, as well as global settings such as the look and feel of the user interface. Dell Networking W ClearPass Gu
59. Edit: To make changes to the gateway in this row, click its Edit link. The Edit SMS Gateway form opens. See Editing an SMS Gateway on page 231.
• Duplicate: To make a copy of the gateway to use as a base for a new gateway, click the Duplicate link. A new gateway is added to the list with the name "Copy of <original gateway>".
• Delete: To remove the gateway from the list, click this link. You are asked to confirm the deletion. Click OK to delete the gateway.
• Make Default: Click this link in a gateway's row to make it the default gateway for SMS messages.
• Send SMS: Click this link in a gateway's row to send an SMS message via that gateway. The row expands to include the New SMS Message form, where you can enter the recipient's mobile phone number and the message text, then send the message.
3. To add a carrier to the list, click the Create tab above the form. The SMS SMTP Carrier Editor form is added at the top of the list. See Creating a New SMS Gateway on page 229.
Creating a New SMS Gateway
An SMS gateway is automatically created and added to the SMS Gateways list when you enter your subscription ID in Dell Networking W-ClearPass Policy Manager at Administration > Agents and Software Updates > Software Updates. You can also use ClearPass Guest to create an SMS gateway.
To create a new SMS gateway:
1. Go to Administration > SMS Services > SMS Gateways. The SMS Gateways list view opens.
2. C
60. 3. Scroll to the Email Delivery section of the form and choose one of the options from the Enabled drop-down list. The form expands to include configuration options for email delivery.
Email Delivery
• Enabled: Always auto-send guest receipts by email
• Email Field: Use Default. The field containing the visitor account's email address.
• Subject Line: Template specifying the subject line for emailed visitor account receipts. Leave blank to use the default (Visitor account receipt for email).
• Email Receipt: Use Default (GuestManager Receipt). The plain text or HTML print template to use when generating an email receipt.
• Email Skin: Use Default (No skin, HTML only). The format in which to send email receipts.
• Send Copies: Use Default (Use Bcc if sending to a visitor). Specify when to send visitor account receipts to the recipients in the Copies To list.
• Copies To: An optional list of email addresses to which copies of visitor account receipts will be sent.
• Reply To: Allow the reply-to address to be overridden. If checked, the reply-to address will be overridden by the sponsor email field. Leave unchecked to use the global from address.
The following options are available in the Enabled drop-down list to control email delivery:
• Disable sending guest receipts by email: Email receipts are never sent for a guest registration
61. Error: The error message to display if the field's value is not supplied, has an incorrect type, or if conversion fails.
• Value Format: None. The function used to format a field value after validation.
• Display Function: NwaDateFormat. The function used to convert a field to a displayable value on the form.
• Display Param: expire_time. Optional name of field whose value will be supplied as the argument to a display function.
• Display Arguments: %Y-%m-%d %H:%M. Optional value to supply as the argument to a display function.
In this case, the Conversion function is set to NwaConvertOptionalDateTime to convert the string time representation from the form field (for example, "2008-01-01") to UNIX time (for example, 1199145600).
The Validator for the expire_time field is IsValidFutureTimestamp, which checks an integer argument against the current time.
The Value Formatter is applied after validation. This may be used in situations where the validator requires the specific type of data supplied on the form, but the stored value should be of a different type. In the expire_time field example, this is not required, and so the value formatter is not used. However, if the Conversion function had not been used, and the Validator had been set to IsValidFutureDateTime (which checks a string date/time value), then the Value Formatter would need to be set to NwaConvertOptionalDateTime to perform the data convers
62. Form Field Validation Functions
See Form Validation Properties on page 162 and Examples of Form field Validation on page 163 for details about using validation functions for form fields. The built-in validator functions are:
• IsArrayKey: Checks that the value is one of the keys in the array supplied as the argument to the validator.
• IsArrayValue: Checks that the value is one of the values in the array supplied as the argument to the validator.
• IsEqual: Checks that the value is equal to the value supplied as the argument to the validator, allowing for standard type conversion rules.
• IsGreaterThan: Checks that the value is strictly greater than a specified minimum value supplied as the argument to the validator.
• IsIdentical: Checks that the value is equal to the value supplied as the argument to the validator, and has the same type.
• IsInRange: Checks that the value is in a specified range between a minimum and maximum value. The minimum and maximum values are specified as a 2-element array as the argument to the validator.
• IsInOptionsList: Checks against a list of options in the policy definition.
• IsNonEmpty: Checks that the value is a non-empty string (length non-zero and not all whitespace), or a non-empty array.
• IsNonNegative: Checks that the value is numeric and non-negative.
• IsRegexMatch: Checks that t
63. Guest requires provisioning the following:
• Physical location: rack space, power and cooling requirements, or deployment using virtualization
• Network connectivity: VLAN selection, IP address and hostname
• Security infrastructure: SSL certificate
Site Preparation Checklist
The following is a checklist of the items that should be considered when setting up ClearPass Guest.
Table 4 Site Preparation Checklist
Security Policy:
• Segregated guest accounts
• Type of network access
• Time of day access
• Bandwidth allocation to guests
• Prioritization of traffic
• Different guest roles
• IP address ranges for operators
• Enforce access via HTTPS
Operational Concerns:
• Who will manage guest accounts
• Guest account self provisioning
• What privileges will the guest managers have
Network Management Policy:
• Shared secret format
• Operator provisioning
Network Provisioning:
• Physical location
• Network connectivity
• Security infrastructure
Security Policy Considerations
To ensure that your network remains secure, decisions have to be made regarding guest access:
• Do you wish to segregate guest access? Do you want a different VLAN or different physical network infrastructure to be used by
64. Manual Reconnect Interface row, enter the text that will be shown to the user if manual reconnect is allowed and applicable. Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed.
5. In the Connect Success row, enter the text that will be shown to the user after successful reconnect. Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed.
6. In the Connect Failure row, enter the text that will be shown to the user after a failed reconnect, or if the device does not support reconnection (for example, for iOS 4 and earlier devices). Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed.
7. In the After Connect row, enter the text that will be shown after a reconnect attempt, regardless of success or failure. Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed.
To configure delay and timeout settings:
1. Mark the check box in the Advanced Settings row. The form expands to include these options.
2. In the Disconnect Delay row, enter the duration in seconds for the Web server to wait after receiving a disconnect request before it sends the request to the controller. This delay gives the client time to receive a valid HT
65. Multiple Active Sessions
To disconnect multiple sessions, click the Manage Multiple tab. The Manage Multiple Sessions form opens.
Manage Multiple Sessions
• Action: Disconnect Active Sessions
• Start Time: The selected action will apply to sessions that started after this point. Leave blank to use the earliest available session start time.
• End Time: The selected action will apply to sessions that started before this point. Leave blank to use the current time.
• Make Changes
To close all active sessions, leave the Start Time and End Time fields empty and click Make Changes. All active sessions are closed and are removed from the Active Sessions list.
You can specify sessions in a time range:
1. To close all sessions that started after a particular time, click the button in the Start Time row. The calendar picker opens. Use the calendar to specify the year, month, and day, and click the numbers in the Time fields to increment the hours and minutes. All sessions that started after the specified date and time will be disconnected.
2. To close all sessions that started before a particular time, click the button in the End Time row. The calendar picker opens. Use the calendar to specify the year, month, and day, and click the numbers in the Time fields to increment the hours and minutes. All sessions that started before the specified date and time will be disconnected.
3. Click Make Changes. Th
66. Multiple Guest Accounts on page 38 in this chapter for details about this form.
Use the Delete tab to delete the visitor accounts that you have selected. This option is not active if there are no visitor accounts selected.
Use the Edit tab to make changes to multiple visitor accounts at once. This option is not active if there are no visitor accounts selected.
Edit Guest Accounts
• Password: No changes. Select an option for changing visitor account passwords.
• Account Role: No changes. Select a new role for these visitor accounts.
• Account Activation: No changes. Select an option for changing the activation time of this account.
• Account Expiration: No changes. Select an option for changing the expiration time of this account.
• Session Limit: The number of simultaneous sessions allowed for these visitor accounts. Type 0 for unlimited use. Leave this field blank to not make any changes.
• Make Changes
The Edit Guest Accounts form may be customized by adding new fields, or modifying or removing the existing fields. See Customizing Self Provisioned Access on page 171 for details about this customization process. This is the guest_multi_form form.
The Results tab will be automatically selected after you have made changes to one or more guest acco
67. Named arguments may also be supplied; the arguments must be named identically to the function arguments listed in the documentation for the query function.
The following parameters control how the result should be processed:
• _assign: Name of a page variable to store the output; if not set, output is sent to the browser as the result of evaluating the template function.
• _output: Index of item to return from the RPC result; if not set, the complete result is returned. This may be of use when an array containing multiple values is returned and only one of these values is required.
• _default: Default value to display or return if an error occurs or the _output field is not available in the result.
For ease of use, assign is also supported as a synonym for _assign.
This template function does not generate any output if the _assign parameter is set.
The methods that are available for use with this function are listed below. The $criteria array consists of one or more criteria on which to perform a database search. The array is used for advanced cases where pre-defined helper functions do not provide required flexibility.
ChangeToRole
ChangeToRole($username, $role_name)
Changes the RADIUS role assigned to the user. If the user currently has active sessions, this function will trigger an RFC 3576 Change of Authorizatio
68. The form expands to include configuration options.
The login page is also a separate page that can be accessed by guests using the login page URL. The login page URL has the same base name as the registration page, but with login appended. To determine the login page URL for a guest self-registration page, first ensure that the Enable guest login to a Network Access Server option is checked, and then use the Launch network login link from the self-registration process diagram, as shown below.
[Figure: Launch this guest registration page and Launch network login links]
The options available under the Login Form heading may be used to customize the login page.
Customize Guest Registration
• Enabled: Enable guest login to a Network Access Server
• Login Form: Options controlling the appearance of the NAS login form.
• Custom Form: Provide a custom login form. If selected, you must supply your own HTML login form in the Header or Footer HTML areas.
• Custom Labels: Override the default labels and error messages. If selected, you will be able to alter labels and error messages for the current login form.
• Pre-Auth Check: Perform a local authentication check. If checked, the username and password will be checked locally before proceeding to the NAS authentication. This option should not be selected if an external aut
69. To help the user identify the connection easily, include your organization's name in the Display Name field. For example, use "ACME Sprockets VPN".
Select the appropriate Connection Type from the drop-down list:
• L2TP: Connection uses the Layer 2 Tunneling Protocol. Complete the fields shown in the L2TP Connection Settings section of the form.
• PPTP: Connection uses the Point-to-Point Tunneling Protocol. Complete the fields shown in the PPTP Connection Settings section of the form.
• IPSec: Connection uses the Internet Protocol with security extensions. Complete the fields shown in the IPSec Connection Settings section of the form.
The Authentication Type drop-down list provides these options when configuring an IPSec VPN:
• Identity Certificate: The client certificate issued during device provisioning will also be used as the identity certificate for VPN connections. This option requires configuring your VPN server to allow IPSec authentication using a client certificate.
• Shared Secret Group Name: An optional group name may be specified. A shared secret (pre-shared key) is used to establish the IPSec VPN. Authentication is performed with a username and password.
The Proxy Settings section of the form specifies a proxy server that is used when the VPN connection is active. Select one of these
70. a group of friends or associates who are allowed to share them. If AirGroup Services is enabled, AirGroup administrators can provision their organization's shared devices and manage access, and AirGroup operators can register and provision a limited number of their own personal devices for sharing. For complete AirGroup deployment information, refer to the AirGroup Deployment Guide and the ClearPass Policy Manager documentation.
Registering Groups of Devices or Services
This functionality is only available to AirGroup administrators. To register and manage an organization's shared devices and configure device access:
1. Log in as the AirGroup administrator and go to Guest > Create Device. The Register Shared Device form opens.
Register Shared Device
• Device Name: libraryPrinter1. Enter a name to identify the device.
• MAC Address: 11:22:33:aa:bb:cc. Enter the MAC address of the device.
• Shared Locations: Enter a list of location IDs where this device will be shared. Use a comma-separated list of tag value pairs; tag may be AP Name, AP Group or FQLN. A fully qualified location name is <ap name> floor <N> <building name> <campus. Leave blank to share with all locations.
• Shared With: Enter up to 10 usernames that will be able to use this device. Use a comma-separated list (e.g. user1, user2, user3) or blank for all users.
• Shared Roles: List the user roles that will be able to use this dev
71. ability to customize the view.
Click a user account's row to select it. You can then select from one of these actions:
• Reset password: Changes the password for a guest account. A new randomly generated password is displayed on the Reset Password form.
Reset Password
  Username: 41915905
  New password: 77876546. This is the new password that will be assigned to this guest account.
  Update Account
Click Update Account to reset the guest account's password. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
• Change expiration: Changes the expiration time for a guest account.
Change Expiration
  Username: 41915905
  Account Activation: Friday, 26 October 2012, 03:50 PM
  Account Expiration: Account will expire at Saturday, 27 October 2012, 03:50 PM
  Account Expiration: No changes (2012-10-27 15:50:44). Select an option for changing the expiration time of this account.
NOTE: This form (change_expiration) may be customized by adding new fields, or modifying or removing the existing fields. See Customizing Forms and Views on page 150 for details about this customization process.
Select an option from the drop-down list to change the expiration time of the guest account. Click Update Account to set the new expiration time for the guest account. A new account receipt is displayed, allowing you to print a receipt showing the update
72. all the students
• In the Auto Join row, you can mark the Automatically join network check box to specify that the device should be automatically connected to the network when it is provisioned. If only one network is available to the user, the device will be connected automatically. If multiple networks are available, the user will be able to choose the network to connect to. If the Automatically join network option is not selected on this form, an option to manually connect to the network will be shown to the user.
11. Do one of the following:
• Click the Next button to continue to the Protocols tab.
• Click the Create Network button to make the new network configuration settings take effect.
• Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.
Configuring 802.1X Authentication Network Settings
Click the Protocols tab to display the Enterprise Protocols form.
[Figure: Network Settings tabs (Access, Protocols, Authentication, Trust, Windows, Proxy) with the Enterprise Protocols form; the Accepted EAP Types check boxes include PEAP, TTLS and EAP-FAST]
Enterprise Protocols: Options for 802.1X protocols supported on the network.
• iOS & OS X EAP: Select the authentication protocols to use when configuring an iOS or OS X 10.7+ (Lion or later) device.
• Legacy OS X EAP: PEAP with MSCHAPv2. The authentication protocol to
73. an option for changing the expiration time of this account.
[Form fields: Sponsor's Name; Device Name; MAC Address; Account Activation; Account Expiration; Account Role: Contractor (Role to assign to this visitor account); Terms of Use: I am the sponsor of this visitor account and accept the terms of use; Create MAC]
2. In the Sponsor's Name row, enter the name of the person sponsoring the visitor account.
3. Enter the name for the device in the Device Name row.
4. Enter the address in the MAC Address row. If you need to modify the configuration for expected separator format or case, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication Plugin.
5. Choose one of the options in the Account Activation drop-down list. You may choose to activate the account immediately, at a preset interval of hours or days, at a specified time, or leave the account disabled.
  Disable account
  Tomorrow
  Next Monday
  1 hour from now
  1 day from now
  1 week from now
  Activate at specified time
• If you choose Activate at a specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
74. and password of their guest account. The NAS authenticates the user with the RADIUS protocol (5). ClearPass Policy Manager determines whether the user is authorized and, if so, returns vendor-specific attributes (6) that are used to configure the NAS based on the user's role and other policies (7). If the user's access is granted, the NAS permits the guest access to the network based on the settings provided by the ClearPass Policy Manager server. The NAS reports details about the user's session to the ClearPass Policy Manager server using RADIUS accounting messages (8). After the user's session times out (9), the NAS will return the user to an unauthorized state and finalize the details of the user's session with an accounting update (10).

Key Features
Refer to the table below for a list of key features and a cross reference to the relevant section of this deployment guide.

Table 2: List of Key Features
Feature | Refer to
Visitor Management |
Web server providing content delivery for guests |
Guest self-registration | Customizing Self Provisioned Access on page 171
Create and manage visitor accounts, individually or in groups | Using Standard Guest Management Features on page 29
Manage active RADIUS sessions using RFC 3576 dynamic authorization support | Active Sessions Management on page 59
Import and export visitor accounts | Importing Guest Accounts on page 40
Create guest self-registration forms |
75. as the condition expression for a RADIUS role attribute.

Authorizes a user only if their total traffic (in + out) in the past day does not exceed 10 MB. Be aware that the attribute with this condition expression will never be included in the response:
    return GetUserTraffic(86400) > 10485760 && AccessReject();
Like the above, but only considers output (that is, user downloads):
    return GetUserTraffic(86400, 'out') > 10485760 && AccessReject();
Another way to limit the past 30 days' downloads to 100 MB:
    return GetUserTraffic($now - 86400*30, $now, 'out') > 100*1024*1024 && AccessReject();
Limit by MAC address, 50 MB download in past 24 hours:
    return GetCallingStationTraffic(86400, 'out') > 50000000 && AccessReject();

GetCurrentSession
    GetCurrentSession($criteria)
Looks up the details for an active session, based on the specified criteria.
NOTE: This is a multi-purpose function that has a very flexible query interface; for ease of use, consider using one of the related functions GetCallingStationCurrentSession(), GetIpAddressCurrentSession(), or GetUserCurrentSession().
Returns null if there is no matching session; otherwise returns a single session array. A typical result follows:
    array(
      'id' => '2073',
      'acctsessionid' => '4a762dbf00000002',
      'acctuniqueid' => 'c199b5a94ebf5184',
      'username' => 'demo@example.com',
      'realm' => '',
      'role_name' => 'Guest',
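A JavaScript model of the traffic-limit condition expressions in this fragment, added here as an example and not ClearPass code. The accounting records are constructed, the functions GetUserTraffic, GetCallingStationTraffic and AccessReject are local stand-ins for the product functions, and counting a session in full when it overlaps the window is an assumption. It shows why an attribute carrying such a condition is never included in the response: the expression either triggers the reject or evaluates to false.

```javascript
// Constructed RADIUS accounting records: times are UNIX seconds, counters
// are bytes. "out" is traffic sent to the user (downloads), as on the page.
const NOW = 1370000000;
const DAY = 86400;
const sampleAccounting = [
  { user: 'demo@example.com', mac: '11-22-33-AA-BB-CC',
    start: NOW - 3600, stop: NOW - 1800, inOctets: 1000000, outOctets: 8000000 },
  // Straddles the 24-hour boundary: started before it, ended inside it.
  { user: 'demo@example.com', mac: '11-22-33-AA-BB-CC',
    start: NOW - 90000, stop: NOW - 80000, inOctets: 500000, outOctets: 4000000 },
  // 40 days old: outside both the 1-day and the 30-day window.
  { user: 'demo@example.com', mac: 'AA-BB-CC-11-11-11',
    start: NOW - 40 * DAY, stop: NOW - 40 * DAY + 600, inOctets: 1, outOctets: 900000000 },
  // Still active: no stop time yet.
  { user: 'other@example.com', mac: '12-34-56-AB-CD-EF',
    start: NOW - 600, stop: null, inOctets: 2000000, outOctets: 60000000 },
];

// Stand-in for the effect of AccessReject(): evaluation stops and the
// request is rejected (modelled here as an exception; an assumption).
class AccessRejectSignal extends Error {}

// Sum the counters of every matching session that overlaps [from, to].
// Assumption: an overlapping session is counted in full, which
// over-counts rather than under-counts at the window boundary.
function sumTraffic(records, matches, from, to, direction) {
  let total = 0;
  for (const r of records) {
    const stop = r.stop === null ? Infinity : r.stop;
    if (!matches(r) || stop < from || r.start > to) continue;
    if (direction !== 'out') total += r.inOctets;
    if (direction !== 'in') total += r.outOctets;
  }
  return total;
}

// Accepts (interval), (interval, dir), (from, to) and (from, to, dir),
// the call shapes used by the expressions on the page.
function parseWindow(now, args) {
  const [a, b, c] = args;
  if (typeof b === 'number') return { from: a, to: b, direction: c };
  return { from: now - a, to: now, direction: b };
}

function makeContext(records, now, user, mac) {
  const traffic = (matches) => (...args) => {
    const w = parseWindow(now, args);
    return sumTraffic(records, matches, w.from, w.to, w.direction);
  };
  return {
    now,
    GetUserTraffic: traffic((r) => r.user === user),
    GetCallingStationTraffic: traffic((r) => r.mac === mac),
    AccessReject: () => { throw new AccessRejectSignal('Access-Reject'); },
  };
}

// The four expressions from the page, written against the model context.
const conditions = {
  dailyTotal: (c) => c.GetUserTraffic(86400) > 10485760 && c.AccessReject(),
  dailyDownload: (c) =>
    c.GetUserTraffic(86400, 'out') > 10485760 && c.AccessReject(),
  monthlyDownload: (c) =>
    c.GetUserTraffic(c.now - 86400 * 30, c.now, 'out') > 100 * 1024 * 1024 &&
    c.AccessReject(),
  macDownload: (c) =>
    c.GetCallingStationTraffic(86400, 'out') > 50000000 && c.AccessReject(),
};

// Returns 'access-reject', 'omit-attribute' or 'include-attribute'.
function evaluateCondition(name, user, mac, records = sampleAccounting, now = NOW) {
  const ctx = makeContext(records, now, user, mac);
  try {
    return conditions[name](ctx) ? 'include-attribute' : 'omit-attribute';
  } catch (err) {
    if (err instanceof AccessRejectSignal) return 'access-reject';
    throw err;
  }
}
```

With the sample records, the session that straddles the 24-hour boundary is what pushes demo@example.com over the daily download limit.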
76. attributes using the rules defined in the LDAP translation rules. In particular, an operator profile will be assigned to the authenticated user with this process, which controls what that user is permitted to do.

Creating an LDAP Server
To create an LDAP server, go to Administration > Operator Logins > Servers, then click the Create new LDAP server link in the upper right corner. The Server Configuration form opens, with these fields:
• Name: Enter a name for this authentication server.
• Enabled: Use this server to authenticate operator logins.
• Priority: The priority rank of the service handler for authentication of local operators. Lower numbers represent higher priorities.
• Server Type: Select the type of server you are connecting to (Microsoft Active Directory in the example).
• Server URL: URL of the LDAP server, e.g. ldap://hostname/ or ldap://192.168.88.1/ou=IT Services,ou=Departments,dc=amigopod,dc=com
• Bind DN: The Distinguished Name to use when binding to the LDAP server, or empty to perform anonymous bind.
• Bind Password: The password to use when binding to the LDAP server, or empty for an anonymous bind.
• Default Profile: Select the default operator profile to assign to operators authorized by this server (IT Administrators in the example).
• Sponsor Lookups: Enable
77. be displayed. Requires a vendor that passed the mac as part of the redirection.
Form fields shown: MAC Detect; Device Filter (List Accounts, Edit accounts): Select which views should not display devices (user accounts with the mac_auth field set); Save Configuration.
On the controller, the fields look as follows:
Figure 8: MAC Authentication Profile (Delimiter: none; Case: upper; Max Authentication failures: 0)

Managing Devices
To view the list of current MAC devices, go to Guest > List Devices. The Guest Manager Devices page opens.
[Figure: List Devices view, with columns including MAC Address, Activation and Expiration. In the example, five devices are listed as Guest, Active, with no expiry; an expanded row offers Change expiration, Remove, Edit, Sessions and Print.]
All devices created by one of the methods described in the following section are listed. Options on the form let you change a device's account expiration date, remove ac
78. be used.
• smtp_subject: This field specifies the subject line for the email message. Template variables appearing in the value will be expanded. If the value is "default", the default subject line from the email receipt configuration is used.
• smtp_template_id: This field specifies the print template ID to use for the email receipt. If blank or unset, the default value from the email receipt configuration is used.
• smtp_receipt_format: This field specifies the email format to use for the receipt. It may be one of "plaintext" (No skin, plain text only), "html_embedded" (No skin, HTML only), "receipt" (No skin, Native receipt format), "default" (Use the default skin), or the plugin ID of a skin plugin to specify that skin. If blank or unset, the default value from the email receipt configuration is used.
• smtp_email_field: This field specifies the name of the field that contains the visitor's email address. If blank or unset, the default value from the email receipt configuration is used. Additionally, the special value "_None" indicates that the visitor should not be sent any email.
• smtp_auto_send_field: This field specifies the name of the field that contains the auto-send flag. If blank or unset, the default value from the email receipt configuration is used. Additionally, the special values
79. box. Be aware that this is an insecure configuration, as a user can override a security warning if a man-in-the-middle attack occurs.
6. In the Android Trust area, use the Trusted Certificate drop-down list to select a certificate the device should trust. Android supports only a single trusted certificate; this must be the root CA that issued the authentication server's certificate. Be aware that if None is selected, 802.1X authentication might not work.
7. In the Windows Trust area, mark the Validate the server certificate check box. This ensures that the provisioned device will check that the server certificate is valid before using the server for authentication. If this check box is unmarked, the configuration will not be secure: an attacker could provide another server certificate, which the client would not verify.
8. Do one of the following:
• Click the Previous button to return to the Authentication tab.
• Click the Next button to continue to the Windows tab.
• Click the Create Network button to make the new network configuration settings take effect.
• Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.

Configuring Windows-Specific Network Settings
Click the Windows tab to display the Windows Network Settings form.
80. Operational Concerns 21
Network Provisioning 21
Site Preparation Checklist 22
Security Policy Considerations 23
AirGroup Deployment Process 23
Documentation and User Assistance 24
Deployment Guide and Online Help 24
Context Sensitive Help 24
Field Help 25
Quick Help 25
If You Need More Assistance 25
Guest Manager 27
Accessing Guest Manager 27
About Guest Management Processes
81. Sending an SMS 232
About SMS Credits 233
About SMS Guest Account Receipts 233
SMS Receipt Options 234
Working with the SMTP Carrier List 234
Support Services 236
Viewing the Application Log 237
Exporting the Application Log 238
Contacting Support 239
Viewing Documentation 239
Operator Logins 241
Accessing Operator Logins 241
About Operator Logins
82. client and server certificates using a local signing certificate, which is an intermediate CA that is subordinate to the root certificate. Use this option when you do not have an existing public key infrastructure (PKI), or if you want to completely separate the certificates issued for Onboard devices from your existing PKI. Click the Root CA image in the Mode area, then click Continue to proceed to the second step. See Setting Up a Root Certificate Authority on page 82.
• Intermediate CA: The Onboard certificate authority is issued a certificate by an external certificate authority. The Onboard certificate authority issues client and server certificates using this certificate. Use this option when you already have a public key infrastructure (PKI) and would like to include the certificate issued for Onboard devices in that infrastructure. Click the Intermediate CA image in the Mode area, then click Continue to proceed to the second step. See Setting Up an Intermediate Certificate Authority on page 84.

Setting Up a Root Certificate Authority
If you already have a certificate and private key for the certificate authority, see Installing a Certificate Authority's Certificate on page 88.
After you choose Root CA on the Certificate Authority Settings form and click Continue, the Root Certificate Settings form opens. The Root Certificate Settings form is used to configure the distinguished name and properties for the certificate autho
83. common terms used in ClearPass Guest and this guide.

Table 3: Common Terms
Term | Explanation
Accounting | Process of recording summary information about network access by users and devices.
Authentication | Verification of a user's credentials, typically a username and password.
Authorization | Controls the type of access that an authenticated user is permitted to have.
Captive Portal | Implemented by a Network Access Server to restrict network access to authorized users only.
Field | In a user interface or database, a single item of information about a user account.
Form | In a user interface, a collection of editable fields displayed to an operator.
Network Access Server | Device that provides network access to users, such as a wireless access point, network switch, or dial-in terminal server. When a user connects to the NAS device, a RADIUS access request is generated by the NAS.
Operator Profile | Characteristics assigned to a class of operators, such as the permissions granted to those operators.
Operator / Operator Login | User of ClearPass Guest to create guest accounts or perform system configuration.
Print Template | Formatted template used to generate guest account receipts.
Role | Type of access being granted to visitors. You can define multiple roles. Such roles could include employee, guest, team member, or press.
User Database | Database li
84. configured to automatically send SMS receipts to visitors, or to send receipts only on demand.
To manually send an SMS receipt:
1. Navigate to Guest > List Accounts and click to expand the row of the guest to whom you want to send a receipt.
2. Click Print to display the Account Details view, then click the Send SMS receipt link. The SMS Receipt form opens. Use the fields on this form to enter the service to use, the recipient's mobile phone number, the mobile carrier, and the message text.
For more information on SMS services, see SMS Services on page 228.

Chapter 4: Onboard
Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate access credentials and setting up the network connection parameters. Dell Networking W-ClearPass Onboard automates 802.1X configuration and provisioning for bring your own device (BYOD) and IT-managed devices (Windows, Mac OS X, iOS and Android) across wired, wireless, and VPNs.
ClearPass Onboard includes the following key features:
• Automatic configuration of network settings for wired and wireless endpoints.
• Provisioning of unique device credentials for BYOD and IT-managed devices.
• Support for Windows, Mac OS X, iOS, and Android devices.
85. controller will send the IP to submit credentials.
• Dynamic Address: In multi-controller deployments, it is often required to post credentials to different addresses made available as part of the original redirection. The address above will be used whenever the parameter is not available or fails the requirements below.
• Default Destination: Options for controlling the destination clients will redirect to after login.
• Default URL: Enter the default URL to redirect clients. Please ensure you prepend "http://" for any external domain.
• Override Destination: Force default destination for all clients. If selected, the client's default destination will be overridden regardless of its value.
If automatic guest login is not enabled, the submit button on the receipt page will not be displayed, and automatic NAS login will not be performed.

Editing Login Page Properties
The login page is displayed if automatic guest login is enabled and a guest clicks the submit button from the receipt page to log in.
To edit the properties of the login page:
1. Go to Configuration > Guest Self Registration. Click to expand the Guest Self Registration row in the form, then click its Edit link. The Customize Guest Self Registration diagram opens.
2. In the Receipt Page area of the diagram, click the Title or Login Message fields for the login page to edit the properties of the login page, then mark the Enable guest login to a Network Access Server check box.
86. • Use default: The default user interface type defined for the field will be used.
• No user interface: The field does not have a user interface specified. Using this value will cause a diagnostic message to be displayed ("Form element is missing the 'ui' element") when using the form.
• CAPTCHA security code: A distorted image of several characters will be displayed to the user, with the prompt "Please enter the security code shown in this image". The image may be regenerated, or played as an audio sample for visually impaired users. When using the recommended validator for this field (NwaCaptchaIsValid), the security code must be matched or the form submit will fail with an error.
The form field editor for this user interface type has these fields:
  - User Interface: The kind of user interface element to use when entering or editing this field.
  - Label: Label for this field to display on the form.
  - Description: Descriptive text for this field, displayed with the user interface element.
  - CSS Class: Optional CSS class name to apply to this form field.
  - CSS Style: Optional CSS style text to apply to this form field.
• Check box: A check box is displayed for the field.
87. Customizing the Device Provisioning Web Login Page 79
Using the nwa_mdps_config Template Function 80
Configuring the Certificate Authority 81
Setting Up the Certificate Authority 81
Setting Up a Root Certificate Authority 82
Setting Up an Intermediate Certificate Authority 84
Obtaining a Certificate for the Certificate Authority 86
Using Microsoft Active Directory Certificate Services 86
Installing a Certificate Authority's Certificate 88
Renewing the Certificate Authority's Certificate 90
Configuring Data Retention Policy for Certificates 90
Uploading Certificates for the Certificate Authority 91
Creating a Certificate
88. field. CSS Style: Optional CSS style text to apply to this form field.
• Drop-down list: The field is displayed allowing a single choice from a drop-down list. The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field. If the "Hide when no options are selectable" check box is selected and there is only a single option in the drop-down list, it will be displayed as a static text item rather than as a list with only a single item in it.
The form field editor for a drop-down list has these fields:
  - User Interface: The kind of user interface element to use when entering or editing this field.
  - Label: Label for this field to display on the form.
  - Description: Descriptive text for this field, displayed with the user interface element.
  - CSS Class: Optional CSS class name to apply to this form field.
  - CSS Style: Optional CSS style text to apply to this form field.
  - Add "No changes": Select if you want the list to insert a "No changes" option to the default set.
  - Options Generator: The function used to generate the list of available options.
  - Options: List of options available (in the example, the keys one, two and three with the values Option One, Option Two and Option Three). Enter one or more lines containing key value pairs where the key and value are separated with
89. form. The form expands to include the Carrier Lists options. Use this drop-down list to specify the SMS or MMS carrier.
NOTE: To be available in the drop-down lists on this Carrier Lists form, a carrier must first be enabled.
3. To enable, disable, or delete a carrier, click the carrier in the list. The carrier's row expands to include the Edit, Enable or Disable, and Delete options.
• To enable a carrier, click the Enable link in its row. The carrier will then be available to work with, and will be included in the drop-down lists when you click the Display Lists link.
4. The procedures for adding and for editing a carrier are the same.
• To add a carrier to the list, click the Create tab above the form. The SMS SMTP Carrier Editor form is added at the top of the list.
• To edit an existing carrier, click the carrier's row in the list. The row expands to include the SMS SMTP Carrier Editor form for that carrier.
• When creating or editing a gateway, to include the Mobile Carrier field in the visitor's registration form, choose "Registration form will have the visitor_carrier field" in the Carrier Selection drop-down list. The Mobile Carrier field is also added to the Test SMS Settings area of the forms.
SMS SMTP Carrier Editor form fields:
• Name: Enter the carrier's name. This should be a value a user can easily identify.
• Enable: Include
90. framework that supports multiple authentication methods.
EAP-PEAP: Protected EAP. A widely used protocol for securely transporting authentication data across a network.
EAP-TLS: Extensible Authentication Protocol, Transport Layer Security (RFC 5216). A certificate-based authentication method supporting mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints.
form: Screen that collects data using fields.
field: Single item of information about a visitor account.
guest: See Visitor.
intermediate CA: Certificate authority with a certificate that was issued by another certificate authority. See trust chain.
iOS: Operating system from Apple, Inc. for mobile devices, including the iPhone, iPad, and iPod Touch.
landing page: See Web login.
LDAP: Lightweight Directory Access Protocol; communications protocol used to store and retrieve information about users and other objects in a directory.
Network Access Server (NAS): Device that provides network access to users, such as a wireless access point, network switch, or dial-in terminal server. When a user connects to the NAS device, a RADIUS user authentication request (Access-Request) is generated by the NAS.
OCSP: Online certificate status protocol (RFC 2560). Protocol used to determine the current status of a digital certificate without requiring CRLs.
onboarding: See device provisioning.
onboard-capable device: Device supported by the QuickConnect a
91. from a UNIX time to a date/time string, and the Display Argument specifies the format to use for the conversion. See Form Field Display Formatting Functions on page 301 for a detailed list of the options available to you for the Display Function and Static Display Function.

The Enable If and Visible If options in the form field editor allow you to specify JavaScript expressions. The result obtained by evaluating these expressions is used to enable/disable or show/hide the form field in real time, while an operator is using the form.

Unlike the other parts of the form field editor, the Enable If and Visible If expressions are evaluated by the operator's Web browser. These expressions are not used by the server for any other purpose.

The expression must be a Boolean expression in the JavaScript language; statements and other code should not be included, as this will cause a syntax error when the form is displayed in a Web browser.

Because of the scoping rules of JavaScript, all of the user interface elements that make up the form are available as variables in the local scope with the same name as the form field. Thus, to access the current value of a text field named sample_field in a JavaScript expression, you would use the code sample_field.value.

Most user interface elements support the value property to retrieve the current value. For check boxes, however, use the checked property to determine if the check box is currently selected.
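A model of the browser-side evaluation of Enable If and Visible If expressions described above, added here as an example and not ClearPass code. The function names, the sample form and the rules are hypothetical, and the audit function assumes that a browser does not post disabled controls. Because the server never uses these expressions, a posted value for a field the form had disabled is something the server has to check for itself, which the last function illustrates.

```javascript
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Evaluate one Enable If / Visible If expression with every form field
// visible as a local variable named after the field, as the guide
// describes. Hypothetical model of what the browser does.
function evaluateFieldExpression(expression, fields) {
  const names = Object.keys(fields);
  const bad = names.find((n) => !IDENTIFIER.test(n));
  if (bad !== undefined) {
    return { ok: false, error: `field name is not a valid identifier: ${bad}` };
  }
  let compiled;
  try {
    // "return ( ... )" compiles only if the text is an expression; the
    // newline keeps a trailing // comment from swallowing the parenthesis.
    // This is not a sandbox: the text runs with the page's privileges.
    compiled = new Function(...names, `return (${expression}\n);`);
  } catch (err) {
    return { ok: false, error: `${err.name}: ${err.message}` };
  }
  try {
    const result = compiled(...names.map((n) => fields[n]));
    return { ok: true, value: Boolean(result) };
  } catch (err) {
    // For example a ReferenceError for a field that is not on the form.
    return { ok: false, error: `${err.name}: ${err.message}` };
  }
}

// Constructed sample form: field name -> kind of user interface element.
const sampleForm = {
  sample_field: 'text',
  notify_sponsor: 'checkbox',
  sponsor_email: 'text',
};

// Constructed rules, keyed by the field they control.
const sampleRules = {
  sponsor_email: { enableIf: 'notify_sponsor.checked' },
  sample_field: { visibleIf: "sample_field.value != ''" },
};

// Constructed state of the form in the browser.
const sampleFields = {
  sample_field: { value: 'contractor' },
  notify_sponsor: { checked: false },
  sponsor_email: { value: '' },
};

// Rebuild the objects an expression sees from posted form data.
function fieldsFromSubmission(formDefinition, submitted) {
  const fields = {};
  for (const [name, kind] of Object.entries(formDefinition)) {
    const present = Object.prototype.hasOwnProperty.call(submitted, name);
    fields[name] = kind === 'checkbox'
      ? { checked: present } // unchecked boxes are not posted
      : { value: present ? String(submitted[name]) : '' };
  }
  return fields;
}

// Server-side audit (an added idea, not a ClearPass feature): list posted
// fields whose Enable If rule is false for the posted state. A rule that
// fails to evaluate is reported too, rather than trusted.
function disabledFieldsSubmitted(rules, formDefinition, submitted) {
  const fields = fieldsFromSubmission(formDefinition, submitted);
  const flagged = [];
  for (const [name, rule] of Object.entries(rules)) {
    if (!rule.enableIf) continue;
    if (!Object.prototype.hasOwnProperty.call(submitted, name)) continue;
    const outcome = evaluateFieldExpression(rule.enableIf, fields);
    if (!outcome.ok || outcome.value === false) flagged.push(name);
  }
  return flagged.sort();
}
```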
92. group, choose one of the following options from the Account Details drop-down list:
• User provided (entered by user on device): This option requires the user to enter their credentials on the device to access their email.
• Identity certificate (created during provisioning): This option uses the device's TLS client certificate to authenticate the user. Using this option requires configuration of the ActiveSync server to authenticate a user based on the client certificate.
• Shared preset values (testing only): This option provides a fixed set of credentials to the device. These settings cannot be modified for each user when provisioning a device, so it is recommended that these settings only be used when testing Exchange integration.
Account Settings form fields (these options configure the user account):
• Account Details: Select how user account information is to be supplied.
• Domain: Domain for the account. Both Domain and User must be blank for the device to prompt the user.
• User: Username for the account. Both Domain and User must be blank for the device to prompt the user.
• Email Address: The address of the account. Leave blank to use the default of User@ActiveSync Host.
• Password: Password used when access
93. has been issued by another certificate authority. This process is required when configuring an intermediate certificate authority.
  - A private key is not required, as the certificate authority has already generated one and used it to create the certificate signing request.
• Upload a certificate and private key to be used as the certificate authority's certificate. This process may be used to configure a root certificate authority.
  - A private key is required, as the certificate authority's existing private key will be replaced.
NOTE: This form may be used multiple times in order to import each of the certificates in the trust chain. Check the message displayed above the form to determine which certificate or type of file must be uploaded next.
To upload a certificate:
1. Go to Onboard > Certificate Authority Settings and choose either Root CA or Intermediate CA, as appropriate. For more information, see Setting Up the Certificate Authority on page 81.
2. On either the Root Certificate Settings or Intermediate Certificate Settings page, click the Import Certificate link above the form. The Step 1 area of the CA Certificate Import form opens.
CA Certificate Import, Step 1: Select the format of your certificate. The Format options are "Copy and paste certificate as text" and "Upload certificate file"; the form ends with the Upload Certificate button.
94. header row that specifies the field names. This option is only required if the header row is not automatically detected.
Click Next Step to upload the account data.
In step 2 of 3, ClearPass Guest determines the format of the uploaded account data and matches the appropriate fields to the data. The first few records in the data will be displayed, together with any automatically detected field names.
In this example, the following data was used:
    username,visitor_name,password,expire_time
    demo005,Demo five,secret005,2011-06-10 09:00
    demo006,Demo six,secret006,2011-06-11 10:00
    demo007,Demo seven,secret007,2011-06-12 11:00
    demo008,Demo eight,secret008,2011-06-13 12:00
    demo009,Demo nine,secret009,2011-06-13 12:00
    demo010,Demo ten,secret010,2011-06-13 12:00
    demo011,Demo eleven,secret011,2011-06-13 12:00
Because this data includes a header row that contains field names, the corresponding fields have been automatically detected in the data.
[Figure: preview of the imported records under the detected field names username, visitor_name, password and expire_time.]
Use the Match Fields form to identify which guest account fields are present in the imported dat
95. identify a server.
• Certificate Authority: Use this option when the certificate is for a subordinate certificate authority. When this option is selected, the issued certificate will contain an extension identifying it as an intermediate certificate authority, and the extended key usage property will contain the three values Client Auth, Server Auth and OCSP Signing.
Mark the Issue this certificate immediately check box to automatically issue the certificate.
Click the Submit Certificate Signing Request button to save your changes.
If the Issue this certificate immediately check box is marked, the certificate will be issued immediately and will be displayed in the Certificate Management list view.
If the Issue this certificate immediately check box is not marked, the certificate request will be displayed in the Certificate Management list view. The certificate can then be issued or rejected at a later time.

Configuring Provisioning Settings
To configure basic device provisioning settings, go to Onboard > Provisioning Settings, or click the Provisioning Settings command link. The Device Provisioning Settings page opens.
This page is used to configure the settings for ClearPass Onboard device provisioning, including:
• The organization name displayed during device provisioning
• Properties for the certificate
96. if sponsor lookup has been enabled for the server on the Edit Authentication Server page.

LDAP Operator Server Troubleshooting
You can use the LDAP Operator Servers list to troubleshoot network connectivity and operator authentication, and to look up operator usernames.

Testing Connectivity
To test network connectivity between an LDAP server and the ClearPass Guest server, click the Ping link in the server's row. The results of the test appear below the server entry in the LDAP server table.

Testing Operator Login Authentication
1. To test authentication of operator login values, select a server name in the LDAP Server table, then click the Test Auth link. The Test Operator Login area is added to the page, with these fields:
• Test Username: The username to use when testing authentication.
• Test Password: The password to use when testing authentication.
• Advanced: Show detailed authorization info.
2. Enter an operator username and password for the LDAP Server.
3. (Optional) Click the Advanced check box to display detailed authorization information for the specified operator.
4. Click Log I
97. issued, and then click the Sign Request button. The certificate will be issued, and will then replace the certificate signing request in the list view.
• Reject request: Displays the Reject Request form. Use this action to reject the request for a certificate. Rejected requests are automatically deleted according to the data retention policy.
The Reject Request form shows the Request Details (details about the request and its owner, including its name and subject) and the Reject this request check box (select this check box to confirm the rejection of this request).
Mark the Reject this request check box to confirm that the certificate signing request should be rejected, and then click the Reject Request button.
• Delete request: Removes the certificate signing request from the list. This option is only available if the data retention policy is configured to permit the certificate signing request's deletion. See Configuring Data Retention Policy for Certificates on page 90.
98. it has been created using the wizard but subsequently modified. See Modifying Wizard Generated Templates on page 196 in this chapter for further information.

Options to show where a print template is being used, and to control individual permissions for a print template, are also available when selecting a print template. See Setting Print Template Permissions on page 197.

[Screenshot: Print Templates list with the columns Name, Format and Status, and the actions Edit, Duplicate, Delete, Preview, Show Usage and Permissions]

Plain text print templates may be used with SMS services to send guest account receipts; see About SMS Guest Account Receipts on page 233 for details. Because SMS has a 160 character limit, the number of characters used in the plain text template will be displayed below the preview. If you are including a guest account's email address in the SMS, remember to allow for lengthy email addresses; up to 50 characters is a useful rule of thumb.

Creating New Print Templates

To define a new print template, click the Create new print template link. This opens a window with four parts. The first part lists the variables that can be used in the templat
99. l ime Format Syntax on page 279 for a list of available date time formats or use one of the following special format strings hhmmss hh mm ss time of day iso8601 iso8601t iso 8601 iso 8601t various ISO 8601 date formats with and without hyphen separators and the time of day longdate date and time in long form displaytime time of day returns the string following the if the time value is 0 or uses the format string before the otherwise recent for example 2 minutes ago 3 months ago NwaDateFormat Converts a time measurement into a description of the corresponding duration Format parameters seconds minutes hours days weeks Any format can be converted to another By default this function converts an elapsed time value specified in seconds to a value that is displayed in weeks days hours minutes and seconds Up to four additional arguments may be supplied to control the conversion in_format The current units of the value being converted seconds minutes hours days weeks max_format Controls the max increment you want displayed min_format Controls the min increment you want displayed Only whole numbers are printed default If set this value will be returned when the resulting duration after min_format is taken into account is 0 NwaDurationFormat NwaExplodeComma Converts a string to an array by splitting the string at each comma and forming an array of
100. length of the password is specified by the random_password_length field.
• nwa_complex_password to create a complex password string which contains uppercase letters, lowercase letters, digits and symbol characters.
• nwa_complexity_password is dynamic and matches your complexity setting for password generation. For example, if you require your passwords to have both letters and digits, then this validator will confirm that the password has at least one of each.
• nwa_words_password to create a random password using a combination of two randomly selected words and a number between 1 and 99. The maximum length of each of the randomly selected words is specified by the random_password_length field.
• nwa_picture_password to create a password using the format string specified by the random_password_picture field.

random_password_picture (String): The format string to use when creating a random password, if random_password_method is set to nwa_picture_password.

The length, in characters, of randomly generated account usernames. For nwa_words_password, the random_username_length is the maximum length of the random words to use. Two random words will be used to create the username, joined together with a small number (up to 2 digits). For nwa_picture_password, the random_username_length is ignored. For nwa_sequence, the random_username_length is the length of the sequence number in the username; the sequence number will be zero-padded. For example speci
101. Customizing Fields 145
Creating a Custom Field 145
Duplicating a Field 147
Editing a Field 147
Deleting a Field 147
Displaying Forms that Use a Field 147
Displaying Views that Use a Field 147
Customizing AirGroup Registration Forms 147
Configuring the Shared Locations and Shared Role Fields 147
Example 149
Customizing Forms and Views 150
Editing Forms and Views 151
Duplicating Forms and Views
102. lines containing key value pairs where the key and value are separated with a vertical bar No sortin Sort 5 l l Method to use to sort the available options Collapse Hide when no options are selectable Select this option to automatically hide the form field when only one choice is available Layout Layout mode for the checklist options Vertical Columns Number of columns to draw in the checklist Advanced Properties These properties control conversion display and dynamic behaviours Advanced Show advanced properties NwalmplodeComma x Conversion ee The function used to convert an incoming field value prior to validation Type Error The error message to display if the field s value is not supplied has an incorrect type or if conversion fails Use default The function used to format a field value after validation NwaExplodeComma x The function used to convert a field to a displayable value on the form Value Format Display Function visitor name Display Param j l n Optional name of field whose value will be supplied as the argument to a display function For example suppose the first two check boxes are selected in this example with keys one and two The incoming value for the field will be an array containing 2 elements which can be written as array one two The NwalmplodeComma conversion is applied which converts the array value int
103. lost. This is indicated with the warning message "The print template code has been modified. Making changes using the wizard will destroy any changes made outside of the wizard."

Setting Print Template Permissions

On the Configuration > Print Templates list view, the Permissions link for a template can be used to control access to an individual print template at the level of an operator profile. The Permissions link is only displayed if the current operator has the Object Permissions privilege. This privilege is located in the Administrator group of privileges.

[Screenshot: Edit Print Template Permissions form for the GuestManager Receipt object, showing the owner profile and the Access list]

The permissions defined on this screen apply to the print template identified in the Object line.

The owner profile always has full access to the print template. To control access to this print template by other entities, add or modify the entries in the Access list. To add an entry to the list, or remove an entry from the list, click one of the icons in the row. A Delete icon and an Add icon will then be displayed for that row. Select one of the fol
104. message will time out.
6. In the Attempts row, enter the maximum number of times the system should attempt to send an AirGroup message.
7. Click Save Configuration.

Creating AirGroup Administrators

AirGroup Administrators are users of Dell Networking W-ClearPass Guest who can define and manage their organization's shared devices. Devices can be shared globally, or shared with restrictions based on the username, role, or location of the user trying to access the device.

The AirGroup Administrator profile is automatically created in ClearPass Guest when the AirGroup Services plugin is installed. This profile is used to define the AirGroup Administrator role. To create an AirGroup Administrator, see Creating a New Operator on page 248.

Creating AirGroup Operators

AirGroup Operators are users of Dell Networking W-ClearPass Guest who can provision a limited number of their own personal devices. Each device provisioned by an operator is automatically shared with all of that operator's provisioned devices. The operator can also define a group of other users who are allowed to share the operator's devices.

The AirGroup Operator profile is automatically created in ClearPass Guest when the AirGroup Services plugin is installed. This profile is used to define the AirGroup Operator role. To create an AirGroup Operator, see Creating a New Operat
105. numbers was imported for pre-registration, each visitor's entries for those fields at registration must match.

Form Field Validation Processing Sequence

The following figure shows the interaction between the user interface displayed on the form and the various conversion and display options.

Figure 26 Steps involved in form field processing
[Figure: flow between the web browser and the server through Form Submit, Conversion, Check Type, Validator, Value Formatter, Display Formatting, Form Processing, Form Display and Stored Value]

The Conversion step should be used when the type of data displayed in the user interface is different from the type required when storing the field. For example, consider a form field displayed as a date/time picker, such as the expire_time field used to specify an account expiration time on the create_user form. The user interface is displayed as a text field, but the value that is required for the form processing is a UNIX time (integer value).

[Screenshot: Advanced Properties with Conversion set to NwaConvertOptionalDateTime and the type error message "Please enter a valid date and time"]
106. Content Manager 134
Uploading Content 135
Downloading Content 135
Additional Content Actions 136
Customizing Guest Manager 137
Default Settings for Account Creation 137
About Fields, Forms, and Views 141
Business Logic for Account Creation 141
Verification Properties 141
Basic User Properties 141
Visitor Account Activation Properties 142
Visitor Account Expiration Properties 142
Other Properties 143
Standard Forms and Views
107. options in the Proxy Setup drop-down list:
• None: No proxy server will be configured with this VPN profile.
• Manual: A proxy server will be configured with this VPN profile. Specify the proxy server settings in the Server and Port fields. If authentication is required to access this proxy, you may specify the username and password using the Authentication and Password text fields.
• Automatic: The proxy server will be automatically configured with this VPN profile. Specify the location of a proxy auto-config file in the Proxy Server URL text field.

Click the Save Changes button to save the VPN connection profile and return to the main Onboard configuration user interface.

Configuring an iOS Device Email Account

To configure the Exchange ActiveSync settings that will be sent to a device, go to Onboard > Exchange ActiveSync, or click the Exchange ActiveSync command link. The Exchange ActiveSync Settings page opens.

This page is used to automatically configure an email account on the iOS device. Use this option when you have an Exchange mail server and want to automatically provide the email settings to users provisioning their mobile devices.

NOTE: Onboard Exchange ActiveSync settings can only be used with iOS 4 and iOS 5 devices. Other platforms are not supported.
108. or Bcc recipients generate an email message using the specified print template and send it to the specified recipient list.

smtp_warn_before_subject: This field overrides what is specified in the subject line under Logout Warnings on the email receipt. If the value is default, the default subject line under the Logout Warnings section on the email receipt configuration is used.

smtp_warn_before_template_id: This field overrides the print template ID specified under Logout Warnings on the email receipt. If the value is default, the default template ID under the Logout Warnings section on the email receipt configuration is used.

smtp_warn_before_receipt_format: This field overrides the email format under Logout Warnings to use for the receipt. It may be one of:
• plaintext: No skin, plain text only
• html_embedded: No skin, HTML only
• receipt: No skin, native receipt format
• default: Use the default skin
• or the plugin ID of a skin plugin, to specify that skin.
If blank or unset, the default value in the Email Field under the Logout Warnings on the email receipt configuration is used.

smtp_warn_before_cc_list: This overrides the list of additional email addresses that receive a copy of the visitor account receipt under Logout Warnings on the email receipt. If the value is default, the default carbon-copy list under Logout Warnings from the email receipt configuration is used.
109. organization name. See Configuring Basic Provisioning Settings on page 107.
Example (organization_name): <h2>Welcome to {nwa_mdps_config name=organization_name}</h2>

Configuring the Certificate Authority

To configure certificate authority settings, navigate to Onboard > Certificate Authority Settings, or click the Certificate Authority Settings command link. The Certificate Authority Settings form opens.

This page is used to configure the Onboard certificate authority and to perform maintenance tasks for the CA.
• Set up a root or intermediate certificate authority. See Setting Up the Certificate Authority on page 81.
• Determine the OCSP URL for the certificate authority.
• View the trust chain for the certificate authority. See Uploading Certificates for the Certificate Authority on page 91.
• Renew the certificate authority's certificate. See Renewing the Certificate Authority's Certificate on page 90.
• Configure the data retention policy applied to certificates issued by the authority. See Configuring Data Retention Policy for Certificates on page 90.
• Import a private key/certificate pair. See Installing a Certificate Authority's Certificate on page 88.

NOTE: For information on setting up certificates when using Onboard in a cluster, see Certifica
110. placed on a user's computer by Web sites the user visits. They are widely used in order to make Web sites work, or work more efficiently, as well as to provide information to the owners of a site. Session cookies are temporary cookies that last only for the duration of one user session.

When a user registers or logs in via a W-Series captive portal, Dell uses session cookies solely to remember between clicks who a guest or operator is. Dell uses this information in a way that does not identify any user-specific information, and does not make any attempt to find out the identities of those using its W-Series ClearPass products. Dell does not associate any data gathered by the cookie with any personally identifiable information (PII) from any source. Dell uses session cookies only during the user's active session and does not store any permanent cookies on a user's computer. Session cookies are deleted when the user closes his/her Web browser.

Chapter 3 Guest Manager

The ability to easily create and manage guest accounts is the primary function of Dell Networking W-ClearPass Guest. The Guest Manager module provides complete control over the user account creation process. Guest Manager features for managing guest accounts let you:
• Create single or multiple guest accounts and receipt
111. portal. Access to the portal when it is disabled results in a disabled message being displayed; this message may be customized using the Disabled Message field.
• The Disabled Users check box controls whether a user account that has been disabled is allowed to log in to the portal.
• The Change Password check box controls whether guests are permitted to change their account password using the portal.
• The Reset Password check box controls whether guests are permitted to reset a forgotten account password using the portal. If this check box is enabled, the Required Field may be used to select a field value that the guest must match in order to confirm the password reset request.

If the Auto login by IP address option is selected, a guest accessing the self-service portal will be automatically logged in if their client IP address matches the IP address of an active RADIUS accounting session (that is, the guest's HTTP client address is the same as the RADIUS Framed-IP-Address attribute for an active session).

The Password Generation drop-down list controls what kind of password reset method is used in the portal. The default option is "Passwords will be randomly generated", but the alternative option "Manually enter passwords" may be selected to enable guests to select their own password through the portal.

Click the Save Changes button to return to the process diagram for self-registration
112. quotes 284 NwaGenerateRandomPasswordMix Dell Networking W ClearPass Guest 6 0 Deployment Guide Soptions may be specified to control additional parsing options described in the table below Table 30 Parsing Options Function Description C If true recognize syntax as well as default true If set specifies the desired character set to convert to using the iconv function default is UTF 8 TRANSLIT son post processing option order string for NwaCreateUsortFunc to sort the records by the specified column s ost processing option starting offset of slice to return see array sli function slice_length ost processing option length of slice to return see arra function See NwaParseCsv on page 284 and NwaVLookup on page 286 NwaParseXml NwaParseXml xml text Parses a string as an XML document and returns the corresponding document structure as an associative array Returns an array containing the following elements error set if there was a problem parsing the XML message describes the parse error Otherwise the return is an array with these elements name name of the document element attributes attributes of the document element children array containing any child elements content element content text NwaPasswordByComplexity NwaPasswordByComplexity Slen Smode false Dell Networking W ClearPass Guest 6 0 Deployment Guide NwaParsexml
113. receipt configuration is used.

String. This field overrides the Reply To field (that is, the sponsor email field of a user, or the admin's email) under the Logout Warnings on the email receipt. If the value is default, the Reply To field under Logout Warnings from the email receipt configuration is used.

String. This field overrides the Override From field under the Logout Warnings on the email receipt. If the value is default, the Override From field under Logout Warnings from the email receipt configuration is used.

Format Picture String Symbols

When generating a username or password using the nwa_picture_password method, a picture string should be provided to specify the format of the generated username or password in the random_username_picture or random_password_picture field. The picture string is used as the username or password, with the following symbols replaced with a random character.

Table 36 Picture String Symbols
Symbol Replacement
Random digit 0 9
Random letter A Z a z
Random lowercase letter a z

Any other alphanumeric characters in the picture string will be used in the resulting username or password. Some examples of the picture string are shown below.

Table 37 Picture String Example Passwords
HHH 3728 user H user3728 Vv vQU3n Bh7Pm
114. requests for the account will always fail. Set this field to 1 to enable the account.

expiration_time (String): Description of the account's expiration time. This field is set when modifying an account. This field is available on the change_expiration and guest_enable forms. The value is generated from the do_expire, expire_time, expire_postlogin and expire_usage fields, and may be one of the following:
• Account will expire at date and time, or interval after first login, or after interval total usage
• Account will expire at date and time, or interval after first login
• Account will expire at date and time, or after interval total usage
• Account will expire at date and time
• Expires interval after first login, or after interval total usage
• Expires interval after first login
• Expires after interval total usage
• No expiration time set

expire_time (Integer): Time at which the account will expire. The expiration time should be specified as a UNIX timestamp. Setting an expire_time value also requires a non-zero value to be set for the do_expire field; otherwise, the account expiration time will not be used. Set this field to 0 to disable this account expiration timer.

expire_usage (Integer): The total time period, in seconds, for which the account may be used. Usage is calculated across all accounting sessions with the same username. Set this field to 0 to disable this account expiration timer.
115. required field are always validated, including blank values.

Validation errors are displayed to the user by highlighting the field(s) that are in error and displaying the validation error message with the field.

[Screenshot: the Visitor's Name field highlighted with the validation error "You cannot leave this field blank"]

All fields must be successfully validated before any form processing can take place. This ensures that the form processing always has user input that is known to be valid.

To validate a specific field, choose a validator from the drop-down list. See Form Field Validation Functions on page 298 for a description of the built-in validators.

The Validator Param is the name of a field on the form, the value of which should be passed to the validator as its argument. This could be used to validate one field based on the contents of another. However, in most deployments this does not need to be set. Set the Validator Param to its default value, Use argument, to provide a fixed value as the argument to the validator.

The Validator Argument is used to provide further instructions to the selected validator. Not all validators require an argument; a validator such as IsValidEmail is entirely self-contained and will ignore the Validator Argument. Validators such as IsEqual, IsInRange and IsRegexMatch
116. server will be configured, if the device supports it. Specify the proxy server settings in the Server and Server Port fields.
• Automatic: The device will configure its own proxy server, if the device supports it. Specify the location of a proxy auto-config file in the PAC URL text field.
• Do one of the following:
  o Click the Previous button to return to the Windows tab.
  o Click the Create Network button to make the new network configuration settings take effect.
  o Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.

Configuring an iOS Device VPN Connection

To configure the VPN settings that will be sent to a device, go to Onboard > VPN Settings, or click the VPN Settings command link. The VPN Settings page opens.

This page is used to automatically configure virtual private networking (VPN) settings on the iOS device. Use this option when you have deployed a VPN infrastructure and want to automatically provide the secure connection settings to users at the time of device provisioning.

NOTE: ClearPass Onboard VPN settings can only be used with iOS 4 and iOS 5 devices. Other platforms are not supported.

[Screenshot: VPN Settings form, General Settings section]
117. setting the field to 1 String Comments or notes stored with the account This field may be up to 255 characters in multi initial sequence GuesiManager Standard Fields 291 Field Description Integer The number of accounts to create when using the create_multi form This field num_accounts AA i nat controls account creation behavior it is not stored with created visitor accounts String Password for the account This field may be up to 64 characters in length String Password for the account If this field is set its value must match the value of the password password field for the accountto be created or updated This can be used to verify that a password has been typed correctly This field controls account creation and modification behavior itis not stored with created or modified visitor accounts String Controls the password changing behavior for a guest account This field may be set to one of the following values empty string Default behavior that is guests are not required to change their password deny Prevents the guest from changing their password first Requires the guest to change their password on their first login next Requires the guest to change their password on their next login recur Require the guest to change their password on a regular schedule as specified by the password_action_recur field recur_next Require the guest to change their password on their next or first
118. skin plugins. Skin plugins can also be enabled or disabled, letting you choose which skin to use.

To view or change a plugin's configuration, go to the Administration > Plugin Manager page and click the List Available Plugins command.

[Screenshot: ClearPass Guest Services plugin entry with the Configuration and About links]

To view or change the configuration settings for a plugin, click the plugin's Configuration link. The Configure Plugin form shows the current configuration settings for a plugin, and allows you to make changes to these settings.

[Screenshot: Configure MAC Authentication (6.0.1-22683) form. Help text for the MAC Detect option: "Allow users to be detected via their MAC address. Provides access to user configuration for headers, footers, etc. on login and registration pages. Please note that a passed MAC can be easily changed by the user, so personal details should not be displayed. Requires a vendor that passed the mac as part of the redirection." The Device Filter option, with the choices List Accounts and Edit Accounts, selects which views should not display devices (user accounts with the mac_auth field set).]

To undo any changes to the plugin's configuration, click the plugin's Restore default configuration link. The plugin's configuration is restored to the factory default setting
119. smtp email field 193 smtp_enabled 192 smtp_receipt_format 193 smtp_subject 192 297 smtp_template_id 193 297 smtp_warn_before_cc_action 194 297 smtp_warn_before_cc_list 193 297 smtp_warn_before_receipt_format 193 smtp_warn_before_subject 193 297 smtp_warn_before_template_id 193 297 state 295 submit_free 295 username 141 196 visitor_accept_terms 295 visitor_carrier 296 visitor_fax 295 visitor_name 189 warn_before_from 194 297 warn_before_from_sponsor 194 297 zip 295 filtering application log 238 devices 45 guest accounts 35 38 sessions 61 Form field Display properties 153 Drop down list 156 Enable If 168 Hidden 156 Password 157 Radio Buttons 157 Static text 158 Static text Options lookup 160 Static text Raw value 159 Submit button 161 Text area 161 Text field 161 Validation errors 162 Dell Networking W ClearPass Guest 6 0 Deployment Guide Validation properties 162 Value conversion 166 Value formatter 167 Visible If 168 form fields advanced properties 165 CAPTCHA 153 check box 154 checklist 154 conversion functions 301 Date time picker 155 display functions 152 301 group heading 160 initial value 162 validator functions 298 value format functions 301 formats certificate 97 forms 21 141 144 change_expiration 144 create_multi 144 create user 144 customizing 150 duplicating 151 editing 151 152 form field editor 152 guest edit 144 guest multi form 40 144 guest regist
120. specifying the filter role id 2 3 custom_ field Value restricts the accounts displayed to those with lt h role IDs 2 and 3 Guest and Employee and with the field is less than or equal to named custom field set to Value matches the regular expression does not match the regular expression To restore the default view click the Clear Filter link Use the paging control at the bottom of the list to jump forwards or backwards by one page or to the first or last page of the list You can also click an individual page number to jump directly to that page n 2 gt hi To select a device click the device you want to work with Changing a Device s Expiration Date To change a device s expiration date click the device s row in the Guest Manager Devices list then click its Change expiration link The row expands to include the Change Expiration form Change Expiration Username 0 DE E2 C 235 B6 Account Expiration No expiration time set Account Expiration No changes Account will not expt n time of this account Account will not expire Now Tonight Friday night 88 30 84 40 Guesli hour from now 3B 40 1 day from now _ 1 week from now 9C 20 7B A7 IGuesi account expires after vA 24 Account expires at specified time l Inthe Account Expiration row choose one of the options in the drop down list to set an expiration date If you choose Account expires aft
121. the HREF of the link This HREF will be added to both the icon and the text If the content of the link is empty no link will be inserted This can be used to insert an icon and text as an inline group No HTML entity escaping is performed when inserting content using this function nwa_icontext nwa_icontext nwa_icontext Smarty registered block function Generates a block of text with a marker icon displayed in the top left Usage examples nwa _icontext icon images icon info22 png Text to display nwa_icontext nwa icontezt type info Information block nwa_icontext The icon parameter if specified is the SRC to the image of the icon This should normally be a relative path The width and height parameters if specified provide the dimensions of the icon to display If not specified this is automatically determined from the image The alt parameter if specified provides the alternate text for the icon The class parameter if specified is the style name to apply to a containing DIV element wrapped around the content If this is empty and a default 1s not provided through the type parameter no wrapper DIV is added The style parameter if specified is the CSS inline style to apply to a containing DIV element as for the class parameter The type parameter if specified indicates a predefined style to apply this may be one of the following error red cro
122. the Validity Period text field to specify the maximum length of time for which a client certificate issued during device provisioning will remain valid.

4. The Clock Skew Allowance text field adds a small amount of time to the start and end of the client certificate's validity period. This permits a newly issued certificate to be recognized as valid in a network where not all devices are perfectly synchronized. For example, if the current time is 12:00 and the clock skew allowance is set to the default value of 15 minutes, then the client certificate will be issued with a "not valid before" time of 11:45. In this case, if the authentication server that receives the client certificate has a time of 11:58, it will still recognize the certificate as valid. If the clock skew allowance was set to 0 minutes, then the authentication server would not recognize the certificate as valid until its clock has reached 12:00. The default of 15 minutes is reasonable. If you expect that all devices on the network will be synchronized, then the value may be reduced. A setting of 0 minutes is not recommended, as this does not permit any variance in clocks between devices.

When issuing a certificate, the certificate's validity period is determined as follows:

The "not valid before" time is set to the current time less the clock skew allowanc
123. the form's row in the Customize Forms & Views list, and then click the Edit Fields link. The Customize Form Fields view opens.

Rank | Field | Type | Label | Description
10 | sponsor_name | text | Sponsor's Name | Name of the person sponsoring this visitor account
15 | sponsor_email | text | Sponsor's Email | Email of the person sponsoring this visitor account
… | … | … | Visitor's Name | Name of the visitor
25 | visitor_phone | text | Phone Number | The visitor's phone number
30 | visitor_company | text | Company Name | Company name of the visitor
40 | email | text | Email Address | The visitor's email address. This will become their username to log into the network
50 | modify_start_time | dropdown | Account Activation | Select an option for changing the …

Form fields have a Rank number, which specifies the relative ordering of the fields when displaying the form. The Customize Form Fields editor always shows the fields in order by rank. The Type of each form field is displayed. This controls what kind of user interface element is used to interact with the user. The Label and Description displayed on the form are also shown in the list view.

To work with a form field, click its row in the list. The row expands to include the Edit, Edit Base Field, Remove, Insert Before, Insert After, and Disable Field options
124. the form and select the number of entries that should appear on each page. Click the check box by the account entries you want to create, or click one of the following options to select the desired accounts:
• Click the This Page link to select all entries on the current page.
• Click the All link to select all entries on all pages.
• Click the None link to deselect all entries.
• Click the New link to select all new entries.
• Click the Existing link to select all existing user accounts in the list.

Click the Create Accounts button to finish the import process. The selected items will be created or updated. You can then print new guest account receipts or download a list of the guest accounts. See Creating Multiple Guest Account Receipts on page 31 in this chapter for more information.

Exporting Guest Account Information

Guest account information may be exported to a file in one of several different formats.

[Figure: Export Guest Accounts form. Export a list of all current guest accounts to a file. You can select the format you want to export to here.]

Click the appropriate command link to save a list of all guest accounts in comma-separated values (CSV), tab-separated values (TSV), or XML format. The Export Accounts view (guest_export) may be customized by adding new fields, or by modifying or removing the existing fields. See Customizing S
125. the private key is not encrypted, leave this field blank. Re-enter the private key's passphrase. If the private key is not encrypted, leave this field blank.

5. If you selected Upload certificate file, click Choose File in the Certificate row to browse to the file and select it.
• To upload a single certificate, choose a certificate file in PEM (base-64 encoded) or binary format (.crt or PKCS#7). Leave the passphrase fields blank.
• To upload a certificate's private key as a separate file, choose the private key file in PEM (base-64 encoded) format. If the private key has a passphrase, enter it in the Private Key Passphrase and Confirm Passphrase fields. The private key will be automatically matched to its corresponding certificate when uploaded.
• To upload a combined certificate and private key, choose a file in either PEM (base-64 encoded) or PKCS#12 format. If the private key has a passphrase, enter it in the Private Key Passphrase and Confirm Passphrase fields.

Installing a Certificate Authority's Certificate

[Figure: CA Certificate Import form. Step 1: Select the format of your certificate (Copy and paste certificate as text, or Upload certificate file). Step 2: Upload the certificate file here.] Choose a digital certificate to upload. This should be a PEM encoded X.509 cer
126. the specified expiration time. Otherwise, if expire_time is not specified, then the expire_time is not set and do_expire will always be set to zero. If the do_expire field is not included in the form, the default expiration action is 4, Logout and Delete. This can be configured on the Customize Guest Manager page.

expire_postlogin: This field determines the amount of time after the initial login for which the visitor account will remain valid. If this field is not specified, the default value is 0 (account lifetime not set).

expire_usage: This field determines the total amount of login time permitted for the visitor account. If this field is not specified, the default value is 0 (account usage is unlimited).

Other Properties

All other properties specified at creation time are stored with the visitor account (for example, email, visitor_name, visitor_company, visitor_phone, sponsor_name, as well as any custom fields that have been defined).

Standard Fields

See Field, Form and View Reference on page 287 for a listing of the standard fields shipped with ClearPass Guest.

Standard Forms and Views

The figure below shows the standard forms and views in the application.

[Figure: Visitor Management Functions (Single Account, Multiple Accounts): Create Account, Create Multiple, List Accounts, Change Expiration, Reset Password, Export Accounts, Print Receipt, Edit Multiple …]
127. the top of the window or the Create a new field link at the bottom of the window. The Create Field form is displayed.

[Figure: Create Field form. Field Name: The unique name of this field. This is a single word that may consist of letters, digits and underscores. Field Type: The type of data that is stored in this field. Description: An optional description of this field.]

The Field Name is not permitted to have spaces, but you can use underscores. Enter a description in the Description field. You can enter multiple-line descriptions, which result in separate lines displayed on the form. The Field Type can be one of String, Integer, Boolean, or No data type. The No data type field would be used as a label or a submit button.

Default View Display Properties

[Figure: Default View Display Properties. These options control the default values when used in a column. Column Type: Type of column used to display this field. Column Title: The title text to display for this field's column. Column Width: The default width of this field, in pixels. CSS Class: Optional CSS class name to apply to this form field. CSS Style: Optional CSS style text to apply to this form field. Column Format: Describe how the value should be displayed onscreen. Search: Include values when performing a quick search …]
128. the username is specified by the random_username_length field. nwa_words_password to create a username using a combination of two randomly selected words and a number between 1 and 99. The maximum length of each of the randomly selected words is specified by the random_username_length field. (Field: random_username_method)

random_username_picture: String. The format string to use when creating a username, if the random_username_method field is set to nwa_picture_password. See Format Picture String Symbols on page 297 for a list of the special characters that may be used in the format string.

remote_addr: String. The IP address of the guest at the time the guest account was registered. This field may be up to 20 characters in length. The value of this field is not currently used by the system.

role_id: Integer. Role to assign to the account. The value of this field must be the integer ID of a valid RADIUS user role.

(field name missing): String. Name of the role assigned to the account.

(field name illegible): Integer. Time period, in hours, after which the account will be enabled. This field is used when the modify_schedule_time field is set to Schedule after. The value is specified in hours and is relative to the current time. This field controls account creation behavior; it is not stored with created visitor accounts.

(field name missing): Integer. Time at which the account will be enabl
129. the value of a single field. To use the default view display properties for a field, you only need to select the field to display in the column and then click the Save Changes button. To customize the view display properties, click the Advanced view options check box.

The column type must be one of the following:
• Text: The column displays a value as text.
• Sortable text: The column displays a value as text, and may be sorted by clicking on the column heading.
• Sortable text, case-insensitive: The same as Sortable text, but the column sorting will treat uppercase and lowercase letters the same.
• Sortable numeric: The column displays a numeric value, and may be sorted by clicking on the column heading.

The Column Format may be used to specify how the field's value should be displayed. You may choose from one of the following:
• Field Value: The value of the field is displayed as plain text.
• Field Value (Un-Escaped): The value of the field is displayed as HTML.
• Boolean Yes/No: The value of the field is converted to Boolean and displayed as Yes or No.
• Boolean Enabled/Disabled: The value of the field is converted to Boolean and displayed as Enabled or Disabled.
• Boolean On/Off: The value of the field is converted to Boolean and displayed as On or Off.
• Date: The value of the field is assumed to be a UNIX timestamp value and is displayed as a date and time
130. the value of this field is checked.

[Figure: form field validation properties. Field Required: Field value must be supplied. Select this option if the field cannot be omitted or left blank. Initial Value: Value to initialize this field with when the form is first displayed. Validator: The function used to validate the contents of a field.]

The form was submitted with the following values:

array(password => password, sponsor_name => Sponsor, visitor_name => Visitor, visitor_company => Company, email => demo@example.com, expire_after => 1, expire_time => 0, role_id => 2, creator_accept_terms => true, submit => NULL)

• Password text field: The field is displayed as a text field, with input from the user obscured. The text typed in this field is submitted as the value for the field.

[Figure: Sample Field shown as a password text field, with its form properties. User Interface: The kind of user interface element to use when entering or editing this field. Label: Label for this field to display on the form. Description: Descriptive text for this field, displayed with the user interface element. CSS Class: Optional CSS class name to apply to this form field. CSS Style: Optional CSS style text to apply to this form field.]

• Radio buttons: The fie
131. the visitor account is not created.

auto_update_account: If this field is present and set to a non-zero value, account creation will not fail if the username already exists; any changes will be merged into the existing account using an update instead.

Basic User Properties

username: This field is the name for the visitor account and may be provided directly. If this field is not specified, then use the email address from the email field, and if that is also not specified, then randomly generate a username according to the value of the random_username_method and random_username_length fields.

modify_password: This field controls password modification for the visitor account. It may be set to one of these values:
• reset, to randomly generate a new password according to the values of the random_password_method and random_password_length fields
• password, to use the password specified in the password field
• random_password, to use the password specified in the random_password field
If blank or unset, the default password behavior is used, which is to use any available value from the random_password field and the password field, or assume that reset was specified otherwise.

password: This field is the password for the visitor account and may be provided directly. If this field is not specified, then randomly generate a password according to the values of the random_password_method and random_password_length fields.
132. this carrier in the list available to the users.

[Figure: Create Carrier form. Country: Country the carrier supports. SMS Address: Use a template to determine the email address. SMS Template: Enter an example email address. Use the keyword NUMBER where appropriate. MMS: Use the SMS template for MMS as well. MMS Template: Enter an example email address. Number Format: Select the country code requirement of the carrier. Subject Line: Optional subject to include in the message. This field supports Smarty template syntax.]

In the Name field, enter the carrier's name. If there is more than one format of the carrier company's name, use the format the public most readily identifies with the carrier service.

6. To include the carrier in the list of choices for users, mark the Enable check box.

7. (Optional) In the Country field, enter the country where the carrier's service is offered. If appropriate, you may also indicate an area within the country, such as a city, county, or state.

8. In the SMS Address drop-down list, choose one of the following options:
• Use a template to determine the email address: When this optio
133. to 5. [Table 8 residue: is greater than; is greater than or equal to; is less than or equal to; matches the regular expression; does not match the regular expression.]

You may search for multiple values when using the equality or inequality operators. To specify multiple values, list them separated by the pipe character (|). For example, specifying the filter "role_id=2|3 custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee) and with the field named custom_field set to Value.

To restore the default view, click the Clear Filter link. Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.

To select guest accounts, click the accounts you want to work with. You may click either the check box or the row to select a visitor account. To select or unselect all visible visitor accounts, click the check box in the header row of the table. Use the selection row at the top of the table to work with the current set of selected accounts. The number of currently selected accounts is shown. When a filter is in effect, the All Matching link can be used to add all pages of the filtered result to the selection.

Use the Create tab to create new visitor accounts using the Create Guest Accounts form. See Managing
134. to be deleted at any time, including before expiration. Maximum Period (52 weeks): The period after which an expired certificate or a rejected request will be automatically deleted. Leave blank to disable automatic deletion.

In the Onboard Device Certificates section of the form, specify a value in the Minimum Period and Maximum Period fields that is appropriate for your organization's retention policy.

NOTE: Use a blank value for Minimum Period to enable the Delete Certificate and Delete Request actions in the Certificate Management list view. This is useful for testing and initial deployment.

The default data retention policy specifies the values:
• Minimum Period of 12 weeks
• Maximum Period of 52 weeks

Uploading Certificates for the Certificate Authority

The Certificate Authority Trust Chain page is used to view the certificate authority's current trust chain, or to upload a new certificate in the trust chain when configuring a certificate authority. To view the Certificate Authority's trust chain, go to Onboard > Certificate Authority Settings and click the View CA Certificate link at the top of the page. The Certificate Authority Trust Chain page is displayed. This page shows a graphical representation of the certificates that make up the trust chain.

[Figure: Certificate Authority Trust Chain, showing the ClearPass Onboard Local Certificate Authority (self-signed) …]
135. to mutual authentication. See Configuring Mutual Authentication Settings on page 122.
• Windows: Specifies networking options used only by devices using the Windows operating system. See Configuring Windows-Specific Network Settings on page 124.
• Proxy: Specifies a proxy server to be used by devices connecting to the network. See Configuring Proxy Settings on page 125.

NOTE: Navigating between different tabs will save the changes you have made. The modified settings are indicated with a marker in the tab. The settings used for device provisioning are not modified until you click Create Network.

[Figure: Network Settings form, Network Access tab (tabs: Access, Protocols, Authentication, Trust, Windows, Proxy). Name: Enter a name for the network that will be shown to the user. Enabled: Select this option to include this network in the device profile. Description: Enter a description for the network that will be shown to the user. Network Type: Select which types of network will be provisioned. Enterprise security (802.1X) will be selected if wired networks are to be supported. Security Type …]
136. users only. See Smarty Template Syntax on page 264 for details about the template syntax you may use to format the content on this page.

Viewing the Hotspot User Interface

The Hotspot Manager allows you to view and test Hotspot self-provisioning pages, as well as log in to and view the Hotspot self-service portal that allows customers to view their current account expiration date, purchase time extensions, log out of the Hotspot, or change their user password. To access either of these user pages, navigate to Configuration > Hotspot Manager and select the Self-Provisioning or Self-Service links in the left navigation menu.

Chapter 7: Administration

The Administration module provides tools used by a network administrator to perform both the initial configuration and ongoing maintenance of Dell Networking W-ClearPass Guest.

Accessing Administration

To access Dell Networking W-ClearPass Guest's administration features, click the Administration link in the left navigation.

Figure 34 The Administration Module's Left Navigation
137. your guests?
• What resources are you going to make available to guests (for example, type of network access; permitted times of day; bandwidth allocation)?
• Will guest access be separated into different roles? If so, what roles are needed?
• How will you prioritize traffic on the network to differentiate quality of service for guest accounts and non-guest accounts?
• What will be the password format for guest accounts? Will you be changing this format on a regular basis?
• What requirements will you place on the shared secret, between NAS and the RADIUS server, to ensure network security is not compromised?
• What IP address ranges will operators be using to access the server?
• Should HTTPS be required in order to access the visitor management server?

AirGroup Deployment Process

AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. You use ClearPass Guest to define AirGroup administrators and operators. AirGroup administrators can then use ClearPass Guest to register and manage an organization's shared devices and configure access according to username, role, or location. AirGroup operators (end users) can use ClearPass Guest to register their personal devices and define the group who can share them. Table … summarizes the steps for configuring AirGroup functionality in ClearPass Guest. Details for these steps are provided i
138. [Figure: guest account list with Username, Role, State, Activation and Expiration columns]

The Username, Role, State, Activation, and Expiration columns display information about the visitor accounts that have been created.
• The value in the Expiration column is colored red if the visitor account will expire within the next 24 hours. The expiration time is additionally highlighted in boldface if the visitor account will expire within the next hour.
• In addition, icons in the Username column indicate the account's activation status: visitor account is active; visitor account was created but is not activated yet; visitor account was disabled by Administrator; visitor account has expired.

You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:

Table 8 Operators supported in filters
Operator | Meaning | Additional Information
… | Is not equal
139. 10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. Click the link to submit a request using a base-64-encoded CMC or PKCS #10 file. The Submit a Certificate Request or Renewal Request page is displayed.

[Figure: Microsoft Active Directory Certificate Services, Submit a Certificate Request or Renewal Request page. To submit a saved request to the CA, paste a base-64-encoded CMC or PKCS #10 certificate request or PKCS #7 renewal request generated by an external source (such as a Web server) in the Saved Request box.]

Copy and paste the certificate signing request text into the Saved Request text field. Because this certificate is for a certificate authority, select the Subordinate Certificate Authority in the Certificate Template drop-down list. Click the Submit button to issue the certificate. Either the Certificate Pending or the Certificate Issued page is displayed.

Figure 20 The Certificate Pending Page
142. 2 Option 2, where the tag=value pair (tag1=value1) represents the value stored in the shared_location field in the database, the pipe character (|) is a separator, and Option 1 represents the text displayed in the checklist.

Optional: To sort the locations by key or value, choose an option from the Sort drop-down list.

Optional: To control the layout of the checklist on the form, first use the Layout drop-down list to select either Vertical or Horizontal. The name of the next field changes to correspond to your choice in this field. Enter the appropriate number in the Vertical Rows or Horizontal Rows field. If the Layout field is left blank, the default layout of a single list of checklist options is displayed.

To ensure the values are stored correctly as a comma-separated list:

1. Scroll to the Advanced Properties section of the form and mark the check box in the Advanced row. The form expands to include the advanced options.

[Figure: Advanced Properties. These properties control conversion, display and dynamic behaviours. Advanced: Show advanced properties. Conversion: NwaImplodeComma. The function used to convert an incoming field value prior to validation. Type Error: The error message to display if the field's value is not supplied, has an incorrect type, or if conversion fails …]
143. Creating AirGroup Operators
Authenticating AirGroup Users via LDAP
Data Retention
Import Configuration
Plugin Manager
Viewing Available Plugins
Configuring Plugins
Configuring the Kernel Plugin
Configuring the Dell W-ClearPass Skin Plugin
Configuring the SMS Services Plugin
SMS Services
Viewing SMS Gateways
Creating a New SMS Gateway
Editing an SMS Gateway
144. Generates a random password of at least $len characters in length, based on one of the standard complexity requirements specified in $mode. If $mode is false or the empty string, the default password complexity is taken from the Guest Manager plugin configuration. Otherwise, $mode should be one of the following values:
• none: No password complexity requirement
• case: At least one uppercase and one lowercase letter
• number: At least one digit
• punctuation: At least one symbol
• complex: At least one of each: uppercase letter, lowercase letter, digit, and symbol

NwaSmsIsValidPhoneNumber

NwaSmsIsValidPhoneNumber($phone_number)

Validates a phone number supplied in E.164 international dialing format, including country code.
• Any spaces and non-alphanumeric characters are removed.
• If the first character is a plus sign (+), the phone number is assumed to be in E.164 format already, and the plus sign is removed; otherwise, if the SMS service handler national prefix is set and the phone number starts with that prefix, then the prefix is replaced with the country code.
• The phone number must contain no fewer than 5 and no more than 15 digits.
• The phone number is validated for a valid country code prefix.
If all the foregoing conditions are met, the validator returns TRUE; otherwise, the validator returns FALSE.

NwaStrongPassword

NwaStrongPassword($len)

Generate strong passwords of $len characters in length. A strong pass
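The validation steps listed for NwaSmsIsValidPhoneNumber, written out as a Python sketch. This is an added example, not ClearPass code: the function names, the national_prefix and country_code parameters (standing in for the SMS service handler settings) and the short country-code table are assumptions made for the illustration, and the sample numbers are constructed.

```python
"""Added illustration of the phone-number validation steps in the guide.

Not ClearPass code. COUNTRY_CODES is a small constructed subset, and the
national_prefix / country_code parameters stand in for the SMS service
handler settings the guide refers to.
"""
import re
from typing import Optional

# Constructed subset of E.164 country calling codes, for this example only.
COUNTRY_CODES = frozenset({"1", "33", "44", "49", "61", "81", "91"})

MIN_DIGITS = 5    # "no fewer than 5 ... digits"
MAX_DIGITS = 15   # "no more than 15 digits"


def normalize_phone_number(raw: str,
                           national_prefix: str = "",
                           country_code: str = "") -> Optional[str]:
    """Return the number as bare E.164 digits, or None if it is rejected."""
    text = raw.strip()
    # Remember the leading plus before it is stripped with the punctuation.
    has_plus = text.startswith("+")

    # Remove spaces and every other non-alphanumeric character. Letters are
    # kept on purpose so that they fail the digits-only check below instead
    # of being silently dropped.
    cleaned = re.sub(r"[^0-9A-Za-z]", "", text)

    if has_plus:
        # Already in international form: nothing to rewrite.
        digits = cleaned
    elif national_prefix and country_code and cleaned.startswith(national_prefix):
        # National form: swap the national prefix for the country code.
        digits = country_code + cleaned[len(national_prefix):]
    else:
        # Assumption: with no plus sign and no matching national prefix the
        # input is checked as it stands.
        digits = cleaned

    if not re.fullmatch(r"[0-9]+", digits):
        return None
    if not MIN_DIGITS <= len(digits) <= MAX_DIGITS:
        return None
    if not any(digits.startswith(code) for code in COUNTRY_CODES):
        return None
    return digits


def is_valid_phone_number(raw: str,
                          national_prefix: str = "",
                          country_code: str = "") -> bool:
    """Boolean form, mirroring the TRUE/FALSE result the guide describes."""
    return normalize_phone_number(raw, national_prefix, country_code) is not None


if __name__ == "__main__":
    # Constructed sample inputs: (number, national prefix, country code).
    samples = [
        ("+61 2 9999 0000", "", ""),
        ("(02) 9999-0000", "0", "61"),
        ("+999 12345", "", ""),
        ("+44 20 7946 0ABC", "", ""),
        ("+1 23", "", ""),
    ]
    for number, prefix, code in samples:
        print(f"{number!r:22} -> {normalize_phone_number(number, prefix, code)}")
```

Rejecting input that still contains letters, rather than discarding them, keeps a mistyped or hostile value from being rewritten into a different but valid number before an SMS is sent.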
145. [Figure: AirGroup device row with Remove, Edit and Print links, and the Edit Device form. To update the properties of this personal AirGroup device, use the form below. Your Name: Name of the person sponsoring this visitor account. Device Name: Enter a name to identify this device. MAC Address: Enter the MAC address of the device. Shared With: Enter up to 10 usernames that will be able to use this device. Use a comma-separated list, e.g. user1, user2, user3.]

3. To edit properties of a device, click the Edit link for the device. The row expands to include the Edit Device form. You can modify the device's name, MAC address, and group of users.

4. When your edits are complete, click Save Changes.

Automatically Registering MAC Devices in ClearPass Policy Manager

If ClearPass Policy Manager is enabled, you can configure a guest MAC address to be automatically registered as an endpoint record in ClearPass Policy Manager when the guest uses a Web login page or a guest self-registration workflow. This customization option is available if a valid Local or RADIUS pre-authentication check was performed.

To configure auto-registration for an address through a Web login page:

1. Go to Configuration > Web Logins, click the row of the page you wish to configure, then click its Edit link. The RADIUS Web Login Editor form opens.

2. Scroll down to t
146. 40 characters respectively. Device IMEI: International Mobile Equipment Identity (IMEI) number allocated to this device. Device ICCID: Integrated Circuit Card Identifier (ICCID) number from the Subscriber Identity Module (SIM) card present in the device. Serial number of the device. MAC Address: IEEE MAC address of this device. Product Name: Product string identifying the device, and often including the hardware version information. Product Version: Software version number for the device. Username of the user who provisioned the device.
Issuing the Certificate Request
Mark the "Issue this certificate immediately" check box to automatically create the certificate. Click the Create Certificate Request button to save your changes. If the "Issue this certificate immediately" check box is marked, the certificate will be issued immediately and will be displayed in the Certificate Management list view. If the "Issue this certificate immediately" check box is not marked, the certificate request will be displayed in the Certificate Management list view. The certificate can then be issued or rejected at a later time.
Managing Certificates
To view the list of certificates and work with them, go to Onboard > Certificate Management, or click the Certificate Management command link y C
147. 51 Figure 9 Modify fields Rank Field Type Label Description 30 visitor_company text Company Name Please enter your company name Please enter your email address 40 email text Email Address This will become your username to log into the network 45 mac text MAC Address MAC address of the device 47 mac_auth hidden Scheduled date and time at which to enable the visitor account If blank the account will be enabled immediately 50 start_time datetime Activation Time Amount of time before this visitor 60 expire_after hidden Expires After pena account will expire Optional date and time at which the visitor accounts will expire and be deleted If blank the account will not expire 65 expire_time datetime Expiration Time Edit the receipt form fields a Edit username to be a Hidden field Edit password to be a Hidden field e Adjust any headers or footers as needed When the visitor registers they should be able to still log in via the Log In button The MAC will be passed as their username and password via standard captive portal means The account will only be visible on the List Devices page If the guest logs out and reconnects they should be immediately logged in without being redirected to the captive portal page Creating Devices During Self Registration Paired Accounts Paired accounts is a means to create a standard visitor account with credentials but to have a MAC account created in parall
148. 6 0 Deployment Guide The NAS performs authentication and authorization for the guest in ClearPass Guest Once authorized the guest is then able to access the network See Customizing Self Provisioned Access on page 171 for details on creating and managing self registration pages Using Standard Guest Management Features This section describes e How to create a single guest account and a guest account receipt e How to create multiple guest accounts and multiple guest account receipts e How to create a single password for multiple accounts e How to list and edit single and multiple guest accounts To customize guest self registration please see Configuration on page 133 Creating a Guest Account To create a new account go to Guest gt Create Account or click the Create New Guest Account command link on the Guest Manager page The New Visitor Account form opens Create New Guest Account Set up a new account for guest access to your network NOTE The New Visitor Account form create_user may be customized by adding new fields or modifying or removing the Ki existing fields See Customizing Self Provisioned Access on page 171 for details about the customization process The default settings for this form are described below New Visitor Account mi mee admin Sponsors Name i ae Name of the person sponsoring this visitor account Alice Liddel Name of the visitor Visitor s Name Looking Glas
149. 6 AM Account Expires j NoE Your account vill stop working after this time Have you made a record of your username and password Start Browsing gt gt To customize how the Your Receipt page is displayed to the guest go to Configuration gt Hotspot Manager gt Manage Hotspot Sign Up then click the Customize page 3 Invoice or Receipt link in the upper right corner The Edit Hotspot User Receipt Page form opens You can use this form to edit the title introductory text and footer text of the receipt page 216 Customizing Visitor Sign Up Page Three Dell Networking W ClearPass Guest 6 0 Deployment Guide Edit Page Your Receipt Page Title pase Title of this page lt h2 gt Hotspot Sign Up lt img class nwa_hotapot Step Src images hotaspot satep3 png width 100 height 48 border 0 alt Step 3 align absmniddle hspace 10 gt lt h2 gt ron lt p gt w mee ait Your transaction was processed successfully Text Welcome to the Hotspot lt p gt lt p gt Your wireless account is now ready to use Just click the Start Browsing This text is displayed at the top of the page before the user s invoice a Footer Text This text is displayed at the bottom of the page after the user s invoice E Override standard format Options If checked the standard layout on this page will not be included when the page is generated Note this option is recommended for advanced
150. Administration gt Support gt Application Log The Application Log view opens Quick Help Filter Export Keywords Enter keywords to filter the logs Use to negate and quotes to group keywords v Time IP User Severity Message 2012 12 06 09 28 02 10 6 132 68 admin 8 info Updated user account android in the database 2012 12 06 09 26 51 10 6 132 68 admin A wani PHP Message strlen expects parameter 1 to be string array given 2012 12 06 03 00 01 8 info Finished processing data retention policy 0 0 seconds 2012 12 06 03 00 01 8 info Processing data retention policy 2012 12 05 09 52 00 10 6 132 68 admin 8 info Modified operator profile IT Administrators 2012 12 05 09 51 41 10 6 132 68 admin 8 info Operator login admin 2012 12 05 09 51 41 10 6 132 68 i debug Performed eTIPS web auth request 2012 12 05 09 51 03 10 6 132 68 admin 8 info Operator login admin 2012 12 05 09 51 03 10 6 132 68 QO debug Performed eTIPS web auth request C Refresh 12345678910 ay gt i noid 110 kaba 10 rows per page To view in depth information about an event click the event s row The form expands to show details Click the event s row again to close it Time IP User Severity Message 2012 09 Operator login admin 5621 43 26 10 240 104 88 admin 0 info i Operator login admin Client 10 240 104 88 63701 App User admin Script gquest auth_login php Function NwaAuthLoginForm Details user
151. B CC 11 11 11 jralston2 2012 12 17 15 10 admini admin2 AM5 AAM7_ role3 role8 ris LunchroomPrinter1 11 11 11 AA BB AA jralston2 2012 12 17 15 07 Hiro Ali Sean Alice role1 role2 Remove Edit Print a To update the properties of this shared AirGroup device use the form below Edit Shared Device LunchroomPrinter1 Enter a name to identify the device 11 11 11 AA BB AA Enter the MAC address of the device Device Name MAC Address Enter a list of location IDs where this device will be shared Shared Locations Use a comma separated list of tag value pairs tag may be AP Name AP Group or FQLN A fully qualified location name is lt ap name gt floor lt N gt lt building name gt lt campus gt Leave blank to share with all locations Hiro Ali Sean Alice Shared With Enter up to 10 usernames that will be able to use this device Use a comma separated list e g useri user2 user3 role1 role2 Shared Roles List the user roles that will be able to use this device Use a comma separated list e g role1 role2 role3 or blank for all roles Save Changes Dell Networking W ClearPass Guest 6 0 Deployment Guide 3 To edit properties of a shared device click the Edit link for the device The row expands to include the Edit Shared Device form You can modify the device s name MAC address shared locations group of users and shared roles 4 When your edits are complete click Save Changes Register
152. C T0 DE E C7 23 B6 MAC address of the device MAC Address No changes Account is active Account Activation TRENES ice Select an option for changing the activation time of this account No changes Account will not expire Account Expiration ee Select an option for changing the expiration time of this account No changes Select an option for changing the allowed usage time of this account No changes suest Account Role Role to assign to this visitor account Notes f Update MAC l You can change the device s address in the MAC Address row If you need to modify the configuration for expected separator format or case go to Administration gt Plugin Manager gt Manage Plugins and click the Configuration link for the MAC Authentication plugin If you need to change the activation time choose one of the options in the Account Activation drop down list You may choose to activate the account immediately at a preset interval of hours or days or at a specified time No changes Account is active No changes Account is active Disable account Tomorrow Next Monday 1 hour from now 1 day from now 1 week from now Activate at specified time e If you choose Activate at a specified time the Activation Time row is added to the form Click the button to open the calendar picker In the calendar use the arrows to select the year and mont
153. About Guest Network Access: Allows the text displayed to operators on the Guest Manager start page to be customized, or removed if a single hyphen is entered.
About Fields, Forms, and Views
A field is a named item of information. It may be used to display information to a user as static text, or it may be an interactive field where a user can select an option or enter text. A form is a group of fields that is used to collect information from an operator. A view is a grouping of fields that is used to display information to an operator.
Business Logic for Account Creation
When guest accounts are created, there are certain rules that must be followed in order to create a valid account. These rules apply to all accounts, regardless of how the account was created. The business logic rules that control all guest account creation are described below. To see the display name corresponding to a field name, go to Configuration > Fields and scroll to the field name. Display names are shown in the Column Title column.
Verification Properties
creator_accept_terms: This field must be set to 1, indicating the creator has accepted the terms of use for creating the account. If the field is not present or is not set to 1, the visitor account is not created.
password2: If this field is specified, its value must be equal to the password field, or else
154. Dell Networking W-ClearPass Guest 6.0 Deployment Guide. Copyright 2013 Aruba Networks, Inc. Aruba Networks trademarks include AirWave, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System. Dell, the DELL logo, and PowerConnect are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg et al. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it w
155. GetUserTime($username, $from_time, $to_time = null)
Calculate sum of session times in a specified time interval. See GetTraffic on page 274 for details on how to specify the time interval.
GetUserTraffic
GetUserTraffic($username, $from_time, $to_time = null, $in_out = null)
Calculate sum of traffic counters in a time interval. Sessions are summed if they have the same User-Name attribute as that specified in the RADIUS Access-Request. See GetCallingStationTraffic on page 271 for details on how to specify the time interval.
Advanced Developer Reference
The reference documentation in this section is intended for advanced usage by developers.
nwa_assign
{nwa_assign ...}
Smarty registered template function. Assigns a page variable based on the output of a generator function. Simple usage example:
{nwa_assign var=my_variable value=my_value}
The var parameter specifies the page variable that will receive the output. The value parameter specifies the value to assign to var. The various request variables may also be accessed using one of two supported methods:
{nwa_assign var=_GET.get_variable value=...}
{nwa_assign var=smarty.get.get_variable value=...}
The variables that can be accessed this way are _GET/smarty.get, _POST/smarty.post, _REQUEST/smarty.request, _SESSION/smarty.session, _COOKIE/smarty.cookies, and _ENV/smarty.env. Assigning to values in _SESSION will persist the valu
156. Guest Manager plugin configuration holds the default settings for account creation To modify settings for the Guest Manager plugin configuration go to Configuration and click the Guest Manager Settings command link or from the Guest Manager page click the Guest Manager Settings command link Guest Manager Settings AL Customize the base Guest Manager settings Figure 22 Customize Guest Manager Page upper section Configure Guest Manager Aruba Site SSID a The SSID of the wireless LAN if applicable This will appear on guest account print receipts Site WPA Key The WPA key for the wireless LAN if applicable This will appear on guest account print receipts Random digits Username Type s z The method used to generate random account usernames 8 Username Length The length in characters of generated account usernames Random digits x Random Password Type ye The method used to generate a random account password Random Password 8 Length Number of characters to include in randomly generated account passwords No password complexity requirement a Password complexity to enforce for manually entered guest passwords Requires the random password type A password matching the password complexity requirements and the field validator NwalsValidPasswordComplexity for manual password entry Password Complexity Minimum Password 8 Length The minimum number of characters
157. HTML code and you can use Smarty template functions If this field is left empty the default text will be displayed 8 You may use the Insert content item drop down list to add an image file or other content item 9 When your entries are complete in this tab click Save Changes You can click Next to continue to the next tab or Previous to return to the previous tab Configuring Options for Legacy OS X Windows and Android Devices The Onboard Client tab is used to edit basic configuration option for Windows Android and legacy OS X 10 5 and 10 6 devices To specify provisioning settings related to these Onboard capable devices 1 Go to Onboard gt Provisioning Settings and click the Onboard Client tab Device Provisioning Settings Omi General 105 iOS amp OS X Legacy OS X Ay Windows Ci Android e Onboard Client Device Provisioning Options for Windows Android and Legacy OS X 10 5 6 device provisioning These settings are not used for iOS or OS X 10 7 Lion or later devices Provisioning Address Provisioning Access validate Certificate Logo Image Wizard Title Password Recovery URL Helpdesk URL 2 In the Provisioning Address drop down list choose the hostname or IP address to use for device provisioning e The system s hostname requires DNS resolution Select this option to use the system hostname for Dell Ovf 50225 requires DNS resolution lv Select the ho
158. If not specified no TARGET attribute is provided The body of the element is the HREF of the command link The icon and command parameters are required All other parameters are optional nwa iconlink nwa_iconlink nwa_iconlink Smarty registered block function Generates a combined icon and text link to a specified URL Usage example nwa _iconlink icon images icon info22 png text More Information more information php nwa_iconlink Dell Networking W ClearPass Guest 6 0 Deployment Guide nwa_commandlink 267 The icon parameter is the SRC to the image of the icon This should normally be a relative path The text parameter is the text to display next to the icon This will also be used as the alternate text that is a tooltip for the icon image The width and height parameters if specified provide the dimensions of the icon to display If not specified this is automatically determined from the image The onclick parameter if specified provides the contents for the onclick attribute of the link The target parameter if specified provides the contents for the target attribute of the link The alt parameter if specified sets the ALT attribute of the icon If not specified the default alt text used is the icon text The style parameter if specified provides CSS for the SPAN element used to implement the icon link The body of the element is
159. If the TLS client certificate has expired, then the device will be issued a new certificate. This enables re-provisioning to occur on a regular basis. If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked certificate must be deleted before the device is able to be provisioned.
Network Requirements for Onboard
For complete functionality to be achieved, Dell Networking W-ClearPass Onboard has certain requirements that must be met by the provisioning network and the provisioned network. The provisioning network must use a captive portal or other method to redirect a new device to the device provisioning page. The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be provisioned. In practice, this means a commercial SSL certificate is required. The provisioned network must support EAP-TLS and PEAP-MSCHAPv2 authentication methods. The provisioned network must support either OCSP or CRL checks to detect when a device has been revoked and deny access to the network.
Using Same SSID for Provisioning and Provisioned Networks
To configure a single SSID to support both provisioned and non-provisioned devices, use the following guidelines: Configure the network to use both PEAP and EAP-TLS authentication methods. When a user authenticates via PEAP with their domain credentials, place them into a provisioning role. The provisioning
160. Initial Value: Value to initialize this field with when the form is first displayed. Validator (IsNonEmpty): The function used to validate the contents of a field. Validator Param (None): Optional name of field whose value will be supplied as the argument to a validator. Validator Argument: Optional value to supply as the argument to a validator. Validation Error ("You cannot leave this field blank"): The error message to display if the field's value fails validation and the validator does not return an error message directly.
The initial value for a form field may be specified. Use this option when a field value has a sensible default. The initial value should be expressed in the same way as the field's value. In particular, for drop-down list and radio button selections, the initial value should be the key of the desired default option. Likewise, for date/time fields that have a display function set, the initial value should be a value that can be passed to the display function.
Select the "Field value must be supplied" check box to mark the field as a required field. Required fields are marked with an asterisk, as shown below. Sample Field: This is a sample field.
An optional field may be left blank. In this case the field is not validated, as there is no value for the field. However, any value that is supplied for an optional field is subject to validation checks. All values supplied for a
161.
Specifying the Identity of the Certificate Subject ... 93
Issuing the Certificate Request ... 95
Managing Certificates ... 95
Searching for Certificates in the List ... 96
Working with Certificates in the List ... 97
Working with Certificate Signing Requests ... 99
Importing a Code-Signing Certificate ... 101
Importing a Trusted Certificate ... 103
Requesting a Certificate ... 104
Providing a Certificate Signing Request in Text Format ... 104
Providing a Certificate Signing Request File ... 105
Specifying Certificate Properties ... 106
Configuring Provisioning Settings ... 106
Configuring Basic Provisioning Settings
162. Request: RADIUS packet type sent to a RADIUS server, containing accounting summary information.
Accounting-Response: RADIUS packet sent by the RADIUS server to acknowledge receipt of an Accounting-Request.
accounting session time: Length of time the guest has been using the network.
accounting: Process of recording summary information about network access by users and devices.
authentication: Verification of a user's credentials, typically a username and password.
authorization: Authorization controls the type of access that an authenticated user is permitted to have.
BYOD: Bring your own device. Refers to the trend of personal mobile devices being used with enterprise network infrastructure.
CA: See certificate authority.
captive portal: Implemented by NAS. Provides access to network only to authorized users.
certificate authority: Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature that is generated with the CA's private key. See digital certificate, private key, and public key infrastructure.
common name (CN): See distinguished name.
criteria: Array that consists of one or more criteria on which to perform a data-based search. This array is used for advanced cases where pre-defined helper functions do not provide required flexibility.
CRL: Certificate revocation list. List of revoked cer
163. S Style: Optional CSS style text to apply to this form field. Icon Image: Image to display with the user interface element. Collapse (Hide when no options are selectable): Select this option to automatically hide the form field when only one choice is available.
Form Validation Properties: These properties control how the value of this field is checked. Field Required (Field value must be supplied): Select this option if the field cannot be omitted or left blank. Initial Value (value for sample field): Value to initialize this field with when the form is first displayed. Validator (No validation): The function used to validate the contents of a field.
Static text (Raw value): The field's value is displayed as a non-editable text string. HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links, and font formatting. Sample Field: A value may contain HTML. This is a sample field.
Use caution when using this type of user interface element, particularly if the field's value is collected from visitors. Allowing HTML from untrusted sources is a potential security risk.
User Interface (Static text (Raw value)): The kind of user interface element to use when entering or editing this field. Label (Sample Field): Label for this field to display on the form. Description (This is a sample field): Descriptive text for this field
164. S X 10 7 Lion or later device provisioning iOS amp OS X Devices Provision iOS and OS X 10 74 Lion or later devices via Apple s Over the Air profile delivery process Device Enrollment z Display Name Example Device Enrollment This text is displayed as the title of the Install Profile screen on the device This configuration profile has network and security settings for your device to allow you to connect to the intranet and access local applications Profile Description 4 Enter the description to display on the Install Profile screen of the device This should provide help text for the user and instruct them to install the profile Always allow removal Profile Security Select when the configuration profile may be removed Device Enrollment Profile Signing Profile Signing Enter the common name to use for the certificate used to sign iOS and OS X 10 74 profiles This will appear as the Signed field on the install profile dialog Profile Type User Select the type of profile to create when provisioning OS X 10 7 Lion or later devices E Change the profile ID Edit ID 8 The current profile ID is com example device provisioning 230dee31 1486 4f31 9685 b63f86b7193e 2 In the iOS amp OS X Devices row mark the Enable iOS and OS X 10 74 Lion or later device provisioning check box to enable provisioning for these devices 3 Use the Display Nam
165. SMS receipt. Phone Number Field (Use Default (visitor_phone)): The field containing the visitor's phone number. Auto-Send Field (auto_send_sms): The field which, if it contains a non-empty string or non-zero value, will cause an account receipt SMS to be automatically sent upon creation of a visitor account.
The "Enable visitor access self-provisioning" check box must be ticked for self-provisioning to be available. The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows an HTML message to be displayed to visitors if self-provisioning has been disabled. See Smarty Template Syntax on page 264 in the Reference chapter for details about the template syntax you may use to format this message. Click the Save Changes button after you have entered all the required data.
Captive Portal Integration
To start the visitor self-provisioning process, new visitor registration is performed by redirecting the visitor to the URL specified on the Hotspot Preferences page, for example: https://guest.spiffywidgets.com/hotspot_plan.php. The Hotspot Sign-Up page opens to the first page of the wizard, Choose Plan. The hotspot_plan.php page accepts two parameters:
The source parameter is the IP address of the customer.
The destination parameter is the original URL the customer was attempting to access, that is, the customer's ho
166. Self-Signed Certificate section: Use the CA Expiration field to specify the lifetime of the root certificate in days. The default value of 3653 days is a 10-year lifetime. The Clock Skew Allowance field adds a small amount of time to the start and end of the root certificate's validity period. This permits a newly issued certificate to be recognized as valid in a network where not all devices are perfectly synchronized. The Digest Algorithm drop-down list allows you to specify which hash algorithm should be used.
NOTE: MD5 is not recommended for use with root certificates.
Mark the "Generate CA certificate and invalidate all other certificates" check box to confirm the changes. Click the Create Root Certificate button to save the settings and generate a new root certificate.
Setting Up an Intermediate Certificate Authority
After you choose Intermediate CA on the Certificate Authority Settings form and click Continue, the Intermediate Certificate Settings form opens. The Intermediate Certificate Settings form is used to configure the distinguished name and properties for the certificate authority's certificate, which will be issued by an external certificate authority.
NOTE: If you intend to change any of the intermediate certificate's distinguished name properties, and you have previously created any client or server certificates or performed device provisioning using the existing intermediate certificate, these certificates wil
167. TP Carrier List If you have included SMS over SMTP gateways in your SMS gateways list you can manage the list of SMTP carriers that are included in the Mobile Carrier drop down list on the SMS Services gt SMS Gateways gt Edit SMS Gateway form To view or work with the SMTP carrier list l Go to Administration gt SMS Services gt SMTP Carriers The SMS SMTP Carrier List view opens The carriers in this list are the ones that are included in the Mobile Carrier drop down list on the SMS Services gt SMS Gateways gt Edit SMS Gateway form i Quick Help E Display Lists dia Create 2 Name Enabled Country SMS MMS 7 11 Speakout GSM No USA number cingularme com lA AT amp T Enterprise Paging No USA number page att net AT amp T Wireless No USA number txt att net number mms att net Andhra Airtel Andhra Pradesh 3 i No Pradesh number airtelap com kuia India 7 Edit Y Enable amp Delete Karnataka Airtel Karnataka India No India number airtelkk com f Montana Airtel Wireless No USA number sms airtelmontana com Alaska Communications No USA number msqg acsalaska com Systems Alltel Wireless No number message alltel com Mumbai BPL Mobile No f number bplmobile com India Bell Mobility amp Solo Mobile No Canada number txt bell ca lv 76 carriers f Reload 10 rows per page x Dell Networking W ClearPass Guest 6 0 Deployment Guide 2 To filter the list click the Display Lists tab above the
168. TP response before being disconnected from the network.
3. In the Reconnect Delay row, enter the duration in seconds for the client to wait after sending a disconnect request to the Web server before it sends a reconnect request. This duration must give the Web server and the controller adequate time to negotiate a disconnect for the device first.
4. In the Reconnect Timeout row, enter the duration in seconds for the client to wait for a valid response after sending a reconnect request to the Web server. This duration must allow enough time for the client to be reconnected to the network using the newly installed settings, and for the Web server to then acknowledge the HTTP request.
5. When your entries are complete in this tab, click Save Changes. You can click Next to continue to the next tab, or Previous to return to the previous tab.
Configuring Provisioning Settings for Legacy OS X Devices
To specify provisioning settings related to legacy OS X 10.5 and 10.6 (Leopard and Snow Leopard) devices:
1. Go to Onboard > Provisioning Settings and click the Legacy OS X tab.
Device Provisioning Settings (tabs: General, iOS & OS X, Legacy OS X, Windows, Android, Onboard Client). Legacy OS X Provisioning: These options control older OS X 10.5/6 (Leopard/Snow Leopard) device provisioning
169. The form expands to include the Key Type drop-down list. Creating a new key is only necessary if you are recreating the entire certificate authority from the beginning.
NOTE: If you have previously created any client or server certificates or performed device provisioning using the existing intermediate CA certificate, these certificates will be invalidated when changing the intermediate CA's private key.
The Key Type drop-down list specifies the type of private key that should be created for the certificate. You can select one of these options: 1024-bit RSA (not recommended for a certificate authority); 2048-bit RSA (recommended for general use); 4096-bit RSA (higher security).
In the Intermediate Certificate section: The Digest Algorithm drop-down list allows you to specify which hash algorithm should be used.
NOTE: MD5 is not recommended for use with certificate authority certificates.
Mark the "Generate CA certificate request and invalidate all other certificates" check box to confirm the changes. Click the Create Certificate Request button to save the settings and generate a new certificate signing request.
Obtaining a Certificate for the Certificate Authority
The Intermediate Certificate Request page displays the certificate signing request for the certificate authority's intermediate certific
170. The Finished Creating Guest Account page opens. This page displays Account Details and provides printer options.
[Screenshot: Account Details for the new device, with the Open print window using template option]
To view and edit your personal AirGroup devices, go to Guest > List Devices or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The List Device page lets you remove a device; edit a device's name, MAC address, or shared user list; print device details; or add a new device.
To view and edit your personal AirGroup devices:
1. Go to Guest > List Devices or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The AirGroup Devices page opens. This page lists all your personal AirGroup devices. You can remove a device; edit a device's name, MAC address, or shared user list; print device details; or add a new device.
2. To work with a device, click the device's row in the list. The form expands to include the Remove, Edit, and Print options.
[Screenshot: AirGroup Devices list with columns Device Name, MAC Address, Created, and Shared With]
171. To make changes to an existing field, click its Edit link. The Form Field Editor opens. Any changes made to the field using this editor will apply only to this field on this form.
To make changes to an existing field's definition, click its Edit Base Field link. Any changes made to the field using this editor will apply to all forms that are using this field, except where the form field has already been modified to be different from the underlying field definition.
The Insert Before and Insert After links can be used to add a new field to the form. Clicking one of these links will open a blank form field editor and automatically set the rank number of the new field.
Use the Preview Form tab at the top of the list view to see what the form looks like. This preview form can be submitted to test the field validation rules you have defined. If all fields are able to be validated, the form submit is successful and a summary of the values submitted is displayed. This allows you to verify any data conversion and formatting rules you have set up.
Form Field Editor
The form field editor is used to control both the data gathering aspects and user interface characteristics of a field.
[Screenshot: Form Field Editor, Field Name drop-down list]
Each field can only appear once on a form. The Field Name selects which underly
172. XP, Vista and 7 or later device provisioning
[Screenshot: Windows Devices provisioning options, including the Code Signing Certificate drop-down list]
2. In the Code Signing Certificate drop-down list, select the uploaded certificate.
To create a test certificate:
1. Go to Onboard > Certificate Management and click the Generate a new certificate signing request link. The Certificate Request Settings form opens.
2. In the Certificate Type drop-down list, choose Code Signing.
3. Complete the rest of the form with your information. Mark the Issue this certificate immediately check box, then click Create Certificate Request.
The test certificate is displayed in the list on the Certificate Management page and can be selected on the Provisioning Settings form.
Importing a Trusted Certificate
Onboard's Certificate Management page supports importing trusted certificates. Certificates may be uploaded in PEM format (.pem).
To import a trusted certificate:
1. Go to Onboard > Certificate Management and click the Upload a trusted certificate link in the upper right corner. The Import Trusted Certificate form opens.
[Screenshot: Import Trusted Certificate form]
173. You can use the Delete link to delete the content item. You will be asked to confirm the deletion. You can use the Rename link to rename the content item. To save a copy of the content item using your Web browser, click the Download link. To open a new window to view the item, use the View Content link.
- The Quick View link can be used to display certain types of content inline, such as images and text. The item is displayed below its row in the list. The Quick View link is not available for all content types.
Customizing Guest Manager
Guest Manager allows the entire guest account provisioning process to be customized. This is useful in many different situations, such as:
- Self-registration: Allow your guests to self-register and create their own temporary visitor accounts.
- Visitor surveys: Define custom fields to store data of interest to you, and collect this information from guests using customized forms.
- Branded print receipts: Add your own branding images and text to print receipts.
- SMS and email receipts: Include a short text message with your guest's username and password, or send HTML emails containing images.
- Advanced customization: ClearPass Guest is flexible and can be used to provide location-sensitive content and advertising.
Default Settings for Account Creation
The
174. You can also specify the values to be used for fields that are not present in the data.
[Screenshot: Match Fields form, with the fields Username, Password, Role, Activation Time, Expiration Time, Account Lifetime, Expire Action, Notes, Auto-Detected Fields, and Header Rows. The Expire Action field notes that a logout can only occur if the NAS is RFC 3576 compliant.]
To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column name to use the values from that column when importing guest accou
175. a Selt Registration age on page 172 Configure a self service portal for guests oo on page 186 Editing Guest Receipt Page Properties on page 178 Independent activation time expiration time and maximum usage time Business Logic for Account Local printer SMS or email delivery of account receipts Dell Networking W ClearPass Guest 6 0 Deployment Guide Key Features 19 Feature Refer to Customizing Fields on page Define unlimited custom fields 145 GuestManager Standard Fields on page 287 Username up to 64 characters Customization Features l WA Customizing Forms and Views Create new fields and forms for visitor management 5 on page 150 ae ne i Validation P les Use built in data validation to implement visitor survey forms eee en page 162 Editing Guest Receipt Page Create print templates for visitor account receipts Properties on page 178 Administrative Management Features Operators defined and authenticated locally haa angi on page 247 Operators authenticated via LDAP e Serie a ya page 248 Operator Profiles Role based access control for operators a een eke Plugin based application features automatically updated by ClearPass Policy WA ewe nn eas WA Manager a User Interface Features Documentation and User Context sensitive help with searchable online documentation l y Assistance on page 24 Visitor Management Terminology The following table describes the
176. a downloadable file or display the receipt in a printable window in the visitor's browser.
1. Go to Configuration > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens.
2. In the Receipt Page area of the diagram, click the Actions link. The Receipt Actions form opens.
3. Select either the Enable download of guest receipt check box in the Download area or the Enable print window for guest receipts check box in the Print area. The form expands to include configuration options.
[Screenshot: Receipt Actions form, Download area, with the fields Enabled, Rank, Download Receipt, Filename, Action Icon, and Action Text]
Editing Email Delivery of Guest Receipts
The Email Delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery.
177. a vertical bar
[Screenshot: Sort and Collapse options. Sort: method to use to sort the available options. Collapse: select this option to automatically hide the form field when only one choice is available.]
- File upload: Displays a file selection text field and dialog box (the exact appearance differs from browser to browser). File uploads cannot be stored in a custom field. This user interface type requires special form implementation support, and is not recommended for use in custom fields.
- Hidden field: If Hidden Field is selected in the User Interface drop-down list, the field is not displayed to the user, but is submitted with the form. This option is often used to force a specific value, such as a user's role or an expiration date. However, it is possible for someone to use browser tools to modify the initial value when the form is submitted. If the value should be forced, use the Force Value setting under Advanced Properties to ensure the value cannot be overridden. For more information, see Advanced Form Field Properties on page 165. To set the value to submit for this field, use the Initial Value option in the form field editor.
[Screenshot: User Interface drop-down list with Hidden field selected]
Form Validation Properties
These properties control how
178. ack to the show {$guest_receipt.u.visitor_name|htmlspecialchars} {else} Welcome to the show {/if} </p>
For debugging purposes, include the following to see all the fields available:
{dump var=$guest_receipt export=html}
Click-Through Login Pages
A click-through login page will present a splash or terms screen to the guest, yet still provide MAC-auth style seamless authentication. Under this scenario, you could have people create an account with a paired MAC, yet still have them click the terms and conditions on every new connection.
- Disable MAC authentication on the controller.
- Navigate to Administration > Plugin Manager > Manage Plugins: MAC Authentication: Configuration and enable MAC Detect.
- Create a Web Login:
  - Authentication: Anonymous
  - Anonymous User: _mac (_mac is a special secret value)
  - Pre-Auth Check: Local
  - Terms: Require a Terms and Conditions confirmation
- Set the Web login as your landing page and test. Using a registered device, the Log In button should be enabled; otherwise it will be disabled.
You may also want to add a message so visitors get some direction:
<p>{if $guest_receipt.u.username} {if $guest_receipt.u.visitor_name} Welcome back {$guest_receipt.u.visitor_name|htmlspecialchars} {else} Welcome back {/if} Please accept the terms before proceeding {else} You need to register {/if}</p>
You can hide the login form by having the final line of the header be
179. agent > Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) auth Source > ClearPass operator logins profile > IT Administrators
To search for a particular log record, use the Keywords field above the table to enter search terms. You can use the hyphen character in front of a keyword to exclude items, and you can use quotes to group words as a key phrase.
Viewing the Application Log
The Application Log lists the events, messages, and configuration changes for the past seven days. To view events and messages for a different period, or to limit the search items:
1. Click the Filter tab. The Filter Settings form opens.
[Screenshot: Filter Settings form, with the fields Times, Severity, and Search all fields. Search all fields: select this option to search all fields of the log record. By default only the Client IP and Message fields are searched.]
2. You can use the Times drop-down list to specify a time period to filter for.
3. The Severity drop-down list lets you limit the range of severity to search for:
- Error: Returns Error items
- Warning: Returns Error and Warning items
- Info: Returns Error, Warning, and Info items
- Debug: Returns Error, Warning, Info, and Debug items
4. By defaul
180. al purposes
- The Profile Signing Certificate is used to digitally sign configuration profiles that are sent to iOS devices.
  - The identity information in the profile signing certificate is displayed during device provisioning.
- One or more Server Certificates may be issued for various reasons, typically for an enterprise's authentication server.
  - The identity information in the server certificate may be displayed during network authentication.
- One or more Device Certificates may be issued, typically one or two per provisioned device.
  - The identity information in the device certificate uniquely identifies the device and the user that provisioned the device.
You do not need to manually create the profile signing certificate; it is created when it is needed. See Configuring Provisioning Settings for iOS and OS X on page 110 to control the contents of this certificate. You may revoke the profile signing certificate; it will be recreated when it is needed for the next device provisioning attempt.
Certificate Configuration in a Cluster
When you use Onboard in a cluster, you must use one common root certificate authority (CA) to issue all CPPM server certificates for the cluster. This allows the verified message in iOS, and lets you verify that the CPPM server certificate is valid during EAP-PEAP or EAP-TLS authentication
181. alid
[Screenshot: provisioning settings form showing the OCSP URL field (the OCSP URL to be included in certificates), the Unsupported Device field (instructions shown to the user if they attempt to provision an unsupported device), and the Authorization area with the Maximum Devices field (the maximum number of devices that a user may provision; use 0 for unlimited)]
2. Specify one of the following options in the Authority Info Access drop-down list to control automatic certificate revocation checks:
- Do not include OCSP responder URL: The Authority Info Access extension is not included in the client certificate. Certificate revocation checking must be configured manually on the authentication server. This is the default option.
- Include OCSP responder URL: The Authority Info Access extension is added to the client certificates, with the OCSP responder URL set to a predetermined value. This value is displayed as the OCSP URL.
- Specify an OCSP responder URL: The Authority Info Access extension is added to the client certificates, with the OCSP responder URL set to a value def
182. alidating sponsor emails during self registration. Requires the sponsor email and do ldap lookup fields enabled in the registration form.
[Screenshot: LDAP server form, with the Enabled option (use this server to look up sponsors during self-registration), the Authentication Parameters fields Test Username and Test Password, and the Advanced option Show detailed authorization info]
To specify a basic LDAP server connection (hostname and optional port number), use a Server URL of the form ldap://hostname or ldap://hostname:port. See Advanced LDAP URL Syntax on page 251 for more details about the types of LDAP URL you may specify.
In the top area of the form, select the Enabled option below the Name field if you want this server to authenticate operator logins.
This form allows you to specify the type of LDAP server your system will use. Click the Server Type drop-down list and select one of the following options:
Table 21: Server Type Parameters
Server Type | Required Configuration Parameters
- Server URL: The URL of the LDAP server.
- Bind DN: The password to use when binding to the LDAP server, or empty for an anonymous bind.
- Bind Password: If your LDAP server does not use anonymous bind, you must supply the required credentials to bind to the directory. Leave this field blank to use an anonymous bind.
- Default Pr
183. all the substrings created in this way.
Formats a numeric value as a string. If the argument is null or not supplied, the current locale's settings are used to format the numeric value. The argument may be an array or a numeric value. If the argument is an array, it will override the current locale's settings (see below for the list of settings that are used). If the argument is a numeric value, it is used as the number of fractional digits to use when formatting the string (other locale settings will remain unchanged in this case). The specific locale settings used are from localeconv, and are listed below.
NwaNumberFormat
For general numeric formatting:
- frac_digits: number of decimal places to display
- decimal_point: character to use for decimal point
- thousands_sep: character to use for thousands separator
For signs for positive/negative values:
- positive_sign: sign for positive values
- p_sign_posn: position of sign for positive values (0-4)
- negative_sign: sign for negative values
- n_sign_posn: position of sign for negative values (0-4)
For formatting for monetary amounts:
- mon_decimal_point: decimal point character for monetary values
- mon_thousands_sep: thousands separator for monetary values
- p_sep_by_space: true if a space separates currency symbol from a positive value
- p_cs_prec
184. [Screenshot: Receipt Actions form, Email Delivery area, with the fields Enabled, Email Field, Subject Line, Email Receipt, Email Skin, Send Copies, Copies To, and Reply To]
When email delivery is enabled, the following options are available to control email delivery:
- Disable sending guest receipts by email: Email receipts are never sent for a guest registration.
- Always auto-send guest receipts by email: An email receipt is always generated using the selected options, and will be sent to the visitor's email address.
- Auto send guest recei
185. and Views
You can change the general properties of a form or view, such as its title and description. To edit the form or view, go to Configuration > Forms & Views, click the form's or view's row in the list, then click its Edit link. The row expands to include the Edit Properties form.
[Screenshot: Edit Properties form, with the fields Name, Type, Title, Description, and Width, and the Page Properties fields Page Title, Header HTML, and Footer HTML]
The Width field is only displayed for views. It specifies the total width of the list view in pixels. If blank, a default value is used.
You can customize the page title, header HTML, and footer HTML for many forms and views, for example Create Guest Account, Edit Guest Accounts, and others. When these opt
186. andclass nwalImp ortant TLext This 18 a sentence explaining the command Textclass nwalnto link Nere ph p nwa_commandlink
- The icon parameter is the SRC to the image of the icon. This should normally be a relative path.
- The command parameter is the main text of the command link.
- The text parameter is the explanatory text describing the action that lies behind the command link. This is optional.
- The linkwidth parameter, if specified, indicates the width of the command link in pixels. This should be at least 250; the recommended value is 400.
- The width and height parameters, if specified, provide the dimensions of the icon to display. If not specified, this is automatically determined from the image.
- The onclick parameter, if specified, provides the contents for the onclick attribute of the link.
- The commandclass parameter, if specified, sets the class attribute of the DIV element enclosing the command text. The default class is nwaImportant.
- The textclass parameter, if specified, sets the class attribute of the P element enclosing the command link's descriptive text. The default class is nwaInfo.
- The alt parameter, if specified, sets the ALT attribute of the command link's icon. If not specified, the default alt text used is the command text.
- The target parameter, if specified, sets the TARGET attribute of the hyperlink
187. - Other IP address or hostname: Select this option to override the hostname or IP address to be specified during device provisioning. The administrator must enter the hostname or IP address in the Address text field. Use this option when special DNS or NAT conditions apply to devices that are in a provisioning role.
3. If you chose Other IP address or hostname in the Provisioning Address drop-down list, use the Address field to enter a hostname or IP address.
4. The Provisioning Access warning message is displayed when HTTPS is not required for guest access. HTTPS is recommended for all deployments, as it secures the unique device credentials that will be issued to the device.
NOTE: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate. Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate authority, will cause iOS device provisioning to fail with the message "The server certificate for is invalid".
5. The Validate Certificate drop-down list is used to specify whether the SSL server's certificate should be validated as trusted. When this option is set to Yes, validate this web server's certificate (recommended), a certificate validation failure on the client device will cause device provisioning to fail. This is the default option. You should change this option to No
188. ass Policy Manager. The network usage of authorized guests is monitored by the NAS and reported in summary form to ClearPass Policy Manager using RADIUS accounting, which allows administrators to generate network reports in ClearPass Insight.
AAA Framework
ClearPass Guest is built on the industry-standard AAA framework, which consists of authentication, authorization, and accounting components. The following figure shows how the different components of this framework are employed in a guest access scenario.
[Figure 4: Sequence diagram for network access using AAA]
In the standard AAA framework, network access is provided to a user according to the following process:
- The user connects to the network by associating with a local access point (1).
- A landing page is displayed to the user (2), which allows them to log in to the NAS (3), (4) using the login name
189. ass Policy Manager's Administration module, leave these fields blank. The subscription ID is automatically used as the username and password for the ClearPass SMS Service.
7. In the Message Format row, if needed for custom SMS handlers, you can specify that the message format should be converted to hex-encoded UTF-16 Unicode.
8. In the Mobile Settings area, if your country uses a national dialing prefix such as 0, you may enter this in the National Prefix row. When sending an SMS to a number that starts with the national dialing prefix, the prefix is removed and replaced with the country code instead.
The second part of the form includes the Connection Settings, Debug, Credits, and Test SMS Settings areas.
[Screenshot: Connection Settings (Connect Timeout, HTTP Timeout), Debug (log detailed information to the application log), and Test SMS Settings (Message, Recipient) areas of the SMS gateway form]
190. ass Policy Manager documentation.
On the device registration forms for AirGroup administrators and operators, the default Shared Locations and Shared Roles fields are text boxes where the user enters the information. These fields can be configured as selection options populated with existing locations or roles.
Configuring the Shared Locations and Shared Role Fields
To configure a predefined list of shared locations or shared roles:
1. Go to Configuration > Fields and click the airgroup_shared_location or airgroup_shared_role row. The form expands to include the Edit, Duplicate, Show Forms, and Show Views links.
2. Click the Edit link. The Define Custom Field form opens.
3. Scroll to the Default Form Display Properties section.
[Screenshot: Default Form Display Properties section, with the fields User Interface, Label, Description, CSS Class, and CSS Style]
191. [Screenshot: Guest Manager configuration form, with the fields Password Display, Initial Sequence, Receipt Printing, and About Guest Network Access. Password Display: if selected, guest account passwords may be displayed in the list of guest accounts. This is only possible if operators have the View Passwords privilege.]
- Terms of Use URL: URL of a terms and conditions page provided to sponsors. You may upload an HTML file describing the terms and conditions of use using the Content Manager. See Content Manager on page 134. If this file is called terms.html, then the Terms of Use URL should be public/terms.html.
- Active Sessions: Default maximum number of active sessions that should be allowed for a guest account. This may be overridden by using the simultaneous_use field when creating or editing a guest account.
- Password Logging: By default, the passwords for created guest accounts are logged in the application log and may be recovered from there. For increased security, you may prevent th
192. asurement for the time interval (hours, days, or minutes, depending on the value). An example of this usage is for the expire_postlogin field, which has a value measured in minutes:
{$u.expire_postlogin|nwatimeformat:"minutes_to_natural"}
The other formats accepted for this modifier are the same as those described for the nwadateformat modifier. See nwadateformat Modifier on page 279.
Date/Time Format String Reference
Table 29: Date and Time Format Strings
- Same as %m/%d/%y
- Local time using 12-hour clock (%I:%M %p)
- Local time using 24-hour clock (%H:%M)
- Current time (%H:%M:%S)
- Preferred time representation for the current locale, without the date
- Year as a decimal number without the century (00 to 99)
- Year as a decimal number
- A literal character
Programmer's Reference
This section describes the following:
- NwaAlnumPassword on page 282
- NwaBoolFormat on page 282
- NwaByteFormat on page 283
- NwaByteFormatBase10 on page 283
- NwaComplexPassword on page 283
- NwaCsvCache on page 283
- NwaDigitsPassword($len) on page 283
- NwaDynamicLoad on page 283
- NwaGeneratePictureString on page 283
- NwaGenerateRandomPasswordMix on page 284
- NwaLettersDigitsPassword on page 284
- NwaLettersPassword on pag
193. ate. This page is also used to renew the certificate authority's intermediate certificate when it is close to expiring.
You can copy the certificate signing request in text format using your Web browser. Use this option when you can paste the request directly into another application to obtain a certificate.
You can click the Download the current CSR link to download the certificate signing request as a file. Use this option when you need to provide the certificate signing request as a file to obtain a certificate.
Once you have obtained the certificate, click the Install a signed certificate link to continue configuring the intermediate certificate authority. See Installing a Certificate Authority's Certificate on page 88.
You can also click the Change CA settings link to return to the main Certificate Authority Settings form. Use this option to switch to a root CA, or to change the name or properties of the intermediate CA and reissue the certificate signing request.
Using Microsoft Active Directory Certificate Services
Navigate to the Microsoft Active Directory Certificate Services Web page. This page is typically found at https://yourdomain/certsrv. The Welcome page opens.
[Screenshot: Microsoft Active Directory Certificate Services Welcome page]
194. ateway: Select the processing gateway you have service with. Save Changes
2. In the Name field, enter a name for the transaction processor.
3. In the Processing Gateway drop-down list, select the gateway with which you have a service account. The form expands to include additional configuration fields for that gateway type.
Each transaction processing gateway type requires unique merchant identification, password, and configuration information. Depending on the gateway provider, these configuration items will include some of the following:
• API Login
• API Password
• API Username
• Auto Email
• Beagle Anti Fraud
• Business Center Login
• Customer ID
• Installation ID
• Logging
• Merchant ID
• Mode
• Production Environment URL
• Shared Secret
• Signature
• Test Environment URL
• Test WSDL
• Transaction Key
• Transaction Password
• Transactions Timeout
If your transaction processor requires visitors to enter their address, ClearPass Guest will automatically include address fields in the guest self-registration forms that use that transaction processor.
Managing Existing Transaction Processors
Once you define a transaction processor, it will appear in the transaction processor list. When you select an individual processor in the list, the list displays a menu that allows you to perform the following actions:
• Edit: changes the properties of the specified transa
195. ation id. The calling station id address is looked up automatically from the RADIUS Access-Request (Calling-Station-ID attribute).
Because different NAS equipment can send differently formatted MAC addresses in the Calling-Station-Id attribute, the $mac_format argument may be specified. This should be a sprintf-style format string that accepts 6 arguments (the octets of the MAC address). The default if not specified is the IEEE 802 standard format, %02X-%02X-%02X-%02X-%02X-%02X, that is, uppercase hexadecimal with each octet separated with a hyphen.
See Get Traffic on page 274 for details on how to specify the time interval.
GetCallingStationTime
GetCallingStationTime($callingstationid, $from_time, $to_time = null, $mac_format = null)
Calculate sum of session times in a specified time interval.
Because different NAS equipment can send differently formatted MAC addresses in the Calling-Station-Id attribute, the $mac_format argument may be specified. This should be a sprintf-style format string that accepts 6 arguments (the octets of the MAC address). The default if not specified is the IEEE 802 standard format, %02X-%02X-%02X-%02X-%02X-%02X, that is, uppercase hexadecimal with each octet separated with a hyphen.
The calling station ID is looked up automatically from the RADIUS Access-Request (Calling-Station-ID attribute).
See Get Traffic o
196. blic access scenarios. You can use the customization features to define settings that allow your visitors to self-provision their own guest accounts. Visitors register through a branded and customized Web portal, ensuring a streamlined and professional experience. Surveys can also be presented during the self-registration process and the data stored for later analysis and reporting, providing additional insight to your visitors and their network usage.
ClearPass Guest integrates with all leading wireless and NAC solutions through a flexible definition point, ClearPass Policy Manager. This ensures that IT administrators have a standard integration with the network security framework, but gives operational staff the user interface they require.
Visitor Access Scenarios
The following figure shows a high-level representation of a typical visitor access scenario.
Figure 1: Visitor access using ClearPass Guest
In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because access to the network is restricted, visitors must first obtain a
197. block function. Replace %1, %2, etc with the passed parameters 1, 2, etc.
Usage example:
{nwa_replace 1=$param1 2=$param2}This is the text resource to be replaced, where %1 and %2 are the arguments, etc.{/nwa_replace}
The numbered parameters are expanded in the translated string with the positional arguments %1, %2 and so forth.
nwa_text
{nwa_text} … {/nwa_text}
Smarty registered block function. Translates the block's content, if a language pack is available.
Usage example:
{nwa_text id=TEXT_ID 1=$param1 2=$param2}This is the text resource to be translated, where %1 and %2 are the arguments, etc.{/nwa_text}
The id parameter is the text ID of the resource.
The numbered parameters are expanded in the translated string with the positional arguments %1, %2 and so forth.
nwa_userpref
{nwa_userpref …}
Smarty template function. Returns the current setting of a user preference (stored with the Web application user account).
Usage examples:
{nwa_userpref name=prefName}
{nwa_userpref name=prefName default=10}
{nwa_userpref has=prefName}
• name: return the named user preference
• default: supply a value to be returned if the preference is not set
• has: return 1 if the named preference exists for the current user, 0 if the preference does not exist
nwa_youtube
nwa youtube video ID widt
198. board Local Certificate Authority
Signing: Enter a name for the signing certificate. This is the common name of the digital certificate.
Enter an email address.
Private Key (these options are used to create a private key for the root certificate):
• Private Key: Generate a new private key
Self-Signed Certificate (these options specify the validity period of the signed certificate):
• CA Expiration: 3653 days. The number of days before the certificate authority's root certificate will expire.
• Clock Skew Allowance: 15. Amount to pre/post-date certificate validity period, in minutes.
• Digest Algorithm: SHA-1 (recommended). Select the algorithm used to sign the digital certificate request.
• Warning: Creating a new root CA certificate will replace the existing CA certificate. This invalidates all existing certificates.
• Confirm: Generate CA certificate and invalidate all other certificates
In the Identity section of the form:
• Enter values in the Country, State, Locality, Organization, and Organizational Unit text fields that correspond to your organization. These values form part of the distinguished name for the root certificate.
• Enter a descriptive name for the root certificate in the Common Name text field. This value will be used to identify the root certificate as the issuer of other certificates, notably the signing certificate.
• Enter a descriptive name for the signing certifi
199. c entry is the match-all address of 0.0.0.0/0.
As another example, the network address 192.168.2.0/24 is less specific than a smaller network such as 192.168.2.192/26, which in turn is less specific than the IP address 192.168.2.201 (which may also be written as 192.168.2.201/32).
To determine the result of the access control list, the most specific rule that matches the client's IP address is used. If the matching rule is in the Denied Access field, then the client will be denied access. If the matching rule is in the Allowed Access field, then the client will be permitted access.
If the Allowed Access field is empty, all access will be allowed, except to clients with an IP address that matches any of the entries in the Denied Access field. This behavior is equivalent to adding the entry 0.0.0.0/0 to the Allowed Access field.
If the Denied Access list is empty, only clients with an IP address that matches one of the entries in the Allowed Access list will be allowed access. This behavior is equivalent to adding the entry 0.0.0.0/0 to the Denied Access list.
Editing Registration Page Properties
To edit the properties of the registration page:
1. Navigate to Configuration > Guest Self-Registration.
2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears.
3. Click the Register Page l
200. cate in the Signing Common Name text field. This value will be used to identify the signing certificate as the issuer of client and server certificates from this certificate authority. The other identity information in the signing certificate will be the same as for the root certificate.
• Enter a contact email address in the Email Address text field. This email address will be included in the root and signing certificates, and provides a way for users of the certificate authority to contact your organization.
In the Private Key section:
• To create a new private key for the root certificate, mark the Generate a new private key check box. The form expands to include the Key Type drop-down list. Creating a new private key is only necessary if you are recreating the entire certificate authority from the beginning.
NOTE: If you have previously created any client or server certificates, or performed device provisioning using the existing root certificate, these certificates will be invalidated when changing the root certificate's private key.
The Key Type drop-down list specifies the type of private key that should be created for the certificate. You can select one of these options:
• 1024-bit RSA: not recommended for a root certificate
• 2048-bit RSA: recommended for general use
• 4096-bit RSA: higher security
In the
201. ccount: Override the Edit Account form
• Edit Accounts: Use default (guest_multi). Override the Edit Accounts view.
• Edit Guest Accounts: Use default (guest_multi_form). Override the Edit Guest Accounts form.
• Edit MAC: Use default (mac_edit). Override the Edit MAC form.
• Export Guest Manager Accounts: Use default (guest_export). Override the Export Guest Manager Accounts view.
• Guest Manager Accounts: Use default (guest_users). Override the Guest Manager Accounts view.
• MAC Authentication Accounts: Use default (mac_list). Override the MAC Authentication Accounts view.
• New MAC Authentication: Use default (mac_create). Override the New MAC Authentication form.
• New Visitor Account: Use default (create_user). Override the New Visitor Account form.
Save Changes
To specify that an operator profile should use a different form when creating a new visitor account:
1. (Optional) In the Customization row, select the Override the application's forms and views check box. The form expands to show the forms and views that can be modified. If alternative forms or views have been created, you may use the drop-down lists to specify which ones to use.
2. When you have selected the custom forms an
202. ce a passcode to be set on devices.
• Force PIN: Determines whether the user is forced to set a PIN. Simply setting this value (and not others) forces the user to enter a passcode, without imposing a length or quality.
• Allow Simple: Allow simple passcodes. Determines whether a simple passcode is allowed. A simple passcode is defined as one containing repeated characters, or increasing/decreasing characters (such as 123 or CBA).
• Require Alphanumeric: Require alphabetic characters. Specifies whether the user must enter alphabetic characters ("abcd"), or if numbers are sufficient.
• Manual Fetching When Roaming: Disable push operations. If set, all push operations will be disabled when roaming. The user has to manually fetch new data.
• Max Failed Attempts (attempts): Specifies the number of allowed failed attempts to enter the passcode at the device's lock screen. Once this number is exceeded, the device is locked and must be connected to its designated iTunes in order to be unlocked.
• Max Inactivity (Unlimited): Specifies the number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system. Once this limit is reached, the device is locked and the passcode must be entered. Note: This is the maximum allowed; the user may still set a value lower than this.
• Max PIN Age (days): Specifies the number of days for which the passcode can remain unchanged. After th
204. ceding it with a minus sign.
5. Click Search. The search engine returns a list of results.
Search Documentation: MAC auth (Enter the keywords to search for.)
Results 1-10 of 56 matches for "MAC auth":
• Accounting-Based MAC Authentication: "be logged out Accounting Based MAC Authentication Accounting based MAC authentication is a way to cache the MAC used during an initial authentication so that the device does not need to authenticate" (Amigopod Deployment Guide, Guest Management; score 3.67)
• Creating Devices During Guest Self-Registration, MAC Only: "During Guest Self Registration MAC Only This section describes how to configure a guest self registration so that it creates a MAC device account Once the guest is registered future authentication" (Amigopod Deployment Guide, Guest Management; score 3.21)
• MAC Address Formats: "the Administrator Tasks chapter MAC Address Formats Different vendors format the client MAC address in different ways for example 112233AABBCC 11 22 33 aa bb cc 11 22 33 AA BB CC ClearPass Guest supports adjusting the expected format of a" (Amigopod Deployment Guide, Guest Management; score 3.17)
• MAC Creation Modes: "a sponsorship confirmation notice MAC Creation Modes MAC device accounts may be created in three ways Manually in ClearPass Guest using the Create
205. cess: Enter the IP addresses and networks that are denied self-registration access.
Deny Behavior: Send HTTP 404 Not Found status. Select the response of the system to a request that is not permitted.
Time Access: Enter a list of time ranges during which self-registration is enabled, one per line. For example, "weekdays 7:00 to 19:00". Leave blank to enable registration at all times.
The Allowed Access and Denied Access fields are access control lists that determine if a client is permitted to access this guest self-registration page. You can specify multiple IP addresses and networks, one per line, using the following syntax:
• 1.2.3.4: IP address
• 1.2.3.4/24: IP address with network prefix length
• 1.2.3.4/255.255.255.0: IP address with explicit network mask
Use the Deny Behavior drop-down list to specify the action to take when access is denied.
The Time Access field allows you to specify the days and times that self-registration is enabled. Times must be entered in 24-hour clock format. For example: Mondays, Wednesdays and Fridays 8:00 to 17:00; Weekdays 6:00 to 18:00; Weekends 10:00 to 22:00 and Thursday 11:00 to 13:00.
The access control rules will be applied in order, from the most specific match to the least specific match. Access control entries are more specific when they match fewer IP addresses. The most specific entry is a single IP address (for example, 1.2.3.4), while the least specifi
206. ck Export. You are given the option to open the file, save it to your Downloads folder (the default), or save it to another location.
Contacting Support
To view contact information for Dell Support, go to Administration > Support > Contact Support. The Contact Support page opens. This page provides the following information:
• Toll-free telephone numbers for North American support
• A link to contact Dell Support by email
• A link to Dell's online Contact Support page, which includes telephone numbers and other contact information for over 30 countries
Viewing Documentation
To view Dell Networking W-ClearPass Guest documentation:
1. Go to Administration > Support > Documentation. The Documentation page opens, with these options:
• Browse Documentation: Open the online documentation in a new browser window.
• Search Documentation: Search the online documentation.
• Deployment Guide: View the Deployment Guide in a new window (PDF document).
2. To view this Deployment Guide in your browser, click Browse Documentation. The document opens in a separate browser tab.
3. To search the Deployment Guide, click Search Documentation. The Search Documentation form opens.
4. In the Search field, enter keywords for the subject. You can enter a string of keywords, phrases enclosed in quotes ("my phrase"), and you can exclude a term by pre
207. com
• memberOf: The memberOf property is a multi-valued property that contains groups of which the user is a direct member.
• primaryGroupID: The primaryGroupID property is a single-valued property containing the relative identifier (RID) for the primary group of the user.
• sAMAccountType: The sAMAccountType property specifies an integer that represents the account type.
• unicodePwd: The unicodePwd property is the password for the user.
Regular Expressions
The characters shown in Table 41 can be used to perform pattern matching tasks using regular expressions.
Table 41: Regular Expressions for Pattern Matching (columns: Regex, Matches)
• Any decimal digit
• Any character that is not a decimal digit
The regular expression syntax used is Perl-compatible. For further details on writing regular expressions, consult a tutorial or programming manual.
Chapter 10: Glossary
• 802.1X: IEEE standard for port-based network access control.
• Access-Accept: Response from RADIUS server indicating successful authentication, and containing authorization information.
• Access-Reject: Response from RADIUS server indicating a user is not authorized.
• Access-Request: RADIUS packet sent to a RADIUS server requesting authorization.
• Accounting
208. contains the visitor's phone number. The default value is visitor_phone.
• Auto-Send Field: Click this drop-down list and select the field which, when configured with any string or non-zero value, will trigger the automatic sending of an SMS receipt. The default value of this field is auto_send_sms.
Managing Hotspot Plans
Your Hotspot plans determine how a customer is to pay for Internet access when connected through Dell Networking W-ClearPass Guest. You also have the option to allow free access.
To view the list of hotspot plans your visitors can select, and to access plan management, go to Configuration > Hotspot Manager > Manage Plans.
Manage Hotspot Plans: View a list of plans that may be selected by visitors. You can create, modify and remove plans here.
The Manage Hotspot Plans page opens, showing the list of default plans. Plans that are enabled have their name in bold and their icon in color. Plans that are not enabled have their icon in gray.
• Free Access: 64 kbit Web browsing traffic only, and a maximum of one hour.
• Hourly Access: Wireless access charged at 2.95 per hour. Offers full Internet access at 128 kbit/sec.
• Daily Access: Wireless access charged at 24.95 per day (24 hours). Offers full Internet access at 256 kbit/sec.
• Weekly Access: Wireless access charged at 54.95 per week 7 days
209. count creation behavior; it is not stored with created visitor accounts.
• captcha: Special field used to enable the use of a CAPTCHA security code on a form. This field should be used with the user interface type "CAPTCHA security code" and the standard validator NwaCaptchaIsValid in order to provide the standard security code functionality.
• Boolean flag indicating that any existing sessions for a visitor account should be disconnected or modified using RFC 3576. If this field is not specified on a form that modifies the visitor account, the default value is taken from the configuration for the RADIUS Services plugin. Set this field to a non-zero value or a non-empty string to enable RFC 3576 updates for active sessions. Set this field to a zero value or the empty string to disable RFC 3576 updates for active sessions.
• create_time: Integer. Time at which the account was created. The creation time is specified as a UNIX timestamp. This field is automatically configured with the current time when the Initial Value is set to array('generator' => 'time').
• creator_accept_terms: Boolean flag indicating that the creator has accepted the terms and conditions of use. When creating an account, this field must be present and must be set to the value 1. If this field is unset or has any other value, account creation will fail with an error message. To set the correct value for this field, use a check box (to require confirmation from the creator) or a
210. count details.
• Edit: Changes the properties of a guest account.
Edit Account form:
• Visitor's Name: Alice Liddel. Name of the visitor.
• Username: aliddel@fireside.org. Name of the visitor account.
• Account Activation: No changes (Account is active). Select an option for changing the activation time of this account.
• Account Expiration: No changes (2012-10-27 16:18:47). Select an option for changing the expiration time of this account.
• Total Allowed Usage: No changes. Select an option for changing the allowed usage time of this account.
• Account Role: No changes (Contractor). Role to assign to this visitor account.
• Password: No changes. Select an option for editing the visitor account's password.
• Session Limit: 1. The number of simultaneous sessions allowed for this visitor account. Type 0 for unlimited use.
• Update Account
NOTE: This form may be customized by adding new fields, or modifying or removing the existing fields. See Customizing Forms and Views on page 150 for details about this customization process. This is the guest_edit form.
Click Update Account to update the properties of the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
• Sessions D
211. count, it is removed from the list permanently.
Activating a Device
To activate a disabled device's account, click the device's row in the Guest Manager Devices list, then click its Activate link. The row expands to include the Enable Guest Account form.
Enable Guest Account form: Username; Account Expiration (No expiration time set); Activate Account, with the options No changes (Account is disabled), Now, 1 hour from now, 1 day from now, 1 week from now, and Activate at specified time.
1. In the Activate Account row, choose one of the options in the drop-down list to specify when to activate the account. You may choose an interval, or you may choose to specify a time.
2. If you choose Activate at specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
3. Click Enable Account to commit your changes.
Editing a Device
To edit a device's account, click the device's row in the Guest Manager Devices list, then click its Edit link. The row expands to include the Edit MAC form.
Total Allowed Usage Edit MA
212. create an opt-in facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.
• Credit Warning: When SMS credits get below this threshold, the system will send a warning to the system administrator.
• Advanced Gateways: Select this option to configure SMS gateways from multiple SMS providers. ClearPass Guest SMS services support SMS USA, SMS Worldwide, AQL, Sirocco, Tempos 21 and Upside Wireless SMS gateways.
• SMS via SMTP: Select this option to allow visitor account receipt messages to be sent in an email using the defined SMTP server.
• Phone Number Normalization: The phone number normalization process translates phone strings that are entered in various formats into a single standard format. Click this drop-down list and select one of the following options:
  • Use the visitor's value: When you select this option, the SMS gateway will always send the SMS message using the phone number and country code entered by the visitor.
  • Always include the country code: When you select this option, the SMS gateway will always send the SMS message using the global country code and default phone number length specified in the Default Country Code and Default Phone Length fields. For example, consider an Australian mobile phone number with a default number l
214. ction processor.
• Delete: removes the processor from the Transaction Processors list.
• Duplicate: creates a copy of a transaction processor.
• Show Usage: opens a window in the Transaction Processors list that shows if the profile is in use, and lists any hotspots associated with that transaction processor. Each entry in this window appears as a link to the General Hotspot References form that lets you change the transaction processor associated with that hotspot.
Managing Customer Information
You can customize the fields that the customer sees, the details of these fields, and the order in which they are presented. To customize the fields, go to Configuration > Hotspot Manager > Manage Hotspot Customer Information.
Manage Hotspot Customer Information: Define the information collected about visitors during the Sign Up process.
The Customize Form Fields view opens for the customer information form. See Duplicating Forms and Views on page 151 for instructions for completing the form field editor.
Managing Hotspot Invoices
After the customer's transaction has been processed successfully, the customer receives an invoice containing confirmation of their transaction and the details of their newly created hotspot user account. You can customize the title shown on the invoice and how
215. d
• Legend: Optional title for the checkbox or radio button group.
• Options Generator: Use options. The function used to generate the list of available options.
• Options: List of options available. Enter one or more lines containing key-value pairs, where the key and value are separated with a vertical bar. Example entries:
  AP-Group=Location 1 | Location One
  AP-Group=Location 2 | Location Two
  AP-Group=Location 3 | Location Three
• Sort: No sorting. Method to use to sort the available options.
• Collapse: Hide when no options are selectable. Select this option to automatically hide the form field when only one choice is available.
• Layout: Horizontal. Layout mode for the checklist options.
• Horizontal Rows: Number of rows to draw in the checklist.
In the User Interface drop-down list, select Checklist.
In the Description text box, delete the existing text, then enter "Select the location IDs where this device will be shared. Leave blank to share with all locations."
Delete any text from the CSS Class and the CSS Style fields.
In the Options Generator drop-down list, select Use options.
In the Options text box, enter a list of values to use as the checklist options that are presented to the user. The values you enter in the Options text box control both the values stored in the shared_location field in the database, as well as the text displayed to the user in the checklist. Use the following format:
tag1=value1 | Option 1
tag2=value
216. d. This cannot be edited after creation.
4. In the Service Settings area, you may edit the Display Name.
5. When you duplicate an SMS over SMTP gateway, the Carrier Selection configuration options are included. In the Carrier Selection drop-down list, choose one of the following options:
• Registration form will have the visitor_carrier field: The visitor will supply the carrier information when they register.
• Select a carrier: The form includes the Mobile Carrier field. Choose the carrier from the Mobile Carrier drop-down list.
• Configure Carrier Settings: The form expands to include configuration options for the carrier:
  • SMS Address: You may choose to use a template to determine the email address, or to use a fixed address.
  • Address Template or Address: If you chose to use a template to determine the address, the next field is Address Template. Enter an example email address that will be used as the pattern for the address format. If you chose to use a fixed email address, the next field is Address. Enter the email address to which all messages will be sent.
  • Number Format: Choose a country code requirement option from this drop-down list. The available options are Use the visitor's value, Always include the country code, or Never include the country code.
  • Subject Line: You may enter text for the message's subject line. This field supports Smart
217. d mac and mac_auth:
mac_auth  mac  notes
1  aa aa aa aa aa aa  Device A
1  bb bb bb bb bb bb  Device B
1  cc cc cc cc cc cc  Device C
Any of the other standard fields can be added, similar to importing regular guests.
Advanced MAC Features
2-Factor Authentication
2-factor authentication checks against both credentials and the MAC address on record. Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice, you would probably add mac as a text field to the create_user form. When mac is enabled in a self-registration, it will be included in the account as long as mac is passed in the URL. Relying on self-registration may defeat the purpose of two-factor authentication, however.
The 2 factors are performed as follows:
1. Regular RADIUS authentication using username and password.
2. Role checks the user account mac against the passed Calling-Station-Id.
Edit the user role and the attribute for Reply-Message or Aruba-User-Role. Adjust the condition from Always to Enter conditional expression:
return !MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) && AccessReject();
There is an alternative syntax where you keep the condition at Always and instead adjust the Value:
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? $role['name'] : AccessReject()
or
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : AccessReject()
MAC-Based Derivation of Role
218. d account details
• Remove: Disables or deletes a guest account.
[Figure: Remove Account form, with the Disable account and Delete account actions and the caution "Deleting a guest account cannot be undone. Use this option with care."]
Select the appropriate Action radio button and click Make Changes to disable or delete the account. If you wish to have automatic disconnect messages sent when the enabled value changes, you can specify this in the Configuration module. See Configuring ClearPass Guest Authentication on page 134.
• Activate: Re-enables a disabled guest account, or specifies an activation time for the guest account.
[Figure: Enable Guest Account form, with the Activate Account drop-down list set to Now]
Select an option from the drop-down list to change the activation time of the guest account. To re-enable an account that has been disabled, choose Now. Click Enable Account to set the new activation time for the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated ac
219. d on the statement of health provided by the NAP client. To enable NAP for Microsoft Windows clients, mark the Enable NAP services check box on this tab. You will also need to mark the Enable Quarantine Checks check box on the Protocols tab.
• Do one of the following:
  • Click the Previous button to return to the Trust tab.
  • Click the Next button to continue to the Proxy tab.
  • Click the Create Network button to make the new network configuration settings take effect.
  • Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.
Configuring Proxy Settings
Click the Proxy tab to display the Proxy Settings form.
[Figure: Proxy Settings form, with the Proxy Type, Server and Server Port fields. Note on the form: the manual proxy type is only supported by Android, iOS, and OS X 10.7 (Lion) or later.]
Select one of these options in the Proxy Type drop-down list:
• None: No proxy server will be configured.
• Manual: A proxy
220. d to format a field value after validation.
[Figure: field editor form. The fragment above belongs to the Value Format row; the remaining rows read as follows.]
• Display Function (NwaExplodeComma): The function used to convert a field to a displayable value on the form.
• Display Param (_self): Optional name of field whose value will be supplied as the argument to a display function.
• Display Arguments: Optional value to supply as the argument to a display function.
• Static Display Function (None): The function used to convert a static field to a displayable value on the form.
• Force Value (Always use initial value on form submit): Sets the field's value to the initial value specified above when the form is submitted. Use this option when the field must have a certain value that cannot be overridden by a user.
• Pre-Registration (Field was not pre-registered): Pre-Registration applies for accounts that have been created prior to registration. A field requiring a match will be searched in the account list. If a single match is found, the registration can continue.
• Enable If: Javascript conditional expression for this field's enabled property. The expression f.value returns the in-form value of field f.
• Visible If: Javascript conditional expression for this field's visibility. The expression f.value returns the in-form value of field f.
2. In the Conversion drop-down list, select NwaImplodeComma. The form expands to include the Type Error row.
221. d views to use, click Save Changes to complete the creation of the operator profile.
Operator Profile Privileges
The privilege selections available for an operator profile provide you with control over the functionality that is available to operators.
• No Access means that the operator will have no access to the particular area of functionality. Options for that functionality will not appear for that operator in the menus.
• Read Only Access means that the operator can see the options available but is unable to make any changes to them.
• Full Access means that all the options are available to be used by the operator.
• Custom access allows you to choose individual permissions within each group.
For example, Guest Manager allows you to control access to the following areas:
• Active sessions management
• Viewing historical data for active sessions
• Changing expiration time of guest accounts
• Creating multiple guest accounts
• Creating new guest accounts
• Editing multiple guest accounts
• Exporting guest account data
• Full user control of guest accounts
• Importing guest accounts
• Listing guest accounts
• Managing customization of guest accounts
• Managing print templates
• Removing or disabling guest accounts
• Resetting guest passwords
Refer to the description of each individual operator privilege to determine what the effects of granting that permission will be.
Managin
222. dditional authorization steps may be taken after authentication has completed to determine the appropriate provisioned role.
Configuring Online Certificate Status Protocol
Onboard supports the Online Certificate Status Protocol (OCSP) to provide a real-time check on the validity of a certificate. To configure OCSP for your network, you will need to provide the URL of an OCSP service to your network equipment. This URL can be constructed by using the relative path mdps_ocsp.php/1. For example, if the Onboard server's hostname is onboard.example.com, the OCSP URL to use is: http://onboard.example.com/mdps_ocsp.php/1
NOTE: OCSP does not require the use of HTTPS and can be configured to use HTTP.
Configuring Certificate Revocation List (CRL)
Onboard supports generating a Certificate Revocation List (CRL) that lists the serial numbers of certificates that have been revoked. To configure a CRL, you will need to provide its URL to your network equipment. This URL can be constructed by using the relative path mdps_crl.php?id=1. For example, if the Onboard server's hostname is onboard.example.com, the location of the CRL is: http://onboard.example.com/mdps_crl.php?id=1
NOTE: A certificate revocation list does not require the use of HTTPS and can be configured to use HTTP.
Network Architecture for Onboard
The high-level network architecture for the Onboard solution is shown in the following figure.
223. de
3. Select one of the radio buttons to either copy and paste the certificate as encoded text, or browse to the file to upload. The form expands to include options for that method.
4. If you selected Copy and paste certificate as text:
• To upload a single certificate, copy and paste the certificate into the Certificate text field. The text must include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines. Leave the passphrase fields blank.
• To upload a certificate and private key, copy and paste the certificate and private key into the Certificate text field. The text must include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines, as well as the "BEGIN RSA PRIVATE KEY" and "END RSA PRIVATE KEY" lines.
[Figure: CA Certificate Import form. Step 1: select the format of your certificate (Copy and paste certificate as text, or Upload certificate file). Step 2: provide the certificate in the Certificate, Private Key Passphrase and Confirm Passphrase fields.]
• Certificate: Copy and paste the digital certificate here. This is a block of encoded text and should include the BEGIN CERTIFICATE and END CERTIFICATE lines.
• Private Key Passphrase: Enter the passphrase that was used to encrypt the private key. If
224. description of this content item.
[Figure: Fetch Content form. Overwrite row: "Replace existing item with same name". Select this option to overwrite an existing content item that has the same name.]
After you have completed the form, click the Fetch Content button to have the file downloaded. The file is placed in the public directory on the Web server. You are then able to reference this file when creating custom HTML templates.
Additional Content Actions
To work with your content items:
1. Go to Configuration > Content Manager, then click the item's row in the list. The row expands to include the Properties, Delete, Rename, Download, View Content, and Quick View options.
2. The Properties link allows you to view and edit the properties of the item. Editable properties include the content item's filename and description. Read-only properties include the content type, modification time, file size, and other content-specific properties such as the image's size.
[Figure: Content Item Properties form, showing Owner (the operator that added this content item), Filename (the filename component of the content item), Description, Content Type, Image Size, Date Modified and File Size.]
225. device
4. After provisioning has completed, the app switches the device to PEAP authentication using the newly provisioned unique device credentials. Mutual authentication is performed: the authentication server verifies the client's username and password, and the client verifies the authentication server's certificate.
5. The device is now onboard and is able to securely access the network.
The Onboard provisioning workflow is used to securely provision a device and configure it with network settings. Figure 19 shows a sequence diagram that explains the steps involved in this workflow.
Figure 19: Onboard Provisioning Workflow in the QuickConnect App
[Figure: sequence diagram between the Onboard Device, Network Infrastructure, ClearPass Onboard and ClearPass Policy Manager. Labels shown: Onboard Provisioning; Start provisioning; Enter credentials; Send device provisioning request; Authenticate with Active Directory; Generate TLS certificate for device; Convert to unique device credentials; Create user account; Return unique device credentials; Configure network settings; Provisioning Complete; Future PEAP-MSCHAPv2 authentication with these credentials.]
Managing Provisioned Applications
The Applications form lets you mark individual applications for installation during device provisioning, and specify whether they should be restarted when the device is provisioned. If restart is selected, you can specify whether the restart should take effect when the
226. do not validate this web server's certificate only during testing, or if you are waiting for a commercial SSL certificate.
6. To display your enterprise's logo, select an image from the list in the Logo Image field. Navigate to Administration > Content Manager to upload new images to use as the logo. The native size of the logo used in the QuickConnect client is 188 pixels wide, 53 pixels high. You may use an image of a different size and it will be scaled to fit, but for the best quality results it is recommended that you provide an image that is already the correct size.
7. The Wizard Title text field may be used to specify the text displayed to users when they launch the QuickConnect app to provision their device.
8. If provided, the Password Recovery URL and Helpdesk URL fields may be used to provide additional resources to users who encounter trouble in provisioning their devices.
NOTE: Ensure that users in the provisioning role can access these URLs.
9. When your entries are complete in this tab, click Save Changes. You can click Previous to return to the previous tab.
Configuring Network Settings for Device Provisioning
To configure the network settings that will be sent to a provisioned device, go to Onboard > Network Settings, or click the Network Settings command link. The Network Settings list view opens.
[Figure: Network Settings list view]
227. domly generated account passwords. For nwa_words_password, the random_password_length is the maximum length of the random words to use. Two random words will be used to create the password, joined together with a small number (up to 2 digits). For nwa_picture_password, the random_password_length is ignored. (Field: random_password_length)
random_password_method (String): Identifier specifying how passwords are to be created. It may be one of the following identifiers:
• nwa_digits_password to create a password using random digits. The length of the password is specified by the random_password_length field.
• nwa_letters_password to create a password using random lowercase letters (a through z). The length of the password is specified by the random_password_length field.
• nwa_lettersdigits_password to create a password using random lowercase letters and digits (a through z and 0 through 9). The length of the password is specified by the random_password_length field.
• nwa_alnum_password to create a password using a combination of random digits, uppercase letters and lowercase letters (a-z, A-Z and 0-9). The length of the password is specified by the random_password_length field.
• nwa_strong_password to create a password using a combination of digits, uppercase letters, lowercase letters, and some punctuation. Certain characters are omitted from the password. The
228. e The "not valid after" time is first calculated as the earliest of the following:
• The current time, plus the maximum validity period
• The expiration time of the user account for whom the device certificate is being issued
The "not valid after" time is then increased by the clock skew allowance.
5. The Key Type drop-down list specifies the type of private key that should be created when issuing a new certificate. You can select one of these options:
• 1024-bit RSA, created by device: Lower security. Uses SCEP to provision the EAP-TLS certificate.
• 2048-bit RSA, created by device: Recommended for general use. Uses SCEP to provision the EAP-TLS certificate.
• 1024-bit RSA, created by server: Lower security.
• 2048-bit RSA, created by server: Recommended for general use.
• 4096-bit RSA, created by server: Higher security.
NOTE: Using a private key containing more bits will increase security, but will also increase the processing time required to create the certificate and authenticate the device. The additional processing required will also affect the battery life of a mobile device. It is recommended to use the smallest private key size that is feasible for your organization.
The "created by device" options use SCEP to provision the EAP-TLS device certificate, so the private key is known only to the device rather than also known by the user. When a "created by device" option is selected, the generated key is used instead o
229. e 1
National Prefix: Optional national dialing prefix to recognize.
3. In the SMS Gateway field, if you choose Custom HTTP Handler from the drop-down list, you may specify the HTTP method to use. The form expands to include options for configuring that gateway type, and the Service Method row includes the GET and POST options.
4. If you selected the POST option in the SMS Gateway field, the HTTP Headers and HTTP Post rows are added. You can use the text fields in these rows to override HTTP headers and enter the text to post.
[Figure: Service Method (POST), HTTP Headers and HTTP Post rows. The HTTP Headers example on the form is "Content-Type: text/xml"; the HTTP Post row refers to the Service URL for available substitutions.]
If you selected the SMS over SMTP option in the SMS Gateway field, most of the fields on this form are removed, and the Service Settings area includes the Display Name, Carrier Selection, and Mobile Carrier fields.
[Figure: SMS Gateway Configuration form with SMS over SMTP selected. Display Name: the name for this service handler, which will be displayed to operators using the system. Carrier Selection: "Registration form will have the visitor_carrier field".]
230. e 284
• NwaMoneyFormat on page 284
• NwaParseCsv on page 284
• NwaParseXml on page 285
• NwaPasswordByComplexity on page 285
• NwaSmsIsValidPhoneNumber on page 286
• NwaStrongPassword on page 286
• NwaVLookup on page 286
• NwaWordsPassword on page 287
NwaAlnumPassword
    NwaAlnumPassword($len)
Generates an alpha-numeric password (mixed case) of length $len characters.
NwaBoolFormat
    NwaBoolFormat($value, $options = null)
Formats a boolean value as a string. If 3 function arguments are supplied, the 2nd and 3rd arguments are the values to return for false and true, respectively. Otherwise, the $options parameter specifies how to do the conversion:
• If an integer 0 or 1, the string values 0 and 1 are returned.
• If a string containing a character, the string is split at this separator and used as the values for false and true respectively.
• If an array, the 0 and 1 index values are used for false and true values.
• Otherwise, the string values true and false are returned.
NwaByteFormat
    NwaByteFormat($bytes, $unknown = null)
Formats a non-negative size in bytes as a human readable number (bytes, KB, MB, GB, etc.). Assumes that 1 KB = 1024 bytes, 1 MB = 1024 KB, etc. If a negative value is supplied, returns the $unknown string. If a non-numeric value is supplied, that value is return
231. Click the Save Changes button to return to the process diagram for self-registration.
Self-Service Portal Properties
To edit the properties of the self-service portal:
1. Go to Configuration > Guest Self-Registration. Click to expand the Guest Self-Registration row in the form, then click its Edit link. The Customize Guest Self-Registration diagram opens.
2. Click the Self-Service Portal link or one of the Login Page, Summary Page, Change Password, or Reset Password links for the Self-Service Portal.
3. Mark the Enable self-service portal check box. The form expands to include configuration options.
The self-service portal is accessed through a separate link that must be published to guests. The page name for the portal is derived from the registration page name by appending "portal". When the self-service portal is enabled, a Go To Portal link is displayed on the list of guest self-registration pages, and may be used to determine the URL that guests should use to access the portal.
The portal offers guests the ability to log in with their account details, view their account details, or change their password. Additionally, the Reset Password link provides a method allowing guests to recover a forgotten account password.
[Figure: Customize Guest Registration form, self-service portal section]
232. e Enables the revocation of unique credentials on a specific user's device
• Leverages ClearPass profiling to identify device type, manufacturer, and model
Accessing Onboard
To access Dell Networking W-ClearPass Onboard's device provisioning features, click the Onboard link in the left navigation.
[Figure: Onboard navigation menu: Start Here, Applications, Certificate Authority Settings, Certificate Management, Exchange ActiveSync, Network Settings, Passcode Policy, Provisioning Settings, Reset to Factory Defaults, VPN Settings]
About ClearPass Onboard
This section provides important information about Dell Networking W-ClearPass Onboard.
Onboard Deployment Checklist
Table 12 lists planning, configuration, and testing procedures. Use this checklist to complete your Onboard deployment.
Onboard events are stored in the Application Log for seven days by default. After seven days, significant runtime events are listed in the Audit Viewer in Dell Networking W-ClearPass Policy Manager's Monitoring module. Onboard events that are listed include:
• Changing the CA certificate
• Issuing a new certificate
• Signing a certificate signing request
• Revoking a certificate
• Deleting a certificate
• Importing a trusted certificate
• Uploading a code-signing or other certificate
Table 12: Onboard Deployment Checklist
Deployment Step | Reference
Planning and Prepara
233. e Export Certificate button to download the certificate file in the selected format.
• Revoke certificate: Displays the Revoke Certificate form.
[Figure: Revoke Certificate form, showing the certificate details (Issued To, Valid From, Valid To, Subject) and the "Revoke this client certificate" confirmation check box.]
Mark the Revoke this client certificate check box to confirm that the certificate should be revoked, and then click the Revoke Certificate button. Once the certificate has been revoked, future checks of the certificate's validity using OCSP or CRL will indicate that the certificate is no longer valid.
NOTE: Due to the way in which certificate revocation lists work, a certificate cannot be un-revoked. A new certificate must be issued if a certificate is revoked in error.
NOTE: Revoking a device's certificate will also prevent the device from being re-provisioned. This is necessary to prevent the user from simply re-provisioning and obtainin
234. e Language row, the default setting is Auto-detect. This lets the application determine the operator's language preference from their local system settings. To specify a particular language to use in the application, choose the language from the drop-down list.
4. (Optional) In the Time Zone row, the Default setting indicates that the operator's time zone will default to the system's currently configured time zone. You can use the drop-down list to specify a particular time zone.
5. (Optional) In the Customization row, you can choose to override the application's default forms and views. For more information, see the next section, Customizing Forms and Views on page 150.
Customizing Forms and Views
You can use the Customization option in the Operator Profile Editor to override default forms and views and specify different ones to be used for the operator profile.
[Figure: Custom Forms and Views form, with a "Use default" drop-down list per item: guest_sessions (override the Active Sessions view), change_expiration (override the Change Expiration form), create_multi (override the Create Guest Accounts form), guest_edit (Edit Account).]
235. Figure 11: ClearPass Onboard Network Architecture
[Figure labels: Provisioned using Onboard Workflow; Bring Your Own Client Devices; Administer & Secure BYOD Network Access; Devices authenticate with Unique Device Credentials]
The sequence of events shown in Figure 11 is:
1. Users bring their own device to the enterprise.
2. The Dell Networking W-ClearPass Onboard workflow is used to provision the user's device securely and with a minimum of user interaction.
3. Once provisioned, the device re-authenticates to the network using a set of unique device credentials. These credentials uniquely identify the device and user and enable management of provisioned devices.
4. Administrators can configure all aspects of the provisioning workflow, including the devices that have been provisioned, policies to apply to devices, and the overall user experience for BYOD.
A more detailed view of the network architecture is shown in Figure 12. This diagram shows different types of client devices using the Onboard workflow to gain access to the network. Some of the components that may be configured by the network administrator are also shown.
Figure 12: Detailed View of the ClearPass Onboard Network Architecture
[Figure labels: Onboard Workflow; EAP-TLS Device Certificate; Certificates; Onboard Provisioning]
236. e a different skin for a particular operator profile, see Creating an Operator Profile on page 242.
• To use a different skin for an individual operator login, see Local Operator Authentication on page 247.
• To have the login page use a different skin than the rest of the application, see Operator Logins Configuration on page 257.
• To specify a skin for a customized guest self-registration page, see Configuring Basic Properties for Self-Registration on page 174.
Configuring the SMS Services Plugin
The SMS Services plugin configuration allows you to configure options related to SMS receipts. You may also configure SMS receipt options in the Customization module; see Customize SMS Receipt on page 198.
To view or configure SMS services and receipt options:
1. Go to Administration > Plugin Manager. The Available Plugins list opens.
2. Scroll to the SMS Services row and click its Configuration link. The Configure SMS Services form opens.
Figure 36: Configure SMS Services Plugin
[Figure: Configure SMS Services form (6.0.1-22673), with these rows:]
• Service Provider: The default SMS gateway to use when sending SMS messages.
• Receipt Options: Select options for the SMS receipt.
• SMS Receipt: The plain text format print template to use when generating an SMS receipt.
• Fields: Select the visitor account fields related to the SMS receipt.
• Phone Number Field (visitor_phone): The field containing the visitor
237. e and Profile Description text fields to control the user interface displayed during device provisioning.
[Figure: iOS Install Profile prompt, showing the profile description and the Cancel and Install Now buttons]
4. In the Profile Security row, select one of the following options from the drop-down list to control how a device provisioning profile may be removed:
• Always allow removal: The user may remove the device provisioning profile at any time, which will also remove the associated device configuration and unique device credentials.
• Remove only with authorization: The user may remove the device provisioning profile if they also provide a password. The administrator must specify the password in the Removal Password and Confirm Removal Password fields.
• Never allow removal: The user cannot remove the device provisioning profile. This option should be used with caution, as the only way to remove the profile is to reset the device to factory defaults and destroy all data on the device.
5. Use the Profile Signing text field to specify the display name of the certificate used to sign the configuration profile. This certificate will be automatically created by the certificate autho
238. e for the next page load in the session.
Alternative usage example:
    {nwa_assign var=userskin_plugin generator=NwaGetPluginDetails arg=$u.userskin}
The "generator" parameter specifies the generator function to be called. A single "arg" parameter, if specified, provides a 1-argument form of calling the function; alternatively, "arg1", "arg2" may be specified to form an array of arguments to pass to the generator.
nwa_bling
    {nwa_bling ...}
Smarty registered template function. Adds various kinds of visual effects to the page.
Usage example:
    {nwa_bling id=$some_id type=fade}
The "id" parameter is the ID of the HTML element to which you will add "bling" effects. The "type" parameter is the kind of bling desired:
• "fade": element smoothly fades in and out
• "blink": element blinks slowly
nwa_makeid
    {nwa_makeid ...}
Smarty registered template function. Creates a unique identifier and assigns it to a named page variable. Identifiers are unique for a given page instantiation.
Usage example:
    {nwa_makeid var=some_id}
The "var" parameter specifies the page variable that will be assigned.
Alternative usage:
    {nwa_makeid var=some_id file=filename}
The "file" parameter specifies a file which contains a unique ID. This allows issued IDs to be unique across different page loads.
To return the valu
239. e form, you must enter the number of visitor accounts you want to create. A random username and password will be created for each visitor account. This is not displayed on this form, but will be available on the guest account receipt. The visitor accounts cannot be used before the activation time, or after the expiration time. The Account Role specifies what type of accounts to create. Click the Create Accounts button after completing the form.
Creating Multiple Guest Account Receipts
Once a group of guest accounts has been created, the details for the accounts are displayed.
[Figure: Account Details receipts for the created accounts]
Username | Password | Role | Current State | Account Activation | Account Expiration
91972747 | 20620907 | Contractor | Active | Friday, 26 October 2012, 03:50 PM | Saturday, 27 October 2012, 03:50 PM
09609379 | 97625198 | Contractor | Active | Friday, 26 October 2012, 03:50 PM | Saturday, 27 October 2012, 03:50 PM
41915905 | 97695485 | Contractor | Active | Friday, 26 October 2012, 03:50 PM | Saturday, 27 October 2012, 03:50 PM
To print the receipts, select an appropriate template from the AOpe
240. e issued to that device.
Network Architecture for Onboard when Using ClearPass Guest
ClearPass Guest supports the provisioning, authentication, and management aspects of the complete Onboard solution. Figure 13 shows the high-level network architecture for the Onboard solution when using ClearPass Guest as the provisioning and authentication server.
Figure 13: ClearPass Onboard Network Architecture when Using ClearPass Guest
[Figure labels: Provisioned using Onboard Workflow; Manage Devices; Bring Your Own Client Devices; Administer & Secure BYOD Network Access; Authentication Server; Devices authenticate with Unique Device Credentials]
The user experience for device provisioning is the same in Figure 13 and Figure 11; however, there are implementation differences between these approaches.
When using the ClearPass Guest RADIUS server for provisioning and authentication, EAP-TLS and PEAP authentication must be configured. Navigate to RADIUS > Authentication > EAP & 802.1X to configure a server certificate and the appropriate EAP types for the ClearPass Guest RADIUS server.
ClearPass Policy Manager supports a rich policy definition framework. If you have complex policies to enforce, multiple authentication or authorization sources that define user accounts, or you need features beyond those available in the ClearPass Guest RADIUS server, you
241. e may also contain visitor account fields. The value of each field is displayed in the print template. By default, the wizard sets up the template with the username, password, and role_name fields, but these may be customized.
Options in the Fields row let you add, remove, or change the order of fields. Use the drop-down list to choose the field name, then click the icon at the left of the drop-down list. The field's row expands to include the option links.
[Figure: Fields row listing username, password and role_name, with the Remove, Move Down, Insert Before and Insert After links. Help text: "Select the visitor account fields to display on the print template."]
Use the Remove, Move Up, Move Down, Insert Before, and Insert After links to adjust the fields that are to be included on the print template.
Click the Create Template button to save your newly created print template and return to the list.
Modifying Wizard Generated Templates
Once you have created a print template using the print template wizard, you can return to the wizard to modify it. Click the Edit print template code (Advanced) link to use the standard print template editor. See Creating New Print Templates on page 194 for a description.
NOTE: If you use the wizard to edit a print template after changes have been made to it outside the wizard, those changes will be
242. e rather than assign it to a variable, use the syntax nwa makeid file filename output 1. Otherwise, this template function does not generate any output.

nwa_nav

nwa nav nwa_nav

Smarty registered block function. Defines a block area for navigation, a control, or generates navigation control HTML of a particular type.

Blocks are individual components of the navigation area, which basically consist of HTML. Blocks for actual navigation items have substitution tags in the form tagname. The recognized tags are described in the table below.

Table 27: Navigation Tags

When used with the block parameter, the nwa_nav control does not generate any HTML. When used with the type parameter, the nwa_nav control uses the previously defined blocks to generate the HTML navigation area. The following types are recognized:

• simple: Only the current L1 item has L2 items. L3 only when L2 active.
• all-l1: All current L1 items are shown to L3, otherwise L1 only.
• expanded: All L1 items have L2 items. L3 only when L2 active.
• all-expanded: All items shown to L3.

The reset parameter may be specified to clear any existing navigation settings.

Usage example:

nwa nav block levell active lt li class active gt a lt li gt nwa_nav nwa_nav block levell in active lt li gt a lt li gt nwa_nav
243. e roles. If a database is selected in the User Roles list but no roles within that database are selected, then all roles defined in the database will be available. This is the default option.

4. The Operator Filter may be set to limit the types of accounts that can be viewed by operators. Options include default, no operator filter, only show accounts created by the operator, and only show accounts created by operators within their profile.

5. The User Account Filter and Session Filter fields are optional and allow you to create and configure these filtering options.

The User Account Filter field lets you create a persistent filter applied to the user account list. For example, this feature is useful in large deployments where an operator only wants to have a filtered view of some accounts. To create an account filter, enter a comma-delimited list of field-value pairs. Supported operators are described below.

The Session Filter field lets you create a filter for only that session. To create a session filter, enter a comma-delimited list of field-value pairs. Supported operators are described below.

The user can enter a simple substring to match a portion of the username or any other fields that are configured for search, and may include the following operators:

Table 20: Operators supported in filters

Operator Meaning Additional Information o faw ple Is not equal to 5 is greater than You may search for multiple values when usi
244. e root CA certificate with an updated validity period. Use this option to maintain the validity of all certificates issued by the CA.

• Replacement Renewal: Generates a new private key for the root certificate and reissues the root CA certificate with an updated validity period. Use this option if the root certificate has been compromised, or if you want to invalidate all certificates that were previously issued by the CA.

Whether you renew or replace the root certificate, you should distribute a new copy of the root certificate to all users of that certificate. Click the Renew Root Certificate button to perform the renewal action.

Configuring Data Retention Policy for Certificates

The data retention policy for certificates and certificate requests can be configured by navigating to Onboard > Certificate Authority Settings and clicking the Configure data retention link. The Manage Data Retention form is displayed.

[Screenshot: Manage Data Retention form]

Enable: Enable data retention policy. If enabled, records will be deleted after the period set below.
Time of Day: Select the time of day at which data retention will run.
Onboard Device Certificates
Minimum Period: 12 weeks. The minimum delay required before an expired certificate or a rejected request can be deleted. Leave blank to allow certificates and requests
245. e specified sessions are closed and are removed from the Active Sessions list.

Sending Multiple SMS Alerts

The SMS tab on the Active Sessions page lets you send an SMS alert message to all active sessions that have a valid phone number. An SMS alert during an active session can be used to send a group of visitors information you might want them to have immediately, for example, a special offer that will only be available for an hour, a change in a meeting's schedule or location, or a public safety announcement.

To create an SMS message:

1. Click the SMS tab on the Active Sessions page. The Send SMS Notification form opens.

[Screenshot: Send SMS Notification form with a Message field, maximum 160 characters]

2. Use the filter to specify the group of addresses that should receive the message. See Filtering the List of Active Sessions on page 61. Only accounts with valid phone numbers can be sent SMS alerts.
3. Enter the message in the Message text box. Messages may contain up to 160 characters.
4. Click Send.

About SMS Guest Account Receipts

You can send SMS receipts for guest accounts that are created using either sponsored guest access or self-provisioned guest access. This is convenient in situations where the visitor may not be physically present to receive a printed receipt. ClearPass Guest may be
246. e this option

[Screenshot: Sponsorship Confirmation options on the Receipt Actions form]

Sponsorship Confirmation, Enabled: Require sponsor confirmation prior to enabling the account.
Authentication: Require sponsors to provide credentials prior to sponsoring the guest. If checked, the sponsor will need to successfully authenticate prior to sponsoring the user. The sponsor's operator profile must have the Guest Manager > Remove Accounts privilege.
Email Field: The field containing the sponsor's email address.
Email Confirmation: The plain text or HTML print template to send to the sponsor.
Email Skin: The format in which to send email receipts.
Send Copies: Specify when to send visitor account receipts to the recipients in the Copies To list.
UI Overrides: Display fields to override UI text and labels.
Role Override: Change the guest's role upon a successful confirmation from the sponsor.
Extend Expiration: Extend the account's expiration time. Leave blank to use the original expiration time. For example 12h 30d or Fly

4. In the Authentication row, mark the check box for Require sponsors to provide credentials prior to sponsoring the guest.
5. In the Role Override row, choose Prompt from the drop-down list.
6. Complete the rest of the form with the appropriate information, then click Save Changes. The Customize Guest R
247. e to generate the filename for the receipt

[Screenshot: Receipt Actions form]

Action Icon: Optional custom icon to use for this receipt action.
Action Text: Optional custom label to use for this receipt action.
Print, Enabled: Enable print window for guest receipts.
Email Delivery, Enabled: Disable sending guest receipts by email.
SMS Delivery, Enabled: Disable sending guest receipts by SMS.
Sponsorship Confirmation, Enabled: Require sponsor confirmation prior to enabling the account.

Enabling Sponsor Confirmation for Role Selection

You can allow the sponsor to choose the role for the user account at the time the sponsor approves the self-registered account. To enable role selection by the sponsor:

1. Go to Configuration > Guest Self Registration. Click the Guest Self Registration row, then click its Edit link. The Customize Guest Registration diagram opens.
2. In the Receipt Page area of the diagram, click the Actions link. The Receipt Actions form opens.
3. In the Sponsorship Confirmation area at the bottom of the form, mark the Enabled check box for Require sponsor confirmation prior to enabling the account. The form expands to let you configur
248. e together with their meaning and an example of each.

Variable | Description | Example
u username | User account name | 12345678
u password | User account password | 87654321
u enabled | Non-zero if the guest account is enabled | 1
u role_name | Role assigned to guest account | Guest
u start_time | Time at which the guest account will become active | 1155772123
u expire_time | Time at which the guest account will expire | 1155858523
u expire_postlogin | Lifetime of the guest account login in minutes after login | 120
u visitor_name | User's name | Susan Guest
u visitor_company | User's company name | Acme Sprockets
u sponsor_name | Sponsor's name | John Sponsor
u custom_field | Custom fields attached to the account |
action | Action taken on account: create, delete, or edit | create
source | Source of account action: create user, reset_password, etc. | create user

This section is followed by three other sections: the body, the header, and the footer. Each section must be written in HTML. There is provision in each section for the insertion of multiple content items such as logos.

You are able to add Smarty template functions and blocks to your code. These act as placeholders to be substituted when the template is actually used. See Smarty Template Syntax on page 264 for further information on Smarty template syntax. You are able to use an if stateme
249. e when sending the message.

3. Click Send Message.

About SMS Credits

Most SMS providers use a system of credits when sending messages. In Dell Networking W-ClearPass Guest SMS Services, one credit is used for each sent message. The credit is used when the message is sent, regardless of whether the recipient actually receives the message. Please review your provider's details and pricing.

To determine the number of remaining SMS credits, navigate to the Administration > SMS Gateways window. The Credits Available field indicates the number of remaining SMS credits for your account. This value is determined once the first message has been sent, and is updated after sending each message.

When credits are running low, a warning message is emailed to the administrator group. The email address is determined by looking up all local operators with the special IT Administrators operator profile, and using any configured email address for those operators. Up to three messages will be sent:

• A low-credit warning is sent once the Credits Available value reaches the warning threshold (the default value is 50).
• A second low-credit warning is sent once the Credits Available value reaches half the warning threshold.
• A final message is sent once the Credits Available value reaches zero.

NOTE: To adjust the warning threshold, set the Credit Warning value in the configuration for the SMS Services Plugin.

Abou
250. e_subject smtp_warn_before_template_id smtp_warn_before_receipt_format smtp_warn_before_cc_list smtp_warn_before_cc_action warn_before_from_sponsor warn_before_from

Description

String. This field may be set to a non-zero value to enable sending an email receipt. If unset, the default value from the email receipt configuration is used. The special values _Auto (Always auto-send guest receipts by email), _AutoField (Auto-send guest receipts by email with a special field set), Click (Display a link enabling a guest receipt via email), and Cc (Send an email to a list of fixed addresses) may also be used.

String. This field specifies the email format to use for the receipt. It may be one of plaintext (No skin, plain text only), html_embedded (No skin, HTML only), receipt (No skin, Native receipt format), default (Use the default skin), or the plugin ID of a skin plugin to specify that skin. If blank or unset, the default value from the email receipt configuration is used.

String. This field specifies the subject line for the email message. Template variables appearing in the value will be expanded. If the value is default, the default subject line from the email receipt configuration is used.

String. This field specifies the print template ID to use for the email receipt. If blank or unset, the default value from the email receipt configuration is used.

String. This field overrides what is specified in the subject line unde
251. earch Directory to attempt to find sponsor names that match the lookup values, or click Cancel to cancel the test. The Authentication Test area is added above the server names to indicate the search's progress.

Troubleshooting Error Messages

The error messages in the following table can be used to diagnose error messages such as:

LDAP Bind failed: Invalid credentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece), bind DN was

Table 22: LDAP Error Messages

Error Data | Reason
 | Invalid credentials (password is incorrect)
 | Account has expired
 | User must reset password
 | User account is locked

Other items to consider when troubleshooting LDAP connection problems:

• Verify that you are using the correct LDAP version: use ldap for version 2 and ldap3 to specify LDAP version 3.
• Verify that you are using an SSL/TLS connection: use ldaps or ldap3s as the prefix of the Server URL.
• Verify that the Bind DN is correct: the correct DN will depend on the structure of your directory, and is only required if the directory does not permit anonymous bind.
• Verify that the Base DN is correct: the Base DN for user searches is fixed and must be specified as part of the Server URL. If you need to search in different Base DNs to match different kinds of operato
252.
nwa_youtube
Date Time Format Syntax
nwadateformat Modifier
nwatimeformat Modifier
Date Time Format String Reference
Programmers Reference
NwaAlnumPassword
NwaBoolFormat
NwaByteFormat
NwaByteFormatBase10
NwaComplexPassword
NwaCsvCache
NwaDigitsPassword len
253. eceipts and the visitor's email address was typed into the New Visitor Account form, an email receipt will be sent automatically. A message is displayed on the account receipt page after an email has been sent.

Creating Multiple Guest Accounts

The Create Guest Accounts form is used to create a group of visitor accounts. To create multiple accounts, go to Guest > Create Multiple or click the Create Multiple Guest Accounts command link on the Guest Manager page. The Create Guest Accounts form opens.

NOTE: The Create Guest Accounts form (create_multi) may be customized by adding new fields, or modifying or removing the existing fields. See Customizing Self Provisioned Access on page 171 for details about the customization process. The default settings for this form are described below.

[Screenshot: Create Guest Accounts form]

Number of Accounts: Number of visitor accounts to create.
Account Activation: Select an option for changing the activation time of this account.
Account Expiration: Select an option for changing the expiration time of this account.
Account Role: Role to assign to this visitor account.

To complete th
254. ected language. The following example from the demonstration site uses Danish (da), Spanish (es), and the default language English, as highlighted in bold:

{if $current_language == 'da'}
<p>Indtast brugernavn og password for at<br>
få adgang til ClearPass Guest</p>
<p>Kontakt <a href="http://www.airwire.dk">Airwire</a> Norden for at få demoadgang</p>
{elseif $current_language == 'es'}
<p>Para entrar en el web demo de ClearPass Guest<br>
necesitas un nombre y contraseña</p>
<p>Si no tienes un login puedes obtener uno<br>
<a href="http://www.arubanetworks.com">contactando con Aruba Networks</a></p>
{else}
<p>The ClearPass Guest demo site<br>
requires a username and password</p>
<p>If you don't have a login<br>
<a href="http://www.arubanetworks.com">contact Aruba Networks</a> to obtain one</p>
{/if}
<br clear="all">

In the Login Footer field, enter any HTML information that you want displayed in the Operator Login form.

Select the login skin from the Login Skin drop-down menu. Options include the default skin or a customized skin.

Advanced Operator Login Options

Advanced Options: These options do not normally need to be modified. Log only web logins Im Logging g
255. ed. If neither condition has matched, the enabled field will be set to 0 and login will not be permitted.

Operator Logins Configuration

You are able to configure a message on the login screen that will be displayed to all operators. This must be written in HTML. You may also use template code to further customize the appearance and behavior of the login screen.

Options related to operator passwords may also be specified, including the complexity requirements to enforce for operator passwords.

Navigate to Administration > Operator Logins and click the Operator Logins Configuration command link to modify these configuration parameters.

Custom Login Message

[Screenshot: Operator Logins Configuration form, Operator Login UI section]

Login Message: The message that will be displayed in the header of the login screen.
Login Footer: The message that will be displayed in the footer of the login screen.
Login Skin: Override the skin of the login screen.

If you are deploying ClearPass Guest in a multi-lingual environment, you can specify different login messages depending on the currently sel
256. ed The time should be specified as a UNIX timestamp. (Field: schedule_time.)

secret_answer: String. The guest's answer to the secret question that is stored in the secret_question field. To use this field, first add both the secret_question and secret_answer fields to a guest self-registration form. Then, in the self-service portal for a guest self-registration page, select the Secret Question as the Required Field. This configuration requires that guests provide the correct answer in order to reset their account password. Answers must match with regards to case in order to be considered as correct.

secret_question: String. The guest's secret question used to confirm the identity of a guest during a reset password operation.

Integer. Maximum number of simultaneous sessions allowed for the account.

sponsor_email: Email address of the sponsor of the account. If the sponsor_email field can be inserted into an email receipt and used future emails, the Reply To email address will always be the email address of the original sponsor, not the current operator.

sponsor_name: String. Name of the sponsor of the account. The default value of this field is the username of the current operator.

submit: No Type. Field attached to submit buttons. This field controls account creation behavior; it is not stored with created visitor accounts.

user_activity: Integer. Login activity of the guest account. This field is available in views and may be used ao t
257. ed authentication, disabling a user's account would impact all devices using those credentials. To disable network access for a device, revoke the TLS client certificate provisioned to the device. See Working with Certificates in the List on page 97.

NOTE: Revoking access for a device is only possible when using an enterprise network. Personal PSK networks do not support this capability.

Revoking Credentials to Prevent Network Access

NOTE: Revoking a device's certificate will also prevent the device from being re-provisioned. This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate. To re-provision the device, the revoked certificate must be deleted.

If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate authority to update the certificate's state. When the certificate is next used for authentication, it will be recognized as a revoked certificate and the device will be denied access.

NOTE: When using EAP-TLS authentication, you must configure your authentication server to use either OCSP or CRL to check the revocation status of a client certificate. OCSP is recommended as it offers a real-time status update for certificates.

If the device is provisioned with PEAP unique device credentials, revoking the certificate will automatically delete the unique username and password associated with the device. When th
258. ed directly.

NwaByteFormatBase10

NwaByteFormatBase10($bytes, $unknown = null)

Formats a non-negative size in bytes as a human-readable number (bytes, KB, MB, GB, etc.). Assumes base 10 rules in measurement; that is, 1 KB = 1000 bytes, 1 MB = 1000 KB, etc. If a negative value is supplied, returns the $unknown string. If a non-numeric value is supplied, that value is returned directly.

NwaComplexPassword

NwaComplexPassword($len = 8)

Generates complex passwords of at least $len characters in length, where $len must be at least 4. A complex password includes at least 1 each of a lower case character, upper case character, digit, and punctuation symbol.

NwaCsvCache

NwaCsvCache($csv_file, $use_cache = true, $options = null)

Loads and parses the contents of a CSV file, using a built-in cache. The cache may be cleaned for a specific file by setting $use_cache to false. The cache may be cleaned for ALL files by setting $csv_file to the empty string and $use_cache to false. CSV parsing options (see NwaParseCsv on page 284) may be specified in $options. Additionally, a 2-argument form of this function may be used by passing an array of options as the second argument; in this case, $use_cache is assumed to be true. This function returns false if the file does not exist; otherwise, returns an array of arrays containing each of the parsed records from the file.

NwaDigitsPassword len

NwaDigitsPassword($len)

Generates digi
259. ed if you have a specific requirement for that method.

The Windows EAP options that may be specified include:

• Enable Fast Reconnect: Fast Reconnect is a PEAP property that enables wireless clients to move between wireless access points on the same network without being re-authenticated each time they associate with a new access point. If TLS is selected, Fast Reconnect is not available.
• Enforce Network Access Protection: Enable this option to obtain a system statement of health (SSoH) from the OnGuard or Microsoft NAP Agent and send it to the authentication server during the 802.1X authentication process. Use this option to enforce network access control (NAC) protections on the network. If TLS is selected, Enforce Network Access Protection is not available.
• Enforce Cryptobinding: Cryptobinding is a process that protects the authentication protocol negotiation against man-in-the-middle attacks. The cryptobinding request and response performs a two-way handshake between the peer and the authentication server using key materials. If TLS is selected, Enforce Cryptobinding is not available.
• Do one of the following:
  o Click the Previous button to return to the Access tab.
  o Click the Next button to continue to the Authentication tab.
  o Click the Create Network button to make the new network configuration settings take effect.
  o Click the Cancel button to discard your changes and return to the main Onboard configuration user in
260. edes: true if currency symbol precedes positive value
n_sep_by_space: true if a space separates currency symbol from a negative value
n_cs_precedes: true if currency symbol precedes negative value

Additionally, the special value monetary, if true, indicates that a currency value should be formatted, rather than a regular numeric value.

View Display Expression Technical Reference

A page that contains a view is displayed in an operator's Web browser. The view contains data that is loaded from the server dynamically. Because of this, both data formatting and display operations for the view are implemented with JavaScript in the Web browser.

For each item displayed in the view, a JavaScript object is constructed. Each field of the item is defined as a property of this object. When evaluating the JavaScript Display Expression, the data variable is used to refer to this object. Thus, the expression data.my_field would return the value of the field named my_field.

[Screenshot: the guest_users view listing user accounts]

In the above view (the guest_users view), the four columns displayed correspond to the username, role_name, enabled, and expire_time fields.

Table 40: Display Expressions for Data Formatting

Value Description Display Expressions
261. ediate CA and Root CA, and can be imported in ClearPass Policy Manager as the server certificate. ClearPass Policy Manager does not accept PKCS#7.

To include the trust chain in a certificate bundle that can be imported as the server certificate in ClearPass Policy Manager, mark the Include certificate trust chain check box, then click the Export Certificate button.

Click the Export Request button to download the certificate signing request file in the selected format.

• Sign request: Displays the Sign Request form. Use this action to approve the request for a certificate and issue the certificate.

[Screenshot: Sign Request form]

Request Details: Details about the request and its owner.
Certificate Options: Options that affect the signing of the certificate.
Expiration: The number of days before the certificate will expire.
Sign this request: Select this checkbox to sign the request and issue a certificate.

Use the Expiration text field to specify how long the issued certificate should remain valid.

Mark the Sign this request check box to confirm that the certificate should be
262.
About CSV and TSV Exports
About XML Exports
MAC Authentication in ClearPass Guest
MAC Address Formats
Managing Devices
Changing a Device's Expiration Date
Disabling and Deleting Devices
Activating a Device
Editing a Device
Viewing Current Sessions for a Device
Viewing and Printing Device Details
MAC Creation Modes
Creating Devices Manually in ClearPass Guest
Creating Devices During Self Registration MAC Only
Creating Devices During Self Registration Paired Account
263.
Disconnecting Multiple Active Sessions
Sending Multiple SMS Alerts
About SMS Guest Account Receipts
Onboard
Accessing Onboard
About ClearPass Onboard
Onboard Deployment Checklist
Onboard Feature List
Supported Platforms
Public Key Infrastructure for Onboard
Certificate Hierarchy
Certificate Configuration in a Cluster
Revoking Unique Device Credentials
264.
Customize Random Username and Passwords
Create the Print Template
Customize the Guest Accounts Form
Create the Access Code Guest Accounts
Hotspot Manager
Accessing Hotspot Manager
About Hotspot Management
Managing the Hotspot Sign up Interface
Captive Portal Integration
Web Site Look and Feel
SMS Services
Managing Hotspot Plans
Editing or Creating a Hotspot Plan
Managing Transaction Processors
265.
Configuring Mutual Authentication Settings
Configuring Trust Settings Automatically
Configuring Trust Settings Manually
Configuring Windows Specific Network Settings
Configuring Proxy Settings
Configuring an iOS Device VPN Connection
Configuring an iOS Device Email Account
Configuring an iOS Device Passcode Policy
Resetting Onboard Certificates and Configuration
Onboard Troubleshooting
Configuration
Accessing Configuration
Configuring ClearPass Guest Authentication
266. eees 212 GetSessions 2 2m2mmmmme e cece LDL eee eeeseeeeeeeeeeeeeteeeeeeeeres 273 GetSessionTimeRemaining w mmmemmmm mwm m mwm mume mme 273 SMV WI 273 GetTraffic III 274 GetUserActiveSessions _ 2 22 o ecco cece ee ccc cece e cece eee cece cece ceeeeteeeseceeseeeeeeeeres 274 GetUserActiveSessionCount 2mm2memmmme mmewe LaLa aooaa 274 GetUserCumulativeUsage 2 2 22 e cece cece cece eeeeeeeeeeeseees 274 GetUserCurrentSession 2memmemmm mmama LDL LLDD aLL aLa naL 274 GetUserFirstLoginTime 2wmmmmm mwen mma mm wanu mm muwe LaaLa aLa 274 GetUserSessions 2m2mm2memmm meme cece eee mami mema amene 275 GUSWA 275 Advanced Developer Reference __ 02 2 2 eee e cece eee cece cece cece cece eeeeeeeeeeeeeeee 2715 nwa assign Wi eee e cess ee seeeeeeeeeeeeees 2715 nwa WING AA 2715 nwa_makeld 2m0mmmmmm mme m cence cee eeeeeeeeeseeeeseeeees 276 VO VAY AI 276 nwa_plugin __ 228 eee eee eee eee eee eee eee cece cece eee e ee eeeeeeeeeeeeees 271 nwa privilege II 218 PV hi ee cesta ester sees ciarce cps Seeds eceeses tos eed E a a ame ae 278 nwa_text 2 0 cece eee eee ee eee eee e eee eee eee eee mwm meme 278 nwa_userpref _ 2 0 cece c
267. egistration diagram opens again.
7. You can click the Launch this guest registration page link at the upper-right corner of the Customize Guest Registration diagram to preview the Guest Registration login page. The Guest Registration login page is displayed as the guest would see it.
[Screenshot: Visitor Registration form with Your Name, Email Address, and Confirm fields and a Register button]
When a guest completes the form and clicks the Register button, the sponsor receives an email notification.
8. To confirm the guest's access, the sponsor clicks the click here link in the email and is redirected to the Guest Registration Confirmation form.
[Screenshot: Visitor Registration Receipt form with the Account Role drop-down list]
9. In the Account Role drop-down list, the sponsor chooses the role for the guest, then clicks the Confirm button.
Editing Download and Print Actions for Guest Receipt Delivery
To enable the template and display options to deliver a receipt to the user as
268. egrity check 224 Onboard 131 TSV 43 XML guest account list 43 parsing 285 U uploading code signing certificate 101 content 135 user database 21 V viewing application log 237 content 136 devices 55 documentation 239 plugins 223 sessions device 49 SMS gateways 228 SMTP carriers 234 views 21 141 144 column format 170 customization 150 duplicating 151 editing 151 169 field editor 170 guest_export 43 144 guest_multi 38 144 guest_sessions 60 144 guest_users 34 144 visitors 21 account 21 VPN settings 125 W Web logins 21 WiFi network 137 wizards print template 196 WPA key 138 Dell Networking W ClearPass Guest 6 0 Deployment Guide Index 319 320 Index Dell Networking W ClearPass Guest 6 0 Deployment Guide
269. el that is directly tied to the visitor account. These accounts share the same role, expiration, and other properties. This requires a vendor passing a mac parameter in the redirect URL. ClearPass Guest does not support querying the controller or DHCP servers for the client's MAC based on IP.
To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row, click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth_pair in the list, click the Customize fields link above the list. Click the Edit link in the field's row. In the Define Custom Field form, edit the registration form fields:
• Add or enable mac. UI: Hidden field. Field Required: optional. Validator: IsValidMacAddress.
• Add or enable mac_auth_pair. UI: Hidden field. Initial Value: 1.
Any other expiration options, role choice, surveys, and so on can be entered as usual. You will see an entry under both List Accounts and List Devices. Each should have a View Pair action that cross-links the two.
NOTE: If you delete the base account, all of its pairings will also be deleted. If RFC 3576 has been configured, all pairs will be logged out.
AirGroup Device Registration
AirGroup allows users to register their personal mobile devices on the local network and define
270. elds are used to determine the time at which the visitor account will be activated.
• If modify_schedule_time is none, then the account is disabled and has no activation time set.
• If modify_schedule_time is now, then the account is enabled and has no activation time set.
• If modify_schedule_time is a value that specifies a relative time change, for example 1h, then the visitor account's activation time is modified accordingly.
• If modify_schedule_time is a value that specifies an absolute time, for example 2010-12-31 17:00, then the visitor account's activation time is set to that value.
• If modify_schedule_time is schedule_after or schedule_time, then the activation time is determined according to the schedule_after or schedule_time fields, as explained below.
• If schedule_after is set and not zero, then add that time in hours to the current time and use it as the activation time, setting do_schedule to 1; enabled will be set to zero.
• Otherwise, if schedule_after is zero, negative, or unset, and schedule_time has been specified, use that activation time; set do_schedule to 1 and enabled to 0. If the schedule time specified is in the past, set do_schedule to 0 and enabled to 1.
• Otherwise, if schedule_time is not specified, then the visitor account has no activation time and do_schedule will default to zero.
Visitor Account Expiration Properties
do_expire, modify_expire_time, expire_after, and expire_time: The
271. elf Provisioned Access on page 171 for details about this customization process.
About CSV and TSV Exports
In CSV and TSV format, the following default fields are included in the export:
• Number: Sequential number of the guest account in the exported data
• User ID: Numeric user ID of the guest account
• Username: Username for the guest account
• Role: Role for the guest account
• Activation: Date and time at which the guest account will be activated, or N/A if there is no activation time
• Expiration: Date and time at which the guest account will expire, or N/A if there is no expiration time
• Lifetime: The guest account's lifetime in minutes after login, or 0 if the account lifetime is not set
• Expire Action: Number specifying the action to take when the guest account expires (0 through 4)
About XML Exports
The default XML format consists of a <GuestUsers> element containing a <GuestUser> element for each exported guest account. The numeric ID of the guest account is provided as the id attribute of the <GuestUser> element. This format is compatible with the ClearPass Policy Manager XML format for guest users. The values for both standard and custom fields for guest accounts are exported as the contents of an XML tag, where the tag has the same name as the guest account field. An example XML export is given below:
<?xml version="1.0" encoding="UTF-8" standalone="true"?> <TipsCon
272. • smtp_warn_before_cc_action: This field overrides how copies are sent, as indicated under Logout Warnings on the email receipt, to send copies of email receipts. It may be one of never, always_cc, always_bcc, conditional_cc, or conditional_bcc. If blank or unset, the default value from the email receipt configuration is used.
• warn_before_from_sponsor: This field overrides the Reply To field (that is, the sponsor_email field of a user, or the admin's email) under the Logout Warnings on the email receipt. If the value is default, the Reply To field under Logout Warnings from the email receipt configuration is used.
• warn_before_from: This field overrides the Override From field under the Logout Warnings on the email receipt. If the value is default, the Override From field under Logout Warnings from the email receipt configuration is used.
Customizing Print Templates
Print templates are used to define the format and appearance of a guest account receipt. To work with print templates, go to Configuration > Print Templates. The Print Templates view opens. Click a print template's row in the list to select it. The template's row expands to include the Edit, Duplicate, Delete, Preview, Show Usage, and Permissions options. The Edit code action is displayed for a print template when
273. eneral 95 iOS amp OS X Legacy OS X Android Provisioning These options control Android device provisioning 7 ie Anica Dei W Enable Android device provisioning Downloads and executes an Android application on a user s device to complete provisioning Android Rootkit Detection Provision all devices x ay Windows TI Android Control whether devices with a rootkit may be provisioned Instructions These options control the text shown during provisioning for Android devices e Onboard Client inwa_icontext type info inwa tezt id 10897 In order to connect to this network J your device must be configured for enhanced security Aruba Networks QuickConnect application will guide you through the configuration process nwa_text nwa_icontext nwa_text id 10896 lt p gt To apply the network profile you first need to download and install the QuickConnect application from the Android marketplace lt p gt nwa_text assign var link_text value 10903 NwaText Download and _ install the QuickConnect network configuration as Saat san LL WW Before Provisioning Insert content item lv These instructions are shown to the user before they provision an Android device Enter the HTML code to display Smarty template functions can be used here Leave this field empty to use the default instructions nwa_text id 10895 lt p gt After you have downloaded and installed the application
274. ength of 9, plus a leading zero and a country code of 61. If you selected the Always include the country code option, the Australian mobile number 04123456785 would normalize to 61412345678 in the internationalized format.
Never include the country code: When you select this option, any country code specified by the visitor is removed before the SMS message is sent.
SMS Services
With SMS Services, you can configure ClearPass Guest to send SMS messages to guests. You can use SMS to send a customized guest account receipt to your guest's mobile phone. You can also use SMS Services to send an SMS from your Web browser. To use the SMS features, you must have the SMS Services plugin installed.
Viewing SMS Gateways
To view the list of SMS gateways:
1. Go to Administration > SMS Services > SMS Gateways. The SMS Gateways list view opens. This list displays the name and available credits for any currently defined SMS gateways.
[Screenshot: SMS Gateways list view]
2. To work with a gateway, click its row in the list. The gateway's row expands to include the Edit, Duplicate, Delete, Make Default, and Send SMS options.
275. equest has been received. However, you must wait for an administrator to issue the certificate you requested. Your Request Id is 626. Please return to this web site in a day or two to retrieve your certificate. Note: You must return with this web browser within 10 days to retrieve your certificate.
If the Certificate Pending page is displayed, follow the directions on the page to retrieve the certificate when it is issued.
Figure 21 The Certificate Issued Page
[Screenshot: Microsoft Active Directory Certificate Services, Certificate Issued page with encoding options and the Download certificate chain link]
If the Certificate Issued page is displayed, select the Base 64 encoded option and then click the Download certificate chain link. A file containing the intermediate certificate and the issuing certificates in the trust chain will be downloaded to your system. Refer to the instructions in Installing a Certificate Authority's Certificate on page 88 for information on uploading the certificate file to Onboard.
Installing a Certificate Authority's Certificate
You can import a private key and certificate pair to use for the root certificate or intermediate certificate. The CA Certificate Import page may be used to:
• Upload a certificate that
276. er. Only one SMS receipt per guest registration can be sent in this way.
Enabling and Editing NAS Login Properties
To enable and edit the properties for automatic NAS login:
1. Go to Configuration > Guest Self-Registration. Click to expand the Guest Self-Registration row in the form, then click its Edit link. The Customize Guest Self-Registration diagram opens.
2. In the lower-right corner of the diagram, click the NAS box or the NAS Vendor Settings link. The NAS Login form opens.
[Screenshot: NAS Login form with the Enabled check box]
3. Mark the Enabled check box to expand the form.
[Screenshot: expanded NAS Login form with Vendor Settings, IP Address, and Secure Login fields]
The
277. er, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list.
• If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
2. If you choose any option other than will not expire or now in the Account Expiration field, the Expire Action row is added to the table. Use the drop-down list in this row to specify one of the following actions: delete, delete and log out, disable, or disable and log out.
3. Click Update Account to commit your changes.
Disabling and Deleting Devices
To remove a device's account by disabling or deleting it, click the device's row in the Guest Manager Devices list, then click its Remove link. The row expands to include the Remove Account form.
[Screenshot: Remove Account form with Disable account and Delete account actions. Caution: Deleting a guest account cannot be undone. Use this option with care.]
You may choose to either disable or delete the account. If you disable it, it remains in the device list and you may activate it again later. If you delete the ac
278. er 144 guest register receipt 144 previewing 152 reset password 144 G guest 21 guest access business rules 141 click to print 140 email receipt 189 NAS login 171 receipt page 171 registration page 171 roles 18 guest access self provisioned 28 guest accounts activate 37 Dell Networking W ClearPass Guest 6 0 Deployment Guide change expiration 36 creating 29 creating multiple 30 43 delete 36 disable 36 edit 37 editing expiration 36 email receipt 30 export 43 exporting 43 filtering 35 38 Importing 40 list 34 manage multiple 38 paging 35 print 38 reset password 36 selection row 39 SMS receipt 30 view passwords 140 XML export 43 guest management 27 28 custom fields 145 customizing 137 emailreceipts 189 print template wizard 196 printtemplates 194 self provisioned 171 sessions 59 SMS receipts 63 233 Guest module 27 guest self registration H download receipt 181 email receipts 181 login page 184 print receipt 181 self service portal 186 SMS receipt 182 help context sensitive 24 field help 25 quick help 25 searching 24 Index 315 hotspot management 203 captive portal 205 creating plan 207 customer information 210 customizing invoice 210 customizing receipt 216 customizing selection interface 212 214 216 editing plan 207 Invoice 210 plans 206 Hotspot Manager 203 HTML Smarty templates 264 standard styles 262 syntax 261 Importing certificate code signing
279. er a name to identify the guest self-registration instance. This is visible only to administrators. Description: Enter comments about this instance of guest self-registration. This is visible only to administrators. Enabled: Enable guest self-registration. Register Page: Enter the base page name for the guest registration page. Parent: No parent (standalone). Fields and text will use the parent's value unless overridden. Simply edit a field to override the parent value. Authentication: Require operator credentials prior to registering the guest. If checked, access to this registration page will require operator credentials. The sponsor's operator profile must have the Guest Manager > Create New Guest Account privilege.
The Register Page is the name of a page that does not already exist. There are no spaces in this name. This page name will become part of the URL used to access the self-provisioning page. For example, the default guest_register page is accessed using the URL guest_register.php.
Click the Save Changes button to save the self-registration page. A diagram of the self-registration process is displayed. Click the Save and Continue button to proceed to the next step of the setup. Once a self-registration page has been created, you are able to edit, delete, duplicate, or go to it, providing self-registration has been enabled.
Editing Self-Registration Pages
280. ername Authentication
Navigate to Guest > Create Multiple. Mark the check box in the Username Authentication row that was added in the procedure above. If you do not select this check box, and if the username is entered on the login screen, the authentication will be denied. The example shown below will create 10 accounts that will expire in two weeks or four hours after the visitors first log in, whichever comes first.
[Screenshot: Create Multiple form with Number of Accounts set to 10, Username Authentication, Account Activation set to Now, Account Expiration, Expires After set to 2 weeks, and Account Role set to Contractor]
3. Click Create Accounts to display the Finished Creating Guest Accounts page. If you create a large number of accounts, they are created at one time but might not all be displayed at the same time. This will not affect the printing action in the following step.
Account Details Username Password Role Current State Acc
281. ertificate Management: Create, view, and revoke digital certificates for devices, servers, and certificate authorities.
The Certificate Management list view opens. This list displays all of the certificates and certificate requests in the Onboard system.
[Screenshot: Certificate Management list view with Common Name, Serial Number, Valid From, Valid To, Type, and Device columns]
Information provided in the Certificate Management list includes common name, serial number if available, certificate type, validity date range, and device type (iOS, Android, Windows, or None if not associated with a device type). Table 17 lists the types of certificate that are displayed in this list.
Table 17 Types of Certificate Supported by Onboard Certificate Management
Certificate Type Type Column Notes
282. erver Auth, indicating that the certificate may be used to identify a server.
• Certificate Authority: Use this option when the certificate is for a subordinate certificate authority. When this option is selected, the issued certificate will contain an extension identifying it as an intermediate certificate authority, and the extended key usage property will contain the three values Client Auth, Server Auth, and OCSP Signing.
• Code Signing: Use this option for signing the Windows provisioning application.
Specifying the Identity of the Certificate Subject
In the first part of the form, provide the identity of the person or device for which the certificate is to be issued (the subject of the certificate). Together, these fields are collectively known as a distinguished name, or DN.
• Country
• State
• Locality
• Organization
• Organizational Unit
• Common Name: this is the primary name used to identify the certificate
• Email Address
The Key Type drop-down list specifies the type of private key that should be created for the certificate. You can select one of these options:
• 1024-bit RSA (lower security)
• 2048-bit RSA (recommended for general use)
• 4096-bit RSA (higher security)
NOTE: Using a private key containing more bits will increase security, but will also increase the processing time re
283. Your profile may only allow you to create guest accounts, or your profile might allow you to create guest accounts as well as print reports. What your profile permits is determined by the network administrator. Two types of operator logins are supported: local operators, and operators who are defined externally in your company's directory server. Both types of operators use the same login screen.
Role-Based Access Control for Multiple Operator Profiles
Using the operator profile editor, the forms and views used in the application may be customized for a specific operator profile, which enables advanced behaviors to be implemented as part of the role-based access control model. This process is shown in the following diagram.
Figure 37 Operator profiles and visitor access control
[Diagram: operators with Profile 1 use Form 1, and operators with Profile 2 use Form 2, to manage visitors through ClearPass Guest role-based access control]
See About Operator Logins on page 241 for details on configuring different forms and views for operator profiles.
Operator Profiles
An operator profile determines what actions an operator is permitted to take when using Dell Networking W-ClearPass Guest. Some of the settings in an operator profile may be overridden in a specific operator's account settings. These customized settings will take precedence over the defau
284. ... 261
Basic HTML Syntax 261
Standard HTML Styles 262
Smarty Template Syntax 264
Basic Template Syntax 264
Text Substitution 264
Template File Inclusion 264
Comment 264
Variable Assignment 264
Conditional Text Blocks 264
Script Blocks 265
Repeated Text Blocks 265
Foreach Text Blocks 265
Modifiers 266
Predefined Template Functions 266
285. every form. The field help provides a short summary of the purpose of the field at the point you need it most. In many cases, this is sufficient to use the application without further assistance or training.
[Screenshot: Account Lifetime field set to 12 hours, with field help text: The amount of time after the first login before the visitor account will expire and be deleted]
Quick Help
In list views, click the Quick Help tab located at the top left of the list to display additional information about the list you are viewing and the actions that are available within the list. On some forms and views, the Quick Help icon may also be used to provide additional detail about a field.
If You Need More Assistance
If you encounter a problem using ClearPass Guest, your first step should be to consult the appropriate section in this Deployment Guide. If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you with the answer or obtain a solution to your problem. If you still need information, you can refer to the Contact Support command available under Support Services in the user interface, or see Contacting Support on page 14.
Use of Cookies
Cookies are small text files that are
286. f registration. The registration process consists of a data collection step (the register page) and a confirmation step (the receipt page).
You can define what information is collected from visitors on the registration page. New fields and data validation rules can be defined with the custom form editor. Specific details about the type of visitor accounts created are also set here.
The receipt page also includes a form, although typically this form will only contain static information about the guest account. Several different actions can be included on the receipt page, enabling visitors to obtain their receipt in different ways. The receipt page can also be used to automatically log the guest into a Network Access Server, enabling them to start using the network immediately.
Detailed user interface customization can be performed for all parts of the self-registration process. You can define page titles, template code for the page header and footer, and choose a skin that controls the overall look and feel of self-registration. The default user interface customization can be disabled.
Self-Registration Sequence Diagram
To set up a captive portal with guest self-registration, configure your Network Access Servers to redirect guests to the URL of the Go To link. To complete the portal, ensure that the NAS is configured to authorize users with the ClearPass Guest RADIUS server, and set up the self-registration NAS logi
287. f a username password authentication defined in Network Settings.
6. Mark the Include device information in TLS client certificates check box to include additional fields in the TLS client certificate issued for a device. These fields are stored in the subject alternative name (subjectAltName) of the certificate. Refer to Table 18 for a list of the fields that are stored in the certificate when this option is enabled. Storing additional device information in the client certificate allows for additional authorization checks to be performed during device authentication.
NOTE: If you are using a W-Series Controller to perform EAP-TLS authentication using these client certificates, you must have Aruba OS 6.1 or later to enable this option.
Table 18 Device Information Stored in TLS Client Certificates
Name: Device ICCID, mdpsDeviceIccid 4. Description: Integrated Circuit Card Identifier (ICCID) number from the Subscriber Identity Module (SIM) card present in the device. This is only available for devices with GSM cellular network capability where a SIM card has been installed.
Name: Device IMEI, mdpsDeviceImei 3. Description: International Mobile Equipment Identity (IMEI) number allocated to this device. This is only available for devices with GSM cellular network capability.
Name: mdpsDeviceSerial 9. Description: Serial number of the device.
Name: Device Type, mdpsDeviceType 1. Description: Type of device, such as iOS, Android, etc.
Description: Unique device identifier (UDID) for th
288. f your country. State: Enter the full name of your state or province. Locality: Enter the name of your locality (town or city). Organization: Enter the name of your organization or company. Organizational Unit: Enter the name of your organizational unit, e.g. section or division of the company. Common Name: Enter a name for the certificate authority. This is the common name of the digital certificate. Email Address: Enter an email address. Private Key: These options are used to create a private key for the certificate request. Key Type: 2048-bit RSA. Select the type of private key to create for the certificate.
To create a new certificate or certificate signing request, first select the type of certificate you want to create from the Certificate Type drop-down list:
• TLS Client Certificate: Use this option when the certificate is to be issued to a client, such as a user or a user's device. When this option is selected, the issued certificate's extended key usage property will contain a value of Client Auth, indicating that the certificate may be used to identify a client.
• Trusted Certificate: Use this option when the certificate is to be issued to a network server, such as a Web server, or as the EAP-TLS authentication server. When this option is selected, the issued certificate's extended key usage property will contain a value of S
289. feature may require configuration on your mail server to allow the override. Fields: Select the visitor account fields related to the email receipt. Email Field: email. The field containing the visitor account's email address. Auto-Send Field: auto_send_smtp. The field which, if it contains a non-empty string or non-zero value, will cause an account receipt email to be automatically sent upon creation of a visitor account. Test Mail Settings: Send a test mail message. To: To send a test message, enter the recipient's address.
1. The Subject Line may contain template code, including references to guest account fields. The default value, Visitor account receipt for email, uses the value of the email field. See Smarty Template Syntax on page 264 for more information on template syntax.
2. The Skin drop-down list allows you to specify a skin to be used to provide the basic appearance of the email. You may select from one of the installed skins, or use one of these special options:
• No skin - Plain text only: A skin is not used, and the email will be sent in plain text format. Use this option to remove all formatting from the email.
• No skin - HTML only: A skin is not used, but the email will be sent in HTML format. Use this option to provide a basic level of formatting in the email.
• No skin - Native receipt format: A skin is not used. T
290. ficates, subordinate certificate authorities, and other client certificates not associated with a device to be issued by the Onboard certificate authority.
Click on a certificate request to select it. You can then select from one of these actions:
• View request: Displays the properties of the certificate request. Click the Cancel button to close the certificate request properties.
• Export request: Displays the Export Certificate Request form.
[Screenshot: Export Certificate form with Format, Trust Chain, Passphrase, and Confirm Passphrase fields and the Export Certificate button]
Use the Format drop-down list to select the format in which the certificate signing request should be exported. The following formats are supported:
• PKCS#10 Certificate Request (.p10): Exports the certificate signing request in binary format.
• Base-64 Encoded (.pem): Exports the certificate signing request as a base-64 encoded text file. This is also known as PEM format.
If you choose Base-64 Encoded, the form expands to include the Trust Chain row. You can use this option to create and export a certificate bundle that includes the Interm
291. fying a length of 4 will result in sequence numbers 0001, 0002, etc. random_username_length. String. Identifier specifying how usernames are to be created. It may be one of the following identifiers: nwa_sequence, to assign sequential usernames. In this case, the multi_prefix field is used as the prefix for the username, followed by a sequential number; the number of digits is specified by the random_username_length field. nwa_picture_password, to create a random username using the format string specified by the random_username_picture field. nwa_digits_password, to create a username using random digits. The length of the username is specified by the random_username_length field. nwa_letters_password, to create a username using random lowercase letters. The length of the username is specified by the random_username_length field. nwa_lettersdigits_password, to create a username using random lowercase letters and digits. The length of the username is specified by the random_username_length field. nwa_alnum_password, to create a username using a combination of random digits, uppercase letters and lowercase letters. The length of the username is specified by the random_username_length field. nwa_strong_password, to create a username using a combination of digits, uppercase letters, lowercase letters, and some punctuation. Certain characters are omitted from the generated username to ensure its readability (for example, o, O and 0). The length of
292. g Configure carrier settings. Enable Debug: Log detailed information to the application log. If selected, debug messages will be generated for each stage of the HTTP transaction for the service provider. Button: Save and Close. a. Enter the gateway's name in the Display Name field. b. In the Carrier Selection drop-down list, choose how the carrier will be determined. You may choose: Registration form will have the visitor_carrier field: If you choose this option, the visitor must enter their carrier on the registration form. The visitor_carrier field may be customized; the default is a drop-down list. Select a carrier: If you choose this option, the form includes the Mobile Carrier field, where you specify the carrier to use. Configure carrier settings: If you choose this option, the form includes the SMS Address, Address Template, Number Format, and Subject Line fields. For information on completing these fields, see Editing an SMS Gateway on page 231. When you save your entries for the SMS over SMTP option, a new screen, SMTP Carriers, is added to the left navigation. For more information, see Working with the SMTP Carrier List on page 234. 6. In the Service Username and Service Password fields, you may enter your authorization username and password for your SMS service provider. If you are using ClearPass Guest SMS Service and have entered your ClearPass subscription ID in the Software Updates page of ClearP
293. g Operator Profiles. Once a profile has been created, you are able to view, to edit, and to create new profiles. When you click an operator profile entry in the Operator Profiles list, a menu appears that allows you to perform any of the following operations: View/Hide Details: displays or hides configuration details for the selected operator profile, including the profile name, description, operator login access, and the settings for the defined skin, start page, language, and time zone. Edit: changes the properties of the specified operator profile. Delete: removes the operator profile from the Operator Profiles list. Duplicate: creates a copy of an operator profile. Create Operator: opens the Create Operator Login form, allowing you to create a new operator login associated with the selected operator profile. Show Operators: shows a list of operator login names associated with that operator profile. Show Usage: opens a window in the Operator Profiles list that shows if the profile is in use, and lists any LDAP authentication servers, LDAP translation rules, and operator logins associated with that profile. Each entry in this window appears as a link to the form that lets you edit that LDAP or operator login setting. Configuring AirGroup Operator Device Limit: By default, an AirGroup operator can create up to five personal devices. To change this default: 1. Go to Administration > Operator Logins > Profile
294. g a new certificate. To re-provision the device, the revoked certificate must be deleted. Delete certificate: Removes the certificate from the list. Trusted certificates that were imported into Onboard may be deleted at any time after import. For all other certificates, this option is only available if the data retention policy is configured to permit the certificate's deletion. See Configuring Data Retention Policy for Certificates on page 90. [Form: Delete Certificate. Certificate Details: Details about the certificate and its owner. Issued To: Amigopod Local Certificate Authority. Valid From: Thursday, 24 May 2012, 01:27 PM. Valid To: Friday, 24 May 2013, 01:57 PM. Subject: Country US; State California; Locality Sunnyvale; Organization Aruba Networks; Common Name Amigopod Local Certificate Authority; Email Address jralston@arubanetworks.com. Delete this server certificate: Select this checkbox to confirm the certificate deletion. Buttons: Delete Certificate, Cancel.] The Delete Certificate form is displayed. Mark the Delete this client certificate check box to confirm the certificate's deletion, and then click the Delete Certificate button. Working with Certificate Signing Requests: Certificate signing requests can be managed through the Certificate Management list view. This allows for server certi
295. [Sequence diagram residue: Onboard portal page returned; device type detected; Onboard configuration downloaded; app launched; device provisioning; provisioning complete; switch to PEAP; PEAP-MSCHAPv2 authentication over RADIUS; server certificate verified; unique device credentials verified; Access-Accept; EAP Success; device authenticated; Onboard complete.] 1. When a BYOD device first joins the network, it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page. 2. The Onboard portal is displayed. The user's device type is detected, and a link is displayed depending on the device type: a. For Android devices, the link is to a file containing the Onboard configuration settings; downloading this file will launch the QuickConnect app on the device. b. For Windows and Mac, the link is to an executable file appropriate for that operating system that includes both the QuickConnect app and the Onboard configuration settings. 3. The QuickConnect app uses the Onboard provisioning workflow to authenticate the user and provision their device with the Onboard server. The device is configured with appropriate network settings and credentials that are unique to the
296. ge is used to delete certificates or restore the default configuration for Onboard. These options are useful while trialing the Onboard workflow with a set of test devices. [Form: Onboard Reset. Reset Type: Delete all client certificates; choose what to reset. Confirm Reset: Reset the specified items. Performing a reset will permanently delete the selected data. Check the above box if this is really what you want to do. This action cannot be undone. Note: Onboard devices will not be deleted from Policy Manager. You should do this manually.] Select one of the following options in the Reset Type drop-down list: Delete all client certificates: Removes all client certificates from Certificate Management. The certificate authority's root certificate, intermediate certificate, profile signing certificate, and any server certificates are not affected. The provisioning settings for iOS and Onboard-capable devices are not modified. Delete all certificates: Removes all certificates from Certificate Management, including the certificate authority's root certificate, intermediate certificate, profile signing certificate, and any server certificates. The default certificate authority certificate will be recreated. The provisioning settings for iOS and Onboard-capable devices are not modified. Re create
297. Field: Description. http_user_agent: String. Identifies the Web browser that you are using. This tracks users' browsers when they are registering. This is stored with the user's account. id: String. Internal user ID used to identify the guest account to the system. ip_address: String. The IP address to assign to stations authenticating with this account. This field may be up to 20 characters in length. The value of this field is not currently used by the system. However, a RADIUS user role may be configured to assign IP addresses using this field by adding the Framed-IP-Address attribute, and setting the value for the attribute to: lt Suser ip address. modify_expire_postlogin: String. Value indicating how to modify the expire_postlogin field. This field is only of use when editing a visitor account. It may be set to one of the following values: expire_postlogin, to set the post-login expiration time to the value in the expire_postlogin field; plus X or minus X, where X is a time measurement, to extend or reduce the post-login expiration timer by X minutes, but may have a ywdhms suffix to indicate years, weeks, days, hours, minutes, seconds respectively; a number, to set the post-login expiration time to the value specified; any other value, to leave expire_postlogin unmodified. This field controls account modifications; it is not stored with the visitor account. String
298. ges button to save this LDAP Server. If the server is marked as enabled, subsequent operator login attempts will use this server for authentication immediately. Advanced LDAP URL Syntax: For Microsoft Active Directory, the LDAP server connection will use a default distinguished name of the form dc=domain,dc=com, where the domain name components are taken from the bind username. To specify a different organizational unit within the directory, include a distinguished name in the LDAP server URL, using a format such as: ldap://192.168.88.1/ou=IT%20Services,ou=Departments,dc=server,dc=com. To specify a secure connection over SSL/TLS, use the prefix ldaps://. To specify the use of LDAP v3, use the prefix ldap3://, or ldap3s:// if you are using LDAP v3 over SSL/TLS. When Microsoft Active Directory is selected as the Server Type, LDAP v3 is automatically used. An LDAP v3 URL has the format ldap://host:port/dn?attributes?scope?filter?extensions. dn is the base X.500 distinguished name to use for the search. attributes is often left empty. scope may be base, one or sub. filter is an LDAP filter string, for example, (objectclass=*). extensions is an optional list of name=value pairs. Refer to RFC 2255 for further details. Viewing the LDAP Server List: Once you have defined one or more LDAP servers, those servers will appear in the LDAP server list on the Administration > Operator Logins > Servers page
299. ging: Select the level of logging to use when the application is accessed. Local Priority (10): The priority rank of the service handler for authentication of local operators. Lower numbers represent higher priorities. Logout After (4 hours): The idle timeout for operator login sessions, in hours. Session Checking (Full checking): The amount of validity checking to perform on operator login sessions at each page load. Higher settings reduce performance. Check Interval (15 seconds): Minimum interval, in seconds, between checks of a session's validity. Button: Save Changes. The following options are available in the Logging drop-down list: No logging; Log only failed operator login attempts; Log only Web logins; Log only XMLRPC access; Log all access. Log messages for operator logins, whether successful or unsuccessful, are shown in the application log. Automatic Logout: The Logout After option in the Advanced Options section lets you configure an amount of idle time after which an operator's session will be ended. The value for Logout After should be specified in hours. You can use fractional numbers for values less than an hour; for example, use 0.25 to specify a 15-minute idle timeout. Chapter 9: Reference. This chapter i
300. h, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date. If you need to change the expiration time, choose one of the options in the Account Expiration drop-down list. You may terminate the account immediately, at a preset interval of hours or days, or at a specified time. [Screenshot: Account Expiration drop-down list. Options shown: No changes (Account will not expire); Account will not expire; Friday night; 1 hour from now; 1 day from now; 1 week from now; Account expires after; Account expires at specified time.] If you choose any time in the future, the Expire Action row is added to the form. Use this drop-down list to indicate the expiration action for the account: either delete, delete and log out, disable, or disable and log out. The action will be applied at the time set in the Account Expiration row. If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list. The maximum is two weeks. If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date. 4. To change the max
301. h cx height cy. nwa_youtube: Smarty registered block function. Provides simple support for embedding a YouTube video in the body of a page. The content of this block is the initial alternate content that will be presented until the YouTube player can be embedded (if it can be embedded). NOTE: Not all devices are capable of playing back YouTube video content. Usage example: {nwa_youtube video=Y7dpJ0oseIA width=320 height=240} YouTube is the world's most popular online video community. {/nwa_youtube} The supported parameters for this block function are: video (required): the YouTube video ID to embed. width (required): the width in pixels of the video. height (required): the height in pixels of the video. autoplay (optional): if true, auto-play the video. chrome (optional): if true, use the chromed player, that is, provide a user experience with playback controls. version (optional): the minimum version required to play the video. onended (optional): the name of a global function, that is, a member of the JavaScript window object, that is to be called at the end of video playback. Date/Time Format Syntax: There are two basic modifiers available for you to use in Dell Networking W-ClearPass Guest: nwadateformat and nwatimeformat. nwadateformat Modifier: The date format takes one or two arguments: the format description, and an optional default value (used if there is no
302. handled by the Smarty template engine. Using text that contains these characters, such as CSS and JavaScript blocks, requires a Smarty {literal} block:

    {literal}
    <script type="text/javascript" language="JavaScript">
    function my_function() {
        // some Javascript code here
    }
    {/literal}
    </script>

Failing to include the {literal} tag will result in a Smarty syntax error when using your template. Single instances of a { or } character can be replaced with the Smarty syntax {ldelim} and {rdelim} respectively. Repeated Text Blocks: To repeat a block of text for each item in a collection, use the {section} … {/section} tag:

    {section loop=$collection name=i}
    <tr><td class="nwaBody">{$collection[i].name}</td></tr>
    {sectionelse}
    <!-- included if $collection is empty -->
    {/section}

The content after a {sectionelse} tag is included only if the {section} block would otherwise be empty. Foreach Text Blocks: An easier to use alternative to the {section} … {/section} tag is to use the {foreach} … {/foreach} block:

    {foreach key=key_var item=item_var from=$collection}
    {$key_var} = {$item_var}
    {foreachelse}
    <!-- included if $collection is empty -->
    {/foreach}

The advantage of this syntax is that each item in the collection is immediately available as the named item variable, in this example {$item_var}. This construct is also useful when iterating
303. he AirGroup Administrator or AirGroup Operator profile, as appropriate. These profiles are automatically included in ClearPass Guest when the AirGroup Services plugin is installed. Create a CPPM role for the operator: In ClearPass Policy Manager (CPPM), go to Configuration > Identity > Roles and create a role that matches the operator profile. Refer to the ClearPass Policy Manager documentation for information on creating the role. Create a local user for the operator: In CPPM, go to Configuration > Identity > Local Users. Select the CPPM role defined for the user. Refer to the ClearPass Policy Manager documentation for information on creating the local user. Create a translation rule to map the CPPM role name to the ClearPass Guest operator profile: In ClearPass Guest, go to Administration > Operator Logins > Translation Rules. In the Translation Rules list, choose the profile, then click its Edit link. Edit the fields appropriately to match the CPPM role name to the ClearPass Guest operator profile. See LDAP Translation Rules on page 254. Click Save Changes. External Operator Authentication: Operators defined externally in your company's directory server form the second type of operator. Authentication of the operator is performed using LDAP directory server operations. The attributes stored for an authenticated operator are used to determine what operator profile should be used for that user. The Manage Opera
304. he Enabled row, the Allow Operator Logins check box is selected by default. To disable a profile, unmark the Allow Operator Logins check box. If a profile is disabled, any operators with that profile will be unable to log in to the system. This may be useful when performing system maintenance tasks. 2. In the Operator Privileges area, use the drop-down lists to select the appropriate permissions for this operator profile. [Form: Operator Privileges, each shown set to No Access. Administrator: Select operator permissions for system administration and management tasks. AirGroup Services: Select operator permissions for access to AirGroup services. Guest Manager: Select operator permissions for managing guest users for a network. IP Phone Services: Select operator permissions for IP phone administration and management tasks. Onboard: Select operator permissions for managing Onboard device provisioning. Operator Logins: Select permissions for managing local operator logins. Platform: Select operator permissions for platform administration tasks. SMS Services: Select operator permissions for access to SMS services. SMTP Services: Select operator permissions for SMTP services. Support Services: Select operator permissions for access to support services. Show descriptions.] For each permission, you may grant No Access, Read Onl
305. he Post Authentication area. [Form: Post Authentication: Actions to perform after a successful pre-authentication. Policy Manager: Register the guest's MAC address with ClearPass Policy Manager. If selected, and a ClearPass Policy Manager has been enabled, the username will be linked to the MAC. Advanced: Advanced ClearPass Policy Manager options. Endpoint Attributes: List of name value pairs to pass along (user_field, Endpoint Attribute). Entries shown: username, Username; visitor_name, Visitor Name; cn, Visitor Name; visitor_phone, Visitor Phone. Buttons: Save Changes, Save and Reload.] 3. In the Policy Manager row, mark the check box to register the guest's MAC address with ClearPass Policy Manager. The Advanced row is added to the form. 4. In the Advanced row, mark the check box to enable advanced options in ClearPass Policy Manager. The Endpoint Attributes row is added to the form. 5. In the Endpoint Attributes row, enter name value pairs for the user fields and Endpoint Attributes to be passed. 6. Click Save Changes to complete this configuration and continue with other tasks, or click Save and Reload to proceed to Policy Manager and apply the network settings. Importing MAC Devices: The standard Guest > Import Accounts form supports importing MAC devices. At a minimum, the following two columns are require
306. he certificate should be exported. The following formats are supported: PKCS#7 Certificates (.p7b): Exports the certificate, and optionally the other certificates forming the trust chain for the certificate, as a PKCS#7 container. Base-64 Encoded (.pem): Exports the certificate as a base-64 encoded text file. This is also known as PEM format. You may optionally include the other certificates forming the trust chain for the certificate. Binary Certificate (.crt): Exports the certificate as a binary file. This is also known as DER format. OpenSSL Text Format: Exports the certificate as a full openssl text format output, allowing you to view advanced details such as X509v3 extensions. It also includes the certificate in pem format appended to the txt file. PKCS#12 Certificate & Key (.p12): Exports the certificate and its associated private key, and optionally any other certificates required to establish the trust chain for the certificate, as a PKCS#12 container. This option is only available if the private key for the certificate is available to the server. If you select the PKCS#12 format, you must enter a passphrase to protect the private key stored in the file. NOTE: To protect against brute-force password attacks and ensure the security of the private key, you should use a strong passphrase: one consisting of several words, mixed upper- and lower-case letters, and punctuation or other symbol characters. Click th
307. he default instructions. 2. To enable provisioning Windows devices, mark the check box in the Windows Devices row. 3. In the Code Signing Certificate drop-down list, select a certificate for signing the provisioning application, or leave the default setting of None (Do not sign the application). 4. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 5. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 6. You may use the Insert content item drop-down list to add an image file or other content item. When your entries are complete in this tab, click Save Changes. You can click Next to continue to the next tab, or Previous to return to the previous tab. Configuring Provisioning Settings for Android Devices: To specify provisioning settings related to Android devices: 1. Go to Onboard > Provisioning Settings and click the Android tab. Device Provisioning Settings i G
308. he email will be sent in either plain text or HTML format, depending on the type of print template that was selected. Use the default skin: The skin currently marked as the default skin is used. When sending an email message using HTML formatting, the images and other resources required to display the page will be included in the message. 3. Use the Copies To field to create a list of additional email addresses that are designated to receive copies of the generated email receipts. 4. Choose a value from the Send Copies drop-down list to specify how copies of the email receipts will be sent to the additional email addresses listed in the Copies To field: Do not send copies: The Copies To list is ignored and email is not copied. Always send using 'cc:': The Copies To list is always sent a copy of any guest account receipt (even if no guest account email address is available). Always send using 'bcc:': The Copies To list is always sent a blind copy of any guest account receipt (even if no guest account email address is available). Use 'cc:' if sending to a visitor: If a guest account email address is available, the email addresses in the Copies To list will be copied. Use 'bcc:' if sending to a visitor: If a guest account email address is available, the email addresses in the Copies To list will be blind copied
309. he example network. Show Details, Edit, Disable, Delete. All networks that have been provisioned are included in the list. To view details for a network or to configure a network, click the network's row in the list. The row expands to include the Show Details, Edit, Disable or Enable, and Delete options. Configuring Basic Network Access Settings: 1. To configure the network settings that will be provisioned to devices, click the network's Edit link. To create a new network, click the Create new network link in the upper-right corner. The Network Access form opens with the Access tab displayed. The configuration process is the same for editing an existing network and for creating a new network. The Network Access form is divided into several tabs: Access: Specifies basic network properties, such as the name of the wireless network and the type of security that is used. See Configuring Basic Network Access Settings on page 118. Protocols: Specifies the 802.1X authentication protocols that are used by the network. See Configuring 802.1X Authentication Network Settings on page 120. Authentication: Specifies the type of device authentication to be used for the network. See Configuring Device Authentication Settings on page 121. Trust: Specifies options related
310. he value matches a regular expression supplied as the argument to the validator. The regular expression should be a Perl-compatible regular expression with delimiters. For example, the validator argument /^a/i will match any value that starts with an "a", case-insensitively. See Regular Expressions on page 305 for more information about regular expression syntax. IsValidBool: Checks that the value is a standard Boolean truth value. Valid Boolean values are the integers 0 and 1 and the PHP values false and true. IsValidDateTime: Checks that the value appears to be a valid time specification string according to the rules of the PHP function strtotime(). Valid date/time syntax includes ISO 8601 standard times (YYYY-MM-DD hh:mm:ss) with and without time zone specifications, as well as many other formats. IsValidEmail: Checks that the value appears to be a valid RFC 822-compliant email address. When using the IsValidEmail validator, the validator argument may be specified with a whitelist/blacklist of domain names. Use the syntax: array('allow' => array('corp-domain.com', 'other-domain.com'), 'deny' => array('blocked-domain.com', 'other-blocked-domain.com')). The keys 'whitelist' and 'blacklist' may also be used for 'allow' and 'deny', respectively. An 'allow' or 'deny' value that is a string is converted to a single-element array. Wildcard matching may be used on domain names
311. hentication server is in use. Authentication: Only require a username for authentication. If set, the password field will not be displayed. Only accounts with the Username Authentication flag set on their account can login. Require a Terms and Conditions confirmation: If checked, the user will be forced to accept a Terms and Conditions checkbox. Post Authentication: Actions to perform after a successful pre-authentication. Policy Manager: Register the guest's MAC address with ClearPass Policy Manager. If selected, and a ClearPass Policy Manager has been enabled, the username will be linked to the MAC. Advanced: Advanced ClearPass Policy Manager options. Endpoint Attributes: List of name value pairs to pass along (user_field, Endpoint Attribute). Entries shown: username, Username; visitor_name, Visitor Name; cn, Visitor Name; visitor_phone, Visitor Phone. The login page consists of two separate parts: the login form page, and a login message page. The login form page contains a form prompting for the guest's username and password. The title, header and footer of this page can be customized. If the Provide a custom login form option is selected, then the form must also be provided in either the Header HTML or Footer HTML sections. Login UI: Options controlling the appearance of the NAS login page. Network Login Login Page Title
312. her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts. Accessing Hotspot Manager: To access Dell Networking W-ClearPass Guest's hotspot management features, click the Configuration link in the left navigation, then click Hotspot Manager. [Screenshot: left navigation menu. Hotspot Manager entries: Start Here, Manage Customer Info, Manage Hotspot, Manage Invoice, Manage Plans, Manage Transaction Processors.] About Hotspot Management: The following diagram shows how the process of customer self-provisioning works. Figure 33: Guest self-provisioning. [Diagram: visitors, wireless AP, network, gateway router, Internet, and the ClearPass Guest Visitor Access Management Server Appliance; steps shown: captive portal redirect, Web login page, guest self-registration process, send SMS/email receipt.] Your customer associates to a local access point and is redirected by a captive portal to the login page. Existing customers may log in with their Hotspot username and password to start browsing. New customers click the Hotspot Sign-up link. On page 1, the customer selects one of the Hotsp
313. hidden field if use of the form is considered acceptance of the terms and conditions. This field controls account creation behavior; it is not stored with created visitor accounts. creator_name: String. Name of the creator of the account. This field does not have a default value. See sponsor_name on page 294. do_expire: Integer that specifies the action to take when the expire time of the account is reached. See expire_time on page 289. 0: Account will not expire. 1: Disable. 2: Disable and logout. 3: Delete. 4: Delete and logout. "Disable" indicates that the enabled field will be set to 0, which will prevent further authorizations using this account. "Logout" indicates that a RADIUS Disconnect-Request will be used for all active sessions. auto_update_account, change_of_authorization. Field: Description. do_schedule: Boolean flag indicating if the account should be enabled at schedule_time. Set this field to 0 to disable automatic activation of the account at the activation time. Set this field to 1 and provide a valid time in the schedule_time field to automatically enable the account at the specified activation time. See schedule_time on page 294. dynamic_expire_time: Integer. Time at which the account will expire, calculated according to the account's expiration timers. The value of this field is a UNIX times
314. humbprint of the certificate. Private Key (2048-bit RSA): The type of the private key for this certificate. Details: Show. To export a certificate: 1. Click the Download Bundle link. The Export Certificate form opens. [Form: Export Certificate. Format: PKCS#12 Certificate & Key (.p12); select the file format for the exported item. Trust Chain: Include certificate trust chain; select this option to include the certificates for the CA and any intermediate certificate authorities in the PKCS#12 container. Passphrase: Passphrase to protect the PKCS#12 file. Confirm Passphrase: Re-enter the passphrase. Button: Export Certificate.] 2. In the Format row, choose the certificate format. The form expands to include configuration options for that format. 3. Complete the fields with the appropriate information, then click Export Certificate. Creating a Certificate: From the Certificate Management page, click the Generate a new certificate signing request link to access the Certificate Request form. [Form: Certificate Request Settings. Certificate Type: TLS Client Certificate; select the type of certificate to create from this signing request. Identity: These details are used to create a Distinguished Name for the certificate request.] Country ji Enter the 2 letter ISO country code o
315. iagram showing the interactions between each component of this workflow is shown in Figure 15.

Figure 15: Sequence Diagram for the Onboard Workflow on iOS Platform (participants: iOS Device, Network Infrastructure, ClearPass Onboard, ClearPass Policy Manager; phases: Pre-provisioning, Provisioning, Authenticated)

1. When a BYOD device first joins the provisioning network, it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page.
2. A link on the mobile device provisioning page prompts the user to install the enterprise's root certificate. Installing the enterprise's root certificate enables the user to establish the authenticity of the provisioning server during device provisioning.
3. The user then authenticates with their provisioning credentials; these are typically
316. icate immediately.

Submit Certificate Signing Request

Paste the text into the Certificate Signing Request text field. Be sure to include the complete block of text, including the beginning and ending lines. A complete certificate signing request looks like the following:

[example certificate signing request text block]

Providing a Certificate Signing Request File

Alternatively, if you have the certificate signing request as a file, click the Upload certificate signing request file radio button.

Certificate Signing Request form fields:
  Step 1: Select the format of your certificate signing request.
  Format: Copy and paste certificate signing request as text, or Upload certificate signing request file.
  Step 2: Upload the certificate signing request file here.
  Certificate Signing 5 Br
317. ice. Use a comma separated list (e.g. role1, role2, role3), or blank for all roles.

2. In the Device Name field, enter the name used to identify the device.
3. In the MAC Address field, enter the device's MAC address.
4. In the Shared Locations field, enter the locations where the device can be shared. To allow the device to be shared with all locations, leave this field blank. Each location is entered as a tag=value pair describing the MAC address of the access point (AP) closest to the registered device. Use commas to separate the tag=value pairs in the list. Tag=value pair formats are shown in the following table.

Table 10: Tag=Value Pair Formats
  AP Type          Tag=Value Format
  Group based AP   ap-group=<group>
  FQLN based AP    fqln=<fqln>

• AP FQLNs should be configured in the format <ap name>.<floor>.<building>.<campus>
• Floor names should be in the format floor <number>
• The <ap name> should not include periods
Example: AP105-1.Floor 1.TowerD.Mycompany

5. In the Shared With field, enter the usernames of your organization's staff or students who are allowed to use the device. Use commas to separate usernames in the list.
• If the Share With field is left blank, this device can be accessed by all device
318. ide translated user interface text and messages in various languages.

Standard Plugins list (screenshot; each plugin is shown with its version and status, for example 6.0.0 Enabled, and with Configuration and About links):
• Cisco IP Phone Services: Provides guest account creation services to Cisco IP phones.
• ClearPass Guest Services: Provides guest management and [illegible] integration services for the Policy Manager.
• ClearPass Onboard: Provides secure enrollment and management capabilities for networked devices.
• Deployment Guide: Contains built-in product documentation and context-sensitive help.
• Guest Manager: Create and manage guest users for a network.

The About link displays information about the plugin, including the installation date and update date. The About page for the Kernel plugin also includes links to verify the integrity of all plugin files or perform an application check.

Plugin Information
  Name: ClearPass Guest Services
  Version: 6.0.0 build 22366
  Type: Standard Plugin
  Installed: 26 September 2012
  Last Updated: Not Available
  Configurable: Yes
  Copyright: Copyright © 2012 Aruba Networks Inc

Click a plugin's Configuration link to view or modify its settings. See Configuring Plugins on page 224 for details about the configuration settings.

Configuring Plugins

You can configure most standard kernel and
319. ifiers and see Table 26.

Table 26: Smarty Modifiers
  htmlspecialchars: Escapes characters used in HTML syntax with the equivalent HTML entities (&amp; for &, &lt; for < and &gt; for >).
  nl2br: Replaces newline characters in the value with HTML line breaks (<br>).
  number_format: Formats a numerical value for display; an optional modifier argument may be used to specify the number of decimal places to display (default is 0).
  nwadateformat: Date/time formatting; see nwadateformat Modifier on page 279 for details about this modifier function.
  nwatimeformat: Date/time formatting; see Date/Time Format String Reference on page 281 for details about this modifier function.
  nwamoneyformat: Formats a monetary amount for display purposes; an optional modifier argument may be used to specify the format string. This modifier is equivalent to the NwaMoneyFormat function; see NwaMoneyFormat on page 284 for details.

Predefined Template Functions

Template functions are used to perform different kinds of processing when the template is used. The result of a template function takes the place of the function in the output of the template. Functions are of two kinds: block functions, which have a beginning and ending tag enclosing the text operated on by the function, and template functions, which have just a single tag and do not enclose text. To use a function, enclose the function name
320. iguration > Forms & Views. Click the create_multi row, then click its Edit Fields link. The Customize Form Fields view opens, showing a list of the fields included in the Create Multiple Guest Accounts form and their descriptions. At this point, the Password field is not listed because the Create Multiple Guest Accounts form (create_multi) has not yet been customized to include it. You will create it for the form in the next step.
2. Click on any field in the list to expand a row, then click the Insert After link (you can modify this placement later). The Customize Form Field form opens.
3. In the Field Name row, choose password from the drop-down list. The form displays configuration options for this field.

Customize Form Field form fields:
  Field Name: password. Select the field definition to attach to the form.
  Form Display Properties: These properties control the user interface displayed for this field.
  Field: Enable this field. When checked, the field will be included as part of the form.
  Rank: Number indicating the relative ordering of user interface fields, which are displayed in order of increasing rank.
  User Interface: Password text field. The kind of user interface element to use when entering or editing this field.
  Label: Visitor Password. Label for this field to display on the form.

4. In the Field row, mark the Enable this field check box.
5. To adjust the placement of the passwo
321. iguration > Hotspot Manager > Manage Hotspot Sign Up, then click the Customize page 1 (Choose Plan) link in the upper right corner. The Edit Hotspot Plan Selection Page form opens. You can use this form to edit the title, introductory text and footer of the Choose Plan page. The introduction and the footer are HTML text that can use template syntax. See Smarty Template Syntax on page 264 in the Reference chapter.

Choose Plan Page form fields:
  Title: Title of this page.
  Introductory HTML: This text is displayed at the top of the page, before the list of Hotspot plans. (The example content shown is a "Hotspot Sign Up" heading with a Step 1 image, followed by the text "Welcome to the Hotspot Sign Up. Get connected to the Internet without wires in just three easy steps.")
  Footer HTML: This text is displayed at the bottom of the page, after the list of Hotspot plans.
  Options: Override standard form. If checked, the standard form on this page will not be included when the page is generated. Note: this option is recommended for advanced users only.

Customizing Visitor Sign Up Page Two

Page two of the guest self-provisioning process asks the guest t
322. imum usage allowed for the account, choose an option from the Total Allowed Usage drop-down list. You may set the total usage to one or two hours, add one or two hours to the existing setting, or subtract one or two hours from the existing setting.
You can use the Account Role drop-down list to change the visitor's assigned role.
6. (Optional) In the Notes row, you may enter additional information. To commit your changes, click Update MAC.

Viewing Current Sessions for a Device

To view any sessions that are currently active for a device, click the Sessions link in the device's row on the Guest Manager Devices form. The Active Sessions list opens. For more information, see Active Sessions Management on page 59.

Viewing and Printing Device Details

To print details, receipts, confirmations, or other information for a device, click the device's row in the Guest Manager Devices list, then click its Print link. The row expands to include the Account Details form and a drop-down list of information that can be printed for the device.

Account Details form (screenshot): shows the Guest username, Account role, Account status and Sponsor name, with an "Open print window using template" drop-down list offering Account List, Download Receipt, GuestManager Receipt, One account per page, SMS Receipt, Sponsorship Confirmation, and Two-column scratch cards.

Choosing an option in the Open print
323. in curly braces and provide any attributes that may be required for the function. Block functions also require a closing tag.

dump

  {dump var=$value}

Smarty registered template function. Displays the value of a variable. Use the following Smarty syntax to print a variable's contents:

  {dump var=$var_to_dump export=html}

The contents of the variable are printed in a <pre> block. Use the attribute export=1 to use PHP's var_export() format, or omit this attribute to get the default behavior (PHP's var_dump() format). Use the attribute html=1 to escape any HTML special characters in the content. This can also be done with the attribute export=html, and is recommended for use in most situations, so that any embedded HTML is not interpreted by the browser.

nwa_commandlink

  {nwa_commandlink} ... {/nwa_commandlink}

Smarty registered block function. Generates a command link, consisting of an icon, main text and explanatory text. Command links are block elements and are roughly the equivalent of a form button. A command link is typically used to represent a choice the user should make to proceed. The command link contains an icon, command text that sums up the action taken by the command link, and any explanatory text needed for the command.

Usage example: nwa_commandlink icon images command Command Link linkwidth 400 comm
324. ined by the administrator. This value may be specified in the OCSP URL field.

3. In the Unsupported Device text box, enter instructions to be displayed to the user if they attempt to provision an unsupported device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the following default text will be displayed: "Your operating system is not supported. Please contact your network administrator."
4. In the Authorization area of the form, enter a number in the Maximum Devices field to limit the maximum number of devices that each user may provision. Devices are recognized as unique when they have a different MAC address, or a different device identifier when the MAC address is not available.
5. When your entries are complete in this tab, click Save Changes. You can click Next to continue to the next tab.

Configuring Provisioning Settings for iOS and OS X

To specify provisioning settings related to iOS and OS X devices:
1. Go to Onboard > Provisioning Settings and click the iOS & OS X tab.

Device Provisioning Settings form (tabs: General, iOS & OS X, Legacy OS X, Windows, Android, Onboard Client)
  iOS & OS X Provisioning: These options control Apple iOS (iPad, iPod, iPhone) and OS X (Lion or later) device provisioning.
  Enable iOS and O
325. ing Operator Credentials 175
Editing Registration Page Properties 176
Editing the Default Self-Registration Form Settings 177
Creating a Single Password for Multiple Accounts 177
Editing Guest Receipt Page Properties 178
Editing Receipt Actions 178
Enabling Sponsor Confirmation for Role Selection 179
Editing Download and Print Actions for Guest Receipt Delivery 181
Editing Email Delivery of Guest Receipts 181
Editing SMS Delivery of Guest Receipts 182
Enabling and Editing NAS Login Properties 183
Editing Login Page Properties 184
Self-Service Portal Properties 186
Resetting Passwords with the Self-Service Portal
326. ing Personal Devices

This functionality is available to AirGroup operators. To register your personal devices and define a group who can share them:

1. Log in as the AirGroup operator and go to Guest > Create Device. The Register Device form opens.

Register Device form fields:
  Your Name: Name of the person sponsoring this visitor account.
  Device Name: Enter a name to identify your device.
  MAC Address: Enter the MAC address of the device.
  Shared With: Enter up to 10 usernames that will be able to use this device. Use a comma separated list (e.g. user1, user2, user3), or blank for all users.

2. In the Your Name field, enter your username for your organization.
3. In the Device Name field, enter the name used to identify the device.
4. In the MAC Address field, enter the device's MAC address.
5. In the Shared With field, enter the usernames of your friends or colleagues who are allowed to use the device. Use commas to separate usernames in the list. You may enter up to ten usernames.
• If the Shared With field is left blank, this device can only be accessed by devices registered by the same operator or with a dot1x username that matches the operator's name.
• If users are entered in the Shared With field, the device can be accessed by the device owner and by the specified users.
6. Click Register Device
327. 6. To set the account's expiration time, choose one of the options in the Account Expiration drop-down list. You may set the account to never expire, or to expire at a preset interval of hours or days, or at a specified time.

Account Expiration drop-down list options: Account will not expire; Tonight; Friday night; 1 hour from now; 1 day from now; 1 week from now; Account expires after; Account expires at specified time.

• If you choose any time in the future, the Expire Action row is added to the form. Use this drop-down list to indicate the expiration action for the account: either delete, delete and log out, disable, or disable and log out. The action will be applied at the time set in the Account Expiration row.
• If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list. The maximum is two weeks.
• If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.

7. Use the Account Role drop-down list to assign the visitor's role.
8. In the Terms of Use row, first click the terms of use link and read the agreement, then mark the check box to agree to the terms
328. ing field is being represented on the form. The remainder of the form field editor is split into three sections:
• Form Display Properties
• Form Validation Properties
• Advanced Properties
See Form Display Properties on page 153 for detailed descriptions of these form sections.

Form Display Properties

Form Display Properties form fields (these properties control the user interface displayed for this field):
  Field: Enable this field. When checked, the field will be included as part of the form.
  Rank: 20. Number indicating the relative ordering of user interface fields, which are displayed in order of increasing rank.
  User Interface: Text field. The kind of user interface element to use when entering or editing this field.
  Label: Visitor's Name. Label for this field to display on the form.
  Description: Name of the visitor. Descriptive text for this field, displayed with the user interface element.
  CSS Class: Optional CSS class name to apply to this form field.
  CSS Style: width: 240px. Optional CSS style text to apply to this form field.
  Label After: Text to display after the user interface element.

The form display properties control the user interface that this field will have. Different options are available in this section, depending on the selection you make in the User Interface drop-down list. The available user interface elements are listed below, together with an example of each
329. ing provided by a NAS on behalf of an authorized client. While a session is in progress, the NAS sends interim accounting update messages to the RADIUS server. This maintains up-to-date traffic statistics and keeps the session active. The frequency of the accounting update messages is configurable in the RADIUS server.
• Stale: If an accounting stop message is never sent for a session (for example, if the visitor does not log out), that session will remain open. After 24 hours without an accounting update indicating session traffic, the session is considered stale and is not counted towards the active sessions limit for a visitor account. To ensure that accounting statistics are correct, you should check the list for stale sessions and close them.
• Closed: A session ends when the visitor logs out or if the session is disconnected. When a session is explicitly ended in either of these ways, the NAS sends an accounting stop message to the RADIUS server. This closes the session. No further accounting updates are possible for a closed session.

RFC 3576 Dynamic Authorization

Dynamic authorization describes the ability to make changes to a visitor account's session while it is in progress. This includes disconnecting a session or updating some aspect of the authorization for the session. The Active Sessions page provides two dynamic authorization capabilities
330. ing the account.
  Confirm: Re-enter the account password.
  Sync Settings: These options configure mail synchronization.
  Days of Mail: 3 days. The number of past days of mail to synchronize.

In the Sync Settings group, choose one of the following options from the Days of Mail drop-down list:
• No Limit
• 1 day
• 3 days
• 1 week
• 2 weeks
• 1 month

Click the Save Changes button to save the Exchange ActiveSync profile and return to the main Onboard configuration user interface.

Configuring an iOS Device Passcode Policy

To make changes to the Passcode Policy configuration that will be sent to a device, go to Onboard > Passcode Policy, or click the Passcode Policy command link. The Passcode Policy Settings page opens.

Passcode Policy Settings: Configure the Passcode Policy that will be provisioned to devices.

This page is used to configure a passcode policy that is applied to iOS devices when provisioned. Typically, you would enable this policy when provisioning a corporate-owned device, or if you are allowing a user to access sensitive information remotely.

NOTE: Onboard Passcode Policy settings can only be used with iOS 4 and iOS 5 devices. Other platforms are not supported.

Passcode Policy Settings form fields:
  Enable: Enable passcode policy. If set, then the settings below will be applied to devices when provisioned. For
331. ink or one of the Title, Header, or Footer fields for the Register Page.

Figure 29: Customize Guest Registration, Register Page
  Register Page UI: Options controlling the appearance of the guest registration page.
  Title: Guest Registration. The title to display on the guest registration page.
  Header HTML: HTML template code displayed before the guest registration form.
  Footer HTML: HTML template code displayed after the guest registration form.
  Override Form: Do not include guest registration form contents. Select this option if you want to replace the HTML of the form.

Template code for the title, header, and footer may be specified. See Smarty Template Syntax on page 264 for details on the template code that may be inserted.

Select the Do not include guest registration form contents check box to override the normal behavior of the registration page, which is to display the registration form between the header and footer templates.

Click the Save and Reload button to update the self-registration page and launch or refresh a second browser window to sho
332. installation is complete or at a later time.

To manage your applications:
1. Go to Onboard > Applications. The Applications form opens.

Applications form:
  Windows Applications: Options for installing applications on Windows devices.
  Installers: ClearPassOnGuardInstall.exe (ClearPass OnGuard installer for Windows), with Install application and Requires restart check boxes. Select the applications that are to be installed when a Windows device is provisioned.

2. To upload applications, click the Content Manager link above the form.
3. To select applications to install, mark their check boxes, then click Save Changes.

Configuring the User Interface for Device Provisioning

The user interface for device provisioning can be customized in three different ways:
• Customizing the Web login page used for device provisioning. All devices will reach the device provisioning Web login page as the first step of the provisioning process. See Customizing the Device Provisioning Web Login Page on page 79 to make changes to the content or formatting of this page.
• Customizing the properties of the device provisioning profile for iOS and OS X devices. After starting the provisioning process, users of iOS and OS X are prompted to accept a configuration profile. See Configuring Provisioning Set
333. ion
• Test device provisioning. Verify that each type of device can be provisioned successfully. Verify that each type of device can join the provisioned network and is authenticated successfully.
• Test device revocation. Revoke a device's certificate. Verify that the device is no longer able to authenticate. Verify that re-provisioning the device fails.

Onboard Feature List

The following features are available in Dell Networking W-ClearPass Onboard.

Table 13: Onboard Features
• Configure wired networks using 802.1X
• Configure Wi-Fi networks using either 802.1X or pre-shared key (PSK)
• Configure trusted server certificates for 802.1X
• Configure Windows-specific networking settings
• Automatic configuration of network settings for wired and wireless endpoints
• Configure HTTP proxy settings for client devices (Android, OS X only)
• Configure EAP-TLS and PEAP-MSCHAPv2 without user interaction
• Revoke unique device credentials to prevent network access
• Secure provisioning of unique device credentials for BYOD and IT-managed devices
• Support for Windows, Mac OS X, iOS and Android devices
• Leverage ClearPass Profiling to identify device type, manufacturer
• Control the user interface displayed during device provisioning
• Root and intermediate CA modes of operation
• Supports SCEP enrollment of certificates
• Support
334. ion before the form processing. A comparison of these two approaches is shown below to illustrate the difference.

Approach 1 (conversion before validation):
  Form Field UI: 2008-01-01 00:00
  Conversion: NwaConvertOptionalDateTime (result: 1199145600)
  Validator: IsValidFutureTimestamp
  If valid, Value Formatter: None (result: 1199145600)
  Form Processing

Approach 2 (conversion after validation):
  Form Field UI: 2008-01-01 00:00
  Conversion: None (result: 2008-01-01 00:00)
  Validator: IsValidFutureDateTime
  If valid, Value Formatter: NwaConvertOptionalDateTime (result: 1199145600)
  Form Processing

When using a Conversion or Value Format function, you will almost always have to set up a Display Function for the form field. This function is used to perform the conversion in the reverse direction, between the internal stored value and the value displayed in the form field.

See Form Field Conversion Functions on page 301 for a detailed list of the options available to you for the Conversion and Value Format functions.

The Display Param is the name of a form field, the value of which will be passed to the Display Function. In almost all cases, this option should contain the name of the form field. Display Arguments are available for use with a form field and are used to control the conversion process. In the case of the expire_time form field, the Display Function is set to NwaDateFormat to perform a conversion
335. ion of the plan. This will be displayed with the Hotspot plan's name.

Hotspot plan form fields:
  Description: 128 kbit/sec Internet access. A brief description of the plan. This will be displayed on the customer's invoice along with the Hotspot plan's name.
  Enabled: Hotspot plan enabled. Enabled plans are shown to customers and may be selected for purchase.

User Account Details: A user account is created for each Hotspot customer. Use these options to control how user accounts are created.
  Generated Username: Format picture (see below) describing the usernames that will be created for customers. Leave blank to use the customer's email address as the username.
  Generated Password: Format picture (see below) describing the passwords that will be created for customers. Leave blank to use the password specified on the customer information form. This may require adding the password field to the customer info form.
  Role: The role to assign to accounts that will be created for this plan.

Time & Cost: Hotspot plans are purchased in units. Use these options to control the time and cost of each unit.
  Unit Cost: The cost to purchase a single unit of this plan. Enter 0 to create a free access plan.
  Minimum Units: Minimum number of units that may be purchased.
  Maximum Units: Maximum number of units that may be purchased.

Enter the Minimum Units value to hide the quantity option
336. ion when the field must have a certain value that cannot be overridden by a user.
  Pre-Registration: Field was not pre-registered. Pre-Registration applies for accounts that have been created prior to registration. A field requiring a match will be searched in the account list. If a single match is found, the registration can continue.
  Javascript conditional expression for this field's enabled property. The expression f value returns the in-form value of field f.
  Javascript conditional expression for this field's visibility. The expression f value returns the in-form value of field f.

The Advanced Properties control certain optional form processing behaviors. You can also specify JavaScript expressions to build dynamic forms similar to those found elsewhere in the application.

On the Customize Form Fields page, select the Show advanced properties check box to display the advanced properties in the form field editor.

The Conversion, Value Format, and Display Function options can be used to enable certain form processing behavior. See Form Field Conversion Functions on page 301 and Form Field Display Formatting Functions on page 301.

In the Force Value row, use the Always use initial value on form submit check box to prevent attempts to override the value set for a field. When this option is set, if a user modifies the field's value, it reverts to the specified initial value when the form is submitted. A simi
337. ionid argument is supplied, sessions that match that Calling-Station-Id are excluded from the count of active sessions.

GetUserActiveSessionCount

  GetUserActiveSessionCount($username)

Counts the number of currently active sessions for the current username. The username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute).

GetUserCumulativeUsage

  GetUserCumulativeUsage($username)

Looks up the total cumulative time for the username. The username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute).

GetUserCurrentSession

  GetUserCurrentSession($username)

Looks up the current (most recent) active session for the specified username. See GetCurrentSession on page 271 for details of the return value.

GetUserFirstLoginTime

  GetUserFirstLoginTime($username)

Looks up the first login time for the specified username. The username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute).

GetUserSessions

  GetUserSessions($username, $from_time, $to_time = null)

Calculate the number of sessions for accounting records matching a specific user name. The username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute). See GetTraffic on page 274 for details on how to specify the time interval.

GetUserTime
338. ions are available, the Page Properties area is included on the Edit Properties form.

Duplicating Forms and Views

You can make a copy of a form or view to use as a template in order to provide different forms and views to different operator profiles. See Role Based Access Control for Multiple Operator Profiles on page 242 for a description. This enables you to provide different views of the underlying visitor accounts in the database, depending on the operator's profile.

To make a copy of the form or view, go to Configuration > Forms & Views, click the form's or view's row in the list, then click its Duplicate link. The copy is added to the Forms and Views list. The name of the duplicated form or view is the same as the original, with a number appended. This name cannot be changed. Use the Title and Description properties of the duplicated item to describe the intended purpose for the form or view.

Click the Show Usage link for a duplicated form or view to see the operator profiles that are referencing it.

Click the Delete link for a duplicated form or view to remove the copy. A duplicated item cannot be removed if it is referenced by an operator login account or an operator profile.

Editing Forms

To add a new field to a form, reorder the fields, or make changes to an existing field, go to Configuration > Forms & Views, click
339. is device. This is typically a 64-bit, 128-bit or 160-bit number represented in hexadecimal (16, 32 or 40 characters). Name: Device UDID. Object Identifier: mdpsDeviceUdid (.2).

Name: MAC Address. Object Identifier: mdpsMacAddress (.5). Description: IEEE MAC address of this device. This element may be present multiple times if a device has more than one MAC address (for example, an Ethernet port and a Wi-Fi adapter).

Name: Product Name. Object Identifier: mdpsProductName (.6). Description: Product string identifying the device and often including the hardware version information.

Name: Product Version. Object Identifier: mdpsProductVersion (.7). Description: String containing the software version number for the device.

Name: User Name. Object Identifier: mdpsUserName (.8). Description: String containing the username of the user who provisioned the device.

Note: These OIDs are relative to the ClearPass Guest base OID, which is 1.3.6.1.4.1.14823.1.5.1.

Configuring Revocation Checks and Authorization
To specify automatic certificate revocation checks and to configure device authorization:
1. Go to Onboard > Provisioning Settings, click the General tab, and scroll to the Authority Info Access row.

Authority Info Access: Include OCSP Responder URL. Select the information about the certificate authority to include in the client certificate. Note that when an OCSP URL is provided, clients may need to access this URL in order to determine if the certificate is still v
340. is number of days, the user is forced to change the passcode before the device is unlocked.

Min Complex Chars: Specifies the minimum number of complex characters that a passcode must contain. A complex character is a character other than a number or a letter, such as &.

Max Grace Period: 4 Hours. The maximum grace period in minutes to unlock the device without entering a passcode. Note: This is the maximum allowed; the user may still set a value lower than this.

Min Length: Specifies the minimum number of characters that a passcode must contain.

PIN History: When the user changes the passcode, it has to be unique within the last N entries in the history.

To enable the passcode policy on all iOS devices, mark the Enable passcode policy check box and configure the remaining options according to your enterprise's security requirements. Click the Save Changes button to save the passcode policy settings and return to the main Onboard configuration user interface.

Resetting Onboard Certificates and Configuration
To delete certificates, re-create the Onboard Web login page, or reset configuration to factory default settings, go to Onboard > Reset to Factory Defaults, or click the Reset to Factory Defaults command link. The Reset to Factory Defaults page opens.

Reset to Factory Defaults: Delete certificates and configuration for Onboard. This pa
341. is password from being logged by unselecting this check box.

• Password Display: Select the View guest account passwords option to enable the display of visitor account passwords in the user list. To reveal passwords, the password field must be added to the guest_users or guest_edit view, and the operator profile in use must also have the View Passwords privilege.

• Initial Sequence: This field contains the next available sequence number for each username prefix that has been used. Automatic sequence numbering is used when the value of the multi_initial_sequence field is set to 1. The username prefix is taken from the multi_prefix field when usernames are automatically generated using the nwa_sequence method. You can edit the values stored here to change the next sequence numbers that will be used. This is an automatically managed field; in most situations there is no need to edit it.

• Receipt Printing: Select the Require click to print option to change the behavior of the receipt page. When this option is not selected, the default behavior is to provide a drop-down list of print templates ("Open print window using template") and to open a new window when one is selected. When Require click to print is selected, the receipt page provides a drop-down list of print templates and a Print link that must be clicked to display the account receipt.
342. is text is displayed at the top of the page, before the form for the user's details.

Footer HTML: This text is displayed at the bottom of the page, after the form for the user's details. The sample content is a note ending "provide you with wireless network service. Your personal details are kept strictly confidential at all times." followed by a "Read our privacy policy" link.

Transaction Header HTML: When a transaction is in progress, this text is displayed at the top of the page, before the progress notification area. The sample content is a "Hotspot Sign Up" heading with the "Step 2" image, followed by "Please wait while your transaction is being processed."

Transaction Footer HTML: When a transaction is in progress, this text is displayed at the bottom of the page, after the progress notification area.

Options: Override standard form. If checked, the standard form on this page will not be included when the page is generated. Note: this option is recommended for advanced users only.

Click Save Changes to save the page.

See Smarty Template Syntax on page 264 for details about the template syntax you may use to format the content on this
343. is username is next used for authentication, it will not be recognized as valid, and the device will be denied access.

NOTE: OCSP and CRL are not used when using PEAP unique device credentials. The ClearPass Onboard server automatically updates the status of the username when the device's client certificate is revoked.

Re-Provisioning a Device
Because "bring your own" devices are not under the complete control of the network administrator, it is possible for unexpected configuration changes to occur on a provisioned device. For example, the user may delete the configuration profile containing the settings for the provisioned network, instruct the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all the configuration on the device.

When these events occur, the user will not be able to access the provisioned network and will need to re-provision their device. The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action (such as connecting to the appropriate network). If this is not possible, the user may choose to restart the provisioning process and re-provision the device.

Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these credentials are still valid
344. is view.

Use the Edit Base Field link to make changes to an existing field definition. Any changes made to the field using this editor will apply to all views that are using this field (except where the view field has already been modified to be different from the underlying field definition).

The Insert Before and Insert After links can be used to add a new column to the view. Clicking one of these links will open a blank view field editor and automatically set the rank number of the new column.

Use the Enable Field and Disable Field links to quickly turn the display of a column on or off.

Click the Add Field tab to add a new column to the view.

View Field Editor
The view field editor is used to control the data display aspects of a column within the view.

View Field Editor form (example values):
• Field Name: role_name. Select the field definition to display in the view.
• Field: Enable this field. When checked, the field will be included as part of the view.
• Rank: 60. Number indicating the relative ordering of fields, which are displayed in order of increasing rank.
• Advanced: Advanced view options. When checked, you will be able to override the default view options.
• Default Title: Role
• Default Type: static_options
• Default Width: 120px
• Default Format: Field Value
• Default Search: Off
• Save Changes

Each column in a view displays
345. isplays the active sessions for a guest account. See Active Sessions Management on page 59 in this chapter for details about managing active sessions.

• Print: Displays the guest account's receipt and the delivery options for the receipt. For security reasons, the guest's password is not displayed on this receipt. To recover a forgotten or lost guest account password, use the Reset password link.

Managing Multiple Guest Accounts
Use the Edit Accounts list view to work with multiple guest accounts. This view may be accessed by clicking the Edit Multiple Guest Accounts command link ("View a list of all current guest accounts. You can modify and remove one or more user accounts here.").

This view (guest_multi) may be customized by adding new fields, or by modifying or removing the existing fields. See Customizing Self Provisioned Access on page 171 for details about this customization process. The default settings for this view are described below.

[Screenshot: Edit Accounts list view with Quick Help, Create, Delete, Edit, Results, SMS and More Options tabs, a Filter box that searches all fields configured for quick search, selection controls (This Page, All Matching, None), and Username, Activation and Expiration columns.]
346. ith respect to infringement of copyright on behalf of those vendors.

Contents
About this Guide 13
Audience 13
[illegible entry] 13
Contacting Support 14
Dell Networking W-ClearPass Guest Overview 15
About Dell Networking W-ClearPass Guest 15
Visitor Access Scenarios 16
Reference Network Diagram 16
Key Interactions 17
AAA Framework 18
Key Features 19
Visitor Management Terminology 20
ClearPass Guest Deployment Process
347. ities to convert the array value to and from a string when using this user interface type. To store a comma-separated list of the selected values, enable the Advanced options, select NwaImplodeComma for Conversion, select NwaExplodeComma for Display Function, and enter the field's name for Display Param.

The "Vertical" and "Horizontal" layout styles control whether the check boxes are organized in top-to-bottom or left-to-right order. The default is "Vertical" if not specified. When using these options, you may also specify the desired number of columns or rows to adjust the layout appropriately.

Form field editor for the Checklist type (example values):
• User Interface: Checklist. The kind of user interface element to use when entering or editing this field.
• Label: Sample Field. Label for this field to display on the form.
• Description: This is a sample field. Descriptive text for this field, displayed with the user interface element.
• CSS Class: Optional CSS class name to apply to this form field.
• CSS Style: Optional CSS style text to apply to this form field.
• Legend: Select Options. Optional title for the checkbox or radio button group.
• Options Generator: (Use options). The function used to generate the list of available options.
• Options: one | Option One, two | Option Two, three | Option Three. List of options available. Enter one or more
348. Your Details

[Screenshot: Hotspot Sign Up, step 2. "To create your wireless account, please enter your details below. You have selected: Free Access (change)". The Your Personal Details form has the fields First Name, Last Name, Company Name, Zip, Phone Number, Email Address and Confirm ("I accept the terms of use"), and a Create Account button.]

To customize how the Your Details page is displayed to the guest, go to Configuration > Hotspot Manager > Manage Hotspot Sign Up, then click the Customize page 2 (Customer Details) link in the upper-right corner. The Edit Hotspot User Details Page form opens. You can use this form to edit the content displayed when the customer enters their personal details, including credit card information if purchasing access. The progress of the user's transaction is also shown on this page.

Edit Page form (example values):
• Title: Your Details. Title of this page.
• Introductory HTML: sample content is a "Hotspot Sign Up" heading with the "Step 2" image, followed by "To create your wireless account, please enter your details below." Th
349. l Form Auto Complete

1. To change the application's title, enter the new name in the Application Title field (for example, your company name) to display that text as the title of your Web application. Click Save Configuration.
2. The Kernel plugin's Debug Level and Application URL options should not be modified unless you are instructed to do so by Dell support.
3. To turn off autocomplete on forms, mark the check box in the Form Auto Complete row. This disables credentials caching.
4. To restore the plugin's configuration to the original settings, click the Restore default configuration link below the form. A message alerts you that the change cannot be undone, and a comparison of the current and default settings highlights the changes that will be made.
5. Review the differences between the current settings and the default configuration. To commit the change to the default settings, click the Restore Default Configuration link.

Plugin Information
• Name: Kernel
• Version: 6.0.0 build 22363
• Type: Kernel Plugin
• Installed: 26 September 2012
• Last Updated: Not Available
• Configurable: Yes
• Copyright: Copyright © 2010 amigopod Pty Ltd

Configuring the Dell W-ClearPass Skin Plugin
A Web application's skin determines its visual style: the colors, menus, and graphics. You can use either the standard Dell ClearPass skin pl
350. l receipts will be sent to the visitor only if the check box has been selected. Alternatively, to always send an SMTP receipt, this field can be set to a value of 1 using a hidden field.

smtp_auto_send_field: String. This field specifies the name of the field that contains the auto-send flag. If blank or unset, the default value from the email receipt configuration is used. Additionally, the special values "_Disabled" and "_Enabled" may be used to never send email or always send email, respectively.

smtp_cc_action: String. This field specifies how to send copies of email receipts. It may be one of "never", "always_cc", "always_bcc", "conditional_cc", or "conditional_bcc". If blank or unset, the default value from the email receipt configuration is used.

smtp_cc_list: String. This field specifies a list of additional email addresses that will receive a copy of the visitor account receipt. If the value is "default", the default carbon-copy list from the email receipt configuration is used.

smtp_email_field: String. This field specifies the name of the field that contains the visitor's email address. If blank or unset, the default value from the email receipt configuration is used. Additionally, the special value "_None" indicates that the visitor should not be sent any email.

smtp_enabled, smtp_receipt_format, smtp_subject, smtp_template_id, smtp_warn_befor
351. l be invalidated, because the intermediate certificate's distinguished name has changed. In this case, you should use the Reset to Factory Defaults form (see Resetting Onboard Certificates and Configuration on page 130) to delete all client certificates and re-provision all devices. You will also need to reissue any server or subordinate CA certificates.

To avoid the complication of revoking and reissuing certificates, it is recommended that you configure the certificate authority before any device provisioning or other configuration is done.

Intermediate Certificate Settings form (example values):

Identity: These details are used to create a Distinguished Name for the certificate authority.
• Country: US. Enter the 2-letter ISO country code of your country.
• State: California. Enter the full name of your state or province.
• Locality: Sunnyvale. Enter the name of your locality (town or city).
• Organization: Aruba Networks. Enter the name of your organization or company.
• Organizational Unit: Enter the name of your organizational unit (e.g. section or division of the company).
• Common Name: ClearPass Onboard Local Certificate Authority. Enter a name for the certificate authority. This is the "common name" of the digital certificate.
• Email Address: Enter an email address.

Private Key: These options are u
352. role_id: This field is the role to assign to the visitor account and may be specified directly. If this field is not specified, then determine the role ID from the role_name field. If no valid role ID is able to be determined, the visitor account is not created.

simultaneous_use: This field determines the maximum number of concurrent sessions allowed for the visitor account. If this field is not specified, the default value from the GuestManager configuration is used.

random_username_method: The method used to generate a random account username. If not specified, the default value from the GuestManager configuration is used.

random_username_length: The length, in characters, of random account usernames. If not specified, the default value from the GuestManager configuration is used.

random_password_method: The method used to generate a random account password. If not specified, the default value from the GuestManager configuration is used.

random_password_length: The length, in characters, of random account passwords. If not specified, the default value from the GuestManager configuration is used.

Visitor Account Activation Properties

enabled: This field determines if the account is enabled or disabled; if not specified, the default is 1 (account is enabled).

do_schedule, modify_schedule_time, schedule_after and schedule_time: These fi
353. lable are listed below.

• NwaConvertOptionalDateTime: Converts a string representation of a time to the UNIX time representation (integer value). The conversion leaves blank values unmodified.
• NwaConvertOptionalInt: Converts a string representation of an integer to the equivalent integer value. The conversion leaves blank values unmodified.
• NwaConvertStringToOptions: Converts a multi-line string representation of the form "key1 | value1", "key2 | value2" to the array representation array(key1 => value1, key2 => value2).
• NwaImplodeComma: Converts an array to a string by joining all of the array values with a comma.
• NwaTrim: Removes leading and trailing whitespace from a string value.
• NwaTrimAll: Removes all whitespace from a string (including embedded spaces, newlines, carriage returns, tabs, etc.).
• NwaStrToUpper: Formats the text string to all uppercase letters.
• NwaStrToLower: Formats the text string to all lowercase letters.
• NwaNormalizePhoneNumber: Removes all spaces, dashes, parentheses, and non-numerical characters from the phone number.

Form Field Display Formatting Functions
The Display Functions that are available are listed below.

Table 39: Form Field Display Functions (columns: Function, Description)

Formats a Boolean value as a string. If the argument is 0 or 1, a 0 or 1 is returned for false and true, respectively. If the argument is a string containing a character the st
354. laced with a random punctuation symbol.
• The ampersand symbol (&) is replaced with a random character (letter, digit, or punctuation symbol).
• All other characters are used without modification.

For more information, see Format Picture String Symbols on page 297.

5. Complete the rest of the fields appropriately for your organization's needs, then click Create Plan or Edit Plan. The Manage Hotspot Plans list opens with the new plan displayed.

Managing Transaction Processors
Your hotspot plan must also identify the transaction processing gateway used to process credit card payments. Dell Networking W-ClearPass Guest supports plugins for the following transaction processing gateways:
• Authorize.Net AIM
• CyberSource
• eWAY
• Netregistry
• Paypal
• WorldPay

ClearPass Guest also includes a Demo transaction processor that you can use to create hotspot forms and test hotspot transactions.

Creating a New Transaction Processor
To define a new transaction processor:
1. Go to Configuration > Hotspot Manager, click Manage Transaction Processors, then select Create new transaction processor.

Transaction Processor Configuration form (example values):
• Name: exampleTransactionProcessor. Enter a name for this transaction processor.
• Demo Transaction Services: Processing G
355. lar effect can be achieved by using appropriate validation rules, but selecting this check box is easier. Using this option is recommended for hidden fields, particularly those related to security, such as role ID or expiration date.

For pre-registered guest accounts, some fields may be completed during pre-registration and some fields may be left for the guest to complete at registration. You can use the Pre-Registration field to specify whether the guest's entry must match the preliminary value provided for a field during pre-registration.

• If a value was not provided for a field when the account was created, choose Field was not pre-registered from the drop-down list.
• If a preliminary value was provided for the field, but the guest's entered value does not need to match case or all characters, choose Guest must supply field from the drop-down list. For example, a bulk account creation might use random usernames, and each visitor's entry in that field would not need to match exactly.
• If a preliminary value was provided for the field, and the guest's entered value must match case or all characters, choose Guest must supply field (match case) from the drop-down list. If the guest's entry does not successfully match the pre-registered value, the account registration will not succeed. For example, if a list of email addresses and phone
356. ld. The check box label can be specified using HTML. If the check box is selected, the field is submitted with its value set to the check box value (default and recommended value 1). If the check box is not selected, the field is not submitted with the form.

Form field editor for the Checkbox type (example values):
• User Interface: Checkbox. The kind of user interface element to use when entering or editing this field.
• Label: Sample Field. Label for this field to display on the form.
• Description: This is a sample field. Descriptive text for this field, displayed with the user interface element.
• CSS Class: Optional CSS class name to apply to this form field.
• CSS Style: Optional CSS style text to apply to this form field.
• HTML: Checkbox in <em>HTML</em>. HTML text to display next to the checkbox as its clickable label.
• Checkbox Value: Optional value to use for a checked checkbox (the default is 1).

• Checklist: A list of check boxes is displayed, as shown below.

[Screenshot: Sample Field rendered as a check box group with the legend "Select Options", the choices Option One, Option Two and Option Three, and the description "This is a sample field".]

The text displayed for each check box is the value from the options list. Zero or more check boxes may be selected. This user interface type submits an array of values containing the option key values of each selected check box. Because an array value may not be stored directly in a custom field, you should use the conversion and value formatting facil
357. ld is displayed as a group of radio buttons, allowing one to be selected, as shown below.

[Screenshot: Sample Field rendered as a radio button group with the choices Option One, Option Two and Option Three, and the description "This is a sample field".]

The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field.

Form field editor for the Radio buttons type (example values):
• User Interface: Radio buttons. The kind of user interface element to use when entering or editing this field.
• Label: Sample Field. Label for this field to display on the form.
• Description: This is a sample field. Descriptive text for this field, displayed with the user interface element.
• CSS Class: Optional CSS class name to apply to this form field.
• CSS Style: Optional CSS style text to apply to this form field.
• Legend: Select Options. Optional title for the checkbox or radio button group.
• No Changes: Add "No changes". Select if you want the list to insert a "No changes" option to the default set.
• Options Generator: (Use options). The function used to generate the list of available options.
• Options: one | Option One, two | Option Two, three | Option Three. List of options available. Enter one or more lines containing key/value pairs, where the key and value are separated with a vertical bar.
• Sort: No sorting. Method to use to sort the available options.
358. ld may be set to a non-zero value to enable sending an SMS receipt. If unset, the default value is true. (Field: sms_enabled)

sms_handler_id: String. This field specifies the handler ID for the SMS service provider. If blank or unset, the default value from the SMS plugin configuration is used.

sms_phone_field: String. This field specifies the name of the field that contains the visitor's phone number. If blank or unset, the default value from the SMS plugin configuration is used.

sms_template_id: String. This field specifies the print template ID for the SMS receipt. If blank or unset, the default value from the SMS plugin configuration is used.

sms_warn_before_message: String. This field overrides the logout warning message. If blank or unset, the default value from the Customize SMS Receipt page is used.

visitor_carrier: String. The visitor's mobile phone carrier.

SMTP Services Standard Fields
The table below describes standard fields available for the SMTP Services.

Table 35: SMTP Services Standard Fields (columns: Field, Description)

auto_send_smtp: Boolean. Flag indicating that an email receipt should be automatically sent upon creation of the guest account. Set this field to a non-zero value or a non-empty string to enable an automatic email receipt to be sent. This field can be used to create an opt-in facility for guests. Use a check box for the auto_send_smtp field and add it to the create_user form, or a guest self-registration instance, and emai
359. learPass Onboard Process for Onboard-Capable Devices

[Diagram: three stages. Pre-provisioning: install the QuickConnect app from the Android Marketplace (Android devices). Provisioning: QuickConnect interface, login, device provisioning; the certificate authority issues a certificate, or unique device credentials are derived for PEAP. Authentication: certificate authentication, with Microsoft Active Directory Server as an authentication source for endpoints.]

The Onboard process is divided into three stages:

1. Pre-provisioning. This step is only required for Android devices; the W-Series QuickConnect app must be installed for secure provisioning of the device.
2. Provisioning. The device provisioning page detects the device type and downloads or starts the QuickConnect app. The app authenticates the user and then provisions their device with the Onboard server. The device is configured with appropriate network settings and credentials that are unique to the device. See Figure 18 for details.
3. Authentication. Once configuration is complete, the user switches to the secure network and is authenticated using PEAP-MSCHAPv2 unique device credentials.

Figure 18: Sequence Diagram for the Onboard Workflow on Android Platform

[Diagram: participants are the Onboard device, the network infrastructure, ClearPass Onboard and ClearPass Policy Manager. The sequence begins with Associate, then HTTP GET: Request mobile device provisioning pa]
360. lete provisioning.

Code Signing Certificate: None (Do not sign the application). Select a certificate for signing the Windows provisioning application.

Instructions
These options control the text shown during provisioning for Windows devices.

Before Provisioning: These instructions are shown to the user before they provision a Windows device. Enter the HTML code to display. Smarty template functions can be used here. Leave this field empty to use the default instructions. An Insert content item drop-down list is provided below the field. The sample content reads: "In order to connect to this network, your device must be configured for enhanced security. Aruba Networks' QuickConnect application will guide you through the configuration process. To apply the network profile, you need to download and start the QuickConnect application." The link text is "Download and start the QuickConnect network configuration application".

After Provisioning: These instructions are shown to the user after they have provisioned a Windows device. Enter the HTML code to display. Smarty template functions can be used here. An Insert content item drop-down list is provided below the field. The sample content reads: "QuickConnect will now apply the network profile to your device." Leave this field empty to use t
361. lick the Create new SMS gateway link in the upper-right corner. The SMS Gateway Configuration form opens. The first part of the form includes the Service Settings and Mobile Number Settings areas.

SMS Gateway Configuration form (example values):
• SMS Gateway: ClearPass Guest SMS Service. Select the SMS gateway you have service with.

Service Settings
• Display Name: The name for this service handler. This will be displayed to operators using the system.
• Service Username: Your authorization username for the SMS service provider. Note: if you are using ClearPass Guest SMS Service and have entered your ClearPass Subscription ID, the username and password fields should be left blank.
• Service Password: Your authorization password for the SMS service provider.
• Confirm Password: Your authorization password for the SMS service provider.
• Message Format: Convert text to hex-encoded UTF-16. If selected, the message will be converted to hex-encoded UTF-16. Refer to your service provider's documentation if this is necessary.

Mobile Number Settings
• Country Code: The default country code to use for mobile telephone numbers that start with the national prefix. Most SMS providers require the number sent with the country code.
• Default Length: If your country has a default length, enter it here and the country code above will be automatically added where necessary. For example, North American numbers have a default length of 10 and country cod
362. lick the Master Enable, User Database, Choose Skin, or Rename Page links to edit the basic settings for guest self-registration.

Customize Guest Registration form (example values):

Basic Properties: Options controlling basic operation of guest self-registration.
• Name: Guest Self-Registration. Enter a name to identify the guest self-registration instance. This is visible only to administrators.
• Description: Default settings for visitor self-registration. Enter comments about this instance of guest self-registration. This is visible only to administrators.
• Enabled: Enable guest self-registration.
• Register Page: guest_register. Enter the base page name for the guest registration page.
• ClearPass Policy Manager User Database: Self-provisioned visitor accounts are created using this service handler.
• Skin: (Default). Choose the skin for the self-registration pages.

The Basic Properties window has configurable settings such as Name, Description, enabling guest self-registration, Register Page, Parent, and Authentication.

Using a Parent Page
To use the settings from a previously configured self-registration page, select an existing page name from the Parent drop-down menu. This is useful if you need to configure multiple registrations. You can always override parent page values by editing field values yourself. To create a self-registration page with new values, select the Guest Self-Registration (guest_register) op
364. lowing entities in the Entity drop-down list:
• Operator Profiles: a specific operator profile may be selected. The corresponding permissions will apply to all operators with that operator profile.
• Other Entities:
  • Authenticated operators: the permissions for all operators (other than the owner profile) may be set using this item. Permissions for an individual operator profile will take precedence over this item.
  • Guests: the permissions for guests may be set using this item.

The permissions for the selected entity can be set using the Permissions drop-down list:
• No access: the print template is not visible in the list, and cannot be used, edited, duplicated, or deleted.
• Visible-only access: the print template is visible in the list, but cannot be edited, duplicated, or deleted. (List entry shown: GuestManager Receipt Page, Enabled, with the actions Preview and Show Usage.)
• Read-only access: the print template is visible in the list, and the settings for it may be viewed. The print template cannot be edited or deleted. (List entry shown: GuestManager Receipt Page, Enabled, with the actions View Settings, Duplicate, Preview, and Show Usage.)
• Update access: the print template is visible in the list, and may be edited. The print template cannot be deleted, and the permissions for the print template cannot be modified. (List entry shown: GuestManager Receipt Page, Enabled, with the actions Edit, Du
365. lso included for the field, thereby including the field's value when the form is submitted.

[Form field editor screenshot: a field labeled "Sample Field" showing "Option Two", with the description "This is a sample field".]

User Interface: Static text (Options lookup). The kind of user interface element to use when entering or editing this field.
Label: Sample Field. Label for this field to display on the form.
Description: This is a sample field. Descriptive text for this field displayed with the user interface element.
CSS Class: Optional CSS class name to apply to this form field.
CSS Style: Optional CSS style text to apply to this form field.
Icon: images/icon-key.png. Image to display with the user interface element.
Options Generator: (Use options). The function used to generate the list of available options.
Options: List of options available. Enter one or more lines containing key/value pairs, where the key and value are separated with a vertical bar (|). The sample entries are:
  one | Option One
  two | Option Two
  three | Option Three
Collapse: Hide when no options are selectable. Select this option to automatically hide the form field when only one choice is available.

If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.
• Static group heading
366. </tr>
{if $u.create_result.error}
<tr>
<th class="nwaLeft">Error</th>
<td class="nwaBody"><span class="nwaError">{$u.create_result.message|escape}</span></td>
</tr>
{/if}
</tbody>
</table>

5. Remove extraneous data from the User Account HTML field. Example text is shown below:

<table {$table_class_content}>
<thead>
<tr>
<th class="nwaTop" colspan="3">Access Details</th>
</tr>
</thead>
<tbody>
<tr>
<td class="nwaBody" rowspan="99" valign="top"><img src="images/icon-user48.png" width="48" height="48" border="0" alt=""></td>
<th class="nwaLeft">Access Code</th>
<td class="nwaBody" style="width:12em">{$u.username|htmlspecialchars}</td>
</tr>
{if $u.create_result.error}
<tr>
<th class="nwaLeft">Error</th>
<td class="nwaBody"><span class="nwaError">{$u.create_result.message}</span></td>
</tr>
{/if}
</tbody>
</table>

6. Click Save Changes to save your settings.
7. To preview the new template, select the template in the Guest Manager Print Templates list, then click Preview. The template created in this example appears as shown below.

[Print Templates list entry: Copy of Two column access codes, 2 column list, Enabled, with the actions Edit, Duplicate, and Delete.]
367. lt values defined in the operator profile. To define new operator profiles and to make changes to existing operator profiles, go to Administrator > Operator Logins > Profiles. The Operator Profiles page opens with the profiles list displayed.

Creating an Operator Profile
Click the Create Operator Profile link to create a new operator profile. The Operator Profile Editor form is displayed. This form has several sections, which are described in more detail below.

Operator Profile Editor
Name: Reception and Front Desk. Enter a name for this operator profile.
Description: Limited to creating new accounts and sending receipts only. Defaults to create user form on login. Comments or descriptive text about the operator profile.
Access: These options control what operators with this profile are permitted to do.
Enabled: Allow operator logins. If unchecked, operators with this profile will not be able to log in.

The fields in the first area of the form identify the operator profile and capture any optional information.
1. You must enter a name for this profile in the Name field.
2. (Optional) You may enter additional information about the profile in the Description field.

The fields in the Access area of the form define permissions for the operator profile.
1. In t
368. mat.
12. In the Number Format row, choose a country code requirement option from the drop-down list. The available options are Use the visitor's value, Always include the country code, or Never include the country code.
13. (Optional) In the Subject Line field, you may enter text for the message's subject line. This field supports Smarty template syntax, and the number is available as $number. For example, "Sent to {$number} in the year {'Y'|date}" would produce "Sent to 15555551234 in the year 2012". For a Smarty template syntax description, see Smarty Template Syntax on page 264.
14. When all fields are completed appropriately, click Edit Carrier or Create Carrier. The SMS SMTP Carrier List is updated with the changes.

Support Services
The Administration > Support Services page provides links to Dell Networking W-ClearPass Guest documentation, the application log, and Dell Customer Support contact information.
• Documentation: View the user's manual or one of the available network integration guides.
• Contact Support: Information about obtaining customer support.
• View Application Log: View the application log file. You can choose different log files, search for log records, and export the log to different formats here.

Viewing the Application Log
To view events and messages generated by the application, go to
369. material in a table without the material looking as if it is in a table, in other words, without borders.
nwaImportant (All): Text that should be prominently displayed.
Table subheadings

Smarty Template Syntax
Dell Networking W-ClearPass Guest's user interface is built using the Smarty template engine. This template system separates the program logic and visual elements, enabling powerful yet flexible applications to be built. When customizing template code that is used within the user interface, you have the option of using Smarty template syntax within the template. Using the programming features built into Smarty, you can add your own logic to the template. You can also use predefined template functions and block functions to ensure a consistent user interface.

Basic Template Syntax
Following is a brief introduction to the usage of the Smarty template engine. For more information, please refer to the Smarty documentation at http://www.smarty.net/docs.php, or the Smarty Crash Course at http://www.smarty.net/crashcourse.php.

Text Substitution
Simple text substitution in the templates may be done with the syntax {$variable}, as shown below:

The current page's title is: {$title}

Template File Inclusion
To include the contents of another file, this can be done with the following syntax:

{include file="public/included_file.html"}

Smarty tem
370. me page. This is used to automatically redirect the customer on successful completion of the sign-up process. For browsers without JavaScript, you may use the <noscript> tag to allow customers to sign up:

<noscript>
<a href="https://guest.spiffywidgets.com/hotspot_plan.php">Hotspot Sign-Up</a>
</noscript>

However, in this situation the MAC address of the customer will not be available, and no automatic redirection to the customer's home page will be made. You may want to recommend to your customers that JavaScript be enabled for best results.

Web Site Look and Feel
The skin of a Web site is its external look and feel. It can be thought of as a container that holds the application, its style sheet (font size and color, for example), its header and footer, button style, and so on. The default skin used by Dell Networking W-ClearPass Guest is the one that is enabled in the Plugin Manager. The skin is seen by all users on the login page.

SMS Services
Configure the following settings in the SMS Services section of the Hotspot Preferences form to override the default SMS settings with your own custom configuration.
• SMS Receipt: Click this drop-down list to select the template you want to use for SMS receipts. The default value is SMS Receipt.
• Phone Number Field: Click this drop-down list and identify the field that
373. n CoA-Request to the network access server. The $username parameter specifies the user account to modify; use the expression GetAttr('User-Name') to use the value from the RADIUS User-Name attribute. The $role_name parameter specifies the name of the RADIUS User Role to apply to the user.

Example: Use the following as a conditional expression for an attribute. If the user's traffic in the past 24 hours exceeds 50 MB, the user is changed to the "Over Quota" role.

return GetUserTraffic(86400) > 50e6 && ChangeToRole("Over Quota");

GetCallingStationCurrentSession
GetCallingStationCurrentSession($callingstationid, $mac_format = null)
Looks up the current (most recent) active session for the specified calling station ID. Because different NAS equipment can send differently formatted MAC addresses in the Calling-Station-Id attribute, the $mac_format argument may be specified. This should be a sprintf-style format string that accepts 6 arguments (the octets of the MAC address). The default if not specified is the IEEE 802 standard format, %02X-%02X-%02X-%02X-%02X-%02X, that is, uppercase hexadecimal with each octet separated with a hyphen. See GetCurrentSession on page 271 for details of the return value.

GetCallingStationSessions
GetCallingStationSessions($callingstationid, $from_time, $to_time = null, $mac_format = null)
Calculate the number of sessions for accounting records matching a specific calling st
374. n 2012-10-30 14:23 0.0 KB
springGrapic1.PNG, admin, image/png, 2012-10-30 14:23, 40.4 KB
[Content list actions: Properties, Delete, Rename, Download, View Content, Quick View. 3 items. Reload. 20 rows per page.]

You can add content items by using your Web browser to upload them. You can also copy a content item stored on another Web server by downloading it.

To use a content item, you can insert a reference to it into any custom HTML editor within the application. To do this, select the content item you want to insert from the drop-down list located in the lower right corner of the editor. The item will be inserted using HTML that is most suited to the type of content inserted. To manually reference a content item, you can use the URL of the item directly. For example, an item named logo.jpg could be accessed using a URL such as http://192.168.88.88/public/logo.jpg.

Uploading Content
To add a new content item using your Web browser:
1. Go to Configuration > Content Manager, then click the Upload New Content tab. The Add Content form opens.

Add Content
Size Limit: Maximum file upload size: 5.0 MB.
File: Choose a file to upload from your computer.
Description: Enter an optional description of this content item.
Replace: Replace existing item with same name. Select this option to ove
375. n is chosen, the next field's name becomes SMS Template.
• Use a fixed email address: Use this option if all SMS messages are to be sent to the same address. When this option is chosen, the next field's name becomes Address.
9. Configure the option you chose in the previous step:
• If you chose Use a template in the SMS Address field, enter an example email address in the SMS Template field. This provides the pattern for the address format. The default is to substitute the number for all characters preceding the @ sign, producing the pattern number@address. Some carriers require additional characters before or after the phone number. In this case, use the keyword string NUMBER in the pattern to limit the substitution to just the phone number portion of the address, for example NUMBER msg carrier example com or username NUMBER mymail com.
• If you chose Use a fixed email address in the SMS Template field, use the Address field to enter the email address to which all SMS messages will be sent.
10. In the MMS row:
• To use the SMS template for MMS messages, mark the check box in this row. The SMS Address configuration will be applied to MMS messages, and the MMS Template row is removed from the form.
• To use an MMS template for MMS messages, leave this check box unmarked.
11. If you will use an MMS template for MMS messages, enter an example email address in the MMS Template field. This provides the pattern for the address for
376. n method used for the network. Enterprise security (802.1X) will be selected if wired networks are to be supported.

Wireless Network Settings (options for wireless network access)
Security Version: WPA with AES (recommended). Select the WPA encryption version for the wireless network. This setting is used for Windows, Android, and Legacy OS X (10.5/6) devices only. iOS and OS X 10.7+ (Lion or later) devices auto-detect the WPA version.
SSID: Example TLS. Enter the SSID of the wireless network to connect to.
Hidden network: Select this option if the wireless network is not open or broadcasting.
Auto Join: Automatically join network. Select this option to automatically join the wireless network.
Buttons: Next, Create Network, Cancel.

To edit the network's basic and wireless network access options, click the Access tab.
If you need to edit the network's name, enter the new name in the Name field.
You can use the check box in the Enabled row to enable or disable the network in the device profile.
(Optional) You may enter additional identifying information in the Description field.

The options available in the Network Type drop-down list are:
• Both Wired and Wireless: Configures both wired (Ethernet) and wireless network adapters. Use this option when you have 802.1X configured for all types of network access.
• Wireless only: Configures only wireless network adapte
377. n page 274 for details on how to specify the time interval.

GetCallingStationTraffic
GetCallingStationTraffic($callingstationid, $from_time, $to_time = null, $in_out = null, $mac_format = null)
Calculate sum of traffic counters in a time interval. Sessions are summed if they have the same Calling-Station-Id attribute as that specified in the RADIUS Access-Request. If no Calling-Station-Id attribute was included in the request, returns zero.

Because different NAS equipment can send differently formatted MAC addresses in the Calling-Station-Id attribute, the $mac_format argument may be specified. This should be a sprintf-style format string that accepts 6 arguments (the octets of the MAC address). The default if not specified is the IEEE 802 standard format, %02X-%02X-%02X-%02X-%02X-%02X, that is, uppercase hexadecimal with each octet separated with a hyphen. This string matches what ClearPass Guest sees from the NAS.

The time interval specified by $from_time and optionally $to_time is also used to narrow the search. If $to_time is not specified, $from_time is a "look back" time, that is, the time interval in seconds before the current time. If $to_time is specified, the interval considered is between $from_time and $to_time.

$in_out may be "in" to count only input octets, "out" to count only output octets, or any other value to count both input and output octets towards the traffic total.

Examples: Use the following
378. n print window using template drop-down list. A new browser window opens with the Print dialog displayed.

To download a copy of the receipt information in CSV format, click the Save list for scratch cards (CSV file) link. You will be prompted to either open or save the spreadsheet (CSV) file. The fields available in the CSV file are:
• Number: the sequential number of the visitor account, starting at one
• Username: the username for the visitor account
• Password: the password for the visitor account
• Role: the visitor account's role
• Activation Time: the date and time at which the account will be activated, or N/A if there is no activation time
• Expiration Time: the date and time at which the account will expire, or N/A if there is no activation time
• Lifetime: the account lifetime in minutes, or N/A if the account does not have a lifetime specified
• Successful: "Yes" if the account was created successfully, or "No" if there was an error creating the account

Creating a Single Password for Multiple Accounts
You can create multiple accounts that have the same password. In order to do this, you first customize the Create Multiple Guest Accounts form to include the Password field.

To include the Password field on the Create Multiple Guest Accounts form:
1. Go to Conf
379. n the relevant sections of this Guide. This table does not include the configuration steps performed in ClearPass Policy Manager or the W-Series controller. For complete AirGroup deployment information, refer to the AirGroup Deployment Guide and the ClearPass Policy Manager documentation.

Table 5: Summary of AirGroup Configuration Steps in ClearPass Guest
Step | Section in this Guide
Create AirGroup administrators | Creating a New Operator on page 248
Create AirGroup operators | Creating a New Operator on page 248
Configure an operator's device limit | Configuring AirGroup Operator Device Limit on page 247
To authenticate AirGroup users via LDAP: define the LDAP server; define appropriate translation rules | External Operator Authentication on page 248; LDAP Translation Rules on page 254
AirGroup administrator: register devices or groups of devices. AirGroup operator: register personal devices | AirGroup Device Registration on page 53
(Optional) Configure device registration form with drop-down lists for existing locations and roles | AirGroup Device Registration on page 53; Customizing AirGroup Registration Forms on page 147

Documentation and User Assistance
This section describes the variety of user assistance available for ClearPass Guest.

Deployment Guide and Online Help
This Deployment Guide provides complete informati
380. n to attempt to authenticate the LDAP server, or click Cancel to cancel the test. The Authentication Test area is added above the server names to indicate the test's progress.

[Authentication test screenshot. Status: Testing operator authentication with server. The LDAP server list shows Active Directory servers, including LDAPserver2, with the actions Edit, Delete, Duplicate, Disable, and Ping.]

You can also verify operator authentication when you create a new LDAP server configuration, using the Test Settings button on the LDAP Configuration form. See Creating an LDAP Server on page 249 for a description.

Looking Up Sponsor Names
This option is only available if sponsor lookup has been enabled for the server on the Edit Authentication Server page.
1. To look up a sponsor, select a server name in the LDAP Server table, then click the Test Lookup link. The Test Operator Lookup area is added to the LDAP servers list.
2. In the Lookup field, enter a lookup value. This can be an exact username, or you can include wildcards. If you use wildcards, the search might return multiple values.
3. In the Search Mode field, use the drop-down list to specify whether to search for an exact match or use wildcard values.
4. (Optional) Click the Advanced check box to display detailed authorization information for the specified sponsor.
5. Click S
381. n to redirect registered guests back to the NAS. This process is shown below.

Figure 27: Sequence diagram for guest self-registration. [Participants: ClearPass Guest and NAS. Labels: Associates, Redirects, Captive portal, Account creation, NAS login, Authentication, Authorization, Authorized.]

The captive portal redirects unauthorized users to the register page (2). After submitting the registration form (3), the guest account is created and the receipt page is displayed (4) with the details of the guest account. If NAS login is enabled, submitting the form on this page will display a login message (5) and automatically redirect the guest to the NAS login (6). After authentication and authorization, the guest's security profile is applied by the NAS (7), enabling the guest to access the network (8).

Creating a Self Registration Page
To create a new guest self-registration page, go to Configuration > Guest Self-Registration and click the Create new self-registration page link. The Customize Guest Registration form is displayed.

Customize Guest Registration: Basic Properties (options controlling basic operation of guest self-registration)
Name: Ent
383. nced: Show advanced properties. [Button: Save Changes]

Select the Show advanced properties check box to reveal additional properties related to conversion, display, and dynamic form behavior. See View Field Editor on page 169 in this chapter for more information about advanced properties.

Click the Save Changes button to complete the creation of a new field. The new field is added at the top of the field list. To change the position of the new field, you can re-sort the list or you can reload the page.

Duplicating a Field
To duplicate a field, click the field to be duplicated, then click the Duplicate link. The field is copied and a number appended to the end of the field name. For example, if you were to duplicate the card_code field, the duplicated field would be card_code_1. To rename the field, click Edit.

Editing a Field
You are able to alter the properties of the field by making changes to the Field Name, Field Type, or Description when you click the Edit link. This link is available when you click a field in the list view. Click the Save Changes button to have the changes made permanent.

Deleting a Field
Fields that do not have a lock symbol can be deleted by clicking on the Delete link. You will be asked to confirm the deletion. If you want the deletion to take place, you are informed when the deletion has been completed.
384. ncludes the following sections:
• Basic HTML Syntax on page 261
• Standard HTML Styles on page 262
• Smarty Template Syntax on page 264
• Date/Time Format Syntax on page 279
• Programmers Reference on page 282
• Field, Form, and View Reference on page 287
• LDAP Standard Attributes for User Class on page 304
• Regular Expressions on page 305

Basic HTML Syntax
Dell Networking W-ClearPass Guest allows different parts of the user interface to be customized using the Hypertext Markup Language (HTML). Most customization tasks only require basic HTML knowledge, which is covered in this section.

HTML is a markup language that consists primarily of tags that are enclosed inside angle brackets, for example, <p>. Most tags are paired to indicate the start and end of the text being marked up; an end tag is formed by including the tag inside the angle brackets with a forward slash, for example, </p>.

Use the following standard HTML tags in customization:

Table 24: Standard HTML Tags (Item, HTML Syntax)
Basic Content
<h3>Section heading</h3>
<br>
<br /> (equivalent syntax, XHTML)
<ul><li>List item text</li></ul>
<ol><li>List item text</li></ol>
Text Formatting
<b>words to be made bold</b>
<strong>equivalent syntax</strong>
<i>
385. nd examples enclosed in brackets are optional. Do not type the brackets.
{Item A | Item B}: In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

The following informational icons are used throughout this guide:
NOTE: Indicates helpful suggestions, pertinent information, and important things to remember.
CAUTION: Indicates a risk of damage to your hardware or loss of data.
WARNING: Indicates a risk of personal injury or death.

Contacting Support
Web Site Support
Support Website: dell.com/support
Documentation Website: dell.com/support/manuals

Chapter 2: Dell Networking W-ClearPass Guest Overview
This chapter explains the terms, concepts, processes, and equipment involved in managing visitor access to a network, and helps you understand how Dell Networking W-ClearPass Guest can be successfully integrated into your network infrastructure. It is intended for network architects, IT administrators, and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.

This chapter includes the following sections:
• About Dell Networking W-ClearPass Guest on page 15
• Visitor Acces
386. nd other components involved in providing guest access.

Figure 3: Interactions involved in guest access
• Visitors: Web login, self-registration, account receipt, SMS receipt
• ClearPass Guest Visitor Management Appliance
• Network Access Servers: authentication, authorization, accounting, dynamic authorization
• Visitor Access: captive portal, NAS login
• Operators: provision accounts, manage visitors, customer service, manage sessions, run reports
• IT Administrator: provision operators, configure VMA, configure NAS, run reports

AAA Framework
ClearPass Guest is part of your network's core infrastructure and manages guest access to the network. NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS protocol to ask ClearPass Policy Manager to authenticate the username and password provided by a guest logging in to the network. If authentication is successful, the guest is then authorized to access the network.

Roles are assigned to a guest as part of the context ClearPass Policy Manager uses to apply its policies. RADIUS attributes that define a role's access permissions are contained within Policy Manager's Enforcement Profile. Additional features, such as role mapping for ClearPass Guest, can be performed in ClearP
387. ndom letters and digits, or Sequential numbering.
The default length of random account usernames when creating groups of accounts. This may be overridden by using the random_username_length field.
Username Format: This field is displayed if the Username Type is set to "Format picture". It sets the format of the username to be created. See Format Picture String Symbols on page 297 for a list of the special characters that may be used in the format string. This may be overridden by using the random_username_picture field.
Random Password Type: The default method used to generate random account passwords when creating groups of accounts. This may be overridden by using the random_password_method field.
Random Password Length: The default length of random account passwords when creating groups of accounts. This may be overridden by using the random_password_length field.
Password Format: This field is displayed if the Password Type field is set to "Format picture". It sets the format of the password to be created. See Format Picture String Symbols on page 297 for a list of the special characters that may be used in the format string. This may be overridden by using the random_password_picture field.
Password Complexity: The policy to enforce when guests change their account passwords using the guest self-service user interface. Different levels of password complexity can require guests to select password
388. network
Secret Question: Enter your secret question. The answer will be required to reset your password.
Secret Answer: Enter the answer to your secret question.
I accept the terms of use: Flag indicating that the creator has accepted the terms and conditions of use.
Next, enable the Required Field option in the Self-Service Portal properties. Setting this to Secret Question will ask the guest the secret_question, and will only permit the password to be reset if the guest supplies the correct secret_answer value.
With these settings, the user interface for resetting the password now includes a question and answer prompt after the username has been determined.
[Screenshot: Reset Password form. Username: demo@example.com. Secret Question: What is my favorite color? Secret Answer: Enter the answer to your secret question.]
Selecting a different value for the Required Field allows other fields of the visitor account to be checked. These fields should be part of the registration form. For example, selecting the visitor_name field as the Required Field results in a Reset Password form like this:
[Screenshot: Reset Password form. Username. Your Name: Please enter your full name.]
Email Receipts and SMTP Services
With SMTP Services you can config
389. ng the equality or inequality operators. To specify multiple values, list them separated by the pipe character. For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the user accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named custom_field set to Value.
Other comparisons listed in the operator table: is greater than or equal to; is less than or equal to; matches the regular expression; does not match the regular expression.
6. In the Account Limit row, you can enter a number to specify the maximum number of accounts an operator can create. Disabled accounts are included in the account limit. To set no limit, leave the Account Limit field blank. When you create or edit an AirGroup operator, the value you enter in the Account Limit field specifies the maximum number of devices an AirGroup operator with this profile can create.
Configuring the User Interface
User Interface: These options control the visual appearance and behavior of the application.
Skin (Default): Choose the skin to use for operators with this profile.
Start Page (Create New Guest Account): The initial page to show this operator after logging in.
Auto detect: Select the default language to use for operators with this profile.
Default Time Zone: Select the default time zone for operators with this p
390. nicate with over the Web, sign and encrypt messages, and, depending upon the type of certificate you request, perform other security tasks. You can also use this Web site to download a certificate authority (CA) certificate, certificate chain, or certificate revocation list (CRL), or to view the status of a pending request. For more information about Active Directory Certificate Services, see Active Directory Certificate Services Documentation.
Select a task: Request a certificate; View the status of a pending certificate request; Download a CA certificate, certificate chain, or CRL.
Click the Request a Certificate link on this page. The Request a Certificate page opens.
[Screenshot: Microsoft Active Directory Certificate Services, Suburban Broadband LLC. Request a Certificate. Select the certificate type: Web Browser Certificate; E-Mail Protection Certificate. Or, submit an advanced certificate request.]
Click the link to submit an advanced certificate request. The Advanced Certificate Request page opens.
[Screenshot: Microsoft Active Directory Certificate Services, Suburban Broadband LLC. Advanced Certificate Request.]
The policy of the CA determines the types of certificates you can request. Click one of the following options to: Create and submit a request to this CA. Submit a certificate request by using a base-64-encoded CMC or PKCS
391. nk to restore the default view. Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.
NOTE: When the list contains many thousands of certificates, consider using the Filter field to speed up finding a specific certificate.
Click the column headers to sort the list view by that column. Click the column header a second time to reverse the direction of the sort.
Working with Certificates in the List
Click on a certificate to select it. You can then select from one of these actions:
- View certificate: Displays the properties of the certificate. Click the Cancel button to close the certificate properties.
- Export certificate: Displays the Export Certificate form.
[Screenshot: Export Certificate form. Format (PKCS#12 Certificate & Key, .p12): Select the file format for the exported item. Trust Chain (Include certificate trust chain): Select this option to include the certificates for the CA and any intermediate certificate authorities in the PKCS#12 container. Passphrase: Passphrase to protect the PKCS#12 file. Confirm Passphrase: Re-enter the passphrase.]
Use the Format drop-down list to select the format in which t
392. nsidered is between $from_time and $to_time. Returns the total session time for all matching accounting records in the time interval specified.
GetTraffic
    GetTraffic($criteria, $from_time, $to_time = null, $in_out = null)
Calculate the sum of traffic counters for accounting records in the database.
NOTE: This is a multi-purpose function that has a very flexible query interface; for ease of use, consider using one of the related functions GetCallingStationTraffic, GetIpAddressTraffic, or GetUserTraffic.
$criteria is the criteria on which to search for matching accounting records. The time interval specified by $from_time and optionally $to_time is used with the criteria to narrow the search. If $to_time is not specified, $from_time is a "look back" time, that is, the time interval in seconds before the current time. If $to_time is specified, the interval considered is between $from_time and $to_time. $in_out may be "in" to count only input octets, "out" to count only output octets, or any other value to count both input and output octets towards the traffic total. This argument returns the computed total of traffic for all matching accounting records.
GetUserActiveSessions
    GetUserActiveSessions($username, $callingstationid = null)
Looks up the list of all sessions for the specified username. The $username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute). If a $callingstat
393. nt to define a single print template that caters for multiple situations. For example, if you want to customize the print template to display different content depending on the action that has been taken, the following code could be used:
    {if $action == "create"}
    <p>Your guest account has been created and is now ready to use</p>
    <ul>
    {if $site_ssid}
    <li>Connect to the wireless network named <b>{$site_ssid}</b></li>
    {/if}
    <li>Make sure your network adapter is set to DHCP - Obtain an IP address Automatically</li>
    <li>Open your Web browser</li>
    <li>Enter your username and password in the spaces provided</li>
    </ul>
    {elseif $action == "edit"}
    <p>Your guest account has been updated</p>
    {elseif $action == "delete"}
    {/if}
    <table {$table_class_content} width="500">
    <tbody>
    {if $u.guest_name}
    <tr>
    <th class="nwaLeft">guest name</th>
    <td class="nwaBody">{$u.guest_name}</td>
    </tr>
    {/if}
If this code is placed in the User Account HTML section, it will cater for the create, edit, and delete options.
Print Template Wizard
The Create new print template using wizard link provides a simplified way to create print templates by selecting a basic style and providing a logo image
394. nts, or select one of the other available options to use a fixed value for each imported guest account. Click the Next Step button to preview the final result.
Import Step 3 of 3: the Import Accounts form opens and shows a preview of the import operation. The values of each guest account field are determined, and any conflicts with existing user accounts are shown.
[Screenshot: Import Accounts form. Total number of records currently selected: 7.]
Username | Password | Role | Expiration | Expire Action | Full Name
demo005 | secret005 | Contractor | 2011-06-10 09:00 | 4 | Demo five
demo006 | secret006 | Contractor | 2011-06-11 10:00 | 4 | Demo six
demo007 | secret007 | Contractor | 2011-06-12 11:00 | 4 | Demo seven
demo008 | secret008 | Contractor | 2011-06-13 12:00 | 4 | Demo eight
demo009 | secret009 | Contractor | 2011-06-13 12:00 | 4 | Demo nine
demo010 | secret010 | Contractor | 2011-06-13 12:00 | 4 | Demo ten
demo011 | secret011 | Contractor | 2011-06-13 12:00 | 4 | Demo eleven
The icon displayed for each user account indicates if it is a new entry or if an existing user account will be updated. By default, this form shows ten entries per page. To view additional entries, click the arrow button at the bottom of the form to display the next page, or click the 10 rows per page drop-down list at the bottom of
395. o determine the most recent start and stop time of visitor account sessions. String. Username of the account. This field may be up to 64 characters in length. String. The visitor's company name. String. The visitor's full name. String. The visitor's contact telephone number.
Hotspot Standard Fields
The table below describes standard fields available for the Hotspot form.
Table 33: Hotspot Standard Fields
Field | Description
address | String. The visitor's street address.
card_code | String. The 3 or 4 digit cardholder verification code printed on the credit card. This field is only used during transaction processing.
SMS Services Standard Fields
The table below describes standard fields available for the SMS Services form.
Table 34: SMS Services Standard Fields
Field | Description
auto_send_sms | Boolean. Flag indicating that a SMS receipt should be automatically sent upon creation of the account.
sms_auto_send_field | String. This field specifies the name of the field that contains the auto-send flag. If blank or unset, the default value from the SMS plugin configuration is used. Additionally, the special values _Disabled and _Enabled may be used to never send an SMS or always send an SMS, respectively.
Boolean. This fie
396. o provide their personal details and payment method. The example below shows the default Your Details page if the customer chooses to pay for the Hourly Access plan.
[Screenshot: Hotspot Sign Up, Step 2: Your Details. To create your wireless account, please enter your details below. You have selected: Hourly Access, 1 hour(s). Your Personal Details: First Name, Last Name, Company Name, Zip, Phone Number, Email Address. Purchase Details: Card Number (your credit card number without spaces), Card Expiry (your credit card expiration date), Card Name (the name on the card, exactly as it is printed), Card Verification Code (the 3 or 4 digit cardholder verification code printed on the card), Purchase Amount (2.95; this is the total amount of your purchase, and your credit card will not be charged until you click the Purchase button below). Confirm: I accept the terms of use. Purchase Access.]
Although it is not shown in this illustration, the default page also includes footer text providing information about privacy policies and security pertaining to the data collected by this page.
The example below shows the default Your Details page for a customer who chooses the Free Access plan. Customizing Visitor Sign Up Page Two Dell Networ
397. o the string value "one,two", which is then used as the value for the field. Finally, when the form is displayed and the value needs to be converted back from a string, the NwaExplodeComma display function is applied, which turns the "one,two" string value into an array value array("one", "two"), which is used by the checklist to mark the first two items as selected.
- Date/time picker: A text field is displayed with an attached button that displays a calendar and time chooser. A date may be typed directly into the text field, or selected using the calendar. The text value typed is submitted with the form. If using a date/time picker, you should validate the field value to ensure it is a date. Certain guest account fields, such as expire_time and schedule_time, require a date/time value to be provided as a UNIX time value. In this case, the conversion and display formatting options should be used to convert a human-readable date and time to the equivalent UNIX time, and vice versa.
[Screenshot: Form Field Editor. User Interface (Date/time picker): The kind of user interface element to use when entering or editing this field. Label (Sample Field): Label for this field to display on the form. Description (This is a sample field): Descriptive text for this field displayed with the user interface element.]
CSS Class: Optional CSS class name to apply to this form
398. ocality: Sunnyvale. Organization: SpiffyWidgets. Common Name: Example Certificate Authority. Email Address: example@spiffywidgets.com. Delete this request: Select this checkbox to confirm the request deletion.
The Delete Request form is displayed. Mark the Delete this request check box to confirm the certificate signing request's deletion, and then click the Delete Request button.
Importing a Code Signing Certificate
Onboard supports importing a code signing certificate chain and private key for signing the Windows provisioning application. Certificates can be uploaded as PFX, PKCS#12, SPC, or PKCS#7, and can include a chain of certificates.
An operator's profile must include the Import Code Signing Certificate privilege in order to access this feature.
To import a code signing certificate:
1. Go to Onboard > Certificate Management or Onboard > Provisioning Settings, and click the Upload a code signing certificate link at the top of the page. The Code Signing Certificate Import form opens.
2. In the Certificate Type drop-down list, choose the file type, either SPC, PFX, PKCS#7, or PKCS#12. The form expands to include the Cer
399. nwa_commandlink, nwa_iconlink, nwa_icontext, nwa_quotejs, nwa_radius_query, ChangeToRole, GetCallingStationCurrentSession, GetCallingStationSessions, GetCallingStationTime, GetCallingStationTraffic, GetCurrentSession, GetIpAddressCurrentSession, GetIpAddressSessions, GetIpAddressTime, GetIpAddressTraffic
400. of an existing field.
Forms & Views: Add new fields to forms, change existing fields, or reconfigure views of visitor accounts.
To view or customize forms and views, go to Configuration > Forms & Views. The Customize Forms and Views page opens.
[Screenshot: Customize Forms and Views list, including airgroup_shared_list (Shared Devices view: list of shared devices managed by the administrator), change_expiration (Change Expiration form: change the expiration time of a single visitor account), and create_user (New Visitor Account form: create a single visitor account), with Edit, Edit Fields, Duplicate, and Use links.]
You can open a form or view directly from the Forms and Views page. To open a form or view to use it, go to Configuration > Forms & Views, click the form's or view's row in the list, then click its Use link. The form or view opens in a separate browser tab, and the Forms and Views tab stays open so you can work in both.
An asterisk shown next to a form or view indicates that the form or view has been modified from the defaults. You can click the Reset to Defaults link to remove your modifications and restore the original form.
Resetting a form or view is a destructive operation and cannot be undone. You will be prompted to confirm the form or view reset before it proceeds.
Editing Forms
401. ofile: The default operator profile to assign to operators authorized by this LDAP server.
Microsoft Active Directory
- Server URL: The URL of the LDAP server.
- Bind DN: The password to use when binding to the LDAP server, or empty for an anonymous bind.
- Bind Password: The password to use when binding to the LDAP server. Leave this field blank to use an anonymous bind.
- Base DN: The Distinguished Name to use for the LDAP search.
- Default Profile: The default operator profile to assign to operators authorized by this LDAP server.
POSIX Compliant
- Server URL: The URL of the LDAP server.
- Bind DN: The password to use when binding to the LDAP server, or empty for an anonymous bind.
- Bind Password: The password to use when binding to the LDAP server. Leave this field blank to use an anonymous bind.
- Base DN: The Distinguished Name to use for the LDAP search.
- Unique ID: The name of an LDAP attribute used to match the username.
- Filter: Additional LDAP filters to use to search for the server.
- Attributes: List of LDAP attributes to retrieve. Or leave blank to retrieve all attributes (default).
- Default Profile: The default operator profile to assign to operators authorized by this LDAP server.
Custom RADIUS
- Server: The hostname or IP address of the RADIUS server.
- Port Number: The port number of the RADIUS authentication service.
- Shared Secret: The shared secret for the RADIUS server.
- RADIUS Authentication Method: The authentication method that s
402. oints [Figure 12 labels: PEAP; Unique Device Credentials; Users Bring Your Own Client Devices; Network; Server]
The components shown in Figure 12 are:
1. Users bring different kinds of client device with them. Onboard supports "smart devices" that use the iOS or Android operating systems, such as smartphones and personal tablets. Onboard also supports the most common versions of Windows and Mac OS X operating systems found on desktop computers, laptops, and netbooks.
2. The Onboard workflow is used to provision the user's device securely and with a minimum of user interaction. The provisioning method used depends on the type of device.
   a. Newer versions of Mac OS X (10.7 and later) and iOS devices use the "over-the-air" provisioning method.
   b. Other supported platforms use the Onboard provisioning method.
3. Once provisioned, client devices use a secure authentication method based on 802.1X and the capabilities best supported by the device.
   a. The unique device credentials issued during provisioning are in the form of an EAP-TLS client certificate for iOS devices and OS X (10.7+) devices.
   b. Other supported devices are also issued a client certificate, but will use the PEAP-MSCHAPv2 authentication method with a unique username and strong password.
4. Administrators can manage all Onboard devices using the certificat
403. on for all ClearPass Guest features. The following quick links may be useful in getting started.
Table 6: Quick Links
For information about | Refer to
What visitor management is and how it works | About Dell Networking W-ClearPass Guest
Using the guest management features | Using Standard Guest Management Features on page 29
Role-based access control for operators | Operator Profiles on page 242
Setting up LDAP authentication for operators | External Operator Authentication on page 248
Context-Sensitive Help
For more detailed information about the area of the application you are using, click the context-sensitive Help link displayed at the top right of the page. This opens a new browser tab showing the relevant section of this deployment guide.
The deployment guide may be searched using the Search box in the top right corner. Type in keywords related to your search and click the Search button to display a list of matches. The most relevant matches will be displayed first. Words may be excluded from the search by typing a minus sign directly before the word to exclude (for example, -exclude). Exact phrase matches may also be searched for by enclosing the phrase in double quotes (for example, "word phrase").
Field Help
The ClearPass Guest user interface has field help built into
404. AirGroup Services
This section describes configuration options for the AirGroup Services plugin and provides links to other AirGroup steps performed in Dell Networking W-ClearPass Guest. For an overview of AirGroup functionality, see AirGroup Deployment Process on page 23. For complete AirGroup deployment information, refer to the AirGroup Deployment Guide and the ClearPass Policy Manager documentation.
Configuring the AirGroup Services Plugin
To enable support for dynamic notification of AirGroup events when new devices are added, and to configure AirGroup logging, each AirGroup-enabled W-Series controller must also be defined in Dell Networking W-ClearPass Guest.
To configure the AirGroup Services plugin:
1. Go to Administration > AirGroup Services and click the Configure AirGroup Services command link. The Configure AirGroup Services form opens.
Configure AirGroup Services form fields: AirGroup Logging (Standard (Recommended), log basic information): Select an option for logging events related to AirGroup Services. Enable, Hostname: The controller's hostname or IP address. Port (5999): UDP port number. Con
405. options here are to:
- Do nothing: makes no changes.
- Assign fixed operator profile: assigns the selected Operator Profile to the operator.
- Assign attribute's value to operator field: uses the value of the attribute as the value for an operator field. This option can be used to store operator configuration details in the directory.
- Assign custom value to operator field: uses a template to assign a value to a specific operator field. If you choose this option, the form expands to include the Custom text box for you to enter your custom template code. See Custom LDAP Translation Processing on page 256.
- Apply custom processing: evaluates a template that may perform custom processing on the LDAP operator. If you choose this option, the form expands to include the Custom text box for you to enter your custom template code. See Custom LDAP Translation Processing on page 256.
- Remove attribute from operator: removes the selected LDAP attribute from the operator.
7. Click the Operator Profile drop-down list and select the profile to be assigned if there is a rule match. In the example shown above, if the Administrator group is matched, the Administrator profile is to be assigned.
8. Select the Fallthrough check box if you want to use multiple translation rules. When you create multiple rules, you can build a complete logical structure to perform any type of processing on the LDAP attributes available in your directory.
9. Click Save
406. or on page 248.
Authenticating AirGroup Users via LDAP
Dell Networking W-ClearPass Guest supports LDAP authentication for administrators and operators. To provide AirGroup Services to LDAP-authenticated users:
1. Define the LDAP server for AirGroup. See External Operator Authentication on page 248.
2. Define the appropriate translation rules to categorize the LDAP users. See Custom LDAP Translation Processing on page 256.
Data Retention
The Data Retention Policy page (Administration > Data Retention) lets you manage historical data by archiving or deleting it. For a data retention policy to take effect, you must schedule and enable database maintenance. To do so, refer to the Dell Networking W-ClearPass Policy Manager documentation.
Figure 35: Data Retention Policy page
Manage Data Retention form fields:
Enable (Enable data retention policy): If enabled, records will be deleted after the period set below.
Time of Day: Select the time of day at which data retention will run.
Onboard Device Certificates
Minimum Period (weeks): The minimum delay required before an expired certificate or a rejected request can be deleted. Leave blank to allow certificates and requests to be deleted at any time, including before expiration.
Maximum Period (weeks): The period after which an expired certificate or a rejected reques
407. or Account Creation on page 137 for a description. Click Save Configuration to save your changes.
Create the Print Template
By default, the print templates include username, password, and expiration, as well as other options. For the purpose of access codes, we only want the username presented. This access code login example bases the print template off an existing scratch card template.
1. Navigate to Configuration > Print Templates.
2. Select Two-column scratch cards and click Duplicate.
3. Select the Copy of Two-column scratch cards template, then click Edit.
4. In the Name field, substitute Access Code for Username, as shown below.
[Screenshot: Edit Print Template form. Name (Copy of Two-column access codes): A name for the print template. This name is used to select which template to use when printing a list of accounts. Enabled: Allow the use of this print template. Layout (2-column list): Choose how the guest account list will be printed when using this template. The template markup shown contains an "Access Details" header row and a table cell that outputs {$u.username|escape}.]
User Account
408. orm
1. Go to Configuration > Forms & Views. Click the create_multi row, then click its Edit Fields link. The Customize Form Fields view opens, showing a list of the fields included in the Create Multiple Guest Accounts form and their descriptions. At this point, the Password field is not listed, because the Create Multiple Guest Accounts form (create_multi) has not yet been customized to include it. You will create it for the form in the next step.
2. Click on any field in the list to expand a row, then click the Insert After link (you can modify this placement later). The Customize Form Field form opens.
3. In the Field Name row, choose password from the drop-down list. The form displays configuration options for this field.
[Screenshot: Form Field Editor. Field Name (password): Select the field definition to attach to the form. Form Display Properties: These properties control the user interface displayed for this field. Field (Enable this field): When checked, the field will be included as part of the form. Rank: Number indicating the relative ordering of user interface fields, which are displayed in order of increasing rank. User Interface (Password text field): The kind of user interface element to use when entering or editing this field. Label (Visitor Password): Label for this field to display on the form.]
4. In the Field row, mark the Enable this field check box.
5. To adjust the
409. ormation such as credit card details.
Hotspot Preferences form fields, continued:
ClearPass Policy Manager User Database: Self-provisioned visitor accounts are created using this service handler.
Transaction Processing: Hotspot transactions are processed using this service handler.
Service Not Available, Title (Temporarily Unavailable): Title of the page displayed if self-provisioning has been disabled.
Service Not Available, Message: Enter HTML message to display to visitors if self-provisioning has been disabled. The sample message shows the heading "Visitor Registration Temporarily Unavailable" and an nwa_icontext block reading "We're sorry, but the system is currently unavailable due to maintenance. Please try again later."
Captive Portal: These options control the overall look and feel of the self-provisioning visitor pages.
Hotspot Sign Up URL (https://10.100.9.37/guest/hotspot_plan.php): This is the URL that starts the self-provisioning process. For external captive portals, redirect visitors to this URL to start the Sign Up process.
Look and Feel: These options control the overall look and feel of the self-provisioning visitor pages.
Skin (Default): Choose the skin for the Hotspot visitor access pages.
SMS Services (Use Default): Override the default SMS settings.
SMS Receipt (Download Receipt): The plain text format print template to use when generating an
410. ot plans you have created.
- On page 2, the customer enters their personal details, including credit card information if purchasing access.
- The customer's transaction is processed and, if approved, their visitor account is created according to the appropriate Hotspot plan.
- On page 3, the customer receives an invoice containing confirmation of their transaction and the details of their newly created visitor account.
- The customer is automatically logged in with their username and password, providing instant Hotspot access.
Managing the Hotspot Sign-up Interface
You can enable visitor access self-provisioning by navigating to Configuration > Hotspot Manager and selecting the Manage Hotspot Sign-up command.
Manage Hotspot Sign Up: Change user interface options and set global preferences for self-provisioning of visitor accounts.
The Hotspot Preferences form opens. This form allows you to change user interface options and set global preferences for the self-provisioning of visitor accounts.
Hotspot Preferences form fields:
General Hotspot Preferences: Global options for self-provisioned visitor access.
On/Off Switch: Enable visitor access self-provisioning.
Require HTTPS (Always use HTTPS for customer connections): Require HTTPS connections for customers creating Hotspot accounts. This is recommended to ensure the privacy of sensitive inf
411. ount Activation, Account Expiration: 01973984, 47468940, Contractor, Active, Wednesday 31 October 2012 06:23 AM, Wednesday 14 November 2012 05:23 AM. Account Details (Username, Password, Role, Current State, Account Activation, Account Expiration): 30759520, 71701546, Contractor, Active, Wednesday 31 October 2012 06:23 AM, Wednesday 14 November 2012 05:23 AM. Account Details (Username, Password, Role, Current State, Account Activation, Account Expiration): 28603627, 69265462, Contractor, Active, Wednesday 31 October 2012 06:23 AM, Wednesday 14 November 2012 05:23 AM. Account Details (Username, Password, Role): 775604827, 08704971, Contractor. 4. Confirm that the accounts' settings are as you expected with respect to letters and digits in the username and password, expiration, and role. 5. Click the Open print window using template drop-down list and select the new print template you created using this procedure. See Create the Print Template on page 199 for a description of this procedure. A new window or tab will open with the cards. Chapter 6: Hotspot Manager. The Hotspot Manager controls self-provisioned guest or visitor accounts. This is where the customer is able to create his or
412. ove Account, Edit Multiple form, Edit Account, Active Sessions. The table below lists all the forms and views used for visitor management. Table 19: Visitor Management Forms and Views (Name, Type, Visitor Management Function, Editable). These forms are accessed directly: create_multi (form): multiple account creation; create_user (form): sponsored account creation; guest_register (form): guest self-registration form. These forms are accessed through the action row of the guest_users view: change_expiration (form): change expiration time for a single account; guest_multi_form (form): editing multiple accounts; guest_edit (form): editing single account; reset_password (form): reset password for a single account. These forms are the standard self-registration forms: guest_register (form): self-registration form; guest_register_receipt (form): self-registration receipt. These standard views are defined in Guest Manager: guest_export (view): view used when exporting guest account information; guest_multi (view): displays a list of guest accounts optimized for working with multiple accounts; guest_sessions (view): displays a list of current or historical sessions (see Active Sessions Management on page 59); guest_users (view): displays a list of guest accounts op
413. owse. Certificate Signing Request: Choose a digital certificate signing request to upload. This should be a PEM-encoded PKCS#10 certificate request file. Certificate Type: TLS Client Certificate. Select the type of certificate to create from this signing request. Approval: Issue this certificate immediately. Submit Certificate Signing Request. Use the Certificate Signing Request field to select the appropriate file for upload. NOTE: The file should be a base-64 encoded (PEM format) PKCS#10 certificate signing request. Specifying Certificate Properties: Select the type of certificate from the Certificate Type drop-down list. Choose from one of the following options. TLS Client Certificate: Use this option when the certificate is to be issued to a client, such as a user or a user's device. When this option is selected, the issued certificate's extended key usage property will contain a value of Client Auth, indicating that the certificate may be used to identify a client. TLS Server Certificate: Use this option when the certificate is to be issued to a network server, such as a Web server or as the EAP-TLS authentication server. When this option is selected, the issued certificate's extended key usage property will contain a value of Server Auth, indicating that the certificate may be used to
414. Chapter 1: About this Guide. Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. Audience: This deployment guide is intended for system administrators and people who are installing and configuring Dell Networking W-ClearPass Guest as their visitor management solution. It describes the installation and configuration process. Conventions: The following conventions are used throughout this guide to emphasize important concepts. Table 1: Typographical Conventions (Type Style, Description). Italics: This style is used to emphasize important terms and to mark the titles of books. System items: This fixed-width font depicts the following: sample screen output, system prompts, filenames, software devices, and specific commands when mentioned in the text. In the command examples, this bold font depicts text that you must type exactly as shown. <Arguments>: In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example: send <text message>. In this example, you would type "send" at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets. Optional Comma
415. p;&nbsp; Login below using your {nwa_mdps_config name=organization_name} credentials<br> <strong>3</strong>&nbsp;&nbsp;&nbsp;&nbsp; Install the certificate when prompted<br> <strong>4</strong>&nbsp;&nbsp;&nbsp;&nbsp; Go to your Wi-Fi settings and connect to SSID <strong>{nwa_mdps_config name=wifi_ssid}</strong><br> </p> Using the nwa_mdps_config Template Function: Certain properties can be extracted from the Onboard configuration and used in the device provisioning page. To obtain these properties, use the nwa_mdps_config Smarty template function. The name parameter specifies which property should be returned, as described in Table 15. Table 15: Properties Available with the nwa_mdps_config Smarty Template Function. root_cert: URL of the Onboard certificate authority's root certificate. Browsing to this URL will install the root certificate on the device, which is required as part of the pre-provisioning step. Example: <a href="{nwa_mdps_config name=root_cert}">Install Onboard root certificate</a>. wifi_ssid: Name of the wireless network. See Configuring Basic Network Access Settings on page 118. Example: Connect to the network named {nwa_mdps_config name=wifi_ssid}. The
416. page. Customizing Visitor Sign-Up Page Three: Page three of the guest self-provisioning process provides the customer an invoice containing confirmation of their transaction and the details of their newly created wireless account. An example of the default Your Receipt page is shown below. Your Receipt (Hotspot Sign-Up, Step 3): Your transaction was processed successfully. Welcome to the Hotspot. Your wireless account is now ready to use. Just click the Start Browsing button below to automatically log in and continue to your Web browser's home page. Note: If your computer is turned off or goes out of range, you will need to log in to the Hotspot again. Make sure you have the username and password shown under Account Details. Please review the receipt below and save a copy for your records. Your Invoice: Your Company Name. Date: Tuesday 04 December 2012 12:36 AM. Your contact details. Invoice No. P 8. Purchase Details (Description, Qty, Unit Price, Price): Free Access, 0.00, 0.00. Free basic wireless access. Limited to 64 kbit, Web browsing traffic only, and a maximum of one hour. Total: 0.00. Account Details. Username: 16788743. Use this username to log in to the Hotspot. Password: 740661384. Use this password to log in to the Hotspot. Account will expire at Tuesday 04 December 2012 01 3
417. page. NOTE: If this check box is not marked, device provisioning will be inoperative. Select the appropriate Onboard configuration from the Configuration drop-down list. To modify the instructions provided to users on the device provisioning page, edit the contents of the Header HTML text area. The default instructions are displayed to the user as: Please configure security and network settings on your device to allow secure access to the internal network. Please follow the instructions listed below. Install root certificate click here. Login below using your Example Organization credentials. Install the certificate when prompted. Go to your Wi-Fi settings and connect to SSID Example TLS AWUN. Username, Password, Log In, required field. This corresponds to the following text prepopulated in the Header HTML text area: <p> Please configure security and network settings on your device to allow secure<br> access to the internal network. Please follow the instructions listed below.<br> <br> <strong>1</strong>&nbsp;&nbsp;&nbsp;&nbsp; {nwa_iconlink icon=images/icon-certificate22.png text="Install root certificate click here"}{nwa_mdps_config name=root_cert}{/nwa_iconlink}<br> <strong>2</strong>&nbsp;&nbsp;&nbs
418. pecified, the default is output=id (that is, the plugin ID is returned). nwa_privilege: {nwa_privilege} ... {/nwa_privilege} Smarty registered block function. Includes output only if a certain kind of privilege has been granted. Usage examples: {nwa_privilege access=create_user} content {/nwa_privilege} The access parameter specifies the name of a privilege to check for any access. {nwa_privilege readonly=create_user} content {/nwa_privilege} The readonly (synonym: ro) parameter specifies the name of a privilege to check for read-only access. Be aware that an operator with read-write access also has read-only access. To include content if the user ONLY has read access (that is, not if the user has full access), prefix the privilege name with a character and use the parameter name readonly or ro. {nwa_privilege full=create_user} content {/nwa_privilege} The full (synonym: rw) parameter specifies the name of a privilege to check for full read-write access. The name la parameter is the name of the privilege to check. If name is prefixed with a the output is included only if that privilege is NOT granted (inverts the sense of the test). An optional level parameter may be specified, which is the level of access to the privilege required (default is 0, or any access). nwa_replace: nwa_replace 1 2 nwa_replace Smarty registered
419. perator login. Move Up: moves the rule up to a higher priority on the rule list. Move Down: moves the rule down to a lower priority on the rule list. Custom LDAP Translation Processing: When matching an LDAP translation rule, custom processing may be performed using a template. The template variables available are listed in the table below. Table 23: Template Variables (Variable, Description). The name of the LDAP attribute that was matched. user: Contains settings for the operator, including all LDAP attributes returned from the server. For a Smarty template syntax description, see Smarty Template Syntax on page 264. These may be used to make programmatic decisions based on the LDAP attribute values available at login time. For example, to permit non-administrator users to access the system only between the hours of 8:00 am and 6:00 pm, you could define the following LDAP translation rule. Edit Translation Rule. Name: CustomEnabledHours. Enter a name for this translation rule. Enabled: Use this rule when processing reply attributes. Attribute Name: memberof. Enter the name of the attribute (e.g. memberof). Use for all attributes. Matching Rule: contains. Select the matching rule to apply to the value of the attribute. Value: Enter the value to match the attribute against. As
420. placement of the password field on the Create Multiple Guest Accounts form, you may change the number in the Rank field. 6. In the User Interface row, choose Password text field from the drop-down list. The Field Required check box should now be automatically marked, and the Validator field should be set to IsNonEmpty. 7. Click Save Changes. The Customize Form Fields view opens again, and the password field is now included and can be edited. To create the multiple accounts that all use the same password, see Creating Multiple Guest Accounts on page 30. Editing Guest Receipt Page Properties: To edit the properties of the guest receipt page: 1. Navigate to Configuration > Guest Self-Registration. 2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears. 3. Click the Receipt Page link, or one of the Title, Header, or Footer fields for the Receipt Page, to edit the properties of the receipt page. This page is shown to guests after their visitor account has been created. Customize Guest Registration. Receipt Page UI: Options controlling the appearance of the guest receipt page. Title: Guest Registration Receipt. The title to display on the guest receipt page. Header HTML: <p> The details for your guest account are shown below
421. plate syntax found in these files is also processed, as if the file existed in place of the {include} tag itself. Comments: To remove text entirely from the template, comment it out with the Smarty syntax {* commented text *}. Be aware that this is different from an HTML comment, in that the Smarty template comment will never be included in the page sent to the Web browser. Variable Assignment: To assign a value to a page variable, use the following syntax: {assign var=name value=value} The value can be a text value (string), number, or Smarty expression to be evaluated, as shown in the examples below: {assign var=question value="forty plus two"} The question is {$question} {assign var=answer value=42} The answer is {$answer} {assign var=question_uppercase value=$question|strtoupper} THE QUESTION IS {$question_uppercase} Conditional Text Blocks: To include a block of text only if a particular condition is true, use the following syntax: {if $username} <tr><td class="nwaBody">Username</td><td class="nwaBody">{$username}</td></tr> {else} <!-- No user name, no table row --> {/if} The condition tested in the {if} ... {/if} block should be a valid PHP expression. The {else} tag does not require a closing tag. Script Blocks: The brace characters { and } are specially
422. please click <b>Next</b></p> nwa_text assign var link_text value 1732 NwaText Next. Next Step: These instructions are shown to the user after they download the application to an Android device. Enter the HTML code to display. Smarty template functions can be used here. Leave this field empty to use the default instructions. To enable provisioning Android devices, mark the check box in the Android Devices row. In the Android Rootkit Detection drop-down list, choose one of the following options. Provision all devices: All Android devices will be provisioned. Do not provision rooted devices: Onboard will detect a jailbroken Android device and will not provision the network if the device has been compromised. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. In the Next Step text box, enter the instructions that are shown to the user after they download the application to their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. {nwa_text id=10894}<p>To configure your device, you must now install the following network profile.</p>{/nwa_text}
423. plicate, Preview, Show Usage. Update and delete access: the print template is visible in the list, and may be edited or deleted. The permissions for the print template cannot be modified. (GuestManager Receipt Page, Enabled: Edit, Duplicate, Delete, Preview, Show Usage.) Full access (ownership): the print template is visible in the list, and may be edited or deleted. The permissions for the print template can be modified, if the operator has the Object Permissions privilege. (GuestManager Receipt Page, Enabled: Edit, Duplicate, Delete, Preview, Show Usage, Permissions.) Customize SMS Receipt: Navigate to Configuration > SMS Receipts to configure SMS receipt options. These fields are described for the SMS plugin configuration page. Use the SMS receipt page for further customization. For information on standard SMS services, see SMS Services on page 228. Figure 32: Customize SMS Receipt page. Customize SMS Receipt. Receipt Options: Select options for the SMS receipt. SMS Receipt: SMS Receipt. The plain text format print template to use when generating an SMS receipt. Fields: Select the visitor account fields related to the SMS receipt. Phone Number Field: visitor_phone. The field containing the visitor's phone number. Auto Send Field: visitor_phone. The field which, if it contains a non-empty string or non-zero value, will cause an account recei
424. pplication. onboard provisioning: Process used to securely provision a device and configure it with network settings. operator profile: Characteristics assigned to a class of operators, such as the permissions granted to those operators. operator, operator login: Person who uses Dell Networking W-ClearPass Guest to create guest accounts or perform system administration. OS X: Operating system from Apple, Inc. for desktop and laptop computers. over-the-air provisioning: Process used to securely provision a device and configure it with network settings; applies to iOS and OS X 10.7 only. PEAP: Protected EAP. See EAP-PEAP. ping: Test network connectivity using an ICMP echo request ("ping"). PKCS#n: Public-key cryptography standard N. Refers to a numbered standard related to topics in cryptography, including private keys (PKCS#1), digital certificates (PKCS#7), certificate signing requests (PKCS#10), and secure storage of keys and certificates (PKCS#12). PKI: Public-key infrastructure. Security technology based on digital certificates and the assurances provided by strong cryptography. See also certificate authority, digital certificate, public key, private key. print template: Formatted template used to generate guest account receipts. private key: The part of a public/private key pair that is always kept private. The private key is used to encrypt a message's signatu
425. pt SMS to be automatically sent upon creation of a visitor account. Save Configuration. SMS Receipt Fields: The behavior of SMS receipt operations can be customized with certain guest account fields. You can override global settings by setting these fields. sms_enabled: This field may be set to a non-zero value to enable sending an SMS receipt. If unset, the default value is true. sms_handler_id: This field specifies the handler ID for the SMS service provider. If blank or unset, the default value from the SMS plugin configuration is used. sms_template_id: This field specifies the print template ID for the SMS receipt. If blank or unset, the default value from the SMS plugin configuration is used. sms_phone_field: This field specifies the name of the field that contains the visitor's phone number. If blank or unset, the default value from the SMS plugin configuration is used. sms_auto_send_field: This field specifies the name of the field that contains the auto-send flag. If blank or unset, the default value from the SMS plugin configuration is used. Additionally, the special values _Disabled and _Enabled may be used to never send an SMS or always send an SMS, respectively. The logic used to send an SMS receipt is: If SMS receipts are disabled, take no action. Otherwise, check the auto-send field. If it is _Disabled
426. ption; for example, "width: 460px; height: 100px;" specifies a 460 x 100 pixel minimum area. Text field: The field is displayed as a single-line text box. The text typed in this box is submitted as the value for the field. (Sample Field: Text. This is a sample field.) A short text label may be placed after the text box using the Label After option. User Interface: Text field. The kind of user interface element to use when entering or editing this field. Label: Sample Field. Label for this field to display on the form. Description: This is a sample field. Descriptive text for this field, displayed with the user interface element. CSS Class: Optional CSS class name to apply to this form field. CSS Style: Optional CSS style text to apply to this form field. Label After: Text. Text to display after the user interface element. Form Validation Properties: The form validation properties control the validation of data entered into a form. By specifying appropriate validation rules, you can detect when users attempt to enter incorrect data and require them to correct their mistake. Form Validation Properties: These properties control how the value of this field is checked. Field Required: Field value must be supplied. Select this option if the field cannot be omitted or left blank. value for sample field
427. pts by email with a special field set: If the Auto-Send Field available for this delivery option is set to a non-empty string or a non-zero value, an email receipt will be generated and sent to the visitor's email address. The auto-send field can be used to create an "opt-in" facility for guests. Use a check box for the auto_send_smtp field and add it to the create_user form, or a guest self-registration instance, and email receipts will be sent to the visitor only if the check box has been selected. Display a link enabling a guest receipt via email: A link is displayed on the receipt page; if the visitor clicks this link, an email receipt will be generated and sent to the visitor's email address. Send an email to a list of fixed addresses: An email receipt is always generated using the selected options, and will be sent only to the list of email addresses specified in Copies To. Editing SMS Delivery of Guest Receipts: The SMS Delivery options available for the receipt page actions allow you to specify the print template to use, the field containing the visitor's phone number, and the name of an auto-send field. SMS Delivery. Enabled: Display a link enabling a guest receipt via SMS. Phone Number Field: Use Default. The field containing the visitor's phone number. Service Provider: Use Default. The service provider to use when sending SMS messages. Use Default. SMS Receipt
428. quired to create the certificate and authenticate the device. The additional processing required will also affect the battery life of a mobile device. It is recommended to use the smallest private key size that is feasible for your organization. Subject Alternative Name: These details are used to add a subjectAltName extension to the certificate request. Fields: Device Type, Device UDID, Device IMEI, Device ICCID, Device Serial, MAC Address, Product Name, Product Version, User Name. Issue Certificate: Checking this option will immediately issue the certificate for the request. Approval: Issue this certificate immediately. Create Certificate Request. If you have selected TLS Client as the certificate type, the Subject Alternative Name section is also shown. The alternative name can be used to specify additional identification details for the certificate's subject. If one or more of these options are provided, the issued certificate will contain a subjectAltName extension with the specified values. Table 16 explains the fields that may be included as part of the subject alternative name. Table 16: Subject Alternative Name Fields Supported When Creating a TLS Client Certificate Signing Request (Name, Description). Device Type: Type of device, such as iOS, Android, etc. Device UDID: Unique device identifier (UDID) for this device. This is typically a 64-bit, 128-bit, or 160-bit number represented in hexadecimal (16, 32, or
429. r Logout Warnings on the email receipt. If the value is "default", the default subject line under the Logout Warnings section on the email receipt configuration is used. String: This field overrides the print template ID specified under Logout Warnings on the email receipt. If the value is "default", the default template ID under the Logout Warnings section on the email receipt configuration is used. String: This field overrides the format in the Email Receipt field under Logout Warnings. It may be one of "plaintext" (No skin, plain text only), "html_embedded" (No skin, HTML only), "receipt" (No skin, Native receipt format), "default" (Use the default skin), or the plugin ID of a skin plugin to specify that skin. If blank or unset, the default value in the Email Receipt Field under the Logout Warnings on the email receipt configuration is used. String: This overrides the list of additional email addresses that receive a copy of the visitor account under Logout Warnings on the email receipt. If the value is "default", the default carbon-copy list under Logout Warnings from the email receipt configuration is used. String: This field overrides how copies are sent, as indicated under Logout Warnings on the email receipt, to send copies of email receipts. It may be one of "never", "always_cc", "always_bcc", "conditional_cc", or "conditional_bcc". If blank or unset, the default value from the email
430. ration. To use the Upload File form, click the Browse button in the Backup File row to navigate to and select the backup file you want to restore. To use the Specify Backup File form, enter the URL for the backup file. Click Continue. The Import Configuration Step 2 page opens. Configuration Backup: Backup cpguest amg ad localdomain com 2012 12 13 1113 complete. Configuration items listed for restore: Guest Manager, Guest Manager Configuration, Guest Manager Custom Fields, Guest Manager Custom Forms, Guest Manager Custom Views, Guest Manager Print Templates, Guest Manager Self-Registration, LDAP Sponsor Lookups, MAC Authentication Configuration, Hotspot Manager. Restore Set: Select the items from this configuration backup to restore. Confirm: Restore settings from backup. Select this option to confirm the restore operation. Caution: This may overwrite your current settings. Restore Configuration. The red X icon means the item is not available. The blue arrow icon means part of the item's configuration will be restored. The green check mark means the item's full configuration will be restored. 3. Select the items in the list that you want to restore, then mark the Restore
431. rcase characters. $digit specifies the minimum number of digits to include, or -1 to not use any digits. $symbol specifies the minimum number of symbol characters to include, or -1 to not use any symbol or punctuation characters. NwaLettersDigitsPassword: NwaLettersDigitsPassword($len). Generates an alpha-numeric password of $len characters in length, consisting of lowercase letters and digits. NwaLettersPassword: NwaLettersPassword($len). Generates a password of $len characters in length, consisting of lowercase letters. NwaMoneyFormat: NwaMoneyFormat($amount, $format = null). Formats a monetary amount for display purposes. The current page language is used to adjust formatting to the country specified. Returns a result that is guaranteed to be in UTF-8. The $format argument may be null, to specify the default behavior (U.S. English format), or it may be a pattern string containing the following: currency symbol (prefix), thousands separator, decimal point, number of decimal places. The format 1 000 00 uses the Euro sign as the currency symbol, as the thousands separator, as the decimal point, and 2 decimal places. If not specified explicitly, the default format is 1 000 00. NwaParseCsv: NwaParseCsv($text, $options = null). Parses text containing comma-separated values and returns the result as a list of records, where each record contains a list of fields. Supports CSV escaping using double
432. rch, and you can include the following operators. Table 7: Operators supported in filters (Operator, Meaning, Additional Information). Meanings: is not equal to; is greater than; is greater than or equal to; is less than or equal to; matches the regular expression; does not match the regular expression. Additional information: You may search for multiple values when using the equality or inequality operators. To specify multiple values, list them separated by the pipe character. For example, specifying the filter role_id 2 3 custom_field Value restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee) and with the field named custom_field set to Value. To restore the default view, click the Clear Filter link. Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page. NOTE: When the list contains numerous user accounts, consider using the Filter field to speed up finding a specific user account. Use the Create tab to create new visitor accounts using the New Visitor Account form. See Creating a Guest Account on page 29 for details about this form. Use the More Options tab for additional functions, including import and export of guest accounts and the
433. rd field on the Create Multiple Guest Accounts form, you may change the number in the Rank field. 6. In the User Interface row, choose Password text field from the drop-down list. The Field Required check box should now be automatically marked, and the Validator field should be set to IsNonEmpty. 7. Click Save Changes. The Customize Form Fields view opens again, and the password field is now included and can be edited. To create multiple accounts that all use the same password: 1. Go to Guest > Create Multiple. The Create Guest Accounts form opens and includes the Visitor Password field. Create Guest Accounts. Number of Accounts: Number of visitor accounts to create. Visitor Password. Account Activation: Select an option for changing the activation time of this account. Account Expiration: 1 day from now. Select an option for changing the expiration time of this account. Account Role: Contractor. Role to assign to this visitor account. Create Accounts. 2. In the Number of Accounts field, enter the number of accounts you wish to create. 3. In the Visitor Password field, enter the password that is to be used by all the accounts. 4. Complete the other fields with the appropriate information, then click Create Accounts. The Finished Creating Guest Accounts view opens. The password and other account details are displayed for each account.
434. re to authenticate the sender; only the sender knows the private key. The private key is also used to decrypt a message that was encrypted with the sender's public key; only the sender can decrypt it. public key: The part of a public/private key pair that is made public. The public key is used to encrypt a message; the recipient's private key is required to decrypt the message. A large part of a digital certificate is the certificate owner's public key. QuickConnect App: Application used to securely provision an Android, Windows, or OS X device and configure it with network settings. RFC: Request For Comments; a commonly used format for Internet standards documents. role: Type of access being granted. You can define multiple roles. Such roles could include employee, guest, team member, or press. Roles are used for both guest access (user role) and operator access to Dell Networking W-ClearPass Guest. See operator profile. root CA: Certificate authority that signs its own certificate (a self-signed certificate) and must be explicitly trusted by users of the CA. SCEP: Simple certificate enrollment protocol. Protocol for requesting and managing digital certificates. self-signed certificate: See root CA. session: Service provided by a NAS to an authorized user. skin: Web site's external appearance, or "look and feel". It can be thought of as a container that holds the application, its style sheet (font size and color for example), it
435. receipt settings • Web login pages
Accessing Configuration
To access Dell Networking W-ClearPass Guest's application customization features, click the Configuration link in the left navigation. [Navigation menu: Start Here, Authentication, Content Manager, Email Receipt, Fields, Forms & Views, Guest Manager, Guest Self-Registration, IP Phones, Print Templates, SMS Receipt, Web Logins]
Configuring ClearPass Guest Authentication
You can use the Configuration module to modify authentication settings for the Dell Networking W-ClearPass Guest application. To configure ClearPass Guest's authentication settings: 1. Go to Configuration > Authentication. The Authentication Settings form opens.
Authentication Settings form:
Dynamic Authorization: Send a disconnect/re-authorization message to the NAS. Global to automatically send disconnects when enabled/role values change. Requires a NAS Type supporting RFC 3576.
NAS Type: Aruba Networks (RFC 3576 support). Select the default type for network access servers.
RFC 3576 Bind Address: 0.0.0.0. Force a specific bind address for RFC 3576 requests. This may be needed in an AirGroup environment.
Internal Auth Type: PAP. Controls the RADIUS authentication type used for internal RADIUS authentication requests.
Security: Require HTTPS for gues
436. rent time plus the number of hours in the schedule_after field.
• "plus X", where X is a time measurement, to extend the activation time by X. The time measurement is normally hours, but may have a "ywdhms" suffix to indicate years, weeks, days, hours, minutes, or seconds, respectively. Alternatively, this operation may be written equivalently as "+X", "pX", "plusX", "add X", "addX", or "aX". Example: to delay activation time by 2 days, use the value +2d.
• "minus X", where X is a time measurement, to reduce the activation time by X. See above for details about specifying a time measurement. Alternatively, this operation may be written equivalently as "-X", "mX", "minusX", "sub X", "subX", or "sX". Example: to bring forward activation time by 12 hours, use the value -12h.
• A time measurement "X", to set the activation time to the current time plus X.
• A time and date specification, to set the activation time to that time and date. Many different formats are specified; for clarity it is recommended that a standard format such as ISO 8601 is used ("YYYY-MM-DD hh:mm:ss" format).
• Any other value, to leave schedule_time unmodified.
This field controls account creation and modification behavior; it is not stored with created or modified visitor accounts. [Field name for the row above: modify_schedule_time]
[Next row] Integer. Initial sequence number. This field is used when creating guest accounts and the random username method field is set to
437. ring is split at the separator and used for false and true values. If the argument is an array, the 0 and 1 index values are used for false and true values. Otherwise, the string values "false" and "true" are returned. [Function name for this row: NwaBoolFormat]
NwaByteFormat: Formats a non-negative size in bytes as a human-readable number (bytes, KB, MB, GB, etc.). 1 KB is defined as 1,024 bytes, 1 MB as 1,024 KB (1,048,576 bytes), and 1 GB as 1,024 MB (1,073,741,824 bytes). If a negative value is supplied, returns the argument, or null if no argument was supplied. If a non-numeric value is supplied, that value is returned directly.
NwaCurrencyFormat: Formats a numeric value that indicates a monetary amount as a string. If the argument is null or not supplied, the current locale's settings are used to format the monetary value. The argument may be an array, which will override the current locale's settings (see NwaNumberFormat for the list of settings that are used). The argument may be a numeric value, which is used as the number of fractional digits to use when formatting the monetary amount (other locale settings will remain unchanged in this case).
[Next row] Format a date like the PHP function strftime, using the argument as the date format string. Returns a result guaranteed to be in UTF-8 and correct for the current page language. See Date
438. rint or thumbprint of the certificate. 3. You can use the following additional options in the upper-right corner of the Import Trusted Certificate page: • Click the Upload another trusted certificate link to upload additional certificates. • Click the Edit <certificate name> trust settings link to open the Trust tab of the Network Settings form.
Requesting a Certificate
From the Certificate Management page, click the Upload a certificate signing request link to access the Certificate Signing Request form.
Providing a Certificate Signing Request in Text Format
If you have a certificate signing request in text format, click the Copy and paste certificate signing request as text radio button.
Certificate Signing Request form:
Step 1: Select the format of your certificate signing request. Format: Copy and paste certificate signing request as text, or Upload certificate signing request file.
Step 2: Provide the certificate signing request here. Certificate Signing Request: Copy and paste the certificate signing request here. This is a block of encoded text and should include the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines.
Certificate Type: TLS Client Certificate. Select the type of certificate to create from this signing request.
Approval: Issue this certif
439. rint receipt • Send SMS/email receipt
The operator creates the guest accounts and generates a receipt for the account. The guest logs on to the Network Access Server (NAS) using the credentials provided on her receipt. The NAS authenticates and authorizes the guest's login in ClearPass Guest. Once authorized, the guest is able to access the network.
Self-Provisioned Guest Access
Self-provisioned access is similar to sponsored guest access, but there is no need for an operator to create the account or to print the receipt. The following figure shows the process of self-provisioned guest access.
Figure 6: Guest access when guest is self-provisioned. [Diagram labels: Gateway/Router, Internet, Captive portal redirect, Web login page, Guest self-registration process, Send SMS/email receipt, ClearPass Guest, Visitors, Wireless AP, Network, Visitor Access Management Server Appliance]
The guest logs on to the Network Access Server (NAS), which captures the guest and redirects them to a captive portal login page. From the login page, guests without an account can browse to the guest self-registration page, where the guest creates a new account. At the conclusion of the registration process, the guest is automatically redirected to the NAS to log in. The guest can print or download a receipt, or have the receipt information delivered by SMS or email.
440. rity's root (self-signed) certificate.
NOTE: If you intend to change any of the root certificate's distinguished name properties, and you have previously created any client or server certificates or performed device provisioning using the existing root certificate, these certificates will be invalidated and deleted because the root certificate's distinguished name has changed. To avoid the complication of revoking and reissuing certificates, it is recommended that you configure the certificate authority before any device provisioning or other configuration is done.
Root Certificate Settings form. Identity: These details are used to create a Distinguished Name for the certificate authority. Fields: Country, State, Locality, Organization, Organizational Unit, Common Name, Signing Common Name, Email Address, Private Key.
Country: US. Enter the 2-letter ISO country code of your country.
State: California. Enter the full name of your state or province.
Locality: Sunnyvale. Enter the name of your locality (town or city).
Organization: Aruba Networks. Enter the name of your organization or company.
Organizational Unit: Enter the name of your organizational unit, e.g. section or division of the company.
Common Name: ClearPass Onboard Local Certificate Authority. Enter a name for the certificate authority. This is the common name of the digital certificate.
Signing Common Name: ClearPass On
441. rity and appears as the Signed field on the device when the user authorizes the device provisioning. 6. In the Edit ID row, mark the Change the profile ID check box to change the unique value associated with the configuration profile. This value is used to identify the configuration settings as being from a particular source, and should be globally unique. When an iOS device receives a new configuration profile that has the same profile ID as an existing profile, the existing profile will be replaced with the new profile.
NOTE: Changing the profile ID will affect any device that has already been provisioned with the existing profile ID. The default value is automatically generated and is globally unique. You should only change this value during initial configuration of device provisioning.
Configuring Instructions for iOS and OS X
To edit the instruction text shown during provisioning for iOS and OS X devices: 1. Go to Onboard > Provisioning Settings, click the iOS & OS X tab, and scroll to the Instructions area of the form. 2. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 3. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their de
442. rm
Creating a Guest Account Receipt
After you click the Create Account button on the New Visitor Account form, the details for that account are displayed.
Account Details (sample): Guest username: aliddel@wonderland.org. Guest password: 95539400. Account status: Active. Account activation: Monday, 29 October 2012, 01:27 PM. Account expiration: Account will expire at Tuesday, 30 October 2012, 01:27 PM. Account role: Contractor. Sponsor name: Wonderland.
To print a receipt for the visitor, select an appropriate template from the Open print window using template list. A new Web browser window will open and the browser's Print dialog box will be displayed.
Click the Send SMS receipt link to send a guest account receipt via text message. Use the SMS Receipt form to enter the mobile telephone number to which the receipt should be sent. Sending SMS receipts requires the SMS Services plugin. If the administrator has enabled automatic SMS, and the visitor's phone number was typed into the New Visitor Account form, an SMS message will be sent automatically. A message is displayed on the account receipt page after an SMS message has been sent.
Click the Send email receipt link to send an email copy of the guest account receipt. Use the Email Receipt form to enter the email address to which the receipt should be sent. You can also specify the subject line for the email message. If the administrator has enabled automatic email for guest account r
443. rm field [Screenshot: form field editor showing the CSS Style option (optional CSS style text to apply to this form field) and the Icon Image option (image to display with the user interface element).]
The description is not used. The field's value is ignored and will be set to NULL when the form is submitted. To place an image on the button, an icon may be specified. To match the existing user interface conventions, you should ensure that the submit button has the highest rank number and is displayed at the bottom of the form.
• Text area: The field is displayed as a multiple-line text box. The text typed in this box is submitted as the value for the field.
[Screenshot: sample Text area field and its form field editor settings. User Interface: the kind of user interface element to use when entering or editing this field. Label: label for this field to display on the form. Description: descriptive text for this field displayed with the user interface element. CSS Class: optional CSS class name to apply to this form field. CSS Style: optional CSS style text to apply to this form field. Rows: number of rows to display in the user interface element. Columns: number of columns to display in the user interface element.]
It is recommended that you specify the desired minimum dimensions of the text area, either with the Rows and Columns options or by specifying a width in the CSS Style o
444. rofile [Customization check box: Override the application's forms and views. If checked, you can specify different default forms and views to use.]
The fields in the User Interface area of the form determine elements of the application's visual appearance and behavior that operators with this profile will see. The Skin, Start Page, Language, and Time Zone options specify the defaults to use for operators with this profile. Individual operator logins may have different settings, which will be used instead of the values specified in the operator profile. For information on specifying options at the individual operator level, see Local Operator Authentication on page 247.
1. (Optional) In the Skin row, the Default setting indicates that the skin plugin currently marked as enabled in the Plugin Manager will be used. To have a different skin displayed for users with this operator profile, choose one of the available skins from the drop-down list. For more information on skins, see Plugin Manager on page 223.
2. (Optional) In the Start Page row, the Default setting indicates that the application's standard Home page will be the first page displayed after login. To have a different start page displayed to users with this operator profile, choose a page from the drop-down list. For example, if a profile is designed for users who do only certain tasks, you might want the application to open at the module where those tasks are performed.
3. (Optional) In th
445. role should have limited network access and a captive portal that redirects users to the device provisioning page.
• When a user authenticates via PEAP with unique device credentials, place them into a provisioned role.
• When a user authenticates via EAP-TLS using an Onboard client certificate, place them into a provisioned role.
For provisioned devices, additional authorization steps can be taken after authentication has completed to determine the appropriate provisioned role.
Using Different SSID for Provisioning and Provisioned Networks
To configure dual SSIDs to support provisioned devices on one network and non-provisioned devices on a separate network, use the following guidelines:
• Configure the provisioning SSID to use PEAP, or another suitable authentication method.
• When a user connects to the provisioning SSID, place them into a provisioning role. The provisioning role should have limited network access and a captive portal that redirects users to the device provisioning page.
• When a user connects to the provisioned SSID, authenticate based on the type of credentials presented.
• For PEAP authentication with unique device credentials, place them into a provisioned role.
• For EAP-TLS authentication using an Onboard client certificate, place them into the provisioned role.
• In all other cases, deny access.
As for the single SSID case, a
446. rom_time, $to_time = null)
Calculate the number of sessions from accounting records in the database.
NOTE: This is a multi-purpose function that has a very flexible query interface; for ease of use, consider using one of the related functions GetCallingStationSessions, GetIpAddressSessions, GetUserActiveSessions, or GetUserSessions.
$criteria is the criteria on which to search for matching accounting records. As well as the criteria specified, the time interval specified by $from_time and optionally $to_time is also used to narrow the search. If $to_time is not specified, $from_time is a "look back" time, that is, the time interval in seconds before the current time. If $to_time is specified, the interval considered is between $from_time and $to_time. Returns the total number of sessions for matching accounting records in the time interval specified.
GetSessionTimeRemaining
GetSessionTimeRemaining($username, $format = "relative")
Calculates the session time remaining for a given user account, if the user account was to be authenticated at the moment of the call. The username parameter is required. This is the username for the authentication. The format parameter is optional, and defaults to "relative" if not otherwise specified. This parameter may be one of the following values:
"relative" or "session_time": Calculates the session timeout as for the Session-Timeout RADIUS attribute, that i
447. rs • Wired only: Configures only wired (Ethernet) network adapters.
7. The options available in the Security Type drop-down list are:
• Enterprise (802.1X): Use this option to set up a network that requires user authentication. This option is the only available choice when the Network Type is set to Wired only.
• Personal (PSK): Use this option to set up a network that requires only a pre-shared key (password) to access the network. This option is only available when the Network Type is set to Wireless only.
8. The Security Type field lets you set the encryption version for the wireless network to WPA or WPA2.
9. If you have selected the Personal (PSK) security type, you must provide the pre-shared key in the Password field. Selecting this security type will hide the Protocols, Authentication, and Trust tabs.
10. In the Wireless Network Settings area:
• The drop-down list in the OS X Profile row allows you to select the type of profile to create when an OS X 10.7 (or later) device is provisioned. To create a per-user profile, select the User option. To create a system profile, select the System option. The System option can be used in settings where the device has several users and a single profile might be preferred to individual user profiles; for example, where an iMac in a high school classroom is used by
448. rs, then you should define multiple LDAP Servers and use the priority of each to control the order in which the directory searches are done.
LDAP Translation Rules
LDAP translation rules specify how to determine operator profiles based on LDAP attributes for an authenticated operator. To create a new LDAP translation rule: 1. Go to Administration > Operator Logins > Translation Rules, then click the Create new translation rule link. The Edit Translation Rule form opens.
Edit Translation Rule form (example values):
Name: MatchAdmin. Enter a name for this translation rule.
Enabled: Use this rule when processing reply attributes.
Attribute Name: memberof. Enter the name of the attribute (e.g. memberof). Use for all attributes.
Matching Rule: contains. Select the matching rule to apply to the value of the attribute.
Value: CN=Administrators. Enter the value to match the attribute against.
On Match: Assign fixed operator profile. Select what happens when this translation rule matches an attribute.
Operator Profile: IT Administrators. Select the operator profile to assign.
Fallthrough: Continue translation if rule matches. Check this box if you want to apply multiple translation rules.
2. In the Name field, enter a self-explanatory name for the translation rule. In the example above, the translation rule is to check that the user is an administrator, hence the name Ma
449. rtificate: Choose the trusted certificate to upload. The certificate must be in PEM format (.pem). [Upload Certificate button] 2. Click Choose File to browse to the certificate on your system, then click Upload Certificate. A confirmation message is displayed, and the imported certificate is included in the Certificate Management list. You can click the Show Certificate link next to the certificate's name to view the certificate's details.
[Screenshot: Certificate Information for a sample certificate. Certificate Details (details about the certificate and its owner): Issued To, Valid From, Valid To, Subject. Issuer Details (details about the certificate authority that issued the certificate): Issued By, Issuer. Advanced (technical information about the certificate): Fingerprint.]
This is the SHA-1 fingerp
450. rwrite an existing content item that has the same name.
2. In the File row, click Browse to navigate to the file you wish to upload. The maximum file size is 15 MB. You can upload single content files, multiple content asset files and folders, or a Web deployment archive. To upload multiple assets, first compress the files as a tarball or zip file, then browse to it in the File field. Allowed file formats are .tgz, .tar.gz, .tb2, .tar.bz2, or .zip. When you have uploaded the file, the Extract option lets you create the new directory, navigate into it, and view and extract the files. Directory structure is preserved when extracting.
3. (Optional) You may enter a description of the content assets in the Description text area.
4. To overwrite a previous file of the same name, mark the Overwrite check box.
5. Click Upload Content to upload the file. The file is displayed in the list view and will be placed in the public directory on the Web server. You can reference the file when creating custom HTML templates.
Downloading Content
To download a file from the Internet for use in ClearPass Guest: 1. Go to Configuration > Content Manager, then click the Download New Content tab. The Fetch Content form is displayed.
Fetch Content form. Content URL: Enter the URL of the resource to download. Description: Enter an optional
451. s 52
AirGroup Device Registration 53
Registering Groups of Devices or Services 53
Registering Personal Devices 55
Automatically Registering MAC Devices in ClearPass Policy Manager 56
Importing MAC Devices 57
Advanced MAC Features 57
2-Factor Authentication 57
MAC-Based Derivation of Role 57
User Detection on Landing Pages 58
Click-Through Login Pages 58
Active Sessions Management 59
Session ... 60
RFC 3576 Dynamic Authorization 61
Filtering the List of Active Sessions
452. s In most cases, plugin configuration settings do not need to be modified directly. Use the customization options available elsewhere in the application to make configuration changes. For more information about plugin configuration:
• AirGroup Services: See Creating AirGroup Administrators on page 221.
• Kernel: See Configuring the Kernel Plugin on page 225.
• Dell ClearPass Skin: See Configuring the Dell W-ClearPass Skin Plugin on page 226.
• Guest Manager: See Default Settings for Account Creation on page 137.
• SMS Services: See Sending an SMS on page 232.
• SMTP Services: See Email Receipts and SMTP Services on page 189.
• MAC Authentication: See MAC Authentication in ClearPass Guest on page 44.
Configuring the Kernel Plugin
The Kernel Plugin provides the basic framework for the application. Settings you can configure for this plugin include the application title, the debugging level, the base URL and the application URL, and autocomplete.
Configure Kernel 6.0.0-22363 form:
Application Title: The title of the web application. This is displayed as the title of the main page.
Debug Level: Debugging level for the application. Zero is off, 1 logs PHP messages, and ... logs PHP messages with full debugging details.
Application URL: Base URL for the application.
Request browsers to not save password information: Select this option if your policy is to never remember form field and credentia
453. s The Customize Email Receipt form may be used to set default options for visitor account email receipts. To configure email receipt options, go to Configuration > Email Receipt. The Customize Email Receipt form opens.
Figure 30: Customize Email Receipt page
Receipt Options: Select options for the email receipt.
Subject Line: Visitor account receipt for email. Template specifying the subject line for visitor account receipts sent by email.
Email Receipt: GuestManager Receipt. The plain text or HTML print template to use when generating an email receipt.
Skin: Use the default skin. The format in which to send email receipts.
Copies To: An optional list of email addresses to which copies of visitor account receipts will be sent.
Send Copies: Use Bcc if sending to a visitor. Specify when to send visitor account receipts to the recipients in the Copies To list.
Reply To: Allow the reply-to address to be overridden per operator. If checked, the reply-to address will be overridden by the sponsor_email field of a user, or the admin's email. Leave unchecked to use the global from address.
Override From: Override the from address instead of using reply-to. If checked, the from address will be overridden in lieu of the reply-to value above. Note this
454. s 121
• Machine Only: Use computer-only credentials.
• User Only: Use user-only credentials.
• Machine Or User: Use computer-only credentials or user-only credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, computer-only credentials are used for authentication.
• Guest: Use guest-only credentials.
3. Do one of the following:
• Click the Previous button to return to the Protocols tab.
• Click the Next button to continue to the Trust tab.
• Click the Create Network button to make the new network configuration settings take effect.
• Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.
Configuring Mutual Authentication Settings
Click the Trust tab to display the Enterprise Trust form. Use this form to create the network settings that will be sent to a provisioned device.
Network Settings form, Enterprise Trust [tabs: Access, Protocols, Authentication, Trust, Windows, Proxy]:
Enterprise Trust: Certificate trust options for 802.1X protocols supported on the network.
Configure Trust: Automatically configure trust settings. Use automatic configuration if you are using Policy Manager for authentication. Otherwise, select manual configuration.
Trusted Server Names: Enter the certificate names expected from the authentication server, one per line. Wildcards may be used to
455. s
Validation Error: The error message to display if the field's value fails validation and the validator does not return an error message directly.
This example could be used for a string field named visitor_department. Because the values are known in advance, a drop-down list is the most suitable user interface. An initial value for the form field, as shown above, could be used if most visitors are in fact there to visit the sales team. To match against a list of options used for a drop-down list or set of radio buttons, you can use the IsInOptionsList validator.
Example 3: To create a form field that validates U.S. social security numbers using a regular expression, use the following settings in the form field editor:
Field Required: Field value must be supplied. Select this option if the field cannot be omitted or left blank.
Initial Value: Value to initialize this field with when the form is first displayed.
Validator: IsRegexMatch. The function used to validate the contents of a field.
Validator Param: None. Optional name of field whose value will be supplied as the argument to a validator.
Validator Argument: d d d d id d id id ds P. Optional value to supply as the argument to a validator.
Validation Error: Please a valid SSN. The error message to display if the field's value fails validation and the validator does not return an error message directly.
Notice that the regular expres
456. s • If users are entered in the Shared With field, the device can only be accessed by the specified users.
6. In the Shared Roles field, enter the user roles that are allowed to use the device. Use commas to separate the roles in the list.
• To make the device available to all roles, leave this field blank.
• If roles are entered in the Shared Roles field, the device can only be accessed by users with matching roles.
7. Click Register Shared Device. The Finished Creating Guest Account page opens. This page displays Account Details and provides printer options.
[Screenshot: Account Details for a sample device, showing MAC Address, Account status, Account role, and Sponsor name, with the Open print window using template list.]
To view and edit your organization's shared AirGroup devices:
1. Go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The AirGroup Devices page opens. This page lists all the shared AirGroup devices for the organization. You can remove a device; edit a device's name, MAC address, shared locations, shared user list, or shared roles; print device details; or add a new device.
2. To work with a device, click the device's row in the list. The form expands to include the Remove, Edit, and Print options.
[Screenshot: AirGroup Devices list with the columns Device Name, MAC Address, Created By, Created, Shared Locations, and Shared With.]
457. s the number of seconds before the session should end. If the session does not have a session timeout, the value returned is 0.
"time": Calculates the session end time, as the UNIX time at which the session should end. If the session does not have an expiration time, the value returned is 0.
Other values: These are interpreted as a date format (see NwaDateFormat), and the session end time is returned in this format. Examples: "iso8601", "longdate", "recent", "%Y-%m-%d %H:%M", etc. If the session does not have an expiration time, the value returned is a blank string.
GetTime
GetTime($criteria, $from_time, $to_time = null)
Calculate the sum of session times for accounting records in the database.
NOTE: This is a multi-purpose function that has a very flexible query interface; for ease of use, consider using one of the related functions. See GetCallingStationTime on page 270, GetIpAddressTime on page 272, or GetUserTime.
$criteria is the criteria on which to search for matching accounting records. As well as the criteria specified, the time interval specified by $from_time and optionally $to_time is also used to narrow the search. If $to_time is not specified, $from_time is a "look back" time, that is, the time interval in seconds before the current time. If $to_time is specified, the interval co
458. s, then select the AirGroup Operator profile in the list. 2. Click the Edit link. The Edit Operator Profile form opens. 3. In the Account Limit field, specify an appropriate value. This is the maximum number of personal devices that an operator with this profile can create. 4. Click Save Changes.
You can create a set of operator profiles and configure each profile with a different account limit. This makes it easy to assign operator profiles appropriately for small groups, larger groups, or events. To create each profile in the set, duplicate the built-in AirGroup Operator profile and update the Account Limit field in the new profile.
Local Operator Authentication
ClearPass Policy Manager profiles and ClearPass Guest profiles are different. To create a ClearPass Guest operator login, local users are first defined in ClearPass Policy Manager with a role that matches an operator profile in Guest, then rules are used to map the role to the Guest operator profile.
Creating a New Operator
To create a new operator or administrator for ClearPass Guest or AirGroup, some steps are performed in ClearPass Policy Manager (CPPM) and some steps are performed in ClearPass Guest, as described below:
1. Create an operator profile in ClearPass Guest, or use an existing one. See Operator Profiles on page 242. To create AirGroup users, choose either t
459. s CRL generation to list revoked certificates Supports OCSP responder to query for certificate status Approve certificate signing request Reject certificate signing request Sign certificate from uploaded certificate signing request CSR Issue certificate Revoke certificate Display certificates Export certificate Renew root certificate Certificate authority enables the creation and revocation of unique credentials on a specific user s device Exchange ActiveSync Passcode policy VPN settings Provision additional settings specific to iOS devices Supported Platforms The platforms supported by Dell Networking W ClearPass Onboard and the version requirements for each platform are summarized in the following table Table 14 Platforms Supported by ClearPass Onboard Platform Example Devices Version Required for Onboard Support Notes iPhone Apple i0S iPad iPod Touch IOS 4 IOS 5 Mac OS X 10 8 Mountain Lion Mac OS X 10 7 Lion Apple Mac OS X MacBook Pro Samsung Galaxy S Android Samsung Galaxy Tab Android 2 2 or higher Motorola Droid Windows XP with Service Pack 3 Windows Vista with Service Pack 3 Windows 7 Laptop Microsoft Windows Nao MACBOOKA Mac OS X 10 6 Snow Leopard 9 Mac OS X 10 5 Leopard Note 1 Uses the Over the air provisioning method Note 2 Uses the Onboard provisioning method Note 3 Onboard may also be used to provision VPN settings Exchange Acti
460. s Scenarios on page 16
• Reference Network Diagram on page 16
• Key Interactions on page 17
• AAA Framework on page 18
• Key Features on page 19
• Visitor Management Terminology on page 20
• ClearPass Guest Deployment Process on page 21
• AirGroup Deployment Process on page 23
• Documentation and User Assistance on page 24
• Use of Cookies on page 25

About Dell Networking W ClearPass Guest

Dell Networking W ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. It gives your non-technical staff controlled access to a dedicated visitor management user database. Through a customizable Web portal, your staff can easily create an account, reset a password, or set an expiry time for visitors. Access permissions to ClearPass Guest functions are controlled through an operator profile that can be integrated with an LDAP server or Active Directory login.

Visitors can be registered at reception and provisioned with an individual guest account that defines their visitor profile and the duration of their visit. The visitor can be given a printed customized receipt with account details, or the receipt can be delivered wirelessly using the integrated SMS services. Companies are also able to pre-generate custom scratch cards, each with a defined network access time, which can then be handed out in a corporate environment or sold in pu
461. [Screenshot: visitor account form with the fields Company Name, Email Address, Account Activation, Account Expiration, Account Role, Password and Terms of Use, and a Create Account button]

To complete the form, first enter the visitor's details into the Sponsor's Name, Visitor Name, Company Name, and Email Address fields. The visitor's email address will become their username to log into the network.

You can specify the account activation and expiration times. The visitor account cannot be used before the activation time, or after the expiration time.

The Account Role specifies what type of account the visitor should have.

A random password is created for each visitor account. This is displayed on this form, but will also be available on the guest account receipt.

You must mark the Terms of Use check box in order to create the visitor account.

Click the Create Account button after completing the fo
462. s controlling details and actions a visitor has to their own account.

[Screenshot: self-service portal form with the fields Enabled (Enable self-service portal), Disabled Users (Prohibit disabled users from accessing the service portal), Auto login by IP address, Login Page UI Overrides, Summary Page UI Overrides, Change Password, Reset Password, Required Field (Secret Question) and Password Generation, and the buttons Save and Reload and Save Changes]

Auto login by IP address: If set and the user has an active accounting session, they will be logged in automatically.

Required Field: The field containing a value the visitor must match prior to resetting their password.

To adjust the user interface, use the override check boxes to display additional fields on the form. These fields allow you to customize all text and HTML displayed to users of the self-service portal.

The behavioral properties of the self-service portal are described below:

• The Enable self-service portal check box must be selected for guests to be able to access the
463. s header and footer, and so forth.

SMS: Short Message System; a method for delivering short messages (up to 140 characters) to mobile phones.
sponsor: See operator.
TLS: See EAP-TLS.
trust chain: Sequence of certificates, starting at a trusted root certificate, that establishes the identity of each certificate in the chain.
trusted root: See root CA.
unique device credentials: Network authentication credentials that uniquely identify the device and user and enable management of provisioned devices. May be a username and password or a TLS client certificate, depending on the type of device.
user database: Database of the guests on the system.
view: Table containing data. Used to interactively display data such as visitor accounts to operators.
visitor/guest: Someone who is permitted to access the Internet through your Network Access Server.
VPN: Virtual private network. Enables secure access to a corporate network when located remotely.
VSA: Vendor-specific attribute.
walled garden: Network resources that can be accessed by unauthorized users through the captive portal.
Web login: Login page displayed to a visitor.
X.509: Standard defining the format and contents of digital certificates.
464. s issued to devices when they are provisioned
• Which operating systems should be supported
• Authorization properties: the number of devices that a user may provision

The Device Provisioning form is organized in tabbed pages, with separate tabs for General, iOS & OS X, Legacy OS X, Windows, Android, and Onboard Client information.

Configuring Basic Provisioning Settings

[Screenshot: General tab of the Device Provisioning Settings form, with the fields Name (Enter a name for this configuration set), Organization (Enter an organization name for this configuration set. The organization name is displayed by the device during provisioning) and Description (Enter comments or notes about this configuration set)]

To configure basic provisioning settings:

1. Go to Onboard > Provisioning Settings and click the General tab. The first part of the Device Provisioning Settings form's General tab is used to specify basic information about Onboard provisioning.
2. The Name and Description fields are used internally to identify this set of Onboard settings for the network administrator. These values are never displayed to the user during device provisioning.
3. Use the Organization field to provide the name of your organi
465. s that contain different combinations of uppercase letters, lowercase letters, digits and symbols amp lt gt 1 _ 1. The available options for this setting are:

• No password complexity requirement
• At least one uppercase and one lowercase letter
• At least one digit
• At least one letter and one digit
• At least one of each: uppercase letter, lowercase letter, digit
• At least one symbol
• At least one of each: uppercase letter, lowercase letter, digit, and symbol

Minimum Password Length: The minimum acceptable password length for guests changing their account passwords.

Disallowed Password Characters: Special characters that should not be allowed in a guest password. Spaces are not allowed by default. You can specify special characters, numbers, and letters to exclude from passwords, for example letters and numbers that can look similar, such as 1 l 1 0 O 0 5 S.

Disallowed Password Words: Enter a comma-separated list of words that are disallowed and will not be created by the random words password generator.

Figure 24: Customize Guest Manager Page, Continued (middle section)

Expiration Options: The available options to select from when choosing the expiration time of a gues
466. se. Complete the fields with the appropriate information, then click either Send Test Message or Save and Close. The new configuration settings will take effect immediately.

Editing an SMS Gateway

To edit an SMS gateway:

1. Go to Administration > SMS Services > SMS Gateways. The SMS Gateways list view opens.
2. Click the gateway's row in the list. The row expands to include the Edit SMS Gateway form for the existing gateway.

[Screenshot: SMS Gateway Configuration form with the fields SMS Gateway (SMS over SMTP), Display Name, Carrier Selection, Mobile Carrier, Debug, Message and Recipient, and the buttons Send Test Message and Save and Close]

Display Name: The name for this service handler. This will be displayed to operators using the system.
Debug: If selected, debug messages will be generated for each stage of the HTTP transaction for the service provider.
Message: Enter the message to send (maximum 160 characters).
Recipient: Enter the mobile telephone number of the recipient in international format.

3. The SMS Gateway field displays the gateway service that was selected when the gateway was create
467. se fields are used to determine the time at which the visitor account will expire.

• If modify_expire_time is "none", then the account has no expiration time set.
• If modify_expire_time is "now", then the account is disabled and has no expiration time set.
• If modify_expire_time is a value that specifies a relative time change, for example "1h", then the visitor account's expiration time is modified accordingly.
• If modify_expire_time is a value that specifies an absolute time, for example "2010-12-31 17:00", then the visitor account's expiration time is set to that value.
• If modify_expire_time is "expire_after" or "expire_time", then the expiration time is determined according to the expire_after or expire_time fields, as explained below.

• If expire_after is set and not zero, and the account will be activated immediately, then add the value in hours to the current time to determine the expiration time.
• If expire_after is set and not zero, and account activation is set for a future time (schedule_time) instead of the current time, then the expiration time is calculated relative to the activation time instead of the current time.
• Otherwise, if expire_after is zero, negative or unset, and expire_time has been specified, use that expiration time. If the expire_time specified is in the past, set do_expire to 0 and ignore
468. sed to create a private key for the intermediate certificate.

[Screenshot: intermediate certificate request form with the Private Key section (Generate a new private key), the Intermediate Certificate section (these options specify other properties of the certificate request), the Digest Algorithm field set to SHA-1 (recommended), a Confirm check box (Generate CA certificate request and invalidate all other certificates) and the Create Certificate Request button]

Digest Algorithm: Select the algorithm used to sign the digital certificate request.

Warning: Creating a new intermediate CA certificate request will replace the existing CA certificate. This invalidates all existing certificates.

In the Identity section of the form:

• Enter values in the Country, State, Locality, Organization, and Organizational Unit text fields that correspond to your organization. These values form part of the distinguished name for the certificate authority.
• Enter a descriptive name for the certificate authority in the Common Name text field. This value will be used to identify the intermediate certificate as the issuer of client and server certificates from this certificate authority.
• Enter a contact email address in the Email Address text field. This email address will be included in the certificate authority's certificate, and provides a way for users of the certificate authority to contact your organization.

In the Private Key section:

• To create a new private key for the intermediate certificate, mark the Generate a new private key check box
469. settings from backup check box to confirm. Click Restore Configuration. System progress is displayed while the changes are made. When the backup is complete, the Administration module's Start Here page displays a list of any errors that occurred during the backup operation. This might include such things as "items not found" or "plugin missing".

Plugin Manager

Plugins are the software components that fit together to make your Web application. The Available Plugins list shows all the plugins currently included in your application. It lets you view information about each plugin and configure some aspects of most plugins. You can click a plugin's name to go directly to that area of the application; for example, clicking the name of the SMTP Services plugin opens the Customize Email Receipt page in the Configuration module.

Viewing Available Plugins

To access the Available Plugins list, navigate to Administration > Plugin Manager. The Available Plugins page opens. Plugins are listed by category and include:

• Standard application plugins: Provide corresponding functionality for interactive use by operators
• Kernel plugins: Provide the basic framework for the application
• Operator Login plugins: Control access to the Web application
• Skin plugins: Provide the style for the application's visual appearance
• Translation plugins: Prov
470. should deploy Policy Manager for authentication.

The ClearPass Onboard Process

Devices Supporting Over-the-Air Provisioning

Dell Networking W ClearPass Onboard supports secure device provisioning for iOS 4, iOS 5, and recent versions of Mac OS X (10.7 "Lion" and later). These are collectively referred to as "iOS devices". The Onboard process for iOS devices is shown in Figure 14.

Figure 14: ClearPass Onboard Process for iOS Devices

The Onboard process is divided into three stages:

1. Pre-provisioning. The enterprise's root certificate is installed on the iOS device.
2. Provisioning. The user is authenticated at the device provisioning page and then provisions their device with the Onboard server. The device is configured with appropriate network settings and a device-specific certificate.
3. Authentication. Once configuration is complete, the user switches to the secure network and is authenticated using an EAP-TLS client certificate.

A sequence d
471. sign custom value to operator field

[Screenshot: translation rule form with the fields On Match, Operator Field (enabled), Custom and Fallthrough (Continue translation if rule matches), and the Save Changes button]

The Custom rule is:

    {strip}
    {if stripos($user.memberof, "CN=Administrators")!==false}
    1
    {elseif date('H') >= 8 && date('H') < 18}
    1
    {else}
    0
    {/if}
    {/strip}

Explanation: The rule will always match on the memberof attribute that contains the user's list of groups. The operator field enabled will determine if the user is permitted to log in or not. The custom template uses the {strip} block function to remove any whitespace, which makes the contents of the template easier to understand. The {if} statement first checks for membership of the Administrators group, using the PHP stripos() function for case-insensitive substring matching; if matched, the operator will be enabled. Otherwise, the server's current time is checked to see if it is after 8am and before 6pm; if so, the operator will be enabl
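The group test in the custom rule above is a substring match, so any memberof value that merely contains CN=Administrators enables the operator. The following is an added example in Python (not ClearPass code and not from the guide) that models the rule and compares it with an exact match on the leading CN of each group DN; the function names, the sample DNs and the list-of-DNs input are assumptions.

```python
"""Model of the LDAP translation rule: substring match vs. exact group match."""

ADMIN_GROUP = "Administrators"  # group name taken from the rule in the guide

# Constructed sample memberof values (not from any real directory).
ADMIN = ["CN=Administrators,CN=Builtin,DC=example,DC=com"]
LOOKALIKE = ["CN=Administrators-Printers,OU=Groups,DC=example,DC=com"]
NESTED = ["CN=Helpdesk,CN=Administrators Staff,DC=example,DC=com"]


def in_business_hours(hour):
    """Server-time window from the rule's explanation: 8am up to 6pm."""
    return 8 <= hour < 18


def substring_rule(memberof_values, hour):
    """Behaviour of the rule as written: case-insensitive substring test.

    Assumption: the memberof values are flattened into one string before
    the test, which is what a stripos() call on the attribute implies.
    """
    flattened = " ".join(memberof_values).lower()
    if "cn=administrators" in flattened:
        return 1
    return 1 if in_business_hours(hour) else 0


def split_unescaped(text, sep):
    """Split on sep while honouring backslash escapes used in LDAP DNs."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escaped pair together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def group_cns(memberof_values):
    """Return the lower-cased leading CN of every group DN."""
    cns = set()
    for dn in memberof_values:
        first_rdn = split_unescaped(dn.strip(), ",")[0]
        attr, _, value = first_rdn.partition("=")
        if attr.strip().lower() == "cn" and value:
            cns.add(value.strip().lower())
    return cns


def exact_rule(memberof_values, hour):
    """Stricter variant: the group's own CN must equal the admin group name."""
    if ADMIN_GROUP.lower() in group_cns(memberof_values):
        return 1
    return 1 if in_business_hours(hour) else 0


if __name__ == "__main__":
    for label, groups in (("admin", ADMIN), ("lookalike", LOOKALIKE),
                          ("nested", NESTED)):
        print(label, substring_rule(groups, 3), exact_rule(groups, 3))
```

Comparing the full group DN against one expected value is stricter still, since two groups in different containers can share a CN.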
472. sion used here includes beginning and ending delimiters (in this case the character), and ensures that the whole string matches by the start-of-string marker and the end-of-string marker. The construct \d is used to match a single digit. Many equivalent regular expressions could be written to perform this validation task. See Regular Expressions on page 305 for more information about regular expressions.

Advanced Form Field Properties

Advanced Properties: These properties control conversion, display and dynamic behaviours.

• Advanced: Show advanced properties
• Conversion: The function used to convert an incoming field value prior to validation.
• Type Error: The error message to display if the field's value is not supplied, has an incorrect type, or if conversion fails.
• Value Format: The function used to format a field value after validation.
• Display Function: The function used to convert a field to a displayable value on the form.
• Static Display Function: The function used to convert a static field to a displayable value on the form.
• Force Value: Always use initial value on form submit. Sets the field's value to the initial value specified above when the form is submitted. Use this opt
473. specifies the user principal name (UPN) of the user. The UPN is an Internet-style login name for the user, based on the Internet standard RFC 822.

The sAMAccountName property is a single-valued property that is the logon name.

The objectSid property is a single-valued property that specifies the security identifier (SID) of the user.

accountExpires: The accountExpires property specifies when the account will expire.
badPasswordTime: The badPasswordTime property specifies when the last time the user tried to log onto the account using an incorrect password.
badPwdCount: The badPwdCount property specifies the number of times the user tried to log on to the account using an incorrect password.
codePage: The codePage property specifies the code page for the user's language of choice. This value is not used by Windows 2000.
countryCode: The countryCode property specifies the country code for the user's language of choice. This value is not used by Windows 2000.
lastLogoff: The lastLogoff property specifies when the last logoff occurred.
lastLogon: The lastLogon property specifies when the last logon occurred.
logonCount: The logonCount property counts the number of successful times the user tried to log on to this account.
mail: The mail property is a single-valued property that contains the SMTP address for the user, such as demo example
474. specify the name, e.g. wpa.example.com. If a server presents a certificate that isn't in this list, it won't be trusted.

Configuring Trust Settings Automatically

1. When you open this tab, the default selection in the Configure Trust field is Automatically configure trust settings (recommended). With this option selected, Onboard automatically determines the appropriate certificate trust configuration for your deployment.
2. If the deployment is not using the built-in CA, you may use the Trusted Server Names text field to enter the certificate names to accept from the authentication server. Only certificates included in this list will be trusted. Enter each server name on a separate line. You can use wildcards.
3. Do one of the following:
• Click the Previous button to return to the Authentication tab.
• Click the Next button to continue to the Windows tab.
• Click the Create Network button to make the new network configuration settings take effect.
• Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.

Configuring Trust Settings Manually

1. To change the recommended default setting and configure trust settings manually, choose Manually configure certificate trust settings in the Configure Trust drop-down list. The form expands to include configuration op
475. ss symbol
• fatal: skull symbol
• info: information symbol
• note (or arrow): right-pointing arrow
• ClearPass Guest: ClearPass Guest logo
• ok (or tick): green tick mark
• warn (or warning): warning symbol
• wait: animated spinner

If noindent=1 is specified, the block is not indented using the nwaIndent style. If novspace=1 is specified, the block uses a DIV element, rather than a P element. If neither icon nor type is supplied, the default behavior is to insert an info type image. Specifying a type is equivalent to specifying an icon, width, height and alt parameter, and may also include a class depending on the type selected.

Usage example:

    {nwa_icontext struct=$error}{/nwa_icontext}

The struct parameter, if specified, uses a standard result type. If the error key is set and non-zero, the type parameter is set to the value error, and the message key is converted to a HTML formatted error message for display.

nwa_quotejs

    {nwa_quotejs} ... {/nwa_quotejs}

Smarty registered block function. Quotes its content in a string format suitable for use in JavaScript. This function also translates UTF-8 sequences into the corresponding JavaScript Unicode escape sequence \uXXXX.

Usage example:

    {nwa_quotejs} String with and {/nwa_quotejs}

The output of
476. stManager Standard Fields

Field / Description

String. The current account activation time in long form. This field is available on the change_expiration and guest_enable forms. The value is generated from the do_schedule and schedule_time fields, and may be one of the following:
• Account will be enabled at date and time
• Account is currently active
• No account activation

auto_update_account: Boolean flag indicating that an already existing account should be updated, rather than failing to create the account. This field should normally be enabled for guest self-registration forms, to ensure that a visitor that registers again with the same email address has their existing account automatically updated. Set this field to a non-zero value or a non-empty string to enable automatic update of an existing account. This field controls account creation behavior; it is not stored with created visitor accounts.
477. sting the guest accounts in ClearPass Guest.

In a user interface, a table displaying data, such as visitor account information, to operators.

Visitor/Guest: Someone who is permitted to access the Internet through your Network Access Server.

Settings for a visitor stored in the user database, including username, password and other fields.

Web Login/NAS Login: Login page displayed to a guest user.

ClearPass Guest Deployment Process

As part of your preparations for deploying a visitor management solution, you should consider the following areas:

• Visitor Account Management: decisions about security policy
• Decisions about the day-to-day operation of visitor management
• Technical decisions related to network provisioning

Operational Concerns

When deploying a visitor management solution, you should consider these operational concerns:

• Who is going to be responsible for managing guest accounts? What privileges will the guest account manager have? Will this person only create guest accounts, or will this person also be permitted access to reports?
• Do you want guests to be able to self-provision their own network access? What settings should be applied to self-provisioned visitor accounts?
• How will operator logins be provisioned? Should operators be authenticated against an LDAP server?
• Who will manage reporting of guest access? What are the reports of interest? Are any custom reports needed?

Network Provisioning

Deploying ClearPass
478. stname or IP address to use for device provisioning. To be provisioned, devices must be able to access Dell Ovf 50225 via HTTPS.

Yes, validate this web server's certificate (recommended): Specify whether the web server's certificate is to be validated during device provisioning. When testing with the default self-signed web server certificate, you may need to disable validation. This option applies to Windows, Android and OS X 10.5/6 devices only.

Other fields on the form: an image to use in the provisioning wizard (new images can be uploaded using the Content Manager), a title for the wizard used on Windows and Legacy OS X 10.6 devices, the URL displayed to users who have forgotten their password, and the URL displayed to users who require helpdesk assistance.

device provisioning.

NOTE: This option requires that the device be able to resolve the listed hostname at the time the device is provisioned.

• The system's IP address (network adapter name): Select this option to use the IP address of the system for device provisioning. The drop-down list includes one option for each of the IP addresses detected on the system. Use this option when DNS resolution of the system's hostname is not available for devices that are in a provisioning role.
479. supports a number of options for MAC Authentication and the ability to authenticate devices. The advanced features described in this section generally require a WLAN capable of MAC authentication with captive portal fallback. Please refer to your WLAN documentation for setting up the controller appropriately.

To verify that you have the most recent MAC Authentication Plugin installed and enabled before you configure these advanced features, go to Administration > Plugin Manager > List Available Plugins. For information on plugin management, see Plugin Manager on page 223.

MAC Address Formats

Different vendors format the client MAC address in different ways, for example:

• 112233AABBCC
• 11 22 33 aa bb cc
• 11 22 33 AA BB CC

ClearPass Guest supports adjusting the expected format of a MAC address. To configure formatting of separators and case in the address, as well as user detection and device filtering for views, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication plugin. The MAC Authentication Configuration page opens.

Figure 7: MAC Authentication Plugin Configuration

Allow users to be detected via their MAC address: Provides access to user configuration for headers, footers, etc. on login and registration pages. Please note that a passed MAC can be easily changed by the user, so personal details should not
480. [Screenshot: import form with the fields Character Set (UTF-8; Select the character set encoding of the file), Import Format (Automatically detect format; Select the file format of the file) and Header (Force first row as header row)]

To complete the form, you must either specify a file containing account information, or type or paste in the account information to the Accounts Text area.

Select the Show additional import options check box to display the following advanced import options:

• Character Set: ClearPass Guest uses the UTF-8 character set encoding internally to store visitor account information. If your accounts file is not encoded in UTF-8, the import may fail or produce unexpected results if non-ASCII characters are used. To avoid this, you should specify what character set encoding you are using.
• Import format: The format of the accounts file is automatically detected. You may specify a different encoding type if automatic detection is not suitable for your data. The Import Format drop-down list includes the following options:
  • Automatically detect format (this default option recognizes guest accounts exported from ClearPass Policy Manager in XML format)
  • XML
  • Comma separated values
  • Tab separated values
  • Pipe separated values
  • Colon separated values
  • Semicolon separated values
• Select the Force first row as header row check box if your data contains a
481. t, only the Client IP and Message fields are searched. To search all fields, mark the check box in the Options row.

Events are stored in the Application Log for seven days by default. To review a record of significant runtime events prior to the last seven days, you can use the Audit Viewer in ClearPass Policy Manager's Monitoring module.

Exporting the Application Log

To save the log in other formats:

1. Click the Export tab. The Export Application Logs form opens.

[Screenshot: Export Application Logs form with the fields Format (Select a format to export the logs to), Range and Download Limit (Enter the maximum number of log messages to download. Leave this field empty to download all messages. WARNING: downloading all messages could take a long time.)]

2. In the Format drop-down list, choose the format you want the file saved as. The available formats are Comma Separated Values (.csv), HTML document (.html), Tab Separated Values (.tsv), Text file (.txt), and XML document (.xml).
3. In the Range drop-down list, select the range of pages to save. Options include the current page only, all pages starting from the current page, or all pages starting from the first page that matched any keyword or filter criteria you entered.
4. If you entered a range of pages in the Range drop-down list, the form expands to include the Download Limit row.
5. Cli
482. t will be automatically deleted. Leave blank to disable automatic deletion.

Data Retention Policy: Select Enable to enable the data retention policy option, and in the Log Rotation field enter how many weeks you want log files kept before they are deleted. For mobile device certificates, select the minimum delay in weeks required before an expired certificate or rejected request can be deleted. The maximum period is the number of weeks after which an expired certificate is automatically deleted.

Import Configuration

The Import Configuration screen lets you import selected items from a ClearPass Guest 3.9 configuration. To import configuration settings from a standalone ClearPass Guest 3.9 backup file:

1. Go to Administration > Import Configuration. The Import Configuration Step 1 page opens with the Upload File form displayed.

[Screenshot: Upload File form with the fields Size Limit (Maximum file upload size: 5.0 MB) and Backup File (Select the backup file to start the restore process), and the Continue button]

2. If your file does not exceed the 5.0 MB size limit, use this form to upload your file. If your file is larger than the maximum file upload size of 5.0 MB, you must specify a URL instead. Click the Restore a backup from a URL link above the Upload File form. The Specify Backup File form is displayed.

[Screenshot: Specify Backup File form with the field URL (Specify the URL of the backup file) and the Continue button]
483. t SMS Guest Account Receipts: You can send SMS receipts for guest accounts that are created using either sponsored guest access or self-provisioned guest access. This is convenient in situations where the visitor may not be physically present to receive a printed receipt. Dell Networking W-ClearPass Guest may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand. To manually send an SMS receipt: 1. Navigate to Guest > List Accounts and click to expand the row of the guest to whom you want to send a receipt. 2. Click Print to display the Account Details view, then click the Send SMS receipt link. The SMS Receipt form opens. Use the fields on this form to enter the service to use, the recipient's mobile phone number, the mobile carrier, and the message text. When using guest self-registration, SMS Delivery options are available for the receipt page actions. See Editing Receipt Actions on page 178 for full details. SMS Receipt Options: SMS receipt configuration options are available in the Customization module; see Customize SMS Receipt on page 198. Advanced configuration options for the SMS Services, including receipt options, are also available in the plugin configuration; see Configuring the SMS Services Plugin on page 227 in this chapter. Working with the SM
484. t access. If checked, HTTP access by guests will be redirected to use HTTPS instead. Save Changes. 2. To send automatic disconnect or re-authorization messages when enabled or role values change, mark the check box in the Dynamic Authorization row. This requires a network access server (NAS) type that supports RFC 3576. 3. In the NAS Type row, use the drop-down list to choose the default type for network access servers. 4. To force a specific bind address for RFC 3576 requests, enter a value in the RFC 3576 Bind Address row. This might be needed in an AirGroup environment. 5. In the Internal Auth Type row, choose a type from the drop-down list. Choices in the list include PAP, CHAP, and MS-CHAP. The internal authentication type controls the RADIUS authentication used for internal RADIUS requests. 6. To redirect HTTP access to use HTTPS instead, mark the check box in the Security row. Content Manager: The Content Manager allows you to upload content items to Dell Networking W-ClearPass Guest. Content items are assets such as text, images, and animations that are made available for guest access using the application's built-in Web server. To work with your content items, go to Configuration > Content Manager. i Quick Help t Upload New Content 4 Download New Content fag Create New Directory Date Modified autumnGraphic1 PNG admin image png 2012 10 30 14 22 40 4 KB A autumnOffersContent1 txt admin text plai
485. t account Expiration times are specified in hours 0 N A 60 1 hour 120 2 hours 180 3 hours 240 4 hours Lifetime Options 399 6 hours 480 8 hours 720 12 hours 1440 1 day noes The available options to select from when choosing the lifetime of a guest account Lifetime values are specified in minutes m T m T Expiration Options Default values for relative account expiration times These options are displayed as the values of the Expires After field when creating a user account Lifetime Options Default values for account lifetimes These options are displayed as the values of the Account Lifetime field when creating a user account Dell Networking W ClearPass Guest 6 0 Deployment Guide Default Settings for Account Creation 139 Figure 25 Customize Guest Manager Page Continued lower section external terms_html The URL of a terms and conditions page If non blank this will enable a Terms Of Use URL terms of use checkbox on the create account page which must be checked in order to create a new account The URL here is specified as the terms of use and is opened in a new window 1 Active Sessions Enable limiting the number of active sessions a guest account may have Enter 0 to allow an unlimited number of sessions V Log guest account passwords Password Logging Whether to record passwords for guest accounts in the application log View guest account p
486. t only passwords of at least len characters in length NwaDynamicLoad NwaDynamicLoad func Loads the PHP function func for use in the current expression or code block Returns true if the function exists that is the function is already present or was loaded successfully or false if the function does not exist Ki NOTE Attempting to use an undefined function will resultin a PHP Fatal Error Use this function before using any of the standard Nwa functions NwaGeneratePictureString NwaGeneratePictureString string Dell Networking W ClearPass Guest 6 0 Deployment Guide NwaByteFormat 283 Creates a password based on a format string For details on the special characters recognized in string see Format Picture String Symbols on page 297 NwaGenerateRandomPasswordMix NwaGenerateRandomPasswordMix Spassword len Slower 1 Supper 1 Sdigit 1 Ssymbol 1 Generates a random password that meets a certain minimum complexity requirement Spassword len specifies the total length in characters of the generated password The password returned will be at least Supper Slower Sdigit symbol characters in length Any length beyond the required minimum will be made up of any allowed characters Slower specifies the minimum number of lowercase characters to include or l to not use any lowercase characters Supper specifies the minimum number of uppercase characters to include or l to not use any uppe
487. t p gt Insert content item HTML template code displayed before the guest receipt fs Footer HTML Insert content item HTML template code displayed after the quest receipt El Do not include guest receipt contents Select this option if you want to replace the HTML of the guest receipt Save Changes e Save and Continue Override Receipt Click the lal Save Changes button to return to the process diagram for self registration Editing Receipt Actions To edit the actions that are available once a visitor account has been created l Navigate to Configuration gt Guest Self Registration 2 Select an entry in the Guest Self Registration list and click its Edit link The Customize Guest Registration workflow page appears 3 In the Receipt Page area of the diagram click the Actions link The Receipt Actions form opens P Receipt Page Abc Title Header Form gt Actions t Abc Footer 178 Editing Guest Receipt Page Properties Dell Networking W ClearPass Guest 6 0 Deployment Guide Customize Guest Registration Receipt Actions Options for delivering a receipt to a self registered guest Download Enabled Enable download of guest receipt 10 Rank Rank ordering number for this receipt action Download Receipt Print Template l l Print template to use to generate this receipt ne Guest o20Receipt Svisitar_name urlencode txt TET TE IE a Template code to evaluat
488. tamp This field is available when modifying an account using the change expiration or guest edit forms that have a username matching the account username This option requires the NAS to support RFC 3576 dynamic authorization See RFC 3576 Dynamic Authorization on page 61 for more information Le Boolean flag indicating if the user account is authorized to log in This field is available dynamic_is_authorized ep ao when modifying an account using the change_expiration or guest_edit forms e Boolean flag indicating if the user account has already expired This field is available when dynamic_is_expired ee l a l modifying an account using the change_expiration or guest_edit forms Integer The maximum session time that would be allowed for the account if an authorization request was to be performed immediately Measured in seconds Set to 0 if dynamic_session_time the account is either unlimited dynamic_is_expired is false or if the account has expired dynamic_is_expired is true This field is available when modifying an account using the change_expiration or guest_edit forms String Email address for the account This field may be up to 100 characters in length When creating an account if the username field is not set then the email field is used as the username of the account Boolean flag indicating if the account is enabled Set this field to 0 to disable the account If an account Is disabled authorization
489. tchAdmin 3. Select the Enabled check box to enable this rule once you have created it. If you do not select this check box, the rule you create will appear in the rules list but will not be active until you enable it. 4. Click the Matching rule drop-down list and select a rule. The Matching Rule field can be one of: (blank): always matches; contains: case-insensitive substring match anywhere in string; matches: regular expression match, where the value is a Perl-compatible regular expression including delimiters (for example, to match the regular expression "admin" case-insensitively, use the value "/admin/i"; see Regular Expressions on page 305 for more details about regular expressions); equals: case-insensitive string comparison, matches on equality; does not equal: case-insensitive string comparison, matches on inequality; less than: numerical value is less than the match value; greater than: numerical value is greater than the match value; starts with: case-insensitive substring match at start of string; ends with: case-insensitive substring match at end of string. 5. Select a Value. The Value field states what is to be matched, in this case CN=Administrators, to look for a specific group of which the user is a member. 6. Click the On Match drop-down list and select the action the system should take when there is a match. Your
490. te Authority Signing Aruba Networks 4 Show certificate A Download Bundle The first certificate listed is the root certificate Root certificates are always self signed and are explicitly trusted by clients Each additional certificate shown is an intermediate certificate The last certificate in the list is the signing certificate that is used to issue client and server certificates To view the properties of a certificate in the trust chain click the Show certificate link The Certificate Information view opens Dell Networking W ClearPass Guest 6 0 Deployment Guide WA onmiee KU ae Certificate Information Certificate Details Details about the certificate and its owner Issued To E ClearPass Onboard Local Certificate Authority Valid From vy Monday 22 October 2012 02 02 PM Valid To vy Sunday 23 October 2022 02 32 PM Country US State California Subject Locality Sunnyvale Organization Aruba Networks Common Name ClearPass Onboard Local Certificate Authority Issuer Details Details about the certificate authority that issued the certificate Issued By 21 ClearPass Onboard Local Certificate Authority Country US State California Issuer Locality Sunnyvale Organization Aruba Networks Common Name ClearPass Onboard Local Certificate Authority Advanced Technical information about the certificate Fingerprint 3ddc 0203 1480 2513 3773 6b2a 0643 6b2c a8c7 Gabc i This is the SHA 1 fingerprint or t
491. te Configuration in a Cluster on page 70. Setting Up the Certificate Authority: The Certificate Authority Settings form is used to set up the mode of operation for the certificate authority. [Form: Certificate Authority Settings. Name (shown as Local Certificate Authority): Enter a name to identify this certificate authority. This is the default certificate authority. Description: A description of the certificate authority. Mode: Select the mode of operation for the certificate authority. Root CA: The certificate authority has a self-signed root certificate, and issues client certificates locally. Intermediate CA: The certificate authority has a certificate issued by another CA, and issues client certificates locally. Warning: Changing CA mode will generate a new CA certificate. This invalidates all existing certificates. Certificate Retention Policy: Options that affect when certificates are deleted. Schedule: Configure data retention.] The Name and Description fields are used internally to identify this certificate authority for the network administrator. These values are never displayed to the user during device provisioning. Select the appropriate mode for the certificate authority: • Root CA: The Onboard certificate authority issues its own root certificate. The certificate authority issues
492. te Generate TLS certificate and payload with Onboard settings; Install profile and return to Safari; Switch to EAP-TLS. 1. The only user interaction required is to accept the provisioning profile. This profile is signed by the Onboard server, so that the user can be assured of its authenticity. 2. An iOS device will have two certificates after over-the-air provisioning is complete: a. A Simple Certificate Enrollment Protocol (SCEP) certificate is issued to the device during the provisioning process. This certificate identifies the device uniquely, and is used to encrypt the device configuration profile so that only this device can read its unique settings. b. A Transport Layer Security (TLS) client certificate is issued to the device. This certificate identifies the device and the user that provisioned the device. It is used as the device's network identity during EAP-TLS authentication. Devices Supporting Onboard Provisioning: Dell Networking W-ClearPass Onboard supports secure device provisioning for Microsoft Windows XP (service pack 3 and later), Microsoft Windows Vista, Microsoft Windows 7, Apple Mac OS X 10.5 and 10.6, and Android devices (smartphones and tablets). These are collectively referred to as "Onboard-capable devices". The Onboard process for these devices is shown in Figure 17. Figure 17 C
493. tents xmlins http www avendasys com tipsapiDefs 1 0 gt lt TipsHeader version 6 0 exportTime Sun 16 Dec 2012 16 36 03 PST gt lt GuestUsers gt lt GuestUser guestType USER enabled true sponsorName 55480025 expirylime 2012 L2 04 13 39 25 gtartTime 1969 12 3L 16 00 00 password 08654361 name 55480025 gt lt GuestUserTags tagValue Hotspot Services self provisioned guest account Source IP 10 11 10 254 MAC unknown Plan Free Access x 1 Transaction Amount 0 00 Invoice Number P 15 Transaction ID tagName notes gt lt GuestUserTags tagValue 2 tagName Role ID gt lt GuestUserTags tagValue 1 tagName do expire gt lt GuestUserTags tagValue 1 tagName simultaneous_ use gt Exporting Guest Account Information Dell Networking W ClearPass Guest 6 0 Deployment Guide 43 lt GuestUserTags tagValue ff tagName Company Name gt lt GuestUserTags tagValue 2012 12 04 12 39 14 tagName Create Time gt lt GuestUserTags tagValue fffe df tagName Email gt lt GuestUserTags tagValue ff tagName first name gt lt GuestUserTags tagValue plan0 tagName hotspot plan id gt lt GuestUserTags tagValue Free Access tagName hotspot plan name gt lt GuestUserTags tagValue ff tagName last name gt lt GuestUserTags tagValue ff ff tagName Visitor Name gt lt GuestUserTags tagValue ff tagName zip gt lt GuestUser gt MAC Authentication in ClearPass Guest ClearPass Guest
494. terface. Configuring Device Authentication Settings: Click the Authentication tab to display the Enterprise Authentication form. [Form: Network Settings, Enterprise Authentication tab (tabs: Access, Protocols, Authentication, Trust, Windows, Proxy). Enterprise Authentication: Options for 802.1X authentication used on the network. iOS & OS X Credentials (shown as Certificate): Select the type of credentials to provision for iOS and OS X 10.7 (Lion or later) devices. Vista Credentials (shown as Machine or User): Select the authentication mode to use for Windows Vista or later devices. XP Credentials (shown as Machine or User): Select the authentication mode to use for Windows XP devices.] 1. Select one of these options in the iOS & OS X Credentials drop-down list: • Certificate: A device certificate will be provisioned and used for EAP-TLS client authentication. When this option is selected, EAP-TLS must be selected on the Protocols tab. • Username & Password: A device certificate will be provisioned, but the client authentication will use unique device credentials, as for Onboard devices. When this option is selected, EAP-TTLS or PEAP must be selected on the Protocols tab. 2. The Windows Authentication options that may be selected are
495. that a guest password must contain. Disallowed Password Characters: Characters which cannot appear in a user-generated password. Disallowed Password Words: Comma-separated list of words disallowed in the random words password generator. Note there is an internal exclusion list built into the server. • Site SSID: The Site SSID is the public name of the wireless local area network (WLAN). The default setting for this field is Aruba, and can be changed. The site SSID is displayed in the guest receipt as the WiFi Network, as shown below. Figure 23: Sample Guest Receipt Showing Aruba as the Default Site SSID. [Receipt text: User Name; WiFi Network: Aruba. Visitor Account and Wi-Fi Instructions: Make sure your wireless adapter is set to dynamically obtain an IP address. Connect to the wireless network: Aruba. Enter credentials: Username: usert, Password: secret. Account expires: Wednesday, August 1, 2012 14:15.] Site WPA Key: The encryption key used to secure the wireless network. If a value is entered in this field, it will appear on guest print receipts. Username Type: The default method used to generate random account usernames (when creating groups of accounts). This may be overridden by using the random username method field. Username Length: This field is displayed if the Username Type is set to Random digits, Random letters, Ra
496. that apply to currently active sessions: • Disconnect causes a Disconnect-Request message to be sent to the NAS for an active session, requesting that the NAS terminate the session immediately. The NAS should respond with a Disconnect-ACK message if the session was terminated, or Disconnect-NAK if the session was not terminated. • Reauthorize causes a Disconnect-Request message to be sent to the NAS for an active session. This message will contain a Service-Type attribute with the value "Authorize Only". The NAS should respond with a Disconnect-NAK message, and should then reauthorize the session by sending an Access-Request message to the RADIUS server. The RADIUS server's response will contain the current authorization details for the visitor account, which will then update the corresponding properties in the NAS session. If the NAS does not support RFC 3576, attempts to perform dynamic authorization will time out and result in a "No response from NAS" error message. Refer to RFC 3576 for more details about dynamic authorization extensions to the RADIUS protocol. Filtering the List of Active Sessions: You can use the Filter tab to narrow the search parameters and quickly find all matching sessions. Filter Settings Filter l Search all fields that have been configured for quick search Username Enter a username to show sessions for a single user or leave empty for all users Session State Only sho
497. the Onboard weblogin page: Select this option to create the default device_provisioning Web login page if it has been deleted, or has been modified and no longer functions correctly. All certificates and settings are left unmodified. • Delete all certificates and reset configuration to factory defaults: Removes all certificates from Certificate Management, including the certificate authority's root certificate, intermediate certificate, profile signing certificate, and any server certificates. The provisioning settings for iOS and Onboard-capable devices are restored to the default settings. The default certificate authority will be recreated. Mark the Reset the specified items check box to indicate that the reset operation should be performed, and then click Reset to Factory Defaults to perform the operation. Onboard Troubleshooting: If you encounter a problem that is not listed here, refer to the Onboard Deployment Checklist on page 66 and check each of the configuration steps listed there. iOS Device Provisioning Failures. Symptom: Device provisioning fails on iOS with the message "The server certificate for https is invalid". cription This configuration profile has network and security settings for your device to allow you to The server certificate for https 10 100 9 52 mdps_ pro file php id 1 54
498. the invoice number is created You can also customize the currency displayed on the invoice To customize the hotspot invoice l Go to Configuration gt Hotspot Manager gt Manage Hotspot Invoice The Manage Hotspot Invoice form opens Manage Invoice lt b gt Your Company Name lt b gt lt br gt Your contact details Invoice Title Enter the HTML template code to display as the title of the customer s invoice Specify format using template Invoice Numbering Choose the way in which invoice numbers will be generated P nwa makeid file s ite HotspotiInvoiceNumber dat output 1 Invoice Number Es r Insert content item Enter an expression that describes the invoice number format P 3 Preview ae ee This is a sample invoice number generated with the current settings 1 000 00 Currency Format p l SS The currency format to use when formatting a monetary amount for display AUD Currency Code The currency code to specify to the transaction service provider Script type text javascript gt lt literal function browser home i if typeof window home function window home else window location about home Login Code 3 fi gt literal lt script gt Sees ees eee 1 Ss ele M eee eee Oh eee PO orl Ree es ee TE sve AA Insert content item The HTML template code to display in the bottom panel of the invoice
499. the user's enterprise credentials from Active Directory. If the user is authorized to provision a mobile device, the over-the-air provisioning workflow is then triggered (see Figure 16 below). 4. After provisioning has completed, the device switches to EAP-TLS authentication using the newly provisioned client certificate. Mutual authentication is performed: the authentication server verifies the client certificate, and the client verifies the authentication server's certificate. 5. The device is now onboard and is able to securely access the provisioned network. Over-the-air provisioning is used to securely provision a device and configure it with network settings. Figure 16 shows a sequence diagram that explains the steps involved in this workflow. Figure 16: Over-the-Air Provisioning Workflow for iOS Platform. Diagram participants: iOS Device, Network Infrastructure, ClearPass Onboard, ClearPass Policy Manager (Apple Over-the-Air Provisioning). Diagram labels, in extraction order: User authenticated for device provisioning; Start device provisioning; signed profile payload; Request for device provisioning; SCEP provisioning profile; Request device certificate using SCEP; Request device configuration profile (signed); Device configuration profile (signed, encrypted); Refresh device provisioning progress page; Provisioning Complete; User accepts provisioning profile; Issue SCEP certificate for device; Install device identity certifica
500. this will be String with and The body parameter if set indicates that the string quotes are already supplied in this case the beginning and ending quotes are not included in the output nwa_radius_query nwa radius query method MethodName _assign var s Smarty registered template function Performs accounting based queries on the RADIUS server and returns the result for use in a template Usage example nwa radius query method GetCallingStationTraffic callingstationid Sdhcp lease mac address from time 86400 in out out assign total traffic This example uses the GetCallingStationTraffic query function and passes the callingstationid from time and in out parameters The result is assigned to a template variable called total traffic and will not generate any output This template function accepts the following parameters to select a RADIUS database and other connection options _db ID of the RADIUS database service handler this parameter is optional the default service handler will be used if it not set _debug Set to a nonzero value to enable debugging _quiet Set to a nonzero value to inhibit waming error messages The following parameters control the query to be executed _method required Name of the query function to execute A brief listing of the available methods is provided below _arg0 argl argN optional Positional arguments for the query function
501. through associative arrays indexed by key as the key is immediately available with each item A name attribute may be supplied with the opening foreach tag When a name is supplied the following additional Smarty variables are available for use inside the foreach foreach block smarty foreach namefirst true if the item being processed is the first item in the collection smarty foreach namelast true if the item being processed is the last item in the collection smarty foreach nameindex counter for the current item starting at 0 for the first item smarty foreach nameiteration counter for the current item starting at 1 for the first item smarty foreach name total value indicating the total number of items in the collection Dell Networking W ClearPass Guest 6 0 Deployment Guide Script Blocks 265 The content after a foreachelse tag is included only if the foreach block would otherwise be empty Modifiers Smarty provides modifiers that can be used to gain greater control over the formatting of data Modifiers can be included by following a variable with a vertical bar and the name of the modifier Any arguments to the modifier can be specified using a colon followed by the arguments The following example prints a date using the YYYY MM DD syntax Sexpire time nwadateformat sY sm d See Date Time Format Syntax on page 279 for detailed information on the date time format mod
502. tificate area, with fields for uploading the certificate, uploading the private key, and entering the passphrase. [Form: Code Signing Certificate Import. Certificate Type (shown as PKCS#7 Binary or Base-64 (.p7b, .p7m, .pem)): Choose the format of your certificate. Certificate: Choose the code signing certificate to upload. Private Key: Choose the code signing private key to upload. The private key must be a PEM-encoded file (.pem). Private Key Passphrase: Enter the passphrase that was used to encrypt the private key. If the private key is not encrypted, leave this field blank. Confirm Passphrase: Re-enter the private key's passphrase. If the private key is not encrypted, leave this field blank. Upload Certificate.] For PFX and PKCS#12 files, the private key must be included in the certificate file, so the Private Key upload option is not available in the form. The private key passphrase is required. For SPC and PKCS#7 files, a PEM-encoded private key must be uploaded separately using the Private Key upload option on the form. If it is encrypted, the passphrase must also be provided. 3. Click Upload Certificate. The certificate chain is displayed. To use the certificate for code signing: 1. Go to Onboard > Provisioning Settings and scroll to the Windows Provisioning section of the form. Windows Provisioning These options control Windows device provisioning W Enable Windows
503. tificate file. [Form: Step 3: Specify the passphrase for the private key. Private Key Passphrase: Enter the passphrase that was used to encrypt the private key. If the private key is not encrypted, leave this field blank. Confirm Passphrase: Re-enter the private key's passphrase. If the private key is not encrypted, leave this field blank. Upload Certificate.] 6. Click the Upload Certificate button to save your changes. If additional certificates are required, you will remain at the same page. Check the message displayed above the form to determine which certificate or type of file must be uploaded next. When the trust chain is complete, it will be displayed. This completes the initialization of the certificate authority. Renewing the Certificate Authority's Certificate: When a root certificate is close to expiration, it must be renewed. Navigate to Onboard > Certificate Authority Settings and click the Renew Root Certificate link. The Root Certificate Renewal form is displayed. [Form: Root Certificate Renewal. Renewal Type (shown as Basic Renewal): Basic renewal will reissue the certificate with the same private key and an updated validity period. Replacement renewal will reissue the certificate with a new private key and an updated validity period. Renew Root Certificate.] Select an option in the Renewal Type drop-down list: • Basic Renewal: Uses the same private key for the root certificate but reissues th
504. tificates maintained by a certificate authority and regularly updated. CSV: Comma-separated values. device provisioning: Process of preparing a device for use on an enterprise network, by creating the appropriate access credentials and setting up the network connection parameters. digital certificate: Contains identification data (see distinguished name) and the public key portion of a public/private key pair, and a signature that is generated by a certificate authority. The signature ensures the integrity of the data in the certificate (only the certificate authority can create valid certificates). Disconnect-Ack: NAS response packet to a Disconnect-Request, indicating that the session was disconnected. Disconnect-Nak: NAS response packet to a Disconnect-Request, indicating that the session could not be disconnected. Disconnect-Request: RADIUS packet type sent to a NAS requesting that a user or session be disconnected. distinguished name: Series of fields in a digital certificate that, taken together, constitute the unique identity of the person or device that owns the digital certificate. Common fields in a distinguished name include country, state, locality, organization, organizational unit, and the common name, which is the primary name used to identify the certificate. DN: See distinguished name. EAP: Extensible Authentication Protocol (RFC 3748). An authentication
505. time date to display UTF 8 is the character encoding used throughout the application as this covers languages Dell Networking W ClearPass Guest 6 0 Deployment Guide nwa_userpref 279 such as Spanish that use non ASCII characters The full list of special formats is Table 28 Date and Time Formats Preset Name Date Time Format Example longdate OGA d B Y I M p The items on the right hand side are the same as those supported by the php function strftime The string if present will return the string following the if the time value is 0 Otherwise the format string up to the is used See Date lime Format String Reference on page 281 in this chapter for a full list of the supported date time format string arguments Examples of date formatting using the nwadateformat Smarty modifier are as follows u expire_time nwadateformat longdate Monday 07 April 2008 2 13 PM u expire_time nwadateformat iso8601 20080407 u expire_time nwadateformat iso 8601t 2008 04 07 14 13 45 u expire_time nwadateformat iso8601 N A 20080407 or N A if no time specified u expire_time nwadateformat m d Y 04 07 2008 nwatimeformat Modifier The nwatimeformat modifier takes one argument the format description The minutes_to_natural argument converts an argument specified in minutes to a text string describing an equivalent but more natural me
506. timized for working with individual accounts 144 Standard Forms and Views Dell Networking W ClearPass Guest 6 0 Deployment Guide Es Customizing Fields T Custom fields are fields that you define yourself to cater for areas of interest to your organization You are able to define custom fields for your guest accounts as well as edit the existing fields In addition you can delete and duplicate fields For your convenience you are also able to list any forms or views that use a particular field NOTE Fields that have a lock symbol cannot be deleted Define custom fields for visitor accounts or change the behaviour of existing fields A complete list of fields is displayed when you click the Fields command link on the Customize Guest Manager page Column Title Abc account_activation a strin be mia j Activation 9 The current activation time in long form A 5 airgroup_enable Flag indicating that this account has been created for AirGroup AirGroup bool 8 USE 4 airgroup_shared Flag indicating that this account has been created by an Shared bool amp AirGroup administrator for sharing F Edit ES Duplicate ES Show Forms m Show Views To display only the fields that you have been created click the SCustom Fields Only link in the bottom row of the list view To retum to displaying all fields click the BAN Fields link Creating a Custom Field To create a custom field click the P Create tab at
507. tings for iOS and OS X on page 110 to make changes to the content of this profile. Customizing the user interface of the QuickConnect app for Windows, Mac OS X and Android devices: The provisioning process for Windows, Mac OS X and Android devices uses a separate app, which has a customizable user interface. See Configuring Options for Legacy OS X, Windows and Android Devices on page 116 to make changes to the user interface. Customizing the Device Provisioning Web Login Page: Onboard creates a default Web login page that is used to start the device provisioning process. To edit this page, navigate to Configuration > Start Here, then click the Web Logins command link. Click to expand the Onboard Provisioning row in the list, and then click Edit. The RADIUS Web Login Editor form for Onboard opens. Scroll to the Onboard Device Provisioning rows of the form. [Form: Onboard Device Provisioning: Options for specifying the behaviour and content of the login form. Device Provisioning: Enable device provisioning. If selected, authenticated users with supported devices will be provisioned using Onboard. Configuration: Local Device Provisioning. Select the configuration that will be used when users login using this web login form.] The Onboard-specific settings required for a device provisioning page are described below. Mark the Enable device provisioning check box to activate the Onboard features for this Web login
508. tion. Review the Onboard feature list to identify the major areas of interest for your deployment. Review the list of platforms supported by Onboard and identify the platforms of interest for your deployment. Review the Onboard public key infrastructure and identify any certificate authorities that will be needed during the deployment. Public Key Infrastructure for Onboard on page 65. Refer to the ClearPass Policy Manager documentation and Network Architecture for Onboard on page 72 in this chapter. Review the network requirements and the network architecture diagrams to determine how and where to deploy the Onboard solution. Configure the hostname and networking properties of the Onboard provisioning server. DNS is required for SSL. Ensure that hostname resolution will work for devices being provisioned. Refer to the ClearPass Policy Manager documentation. Configure SSL certificate for the Onboard provisioning server. A commercial SSL certificate is required to enable secure device provisioning for iOS devices. Refer to the ClearPass Policy Manager documentation. Configure the Onboard certificate authority: Decide whether to use the Root CA or Intermediate CA mode of operation. Create the certificate for the certificate authority. Configuring the Certificate Authority on page 81. Configuring Data Retention Policy for Configure the data retention policy for the certificate a
509. tion from the Parent field drop-down menu. Paying for Access: If you select a standalone self-registration (the No parent standalone option), you can also configure the Hotspot option. You can configure this setting so that registrants have to pay for access. Requiring Operator Credentials: If you want to require an operator to log in with their credentials before they can create a new guest account, select the Require operator credentials prior to registering guest check box. The sponsor's operator profile must have the Guest Manager > Create New Guest Account privilege already configured. If you choose this option, the authenticated page it produces for creating accounts is very simple, and does not include navigation or other links that would otherwise be available in the operator user interface. You can specify access restrictions for the self-registration page in the Access Control section of this form. [Form: Access Control: Controls access to the registration page. Authentication: Require operator credentials prior to registering the guest. If checked, access to this registration page will require operator credentials. The sponsor's operator profile must have the Guest Manager > Create New Guest Account privilege. Allowed Access: Enter the IP addresses and networks from which self-registration is permitted. Denied Ac
510. tions. Network Settings tabs: Access, Protocols, Authentication, Trust, Windows, Proxy. Enterprise Trust: Certificate trust options for 802.1X protocols supported on the network. Configure Trust: Manually configure certificate trust settings. Use automatic configuration if you are using Policy Manager for authentication. Otherwise, select manual configuration. Trusted Server Names: Enter the certificate names expected from the authentication server, one per line. Wildcards may be used to specify the name, e.g. wpa example com. If a server presents a certificate that isn't in this list, it won't be trusted. Trusted Certificates: ClearPass RADIUS (recommended); 10.100.9.67. Select certificates that the device should trust during authentication. This should include the root CA that has issued the authentication server's certificate. Upload Certificate: Upload a new trusted certificate from your computer (PEM format, pem). Dynamic Trust: Allow trust exceptions. Select this option to enable trust decisions via dialog to be made by the user. Android Trust: Trusted Certificate: ClearPass RADIUS (recommended). Android only supports a single trusted certificate. This must be the root CA that has issued the authentication server's certificate. Select a certificate that the device should trust. Windows Trust: Validate
511. tivate or edit the device, view active sessions or details for the device, or print details, receipts, confirmations, or other information. The MAC Address, Role, State, Activation, and Expiration columns display information about the device accounts that have been created. The value in the Expiration column is colored red if the device account will expire within the next 24 hours. The expiration time is additionally highlighted in boldface if the device account will expire within the next hour. In addition, icons in the MAC Address column indicate the device account's activation status: Device account is active; Device account was created but is not activated yet; Device account was disabled by Administrator; Device account has expired; Device account was deleted. You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of any fields that are configured for search, and you can include the following operators: Table 9: Operators supported in filters (columns: Operator, Meaning, Additional Information). Meanings: is not equal to; is greater than; is greater than or equal to. Additional information: You may search for multiple values when using the equality or inequality operators. To specify multiple values, list them separated by the pipe character. For example
512. to indicate years, weeks, days, hours, minutes, seconds respectively. A number, to set the cumulative usage expiration time to the value specified. Any other value, to leave expire_usage unmodified. This field controls account modifications; it is not stored with the visitor account. modify_password: String. Value indicating how to modify the account password. It may be one of the following values: random_password, to use the password specified in the random_password field; reset, to create a new password using the method specified in the random_password_method field (or the global defaults, if no value is available in this field); password, to use the value from the password field. Any other value leaves the password unmodified. This field controls account creation and modification behavior; it is not stored with created or modified visitor accounts. String. Value indicating how to modify the schedule_time field. It may be one of the following values: none, to disable the account activation time; now, to activate the account immediately; schedule_time, to use the activation time specified in the schedule_time form field (normally a UNIX time, but may be 0 to disable activation time); schedule_after, to set the activation time to the cur
513. top. IsValidTimestamp: Checks that the value is a numeric UNIX timestamp (which measures the time in seconds since January 1, 1970 at midnight UTC). IsValidTimeZone: Checks that the value is a valid string describing a recognized time zone. IsValidUrl: Checks that the value appears to be a valid URL that includes a scheme, hostname and path. For example, in the URL http://www.example.com/, the scheme is http, the hostname is www.example.com and the path is /. The validator argument may optionally be an array containing a scheme key that specifies an array of acceptable URL protocols. IsValidUsername: Checks that the value is a valid username. Usernames cannot be blank or contain spaces. NwaCaptchaIsValid: Checks that the value matches the security code generated in the CAPTCHA image. This validator should only be used with the standard captcha field. NwaGuestManagerIsValidRoleId: Checks that the value is a valid role ID for the current operator and user database. NwaIsValidExpireAfter: Checks that the value is one of the account expiration time options specified in the Guest Manager configuration. NwaIsValidLifetime: Checks that the value is one of the account lifetime options specified in the Guest Manager configuration. Form Field Conversion Functions: The Conversion and Value Format functions that are avai
514. tor Servers and the Translation Rules commands allow you to set up operator logins integrated with a Microsoft Active Directory domain or another LDAP server. Manage Operator Servers: Manage the list of servers used for operator authentication via directory services. Translation Rules: Define translation rules used to determine an operator profile from LDAP attributes. NOTE: The operator management features, such as creating and editing operator logins, apply only to local operator logins defined in ClearPass Guest. You cannot create or edit operator logins using LDAP. Only authentication is supported. Manage LDAP Operator Authentication Servers: Dell Networking W-ClearPass Guest supports a flexible authentication mechanism that can be readily adapted to any LDAP server's method of authenticating users by name. There are built-in defaults for Microsoft Active Directory servers, POSIX-compliant directory servers, and RADIUS servers. When an operator attempts to log in, each LDAP server that is enabled for authentication is checked, in order of priority from lowest to highest. Once a server is found that can authenticate the operator's identity (typically with a username and password), the LDAP server is queried for the attributes associated with the user account. These LDAP attributes are then translated to operator
515. trollers: Define the Aruba controllers that should receive AirGroup asynchronous information updates (Remove; Add a new controller). Shared Secret: Shared secret for RFC 3576. Timeout: 5 seconds. Timeout for sending an AirGroup message. Attempts: 3. Maximum number of attempts to use when sending an AirGroup message. Save Configuration. 2. In the AirGroup Logging drop-down list, choose one of the following options: Disabled: Do not log AirGroup-related events. Standard (Recommended): Log basic information. Extended: Log additional information. Debug: Log debug information. Trace: Log all debug information. 3. In the Controllers row, to add a new AirGroup controller and enable it to receive dynamic notifications of AirGroup events, click the Add a new controller link. The row expands to include fields for entering the controller's properties. 4. Specify the following properties for each AirGroup-enabled controller: a. Hostname or IP address. b. Port number: This should be the UDP port number of the AirGroup process on the controller (airgroup cppm server aaa rfc3576 server, rfc 3576 udp port). This is the same port number that was defined when the CPPM interface was configured. The default in ClearPass Guest is 5999. c. Shared secret: This is the shared secret used for AirGroup. In the Timeout row, enter the number of seconds after which an attempt to send an AirGroup
516. ts. List guest accounts and edit individual or multiple accounts. View and manage active sessions. Import new accounts from a text file. Export a list of accounts. View MAC devices. Create new MAC devices. Many features can also be customized. For information on customizing Guest Manager settings, forms and views, guest self-registration, and print templates, see Configuration on page 133. Accessing Guest Manager: To access Dell Networking W-ClearPass Guest's guest management features, click the Guest link in the left navigation. [Menu: Active Sessions, Create Account, Create Device, Create Multiple, Edit Accounts, Export Accounts, Import Accounts, List Accounts, List Devices.] About Guest Management Processes: There are two major ways to manage guest access: either by your operators provisioning guest accounts, or by the guests self-provisioning their own accounts. Both of these processes are described in the next sections. Sponsored Guest Access: The following figure shows the process of sponsored guest access. [Figure 5: Sponsored guest access with guest created by operator. Labels: Gateway Router, Internet, ClearPass Guest Visitor Management Appliance, Visitors, Wireless AP, Network Access Server, Operator. Steps: Operator login; Guest account provisioning; Generate p
517. ual Private Network ID. Active: Add this VPN to the device profile. Select this option to include this VPN in the device profile. Connection Name: Display name of the connection (displayed on the device). Connection Type: L2TP. The type of connection enabled by this policy. L2TP Connection Settings: These options configure the L2TP connection. Server: Hostname or IP address of the server the device will connect to. A hostname will only be accepted if the corresponding IP address can be resolved. Override Routing: Send all traffic through the VPN connection. Select this option to override the primary route and send all traffic over the VPN connection. Machine Authentication: Shared Secret: Shared secret for the connection. Leave blank to prompt the user on the device. Confirm: Re-enter the shared secret for the connection. User Authentication: Account: User account for authenticating the connection. Leave blank to prompt the user on the device. User Authentication: Password, RSA SecurID. Authentication type for the connection. Proxy Settings: Configures proxies to be used with this VPN connection. Proxy Setup: None. Save Changes. Mark the Add this VPN to the device profile check box to enable provisioning of VPN settings. The Display Name text field specifies the name for this VPN connection. This will be displayed on the device in the Settings app
518. ugin, a blank plugin if you are providing your own complete HTML page, or custom skin plugins that let you configure the colors, navigation, logo and icons. 1. To modify the standard Dell ClearPass skin plugin, click its Configuration link on the Available Plugins page. [Form: Configure Dell ClearPass Skin 6 1 4 23982. Print Template Options: The following colors and styles are used in the stock HTML-based print templates. Font Family: Trebuchet MS, Arial, sans-serif. Enter a list of fonts as the font family. Welcome Background Color: D2DAE3. Select the background color to be used in the welcome block. Welcome Foreground Color: Select the foreground color to be used in the welcome block. Welcome Highlight: 1359A3. Select the color to highlight the name. Network Color: 292929. Select the color for the network section. Network Highlight: 1359A3. Select the color to highlight the network. Instructions Color: 2B2D33. Select the color for the instructions. Instructions Highlight: 1359A3. Select the highlight color for the instructions. Save Configuration.] 2. The default navigation layout is expanded. To change the behavior of the navigation menu, click the Navigation Layout drop-down list and select a different expansion level for menu items. The Page Heading field allows you to enter additional heading text to be displayed at the very top of the page. 4. In the Font Famil
519. unts. You can create new guest account receipts or download the updated guest account information. See Creating Multiple Guest Account Receipts on page 31 in this chapter for more information. The More Options tab includes the Choose Columns command link. You can click this link to open the Configuration module's Customize View Fields form, which may be used to customize the Edit Guest Accounts view. [Choose Columns: Add or remove columns from the list.] Importing Guest Accounts: Guest accounts may be created from an existing list by uploading the list to ClearPass Guest. To upload a list of existing accounts, go to Guest > Import Accounts, or click the Import Guest Accounts command link on the Guest Manager page. The Upload User List form opens. [Import Guest Accounts: Import a list of guests from a text file and create a guest account for each entry in the list.] The Upload User List form provides you with different options for importing guest account data. [Form: Upload User List. Size Limit: Maximum file upload size: 5.0 MB. A maximum of 1000 records can be imported at one time. Accounts File: Browse. Upload a file containing a list of user accounts. This field may be left blank if you provide the list in the field below. Accounts Text: Type in or paste the list of user accounts. This field may be left blank if you upload a file. Advanced: Show additional import options. Character Se
520. upplies the credentials. Default Profile: The default operator profile to assign to operators authorized by this server. Select the Enabled check box under Sponsor Lookups if you want to enable the validation of sponsor emails during self-registration. When this option is selected, this server will look up sponsors during self-registration and double-check the attribute used for emails on the LDAP server. This option requires that the sponsor_email and do_ldap_lookup fields are enabled in the registration form. This feature requires you to have the LDAP Sponsor Lookup plugin installed. Use the Plugin Manager to verify that this plugin is available. [Plugin: LDAP Sponsor Lookup 6.0.0 (Enabled): Performs an LDAP lookup of a particular field to continue the registration process. Links: Configuration, About.] When you have completed the form, you can check your settings. Use the Test Username and Test Password fields to supply a username and password for the authentication check, then click the Test Settings button. If the authentication is successful, the operator profile assigned to the username will be displayed. If the authentication fails, an error message will be displayed. See LDAP Operator Server Troubleshooting on page 252 for information about common error messages and troubleshooting steps to diagnose the problem. Click the Save Chan
521. ural time representation, such as 2 minutes, 3 hours, 11 days. Nwa_NumberFormat(value, if_undefined), Nwa_NumberFormat(value, decimals), Nwa_NumberFormat(value, decimals, dec_point, thousands_sep, if_undefined): Converts a numerical value to a string. If the value has an undefined type (in other words, has not been set), and the if_undefined parameter was provided, returns if_undefined. Otherwise, the number is converted to a string using the number of decimal places specified in decimals (default 0), the decimal point character in dec_point default, and the thousands separator character in thousands_sep default. Nwa_TrimText(value, length): Trims excessively long strings to a maximum of length characters, appending an ellipsis if the string was trimmed. Nwa_ValueText(value, if_undefined): If the value has an undefined type (in other words, has not been set), and the if_undefined parameter was provided, returns if_undefined, or an HTML non-breaking space (&nbsp;) otherwise. Otherwise, the value is converted to a string for display. LDAP Standard Attributes for User Class: The following list provides some of the attributes for the LDAP User class. For a complete list, you should consult http msdn2 microsoft com en us library ms683980 VS 85 aspx windows 2000 server attributes. userPrincipalName: The userPrincipalName is a single-valued and indexed property that is a string that
522. ure ClearPass Guest to send customized guest account receipts to visitors and sponsors by email. Email receipts may be sent in plain text or HTML format. You may also send email receipts using any of the installed skins to provide a look and feel. To use the email sending features, you must have the SMTP Services Plugin installed. About Email Receipts: You can send email receipts for guest accounts that are created using either sponsored guest access or self-provisioned guest access. This is convenient in situations where the visitor may not be physically present to receive a printed receipt. ClearPass Guest may be configured to automatically send email receipts to visitors, or to send receipts only on demand. Email receipts may be sent manually from the guest account receipt page by clicking the Send email receipt link displayed there. When using guest self-registration, the email delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery. To configure these email delivery options: 1. Go to Configuration > Guest Self-Registration. Click to expand the Guest Self-Registration row in the form, then click its Edit link. The Customize Guest Self-Registration diagram opens. 2. In the Receipt Page area, click the Actions link. The Receipt Actions form opens.
523. use the argument to perform validation. Examples of Form Field Validation. Example 1: To create a form field that requires an integer value between 1 and 100 (inclusive) to be provided, use the following settings in the form field editor. [Form: Form Validation Properties: These properties control how the value of this field is checked. Field Required: Field value must be supplied. Select this option if the field cannot be omitted or left blank. Initial Value: Value to initialize this field with when the form is first displayed. Validator: IsInRange. The function used to validate the contents of a field. Validator Param: None. Optional name of field whose value will be supplied as the argument to a validator. Validator Argument: array(1, 100). Optional value to supply as the argument to a validator. Validation Error: Please enter a number between 1 and 100. The error message to display if the field's value fails validation and the validator does not return an error message directly.] NOTE: The form field will contain an integer value, so you should set the field's type to Integer when creating it. Use the PHP syntax array(1, 100) to specify the minimum and maximum values for the IsInRange validator. After saving changes on the form, this value will be internally converted to the equivalent code array(0 => 1, 1 => 100). With these validator settings, users that enter an in
524. use when configuring OS X 10.5/6 (Leopard/Snow Leopard) devices. Android EAP: PEAP with MSCHAPv2. Select the authentication protocol to use when configuring an Android device. Windows EAP: PEAP with MSCHAPv2. The authentication protocol to use when configuring a Windows device. Fast Reconnect: Enable Fast Reconnect. Quarantine: Enforce Network Access Protection. This setting is labeled Enable Quarantine checks in older versions of Windows. Cryptobinding: Enforce Cryptobinding. Use this form to specify the authentication methods required by your network infrastructure. The iOS & OS X EAP option supports TLS, TTLS, PEAP, and EAP-FAST. The Legacy OS X EAP option supports only PEAP with MSCHAPv2. The Android EAP option supports PEAP with MSCHAPv2, PEAP with GTC, TTLS with MSCHAPv2, TTLS with GTC, TTLS with PAP, and TLS. The Windows EAP option supports PEAP with MSCHAPv2 and TLS. These best practices are recommended when choosing the 802.1X authentication methods to provision: Configure PEAP with MSCHAPv2 for Onboard devices (Android, Windows, and legacy OS X 10.5/10.6). Configure EAP-TLS for iOS devices and OS X 10.7 or later. Other EAP methods, while possible, are limited in their applicability and should only be us
525. username and password. A guest account may be provisioned by a corporate operator such as a receptionist, who can then give the visitor a print receipt that shows their username and password for the network. When visitors use self-registration, as might be the case for a network offering public access, the process is broadly similar but does not require a corporate operator to create the guest account. The username and password for a self-provisioned guest account may be delivered directly to the visitor's Web browser, or sent via SMS or email. Reference Network Diagram: The following figure shows the network connections and protocols used by ClearPass Guest. [Figure 2: Reference network diagram for visitor access. Labels: Visitors, Operators, Network Access Servers, RADIUS, HTTP(S), Network, ClearPass Guest Visitor Management Appliance, Network Administrator.] The network administrator, operators and visitors may use different network interfaces to access the visitor management features. The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points. Key Interactions: The following figure shows the key interactions between ClearPass Guest and the people a
526. ustomize Fields page and then add them to a view by choosing appropriate display options for each new column. To add a new field to a view, reorder the fields, or make changes to an existing field in a view, select the view in the Customize Forms & Views list and click the Edit Fields link. This opens the Customize View Fields editor. [View field list (Rank, Field, Type, Title, Width): 10 username, sort, Username, 160px; 15 visitor_name, sort, Full Name, 120px; 20 visitor_company, sort, Company, 100px; 30 visitor_phone, sort, Phone, 120px; 50 sponsor_name, sort, Sponsor, 100px; 60 role_name, static_options, Role, 120px; 70 current_state, text, State, 75px. Row actions: Edit, Edit Base Field, Remove, Insert Before, Insert After, Enable Field. Other links: Quick Help, Add Field.] View fields have a Rank number, which specifies the relative ordering of the columns when displaying the view. The Customize View Fields editor always shows the columns in order by rank. The Type of each field is displayed. This controls what kind of user interface element is used to display the column, and whether the column is to be sortable or not. The Title of the column and the Width of the column are also shown in the list view. Values displayed in italics are default values defined for the field being displayed. Click a view field in the list view to select it. Use the Edit link to make changes to an existing column using the View Field Editor. Any changes made to the field using this editor will apply only to this field on th
527. uthority Certificates on page 90. Deployment steps: Configure device provisioning settings: Select certificate options for device provisioning. Select which device types should be supported. Configure network settings for device provisioning: Set network properties. Upload 802.1X server certificates. Set device-specific networking settings. Configure networking equipment for non-provisioned devices: Set authentication for the provisioning SSID, if required. Ensure the captive portal redirects non-provisioned devices to the device provisioning page. Configure networking equipment to authenticate provisioned devices: Ensure 802.1X authentication methods and trust settings are configured correctly for all EAP types that are required. Configure OCSP or CRL on the authentication server to check for client certificate validity. Configure the user interface for device provisioning: Set display options for iOS devices. Set user interface options for other Onboard devices. Setup the device provisioning Web login page. Reference: Configuring Provisioning Settings on page 106; Configuring Network Settings for Device Provisioning on page 117; Network Requirements for Onboard on page 71; Network Requirements for Onboard on page 71; Configuring the User Interface for Device Provisioning on page 79. Testing and Verificat
528. valid value will now receive a validation error message. [Sample Field: 1 100. Please enter a number between 1 and 100. This is a sample field.] Furthermore, note that blank values or non-numeric values will result in a different error message. [Sample Field: 1 100. Parameter must be an intege. This is a sample field.] The reason for this is that in this case the validation has failed due to a type error: the field is specified to have an integer type, and a blank or non-numeric value cannot be converted to an integer. To set the error message to display in this case, use the Type Error option under the Advanced Properties. Example 2: To create a form field that accepts one of a small number of string values, use the following settings in the form field editor. [Form: Field Required: Field value must be supplied. Select this option if the field cannot be omitted or left blank. Initial Value: sales. Value to initialize this field with when the form is first displayed. Validator: IsArrayValue. The function used to validate the contents of a field. Validator Param: None. Optional name of field whose value will be supplied as the argument to a validator. Validator Argument: an array of the values accounting, hr, research, sales, support. Optional value to supply as the argument to a validator. Please select from one of the following option
529. veSync settings and passcode policy on these devices. Public Key Infrastructure for Onboard: During the device provisioning process, one or more digital certificates are issued to the device. These are used as the unique credentials for a device. To issue the certificate, Dell Networking W-ClearPass Onboard must operate as a certificate authority (CA). The following sections explain how the certificate authority works, and which certificates are used in this process. Certificate Hierarchy: In a public key infrastructure (PKI) system, certificates are related to each other in a tree-like structure. [Figure 10: Relationship of Certificates in the Onboard Public Key Infrastructure. Labels: Root CA, Enterprise certificates, Intermediate CA, Profile Signing, Device Certificate, Server Certificate, Other certificates, Unique device credentials.] The root certificate authority (CA) is typically an enterprise certificate authority, with one or more intermediate CAs used to issue certificates within the enterprise. Onboard may operate as a root CA directly, or as an intermediate CA. See Configuring the Certificate Authority on page 81. For information on setting up certificates when using Onboard in a cluster, see Certificate Configuration in a Cluster on page 70. The Onboard CA issues certificates for sever
530. vice. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 4. In the iOS 4 Same SSID text box, enter the instructions that are shown to the user of an iOS 4 device if they attempt to provision their device while connected to an SSID that will be provisioned. Same-SSID provisioning is not supported. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. Configuring Reconnect Behavior for iOS and OS X: Reconnect is only supported by iOS 5 and OS X 10.7 (Lion) or later devices. To configure the reconnect behavior for iOS and OS X devices: 1. Go to Onboard > Provisioning Settings, click the iOS & OS X tab, and scroll to the Reconnect area of the form. 2. In the Allow Automatic Reconnect row, mark the check box if you want to allow the device to be automatically reconnected to the provisioned network. Automatic reconnect only applies when there is a single network configured to Automatically join network. 3. In the Allow Manual Reconnect row, mark the check box if you want to allow the device to be manually reconnected to the provisioned network. Manual reconnect only applies when automatic reconnect is not allowed or not applicable. 4. In the
532. w active sessions. Enter a username or IP address in the Filter field. Additional fields can be included in the search if the Include values when performing a quick search option was selected for the field within the view. To control this option, use the Choose Columns command link on the More Options tab.

You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators.

Table 11: Operators supported in filters
Meanings listed: is not equal to; is greater than; is greater than or equal to; is less than or equal to; matches the regular expression; does not match the regular expression.
Additional information: You may search for multiple values when using the equality or inequality operators. To specify multiple values, list them separated by the pipe character (|). For example, specifying the filter role id 2 3 custom_ field Value restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee) and with the field named custom_field set to Value.

To restore the default view, click the Clear Filter link. Click the Apply Filter button to save your changes and update the view, or click the Reset button to remove the filter and return to the default view.

Disconnecting
533. w the effects of the changes.

Click the Save Changes button to return to the process diagram for self-registration. Click the Save and Continue button to update the self-registration page and continue to the next editor.

Editing the Default Self-Registration Form Settings

Click the Form link for the Register Page to edit the fields on the self-registration form. The default settings for this form are as follows:
• The visitor name and email fields are enabled. The email address of the visitor will become their username for the network.
• The expire_after field is hidden and set to a value of 24 by default; this sets the default expiration time for a self-registered visitor account to be 1 day after it was created.
• The role_id field is hidden and set to a value of 2 by default; this sets the default role for a self-registered visitor account to the built-in Guest role.
• The auto_update_account field is set by default. This is to ensure that a visitor who registers again with the same email address has their existing account automatically updated.

Creating a Single Password for Multiple Accounts

You can create multiple accounts that have the same password. In order to do this, you first customize the Create Multiple Guest Accounts form to include the Password field. To include the Password field on the Create Multiple Guest Accounts f
534. window using template drop-down list opens a print preview window and the printer dialog. Options include account details, receipts in various formats, a session expiration alert, and a sponsorship confirmation notice.

MAC Creation Modes

MAC device accounts may be created in three ways:
• Manually in ClearPass Guest, using the Create Device form
• During guest self-registration, by a mac parameter passed in the redirect URL, if the process is configured to create a MAC device account
• During guest self-registration, by a mac parameter passed in the redirect URL, creating a parallel account paired with the visitor account

Creating Devices Manually in ClearPass Guest

If you have the MAC address, you can create a new device manually. You do this on the New MAC Authentication form. To create a new device:
1. Go to Guest > List Devices and click the Create link, or you can go to the Guest navigation page and click the Create Device command. The New MAC Authentication page opens.

[Screenshot: New MAC Authentication form, with fields for the name of the person sponsoring the visitor account, the name of the device, the MAC address of the device, and the activation time of the account]
535. word may contain uppercase letters, lowercase letters, digits and certain symbols. The strong password does not contain commonly confused characters such as "O" and "0" (capital O and zero), "I" and "l" (capital I and lowercase L), "2" and "Z" (two and capital Z), or "8" and "B" (eight and capital B).

NwaVLookup

NwaVLookup($value, $table, $column_index, $range_lookup = true, $value_column = 0, $cmp_fn = null)

Table lookup function, similar to the Excel function VLOOKUP. This function searches for a value in the first column of a table and returns a value in the same row from another column in the table. This function supports the values described in the table below.

Table 31: NwaVLookup Options
$value: The value to look for.
$table: A 2D array of data to search; for example, a data table returned by NwaCsvCache or NwaParseCsv.
$column_index: The desired index of the data.
$range_lookup: Specifies whether to find an exact or approximate match. If true (default), assumes the table is sorted and returns either an exact match or the match from the row with the next largest value that is less than value. If false, only an exact match is returned; NULL is returned on no match.
$value_column: Specifies the column index in the table that contains the values; the default is 0; in other words
536. words to be made italic</i>
<em>equivalent syntax</em>
<u>words to underline</u>
<tt>Shown in fixed width font</tt>
<span style="...">Uses CSS formatting</span>
<span class="...">Uses predefined style</span>
<div style="...">Uses CSS formatting</div>
<div class="...">Uses predefined style</div>

Hypertext
<a href="url">Link text to click on</a>
<img src="url">
<img src="url" /> (XHTML equivalent)

For more details about HTML syntax and detailed examples of its use, consult an HTML tutorial or reference guide.

Standard HTML Styles

Dell Networking W-ClearPass Guest defines standard CSS classes you can use to provide consistent formatting within the user interface. Examples of these styles are given below.

[Figure: examples of the standard styles, showing headings, paragraph text in the nwaImportant and nwaError styles, and a table in the nwaContent style with cells and headings in the nwaBody, nwaHighlight, nwaSelectedHighlight, nwaSelected, nwaLeft, nwaRight, nwaUsername, nwaPassword and nwaBottom styles]

Table 25: Formatting Classes
Class Name | Applies To | Description
Used when you want to lay out
537. ws per page.
• To view details for an active session, click the session's row in the list, then click its Show Details link. The form expands to include the Session Details view.

[Screenshot: Session Details view, showing Username, IP Address, NAS, NAS IP Address, NAS Port Type, Calling Station ID, Called Station ID, Service Type, Session ID, Session Upload, Session Download, Session End and Termination Cause]

• If the NAS equipment has RFC 3576 support, you can disconnect or dynamically reauthorize active sessions. See RFC 3576 Dynamic Authorization on page 61 for more information.

To disconnect an active session, click the session's row in the list, then click its Disconnect link. A message is displayed to show that the disconnect is in progress and acknowledge when it is complete.

To reauthorize a session that was disconnected, click the session's row in the list, then click its Reauthorize link. The Reauthorize Session form opens. Click Reauthorize Session. A message is displayed to show that the disconnect is in progress and acknowledge when it is complete.

[Screenshot: Reauthorize Session form, with a Radius CoA field (the reauthorization profile to be applied for this session) and a Reauthorize Session button]
538. y Access, Full Access, or Custom access. The default in all cases is No Access. This means that you must select the appropriate privileges in order for the profile to work. See Operator Profile Privileges on page 246 for details about the available access levels for each privilege. If you choose the Custom setting for an item, the form expands to include additional privileges specific to that item.
3. The User Roles list allows you to specify which user databases and roles the operator will be able to access.

Form fields shown:
User Roles (the roles listed are Contractor, Guest and Employee): Select the visitor account roles that these operators are permitted to use.
Operator Filter (shown set to No operator filter): Select the default operator filtering to apply to guest accounts.
User Account Filter: Enter a comma-delimited list of field-value pairs to create an account filter.
Session Filter: Enter a comma-delimited list of field-value pairs to create a session filter.
Account Limit: Maximum number of accounts the operator can create. Leave blank for no limit.

If one or more roles are selected, then only those roles will be available for the operator to select from when creating a new guest account. The guest account list is also filtered to show only guest accounts with thes
539. y row, to change the font, delete the current selection and enter the list of fonts to use.
5. To change a color in any of the color fields, click the color sample box to open the color picker. Set a color, then click Select in the color picker for that item. Repeat for each color you want to change.
6. Click Save Configuration.

The default skin used by the ClearPass Guest application is the one that is enabled in the Plugin Manager. To change the default skin globally, navigate to the plugin list and click the Enable link for the skin you would like to use as the default.

When you install a new custom skin, it is automatically enabled and becomes the default skin. If your application's appearance does not automatically change, find the custom plugin in the list, click Configure, and click its Enable link.

If you prefer to use the standard Dell ClearPass skin, navigate to it in the Available Plugins list and click its Enable link.

The default skin is displayed on all visitor pages, and on the login page if no other skin is specified for it. However, you can override this for a particular operator profile, an individual operator, or give the login page a different appearance than the rest of the application. You can also specify a skin for guest self-registration pages.
• To us
540. y template syntax. For a Smarty template syntax description, see Smarty Template Syntax on page 264.
6. To log detailed information in the application log for each stage of the HTTP transaction, mark the check box in the Enable Debug row.
7. To verify the configuration, enter a test message in the Message field and enter the test recipient's mobile phone number in the Recipient field, then click Send Test Message.
8. When all fields are completed appropriately, click Save and Close. The SMS Gateways list is updated with the changes.

Sending an SMS

You are able to send an SMS message if the system has been configured to allow this.

To send an SMS message:
1. Go to Administration > SMS Services > Send SMS. The New SMS Message form opens.

[Screenshot: New SMS Message form, with a Service field (select the service to use when sending the message), a Recipient field (enter the mobile telephone number of the recipient in international format), a Message field (enter the message to send, maximum 160 characters) and a Send Message button]

2. Complete the form by typing in the SMS message and entering the mobile phone number that you are sending the SMS to. The maximum length for the message is 160 characters. If multiple services are available, you may also choose the service to us
541. y views include an ability to filter results. If checked and this field is enabled, it will be included in the search.

You can specify the default properties to use when adding this field to a view. See View Field Editor on page 169 for a description of the view display fields, including the Column Type and Column Format fields.

Default Form Display Properties (these properties control the default user interface displayed for this field)
User Interface (shown set to No user interface): The kind of user interface element to use when entering or editing this field.

You can specify the default properties to use when adding the field to a form. See View Field Editor on page 169 for a list of the available user interface types.

Form Validation Properties (these properties control how the value of this field is checked)
Field Required (check box: Field value must be supplied): Select this option if the field cannot be omitted or left blank.
Initial Value: Value to initialize this field with when the form is first displayed.
Validator (shown set to No validation): The function used to validate the contents of a field.

You can specify the default validation rules that should be applied to this field when it is added to a form. See Form Validation Properties on page 162 in this chapter for further information about form validation properties.

Advanced Properties (these properties control conversion, display and dynamic behaviours)
Adva
542. zation; this will be displayed to the user during the device provisioning process.

Configuring Certificate Properties for Device Provisioning

To specify the properties for certificates issued to devices:
1. Go to Onboard > Provisioning Settings, click the General tab, and scroll to the Certificate Authority row.

Form fields shown:
Certificate Authority (shown set to Local Certificate Authority (Root CA)): Select the certificate authority that will be used to sign profiles and messages.
Validity Period (shown set to 365 days): Maximum validity period for client certificates, in days.
Clock Skew Allowance (shown set to 15 minutes): Amount to pre/post-date certificate validity period, in minutes.
Key Type (shown set to 1024-bit RSA, created by device): Select the type of private key to use for TLS certificates.
Subject Alternative Name (check box: Include device information in TLS client certificates): Store information about the device in the subjectAltName extension of the certificate. Note: Aruba OS version 6.1 or later is required to enable this feature.
Unique Device Credentials (check box: Include the username in unique device credentials): When checked, the username is prefixed to the device's PEAP credentials. This unique set of credentials is used to identify the user and device on the network.

2. The Certificate Authority drop-down list can be used to select a different certificate authority. By default, there is only a single certificate authority.
3. Use