Home » Dell Manuals » Hubs & Switches » Dell PowerConnect W Clearpass 100 Software » Manual Viewer

Dell PowerConnect W Clearpass 100 Software 3.7 Deployment Guide - Page 217

Importing MAC Devices, Advanced MAC Features, 2-Factor Authentication, MAC-Based Derivation of Role

View all Dell PowerConnect W Clearpass 100 Software manuals

Add to My Manuals
Save this manual to your list of manuals

Page 217 highlights

Importing MAC Devices The standard Guests > Import Guests supports importing MAC devices. At a minimum the following two columns are required: mac and mac_auth. mac_auth,mac,notes 1,aa:aa:aa:aa:aa:aa,Device A 1,bb:bb:bb:bb:bb:bb,Device B 1,cc:cc:cc:cc:cc:cc,Device C Any of the other standard fields can be added similar to importing regular guests. Advanced MAC Features 2-Factor Authentication 2-factor authentication checks against both credentials and the MAC address on record. Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice you would probably add mac as a text field to the create_user form. When mac is enabled in a self-registration it will be included in the account as long as mac is passed in the URL. Relying on self-registration may defeat the purpose of two-factor authentication, however. The 2-factors are performed as follows: 1. Regular RADIUS authentication using username and password 2. Role checks the user account mac against the passed Calling-Station-Id. Edit the user role and the attribute for Reply-Message or Aruba-User-Role. Adjust the condition from Always to Enter conditional expression. return !MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) && AccessReject(); There is an alternative syntax where you keep the condition at Always and instead adjust the Value.

Section	Page
Amigopod 3.7	1
Contents	3
Figures	13
Tables	15
Amigopod Visitor Management Appliance	17
About this Manual	17
Documentation Conventions	17
Documentation Overview	18
Getting Support	19
Field Help	19
Quick Help	19
Context-Sensitive Help	19
Searching Help	19
If You Need More Assistance	20
Management Overview	21
Visitor Access Scenarios	21
Reference Network Diagram	22
Key Interactions	22
AAA Framework	23
Key Features	25
Visitor Management Terminology	27
Deployment Process	28
Security Policy Considerations	28
Operational Concerns	28
Network Provisioning	28
Site Preparation Checklist	29
Setup Guide	31
Hardware Appliance Setup	31
Default Network Configuration	31
Virtual Appliance Setup	32
VMware Workstation or VMware Player	32
VMware ESXi	32
Accessing the Console User Interface	33
Console Login	33
Console User Interface Functions	33
Accessing the Graphical User Interface	34
Setup Wizard	34
Login Screen	35
Amigopod License Agreement	35
Set Administrator Password	36
Set System Hostname	36
Configure Network Interfaces	37
Configure HTTP Proxy	38
Configure SMTP Mail Settings	39
Configure SNMP	40
Configure Server Time and Time Zone	40
Configure Default RADIUS NAS Vendor Type	41
RADIUS Network Access Servers	42
Configure Amigopod Subscription ID	42
Install Subscription Updates	43
Setup Complete	44
RADIUS Services	45
Accessing RADIUS Services	45
Server Control	45
RADIUS Log Snapshot	45
Debug RADIUS Server	46
Viewing Failed Authentications	46
Server Configuration	47
Example: Removing a User-Name Suffix	49
Removing a variable-length suffix	49
Example: Correcting the NAS-IP-Address Attribute	49
Example: Adding a Reply-Message to an Access-Reject Packet	49
User Roles	49
Creating a User Role	50
Role Attributes	51
Attribute Tags	52
Attribute Authorization Conditions	52
Example: Time of Day Conditions	52
Example: Time-Based Authorization	53
Example: Accounting-Based Authorization	53
Attribute Value Expressions	54
Example: Using Request Attributes in a Value Expression	54
Example: Location-Specific VLAN Assignment	54
Network Access Servers	55
Creating a Network Access Server Entry	55
Importing a List of Network Access Servers	57
Web Logins	59
Creating a Web Login Page	60
Universal Access Method (UAM) Password Encryption	65
NAS Redirect Parameters	65
NAS Login Parameters	66
Using Web Login Parameters	66
Apple Captive Network Assistant Bypass with Amigopod	67
Solution Implementation	69
Captive Portal Profile Configuration	70
Database Lists	71
Database Maintenance Tasks	72
Dictionary	72
Import Dictionary	73
Export Dictionary	73
Reset Dictionary	73
Vendors	73
Creating a New Vendor	74
Edit Vendor	74
Delete Vendor	74
Export Vendor	74
Vendor-Specific Attributes	74
Add a Vendor-Specific Attribute (VSA)	75
Edit Vendor-Specific Attribute	76
Delete Vendor-Specific Attribute	76
Add Attribute Value	76
Edit Attribute Value	76
Delete Attribute Value	77
EAP and 802.1X Authentication	77
Specifying Supported EAP Types	78
Creating a Server Certificate and Self-Signed Certificate Authority	79
Creating the Certificate Signing Request	80
Signing RADIUS Server Certificate	81
Installing the Self-Signed RADIUS Server Certificate	81
Requesting a Certificate from a Certificate Authority	81
Importing a Server Certificate	82
Installing a Server Certificate from a Certificate Authority	83
Installing an Imported Server Certificate	83
Exporting Server Certificates	83
PEAP Sample Configuration	83
Importing a Root Certificate – Microsoft Windows Vista and Windows 7	84
Active Directory Domain Services	88
Joining an Active Directory Domain	88
Testing Active Directory User Authentication	90
Configuring Active Directory Domain Authentication	90
Leaving an Active Directory Domain	91
External Authentication Servers	91
Types of External Authentication Server	91
Managing External Authentication Servers	92
Configuring Properties for External Authentication Servers	92
Configuring an Active Directory External Authentication Server	93
Configuring an LDAP External Authentication Server	96
Configuring a Proxy RADIUS External Authentication Server	98
Configuring a Local Certificate Authority External Authentication Server	98
Configuring Authorization for External Authentication Servers	99
About Authorization Methods in External Authentication Servers	101
Testing External Authentication Servers	104
Testing a Local Certificate Authority External Authentication Server	104
Managing Certificates for External Authentication Servers	106
Operator Logins	109
Accessing Operator Logins	109
About Operator Logins	109
Role-Based Access Control for Multiple Operator Profiles	109
Operator Profiles	110
Creating an Operator Profile	110
Operator Profile Privileges	114
Managing Operator Profiles	115
Local Operator Authentication	115
Creating a New Operator	116
Viewing All Operator Logins	117
Changing Operator Passwords	119
LDAP Operator Authentication	119
Manage LDAP Servers	119
Creating an LDAP Server	119
Advanced LDAP URL Syntax	122
Viewing the LDAP Server List	122
LDAP Operator Server Troubleshooting	123
Testing Connectivity	123
Testing Operator Login Authentication	123
Looking Up Sponsor Names	124
Troubleshooting Error Messages	124
LDAP Translation Rules	125
Custom LDAP Translation Processing	127
Operator Logins Configuration	129
Custom Login Message	129
Operator Password Options	130
Advanced Operator Login Options	131
Automatic Logout	131
Guest Management	133
Accessing Guest Manager	133
About Guest Management Processes	133
Sponsored Guest Access	134
Self Provisioned Guest Access	134
Standard Guest Management Features	135
Creating a Guest Account	135
Creating a Guest Account Receipt	136
Creating Multiple Guest Accounts	137
Creating Multiple Guest Account Receipts	138
Managing Guest Accounts	139
Managing Multiple Guest Accounts	142
Importing Guest Accounts	144
Exporting Guest Account Information	148
Guest Manager Customization	148
Default Settings for Account Creation	149
About Fields, Forms, and Views	153
Business Logic for Account Creation	153
Verification Properties	153
Basic User Properties	153
Visitor Account Activation Properties	154
Visitor Account Expiration Properties	155
Other Properties	155
Account Expiration Types	155
Standard Fields	156
Standard Forms and Views	156
Customization of Fields	157
Creating a Custom Field	158
Duplicating a Field	159
Editing a Field	159
Deleting a Field	159
Displaying Forms that Use a Field	159
Displaying Views that Use a Field	159
Customization of Forms and Views	160
Editing Forms and Views	160
Duplicating Forms and Views	160
Editing Forms	161
Form Field Editor	162
Form Display Properties	162
Form Validation Properties	172
Examples of Form field Validation	173
Advanced Form Field Properties	175
Form Field Validation Processing Sequence	176
Editing Views	179
View Field Editor	180
Customizing Self Provisioned Access	181
Self-Registration Sequence Diagram	181
Creating a Self-Registration Page	182
Editing Self-Registration Pages	183
Basic Properties for Self-Registration	184
Using a Parent Page	184
Paying for Access	185
Requiring Operator Credentials	185
Registration Page Properties	186
Default Self-Registration Form Settings	187
Receipt Page Properties	188
Receipt Actions	189
Download and Print Actions	189
Email Delivery of Receipts	190
SMS Delivery of Receipts	190
NAS Login Properties	191
Login Page Properties	192
Self-Service Portal Properties	193
Resetting Passwords with the Self-Service Portal	195
Customizing Print Templates	196
Creating New Print Templates	197
Print Template Wizard	198
Modifying Wizard-Generated Templates	199
Setting Print Template Permissions	199
Configuring Access Code Logins	200
Customize Random Username and Passwords	200
Create the Print Template	201
Customize the Guest Accounts Form	202
Create Access Code Guest Accounts	202
MAC Authentication on Amigopod	204
MAC Address Formats	204
Managing Devices	205
Changing a Device’s Expiration Date	206
Disabling and Deleting Devices	207
Activating a Device	208
Editing a Device	208
Viewing Current Sessions for a Device	210
Viewing and Printing Device Details	210
MAC Creation Modes	210
Creating Devices Manually in Amigopod	210
Creating Devices During Guest Self-Registration - MAC Only	212
Creating Devices During Guest Self-Registration - Paired Accounts	213
Accounting-Based MAC Authentication	214
Importing MAC Devices	217
Advanced MAC Features	217
2-Factor Authentication	217
MAC-Based Derivation of Role	217
User Detection on Landing Pages	217
Click-Through Login Pages	218
Active Sessions Management	218
Session States	220
RFC 3576 Dynamic Authorization	220
Filtering the List of Active Sessions	221
Managing Multiple Active Sessions	221
Closing All Stale Sessions Immediately	222
Closing All Stale Sessions and Specifying a Duration	222
Closing Specified Open Sessions	223
Disconnecting or Reauthorizing Active Sessions	225
Sending Multiple SMS Alerts	226
SMS Services	227
Configuring SMS Gateways	227
Sending an SMS	228
About SMS Credits	229
About SMS Guest Account Receipts	229
SMS Receipt Options	230
Customize SMS Receipt	232
SMS Receipt Fields	233
SMTP Services	234
Configuring SMTP Services	234
About Email Receipts	234
Email Receipt Options	236
SMTP Receipt Fields	238
Report Management	241
Accessing Reporting Manager	241
Viewing Reports	241
Running and Managing Reports	242
Viewing the Most Recent Report	242
Report History	242
Previewing the Report	242
Run Default	242
Run	243
Edit a report	243
Delete a Report	244
Duplicate a Report	244
Permissions	244
Exporting Report Definitions	246
Importing report Definitions	247
Resetting Report Definitions	247
About Custom Reports	248
Data Sources	249
Binning	249
Binning Example – Time Measurements	249
Groups	250
Statistics from Classification Groups	251
Components of the Report Editor	251
Report Type	252
Report Parameters	253
Parameter User Interface Editing	255
Data Source	256
Select Fields	257
Source Filters	259
Classification Groups	261
Statistics and Metrics	263
Output Series	266
Output Series Fields	267
Output Filters	268
Presentation Options	270
Chart Presentations	270
Table Presentations	271
Text Presentations	271
Final Report	272
Creating Reports	272
Creating the Report – Step 1	273
Creating the Report – Step 2	273
Creating Sample Reports	274
Report Based on Modifying an Existing Report	274
Report Created from Report Manager using Create New Report	275
Report Created by Duplicating an Existing Report	277
Report Troubleshooting	279
Report Preview with Debugging	279
Troubleshooting Tips	280
Administrator Tasks	281
Accessing Administrator	281
Network Setup	281
Automatic Network Diagnostics	282
System Hostname	282
Network Interfaces	283
Changing Network Interface Settings	284
About default gateway settings	286
Managing Static Routes	287
Creating a Tunnel Network Interface	287
Creating a VLAN Interface	288
Managing VLAN Interfaces	289
Creating a Secondary Network Interface	290
Login Access Control	291
Network Diagnostic Tools	292
Network Diagnostics – Packet Capturing	294
Network Hosts	296
HTTP Proxy Configuration	297
SNMP Configuration	297
Supported MIBs	299
SMTP Configuration	300
SSL Certificate	301
Requesting an SSL Certificate	301
Installing an SSL Certificate	302
Displaying the Current SSL Certificate	304
Backup and Restore	305
Backing Up Appliance Configuration	305
Scheduling Automatic Backups	306
Restoring a Backup	308
Content Manager	309
Uploading Content	310
Downloading Content	310
Additional Content Actions	311
Security Manager	311
Performing a Security Audit	311
Reviewing Security Audit Results	312
Changing Network Security Settings	312
Resetting the Root Password	313
Notifications	313
OS Updates	314
Manual Operating System Updates	314
Reviewing the Operating System Update Log	314
Determining Installed Operating System Packages	315
Plugin Manager	315
Managing Subscriptions	316
Viewing Available Plugins	316
Adding or Updating New Plugins	317
Configuring Plugin Update Notifications	318
Configuring Plugins	318
Configuring the Amigopod Kernel Plugin	319
Configuring the Amigopod Skin Plugin	320
Server Time	321
System Control	323
Changing System Configuration Parameters	323
System Log Configuration	323
Log Rotation: Configuring Data Retention	324
Log Collector: Storing Incoming Syslog Messages	324
Facility: Redirecting Application Log Messages	325
Managing Data Retention	326
Changing Database Configuration Parameters	328
Changing Web Application Configuration	329
Changing Web Server Configuration	330
System Information	330
Adding Disk Space	331
System Log	333
Filtering the System Log	333
Exporting the System Log	334
Viewing the Application Log	334
Searching the Application Log	335
Exporting the Application Log	335
Hotspot Manager	337
Manage Hotspot Sign-up	338
Captive Portal Integration	339
Look and Feel	339
SMS Services	339
Hotspot Plans	339
Modifying an Existing Plan	340
Creating New Plans	341
Managing Transaction Processors	341
Creating a New Transaction Processor	342
Managing Existing Transaction Processors	342
Managing Customer Information	342
Managing Hotspot Invoice	342
Customize User Interface	343
Customize Page One	344
Customize Page Two	344
Customize Page Three	346
View Hotspot User Interface	346
High Availability Services	347
Accessing High Availability	347
About High Availability Systems	347
Terminology & Concepts	347
Network Architecture	348
Deploying an SSL Certificate	349
Normal Cluster Operation	349
Failure Detection	349
Database Replication	349
Configuration Replication	350
Primary Node Failure	351
Secondary Node Failure	351
Email Notification	352
Cluster Status	352
Cluster Setup	353
Prepare Primary Node	354
Prepare Secondary Node	356
Cluster initialization	356
Cluster Deployment	357
Cluster Maintenance	357
Recovering From a Failure	358
Recovering From a Temporary Outage	358
Recovering From a Hardware Failure	359
Performing Scheduled Maintenance	359
Updating Plugins	360
Destroying a Cluster	360
Cluster Troubleshooting	360
Reference	363
Basic HTML Syntax	363
Standard HTML Styles	364
Smarty Template Syntax	365
Basic Template Syntax	365
Text Substitution	365
Template File Inclusion	365
Comments	366
Variable Assignment	366
Conditional Text Blocks	366
Script Blocks	366
Repeated Text Blocks	366
Foreach Text Blocks	367
Modifiers	367
Predefined Template Functions	368
dump	368
nwa_commandlink	368
nwa_iconlink	369
nwa_icontext	369
nwa_quotejs	370
nwa_radius_query	370
Advanced Developer Reference	372
nwa_assign	372
nwa_bling	372
nwa_makeid	373
nwa_nav	373
nwa_plugin	374
nwa_privilege	375
nwa_replace	375
nwa_text	375
nwa_userpref	375
nwa_youtube	376
Date/Time Format Syntax	376
nwadateformat Modifier	376
nwatimeformat Modifier	377
Date/Time Format String Reference	378
Programmer’s Reference	379
NwaAlnumPassword	379
NwaBoolFormat	379
NwaByteFormat	379
NwaByteFormatBase10	379
NwaComplexPassword	379
NwaCsvCache	379
NwaDigitsPassword($len)	380
NwaDynamicLoad	380
NwaGeneratePictureString	380
NwaGenerateRandomPasswordMix	380
NwaLettersDigitsPassword	380
NwaLettersPassword	380
NwaMoneyFormat	380
NwaParseCsv	381
NwaParseXml	382
NwaPasswordByComplexity	382
NwaSmsIsValidPhoneNumber	382
NwaStrongPassword	382
NwaVLookup	383

Match case Limit results 1 per page

Amigopod 3.7

Deployment Guide

Guest Management

217

Importing MAC Devices

The standard

Guests > Import Guests

supports importing MAC devices. At a minimum the following two

columns are required:

mac

and

mac_auth

mac_auth,mac,notes

1,aa:aa:aa:aa:aa:aa,Device A

1,bb:bb:bb:bb:bb:bb,Device B

1,cc:cc:cc:cc:cc:cc,Device C

Any of the other standard fields can be added similar to importing regular guests.

Advanced MAC Features

2-Factor Authentication

2-factor authentication checks against both credentials and the MAC address on record.

Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice you

would probably add

mac

as a text field to the

create_user

form. When

mac

is enabled in a self-registration

it will be included in the account as long as

mac

is passed in the URL. Relying on self-registration may

defeat the purpose of two-factor authentication, however.

The 2-factors are performed as follows:

Regular RADIUS authentication using username and password

Role checks the user account mac against the passed Calling-Station-Id.

Edit the user role and the attribute for

Reply-Message

Aruba-User-Role

. Adjust the condition from

Always

Enter conditional expression

return !MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) && AccessReject();

There is an alternative syntax where you keep the condition at

Always

and instead adjust the

Value

<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? $role["name"] :

AccessReject()

<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : AccessReject()

MAC-Based Derivation of Role

Depending on whether the MAC address matches a registered value, you can also adjust which role is

returned. The controller must be configured with the appropriate roles and the reply attributes mapping to

them as expected.

Edit the

Value

of the attribute within the role returning the role to the controller.

If you are on the registered MAC, apply the

Employee

role, otherwise set them as

Guest

<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : 'Guest'

This can be expanded if you create multiple MAC fields. Navigate to

Customize > Fields

and duplicate

mac

. Rename it as mac_byod and then add it to the 'create_user and guest_edit forms. In this example the

account has a registered employee device under mac, and a registered BYOD device under mac_byod.

<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac_byod']) ? 'BYOD' :

(MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : 'Guest')

User Detection on Landing Pages

When

mac

is passed in the redirect URL, the user is detected and a customized message displays on the

landing page.