Home » Dell Manuals » Hubs & Switches » Dell PowerConnect W Clearpass 100 Software » Manual Viewer

Dell PowerConnect W Clearpass 100 Software 3.9 Deployment Guide - Page 54

Revoking Credentials to Prevent Network Access, Re-Provisioning a Device, Working with Certificates

View all Dell PowerConnect W Clearpass 100 Software manuals

Add to My Manuals
Save this manual to your list of manuals

Page 54 highlights

To disable network access for a device, revoke the TLS client certificate provisioned to the device. See "Working with Certificates". Note: Revoking access for a device is only possible when using an enterprise network. Personal (PSK) networks do not support this capability. Revoking Credentials to Prevent Network Access Revoking a device's certificate will also prevent the device from being re-provisioned. This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate. To reprovision the device, the revoked certificate must be deleted. If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate authority to update the certificate's state. When the certificate is next used for authentication, it will be recognized as a revoked certificate and the device will be denied access. Note: When using EAP-TLS authentication, you must configure your authentication server to use either OCSP or CRL to check the revocation status of a client certificate. OCSP is recommended as it offers a realtime status update for certificates. If the device is provisioned with PEAP unique device credentials, revoking the certificate will automatically delete the unique username and password associated with the device. When this username is next used for authentication, it will not be recognized as valid and the device will be denied access. Note: OCSP and CRL are not used when using PEAP unique device credentials. The Onboard server automatically updates the status of the username when the device's client certificate is revoked. Re-Provisioning a Device Because "bring your own" devices are not under the complete control of the network administrator, it is possible for unexpected configuration changes to occur on a provisioned device. For example, the user may delete the configuration profile containing the settings for the provisioned network, instruct the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all the configuration on the device. When these events occur, the user will not be able to access the provisioned network and will need to reprovision their device. The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action (such as connecting to the appropriate network). If this is not possible, the user may choose to restart the provisioning process and re-provision the device. Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these credentials are still valid. If the TLS client certificate has expired then the device will be issued a new certificate. This enables reprovisioning to occur on a regular basis. If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked certificate must be deleted before the device is able to be provisioned. 54 | Onboard ClearPass Guest 3.9 | Deployment Guide

Section	Page
ClearPass Guest 3.9	1
Contents	3
Figures	15
Tables	17
ClearPass Guest	19
About this Manual	19
Documentation Conventions	19
Documentation Overview	20
Getting Support	21
Field Help	21
Quick Help	21
Context-Sensitive Help	21
Searching Help	21
If You Need More Assistance	22
Management Overview	23
Visitor Access Scenarios	23
Reference Network Diagram	24
Key Interactions	24
AAA Framework	25
Key Features	27
Visitor Management Terminology	29
Deployment Process	30
Security Policy Considerations	30
Operational Concerns	30
Network Provisioning	30
Site Preparation Checklist	31
Setup Guide	33
Hardware Appliance Setup	33
Default Network Configuration	33
Setting Up the Virtual Appliance	34
VMware Workstation or VMware Player	34
VMware ESXi	34
Accessing the Console User Interface	35
Console Login	35
Console User Interface Functions	36
Accessing the Graphical User Interface	37
Initial Configuraton Using the Setup Wizard	37
Logging In	37
Accepting the ClearPass Guest License Agreement	38
Setting the Administrator Password	38
Setting the System Hostname	39
Configuring Network Interfaces	40
Configuring HTTP Proxy Settings	41
Configuring SMTP Mail Settings	42
Configuring SNMP Settings	42
Configuring Server Time and Time Zone	43
Configuring the Default RADIUS NAS Vendor Type	44
Defining RADIUS Network Access Servers	44
Configuring the ClearPass Guest Subscription ID	45
Installing Subscription Updates	46
Setup Completion	47
Onboard	49
About ClearPass Onboard	49
Onboard Deployment Checklist	49
Onboard Feature List	51
Supported Platforms	51
Public Key Infrastructure for Onboard	52
Certificate Hierarchy	52
Revoking Unique Device Credentials	53
Revoking Credentials to Prevent Network Access	54
Re-Provisioning a Device	54
Network Requirements for Onboard	55
Using the Same SSID for the Provisioning and Provisioned Networks	55
Using a Different SSID for the Provisioning and Provisioned Networks	55
Configuring the Online Certificate Status Protocol for the Provisioned Network	55
Configuring a Certificate Revocation List (CRL) for the Provisioned Network	56
Network Architecture for Onboard	56
Network Architecture for Onboard when Using ClearPass Guest	57
The ClearPass Onboard Process	58
Devices Supporting Over-the-Air Provisioning	58
Devices Supporting Onboard Provisioning	61
Accessing Onboard	64
Configuring the User Interface for Device Provisioning	64
Customizing the Device Provisioning Web Login Page	65
Using the {nwa_mdps_config} Template Function	66
Configuring ClearPass Servers for Device Provisioning	66
Configuring the Certificate Authority	68
Setting Up the Certificate Authority	69
Setting Up a Root Certificate Authority	70
Setting Up an Intermediate Certificate Authority	72
Obtaining a Certificate for the Certificate Authority	74
Using Microsoft Active Directory Certificate Services	74
Installing a Certificate Authority’s Certificate	77
Renewing the Certificate Authority’s Certificate	78
Configuring Data Retention Policy for Certificates	79
Uploading Certificates for the Certificate Authority	79
Viewing the Certificate Authority’s Trust Chain	79
Creating a Certificate	80
Specifying the Identity of the Certificate Subject	81
Issuing the Certificate Request	82
Managing Certificates	82
Searching for Certificates	83
Working with Certificates	83
Working with Certificate Signing Requests	85
Requesting a Certificate	87
Providing a Certificate Signing Request in Text Format	87
Providing a Certificate Signing Request File	88
Specifying Certificate Properties	89
Configuring Provisioning Settings	89
Configuring Basic Provisioning Settings	90
Configuring Certificate Properties for Device Provisioning	90
Configuring Provisioning Settings for iOS and OS X	93
Configuring Provisioning Settings for Mac OS X, Windows, and Android Devices	94
Configuring User Interface Options for Mac OS X, Windows, and Android Devices	96
Configuring Authorization Settings for Device Provisioning	96
Configuring Network Settings for Device Provisioning	97
Configuring Basic Network Access Settings	97
Configuring 802.1X Authentication Network Settings	99
Configuring Device Authentication Settings	100
Configuring Mutual Authentication Settings	100
Configuring Windows-Specific Network Settings	102
Configuring Proxy Settings	102
Configuring Post-Installation Instructions	103
Configuring an iOS Device VPN Connection	104
Configuring an iOS Device Email Account	106
Configuring an iOS Device Passcode Policy	108
Resetting Onboard Certificates and Configuration	110
Advanced: Device Authentication During Provisioning	110
Onboard Troubleshooting	111
iOS Device Provisioning Failures	112
RADIUS Services	113
Accessing RADIUS Services	113
Server Control	113
RADIUS Log Snapshot	113
Debug RADIUS Server	114
Viewing Failed Authentications	114
Server Configuration	115
Example: Removing a User-Name Suffix	117
Removing a Variable-Length Suffix	117
Example: Correcting the NAS-IP-Address Attribute	117
Example: Adding a Reply-Message to an Access-Reject Packet	117
User Roles	117
Creating a User Role	118
Adding Role Attributes	119
Defining Attribute Tags	120
Adding Authorization Conditions to Attribute Definitions	120
Example: Time of Day Conditions	121
Example: Time-Based Authorization	121
Example: Accounting-Based Authorization	121
Calculating Attribute Value Expressions	122
Example: Using Request Attributes in a Value Expression	122
Example: Location-Specific VLAN Assignment	123
Configuring MAC Caching During User Authentication	123
Network Access Servers	124
Creating a Network Access Server Entry	125
Importing a List of Network Access Servers	126
Web Logins	128
Creating a Web Login Page	129
Universal Access Method (UAM) Password Encryption	134
NAS Redirect Parameters	134
NAS Login Parameters	135
Using Web Login Parameters	135
Apple Captive Network Assistant Bypass with ClearPass Guest	136
Solution Implementation	138
Captive Portal Profile Configuration	139
Database Lists	140
Database Maintenance Tasks	141
Dictionary	141
Import Dictionary	142
Export Dictionary	142
Reset Dictionary	142
Vendors	143
Creating a New Vendor	143
Edit Vendor	143
Delete Vendor	143
Export Vendor	143
Vendor-Specific Attributes	144
Add a Vendor-Specific Attribute (VSA)	144
Edit Vendor-Specific Attribute	144
Delete Vendor-Specific Attribute	145
Add Attribute Value	145
Editing Attribute Value	145
Deleting Attribute Value	146
EAP and 802.1X Authentication and Certificate Management	146
Specifying Supported EAP Types	147
Creating a Server Certificate and Self-Signed Certificate Authority	148
Creating the Certificate Signing Request	149
Signing RADIUS Server Certificate	150
Installing the Self-Signed RADIUS Server Certificate	150
Requesting a Certificate from a Certificate Authority	150
Importing a Server Certificate	151
Installing a Server Certificate from a Certificate Authority	152
Installing an Imported Server Certificate	152
Exporting Server Certificates	152
PEAP Sample Configuration	152
Importing a Root Certificate – Windows Vista and Windows 7	153
Active Directory Domain Services	157
Joining an Active Directory Domain	158
Testing Active Directory User Authentication	159
Configuring Active Directory Domain Authentication	160
Leaving an Active Directory Domain	160
External Authentication Servers (EAS)	161
Types of External Authentication Server	161
Managing External Authentication Servers	162
Configuring Properties for External Authentication Servers	162
Configuring an Active Directory EAS	163
Configuring an LDAP EAS	166
Configuring a Proxy RADIUS EAS	168
Configuring a Local Certificate Authority EAS	169
Configuring Authorization for External Authentication Servers	170
About Authorization Methods in External Authentication Servers	171
Testing External Authentication Servers	174
Testing a Local Certificate Authority EAS	175
Managing Certificates for External Authentication Servers	176
Operator Logins	179
Accessing Operator Logins	179
About Operator Logins	179
Role-Based Access Control for Multiple Operator Profiles	179
Operator Profiles	180
Creating an Operator Profile	180
Configuring the User Interface	184
Customizing Forms and Views	185
Operator Profile Privileges	186
Managing Operator Profiles	186
Local Operator Authentication	187
Creating a New Operator	187
Viewing All Operator Logins	188
Changing Operator Passwords	190
LDAP Operator Authentication	190
Manage LDAP Servers	190
Creating an LDAP Server	190
Advanced LDAP URL Syntax	193
Viewing the LDAP Server List	193
LDAP Operator Server Troubleshooting	194
Testing Connectivity	194
Testing Operator Login Authentication	194
Looking Up Sponsor Names	195
Troubleshooting Error Messages	195
LDAP Translation Rules	196
Custom LDAP Translation Processing	198
Operator Logins Configuration	200
Custom Login Message	200
Operator Password Options	201
Advanced Operator Login Options	202
Automatic Logout	202
Guest Management	203
Accessing Guest Manager	203
About Guest Management Processes	203
Sponsored Guest Access	204
Self Provisioned Guest Access	204
Standard Guest Management Features	205
Creating a Guest Account	205
Creating a Guest Account Receipt	206
Creating Multiple Guest Accounts	207
Creating Multiple Guest Account Receipts	208
Creating a Single Password for Multiple Accounts	209
Managing Guest Accounts	211
Managing Multiple Guest Accounts	214
Importing Guest Accounts	216
Exporting Guest Account Information	220
Guest Manager Customization	220
Default Settings for Account Creation	221
About Fields, Forms, and Views	225
Business Logic for Account Creation	225
Verification Properties	225
Basic User Properties	225
Visitor Account Activation Properties	226
Visitor Account Expiration Properties	227
Other Properties	227
Account Expiration Types	227
Standard Fields	228
Standard Forms and Views	228
Customization of Fields	229
Creating a Custom Field	230
Duplicating a Field	231
Editing a Field	231
Deleting a Field	231
Displaying Forms that Use a Field	231
Displaying Views that Use a Field	232
Customization of Forms and Views	232
Editing Forms and Views	232
Duplicating Forms and Views	233
Editing Forms	233
Form Field Editor	234
Form Display Properties	235
Form Validation Properties	245
Examples of Form field Validation	246
Advanced Form Field Properties	248
Form Field Validation Processing Sequence	249
Editing Views	252
View Field Editor	253
Customizing Self Provisioned Access	254
Self-Registration Sequence Diagram	254
Creating a Self-Registration Page	255
Editing Self-Registration Pages	256
Configuring Basic Properties for Self-Registration	257
Using a Parent Page	258
Paying for Access	258
Requiring Operator Credentials	258
Editing Registration Page Properties	259
Editing the Default Self-Registration Form Settings	260
Editing Guest Receipt Page Properties	261
Editing Receipt Actions	262
Enabling Sponsor Confirmation for Role Selection	262
Editing Download and Print Actions for Guest Receipt Delivery	264
Editing Email Delivery of Guest Receipts	264
Editing SMS Delivery of Guest Receipts	265
Enabling and Editing NAS Login Properties	266
Editing Login Page Properties	267
Self-Service Portal Properties	268
Resetting Passwords with the Self-Service Portal	270
Customizing Print Templates	271
Creating New Print Templates	272
Print Template Wizard	273
Modifying Wizard-Generated Templates	274
Setting Print Template Permissions	274
Configuring Access Code Logins	275
Customize Random Username and Passwords	276
Create the Print Template	276
Customize the Guest Accounts Form	277
Create Access Code Guest Accounts	278
MAC Authentication in ClearPass Guest	279
MAC Address Formats	279
Managing Devices	280
Changing a Device’s Expiration Date	281
Disabling and Deleting Devices	282
Activating a Device	283
Editing a Device	283
Viewing Current Sessions for a Device	285
Viewing and Printing Device Details	285
MAC Creation Modes	285
Creating Devices Manually in ClearPass Guest	285
Creating Devices During Guest Self-Registration - MAC Only	287
Creating Devices During Guest Self-Registration - Paired Accounts	288
Accounting-Based MAC Authentication	289
Automatically Registering MAC Devices in ClearPass Policy Manager	292
Importing MAC Devices	292
Advanced MAC Features	293
2-Factor Authentication	293
MAC-Based Derivation of Role	293
User Detection on Landing Pages	293
Click-Through Login Pages	294
Active Sessions Management	294
Session States	295
RFC 3576 Dynamic Authorization	296
Filtering the List of Active Sessions	296
Managing Multiple Active Sessions	297
Closing All Stale Sessions Immediately	297
Closing All Stale Sessions and Specifying a Duration	297
Closing Specified Open Sessions	299
Disconnecting or Reauthorizing Active Sessions	300
Sending Multiple SMS Alerts	301
SMS Services	302
Configuring SMS Gateways	302
Sending an SMS	304
About SMS Credits	305
About SMS Guest Account Receipts	305
SMS Receipt Options	306
Customize SMS Receipt	308
SMS Receipt Fields	309
SMTP Services	310
Configuring SMTP Services	310
About Email Receipts	310
Email Receipt Options	312
SMTP Receipt Fields	314
Report Management	317
Accessing Reporting Manager	317
Viewing Reports	317
Running and Managing Reports	318
Viewing the Most Recent Report	318
Report History	318
Previewing the Report	318
Run Default	318
Run	319
Edit a report	319
Delete a Report	320
Duplicate a Report	320
Permissions	320
Exporting Report Definitions	322
Importing report Definitions	323
Resetting Report Definitions	323
About Custom Reports	324
Data Sources	325
Binning	325
Binning Example – Time Measurements	325
Groups	326
Statistics from Classification Groups	327
Components of the Report Editor	327
Report Type	328
Report Parameters	329
Parameter User Interface Editing	331
Data Source	332
Select Fields	333
Source Filters	335
Classification Groups	337
Statistics and Metrics	339
Output Series	342
Output Series Fields	343
Output Filters	344
Presentation Options	346
Chart Presentations	346
Table Presentations	347
Text Presentations	347
Final Report	348
Creating Reports	348
Creating the Report – Step 1	349
Creating the Report – Step 2	349
Creating Sample Reports	350
Report Based on Modifying an Existing Report	350
Report Created from Report Manager using Create New Report	351
Report Created by Duplicating an Existing Report	353
Report Troubleshooting	355
Report Preview with Debugging	355
Troubleshooting Tips	356
Administrator Tasks	357
Accessing Administrator	357
Network Setup	357
Configuring Integration with Other ClearPass Servers	358
Automatic Network Diagnostics	360
Viewing or Setting System Hostname	361
Viewing Network Interface Settings	361
Changing Network Interface Settings	362
About Default Gateway Settings	364
Managing Static Routes	365
Creating a Tunnel Network Interface	365
Creating a VLAN Interface	366
Managing VLAN Interfaces	367
Creating a Secondary Network Interface	368
Login Access Control	369
Network Diagnostic Tools	370
Network Diagnostics – Packet Capturing	372
Network Hosts	374
HTTP Proxy Configuration	375
SNMP Configuration	375
Supported MIBs	377
SMTP Configuration	378
SSL Certificate	379
Requesting an SSL Certificate	379
Installing an SSL Certificate	380
Displaying the Current SSL Certificate	382
Backup and Restore	383
Backing Up Appliance Configuration	383
Scheduling Automatic Backups	384
Restoring a Backup	386
Content Manager	387
Uploading Content	388
Downloading Content	389
Additional Content Actions	389
Security Manager	389
Performing a Security Audit	390
Reviewing Security Audit Results	390
Changing Network Security Settings	391
Resetting the Root Password	391
Notifications	391
OS Updates	392
Manual Operating System Updates	392
Reviewing the Operating System Update Log	392
Determining Installed Operating System Packages	393
Plugin Manager	393
Managing Subscriptions	394
Viewing Available Plugins	394
Adding or Updating New Plugins	395
Configuring Plugin Update Notifications	396
Configuring Plugins	396
Configuring the Kernel Plugin	397
Configuring the Aruba ClearPass Skin Plugin	398
Server Time	399
System Control	401
Changing System Configuration Parameters	401
System Log Configuration	401
Log Rotation: Configuring Data Retention	402
Log Collector: Storing Incoming Syslog Messages	402
Facility: Redirecting Application Log Messages	403
Managing Data Retention	404
Changing Database Configuration Parameters	406
Changing Web Application Configuration	407
Changing Web Server Configuration	408
System Information	408
Adding Disk Space	409
System Log	411
Filtering the System Log	411
Exporting the System Log	412
Viewing the Application Log	412
Searching the Application Log	413
Exporting the Application Log	413
Hotspot Manager	415
Manage Hotspot Sign-up	416
Captive Portal Integration	417
Look and Feel	417
SMS Services	417
Hotspot Plans	417
Modifying an Existing Plan	418
Creating New Plans	419
Managing Transaction Processors	419
Creating a New Transaction Processor	420
Managing Existing Transaction Processors	420
Managing Customer Information	420
Managing Hotspot Invoice	420
Customize User Interface	421
Customize Page One	422
Customize Page Two	422
Customize Page Three	424
View Hotspot User Interface	424
High Availability Services	425
Accessing High Availability	425
About High Availability Systems	425
Terminology & Concepts	425
Network Architecture	426
Deploying an SSL Certificate	427
Normal Cluster Operation	427

Match case Limit results 1 per page

Onboard

ClearPass Guest 3.9

Deployment Guide

To disable network access for a device, revoke the TLS client certificate provisioned to the device. See

“Working with Certificates”

Note:

Revoking access for a device is only possible when using an enterprise network. Personal (PSK)

networks do not support this capability.

Revoking Credentials to Prevent Network Access

This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate. To re-

provision the device, the revoked certificate must be deleted.

If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the

certificate authority to update the certificate’s state. When the certificate is next used for authentication, it

will be recognized as a revoked certificate and the device will be denied access.

Note:

When using EAP-TLS authentication, you must configure your authentication server to use either

OCSP or CRL to check the revocation status of a client certificate. OCSP is recommended as it offers a real-

time status update for certificates.

If the device is provisioned with PEAP unique device credentials, revoking the certificate will automatically

delete the unique username and password associated with the device. When this username is next used for

authentication, it will not be recognized as valid and the device will be denied access.

Note:

OCSP and CRL are not used when using PEAP unique device credentials. The Onboard server

automatically updates the status of the username when the device’s client certificate is revoked.

Re-Provisioning a Device

Because “bring your own” devices are not under the complete control of the network administrator, it is

possible for unexpected configuration changes to occur on a provisioned device.

For example, the user may delete the configuration profile containing the settings for the provisioned

network, instruct the device to forget the provisioned network settings, or reset the device to factory

defaults and destroy all the configuration on the device.

When these events occur, the user will not be able to access the provisioned network and will need to re-

provision their device.

The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable

action (such as connecting to the appropriate network). If this is not possible, the user may choose to

restart the provisioning process and re-provision the device.

Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these

credentials are still valid.

If the TLS client certificate has expired then the device will be issued a new certificate. This enables re-

provisioning to occur on a regular basis.

If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The

revoked certificate must be deleted before the device is able to be provisioned.

Revoking a device’s certificate will also prevent the device from being re-provisioned.