Home » Dell Manuals » Hubs & Switches » Dell Powerconnect W-ClearPass Virtual Appliances » Manual Viewer

Dell Powerconnect W-ClearPass Virtual Appliances W-ClearPass Guest 6.0 Deploym - Page 108

Table 18, bit RSA - created by server

View all Dell Powerconnect W-ClearPass Virtual Appliances manuals

Add to My Manuals
Save this manual to your list of manuals

Page 108 highlights

l The "not valid before" time is set to the current time, less the clock skew allowance. l The "not valid after" time is first calculated as the earliest of the following: l The current time, plus the maximum validity period. l The expiration time of the user account for whom the device certificate is being issued. l The "not valid after" time is then increased by the clock skew allowance. 5. The Key Type drop-down list specifies the type of private key that should be created when issuing a new certificate. You can select one of these options: l 1024-bit RSA - created by device: Lower security. Uses SCEP to provision the EAP-TLS certificate. l 2048-bit RSA - created by device: Recommended for general use. Uses SCEP to provision the EAP-TLS certificate. l 1024-bit RSA - created by server: Lower security. l 2048-bit RSA - created by server: Recommended for general use. l 4096-bit RSA - created by server: Higher security. NOTE: Using a private key containing more bits will increase security, but will also increase the processing time required to create the certificate and authenticate the device. The additional processing required will also affect the battery life of a mobile device. It is recommended to use the smallest private key size that is feasible for your organization. The "created by device" options use SCEP to provision the EAP-TLS device certificate, so the private key is known only to the device rather than also known by the user. When a "created by device" option is selected, the generated key is used instead of a username/password authentication defined in Network Settings. 6. Mark the Include device information in TLS client certificates check box to include additional fields in the TLS client certificate issued for a device. These fields are stored in the subject alternative name (subjectAltName) of the certificate. Refer to Table 18 for a list of the fields that are stored in the certificate when this option is enabled. Storing additional device information in the client certificate allows for additional authorization checks to be performed during device authentication. NOTE: If you are usinga W-Series Controller to perform EAP-TLS authentication using these client certificates, you must have Aruba OS 6.1 or later to enable this option. Table 18: Device Information Stored in TLS Client Certificates Name Description Device ICCID Integrated Circuit Card Identifier (ICCID) number from the Subscriber Identity Module (SIM) card present in the device. This is only available for devices with GSM (cellular network) capability, where a SIM card has been installed. Device IMEI International Mobile Equipment Identity (IMEI) number allocated to this device. This is only available for devices with GSM (cellular network) capability. Device Serial Serial number of the device. Device Type Type of device, such as "iOS", "Android", etc. Device UDID Unique device identifier (UDID) for this device. This is typically a 64-bit, 128-bit or 160-bit number represented in hexadecimal (16, 32, or 40 OID mdpsDeviceIccid (.4) mdpsDeviceImei (.3) mdpsDeviceSerial (.9) mdpsDeviceType (.1) mdpsDeviceUdid (.2) 108 | Configuring Certificate Properties for Device Provisioning Dell Networking W-ClearPass Guest 6.0 | Deployment Guide

Section	Page
About this Guide	13
Audience	13
Conventions	13
Contacting Support	14
Dell Networking W-ClearPass Guest Overview	15
About Dell Networking W-ClearPass Guest	15
Visitor Access Scenarios	16
Reference Network Diagram	16
Key Interactions	17
AAA Framework	18
Key Features	19
Visitor Management Terminology	20
ClearPass Guest Deployment Process	21
Operational Concerns	21
Network Provisioning	21
Site Preparation Checklist	22
Security Policy Considerations	23
AirGroup Deployment Process	23
Documentation and User Assistance	24
Deployment Guide and Online Help	24
Context-Sensitive Help	24
Field Help	25
Quick Help	25
If You Need More Assistance	25
Use of Cookies	25
Guest Manager	27
Accessing Guest Manager	27
About Guest Management Processes	28
Sponsored Guest Access	28
Self Provisioned Guest Access	28
Using Standard Guest Management Features	29
Creating a Guest Account	29
Creating a Guest Account Receipt	30
Creating Multiple Guest Accounts	30
Creating Multiple Guest Account Receipts	31
Creating a Single Password for Multiple Accounts	32
Managing Guest Accounts	34
Managing Multiple Guest Accounts	38
Importing Guest Accounts	40
Exporting Guest Account Information	43
About CSV and TSV Exports	43
About XML Exports	43
MAC Authentication in ClearPass Guest	44
MAC Address Formats	44
Managing Devices	44
Changing a Device’s Expiration Date	46
Disabling and Deleting Devices	47
Activating a Device	47
Editing a Device	47
Viewing Current Sessions for a Device	49
Viewing and Printing Device Details	49
MAC Creation Modes	49
Creating Devices Manually in ClearPass Guest	50
Creating Devices During Self-Registration - MAC Only	51
Creating Devices During Self-Registration - Paired Accounts	52
AirGroup Device Registration	53
Registering Groups of Devices or Services	53
Registering Personal Devices	55
Automatically Registering MAC Devices in ClearPass Policy Manager	56
Importing MAC Devices	57
Advanced MAC Features	57
2-Factor Authentication	57
MAC-Based Derivation of Role	57
User Detection on Landing Pages	58
Click-Through Login Pages	58
Active Sessions Management	59
Session States	60
RFC 3576 Dynamic Authorization	61
Filtering the List of Active Sessions	61
Disconnecting Multiple Active Sessions	62
Sending Multiple SMS Alerts	63
About SMS Guest Account Receipts	63
Onboard	65
Accessing Onboard	65
About ClearPass Onboard	65
Onboard Deployment Checklist	66
Onboard Feature List	67
Supported Platforms	68
Public Key Infrastructure for Onboard	68
Certificate Hierarchy	69
Certificate Configuration in a Cluster	70
Revoking Unique Device Credentials	70
Revoking Credentials to Prevent Network Access	70
Re-Provisioning a Device	71
Network Requirements for Onboard	71
Using Same SSID for Provisioning and Provisioned Networks	71
Using Different SSID for Provisioning and Provisioned Networks	71
Configuring Online Certificate Status Protocol	72
Configuring Certificate Revocation List (CRL)	72
Network Architecture for Onboard	72
Network Architecture for Onboard when Using ClearPass Guest	74
The ClearPass Onboard Process	75
Devices Supporting Over-the-Air Provisioning	75
Devices Supporting Onboard Provisioning	76
Managing Provisioned Applications	78
Configuring the User Interface for Device Provisioning	79
Customizing the Device Provisioning Web Login Page	79
Using the {nwa_mdps_config} Template Function	80
Configuring the Certificate Authority	81
Setting Up the Certificate Authority	81
Setting Up a Root Certificate Authority	82
Setting Up an Intermediate Certificate Authority	84
Obtaining a Certificate for the Certificate Authority	86
Using Microsoft Active Directory Certificate Services	86
Installing a Certificate Authority’s Certificate	88
Renewing the Certificate Authority’s Certificate	90
Configuring Data Retention Policy for Certificates	90
Uploading Certificates for the Certificate Authority	91
Creating a Certificate	93
Specifying the Identity of the Certificate Subject	93
Issuing the Certificate Request	95
Managing Certificates	95
Searching for Certificates in the List	96
Working with Certificates in the List	97
Working with Certificate Signing Requests	99
Importing a Code-Signing Certificate	101
Importing a Trusted Certificate	103
Requesting a Certificate	104
Providing a Certificate Signing Request in Text Format	104
Providing a Certificate Signing Request File	105
Specifying Certificate Properties	106
Configuring Provisioning Settings	106
Configuring Basic Provisioning Settings	107
Configuring Certificate Properties for Device Provisioning	107
Configuring Revocation Checks and Authorization	109
Configuring Provisioning Settings for iOS and OS X	110
Configuring Instructions for iOS and OS X	111
Configuring Reconnect Behavior for iOS and OS X	111
Configuring Provisioning Settings for Legacy OS X Devices	112
Configuring Provisioning Settings for Windows Devices	113
Configuring Provisioning Settings for Android Devices	114
Configuring Options for Legacy OS X, Windows, and Android Devices	116
Configuring Network Settings for Device Provisioning	117
Configuring Basic Network Access Settings	118
Configuring 802.1X Authentication Network Settings	120
Configuring Device Authentication Settings	121
Configuring Mutual Authentication Settings	122
Configuring Trust Settings Automatically	122
Configuring Trust Settings Manually	123
Configuring Windows-Specific Network Settings	124
Configuring Proxy Settings	125
Configuring an iOS Device VPN Connection	125
Configuring an iOS Device Email Account	127
Configuring an iOS Device Passcode Policy	129
Resetting Onboard Certificates and Configuration	130
Onboard Troubleshooting	131
Configuration	133
Accessing Configuration	133
Configuring ClearPass Guest Authentication	134
Content Manager	134
Uploading Content	135
Downloading Content	135
Additional Content Actions	136
Customizing Guest Manager	137
Default Settings for Account Creation	137
About Fields, Forms, and Views	141
Business Logic for Account Creation	141
Verification Properties	141
Basic User Properties	141
Visitor Account Activation Properties	142
Visitor Account Expiration Properties	142
Other Properties	143
Standard Forms and Views	143
Customizing Fields	145
Creating a Custom Field	145
Duplicating a Field	147
Editing a Field	147
Deleting a Field	147
Displaying Forms that Use a Field	147
Displaying Views that Use a Field	147
Customizing AirGroup Registration Forms	147
Configuring the Shared Locations and Shared Role Fields	147
Example:	149
Customizing Forms and Views	150
Editing Forms and Views	151
Duplicating Forms and Views	151
Editing Forms	152
Form Field Editor	152
Form Validation Properties	162
Examples of Form field Validation	163
Advanced Form Field Properties	165
Form Field Validation Processing Sequence	166
Editing Views	169
View Field Editor	169
Customizing Self-Provisioned Access	171
Self-Registration Sequence Diagram	171
Creating a Self-Registration Page	172
Editing Self-Registration Pages	173
Configuring Basic Properties for Self-Registration	174
Using a Parent Page	174
Paying for Access	175
Requiring Operator Credentials	175
Editing Registration Page Properties	176
Editing the Default Self-Registration Form Settings	177
Creating a Single Password for Multiple Accounts	177
Editing Guest Receipt Page Properties	178
Editing Receipt Actions	178
Enabling Sponsor Confirmation for Role Selection	179
Editing Download and Print Actions for Guest Receipt Delivery	181
Editing Email Delivery of Guest Receipts	181
Editing SMS Delivery of Guest Receipts	182
Enabling and Editing NAS Login Properties	183
Editing Login Page Properties	184
Self-Service Portal Properties	186
Resetting Passwords with the Self-Service Portal	187
Email Receipts and SMTP Services	189
About Email Receipts	189
Configuring Email Receipts	190
Email Receipt Options	190
About Customizing SMTP Email Receipt Fields	192
Customizing Print Templates	194
Creating New Print Templates	194
Print Template Wizard	196
Modifying Wizard-Generated Templates	196
Setting Print Template Permissions	197
Customize SMS Receipt	198
SMS Receipt Fields	199
Configuring Access Code Logins	199
Customize Random Username and Passwords	199
Create the Print Template	199
Customize the Guest Accounts Form	201
Create the Access Code Guest Accounts	201
Hotspot Manager	203
Accessing Hotspot Manager	203
About Hotspot Management	203
Managing the Hotspot Sign-up Interface	204
Captive Portal Integration	205
Web Site Look-and-Feel	206
SMS Services	206
Managing Hotspot Plans	206
Editing or Creating a Hotspot Plan	207
Managing Transaction Processors	209
Creating a New Transaction Processor	209
Managing Existing Transaction Processors	210
Managing Customer Information	210
Managing Hotspot Invoices	210
Customizing the User Interface	211
Customizing Visitor Sign-Up Page One	212
Customizing Visitor Sign-Up Page Two	212
Customizing Visitor Sign-Up Page Three	215
Viewing the Hotspot User Interface	217
Administration	219
AirGroup Services	220
Configuring the AirGroup Services Plugin	220
Creating AirGroup Administrators	221
Creating AirGroup Operators	221
Authenticating AirGroup Users via LDAP	221
Data Retention	221
Import Configuration	222
Plugin Manager	223
Viewing Available Plugins	223
Configuring Plugins	224
Configuring the Kernel Plugin	225
Configuring the Dell W-ClearPass Skin Plugin	226
Configuring the SMS Services Plugin	227
SMS Services	228
Viewing SMS Gateways	228
Creating a New SMS Gateway	229
Editing an SMS Gateway	231
Sending an SMS	232
About SMS Credits	233
About SMS Guest Account Receipts	233
SMS Receipt Options	234
Working with the SMTP Carrier List	234
Support Services	236
Viewing the Application Log	237
Exporting the Application Log	238
Contacting Support	239
Viewing Documentation	239
Operator Logins	241
Accessing Operator Logins	241
About Operator Logins	241
Role-Based Access Control for Multiple Operator Profiles	242
Operator Profiles	242
Creating an Operator Profile	242
Configuring the User Interface	245
Customizing Forms and Views	245
Operator Profile Privileges	246
Managing Operator Profiles	247
Configuring AirGroup Operator Device Limit	247
Local Operator Authentication	247
Creating a New Operator	248
External Operator Authentication	248
Manage LDAP Operator Authentication Servers	249
Creating an LDAP Server	249
Advanced LDAP URL Syntax	251
Viewing the LDAP Server List	251
LDAP Operator Server Troubleshooting	252
Testing Connectivity	252
Testing Operator Login Authentication	252
Looking Up Sponsor Names	253
Troubleshooting Error Messages	253
LDAP Translation Rules	254
Custom LDAP Translation Processing	256
Operator Logins Configuration	257
Custom Login Message	258
Advanced Operator Login Options	259
Automatic Logout	259
Reference	261
Basic HTML Syntax	261
Standard HTML Styles	262
Smarty Template Syntax	264
Basic Template Syntax	264
Text Substitution	264
Template File Inclusion	264
Comments	264
Variable Assignment	264
Conditional Text Blocks	264
Script Blocks	265
Repeated Text Blocks	265
Foreach Text Blocks	265
Modifiers	266
Predefined Template Functions	266
dump	266
nwa_commandlink	267
nwa_iconlink	267
nwa_icontext	268
nwa_quotejs	269
nwa_radius_query	269
ChangeToRole()	270
GetCallingStationCurrentSession()	270
GetCallingStationSessions()	270
GetCallingStationTime()	270
GetCallingStationTraffic()	271
GetCurrentSession()	271
GetIpAddressCurrentSession()	272
GetIpAddressSessions()	272
GetIpAddressTime()	272
GetIpAddressTraffic()	272
GetSessions()	273
GetSessionTimeRemaining()	273
GetTime()	273
GetTraffic()	274
GetUserActiveSessions()	274
GetUserActiveSessionCount()	274
GetUserCumulativeUsage()	274
GetUserCurrentSession()	274
GetUserFirstLoginTime()	274
GetUserSessions()	275
GetUserTraffic()	275
Advanced Developer Reference	275
nwa_assign	275
nwa_bling	275
nwa_makeid	276
nwa_nav	276
nwa_plugin	277
nwa_privilege	278
nwa_replace	278
nwa_text	278
nwa_userpref	279
nwa_youtube	279
Date/Time Format Syntax	279
nwadateformat Modifier	279
nwatimeformat Modifier	280
Date/Time Format String Reference	281
Programmer’s Reference	282
NwaAlnumPassword	282
NwaBoolFormat	282
NwaByteFormat	283
NwaByteFormatBase10	283
NwaComplexPassword	283
NwaCsvCache	283
NwaDigitsPassword($len)	283
NwaDynamicLoad	283
NwaGeneratePictureString	283
NwaGenerateRandomPasswordMix	284
NwaLettersDigitsPassword	284
NwaLettersPassword	284
NwaMoneyFormat	284
NwaParseCsv	284
NwaParseXml	285
NwaPasswordByComplexity	285
NwaSmsIsValidPhoneNumber	286
NwaStrongPassword	286
NwaVLookup	286
NwaWordsPassword	287
Field, Form, and View Reference	287
GuestManager Standard Fields	287
Hotspot Standard Fields	294
SMS Services Standard Fields	295
SMTP Services Standard Fields	296
Format Picture String Symbols	297
Form Field Validation Functions	298
Form Field Conversion Functions	301
Form Field Display Formatting Functions	301
View Display Expression Technical Reference	303
LDAP Standard Attributes for User Class	304
Regular Expressions	305
Glossary	307

Match case Limit results 1 per page

108

| Configuring Certificate Properties for Device Provisioning

Dell Networking W-ClearPass Guest 6.0 | Deployment Guide

The “not valid before” time is set to the current time, less the clock skew allowance.

The “not valid after” time is first calculated as the earliest of the following:

The current time, plus the maximum validity period.

The expiration time of the user account for whom the device certificate is being issued.

The “not valid after” time is then increased by the clock skew allowance.

The

Key Type

drop-down list specifies the type of private key that should be created when issuing a new

certificate. You can select one of these options:

1024-bit RSA – created by device

: Lower security. Uses SCEP to provision the EAP-TLS certificate.

2048-bit RSA – created by device

: Recommended for general use. Uses SCEP to provision the EAP-TLS

certificate.

1024-bit RSA – created by server

: Lower security.

2048-bit RSA – created by server

: Recommended for general use.

4096-bit RSA – created by server

: Higher security.

NOTE: Using a private key containing more bits will increase security, but will also increase the processing time required to create

the certificate and authenticate the device. The additional processing required will also affect the battery life of a mobile device. It

is recommended to use the smallest private key size that is feasible for your organization. The “created by device” options use SCEP

to provision the EAP-TLS device certificate, so the private key is known only to the device rather than also known by the user. When

a “created by device” option is selected, the generated key is used instead of a username/password authentication defined in

Network Settings.

Mark the

Include device information in TLS client certificates

check box to include additional fields in the

TLS client certificate issued for a device. These fields are stored in the subject alternative name

(subjectAltName) of the certificate. Refer to

Table 18

for a list of the fields that are stored in the certificate

when this option is enabled.

Storing additional device information in the client certificate allows for additional authorization checks to be

performed during device authentication.

NOTE: If you are usinga W-Series Controller to perform EAP-TLS authentication using these client certificates, you must have Aruba

OS 6.1 or later to enable this option.

Name

Description

OID

Device ICCID

Integrated Circuit Card Identifier (ICCID) number from the Subscriber

Identity Module (SIM) card present in the device. This is only available

for devices with GSM (cellular network) capability, where a SIM card

has been installed.

mdpsDeviceIccid (.4)

Device IMEI

International Mobile Equipment Identity (IMEI) number allocated to this

device. This is only available for devices with GSM (cellular network)

capability.

mdpsDeviceImei (.3)

Device Serial

Serial number of the device.

mdpsDeviceSerial (.9)

Device Type

Type of device, such as “iOS”, “Android”, etc.

mdpsDeviceType (.1)

Device UDID

Unique device identifier (UDID) for this device. This is typically a 64-bit,

128-bit or 160-bit number represented in hexadecimal (16, 32, or 40

mdpsDeviceUdid (.2)

Table 18:

Device Information Stored in TLS Client Certificates