Home » Dell Manuals » Hubs & Switches » Dell Powerconnect W-ClearPass Virtual Appliances » Manual Viewer

Dell Powerconnect W-ClearPass Virtual Appliances W-ClearPass Guest 6.0 Deploym - Page 57

Importing MAC Devices, Advanced MAC Features, 2-Factor Authentication, MAC-Based Derivation of Role

View all Dell Powerconnect W-ClearPass Virtual Appliances manuals

Add to My Manuals
Save this manual to your list of manuals

Page 57 highlights

3. In the Policy Manager row, mark the check box to register the guest's MAC address with ClearPass Policy Manager. The Advanced row is added to the form. 4. In the Advanced row, mark the check box to enable advanced options in ClearPass Policy Manager. The Endpoint Attributes row is added to the form. 5. In the Endpoint Attributes row, enter name|value pairs for the user fields and Endpoint Attributes to be passed. 6. Click Save Changes to complete this configuration and continue with other tasks, or click Save and Reload to proceed to Policy Manager and apply the network settings. Importing MAC Devices The standard Guest > Import Accounts form supports importing MAC devices. At a minimum the following two columns are required: mac and mac_auth. mac_auth,mac,notes 1,aa:aa:aa:aa:aa:aa,Device A 1,bb:bb:bb:bb:bb:bb,Device B 1,cc:cc:cc:cc:cc:cc,Device C Any of the other standard fields can be added similar to importing regular guests. Advanced MAC Features 2-Factor Authentication 2-factor authentication checks against both credentials and the MAC address on record. Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice you would probably add mac as a text field to the create_user form. When mac is enabled in a self-registration it will be included in the account as long as mac is passed in the URL. Relying on self-registration may defeat the purpose of two-factor authentication, however. The 2-factors are performed as follows: 1. Regular RADIUS authentication using username and password 2. Role checks the user account mac against the passed Calling-Station-Id. Edit the user role and the attribute for Reply-Message or Aruba-User-Role. Adjust the condition from Always to Enter conditional expression. return !MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) && AccessReject(); There is an alternative syntax where you keep the condition at Always and instead adjust the Value.

Section	Page
About this Guide	13
Audience	13
Conventions	13
Contacting Support	14
Dell Networking W-ClearPass Guest Overview	15
About Dell Networking W-ClearPass Guest	15
Visitor Access Scenarios	16
Reference Network Diagram	16
Key Interactions	17
AAA Framework	18
Key Features	19
Visitor Management Terminology	20
ClearPass Guest Deployment Process	21
Operational Concerns	21
Network Provisioning	21
Site Preparation Checklist	22
Security Policy Considerations	23
AirGroup Deployment Process	23
Documentation and User Assistance	24
Deployment Guide and Online Help	24
Context-Sensitive Help	24
Field Help	25
Quick Help	25
If You Need More Assistance	25
Use of Cookies	25
Guest Manager	27
Accessing Guest Manager	27
About Guest Management Processes	28
Sponsored Guest Access	28
Self Provisioned Guest Access	28
Using Standard Guest Management Features	29
Creating a Guest Account	29
Creating a Guest Account Receipt	30
Creating Multiple Guest Accounts	30
Creating Multiple Guest Account Receipts	31
Creating a Single Password for Multiple Accounts	32
Managing Guest Accounts	34
Managing Multiple Guest Accounts	38
Importing Guest Accounts	40
Exporting Guest Account Information	43
About CSV and TSV Exports	43
About XML Exports	43
MAC Authentication in ClearPass Guest	44
MAC Address Formats	44
Managing Devices	44
Changing a Device’s Expiration Date	46
Disabling and Deleting Devices	47
Activating a Device	47
Editing a Device	47
Viewing Current Sessions for a Device	49
Viewing and Printing Device Details	49
MAC Creation Modes	49
Creating Devices Manually in ClearPass Guest	50
Creating Devices During Self-Registration - MAC Only	51
Creating Devices During Self-Registration - Paired Accounts	52
AirGroup Device Registration	53
Registering Groups of Devices or Services	53
Registering Personal Devices	55
Automatically Registering MAC Devices in ClearPass Policy Manager	56
Importing MAC Devices	57
Advanced MAC Features	57
2-Factor Authentication	57
MAC-Based Derivation of Role	57
User Detection on Landing Pages	58
Click-Through Login Pages	58
Active Sessions Management	59
Session States	60
RFC 3576 Dynamic Authorization	61
Filtering the List of Active Sessions	61
Disconnecting Multiple Active Sessions	62
Sending Multiple SMS Alerts	63
About SMS Guest Account Receipts	63
Onboard	65
Accessing Onboard	65
About ClearPass Onboard	65
Onboard Deployment Checklist	66
Onboard Feature List	67
Supported Platforms	68
Public Key Infrastructure for Onboard	68
Certificate Hierarchy	69
Certificate Configuration in a Cluster	70
Revoking Unique Device Credentials	70
Revoking Credentials to Prevent Network Access	70
Re-Provisioning a Device	71
Network Requirements for Onboard	71
Using Same SSID for Provisioning and Provisioned Networks	71
Using Different SSID for Provisioning and Provisioned Networks	71
Configuring Online Certificate Status Protocol	72
Configuring Certificate Revocation List (CRL)	72
Network Architecture for Onboard	72
Network Architecture for Onboard when Using ClearPass Guest	74
The ClearPass Onboard Process	75
Devices Supporting Over-the-Air Provisioning	75
Devices Supporting Onboard Provisioning	76
Managing Provisioned Applications	78
Configuring the User Interface for Device Provisioning	79
Customizing the Device Provisioning Web Login Page	79
Using the {nwa_mdps_config} Template Function	80
Configuring the Certificate Authority	81
Setting Up the Certificate Authority	81
Setting Up a Root Certificate Authority	82
Setting Up an Intermediate Certificate Authority	84
Obtaining a Certificate for the Certificate Authority	86
Using Microsoft Active Directory Certificate Services	86
Installing a Certificate Authority’s Certificate	88
Renewing the Certificate Authority’s Certificate	90
Configuring Data Retention Policy for Certificates	90
Uploading Certificates for the Certificate Authority	91
Creating a Certificate	93
Specifying the Identity of the Certificate Subject	93
Issuing the Certificate Request	95
Managing Certificates	95
Searching for Certificates in the List	96
Working with Certificates in the List	97
Working with Certificate Signing Requests	99
Importing a Code-Signing Certificate	101
Importing a Trusted Certificate	103
Requesting a Certificate	104
Providing a Certificate Signing Request in Text Format	104
Providing a Certificate Signing Request File	105
Specifying Certificate Properties	106
Configuring Provisioning Settings	106
Configuring Basic Provisioning Settings	107
Configuring Certificate Properties for Device Provisioning	107
Configuring Revocation Checks and Authorization	109
Configuring Provisioning Settings for iOS and OS X	110
Configuring Instructions for iOS and OS X	111
Configuring Reconnect Behavior for iOS and OS X	111
Configuring Provisioning Settings for Legacy OS X Devices	112
Configuring Provisioning Settings for Windows Devices	113
Configuring Provisioning Settings for Android Devices	114
Configuring Options for Legacy OS X, Windows, and Android Devices	116
Configuring Network Settings for Device Provisioning	117
Configuring Basic Network Access Settings	118
Configuring 802.1X Authentication Network Settings	120
Configuring Device Authentication Settings	121
Configuring Mutual Authentication Settings	122
Configuring Trust Settings Automatically	122
Configuring Trust Settings Manually	123
Configuring Windows-Specific Network Settings	124
Configuring Proxy Settings	125
Configuring an iOS Device VPN Connection	125
Configuring an iOS Device Email Account	127
Configuring an iOS Device Passcode Policy	129
Resetting Onboard Certificates and Configuration	130
Onboard Troubleshooting	131
Configuration	133
Accessing Configuration	133
Configuring ClearPass Guest Authentication	134
Content Manager	134
Uploading Content	135
Downloading Content	135
Additional Content Actions	136
Customizing Guest Manager	137
Default Settings for Account Creation	137
About Fields, Forms, and Views	141
Business Logic for Account Creation	141
Verification Properties	141
Basic User Properties	141
Visitor Account Activation Properties	142
Visitor Account Expiration Properties	142
Other Properties	143
Standard Forms and Views	143
Customizing Fields	145
Creating a Custom Field	145
Duplicating a Field	147
Editing a Field	147
Deleting a Field	147
Displaying Forms that Use a Field	147
Displaying Views that Use a Field	147
Customizing AirGroup Registration Forms	147
Configuring the Shared Locations and Shared Role Fields	147
Example:	149
Customizing Forms and Views	150
Editing Forms and Views	151
Duplicating Forms and Views	151
Editing Forms	152
Form Field Editor	152
Form Validation Properties	162
Examples of Form field Validation	163
Advanced Form Field Properties	165
Form Field Validation Processing Sequence	166
Editing Views	169
View Field Editor	169
Customizing Self-Provisioned Access	171
Self-Registration Sequence Diagram	171
Creating a Self-Registration Page	172
Editing Self-Registration Pages	173
Configuring Basic Properties for Self-Registration	174
Using a Parent Page	174
Paying for Access	175
Requiring Operator Credentials	175
Editing Registration Page Properties	176
Editing the Default Self-Registration Form Settings	177
Creating a Single Password for Multiple Accounts	177
Editing Guest Receipt Page Properties	178
Editing Receipt Actions	178
Enabling Sponsor Confirmation for Role Selection	179
Editing Download and Print Actions for Guest Receipt Delivery	181
Editing Email Delivery of Guest Receipts	181
Editing SMS Delivery of Guest Receipts	182
Enabling and Editing NAS Login Properties	183
Editing Login Page Properties	184
Self-Service Portal Properties	186
Resetting Passwords with the Self-Service Portal	187
Email Receipts and SMTP Services	189
About Email Receipts	189
Configuring Email Receipts	190
Email Receipt Options	190
About Customizing SMTP Email Receipt Fields	192
Customizing Print Templates	194
Creating New Print Templates	194
Print Template Wizard	196
Modifying Wizard-Generated Templates	196
Setting Print Template Permissions	197
Customize SMS Receipt	198
SMS Receipt Fields	199
Configuring Access Code Logins	199
Customize Random Username and Passwords	199
Create the Print Template	199
Customize the Guest Accounts Form	201
Create the Access Code Guest Accounts	201
Hotspot Manager	203
Accessing Hotspot Manager	203
About Hotspot Management	203
Managing the Hotspot Sign-up Interface	204
Captive Portal Integration	205
Web Site Look-and-Feel	206
SMS Services	206
Managing Hotspot Plans	206
Editing or Creating a Hotspot Plan	207
Managing Transaction Processors	209
Creating a New Transaction Processor	209
Managing Existing Transaction Processors	210
Managing Customer Information	210
Managing Hotspot Invoices	210
Customizing the User Interface	211
Customizing Visitor Sign-Up Page One	212
Customizing Visitor Sign-Up Page Two	212
Customizing Visitor Sign-Up Page Three	215
Viewing the Hotspot User Interface	217
Administration	219
AirGroup Services	220
Configuring the AirGroup Services Plugin	220
Creating AirGroup Administrators	221
Creating AirGroup Operators	221
Authenticating AirGroup Users via LDAP	221
Data Retention	221
Import Configuration	222
Plugin Manager	223
Viewing Available Plugins	223
Configuring Plugins	224
Configuring the Kernel Plugin	225
Configuring the Dell W-ClearPass Skin Plugin	226
Configuring the SMS Services Plugin	227
SMS Services	228
Viewing SMS Gateways	228
Creating a New SMS Gateway	229
Editing an SMS Gateway	231
Sending an SMS	232
About SMS Credits	233
About SMS Guest Account Receipts	233
SMS Receipt Options	234
Working with the SMTP Carrier List	234
Support Services	236
Viewing the Application Log	237
Exporting the Application Log	238
Contacting Support	239
Viewing Documentation	239
Operator Logins	241
Accessing Operator Logins	241
About Operator Logins	241
Role-Based Access Control for Multiple Operator Profiles	242
Operator Profiles	242
Creating an Operator Profile	242
Configuring the User Interface	245
Customizing Forms and Views	245
Operator Profile Privileges	246
Managing Operator Profiles	247
Configuring AirGroup Operator Device Limit	247
Local Operator Authentication	247
Creating a New Operator	248
External Operator Authentication	248
Manage LDAP Operator Authentication Servers	249
Creating an LDAP Server	249
Advanced LDAP URL Syntax	251
Viewing the LDAP Server List	251
LDAP Operator Server Troubleshooting	252
Testing Connectivity	252
Testing Operator Login Authentication	252
Looking Up Sponsor Names	253
Troubleshooting Error Messages	253
LDAP Translation Rules	254
Custom LDAP Translation Processing	256
Operator Logins Configuration	257
Custom Login Message	258
Advanced Operator Login Options	259
Automatic Logout	259
Reference	261
Basic HTML Syntax	261
Standard HTML Styles	262
Smarty Template Syntax	264
Basic Template Syntax	264
Text Substitution	264
Template File Inclusion	264
Comments	264
Variable Assignment	264
Conditional Text Blocks	264
Script Blocks	265
Repeated Text Blocks	265
Foreach Text Blocks	265
Modifiers	266
Predefined Template Functions	266
dump	266
nwa_commandlink	267
nwa_iconlink	267
nwa_icontext	268
nwa_quotejs	269
nwa_radius_query	269
ChangeToRole()	270
GetCallingStationCurrentSession()	270
GetCallingStationSessions()	270
GetCallingStationTime()	270
GetCallingStationTraffic()	271
GetCurrentSession()	271
GetIpAddressCurrentSession()	272
GetIpAddressSessions()	272
GetIpAddressTime()	272
GetIpAddressTraffic()	272
GetSessions()	273
GetSessionTimeRemaining()	273
GetTime()	273
GetTraffic()	274
GetUserActiveSessions()	274
GetUserActiveSessionCount()	274
GetUserCumulativeUsage()	274
GetUserCurrentSession()	274
GetUserFirstLoginTime()	274
GetUserSessions()	275
GetUserTraffic()	275
Advanced Developer Reference	275
nwa_assign	275
nwa_bling	275
nwa_makeid	276
nwa_nav	276
nwa_plugin	277
nwa_privilege	278
nwa_replace	278
nwa_text	278
nwa_userpref	279
nwa_youtube	279
Date/Time Format Syntax	279
nwadateformat Modifier	279
nwatimeformat Modifier	280
Date/Time Format String Reference	281
Programmer’s Reference	282
NwaAlnumPassword	282
NwaBoolFormat	282
NwaByteFormat	283
NwaByteFormatBase10	283
NwaComplexPassword	283
NwaCsvCache	283
NwaDigitsPassword($len)	283
NwaDynamicLoad	283
NwaGeneratePictureString	283
NwaGenerateRandomPasswordMix	284
NwaLettersDigitsPassword	284
NwaLettersPassword	284
NwaMoneyFormat	284
NwaParseCsv	284
NwaParseXml	285
NwaPasswordByComplexity	285
NwaSmsIsValidPhoneNumber	286
NwaStrongPassword	286
NwaVLookup	286
NwaWordsPassword	287
Field, Form, and View Reference	287
GuestManager Standard Fields	287
Hotspot Standard Fields	294
SMS Services Standard Fields	295
SMTP Services Standard Fields	296
Format Picture String Symbols	297
Form Field Validation Functions	298
Form Field Conversion Functions	301
Form Field Display Formatting Functions	301
View Display Expression Technical Reference	303
LDAP Standard Attributes for User Class	304
Regular Expressions	305
Glossary	307

Match case Limit results 1 per page

In the

Policy Manager

row, mark the check box to register the guest’s MAC address with ClearPass Policy

Manager. The Advanced row is added to the form.

In the

Advanced

row, mark the check box to enable advanced options in ClearPass Policy Manager. The

Endpoint Attributes row is added to the form.

In the

Endpoint Attributes

row, enter name|value pairs for the user fields and Endpoint Attributes to be passed.

Click

Save Changes

to complete this configuration and continue with other tasks, or click

Save and Reload

proceed to Policy Manager and apply the network settings.

Importing MAC Devices

The standard

Guest > Import Accounts

form supports importing MAC devices. At a minimum the following two

columns are required:

mac

and

mac_auth

mac_auth,mac,notes

1,aa:aa:aa:aa:aa:aa,Device A

1,bb:bb:bb:bb:bb:bb,Device B

1,cc:cc:cc:cc:cc:cc,Device C

Any of the other standard fields can be added similar to importing regular guests.

Advanced MAC Features

2-Factor Authentication

2-factor authentication checks against both credentials and the MAC address on record.

Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice you would

probably add

mac

as a text field to the

create_user

form. When

mac

is enabled in a self-registration it will be

included in the account as long as

mac

is passed in the URL. Relying on self-registration may defeat the purpose of

two-factor authentication, however.

The 2-factors are performed as follows:

Regular RADIUS authentication using username and password

Role checks the user account mac against the passed Calling-Station-Id.

Edit the user role and the attribute for

Reply-Message

Aruba-User-Role

. Adjust the condition from

Always

Enter conditional expression

return !MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) && AccessReject();

There is an alternative syntax where you keep the condition at

Always

and instead adjust the

Value

<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? $role["name"] : AccessReject()

<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : AccessReject()

MAC-Based Derivation of Role

Depending on whether the MAC address matches a registered value, you can also adjust which role is returned. The

controller must be configured with the appropriate roles and the reply attributes mapping to them as expected.

Edit the

Value

of the attribute within the role returning the role to the controller.

If you are on the registered MAC, apply the

Employee

role, otherwise set them as

Guest

<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : 'Guest'

Dell Networking W-ClearPass Guest 6.0 | Deployment Guide

Importing MAC Devices |