Home » Dell Manuals » Hubs & Switches » Dell Powerconnect W-ClearPass Virtual Appliances » Manual Viewer

Dell Powerconnect W-ClearPass Virtual Appliances W-ClearPass Guest 6.0 Deploym - Page 70

Certificate Configuration in a Cluster, Revoking Unique Device Credentials

View all Dell Powerconnect W-ClearPass Virtual Appliances manuals

Add to My Manuals
Save this manual to your list of manuals

Page 70 highlights

Certificate Configuration in a Cluster When you use Onboard in a cluster, you must use one common root certificate authority (CA) to issue all CPPM server certificates for the cluster. This allows the "verified" message in iOS and lets you verify that the CPPM server certificate is valid during EAP-PEAP or EAP-TLS authentication. In a cluster of CPPM servers, devices can be onboarded through any node or authenticated through any node. Each CPPM server has a different certificate, used for both SSL and RADIUS server identity. In the default configuration, these are self-signed certificates-that is, they are not issued by a root CA. This configuration of multiple self-signed certificates will not work for Onboard: Although a single self-signed certificate can be trusted, multiple self-signed certificates are not. There are two ways to configure a common root CA to issue all the CPPM server certificates for a cluster: l Use the Onboard certificate authority. Create a certificate signing request on each CPPM node, sign the certificates using Onboard, and install them in CPPM. You can then onboard devices on any node in the cluster, and can perform secure EAP authentication from a provisioned device to any node in the cluster. l Use a commercial certificate authority to issue CPPM server certificates. Verify that the same root CA is at the top of the trust chain for every server certificate, and that it is the trusted root certificate for Onboard. Provisioning and authentication will then work across the entire cluster. Revoking Unique Device Credentials Because each provisioned device uses unique credentials to access the network, it is possible to disable network access for an individual device. This offers a greater degree of control than traditional user-based authentication - disabling a user's account would impact all devices using those credentials. To disable network access for a device, revoke the TLS client certificate provisioned to the device. See "Working with Certificates in the List " on page 97. NOTE: Revoking access for a device is only possible when using an enterprise network. Personal (PSK) networks do not support this capability. Revoking Credentials to Prevent Network Access NOTE: Revoking a device's certificate will also prevent the device from being re-provisioned. This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate. To re-provision the device, the revoked certificate must be deleted. If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate authority to update the certificate's state. When the certificate is next used for authentication, it will be recognized as a revoked certificate and the device will be denied access. NOTE: When using EAP-TLS authentication, you must configure your authentication server to use either OCSP or CRL to check the revocation status of a client certificate. OCSP is recommended as it offers a real-time status update for certificates. If the device is provisioned with PEAP unique device credentials, revoking the certificate will automatically delete the unique username and password associated with the device. When this username is next used for authentication, it will not be recognized as valid and the device will be denied access. NOTE: OCSP and CRL are not used when using PEAP unique device credentials. The ClearPass Onbord server automatically updates the status of the username when the device's client certificate is revoked. 70 | Certificate Configuration in a Cluster Dell Networking W-ClearPass Guest 6.0 | Deployment Guide

Section	Page
About this Guide	13
Audience	13
Conventions	13
Contacting Support	14
Dell Networking W-ClearPass Guest Overview	15
About Dell Networking W-ClearPass Guest	15
Visitor Access Scenarios	16
Reference Network Diagram	16
Key Interactions	17
AAA Framework	18
Key Features	19
Visitor Management Terminology	20
ClearPass Guest Deployment Process	21
Operational Concerns	21
Network Provisioning	21
Site Preparation Checklist	22
Security Policy Considerations	23
AirGroup Deployment Process	23
Documentation and User Assistance	24
Deployment Guide and Online Help	24
Context-Sensitive Help	24
Field Help	25
Quick Help	25
If You Need More Assistance	25
Use of Cookies	25
Guest Manager	27
Accessing Guest Manager	27
About Guest Management Processes	28
Sponsored Guest Access	28
Self Provisioned Guest Access	28
Using Standard Guest Management Features	29
Creating a Guest Account	29
Creating a Guest Account Receipt	30
Creating Multiple Guest Accounts	30
Creating Multiple Guest Account Receipts	31
Creating a Single Password for Multiple Accounts	32
Managing Guest Accounts	34
Managing Multiple Guest Accounts	38
Importing Guest Accounts	40
Exporting Guest Account Information	43
About CSV and TSV Exports	43
About XML Exports	43
MAC Authentication in ClearPass Guest	44
MAC Address Formats	44
Managing Devices	44
Changing a Device’s Expiration Date	46
Disabling and Deleting Devices	47
Activating a Device	47
Editing a Device	47
Viewing Current Sessions for a Device	49
Viewing and Printing Device Details	49
MAC Creation Modes	49
Creating Devices Manually in ClearPass Guest	50
Creating Devices During Self-Registration - MAC Only	51
Creating Devices During Self-Registration - Paired Accounts	52
AirGroup Device Registration	53
Registering Groups of Devices or Services	53
Registering Personal Devices	55
Automatically Registering MAC Devices in ClearPass Policy Manager	56
Importing MAC Devices	57
Advanced MAC Features	57
2-Factor Authentication	57
MAC-Based Derivation of Role	57
User Detection on Landing Pages	58
Click-Through Login Pages	58
Active Sessions Management	59
Session States	60
RFC 3576 Dynamic Authorization	61
Filtering the List of Active Sessions	61
Disconnecting Multiple Active Sessions	62
Sending Multiple SMS Alerts	63
About SMS Guest Account Receipts	63
Onboard	65
Accessing Onboard	65
About ClearPass Onboard	65
Onboard Deployment Checklist	66
Onboard Feature List	67
Supported Platforms	68
Public Key Infrastructure for Onboard	68
Certificate Hierarchy	69
Certificate Configuration in a Cluster	70
Revoking Unique Device Credentials	70
Revoking Credentials to Prevent Network Access	70
Re-Provisioning a Device	71
Network Requirements for Onboard	71
Using Same SSID for Provisioning and Provisioned Networks	71
Using Different SSID for Provisioning and Provisioned Networks	71
Configuring Online Certificate Status Protocol	72
Configuring Certificate Revocation List (CRL)	72
Network Architecture for Onboard	72
Network Architecture for Onboard when Using ClearPass Guest	74
The ClearPass Onboard Process	75
Devices Supporting Over-the-Air Provisioning	75
Devices Supporting Onboard Provisioning	76
Managing Provisioned Applications	78
Configuring the User Interface for Device Provisioning	79
Customizing the Device Provisioning Web Login Page	79
Using the {nwa_mdps_config} Template Function	80
Configuring the Certificate Authority	81
Setting Up the Certificate Authority	81
Setting Up a Root Certificate Authority	82
Setting Up an Intermediate Certificate Authority	84
Obtaining a Certificate for the Certificate Authority	86
Using Microsoft Active Directory Certificate Services	86
Installing a Certificate Authority’s Certificate	88
Renewing the Certificate Authority’s Certificate	90
Configuring Data Retention Policy for Certificates	90
Uploading Certificates for the Certificate Authority	91
Creating a Certificate	93
Specifying the Identity of the Certificate Subject	93
Issuing the Certificate Request	95
Managing Certificates	95
Searching for Certificates in the List	96
Working with Certificates in the List	97
Working with Certificate Signing Requests	99
Importing a Code-Signing Certificate	101
Importing a Trusted Certificate	103
Requesting a Certificate	104
Providing a Certificate Signing Request in Text Format	104
Providing a Certificate Signing Request File	105
Specifying Certificate Properties	106
Configuring Provisioning Settings	106
Configuring Basic Provisioning Settings	107
Configuring Certificate Properties for Device Provisioning	107
Configuring Revocation Checks and Authorization	109
Configuring Provisioning Settings for iOS and OS X	110
Configuring Instructions for iOS and OS X	111
Configuring Reconnect Behavior for iOS and OS X	111
Configuring Provisioning Settings for Legacy OS X Devices	112
Configuring Provisioning Settings for Windows Devices	113
Configuring Provisioning Settings for Android Devices	114
Configuring Options for Legacy OS X, Windows, and Android Devices	116
Configuring Network Settings for Device Provisioning	117
Configuring Basic Network Access Settings	118
Configuring 802.1X Authentication Network Settings	120
Configuring Device Authentication Settings	121
Configuring Mutual Authentication Settings	122
Configuring Trust Settings Automatically	122
Configuring Trust Settings Manually	123
Configuring Windows-Specific Network Settings	124
Configuring Proxy Settings	125
Configuring an iOS Device VPN Connection	125
Configuring an iOS Device Email Account	127
Configuring an iOS Device Passcode Policy	129
Resetting Onboard Certificates and Configuration	130
Onboard Troubleshooting	131
Configuration	133
Accessing Configuration	133
Configuring ClearPass Guest Authentication	134
Content Manager	134
Uploading Content	135
Downloading Content	135
Additional Content Actions	136
Customizing Guest Manager	137
Default Settings for Account Creation	137
About Fields, Forms, and Views	141
Business Logic for Account Creation	141
Verification Properties	141
Basic User Properties	141
Visitor Account Activation Properties	142
Visitor Account Expiration Properties	142
Other Properties	143
Standard Forms and Views	143
Customizing Fields	145
Creating a Custom Field	145
Duplicating a Field	147
Editing a Field	147
Deleting a Field	147
Displaying Forms that Use a Field	147
Displaying Views that Use a Field	147
Customizing AirGroup Registration Forms	147
Configuring the Shared Locations and Shared Role Fields	147
Example:	149
Customizing Forms and Views	150
Editing Forms and Views	151
Duplicating Forms and Views	151
Editing Forms	152
Form Field Editor	152
Form Validation Properties	162
Examples of Form field Validation	163
Advanced Form Field Properties	165
Form Field Validation Processing Sequence	166
Editing Views	169
View Field Editor	169
Customizing Self-Provisioned Access	171
Self-Registration Sequence Diagram	171
Creating a Self-Registration Page	172
Editing Self-Registration Pages	173
Configuring Basic Properties for Self-Registration	174
Using a Parent Page	174
Paying for Access	175
Requiring Operator Credentials	175
Editing Registration Page Properties	176
Editing the Default Self-Registration Form Settings	177
Creating a Single Password for Multiple Accounts	177
Editing Guest Receipt Page Properties	178
Editing Receipt Actions	178
Enabling Sponsor Confirmation for Role Selection	179
Editing Download and Print Actions for Guest Receipt Delivery	181
Editing Email Delivery of Guest Receipts	181
Editing SMS Delivery of Guest Receipts	182
Enabling and Editing NAS Login Properties	183
Editing Login Page Properties	184
Self-Service Portal Properties	186
Resetting Passwords with the Self-Service Portal	187
Email Receipts and SMTP Services	189
About Email Receipts	189
Configuring Email Receipts	190
Email Receipt Options	190
About Customizing SMTP Email Receipt Fields	192
Customizing Print Templates	194
Creating New Print Templates	194
Print Template Wizard	196
Modifying Wizard-Generated Templates	196
Setting Print Template Permissions	197
Customize SMS Receipt	198
SMS Receipt Fields	199
Configuring Access Code Logins	199
Customize Random Username and Passwords	199
Create the Print Template	199
Customize the Guest Accounts Form	201
Create the Access Code Guest Accounts	201
Hotspot Manager	203
Accessing Hotspot Manager	203
About Hotspot Management	203
Managing the Hotspot Sign-up Interface	204
Captive Portal Integration	205
Web Site Look-and-Feel	206
SMS Services	206
Managing Hotspot Plans	206
Editing or Creating a Hotspot Plan	207
Managing Transaction Processors	209
Creating a New Transaction Processor	209
Managing Existing Transaction Processors	210
Managing Customer Information	210
Managing Hotspot Invoices	210
Customizing the User Interface	211
Customizing Visitor Sign-Up Page One	212
Customizing Visitor Sign-Up Page Two	212
Customizing Visitor Sign-Up Page Three	215
Viewing the Hotspot User Interface	217
Administration	219
AirGroup Services	220
Configuring the AirGroup Services Plugin	220
Creating AirGroup Administrators	221
Creating AirGroup Operators	221
Authenticating AirGroup Users via LDAP	221
Data Retention	221
Import Configuration	222
Plugin Manager	223
Viewing Available Plugins	223
Configuring Plugins	224
Configuring the Kernel Plugin	225
Configuring the Dell W-ClearPass Skin Plugin	226
Configuring the SMS Services Plugin	227
SMS Services	228
Viewing SMS Gateways	228
Creating a New SMS Gateway	229
Editing an SMS Gateway	231
Sending an SMS	232
About SMS Credits	233
About SMS Guest Account Receipts	233
SMS Receipt Options	234
Working with the SMTP Carrier List	234
Support Services	236
Viewing the Application Log	237
Exporting the Application Log	238
Contacting Support	239
Viewing Documentation	239
Operator Logins	241
Accessing Operator Logins	241
About Operator Logins	241
Role-Based Access Control for Multiple Operator Profiles	242
Operator Profiles	242
Creating an Operator Profile	242
Configuring the User Interface	245
Customizing Forms and Views	245
Operator Profile Privileges	246
Managing Operator Profiles	247
Configuring AirGroup Operator Device Limit	247
Local Operator Authentication	247
Creating a New Operator	248
External Operator Authentication	248
Manage LDAP Operator Authentication Servers	249
Creating an LDAP Server	249
Advanced LDAP URL Syntax	251
Viewing the LDAP Server List	251
LDAP Operator Server Troubleshooting	252
Testing Connectivity	252
Testing Operator Login Authentication	252
Looking Up Sponsor Names	253
Troubleshooting Error Messages	253
LDAP Translation Rules	254
Custom LDAP Translation Processing	256
Operator Logins Configuration	257
Custom Login Message	258
Advanced Operator Login Options	259
Automatic Logout	259
Reference	261
Basic HTML Syntax	261
Standard HTML Styles	262
Smarty Template Syntax	264
Basic Template Syntax	264
Text Substitution	264
Template File Inclusion	264
Comments	264
Variable Assignment	264
Conditional Text Blocks	264
Script Blocks	265
Repeated Text Blocks	265
Foreach Text Blocks	265
Modifiers	266
Predefined Template Functions	266
dump	266
nwa_commandlink	267
nwa_iconlink	267
nwa_icontext	268
nwa_quotejs	269
nwa_radius_query	269
ChangeToRole()	270
GetCallingStationCurrentSession()	270
GetCallingStationSessions()	270
GetCallingStationTime()	270
GetCallingStationTraffic()	271
GetCurrentSession()	271
GetIpAddressCurrentSession()	272
GetIpAddressSessions()	272
GetIpAddressTime()	272
GetIpAddressTraffic()	272
GetSessions()	273
GetSessionTimeRemaining()	273
GetTime()	273
GetTraffic()	274
GetUserActiveSessions()	274
GetUserActiveSessionCount()	274
GetUserCumulativeUsage()	274
GetUserCurrentSession()	274
GetUserFirstLoginTime()	274
GetUserSessions()	275
GetUserTraffic()	275
Advanced Developer Reference	275
nwa_assign	275
nwa_bling	275
nwa_makeid	276
nwa_nav	276
nwa_plugin	277
nwa_privilege	278
nwa_replace	278
nwa_text	278
nwa_userpref	279
nwa_youtube	279
Date/Time Format Syntax	279
nwadateformat Modifier	279
nwatimeformat Modifier	280
Date/Time Format String Reference	281
Programmer’s Reference	282
NwaAlnumPassword	282
NwaBoolFormat	282
NwaByteFormat	283
NwaByteFormatBase10	283
NwaComplexPassword	283
NwaCsvCache	283
NwaDigitsPassword($len)	283
NwaDynamicLoad	283
NwaGeneratePictureString	283
NwaGenerateRandomPasswordMix	284
NwaLettersDigitsPassword	284
NwaLettersPassword	284
NwaMoneyFormat	284
NwaParseCsv	284
NwaParseXml	285
NwaPasswordByComplexity	285
NwaSmsIsValidPhoneNumber	286
NwaStrongPassword	286
NwaVLookup	286
NwaWordsPassword	287
Field, Form, and View Reference	287
GuestManager Standard Fields	287
Hotspot Standard Fields	294
SMS Services Standard Fields	295
SMTP Services Standard Fields	296
Format Picture String Symbols	297
Form Field Validation Functions	298
Form Field Conversion Functions	301
Form Field Display Formatting Functions	301
View Display Expression Technical Reference	303
LDAP Standard Attributes for User Class	304
Regular Expressions	305
Glossary	307

Match case Limit results 1 per page

| Certificate Configuration in a Cluster

Dell Networking W-ClearPass Guest 6.0 | Deployment Guide

Certificate Configuration in a Cluster

When you use Onboard in a cluster, you must use one common root certificate authority (CA) to issue all CPPM

server certificates for the cluster. This allows the “verified” message in iOS and lets you verify that the CPPM server

certificate is valid during EAP-PEAP or EAP-TLS authentication.

In a cluster of CPPM servers, devices can be onboarded through any node or authenticated through any node. Each

CPPM server has a different certificate, used for both SSL and RADIUS server identity. In the default configuration,

these are self-signed certificates—that is, they are not issued by a root CA. This configuration of multiple self-signed

certificates will not work for Onboard: Although a single self-signed certificate can be trusted, multiple self-signed

certificates are not.

There are two ways to configure a common root CA to issue all the CPPM server certificates for a cluster:

Use the Onboard certificate authority. Create a certificate signing request on each CPPM node, sign the

certificates using Onboard, and install them in CPPM. You can then onboard devices on any node in the cluster,

and can perform secure EAP authentication from a provisioned device to any node in the cluster.

Use a commercial certificate authority to issue CPPM server certificates. Verify that the same root CA is at the

top of the trust chain for every server certificate, and that it is the trusted root certificate for Onboard.

Provisioning and authentication will then work across the entire cluster.

Revoking Unique Device Credentials

Because each provisioned device uses unique credentials to access the network, it is possible to disable network

access for an individual device. This offers a greater degree of control than traditional user-based authentication —

disabling a user’s account would impact all devices using those credentials.

To disable network access for a device, revoke the TLS client certificate provisioned to the device. See

"Working

with Certificates in the List " on page 97

NOTE: Revoking access for a device is only possible when using an enterprise network. Personal (PSK) networks do not support this

capability.

Revoking Credentials to Prevent Network Access

NOTE: Revoking a device's certificate will also prevent the device from being re-provisioned.

This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate. To re-provision the

device, the revoked certificate must be deleted.

If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate

authority to update the certificate’s state. When the certificate is next used for authentication, it will be recognized

as a revoked certificate and the device will be denied access.

NOTE: When using EAP-TLS authentication, you must configure your authentication server to use either OCSP or CRL to check the

revocation status of a client certificate. OCSP is recommended as it offers a real-time status update for certificates. If the device is

provisioned with PEAP unique device credentials, revoking the certificate will automatically delete the unique username and

password associated with the device. When this username is next used for authentication, it will not be recognized as valid and the

device will be denied access.

NOTE: OCSP and CRL are not used when using PEAP unique device credentials. The ClearPass Onbord server automatically

updates the status of the username when the device's client certificate is revoked.