Home » Dell Manuals » Hubs & Switches » Dell Powerconnect W-ClearPass Virtual Appliances » Manual Viewer

Dell Powerconnect W-ClearPass Virtual Appliances W-ClearPass Guest 6.0 Deploym - Page 71

Re-Provisioning a Device, Network Requirements for Onboard

View all Dell Powerconnect W-ClearPass Virtual Appliances manuals

Add to My Manuals
Save this manual to your list of manuals

Page 71 highlights

Re-Provisioning a Device Because "bring your own" devices are not under the complete control of the network administrator, it is possible for unexpected configuration changes to occur on a provisioned device. For example, the user may delete the configuration profile containing the settings for the provisioned network, instruct the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all the configuration on the device. When these events occur, the user will not be able to access the provisioned network and will need to re-provision their device. The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action (such as connecting to the appropriate network). If this is not possible, the user may choose to restart the provisioning process and re-provision the device. Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these credentials are still valid. If the TLS client certificate has expired then the device will be issued a new certificate. This enables re-provisioning to occur on a regular basis. If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked certificate must be deleted before the device is able to be provisioned. Network Requirements for Onboard For complete functionality to be achieved, Dell Networking W-ClearPass Onboard has certain requirements that must be met by the provisioning network and the provisioned network: l The provisioning network must use a captive portal or other method to redirect a new device to the device provisioning page. l The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be provisioned. In practice, this means a commercial SSL certificate is required. l The provisioned network l must support EAP-TLS and PEAP-MSCHAPv2 authentication methods. l The provisioned network must support either OCSP or CRL checks to detect when a device has been revoked and deny access to the network. Using Same SSID for Provisioning and Provisioned Networks To configure a single SSID to support both provisioned and non-provisioned devices, use the following guidelines: l Configure the network to use both PEAP and EAP-TLS authentication methods. l When a user authenticates via PEAP with their domain credentials, place them into a provisioning role. l The provisioning role should have limited network access and a captive portal that redirects users to the device provisioning page. l When a user authenticates via PEAP with unique device credentials, place them into a provisioned role. l When a user authenticates via EAP-TLS using an Onboard client certificate, place them into a provisioned role. For provisioned devices, additional authorization steps can be taken after authentication has completed to determine the appropriate provisioned role. Using Different SSID for Provisioning and Provisioned Networks To configure dual SSIDs to support provisioned devices on one network, and non-provisioned devices on a separate network, use the following guidelines: Dell Networking W-ClearPass Guest 6.0 | Deployment Guide Re-Provisioning a Device | 71

Section	Page
About this Guide	13
Audience	13
Conventions	13
Contacting Support	14
Dell Networking W-ClearPass Guest Overview	15
About Dell Networking W-ClearPass Guest	15
Visitor Access Scenarios	16
Reference Network Diagram	16
Key Interactions	17
AAA Framework	18
Key Features	19
Visitor Management Terminology	20
ClearPass Guest Deployment Process	21
Operational Concerns	21
Network Provisioning	21
Site Preparation Checklist	22
Security Policy Considerations	23
AirGroup Deployment Process	23
Documentation and User Assistance	24
Deployment Guide and Online Help	24
Context-Sensitive Help	24
Field Help	25
Quick Help	25
If You Need More Assistance	25
Use of Cookies	25
Guest Manager	27
Accessing Guest Manager	27
About Guest Management Processes	28
Sponsored Guest Access	28
Self Provisioned Guest Access	28
Using Standard Guest Management Features	29
Creating a Guest Account	29
Creating a Guest Account Receipt	30
Creating Multiple Guest Accounts	30
Creating Multiple Guest Account Receipts	31
Creating a Single Password for Multiple Accounts	32
Managing Guest Accounts	34
Managing Multiple Guest Accounts	38
Importing Guest Accounts	40
Exporting Guest Account Information	43
About CSV and TSV Exports	43
About XML Exports	43
MAC Authentication in ClearPass Guest	44
MAC Address Formats	44
Managing Devices	44
Changing a Device’s Expiration Date	46
Disabling and Deleting Devices	47
Activating a Device	47
Editing a Device	47
Viewing Current Sessions for a Device	49
Viewing and Printing Device Details	49
MAC Creation Modes	49
Creating Devices Manually in ClearPass Guest	50
Creating Devices During Self-Registration - MAC Only	51
Creating Devices During Self-Registration - Paired Accounts	52
AirGroup Device Registration	53
Registering Groups of Devices or Services	53
Registering Personal Devices	55
Automatically Registering MAC Devices in ClearPass Policy Manager	56
Importing MAC Devices	57
Advanced MAC Features	57
2-Factor Authentication	57
MAC-Based Derivation of Role	57
User Detection on Landing Pages	58
Click-Through Login Pages	58
Active Sessions Management	59
Session States	60
RFC 3576 Dynamic Authorization	61
Filtering the List of Active Sessions	61
Disconnecting Multiple Active Sessions	62
Sending Multiple SMS Alerts	63
About SMS Guest Account Receipts	63
Onboard	65
Accessing Onboard	65
About ClearPass Onboard	65
Onboard Deployment Checklist	66
Onboard Feature List	67
Supported Platforms	68
Public Key Infrastructure for Onboard	68
Certificate Hierarchy	69
Certificate Configuration in a Cluster	70
Revoking Unique Device Credentials	70
Revoking Credentials to Prevent Network Access	70
Re-Provisioning a Device	71
Network Requirements for Onboard	71
Using Same SSID for Provisioning and Provisioned Networks	71
Using Different SSID for Provisioning and Provisioned Networks	71
Configuring Online Certificate Status Protocol	72
Configuring Certificate Revocation List (CRL)	72
Network Architecture for Onboard	72
Network Architecture for Onboard when Using ClearPass Guest	74
The ClearPass Onboard Process	75
Devices Supporting Over-the-Air Provisioning	75
Devices Supporting Onboard Provisioning	76
Managing Provisioned Applications	78
Configuring the User Interface for Device Provisioning	79
Customizing the Device Provisioning Web Login Page	79
Using the {nwa_mdps_config} Template Function	80
Configuring the Certificate Authority	81
Setting Up the Certificate Authority	81
Setting Up a Root Certificate Authority	82
Setting Up an Intermediate Certificate Authority	84
Obtaining a Certificate for the Certificate Authority	86
Using Microsoft Active Directory Certificate Services	86
Installing a Certificate Authority’s Certificate	88
Renewing the Certificate Authority’s Certificate	90
Configuring Data Retention Policy for Certificates	90
Uploading Certificates for the Certificate Authority	91
Creating a Certificate	93
Specifying the Identity of the Certificate Subject	93
Issuing the Certificate Request	95
Managing Certificates	95
Searching for Certificates in the List	96
Working with Certificates in the List	97
Working with Certificate Signing Requests	99
Importing a Code-Signing Certificate	101
Importing a Trusted Certificate	103
Requesting a Certificate	104
Providing a Certificate Signing Request in Text Format	104
Providing a Certificate Signing Request File	105
Specifying Certificate Properties	106
Configuring Provisioning Settings	106
Configuring Basic Provisioning Settings	107
Configuring Certificate Properties for Device Provisioning	107
Configuring Revocation Checks and Authorization	109
Configuring Provisioning Settings for iOS and OS X	110
Configuring Instructions for iOS and OS X	111
Configuring Reconnect Behavior for iOS and OS X	111
Configuring Provisioning Settings for Legacy OS X Devices	112
Configuring Provisioning Settings for Windows Devices	113
Configuring Provisioning Settings for Android Devices	114
Configuring Options for Legacy OS X, Windows, and Android Devices	116
Configuring Network Settings for Device Provisioning	117
Configuring Basic Network Access Settings	118
Configuring 802.1X Authentication Network Settings	120
Configuring Device Authentication Settings	121
Configuring Mutual Authentication Settings	122
Configuring Trust Settings Automatically	122
Configuring Trust Settings Manually	123
Configuring Windows-Specific Network Settings	124
Configuring Proxy Settings	125
Configuring an iOS Device VPN Connection	125
Configuring an iOS Device Email Account	127
Configuring an iOS Device Passcode Policy	129
Resetting Onboard Certificates and Configuration	130
Onboard Troubleshooting	131
Configuration	133
Accessing Configuration	133
Configuring ClearPass Guest Authentication	134
Content Manager	134
Uploading Content	135
Downloading Content	135
Additional Content Actions	136
Customizing Guest Manager	137
Default Settings for Account Creation	137
About Fields, Forms, and Views	141
Business Logic for Account Creation	141
Verification Properties	141
Basic User Properties	141
Visitor Account Activation Properties	142
Visitor Account Expiration Properties	142
Other Properties	143
Standard Forms and Views	143
Customizing Fields	145
Creating a Custom Field	145
Duplicating a Field	147
Editing a Field	147
Deleting a Field	147
Displaying Forms that Use a Field	147
Displaying Views that Use a Field	147
Customizing AirGroup Registration Forms	147
Configuring the Shared Locations and Shared Role Fields	147
Example:	149
Customizing Forms and Views	150
Editing Forms and Views	151
Duplicating Forms and Views	151
Editing Forms	152
Form Field Editor	152
Form Validation Properties	162
Examples of Form field Validation	163
Advanced Form Field Properties	165
Form Field Validation Processing Sequence	166
Editing Views	169
View Field Editor	169
Customizing Self-Provisioned Access	171
Self-Registration Sequence Diagram	171
Creating a Self-Registration Page	172
Editing Self-Registration Pages	173
Configuring Basic Properties for Self-Registration	174
Using a Parent Page	174
Paying for Access	175
Requiring Operator Credentials	175
Editing Registration Page Properties	176
Editing the Default Self-Registration Form Settings	177
Creating a Single Password for Multiple Accounts	177
Editing Guest Receipt Page Properties	178
Editing Receipt Actions	178
Enabling Sponsor Confirmation for Role Selection	179
Editing Download and Print Actions for Guest Receipt Delivery	181
Editing Email Delivery of Guest Receipts	181
Editing SMS Delivery of Guest Receipts	182
Enabling and Editing NAS Login Properties	183
Editing Login Page Properties	184
Self-Service Portal Properties	186
Resetting Passwords with the Self-Service Portal	187
Email Receipts and SMTP Services	189
About Email Receipts	189
Configuring Email Receipts	190
Email Receipt Options	190
About Customizing SMTP Email Receipt Fields	192
Customizing Print Templates	194
Creating New Print Templates	194
Print Template Wizard	196
Modifying Wizard-Generated Templates	196
Setting Print Template Permissions	197
Customize SMS Receipt	198
SMS Receipt Fields	199
Configuring Access Code Logins	199
Customize Random Username and Passwords	199
Create the Print Template	199
Customize the Guest Accounts Form	201
Create the Access Code Guest Accounts	201
Hotspot Manager	203
Accessing Hotspot Manager	203
About Hotspot Management	203
Managing the Hotspot Sign-up Interface	204
Captive Portal Integration	205
Web Site Look-and-Feel	206
SMS Services	206
Managing Hotspot Plans	206
Editing or Creating a Hotspot Plan	207
Managing Transaction Processors	209
Creating a New Transaction Processor	209
Managing Existing Transaction Processors	210
Managing Customer Information	210
Managing Hotspot Invoices	210
Customizing the User Interface	211
Customizing Visitor Sign-Up Page One	212
Customizing Visitor Sign-Up Page Two	212
Customizing Visitor Sign-Up Page Three	215
Viewing the Hotspot User Interface	217
Administration	219
AirGroup Services	220
Configuring the AirGroup Services Plugin	220
Creating AirGroup Administrators	221
Creating AirGroup Operators	221
Authenticating AirGroup Users via LDAP	221
Data Retention	221
Import Configuration	222
Plugin Manager	223
Viewing Available Plugins	223
Configuring Plugins	224
Configuring the Kernel Plugin	225
Configuring the Dell W-ClearPass Skin Plugin	226
Configuring the SMS Services Plugin	227
SMS Services	228
Viewing SMS Gateways	228
Creating a New SMS Gateway	229
Editing an SMS Gateway	231
Sending an SMS	232
About SMS Credits	233
About SMS Guest Account Receipts	233
SMS Receipt Options	234
Working with the SMTP Carrier List	234
Support Services	236
Viewing the Application Log	237
Exporting the Application Log	238
Contacting Support	239
Viewing Documentation	239
Operator Logins	241
Accessing Operator Logins	241
About Operator Logins	241
Role-Based Access Control for Multiple Operator Profiles	242
Operator Profiles	242
Creating an Operator Profile	242
Configuring the User Interface	245
Customizing Forms and Views	245
Operator Profile Privileges	246
Managing Operator Profiles	247
Configuring AirGroup Operator Device Limit	247
Local Operator Authentication	247
Creating a New Operator	248
External Operator Authentication	248
Manage LDAP Operator Authentication Servers	249
Creating an LDAP Server	249
Advanced LDAP URL Syntax	251
Viewing the LDAP Server List	251
LDAP Operator Server Troubleshooting	252
Testing Connectivity	252
Testing Operator Login Authentication	252
Looking Up Sponsor Names	253
Troubleshooting Error Messages	253
LDAP Translation Rules	254
Custom LDAP Translation Processing	256
Operator Logins Configuration	257
Custom Login Message	258
Advanced Operator Login Options	259
Automatic Logout	259
Reference	261
Basic HTML Syntax	261
Standard HTML Styles	262
Smarty Template Syntax	264
Basic Template Syntax	264
Text Substitution	264
Template File Inclusion	264
Comments	264
Variable Assignment	264
Conditional Text Blocks	264
Script Blocks	265
Repeated Text Blocks	265
Foreach Text Blocks	265
Modifiers	266
Predefined Template Functions	266
dump	266
nwa_commandlink	267
nwa_iconlink	267
nwa_icontext	268
nwa_quotejs	269
nwa_radius_query	269
ChangeToRole()	270
GetCallingStationCurrentSession()	270
GetCallingStationSessions()	270
GetCallingStationTime()	270
GetCallingStationTraffic()	271
GetCurrentSession()	271
GetIpAddressCurrentSession()	272
GetIpAddressSessions()	272
GetIpAddressTime()	272
GetIpAddressTraffic()	272
GetSessions()	273
GetSessionTimeRemaining()	273
GetTime()	273
GetTraffic()	274
GetUserActiveSessions()	274
GetUserActiveSessionCount()	274
GetUserCumulativeUsage()	274
GetUserCurrentSession()	274
GetUserFirstLoginTime()	274
GetUserSessions()	275
GetUserTraffic()	275
Advanced Developer Reference	275
nwa_assign	275
nwa_bling	275
nwa_makeid	276
nwa_nav	276
nwa_plugin	277
nwa_privilege	278
nwa_replace	278
nwa_text	278
nwa_userpref	279
nwa_youtube	279
Date/Time Format Syntax	279
nwadateformat Modifier	279
nwatimeformat Modifier	280
Date/Time Format String Reference	281
Programmer’s Reference	282
NwaAlnumPassword	282
NwaBoolFormat	282
NwaByteFormat	283
NwaByteFormatBase10	283
NwaComplexPassword	283
NwaCsvCache	283
NwaDigitsPassword($len)	283
NwaDynamicLoad	283
NwaGeneratePictureString	283
NwaGenerateRandomPasswordMix	284
NwaLettersDigitsPassword	284
NwaLettersPassword	284
NwaMoneyFormat	284
NwaParseCsv	284
NwaParseXml	285
NwaPasswordByComplexity	285
NwaSmsIsValidPhoneNumber	286
NwaStrongPassword	286
NwaVLookup	286
NwaWordsPassword	287
Field, Form, and View Reference	287
GuestManager Standard Fields	287
Hotspot Standard Fields	294
SMS Services Standard Fields	295
SMTP Services Standard Fields	296
Format Picture String Symbols	297
Form Field Validation Functions	298
Form Field Conversion Functions	301
Form Field Display Formatting Functions	301
View Display Expression Technical Reference	303
LDAP Standard Attributes for User Class	304
Regular Expressions	305
Glossary	307

Match case Limit results 1 per page

Re-Provisioning a Device

Because “bring your own” devices are not under the complete control of the network administrator, it is possible for

unexpected configuration changes to occur on a provisioned device.

For example, the user may delete the configuration profile containing the settings for the provisioned network,

instruct the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all

the configuration on the device.

When these events occur, the user will not be able to access the provisioned network and will need to re-provision

their device.

The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action

(such as connecting to the appropriate network). If this is not possible, the user may choose to restart the

provisioning process and re-provision the device.

Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these credentials

are still valid.

If the TLS client certificate has expired then the device will be issued a new certificate. This enables re-provisioning

to occur on a regular basis.

If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked

certificate must be deleted before the device is able to be provisioned.

Network Requirements for Onboard

For complete functionality to be achieved, Dell Networking W-ClearPass Onboard has certain requirements that

must be met by the provisioning network and the provisioned network:

The provisioning network must use a captive portal or other method to redirect a new device to the device

provisioning page.

The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be

provisioned. In practice, this means a commercial SSL certificate is required.

The provisioned network

must support EAP-TLS and PEAP-MSCHAPv2 authentication methods.

The provisioned network must support either OCSP or CRL checks to detect when a device has been revoked

and deny access to the network.

Using Same SSID for Provisioning and Provisioned Networks

To configure a single SSID to support both provisioned and non-provisioned devices, use the following guidelines:

Configure the network to use both PEAP and EAP-TLS authentication methods.

When a user authenticates via PEAP with their domain credentials, place them into a provisioning role.

The provisioning role should have limited network access and a captive portal that redirects users to the device

provisioning page.

When a user authenticates via PEAP with unique device credentials, place them into a provisioned role.

When a user authenticates via EAP-TLS using an Onboard client certificate, place them into a provisioned role.

For provisioned devices, additional authorization steps can be taken after authentication has completed to

determine the appropriate provisioned role.

Using Different SSID for Provisioning and Provisioned Networks

To configure dual SSIDs to support provisioned devices on one network, and non-provisioned devices on a separate

network, use the following guidelines:

Dell Networking W-ClearPass Guest 6.0 | Deployment Guide

Re-Provisioning a Device |