User's Manual

ManualsBrandsDell ManualsComputer equipmentPowerconnect W-ClearPass Hardware Appliances

Dell Networking W-ClearPass

Guest 6.4

User Guide

Summary of content (558 pages)

PAGE 1
User Guide Dell Networking W-ClearPass Guest 6.
PAGE 2
Copyright © 2014 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
PAGE 3
Contents About this Guide 17 Audience 17 Conventions 17 Contacting Support W-ClearPass Guest Overview 18 19 About Dell Networking W-ClearPass Guest 19 Visitor Access Scenarios 20 Reference Network Diagram 21 Key Interactions 22 AAA Framework 23 Key Features 24 Visitor Management Terminology 25 W-ClearPass Guest Deployment Process 26 Operational Concerns 26 Network Provisioning 26 Site Preparation Checklist 27 Security Policy Considerations 27 AirGroup Deployment Process 2
PAGE 4
Filtering the List of Active Sessions 36 Disconnecting Multiple Active Sessions 37 Sending Multiple SMS Alerts 37 About SMS Guest Account Receipts 38 Using Standard Guest Management Features 38 Creating a Guest Account 39 Creating a Guest Account Receipt 41 Creating a Device 41 Creating Devices Manually in W-ClearPass Guest 42 Creating Devices During Self-Registration - MAC Only 44 Creating Devices During Self-Registration - Paired Accounts 44 Creating Multiple Guest Accounts 45 Crea
PAGE 5
Importing MAC Devices 77 Advanced MAC Features 77 User Detection on Landing Pages 77 Click-Through Login Pages 78 Onboard 79 Accessing Onboard 79 About W-ClearPass Onboard 80 Onboard Deployment Checklist 81 Onboard Feature List 83 Supported Platforms 84 Public Key Infrastructure for Onboard 85 Certificate Hierarchy 85 Certificate Configuration in a Cluster 86 Revoking Unique Device Credentials 86 Revoking Credentials to Prevent Network Access 86 Re-Provisioning a Device 87 Ne
PAGE 6
Installing a Certificate Authority’s Certificate 105 Using Microsoft Active Directory Certificate Services 107 Management and Control Device Management (View by Device) 110 Device Management (View by Username) 113 Certificate Management (View by Certificate) 115 Searching for Certificates in the List 116 Working with Certificates in the List 116 Working with Certificate Signing Requests 119 Importing a Code-Signing Certificate 122 Importing a Trusted Certificate 123 Creating a Certificat
PAGE 7
Windows Applications 163 Configuring App Sets 163 Deployment and Provisioning 164 Configuration Profiles Creating and Editing Configuration Profiles Provisioning Settings 165 165 168 About Configuring Provisioning Settings 169 Configuring Basic Provisioning Settings 170 Configuring Provisioning Settings for the Web Login Page 174 Configuring Provisioning Settings for iOS and OS X 176 Configuring Provisioning Settings for Legacy OS X Devices 178 Configuring Provisioning Settings for Windows
PAGE 8
Create the Print Template 202 Customize the Guest Accounts Form 204 Create the Access Code Guest Accounts 204 Pages 206 Customizing Fields 206 Creating a Custom Field 206 Duplicating a Field 208 Editing a Field 208 Deleting a Field 208 Displaying Forms that Use a Field 209 Displaying Views that Use a Field 209 Customizing AirGroup Registration Forms 209 Customizing Forms and Views 212 Editing Forms and Views 213 Duplicating Forms and Views 213 Editing Forms 214 Form Field Edi
PAGE 9
Resetting Passwords with the Self-Service Portal Managing Web Logins Creating and Editing Web Login Pages Receipts Digital Passes 258 260 261 270 271 About Digital Passes 271 Viewing Digital Pass Certificates 274 Installing Digital Pass Certificates 275 Managing Digital Passes 276 Creating and Editing a Digital Pass Template 277 Example Template Code Variables 283 Images in Digital Passes 283 Email Receipts and SMTP Services 284 About Email Receipts 284 Configuring Email Receipts 285 E
PAGE 10
Advertising Services About Advertising Services 313 Materials 313 Promotions 313 Campaigns 314 Spaces 314 Pages 314 Advertising Services Process Overview 314 About the Tutorial Navigating the Tutorial Advertising Pages Editing Advertising Pages The nwa_adspace Smarty Template Tag Advertising Spaces Creating and Editing Advertising Spaces 314 315 315 316 320 323 324 "Other Location" Example 326 "Maximum Height" Example 327 "Maximum Width" Example 328 Advertising Campaigns Creating and E
PAGE 11
Managing Existing Transaction Processors 348 Managing Customer Information 348 Managing Hotspot Invoices 348 Customizing the User Interface 349 Customizing Visitor Sign-Up Page One 349 Customizing Visitor Sign-Up Page Two 351 Customizing Visitor Sign-Up Page Three 354 Viewing the Hotspot User Interface Administration 355 357 Accessing Administration 357 AirGroup Services 358 AirGroup Controllers 358 Creating and Editing AirGroup Controllers 359 Configuring AirGroup Services 361 A
PAGE 12
Setting API Privileges in Operator Profiles 379 About OAuth 380 OAuth Basics 380 OAuth2 Client or App 381 Client ID and Secret 381 Redirect URI 381 Authorization Grant Types for OAuth 381 Application Service Accounts for OAuth 383 SOAP Web Services and API Viewing Available Web Services 384 Configuring Web Services 385 SOAP API Introduction 385 Audience 386 API Documentation Overview 386 Disclaimer 386 About the SOAP API 386 Using the SOAP API 388 Integration Example 391 AP
PAGE 13
Import Information: Onboard 440 Import Information: Operator Logins 440 Import Information: Palo Alto Network Services 440 Import Information: RADIUS Services 440 Import Information: Reporting Manager Definitions 441 Import Information: Server Configuration 442 Import Information: SMS Services 443 Import Information: SMTP Services 443 Plugin Manager 444 Viewing Available Plugins 444 Configuring Plugins 445 Configuring the Kernel Plugin 446 Configuring the Aruba W-ClearPass Skin Plugi
PAGE 14
Creating a New Operator External Operator Authentication 465 Manage LDAP Operator Authentication Servers 465 Viewing the LDAP Server List 466 Creating an LDAP Server 467 Advanced LDAP URL Syntax 469 LDAP Operator Server Troubleshooting 469 Testing Connectivity 470 Testing Operator Login Authentication 470 Looking Up Sponsor Names 470 Troubleshooting Error Messages 471 LDAP Translation Rules 472 Custom LDAP Translation Processing 474 Reference Basic HTML Syntax 477 477 Standard HTML
PAGE 15
nwa_makeid 492 nwa_nav 493 nwa_plugin 494 nwa_privilege 494 nwa_replace 495 nwa_text 495 nwa_userpref 495 nwa_youtube 495 Date/Time Format Syntax 496 nwadateformat Modifier 496 nwatimeformat Modifier 497 Date/Time Format String Reference 497 Programmer’s Reference 498 NwaAlnumPassword 499 NwaBoolFormat 499 NwaByteFormat 499 NwaByteFormatBase10 499 NwaComplexPassword 500 NwaCsvCache 500 NwaDigitsPassword($len) 500 NwaDynamicLoad 500 NwaGeneratePictureString 500 Nwa
PAGE 16
Format Picture String Symbols 515 Form Field Validation Functions 516 Form Field Conversion Functions 521 Form Field Display Formatting Functions 522 View Display Expression Technical Reference 523 LDAP Standard Attributes for User Class 525 Regular Expressions 526 Chromebook in Onboard 527 About Chromebook in Onboard 527 Caveats and Recommendations 528 Google Admin Chromebook License is Required 528 Managed Chromebook Deployment is Required 528 Chrome Extension is Required 528 Chr
PAGE 17
Chapter 1 About this Guide Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manager visitor network access. Audience This User Guide is intended for system administrators and people who are installing and configuring Dell Networking W-ClearPass Guest as their visitor management solution. It describes the installation and configuration process.
PAGE 18
The following informational icons are used throughout this guide: Indicates helpful suggestions, pertinent information, and important things to remember. Indicates a risk of damage to your hardware or loss of data. Indicates a risk of personal injury or death. Contacting Support Web Site Support Main Website dell.com Support Website dell.com/support Documentation Website dell.com/support/manuals 18 | About this Guide Dell Networking W-ClearPass Guest 6.
PAGE 19
Chapter 2 W-ClearPass Guest Overview This chapter explains the terms, concepts, processes, and equipment involved in managing visitor access to a network, and helps you understand how Dell Networking W-ClearPass Guest can be successfully integrated into your network infrastructure. It is intended for network architects, IT administrators, and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.
PAGE 20
Visitor Access Scenarios The following figure shows a high-level representation of a typical visitor access scenario. Figure 1 Visitor access using W-ClearPass Guest In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because access to the network is restricted, visitors must first obtain a username and password.
PAGE 21
Reference Network Diagram The following figure shows the network connections and protocols used by W-ClearPass Guest. Figure 2 Reference network diagram for visitor access The network administrator, operators, and visitors may use different network interfaces to access the visitor management features. The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points.
PAGE 22
Key Interactions The following figure shows the key interactions between W-ClearPass Guest and the people and other components involved in providing guest access. Figure 3 Interactions involved in guest access W-ClearPass Guest is part of your network’s core infrastructure and manages guest access to the network.
PAGE 23
AAA Framework W-ClearPass Guest is built on the industry standard AAA framework, which consists of authentication, authorization, and accounting components. The following figure shows how the different components of this framework are employed in a guest access scenario.
PAGE 24
Key Features Refer to the table below for a list of key features and a cross-reference to the relevant section of this User Guide.
PAGE 25
Feature Reference Administrative Management Features Operators defined and authenticated locally "Local Operator Authentication" on page 464 Operators authenticated via LDAP "External Operator Authentication" on page 465 Role based access control for operators "Operator Profiles" on page 458 Plugin-based application features, automatically updated by W-ClearPass Policy Manager "Plugin Manager" on page 444 User Interface Features Context-sensitive help with searchable online documentation "Documen
PAGE 26
Term Explanation Sponsor Operator User Database Database listing the guest accounts in W-ClearPass Guest. View In a user interface, a table displaying data, such as visitor account information, to operators. Visitor/Guest Someone who is permitted to access the Internet through your Network Access Server. Visitor Account Settings for a visitor stored in the user database, including username, password and other fields. Web Login/NAS Login Login page displayed to a guest user.
PAGE 27
Site Preparation Checklist The following is a checklist of the items that should be considered when setting up W-ClearPass Guest.
PAGE 28
l What resources are you going to make available to guests (for example, type of network access; permitted times of day; bandwidth allocation)? l Will guest access be separated into different roles? If so, what roles are needed? l How will you prioritize traffic on the network to differentiate quality of service for guest accounts and nonguest accounts? l What will be the password format for guest accounts? Will you be changing this format on a regular basis? l What requirements will you place on t
PAGE 29
Documentation and User Assistance This section describes the variety of user assistance available for W-ClearPass Guest. User Guide and Online Help This User Guide provides complete information for all W-ClearPass Guest features. The following quick links may be useful in getting started. Table 6: Quick Links For information about... Refer to...
PAGE 30
application without further assistance or training. Quick Help In list views, click the Quick Help tab located at the top left of the list to display additional information about the list you are viewing and the actions that are available within the list. On some forms and views, the Quick Help icon may also be used to provide additional detail about a field.
PAGE 31
Chapter 3 W-ClearPass Guest Manager The ability to easily create and manage guest accounts is the primary function of Dell Networking W-ClearPass Guest. The Guest Manager module provides complete control over the user account creation process.
PAGE 32
About Guest Management Processes There are two major ways to manage guest access – either by your operators provisioning guest accounts, or by the guests self-provisioning their own accounts. Both of these processes are described in this chapter. Sponsored Guest Access The following figure shows the process of sponsored guest access. Figure 5 Sponsored guest access with guest created by operator The operator creates the guest accounts and generates a receipt for the account.
PAGE 33
Figure 6 Guest access when guest is self-provisioned The guest logs on to the Network Access Server (NAS), which captures the guest and redirects them to a captive portal login page. From the login page, guests without an account can browse to the guest self-registration page, where the guest creates a new account. At the conclusion of the registration process, the guest is automatically redirected to the NAS to log in.
PAGE 34
l If the NAS equipment has RFC 3576 support, you can disconnect or dynamically reauthorize active sessions. See "RFC 3576 Dynamic Authorization" on page 35 for more information. n To disconnect an active session, click the session’s row in the list, then click its Disconnect link. A message is displayed to show that the disconnect is in progress and acknowledge when it is complete. n To reauthorize a session that was disconnected, click the session’s row in the list, then click its Reauthorize link.
PAGE 35
l To include additional fields in the Active Sessions list, or delete fields from it, click the More Options tab. The Customize View Fields page opens. For more information, see "Editing Forms " on page 214. l You can use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.
PAGE 36
Filtering the List of Active Sessions On the Guest > Active Sessions list, you can use the quickly find all matching sessions: Filter tab to narrow the search parameters and Enter a username or IP address in the Filter field. Additional fields can be included in the search if the “Include values when performing a quick search” option was selected for the field within the view. To control this option, use the Choose Columns command link on the More Options tab.
PAGE 37
Disconnecting Multiple Active Sessions To disconnect multiple sessions, click the l Manage Multiple tab. The Manage Multiple Sessions form opens. To close all active sessions, leave the Start Time and End Time fields empty and click Make Changes. All active sessions are closed and are removed from the Active Sessions list. You can specify sessions in a time range. 1. To close all sessions that started after a particular time, click the button in the Start Time row. The calendar picker opens.
PAGE 38
4. Click Send. About SMS Guest Account Receipts You can send SMS receipts for guest accounts that are created using either sponsored guest access or selfprovisioned guest access. This is convenient in situations where the visitor may not be physically present to receive a printed receipt. Dell Networking W-ClearPass Guest may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand. To manually send an SMS receipt: 1.
PAGE 39
l "Managing Single Guest Accounts " on page 55 l "Managing Multiple Guest Accounts " on page 64 l "Exporting Guest Account Information " on page 50 l "Importing Guest Accounts" on page 52 l "Managing Single Guest Accounts " on page 55 l "Managing Devices " on page 59 l "Managing Multiple Guest Accounts " on page 64 To customize guest self-registration, please see Configuration on page 187.
PAGE 40
Table 8: The Create New Guest Account Form Field Description Guest's Name (Required) Name of the guest user for this account. Company Name (Required) Name of the organization the guest user belongs to. Email Address (Required) The guest user's email address. This email address will be the guest's username. Account Activation You can select an activation time from this drop-down list. The guest's account cannot be used before the activation time.
PAGE 41
Field Description Notes You may enter notes about this guest account. Terms of Use (Required) You must select the check box in in this field in order to create the account. Create When your entries on the form are complete, click this button to create the guest's account. Creating a Guest Account Receipt After you click the Create button on the Create New Guest Account form, the details for that account are displayed.
PAGE 42
Creating Devices Manually in W-ClearPass Guest If you have the MAC address, you can create a new device manually. To create a new device, go to Guest > Create Device, or go to Guest > Manage Devices and click the Create link. The Create New Device form opens. Table 9: New Device Field Description MAC Address (Required) Enter the device's MAC address. Device Name (Required) Enter the name for the device.
PAGE 43
Field Description Shared Locations Locations where the device can be shared. When you type a location name in the Shared Locations field and press the Enter key, the location appears as a "tag" and is created in the system when the form is saved. Each location name may not exceed 64 characters. A maximum of 100 location names may be entered. The maximum character limit for the list is 1000 characters (including comma separators). Shared Roles User roles that can share this device.
PAGE 44
Creating Devices During Self-Registration - MAC Only This section describes how to configure a guest self-registration so that it creates a MAC device account. After the guest is registered, future authentication can take place without the need for the guest to enter their credentials. A registration can be converted to create a MAC device instead of standard guest credentials. This requires a vendor to pass a MAC parameter in the redirect URL.
PAGE 45
other properties. This requires a vendor passing a mac parameter in the redirect URL. W-ClearPass Guest does not support querying the controller or DHCP servers for the client's MAC based on IP. To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row, click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth_pair in the list, click the Customize fields link above the list. Click the Edit link in the field’s row.
PAGE 46
Table 10: The Create New Guest Account Form Field Description Number of Accounts (Required) Enter the number of accounts to create. Account Activation You can select an activation time from this drop-down list. The guests' accounts cannot be used before the activation time. Options include: l Now l Disable account l Tomorrow l Next Monday l 1 hour from now l 1 day from now l 1 week from now l Activate at specified time...
PAGE 47
Field Description Notes You may enter notes about this guest account. Terms of Use (Required) You must select the check box in in this field in order to create the account. Create Accounts When your entries on the form are complete, click this button to create the guests' accounts. A random username and password will be created for each visitor account. This is not displayed on this form, but will be available on the guest account receipt. The default password length is six characters.
PAGE 48
To download a copy of the receipt information in CSV format, click the Save list for scratch cards (CSV file) link. You will be prompted to either open or save the spreadsheet (CSV) file. The fields available in the CSV file are: l Number – The sequential number of the visitor account, starting at one. l Username – The username for the visitor account. l Password – The password for the visitor account. The default password length is six characters. l Role – The visitor account’s role.
PAGE 49
To create multiple accounts that all use the same password: 1. Go to Guest > Create Multiple. The Create Guest Accounts form opens, and includes the Visitor Password field. 2. In the Number of Accounts field, enter the number of accounts you wish to create. 3. In the Visitor Password field, enter the password that is to be used by all the accounts. The minimum password length is six characters. 4. Complete the other fields with the appropriate information, then click Create Accounts.
PAGE 50
Exporting Guest Account Information Guest account information may be exported to a file in one of several different formats. To export a file with the current list of guest accounts, go to Guest > Export Accounts, or go to Guest > Start Here and click the Export Guest Accounts command link. The Export Accounts page opens with three options displayed. Click the appropriate command link to save a list of all guest accounts in commaseparated values (CSV), tab-separated values (TSV), or XML format.
PAGE 51
The Export Accounts view (guest_export) may be customized by adding new fields, or by modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about this customization process.
PAGE 52
tagValue="ff" tagName="Company Name"/> tagValue="2012-12-04 12:39:14" tagName="Create Time"/> tagValue="fff@df" tagName="Email"/> tagValue="ff" tagName="first_name"/> tagValue="plan0" tagName="hotspot_plan_id"/> tagValue="Free Access" tagName="hotspot_plan_name"/> tagValue="ff" tagName="last_name"/> tagValue="ff ff" tagName="Visitor Name"/> tagValue="ff" tagNam
PAGE 53
l n Tab separated values n Pipe ( | ) separated values n Colon ( : ) separated values n Semicolon ( ; ) separated values Select the Force first row as header row check box if your data contains a header row that specifies the field names. This option is only required if the header row is not automatically detected. Click Next Step to upload the account data. In step 2 of 3, W-ClearPass Guest determines the format of the uploaded account data and matches the appropriate fields to the data.
PAGE 54
To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column name to use the values from that column when importing guest accounts, or select one of the other available options to use a fixed value for each imported guest account. Click the Next Step button to preview the final result. Import Step 3 of 3, the Import Accounts form, opens and shows a preview of the import operation.
PAGE 55
l Click the Existing link to select all existing user accounts in the list. Click the Create Accounts button to finish the import process. The selected items will be created or updated. You can then print new guest account receipts or download a list of the guest accounts. See "Creating Multiple Guest Account Receipts" on page 47 in this chapter for more information. Managing Single Guest Accounts Use the Manage Guest Accounts list view to work with individual guest accounts.
PAGE 56
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators: Table 11: Operators supported in filters Operator Meaning Additional Information = is equal to != is not equal to You may search for multiple values when using the equality (=) or inequality !=) operators.
PAGE 57
Click Update Account to reset the guest account’s password. A new account receipt is displayed, allowing you to print a receipt showing the updated account details. l Change expiration – Changes the expiration time for a guest account. This form (change_expiration) can be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Forms and Views" on page 212 for details about this customization process.
PAGE 58
l Edit – Changes the properties of a guest account. This form can be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Forms and Views" on page 212 for details about this customization process. Click Update Account to update the properties of the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details. l Sessions – Displays the active sessions for a guest account.
PAGE 59
Managing Devices To view the list of current MAC devices, go to Guest > Manage Devices. The Guest Manager Devices page opens. All devices created by one of methods described in the following section are listed. Options on the form let you change a device’s account expiration time; activate, remove, or edit the device; view active sessions or details for the device; or print details, receipts, confirmations, or other information.
PAGE 60
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of any fields that are configured for search, and you can include the following operators: Table 12: Operators supported in filters Operator Meaning Additional Information = is equal to != is not equal to You may search for multiple values when using the equality (=) or inequality !=) operators. To specify multiple values, list them separated by the pipe character ( | ).
PAGE 61
l If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date. 2. If you choose any option other than “will not expire” or “now” in the Account Expiration field, the Expire Action row is added to the table.
PAGE 62
Editing a Device To edit a device’s account, click the device’s row in the Guest Manager Devices list, then click its Edit link. The row expands to include the Edit Device form. You can edit any of the device's properties. Table 13: New Device Field Description MAC Address The device's MAC address. Device Name The name for the device.
PAGE 63
Field Description and press the Enter key, the role appears as a "tag" and is created in the system when the form is saved. Each role name may not exceed 64 characters. A maximum of 100 role names may be entered. The maximum character limit for the list is 1000 characters (including comma separators). Shared Groups User groups that can share this device. These will be available in the Shared Groups field for users to choose from when they share a device.
PAGE 64
Printing Device Details To print details, receipts, confirmations, or other information for a device, click the device’s row in the Guest Manager Devices list, then click its Print link. The row expands to include the Account Details form and a dropdown list of information that can be printed for the device. Choosing an option in the Open print window using template drop-down list opens a print preview window and the printer dialog.
PAGE 65
hour. In addition, icons in the Username column indicate the account’s activation status: l n —Visitor account is active n —Visitor account was created but is not activated yet n —Visitor account was disabled by Administrator n —Visitor account has expired You can use the Filter field to narrow the search parameters.
PAGE 66
Use the Edit tab to make changes to multiple visitor accounts at once. This option is not active if there are no visitor accounts selected. The Edit Guest Accounts form may be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about this customization process. This is the guest_multi_form form. The Results tab will be automatically selected after you have made changes to one or more guest accounts.
PAGE 67
Registering Groups of Devices or Services This functionality is only available to AirGroup administrators. To register and manage an organization’s shared devices and configure device access, log in as the AirGroup administrator and go to Guest > Create Device. The Register Shared Device form opens. 1. In the Device Name field, enter the name used to identify the device. 2. In the Device Type field, use the drop-down list to select the device type. 3.
PAGE 68
Each username may not exceed 64 characters. A maximum of 100 usernames may be entered. The maximum character limit for the list is 1000 characters (including comma separators). l If the Share With field is left blank, this device can be accessed by all devices. l If users are entered in the Shared With field, the device can only be accessed by the specified users. 6. In the Shared Roles field, enter the user roles that are allowed to use the device. Use commas to separate the roles in the list.
PAGE 69
3. To edit properties of a shared device, click the Edit link for the device. The row expands to include the Edit Shared Device form. You can modify the device’s name, MAC address, shared locations, group of users, and shared roles. 4. When your edits are complete, click Save Changes. Registering Personal Devices This functionality is available to AirGroup operators. To register your personal devices and define a group who can share them: 1. Log in as the AirGroup operator and go to Guest > Create Device.
PAGE 70
l If the Shared With field is left blank, this device can only be accessed by devices registered by the same operator or with a dot1x username that matches the operator’s name. l If users are entered in the Shared With field, the device can be accessed by the device owner and by the specified users. 7. Click Register Device. The Finished Creating Guest Account page opens. This page displays Account Details and provides printer options.
PAGE 71
4. When your edits are complete, click Save Changes. AirGroup Time-Based Sharing Syntax Examples This section provides examples and discussions of syntax for time-based sharing policies for AirGroup shared devices. For information on using time-based sharing for AirGroup, see "About AirGroup Time-Based Sharing" on page 75. For supplemental time-based syntax information, see "Time-Based Syntax Reference" on page 73.
PAGE 72
Example: default deny not before 1/1/14 not after 01-Feb-2014 periodic mon 9am to 10am shared users A, B The device is shared with users A and B, from 9am to 10am every Monday. The not before date sets the beginning of the time sharing policy. In this case, Monday, January 6, 2014 is the first day that this time sharing policy will take effect. Prior to 9am 6 January 2014, the device is not shared (due to the default deny).
PAGE 73
is in effect. (The rule could instead have been written "periodic mon 9am to 5pm shared roles default_role, other_role" if this was the desired result.) This example shows how to use an overlapping time range: place the most general time range first, with more specific time ranges later. In particular, reversing the order of the periodic statements will not work.
PAGE 74
used. Without a day-list, all days of the week are matched. Time may be specified in 12 or 24 hour format, with the special time 24:00 indicating the end of the day. Example: periodic monday 8:00 to friday 17:00 matches between 8am and 5pm, Monday through Friday. Example: periodic weekdays 8:00 to 17:00 specifies the same thing as the example in the previous line. Example: periodic wed 11am to 11pm matches between 11:00 and 23:00 on a Wednesday.
PAGE 75
l time zone Etc/GMT 9:00 to 18:00 not before 2010-02-01 - allows daily access between 9am and 6pm, starting on February 1, 2010, in the GMT time zone (useful if server is in a different time zone) About AirGroup Time-Based Sharing This section discusses time-based sharing policies for an AirGroup shared device.
PAGE 76
On the same screen, the next step is then to enter the rules for the time-based sharing policy, using the group names you created. For more information, see "AirGroup Time-Based Sharing Syntax Examples" on page 71 MAC Authentication in W-ClearPass Guest W-ClearPass Guest supports a number of options for MAC Authentication and the ability to authenticate devices. The advanced features described in this section generally require a WLAN capable of MAC authentication with captive portal fallback.
PAGE 77
guest self-registration workflow. This customization option is available if a valid Local or RADIUS preauthentication check was performed. To configure auto-registration for an address through a Web login page: 1. Go to Configuration > Pages > Web Logins, click the row of the page you wish to configure, then click its Edit link. The RADIUS Web Login Editor form opens. 2. Scroll down to the Post-Authentication area. 3.
PAGE 78
{else} Welcome to the show! {/if}
3. For debugging purposes, include the following to see all the fields available: {dump var=$guest_receipt export=html} Click-Through Login Pages A click-through login page will present a splash or terms screen to the guest, yet still provide MAC-auth style seamless authentication. Under this scenario, you could have people create an account, with a paired MAC, yet still have them click the terms and conditions on every new connection. To use this feature: 1.
PAGE 79
Chapter 4 Onboard Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate access credentials and setting up the network connection parameters. W-ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices across wired, wireless, and virtual private networks (VPNs).
PAGE 80
About W-ClearPass Onboard Dell Networking W-ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices—Windows, Mac OS X, iOS and Android—across wired, wireless, and virtual private networks (VPNs). W-ClearPass Onboard includes the following key features: l Automatic configuration of network settings for wired and wireless endpoints. l Provisioning of unique device credentials for BYOD and IT-managed devices.
PAGE 81
l "Network Architecture for Onboard" on page 89 l "The W-ClearPass Onboard Process" on page 91 l "Configuring the User Interface for Device Provisioning" on page 95 l "Onboard Troubleshooting" on page 96 Onboard Deployment Checklist Table 16 lists planning, configuration, and testing procedures. Use this checklist to complete your Onboard deployment. Onboard events are stored in the Application Log for seven days by default.
PAGE 82
Deployment Step Reference Configure the Onboard certificate authority. Decide whether to use the Root CA or Intermediate CA mode of operation. Create the certificate for the certificate authority. "Certificate Authorities " on page 97 Configure device provisioning settings. Select certificate options for device provisioning. Select which device types should be supported. "About Configuring Provisioning Settings " on page 169 Configure network settings for device provisioning. Set network properties.
PAGE 83
Onboard Feature List The following features are available in Dell Networking W-ClearPass Onboard. Table 17: OnboardFeatures Feature Uses Automatic configuration of network settings for wired and wireless endpoints. l l l l l Secure provisioning of unique device credentials for BYOD and IT-managed devices. l Support for Windows, Mac OS X, iOS, and Android devices. l l l Certificate authority enables the creation and revocation of unique credentials on a specific user’s device.
PAGE 84
Supported Platforms The platforms supported by Dell Networking W-ClearPass Onboard and the version requirements for each platform are summarized in the following table. Table 18: Platforms Supported by W-ClearPass Onboard Platform Example Devices Version Required for Onboard Support Notes Apple iOS iPhone iPad iPod Touch iOS 4 iOS 5 1, 3 Apple Mac OS X MacBook Pro MacBook Air Mac OS X 10.8 “Mountain Lion” Mac OS X 10.7 “Lion” 1 Mac OS X 10.6 “Snow Leopard” Mac OS X 10.
PAGE 85
Public Key Infrastructure for Onboard During the device provisioning process, one or more digital certificates are issued to the device. These are used as the unique credentials for a device. To issue the certificate, Dell Networking W-ClearPass Onboard must operate as a certificate authority (CA). The following sections explain how the certificate authority works, and which certificates are used in this process.
PAGE 86
You may revoke the profile signing certificate. It will be recreated when it is needed for the next device provisioning attempt. Certificate Configuration in a Cluster When you use Onboard in a cluster, you must use one common root certificate authority (CA) to issue all CPPM server certificates for the cluster. This allows the “verified” message in iOS and lets you verify that the CPPM server certificate is valid during EAP-PEAP or EAP-TLS authentication.
PAGE 87
Re-Provisioning a Device Because “bring your own” devices are not under the complete control of the network administrator, it is possible for unexpected configuration changes to occur on a provisioned device. For example, the user may delete the configuration profile containing the settings for the provisioned network, instruct the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all the configuration on the device.
PAGE 88
Using Different SSID for Provisioning and Provisioned Networks To configure dual SSIDs to support provisioned devices on one network, and non-provisioned devices on a separate network, use the following guidelines: l Configure the provisioning SSID to use PEAP, or another suitable authentication method. l When a user connects to the provisioning SSID, place them into a provisioning role.
PAGE 89
Network Architecture for Onboard The high-level network architecture for the Onboard solution is shown in the following figure. Figure 11 ClearPass Onboard Network Architecture The sequence of events shown in Figure 11 is: 1. Users bring their own device to the enterprise. 2. The Dell Networking W-ClearPass Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction. 3.
PAGE 90
The components shown in Figure 12 are: 1. Users bring different kinds of client device with them. Onboard supports “smart devices” that use the iOS or Android operating systems, such as smartphones and personal tablets. Onboard also supports the most common versions of Windows and Mac OS X operating systems found on desktop computers, laptops and netbooks. 2. The Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction.
PAGE 91
The user experience for device provisioning is the same in Figure 13 and Figure 11, however there are implementation differences between these approaches. The W-ClearPass Onboard Process Devices Supporting Over-the-Air Provisioning Dell Networking W-ClearPass Onboard supports secure device provisioning for iOS 4, iOS 5, and recent versions of Mac OS X (10.7 “Lion” and later). These are collectively referred to as “iOS devices”. The Onboard process for iOS devices is shown in Figure 14.
PAGE 92
Figure 15 Sequence Diagram for the W-Onboard Workflow on iOS Platform 1. When a BYOD device first joins the provisioning network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page. 2. A link on the mobile device provisioning page prompts the user to install the enterprise’s root certificate.
PAGE 93
1. The only user interaction required is to accept the provisioning profile. This profile is signed by the Onboard server, so that the user can be assured of its authenticity. 2. An iOS device will have two certificates after over-the-air provisioning is complete: a. A Simple Certificate Enrollment Protocol (SCEP) certificate is issued to the device during the provisioning process.
PAGE 94
Figure 18 Sequence Diagram for the Onboard Workflow on Android Platform 1. When a BYOD device first joins the network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page. 2. The Onboard portal is displayed. The user’s device type is detected, and a link is displayed depending on the device type: a.
PAGE 95
The Onboard provisioning workflow is used to securely provision a device and configure it with network settings. Figure 19 shows a sequence diagram that explains the steps involved in this workflow. Figure 19 Onboard Provisioning Workflow in the QuickConnect App Configuring the User Interface for Device Provisioning The user interface for device provisioning can be customized in three different ways: l Customizing the Web login page used for device provisioning.
PAGE 96
Table 19: Properties Available with the (nwa_mdps_config Smarty Template Function Name Description root_cert URL of the Onboard certificate authority’s root certificate. Browsing to this URL will install the root certificate on the device, which is required as part of the pre-provisioning step. Example: Install Onboard root certificate wifi_ssid Name of the wireless network. See "Configuring Basic Network Access Settings " on page 131.
PAGE 97
A workaround for this issue is to install an appropriate root certificate on the iOS device. This root certificate must be the Web server’s SSL certificate (if it is a self-signed certificate), or the certificate authority that issued the SSL certificate. This is not recommended for production deployments as it increases the complexity of deployment for users with iOS devices.
PAGE 98
l To create a copy of a certificate authority configuration to use as a basis for a new certificate authority, click its Duplicate link. The first page of the Certificate Authority Settings form opens with the identity, private key, and self-signed certificate attributes prepopulated and "Copy" appended to the name. You can rename the new certificate authority and edit any of its attributes. l To delete a certificate authority, you can click its Delete link.
PAGE 99
l Configure the identity, private key, and self-signed certificate attributes To create an Onboard certificate authority: 1. Go to Onboard > Certificate Authorities, and then either click the Duplicate link for a certificate authority in the Certificate Authorities list or click the Create new certificate authority link. The initial setup page of the Certificate Authority Settings form opens. 2. In the Name field, give the CA a short name that identifies it clearly.
PAGE 100
l Intermediate CA—The Onboard certificate authority is issued a certificate by an external certificate authority. The Onboard certificate authority issues client and server certificates using this certificate. Use this option when you already have a public-key infrastructure (PKI), and would like to include the certificate issued for Onboard devices in that infrastructure. l Imported CA— If you choose Imported CA, the following fields are removed from the form.
PAGE 101
l 1024-bit RSA (not recommended for a root certificate) l 2048-bit RSA (recommended for general use) l 4096-bit RSA (higher security) l X9.62/SECG curve over a 256-bit prime field l NIST/SECG curve over a 384-bit prime field 10.In the Self-Signed Certificate area, for a root certificate the CA Expiration field is included in the form. Use this field to specify the lifetime of the root certificate in days. The default value is 365 days. 11.
PAGE 102
Field Description Name Short name that identifies the certificate clearly. Certificate authority names can include spaces. Description Briefly describes the CA. This description is shown in the Certificate Authorities list. Mode Either Root, Intermediate, or Imported. The certificate's mode cannot be edited after creation.
PAGE 103
Subject Alternative Name To include additional fields in the TLS client certificate issued for a device, mark the Include device information in TLS client certificates check box. These fields are stored in the subject alternative name (subjectAltName) of the certificate. Refer to Table 20 for a list of the fields that are stored in the certificate when this option is enabled.
PAGE 104
Field Description Minimum Period Specify values that are appropriate for your organization’s retention policy. The default data retention policy specifies a minimum period of 12 weeks and a maximum period of 52 weeks. Maximum Period To enable the Delete Certificate and Delete Request actions in the Certificate Management list view, use a blank value for Minimum Period. This is useful for testing and initial deployment.
PAGE 105
Field Description SCEP & EST Server To enable access to the SCEP and EST servers, select this check box. The form expands to include SCEP and EST server configuration options. SCEP URL Shows the SCEP URL for this SCEP server. EST URL Shows the EST URL for this SCEP server. SCEP & EST Secret Enter the shared secret that SCEP and EST clients must supply. Allowed Access Enter the IP addresses and networks from which logins are permitted.
PAGE 106
This form may be used multiple times in order to import each of the certificates in the trust chain. Check the message displayed above the form to determine which certificate or type of file must be uploaded next. To upload a certificate: 1. On either the Certificate Management or Intermediate Certificate Settings page, click the Import Certificate link above the form. The Step 1 area of the CA Certificate Import form opens. 2.
PAGE 107
Confirm Passphrase fields. The private key will be automatically matched to its corresponding certificate when uploaded. l To upload a combined certificate and private key, choose a file in either PEM (base-64 encoded) or PKCS#12 format. If the private key has a passphrase, enter it in the Private Key Passphrase and Confirm Passphrase fields. 5. Click Upload Certificate to save your changes. If additional certificates are required, you will remain at the same page.
PAGE 108
Click the link to submit an advanced certificate request. The Advanced Certificate Request page opens. Click the link to submit a request using a base-64-encoded CMC or PKCS #10 file. The Submit a Certificate Request or Renewal Request page is displayed. Copy and paste the certificate signing request text into the Saved Request text field. Because this certificate is for a certificate authority, select the “Subordinate Certificate Authority” in the Certificate Template drop-down list.
PAGE 109
If the Certificate Pending page is displayed, follow the directions on the page to retrieve the certificate when it is issued. If the Certificate Issued page is displayed, select the Base 64 encoded option and then click the Download certificate chain link. A file containing the intermediate certificate and the issuing certificates in the trust chain will be downloaded to your system.
PAGE 110
Device Management (View by Device) The Device Management (View by Device) page lists all devices and lets you manage the devices' access to the network. For each device, you can allow or deny network access. To work with the list of device users, see "Device Management (View by Username)" on page 113. When a device is denied access, its certificates are revoked. For a device that has had its access denied, you can grant access again, allowing it to re-enroll and obtain a new certificate.
PAGE 111
4. To change a device's access status, click its Manage Access link. In the Manage Access window that opens, use the drop-down list in the Access field to select either Allow access to this device or Deny access to this device. When you select the Deny option, a message advises you that any certificates associated with it will be revoked. The device cannot be re-enrolled as long as access is denied. To re-enroll the device, you must use this field to allow access again. 5.
PAGE 112
The Manage Certificates form lets you revoke or delete all TLS client certificates issued to the device. Mark the appropriate radio button, and then click Manage Certificates. 7. To delete a device, click its Delete Device link. You will be asked to confirm the deletion. Deleting the device will also delete all user, certificate, and other data associated with the device. Certificates are deleted according to the Certificate Authority's retention policy.
PAGE 113
Device Management (View by Username) The Device Management (View by Username) page lists all users associated with devices.
PAGE 114
4. To view details of certificates belonging to this user, or to revoke or delete all client certificates issued to the user, click the Certificates link. The form expands to include both the Certificate Information view and the Manage Certificates form. The Certificate Information view lets you review all details of the certificate: The Manage Certificates form lets you revoke or delete all TLS client certificates issued to the user. Mark the appropriate radio button, and then click Manage Certificates.
PAGE 115
Certificate Management (View by Certificate) To view the list of certificates and work with them, go to Onboard > Management and Control > View by Certificate. The Certificate Management list view opens. This list displays all of the certificates and certificate requests in the Onboard system.
PAGE 116
Certificate Type “Type” Column Notes Code-signing certificate ca Used for signing the Windows provisioning application Revoked certificate -- Certificate that has been administratively revoked and is no longer valid Expired certificate -- Certificate that is outside its validity period and is no longer valid l To create a new certificate, see "Creating a Certificate " on page 123. l To search for certificates, see "Searching for Certificates in the List " on page 116.
PAGE 117
Use the Format drop-down list to select the format in which the certificate should be exported. The following formats are supported: l PKCS#7 Certificates (.p7b)—Exports the certificate, and optionally the other certificates forming the trust chain for the certificate, as a PKCS#7 container. l Base-64 Encoded (.pem)—Exports the certificate as a base-64 encoded text file. This is also known as “PEM format”. You may optionally include the other certificates forming the trust chain for the certificate.
PAGE 118
Mark the Revoke this client certificate check box to confirm that the certificate should be revoked, and then click the Revoke Certificate button. After the certificate has been revoked, future checks of the certificate’s validity using OCSP or CRL will indicate that the certificate is no longer valid. Due to the way in which certificate revocation lists work, a certificate cannot be un-revoked. A new certificate must be issued if a certificate is revoked in error.
PAGE 119
The Delete Certificate form is displayed. Mark the Delete this client certificate check box to confirm the certificate’s deletion, and then click the Delete Certificate button. Working with Certificate Signing Requests Certificate signing requests can be managed through the Certificate Management list view. This allows for server certificates, subordinate certificate authorities, and other client certificates not associated with a device to be issued by the Onboard certificate authority.
PAGE 120
If you choose Base-64 Encoded, the form expands to include the Trust Chain row. You can use this option to create and export a certificate bundle that includes the Intermediate CA and Root CA and can be imported in ClearPass Policy Manager as the server certificate (ClearPass Policy Manager does not accept PKCS#7).
PAGE 121
Mark the Reject this request check box to confirm that the certificate signing request should be rejected, and then click the Reject Request button. l Delete request – Removes the certificate signing request from the list. This option is only available if the data retention policy is configured to permit the certificate signing requests’s deletion. The Delete Request form is displayed.
PAGE 122
Importing a Code-Signing Certificate W-ClearPass Onboard supports importing a code-signing certificate chain and private key for signing the Windows provisioning application. Certificates can be uploaded as PFX, PKCS-12, SPC, or PKCS-7, and can include a chain of certificates. An operator’s profile must include the Import Code-Signing Certificate privilege in order to access this feature. The procedure for importing a profile-signing certificate is the same as that for importing a code-signing certificate.
PAGE 123
Importing a Trusted Certificate Onboard’s Certificate Management page supports importing trusted certificates. Certificates may be uploaded in PEM format (*.pem). (To import a code-signing certificate, see "Importing a Code-Signing Certificate " on page 122 To import a trusted certificate: 1. Go to Onboard > Management and Control > View by Certificate and click the Upload a trusted certificate link in the upper-right corner. The Trusted Certificate Import form opens. 2.
PAGE 124
To create a new certificate or certificate signing request: In the Certificate Authority drop-down list, select the certificate authority that will be used to sign the request. In the Certificate Type drop-down list, select the type of certificate you want to create: l l TLS Client Certificate—Use this option when the certificate is to be issued to a client, such as a user or a user’s device.
PAGE 125
l State l Locality l Organization l Organizational Unit l Common Name – this is the primary name used to identify the certificate l Email Address The Key Type drop-down list specifies the type of private key that should be created for the certificate.
PAGE 126
Table 22: Subject Alternative Name Fields Supported When Creating a TLS Client Certificate Signing Request Name Description Device Type Type of device, such as “iOS”, “Android”, etc. Device Name The hostname of the device at the time of enrollment. Device UDID Unique device identifier (UDID) for this device. This is typically a 64-bit, 128-bit or 160-bit number represented in hexadecimal (16, 32 or 40 characters, respectively).
PAGE 127
Providing a Certificate Signing Request in Text Format If you have a certificate signing request in text format, click the Copy and paste certificate signing request as text radio button on the Certificate Signing Request form. Paste the text into the Certificate Signing Request text field. Be sure to include the complete block of text, including the beginning and ending lines.
PAGE 128
The file should be a base-64 encoded (PEM format) PKCS#10 certificate signing request. Specifying Certificate Properties On the Certificate Signing Request form, select the type of certificate from the Certificate Type dropdown list. Choose from one of the following options: l TLS Client Certificate – Use this option when the certificate is to be issued to a client, such as a user or a user’s device.
PAGE 129
The first certificate listed is the root certificate. Root certificates are always self-signed and are explicitly trusted by clients. Each additional certificate shown is an intermediate certificate. The last certificate in the list is the signing certificate that is used to issue client and server certificates. To view the properties of a certificate in the trust chain, click the Information view opens. Show certificate link. The Certificate To export a certificate: 1. Click the Download Bundle link.
PAGE 130
2. In the Format row, choose the certificate format. The form expands to include configuration options for that format. 3. Complete the fields with the appropriate information, and then click Export Certificate. Considerations for iOS Devices The server certificate is used by W-ClearPass to secure Web (HTTPS) and authentication (RADIUS) traffic. It can be configured in W-ClearPass Policy Manager under Administration > Certificates > Server Certificate.
PAGE 131
All networks that have been provisioned are included in the list. You can click a network's row in the list for additional options: Table 23: The Network Settings List Field Description Show Details Displays details for the network. The form expands to show its name, description, and configuration values for network access, wireless networks, enterprise protocols, enterprise authentication, enterprise trust, Windows networking, and proxy settings. Edit Edit any of a network's attributes.
PAGE 132
Tab Description Access Specifies basic network properties, such as the name of the wireless network and the type of security that is used. This form is described below. Protocols Specifies the 802.1X authentication protocols that are used by the network. See "Configuring Enterprise Protocol Settings" on page 134. Authentication Specifies the type of device authentication to be used for the network. See "Configuring Device Authentication Settings" on page 135.
PAGE 133
2. (Optional) You may enter additional identifying information in the Description field. 3. The options available in the Network Type drop-down list are: l Both — Wired and Wireless – Configures both wired (Ethernet) and wireless network adapters. Use this option when you have 802.1X configured for all types of network access. l Wireless only – Configures only wireless network adapters. l Wired only – Configures only wired (Ethernet) network adapters. 4.
PAGE 134
Configuring Enterprise Protocol Settings On the Onboard > Configuration > Network Settings form, click the Enterprise Protocols form. Protocols tab to display the Use this form to specify the authentication methods required by your network infrastructure. The default EAP type is TLS for all platforms that support this method. l The iOS & OS X EAP option supports TLS, TTLS, PEAP, and EAP-FAST. l The Legacy OS X EAP option supports only PEAP with MSCHAPv2.
PAGE 135
authentication process. Use this option to enforce network access control (NAC) protections on the network. If TLS is selected, Enforce Network Access Protection is not available. l Enforce Cryptobinding – Cryptobinding is a process that protects the authentication protocol negotiation against man-in-the-middle attacks. The cryptobinding request and response performs a two-way handshake between the peer and the authentication server using key materials.
PAGE 136
l Machine and User – Use computer-only credentials or user-only credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, computer-only credentials are used for authentication. 3. Do one of the following: l Click Previous to return to the Protocols tab.
PAGE 137
Configuring Trust Settings Manually 1. In the Configure Trust drop-down list: l If you are using Policy Manager for authentication, leave this option set to Automatically configure trust settings. The complete trust chain is included in the profile download. l To change the recommended default setting and configure trust settings manually, choose Manually configure certificate trust settings . The form expands to include configuration options. 2.
PAGE 138
7. In the Windows Trust area, mark the Validate the server certificate check box. This ensures that the provisioned device will check the server certificate is valid before using the server for authentication. If this check box is unmarked, the configuration will not be secure. An attacker could provide another server certificate which the client would not verify. 8. Do one of the following: l Click Previous to return to the Authentication tab.
PAGE 139
installation to be done during onboarding by end users who otherwise do not have admin privileges. (Not supported by Windows 8 or above) l Do one of the following: n Click Previous to return to the Trust tab. n Click Next to continue to the n Click Save Changesto make the new network configuration settings take effect. n Click Cancel to discard your changes and return to the main Onboard configuration user interface. Proxy tab.
PAGE 140
iOS Settings You can manage iOS device settings for provisioned devices. A variety of settings are available, including such things as contacts, email, passcode policy, VPN, and Web clips settings. After you define each of the settings you wish to use, you can include them in configuration profiles. The configuration profiles are available in the Provisioning Settings form, and can be associated with a device provisioning configuration set.
PAGE 141
l "Configuring Global HTTP Proxy Settings" on page 151 l "Configuring an iOS Device Passcode Policy " on page 152 l "Configuring Single Sign-On Settings" on page 154 l "Configuring Calendar Subscription Settings" on page 155 l "Configuring an iOS Device VPN Connection" on page 156 l "Configuring Web Clips" on page 160 l "Configuring Web Content Filter Settings" on page 161 Configuring ActiveSync Settings Exchange ActiveSync configurations you define can be used in configuration profiles to au
PAGE 142
3. In the Magic String field, enter the value to send as the "X-Apple-Config-Magic" header in each EAS HTP request. 4. To allow the user to move messages out of this email account into another account, select the check box in the Allow Move field. Leave this field blank to prevent moving messages between accounts, and to prevent forwarding or replying from other than the message's originating account. 5.
PAGE 143
l 2 weeks l 1 month 2. Click Save Changes. The Exchange ActiveSync setting is available as a configuration unit on the Configuration Profile form. For more information about configuration profiles, see "Configuration Profiles" on page 165 Configuring AirPlay Settings AirPlay settings you define can be used in configuration profiles for an iOS device. An AirPlay setting includes its name and description, the destinations that are available to the device, and passwords for each destination.
PAGE 144
6. Click Save Changes. The AirPlay setting is available as a configuration unit on the Configuration Profile form. For more information about configuration profiles, see "Configuration Profiles" on page 165 Configuring AirPrint Settings AirPrint settings you define can be used in configuration profiles for an iOS device. An AirPrint setting includes its name and description, and AirPrint printer locations that are available to the user. You can define multiple AirPrint settings.
PAGE 145
Configuring APN Settings APN settings you define can be used in configuration profiles for an iOS device. An APN setting includes its name and description, carrier and proxy server information, and user account provisioning details. You can define multiple APN settings. APN settings are only supported on iOS devices; they are ignored by all other devices. To configure an APN setting: 1. Go to Onboard > Configuration > iOS Settings.
PAGE 146
To configure a CalDAV account: 1. Go to Onboard > Configuration > iOS Settings. Either click an existing Calendar setting's name in the list; or click Add New, select Calendar Settings in the Settings Type drop-down list, and click Create. The CalDAV Account Settings form opens. 2. In the Name field, give this calendar setting a short name that identifies it clearly. Calendar settings names can include spaces. If you are duplicating a calendar setting, the original name has "Copy" appended to it.
PAGE 147
For more information about configuration profiles, see "Configuration Profiles" on page 165 Configuring Contacts Settings CardDAV settings you define can be used in configuration profiles for an iOS device. CardDAV accounts allow users of a provisioned device to access and share contact data on a server. A CardDAV setting includes its name and description, the account description and hostname, port, principal URL, and whether SSL is enabled, as well as additional account details.
PAGE 148
9. (Required) Choose an option from the Account Details drop-down list to indicate how user account information should be supplied. Options available in the list include: l User provided - entered by user on device l Provisioning - values acquired during device provisioning l Shared preset values - testing only 10.If Shared preset values - testing only is selected in the Account Details drop-down list, the Username and Password fields are added to the form.
PAGE 149
5. In the Get Email Address From field, choose an option from the drop-down list to indicate how user account information should be supplied. Options available in the list include: l User provided - entered by user on device l Provisioning - values acquired during device provisioning l Shared preset values - testing only The remaining fields available in the General Settings area will vary according to your choice in the this dropdown list. 6.
PAGE 150
l Provisioning - values acquired during device provisioning l Shared preset values - testing only 6. If Shared preset values - testing only is selected in the Account Details drop-down list, the Username and Password fields are added to the form. Enter the CalDAV username and password for connecting to the server for incoming mail. The minimum password length is six characters. In the Outgoing Mail Server Settings area: 1.
PAGE 151
Configuring Global HTTP Proxy Settings Global HTTP proxy settings you define can be used in configuration profiles for an iOS device. A global HTTP proxy setting includes its name, description, and common global HTTP proxy settings. You can define multiple global HTTP proxy settings. Global HTTP proxy settings are only supported on supervised iOS devices; they are ignored by all other devices. To configure a global HTTP proxy setting: 1. Go to Onboard > Configuration > iOS Settings.
PAGE 152
10.To allow the device to bypass the proxy server and display the login page for captive networks, mark the check box in the Captive Networks Login field. This option is only available for iOS 7.0 and later. 11.To allow devices to connect directly to the destination if the PAC file is unreachable, mark the check box in the Allow Fallback field. If this check box is not selected, devices are prevented from connecting directly to the destination in the event that the PAC file is unreachable.
PAGE 153
5. If the passcode will not need restrictions on repeated or sequential characters, you can mark the check box in the Allow Simple field. 6. If the passcode must include alphabetic characters in addition to numbers, mark the check box in the Require Alphanumeric field. 7. To disable all push operations while the user is roaming, requiring the user to manually fetch new data, mark the check box in the Manual Fetching When Roaming field. 8.
PAGE 154
14.To specify that when the user changes their passcode the new value cannot be one that was used within a defined period of the passcode's history, use the counter in the PIN History field. The number you select is the number of recent passwords whose values will not be allowed. 15.Click Save Changes. The passcode policy is available as a configuration unit on the Configuration Profile form.
PAGE 155
l Primary = First part of the principal name. For a user, it is the username. For a host, the it is the word "host". l Instance = Optional string. Must be separated from the primary by a slash character. For a user, the instance might be null. For a host, this is the fully-qualified hostname—for example, "support.exampleSchool.edu". l Realm = The Kerberos realm. Usually the same as the domain name, in uppercase letters—for example, "EXAMPLESCHOOL.EDU". 7.
PAGE 156
If you are duplicating a calendar subscription setting, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, you can briefly describe the characteristics of the calendar subscription settings. 4. In the Account Description field, you can enter the display name for the calendar subscription. 5. In the Server field, enter the URL of the calendar file. 6.
PAGE 157
2. In the Name field, give the VPN configuration a short name that identifies it clearly. VPN configuration names can include spaces. If you are duplicating a VPN configuration, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the VPN configuration. 4. In the Connection Type drop-down list, choose Dell VIA. The Dell VIA Settings form expands to include additional options. 5.
PAGE 158
b. If you choose the IKEv2 protocol, you can specify the following authentication types. For VIA deployments that use IKEv2, the VPN server always uses a certificate for IKEv2 authentication phase. However, the devices can use certificates, EAP-MSCHAPv2, or EAP-TLS n Certificate n EAP-TLS n EAP-MSCHAPv2 8. Enter the Internal IP address assigned to the controller. 9. In the DNS Suffix field, enter the DNS domain name for the resolution of the internal resources. 10.
PAGE 159
2. In the Name field, give the VPN configuration a short name that identifies it clearly. VPN configuration names can include spaces. If you are duplicating a VPN configuration, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the VPN configuration. 4.
PAGE 160
6. In the Machine Authentication area, you may enter a value in the Shared Secret fields, or leave them blank to prompt the user to create the shared secret. 7. In the User Authentication area of the form, you may enter a value in the Account field, or leave them blank to prompt the user to enter the account. 8. In the User Authentication field, select either Password or RSA SecurID as the authentication type for the connection. 9. You can specify a proxy server to use when the VPN connection is active.
PAGE 161
To configure a Web clip setting: 1. Go to Onboard > Configuration > iOS Settings. Either click an existing Web clip setting's name in the list; or click Add New, select Web Clip Settings in the Settings Type drop-down list, and click Create. The Web Clip Settings form opens. 2. In the Name field, give the Web clip a short name that identifies it clearly. Web clip names can include spaces. If you are duplicating a Web clip, the original name has "Copy" appended to it.
PAGE 162
Web content filter settings are only supported on supervised iOS 7 devices; they are ignored by all other devices. To configure a Web content filter setting: 1. Go to Onboard > Configuration > iOS Settings. Either click an existing Web content filter setting's name in the list; or click Add New, select Web Content Filter Settings in the Settings Type drop-down list, and click Create. The Web Content Filter Settings form opens. 2.
PAGE 163
Windows Applications Application sets let you specify either individual apps or groups of apps that should be installed during device provisioning, and indicate whether they should be restarted when the device is provisioned. After you define each of the sets you wish to use, you can include them in configuration profiles. The configuration profiles are available in the Provisioning Settings form, and can be associated with a device provisioning configuration set.
PAGE 164
2. In the Name field, give the app set a short name that identifies it clearly. App set names can include spaces. If you are duplicating an app set, the original name has "Copy" appended to it. You may highlight this name and replace it with a new name. 3. In the Description field, briefly describe the characteristics of the app set. 4. In the Windows Applications area, apps you have downloaded through the Content Manager are listed in the Installers field.
PAGE 165
Configuration Profiles Onboard lets you create and manage multiple configuration profiles to choose from for your captive portal pages. To manage the configuration profiles that will be provisioned to onboarded devices, go to Onboard > Deployment and Provisioning > Configuration Profiles. The Configuration Profiles list view opens. All configuration profiles that have been created are included in the list.
PAGE 166
2. Click the Create new configuration profile link or click the Edit or Duplicate link for a profile in the list. The Configuration Profile form opens. 166 | Onboard Dell Networking W-ClearPass Guest 6.
PAGE 167
Table 26: Create/Edit Configuration Profile Fields Field Description Name (Required) Short name that identifies the configuration profile clearly. Configuration profile names can include spaces. If you are duplicating a profile, the original name has a number appended to it. You may highlight this name and replace it with a new name. Description (Optional) Brief description of the characteristics of the profile.
PAGE 168
Field Description information, see "Configuring Web Clips" on page 160. Global HTTP Proxy (Optional) HTTP proxy settings in this list were created on the Onboard > Configuration > iOS Settings > Global HTTP Proxy Settings form. This option is only available for supervised devices. For more information, see "Configuring Global HTTP Proxy Settings" on page 151.
PAGE 169
l To create a new provisioning set, click the Create new provisioning settings link in the upper right corner. The Device Provisioning Settings form opens. For information on creating, editing, or duplicating a configuration profile, see "About Configuring Provisioning Settings " on page 169. About Configuring Provisioning Settings On the Onboard > Deployment and Provisioning > Provisioning Settings list view, to modify a provisioning set for Onboard captive portal pages, click its Edit link.
PAGE 170
Tab Description page 181. Chromebook Onboard Client Specifies options for Chromebook device provisioning such as instructions shown to the user during provisioning. See "Configuring Provisioning Settings for Chromebook" on page 182. For more information about using Chromebook, see the appendix "Chromebook in Onboard " on page 527 Specifies options for Windows, Android, and legacy OS X (10.
PAGE 171
Table 28: Device Provisioning Settings, General Tab, Identity Area Field Description Certificate Authority (Required) You may select a different certificate authority (CA) if one has been created. This drop-down list originally contains a single certificate authority by default. If additional certificate authorities are created, they are included in this drop-down list (see "Creating a New Certificate Authority" on page 98).
PAGE 172
Field Description provision. To be enrolled, a device must have a currently valid certificate, and its status set to Allowed (at Onboard > Management and Control > View by Device). Unique Device Credentials Adds the username as a prefix to the device's PEAP credentials. Table 30: Device Provisioning Settings, General Tab, Supported Devices Area Field Description iOS & OS X Devices OS X 10.5.
PAGE 173
Table 31: Device Provisioning Settings, General Tab, Actions Area Field Description Certificate Expiry Specifies that users will receive an email notification when their device's network credentials are about to expire. The form expands to include options for configuring the notification email. Send Email Notification When to send the email. Options include one, two, three, or four weeks before expiration.
PAGE 174
Configuring Provisioning Settings for the Web Login Page Onboard creates a default Web login page that is used to start the device provisioning process. To specify options for the Web login landing page: 1. Go to Onboard > Deployment and Provisioning, expand the provioning setting's row in the list, and click its Edit link. In the Device Provisioning Settings form, click the Web Login tab. 2. In the Page Name field, enter the page name for the Web login page. 3.
PAGE 175
5. To force the user to accept a "Terms and Conditions" statement, mark the check box in the Terms row. The form expands to include the Terms Label, Terms Text, Terms Layout, and Terms Error fields. Complete these fields with your customized values. 6. In the Custom Fields text box, you can enter values for custom fields that you have created in Guest Manager to be displayed on the Web login page. In the Login Page area: 1. Use the Skin drop-down list to specify the skin to use for the login page. 2.
PAGE 176
Configuring Provisioning Settings for iOS and OS X To specify provisioning settings related to iOS and OS X devices: 1. Go to Onboard > Deployment and Provisioning, expand the provioning setting's row in the list, and click its Edit link. On the Device Provisioning Settings form, click the iOS & OS X tab. 2. Use the Display Name and Profile Description text fields to control the user interface displayed during device provisioning. 3.
PAGE 177
5. In the Edit ID row, Mark the Change the profile ID check box to change the unique value associated with the configuration profile. This value is used to identify the configuration settings as being from a particular source, and should be globally unique. When an iOS device receives a new configuration profile that has the same profile ID as an existing profile, the existing profile will be replaced with the new profile.
PAGE 178
3. In the Manual Reconnect Interface row, enter the text that will be shown to the user if manual reconnect is allowed and applicable. Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed. 4. In the Connect Success row, enter the text that will be shown to the user after successful reconnect. Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed. 5.
PAGE 179
3. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 4. In the Before Web Login area, enter the instructions that are shown to the user before they log in to provision an OS X 10.5 or 10.6 device. The text can be entered as HTML code, and you can use Smarty template functions.
PAGE 180
4. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 5. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as HTML code, and you can use Smarty template functions.
PAGE 181
2. In the Android Rootkit Detection drop-down list, choose one of the following options: l Provision all devices— All Android devices will be provisioned. l Do not provision rooted devices—Onboard will detect a jailbroken Android device and will not provision the device if it has been compromised. 3. In the Before Web Login area, enter the instructions that are shown to the user before they log in to provision an Android device.
PAGE 182
2. In the Before Web Login text box, enter the instructions that are shown to the user before they log in to provision an Ubuntu device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed. 3. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their Ubuntu device. The text can be entered as HTML code, and you can use Smarty template functions.
PAGE 183
2. In the Chromebook Extension field, read and follow the instructions for configuring the Chromebook extension in the Google admin console and adding the custom app. This field provides ID and server information that is specific to your installation. 3. In the Before Web Login text box, enter the instructions that are shown to the user before they log in to provision a Chromebook device. The text can be entered as HTML code, and you can use Smarty template functions.
PAGE 184
Configuring Options for Onboard Client Devices The Onboard Client tab is used to edit basic configuration options for Windows, Android, and legacy OS X (10.5 and 10.6) devices. This form is not used for iOS or OS X 10.7+ devices. To specify provisioning settings related to these Onboard-capable devices: 1. Go to Onboard > Deployment and Provisioning, expand the provioning setting's row in the list, and click its Edit link. On the Device Provisioning Settings form, click the Onboard Client tab. 2.
PAGE 185
and SSL server certificates that have been issued by an untrusted or unknown root certificate authority, will cause iOS device provisioning to fail with the message “The server certificate for … is invalid”. 5. The Validate Certificate drop-down list is used to specify whether the SSL server’s certificate should be validated as trusted.
PAGE 186
l Report a device as lost or stolen. For more information on various device actions, see "Device Management (View by Device) " on page 110. 186 | Onboard Dell Networking W-ClearPass Guest 6.
PAGE 187
Chapter 5 Configuration Dell Networking W-ClearPass Guest’s built-in Configuration editor lets you customize many aspects of the appearance, settings, and behavior of the application.
PAGE 188
Configuring W-ClearPass Guest Authentication You can use the Configuration module to modify authentication settings for the Dell Networking W-ClearPass Guest application. To configure W-ClearPass Guest’s authentication settings: 1. Go to Configuration > Authentication. The Authentication Settings form opens. 188 | Configuration Dell Networking W-ClearPass Guest 6.
PAGE 189
2. To send automatic disconnect or re-authorization messages when enabled or role values change, mark the check box in the Dynamic Authorization row. This requires a network access server (NAS) type that supports RFC-3576. 3. In the NAS Type row, use the drop-down list to choose the default type for network access servers. 4. To force a specific bind address for RFC-3576 requests, enter a value in the RFC-3576 Bind Address row. This might be needed in an AirGroup environment. 5.
PAGE 190
The list views and procedures are the same for both private and public files. Columns in the list show the filename, owner, file type, last modification date, and file size. Table 32: Content Files List View, Private Files or Public Files Field Description Upload New Content Add a new content item from your system. See "Uploading Content " on page 190. Download New Content Add a new content item from another Web server. See "Downloading Content" on page 191.
PAGE 191
You can upload single content files, multiple content asset files and folders, or a Web deployment archive. To upload multiple assets, first compress the files as a “tarball” or zip file, then browse to it in the File field. Allowed file formats are .tgz, .tar.gz, .tb2, .tar.bz2, or .zip. When you have uploaded the file, the Extract option lets you create the new directory, navigate into it, and view and extract the files. Directory structure is preserved when extracting. 4.
PAGE 192
3. In the New Filename row, enter the name for the new subdirectory. 4. (Optional) You may enter a description of the directory in the Description text area. 5. Click Create Directory. If you clicked the Create New Directory link on the Private Files list view, the subdirectory is added under the private directory in W-ClearPass. If you clicked the link on the Public Files list view, it is added under the public directory on the Web server.
PAGE 193
Field Description Username Type The default method used to generate random account usernames (when creating groups of accounts). This may be overridden by using the random_username_method field. Username Length This field is displayed if the Username Type is set to “Random digits”, “Random letters”, “Random letters and digits” or “Sequential numbering”. The default length of random account usernames (when creating groups of accounts). This may be overridden by using the random_username_length field.
PAGE 194
Field Description contain different combinations of uppercase letters, lowercase letters, digits and symbols (!#$%&() *+,-./:;<=>?@[\\]^_{|}~,).
PAGE 195
Field Description Expire Action l Default action when the expiration time is reached. Available options available are: Disable at specified time l Delete and logout at specified time l Delete at specified time l Disable and logout at specified time Expiration Options The options that should be available to select from when choosing the expiration time of a guest account (expire_after). These options are displayed as the values of the “Expires After” field when creating a user account.
PAGE 196
Field Description Email Message Use the drop-down list to specify the print template to use when generating the email message. Options include: l Account List l Certificate Expiry l Download Receipt l Guest Account Expiry l GuestManager Receipt l One account per page l SMS Receipt l SMS Sponsor Confirmation Alert l Sponsorship Confirmation l Two-column scratch cards Email Skin The format for the email receipts.
PAGE 197
Field Description Figure 26 Example Guest Receipt, Showing Site SSID Displayed as the WiFi Network Figure 27 Configure Guest Manager, General Options Dell Networking W-ClearPass Guest 6.
PAGE 198
Field Description Terms of Use URL (Optional) URL of a terms and conditions page provided to sponsors. You may upload an HTML file describing the terms and conditions of use by using the Content Manager (See "Managing Content: Private Files and Public Files" on page 189). If this file is called terms.html, then the Terms of Use URL should be public/terms.html. l If your site is hosted externally, be sure the proper access control lists (ACLs) are in place.
PAGE 199
n “password” to use the password specified in the password field n “random_password” to use the password specified in the random_password field n If blank or unset, the default password behavior is used, which is to use any available value from the random_password field and the password field, or assume that “reset” was specified otherwise. l password: This field is the password for the visitor account and may be provided directly.
PAGE 200
Visitor Account Expiration Properties l do_expire, modify_expire_time, expire_after and expire_time: These fields are used to determine the time at which the visitor account will expire. n If modify_expire_time is “none”, then the account has no expiration time set. n If modify_expire_time is “now”, then the account is disabled and has no expiration time set.
PAGE 201
Standard Forms and Views The figure below shows the standard forms and views in the application. The table below lists all the forms and views used for visitor management.
PAGE 202
These forms are accessed through the action row of the guest_users view: l change_expiration form – change expiration time for a single account l guest_multi_form form – editing multiple accounts l guest_edit form – editing single account l reset_password form – reset password for a single account These forms are the standard self-registration forms: l guest_register form – self-registration form l guest_register_receipt form – self-registration receipt These standard views are defined in Guest

PAGE 203

5. Remove extraneous data from the User Account HTML field. Example text is shown below.

{if $u.create_result.

Customize the Guest Accounts Form Next, modify the Guest Accounts form to add a flag that to allows access-code based authentication. 1. Go to Configuration > Pages > Forms & Views. 2. In the Customize Forms & Views list, select create_multi and then click Edit Fields. 3. In the Edit Fields list, look for a field named username_auth. If the field exists but is not bolded and enabled, select it and click Enable Field.

PAGE 205

4. Confirm that the accounts settings are as you expected with respect to letters and digits in the username and password, expiration, and role. 5. Click the Open print window using template drop-down list and select the new print template you created using this procedure See "Create the Print Template" on page 202 for a description of this procedure. A new window or tab will open with the cards. Dell Networking W-ClearPass Guest 6.

PAGE 206

Pages The Pages area of the user interface lets you customize the pages that are available to guests and sponsors. To work with pages configuration, go to Configuration > Pages > Start Here. This section includes: l "Customizing Fields" on page 206 l "Customizing Forms and Views" on page 212 l "Customizing Guest Self-Registration" on page 235 l "Managing Web Logins" on page 260 Customizing Fields Custom fields are fields that you define yourself to cater for areas of interest to your organization.

PAGE 207

The Field Name is not permitted to have spaces but you can use underscores. The Field Type can be one of String, Integer, Boolean or No data type. The No data type field would be used as a label, or a submit button. Enter a description in the Description field. You can enter multiple-line descriptions which result in separate lines displayed on the form. You can specify the default properties to use when adding this field to a view.

PAGE 208

You can specify the default validation rules that should be applied to this field when it is added to a form. See "Form Validation Properties" on page 227 in this chapter for further information about form validation properties. Select the Show advanced properties check box to reveal additional properties related to conversion, display and dynamic form behavior. See "View Field Editor" on page 234 in this chapter for more information about advanced properties.

PAGE 209

Displaying Forms that Use a Field To see a list of the forms that use a field, go to Configuration > Pages > Fields, click the field, and then click its Show Forms link. The list displays the forms that use the selected field. It also allows you to edit the form’s fields by clicking the Edit Fields link. Click the Use link to open the form that uses that field. If the field is used on multiple forms, you can select which form you would like to view.

PAGE 210

3. In the User Interface drop-down list, select Checklist. 4. In the Description text box, delete the existing text, then enter Select the location IDs where this device will be shared. Leave blank to share with all locations. 5. Delete any text from the CSS Class and the CSS Style fields. 6. In the Options Generator drop-down list, select (Use options). 7. In the Options text box, enter a list of values to use as the checklist options that presented to the user.

PAGE 211

2. In the Conversion drop-down list, select NwaImplodeComma. The form expands to include the Type Error row. 3. In the Display Function drop-down list, select NwaExplodeComma. The form expands to include the Display Param and Display Arguments rows. 4. In the Display Param text field, enter the value _self. Be sure to include the leading underscore character. 5. Click Save Changes.

PAGE 212

The user interface appears as follows: Customizing Forms and Views You can view a list of W-ClearPass Guest's forms and views. From this list view, you can change the layout of forms or views, add new fields to a form or view, or alter the behavior of an existing field. To view or customize forms and views, go to Configuration > Pages > Forms & Views. The Customize Forms and Views page opens. You can open a form or view directly from the Forms and Views page.

PAGE 213

Editing Forms and Views You can change the general properties of a form or view such as its title and description. To edit the form or view, go to Configuration > Pages > Forms & Views, click the form’s or view’s row in the list, and then click its Edit link. The row expands to include the Edit Properties form. The Width field is only displayed for views. It specifies the total width of the list view in pixels. If blank, a default value is used.

PAGE 214

Editing Forms To add a new field to a form, reorder the fields, or make changes to an existing field, go to Configuration > Pages > Forms & Views, click the form’s row in the Customize Forms & Views list, and then click the Edit Fields link. The Customize Form Fields view opens. Field Description Rank Specifies the relative ordering of the fields when displaying the form. This list always shows the fields in order by rank. Field The name of the field in the database.

PAGE 215

Form Field Editor The form field editor is used to control both the data gathering aspects and user interface characteristics of a field. To open the Form Field Editor, go to Configuration > Pages > Forms & Views, click a form or view, click its Edit Fields link, click the field, and then click the field's Edit link. Each field can only appear once on a form. The Field Name selects which underlying field is being represented on the form.

PAGE 216

l No user interface – The field does not have a user interface specified. Using this value will cause a diagnostic message to be displayed (“Form element is missing the ‘ui’ element”) when using the form. l CAPTCHA security code – A distorted image of several characters will be displayed to the user, as shown below: A new image may be generated, or the image may be played as an audio sample for visually impaired users.

PAGE 217

l Checklist – A list of check boxes is displayed, as shown below: The text displayed for each check box is the value from the options list. Zero or more check boxes may be selected. This user interface type submits an array of values containing the option key values of each selected check box. Because an array value may not be stored directly in a custom field, you should use the conversion and value formatting facilities to convert the array value to and from a string when using this user interface type.

PAGE 218

For example, suppose the first two check boxes are selected (in this example, with keys “one” and “two”). The incoming value for the field will be an array containing 2 elements, which can be written as array ("one", "two"). The NwaImplodeComma conversion is applied, which converts the array value into the string value “one,two”, which is then used as the value for the field.

PAGE 219

l Drop-down list – The field is displayed allowing a single choice from a drop-down list. The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field. If the “Hide when no options are selectable” check box is selected, and there is only a single option in the drop-down list, it will be displayed as a static text item rather than as a list with only a single item in it.

PAGE 220

value when the form is submitted. If the value should be forced, use the Force Value setting under Advanced Properties to ensure the value cannot be overridden. For more information, see "Advanced Form Field Properties" on page 230. To set the value to submit for this field, use the Initial Value option in the form field editor. l Multiple Selection List -- A list of selectable options will be displayed. The text displayed for each check box or radio button is the value from the options list.

PAGE 221

l Password text field – The field is displayed as a text field, with input from the user obscured. The text typed in this field is submitted as the value for the field. l Radio buttons – The field is displayed as a group of radio buttons, allowing one to be selected, as shown below: The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field. Dell Networking W-ClearPass Guest 6.

PAGE 222

The “Vertical” and “Horizontal” layout styles control whether the radio buttons are organized in top-tobottom or left-to-right order. The default is “Vertical” if not specified. l Static text – The field’s value is displayed as a non-editable text string. An icon image may optionally be displayed before the field’s value. A hidden element is also included for the field, thereby including the field’s value when the form is submitted.

PAGE 223

l Static text (Raw value) – The field’s value is displayed as a non-editable text string. HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links and font formatting. Use caution when using this type of user interface element, particularly if the field’s value is collected from visitors. Allowing HTML from untrusted sources is a potential security risk. Dell Networking W-ClearPass Guest 6.

PAGE 224

If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor. l Static text (Options lookup) – The value of the field is assumed to be one of the keys from the field’s option list. The value displayed is the corresponding value for the key, as a non-editable text string.

PAGE 225

l Submit button – The field is displayed as a clickable form submit button, with the label of the field as the label of the button. The description is not used. The field’s value is ignored, and will be set to NULL when the form is submitted. To place an image on the button, an icon may be specified. To match the existing user interface conventions, you should ensure that the submit button has the highest rank number and is displayed at the bottom of the form.

PAGE 226

It is recommended that you specify the desired minimum dimensions of the text area, either with the Rows and Columns options, or by specifying a width in the CSS Style option (for example, “width: 460px; height: 100px;” specifies a 460 x 100 pixel minimum area). l Text field – The field is displayed as a single-line text box. The text typed in this box is submitted as the value for the field. A short text label may be placed after the text box using the Label After option.

PAGE 227

Form Validation Properties On the Form Field Editor (see "Form Field Editor " on page 215), the form validation properties control the validation of data entered into a form. By specifying appropriate validation rules, you can detect when users attempt to enter incorrect data and require them to correct their mistake. The initial value for a form field may be specified. Use this option when a field value has a sensible default. The initial value should be expressed in the same way as the field’s value.

PAGE 228

Argument. Validators such as IsEqual, IsInRange and IsRegexMatch use the argument to perform validation. Examples of Form field Validation Example 1 – To create a form field that requires an integer value between 1 and 100 (inclusive) to be provided, use the following settings in the form field editor (see "Form Field Editor " on page 215): The form field will contain an integer value, so you should set the field's type to Integer when you create it.

PAGE 229

Example 2 – To create a form field that accepts one of a small number of string values, use the following settings in the form field editor: This example could be used for a string field named visitor_department. Because the values are known in advance, a drop-down list is the most suitable user interface. An initial value for the form field, as shown above, could be used if most visitors are in fact there to visit the sales team.

PAGE 230

Advanced Form Field Properties On the Form Field Editor (see "Form Field Editor " on page 215), the Advanced Properties control certain optional form processing behaviors. You can also specify JavaScript expressions to build dynamic forms similar to those found elsewhere in the application. On the Customize Form Fields page, select the Show advanced properties check box to display the advanced properties in the form field editor.

PAGE 231

if a list of email addresses and phone numbers was imported for pre-registration, each visitor’s entries for those fields at registration must match. Form Field Validation Processing Sequence The following figure shows the interaction between the user interface displayed on a form and the various conversion and display options available on the Form Field Editor (see "Form Field Editor " on page 215) .

PAGE 232

In this case, the Conversion function is set to NwaConvertOptionalDateTime to convert the string time representation from the form field (for example, “2008-01-01”) to UNIX time (for example, 1199145600). The Validator for the expire_time field is IsValidFutureTimestamp, which checks an integer argument against the current time. The Value Formatter is applied after validation.

PAGE 233

Unlike the other parts of the form field editor, the Enable If and Visible If expressions are evaluated by the operator’s Web browser. These expressions are not used by the server for any other purpose. The expression must be a Boolean expression in the JavaScript language; statements and other code should not be included as this will cause a syntax error when the form is displayed in a Web browser.

PAGE 234

View fields have a Rank number, which specifies the relative ordering of the columns when displaying the view. The Customize View Fields editor always shows the columns in order by rank. The Type of each field is displayed. This controls what kind of user interface element is used to display the column, and whether the column is to be sortable or not. The Title of the column and the Width of the column are also shown in the list view.

PAGE 235

To use the default view display properties for a field, you only need to select the field to display in the column and then click the Save Changes button. To customize the view display properties, click the Advanced view options… check box. The column type must be one of the following: l Text – The column displays a value as text. l Sortable text – The column displays a value as text, and may be sorted by clicking on the column heading.

PAGE 236

l The receipt page typically contains static information about the guest account, but several different actions can be included, enabling visitors to obtain their receipt in different ways. The receipt page can also be used to automatically log the guest into a Network Access Server, enabling them to start using the network immediately. Detailed user interface customization can be performed for all parts of the self-registration process.

PAGE 237

Field Description Go to Portal Displays a preview of the Self Service Login portal. See "The "Go to Portal" Option " on page 238. Go to Login Displays a preview of the Network Login form. See "The "Go to Login" Option" on page 239. Create new selfregistration Create a new self-registration page. See "Creating a Self-Registration Page" on page 241.

PAGE 238

The Receipt Page After the visitor successfully registers, the receipt page is their confirmation and provides their login and access information. The "Go to Portal" Option When you choose the Go To Portal option for a self-registration page, the row expands to show an active preview of the Self Service Login page and form as the visitor would see it. This form lets the visitor access their account information. You may test the behavior of the form.

PAGE 239

The "Go to Login" Option When you choose the Go To Login option for a self-registration page, the row expands to show an active preview of the Network Login page and form as the visitor would see it. This is the page the visitor sees when they log in to the network. You may test the behavior of the form. Self-Registration Sequence Diagram To set up a captive portal with guest self-registration, you configure your Network Access Servers to redirect guests to the URL of the ‘Go To’ link.

PAGE 240

Figure 29 Sequence Diagram for Guest Self-Registration In this diagram, the stages in the self-registration process are identified by the numbers in brackets, as follows: The captive portal redirects unauthorized users [1] to the registration page [2]. After submitting the registration form [3], the guest account is created and the receipt page is displayed [4] with the details of the guest account.

PAGE 241

Figure 30 Guest Self-Registration Workflow Diagram . The diagram shows the guest self-registration process. The solid orange arrows show the workflow for the visitor. The dotted blue arrows show the workflow for the administrator. The blue headings in the diagram are links to the corresponding sections of the Customize Guest Registration form. Click an icon or label in the diagram to jump directly to the editor for that item.

PAGE 242

Field Description Name (Required) The name of this self-registration page to identify it —for example, "Guest Self-Registration". This name can include spaces. This name is only displayed to administrators within W-ClearPass; it is not seen by the visitor. Description You may enter comments to further identify or describe this page. This description is only displayed within W-ClearPass. Enabled When creation of this page is complete, select this check box to make it available to use.

PAGE 243

Configuring Basic Properties for Self-Registration Click the Master Enable, User Database, Choose Skin, or Rename Page links to edit the basic settings for guest self-registration. The Basic Properties window has configurable settings such as Name, Description, enabling guest-self registration, Register Page, Parent, and Authentication. Using a Parent Page To use the settings from a previously configured self-registration page, select an existing page name from the Parent drop-down menu.

PAGE 244

The Allowed Access and Denied Access fields are access control lists that determine if a client is permitted to access this guest self-registration page. You can specify multiple IP addresses and networks, one per line, using the following syntax: l 1.2.3.4 – IP address l 1.2.3.4/24 – IP address with network prefix length l 1.2.3.4/255.255.255.0 – IP address with explicit network mask Use the Deny Behavior drop-down list to specify the action to take when access is denied.

PAGE 245

Editing Registration Page Properties To edit the properties of the registration page: 1. Go to Configuration > Pages > Guest Self-Registration. 2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears. 3. Click the Register Page link, or one of the Title, Header, or Footer fields for the Register Page. Figure 31 The Customize Guest Registration Form Template code for the title, header, and footer may be specified.

PAGE 246

The default settings for this form are as follows: l The visitor_name and email fields are enabled. The email address of the visitor will become their username for the network. l The expire_after field is set to a value of 24 by default; this sets the default expiration time for a selfregistered visitor account to be 1 day after it was created. This field is hidden by default on the register page.

PAGE 247

Table 35: Form Editor Options Field Description Edit Make changes to an existing field. The Form Field Editor opens. Any changes made to the field using this editor will apply only to this field on this form. Edit Base Field Make changes to an existing field’s definition. Any changes made to the field using this editor will apply to all forms that are using this field (except where the form field has already been modified to be different from the underlying field definition).

PAGE 248

5. To adjust the placement of the password field on the Create Multiple Guest Accounts form, you may change the number in the Rank field. 6. In the User Interface row, choose Password text field from the drop-down list. The Field Required check box should now be automatically marked, and the Validator field should be set to IsNonEmpty. 7. Click Save Changes. The Customize Form Fields view opens again, and the password field is now included and can be edited.

PAGE 249

Enabling Sponsor Confirmation for Role Selection You can allow the sponsor to choose the role for the user account at the time the sponsor approves the selfregistered account. To enable role selection by the sponsor: 1. Go to Configuration > Pages > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens. 2. In the Receipt Page area of the diagram, click the Actions link. Dell Networking W-ClearPass Guest 6.

PAGE 250

The Receipt Actions form opens. 3. In the Sponsorship Confirmation area at the bottom of the form, mark the Enabled check box for Require sponsor confirmation prior to enabling the account. The form expands to let you configure this option. 4. In the Authentication row, mark the check box for Require sponsors to provide credentials prior to sponsoring the guest. 5. In the Role Override row, choose (Prompt) from the drop-down list. 6.

PAGE 251

When a guest completes the form and clicks the Register button, the sponsor receives an email notification. 8. To confirm the guest’s access, the sponsor clicks the click here link in the email, and is redirected to the Guest Registration Confirmation form. 9. In the Account Role drop-down list, the sponsor chooses the role for the guest, then clicks the Confirm button.

PAGE 252

Editing Email Delivery of Guest Receipts The Email Delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery. When email delivery is enabled, the following options are available to control email delivery: l Disable sending guest receipts by email – Email receipts are never sent for a guest registration.

PAGE 253

Editing SMS Delivery of Guest Receipts The SMS Delivery options available for the receipt page actions allow you to specify the print template to use, the field containing the visitor’s phone number, and the name of an auto-send field. These options under Enabled are available to control delivery of SMS receipts: l Disable sending guest receipts by SMS – SMS receipts are never sent for a guest registration.

PAGE 254

If automatic guest login is not enabled, the submit button on the receipt page will not be displayed, and automatic NAS login will not be performed. In the Vendor Settings field, if Single Sign-On - SAML Identity Provider is selected, an appropriate service must be created in CPPM using the ClearPass IDP service template. The external service provider must then be configured to use the SAML Web login page as the IdP.

PAGE 255

Table 36: The Customize Guest Self-Registration Form, Login Form and Post-Authentication Field Description Custom Form Indicates you will provide a custom login form. If selected, you must supply your own HTML login form for the header or footer HTML areas. Custom Labels Enables altering the default labels and error messages. Username Label Label that appears on the form for the username field. Leave blank to use the default, (Username:).

PAGE 256

Field Description Terms Layout Layout for the terms and conditions text—either above or below the Terms check box. Terms Error Text to display if the terms are not accepted. Leave blank to use the default (In order to log in, you must accept the terms and conditions.). Log In Label Label that appears on the form for the login button. Leave blank to use the default (Log In). Health Check Requires the visitor to pass a health check before they can access the network.

PAGE 257

Table 37: The Customize Guest Self-Registration Form, Login UI Section Field Description Login Page Title The title that will be displayed on the NAS login page. Header HTML The HTML content to display above the NAS login form. You can use the drop-down lists to add images or other content items. Footer HTML The HTML content to display below the NAS login form. You can use the drop-down lists to add images or other content items.

PAGE 258

To adjust the user interface, use the override check boxes to display additional fields on the form. These fields allow you to customize all text and HTML displayed to users of the self-service portal. The behavioral properties of the self-service portal are described below: l The “Enable self-service portal” check box must be selected for guests to be able to access the portal.

PAGE 259

The default user interface for the self-service portal is shown below: Clicking the I’ve forgotten my password link displays a form where the user password may be reset: Entering a valid username will reset the password for that user account, and will then display the receipt page showing the new password and a login option (if NAS login has been enabled). This feature allows the password to be reset for any guest account on the system, which may pose a security risk.

PAGE 260

With these settings, the user interface for resetting the password now includes a question and answer prompt after the username has been determined: Selecting a different value for the “Required Field” allows other fields of the visitor account to be checked. These fields should be part of the registration form.

PAGE 261

Table 38: The Web Logins List View Field Description Edit Edit any of a Web login page's attributes. The Web Login Editor form opens. For more information, see "Creating and Editing Web Login Pages" on page 261. Duplicate Create a copy of a Web login page to use as a basis for a new page. A progress bar is shown while the page settings are duplicated. When it is complete, the new page is displayed in the list with "Copy of" prepended to its name.

PAGE 262

Onboard creates a default Web login page that is used to start the device provisioning process. To create a new Web login page, go to Configuration > Pages > Web Logins and click the Create new Web login page link in the upper-right corner. The Web Login Editor form opens. Table 39: Web Login Editor, General Properties Field Description Name (Required) Enter a name for the page. Page Name Identifier page name that will appear in the URL -- for example, "/guest/page_name.php".

PAGE 263

Field Description l Address Secure Login Policy Initiated—An enforcement policy will control a change of authorization— This option should be selected if a Policy Manager policy that includes a "bounce client" will be run as part of the page's actions. This option should be selected if you are using OnGuard health checks. (Required) IP address or hostname of the vendor's product. Security option to use for the Web login process.

PAGE 264

Table 40: Web Login Editor, Login Form Properties Field Description Submit URL URL of the NAS device's login form. Submit Method Method to use when submitting the login form to the NAS. Options include: POST l GET l Authentication Authentication requirement options include: Credentials — Require a username and password l Access Code — Only require a username for authentication—This option does not require a password.

PAGE 265

Field Description UAM Secret Shared secret between the NAS device and the Web login form. Pre-Auth Check How the username and password should be checked before authentication.

PAGE 266

Table 41: Web Login Editor, Default Destination Properties Field Description Default URL The default URL for the redirect page. For external domains, this must include the http:// prefix. Override Destination Forces the default destination for all clients, overriding any default value already set on the client.

PAGE 267

Field Description registration link. Login Message Enter the HTML template code for the text to display while the login attempt is in progress. The default content is shown, and can be modified. You can also use the drop-down list to add images or other content items. Login Delay Specifies the number of seconds to delay while displaying the login message. Options in the Social Logins area let you present guests with various social login options: Dell Networking W-ClearPass Guest 6.

PAGE 268

Table 43: Web Logins Editor, Social Logins Properties Field Description Social Login To enable the use of social network credentials to log in, select this check box. The form expands to include social login configuration options. Authentication Providers All social network providers that have been configured are included in this list. Add new authentication provider Opens the properties form for adding and configuring a social network provider.

PAGE 269

Field Description Notes You may enter additional notes or comments about the provider. This description is only seen by administrators. Email If selected, allows the provider to request access to the guest's email address. Access requires additional permission for the provider. Google Plus if selected, allows the provider to request access to the guest's Google Plus profile. Access requires additional permission for the provider.

PAGE 270

Options in the Post-Authentication area control the actions to perform after a successful pre-authentication: Table 45: Web Login Editor, Post-Authentication Properties Field Description Health Check Requires the visitor to pass a health check before they can access the network. The health check is done automatically through the OnGuard dissolvable agent. Client Agents l Header HTML The HTML content to display above the health check text. The default content is shown, and can be modified.

PAGE 271

Digital Passes Digital passes are cryptographically signed files containing fields and images that are used as boarding passes, event tickets, coupons, store passes, or other scannable items. In Dell Networking W-ClearPass Guest, you can upload and install digital pass certificates, create new templates for digital passes, and use the passes for guest receipts. To work with digital passes, go to Configuration > Receipts > Digital Pass Templates.

PAGE 272

Passes can be organized in Apple Passbook on the user's device. Good visual design practices ensure that each pass can be quickly recognized when displayed amongst other passes. (Apple Passbook is available on Apple iOS 6+ devices.) To use a pass such as a membership card or store card, the user selects it from the passbook and displays it so the barcode can be scanned.

PAGE 273

Template" on page 277. Pass templates define: l Name and a description: Used to identify the template in W-ClearPass administrative forms and views. l Style: Boarding Pass, Event ticket, Coupon, Store Pass, or Generic. l Colors: Foreground, background, and label. If no alternate colors are specified, then default colors will be used. If there are alternate colors specified, then they will be used instead of the default colors. l Summary: Short description for a voice-over.

PAGE 274

3. Create a certificate for your Pass Type ID. 4. Follow the portal’s instructions to create a certificate signing request using Keychain Access (a standard Mac OS X application) and submit it to the portal. 5. Download the Pass Type ID certificate. You also need to provide the private key for the pass certificate. If you created the certificate signing request using Keychain Access: 1. In Keychain Access, locate the private key for the certificate signing request. 2.

PAGE 275

If no pass certificate is installed yet, no details are displayed. Click the Upload pass certificate link to obtain and install a certificate. See "Installing Digital Pass Certificates" on page 275. Installing Digital Pass Certificates You must have a valid Pass Certificate issued by Apple in order to generate and download passes. To obtain a pass certificate, you first need an Apple developer account. Developer accounts are free; to register for an account, go to developer.apple.

PAGE 276

Field Description Format Specify whether you will upload the certificate as a file or paste in the certificate text. The form expands to include the Step 2 options. Certificate For certificates pasted as text, copy and paste the digital certificate's text. This is a block of encoded text and should include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines. For uploaded certificate files, browse to the certificate to upload. This should be one of the following: PEM encoded X.

PAGE 277

Field Description Edit Edit any of the template's properties. Copy Make a copy of the template to use as a basis for a new template. Reset to Defaults Resets the default template to its original settings if changes were made. (Only available for the default template) Delete Deletes the pass template. (The default Guest Receipt template cannot be deleted) Create a new template Create a new template.

PAGE 278

Defining Pass Properties For examples of variables that can be used in the Summary and Logo Text fields described in the following table, click the Example 'template code' replacements link above the form, or see "Example Template Code Variables" on page 283. For a list of image fields supported by each of the different pass styles, click the A note regarding images and icons link above the form, or see "Images in Digital Passes" on page 283.

PAGE 279

Field Description Icon Image Icon shown on the lock screen and in notifications and emails where the pass is attached. To use the default icon, leave this field blank. The low-resolution version of the icon image should be 29 x 29 pixels. If an "@2x" high-resolution version is available, it will also be added to the pass. The "@2x" high-resolution version should be 58 x 58 pixels. Logo Image Logo shown at the top-left corner of the front of the pass. To use the default logo, leave this field blank.

PAGE 280

Defining Pass Fields Table 48: Pass Fields, Pass Template Settings Field Description Fields List of fields currently included in this pass template, with descriptions. You can click a field's row for configuration options. Edit Opens the Field Properties editor, where you can enable the field and modify its placement, content, and presentation properties. Disable Disables the field for the pass. To enable it again, click its Enable link. Move Up Fields are shown in this list in their rank order.

PAGE 281

Table 49: Relevant Locations, Pass Template Settings Field Description Relevant Locations If selected, shows the digital pass on the user's lock screen when near a given location. Passbook determines the appropriate distance around the location for the pass to be displayed on the lock screen. Location Limit A pass template may only contain 10 locations. More may be added here, but only the first 10 valid locations will be included in the pass.

PAGE 282

Field Description l l Optional — The pass can still be generated even if no value is supplied for the date field Required — The pass will not be generated if the value for the date field is empty Date Rank Rank order for processing the date field defined here. If multiple relevant date fields are included in the template, they are processed in ascending order, and the first field that has a valid date will be the relevant date for the pass. Date Text for the relevant date.

PAGE 283

Example Template Code Variables When you create or edit a digital pass template, many of the settings accept standard template code. This is the same code that is supported for print templates. This allows you to specify either simple direct values or more complex values based upon the evaluation of template code. All template code is evaluated when the pass is generated from the pass template, using values from the guest receipt as inputs to the pass template.

PAGE 284

Only PNG image files (*.png) are supported by passes. A pass can contain both a low-resolution version (i.e. for non-Retina displays) and a high-resolution version (i.e. for Retina displays) of each image. If it has been uploaded to the content manager, the high-resolution version of an image is also automatically included in the pass. The high-resolution version must be named with the suffix @2x at the end of the filename, just before the file extension—for example: l Company_Logo.

PAGE 285

The following options are available in the Enabled drop-down list to control email delivery: Table 52: Email Delivery Options, Customize Guest Self-Registration Field Description Disable sending guest receipts by email Email receipts are never sent for a guest registration. Always auto-send guest receipts by email An email receipt is always generated using the selected options, and is sent to the visitor’s email address.

PAGE 286

Email Receipt Options The Customize Email Receipt form may be used to set default options for visitor account email receipts. To configure email receipt options, go to Configuration > Pages > Email Receipts. The Customize Email Receipt form opens. Figure 32 Customize Email Receipt page Table 53: The Customize Email Receipt Form Field Description Subject Line May contain template code, including references to guest account fields.

PAGE 287

Field Description the email receipt will be sent to the current operator. Send Copies Choose a value from the drop-down list to specify how copies of the email receipts will be sent to the additional email addresses listed in the Copies To field: l Do not send copies – The Copies To list is ignored and email is not copied. l Always send using ‘cc:’ – The Copies To list is always sent a copy of any guest account receipt (even if no guest account email address is available).

PAGE 288

Figure 33 Example of Email Receipt Test Message Content About Customizing SMTP Email Receipt Fields The behavior of email receipt operations can be customized with certain guest account fields. You do this on a per-user basis. Table 54: SMTP Email Receipt Fields Field Description smtp_enabled May be set to a non-zero value to enable sending an email receipt. If unset, the default value from the email receipt configuration is used.

PAGE 289

Field Description smtp_auto_send_field Specifies the name of the field that contains the auto-send flag. If blank or unset, the default value from the email receipt configuration is used. Additionally, the special values “_Disabled” and “_Enabled” may be used to never send email or always send email, respectively. smtp_cc_list Sspecifies a list of additional email addresses that will receive a copy of the visitor account receipt.

PAGE 290

Field Description smtp_warn_before_cc_list This overrides the list of additional email addresses that receive a copy of the visitor account receipt under Logout Warnings on the email receipt.If the value is “default”, the default carbon-copy list under Logout Warnings from the email receipt configuration is used. smtp_warn_before_cc_action This field overrides how copies are sent as indicated under Logout Warnings on the email receipt. to send copies of email receipts.

PAGE 291

l sms_template_id – This field specifies the print template ID for the SMS receipt. If blank or unset, the default value from the SMS plugin configuration is used. l sms_phone_field – This field specifies the name of the field that contains the visitor’s phone number. If blank or unset, the default value from the SMS plugin configuration is used. l sms_auto_send_field – This field specifies the name of the field that contains the auto-send flag.

PAGE 292

Plain text print templates may be used with SMS services to send guest account receipts; see "About SMS Guest Account Receipts " on page 304 for details. Because SMS has a 160 character limit, the number of characters used in the plain text template will be displayed below the preview. If you are including a guest account’s email address in the SMS, remember to allow for lengthy email addresses (up to 50 characters is a useful rule of thumb).

PAGE 293

You are able to add Smarty template functions and blocks to your code. These act as placeholders to be substituted when the template is actually used. See "Smarty Template Syntax" on page 480 for further information on Smarty template syntax. You can use an {if} statement to define a single print template that caters to multiple situations.

PAGE 294

Each of the basic styles provides support for a logo image, title area, subtitle area, notes area, and footer text. These items can be customized by typing in an appropriate value in the Print Template Wizard. As the print template is a HTML template, it is possible to use HTML syntax as well as Smarty template code in these areas. See the "Reference" on page 477 chapter for reference material about HTML and Smarty template code. The print template may also contain visitor account fields.

PAGE 295

The permissions defined on this screen apply to the print template identified in the “Object” line. The owner profile always has full access to the print template. To control access to this print template by other entities, add or modify the entries in the “Access” list. To add an entry to the list, or remove an entry from the list, click one of the icons in the row. A Delete icon and an Add icon will then be displayed for that row.

PAGE 296

n Full access (ownership) – the print template is visible in the list, and may be edited or deleted. The permissions for the print template can be modified, if the operator has the Object Permissions privilege. SMS Services With SMS Services, you can configure W-ClearPass Guest to send SMS messages to guests. You can use SMS to send a customized guest account receipt to your guest’s mobile phone. You can also use SMS Services to send an SMS from your Web browser.

PAGE 297

l To work with a gateway, click its row in the list. The gateway’s row expands to include the Edit, Duplicate, Delete, Make Default, and Send SMS options. Table 56: SMS Gateways List l Field Description Edit Lets you make changes to the gateway. See "Editing an SMS Gateway" on page 301. Duplicate Lets you make a copy of the gateway to use as a base for a new gateway. A new gateway will be added to the list with the name “Copy of ”.

PAGE 298

Table 57: SMS Gateway Configuration -- Gateway and Service Settings Options Field SMS Gateway Description (Required) The SMS gateway service to use. Options in this drop-down list include: ClearPass Guest SMS Service l Custom HTTP Handler l SMS over SMTP l External Providers The options presented in the Service Settings area depend on the gateway selected here. l Display Name Carrier Selection Name for this gateway service handler.

PAGE 299

Field Description Address (Required) If a fixed email address was specified, enter the email address to which all SMS messages will be sent. Address Template (Required) If a template to determine the address was specified, enter an example address that will be used as the pattern for the address format. Number Format Choose a country code requirement option from this drop-down list. The available options are Use the visitor’s value, Always include the country code, or Never include the country code.

PAGE 300

Field Description leave this field blank. Confirm Passphrase SMS Source Address Enter the originator address of sent SMS messages. Depending on the provider, this may be either a phone number or a short string. Message Format If needed for custom SMS handlers, you can select the check box to specify that the message format should be converted to hex-encoded UTF-16 (Unicode).

PAGE 301

Table 59: SMS Gateway Configuration -- Connection Settings, Debug, and Test SMS Settings Options Field Description Connection Timeout (Required) The connection timeout for this SMS service, in seconds. HTTP Timeout (Required) The timeout for the HTTP transfer to complete, in seconds. Enable Debug To log detailed information in the application log for each stage of the HTTP transaction, select the check box in this row. Message (Required) To verify the configuration, enter a test message.

PAGE 302

3. The SMS Gateway field displays the gateway service that was selected when the gateway was created. This cannot be edited after creation. 4. In the Service Settings area, you may edit the Display Name. 5. When you duplicate an SMS over SMTP gateway, the Carrier Selection configuration options are included. In the Carrier Selection drop-down list, choose one of the following options: l Registration form will have the visitor_carrier field—The visitor will supply the carrier information when they register.

PAGE 303

n Number Format—Choose a country code requirement option from this drop-down list. The available options are Use the visitor’s value, Always include the country code, or Never include the country code. n Subject Line—You may enter text for the message’s subject line. This field supports Smarty template syntax. For a Smarty template syntax description, See "Smarty Template Syntax" on page 480. 6.

PAGE 304

To determine the number of remaining SMS credits for a service, go to the Configuration > SMS Services > Gateways list, and find the service's row in the list. The Credits Available column indicates the number of remaining SMS credits for your account. This value is determined when the first message is sent, and is updated after sending each message. When credits are running low, a warning message is emailed to the administrator group.

PAGE 305

When using guest self-registration, SMS Delivery options are available for the receipt page actions; See "Editing Receipt Actions" on page 248 for full details. For more information on SMS services, see "SMS Services" on page 296. SMS Receipt Options SMS receipt configuration options are available in the Customization module (see "Customizing SMS Receipt" on page 290).

PAGE 306

3. To enable, disable, or delete a carrier, click the carrier in the list. The carrier’s row expands to include the Edit, Enable or Disable, and Delete options. l To enable a carrier, click the Enable link in its row, then refresh the screen. The carrier will then be available to work with and will be included in the drop-down lists when you click the Display Lists link. 4. The procedures for adding and for editing a carrier are the same.

PAGE 307

l n The default is to substitute the number for all characters preceding the @ sign, producing the pattern number@address. n Some carriers require additional characters before or after the phone number. In this case, use the keyword string NUMBER in the pattern to limit the substitution to just the phone number portion of the address—for example, NUMBER.msg@carrier.example.com, or username+NUMBER@mymail.

PAGE 308

l To view the Translation Plugin settings, see "Configuring the Translations Plugin" on page 450 in the Administration module. Translation Packs To work with individual translation packs, go to Configuration > Translations > Translation Packs. The Language Packs list view opens. All translation packs that have been enabled are included in the list.

PAGE 309

Table 61: Translation Pack Configuration Field Description Parent Name of the translation pack you used as a basis. This field only appears if you are duplicating a translation pack, Name Name of this translation pack. This identifying name is different from the display name, and is only seen by application administrators. Enabled You can select the check box to enable this translation pack, or leave it unselected to create the translation pack but not enable it yet.

PAGE 310

Translation Assistant To configure some basic user assistance features for the user interface's language settings, go to Configuration > Translations > Translation Assistant. The Translation Assistant form opens. Table 62: Translation Assistant Configuration Field Description Default Language Sets the default language pack for the user's application. Auto-Detection If selected, disables automatic browser-based language detection and enforces the default translation pack instead.

PAGE 311

Customizing Translated User Interface Text You can override the default translations provided for labels and messages in the user interface, customizing these items in each translation pack. To customize label and message text for a translation pack, do one of the following: l Go to Configuration > Translations > Translation Packs, and then click the Override Translations link for a translation pack in the list. The Edit Translations form opens.

PAGE 312

Table 63: The Translation Pack Configuration Form Field Description Name Display Name These fields show the information for this translation pack and cannot be edited on this form. Language Code Locales Enabled If selected, enables this translation pack. If this translation pack should not be enabled at this time, leave this check box unselected. Each language code can have only one corresponding translation pack enabled at a time.

PAGE 313

Chapter 6 Advertising Services Advertising Services lets you deliver marketing promotions and advertisements to your users on a variety of Guest Management registration, receipt, and login pages. To work with W-ClearPass Guest Advertising Services, go to Configuration > Advertising > Start Here.

PAGE 314

Materials and promotions are then organized into advertising campaigns that run over a specified date range and with a specified priority (rank and weight). Campaigns An advertising campaign is the strategy by which you organize the presentation of your ads. It defines which promotions and materials to deliver, and when they should be delivered. You can rank and weight a campaign to balance it against other campaigns.

PAGE 315

Topics in the tutorial cover how to create materials, promotions, and campaigns and configure spaces. You can view the finished product of the practice exercises. Tips are provided on how to troubleshoot the different stages of the process. Navigating the Tutorial Table 64: Tutorial Navigation Elements To: Do This: Move through the tutorial sequentially Click the Continue link in the bottom right corner next to the count of completed tasks.

PAGE 316

Columns show the page group, the type of page, and the number of child pages in that group. For example, the Guest Management page group has four child pages and the Guest Self-Registration page group has eight child pages, as shown in the following table.

PAGE 317

In the General Properties area of the form, select either the page group or page and configure the basic properties. If you leave the Edit Page form set to the parent page, your edits will apply to the parent page of the group and to all the child pages in the group. To override these settings for a child page, you must click Show Children, and then click the Page advertising settings link for the child page. Table 67: General Properties, Edit Page Field Description Page The page group being edited.

PAGE 318

In the Space Options area of the form, set the options that control which advertising spaces can be shown on this page. The final set of advertising spaces that is used is determined by first applying the Allowed Spaces policy, and then applying the Denied Spaces policy. Table 68: Space Options, Edit Page Field Allowed Spaces Policy Description Specifies which spaces to use.

PAGE 319

In the Campaign Options area of the form, set the options that control which campaigns can deliver advertising on this page. The final set of advertising campaigns that is used is determined by first applying the Allowed Campaigns Policy, and then applying the Denied Campaigns Policy. Table 69: Campaign Options, Edit Page Field Allowed Campaigns Policy Description Specifies which campaigns to use.

PAGE 320

Field Description row. Deny advertising from all campaigns—Denies advertising from all campaigns for this page. Suggestion: You can also use this field to specify an exception to an "Allow advertising from all campaigns" setting. l Denied Campaigns If Deny advertising from... is selected, use the controls in this field to specify the denied campaigns. Preview Displays a preview of the form showing your changes.

PAGE 321

To see which Location value a space uses, review the Location column in the Advertising Spaces list view ("Advertising Spaces" on page 323). Advertising spaces support a number of preset Location options as well as custom locations via the Other Location field.

PAGE 322

Table 71: Values for the media Parameter Value Description sms Specify this value to deliver SMS advertisements only. web Specify this value to deliver Web and Email advertisements only. stage The value of the Stage field that must be set for an advertising campaign to be matched. You must specify a stage value. The nwa_adspace tag will be unable to match any advertising campaigns if you do not specify this parameter. The stage parameter is used when processing advertising campaigns.

PAGE 323

style The style attribute of the HTML container element. This parameter is only relevant when the media parameter is set to web and an HTML tag name has been specified for the container parameter. If you specify a container, you can use the style parameter to specify style attributes for the container. The style parameter is optional. Advertising Spaces Spaces are the areas of a page that are defined for advertising content.

PAGE 324

Table 73: Advertising Spaces List Field Description Edit Edit any of the space's properties. See "Creating and Editing Advertising Spaces" on page 324. Delete Deletes a custom space. You will be asked to confirm the deletion. Not available for built-in spaces. Enable Enable the space so advertising will be displayed in it. Before advertising will be delivered in an enabled space on a specific page, the page's settings also need to allow advertising in the space.

PAGE 325

In the General Properties area of the form, set the basic properties for the space: Table 74: General Properties, Edit Space Field Description Name (Required) Name that clearly identifies this space. For a built-in space, this cannot be edited. Enabled If selected, allows advertising to be shown in this space. If this check box is not selected, the space will not show any advertisements.

PAGE 326

"Other Location" Example If you wanted to add a custom advertising space that is positioned on the far-right edge of the registration page, you could do it as shown in the following example: 1. Choose Other - for user defined locations in the Location field. 2. In the Other Location field, create the name custom_right. 3.

PAGE 327

Table 75: Geometry Options, Edit Space Field Description Screen Types Limits the types of screen that will show this space. This setting only applies to Web advertising. Options include: l All Screens — show on both small and large screens—Ignores the detected screen type. l Small Screens — show on small screens only (phones; mobile devices)—This space will only be shown if the user's device is detected to be a small-screen device.

PAGE 328

l Two rows with heights 60 and 40 l Two rows with heights 50 and 50 l One row of height 80 l One row of height 100 "Maximum Width" Example If a maximum width was specified, the system will only output as many columns as will fit within the maximum width constraint for the space.

PAGE 329

Advertising Campaigns An advertising campaign is the strategy by which you organize the presentation of your ads. It defines which promotions and materials to deliver, and when they should be delivered. The system requires at least one advertising campaign to be configured and enabled for any advertisements to be delivered. To create and work with advertising campaigns, go to Configuration > Advertising > Campaigns. The Advertising Campaigns list view opens.

PAGE 330

l On the registration receipt l On the self-service portal pages l Immediately after login l On the SMS registration receipt You can edit advertising campaigns, and you can create new advertising campaigns. l To edit an advertising campaign, go to Configuration > Advertising > Campaigns, and then click the Edit link for a campaign in the list. The Edit Campaign form opens. l To create a new advertising campaign, click the Create new advertising campaign link in the upper-right corner.

PAGE 331

Field Description Rank (Required) Applies a relative rank to the campaign, which defines the order in which campaigns are processed when delivering ads. A rank of 1 is higher than a rank of 2. For information about campaign ranks, see "Campaign Rank and Weight" on page 332. Weight (Required) Applies a weight to a campaign. If two campaigns have equal rank, one with a greater weight will be displayed more than the other. For information about campaign weights, see "Campaign Rank and Weight" on page 332.

PAGE 332

Field Description None With SelfService Select the promotion to deliver on the self-service portal pages. To not display ads at this stage, select None After Login Select the promotion to deliver when the user has logged in. To not display ads at this stage, select None With Receipt Select the promotion to deliver on the SMS registration receipt. To not display ads at this stage, select None Campaign Rank and Weight Each advertising campaign must be assigned a rank and weight.

PAGE 333

All advertising promotions that have been created are included in this list. You can click a promotion's row in the list for additional options. Table 80: Advertising Promotions List Field Description Edit Edit any of the promotion's properties. See "Creating and Editing Advertising Promotions" on page 333. Delete Delete the promotion from the system. You will be asked to confirm the deletion. Enable Enable the promotion so it will provide advertisements. Disable Disable the promotion.

PAGE 334

In the General Properties area of the form, set the basic properties for the promotion: Table 81: General Properties, Edit Promotion Field Description Name (Required) Name that clearly identifies this promotion. Enabled If selected, allows this promotional to deliver ads. If this check box is not selected, no ads will be provided by this promotion. Start Date (Optional) Date and time when the promotion can start providing ads.

PAGE 335

Depending on the selection in the Type field, the next area of the form will be either Rotating Content, Weighted Content, Fixed Content, or Labeled Content. In this area, set the options that control the content of the promotion. Table 82: Rotating, Fixed, Weighted, or Labeled Content, Edit Promotion Field Description Content For fixed content, select a single content item for the promotion. Content Items (Required) For rotating or weighted content, all items in this list are initially selected.

PAGE 336

In the Intelligence area of the form, set the options that control intelligent delivery of content for the promotion: Table 83: Intelligence Options, Edit Promotion Field Description Enabled If selected, allows a more selective delivery by matching user labels to material labels. (Material also inherits labels from the promotions that include it) Requirement Levels How often the specified labels should be matched. These settings override the Default Level in the next field.

PAGE 337

6. After the promotions and materials that include the labels and intelligent delivery configuration are complete, include them in a campaign (see "Creating and Editing Advertising Campaigns" on page 329). 7. When a user visits the pages while the campaign is running, Advertising Services displays ads with the labeled content that matches the user's attributes. When you create labels in the Edit Promotion or Edit Materials forms, they are created as "tags" in the system.

PAGE 338

Table 84: Advertising Materials List Field Description Edit Edit any of the material's properties. See "Creating and Editing Advertising Materials" on page 338. Delete Delete the material from the system. You will be asked to confirm the deletion. Disable Disable the material. To make the material active again, click the Enable link. Copy Make a copy of the material's settings to use as a basis for a new material. Create new advertising promotion Create a new advertising material.

PAGE 339

Field Description Description Optional comments or notes about the material. Labels To apply labels to this material, enter the labels in this field. To create new labels, enter the new label names separated by commas or new lines. The system creates each new label as a "tag". If some labels were already created, clicking in this field displays a list of the existing label tags to choose from. If you include labels here, promotions will detect this material as labeled content.

PAGE 340

Field Description down list to add images or other content items. Preview (HTML code) Preview of the HTML. The preview is updated when you modify the contents of the Template Code field. Hyperlink (Image advertisement; Text advertisement) The destination page URL to which the advertisement is linked. To not associate a destination URL with the advertisement, leave this field blank. Image (Image advertisement) The image file for the advertisement.

PAGE 341

Chapter 7 Hotspot Manager The Hotspot Manager controls self-provisioned guest or visitor accounts. This is where the customer is able to create his or her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts. Accessing Hotspot Manager To access Dell Networking W-ClearPass Guest’s hotspot management features, go to Configuration > Hotspot Manager. Dell Networking W-ClearPass Guest 6.

PAGE 342

About Hotspot Management The following diagram shows how the process of customer self provisioning works. Figure 35 Guest self-provisioning l Your customer associates to a local access point and is redirected by a captive portal to the login page. l Existing customers may log in with their Hotspot username and password to start browsing. l New customers click the Hotspot Sign-up link. l On page 1, the customer selects one of the Hotspot plans you have created.

PAGE 343

The Enable guest access self-provisioning check box must be selected for self-provisioning to be available. The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows an HTML message to be displayed to visitors if self-provisioning has been disabled. See "Smarty Template Syntax" on page 480 in the Reference chapter for details about the template syntax you may use to format this message.

PAGE 344

hotspot_plan.php">Hotspot Sign-Up However, in this situation the MAC address of the customer will not be available, and no automatic redirection to the customer's home page will be made. You may want to recommend to your customers that JavaScript be enabled for best results. Web Site Look-and-Feel The skin of a Web site is its external look and feel.

PAGE 345

The Manage Hotspot Plans page opens, showing the list of default plans. Plans that are enabled have their name in bold and their icon in color: . Plans that are not enabled have their icon in gray: . l To create or edit an existing plan, see "Editing or Creating a Hotspot Plan" on page 345. l To delete a plan, click the undo the deletion. Delete button in the plan’s row.

PAGE 346

Figure 37 Edit Hotspot Plan, User Account Details 4. In the User Account Details area, you can specify the usage of numbers, letters, and symbols in the generated username and password. To use only digits, leave the value in the Generated Username and Generated Password fields set to ######.

PAGE 347

l CyberSource l eWAY l Micros Fidelio l Netregistry l Paypal l WorldPay W-ClearPass Guest also includes a Demo transaction processor that you can use to create hotspot forms and test hotspot transactions. Creating a New Transaction Processor The Transaction Processor Configuration form is used to create and to edit transaction processors. To define a new transaction processor: 1.

PAGE 348

l Signature l Test Environment URL l Test WSDL l Transaction Key l Transaction Password l Transactions Timeout If your transaction processor requires visitors to enter their address,W-ClearPass Guest will automatically include address fields in the guest self-registration forms that use that transaction processor. Managing Existing Transaction Processors After you define a transaction processor, it is included in the transaction processor list.

PAGE 349

To customize the hotspot invoice: 1. Go to Configuration > Hotspot Manager > Start Here and then click the Manage Hotspot Invoice link. The Manage Hotspot Invoice form opens. 2. The Invoice Title must be written in HTML. See "Basic HTML Syntax" on page 477 for details about basic HTML syntax. 3. Complete the rest of the fields appropriately. You can use Smarty functions on this page. See "Smarty Template Syntax" on page 480 for further information on these.

PAGE 350

To customize how this page is displayed to the guest, go to Configuration > Hotspot Manager > Start Here, click the Manage Hotspot Sign-Up link, and then click the Customize page 1 (Choose Plan) link in the upper-right corner. The Edit Hotspot Plan Selection Page form opens. You can use this form to edit the title, introductory text, and footer of the “Choose Plan” page. The introduction and the footer are HTML text that can use template syntax.

PAGE 351

Customizing Visitor Sign-Up Page Two Page two of the guest self-provisioning process asks the guest to provide their personal details and payment method. The example below shows the default “Your Details” page if the customer chooses to pay for the Hourly Access plan. Although it is not shown in this illustration, the default page also includes footer text providing information about privacy policies and security pertaining to the data collected by this page. Dell Networking W-ClearPass Guest 6.

PAGE 352

The example below shows the default “Your Details” page for a customer who chooses the Free Access plan. To customize how the “Your Details” page is displayed to the guest, go to Configuration > Hotspot Manager > Start Here, click the Manage Hotspot Sign-Up link, and then click the Customize page 2 (Customer Details) link in the upper-right corner. The Edit Hotspot User Details Page form opens.

PAGE 353

See "Smarty Template Syntax" on page 480 for details about the template syntax you may use to format the content on this page. Dell Networking W-ClearPass Guest 6.

PAGE 354

Customizing Visitor Sign-Up Page Three Page three of the guest self-provisioning process provides the customer an invoice containing confirmation of their transaction and the details of their newly created wireless account. An example of the default “Your Receipt” page is shown below.

PAGE 355

See "Smarty Template Syntax" on page 480 for details about the template syntax you may use to format the content on this page. Viewing the Hotspot User Interface The Hotspot Manager allows you to view and test Hotspot self-provisioning pages, as well as log in to and view the Hotspot self-service portal that allows customers to view their current account expiration date, purchase time extensions, log out of the Hotspot, or change their user password.

PAGE 356

| Hotspot Manager Dell Networking W-ClearPass Guest 6.

PAGE 357

Chapter 8 Administration The Administration module provides tools used by a network administrator to perform both the initial configuration and ongoing maintenance of Dell Networking W-ClearPass Guest. Accessing Administration To access Dell Networking W-ClearPass Guest’s administration features, click the Administration link in the left navigation. Figure 39 The Administration Module’s Left Navigation Dell Networking W-ClearPass Guest 6.

PAGE 358

AirGroup Services This section describes creating and managing AirGroup controllers and configuring the AirGroup plugin, and provides links to other AirGroup steps performed in Dell Networking W-ClearPass Guest. For an overview of AirGroup functionality, see "AirGroup Deployment Process" on page 28. For complete AirGroup deployment information, refer to the AirGroup sections in the Dell Networking W-Series ArubaOS User Guide and the W-ClearPass Policy Manager documentation.

PAGE 359

Table 87: AirGroup List Options Field Description Show Details View details for the AirGroup controller: Name, hostname or IP address and port number, configuration status, last polling time, currently defined roles and AP groups, and AP database details. See "AirGroup Controller Details" on page 359 Edit Edit the AirGroup controller's attributes. The Edit AirGroup Controller form opens. For more information, see "Creating and Editing AirGroup Controllers " on page 359 .

PAGE 360

1. Go to Administration > AirGroup Services > Controllers, then either click Create AirGroup controller at the top of the form, or click a controller's Edit link. The Create Controller form opens. Table 88: Create AirGroup Controller Field Description Name Short name that identifies the controller clearly. AirGroup controller names can include spaces. Description Additional useful information about the controller. Enabled Enables Policy Manager's AirGroup notification service for the controller.

PAGE 361

Configuring AirGroup Services To enable support for dynamic notification of AirGroup events when new devices are added, each AirGroupenabled controller must also be defined in Dell Networking W-ClearPass Guest. Configuration options include specifying roles to exclude from the user interface, and setting an automatic polling schedule, message parameters, and logging levels. To configure AirGroup Services, go to Administration > AirGroup Services > Configuration. The Configure AirGroup Services form opens.

PAGE 362

Field Description When a poll is run, you may click Show Details in the Controllers list to view the updated configuration. For more information, see "AirGroup Controllers" on page 358. Automatic polling is run only on the publisher node. Group Names Enter names of shared groups that should be available in the Shared Groups field for users to choose from when they share a device.

PAGE 363

When you choose the diagnostic you want to run, the form expands to include fields for identifying information. When you enter the information and click Submit, the results of the query are displayed below the form. To run another diagnostic, click the Reset Form link before selecting the diagnostic. Table 90: AirGroup Diagnostics Field Show information about a device Description Enter the device's MAC address.

PAGE 364

Creating AirGroup Operators AirGroup Operators are users of Dell Networking W-ClearPass Guest who can provision a limited number of their own personal devices. Each device provisioned by an operator is automatically shared with all of that operator’s provisioned devices. The operator can also define a group of other users who are allowed to share the operator’s devices. The AirGroup Operator profile is automatically created in W-ClearPass Guest when the AirGroup Services plugin is installed.

PAGE 365

3. Search results are returned to the portal user, who can then select from one of the matching item, or continue typing to further narrow the search. Configuration Summary To configure LDAP user search for AirGroup, you will: 1. Create a W-ClearPass Guest LDAP server 2. Enable user search for this server 3. Configure the user interface for the airgroup_shared_user field 4. Specify user search options for the user interface Each of these steps is described in the following sections.

PAGE 366

User Search Settings In the User Search area of the Edit Authentication Server form: Table 92: Edit Authentication Server, User Search Field Description Enabled Mark the Use this server to search for matching users checkbox. The form expands to include additional options. Filter (Required) Select one of the following options: Use the default LDAP filter—Uses an LDAP filter suitable for an Active Directory search operation.

PAGE 367

l sAMAccountName = id—The username is used as the value for a selected item. l displayName = text—The user’s full name is displayed as the label for a matching item. l # title = desc—Commented out and not used by default. Enables the title of the user to be shown in the description. l userPrincipalName = desc—The user’s email address is displayed as descriptive text for a matching item.

PAGE 368

In the Advanced Properties area of the form, you will customize the user interface for single and multipleselection capabilities. Table 94: Advanced Properties, Relevant Fields Field Description Advanced Select the Show advanced properties check box. Additional configuration options are added to the form. Select2 Options Used to customize the user interface for the “select2” control, which provides both single and multiple-selection capabilities. Default values are preconfigured for these fields.

PAGE 369

Option Description resultsCss.max-height = 400px Specifies that the list of matching items should be up to 400 pixels in height. Additional CSS properties may be specified using the “resultsCss” value, if required. ajax.dataType = sajax Specifies that the field should use a dynamic query mechanism to look up a search term. This parameter should not be changed. ajax.url = NwaAirGroupUserSearchAjax Specifies that the field should perform a user search. This parameter should not be changed. ajax.args.

PAGE 370

To change the behavior of the “select2” control, you need to attach a JavaScript function definition to one or more properties of the hook function’s argument. The hook function may also set or update any of the properties specified in the “Select2 Options”. A simple example is included as the default value with the airgroup_shared_user field: function (args) { args.formatInputTooShort = function (text) { return "Start typing a user name.

PAGE 371

l There is no additional license fee for these devices: Although MACTrac is part of W-ClearPass Guest, MACTrac device registrations do not count against the W-ClearPass Guest license. l As with other W-ClearPass Guest forms and views, the MACTrac user interface can be customized by adding a custom skin or options such as an "Add Another Device" button.

PAGE 372

MACTrac operators can create and manage multiple device accounts. Options include editing, printing details, disabling, and deleting accounts. To work with MACTrac devices, log in to W-ClearPass Guest as a MACTrac operator and go to Guest > List Devices. The MACTrac Devices list view opens. All MACTrac devices that have been registered are included in the list. You can click a device account's row in the list for additional options: l To edit any of a device account's attributes, click its Edit link.

PAGE 373

l To disable or delete a device account, click its Remove link. A confirmation dialog opens. You may specify either Disable or Delete, then click Make Changes. To enable a disabled account, click its Activate link. Registering MACTrac Devices The Register Device form is used by MACTrac operators to create their device accounts on their local network. There is no limit to the number of accounts an operator can create, and no expiration time is set on device accounts. To register a MACTrac device: 1.

PAGE 374

3. (Optional) Enter a name for the device in the Device Name field. 4. (Optional) The Device Type field is prepopulated if detected, and indicates whether it is a computer, printer, or other type of device. 5. (Optional) The Device Platform field is prepopulated if detected, and indicates whether it is a Windows, Mac, Linux, or Android platform, and whether it is a mobile phone. 6.

PAGE 375

API Services API Services includes all APIs and API-related privileges that are available for W-ClearPass Guest. To work with API services, go to Administration > API Services.

PAGE 376

Table 98: AirGroup List Options Field Description Edit Edit theAPI client's attributes. The Edit API Client form opens. For more information, see "Creating and Editing API Clients" on page 376. Disable Disables the API client. You will be asked to confirm the action. Disabling an API client also invalidates any access tokens, refresh tokens, or authorization codes associated with it. Enable Enables a disabled API client. Delete Deletes the API client. You will be asked to confirm the deletion.

PAGE 377

Field Description l l l l l l l l l BYOD Operator Device Registration Help Desk Network Administrator Null Profile Operations and Marketing Read-only Administrator Receptionist Super Administrator Grant Type (Required) Specifies the OAuth2 grant type authentication method to be used with this API client ID. Only the selected authentication method will be allowed.

PAGE 378

Configuring the API Framework Plugin The API Framework plugin supports OAuth2 authentication and authorization, and provides all application programming interface (API) services for W-ClearPass Guest. Settings you can configure for this plugin include the access token lifetime, the authorization code lifetime, the refresh token lifetime, and the API logging level.

PAGE 379

Field API Logging Description (Required) Specifies the logging level for API-related events. Options include: Disabled - do not log API-related events l Standard (Recommended) - log basic information l Extended - log additional information (this option logs all API calls) l Debug - log debug information l Trace - log all debug information l Save Configuration Commits your changes.

PAGE 380

l Read Only l Full l Allow Access 5. If you want to allow the API operator profile to query for Guest Manager configuration settings, set the Manage Customization privilege to Read Only access. 6. Complete the rest of the settings appropriately for the operator profile and then click Save Changes. About OAuth The OAuth 2 RFC 6749 specification for accessing a new set of modern API’s is supported by W-ClearPass 6.4 and later.

PAGE 381

specification does not dictate whether they should be co-located or separated. For simplicity, the rest of this document assumes the resource server and authorization server are co-located on the same server. OAuth2 Client or App Before any OAuth transactions can be processed, the first step is to register a new app with the service (API Client definition in W-ClearPass).

PAGE 382

The following diagram shows the transaction flow of password grant type. 1. The user enters credentials directly into the app’s native user interface. The app should not cache user credentials under any circumstances. 2. The app submits the user credentials to the authorization server. Credentials include grant_type=password, user, password, client_id, and client_secret. The client_secret is not required if the OAuth2 app is defined as a public client. 3.

PAGE 383

1. The first-party app submits an access token request to the authorization server. This includes grant_ type=client_credentials, client_id, and client_secret. 2. The resource server returns the access token to use in subsequent API calls. This includes access_token, expiry time, and token_type=bearer. 3. The app includes the access token in the HTTP Authorization header. This includes Bearer access_token. 4. The resource server returns authenticated API payload.

PAGE 384

Viewing Available Web Services To view the Web services available in Dell Networking W-ClearPass Guest: 1. Go to Administration > Web Services > List Web Services. The Available Web Services list view opens. 2. To view details for a service, click its image in the Web Service field. The row expands to include the Service URL and Service Info fields for that Web service. 3. The Service Info field briefly describes the processes this Web service provides.

PAGE 385

4. When you have finished reviewing the available Web services, click Done. Configuring Web Services To configure the SOAP Web Services plugin: 1. Go to Administration > Web Services > Configure Web Services. The Configure Web Services form opens. 2. To allow operators to make WSDL requests without being logged in, mark the check box in the WSDL Access field. 3. Use the counter in the Maximum Request Size field to set the maximum size in kilobytes that will be allowed for a SOAP request. 4.

PAGE 386

Audience This API is intended for developers of applications that must interoperate with a W-ClearPass Guest-based visitor management solution. Solution developers are assumed to be familiar with HTTP-based Web services and the associated concepts and technologies related to these services, including Extensible Markup Language (XML), XML Schemas, Web Service Definition Language (WSDL), and the Simple Object Access Protocol (SOAP).

PAGE 387

l At the lowest level, the kernel provides basic functions common to the entire system. This includes the Web interface framework, appliance operating system, and runtime support services. l The network layer provides critical networking support, including the RADIUS server and the ability for network administrators to manage and control the networking aspects of the appliance. l The services layer provides one or more implementations of application services that are used by the layers above.

PAGE 388

Table 101: Fault Codes and Descriptions Fault Reason for Fault Client.BadRequest Request exceeds the maximum allowable size. Increase the maximum SOAP request size, or reduce the size of the request. Client.Authentication Invalid username or password. Check that the credentials supplied are correct. Client.MethodNotFound The SOAP method request was not found. Client.Error Another non-specific client error occurred. Check the for more details. Server.

PAGE 389

SOAP Debugging Select a higher level for the SOAP Debugging configuration option to log additional details to the application log. To access the application log, go to Administration > Plugin Manager > Application Log. At the highest debugging level of 4, every SOAP request and response will be logged including full HTTP headers and contents, which may be useful when trying to identify the exact cause of a problem.

PAGE 390

After you have created a suitable operator profile, create the operator login. See "Local Operator Authentication" on page 464 and "External Operator Authentication" on page 465, or refer to the "Configuring LDAP Operator Logins" article on Arubapedia. Accessing the WSDL Use the List Web Services command link to browse the available Web services and obtain additional details about each one. 390 | Administration Dell Networking W-ClearPass Guest 6.

PAGE 391

In the Web Service field, click the icon for GuestManager Web Services to view the Service URL and additional information about the service. If the "Allow anonymous access to WSDL" option is specified in the SOAP Web Services configuration, accessing the WSDL through the specified Service URL does not require logging in to the W-ClearPass Guest user interface. For more information, see "Configuring Web Services " on page 385.

PAGE 392

The Add Service Reference dialog box appears. Enter the Service URL for the GuestManager Web Services into the Address box, and click the Go button. The WSDL is downloaded, and a list of the Web services and operations found is displayed. In the Namespace text field, type in a name. This name is used to organize the automatically generated code that interfaces with the Web service. Click the OK button to create the Web service reference.

PAGE 393

Configuring HTTP Basic Authentication Performing a simple API call, such as the “Ping” operation described in "Operations" on page 398, can be used to verify that the Web service is correctly configured and ready for use. Because the SOAP API requires HTTP Basic authentication, ensure that you have a suitable operator profile and operator login credentials, as explained in"Using the SOAP API" on page 388. Configuring the Web service reference to use authentication requires editing the app.

PAGE 394

The following code can now be added to invoke the Ping operation and display the result. When invoked, this performs the Ping operation and displays the following output: Securing Web Services Using HTTPS Because HTTP Basic authentication is insecure, it is strongly recommended that the HTTPS transport be used for all SOAP API calls.

PAGE 395

Additionally, if a self-signed certificate is being used on the remote server, you will need to provide a suitable ServerCertificateValidationCallback implementation to validate the peer’s certificate. The following code is a minimal implementation that accepts all server certificates without verification: // Trust self-signed certificates System..Net.ServicePointManager.

PAGE 396

Table 102: XML Namespaces Component XML Namespace SOAP Envelope http://schemas.xmlsoap.org/wsdl/soap/ SOAP Encoding http://schemas.xmlsoap.org/soap/encoding/ WSDL http://schemas.xmlsoap.org/wsdl/ XML Schema http://www.w3.org/2001/XMLSchema SOAP Addressing Web Service Endpoint The endpoint of the SOAP service is located at the relative URL: soap_guestmanager.php.

PAGE 397

l Example: IdType Specifies a user ID. The user ID is a positive integer value, starting at 1. l Example: ResultType Operations return a standard result type. The flag indicates if the operation completed successfully. If the operation failed, the contains a description of the error. l Example of a successful operation: l Example of a successful operation with message: l Example of an unsuccessful operation: UserResultType Standard result type, with an optional element.

PAGE 398

l Example of an unsuccessful operation: UserType The User type defines a visitor account, which consists of a number of fields. The fields available may be customized in Guest Manager. Go to Guest Manager > Configuration > Fields to create new fields or modify existing fields. Adding or removing fields will update the UserType schema in the WSDL for GuestManager Web Services. Ensure that you update any clients using this WSDL if the fields are modified.

PAGE 399

l The standard business logic for visitor account creation applies to visitor accounts created with the SOAP API. For details, refer to the section “Business logic for account creation” in the W-ClearPass Guest User Guide, or search for this term in the online help. l The creator_accept_terms field must be set to the Boolean value “true” in order to create an account. l A value for the role_id field must be specified to create a visitor account.

PAGE 400

Successful response: Failure response: DeleteUser Deletes a user account by ID or matching fields 400 | Administration Dell Networking W-ClearPass Guest 6.

PAGE 401

l This operation deletes a single visitor account that matches all of the field values specified in the user parameter. l Exactly one account must match; if more than one match is found, or if no match is found, an error will be returned and no visitor accounts will be deleted. Example code implementing visitor account deletion: Example request for DeleteUser: Successful response: Dell Networking W-ClearPass Guest 6.

PAGE 402

Failure response: EditUser Modifies properties of a user account by ID. l This operation modifies the properties of a visitor account to match the field values specified in the user parameter. l The id field must be specified to indicate the ID of the visitor account to modify. This field is assigned by the system when the visitor account is created and cannot be changed. Example code implementing visitor account modification: 402 | Administration Dell Networking W-ClearPass Guest 6.

PAGE 403

Example request for EditUser: Successful response: Failure response: FindUser Returns properties of a user account by matching fields. Dell Networking W-ClearPass Guest 6.

PAGE 404

l This operation locates a single visitor account that matches all of the field values specified in the user parameter. l Exactly one account must match; if more than one match is found, or if no match is found, an error will be returned. l If a visitor account was found, its properties will be returned in the element of the result. Example code implementing search for a visitor account based on a username.

PAGE 405

Successful response: Failure response: GetUser Returns properties of a user account by ID. Dell Networking W-ClearPass Guest 6.

PAGE 406

l Returns a element corresponding to the visitor account with the specified ID. l If the specified ID is invalid, no element is returned and the flag is set to 1. Example code implementing a guest lookup operation: Example request for GetUser: Successful response: Failure response -- for example, user ID not found: 406 | Administration Dell Networking W-ClearPass Guest 6.

PAGE 407

Ping Checks that the SOAP server is alive. l Returns a standard result type with the message set to "pong". Example code implementing a Ping test operation. Example request for Ping: Successful response: Dell Networking W-ClearPass Guest 6.

PAGE 408

The XML-RPC Interface and API This section describes the XML-RPC interface available to third-party applications that will integrate with the Dell Networking W-ClearPass Guest Visitor Management Appliance. Audience: l Developers of integrated applications. Some familiarity with HTTP based web services and XMLRPC is assumed. l System administrators of the W-ClearPass Guest application. System Requirements: l W-ClearPass Guest 6.1.

PAGE 409

At the lowest level, the kernel provides basic functions common to the entire system. This includes the Web interface framework, appliance operating system, and runtime support services. The network layer provides critical networking support, including the RADIUS server and the ability for network administrators to manage and control the networking aspects of the VMA. The services layer provides one or more implementations of application services that are used by the layers above.

PAGE 410

Parameter Names The parameter names passed to the XML-RPC interface are the same as the field names in the HTML user interface. Parameter Validation Each field of the forms in the HTML user interface is subject to validation according to the rules defined for that field. The same rules also apply to XML-RPC parameters. If a required field is missing, or an invalid value for a field is supplied, an error is generated by the presentation layer and returned to the XML-RPC client.

PAGE 411

Table 104: XML-RPC Faults Name Type Description error Flag Set to 1 for an XML-RPC Fault faultCode Integer Status code indicating the cause of the fault faultString String Description of the fault This type of return might appear as: 'error' => 1, 'faultCode' => 401, 'faultString' => 'Invalid username or password', These are the predefined XML-RPC Fault codes: Table 105: XML-RPC Faults Code Description 401 Authentication problem -- invalid username or password 404 File implementation of XM

PAGE 412

7. Click Save Changes. The profile is added to the Operator Profiles list. Creating the Role After you create the profile, the next step is to create the role: 1. In W-ClearPass Policy Manager, go to Configuration > Identity > Roles and click the Add User link. The Add New Role form opens. 2. Enter a name and description that clearly identify the role. 3. Click Save. The role is added to the Roles list. Creating the Local User After you create the role, you create the local user: 1.

PAGE 413

2. In the Role drop-down list, choose the XML-RPC Operator role you created. 3. Complete the rest of the fields appropriately, then click Add. The new XML-RPC operator is added the Local Users list. Creating the Translation Rule After you have created the profile, role, and local user (operator), create a translation rule to map the role name to the operator profile. 1. In W-ClearPass Guest, go to Administration > Operator Logins > Translation Rules and click the Create new translation rule link.

PAGE 414

SSL Security Different levels of certificate validation checks may be necessary, depending on the SSL certificate that has been installed. This corresponds to the user interface provided by Web browsers for certificate trust and verification. The examples presented in this document assume a self-signed certificate has been installed, and reduce the level of SSL verification accordingly.

PAGE 415

l "Method amigopod.mac.create" on page 426 l "Method amigopod.mac.edit" on page 428 l "Method amigopod.mac.list" on page 430 Method amigopod.guest.change.expiration Change the expiration time of a guest account.

PAGE 416

'error' => 1, Method amigopod.guest.create Create a new guest account. Parameters Name Type Description sponsor_name String Name of the person sponsoring the guest account. visitor_name String Name of the visitor. visitor_company String Company name of the visitor. email String The visitor's email addresss. This will become their username to log in to the network. expire_after Numeric Amount of time before the account will expire. Specified in hours.

PAGE 417

Example Usage Sample parameters for the call: 'sponsor_name' => 'Sponsor Name', 'visitor_name' => 'Visitor Name', 'visitor_company' => 'Visitor Company', 'email' => 'demo@example.com', 'expire_after' => 4, 'expire_time' => '', 'role_id' => 2, 'visitor_phone' => '0', 'creator_accept_terms' => 1, Result returned by a successful operation: 'username' => 'demo@example.

PAGE 418

Name Type Description uid Integer ID of the guest account to delete delete_account Flag Set to 0 to disable the guest account, 1 to delete the guest account Return Values This function might return a Boolean false value if some input parameters are invalid.

PAGE 419

Method amigopod.guest.edit Change one of more properties of a guest account.

PAGE 420

Return Values Name Type Description error Flag Set to 1 if the guest account was not modified message String Message describing the success or failure of the operation item Struct User structure containing updated field values uid Integer ID of the guest account *_error String Field-specific error message *_error_flag Flag Field-specific error flag, set to 1 if present Access Control Requires the full_user_control privilege (Guest Manager > Full User Control in the Operator Profile Edit

PAGE 421

'password_value' => '', 'schedule_time' => '', 'expire_time' => '', 'user_enabled' => '', 'username_error' => 'You cannot leave this field blank.

PAGE 422

Access Control Requires the remove_account privilege (Guest Manager > Remove Accounts in the Operator Profile Editor). Example Usage Sample parameters for the call: 'uid' => '162', Sample successful call: 'error' => 0, 'message' => 'Guest account has been re-enabled', 'item' => array ( 'id' => 162, 'enabled' => 1, 'username' => '', ), Sample failed call: 'error' => 1, 'message' => 'Account not found: ID 162', Method amigopod.guest.get List one or more guest accounts.

PAGE 423

array ( 0 => 150, 1 => 162, ), 'users' => array ( 0 => array ( 'id' => '150', 'username' => '44454318', 'enabled' => '1', 'role_id' => '2', 'email' => '', 'notes' => 'GuestManager account 22 of 30 created by root from 192.168.2.3', 'do_expire' => '0', 'expire_time' => '', 'simultaneous_use' => '1', 'expire_postlogin' => '0', 'do_schedule' => '0', 'schedule_time' => '', 'ip_address' => '', 'netmask' => '', ), 1 => array ( 'id' => '162', 'username' => 'demo@example.

PAGE 424

Method amigopod.guest.list List guest accounts. (To retrieve devices, see "Method amigopod.mac.list" on page 430) Parameters Name Type Description details Flag Optional parameter; if set to 1 then full details of all guest accounts are returned, otherwise only the IDs are returned sort string Optonal parameter. If set to 1, then sorts first by the specified column, and then by username.

PAGE 425

Method amigopod.guest.reset.password Reset a guest account's password to a random value.

PAGE 426

Method amigopod.mac.create Create a new MAC device account. Parameters Name Type Description sponsor_name String Name of the person sponsoring the device account. visitor_name String Name of the visitor. visitor_company String Company name of the visitor. email String The visitor's email address. This will become their username to log in to the network. expire_after Numeric Amount of time before the device account will expire. Specified in hours.

PAGE 427

PAGE 428

Method amigopod.mac.edit Change one of more properties of a device account.

PAGE 429

Return Values Name Type Description error Flag Set to 1 if the device account was not modified message String Message describing the success or failure of the operation item Struct User structure containing updated field values uid Integer ID of the device account *_error String Field-specific error message *_error_flag Flag Field-specific error flag, set to 1 if present Access Control Requires the full_user_control privilege (Guest Manager > Full User Control in the Operator Profile Ed

PAGE 430

'password_value' => '', 'schedule_time' => '', 'expire_time' => '', 'user_enabled' => '', 'username_error' => 'You cannot leave this field blank.

PAGE 431

Return Values Name Type Description ids Array Array of device account IDs (if details was 0). users Array Array of device account structures (if details was 1). Access Control Requires the mac_list privilege (Guest Manager > List MAC Authentication Accounts in the Operator Profile Editor). Example Usage Sample parameters: 'details' => 0, Sample successful call: 'ids' => array ( 0 => '37', 1 => '141', 2 => '40', ...

PAGE 432

If you wish to configure the times after which expired accounts are deleted, refer to the Dell Networking WClearPass Policy Manager documentation for cluster-wide parameters. Data retention of guest accounts and logs is configured in CPPM under Administration > Server Configuration > Cluster-Wide Parameters. 3.9 Configuration Import To help W-ClearPass Guest 3.9 customers transition to W-ClearPass Guest 6.

PAGE 433

Uploading the 3.9 Backup File To upload a Guest 3.9 configuration to W-ClearPass Guest 6.x: 1. Upgrade your 3.9 system to the latest 3.9.x monthly patch. 2. Deploy your 6.x system, and upgrade it to the latest 6.x monthly patch. 3. In your 3.9 system, make a complete configuration backup. For details on how to back up your system, refer to the "Backup and Restore" section in the "Administrator Tasks" chapter of your "ClearPass Guest 3.9 Deployment Guide." Be sure to use the Complete backup option in your 3.

PAGE 434

This form shows every configuration item in your backup file, and provides options for restoring items or excluding them from the restoration. For more information, see the next section, "Restoring Configuration Items " on page 434. Restoring Configuration Items This section describes how to use the Import Configuration: Step 2 form to import 3.9 configuration items to your 6.2 system after you upload them. To select and restore your configuration items: 1.

PAGE 435

l To exclude an item from the import, click the X in the item's row. The X turns red to indicate it will be excluded. You can click the X for a category to exclude all items in that category. l To make it easier to select just a few items, you can scroll to the bottom of the list and click the Unselect All link. All items are then marked with a red X and will be excluded from the import. You can then select the l l green check marks for just the items you want.

PAGE 436

The Import Notices list provides information about items that were handled during the last import. This list includes the following columns: l Status -- The import status of the item in the same row. Possible statuses include Imported, Migrated, Obsolete, Action Required, Error, Processed, Unsupported, and Warning. These statuses are described more fully in the table below. l Operation/Notice -- This column shows the operation performed on the item, and the name of the item.

PAGE 437

Table 107: Configuration Import Statuses Status Description Imported The item was successfully imported with no changes. Migrated The item was successfully imported but some aspects were modified for 6.2, as described in Show Details for the item. For example, if a field imported in a 3.9 configuration has a different name in 6.

PAGE 438

l "Import Information: Onboard" on page 440 l "Import Information: Operator Logins" on page 440 l "Import Information: Palo Alto Network Services" on page 440 l "Import Information: RADIUS Services" on page 440 l "Import Information: Reporting Manager Definitions" on page 441 l "Import Information: Server Configuration" on page 442 l "Import Information: SMS Services" on page 443 l "Import Information: SMTP Services" on page 443 Import Information: Advertising Services l Advertising Service

PAGE 439

3.9 Name 6.2 Name schedule_time = start_time modify_schedule_time = modify_start_time schedule_after = start_after Custom Forms and Views: l Forms and views that referenced renamed fields are updated to reference the new field name. l Forms and views that referenced obsolete fields have those fields removed from the definition. Print Templates: l Print templates are flagged as Action Required. Print templates might require changes where defaults have changed or fields have been renamed.

PAGE 440

Import Information: Onboard To restore your Onboard device provisioning pages, you must import RADIUS Web logins. l The server certificate in CPPM might need to be configured before provisioned devices can connect to the network. l The QuickConnect client provisioning address might need to be verified as the correct one for the new server. Import Information: Operator Logins Operator Login Configuration l A client-side cookie check (nwa_cookiecheck) is added to the Login Message setting.

PAGE 441

RADIUS Database Connections l The RADIUS database connection for the local RADIUS server is obsolete. l For any custom user databases, an authentication source must be created in CPPM. RADIUS Database User Accounts l l User accounts are migrated and keep the status (disabled, pending, active, expired) they had in 3.9. Any field names that differ in 6.2 are updated. User accounts with the Deleted status are obsolete. RADIUS Dictionary l The RADIUS dictionary is unsupported.

PAGE 442

Import Information: Server Configuration W-ClearPass settings are obsolete. l Data Retention l Data Retention settings for Onboard are imported. Database Configuration l Default (empty) database configuration settings are processed and ignored. Non-default database configuration settings should be reviewed for potential issues. l Installed Plugin List l For imported plugins that were not up-to-date (e.g. pre-3.

PAGE 443

l For non-default Application URLs, changes should be reviewed. l Subscription IDs must be added to CPPM. l For non-default HTTP Proxy settings, the HTTP proxy must be configured in CPPM. System HTTP Proxy l For non-default HTTP Proxy settings, the HTTP proxy must be configured in CPPM. System Kernel Configuration l System kernel configuration is obsolete. System Log Setup l System log setup is obsolete. l If a local collector was enabled, it is unsupported.

PAGE 444

n SMTP Server n Subject Line n Username n Use Sendmail n Use SSL encryption Plugin Manager Plugins are the software components that fit together to make your Web application. The Available Plugins list shows all the plugins currently included in your application. It lets you view information about each plugin and configure some aspects of most plugins.

PAGE 445

The About link displays information about the plugin, including the installation date and update date. The About page for the Kernel plugin also includes links to verify the integrity of all plugin files or perform an application check. Click a plugin’s Configuration link to view or modify its settings. See "Configuring Plugins" on page 445 for details about the configuration settings. Configuring Plugins You can configure most standard, kernel, skin, and translation plugins.

PAGE 446

l SMS Services—See "Configuring Plugins" on page 445 l SMTP Services—See "Email Receipt Options" on page 286 l SOAP Web Services—See "Configuring Web Services " on page 385 l Translation Services—See "Configuring the Translations Plugin" on page 450 Configuring the Kernel Plugin The Kernel Plugin provides the basic framework for the application. Settings you can configure for this plugin include the application title, the debugging level, the base URL, and the application URL, and autocomplete. 1.

PAGE 447

7. Review the differences between the current settings and the default configuration. To commit the change to the default settings. click the Restore Default Configuration link. Configuring the Aruba W-ClearPass Skin Plugin A Web application’s skin determines its visual style—the colors, menus, and graphics.

PAGE 448

your application’s appearance does not automatically change, find the custom plugin in the list, click Configure, and click its Enable link. If you prefer to use the standard Aruba W-ClearPass skin, navigate to it in the Available Plugins list and click its Enable link. The default skin is displayed on all visitor pages, and on the login page if no other skin is specified for it.

PAGE 449

l Auto-Send Field – Select a guest account field which, if set to a non-empty string or non-zero value, will trigger an automatic SMS when the guest account is created or updated. The auto-send field can be used to create an “opt-in” facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.

PAGE 450

Configuring the Translations Plugin The Translation Assistant plugin shows the current version, type, original installation date, date of last update, whether it can be configured, and the copyright date. The Translation Assistant plugin cannot be configured. By default, the display language for the W-ClearPass Guest user interface is automatically detected based on the user's browser settings.

PAGE 451

Viewing the Application Log To view events and messages generated by the application, go to Administration > Support > Application Log. The Application Log view opens. To view in-depth information about an event, click the event’s row. The form expands to show details. Click the event’s row again to close it. To view the logs for a different server when in a cluster, use the Server drop-down list above the table.

PAGE 452

l Error—Returns Error items l Warning—Returns Error and Warning items l Info—Returns Error, Warning, and Info items l Debug—Returns Error, Warning, Info, and Debug items 4. By default, only the Client IP and Message fields are searched. To search all fields, mark the check box in the Options row. Events are stored in the Application Log for seven days by default.

PAGE 453

Contacting Support To view contact information for Dell Support, go to Administration > Support > Contact Support. The Contact Support page opens. Viewing Documentation To view Dell Networking W-ClearPass Guest documentation, go to Administration > Support > Documentation. The Documentation page opens. l To view this User Guide in your browser as online help, click Browse Documentation. The document opens in a separate browser tab. l To view the User Guide as a PDF, click Deployment Guide.

PAGE 454

| Administration Dell Networking W-ClearPass Guest 6.

PAGE 455

Chapter 9 Operator Logins An operator is a company’s staff member who is able to log in to Dell Networking W-ClearPass Guest. Different operators may have different roles that can be specified with an operator profile. These profiles might be to administer the W-ClearPass Guest network, manage guests, or run reports. Operators may be defined locally in W-ClearPass Guest, or externally in an LDAP directory server.

PAGE 456

Two types of operator logins are supported: local operators and operators who are defined externally in your company’s directory server. Both types of operators use the same login screen. Role-Based Access Control for Multiple Operator Profiles Using the operator profile editor, the forms and views used in the application may be customized for a specific operator profile, which enables advanced behaviors to be implemented as part of the role-based access control model.

PAGE 457

Custom Login Message If you are deploying W-ClearPass Guest in a multi-lingual environment, you can specify different login messages depending on the currently selected language. The following example from the demonstration site uses Danish (da), Spanish (es) and the default language English, as highlighted in bold: {if $current_language == 'da'}

Indtast brugernavn og password for at
få adgang til W-ClearPass Guest

Kontakt PAGE 458

Advanced Operator Login Options The following options are available in the Logging drop-down list: l No logging l Log only failed operator login attempts l Log only Web logins l Log only XMLRPC access l Log all access Log messages for operator logins, whether successful or unsuccessful, are shown in the application log. Automatic Logout The Logout After option in the Advanced Options section lets you configure an amount of idle time after which an operator’s session will be ended.

PAGE 459

The Edit Operator Profile (new) form is displayed. This form has several sections, which are described in more detail below. The fields in the first area of the form identify the operator profile and capture any optional information: 1. You must enter a name for this profile in the Name field. 2. (Optional) You may enter additional information about the profile in the Description field. The fields in the Access area of the form define permissions for the operator profile: 1.

PAGE 460

profile to work. See "Operator Profile Privileges" on page 462 for details about the available access levels for each privilege. If you choose the Custom setting for an item, the form expands to include additional privileges specific to that item. 3. The User Roles list allows you to specify which user databases and roles the operator will be able to access. If one or more roles are selected, then only those roles will be available for the operator to select from when creating a new guest account.

PAGE 461

Table 108: Operators supported in filters Operator Meaning Additional Information = is equal to != is not equal to You may search for multiple values when using the equality (=) or inequality !=) operators. To specify multiple values, list them separated by the pipe character ( | ).

PAGE 462

do only certain tasks, you might want the application to open at the module where those tasks are performed. 3. (Optional) In the Language row, the default setting is Auto-detect. This lets the application determine the operator’s language preference from their local system settings. To specify a particular language to use in the application, choose the language from the drop-down list. 4.

PAGE 463

Read Only Access means that the operator can see the options available but is unable to make any changes to them. Full Access means that all the options are available to be used by the operator. Custom access allows you to choose individual permissions within each group.

PAGE 464

Configuring AirGroup Operator Device Limit By default, an AirGroup operator can create up to five personal devices. To change this default: 1. Go to Administration > Operator Logins > Profiles, then select the AirGroup Operator profile in the list. 2. Click the Edit link. The Edit Operator Profile form opens. 3. In the Account Limit field, specify an appropriate value. This is the maximum number of personal devices that an operator with this profile can create. 4. Click Save Changes.

PAGE 465

4. Create a translation rule to map the CPPM role name to the W-ClearPass Guest operator profile: In W-ClearPass Guest, go to Administration > Operator Logins > Translation Rules. 5. In the Translation Rules list, find the profile in the list, look at the Action column to verify the operator profile assignment, and then click its Edit link. The row expands to include the Edit Translation Rule form. 6. Edit the fields appropriately to match the CPPM role name to the W-ClearPass Guest operator profile.

PAGE 466

Viewing the LDAP Server List If you have defined one or more LDAP servers, those servers will appear in the LDAP server list at Administration > Operator Logins > Servers. Select any of the LDAP servers in the list to display options to perform the following actions on the selected server: l l l Edit—Opens the Server Configuration form, where you can make changes to the properties of the LDAP server. Delete—Removes the server from the LDAP server list. Duplicate—Creates a copy of an LDAP server.

PAGE 467

Creating an LDAP Server To create an LDAP server, go to Administration > Operator Logins > Servers, and click the Create new LDAP server link in the upper-right corner. The authentication Server Configuration form opens. To specify a basic LDAP server connection (hostname and optional port number), use a Server URL of the form ldap://hostname/ or ldap://hostname:port/. See "Advanced LDAP URL Syntax" on page 469 for more details about the types of LDAP URL you may specify.

PAGE 468

This form allows you to specify the type of LDAP server your system will use. Click the Server Type drop-down list and select one of the following options: Table 109: Server Type Parameters Server Type Required Configuration Parameters Microsoft Active Directory l POSIX Compliant l Server URL: The URL of the LDAP server Bind DN: The password to use when binding to the LDAP server, or empty for an anonymous bind.

PAGE 469

and then check the Select2 Options for additional properties. The server will then look up sponsors during selfregistration and double-check the attribute used for emails on the LDAP server. This option requires that the sponsor_email and do_ldap_lookup fields are enabled in the registration form, and that you have the LDAP Sponsor Lookup plugin installed. Use the Plugin Manager to verify that this plugin is available.

PAGE 470

Testing Connectivity To test network connectivity between an LDAP server and the W-ClearPass Guest server, click the in the server’s row. The results of the test appear below the server entry in the LDAP server table. Ping link Testing Operator Login Authentication 1. To test authentication of operator login values, select a server name in the LDAP Server table, then click the Test Auth link. The Test Operator Login form is added to the page. 2.

PAGE 471

1. To look up a sponsor, select a server name in the LDAP Server table, then click the Test Operator Lookup area is added to the LDAP servers list. Test Lookup link. The 2. In the Lookup field, enter a lookup value. This can be an exact username, or you can include wildcards.If you use wildcards, the search might return multiple values. 3. In the Search Mode field, use the drop-down list to specify whether to search for an exact match or use wildcard values. 4.

PAGE 472

LDAP Translation Rules LDAP translation rules specify how to determine operator profiles based on LDAP attributes for an authenticated operator. To create a new LDAP translation rule: 1. Go to Administration > Operator Logins > Translation Rules, and then click the translation rule link. The Edit Translation Rule form opens. Create new 2. In the Name field, enter a self-explanatory name for the translation rule.

PAGE 473

6. Click the On Match drop-down list and select the action the system should take when there is a match. Your options here are to: n Do nothing – makes no changes. n Assign fixed operator profile – assigns the selected Operator Profile to the operator. n Assign attribute’s value to operator field – uses the value of the attribute as the value for an operator field. This option can be used to store operator configuration details in the directory.

PAGE 474

l l Enable – Re-enables a disabled operator login Edit Profile – Opens the Edit Operator Profile form for the operator profile assigned to the selected translation rule l Move Up – Moves the rule up to a higher priority on the rule list l Move Down – Moves the rule down to a lower priority on the rule list Custom LDAP Translation Processing When matching an LDAP translation rule, custom processing may be performed using a template. The template variables available are listed in the table below.

PAGE 475

For example, to permit non-administrator users to access the system only between the hours of 8:00 am and 6:00 pm, you could define the following LDAP translation rule: The Custom rule is: {strip} {if stripos($user.memberof, "CN=Administrators")!==false} 1 {elseif date('H') >= 8 && date('H') < 18} 1 {else} 0 {/if} {/strip} Explanation: The rule will always match on the “memberof” attribute that contains the user’s list of groups.

PAGE 476

| Operator Logins Dell Networking W-ClearPass Guest 6.

PAGE 477

Chapter 10 Reference This chapter includes the following sections: l "Basic HTML Syntax" on page 477 l "Standard HTML Styles" on page 478 l "Smarty Template Syntax" on page 480 l "Date/Time Format Syntax" on page 496 l "Programmer’s Reference" on page 498 l "Field, Form, and View Reference" on page 504 l "LDAP Standard Attributes for User Class" on page 525 l "Regular Expressions" on page 526 Basic HTML Syntax Dell Networking W-ClearPass Guest allows different parts of the user interface to

PAGE 478

Item HTML Syntax Text Formatting words to be made bold equivalent syntax words to be made italic equivalent syntax words to underline Shown in fixed-width font Uses CSS formatting Uses predefined style

Uses CSS formatting

Uses predefined style

Hypertext Link text to click on

– XHTML equivalent

PAGE 479

Table 113: Formatting Classes Class Name Applies To Description nwaIndent Tables Indent style used in tables nwaLayout Tables Used when you want to lay out material in a table without the material looking as if it is in a table; in other words, without borders nwaContent Tables Class used for a standard table with borders nwaTop Table Header Table heading at top nwaLeft Table Header Left column of table nwaRight Table Header Right column of table nwaBottom Table Header Table heading a

PAGE 480

Class Name Applies To Description nwaImportant All Text that should be prominently displayed Table subheadings nwaUsername All Text used to display a username nwaPassword All Text used to display a password Smarty Template Syntax Dell Networking W-ClearPass Guest’s user interface is built using the Smarty template engine. This template system separates the program logic and visual elements, enabling powerful yet flexible applications to be built.

PAGE 481

Conditional Text Blocks To include a block of text only if a particular condition is true, use the following syntax: {if $username != ""}

{else} {/if} The condition tested in the {if} … {/if} block should be a valid PHP expression. The {else} tag does not require a closing tag. Script Blocks The brace characters { and } are specially handled by the Smarty template engine.

PAGE 482

A name= attribute may be supplied with the opening {foreach} tag. When a name is supplied, the following additional Smarty variables are available for use inside the {foreach} … {/foreach} block: l {$smarty.foreach.name.first} – true if the item being processed is the first item in the collection l {$smarty.foreach.name.last} – true if the item being processed is the last item in the collection l {$smarty.foreach.name.index} – counter for the current item, starting at 0 for the first item l {$smarty.

PAGE 483

Functions are of two kinds: block functions, which have a beginning and ending tag enclosing the text operated on by the function, and template functions, which have just a single tag and do not enclose text. To use a function, enclose the function name in curly braces { } and provide any attributes that may be required for the function. Block functions also require a closing tag. dump {dump var=$value} Smarty registered template function. Displays the value of a variable.

PAGE 484

l The “target” parameter, if specified, sets the TARGET attribute of the hyperlink. If not specified, no TARGET attribute is provided. The body of the element is the HREF of the command link. The “icon” and “command” parameters are required. All other parameters are optional. nwa_iconlink {nwa_iconlink} … {/nwa_iconlink} Smarty registered block function. Generates a combined icon and text link to a specified URL. Usage example: {nwa_iconlink icon="images/icon-info22.

PAGE 485

n info – information symbol n note (or arrow) – right-pointing arrow n ClearPass Guest – ClearPass Guest logo n ok (or tick) – green tick mark n warn (or warning) – warning symbol n wait – animated spinner If “noindent=1” is specified, the block is not indented using the ‘nwaIndent’ style. If “novspace=1” is specified, the block uses a ‘DIV’ element, rather than a ‘P’ element. If neither “icon” nor “type” is supplied, the default behavior is to insert an “info” type image.

PAGE 486

The following parameters control the query to be executed: l _method (required) – Name of the query function to execute. A brief listing of the available methods is provided below. l _arg0, _arg1, …, _argN (optional) – Positional arguments for the query function. l Named arguments may also be supplied; the arguments must be named identically to the function arguments listed in the documentation for the query function.

PAGE 487

Calculate the number of sessions for accounting records matching a specific calling-station-id. The calling station id address is looked up automatically from the RADIUS Access-Request (Calling-Station-ID attribute). Because different NAS equipment can send differently-formatted MAC addresses in the Calling-Station-Id attribute, the $mac_format argument may be specified. This should be a sprintf-style format string that accepts 6 arguments (the octets of the MAC address).

PAGE 488

l return GetUserTraffic($now - 86400*30, $now, 'out') > 100*1024*1024 && AccessReject() l Limit by MAC address, 50 MB download in past 24 hours: return GetCallingStationTraffic(86400, 'out') > 50000000 && AccessReject() GetCurrentSession() GetCurrentSession($criteria) Looks up the details for an active session, based on the specified criteria. This is a multi-purpose function that has a very flexible query interface.

PAGE 489

Calculate the number of sessions for accounting records matching a specific IP address. The IP address attribute is looked up automatically from the RADIUS Access-Request (Framed-IP-Address attribute). See "GetTraffic()" on page 490 for details on how to specify the time interval. See "GetIpAddressTraffic()" on page 489 for additional details on the $ip_addr argument.

PAGE 490

The $format parameter is optional, and defaults to “relative” if not otherwise specified. This parameter may be one of the following values: l “relative” or “session_time”: Calculates the session timeout as for the Session-Timeout RADIUS attribute, that is, the number of seconds before the session should end. If the session does not have a session timeout, the value returned is 0. l “time”: Calculates the session end time, as the UNIX time at which the session should end.

PAGE 491

Looks up the list of all sessions for the specified username. The username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute). If a $callingstationid argument is supplied, sessions that match that Calling-Station-Id are excluded from the count of active sessions. GetUserActiveSessionCount() GetUserActiveSessionCount($username) Counts the number of currently active sessions for the current username.

PAGE 492

nwa_assign {nwa_assign …} Smarty registered template function. Assigns a page variable based on the output of a generator function. Simple usage example: {nwa_assign var=my_variable value=my_value} l The “var” parameter specifies the page variable that will receive the output. l The “value” parameter specifies the value to assign to “var”. The various request variables may also be accessed using one of two supported methods: l {nwa_assign var=_GET.get_variable value=...} l {nwa_assign var=smarty.

PAGE 493

nwa_nav {nwa_nav} … {/nwa_nav} Smarty registered block function. Defines a block area for navigation, a control, or generates navigation control HTML of a particular type. Blocks are individual components of the navigation area, which basically consist of HTML. Blocks for actual navigation items have substitution tags in the form @tagname@. The recognized tags are described in the table below.

PAGE 494

l level1_active l level1_inactive l level2_active l level2_inactive l level2_parent_active l level2_parent_inactive l level3_active l level3_inactive l enter_level1 l enter_level2 l enter_level3 l exit_level1 l exit_level2 l exit_level3 nwa_plugin {nwa_plugin …} Smarty registered template function. Generates plugin information based on the parameters specified. Specifying which plugin: l The ‘id’ parameter specifies a plugin ID.

PAGE 495

has read access, that is, not if the user has full access, prefix the privilege name with a # character and use the parameter name “readonly” (or “ro”). {nwa_privilege full=create_user} .. content .. {/nwa_privilege} The “full” (synonym “rw”) parameter specifies the name of a privilege to check for full read-write access. The “name” parameter is the name of the privilege to check. If “name” is prefixed with a “!”, the output is included only if that privilege is NOT granted (inverts the sense of the test).

PAGE 496

Not all devices are capable of playing back YouTube video content. Usage example: {nwa_youtube video=Y7dpJ0oseIA width=320 height=240} YouTube is the world’s most popular online video community. {/nwa_youtube} The supported parameters for this block function are: l video (required) – the YouTube video ID to embed. l width (required) – the width in pixels of the video. l height (required) – the height in pixels of the video. l autoplay (optional) – if true, auto-play the video.

PAGE 497

Preset Name Date/Time Format Example rfc822 %a, %d %b %Y %H:%M:%S %Z Mon, 07 Apr 2008 14:13:45 EST displaytime %l:%M %p 2:13 PM recent – 2 minutes ago The % items on the right hand side are the same as those supported by the php function strftime(). The string “?:”, if present will return the string following the “?:” if the time value is 0. Otherwise, the format string up to the “?:” is used.

PAGE 498

Format Result %B Full month name for the current locale %c Preferred date and time representation for the current locale %C Century number (2-digit number, 00 to 99) %d Day of the month as a decimal number (01 to 31) %D Same as %m/%d/%y %e Day of the month as a decimal number; a single digit is preceded by a space (‘ 1’ to ‘31’) %h Same as %b %H Hour as a decimal number (00 to 23) %l Hour as a decimal number (01 to 12) %m Month as a decimal number (01 to 12) %M Minute as a decimal num

PAGE 499

l "NwaByteFormatBase10" on page 499 l "NwaComplexPassword" on page 500 l "NwaCsvCache" on page 500 l "NwaDigitsPassword($len)" on page 500 l "NwaDynamicLoad" on page 500 l "NwaGeneratePictureString" on page 500 l "NwaGenerateRandomPasswordMix" on page 500 l "NwaLettersDigitsPassword" on page 501 l "NwaLettersPassword" on page 501 l "NwaMoneyFormat" on page 501 l "NwaParseCsv" on page 501 l "NwaParseXml" on page 502 l "NwaPasswordByComplexity" on page 502 l "NwaSmsIsValidPhoneNumbe

PAGE 500

Formats a non-negative size in bytes as a human readable number (bytes, KB, MB, GB, etc.) Assumes “base 10” rules in measurement; that is, 1 KB = 1000 bytes, 1 MB = 1000 KB, etc. If a negative value is supplied, returns the $unknown string. If a non-numeric value is supplied, that value is returned directly. NwaComplexPassword NwaComplexPassword($len = 8) Generates complex passwords of at least $len characters in length, where $len must be at least 4.

PAGE 501

l $upper specifies the minimum number of uppercase characters to include, or -1 to not use any uppercase characters. l $digit specifies the minimum number of digits to include, or -1 to not use any digits. l $symbol specifies the minimum number of symbol characters to include, or -1 to not use any symbol or punctuation characters. NwaLettersDigitsPassword NwaLettersDigitsPassword($len) Generates an alpha-numeric password of $len characters in length consisting of lowercase letters and digits.

PAGE 502

Function Description dos_compatible If true, convert \r\n line endings to \n (default true) encoding If set, specifies the input character set to convert from (default not set) out_charset If set, specifies the desired character set to convert to using the iconv() function .

PAGE 503

l complex – At least one of each: uppercase letter, lowercase letter, digit, and symbol NwaSmsIsValidPhoneNumber NwaSmsIsValidPhoneNumber($phone_number) Validates a phone number supplied in E.164 international dialing format, including country code. l Any spaces and non-alphanumeric characters are removed. l If the first character is a plus sign (+), the phone number is assumed to be in E.

PAGE 504

Be aware of the following differences from Excel VLOOKUP: l Column indexes are 0-based. l Column indexes can also be strings. See "NwaParseCsv" on page 501 and "NwaCsvCache" on page 500. NwaWordsPassword NwaWordsPassword($len) Generates a password consisting of two randomly-chosen words, separated by a small number (1 or 2 digits); that is, in the format word1XXword2. The random words selected will have a maximum length of $len characters, and a minimum length of 3 characters. $len must be at least 3.

PAGE 505

Field Description rather than failing to create the account. This field should normally be enabled for guest self-registration forms, to ensure that a visitor that registers again with the same email address has their existing account automatically updated. Set this field to a non-zero value or a non-empty string to enable automatic update of an existing account. This field controls account creation behavior; it is not stored with created visitor accounts.

PAGE 506

Field Description field is available when modifying an account using the change_expiration or guest_edit forms. dynamic_is_authorized Boolean flag indicating if the user account is authorized to log in. This field is available when modifying an account using the change_expiration or guest_edit forms. dynamic_is_expired Boolean flag indicating if the user account has already expired. This field is available when modifying an account using the change_expiration or guest_edit forms.

PAGE 507

Field Description this field to 0 to disable this account expiration timer. http_user_agent String. Identifies the Web browser that you are using. This tracks user’s browsers when they are registering. This is stored with the user’s account. id String. Internal user ID used to identify the guest account to the system. ip_address String. The IP address to assign to stations authenticating with this account. This field may be up to 20 characters in length.

PAGE 508

Field Description “random_password” to use the password specified in the random_password field; l “reset” to create a new password, using the method specified in the random_password_method field (or the global defaults, if no value is available in this field); l “password” to use the value from the password field; l Any other value leaves the password unmodified. This field controls account creation and modification behavior; it is not stored with created or modified visitor accounts.

PAGE 509

Field Description no_portal Boolean. If set, prevents a user from logging into the guest service portal. Set this field to a non-zero value or a non-empty string to disable guest access to the self-service portal. The default is to allow guest access to the self-service portal, unless this field is set. no_warn_before Boolean. User does not receive a logout expiration warning. The admin or user can opt out of this option by setting the field to 1. notes String.

PAGE 510

Field Description random_password_length String. The length, in characters, of randomly generated account passwords. l For nwa_words_password, the random_password_length is the maximum length of the random words to use. Two random words will be used to create the password, joined together with a small number (up to 2 digits). l For nwa_picture_password, the random_password_length is ignored. random_password_ method String. Identifier specifying how passwords are to be created.

PAGE 511

Field Description l l l l l l string specified by the random_username_picture field. nwa_digits_password to create a username using random digits. The length of the username is specified by the random_username_length field. nwa_letters_password to create a username using random lowercase letters. The length of the username is specified by the random_username_ length field. nwa_lettersdigits_password to create a username using random lowercase letters and digits.

PAGE 512

Field Description sponsor_email Email address of the sponsor of the account. If the sponsor_email field can be inserted into an email receipt and used future emails, the “Reply-To” email address will always be the email address of the original sponsor, not the current operator. sponsor_name String. Name of the sponsor of the account. The default value of this field is the username of the current operator. submit No Type. Field attached to submit buttons.

PAGE 513

Field Description personal_details No Type. Field attached to a form label. purchase_amount No Type. Total amount of the transaction. This field is only used during transaction processing. purchase_details No Type. Field attached to a form label. state String. The visitor’s state or locality name. submit_free No Type. Field attached to a form submit button. visitor_accept_ terms Boolean. Flag indicating that the visitor has accepted the terms and conditions of use. visitor_fax String.

PAGE 514

Table 123: SMPT Services Standard Fields Field Description auto_send_smtp Boolean. Flag indicating that an email receipt should be automatically sent upon creation of the guest account. Set this field to a non-zero value or a non-empty string to enable an automatic email receipt to be sent. This field can be used to create an opt-in facility for guests.

PAGE 515

Field Description smtp_warn_before_template_id String. This field overrides the print template ID specified under Logout Warnings on the email receipt. If the value is “default”, the default template ID under the Logout Warnings section on the email receipt configuration is used. smtp_warn_before_receipt_ format String. This field overrides the format in the Email Receipt field under Logout Warnings.

PAGE 516

Symbol Replacement ! Random punctuation symbol, excluding apostrophe and quotation marks & Random character (letter, digit or punctuation excluding apostrophe and quotation marks) @ Random letter or digit, excluding vowels Any other alphanumeric characters in the picture string will be used in the resulting username or password.

PAGE 517

l IsValidAirGroupSharedGroups – Checks that the value is a valid shared group list. Otherwise, returns a description of the error(s). If $arg is an array it may specify the following options: n syntax_only: Default true. If false, requires that the values provided correspond to those from the AirGroup plugin configuration. n protocol_version: Default 2. If 1, changes the default validation properties (see below). n max_groups: Maximum number of groups to allow, default 32.

PAGE 518

n syntax_only: Default true. If false, requires that the values provided correspond to those from the AirGroup controller configuration. n protocol_version: Default 2. If 1, changes the default validation properties (see below). n max_roles: Maximum number of roles to allow, default 100. n max_role_length: Maximum length in characters of any single role name, default 64. n max_role_list_length: Maximum total length of the role list, including comma separator characters, default 1000.

PAGE 519

'deny' => array( 'blocked-domain.com', 'other-blocked-domain.com', ), ) n The keys ‘whitelist’ and ‘blacklist’ may also be used for ‘allow’ and ‘deny’, respectively. n An ‘allow’ or ‘deny’ value that is a string is converted to a single element array. n Wildcard matching may be used on domain names: the prefix ‘*.’ means match any domain that ends with the given suffix. A ‘*’ component can also be used inside the hostname, and will match zero or more domain name components.

PAGE 520

l IsValidHostnameCidr – Checks that the value is a valid IP address or hostname, which may also have an optional /N suffix indicating the network prefix length in bits (CIDR notation). l IsValidHostnamePort – Checks that the value is a valid IP address or hostname, which may optionally include a port number specified with the syntax hostname:port. l IsValidIpAddr – Checks that the value is a valid IP address.

PAGE 521

l IsValidTimestamp – Checks that the value is a numeric UNIX timestamp (which measures the time in seconds since January 1, 1970 at midnight UTC). l IsValidTimeZone – Checks that the value is a valid string describing a recognized time zone. l IsValidUrl – Checks that the value appears to be a valid URL that includes a scheme, hostname and path. For example, in the URL http://www.example.com/, the scheme is http, the hostname is www.example.com and the path is /.

PAGE 522

Form Field Display Formatting Functions The Display Functions that are available are listed below: Table 127: Form Field Display Functions Function NwaBoolFormat Description Formats a Boolean value as a string. If the argument is 0 or 1, a 0 or 1 is returned for false and true, respectively. l If the argument is a string containing a “|” character, the string is split at the | separator and used for false and true values.

PAGE 523

Function NwaDurationFormat Description Converts a time measurement into a description of the corresponding duration. Format parameters: seconds, minutes, hours, days, weeks. l Any format can be converted to another. l By default, this function converts an elapsed time value specified in seconds to a value that is displayed in weeks, days, hours, minutes and seconds.

PAGE 524

In the above view (the guest_users view), the four columns displayed correspond to the username, role_ name, enabled, and expire_time fields. Table 128: Display Expressions for Data Formatting Value Description Display Expressions data.username.bold() Displays the username string as bold text. data.role_name Displays the name of the role. Nwa_BooleanText(data.enabled, "Enabled", "Disabled") Displays either “Enabled” or “Disabled” depending on the value of the enabled field. (parseInt(data.

PAGE 525

Value Description Nwa_NumberFormat(value[, if_undefined]) Nwa_NumberFormat( value, decimals)Nwa_NumberFormat( value, decimals, dec_point, thousands_sep[, if_ undefined]) Converts a numerical value to a string. If the value has an undefined type (in other words, has not been set), and the if_undefined parameter was provided, returns if_ undefined.

PAGE 526

l sAMAccountType: The sAMAccountType property specifies an integer that represents the account type. l unicodePwd: The unicodePwd property is the password for the user. Regular Expressions The characters shown in Table 129 can be used to perform pattern matching tasks using regular expressions. Table 129: Regular Expressions for Pattern Matching Regex Matches a Any string containing the letter “a” ^a Any string starting with “a” ^a$ Only the string “a” a$ Any string ending with “a” .

PAGE 527

Appendix 1 Chromebook in Onboard This appendix describes Chromebook functionality in W-ClearPass Onboard. It provides an introduction to Chromebook in Onboard, and discusses considerations as well as Onboard and Google Admin configuration for Chromebook.

PAGE 528

l Users, groups, and other details can be provisioned in Google Apps from an existing directory using the Google Apps Directory Sync tool. l W-ClearPass Onboard provides device provisioning and certificate enrollment services. l The Chrome Extension provides support for Onboard device provisioning for Chromebook devices. Caveats and Recommendations This section describes requirements related to licenses, extensions, deployment, versions, certificates, provisioning, and authentication sources.

PAGE 529

Because of this, Chromebook will always create its own private key. The Key Type option in Device Provisioning Settings will be ignored by Chromebook devices, and will always default to created by device. The key size is 1024 bits or 2048 bits, as specified in the Device Provisioning Settings. If an unsupported selection is made in the Provisioning Settings form, the default used will be a 2048-bit private key.

PAGE 530

Directory-Based Authentication Source is Recommended When a Chromebook user with an EAP-TLS certificate connects to the network, an authorization check is performed to ensure that the certificate is still valid, and that the user account associated with the certificate is still permitted to use the network. W-ClearPass Policy Manager provides this capability for multiple authentication sources. However, at this time, no built-in Google Apps authentication source is available.

PAGE 531

The text displayed on the device provisioning page for Chromebook devices can be customized using additional settings on this tab. In addition, to ensure that Chromebook support is enabled, use the Enable Chromebook device provisioning check box on the General tab (this check box is selected by default). For more information, see "Configuring Provisioning Settings for Chromebook" on page 182 in the Onboard chapter.

PAGE 532

4. In the user settings, find the Pre-installed Apps and Extensions section, and then click the Manage preinstalled apps link. 5. Select Specify a Custom App. 6. Enter the ID and URL of the Onboard Chromebook extension and then click Add. The ID and URL infornation is available on the Onboard > Deployment and Provisioning > Provisioning Settings > Chromebook tab. If you have a cluster environment, the URL may be modified to refer to any subscriber node. 7.

PAGE 533

Configuring Network Settings 1. From the Chrome Management page, go to Network. 2. You should see the For Users tab selected. Click the Add Wi-Fi button on the right. 3. Specify a Name and SSID for the network, and select the Automatically Connect option. 4. Change the Security Type to WPA/WPA2 Enterprise (802.1X), 5. Under Extensible Authentication Protocol, select EAP-TLS. 6.

PAGE 534

8. For Client enrollment URL, provide the URL of the Onboard captive portal page—for example, https://server/onboard/device_provisioning.php. 9. You should also specify the Common Name of the Onboard CA’s issuing certificate in Issuer pattern > Common name—for example, “ClearPass Onboard Local Certificate Authority (Signing)”. 10.Click Save to save the network settings, and remember to click Save changes to commit. 534 | Chromebook in Onboard Dell Networking W-ClearPass Guest 6.

PAGE 535

Glossary $criteria Array that consists of one or more criteria on which to perform a data-based search. This array is used for advanced cases where predefined helper functions do not provide required flexibility. 802.1X Standard for port-based network access control, designed to enhance 802.11 WLAN security. The 802.1X standard provides an authentication framework, allowing a user to be authenticated by a central authority.

PAGE 536

authentication source Identity repository against which Policy Manager verifies identity. CPPM supports the following authentication source types: Microsoft Active Directory, LDAP-compliant directories, RSA or other RADIUS-based token servers, and SQL database, as well as Static Host lists for MAC-based authentication. authorization Authorization controls the type of access that an authenticated user is permitted to have. authorization source Collects attributes for use in role-mapping rules.

PAGE 537

device fingerprint Information collected about a device for the purpose of identification. Fingerprints can fully or partially identify individual users or devices even when cookies are turned off. device name Within the device family, a classification based on granular details such as OS version—for example, if the device family is Windows, the value for device name might be Windows 7 or Windows 2008 Server. One of three hierarchical elements in a device profile.

PAGE 538

EAP-TTLS EAP – Transport Layer Security (RFC 5216). A certificate-based authentication method supporting mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. form Interactive page in the application where users can provide or modify data. field In a database or user interface, a single item of information about a visitor account; attribute. FQLN Fully Qualified Location Name. A device location identifier in the format: APname.Floor.Building.Campus.

PAGE 539

NAD Network Access Device. The device that automatically connects the user to the preferred network; for example, an AP or an Ethernet switch. NAK Negative AcKnowledgement code. Response indicating that a transmitted message was received with errors or corrupted, or that the receiving end is not ready to accept transmissions. NAP Network Access Protection.

PAGE 540

PEAP Protected EAP. See EAP-PEAP. persistent agent Functionality within W-ClearPass OnGuard. Provides nonstop monitoring and automatic remediation and control, and supports automatic and manual remediation. When running persistent OnGuard agents, CPPM can centrally send system-wide notifications and alerts, and allow or deny network access. See also dissolvable agent and OnGuard. ping Test network connectivity using an ICMP echo request (“ping”). PKCS#n Public-key cryptography standard N.

PAGE 541

QC See QuickConnect. QuickConnect Functionality within ClearPass used to securely provision an Android, Windows, or OS X device and configure it with network settings. QuickConnect's functionality is now incorporated within Onboard. RADIUS Remote Access Dial-In User Server. Network access-control protocol for verifying and authenticating users; provides AAA management. A RADIUS transaction might be 802.1X, MAC-Auth, or generic RADIUS.

PAGE 542

SSID Service Set Identifier. Unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the basic service set (BSS). SSO Single Sign-On. Access-control property that lets a user log in once to access multiple related but independent applications or systems to which they have privileges. The process authenticates the user across all allowed resources during their session, eliminating additional login prompts.

PAGE 543

XML-RPC XML Remote Procedure Call. Protocol that uses XML to encode its calls and HTTP as a transport mechanism. The XML-RPC interface is available to third-party applications that will integrate with the WClearPass Guest Visitor Management Appliance. The W-ClearPass Guest XML-RPC API provides direct access to the underlying functionality of the W-ClearPass Guest Visitor Management Appliance.

PAGE 544

| Glossary Dell Networking W-ClearPass Guest 6.

PAGE 545

Index 1 AirGroup 1024-bit RSA 171 authenticating users via LDAP 364 configuration summary 28 2 2048-bit RSA 171 configuring fields 209 configuring operator device limit 464 A creating groups 67 AAA 23 creating users 464 access control, print templates 294 defining controller 361 account filters, creating 460 enabling dynamic notifications 361 accounting 22-23, 25 LDAP user search, configuring 364 accounts personal devices 69 passwords, multiple 247 registering devices 66 visitor account

PAGE 546

viewing 451 authentication 22-23, 25, 33, 76 authorization 23, 25, 33 access, role-based 22 dynamic 35 authorization servers 380 trust chain 128 character set encoding 52 Chromebook 527 configuring for Onboard 530 configuring Google Admin 531 network architecture 527 B Base-64 encoded 117 binary certificate 117 requirements 528 client applications 380 client credentials grant type 382 C client ID, OAuth 381 caching, CSV 500 client secret, OAuth 381 CalDAV 145 closed session 35 calendar 145 closin

PAGE 547

LDAP user search for AirGroup 364 device accounts 41 legacy OS X provisioning 178 field 206 Onboard deployment and provisioning 164 guest account 39 operator logins 456 hotspot plan 345 pages 206 LDAP server 467 passcode policy 152 LDAP translation rule 472 plugins 445 multiple guest accounts 45, 50 provisioning settings 168-169 operator 464 receipts 270, 305 operator profile 458 self-service portal, display functions 522 operator profiles 458 shared_location field 209 print template 29

PAGE 548

databases, user 26 documentation, viewing 453 default skin 447 duplicating deleting certificate 118 forms and views 213 field 208 SMS gateways 296 SMS gateways 296 SMTP carrier 305 deployment network provisioning 26 operational issues 26 overview 26 security policy 27 site checklist 27 device management 110, 113 device type 115 devices 59 creating accounts 41 editing 70 filtering 60 importing 77 list 110, 113 paired accounts 44 personal, AirGroup 69 provisioning configuration 169 shared 67 viewing 7

PAGE 549

guest accounts 50 expire_usage 200, 506 first_name 512 F fields 25, 198 account_activation 504 address 512 auto_send_sms 513 auto_send_smtp 514 auto_update_account 198, 504 captcha 505 card_code 512 card_expiry 512 card_name 512 card_number 512 change_of_authorization 505 city 512 country 512 create_time 505 creating 206 creator_accept_terms 198, 505 creator_name 505 customizing 206 Delete 208 deleting 208 do_expire 200, 505 do_schedule 199, 505 duplicating 208 dynamic_expire_time 505 dynamic_is_authorize

PAGE 550

rank ordering 214 visitor_carrier 513 remote_addr 511 visitor_company 512 role_id 199, 511 visitor_fax 513 role_name 199, 294, 511 visitor_name 260, 512 schedule_after 199, 511 visitor_phone 512 schedule_time 199, 511 warn_before_from 290, 515 secret_answer 259, 511 warn_before_from_sponsor 290, 515 secret_question 259, 511 zip 513 Show forms 209 show views 209 application log 451 simultaneous_use 198-199, 511 devices 60 sms_auto_send_field 291, 513 guest accounts 56, 65 sms_enabled 29

PAGE 551

text field 226 disable 57 validation errors 227 editing expiration 57 validation properties 227 email receipt 41 validator functions 516 export 50 value conversion 231 exporting 50 value format functions 521 filtering 56, 65 value formatter 232 importing 52 visible if 232 list 55 formats, certificates 117 paging 56 forms 25, 198, 201 print 58 change_expiration 202 receipts 41 create_multi 201 reset password 56 create_user 201 selection row 65 guest_edit 202 SMS receipt 41 guest_m

PAGE 552

searching 29 matching rules 472 hotspot management 341 operator logins 465 captive portal 343 POSIX-compliant servers 465 creating plan 345 server, creating 467 customer information 348 standard attributes 525 customizing invoice 348 translation rules 465 customizing receipt 354 translation rules, creating 472 customizing selection interface 350, 352, URL syntax 469 354 user search for AirGroup, configuring 364 editing plan 345 local operators 464 invoice 348 locations, AirGroup 67 pla

PAGE 553

O passcode policy 152 OAuth 380 provisioning settings 168-169 authorization servers 380 single sign-on (SSO) 154 client applications 380 subscribed calendar 155 client ID 381 VPN 156 client secret 381 VPN IPSec connection 158 grant types 381 VPN VIA connection 156 redirect URI 381 Web clips and bookmarks 160 registering app 381 Web content filter 161 resource owners 380 Windows applications (app sets) 163 resource servers 380 Onboard module 79 service accounts 383 Open SSL text format

PAGE 554

recovery 185 disconnecting session 34-35 resetting 56 reauthorizing session 34-35 picture string 515 reauthorizing PKCS#12 117 PKCS#7 117 session 34-35 receipt page 236 plugin management 444 plugins editing 248 receipts 38, 304 configuring 445, 447 configuring 270, 305 configuring, API Framework 378 email 284 configuring, Kernel 446 redirect URI 381 configuring, skin 447 reference 477 IP Phone Services 449 time-based sharing syntax 73 Plugin Manager 444 Register page 235 SMS Services 4

PAGE 555

editing 245 self-service portal 185, 257 foreach block 481 if block 481 accessing 257 include 480 auto login 258 literal block 481 password generation 258 modifiers 482 resetting passwords 258 nwa_adspace tag 320 secret question 259 Onboard 95 sending SMS alert 37 SMS message 303 sequence diagram section block 481 variables 480 SMS alert for session 37 AAA 23 alerts 37 guest self-registration 240 character limit 292 servers LDAP, creating 467 credits 303 guest account receipts 41 service

PAGE 556

subject line documentation 453 email receipt 284 plugins 444 subscribed calendar 155 sessions, device 63 support 453 SMS gateways 296 support services 450 SMTP carriers 305 syntax users 113 time-based sharing, examples 71 views 26, 198, 202 time-based sharing, reference 73 column format 235 customization 212 T duplicating 213 tab-separated values 50, 52 editing 213, 233 tag=value pair 67 field editor 234 template guest_export 51, 202 predefined template functions 482 guest_multi 64,

PAGE 557

API Symmetry 409 architecture overview 408 data representation 410 data types 410 faults 410 field customization 410 invoking the API 413 method amigopod.guest.change.expiration 415 method amigopod.guest.create 416 method amigopod.guest.delete 417 method amigopod.guest.edit 419 method amigopod.guest.enable 421 method amigopod.guest.get 422 method amigopod.guest.list 424 method amigopod.guest.reset.password 425 method amigopod.mac.create 426 method amigopod.mac.edit 428 method amigopod.mac.

PAGE 558

| Index Dell Networking W-ClearPass Guest 6.

Access Details
	Access Code	{$u.username\|htmlspecialchars}
	Username:	{$username}