| Access Code | {$u.username|htmlspecialchars} |
{if $u.create_result.

Customize the Guest Accounts Form

Next, modify the Guest Accounts form to add a flag that allows access-code based authentication.
1. Go to Configuration > Pages > Forms & Views.
2. In the Customize Forms & Views list, select create_multi and then click Edit Fields.
3. In the Edit Fields list, look for a field named username_auth. If the field exists but is not bolded and enabled, select it and click Enable Field.
4. Confirm that the account settings are as you expected with respect to letters and digits in the username and password, expiration, and role.
5. Click the Open print window using template drop-down list and select the new print template you created using this procedure. See "Create the Print Template" on page 202 for a description of this procedure. A new window or tab will open with the cards.
Dell Networking W-ClearPass Guest 6.
Pages

The Pages area of the user interface lets you customize the pages that are available to guests and sponsors. To work with pages configuration, go to Configuration > Pages > Start Here. This section includes:
• "Customizing Fields" on page 206
• "Customizing Forms and Views" on page 212
• "Customizing Guest Self-Registration" on page 235
• "Managing Web Logins" on page 260

Customizing Fields

Custom fields are fields that you define yourself to cater for areas of interest to your organization.
The Field Name is not permitted to have spaces but you can use underscores. The Field Type can be one of String, Integer, Boolean or No data type. The No data type field would be used as a label, or a submit button. Enter a description in the Description field. You can enter multiple-line descriptions which result in separate lines displayed on the form. You can specify the default properties to use when adding this field to a view.
You can specify the default validation rules that should be applied to this field when it is added to a form. See "Form Validation Properties" on page 227 in this chapter for further information about form validation properties. Select the Show advanced properties check box to reveal additional properties related to conversion, display and dynamic form behavior. See "View Field Editor" on page 234 in this chapter for more information about advanced properties.
Displaying Forms that Use a Field

To see a list of the forms that use a field, go to Configuration > Pages > Fields, click the field, and then click its Show Forms link. The list displays the forms that use the selected field. It also allows you to edit the form’s fields by clicking the Edit Fields link. Click the Use link to open the form that uses that field. If the field is used on multiple forms, you can select which form you would like to view.
3. In the User Interface drop-down list, select Checklist.
4. In the Description text box, delete the existing text, then enter Select the location IDs where this device will be shared. Leave blank to share with all locations.
5. Delete any text from the CSS Class and the CSS Style fields.
6. In the Options Generator drop-down list, select (Use options).
7. In the Options text box, enter a list of values to use as the checklist options that are presented to the user.
2. In the Conversion drop-down list, select NwaImplodeComma. The form expands to include the Type Error row.
3. In the Display Function drop-down list, select NwaExplodeComma. The form expands to include the Display Param and Display Arguments rows.
4. In the Display Param text field, enter the value _self. Be sure to include the leading underscore character.
5. Click Save Changes.
The user interface appears as follows:

Customizing Forms and Views

You can view a list of W-ClearPass Guest's forms and views. From this list view, you can change the layout of forms or views, add new fields to a form or view, or alter the behavior of an existing field. To view or customize forms and views, go to Configuration > Pages > Forms & Views. The Customize Forms and Views page opens. You can open a form or view directly from the Forms and Views page.
Editing Forms and Views

You can change the general properties of a form or view such as its title and description. To edit the form or view, go to Configuration > Pages > Forms & Views, click the form’s or view’s row in the list, and then click its Edit link. The row expands to include the Edit Properties form. The Width field is only displayed for views. It specifies the total width of the list view in pixels. If blank, a default value is used.
Editing Forms

To add a new field to a form, reorder the fields, or make changes to an existing field, go to Configuration > Pages > Forms & Views, click the form’s row in the Customize Forms & Views list, and then click the Edit Fields link. The Customize Form Fields view opens.

Field | Description
Rank | Specifies the relative ordering of the fields when displaying the form. This list always shows the fields in order by rank.
Field | The name of the field in the database.
Form Field Editor

The form field editor is used to control both the data gathering aspects and user interface characteristics of a field. To open the Form Field Editor, go to Configuration > Pages > Forms & Views, click a form or view, click its Edit Fields link, click the field, and then click the field's Edit link. Each field can only appear once on a form. The Field Name selects which underlying field is being represented on the form.
• No user interface – The field does not have a user interface specified. Using this value will cause a diagnostic message to be displayed (“Form element is missing the ‘ui’ element”) when using the form.
• CAPTCHA security code – A distorted image of several characters will be displayed to the user, as shown below: A new image may be generated, or the image may be played as an audio sample for visually impaired users.
• Checklist – A list of check boxes is displayed, as shown below: The text displayed for each check box is the value from the options list. Zero or more check boxes may be selected. This user interface type submits an array of values containing the option key values of each selected check box. Because an array value may not be stored directly in a custom field, you should use the conversion and value formatting facilities to convert the array value to and from a string when using this user interface type.
For example, suppose the first two check boxes are selected (in this example, with keys “one” and “two”). The incoming value for the field will be an array containing 2 elements, which can be written as array ("one", "two"). The NwaImplodeComma conversion is applied, which converts the array value into the string value “one,two”, which is then used as the value for the field.
• Drop-down list – The field is displayed allowing a single choice from a drop-down list. The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field. If the “Hide when no options are selectable” check box is selected, and there is only a single option in the drop-down list, it will be displayed as a static text item rather than as a list with only a single item in it.
value when the form is submitted. If the value should be forced, use the Force Value setting under Advanced Properties to ensure the value cannot be overridden. For more information, see "Advanced Form Field Properties" on page 230. To set the value to submit for this field, use the Initial Value option in the form field editor.
• Multiple Selection List – A list of selectable options will be displayed. The text displayed for each check box or radio button is the value from the options list.
• Password text field – The field is displayed as a text field, with input from the user obscured. The text typed in this field is submitted as the value for the field.
• Radio buttons – The field is displayed as a group of radio buttons, allowing one to be selected, as shown below: The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field.
The “Vertical” and “Horizontal” layout styles control whether the radio buttons are organized in top-to-bottom or left-to-right order. The default is “Vertical” if not specified.
• Static text – The field’s value is displayed as a non-editable text string. An icon image may optionally be displayed before the field’s value. A hidden element is also included for the field, thereby including the field’s value when the form is submitted.
• Static text (Raw value) – The field’s value is displayed as a non-editable text string. HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links and font formatting. Use caution when using this type of user interface element, particularly if the field’s value is collected from visitors. Allowing HTML from untrusted sources is a potential security risk.
If the Hide when no options are selectable check box is selected in the Collapse row, the field will be hidden if its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.
• Static text (Options lookup) – The value of the field is assumed to be one of the keys from the field’s option list. The value displayed is the corresponding value for the key, as a non-editable text string.
• Submit button – The field is displayed as a clickable form submit button, with the label of the field as the label of the button. The description is not used. The field’s value is ignored, and will be set to NULL when the form is submitted. To place an image on the button, an icon may be specified. To match the existing user interface conventions, you should ensure that the submit button has the highest rank number and is displayed at the bottom of the form.
It is recommended that you specify the desired minimum dimensions of the text area, either with the Rows and Columns options, or by specifying a width in the CSS Style option (for example, “width: 460px; height: 100px;” specifies a 460 x 100 pixel minimum area).
• Text field – The field is displayed as a single-line text box. The text typed in this box is submitted as the value for the field. A short text label may be placed after the text box using the Label After option.
Form Validation Properties

On the Form Field Editor (see "Form Field Editor" on page 215), the form validation properties control the validation of data entered into a form. By specifying appropriate validation rules, you can detect when users attempt to enter incorrect data and require them to correct their mistake. The initial value for a form field may be specified. Use this option when a field value has a sensible default. The initial value should be expressed in the same way as the field’s value.
Argument. Validators such as IsEqual, IsInRange and IsRegexMatch use the argument to perform validation.

Examples of Form Field Validation

Example 1 – To create a form field that requires an integer value between 1 and 100 (inclusive) to be provided, use the following settings in the form field editor (see "Form Field Editor" on page 215): The form field will contain an integer value, so you should set the field's type to Integer when you create it.
Example 2 – To create a form field that accepts one of a small number of string values, use the following settings in the form field editor: This example could be used for a string field named visitor_department. Because the values are known in advance, a drop-down list is the most suitable user interface. An initial value for the form field, as shown above, could be used if most visitors are in fact there to visit the sales team.
Advanced Form Field Properties

On the Form Field Editor (see "Form Field Editor" on page 215), the Advanced Properties control certain optional form processing behaviors. You can also specify JavaScript expressions to build dynamic forms similar to those found elsewhere in the application. On the Customize Form Fields page, select the Show advanced properties check box to display the advanced properties in the form field editor.
if a list of email addresses and phone numbers was imported for pre-registration, each visitor’s entries for those fields at registration must match.

Form Field Validation Processing Sequence

The following figure shows the interaction between the user interface displayed on a form and the various conversion and display options available on the Form Field Editor (see "Form Field Editor" on page 215).
In this case, the Conversion function is set to NwaConvertOptionalDateTime to convert the string time representation from the form field (for example, “2008-01-01”) to UNIX time (for example, 1199145600). The Validator for the expire_time field is IsValidFutureTimestamp, which checks an integer argument against the current time. The Value Formatter is applied after validation.
Unlike the other parts of the form field editor, the Enable If and Visible If expressions are evaluated by the operator’s Web browser. These expressions are not used by the server for any other purpose. The expression must be a Boolean expression in the JavaScript language; statements and other code should not be included as this will cause a syntax error when the form is displayed in a Web browser.
View fields have a Rank number, which specifies the relative ordering of the columns when displaying the view. The Customize View Fields editor always shows the columns in order by rank. The Type of each field is displayed. This controls what kind of user interface element is used to display the column, and whether the column is to be sortable or not. The Title of the column and the Width of the column are also shown in the list view.
To use the default view display properties for a field, you only need to select the field to display in the column and then click the Save Changes button. To customize the view display properties, click the Advanced view options… check box. The column type must be one of the following:
• Text – The column displays a value as text.
• Sortable text – The column displays a value as text, and may be sorted by clicking on the column heading.
• The receipt page typically contains static information about the guest account, but several different actions can be included, enabling visitors to obtain their receipt in different ways. The receipt page can also be used to automatically log the guest into a Network Access Server, enabling them to start using the network immediately. Detailed user interface customization can be performed for all parts of the self-registration process.
Field | Description
Go to Portal | Displays a preview of the Self Service Login portal. See "The "Go to Portal" Option" on page 238.
Go to Login | Displays a preview of the Network Login form. See "The "Go to Login" Option" on page 239.
Create new self-registration | Create a new self-registration page. See "Creating a Self-Registration Page" on page 241.
The Receipt Page

After the visitor successfully registers, the receipt page is their confirmation and provides their login and access information.

The "Go to Portal" Option

When you choose the Go To Portal option for a self-registration page, the row expands to show an active preview of the Self Service Login page and form as the visitor would see it. This form lets the visitor access their account information. You may test the behavior of the form.
The "Go to Login" Option

When you choose the Go To Login option for a self-registration page, the row expands to show an active preview of the Network Login page and form as the visitor would see it. This is the page the visitor sees when they log in to the network. You may test the behavior of the form.

Self-Registration Sequence Diagram

To set up a captive portal with guest self-registration, you configure your Network Access Servers to redirect guests to the URL of the ‘Go To’ link.
Figure 29 Sequence Diagram for Guest Self-Registration

In this diagram, the stages in the self-registration process are identified by the numbers in brackets, as follows: The captive portal redirects unauthorized users [1] to the registration page [2]. After submitting the registration form [3], the guest account is created and the receipt page is displayed [4] with the details of the guest account.
Figure 30 Guest Self-Registration Workflow Diagram

The diagram shows the guest self-registration process. The solid orange arrows show the workflow for the visitor. The dotted blue arrows show the workflow for the administrator. The blue headings in the diagram are links to the corresponding sections of the Customize Guest Registration form. Click an icon or label in the diagram to jump directly to the editor for that item.
Field | Description
Name | (Required) The name of this self-registration page to identify it—for example, "Guest Self-Registration". This name can include spaces. This name is only displayed to administrators within W-ClearPass; it is not seen by the visitor.
Description | You may enter comments to further identify or describe this page. This description is only displayed within W-ClearPass.
Enabled | When creation of this page is complete, select this check box to make it available to use.
Configuring Basic Properties for Self-Registration

Click the Master Enable, User Database, Choose Skin, or Rename Page links to edit the basic settings for guest self-registration. The Basic Properties window has configurable settings such as Name, Description, enabling guest self-registration, Register Page, Parent, and Authentication.

Using a Parent Page

To use the settings from a previously configured self-registration page, select an existing page name from the Parent drop-down menu.
The Allowed Access and Denied Access fields are access control lists that determine if a client is permitted to access this guest self-registration page. You can specify multiple IP addresses and networks, one per line, using the following syntax:
• 1.2.3.4 – IP address
• 1.2.3.4/24 – IP address with network prefix length
• 1.2.3.4/255.255.255.0 – IP address with explicit network mask
Use the Deny Behavior drop-down list to specify the action to take when access is denied.
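The three entry syntaxes above, parsed and evaluated in Python as an added example (this is not ClearPass code). The function names, the sample lists, the deny-before-allow order and the reading of 1.2.3.4/24 as the network 1.2.3.0/24 are assumptions; the page does not state how the product evaluates the two lists.

```python
import ipaddress


def _prefix_from_netmask(mask):
    """Convert a dotted netmask such as 255.255.255.0 to a prefix length."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    # A netmask is a run of ones followed by zeros, so its inverse plus one
    # is a power of two. Host masks such as 0.0.0.255 fail this check.
    if inverted & (inverted + 1):
        raise ValueError(f"not a contiguous network mask: {mask}")
    return 32 - inverted.bit_length()


def parse_entry(entry):
    """Parse one entry written in any of the three syntaxes listed above."""
    address, slash, suffix = entry.strip().partition("/")
    if not slash:
        prefix = 32                              # 1.2.3.4
    elif suffix.isascii() and suffix.isdigit():
        prefix = int(suffix)                     # 1.2.3.4/24
    else:
        prefix = _prefix_from_netmask(suffix)    # 1.2.3.4/255.255.255.0
    # Assumption: an address with host bits set names its enclosing network,
    # so 1.2.3.4/24 is read as 1.2.3.0/24 (strict=False).
    return ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)


def parse_acl(text):
    """Parse a multi-line field value, one entry per line; blank lines skipped."""
    networks = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            networks.append(parse_entry(line))
        except ValueError as exc:
            raise ValueError(
                f"line {number}: bad entry {line.strip()!r}: {exc}"
            ) from exc
    return networks


def is_permitted(client_ip, allowed, denied):
    """Decide access for one client address.

    Assumed evaluation order (the page does not state one): a match in the
    denied list always wins; an empty allowed list admits everyone else.
    """
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in net for net in denied):
        return False
    return not allowed or any(ip in net for net in allowed)


# Constructed sample field values (documentation and private address ranges).
ALLOWED_ACCESS = """\
10.20.0.0/16
192.0.2.77/24
198.51.100.10
"""
DENIED_ACCESS = """\
10.20.30.0/255.255.255.0
"""

if __name__ == "__main__":
    allowed = parse_acl(ALLOWED_ACCESS)
    denied = parse_acl(DENIED_ACCESS)
    for client in ("10.20.1.5", "10.20.30.9", "192.0.2.200", "198.51.100.11"):
        verdict = "permit" if is_permitted(client, allowed, denied) else "deny"
        print(f"{client:15} {verdict}")
```

The explicit netmask check is there because Python's ipaddress module on its own also accepts a host mask such as 0.0.0.255, which is not one of the three documented forms.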
Editing Registration Page Properties

To edit the properties of the registration page:
1. Go to Configuration > Pages > Guest Self-Registration.
2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears.
3. Click the Register Page link, or one of the Title, Header, or Footer fields for the Register Page.

Figure 31 The Customize Guest Registration Form

Template code for the title, header, and footer may be specified.
The default settings for this form are as follows:
• The visitor_name and email fields are enabled. The email address of the visitor will become their username for the network.
• The expire_after field is set to a value of 24 by default; this sets the default expiration time for a self-registered visitor account to be 1 day after it was created. This field is hidden by default on the register page.
Table 35: Form Editor Options
Field | Description
Edit | Make changes to an existing field. The Form Field Editor opens. Any changes made to the field using this editor will apply only to this field on this form.
Edit Base Field | Make changes to an existing field’s definition. Any changes made to the field using this editor will apply to all forms that are using this field (except where the form field has already been modified to be different from the underlying field definition).
5. To adjust the placement of the password field on the Create Multiple Guest Accounts form, you may change the number in the Rank field.
6. In the User Interface row, choose Password text field from the drop-down list. The Field Required check box should now be automatically marked, and the Validator field should be set to IsNonEmpty.
7. Click Save Changes. The Customize Form Fields view opens again, and the password field is now included and can be edited.
Enabling Sponsor Confirmation for Role Selection

You can allow the sponsor to choose the role for the user account at the time the sponsor approves the self-registered account. To enable role selection by the sponsor:
1. Go to Configuration > Pages > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens.
2. In the Receipt Page area of the diagram, click the Actions link.
The Receipt Actions form opens.
3. In the Sponsorship Confirmation area at the bottom of the form, mark the Enabled check box for Require sponsor confirmation prior to enabling the account. The form expands to let you configure this option.
4. In the Authentication row, mark the check box for Require sponsors to provide credentials prior to sponsoring the guest.
5. In the Role Override row, choose (Prompt) from the drop-down list.
6.
When a guest completes the form and clicks the Register button, the sponsor receives an email notification.
8. To confirm the guest’s access, the sponsor clicks the click here link in the email, and is redirected to the Guest Registration Confirmation form.
9. In the Account Role drop-down list, the sponsor chooses the role for the guest, then clicks the Confirm button.
Editing Email Delivery of Guest Receipts

The Email Delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery. When email delivery is enabled, the following options are available to control email delivery:
• Disable sending guest receipts by email – Email receipts are never sent for a guest registration.
Editing SMS Delivery of Guest Receipts

The SMS Delivery options available for the receipt page actions allow you to specify the print template to use, the field containing the visitor’s phone number, and the name of an auto-send field. These options under Enabled are available to control delivery of SMS receipts:
• Disable sending guest receipts by SMS – SMS receipts are never sent for a guest registration.
If automatic guest login is not enabled, the submit button on the receipt page will not be displayed, and automatic NAS login will not be performed. In the Vendor Settings field, if Single Sign-On - SAML Identity Provider is selected, an appropriate service must be created in CPPM using the ClearPass IDP service template. The external service provider must then be configured to use the SAML Web login page as the IdP.
Table 36: The Customize Guest Self-Registration Form, Login Form and Post-Authentication
Field | Description
Custom Form | Indicates you will provide a custom login form. If selected, you must supply your own HTML login form for the header or footer HTML areas.
Custom Labels | Enables altering the default labels and error messages.
Username Label | Label that appears on the form for the username field. Leave blank to use the default (Username:).
Field | Description
Terms Layout | Layout for the terms and conditions text—either above or below the Terms check box.
Terms Error | Text to display if the terms are not accepted. Leave blank to use the default (In order to log in, you must accept the terms and conditions.).
Log In Label | Label that appears on the form for the login button. Leave blank to use the default (Log In).
Health Check | Requires the visitor to pass a health check before they can access the network.
Table 37: The Customize Guest Self-Registration Form, Login UI Section
Field | Description
Login Page Title | The title that will be displayed on the NAS login page.
Header HTML | The HTML content to display above the NAS login form. You can use the drop-down lists to add images or other content items.
Footer HTML | The HTML content to display below the NAS login form. You can use the drop-down lists to add images or other content items.
To adjust the user interface, use the override check boxes to display additional fields on the form. These fields allow you to customize all text and HTML displayed to users of the self-service portal. The behavioral properties of the self-service portal are described below:
• The “Enable self-service portal” check box must be selected for guests to be able to access the portal.
The default user interface for the self-service portal is shown below: Clicking the I’ve forgotten my password link displays a form where the user password may be reset: Entering a valid username will reset the password for that user account, and will then display the receipt page showing the new password and a login option (if NAS login has been enabled). This feature allows the password to be reset for any guest account on the system, which may pose a security risk.
With these settings, the user interface for resetting the password now includes a question and answer prompt after the username has been determined: Selecting a different value for the “Required Field” allows other fields of the visitor account to be checked. These fields should be part of the registration form.
Table 38: The Web Logins List View
Field | Description
Edit | Edit any of a Web login page's attributes. The Web Login Editor form opens. For more information, see "Creating and Editing Web Login Pages" on page 261.
Duplicate | Create a copy of a Web login page to use as a basis for a new page. A progress bar is shown while the page settings are duplicated. When it is complete, the new page is displayed in the list with "Copy of" prepended to its name.
Onboard creates a default Web login page that is used to start the device provisioning process. To create a new Web login page, go to Configuration > Pages > Web Logins and click the Create new Web login page link in the upper-right corner. The Web Login Editor form opens.

Table 39: Web Login Editor, General Properties
Field | Description
Name | (Required) Enter a name for the page.
Page Name | Identifier page name that will appear in the URL -- for example, "/guest/page_name.php".
Field | Description
• Policy Initiated—An enforcement policy will control a change of authorization—This option should be selected if a Policy Manager policy that includes a "bounce client" will be run as part of the page's actions. This option should be selected if you are using OnGuard health checks.
Address | (Required) IP address or hostname of the vendor's product.
Secure Login | Security option to use for the Web login process.
Table 40: Web Login Editor, Login Form Properties
Field | Description
Submit URL | URL of the NAS device's login form.
Submit Method | Method to use when submitting the login form to the NAS. Options include:
• POST
• GET
Authentication | Authentication requirement options include:
• Credentials — Require a username and password
• Access Code — Only require a username for authentication—This option does not require a password.
Field | Description
UAM Secret | Shared secret between the NAS device and the Web login form.
Pre-Auth Check | How the username and password should be checked before authentication.
Table 41: Web Login Editor, Default Destination Properties
Field | Description
Default URL | The default URL for the redirect page. For external domains, this must include the http:// prefix.
Override Destination | Forces the default destination for all clients, overriding any default value already set on the client.
Field | Description
registration link.
Login Message | Enter the HTML template code for the text to display while the login attempt is in progress. The default content is shown, and can be modified. You can also use the drop-down list to add images or other content items.
Login Delay | Specifies the number of seconds to delay while displaying the login message.

Options in the Social Logins area let you present guests with various social login options:
Table 43: Web Logins Editor, Social Logins Properties
Field | Description
Social Login | To enable the use of social network credentials to log in, select this check box. The form expands to include social login configuration options.
Authentication Providers | All social network providers that have been configured are included in this list.
Add new authentication provider | Opens the properties form for adding and configuring a social network provider.
Field | Description
Notes | You may enter additional notes or comments about the provider. This description is only seen by administrators.
Email | If selected, allows the provider to request access to the guest's email address. Access requires additional permission for the provider.
Google Plus | If selected, allows the provider to request access to the guest's Google Plus profile. Access requires additional permission for the provider.
Options in the Post-Authentication area control the actions to perform after a successful pre-authentication:

Table 45: Web Login Editor, Post-Authentication Properties
Field | Description
Health Check | Requires the visitor to pass a health check before they can access the network. The health check is done automatically through the OnGuard dissolvable agent.
Client Agents
Header HTML | The HTML content to display above the health check text. The default content is shown, and can be modified.
Digital Passes

Digital passes are cryptographically signed files containing fields and images that are used as boarding passes, event tickets, coupons, store passes, or other scannable items. In Dell Networking W-ClearPass Guest, you can upload and install digital pass certificates, create new templates for digital passes, and use the passes for guest receipts. To work with digital passes, go to Configuration > Receipts > Digital Pass Templates.
Passes can be organized in Apple Passbook on the user's device. Good visual design practices ensure that each pass can be quickly recognized when displayed amongst other passes. (Apple Passbook is available on Apple iOS 6+ devices.) To use a pass such as a membership card or store card, the user selects it from the passbook and displays it so the barcode can be scanned.
Template" on page 277. Pass templates define:
• Name and a description: Used to identify the template in W-ClearPass administrative forms and views.
• Style: Boarding Pass, Event ticket, Coupon, Store Pass, or Generic.
• Colors: Foreground, background, and label. If no alternate colors are specified, then default colors will be used. If there are alternate colors specified, then they will be used instead of the default colors.
• Summary: Short description for a voice-over.
3. Create a certificate for your Pass Type ID.
4. Follow the portal’s instructions to create a certificate signing request using Keychain Access (a standard Mac OS X application) and submit it to the portal.
5. Download the Pass Type ID certificate.

You also need to provide the private key for the pass certificate. If you created the certificate signing request using Keychain Access:
1. In Keychain Access, locate the private key for the certificate signing request.
2.
If no pass certificate is installed yet, no details are displayed. Click the Upload pass certificate link to obtain and install a certificate. See "Installing Digital Pass Certificates" on page 275.

Installing Digital Pass Certificates

You must have a valid Pass Certificate issued by Apple in order to generate and download passes. To obtain a pass certificate, you first need an Apple developer account. Developer accounts are free; to register for an account, go to developer.apple.
Field | Description
Format | Specify whether you will upload the certificate as a file or paste in the certificate text. The form expands to include the Step 2 options.
Certificate | For certificates pasted as text, copy and paste the digital certificate's text. This is a block of encoded text and should include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines. For uploaded certificate files, browse to the certificate to upload. This should be one of the following: PEM encoded X.
| Field | Description |
|---|---|
| Edit | Edit any of the template's properties. |
| Copy | Make a copy of the template to use as a basis for a new template. |
| Reset to Defaults | Resets the default template to its original settings if changes were made. (Only available for the default template) |
| Delete | Deletes the pass template. (The default Guest Receipt template cannot be deleted) |
| Create a new template | Create a new template. |
Defining Pass Properties

For examples of variables that can be used in the Summary and Logo Text fields described in the following table, click the Example 'template code' replacements link above the form, or see "Example Template Code Variables" on page 283. For a list of image fields supported by each of the different pass styles, click the A note regarding images and icons link above the form, or see "Images in Digital Passes" on page 283.
| Field | Description |
|---|---|
| Icon Image | Icon shown on the lock screen and in notifications and emails where the pass is attached. To use the default icon, leave this field blank. The low-resolution version of the icon image should be 29 x 29 pixels. If an "@2x" high-resolution version is available, it will also be added to the pass. The "@2x" high-resolution version should be 58 x 58 pixels. |
| Logo Image | Logo shown at the top-left corner of the front of the pass. To use the default logo, leave this field blank. |
Defining Pass Fields

Table 48: Pass Fields, Pass Template Settings

| Field | Description |
|---|---|
| Fields | List of fields currently included in this pass template, with descriptions. You can click a field's row for configuration options. |
| Edit | Opens the Field Properties editor, where you can enable the field and modify its placement, content, and presentation properties. |
| Disable | Disables the field for the pass. To enable it again, click its Enable link. |
| Move Up | Fields are shown in this list in their rank order. |
Table 49: Relevant Locations, Pass Template Settings

| Field | Description |
|---|---|
| Relevant Locations | If selected, shows the digital pass on the user's lock screen when near a given location. Passbook determines the appropriate distance around the location for the pass to be displayed on the lock screen. |
| Location Limit | A pass template may only contain 10 locations. More may be added here, but only the first 10 valid locations will be included in the pass. |
| Field | Description |
|---|---|
| | • Optional — The pass can still be generated even if no value is supplied for the date field • Required — The pass will not be generated if the value for the date field is empty |
| Date Rank | Rank order for processing the date field defined here. If multiple relevant date fields are included in the template, they are processed in ascending order, and the first field that has a valid date will be the relevant date for the pass. |
| Date | Text for the relevant date. |
Example Template Code Variables

When you create or edit a digital pass template, many of the settings accept standard template code. This is the same code that is supported for print templates. This allows you to specify either simple direct values or more complex values based upon the evaluation of template code. All template code is evaluated when the pass is generated from the pass template, using values from the guest receipt as inputs to the pass template.
Only PNG image files (*.png) are supported by passes. A pass can contain both a low-resolution version (i.e. for non-Retina displays) and a high-resolution version (i.e. for Retina displays) of each image. If it has been uploaded to the content manager, the high-resolution version of an image is also automatically included in the pass. The high-resolution version must be named with the suffix @2x at the end of the filename, just before the file extension—for example:
• Company_Logo.
The following options are available in the Enabled drop-down list to control email delivery:

Table 52: Email Delivery Options, Customize Guest Self-Registration

| Field | Description |
|---|---|
| Disable sending guest receipts by email | Email receipts are never sent for a guest registration. |
| Always auto-send guest receipts by email | An email receipt is always generated using the selected options, and is sent to the visitor’s email address. |
Email Receipt Options

The Customize Email Receipt form may be used to set default options for visitor account email receipts. To configure email receipt options, go to Configuration > Pages > Email Receipts. The Customize Email Receipt form opens.

Figure 32 Customize Email Receipt page

Table 53: The Customize Email Receipt Form

| Field | Description |
|---|---|
| Subject Line | May contain template code, including references to guest account fields. |
| Field | Description |
|---|---|
| | the email receipt will be sent to the current operator. |
| Send Copies | Choose a value from the drop-down list to specify how copies of the email receipts will be sent to the additional email addresses listed in the Copies To field: • Do not send copies – The Copies To list is ignored and email is not copied. • Always send using ‘cc:’ – The Copies To list is always sent a copy of any guest account receipt (even if no guest account email address is available). |
Figure 33 Example of Email Receipt Test Message Content

About Customizing SMTP Email Receipt Fields

The behavior of email receipt operations can be customized with certain guest account fields. You do this on a per-user basis.

Table 54: SMTP Email Receipt Fields

| Field | Description |
|---|---|
| smtp_enabled | May be set to a non-zero value to enable sending an email receipt. If unset, the default value from the email receipt configuration is used. |
| Field | Description |
|---|---|
| smtp_auto_send_field | Specifies the name of the field that contains the auto-send flag. If blank or unset, the default value from the email receipt configuration is used. Additionally, the special values “_Disabled” and “_Enabled” may be used to never send email or always send email, respectively. |
| smtp_cc_list | Specifies a list of additional email addresses that will receive a copy of the visitor account receipt. |
| Field | Description |
|---|---|
| smtp_warn_before_cc_list | This overrides the list of additional email addresses that receive a copy of the visitor account receipt under Logout Warnings on the email receipt. If the value is “default”, the default carbon-copy list under Logout Warnings from the email receipt configuration is used. |
| smtp_warn_before_cc_action | This field overrides how copies are sent as indicated under Logout Warnings on the email receipt. to send copies of email receipts. |
• sms_template_id – This field specifies the print template ID for the SMS receipt. If blank or unset, the default value from the SMS plugin configuration is used.
• sms_phone_field – This field specifies the name of the field that contains the visitor’s phone number. If blank or unset, the default value from the SMS plugin configuration is used.
• sms_auto_send_field – This field specifies the name of the field that contains the auto-send flag.
Plain text print templates may be used with SMS services to send guest account receipts; see "About SMS Guest Account Receipts" on page 304 for details. Because SMS has a 160 character limit, the number of characters used in the plain text template will be displayed below the preview. If you are including a guest account’s email address in the SMS, remember to allow for lengthy email addresses (up to 50 characters is a useful rule of thumb).
You are able to add Smarty template functions and blocks to your code. These act as placeholders to be substituted when the template is actually used. See "Smarty Template Syntax" on page 480 for further information on Smarty template syntax. You can use an {if} statement to define a single print template that caters to multiple situations.
Each of the basic styles provides support for a logo image, title area, subtitle area, notes area, and footer text. These items can be customized by typing in an appropriate value in the Print Template Wizard. As the print template is an HTML template, it is possible to use HTML syntax as well as Smarty template code in these areas. See the "Reference" on page 477 chapter for reference material about HTML and Smarty template code. The print template may also contain visitor account fields.
The permissions defined on this screen apply to the print template identified in the “Object” line. The owner profile always has full access to the print template. To control access to this print template by other entities, add or modify the entries in the “Access” list. To add an entry to the list, or remove an entry from the list, click one of the icons in the row. A Delete icon and an Add icon will then be displayed for that row.
  ▪ Full access (ownership) – the print template is visible in the list, and may be edited or deleted. The permissions for the print template can be modified, if the operator has the Object Permissions privilege.

SMS Services

With SMS Services, you can configure W-ClearPass Guest to send SMS messages to guests. You can use SMS to send a customized guest account receipt to your guest’s mobile phone. You can also use SMS Services to send an SMS from your Web browser.
• To work with a gateway, click its row in the list. The gateway’s row expands to include the Edit, Duplicate, Delete, Make Default, and Send SMS options.

Table 56: SMS Gateways List

| Field | Description |
|---|---|
| Edit | Lets you make changes to the gateway. See "Editing an SMS Gateway" on page 301. |
| Duplicate | Lets you make a copy of the gateway to use as a base for a new gateway. A new gateway will be added to the list with the name “Copy of ”. |
Table 57: SMS Gateway Configuration -- Gateway and Service Settings Options

| Field | Description |
|---|---|
| SMS Gateway | (Required) The SMS gateway service to use. Options in this drop-down list include: • ClearPass Guest SMS Service • Custom HTTP Handler • SMS over SMTP • External Providers The options presented in the Service Settings area depend on the gateway selected here. |
| Display Name | Name for this gateway service handler. |
| Carrier Selection | |
| Field | Description |
|---|---|
| Address | (Required) If a fixed email address was specified, enter the email address to which all SMS messages will be sent. |
| Address Template | (Required) If a template to determine the address was specified, enter an example address that will be used as the pattern for the address format. |
| Number Format | Choose a country code requirement option from this drop-down list. The available options are Use the visitor’s value, Always include the country code, or Never include the country code. |
Field Description leave this field blank. Confirm Passphrase SMS Source Address Enter the originator address of sent SMS messages. Depending on the provider, this may be either a phone number or a short string. Message Format If needed for custom SMS handlers, you can select the check box to specify that the message format should be converted to hex-encoded UTF-16 (Unicode).
Table 59: SMS Gateway Configuration -- Connection Settings, Debug, and Test SMS Settings Options

| Field | Description |
|---|---|
| Connection Timeout | (Required) The connection timeout for this SMS service, in seconds. |
| HTTP Timeout | (Required) The timeout for the HTTP transfer to complete, in seconds. |
| Enable Debug | To log detailed information in the application log for each stage of the HTTP transaction, select the check box in this row. |
| Message | (Required) To verify the configuration, enter a test message. |
3. The SMS Gateway field displays the gateway service that was selected when the gateway was created. This cannot be edited after creation.
4. In the Service Settings area, you may edit the Display Name.
5. When you duplicate an SMS over SMTP gateway, the Carrier Selection configuration options are included. In the Carrier Selection drop-down list, choose one of the following options:
• Registration form will have the visitor_carrier field—The visitor will supply the carrier information when they register.
  ▪ Number Format—Choose a country code requirement option from this drop-down list. The available options are Use the visitor’s value, Always include the country code, or Never include the country code.
  ▪ Subject Line—You may enter text for the message’s subject line. This field supports Smarty template syntax. For a Smarty template syntax description, see "Smarty Template Syntax" on page 480.
6.
To determine the number of remaining SMS credits for a service, go to the Configuration > SMS Services > Gateways list, and find the service's row in the list. The Credits Available column indicates the number of remaining SMS credits for your account. This value is determined when the first message is sent, and is updated after sending each message. When credits are running low, a warning message is emailed to the administrator group.
When using guest self-registration, SMS Delivery options are available for the receipt page actions; see "Editing Receipt Actions" on page 248 for full details. For more information on SMS services, see "SMS Services" on page 296.

SMS Receipt Options

SMS receipt configuration options are available in the Customization module (see "Customizing SMS Receipt" on page 290).
3. To enable, disable, or delete a carrier, click the carrier in the list. The carrier’s row expands to include the Edit, Enable or Disable, and Delete options.
• To enable a carrier, click the Enable link in its row, then refresh the screen. The carrier will then be available to work with and will be included in the drop-down lists when you click the Display Lists link.
4. The procedures for adding and for editing a carrier are the same.
  ▪ The default is to substitute the number for all characters preceding the @ sign, producing the pattern number@address.
  ▪ Some carriers require additional characters before or after the phone number. In this case, use the keyword string NUMBER in the pattern to limit the substitution to just the phone number portion of the address—for example, NUMBER.msg@carrier.example.com, or username+NUMBER@mymail.
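The address-pattern rule described above (default substitution of everything before the @ sign, or the NUMBER keyword) can be sketched as follows. This is an added example, not W-ClearPass code: the function names, the digits-only normalization with its 6 to 15 digit bound, and the sample inputs are assumptions.

```python
import re

# Assumption: characters a visitor may type as phone-number formatting.
_FORMATTING = re.compile(r"[\s().-]")
# Assumption: optional leading "+", then 6 to 15 ASCII digits (E.164-style bound).
_PHONE = re.compile(r"\+?[0-9]{6,15}")


def normalize_number(raw: str) -> str:
    """Return only the digits of a visitor-supplied number, or raise ValueError.

    Anything other than digits and common formatting is rejected, so the value
    cannot add an extra "@", a comma, or a line break to the mail address.
    """
    candidate = _FORMATTING.sub("", raw)
    if not _PHONE.fullmatch(candidate):
        raise ValueError(f"not a phone number: {raw!r}")
    return candidate.lstrip("+")


def build_sms_address(pattern: str, raw_number: str) -> str:
    """Apply a carrier address pattern to a phone number (hypothetical helper)."""
    number = normalize_number(raw_number)
    local, at, domain = pattern.partition("@")
    if not local or not at or not domain:
        raise ValueError(f"pattern must look like local@domain: {pattern!r}")
    if "NUMBER" in pattern:
        # Keyword form: only the keyword is substituted; the characters the
        # carrier requires before or after the number are kept.
        return pattern.replace("NUMBER", number)
    # Default form: the number replaces everything preceding the @ sign.
    return f"{number}@{domain}"


if __name__ == "__main__":
    # Constructed sample inputs; carrier.example.com is a placeholder domain.
    samples = [
        ("number@carrier.example.com", "(555) 010-1234"),
        ("NUMBER.msg@carrier.example.com", "+1 555 010 1234"),
        ("number@carrier.example.com", "5550101234\r\nBcc: other@example.org"),
    ]
    for pattern, raw in samples:
        try:
            print(f"{raw!r:45} -> {build_sms_address(pattern, raw)}")
        except ValueError as err:
            print(f"{raw!r:45} -> rejected ({err})")
```

Because the visitor's phone number becomes part of a mail recipient address, the sketch validates it before substitution rather than after.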
• To view the Translation Plugin settings, see "Configuring the Translations Plugin" on page 450 in the Administration module.

Translation Packs

To work with individual translation packs, go to Configuration > Translations > Translation Packs. The Language Packs list view opens. All translation packs that have been enabled are included in the list.
Table 61: Translation Pack Configuration

| Field | Description |
|---|---|
| Parent | Name of the translation pack you used as a basis. This field only appears if you are duplicating a translation pack. |
| Name | Name of this translation pack. This identifying name is different from the display name, and is only seen by application administrators. |
| Enabled | You can select the check box to enable this translation pack, or leave it unselected to create the translation pack but not enable it yet. |
Translation Assistant

To configure some basic user assistance features for the user interface's language settings, go to Configuration > Translations > Translation Assistant. The Translation Assistant form opens.

Table 62: Translation Assistant Configuration

| Field | Description |
|---|---|
| Default Language | Sets the default language pack for the user's application. |
| Auto-Detection | If selected, disables automatic browser-based language detection and enforces the default translation pack instead. |
Customizing Translated User Interface Text

You can override the default translations provided for labels and messages in the user interface, customizing these items in each translation pack. To customize label and message text for a translation pack, do one of the following:
• Go to Configuration > Translations > Translation Packs, and then click the Override Translations link for a translation pack in the list. The Edit Translations form opens.
Table 63: The Translation Pack Configuration Form

| Field | Description |
|---|---|
| Name, Display Name, Language Code, Locales | These fields show the information for this translation pack and cannot be edited on this form. |
| Enabled | If selected, enables this translation pack. If this translation pack should not be enabled at this time, leave this check box unselected. Each language code can have only one corresponding translation pack enabled at a time. |
Chapter 6 Advertising Services

Advertising Services lets you deliver marketing promotions and advertisements to your users on a variety of Guest Management registration, receipt, and login pages. To work with W-ClearPass Guest Advertising Services, go to Configuration > Advertising > Start Here.
Materials and promotions are then organized into advertising campaigns that run over a specified date range and with a specified priority (rank and weight).

Campaigns

An advertising campaign is the strategy by which you organize the presentation of your ads. It defines which promotions and materials to deliver, and when they should be delivered. You can rank and weight a campaign to balance it against other campaigns.
Topics in the tutorial cover how to create materials, promotions, and campaigns and configure spaces. You can view the finished product of the practice exercises. Tips are provided on how to troubleshoot the different stages of the process.

Navigating the Tutorial

Table 64: Tutorial Navigation Elements

| To: | Do This: |
|---|---|
| Move through the tutorial sequentially | Click the Continue link in the bottom right corner next to the count of completed tasks. |
Columns show the page group, the type of page, and the number of child pages in that group. For example, the Guest Management page group has four child pages and the Guest Self-Registration page group has eight child pages, as shown in the following table.
In the General Properties area of the form, select either the page group or page and configure the basic properties. If you leave the Edit Page form set to the parent page, your edits will apply to the parent page of the group and to all the child pages in the group. To override these settings for a child page, you must click Show Children, and then click the Page advertising settings link for the child page.

Table 67: General Properties, Edit Page

| Field | Description |
|---|---|
| Page | The page group being edited. |
In the Space Options area of the form, set the options that control which advertising spaces can be shown on this page. The final set of advertising spaces that is used is determined by first applying the Allowed Spaces policy, and then applying the Denied Spaces policy.

Table 68: Space Options, Edit Page

| Field | Description |
|---|---|
| Allowed Spaces Policy | Specifies which spaces to use. |
In the Campaign Options area of the form, set the options that control which campaigns can deliver advertising on this page. The final set of advertising campaigns that is used is determined by first applying the Allowed Campaigns Policy, and then applying the Denied Campaigns Policy.

Table 69: Campaign Options, Edit Page

| Field | Description |
|---|---|
| Allowed Campaigns Policy | Specifies which campaigns to use. |
| Field | Description |
|---|---|
| | row. Deny advertising from all campaigns—Denies advertising from all campaigns for this page. Suggestion: You can also use this field to specify an exception to an "Allow advertising from all campaigns" setting. |
| Denied Campaigns | If Deny advertising from... is selected, use the controls in this field to specify the denied campaigns. |
| Preview | Displays a preview of the form showing your changes. |
To see which Location value a space uses, review the Location column in the Advertising Spaces list view ("Advertising Spaces" on page 323). Advertising spaces support a number of preset Location options as well as custom locations via the Other Location field.
Table 71: Values for the media Parameter

| Value | Description |
|---|---|
| sms | Specify this value to deliver SMS advertisements only. |
| web | Specify this value to deliver Web and Email advertisements only. |

stage
The value of the Stage field that must be set for an advertising campaign to be matched. You must specify a stage value. The nwa_adspace tag will be unable to match any advertising campaigns if you do not specify this parameter. The stage parameter is used when processing advertising campaigns.
style
The style attribute of the HTML container element. This parameter is only relevant when the media parameter is set to web and an HTML tag name has been specified for the container parameter. If you specify a container, you can use the style parameter to specify style attributes for the container. The style parameter is optional.

Advertising Spaces

Spaces are the areas of a page that are defined for advertising content.
Table 73: Advertising Spaces List

| Field | Description |
|---|---|
| Edit | Edit any of the space's properties. See "Creating and Editing Advertising Spaces" on page 324. |
| Delete | Deletes a custom space. You will be asked to confirm the deletion. Not available for built-in spaces. |
| Enable | Enable the space so advertising will be displayed in it. Before advertising will be delivered in an enabled space on a specific page, the page's settings also need to allow advertising in the space. |
In the General Properties area of the form, set the basic properties for the space:

Table 74: General Properties, Edit Space

| Field | Description |
|---|---|
| Name | (Required) Name that clearly identifies this space. For a built-in space, this cannot be edited. |
| Enabled | If selected, allows advertising to be shown in this space. If this check box is not selected, the space will not show any advertisements. |
"Other Location" Example If you wanted to add a custom advertising space that is positioned on the far-right edge of the registration page, you could do it as shown in the following example: 1. Choose Other - for user defined locations in the Location field. 2. In the Other Location field, create the name custom_right. 3.
Table 75: Geometry Options, Edit Space

| Field | Description |
|---|---|
| Screen Types | Limits the types of screen that will show this space. This setting only applies to Web advertising. Options include: • All Screens — show on both small and large screens—Ignores the detected screen type. • Small Screens — show on small screens only (phones; mobile devices)—This space will only be shown if the user's device is detected to be a small-screen device. |
• Two rows with heights 60 and 40
• Two rows with heights 50 and 50
• One row of height 80
• One row of height 100

"Maximum Width" Example

If a maximum width was specified, the system will only output as many columns as will fit within the maximum width constraint for the space.
Advertising Campaigns

An advertising campaign is the strategy by which you organize the presentation of your ads. It defines which promotions and materials to deliver, and when they should be delivered. The system requires at least one advertising campaign to be configured and enabled for any advertisements to be delivered. To create and work with advertising campaigns, go to Configuration > Advertising > Campaigns. The Advertising Campaigns list view opens.
• On the registration receipt
• On the self-service portal pages
• Immediately after login
• On the SMS registration receipt

You can edit advertising campaigns, and you can create new advertising campaigns.
• To edit an advertising campaign, go to Configuration > Advertising > Campaigns, and then click the Edit link for a campaign in the list. The Edit Campaign form opens.
• To create a new advertising campaign, click the Create new advertising campaign link in the upper-right corner.
| Field | Description |
|---|---|
| Rank | (Required) Applies a relative rank to the campaign, which defines the order in which campaigns are processed when delivering ads. A rank of 1 is higher than a rank of 2. For information about campaign ranks, see "Campaign Rank and Weight" on page 332. |
| Weight | (Required) Applies a weight to a campaign. If two campaigns have equal rank, one with a greater weight will be displayed more than the other. For information about campaign weights, see "Campaign Rank and Weight" on page 332. |
| Field | Description |
|---|---|
| | None |
| With SelfService | Select the promotion to deliver on the self-service portal pages. To not display ads at this stage, select None. |
| After Login | Select the promotion to deliver when the user has logged in. To not display ads at this stage, select None. |
| With Receipt | Select the promotion to deliver on the SMS registration receipt. To not display ads at this stage, select None. |

Campaign Rank and Weight

Each advertising campaign must be assigned a rank and weight.
All advertising promotions that have been created are included in this list. You can click a promotion's row in the list for additional options.

Table 80: Advertising Promotions List

| Field | Description |
|---|---|
| Edit | Edit any of the promotion's properties. See "Creating and Editing Advertising Promotions" on page 333. |
| Delete | Delete the promotion from the system. You will be asked to confirm the deletion. |
| Enable | Enable the promotion so it will provide advertisements. |
| Disable | Disable the promotion. |
In the General Properties area of the form, set the basic properties for the promotion:

Table 81: General Properties, Edit Promotion

| Field | Description |
|---|---|
| Name | (Required) Name that clearly identifies this promotion. |
| Enabled | If selected, allows this promotion to deliver ads. If this check box is not selected, no ads will be provided by this promotion. |
| Start Date | (Optional) Date and time when the promotion can start providing ads. |
Depending on the selection in the Type field, the next area of the form will be either Rotating Content, Weighted Content, Fixed Content, or Labeled Content. In this area, set the options that control the content of the promotion.

Table 82: Rotating, Fixed, Weighted, or Labeled Content, Edit Promotion

| Field | Description |
|---|---|
| Content | For fixed content, select a single content item for the promotion. |
| Content Items | (Required) For rotating or weighted content, all items in this list are initially selected. |
In the Intelligence area of the form, set the options that control intelligent delivery of content for the promotion:

Table 83: Intelligence Options, Edit Promotion

| Field | Description |
|---|---|
| Enabled | If selected, allows a more selective delivery by matching user labels to material labels. (Material also inherits labels from the promotions that include it) |
| Requirement Levels | How often the specified labels should be matched. These settings override the Default Level in the next field. |
6. After the promotions and materials that include the labels and intelligent delivery configuration are complete, include them in a campaign (see "Creating and Editing Advertising Campaigns" on page 329).
7. When a user visits the pages while the campaign is running, Advertising Services displays ads with the labeled content that matches the user's attributes.

When you create labels in the Edit Promotion or Edit Materials forms, they are created as "tags" in the system.
Table 84: Advertising Materials List

| Field | Description |
|---|---|
| Edit | Edit any of the material's properties. See "Creating and Editing Advertising Materials" on page 338. |
| Delete | Delete the material from the system. You will be asked to confirm the deletion. |
| Disable | Disable the material. To make the material active again, click the Enable link. |
| Copy | Make a copy of the material's settings to use as a basis for a new material. |
| Create new advertising promotion | Create a new advertising material. |
| Field | Description |
|---|---|
| Description | Optional comments or notes about the material. |
| Labels | To apply labels to this material, enter the labels in this field. To create new labels, enter the new label names separated by commas or new lines. The system creates each new label as a "tag". If some labels were already created, clicking in this field displays a list of the existing label tags to choose from. If you include labels here, promotions will detect this material as labeled content. |
| Field | Description |
|---|---|
| | down list to add images or other content items. |
| Preview | (HTML code) Preview of the HTML. The preview is updated when you modify the contents of the Template Code field. |
| Hyperlink | (Image advertisement; Text advertisement) The destination page URL to which the advertisement is linked. To not associate a destination URL with the advertisement, leave this field blank. |
| Image | (Image advertisement) The image file for the advertisement. |
Chapter 7 Hotspot Manager

The Hotspot Manager controls self-provisioned guest or visitor accounts. This is where the customer is able to create his or her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts.

Accessing Hotspot Manager

To access Dell Networking W-ClearPass Guest’s hotspot management features, go to Configuration > Hotspot Manager.
About Hotspot Management

The following diagram shows how the process of customer self provisioning works.

Figure 35 Guest self-provisioning

• Your customer associates to a local access point and is redirected by a captive portal to the login page.
• Existing customers may log in with their Hotspot username and password to start browsing.
• New customers click the Hotspot Sign-up link.
• On page 1, the customer selects one of the Hotspot plans you have created.
The Enable guest access self-provisioning check box must be selected for self-provisioning to be available. The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows an HTML message to be displayed to visitors if self-provisioning has been disabled. See "Smarty Template Syntax" on page 480 in the Reference chapter for details about the template syntax you may use to format this message.
The Manage Hotspot Plans page opens, showing the list of default plans. Plans that are enabled have their name in bold and their icon in color. Plans that are not enabled have their icon in gray.
• To create or edit an existing plan, see "Editing or Creating a Hotspot Plan" on page 345.
• To delete a plan, click the undo the deletion. Delete button in the plan’s row.
Figure 37 Edit Hotspot Plan, User Account Details

4. In the User Account Details area, you can specify the usage of numbers, letters, and symbols in the generated username and password. To use only digits, leave the value in the Generated Username and Generated Password fields set to ######.
• CyberSource
• eWAY
• Micros Fidelio
• Netregistry
• Paypal
• WorldPay

W-ClearPass Guest also includes a Demo transaction processor that you can use to create hotspot forms and test hotspot transactions.

Creating a New Transaction Processor

The Transaction Processor Configuration form is used to create and to edit transaction processors. To define a new transaction processor:
1.
• Signature
• Test Environment URL
• Test WSDL
• Transaction Key
• Transaction Password
• Transactions Timeout

If your transaction processor requires visitors to enter their address, W-ClearPass Guest will automatically include address fields in the guest self-registration forms that use that transaction processor.

Managing Existing Transaction Processors

After you define a transaction processor, it is included in the transaction processor list.
To customize the hotspot invoice:
1. Go to Configuration > Hotspot Manager > Start Here and then click the Manage Hotspot Invoice link. The Manage Hotspot Invoice form opens.
2. The Invoice Title must be written in HTML. See "Basic HTML Syntax" on page 477 for details about basic HTML syntax.
3. Complete the rest of the fields appropriately. You can use Smarty functions on this page. See "Smarty Template Syntax" on page 480 for further information on these.
To customize how this page is displayed to the guest, go to Configuration > Hotspot Manager > Start Here, click the Manage Hotspot Sign-Up link, and then click the Customize page 1 (Choose Plan) link in the upper-right corner. The Edit Hotspot Plan Selection Page form opens. You can use this form to edit the title, introductory text, and footer of the “Choose Plan” page. The introduction and the footer are HTML text that can use template syntax.
Customizing Visitor Sign-Up Page Two

Page two of the guest self-provisioning process asks the guest to provide their personal details and payment method. The example below shows the default “Your Details” page if the customer chooses to pay for the Hourly Access plan. Although it is not shown in this illustration, the default page also includes footer text providing information about privacy policies and security pertaining to the data collected by this page.
The example below shows the default “Your Details” page for a customer who chooses the Free Access plan. To customize how the “Your Details” page is displayed to the guest, go to Configuration > Hotspot Manager > Start Here, click the Manage Hotspot Sign-Up link, and then click the Customize page 2 (Customer Details) link in the upper-right corner. The Edit Hotspot User Details Page form opens.
See "Smarty Template Syntax" on page 480 for details about the template syntax you may use to format the content on this page.
Customizing Visitor Sign-Up Page Three Page three of the guest self-provisioning process provides the customer an invoice containing confirmation of their transaction and the details of their newly created wireless account. An example of the default “Your Receipt” page is shown below.
See "Smarty Template Syntax" on page 480 for details about the template syntax you may use to format the content on this page. Viewing the Hotspot User Interface The Hotspot Manager allows you to view and test Hotspot self-provisioning pages, as well as log in to and view the Hotspot self-service portal that allows customers to view their current account expiration date, purchase time extensions, log out of the Hotspot, or change their user password.
Chapter 8 Administration The Administration module provides tools used by a network administrator to perform both the initial configuration and ongoing maintenance of Dell Networking W-ClearPass Guest. Accessing Administration To access Dell Networking W-ClearPass Guest’s administration features, click the Administration link in the left navigation. Figure 39 The Administration Module’s Left Navigation
AirGroup Services This section describes creating and managing AirGroup controllers and configuring the AirGroup plugin, and provides links to other AirGroup steps performed in Dell Networking W-ClearPass Guest. For an overview of AirGroup functionality, see "AirGroup Deployment Process" on page 28. For complete AirGroup deployment information, refer to the AirGroup sections in the Dell Networking W-Series ArubaOS User Guide and the W-ClearPass Policy Manager documentation.
Table 87: AirGroup List Options

| Field | Description |
|---|---|
| Show Details | View details for the AirGroup controller: Name, hostname or IP address and port number, configuration status, last polling time, currently defined roles and AP groups, and AP database details. See "AirGroup Controller Details" on page 359. |
| Edit | Edit the AirGroup controller's attributes. The Edit AirGroup Controller form opens. For more information, see "Creating and Editing AirGroup Controllers" on page 359. |
1. Go to Administration > AirGroup Services > Controllers, then either click Create AirGroup controller at the top of the form, or click a controller's Edit link. The Create Controller form opens.

Table 88: Create AirGroup Controller

| Field | Description |
|---|---|
| Name | Short name that identifies the controller clearly. AirGroup controller names can include spaces. |
| Description | Additional useful information about the controller. |
| Enabled | Enables Policy Manager's AirGroup notification service for the controller. |
Configuring AirGroup Services

To enable support for dynamic notification of AirGroup events when new devices are added, each AirGroup-enabled controller must also be defined in Dell Networking W-ClearPass Guest. Configuration options include specifying roles to exclude from the user interface, and setting an automatic polling schedule, message parameters, and logging levels. To configure AirGroup Services, go to Administration > AirGroup Services > Configuration. The Configure AirGroup Services form opens.
Field Description When a poll is run, you may click Show Details in the Controllers list to view the updated configuration. For more information, see "AirGroup Controllers" on page 358. Automatic polling is run only on the publisher node. Group Names Enter names of shared groups that should be available in the Shared Groups field for users to choose from when they share a device.
When you choose the diagnostic you want to run, the form expands to include fields for identifying information. When you enter the information and click Submit, the results of the query are displayed below the form. To run another diagnostic, click the Reset Form link before selecting the diagnostic.

Table 90: AirGroup Diagnostics

| Field | Description |
|---|---|
| Show information about a device | Enter the device's MAC address. |
Creating AirGroup Operators AirGroup Operators are users of Dell Networking W-ClearPass Guest who can provision a limited number of their own personal devices. Each device provisioned by an operator is automatically shared with all of that operator’s provisioned devices. The operator can also define a group of other users who are allowed to share the operator’s devices. The AirGroup Operator profile is automatically created in W-ClearPass Guest when the AirGroup Services plugin is installed.
3. Search results are returned to the portal user, who can then select one of the matching items, or continue typing to further narrow the search.

Configuration Summary

To configure LDAP user search for AirGroup, you will:
1. Create a W-ClearPass Guest LDAP server
2. Enable user search for this server
3. Configure the user interface for the airgroup_shared_user field
4. Specify user search options for the user interface

Each of these steps is described in the following sections.
User Search Settings

In the User Search area of the Edit Authentication Server form:

Table 92: Edit Authentication Server, User Search

| Field | Description |
|---|---|
| Enabled | Mark the Use this server to search for matching users checkbox. The form expands to include additional options. |
| Filter | (Required) Select one of the following options: Use the default LDAP filter—Uses an LDAP filter suitable for an Active Directory search operation. |
- sAMAccountName = id—The username is used as the value for a selected item.
- displayName = text—The user’s full name is displayed as the label for a matching item.
- # title = desc—Commented out and not used by default. Enables the title of the user to be shown in the description.
- userPrincipalName = desc—The user’s email address is displayed as descriptive text for a matching item.
In the Advanced Properties area of the form, you will customize the user interface for single and multiple-selection capabilities.

Table 94: Advanced Properties, Relevant Fields

| Field | Description |
|---|---|
| Advanced | Select the Show advanced properties check box. Additional configuration options are added to the form. |
| Select2 Options | Used to customize the user interface for the “select2” control, which provides both single and multiple-selection capabilities. Default values are preconfigured for these fields. |
| Option | Description |
|---|---|
| resultsCss.max-height = 400px | Specifies that the list of matching items should be up to 400 pixels in height. Additional CSS properties may be specified using the “resultsCss” value, if required. |
| ajax.dataType = sajax | Specifies that the field should use a dynamic query mechanism to look up a search term. This parameter should not be changed. |
| ajax.url = NwaAirGroupUserSearchAjax | Specifies that the field should perform a user search. This parameter should not be changed. |

ajax.args.
To change the behavior of the “select2” control, you need to attach a JavaScript function definition to one or more properties of the hook function’s argument. The hook function may also set or update any of the properties specified in the “Select2 Options”. A simple example is included as the default value with the airgroup_shared_user field: function (args) { args.formatInputTooShort = function (text) { return "Start typing a user name.
- There is no additional license fee for these devices: Although MACTrac is part of W-ClearPass Guest, MACTrac device registrations do not count against the W-ClearPass Guest license.
- As with other W-ClearPass Guest forms and views, the MACTrac user interface can be customized by adding a custom skin or options such as an "Add Another Device" button.
MACTrac operators can create and manage multiple device accounts. Options include editing, printing details, disabling, and deleting accounts. To work with MACTrac devices, log in to W-ClearPass Guest as a MACTrac operator and go to Guest > List Devices. The MACTrac Devices list view opens. All MACTrac devices that have been registered are included in the list. You can click a device account's row in the list for additional options:
- To edit any of a device account's attributes, click its Edit link.
- To disable or delete a device account, click its Remove link. A confirmation dialog opens. You may specify either Disable or Delete, then click Make Changes. To enable a disabled account, click its Activate link.

Registering MACTrac Devices

The Register Device form is used by MACTrac operators to create their device accounts on their local network. There is no limit to the number of accounts an operator can create, and no expiration time is set on device accounts. To register a MACTrac device: 1.
3. (Optional) Enter a name for the device in the Device Name field. 4. (Optional) The Device Type field is prepopulated if detected, and indicates whether it is a computer, printer, or other type of device. 5. (Optional) The Device Platform field is prepopulated if detected, and indicates whether it is a Windows, Mac, Linux, or Android platform, and whether it is a mobile phone. 6.
API Services API Services includes all APIs and API-related privileges that are available for W-ClearPass Guest. To work with API services, go to Administration > API Services.
Table 98: AirGroup List Options

| Field | Description |
|---|---|
| Edit | Edit the API client's attributes. The Edit API Client form opens. For more information, see "Creating and Editing API Clients" on page 376. |
| Disable | Disables the API client. You will be asked to confirm the action. Disabling an API client also invalidates any access tokens, refresh tokens, or authorization codes associated with it. |
| Enable | Enables a disabled API client. |
| Delete | Deletes the API client. You will be asked to confirm the deletion. |
- BYOD Operator
- Device Registration
- Help Desk
- Network Administrator
- Null Profile
- Operations and Marketing
- Read-only Administrator
- Receptionist
- Super Administrator

| Field | Description |
|---|---|
| Grant Type | (Required) Specifies the OAuth2 grant type authentication method to be used with this API client ID. Only the selected authentication method will be allowed. |
Configuring the API Framework Plugin The API Framework plugin supports OAuth2 authentication and authorization, and provides all application programming interface (API) services for W-ClearPass Guest. Settings you can configure for this plugin include the access token lifetime, the authorization code lifetime, the refresh token lifetime, and the API logging level.
| Field | Description |
|---|---|
| API Logging | (Required) Specifies the logging level for API-related events. Options include: Disabled - do not log API-related events; Standard (Recommended) - log basic information; Extended - log additional information (this option logs all API calls); Debug - log debug information; Trace - log all debug information |
| Save Configuration | Commits your changes. |
- Read Only
- Full
- Allow Access

5. If you want to allow the API operator profile to query for Guest Manager configuration settings, set the Manage Customization privilege to Read Only access.
6. Complete the rest of the settings appropriately for the operator profile and then click Save Changes.

About OAuth

W-ClearPass 6.4 and later support the OAuth 2 specification (RFC 6749) for accessing a new set of modern APIs.
specification does not dictate whether they should be co-located or separated. For simplicity, the rest of this document assumes the resource server and authorization server are co-located on the same server. OAuth2 Client or App Before any OAuth transactions can be processed, the first step is to register a new app with the service (API Client definition in W-ClearPass).
The following diagram shows the transaction flow of the password grant type.
1. The user enters credentials directly into the app’s native user interface. The app should not cache user credentials under any circumstances.
2. The app submits the user credentials to the authorization server. Credentials include grant_type=password, user, password, client_id, and client_secret. The client_secret is not required if the OAuth2 app is defined as a public client.
3.
1. The first-party app submits an access token request to the authorization server. This includes grant_type=client_credentials, client_id, and client_secret.
2. The resource server returns the access token to use in subsequent API calls. This includes access_token, expiry time, and token_type=bearer.
3. The app includes the access token in the HTTP Authorization header. This includes Bearer access_token.
4. The resource server returns the authenticated API payload.
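The four steps above as a runnable exchange, added here as an illustration and not taken from the W-ClearPass documentation or product code. The stub server, the /oauth and /guest paths, the form-encoded request body (RFC 6749 section 4.4) and every credential value are assumptions constructed for the example.

```python
# Client-credentials exchange (steps 1-4 above) against a local stub server. Assumed for the
# example: the /oauth and /guest paths, form-encoded token request, all credential values.
import hmac
import json
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CLIENT_ID = "example-app"             # constructed sample value
CLIENT_SECRET = "constructed-secret"  # constructed sample value
ISSUED_TOKEN = "constructed-access-token"
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # local stub: no proxy


class StubServer(BaseHTTPRequestHandler):
    """Authorization and resource server co-located, as the text assumes."""

    def _reply(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):  # steps 1 and 2: token request in, access token out
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        secret = form.get("client_secret", [""])[0]
        valid = (self.path == "/oauth"
                 and form.get("grant_type") == ["client_credentials"]
                 and form.get("client_id") == [CLIENT_ID]
                 and hmac.compare_digest(secret.encode(), CLIENT_SECRET.encode()))
        if not valid:
            return self._reply(400, {"error": "invalid_client"})
        self._reply(200, {"access_token": ISSUED_TOKEN, "expires_in": 3600, "token_type": "bearer"})

    def do_GET(self):  # steps 3 and 4: bearer token in, API payload out
        presented = self.headers.get("Authorization", "").encode()
        if not hmac.compare_digest(presented, ("Bearer " + ISSUED_TOKEN).encode()):
            return self._reply(401, {"error": "invalid_token"})
        self._reply(200, {"items": []})

    def log_message(self, *args):  # silence per-request logging
        pass


class ApiClient:
    """First-party app: fetches a token and reuses it until shortly before expiry."""

    def __init__(self, base_url, client_id, client_secret):
        self.base_url = base_url
        self._id, self._secret = client_id, client_secret
        self._token, self._expires_at = None, 0.0

    def _request_token(self):
        form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": self._id,
                                       "client_secret": self._secret}).encode()
        with OPENER.open(self.base_url + "/oauth", data=form, timeout=5) as resp:
            reply = json.load(resp)
        if reply.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type in token response")
        self._token = reply["access_token"]
        self._expires_at = time.monotonic() + reply["expires_in"] - 30  # refresh early

    def get(self, path):
        if self._token is None or time.monotonic() >= self._expires_at:
            self._request_token()
        req = urllib.request.Request(self.base_url + path,
                                     headers={"Authorization": "Bearer " + self._token})
        with OPENER.open(req, timeout=5) as resp:
            return json.load(resp)


def status_of(call):  # HTTP status of a failing call, or 200 if it succeeded
    try:
        call()
        return 200
    except urllib.error.HTTPError as exc:
        return exc.code


def run_demo():
    # Plain HTTP on loopback keeps the demo offline; a real deployment uses HTTPS.
    server = HTTPServer(("127.0.0.1", 0), StubServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        payload = ApiClient(base, CLIENT_ID, CLIENT_SECRET).get("/guest")
        wrong_secret = status_of(lambda: ApiClient(base, CLIENT_ID, "wrong").get("/guest"))
        no_token = status_of(lambda: OPENER.open(base + "/guest", timeout=5))
        return payload, wrong_secret, no_token
    finally:
        server.shutdown()
        server.server_close()
```

run_demo() returns the API payload for the valid client, then the status codes for a wrong client_secret and for a call made without a bearer token.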
Viewing Available Web Services To view the Web services available in Dell Networking W-ClearPass Guest: 1. Go to Administration > Web Services > List Web Services. The Available Web Services list view opens. 2. To view details for a service, click its image in the Web Service field. The row expands to include the Service URL and Service Info fields for that Web service. 3. The Service Info field briefly describes the processes this Web service provides.
4. When you have finished reviewing the available Web services, click Done. Configuring Web Services To configure the SOAP Web Services plugin: 1. Go to Administration > Web Services > Configure Web Services. The Configure Web Services form opens. 2. To allow operators to make WSDL requests without being logged in, mark the check box in the WSDL Access field. 3. Use the counter in the Maximum Request Size field to set the maximum size in kilobytes that will be allowed for a SOAP request. 4.
Audience This API is intended for developers of applications that must interoperate with a W-ClearPass Guest-based visitor management solution. Solution developers are assumed to be familiar with HTTP-based Web services and the associated concepts and technologies related to these services, including Extensible Markup Language (XML), XML Schemas, Web Service Definition Language (WSDL), and the Simple Object Access Protocol (SOAP).
- At the lowest level, the kernel provides basic functions common to the entire system. This includes the Web interface framework, appliance operating system, and runtime support services.
- The network layer provides critical networking support, including the RADIUS server and the ability for network administrators to manage and control the networking aspects of the appliance.
- The services layer provides one or more implementations of application services that are used by the layers above.
Table 101: Fault Codes and Descriptions

| Fault | Reason for Fault |
|---|---|
| Client.BadRequest | Request exceeds the maximum allowable size. Increase the maximum SOAP request size, or reduce the size of the request. |
| Client.Authentication | Invalid username or password. Check that the credentials supplied are correct. |
| Client.MethodNotFound | The SOAP method request was not found. |
| Client.Error | Another non-specific client error occurred. Check the for more details. |

Server.
SOAP Debugging Select a higher level for the SOAP Debugging configuration option to log additional details to the application log. To access the application log, go to Administration > Plugin Manager > Application Log. At the highest debugging level of 4, every SOAP request and response will be logged including full HTTP headers and contents, which may be useful when trying to identify the exact cause of a problem. Because the SOAP API uses HTTP Basic authentication, the logged request headers include the operator's credentials, so limit who can read the application log while this level is in use.
After you have created a suitable operator profile, create the operator login. See "Local Operator Authentication" on page 464 and "External Operator Authentication" on page 465, or refer to the "Configuring LDAP Operator Logins" article on Arubapedia. Accessing the WSDL Use the List Web Services command link to browse the available Web services and obtain additional details about each one.
In the Web Service field, click the icon for GuestManager Web Services to view the Service URL and additional information about the service. If the "Allow anonymous access to WSDL" option is specified in the SOAP Web Services configuration, accessing the WSDL through the specified Service URL does not require logging in to the W-ClearPass Guest user interface. For more information, see "Configuring Web Services" on page 385.
The Add Service Reference dialog box appears. Enter the Service URL for the GuestManager Web Services into the Address box, and click the Go button. The WSDL is downloaded, and a list of the Web services and operations found is displayed. In the Namespace text field, type in a name. This name is used to organize the automatically generated code that interfaces with the Web service. Click the OK button to create the Web service reference.
Configuring HTTP Basic Authentication Performing a simple API call, such as the “Ping” operation described in "Operations" on page 398, can be used to verify that the Web service is correctly configured and ready for use. Because the SOAP API requires HTTP Basic authentication, ensure that you have a suitable operator profile and operator login credentials, as explained in "Using the SOAP API" on page 388. Configuring the Web service reference to use authentication requires editing the app.
The following code can now be added to invoke the Ping operation and display the result. When invoked, this performs the Ping operation and displays the following output: Securing Web Services Using HTTPS Because HTTP Basic authentication is insecure, it is strongly recommended that the HTTPS transport be used for all SOAP API calls.
Additionally, if a self-signed certificate is being used on the remote server, you will need to provide a suitable ServerCertificateValidationCallback implementation to validate the peer’s certificate. The following code is a minimal implementation that accepts all server certificates without verification:
// Trust self-signed certificates
System.Net.ServicePointManager.
Table 102: XML Namespaces

| Component | XML Namespace |
|---|---|
| SOAP Envelope | http://schemas.xmlsoap.org/wsdl/soap/ |
| SOAP Encoding | http://schemas.xmlsoap.org/soap/encoding/ |
| WSDL | http://schemas.xmlsoap.org/wsdl/ |
| XML Schema | http://www.w3.org/2001/XMLSchema |
| SOAP Addressing | |

Web Service Endpoint

The endpoint of the SOAP service is located at the relative URL: soap_guestmanager.php.
- Example:

IdType

Specifies a user ID. The user ID is a positive integer value, starting at 1.

- Example:

ResultType

Operations return a standard result type. The flag indicates if the operation completed successfully. If the operation failed, the contains a description of the error.

- Example of a successful operation:
- Example of a successful operation with message:
- Example of an unsuccessful operation:

UserResultType

Standard result type, with an optional element.
- Example of an unsuccessful operation:

UserType

The User type defines a visitor account, which consists of a number of fields. The fields available may be customized in Guest Manager. Go to Guest Manager > Configuration > Fields to create new fields or modify existing fields. Adding or removing fields will update the UserType schema in the WSDL for GuestManager Web Services. Ensure that you update any clients using this WSDL if the fields are modified.
- The standard business logic for visitor account creation applies to visitor accounts created with the SOAP API. For details, refer to the section “Business logic for account creation” in the W-ClearPass Guest User Guide, or search for this term in the online help.
- The creator_accept_terms field must be set to the Boolean value “true” in order to create an account.
- A value for the role_id field must be specified to create a visitor account.
Successful response: Failure response: DeleteUser Deletes a user account by ID or matching fields
- This operation deletes a single visitor account that matches all of the field values specified in the user parameter.
- Exactly one account must match; if more than one match is found, or if no match is found, an error will be returned and no visitor accounts will be deleted.

Example code implementing visitor account deletion: Example request for DeleteUser: Successful response:
Failure response:

EditUser

Modifies properties of a user account by ID.
- This operation modifies the properties of a visitor account to match the field values specified in the user parameter.
- The id field must be specified to indicate the ID of the visitor account to modify. This field is assigned by the system when the visitor account is created and cannot be changed.

Example code implementing visitor account modification:
Example request for EditUser: Successful response: Failure response: FindUser Returns properties of a user account by matching fields.
- This operation locates a single visitor account that matches all of the field values specified in the user parameter.
- Exactly one account must match; if more than one match is found, or if no match is found, an error will be returned.
- If a visitor account was found, its properties will be returned in the element of the result.

Example code implementing search for a visitor account based on a username.
Successful response: Failure response: GetUser Returns properties of a user account by ID.
- Returns a element corresponding to the visitor account with the specified ID.
- If the specified ID is invalid, no element is returned and the flag is set to 1.

Example code implementing a guest lookup operation: Example request for GetUser: Successful response: Failure response -- for example, user ID not found:
Ping

Checks that the SOAP server is alive.
- Returns a standard result type with the message set to "pong".

Example code implementing a Ping test operation. Example request for Ping: Successful response:
The XML-RPC Interface and API

This section describes the XML-RPC interface available to third-party applications that will integrate with the Dell Networking W-ClearPass Guest Visitor Management Appliance.

Audience:
- Developers of integrated applications. Some familiarity with HTTP based web services and XML-RPC is assumed.
- System administrators of the W-ClearPass Guest application.

System Requirements:
- W-ClearPass Guest 6.1.
At the lowest level, the kernel provides basic functions common to the entire system. This includes the Web interface framework, appliance operating system, and runtime support services. The network layer provides critical networking support, including the RADIUS server and the ability for network administrators to manage and control the networking aspects of the VMA. The services layer provides one or more implementations of application services that are used by the layers above.
Parameter Names The parameter names passed to the XML-RPC interface are the same as the field names in the HTML user interface. Parameter Validation Each field of the forms in the HTML user interface is subject to validation according to the rules defined for that field. The same rules also apply to XML-RPC parameters. If a required field is missing, or an invalid value for a field is supplied, an error is generated by the presentation layer and returned to the XML-RPC client.
Table 104: XML-RPC Faults

| Name | Type | Description |
|---|---|---|
| error | Flag | Set to 1 for an XML-RPC Fault |
| faultCode | Integer | Status code indicating the cause of the fault |
| faultString | String | Description of the fault |

This type of return might appear as:
'error' => 1,
'faultCode' => 401,
'faultString' => 'Invalid username or password',

These are the predefined XML-RPC Fault codes:

Table 105: XML-RPC Faults

| Code | Description |
|---|---|
| 401 | Authentication problem -- invalid username or password |
| 404 | File implementation of XM |
7. Click Save Changes. The profile is added to the Operator Profiles list. Creating the Role After you create the profile, the next step is to create the role: 1. In W-ClearPass Policy Manager, go to Configuration > Identity > Roles and click the Add User link. The Add New Role form opens. 2. Enter a name and description that clearly identify the role. 3. Click Save. The role is added to the Roles list. Creating the Local User After you create the role, you create the local user: 1.
2. In the Role drop-down list, choose the XML-RPC Operator role you created. 3. Complete the rest of the fields appropriately, then click Add. The new XML-RPC operator is added to the Local Users list. Creating the Translation Rule After you have created the profile, role, and local user (operator), create a translation rule to map the role name to the operator profile. 1. In W-ClearPass Guest, go to Administration > Operator Logins > Translation Rules and click the Create new translation rule link.
SSL Security Different levels of certificate validation checks may be necessary, depending on the SSL certificate that has been installed. This corresponds to the user interface provided by Web browsers for certificate trust and verification. The examples presented in this document assume a self-signed certificate has been installed, and reduce the level of SSL verification accordingly.
- "Method amigopod.mac.create" on page 426
- "Method amigopod.mac.edit" on page 428
- "Method amigopod.mac.list" on page 430

Method amigopod.guest.change.expiration

Change the expiration time of a guest account.
'error' => 1,

Method amigopod.guest.create

Create a new guest account.

Parameters

| Name | Type | Description |
|---|---|---|
| sponsor_name | String | Name of the person sponsoring the guest account. |
| visitor_name | String | Name of the visitor. |
| visitor_company | String | Company name of the visitor. |
| email | String | The visitor's email address. This will become their username to log in to the network. |
| expire_after | Numeric | Amount of time before the account will expire. Specified in hours. |
Example Usage Sample parameters for the call: 'sponsor_name' => 'Sponsor Name', 'visitor_name' => 'Visitor Name', 'visitor_company' => 'Visitor Company', 'email' => 'demo@example.com', 'expire_after' => 4, 'expire_time' => '', 'role_id' => 2, 'visitor_phone' => '0', 'creator_accept_terms' => 1, Result returned by a successful operation: 'username' => 'demo@example.
| Name | Type | Description |
|---|---|---|
| uid | Integer | ID of the guest account to delete |
| delete_account | Flag | Set to 0 to disable the guest account, 1 to delete the guest account |

Return Values

This function might return a Boolean false value if some input parameters are invalid.
Method amigopod.guest.edit Change one or more properties of a guest account.
Return Values

| Name | Type | Description |
|---|---|---|
| error | Flag | Set to 1 if the guest account was not modified |
| message | String | Message describing the success or failure of the operation |
| item | Struct | User structure containing updated field values |
| uid | Integer | ID of the guest account |
| *_error | String | Field-specific error message |
| *_error_flag | Flag | Field-specific error flag, set to 1 if present |

Access Control

Requires the full_user_control privilege (Guest Manager > Full User Control in the Operator Profile Edit
'password_value' => '', 'schedule_time' => '', 'expire_time' => '', 'user_enabled' => '', 'username_error' => 'You cannot leave this field blank.
Access Control Requires the remove_account privilege (Guest Manager > Remove Accounts in the Operator Profile Editor). Example Usage Sample parameters for the call: 'uid' => '162', Sample successful call: 'error' => 0, 'message' => 'Guest account has been re-enabled', 'item' => array ( 'id' => 162, 'enabled' => 1, 'username' => '', ), Sample failed call: 'error' => 1, 'message' => 'Account not found: ID 162', Method amigopod.guest.get List one or more guest accounts.
array ( 0 => 150, 1 => 162, ), 'users' => array ( 0 => array ( 'id' => '150', 'username' => '44454318', 'enabled' => '1', 'role_id' => '2', 'email' => '', 'notes' => 'GuestManager account 22 of 30 created by root from 192.168.2.3', 'do_expire' => '0', 'expire_time' => '', 'simultaneous_use' => '1', 'expire_postlogin' => '0', 'do_schedule' => '0', 'schedule_time' => '', 'ip_address' => '', 'netmask' => '', ), 1 => array ( 'id' => '162', 'username' => 'demo@example.
Method amigopod.guest.list

List guest accounts. (To retrieve devices, see "Method amigopod.mac.list" on page 430)

Parameters

| Name | Type | Description |
|---|---|---|
| details | Flag | Optional parameter; if set to 1 then full details of all guest accounts are returned, otherwise only the IDs are returned |
| sort | String | Optional parameter. If set to 1, then sorts first by the specified column, and then by username. |
Method amigopod.guest.reset.password Reset a guest account's password to a random value.
Method amigopod.mac.create

Create a new MAC device account.

Parameters

| Name | Type | Description |
|---|---|---|
| sponsor_name | String | Name of the person sponsoring the device account. |
| visitor_name | String | Name of the visitor. |
| visitor_company | String | Company name of the visitor. |
| email | String | The visitor's email address. This will become their username to log in to the network. |
| expire_after | Numeric | Amount of time before the device account will expire. Specified in hours. |
Example Usage Sample parameters for the call: 'sponsor_name' => 'Sponsor Name', 'visitor_name' => 'Visitor Name', 'visitor_company' => 'Visitor Company', 'email' => 'demo@example.com', 'expire_after' => 4, 'expire_time' => '', 'role_id' => 2, 'visitor_phone' => '0', 'creator_accept_terms' => 1, Result returned by a successful operation: 'username' => 'demo@example.
Method amigopod.mac.edit Change one or more properties of a device account.
Return Values

| Name | Type | Description |
|---|---|---|
| error | Flag | Set to 1 if the device account was not modified |
| message | String | Message describing the success or failure of the operation |
| item | Struct | User structure containing updated field values |
| uid | Integer | ID of the device account |
| *_error | String | Field-specific error message |
| *_error_flag | Flag | Field-specific error flag, set to 1 if present |

Access Control

Requires the full_user_control privilege (Guest Manager > Full User Control in the Operator Profile Ed
'password_value' => '', 'schedule_time' => '', 'expire_time' => '', 'user_enabled' => '', 'username_error' => 'You cannot leave this field blank.
Return Values

| Name | Type | Description |
|---|---|---|
| ids | Array | Array of device account IDs (if details was 0). |
| users | Array | Array of device account structures (if details was 1). |

Access Control

Requires the mac_list privilege (Guest Manager > List MAC Authentication Accounts in the Operator Profile Editor).

Example Usage

Sample parameters:
'details' => 0,

Sample successful call:
'ids' => array ( 0 => '37', 1 => '141', 2 => '40', ...
If you wish to configure the times after which expired accounts are deleted, refer to the Dell Networking W-ClearPass Policy Manager documentation for cluster-wide parameters. Data retention of guest accounts and logs is configured in CPPM under Administration > Server Configuration > Cluster-Wide Parameters. 3.9 Configuration Import To help W-ClearPass Guest 3.9 customers transition to W-ClearPass Guest 6.
Uploading the 3.9 Backup File To upload a Guest 3.9 configuration to W-ClearPass Guest 6.x: 1. Upgrade your 3.9 system to the latest 3.9.x monthly patch. 2. Deploy your 6.x system, and upgrade it to the latest 6.x monthly patch. 3. In your 3.9 system, make a complete configuration backup. For details on how to back up your system, refer to the "Backup and Restore" section in the "Administrator Tasks" chapter of your "ClearPass Guest 3.9 Deployment Guide." Be sure to use the Complete backup option in your 3.
This form shows every configuration item in your backup file, and provides options for restoring items or excluding them from the restoration. For more information, see the next section, "Restoring Configuration Items" on page 434.

Restoring Configuration Items
This section describes how to use the Import Configuration: Step 2 form to import 3.9 configuration items to your 6.2 system after you upload them. To select and restore your configuration items:
1.
- To exclude an item from the import, click the X in the item's row. The X turns red to indicate it will be excluded. You can click the X for a category to exclude all items in that category.
- To make it easier to select just a few items, you can scroll to the bottom of the list and click the Unselect All link. All items are then marked with a red X and will be excluded from the import. You can then select the green check marks for just the items you want.
The Import Notices list provides information about items that were handled during the last import. This list includes the following columns:
- Status -- The import status of the item in the same row. Possible statuses include Imported, Migrated, Obsolete, Action Required, Error, Processed, Unsupported, and Warning. These statuses are described more fully in the table below.
- Operation/Notice -- This column shows the operation performed on the item, and the name of the item.
Table 107: Configuration Import Statuses

| Status | Description |
|---|---|
| Imported | The item was successfully imported with no changes. |
| Migrated | The item was successfully imported but some aspects were modified for 6.2, as described in Show Details for the item. For example, if a field imported in a 3.9 configuration has a different name in 6. |
- "Import Information: Onboard" on page 440
- "Import Information: Operator Logins" on page 440
- "Import Information: Palo Alto Network Services" on page 440
- "Import Information: RADIUS Services" on page 440
- "Import Information: Reporting Manager Definitions" on page 441
- "Import Information: Server Configuration" on page 442
- "Import Information: SMS Services" on page 443
- "Import Information: SMTP Services" on page 443

Import Information: Advertising Services
- Advertising Service
| 3.9 Name | 6.2 Name |
|---|---|
| schedule_time | start_time |
| modify_schedule_time | modify_start_time |
| schedule_after | start_after |

Custom Forms and Views:
- Forms and views that referenced renamed fields are updated to reference the new field name.
- Forms and views that referenced obsolete fields have those fields removed from the definition.

Print Templates:
- Print templates are flagged as Action Required. Print templates might require changes where defaults have changed or fields have been renamed.
Import Information: Onboard
To restore your Onboard device provisioning pages, you must import RADIUS Web logins.
- The server certificate in CPPM might need to be configured before provisioned devices can connect to the network.
- The QuickConnect client provisioning address might need to be verified as the correct one for the new server.

Import Information: Operator Logins
Operator Login Configuration
- A client-side cookie check (nwa_cookiecheck) is added to the Login Message setting.
RADIUS Database Connections
- The RADIUS database connection for the local RADIUS server is obsolete.
- For any custom user databases, an authentication source must be created in CPPM.

RADIUS Database User Accounts
- User accounts are migrated and keep the status (disabled, pending, active, expired) they had in 3.9. Any field names that differ in 6.2 are updated.
- User accounts with the Deleted status are obsolete.

RADIUS Dictionary
- The RADIUS dictionary is unsupported.
Import Information: Server Configuration
- W-ClearPass settings are obsolete.

Data Retention
- Data Retention settings for Onboard are imported.

Database Configuration
- Default (empty) database configuration settings are processed and ignored. Non-default database configuration settings should be reviewed for potential issues.

Installed Plugin List
- For imported plugins that were not up-to-date (e.g. pre-3.
- For non-default Application URLs, changes should be reviewed.
- Subscription IDs must be added to CPPM.
- For non-default HTTP Proxy settings, the HTTP proxy must be configured in CPPM.

System HTTP Proxy
- For non-default HTTP Proxy settings, the HTTP proxy must be configured in CPPM.

System Kernel Configuration
- System kernel configuration is obsolete.

System Log Setup
- System log setup is obsolete.
- If a local collector was enabled, it is unsupported.
  - SMTP Server
  - Subject Line
  - Username
  - Use Sendmail
  - Use SSL encryption

Plugin Manager
Plugins are the software components that fit together to make your Web application. The Available Plugins list shows all the plugins currently included in your application. It lets you view information about each plugin and configure some aspects of most plugins.
The About link displays information about the plugin, including the installation date and update date. The About page for the Kernel plugin also includes links to verify the integrity of all plugin files or perform an application check. Click a plugin’s Configuration link to view or modify its settings. See "Configuring Plugins" on page 445 for details about the configuration settings.

Configuring Plugins
You can configure most standard, kernel, skin, and translation plugins.
- SMS Services—See "Configuring Plugins" on page 445
- SMTP Services—See "Email Receipt Options" on page 286
- SOAP Web Services—See "Configuring Web Services" on page 385
- Translation Services—See "Configuring the Translations Plugin" on page 450

Configuring the Kernel Plugin
The Kernel Plugin provides the basic framework for the application. Settings you can configure for this plugin include the application title, the debugging level, the base URL, the application URL, and autocomplete.
1.
7. Review the differences between the current settings and the default configuration. To commit the change to the default settings, click the Restore Default Configuration link.

Configuring the Aruba W-ClearPass Skin Plugin
A Web application’s skin determines its visual style—the colors, menus, and graphics.
your application’s appearance does not automatically change, find the custom plugin in the list, click Configure, and click its Enable link. If you prefer to use the standard Aruba W-ClearPass skin, navigate to it in the Available Plugins list and click its Enable link. The default skin is displayed on all visitor pages, and on the login page if no other skin is specified for it.
- Auto-Send Field – Select a guest account field which, if set to a non-empty string or non-zero value, will trigger an automatic SMS when the guest account is created or updated. The auto-send field can be used to create an “opt-in” facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.
Configuring the Translations Plugin
The Translation Assistant plugin shows the current version, type, original installation date, date of last update, whether it can be configured, and the copyright date. The Translation Assistant plugin cannot be configured. By default, the display language for the W-ClearPass Guest user interface is automatically detected based on the user's browser settings.
Viewing the Application Log
To view events and messages generated by the application, go to Administration > Support > Application Log. The Application Log view opens. To view in-depth information about an event, click the event’s row. The form expands to show details. Click the event’s row again to close it. To view the logs for a different server when in a cluster, use the Server drop-down list above the table.
- Error—Returns Error items
- Warning—Returns Error and Warning items
- Info—Returns Error, Warning, and Info items
- Debug—Returns Error, Warning, Info, and Debug items

4. By default, only the Client IP and Message fields are searched. To search all fields, mark the check box in the Options row.

Events are stored in the Application Log for seven days by default.
Contacting Support
To view contact information for Dell Support, go to Administration > Support > Contact Support. The Contact Support page opens.

Viewing Documentation
To view Dell Networking W-ClearPass Guest documentation, go to Administration > Support > Documentation. The Documentation page opens.
- To view this User Guide in your browser as online help, click Browse Documentation. The document opens in a separate browser tab.
- To view the User Guide as a PDF, click Deployment Guide.
Chapter 9
Operator Logins

An operator is a company’s staff member who is able to log in to Dell Networking W-ClearPass Guest. Different operators may have different roles that can be specified with an operator profile. These profiles might be to administer the W-ClearPass Guest network, manage guests, or run reports. Operators may be defined locally in W-ClearPass Guest, or externally in an LDAP directory server.
Two types of operator logins are supported: local operators and operators who are defined externally in your company’s directory server. Both types of operators use the same login screen.

Role-Based Access Control for Multiple Operator Profiles
Using the operator profile editor, the forms and views used in the application may be customized for a specific operator profile, which enables advanced behaviors to be implemented as part of the role-based access control model.
Custom Login Message
If you are deploying W-ClearPass Guest in a multi-lingual environment, you can specify different login messages depending on the currently selected language. The following example from the demonstration site uses Danish (da), Spanish (es) and the default language English, as highlighted in bold:

{if $current_language == 'da'}
Indtast brugernavn og password for at
få adgang til W-ClearPass Guest
Kontakt
Advanced Operator Login Options
The following options are available in the Logging drop-down list:
- No logging
- Log only failed operator login attempts
- Log only Web logins
- Log only XMLRPC access
- Log all access

Log messages for operator logins, whether successful or unsuccessful, are shown in the application log.

Automatic Logout
The Logout After option in the Advanced Options section lets you configure an amount of idle time after which an operator’s session will be ended.
The Edit Operator Profile (new) form is displayed. This form has several sections, which are described in more detail below.

The fields in the first area of the form identify the operator profile and capture any optional information:
1. You must enter a name for this profile in the Name field.
2. (Optional) You may enter additional information about the profile in the Description field.

The fields in the Access area of the form define permissions for the operator profile:
1.
profile to work. See "Operator Profile Privileges" on page 462 for details about the available access levels for each privilege. If you choose the Custom setting for an item, the form expands to include additional privileges specific to that item. 3. The User Roles list allows you to specify which user databases and roles the operator will be able to access. If one or more roles are selected, then only those roles will be available for the operator to select from when creating a new guest account.
Table 108: Operators supported in filters

| Operator | Meaning | Additional Information |
|---|---|---|
| = | is equal to | You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( \| ). |
| != | is not equal to | |
do only certain tasks, you might want the application to open at the module where those tasks are performed. 3. (Optional) In the Language row, the default setting is Auto-detect. This lets the application determine the operator’s language preference from their local system settings. To specify a particular language to use in the application, choose the language from the drop-down list. 4.
Read Only Access means that the operator can see the options available but is unable to make any changes to them. Full Access means that all the options are available to be used by the operator. Custom access allows you to choose individual permissions within each group.
Configuring AirGroup Operator Device Limit
By default, an AirGroup operator can create up to five personal devices. To change this default:
1. Go to Administration > Operator Logins > Profiles, then select the AirGroup Operator profile in the list.
2. Click the Edit link. The Edit Operator Profile form opens.
3. In the Account Limit field, specify an appropriate value. This is the maximum number of personal devices that an operator with this profile can create.
4. Click Save Changes.
4. Create a translation rule to map the CPPM role name to the W-ClearPass Guest operator profile: In W-ClearPass Guest, go to Administration > Operator Logins > Translation Rules.
5. In the Translation Rules list, find the profile in the list, look at the Action column to verify the operator profile assignment, and then click its Edit link. The row expands to include the Edit Translation Rule form.
6. Edit the fields appropriately to match the CPPM role name to the W-ClearPass Guest operator profile.
Viewing the LDAP Server List
If you have defined one or more LDAP servers, those servers will appear in the LDAP server list at Administration > Operator Logins > Servers. Select any of the LDAP servers in the list to display options to perform the following actions on the selected server:
- Edit—Opens the Server Configuration form, where you can make changes to the properties of the LDAP server.
- Delete—Removes the server from the LDAP server list.
- Duplicate—Creates a copy of an LDAP server.
Creating an LDAP Server
To create an LDAP server, go to Administration > Operator Logins > Servers, and click the Create new LDAP server link in the upper-right corner. The authentication Server Configuration form opens. To specify a basic LDAP server connection (hostname and optional port number), use a Server URL of the form ldap://hostname/ or ldap://hostname:port/. See "Advanced LDAP URL Syntax" on page 469 for more details about the types of LDAP URL you may specify.
This form allows you to specify the type of LDAP server your system will use. Click the Server Type drop-down list and select one of the following options: Table 109: Server Type Parameters Server Type Required Configuration Parameters Microsoft Active Directory l POSIX Compliant l Server URL: The URL of the LDAP server Bind DN: The password to use when binding to the LDAP server, or empty for an anonymous bind.
and then check the Select2 Options for additional properties. The server will then look up sponsors during self-registration and double-check the attribute used for emails on the LDAP server. This option requires that the sponsor_email and do_ldap_lookup fields are enabled in the registration form, and that you have the LDAP Sponsor Lookup plugin installed. Use the Plugin Manager to verify that this plugin is available.
Testing Connectivity
To test network connectivity between an LDAP server and the W-ClearPass Guest server, click the Ping link in the server’s row. The results of the test appear below the server entry in the LDAP server table.

Testing Operator Login Authentication
1. To test authentication of operator login values, select a server name in the LDAP Server table, then click the Test Auth link. The Test Operator Login form is added to the page.
2.
1. To look up a sponsor, select a server name in the LDAP Server table, then click the Test Lookup link. The Test Operator Lookup area is added to the LDAP servers list.
2. In the Lookup field, enter a lookup value. This can be an exact username, or you can include wildcards. If you use wildcards, the search might return multiple values.
3. In the Search Mode field, use the drop-down list to specify whether to search for an exact match or use wildcard values.
4.
LDAP Translation Rules
LDAP translation rules specify how to determine operator profiles based on LDAP attributes for an authenticated operator. To create a new LDAP translation rule:
1. Go to Administration > Operator Logins > Translation Rules, and then click the Create new translation rule link. The Edit Translation Rule form opens.
2. In the Name field, enter a self-explanatory name for the translation rule.
6. Click the On Match drop-down list and select the action the system should take when there is a match. Your options here are to:
  - Do nothing – makes no changes.
  - Assign fixed operator profile – assigns the selected Operator Profile to the operator.
  - Assign attribute’s value to operator field – uses the value of the attribute as the value for an operator field. This option can be used to store operator configuration details in the directory.
- Enable – Re-enables a disabled operator login
- Edit Profile – Opens the Edit Operator Profile form for the operator profile assigned to the selected translation rule
- Move Up – Moves the rule up to a higher priority on the rule list
- Move Down – Moves the rule down to a lower priority on the rule list

Custom LDAP Translation Processing
When matching an LDAP translation rule, custom processing may be performed using a template. The template variables available are listed in the table below.
For example, to permit non-administrator users to access the system only between the hours of 8:00 am and 6:00 pm, you could define the following LDAP translation rule:

The Custom rule is:

{strip}
{if stripos($user.memberof, "CN=Administrators")!==false}
1
{elseif date('H') >= 8 && date('H') < 18}
1
{else}
0
{/if}
{/strip}

Explanation: The rule will always match on the “memberof” attribute that contains the user’s list of groups.
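The same decision logic in plain PHP, as an added example (not part of the original guide or the product's code), next to a stricter variant that compares each group DN as a whole instead of searching for a substring. It assumes memberOf arrives as a list of group DNs; ADMIN_GROUP_DN, pageRule(), strictRule() and the sample operators are hypothetical.

```php
<?php
declare(strict_types=1);

// Placeholder DN (assumption): replace with the administrators group DN from your directory.
const ADMIN_GROUP_DN = 'CN=Administrators,CN=Builtin,DC=example,DC=com';

/**
 * Mirrors the custom rule on this page: a case-insensitive substring test on
 * memberOf, then a fallback to the 08:00-17:59 window. Returns 1 (match) or 0.
 */
function pageRule(array $memberOf, int $hour): int
{
    $groups = implode("\n", $memberOf);
    if (stripos($groups, 'CN=Administrators') !== false) {
        return 1;
    }
    return ($hour >= 8 && $hour < 18) ? 1 : 0;
}

/**
 * Stricter variant: an operator counts as an administrator only when one of
 * the group DNs equals ADMIN_GROUP_DN as a whole (case-insensitive).
 */
function strictRule(array $memberOf, int $hour): int
{
    foreach ($memberOf as $dn) {
        if (strcasecmp(trim($dn), ADMIN_GROUP_DN) === 0) {
            return 1;
        }
    }
    return ($hour >= 8 && $hour < 18) ? 1 : 0;
}

// Constructed sample operators (not from a real directory).
$operators = [
    'builtin admin'   => ['CN=Administrators,CN=Builtin,DC=example,DC=com'],
    'lookalike group' => ['CN=Administrators-ReadOnly,OU=Groups,DC=example,DC=com'],
    'front desk'      => ['CN=Reception,OU=Groups,DC=example,DC=com'],
];

// The template calls date('H'), which uses the server's configured time zone.
// Fixed hours are used here so the output is repeatable.
foreach ([3, 9] as $hour) {
    foreach ($operators as $label => $memberOf) {
        printf(
            "%02d:00  %-16s page rule=%d  strict rule=%d\n",
            $hour,
            $label,
            pageRule($memberOf, $hour),
            strictRule($memberOf, $hour)
        );
    }
}
```

At 03:00 the two functions disagree only for the look-alike group, whose DN contains the text CN=Administrators without being that group.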
Chapter 10
Reference

This chapter includes the following sections:
- "Basic HTML Syntax" on page 477
- "Standard HTML Styles" on page 478
- "Smarty Template Syntax" on page 480
- "Date/Time Format Syntax" on page 496
- "Programmer’s Reference" on page 498
- "Field, Form, and View Reference" on page 504
- "LDAP Standard Attributes for User Class" on page 525
- "Regular Expressions" on page 526

Basic HTML Syntax
Dell Networking W-ClearPass Guest allows different parts of the user interface to
Item HTML Syntax Text Formatting words to be made bold equivalent syntax words to be made italic equivalent syntax words to underline Shown in fixed-width font Uses CSS formatting Uses predefined style
Uses CSS formatting
Uses predefined style
Hypertext Link text to click on – XHTML equivalent

Table 113: Formatting Classes

| Class Name | Applies To | Description |
|---|---|---|
| nwaIndent | Tables | Indent style used in tables |
| nwaLayout | Tables | Used when you want to lay out material in a table without the material looking as if it is in a table; in other words, without borders |
| nwaContent | Tables | Class used for a standard table with borders |
| nwaTop | Table Header | Table heading at top |
| nwaLeft | Table Header | Left column of table |
| nwaRight | Table Header | Right column of table |
| nwaBottom | Table Header | Table heading a |
Class Name Applies To Description
nwaImportant All Text that should be prominently displayed
Table subheadings
nwaUsername All Text used to display a username
nwaPassword All Text used to display a password

Smarty Template Syntax
Dell Networking W-ClearPass Guest’s user interface is built using the Smarty template engine. This template system separates the program logic and visual elements, enabling powerful yet flexible applications to be built.
Conditional Text Blocks
To include a block of text only if a particular condition is true, use the following syntax:

{if $username != ""}
Username: | {$username} |
{else}
{/if}

The condition tested in the {if} … {/if} block should be a valid PHP expression. The {else} tag does not require a closing tag.

Script Blocks
The brace characters { and } are specially handled by the Smarty template engine.

A name= attribute may be supplied with the opening {foreach} tag. When a name is supplied, the following additional Smarty variables are available for use inside the {foreach} … {/foreach} block:
- {$smarty.foreach.name.first} – true if the item being processed is the first item in the collection
- {$smarty.foreach.name.last} – true if the item being processed is the last item in the collection
- {$smarty.foreach.name.index} – counter for the current item, starting at 0 for the first item
- {$smarty.
Functions are of two kinds: block functions, which have a beginning and ending tag enclosing the text operated on by the function, and template functions, which have just a single tag and do not enclose text. To use a function, enclose the function name in curly braces { } and provide any attributes that may be required for the function. Block functions also require a closing tag.

dump
{dump var=$value}
Smarty registered template function. Displays the value of a variable.
- The “target” parameter, if specified, sets the TARGET attribute of the hyperlink. If not specified, no TARGET attribute is provided.

The body of the element is the HREF of the command link. The “icon” and “command” parameters are required. All other parameters are optional.

nwa_iconlink
{nwa_iconlink} … {/nwa_iconlink}
Smarty registered block function. Generates a combined icon and text link to a specified URL. Usage example:
{nwa_iconlink icon="images/icon-info22.
  - info – information symbol
  - note (or arrow) – right-pointing arrow
  - ClearPass Guest – ClearPass Guest logo
  - ok (or tick) – green tick mark
  - warn (or warning) – warning symbol
  - wait – animated spinner

If “noindent=1” is specified, the block is not indented using the ‘nwaIndent’ style. If “novspace=1” is specified, the block uses a ‘DIV’ element, rather than a ‘P’ element. If neither “icon” nor “type” is supplied, the default behavior is to insert an “info” type image.
The following parameters control the query to be executed:
- _method (required) – Name of the query function to execute. A brief listing of the available methods is provided below.
- _arg0, _arg1, …, _argN (optional) – Positional arguments for the query function.
- Named arguments may also be supplied; the arguments must be named identically to the function arguments listed in the documentation for the query function.
Calculate the number of sessions for accounting records matching a specific calling-station-id. The calling station id address is looked up automatically from the RADIUS Access-Request (Calling-Station-ID attribute). Because different NAS equipment can send differently-formatted MAC addresses in the Calling-Station-Id attribute, the $mac_format argument may be specified. This should be a sprintf-style format string that accepts 6 arguments (the octets of the MAC address).
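An added example (not from the guide or the product) of what such a format string does: one station address as different NAS equipment might report it, reduced to six octets and rendered through a single sprintf-style format. It assumes the six octets are passed to the format as integers; macOctets(), formatMac(), the two formats and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Splits a MAC address written with '-', ':' or '.' separators (or none)
 * into six integer octets. Returns null for anything that is not 12 hex digits.
 */
function macOctets(string $mac): ?array
{
    $hex = str_replace(['-', ':', '.'], '', trim($mac));
    if (strlen($hex) !== 12 || !ctype_xdigit($hex)) {
        return null;
    }
    return array_map('hexdec', str_split($hex, 2));
}

/** Renders the octets with a sprintf-style format that takes six arguments. */
function formatMac(string $mac, string $macFormat): ?string
{
    $octets = macOctets($mac);
    return $octets === null ? null : vsprintf($macFormat, $octets);
}

// Constructed Calling-Station-Id values for one device, plus one invalid value.
$reported = ['00-1A-2B-3C-4D-5E', '00:1a:2b:3c:4d:5e', '001a.2b3c.4d5e', 'not-a-mac'];

// Example formats (assumptions): uppercase with hyphens, lowercase with colons.
$formats = ['%02X-%02X-%02X-%02X-%02X-%02X', '%02x:%02x:%02x:%02x:%02x:%02x'];

foreach ($formats as $macFormat) {
    foreach ($reported as $value) {
        $out = formatMac($value, $macFormat);
        printf("%-32s %-18s -> %s\n", $macFormat, $value, $out ?? '(rejected)');
    }
}
```

All three valid notations render to the same string under a given format, so compare that rendered value with what your NAS writes into its accounting records before relying on a per-device limit.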
- return GetUserTraffic($now - 86400*30, $now, 'out') > 100*1024*1024 && AccessReject()
- Limit by MAC address, 50 MB download in past 24 hours:
  return GetCallingStationTraffic(86400, 'out') > 50000000 && AccessReject()

GetCurrentSession()
GetCurrentSession($criteria)
Looks up the details for an active session, based on the specified criteria. This is a multi-purpose function that has a very flexible query interface.
Calculate the number of sessions for accounting records matching a specific IP address. The IP address attribute is looked up automatically from the RADIUS Access-Request (Framed-IP-Address attribute). See "GetTraffic()" on page 490 for details on how to specify the time interval. See "GetIpAddressTraffic()" on page 489 for additional details on the $ip_addr argument.
The $format parameter is optional, and defaults to “relative” if not otherwise specified. This parameter may be one of the following values:
- “relative” or “session_time”: Calculates the session timeout as for the Session-Timeout RADIUS attribute, that is, the number of seconds before the session should end. If the session does not have a session timeout, the value returned is 0.
- “time”: Calculates the session end time, as the UNIX time at which the session should end.
Looks up the list of all sessions for the specified username. The username attribute is looked up automatically from the RADIUS Access-Request (User-Name attribute). If a $callingstationid argument is supplied, sessions that match that Calling-Station-Id are excluded from the count of active sessions.

GetUserActiveSessionCount()
GetUserActiveSessionCount($username)
Counts the number of currently active sessions for the current username.
nwa_assign
{nwa_assign …}
Smarty registered template function. Assigns a page variable based on the output of a generator function. Simple usage example:
{nwa_assign var=my_variable value=my_value}
- The “var” parameter specifies the page variable that will receive the output.
- The “value” parameter specifies the value to assign to “var”.

The various request variables may also be accessed using one of two supported methods:
- {nwa_assign var=_GET.get_variable value=...}
- {nwa_assign var=smarty.
nwa_nav
{nwa_nav} … {/nwa_nav}
Smarty registered block function. Defines a block area for navigation, a control, or generates navigation control HTML of a particular type. Blocks are individual components of the navigation area, which basically consist of HTML. Blocks for actual navigation items have substitution tags in the form @tagname@. The recognized tags are described in the table below.
- level1_active
- level1_inactive
- level2_active
- level2_inactive
- level2_parent_active
- level2_parent_inactive
- level3_active
- level3_inactive
- enter_level1
- enter_level2
- enter_level3
- exit_level1
- exit_level2
- exit_level3

nwa_plugin
{nwa_plugin …}
Smarty registered template function. Generates plugin information based on the parameters specified. Specifying which plugin:
- The ‘id’ parameter specifies a plugin ID.
has read access, that is, not if the user has full access, prefix the privilege name with a # character and use the parameter name “readonly” (or “ro”). {nwa_privilege full=create_user} .. content .. {/nwa_privilege} The “full” (synonym “rw”) parameter specifies the name of a privilege to check for full read-write access. The “name” parameter is the name of the privilege to check. If “name” is prefixed with a “!”, the output is included only if that privilege is NOT granted (inverts the sense of the test).
Not all devices are capable of playing back YouTube video content. Usage example:

{nwa_youtube video=Y7dpJ0oseIA width=320 height=240}
YouTube is the world’s most popular online video community.
{/nwa_youtube}

The supported parameters for this block function are:
- video (required) – the YouTube video ID to embed.
- width (required) – the width in pixels of the video.
- height (required) – the height in pixels of the video.
- autoplay (optional) – if true, auto-play the video.
| Preset Name | Date/Time Format | Example |
|---|---|---|
| rfc822 | %a, %d %b %Y %H:%M:%S %Z | Mon, 07 Apr 2008 14:13:45 EST |
| displaytime | %l:%M %p | 2:13 PM |
| recent | – | 2 minutes ago |

The % items on the right hand side are the same as those supported by the PHP function strftime(). The string “?:”, if present, will return the string following the “?:” if the time value is 0. Otherwise, the format string up to the “?:” is used.
| Format | Result |
|---|---|
| %B | Full month name for the current locale |
| %c | Preferred date and time representation for the current locale |
| %C | Century number (2-digit number, 00 to 99) |
| %d | Day of the month as a decimal number (01 to 31) |
| %D | Same as %m/%d/%y |
| %e | Day of the month as a decimal number; a single digit is preceded by a space (‘ 1’ to ‘31’) |
| %h | Same as %b |
| %H | Hour as a decimal number (00 to 23) |
| %l | Hour as a decimal number (01 to 12) |
| %m | Month as a decimal number (01 to 12) |
| %M | Minute as a decimal num |
- "NwaByteFormatBase10" on page 499
- "NwaComplexPassword" on page 500
- "NwaCsvCache" on page 500
- "NwaDigitsPassword($len)" on page 500
- "NwaDynamicLoad" on page 500
- "NwaGeneratePictureString" on page 500
- "NwaGenerateRandomPasswordMix" on page 500
- "NwaLettersDigitsPassword" on page 501
- "NwaLettersPassword" on page 501
- "NwaMoneyFormat" on page 501
- "NwaParseCsv" on page 501
- "NwaParseXml" on page 502
- "NwaPasswordByComplexity" on page 502
- "NwaSmsIsValidPhoneNumbe
Formats a non-negative size in bytes as a human readable number (bytes, KB, MB, GB, etc.) Assumes “base 10” rules in measurement; that is, 1 KB = 1000 bytes, 1 MB = 1000 KB, etc. If a negative value is supplied, returns the $unknown string. If a non-numeric value is supplied, that value is returned directly.

NwaComplexPassword
NwaComplexPassword($len = 8)
Generates complex passwords of at least $len characters in length, where $len must be at least 4.
- $upper specifies the minimum number of uppercase characters to include, or -1 to not use any uppercase characters.
- $digit specifies the minimum number of digits to include, or -1 to not use any digits.
- $symbol specifies the minimum number of symbol characters to include, or -1 to not use any symbol or punctuation characters.

NwaLettersDigitsPassword
NwaLettersDigitsPassword($len)
Generates an alpha-numeric password of $len characters in length consisting of lowercase letters and digits.
| Function | Description |
|---|---|
| dos_compatible | If true, convert \r\n line endings to \n (default true) |
| encoding | If set, specifies the input character set to convert from (default not set) |
| out_charset | If set, specifies the desired character set to convert to using the iconv() function. |
- complex – At least one of each: uppercase letter, lowercase letter, digit, and symbol

NwaSmsIsValidPhoneNumber
NwaSmsIsValidPhoneNumber($phone_number)
Validates a phone number supplied in E.164 international dialing format, including country code.
- Any spaces and non-alphanumeric characters are removed.
- If the first character is a plus sign (+), the phone number is assumed to be in E.
Be aware of the following differences from Excel VLOOKUP:
- Column indexes are 0-based.
- Column indexes can also be strings.

See "NwaParseCsv" on page 501 and "NwaCsvCache" on page 500.

NwaWordsPassword
NwaWordsPassword($len)
Generates a password consisting of two randomly-chosen words, separated by a small number (1 or 2 digits); that is, in the format word1XXword2. The random words selected will have a maximum length of $len characters, and a minimum length of 3 characters. $len must be at least 3.
| Field | Description |
|---|---|
| | rather than failing to create the account. This field should normally be enabled for guest self-registration forms, to ensure that a visitor that registers again with the same email address has their existing account automatically updated. Set this field to a non-zero value or a non-empty string to enable automatic update of an existing account. This field controls account creation behavior; it is not stored with created visitor accounts. |
| Field | Description |
|---|---|
| | field is available when modifying an account using the change_expiration or guest_edit forms. |
| dynamic_is_authorized | Boolean flag indicating if the user account is authorized to log in. This field is available when modifying an account using the change_expiration or guest_edit forms. |
| dynamic_is_expired | Boolean flag indicating if the user account has already expired. This field is available when modifying an account using the change_expiration or guest_edit forms. |
| Field | Description |
|---|---|
| | this field to 0 to disable this account expiration timer. |
| http_user_agent | String. Identifies the Web browser that you are using. This tracks user’s browsers when they are registering. This is stored with the user’s account. |
| id | String. Internal user ID used to identify the guest account to the system. |
| ip_address | String. The IP address to assign to stations authenticating with this account. This field may be up to 20 characters in length. |
Field | Description

• “random_password” to use the password specified in the random_password field;
• “reset” to create a new password, using the method specified in the random_password_method field (or the global defaults, if no value is available in this field);
• “password” to use the value from the password field;
• Any other value leaves the password unmodified.

This field controls account creation and modification behavior; it is not stored with created or modified visitor accounts.
Field | Description
no_portal | Boolean. If set, prevents a user from logging into the guest service portal. Set this field to a non-zero value or a non-empty string to disable guest access to the self-service portal. The default is to allow guest access to the self-service portal, unless this field is set.
no_warn_before | Boolean. User does not receive a logout expiration warning. The admin or user can opt out of this option by setting the field to 1.
notes | String.
Field | Description
random_password_length | String. The length, in characters, of randomly generated account passwords.
• For nwa_words_password, the random_password_length is the maximum length of the random words to use. Two random words will be used to create the password, joined together with a small number (up to 2 digits).
• For nwa_picture_password, the random_password_length is ignored.
random_password_method | String. Identifier specifying how passwords are to be created.
Field | Description

string specified by the random_username_picture field.
• nwa_digits_password to create a username using random digits. The length of the username is specified by the random_username_length field.
• nwa_letters_password to create a username using random lowercase letters. The length of the username is specified by the random_username_length field.
• nwa_lettersdigits_password to create a username using random lowercase letters and digits.
Field | Description
sponsor_email | Email address of the sponsor of the account. If the sponsor_email field can be inserted into an email receipt and used in future emails, the “Reply-To” email address will always be the email address of the original sponsor, not the current operator.
sponsor_name | String. Name of the sponsor of the account. The default value of this field is the username of the current operator.
submit | No Type. Field attached to submit buttons.
Field | Description
personal_details | No Type. Field attached to a form label.
purchase_amount | No Type. Total amount of the transaction. This field is only used during transaction processing.
purchase_details | No Type. Field attached to a form label.
state | String. The visitor’s state or locality name.
submit_free | No Type. Field attached to a form submit button.
visitor_accept_terms | Boolean. Flag indicating that the visitor has accepted the terms and conditions of use.
visitor_fax | String.
Table 123: SMTP Services Standard Fields

Field | Description
auto_send_smtp | Boolean. Flag indicating that an email receipt should be automatically sent upon creation of the guest account. Set this field to a non-zero value or a non-empty string to enable an automatic email receipt to be sent. This field can be used to create an opt-in facility for guests.
Field | Description
smtp_warn_before_template_id | String. This field overrides the print template ID specified under Logout Warnings on the email receipt. If the value is “default”, the default template ID under the Logout Warnings section on the email receipt configuration is used.
smtp_warn_before_receipt_format | String. This field overrides the format in the Email Receipt field under Logout Warnings.
Symbol | Replacement
! | Random punctuation symbol, excluding apostrophe and quotation marks
& | Random character (letter, digit or punctuation excluding apostrophe and quotation marks)
@ | Random letter or digit, excluding vowels

Any other alphanumeric characters in the picture string will be used in the resulting username or password.
• IsValidAirGroupSharedGroups – Checks that the value is a valid shared group list. Otherwise, returns a description of the error(s). If $arg is an array it may specify the following options:
  ◦ syntax_only: Default true. If false, requires that the values provided correspond to those from the AirGroup plugin configuration.
  ◦ protocol_version: Default 2. If 1, changes the default validation properties (see below).
  ◦ max_groups: Maximum number of groups to allow, default 32.
  ◦ syntax_only: Default true. If false, requires that the values provided correspond to those from the AirGroup controller configuration.
  ◦ protocol_version: Default 2. If 1, changes the default validation properties (see below).
  ◦ max_roles: Maximum number of roles to allow, default 100.
  ◦ max_role_length: Maximum length in characters of any single role name, default 64.
  ◦ max_role_list_length: Maximum total length of the role list, including comma separator characters, default 1000.
    'deny' => array(
        'blocked-domain.com',
        'other-blocked-domain.com',
    ),
)

  ◦ The keys ‘whitelist’ and ‘blacklist’ may also be used for ‘allow’ and ‘deny’, respectively.
  ◦ An ‘allow’ or ‘deny’ value that is a string is converted to a single element array.
  ◦ Wildcard matching may be used on domain names: the prefix ‘*.’ means match any domain that ends with the given suffix. A ‘*’ component can also be used inside the hostname, and will match zero or more domain name components.
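The allow/deny option handling and wildcard rules described above, re-implemented in Python as an added example; this is not ClearPass code, and the function names are hypothetical. It assumes a leading ‘*.’ also matches the bare domain (the "zero or more components" reading), and it reports allow and deny hits separately because the text above does not say how the two lists are combined.

```python
# Added illustration: label-wise wildcard matching for email domains.
# Matching whole labels (not raw string suffixes) is what keeps
# "badexample.com" from matching the pattern "*.example.com".

def normalize_options(options):
    """Map whitelist/blacklist to allow/deny; turn a string into a one-item list."""
    aliases = {"whitelist": "allow", "blacklist": "deny"}
    out = {"allow": [], "deny": []}
    for key, value in options.items():
        key = aliases.get(key, key)
        if key not in out:
            continue  # other validator options are out of scope here
        if isinstance(value, str):
            value = [value]
        out[key].extend(v.lower().rstrip(".") for v in value)
    return out

def _match_labels(pattern, labels):
    """A '*' pattern label consumes zero or more whole hostname labels."""
    if not pattern:
        return not labels
    head, rest = pattern[0], pattern[1:]
    if head == "*":
        return any(_match_labels(rest, labels[i:])
                   for i in range(len(labels) + 1))
    return bool(labels) and labels[0] == head and _match_labels(rest, labels[1:])

def domain_matches(pattern, domain):
    """Case-insensitive match of one pattern against one domain name."""
    labels = domain.lower().rstrip(".").split(".")
    if "" in labels:  # empty label: not a usable domain
        return False
    return _match_labels(pattern.lower().rstrip(".").split("."), labels)

def list_hits(email, options):
    """Return (in_allow, in_deny) for the domain part of an email address."""
    if "@" not in email:
        return (False, False)
    opts = normalize_options(options)
    domain = email.rpartition("@")[2]
    in_allow = any(domain_matches(p, domain) for p in opts["allow"])
    in_deny = any(domain_matches(p, domain) for p in opts["deny"])
    return (in_allow, in_deny)

# Constructed sample options; the deny entries are the ones shown above.
SAMPLE_OPTIONS = {
    "whitelist": "*.example.com",
    "deny": ["blocked-domain.com", "other-blocked-domain.com"],
}

if __name__ == "__main__":
    for addr in ("guest@mail.example.com", "guest@badexample.com",
                 "user@other-blocked-domain.com"):
        print(addr, list_hits(addr, SAMPLE_OPTIONS))
```
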
• IsValidHostnameCidr – Checks that the value is a valid IP address or hostname, which may also have an optional /N suffix indicating the network prefix length in bits (CIDR notation).
• IsValidHostnamePort – Checks that the value is a valid IP address or hostname, which may optionally include a port number specified with the syntax hostname:port.
• IsValidIpAddr – Checks that the value is a valid IP address.
• IsValidTimestamp – Checks that the value is a numeric UNIX timestamp (which measures the time in seconds since January 1, 1970 at midnight UTC).
• IsValidTimeZone – Checks that the value is a valid string describing a recognized time zone.
• IsValidUrl – Checks that the value appears to be a valid URL that includes a scheme, hostname and path. For example, in the URL http://www.example.com/, the scheme is http, the hostname is www.example.com and the path is /.
Form Field Display Formatting Functions

The Display Functions that are available are listed below:

Table 127: Form Field Display Functions

Function | Description
NwaBoolFormat | Formats a Boolean value as a string.
• If the argument is 0 or 1, a 0 or 1 is returned for false and true, respectively.
• If the argument is a string containing a “|” character, the string is split at the | separator and used for false and true values.
Function | Description
NwaDurationFormat | Converts a time measurement into a description of the corresponding duration. Format parameters: seconds, minutes, hours, days, weeks.
• Any format can be converted to another.
• By default, this function converts an elapsed time value specified in seconds to a value that is displayed in weeks, days, hours, minutes and seconds.
In the above view (the guest_users view), the four columns displayed correspond to the username, role_name, enabled, and expire_time fields.

Table 128: Display Expressions for Data Formatting

Value | Description
Display Expressions |
data.username.bold() | Displays the username string as bold text.
data.role_name | Displays the name of the role.
Nwa_BooleanText(data.enabled, "Enabled", "Disabled") | Displays either “Enabled” or “Disabled” depending on the value of the enabled field.
(parseInt(data.
Value | Description

Nwa_NumberFormat(value[, if_undefined])
Nwa_NumberFormat(value, decimals)
Nwa_NumberFormat(value, decimals, dec_point, thousands_sep[, if_undefined])

Converts a numerical value to a string. If the value has an undefined type (in other words, has not been set), and the if_undefined parameter was provided, returns if_undefined.
• sAMAccountType: The sAMAccountType property specifies an integer that represents the account type.
• unicodePwd: The unicodePwd property is the password for the user.

Regular Expressions

The characters shown in Table 129 can be used to perform pattern matching tasks using regular expressions.

Table 129: Regular Expressions for Pattern Matching

Regex | Matches
a | Any string containing the letter “a”
^a | Any string starting with “a”
^a$ | Only the string “a”
a$ | Any string ending with “a”
.
Appendix 1

Chromebook in Onboard

This appendix describes Chromebook functionality in W-ClearPass Onboard. It provides an introduction to Chromebook in Onboard, and discusses considerations as well as Onboard and Google Admin configuration for Chromebook.
• Users, groups, and other details can be provisioned in Google Apps from an existing directory using the Google Apps Directory Sync tool.
• W-ClearPass Onboard provides device provisioning and certificate enrollment services.
• The Chrome Extension provides support for Onboard device provisioning for Chromebook devices.

Caveats and Recommendations

This section describes requirements related to licenses, extensions, deployment, versions, certificates, provisioning, and authentication sources.
Because of this, Chromebook will always create its own private key. The Key Type option in Device Provisioning Settings will be ignored by Chromebook devices, and will always default to created by device. The key size is 1024 bits or 2048 bits, as specified in the Device Provisioning Settings. If an unsupported selection is made in the Provisioning Settings form, the default used will be a 2048-bit private key.
Directory-Based Authentication Source is Recommended

When a Chromebook user with an EAP-TLS certificate connects to the network, an authorization check is performed to ensure that the certificate is still valid, and that the user account associated with the certificate is still permitted to use the network. W-ClearPass Policy Manager provides this capability for multiple authentication sources. However, at this time, no built-in Google Apps authentication source is available.
The text displayed on the device provisioning page for Chromebook devices can be customized using additional settings on this tab. In addition, to ensure that Chromebook support is enabled, use the Enable Chromebook device provisioning check box on the General tab (this check box is selected by default). For more information, see "Configuring Provisioning Settings for Chromebook" on page 182 in the Onboard chapter.
4. In the user settings, find the Pre-installed Apps and Extensions section, and then click the Manage preinstalled apps link.
5. Select Specify a Custom App.
6. Enter the ID and URL of the Onboard Chromebook extension and then click Add. The ID and URL information is available on the Onboard > Deployment and Provisioning > Provisioning Settings > Chromebook tab. If you have a cluster environment, the URL may be modified to refer to any subscriber node.
7.
Configuring Network Settings

1. From the Chrome Management page, go to Network.
2. You should see the For Users tab selected. Click the Add Wi-Fi button on the right.
3. Specify a Name and SSID for the network, and select the Automatically Connect option.
4. Change the Security Type to WPA/WPA2 Enterprise (802.1X).
5. Under Extensible Authentication Protocol, select EAP-TLS.
6.
8. For Client enrollment URL, provide the URL of the Onboard captive portal page—for example, https://server/onboard/device_provisioning.php.
9. You should also specify the Common Name of the Onboard CA’s issuing certificate in Issuer pattern > Common name—for example, “ClearPass Onboard Local Certificate Authority (Signing)”.
10. Click Save to save the network settings, and remember to click Save changes to commit.
Glossary

$criteria
Array that consists of one or more criteria on which to perform a data-based search. This array is used for advanced cases where predefined helper functions do not provide required flexibility.

802.1X
Standard for port-based network access control, designed to enhance 802.11 WLAN security. The 802.1X standard provides an authentication framework, allowing a user to be authenticated by a central authority.

authentication source
Identity repository against which Policy Manager verifies identity. CPPM supports the following authentication source types: Microsoft Active Directory, LDAP-compliant directories, RSA or other RADIUS-based token servers, and SQL database, as well as Static Host lists for MAC-based authentication.

authorization
Authorization controls the type of access that an authenticated user is permitted to have.

authorization source
Collects attributes for use in role-mapping rules.

device fingerprint
Information collected about a device for the purpose of identification. Fingerprints can fully or partially identify individual users or devices even when cookies are turned off.

device name
Within the device family, a classification based on granular details such as OS version—for example, if the device family is Windows, the value for device name might be Windows 7 or Windows 2008 Server. One of three hierarchical elements in a device profile.

EAP-TTLS
EAP – Transport Layer Security (RFC 5216). A certificate-based authentication method supporting mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints.

form
Interactive page in the application where users can provide or modify data.

field
In a database or user interface, a single item of information about a visitor account; attribute.

FQLN
Fully Qualified Location Name. A device location identifier in the format: APname.Floor.Building.Campus.

NAD
Network Access Device. The device that automatically connects the user to the preferred network; for example, an AP or an Ethernet switch.

NAK
Negative AcKnowledgement code. Response indicating that a transmitted message was received with errors or corrupted, or that the receiving end is not ready to accept transmissions.

NAP
Network Access Protection.

PEAP
Protected EAP. See EAP-PEAP.

persistent agent
Functionality within W-ClearPass OnGuard. Provides nonstop monitoring and automatic remediation and control, and supports automatic and manual remediation. When running persistent OnGuard agents, CPPM can centrally send system-wide notifications and alerts, and allow or deny network access. See also dissolvable agent and OnGuard.

ping
Test network connectivity using an ICMP echo request (“ping”).

PKCS#n
Public-key cryptography standard N.

QC
See QuickConnect.

QuickConnect
Functionality within ClearPass used to securely provision an Android, Windows, or OS X device and configure it with network settings. QuickConnect's functionality is now incorporated within Onboard.

RADIUS
Remote Access Dial-In User Server. Network access-control protocol for verifying and authenticating users; provides AAA management. A RADIUS transaction might be 802.1X, MAC-Auth, or generic RADIUS.

SSID
Service Set Identifier. Unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the basic service set (BSS).

SSO
Single Sign-On. Access-control property that lets a user log in once to access multiple related but independent applications or systems to which they have privileges. The process authenticates the user across all allowed resources during their session, eliminating additional login prompts.

XML-RPC
XML Remote Procedure Call. Protocol that uses XML to encode its calls and HTTP as a transport mechanism. The XML-RPC interface is available to third-party applications that will integrate with the W-ClearPass Guest Visitor Management Appliance. The W-ClearPass Guest XML-RPC API provides direct access to the underlying functionality of the W-ClearPass Guest Visitor Management Appliance.