Deployment Guide ClearPass Guest 3.
Copyright © 2012 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners.
Chapter 1 ClearPass Guest Collaboration between companies and mobility of staff has never been greater. Distributed workforces, traveling sales staff and a dependence on outsourced contractors and consultants requires efficient management, which can pose problems for network security and operational staff.
Documentation Overview Click the context-sensitive Help link displayed at the top right of each page to go directly to the relevant section of the deployment guide. The following quick links may be useful in getting started. Table 1 Quick Links: For information about... / Refer to...
Chapter 11, “High Availability Services” describes the optional high availability services that may be used to deploy a cluster of appliances in a fault-tolerant configuration. Chapter 12, “Reference” contains technical reference information about many of the built-in features of the appliance. Getting Support Field Help The ClearPass Guest user interface has field help built into every form. The field help provides a short summary of the purpose of each field at the point you need it most.
Words may be excluded from the search by typing a minus sign directly before the word to exclude (for example, -exclude). Exact phrase matches may also be searched for by enclosing the phrase in double quotes (for example, “word phrase”). If You Need More Assistance If you encounter a problem using ClearPass Guest, your first step should be to consult the appropriate section in this Deployment Guide. If you cannot find an answer here, the next step is to contact your reseller.
Chapter 2 Management Overview This section explains the terms, concepts, processes, and equipment involved in managing visitor access to a network. The content here is intended for network architects, IT administrators and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.
Reference Network Diagram The following figure shows the network connections and protocols used by ClearPass Guest. See Figure 2. Figure 2 Reference network diagram for visitor access The network administrator, operators and visitors may use different network interfaces to access the visitor management features. The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points.
Figure 3 Interactions involved in guest access ClearPass Guest is part of your network’s core infrastructure and manages guest access to the network. NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS protocol to ask ClearPass Guest to authenticate the username and password provided by a guest logging in to the network. If authentication is successful, the guest is then authorized to access the network. Authorized access uses the concept of roles.
Figure 4 Sequence diagram for network access using AAA In the standard AAA framework, network access is provided to a user according to the following process: The user connects to the network by associating with a local access point [1]. A landing page is displayed to the user [2] which allows them to log into the NAS [3], [4] using the login name and password of their guest account. The NAS authenticates the user with the RADIUS protocol [5].
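Step [5] of the sequence above, shown as an added example that is not part of the guide and not ClearPass code: a NAS builds an RFC 2865 Access-Request carrying the guest's User-Name and a User-Password hidden with the shared secret, a minimal RADIUS server checks the credentials against a guest account table and replies, and the NAS verifies the Response Authenticator before trusting the answer. The shared secret, guest account and NAS address are constructed for the example.

```python
import hashlib
import secrets
import struct

# RADIUS packet codes and attribute types defined in RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 2, 4, 5


def encrypt_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP password with the RFC 2865 section 5.2 method: the password is
    zero-padded to a multiple of 16 bytes and each block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def decrypt_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_password; the server needs the same shared secret and
    the Request Authenticator from the packet header. Zero padding is removed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str, nas_port: int) -> bytes:
    """NAS side of step [5]: an Access-Request carrying the guest's credentials."""
    request_auth = secrets.token_bytes(16)  # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encrypt_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def handle_access_request(packet: bytes, secret: bytes, accounts: dict) -> bytes:
    """Server side: recover the password, check it against the guest account
    table, and answer Access-Accept or Access-Reject. The reply carries a
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    supplied = decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    # Constant-time compare; unknown users are compared against a dummy value so
    # response timing does not reveal whether the username exists.
    expected = accounts.get(username, b"\x00")
    code = ACCESS_ACCEPT if secrets.compare_digest(expected, supplied) else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its identifier matches the outstanding
    request and its Response Authenticator was computed with the shared secret."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return secrets.compare_digest(expected, response[4:20])
```

The Response Authenticator check is what stops a forged Access-Accept from a host that does not know the shared secret, which is why the secret must be unique per NAS and never reused across sites.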
Key Features Refer to the table below for a list of key features and a cross-reference to the relevant section of this deployment guide. Table 2 List of Key features Feature Refer to… Visitor Access RADIUS server providing authentication, authorization, and accounting (AAA) features “RADIUS Services” Support for 802.1X authentication “EAP and 802.
Table 2 List of Key features (Continued) Visitor Account Features Independent activation time, expiration time, and maximum usage time “Business Logic for Account Creation” Disable or delete at account expiration “Account Expiration Types” Logout at account expiration “Account Expiration Types” Define unlimited custom fields “Customization of Fields” Username up to 64 characters “GuestManager Standard Fields” Customization Features Create new fields and forms for visitor management “Customization
Table 2 List of Key features (Continued) Advanced RADIUS modules for custom configuration “Server Configuration” Customize RADIUS dictionary “Dictionary” User Interface Features Context-sensitive help with searchable online documentation Documentation Overview Visitor Management Terminology The following table describes the common terms used in this guide. See Table 3.
Table 3 Common Terms (Continued) Web Login/NAS Login Login page displayed to a guest user.
Site Preparation Checklist The following is a checklist of the items that should be considered when setting up ClearPass Guest.
Chapter 3 Setup Guide This section covers the initial deployment and configuration of ClearPass Guest. If you have a hardware appliance, see “Hardware Appliance Setup” in this chapter. If you are using ClearPass Guest in a virtual machine, see “Setting Up the Virtual Appliance” in this chapter. Hardware Appliance Setup Refer to the Hardware Setup Guide sheet included in the box with the appliance for detailed installation information for the chassis and rack assembly.
Setting Up the Virtual Appliance VMware Workstation or VMware Player The virtual appliance is packaged as a zip file containing a directory with the files for the virtual machine. To install the virtual appliance: 1. Extract the contents of the zip file to a new directory. 2. Double-click the .vmx file to start the appliance. The configuration for the VMware Player virtual machine includes two virtual Ethernet adapters.
The configuration for the virtual machine includes one virtual Ethernet adapter. The initial network configuration of this adapter is: Table 7 Virtual ethernet adapter configuration Item Network Adapter Configuration Method DHCP IP Address – Netmask – Gateway – DNS – Adapter Name eth0 Hostname clearpass-guest.
When the administrator password is set during the setup wizard, the root password for the system will also be set to this password. However, once you have set the initial root password, future changes to the administrator password will not change the appliance’s root password. The username to access the console user interface is always admin and cannot be changed. Console User Interface Functions When you log in to the console user interface, the following menu options are presented.
Accessing the Graphical User Interface After you start ClearPass Guest, the initial startup screen is displayed in the console. To open the ClearPass Guest graphical user interface (GUI): Either type or copy and paste the displayed URL into your Web browser. The default login settings for new installations require https: to access the graphical user interface.
Accepting the ClearPass Guest License Agreement The first time you log in, you are prompted to accept the license agreement. To accept the agreement and continue the installation: 1. Review the software license agreement. 2. Mark the Accept check box, then click Continue. If you have any questions about the license agreement, contact Aruba support using the Web site http://support.arubanetworks.com.
To create a new password for the administrator account: 1. (Optional) For enhanced security, you may choose to change the Operator Username of the administrative account. Changing the username of the administrator account does not change the username for logging in to the console user interface. 2. In the Operator Password field, enter the new password. Passwords must be at least eight characters long and must include at least one uppercase letter, one lowercase letter, one digit, and one symbol. 3.
2. In the Hostname field, enter the new name. A valid hostname is a domain name that contains two or more components separated by a period (.). Hostname parameters are: Each component of the hostname must not exceed 63 characters The total length of the hostname must not exceed 255 characters Only letters, numbers, and the hyphen (-) and period (.
ClearPass Guest must be configured appropriately for your organization’s relevant network infrastructure. For details on how to configure your network interface, see Changing Network Interface Settings in the Administrator Tasks chapter. Configuring HTTP Proxy Settings If you do not need to configure an HTTP proxy, click Skip to Mail Settings to continue with setup. To configure HTTP proxy settings: 1. Go to Administrator > Network Setup > HTTP Proxy. 2.
Configuring SMTP Mail Settings To configure SMTP settings: 1. Go to Administrator > Network Setup > SMTP Configuration. 2. For details on how to complete the SMTP configuration, see “SMTP Configuration” in the Administrator Tasks chapter. 3. When you have completed the fields on this form, click the Send Test Message button to send an email to a test email address. The test email is in the selected format, and is used to verify the SMTP configuration and check the delivery of HTML formatted emails. 4.
2. For details on how to complete the SNMP configuration, see “SNMP Configuration” in the Administrator Tasks chapter. 3. Click the Save Changes button to apply the SNMP configuration. Configuring Server Time and Time Zone To ensure that authentication, authorization and accounting (AAA) is performed correctly, it is vital that the server maintains the correct time of day at all times. To configure the server’s time and time zone: 1. Go to Administrator > Server Time. 2.
To use a public NTP server, enter the following hostnames: 0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org You can also use NTP pool servers located in your region. For more information, refer to the NTP Pool Project Web site: http://www.pool.ntp.org. NTP can interfere with timekeeping in virtual machines. The default virtual machine configuration will automatically synchronize its time with the host server, so you should not configure NTP within the virtual machine.
To define the RADIUS network access servers: 1. In the Name field, enter a descriptive name to identify the first NAS server. 2. For details on how to complete the rest of the fields for defining the NAS entry, see “Creating a Network Access Server Entry” in the RADIUS Services chapter. 3. Click Create NAS Device. To define additional NAS entries for the RADIUS server, you can click the Create tab above the form.
To provide your subscription information: 1. In the Subscription ID field, enter your subscription ID or IDs. A subscription ID consists of number and letter groups separated with hyphens. A typical subscription ID might look like this: xn2ncr-gyjyd4-mxlx2s-fv9gcy-rwy7n6 Incorrectly-formatted subscription IDs cannot be entered in this form. A form validation error is displayed if an incorrect value is entered. 2. You can also attach a description to each subscription ID.
To install the default selections: You do not need to make any selections; the system has already determined what you need. Simply click the Finish button to download and install the selected plugins. Setup Completion After downloading and installing the available plugin updates, the setup process is complete, and the Welcome screen is displayed. You may begin using ClearPass Guest. Context-sensitive help is available throughout the application.
Operator logins are the login accounts used for administration and management of ClearPass Guest. The default administrative operator account is configured during the setup process. See “About Operator Logins” in the Operator Logins chapter for more details on configuring operator logins. Visitor accounts are the user accounts for which ClearPass Guest performs authentication, authorization and accounting (AAA) functions.
Chapter 4 Onboard Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate access credentials and setting up the network connection parameters. ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices—Windows, Mac OS X, iOS and Android—across wired, wireless and VPNs.
Table 10 Onboard Deployment Checklist Deployment Step Reference Configure SSL certificate for the Onboard provisioning server. A commercial SSL certificate is required to enable secure device provisioning for iOS devices. See “SSL Certificate” in the Administrator Tasks chapter Configure the Onboard certificate authority. Decide whether to use the Root CA or Intermediate CA mode of operation. Create the certificate for the certificate authority.
Onboard Feature List The following features are available in ClearPass Onboard. Table 11 Onboard Features Feature Uses Automatic configuration of network settings for wired and wireless endpoints. Secure provisioning of unique device credentials for BYOD and IT-managed devices. Support for Windows, Mac OS X, iOS, and Android devices. Certificate authority enables the creation and revocation of unique credentials on a specific user’s device.
Table 12 Platforms Supported by ClearPass Onboard Platform Example Devices Version Required for Onboard Support Apple Mac OS X MacBook Pro MacBook Air Mac OS X 10.8 “Mountain Lion” Mac OS X 10.7 “Lion” 1 Mac OS X 10.6 “Snow Leopard” Mac OS X 10.5 “Leopard” 2 Notes Android Samsung Galaxy S Samsung Galaxy Tab Motorola Droid Android 2.
Figure 6 Relationship of Certificates in the Onboard Public Key Infrastructure The root certificate authority (CA) is typically an enterprise certificate authority, with one or more intermediate CAs used to issue certificates within the enterprise. Onboard may operate as a root CA directly, or as an intermediate CA. See “Configuring the Certificate Authority”.
To disable network access for a device, revoke the TLS client certificate provisioned to the device. See “Working with Certificates”. Note: Revoking access for a device is only possible when using an enterprise network. Personal (PSK) networks do not support this capability. Revoking Credentials to Prevent Network Access Revoking a device’s certificate will also prevent the device from being re-provisioned. This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate.
Network Requirements for Onboard For complete functionality to be achieved, ClearPass Onboard has certain requirements that must be met by the provisioning network and the provisioned network: The provisioning network must use a captive portal or other method to redirect a new device to the device provisioning page. The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be provisioned.
For example, if the Onboard server’s hostname is onboard.example.com, the OCSP URL to use is: http://onboard.example.com/mdps_ocsp.php/1. Note: OCSP does not require the use of HTTPS and can be configured to use HTTP. Configuring a Certificate Revocation List (CRL) for the Provisioned Network Onboard supports generating a Certificate Revocation List (CRL) that lists the serial numbers of certificates that have been revoked. To configure a CRL, you will need to provide its URL to your network equipment.
Figure 8 Detailed View of the ClearPass Onboard Network Architecture The components shown in Figure 8 are: 1. Users bring different kinds of client device with them. Onboard supports “smart devices” that use the iOS or Android operating systems, such as smartphones and personal tablets. Onboard also supports the most common versions of Windows and Mac OS X operating systems found on desktop computers, laptops and netbooks. 2.
Figure 9 ClearPass Onboard Network Architecture when Using ClearPass Guest The user experience for device provisioning is the same in Figure 9 and Figure 7 on page 56, however there are implementation differences between these approaches: When using the ClearPass Guest RADIUS server for provisioning and authentication, EAP-TLS and PEAP authentication must be configured. Navigate to RADIUS > Authentication > EAP & 802.
Figure 10 ClearPass Onboard Process for iOS Devices The Onboard process is divided into three stages: 1. Pre-provisioning. The enterprise’s root certificate is installed on the iOS device. 2. Provisioning. The user is authenticated at the device provisioning page and then provisions their device with the Onboard server. The device is configured with appropriate network settings and a device-specific certificate. 3. Authentication.
Figure 11 Sequence Diagram for the Onboard Workflow on iOS Platform 1. When a BYOD device first joins the provisioning network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page. 2. A link on the mobile device provisioning page prompts the user to install the enterprise’s root certificate.
Figure 12 Over-the-Air Provisioning Workflow for iOS Platform 1. The only user interaction required is to accept the provisioning profile. This profile is signed by the Onboard server, so that the user can be assured of its authenticity. 2. An iOS device will have two certificates after over-the-air provisioning is complete: a. A Simple Certificate Enrollment Protocol (SCEP) certificate is issued to the device during the provisioning process.
Figure 13 ClearPass Onboard Process for Onboard-Capable Devices The Onboard process is divided into three stages: 1. Pre-provisioning. This step is only required for Android devices; the Aruba Networks QuickConnect app must be installed for secure provisioning of the device. 2. Provisioning. The device provisioning page detects the device type and downloads or starts the QuickConnect app. The app authenticates the user and then provisions their device with the Onboard server.
Figure 14 Sequence Diagram for the Onboard Workflow on Android Platform 1. When a BYOD device first joins the network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page. 2. The Onboard portal is displayed. The user’s device type is detected, and a link is displayed depending on the device type: a.
Figure 15 Onboard Provisioning Workflow in the QuickConnect App Accessing Onboard To access ClearPass Onboard: From the Home page, click the ClearPass Onboard command link. Alternatively, use the Onboard link at the top level of the left navigation to go directly to any of the features within Onboard. Configuring the User Interface for Device Provisioning The user interface for device provisioning can be customized in three different ways: Customizing the Web login page used for device provisioning.
After starting the provisioning process, users of iOS and OS X are prompted to accept a configuration profile. See “Configuring Provisioning Settings for iOS and OS X” to make changes to the content of this profile. Customizing the user interface of the QuickConnect app for Windows, Mac OS X and Android devices. The provisioning process for Windows, Mac OS X and Android devices uses a separate app, which has a customizable user interface.
1. {nwa_iconlink icon="images/iconcertificate22.png" text="Install root certificate (click here)"}{nwa_mdps_config name=root_cert}{/nwa_iconlink}
2. Login below using your {nwa_mdps_config name=organization_name} credentials
3. Install the certificate when prompted
4.
The first part of the form is used to specify the connection details for the ClearPass Policy Manager. Mark the Send device information to ClearPass Policy Manager check box when you will use Policy Manager as the authentication server for devices provisioned with Onboard. Specify the hostname or IP address of the Policy Manager publisher node in the Host text field. You must provide a valid username and password for the Policy Manager. This account should have “Super Administrator” privileges.
Mark the Send device information to ClearPass Profiler check box when you will use Profiler to collect device information. Select the events of interest in the Profiling Events checklist: When client requests a guest-facing page – Device information is sent to Profiler as soon as a guest-facing page (such as a Web login page, guest self-registration page, or device provisioning captive portal page) is requested.
Determine the OCSP URL for the certificate authority View the trust chain for the certificate authority (See “Viewing the Certificate Authority’s Trust Chain”) Renew the certificate authority’s certificate (See “Renewing the Certificate Authority’s Certificate”) Configure the data retention policy applied to certificates issued by the authority (See “Configuring Data Retention Policy for Certificates”) Setting Up the Certificate Authority The Certificate Authority Settings form is used to se
Select the appropriate mode for the certificate authority: Root CA – The Onboard certificate authority issues its own root certificate. The certificate authority issues client and server certificates using a local signing certificate, which is an intermediate CA that is subordinate to the root certificate. Use this option when you do not have an existing public-key infrastructure (PKI), or if you want to completely separate the certificates issued for Onboard devices from your existing PKI.
In the Identity section of the form: Enter values in the Country, State, Locality, Organization, and Organizational Unit text fields that correspond to your organization. These values form part of the distinguished name for the root certificate. Enter a descriptive name for the root certificate in the Common Name text field. This value will be used to identify the root certificate as the issuer of other certificates, notably the signing certificate.
In the Private Key section: Mark the Generate a new private key check box to create a new private key for the root certificate. This is only necessary if you are recreating the entire certificate authority from the beginning. Note: If you have previously created any client or server certificates or performed device provisioning using the existing root certificate, these certificates will be invalidated when changing the root certificate’s private key.
In the Identity section of the form: Enter values in the Country, State, Locality, Organization, and Organizational Unit text fields that correspond to your organization. These values form part of the distinguished name for the certificate authority. Enter a descriptive name for the certificate authority in the Common Name text field. This value will be used to identify the intermediate certificate as the issuer of client and server certificates from this certificate authority.
The Key Type drop-down list specifies the type of private key that should be created for the certificate. You can select one of these options: 1024-bit RSA – not recommended for a certificate authority 2048-bit RSA – recommended for general use 4096-bit RSA – higher security In the Intermediate Certificate section: The Digest Algorithm drop-down list allows you to specify which hash algorithm should be used. Note: MD5 is not recommended for use with certificate authority certificates.
Click the Request a Certificate link on this page. The Request a Certificate page is displayed. Click the link to submit an advanced certificate request. The Submit a Certificate Request or Renewal Request page is displayed.
Copy and paste the certificate signing request text into the Saved Request text field. Because this certificate is for a certificate authority, select “Subordinate Certification Authority” in the Certificate Template drop-down list. Click the Submit button to issue the certificate. The Certificate Issued page is displayed. Select the Base 64 encoded option and then click the Download certificate chain link.
Installing a Certificate Authority’s Certificate The CA Certificate Import page may be used to: Upload a certificate that has been issued by another certificate authority. This process is required when configuring an intermediate certificate authority. A private key is not required, as the certificate authority has already generated one and used it to create the certificate signing request. Upload a certificate and private key to be used as the certificate authority’s certificate.
Choose the file to upload in the Certificate field. To upload a single certificate, choose a certificate file in PEM (base-64 encoded) or binary format (.crt or PKCS#7). Leave the passphrase fields blank. To upload a certificate’s private key as a separate file, choose the private key file in PEM (base-64 encoded) format. If the private key has a passphrase, enter it in the Private Key Passphrase and Confirm Passphrase fields.
Replacement Renewal – Generates a new private key for the root certificate, and reissues the root CA certificate with an updated validity period. Use this option if the root certificate has been compromised, or if you want to invalidate all certificates that were previously issued by the CA. Whether you renew or replace the root certificate, you should distribute a new copy of the root certificate to all users of that certificate. Click the Renew Root Certificate button to perform the renewal action.
Click the Show certificate link to view the properties of a certificate in the trust chain. Creating a Certificate From the Certificate Management page, click the link to access the Certificate Request form.
Specifying the Identity of the Certificate Subject In the first part of the form, provide the identity of the person or device for which the certificate is to be issued (the “subject” of the certificate). Together, these fields are collectively known as a distinguished name, or “DN”.
Table 14 Subject Alternative Name Fields Supported When Creating a TLS Client Certificate Signing Request
Device Type – Type of device, such as “iOS”, “Android”, etc.
Device UDID – Unique device identifier (UDID) for this device. This is typically a 64-bit, 128-bit or 160-bit number represented in hexadecimal (16, 32 or 40 characters, respectively).
Device IMEI – International Mobile Equipment Identity (IMEI) number allocated to this device.
Table 15 Types of Certificate Supported by Onboard Certificate Management (certificate type – value shown in the “Type” column – notes)
Root certificate – ca – Self-signed certificate for the certificate authority
Intermediate certificate – ca – Issued by the root CA or another intermediate CA
Profile signing certificate – profile-signing – Issued by the certificate authority
Certificate signing request – tls-client or tls-server – The type shown depends on the kind of certificate requested
Rejected certificate signing request – tls-
Use the Format drop-down list to select the format in which the certificate should be exported. The following formats are supported:
PKCS#7 Certificates (.p7b) – Exports the certificate, and optionally the other certificates forming the trust chain for the certificate, as a PKCS#7 container.
Base-64 Encoded (.pem) – Exports the certificate as a base-64 encoded text file. This is also known as “PEM format”.
Binary Certificate (.crt) – Exports the certificate as a binary file.
Once the certificate has been revoked, future checks of the certificate’s validity using OCSP or CRL will indicate that the certificate is no longer valid. Note: Due to the way in which certificate revocation lists work, a certificate cannot be un-revoked. A new certificate must be issued if a certificate is revoked in error. Note: Revoking a device’s certificate will also prevent the device from being re-provisioned.
Use the Format drop-down list to select the format in which the certificate signing request should be exported. The following formats are supported:
PKCS#10 Certificate Request (.p10) – Exports the certificate signing request in binary format.
Base-64 Encoded (.pem) – Exports the certificate signing request as a base-64 encoded text file. This is also known as “PEM format”.
If you choose Base-64 Encoded, the form expands to include the Trust Chain row.
Mark the Reject this request check box to confirm that the certificate signing request should be rejected, and then click the Reject Request button. Delete request – Removes the certificate signing request from the list. This option is only available if the data retention policy is configured to permit the certificate signing request’s deletion. See “Configuring Data Retention Policy for Certificates”. The Delete Request form is displayed.
Paste the text into the Certificate Signing Request text field. Be sure to include the complete block of text, including the beginning and ending lines.
Use the Certificate Signing Request field to select the appropriate file for upload. Note: The file should be a base-64 encoded (PEM format) PKCS#10 certificate signing request. Specifying Certificate Properties Select the type of certificate from the Certificate Type drop-down list. Choose from one of the following options: TLS Client Certificate – Use this option when the certificate is to be issued to a client, such as a user or a user’s device.
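The two steps above (pasting the complete text block, or uploading a base-64 PKCS#10 file) fail in practice mostly because of an incomplete paste or a file in the wrong format. The following is an added example, not ClearPass Guest code, of a pre-submission check you can run on a request before uploading it: it verifies that both armor lines are present and agree, that the label is one of the PKCS#10 labels, that the body is valid base-64, and that the decoded DER is exactly as long as its outer length header claims (a truncated paste fails this last check). It does not parse the request contents; the test data below is a constructed DER structure, not a real request.

```python
"""Sanity-check a pasted or uploaded PEM block before submitting it as a CSR.

Added example, not ClearPass Guest code. Checks armor, label, base-64 and the
outer DER length; it does not interpret the PKCS#10 structure itself.
"""
import base64
import re

# PEM labels are fixed by RFC 7468. Both PKCS#10 labels appear in the wild.
PKCS10_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}
CERT_LABELS = {"CERTIFICATE"}
PKCS7_LABELS = {"PKCS7"}

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P<end>[A-Z0-9 ]+)-----",
    re.S,
)


def der_outer_length(der: bytes) -> int:
    """Return the total encoded length of the outermost DER element."""
    if len(der) < 2 or der[0] != 0x30:      # X.509 and PKCS#10 objects are SEQUENCEs
        raise ValueError("payload does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                        # short form: one length octet
        return 2 + first
    num = first & 0x7F                      # long form: the next `num` octets hold the length
    if num == 0 or num > 4 or len(der) < 2 + num:
        raise ValueError("malformed DER length")
    return 2 + num + int.from_bytes(der[2:2 + num], "big")


def check_pem(text: str, expected_labels=PKCS10_LABELS) -> bytes:
    """Validate one PEM block and return its DER payload, or raise ValueError saying why."""
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("missing -----BEGIN/-----END lines; paste the complete block")
    label, end = m.group("label"), m.group("end")
    if label != end:
        raise ValueError(f"BEGIN label {label!r} does not match END label {end!r}")
    if label not in expected_labels:
        raise ValueError(f"expected one of {sorted(expected_labels)}, got {label!r}")
    body = "".join(m.group("body").split())   # drop line breaks and stray whitespace
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:                 # binascii.Error is a ValueError
        raise ValueError("body is not valid base-64") from exc
    expected = der_outer_length(der)
    if expected != len(der):
        raise ValueError(f"DER claims {expected} octets but {len(der)} decoded (truncated paste?)")
    return der


def to_pem(der: bytes, label: str) -> str:
    """Armor DER bytes as PEM with 64-character lines, the form the import step expects."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"
```

Feed `check_pem` the text of the request before pasting it; the error message tells you whether the armor, the label, the encoding or the length is at fault. Pass `CERT_LABELS` or `PKCS7_LABELS` as `expected_labels` to apply the same check to a certificate or chain file before the CA Certificate Import step.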
This page is used to configure the settings for ClearPass Onboard device provisioning, including: The organization name displayed during device provisioning Properties for the certificates issued to devices when they are provisioned Which operating systems should be supported Authorization properties – the number of devices that a user may provision Configuring Basic Provisioning Settings The first part of the Device Provisioning Settings form is used to specify basic information about the O
The Certificate Authority drop-down list can be used to select a different certificate authority. By default, there is only a single certificate authority. Use the Validity Period text field to specify the maximum length of time for which a client certificate issued during device provisioning will remain valid. The Clock Skew Allowance text field adds a small amount of time to the start and end of the client certificate’s validity period.
Mark the Include device information in TLS client certificates check box to include additional fields in the TLS client certificate issued for a device. These fields are stored in the subject alternative name (subjectAltName) of the certificate. Refer to Table 16 on page 92 for a list of the fields that are stored in the certificate when this option is enabled.
Configuring Provisioning Settings for iOS and OS X The third part of the Device Provisioning Settings form is used to specify provisioning settings related to iOS devices. Mark the Enable iOS and OS X 10.7+ (Lion or later) device provisioning check box to enable provisioning for these devices. Mark the Enable device authentication check box to enable an additional authorization step to be performed during device provisioning.
Select one of the following options in the Profile Security drop-down list to control how a device provisioning profile may be removed: Always allow removal – The user may remove the device provisioning profile at any time, which will also remove the associated device configuration and unique device credentials. Remove only with authorization – The user may remove the device provisioning profile if they also provide a password.
Mark the appropriate check boxes here to enable device provisioning on the respective platforms: Enable OS X 10.5 (Leopard) and 10.
The Provisioning Access warning message is displayed when HTTPS is not required for guest access. HTTPS is recommended for all deployments as it secures the unique device credentials that will be issued to the device. Note: When using HTTPS for device provisioning, the server certificate must be issued by a certificate authority that the devices already trust; in practice this means obtaining a commercial SSL certificate, because self-signed certificates and certificates from an unknown root cause iOS provisioning to fail.
Enter a number in the Maximum Devices field to limit the maximum number of devices that each user may provision. Devices are recognized as unique when they have a different MAC address, or a different device identifier (when the MAC address is not available). Configuring Network Settings for Device Provisioning To configure the network settings that will be sent to a provisioned device, go to Onboard > Network Settings, or click the Network Settings command link. The Network Settings page opens.
The options available in the Network Type drop-down list are:
Both — Wired and Wireless – Configures both wired (Ethernet) and wireless network adapters. Use this option when you have 802.1X configured for all types of network access.
Wireless only – Configures only wireless network adapters.
Wired only – Configures only wired (Ethernet) network adapters.
The options available in the Security Type drop-down list are: Enterprise (802.
Configuring 802.1X Authentication Network Settings Click the Protocols tab to display the Enterprise Protocols form. Use this form to specify the authentication methods required by your network infrastructure. The Legacy OS X EAP option supports only PEAP with MSCHAPv2. The Windows EAP option supports only PEAP with MSCHAPv2. These best practices are recommended when choosing the 802.
Click the Previous button to return to the Access tab. Click the Next button to continue to the Authentication tab. Click the Save Changes button to make the new network configuration settings take effect. Click the Cancel button to discard your changes and return to the main Onboard configuration user interface. Configuring Device Authentication Settings Click the Authentication tab to display the Enterprise Authentication form.
In the Trusted Certificates row, mark the check box for each server certificate that the client should trust. Use the Upload Certificate field to upload additional server certificates. These certificates will be displayed in the certificate management list view with the type “tls-server”. These best practices are recommended for enterprise trust options: Provide the certificate for each authentication server that a provisioned device will use, and select it in the Trusted Certificates list.
take effect. Click the Cancel button to discard your changes and return to the main Onboard configuration user interface. Configuring Windows-Specific Network Settings Click the Windows tab to display the Windows Network Settings form. Network Access Protection (NAP) is a feature in Windows Server 2008 that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy.
Select one of these options in the Proxy Type drop-down list: None – No proxy server will be configured. Manual – A proxy server will be configured, if the device supports it. Specify the proxy server settings in the Server and Server Port fields. Automatic – The device will configure its own proxy server, if the device supports it. Specify the location of a proxy auto-config file in the PAC URL text field. Click the Previous button to return to the Windows tab.
The Instructions text field can be used to provide more information or instructions to an iOS or OS X user immediately after device provisioning has completed. For example, if you have provisioned Wi-Fi network settings for an SSID that is separate from the initial provisioning SSID, you could add a message requesting that the user now switch to the new SSID in order to complete setup. Click the Previous button to return to the Proxy tab.
Mark the Add this VPN to the device profile check box to enable provisioning of VPN settings. The Display Name text field specifies the name for this VPN connection. This will be displayed on the device in the Settings app. To help the user identify the connection easily, include your organization’s name in the Display Name field. For example, use “ACME Sprockets VPN”. Select the appropriate Connection Type from the drop-down list: L2TP – Connection uses the Layer 2 Tunneling Protocol.
Shared Secret / Group Name – An optional group name may be specified. A shared secret (preshared key) is used to establish the IPSec VPN. Authentication is performed with a username and password. The Proxy Settings section of the form specifies a proxy server that is used when the VPN connection is active. Select one of these options in the Proxy Setup drop-down list: None – No proxy server will be configured with this VPN profile. Manual – A proxy server will be configured with this VPN profile.
Mark the Add this ActiveSync configuration to the device profile check box to enable email account provisioning. The Account Name text field specifies the name for this email account. This will be displayed on the device in the Settings app, and also within the Mail app to identify the mailbox. To help the user identify this mailbox easily, include your organization’s name in the Account Name field. For example, use “ACME Sprockets Mail”.
In the Sync Settings group, choose one of the following options from the Days of Mail drop-down list: No Limit, 1 day, 3 days, 1 week, 2 weeks, 1 month. Click the Save Changes button to save the Exchange ActiveSync profile and return to the main Onboard configuration user interface. Configuring an iOS Device Passcode Policy To make changes to the Passcode Policy configuration that will be sent to a device, go to Onboard > Passcode Policy, or click the Passcode Policy command link.
To enable the passcode policy on all iOS devices, mark the Enable passcode policy check box and configure the remaining options according to your enterprise’s security requirements. Click the Save Changes button to save the passcode policy settings and return to the main Onboard configuration user interface.
Resetting Onboard Certificates and Configuration To delete certificates, re-create the Onboard Web login page, or reset configuration to factory default settings, go to Onboard > Reset to Factory Defaults, or click the Reset to Factory Defaults command link. The Reset to Factory Defaults page opens. This page is used to delete certificates, or restore the default configuration for Onboard. These options are useful while trialing the Onboard workflow with a set of test devices.
Table 17 RADIUS Attributes Included with a Device Authentication Request
User-Name (1) – The username for the current device provisioning process.
User-Password (2) – Password credentials supplied by the user during device provisioning.
Calling-Station-Id (31) – MAC address of the device being provisioned. This attribute is omitted if the MAC address information is unavailable.
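To see what the device authentication request in Table 17 looks like on the wire, the following is an added example (not ClearPass Guest or ClearPass Onboard code) that builds and decodes an Access-Request carrying exactly those three attributes according to RFC 2865. It also shows why the shared secret matters: User-Password is not encrypted but obfuscated with an MD5 stream keyed by the secret and the Request Authenticator (RFC 2865 section 5.2), so anyone who knows the secret and captures the packet recovers the password. The shared secret, username, password and the MAC string format are constructed values; the real MAC formatting depends on the NAS.

```python
"""Build and decode a RADIUS Access-Request carrying the Table 17 attributes.

Added example, not ClearPass code. Packet layout, attribute numbers and the
User-Password obfuscation follow RFC 2865. Secret and credentials are constructed.
"""
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1
USER_NAME = 1            # User-Name (1)
USER_PASSWORD = 2        # User-Password (2)
CALLING_STATION_ID = 31  # Calling-Station-Id (31)


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator            # first keystream block uses the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                          # later blocks chain on the previous ciphertext block
    return out


def recover_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of obfuscate_password: what the RADIUS server (or an eavesdropper with the secret) does."""
    if not cipher or len(cipher) % 16:
        raise ValueError("User-Password length must be a non-zero multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")                # strip the null padding added at the NAS


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(username: str, password: str, secret: bytes,
                         mac: Optional[str] = None, identifier: int = 0,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request with User-Name, User-Password and, when the MAC is known, Calling-Station-Id."""
    authenticator = authenticator or os.urandom(16)     # fresh 16-octet Request Authenticator
    attrs = avp(USER_NAME, username.encode())
    attrs += avp(USER_PASSWORD, obfuscate_password(password.encode(), secret, authenticator))
    if mac is not None:                                 # omitted if the MAC is unavailable (Table 17)
        attrs += avp(CALLING_STATION_ID, mac.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Return (code, identifier, authenticator, {type: value}); rejects inconsistent lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, identifier, pkt[4:20], attrs
```

The `recover_password` round trip with the correct secret, and the garbage it yields with a wrong one, is the whole security model of RADIUS PAP: protect the shared secret and the path between the NAS and the RADIUS server, or treat the password as exposed.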
iOS Device Provisioning Failures Symptom: Device provisioning fails on iOS with the message “The server certificate for https://… is invalid”. Resolution: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate. Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate authority, will cause iOS device provisioning to fail with the message “The server certificate for … is invalid”.
Chapter 5 RADIUS Services RADIUS is a network access-control protocol that verifies and authenticates users. The framework around which RADIUS is built is known as the AAA process, consisting of authentication, authorization, and accounting. RADIUS authenticates a guest user’s session by checking that the guest’s password matches the guest’s login details stored in the RADIUS database. Guest access is authorized by assigning a user role to the guest account.
Log entries that are displayed include both successful and unsuccessful authentication attempts, the details about any authentication or authorization failures, and server configuration messages when the RADIUS server is started. Debug RADIUS Server The AAA Debug option on the RADIUS Server Configuration page enables additional debugging messages logged during the handling of RADIUS packets. The default setting is “No debugging.
Each row in the table groups together authentication attempts based on the username (that is, the User-Name attribute provided to the RADIUS server in the Access-Request). The Status column displays one of the following messages for each authentication record, explaining the current state of the user account in the system: Does not exist – The user account could not be found. Deleted – The user account no longer exists. Disabled – The user account is disabled.
The NAS Type list may be used to select a default type for network access servers. Use this option if you have a deployment that uses only one type of NAS. The AAA Debug option on the RADIUS Server Configuration page enables additional debugging messages logged during the handling of RADIUS packets. The default setting is “No debugging.” This option might be of use when setting up or troubleshooting advanced authorization methods, and you can refer to the application log to view the AAA debug messages.
Example: Removing a User-Name Suffix Some NAS equipment always appends a realm in the form ‘@domain.com’ to a RADIUS User-Name attribute in the Access-Request message sent to the RADIUS server. It is possible to configure the RADIUS server to strip off this additional text, using the attr_rewrite module. Use the following Server Configuration entries to perform this modification:
module.attr_rewrite.consentry.attribute = User-Name
module.attr_rewrite.consentry.searchin = packet
module.attr_rewrite.
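The attr_rewrite entries above are cut short on this page, so the following is an added example, not ClearPass Guest code and not the attr_rewrite module, of the rewrite rule written out in Python. The point it adds is the check a practitioner wants before stripping anything: remove only the realm the NAS is known to append, so that a user who types ‘alice@other.example’ is not silently collapsed onto the local ‘alice’ account. The realm names are constructed.

```python
"""Strip a NAS-appended realm from User-Name, but only when it is a realm we expect.

Added example, not ClearPass Guest code. KNOWN_REALMS is a constructed set;
replace it with the realm(s) your NAS actually appends.
"""
import re

KNOWN_REALMS = {"corp.example", "guest.example"}   # constructed

# exactly one '@': user part, realm part. Two or more '@' is left untouched.
_REALM_RE = re.compile(r"^(?P<user>[^@]+)@(?P<realm>[^@]+)$")


def strip_realm(user_name: str, known_realms=KNOWN_REALMS) -> str:
    """Return the bare username when the suffix is a known realm, else the input unchanged."""
    m = _REALM_RE.match(user_name)
    if not m:
        return user_name                          # no suffix or an unexpected shape: leave it
    if m.group("realm").lower() in {r.lower() for r in known_realms}:
        return m.group("user")                    # the NAS's own realm: safe to drop
    return user_name                              # foreign realm: keep it so policy can reject it


def strip_any_realm(user_name: str) -> str:
    """The permissive variant that drops whatever follows the last '@'. Shown for contrast only."""
    return user_name.rsplit("@", 1)[0]
```

With `strip_any_realm`, ‘alice@other.example’ and ‘alice@corp.example’ both authenticate as ‘alice’; with `strip_realm` only the expected realm is removed and anything else reaches the authorization step as typed.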
User roles can be used to apply different security policies to different classes of guest user accounts. For example, guest users, employees, and contractors might all have differing network security policies. The RADIUS attributes defined by a user role can then specify what each class of user is authorized to do. To create and configure user roles for the server to use for RADIUS authorization: Go to RADIUS > User Roles.
2. In the Role Name field, enter a brief descriptive name for the role—for example, if you are creating a role for the guest users in your network, you might choose ‘Guest’ or “Visitor” as the role name. 3. (Optional) You may enter a description of the role in the Description field. This can be useful, as it appears in the list of user roles. 4. If you wish to prevent users within this role from receiving any session warnings, mark the check box in the Session Warnings row.
Enter a value for this attribute in the Value field. For integer enumerated attributes, choose an appropriate value from the Value drop-down list. To calculate the value of the attribute using an expression, see “Dictionary” in this chapter. Additional attributes can be added by clicking the Add Attribute button at the bottom of the window. When all the attributes have been added, click the Save Changes button to create this user role.
Example: Time of Day Conditions In this example, the Reply-Message attribute will be modified to provide a greeting to the guest that changes depending on the time of day. 1. Create a new role named Sample role. 2. Click the Add Attribute tab. 3. Select the Reply-Message attribute from the drop-down list and enter the string value Good morning, guest. 4.
2. Click the Add Attribute tab. 3. Select the Reply-Message attribute from the drop-down list. Any attribute can be used for this example, because the attribute will never be included in the response. 4. Select Enter condition expression… from the Condition drop-down list and enter the following code in the Expression text field: return GetUserTraffic(86400) > 10485760 && AccessReject(); 5. Click the Add Attribute tab. 6. Click the Save Changes button to apply the new settings to the role.
Example: Location-Specific VLAN Assignment In this example, the value of a vendor-specific VLAN attribute will be modified based on the NAS to which visitors are connecting. The network has an Aruba wireless controller at 192.168.30.2 which should be configured to place all visitor traffic into VLAN ID 100. There is another Aruba wireless controller at 192.168.40.2 which should be configured to place visitor traffic into VLAN ID 200. 1. Create a new role named Sample role 2. Click the Add Attribute tab.
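The three role examples above (a time-of-day greeting, a daily traffic quota that rejects the request, and a VLAN chosen by the NAS address) share one mechanism: each attribute in a role carries a condition, and a condition may turn the whole response into an Access-Reject. The following is an added example, not ClearPass Guest code and not its condition-expression language, that models that evaluation in Python with the values from the text (10485760 octets over 86400 seconds, VLAN 100 for 192.168.30.2 and VLAN 200 for 192.168.40.2). The VSA name Aruba-User-Vlan is an assumption, since the text only says “a vendor-specific VLAN attribute”; the request fields and traffic figures are constructed.

```python
"""Conditional RADIUS reply attributes, modelling the three user-role examples.

Added example, not ClearPass Guest code. The Aruba-User-Vlan name is assumed;
the Request fields are constructed stand-ins for what the server would know.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

DAY_SECONDS = 86400
TEN_MIB = 10485760


@dataclass
class Request:
    user_name: str
    nas_ip: str
    hour: int               # local hour (0..23) when the Access-Request arrived
    traffic_last_day: int   # octets used in the last DAY_SECONDS (constructed)


class AccessReject(Exception):
    """Raised from a condition to turn the response into an Access-Reject."""


@dataclass
class RoleAttribute:
    name: str
    value: object                                        # literal, or callable(Request) -> value
    condition: Optional[Callable[[Request], bool]] = None


@dataclass
class Role:
    name: str
    attributes: List[RoleAttribute] = field(default_factory=list)


def evaluate(role: Role, req: Request) -> Tuple[str, Dict[str, object]]:
    """Return ('Access-Accept', {attribute: value}) or ('Access-Reject', {})."""
    reply: Dict[str, object] = {}
    try:
        for attr in role.attributes:                     # evaluated in the order they are listed
            if attr.condition is not None and not attr.condition(req):
                continue                                 # condition false: attribute not sent
            reply[attr.name] = attr.value(req) if callable(attr.value) else attr.value
    except AccessReject:
        return "Access-Reject", {}                       # no attributes accompany a reject
    return "Access-Accept", reply


def over_quota(req: Request) -> bool:
    """Mirrors: return GetUserTraffic(86400) > 10485760 && AccessReject();"""
    if req.traffic_last_day > TEN_MIB:
        raise AccessReject()
    return False                                         # under quota: attribute is skipped


def greeting(req: Request) -> str:
    """Time-of-day Reply-Message."""
    if 5 <= req.hour < 12:
        return "Good morning, guest"
    if 12 <= req.hour < 18:
        return "Good afternoon, guest"
    return "Good evening, guest"


VLAN_BY_NAS = {"192.168.30.2": 100, "192.168.40.2": 200}   # from the text

SAMPLE_ROLE = Role("Sample role", [
    RoleAttribute("Reply-Message", "never sent", condition=over_quota),
    RoleAttribute("Reply-Message", greeting),
    RoleAttribute("Aruba-User-Vlan", lambda r: VLAN_BY_NAS[r.nas_ip],   # assumed VSA name
                  condition=lambda r: r.nas_ip in VLAN_BY_NAS),
])
```

Put the rejecting condition first, as the text's example does: once it raises, nothing later in the role is evaluated or sent, which is exactly why the attribute it is attached to never appears in a response.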
3. Complete the Role Override, Expiration, Device Limit, Account Limit, and Limit Action fields with the appropriate information, then click Save Changes. Network Access Servers A Network Access Server (NAS) is a device that provides network access to users, such as a wireless access point, network switch, or dial-in terminal server. When a user connects to the NAS device, a RADIUS user authentication request (Access-Request packet) is generated by the NAS.
Creating a Network Access Server Entry A new NAS device is added by clicking on the Create tab. The NAS name is used in the RADIUS server log to identify access requests from NAS servers. This name must be unique.
Motorola (RFC 3576 support)
Ruckus Networks
Trapeze Networks (RFC 3576 support)
Trendnet
Xirrus
RFC 3576 is used by the RADIUS server to request that a NAS disconnect or reauthorize a session that was previously authorized by the RADIUS server. If your NAS vendor is not listed, select the “Other NAS” option. If the NAS is known to support RFC 3576, select the “RFC 3576 Dynamic Authorization Extensions Compatible” option.
Select the Force first row as header row check box if your data contains a header row that specifies the field names. This option is only required if the header row is not automatically detected. Click the Next Step button to upload the data. In step 2 of 3, the format of the uploaded data is determined and the appropriate fields are matched to the data. The first few records in the data will be displayed, together with any automatically detected field names.
Select the NAS entries to be created or updated with the imported data. The icon displayed in each row indicates whether it is a new entry or an existing NAS entry that will be updated. Click the Update existing entries check box to select or unselect all existing NAS entries in the list. Click the Create Network Access Servers button to finish the import process. The selected items will be created or updated. A completion screen is then displayed, showing the results of the import operation.
Figure 17 Sequence diagram for guest captive portal and Web login In a typical configuration, you would enable the captive portal functionality of your NAS [1], and use the URL of your custom Web login page as the default portal landing page [2] for unauthorized guests. When the login form is submitted [3], the Login Message page is displayed to the visitor [4]. A subsequent automatic redirect to the NAS will perform the actual login [5], which invokes the AAA process.
The first section requires that you enter a name for this login page, as well as an optional page name. You can also provide an optional description of the login page. To use predefined network settings for NAS equipment, select the appropriate vendor in the Vendor Settings drop-down list. If your NAS vendor is not listed, or if you would prefer to customize all aspects of the Web login page, choose Custom Settings.
When using this option, the guest’s username and password credentials will be sent to a value provided in the URL. As this is a potential security hazard, enter the known IP addresses of the controllers in your network in the Allowed Dynamic and Denied Dynamic fields, to prevent an information leak vulnerability that could be exploited by guest users on your network. The second section requires you to specify the behavior of the Web login form.
When the Web login form is submitted, the username and password are submitted to the NAS using the field names specified in Username Field and Password Field: The visitor’s username is submitted to the NAS, with any suffix provided in Username Suffix appended to the username. If the username suffix is blank, the username is not modified. The visitor’s password will be submitted to the NAS unmodified if the Password Encryption option No encryption (plaintext password) is selected.
The fifth section allows you to control the look and feel of the login page. Use the Insert self-registration link… drop-down list to insert HTML code that creates a link to an existing guest self-registration page. This may be of use when you are creating a landing page suitable for both registered and unregistered visitors. You are able to optionally create a login message in this section. This could be used to welcome the guest and outline the terms of usage.
The ‘Allowed Access’ and ‘Denied Access’ fields are access control lists that determine if a client is permitted to access this Web login page. You can specify multiple IP addresses and networks, one per line, using the following syntax:
1.2.3.4 – IP address
1.2.3.4/24 – IP address with network prefix length
1.2.3.4/255.255.255.0 – IP address with explicit network mask
The ‘Deny Behavior’ drop-down list may be used to specify the action to take when access is denied.
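To check how a given client address will be treated by lists written in the three syntaxes above, the following is an added example, not ClearPass Guest code, that parses such lists and evaluates a client against them. The precedence is an assumption made here, since the text does not state it: a client matching any Denied entry is refused, an empty Allowed list admits everyone else, and a non-empty Allowed list admits only matching clients. The same matcher can be pointed at the Allowed Dynamic and Denied Dynamic controller address lists if they use the same line syntax (also an assumption). Sample lists and client addresses are constructed.

```python
"""Evaluate a client IP against Allowed/Denied Access lists (one entry per line).

Added example, not ClearPass Guest code. Deny-over-allow precedence and the
"empty allowed list means open" rule are assumptions; sample data is constructed.
"""
import ipaddress
from typing import List


def parse_acl(text: str) -> List[ipaddress._BaseNetwork]:
    """Accept a.b.c.d, a.b.c.d/24 and a.b.c.d/255.255.255.0; ignore blank lines and # comments."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits in the entry, so 1.2.3.4/24 means 1.2.3.0/24;
            # ip_network() accepts both a prefix length and a dotted netmask after the slash.
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an address or network") from exc
    return nets


def contains(nets: List[ipaddress._BaseNetwork], addr: str) -> bool:
    """True if addr falls in any network; an IPv6 client never matches an IPv4 entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def is_permitted(client_ip: str, allowed: str, denied: str) -> bool:
    """Deny wins; otherwise an empty Allowed list is open and a non-empty one is a whitelist."""
    allowed_nets, denied_nets = parse_acl(allowed), parse_acl(denied)
    if contains(denied_nets, client_ip):
        return False
    return not allowed_nets or contains(allowed_nets, client_ip)
```

Because a single bad line makes `parse_acl` raise, run it over the list you intend to save; a typo in one entry otherwise risks either locking out legitimate clients or leaving the page open to every address.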
This will in turn result in a hidden field included in the Web login form. The field will be named wlan and will be set to the value ClearPass Guest. NAS Login Parameters Extra fields in the NAS login form may be defined using name=value pairs in the Web login form configuration. This allows you to specify values required by a particular NAS to log in, or to override values supplied by a NAS. You can also remove a NAS-supplied field from the form.
To access the value of a remembered field called “wlan”, use the syntax: {$extra_fields.wlan} To display all the remembered fields for the current visitor session, use the syntax: {dump var=$extra_fields export=html} Apple Captive Network Assistant Bypass with ClearPass Guest This section describes the process for leveraging the captive portal to bypass the Captive Network Assistant (Web sheet) that is displayed on iOS devices such as iPhones and iPads, and more recently on Mac OS X machines running Lion (10.7).
Also, if the user chooses to cancel the Web sheet, the Wi-Fi connection to the Open network will be dropped automatically, preventing any further interaction via the full browser or other applications. The following are examples of these Web sheet sessions from a Mac OS X Lion (10.7) laptop, an iPad and an iPhone.
Figure 18 Captive Network Assistant on Mac OS X
Figure 19 Captive Network Assistant on iPad
Figure 20 Captive Network Assistant on iPhone The Web sheet can be easily identified by the lack of a URL bar at the top of the screen and typical menu bar items. For many customers, this behavior of their Apple wireless devices will be acceptable and a great usability enhancement for their user community. There are, however, particular guest access or public access designs where the use of this Web sheet and the lack of ability to control the entire Web authentication user experience is not desirable.
The following CLI and WebUI examples show a typical configuration of the Captive Portal profile. The login page is set to point directly to the hosted Web Login page: http://10.169.130.50/Aruba_Login.php
Captive Portal Profile Configuration
aaa authentication captive-portal "guestnet"
    default-role auth-guest
    direct-pause 3
    no logout-popup-window
    login-page http://10.169.130.50/Aruba_Login.php
    welcome-page http://10.169.130.50/Aruba_welcome.
Figure 22 Configuring the Web Login page For example, a Captive Portal profile login page configuration like the following sample would link to a hosted Web login page called Aruba_Login: http:///landing.php/Aruba_Login.php. Database Lists This is a list of databases on the NAS server. The ClearPass Guest RADIUS server uses a database to store the user accounts for authentication and other settings for the server.
Database Maintenance Tasks Database optimization and other maintenance tasks can be performed using this form. These tasks are normally carried out automatically and do not require administrative intervention. Some system updates may require a database schema upgrade. If this is required, it is indicated on the database list with the schema upgrade icon. To upgrade the database schema, select the “Upgrade an existing database schema” operation.
The dictionary can be sorted by clicking on a column heading. Import Dictionary You are able to import RADIUS dictionary entries from a text file using the Import Dictionary command located under the More Options tab. These text files can be created by you or you can download them from a manufacturer who is not in the standard list. Export Dictionary You are able to export the dictionary by clicking on the More Options tab and choosing the Export Dictionary command.
3. Click the Reset Dictionary button to have the dictionary reset. This action cannot be undone. Vendors Vendors are manufacturers of NAS equipment. ClearPass Guest provides a list of manufacturers but you are able to add to this list. Vendor-specific attributes as defined in RFC 2865 can be used to configure specific options related to a particular vendor’s equipment. Creating a New Vendor A new vendor may be added to the dictionary from the Dictionary list view.
Vendor-Specific Attributes Vendor-specific attributes identify configuration items specific to that vendor’s equipment. Add a Vendor-Specific Attribute (VSA) A Vendor-Specific Attribute (VSA) is a RADIUS attribute defined for a specific vendor. You are able to add vendor-specific attributes to a vendor by clicking the vendor in the RADIUS dictionary list view and then clicking the Add VSA icon link. Each attribute has a name and a unique number specific to that vendor.
Once an attribute has been edited, click the Update Attribute button to save your changes. Delete Vendor-Specific Attribute Attributes can only be deleted from vendors that you have added to the dictionary. Vendor-specific attributes with a lock symbol next to their name are standard RADIUS dictionary entries and cannot be deleted. To delete a vendor-specific attribute, click it in the RADIUS dictionary list view and then click the Attribute icon link.
You are required to enter the name of the value to be added as well as its value. Values can only be added to attributes that are of integer type. Deleting Attribute Value Values that have been added to a vendor-specific attribute can be deleted using the Delete Value button. Attribute values with a lock symbol next to their name are standard RADIUS dictionary entries and cannot be deleted. EAP and 802.
To specify supported EAP types and the default type, and to configure OCSP options, see “Specifying Supported EAP Types”. To create a server certificate and self-signed certificate authority, see “Creating a Server Certificate and Self-Signed Certificate Authority”. To request a certificate from another certificate authority, see “Requesting a Certificate from a Certificate Authority”. To import a certificate and its private key, see “Importing a Server Certificate”.
2. In the Supported EAP Types row, mark the check box for each type the RADIUS server should support. The available types are EAP-MD5, EAP-MSCHAPv2, EAP-TLS, EAP-TTLS, and PEAP. If you select EAP-TLS, the EAP-TLS Configuration area is added at the bottom of the form. 3. In the Default EAP Type row, use the drop-down list to select the EAP type to use as the default when the server receives an EAP-Identity response. 4.
RADIUS Server Certificate form is displayed. The unique set of identifying details you enter on this form creates the Distinguished Name (DN) for the new certificate. Creating a new server certificate and self-signed CA is a three-step process: In step 1, a certificate signing request is created with the identifying details of the Distinguished Name for the RADIUS server’s digital certificate.
The “Common Name” of the CA certificate will be used to identify it to clients installing it as a trusted CA root. Make sure to choose a sensible name. Signing RADIUS Server Certificate: For a client to verify that the RADIUS server’s identity is valid, the server’s certificate must be issued by a certificate authority (CA) that is trusted by the client. This authority may be either a trusted third party CA, or a private certificate authority for which the root certificate has been distributed to clients. The clients must also be configured to validate the server certificate against that CA: a client that skips this check will complete PEAP or EAP-TTLS with any server that presents a certificate, which exposes the inner credentials to a rogue access point.
Complete the details for the certificate, and click the Download Request button to save the certificate signing request. This signing request should be submitted to your certificate authority (CA). The CA signs the request to create the server’s digital certificate. Once you have the certificate, you need to import it to set it up for use with EAP. See “Importing a Server Certificate”.
A digital certificate may be imported from either the PKCS#12 format, which is a single file containing one or more certificates and an encrypted private key, or from three individual files for the certificate, private key (optionally encrypted with a passphrase), and the root certificate authority. Complete the form with the details for your certificate, and click Continue to proceed to Step 2.
2. Select the appropriate PEAP options in the EAP Configuration form, as shown below:
3. Click the Save Changes button, and restart the RADIUS Server to apply the configuration.
4. You may verify that the EAP configuration is loaded by checking for the following startup message on the RADIUS Server Control screen:
    Tue Nov 17 01:04:05 2009 : Info: rlm_eap_tls: Loading the certificate file as a chain
5. The certificate authority used to issue the server’s certificate must be exported.
To install the exported CA certificate on a Windows client:
1. Open the .p7b file from Windows Explorer.
2. Select the certificate in the list. Right-click it and choose Open. The Certificate Information dialog opens.
3. Click the Install Certificate button. The Certificate Import Wizard opens.
4. Click Next. The Certificate Store form opens.
5. Click the Browse button to select the Trusted Root Certification Authorities store.
6. Click OK, and then click Next. The last page of the Certificate Import Wizard is displayed.
7. Click Finish. A security warning reminds you that if you install the certificate, all future certificates from this certificate authority will automatically be trusted. Click Yes to confirm and accept the certificate.
8. To make use of the imported root certificate, make sure that the CA is specified as a Trusted Root Certification Authority for the wireless network connection that is using PEAP.
Active Directory Domain Services: To perform certain types of user authentication, such as using the MS-CHAPv2 protocol to verify a username and password, the RADIUS server must first be joined to an Active Directory domain. For information on Proxy RADIUS, LDAP, and local certificate authority external authentication servers, see External Authentication Servers (EAS).
Joining an Active Directory Domain: To start the two-step process to join the domain, click the Join Domain command link on the RADIUS > Authentication > Active Directory Services page. The Join Active Directory Domain form is displayed, and includes troubleshooting tips. When the server’s DNS and network settings are correctly configured, all the necessary domain-related information is automatically detected.
Use the Edit Settings link at the top of this page if any of the automatically detected settings need to be modified. Joining the server to the Active Directory domain then requires entering the username and password for a domain administrator account. Click the Join Domain button to complete the process. Once the domain has been joined, the status is available on the Active Directory Services page.
The following options are available in the Authentication drop-down list:
MS-CHAPv2 – Encrypted password – Use this option to encrypt the user’s password using the MS-CHAPv2 authentication method and verify it with the server. A successful authentication using this method can only be performed when the ClearPass Guest server has joined the domain.
Plain text password – Use this option to perform a plain-text verification of the user’s password.
Provide these credentials in the Leave Active Directory Domain form and click the Leave Domain button. External Authentication Servers (EAS): Many networks have more than one place where user credentials are stored. Networks that have different types of users, geographically separate systems, or networks created by integrating different types of systems are all situations where user account information can be spread across several places.
Managing External Authentication Servers To view the list of external RADIUS authentication servers and create, edit, enable or disable, delete, test, view user roles or configure EAP for them, go to RADIUS > Authentication > Authentication Servers. The RADIUS Authentication Servers page lists all available sources that may be used for authentication. Changing the properties of an authentication server requires restarting the RADIUS server.
The top part of the form contains basic properties for the external authentication server.
NetBIOS Domain – automatically detected when joining the domain.
LDAP Server and Port Number – the hostname or IP address of the domain controller, with the corresponding port number of the LDAP service.
Bind Identity and Bind Password – credentials used to bind to the directory.
Base DN – the LDAP distinguished name of the root of the search tree.
The default settings for the “access_attr” and “access_attr_used_for_allow” settings mean that only users with the Remote Access Permission selected above will be authorized.
timelimit = 3 – The number of seconds the LDAP server has to process the query (server-side time limit).
net_timeout = 1 – The number of seconds to wait for a response from the LDAP server (network failures).
use_mppe = yes – If this option is set to ‘yes’, MS-CHAP authentication will return the RADIUS attribute MS-CHAP-MPPE-Keys for MS-CHAPv1, and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.
require_encryption = yes – If ‘use_mppe’ is enabled, ‘require_encryption’ tells the NAS that MPPE encryption of the session is required rather than optional (the reply carries MS-MPPE-Encryption-Policy set to Encryption-Required).
LDAP Server and Port Number – the hostname or IP address of the LDAP server, with the corresponding port number of the LDAP service. Security – select from one of these options: Automatic – based on port number – LDAP connections to port 636 are encrypted using TLS, while all other port numbers use an unencrypted LDAP connection. An unencrypted connection carries the bind credentials and every directory query in the clear, so choose an explicitly encrypted setting unless the directory is reachable only over a protected network segment.
Base DN – the LDAP distinguished name of the root of the search tree. This is typically a user’s container within the directory, but may be different depending on the directory’s schema. Username Attribute – the LDAP attribute that corresponds to the username. A filter expression is built that matches the value of the RADIUS Access-Request’s User-Name attribute with this attribute value in the directory.
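The filter construction described above is where the value of the RADIUS User-Name attribute meets the directory. The following is an added example, not ClearPass code: it builds that filter with RFC 4515 escaping and runs it through a minimal filter evaluator so the effect of an unescaped wildcard can be seen. The attribute name sAMAccountName, the directory entries and the usernames are constructed for the example.

```python
import re

# Characters with special meaning inside a filter, and their RFC 4515 escapes.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def username_filter(username_attr: str, user_name: str, escape: bool = True) -> str:
    """Build the filter that matches the RADIUS User-Name against the
    configured Username Attribute. escape=False shows the unsafe variant."""
    value = escape_filter_value(user_name) if escape else user_name
    return "(%s=%s)" % (username_attr, value)


def _unescape(text: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def search(filter_str: str, entries):
    """Minimal evaluator for one equality filter, honouring LDAP '*' wildcards
    and case-insensitive matching, so each filter's effect can be observed."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr_name, pattern = m.group(1), m.group(2)
    # An unescaped '*' is a wildcard; the escape '\2a' is a literal asterisk.
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return [e for e in entries
            if any(re.fullmatch(regex, v, re.I) for v in e.get(attr_name, []))]


# Constructed directory entries (keyed by the exact attribute name used above).
DIRECTORY = [
    {"sAMAccountName": ["demouser"],
     "memberOf": ["CN=Users,CN=Builtin,DC=server,DC=local"]},
    {"sAMAccountName": ["svc-radius"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=server,DC=local"]},
]

if __name__ == "__main__":
    for name in ("demouser", "*"):
        for escape in (True, False):
            f = username_filter("sAMAccountName", name, escape)
            print(f, "->", [e["sAMAccountName"][0] for e in search(f, DIRECTORY)])
```

With escaping, a User-Name of `*` produces `(sAMAccountName=\2a)` and matches nothing; without it the filter becomes `(sAMAccountName=*)` and matches every entry, which is the kind of broadening an authorization lookup must not allow.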
To configure the authorization method for a Proxy RADIUS external authentication server, see “Configuring Authorization for External Authentication Servers.” Configuring a Local Certificate Authority EAS For Local Certificate Authority authentication servers, the following fields are displayed in the Edit Authentication Server form. 1. In the Name field, enter a name to uniquely identify this server. 2. (Optional) You can use the Description field to include additional information. 3.
Configuring Authorization for External Authentication Servers The level of authorized access an authenticated user can have is controlled by the external authentication server’s authorization method. To configure a server’s authorization method, use the options under the Authorization heading of the RADIUS server’s Edit Authentication form. For more information about authorization methods, including examples, see “About Authorization Methods in External Authentication Servers” in this chapter.
Use PHP code to assign a user role (Advanced) may be used to control the mapping between the user account returned by an external authentication server and the RADIUS user role. The RADIUS server will return an Access-Reject message if the user authentication fails. If the authentication is successful, the authorization code is evaluated. The user object returned from the external authentication server is available as the variable $user.
Use role assigned to local user is the only authorization method available for the local user database. If the user’s authentication attempt is successful, the RADIUS server will respond with an Access-Accept message that includes the RADIUS attributes defined for the user’s role. Use the common name of the client certificate to match a local user account may be specified for users authenticated via EAP-TLS on a client’s local certificate server.
With authorization method Assign a fixed user role:
    Sending Access-Request of id 122 to 127.0.0.1 port 1812
        User-Name = "demouser"
        User-Password = "XXXXXXXX"
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=122, length=27
        Reply-Message = "Guest"
Note that in this case, the RADIUS attribute returned (Reply-Message) corresponds to the user role selected.
For example, to implement the following configuration:
Members of the Domain Admins group should be mapped to RADIUS role ID 4
Members of the Users group should be mapped to RADIUS role ID 5
All other users should be rejected
Select the authorization method Use PHP code to assign a user role (Advanced) and use the following code:
    if (in_array('CN=Domain Admins,CN=Users,DC=server,DC=local', $user['memberof']))
        return 4;
    if (in_array('CN=Users,CN=Builtin,DC=server,DC=local', $user['memberof']))
        return 5;
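The PHP rules above compare group DNs with plain string equality, which is the right shape (an exact match on the full DN) but is sensitive to the case and spacing the directory happens to return. The following is an added example, not ClearPass code, that carries the same first-match-wins mapping in Python with normalised DN comparison, and contrasts it with a substring check to show why matching on the full DN matters. The role IDs and group DNs are the page's; the user records are constructed.

```python
import re

# Ordered like the PHP rules: the first matching group decides the role.
ROLE_RULES = [
    ("CN=Domain Admins,CN=Users,DC=server,DC=local", 4),
    ("CN=Users,CN=Builtin,DC=server,DC=local", 5),
]


def normalize_dn(dn: str) -> str:
    """Lower-case and trim each RDN so 'cn=Users, dc=Server' equals 'CN=Users,DC=server'.
    Splits only on unescaped commas, so a value containing '\\,' stays intact."""
    return ",".join(rdn.strip() for rdn in re.split(r"(?<!\\),", dn)).lower()


def assign_role(user: dict, rules=ROLE_RULES):
    """Return the role ID for the first rule whose group the user belongs to,
    or None, meaning the user should be rejected."""
    groups = {normalize_dn(g) for g in user.get("memberof", [])}
    for group_dn, role_id in rules:
        if normalize_dn(group_dn) in groups:
            return role_id
    return None


def substring_role(user: dict, rules=ROLE_RULES):
    """The looser check (does any group DN contain 'CN=<name>'?), kept only to
    show that it also matches groups whose names merely start with <name>."""
    joined = " ".join(user.get("memberof", [])).lower()
    for group_dn, role_id in rules:
        if group_dn.split(",")[0].lower() in joined:
            return role_id
    return None
```

A user whose only group is `CN=Domain Admins Helpdesk,CN=Users,DC=server,DC=local` is rejected by `assign_role` but would be handed role 4 by the substring variant.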
Testing a Local Certificate Authority EAS For Local Certificate Authority external authentication servers, additional testing options are included to simulate EAP-TLS authentication with a client certificate. 1. To specify the network layer to test against, mark the radio button in the Mode row for either the local RADIUS server or a remote RADIUS server. 2.
If you selected PKCS#12 for the TLS identity, in the PKCS#12 row browse to the file on your system that contains both the client certificate and the client’s private key. When this file is uploaded, if a CA certificate is also included, it is used to verify the server’s identity. If you selected Separate certificate and key files (.pem, .cer, .crt) for the TLS identity: 1. In the Client Certificate row, browse to the file containing the client certificate. This must be a base-64 encoded (PEM) or binary encoded (DER) certificate.
The list displays the certificates that have been installed. By default, the list is empty. After selecting a certificate in the list, the following actions are available: Show Details – display information about the certificate, including its unique “fingerprint” identifier and technical information about the certificate. Export Certificate – download the certificate in one of several different formats (PKCS#7, base-64 encoded, binary X.509, or plain text).
Chapter 6 Operator Logins An operator is a company’s staff member who is able to log in to ClearPass Guest. Different operators may have different roles that can be specified with an operator profile. These profiles might be to administer the ClearPass Guest network, manage guests, or run reports. Operators may be defined locally in ClearPass Guest, or externally in an LDAP directory server.
Figure 23 Operator profiles and visitor access control See “About Operator Logins” in this chapter for details on configuring different forms and views for operator profiles. Operator Profiles An operator profile determines what actions an operator is permitted to take when using ClearPass Guest. Some of the settings in an operator profile may be overridden in a specific operator’s account settings. These customized settings will take precedence over the default values defined in the operator profile.
The fields in the first area of the form identify the operator profile and capture any optional information: 1. You must enter a name for this profile in the Name field. 2. (Optional) You may enter additional information about the profile in the Description field. The fields in the second area of the form define permissions for the operator profile: 1. To disable a profile, unmark the Allow Operator Logins check box in the Enabled row.
For each permission, you may grant No Access, Read Only Access, Full Access, or Custom access. The default in all cases is No Access. This means that you must select the appropriate privileges in order for the profile to work. See “Operator Profile Privileges” in this chapter for details about the available access levels for each privilege. If you choose the Custom setting for an item, the form expands to include additional privileges specific to that item. 4.
If one or more roles are selected, then only those roles will be available for the operator to select from when creating a new guest account. The guest account list is also filtered to show only guest accounts with these roles. If a database is selected in the User Roles list, but no roles within that database are selected, then all roles defined in the database will be available. This is the default option. 5. The Operator Filter may be set to limit the types of accounts that can be viewed by operators.
The user can enter a simple substring to match a portion of the username or any other fields that are configured for search, and may include the following operators:
Table 19 Operators supported in filters
    Operator    Meaning           Additional Information
    =           is equal to       You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ).
    !=          is not equal to
operator profile, choose a page from the drop-down list. For example, if a profile is designed for users who do only certain tasks, you might want the application to open at the module where those tasks are performed. 3. (Optional) In the Language row, the default setting is Auto-detect. This lets the application determine the operator’s language preference from their local system settings. To specify a particular language to use in the application, choose the language from the drop-down list. 4.
Operator Profile Privileges The privilege selections available for an operator profile provide you with control over the functionality that is available to operators. No Access means that the operator will have no access to the particular area of functionality. Options for that functionality will not appear for that operator in the menus. Read Only Access means that the operator can see the options available but is unable to make any changes to them.
Local Operator Authentication: Local operators are those defined in ClearPass Guest. Creating a New Operator: After you create a profile, you can create an operator to use that profile.
Any properties for the operator login that are set to (Default) are taken from the operator profile. The Operator Filter field lets you select from three other options besides Default: No operator filter—All guest accounts display. Only show accounts created by the operator—Only guest accounts created by the operator display. Only show accounts by operators created within their profile—Only guest accounts created by all operators within a profile display.
The Operator Logins list opens. When you click an operator login entry in the Operator Logins list, the row expands to provide links that allow you to perform various operations.
Changing Operator Passwords To change the password for an operator, edit the operator login and type a new password in the “Operator Password” and “Confirm Password” password fields. You may also want to select “Force a password change on their next login” under Password Options to allow the operator to select a new password.
To specify a basic LDAP server connection (hostname and optional port number), use a Server URL of the form ldap://hostname/ or ldap://hostname:port/. See “Advanced LDAP URL Syntax” in this chapter for more details about the types of LDAP URL you may specify. Select the Enabled option if you want this server to authenticate operator logins.
This form allows you to specify the type of LDAP server your system will use. Click the Server Type drop-down list and select one of the following options:
Table 21 Server Type Parameters
    Server Type: Microsoft Active Directory, POSIX Compliant, or Custom
    Required Configuration Parameters:
        Server URL – the URL of the LDAP server
        Bind DN and Bind Password – the distinguished name and password to use when binding to the LDAP server, or empty for an anonymous bind
Once you have completed the form, check your settings by clicking the Test Settings button. Use the Test Username and Test Password fields to supply a username and password for the authentication check. If the authentication is successful, the operator profile assigned to the username will be displayed. If the authentication fails, an error message will be displayed.
Ping—Sends a ping message (echo request) to the LDAP server to verify connectivity between the LDAP server and the ClearPass Guest server. Test Auth—Adds a Test Operator Login area in the LDAP servers form that allows you to test authentication of operator login values. Test Lookup—Adds a Test Operator Lookup form in the LDAP servers list that allows you to look up sponsor names.
You can also verify operator authentication when you create a new LDAP server configuration using the Test Settings button on the LDAP Configuration form (see “Creating an LDAP Server” in this chapter for a description). Looking Up Sponsor Names: This option is only available if sponsor lookup has been enabled for the server on the Edit Authentication Server page. 1. To look up a sponsor, select a server name in the LDAP Server table, then click the link.
Verify that the Bind DN is correct – the correct DN will depend on the structure of your directory, and is only required if the directory does not permit anonymous bind. Verify that the Base DN is correct – the Base DN for user searches is fixed and must be specified as part of the Server URL.
greater than – numerical value is greater than the match value starts with – case-insensitive substring match at start of string ends with – case-insensitive substring match at end of string 4. Select a Value. The Value field states what is to be matched, in this case CN=Administrators to look for a specific group of which the user is a member. 5. Click the On Match drop-down list and select the action the system should take when there is a match.
To edit the matching rule list, select an entry in the table to display a menu that lets you perform the following actions:
Edit – changes the configuration of the matching rule
Delete – removes the matching rule from the list
Duplicate – creates a duplicate copy of an existing rule
Disable – temporarily disables the rule without deleting it from the rule list
Enable – re-enables a disabled rule
Move Up – moves the rule up to a higher priority on the rule list
Move Down – moves t
For example, to permit non-administrator users to access the system only between the hours of 8:00 am and 6:00 pm, you could define the following LDAP translation rule. The Custom rule is:
    {strip}
    {if stripos($user.memberof, "CN=Administrators")!==false}
      1
    {elseif date('H') >= 8 && date('H') < 18}
      1
    {else}
      0
    {/if}
    {/strip}
Explanation: The rule will always match on the “memberof” attribute that contains the user’s list of groups. Note that stripos() is a case-insensitive substring search, so "CN=Administrators" also matches any group whose name merely begins with Administrators (for example a CN=Administrators-Readonly group); compare against the group’s full distinguished name if such groups exist in the directory.
Operator Logins Configuration You are able to configure a message on the login screen that will be displayed to all operators. This must be written in HTML. You may also use template code to further customize the appearance and behavior of the login screen. Options related to operator passwords may also be specified, including the complexity requirements to enforce for operator passwords.
      contacting Aruba Networks.
    {else}
      The ClearPass Guest demo site
      requires a username and password.
      If you don’t have a login,
      contact Aruba Networks to obtain one.
    {/if}
In the Login Footer field, enter any HTML information that you want displayed in the Operator Login form. Select the login skin from the Login Skin drop-down menu.
Advanced Operator Login Options
The following options are available in the Logging drop-down list:
No logging
Log only failed operator login attempts
Log only Web logins
Log only XMLRPC access
Log all access
Log messages for operator logins, whether successful or unsuccessful, are shown in the application log.
Automatic Logout: The Logout After option in the Advanced Options section lets you configure an amount of idle time after which an operator’s session will be ended.
Chapter 7 Guest Management The ability to easily create and manage guest accounts is the primary function of ClearPass Guest. Guest Manager provides complete control over the user account creation process. Using the built-in customization editor you can customize fields, forms and views as well as the forms for guest selfregistration. Accessing Guest Manager Use the Guest Manager command on the home page to access the guest management features.
Sponsored Guest Access The following figure shows the process of sponsored guest access. See Figure 24. Figure 24 Sponsored guest access with guest created by operator The operator creates the guest accounts and generates a receipt for the account. The guest logs on to the Network Access Server (NAS) using the credentials provided on her receipt. The NAS authenticates and authorizes the guest’s login in ClearPass Guest. Once authorized, the guest is able to access the network.
registration page, where the guest creates a new account. At the conclusion of the registration process, the guest is automatically redirected to the NAS to log in. The guest can print or download a receipt, or have the receipt information sent to her by SMS or email. The NAS performs authentication and authorization for the guest in ClearPass Guest. Once authorized, the guest is then able to access the network.
To complete the form, first enter the visitor’s details into the Sponsor’s Name, Visitor Name, Company Name and Email Address fields. The visitor’s email address will become their username to log into the network. You can specify the account activation and expiration times. The visitor account cannot be used before the activation time, or after the expiration time. The Account Role specifies what type of account the visitor should have. A random password is created for each visitor account.
To print a receipt for the visitor, select an appropriate template from the Open print window using template… list. A new Web browser window will open and the browser’s Print dialog box will be displayed. Click the Send SMS receipt link to send a guest account receipt via text message. Use the SMS Receipt form to enter the mobile telephone number to which the receipt should be sent. Sending SMS receipts requires the SMS Services plugin.
To complete the form, you must enter the number of visitor accounts you want to create. A random password will be created for each visitor account. This is not displayed on this form, but will be available on the guest account receipt. You can specify the account activation and expiration times. The visitor accounts cannot be used before the activation time, or after the expiration time. To create temporary “scratch card” accounts, you may specify a value for the Account Lifetime.
Lifetime – the account lifetime in minutes, or N/A if the account does not have a lifetime specified Successful – “Yes” if the account was created successfully, or “No” if there was an error creating the account Creating a Single Password for Multiple Accounts You can create multiple accounts that have the same password. In order to do this, you first customize the Create Multiple Guest Accounts form to include the Password field.
2. In the Number of Accounts field, enter the number of accounts you wish to create. 3. In the Visitor Password field, enter the password that is to be used by all the accounts. 4. Complete the other fields with the appropriate information, then click Create Accounts. The Finished Creating Guest Accounts view opens. The password and other account details are displayed for each account.
Managing Guest Accounts Use the Guest Manager Accounts list view to work with individual guest accounts. To open the Guest Manager Accounts list, go to Guests > List Guest Accounts. This view (guest_users) may be customized by adding new fields or modifying or removing the existing fields. See “Customization of Fields” in this chapter for details about this customization process. The default settings for this view are described below.
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:
Table 24 Operators supported in filters
    Operator    Meaning           Additional Information
    =           is equal to       You may search for multiple values when using the equality (=) or inequality (!=) operators.
    !=          is not equal to
Click the Update Account button to reset the guest account’s password. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details. Change expiration – Changes the expiration time for a guest account. This form (change_expiration) may be customized by adding new fields, or modifying or removing the existing fields.
This form may be customized by adding new fields, or modifying or removing the existing fields. Refer to the section of this chapter for details about this customization process. This is the guest_edit form. Click the Update Account button to update the properties of the guest account. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details. Sessions – Displays the active sessions for a guest account.
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:
Table 25 Operators supported in filters
    Operator    Meaning           Additional Information
    =           is equal to       You may search for multiple values when using the equality (=) or inequality (!=) operators.
    !=          is not equal to
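The filter syntax in Tables 19, 24 and 25 (a plain substring, `=`, `!=`, and `|`-separated values) is small enough to implement, and doing so makes its matching rules concrete. The following is an added example, not ClearPass code: the exact `field=value` form, the list of searchable fields and the sample accounts are assumptions made for the example.

```python
SEARCH_FIELDS = ("username", "visitor_name", "email")  # assumed searchable fields


def parse_filter(text: str):
    """Return (field, op, values); op is '=', '!=' or 'contains' (plain substring)."""
    text = text.strip()
    for op in ("!=", "="):          # test '!=' first so it is not read as '='
        if op in text:
            field, _, rhs = text.partition(op)
            values = [v.strip() for v in rhs.split("|") if v.strip()]
            if not field.strip() or not values:
                raise ValueError("malformed filter: %r" % text)
            return field.strip(), op, values
    return None, "contains", [text]


def matches(account: dict, parsed) -> bool:
    field, op, values = parsed
    wanted = [v.lower() for v in values]
    if op == "contains":            # substring over every searchable field
        return any(wanted[0] in str(account.get(f, "")).lower() for f in SEARCH_FIELDS)
    actual = str(account.get(field, "")).lower()
    return actual in wanted if op == "=" else actual not in wanted


def apply_filter(text: str, accounts):
    parsed = parse_filter(text)
    return [a for a in accounts if matches(a, parsed)]


ACCOUNTS = [  # constructed sample records
    {"username": "demo005", "visitor_name": "Demo five", "email": "five@example.com", "role_name": "Guest"},
    {"username": "demo006", "visitor_name": "Demo six", "email": "six@example.com", "role_name": "Guest"},
    {"username": "staff01", "visitor_name": "Staff one", "email": "one@example.com", "role_name": "Employee"},
]

if __name__ == "__main__":
    for f in ("demo", "username=demo005|staff01", "role_name!=Guest"):
        print(f, "->", [a["username"] for a in apply_filter(f, ACCOUNTS)])
```

Comparison is case-insensitive throughout, and an empty filter matches every account, which is the behaviour of a cleared Filter field.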
Use the selection row at the top of the table to work with the current set of selected accounts. The number of currently selected accounts is shown. When a filter is in effect, the “All Matching” link can be used to add all pages of the filtered result to the selection. Use the Create tab to create new visitor accounts using the Create Guest Accounts form. See “Managing Multiple Guest Accounts” in this chapter for details about this form.
To complete the form, you must either specify a file containing account information, or type or paste in the account information to the Accounts Text area. Select the Show additional import options check box to display the following advanced import options: Character Set: ClearPass Guest uses the UTF-8 character set encoding internally to store visitor account information. If your accounts file is not encoded in UTF-8, the import may fail or produce unexpected results if non-ASCII characters are used.
In this example, the following data was used:
    username,visitor_name,password,expire_time
    demo005,Demo five,secret005,2011-06-10 09:00
    demo006,Demo six,secret006,2011-06-11 10:00
    demo007,Demo seven,secret007,2011-06-12 11:00
    demo008,Demo eight,secret008,2011-06-13 12:00
    demo009,Demo nine,secret009,2011-06-13 12:00
    demo010,Demo ten,secret010,2011-06-13 12:00
    demo011,Demo eleven,secret011,2011-06-13 12:00
Because this data includes a header row that contains field names, the corresponding fields have been aut
Click the Next Step button to preview the final result. Step 3 of 3 displays a preview of the import operation. The values of each guest account field are determined, and any conflicts with existing user accounts are displayed. The icon displayed for each user account indicates whether it is a new entry or whether an existing user account will be updated. By default, this form shows ten entries per page.
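Before an import file like the one above is committed, a practitioner wants the checks that the preview step performs: strict decoding in the declared character set, a header row naming the required fields, well-formed expiration times, and a new-or-update decision against the existing accounts. The following is an added example, not ClearPass code; the sample data is the page's own, the set of existing accounts is constructed, and the time format and the choice of which field is required are assumptions.

```python
import csv
import io
from datetime import datetime

REQUIRED = ("username",)            # assumed minimum header for an import
TIME_FORMAT = "%Y-%m-%d %H:%M"      # format used in the sample expire_time values

SAMPLE = b"""username,visitor_name,password,expire_time
demo005,Demo five,secret005,2011-06-10 09:00
demo006,Demo six,secret006,2011-06-11 10:00
demo007,Demo seven,secret007,2011-06-12 11:00
demo008,Demo eight,secret008,2011-06-13 12:00
demo009,Demo nine,secret009,2011-06-13 12:00
demo010,Demo ten,secret010,2011-06-13 12:00
demo011,Demo eleven,secret011,2011-06-13 12:00
"""


def decode_accounts(raw: bytes, charset: str = "utf-8") -> str:
    """Decode strictly: a wrong character set fails here instead of silently
    corrupting non-ASCII visitor names."""
    return raw.decode(charset)


def preview_import(raw: bytes, existing: set, charset: str = "utf-8"):
    """Return (records, errors). Each record carries the username, the action
    ('new' or 'update') and a parsed expire_time; passwords are not copied."""
    reader = csv.DictReader(io.StringIO(decode_accounts(raw, charset)))
    missing = [f for f in REQUIRED if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("header row lacks required field(s): %s" % ", ".join(missing))
    records, errors = [], []
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        username = (row.get("username") or "").strip()
        if not username:
            errors.append("line %d: empty username" % line_no)
            continue
        record = {"username": username,
                  "action": "update" if username in existing else "new",
                  "has_password": bool(row.get("password"))}
        if row.get("expire_time"):
            try:
                record["expire_time"] = datetime.strptime(row["expire_time"].strip(), TIME_FORMAT)
            except ValueError:
                errors.append("line %d: bad expire_time %r" % (line_no, row["expire_time"]))
                continue
        records.append(record)
    return records, errors


if __name__ == "__main__":
    records, errors = preview_import(SAMPLE, existing={"demo006"})
    for r in records:
        print(r["username"], r["action"], r.get("expire_time"))
    print("errors:", errors)
```

The import file carries every account password in clear text, so it should be handled as credential material and deleted once the import is confirmed; the preview above deliberately records only whether a password was supplied.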
Exporting Guest Account Information Guest account information may be exported to a file in one of several different formats. Click the appropriate command link to save a list of all guest accounts in comma-separated values (CSV), tab-separated values (TSV), or XML format. This view (guest_export) may be customized by adding new fields, modifying or removing the existing fields. See “Customizing Self Provisioned Access” in this chapter for details about this customization process.
SMS and email receipts – Include a short text message with your guest’s username and password, or send HTML emails containing images. Advanced customization – ClearPass Guest is flexible and can be used to provide location sensitive content and advertising. Default Settings for Account Creation The Guest Manager plugin configuration holds the default settings for account creation. These settings can be modified by navigating to Customize Guest Manager within the Guest Manager Customization screen.
Username Length –This field is displayed if the Username Type is set to “Random digits”, “Random letters”, “Random letters and digits” or “Sequential numbering”. The default length of random account usernames (when creating groups of accounts). This may be overridden by using the random_username_length field. Username Format – This field is displayed if the Username Type is set to “Format picture”. It sets the format of the username to be created.
Figure 27 Customize Guest Manager page (part 2)—continued Expire Action – Default action to take when the expiration time is reached. There are four options. A logout can only occur if the NAS is RFC-3576 compliant. Account Retention – Deleted user accounts are available for reporting purposes. The default value is 1 year after the user account is deleted. If you do not want to retain any data, set the value to 0.
Figure 28 Customize Guest Manager page (part 3)—continued Lifetime Options – Default values for account lifetimes. These options are displayed as the values of the “Account Lifetime” field when creating a user account. Terms of Use URL – URL of a terms and conditions page provided to sponsors. You may upload an HTML file describing the terms and conditions of use using the Content Manager ( See “Content Manager” in the Administrator Tasks chapter). If this file is called terms.
Password Display – Select the “View guest account passwords” to enable the display of visitor account passwords in the user list. To reveal passwords, the password field must be added to the “guest_users” or “guest_edit” view, and the operator profile in use must also have the View Passwords privilege. Initial Sequence – This field contains the next available sequence number for each username prefix that has been used.
modify_password: This field controls password modification for the visitor account.
Visitor Account Expiration Properties do_expire, modify_expire_time, expire_after and expire_time: These fields are used to determine the time at which the visitor account will expire. If modify_expire_time is “none”, then the account has no expiration time set. If modify_expire_time is “now”, then the account is disabled and has no expiration time set.
“Logout” indicates that a RADIUS Disconnect-Request will be used for all active sessions that have a username matching the account username. This option requires the NAS to support RFC 3576 dynamic authorization. See “RFC 3576 Dynamic Authorization” in this chapter for more information. Standard Fields See “Field, Form and View Reference” in the Reference chapter for a listing of the standard fields shipped with ClearPass Guest.
Table 27 Visitor Management Forms and Views (Continued)

guest_register          Form   Guest Self-Registration           Yes
guest_register_receipt  Form   Guest Self-Registration Receipt   Yes
guest_sessions          View   Active Sessions                   Yes
guest_users             View   List Accounts                     Yes
remove_account          Form   Remove Account                    No
reset_password          Form   Reset Password                    No

These forms are accessed directly:
create_multi form – multiple account creation
create_user form – sponsored account creation
guest_register form – guest sel
A complete list of fields is displayed when you click the Fields command link on the Customize Guest Manager page. To display only the fields that you have created, click the Custom Fields Only link in the bottom row of the list view. To return to displaying all fields, click the All Fields link.

Creating a Custom Field

To create a custom field, click the Create tab at the top of the window or the link at the bottom of the window. The Create Field form is displayed.
You can specify the default properties to use when adding the field to a form. See “View Field Editor” in this chapter for a list of the available user interface types. You can specify the default validation rules that should be applied to this field when it is added to a form. See “Form Validation Properties” in this chapter for further information about form validation properties.
Displaying Views that Use a Field

Click the Show Views link to see a list of the views that use the selected field. From this list you can edit a view’s fields by clicking its Edit Fields link, or display the view by clicking its Use link. If the field is used on multiple views, you can select which view you would like to see.

Customization of Forms and Views

You are able to view a list of forms and views.
Duplicating Forms and Views

Click the Duplicate link to make a copy of a form or view. Use the Duplicate link to provide different forms and views to different operator profiles. See “Role-Based Access Control for Multiple Operator Profiles” in the Operator Logins chapter for a description. This enables you to provide different views of the underlying visitor accounts in the database depending on the operator’s profile.
Form fields have a rank number, which specifies the relative ordering of the fields when displaying the form. The Customize Form Fields editor always shows the fields in order by rank. The type of each form field is displayed. This controls what kind of user interface element is used to interact with the user. The label and description displayed on the form is also shown in the list view. Click a form field in the list view to select it.
Each field can only appear once on a form. The Field Name selects which underlying field is being represented on the form. The remainder of the form field editor is split into three sections:
Form Display Properties
Form Validation Properties
Advanced Properties
Each of these sections is described in more detail below.

Form Display Properties

The form display properties control the user interface that this field will have.
Check box – A check box is displayed for the field. The check box label can be specified using HTML. If the check box is selected, the field is submitted with its value set to the check box value (default and recommended value 1). If the check box is not selected, the field is not submitted with the form.
Checklist – A list of check boxes is displayed. The text displayed for each check box is the value from the options list. Zero or more check boxes may be selected.
Because an array value may not be stored directly in a custom field, you should use the conversion and value formatting facilities to convert the array value to and from a string when using this user interface type. To store a comma-separated list of the selected values, enable the Advanced options, select “NwaImplodeComma” for Conversion, select “NwaExplodeComma” for Display Function and enter the field’s name for Display Param.
How this works: Suppose the first two check boxes are selected (in this example, with keys “one” and “two”). The incoming value for the field will be an array containing 2 elements, which can be written as array("one", "two"). The NwaImplodeComma conversion is applied, which converts the array value into the string value “one,two”, which is then used as the value for the field.
File upload – Displays a file selection text field and dialog box (the exact appearance differs from browser to browser). File uploads cannot be stored in a custom field. This user interface type requires special form implementation support and is not recommended for use in custom fields.
Hidden field – If Hidden Field is selected in the User Interface drop-down list, the field is not displayed to the user, but is submitted with the form.
Password text field – The field is displayed as a text field, with input from the user obscured. The text typed in this field is submitted as the value for the field.
Radio buttons – The field is displayed as a group of radio buttons, allowing one to be selected. The text displayed for each option is the value from the options list. When the form is submitted, the key of the selected value becomes the value of the field.
The “Vertical” and “Horizontal” layout styles control whether the radio buttons are organized in top-to-bottom or left-to-right order. The default is “Vertical” if not specified.
Static text – The field’s value is displayed as a non-editable text string. An icon image may optionally be displayed before the field’s value. A hidden element is also included for the field, thereby including the field’s value when the form is submitted.
Static text (Raw value) – The field’s value is displayed as a non-editable text string. HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links and font formatting. Use caution when using this type of user interface element, particularly if the field’s value is collected from visitors. Allowing HTML from untrusted sources is a potential security risk. To set the value of this field, use the Initial Value option in the form field editor.
Static group heading – The label and description of the field are used to display a group heading on the form. The field’s value is not used, and the field is not submitted with the form. When using this user interface element, it is recommended that you use the “nwaImportant” CSS class to visually distinguish the group heading’s title.
Submit button – The field is displayed as a clickable form submit button, with the label of the field as the label of the button. The description is not used.
Text area – The field is displayed as a multiple-line text box. The text typed in this box is submitted as the value for the field. It is recommended that you specify the desired minimum dimensions of the text area, either with the Rows and Columns options, or by specifying a width in the CSS Style (for example, “width: 460px; height: 100px;” specifies a 460 x 100 pixel minimum area).
Text field – The field is displayed as a single-line text box.
Form Validation Properties

The form validation properties control the validation of data entered into a form. By specifying appropriate validation rules, you can detect when users attempt to enter incorrect data and require them to correct their mistake. The initial value for a form field may be specified. Use this option when a field value has a sensible default. The initial value should be expressed in the same way as the field’s value.
Validation errors are displayed to the user by highlighting the field(s) that are in error and displaying the validation error message with the field: All fields must be successfully validated before any form processing can take place. This ensures that the form processing always has user input that is known to be valid. To validate a specific field, choose a validator from the drop-down list. See “Form Field Validation Functions” in the Reference chapter for a description of the built-in validators.
With these validator settings, users that enter an invalid value will now receive a validation error message. Furthermore, note that blank values, or non-numeric values, will result in a different error message. The reason for this is that in this case, the validation has failed due to a type error – the field is specified to have an integer type, and a blank or non-numeric value cannot be converted to an integer.
Note that the regular expression used here includes beginning and ending delimiters (in this case the / character), and ensures that the whole string matches by the start-of-string marker ^ and the end-of-string marker $. The construct \d is used to match a single digit. Many equivalent regular expressions could be written to perform this validation task. See “Regular Expressions” in the Reference chapter for more information about regular expressions.
For pre-registered guest accounts, some fields may be completed during pre-registration and some fields may be left for the guest to complete at registration. You can use the Pre-Registration field to specify whether the guest’s entry must match the preliminary value provided for a field during pre-registration. If a value was not provided for a field when the account was created, choose Field was not preregistered from the drop-down list.
The Conversion step should be used when the type of data displayed in the user interface is different from the type required when storing the field. For example, consider a form field displayed as a date/time picker, such as the expire_time field used to specify an account expiration time on the create_user form. The user interface is displayed as a text field, but the value that is required for the form processing is a UNIX time (integer value).
A comparison of these two approaches is shown below to illustrate the difference: When using a Conversion or Value Format function, you will almost always have to set up a Display Function for the form field. This function is used to perform the conversion in the reverse direction – between the internal stored value and the value displayed in the form field.
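The type check, validator, Conversion and Display Function steps described above, as an added Python example that is not part of the ClearPass Guest product: the implode/explode, date conversion and regex-validator functions are simplified stand-ins for the product's own PHP functions, and the form definition is constructed for illustration.

```python
import re
from datetime import datetime
from typing import Any, Callable, Dict, List, Tuple

# Simplified stand-ins for the page's Conversion / Display Function pairs
# (assumption: the product's NwaImplodeComma and NwaExplodeComma are PHP code).
def nwa_implode_comma(value: List[str]) -> str:
    """Conversion: checklist array ["one", "two"] -> stored string "one,two"."""
    return ",".join(value)

def nwa_explode_comma(value: str) -> List[str]:
    """Display function: stored "one,two" -> ["one", "two"] for the checklist."""
    return [v for v in value.split(",") if v] if value else []

def datetime_to_unix(value: str) -> int:
    """Conversion for a date/time picker such as expire_time: text -> UNIX time."""
    return int(datetime.strptime(value, "%Y-%m-%d %H:%M").timestamp())

def unix_to_datetime(value: int) -> str:
    """Display function: the reverse direction, UNIX time -> picker text."""
    return datetime.fromtimestamp(value).strftime("%Y-%m-%d %H:%M")

def regex_validator(pattern: str) -> Callable[[Any], bool]:
    """Build a validator from a delimited pattern such as /^\\d{4}$/ (the
    delimiter is the first character; trailing letters are flags, as in PCRE)."""
    delim = pattern[0]
    end = pattern.rfind(delim)
    if end <= 0:
        raise ValueError("pattern must start and end with the same delimiter")
    body, flags = pattern[1:end], pattern[end + 1:]
    compiled = re.compile(body, re.IGNORECASE if "i" in flags else 0)
    return lambda v: compiled.search(str(v)) is not None

def check_field(field: Dict[str, Any], raw: Any) -> Tuple[Any, str]:
    """Return (converted value, "") on success or (None, error message) on failure."""
    # Type check comes first: an integer field turns a blank or non-numeric
    # value into a type error before any validator is consulted.
    if field.get("type") == "integer":
        text = "" if raw is None else str(raw).strip()
        if not re.fullmatch(r"-?\d+", text):
            return None, f"{field['name']}: value must be an integer"
        value: Any = int(text)
    else:
        value = raw
    if field.get("required") and value in (None, "", []):
        return None, f"{field['name']}: this field is required"
    if value in (None, ""):
        return value, ""          # optional field left blank: nothing to validate
    validator = field.get("validator")
    if validator is not None and not validator(value):
        return None, field.get("validator_error", f"{field['name']}: invalid value")
    conversion = field.get("conversion")
    return (conversion(value) if conversion else value), ""

def process_form(fields: List[Dict[str, Any]], submitted: Dict[str, Any]):
    """Validate every field; store nothing unless all fields pass (the page's
    rule that no form processing happens until the whole form is valid)."""
    stored: Dict[str, Any] = {}
    errors: Dict[str, str] = {}
    for field in fields:
        value, error = check_field(field, submitted.get(field["name"]))
        if error:
            errors[field["name"]] = error
        else:
            stored[field["name"]] = value
    return ({}, errors) if errors else (stored, {})

def display_values(fields: List[Dict[str, Any]], stored: Dict[str, Any]) -> Dict[str, Any]:
    """Apply each field's Display Function to turn stored values back into UI values."""
    shown: Dict[str, Any] = {}
    for field in fields:
        value = stored.get(field["name"])
        display = field.get("display")
        shown[field["name"]] = display(value) if (display and value is not None) else value
    return shown

# Constructed form definition (not a form shipped with the product)
FORM_FIELDS = [
    {"name": "visitor_code", "type": "integer", "required": True,
     "validator": regex_validator(r"/^\d{4}$/"),
     "validator_error": "visitor_code: please enter a 4-digit code"},
    {"name": "interests", "type": "checklist",
     "conversion": nwa_implode_comma, "display": nwa_explode_comma},
    {"name": "expire_time", "type": "datetime",
     "conversion": datetime_to_unix, "display": unix_to_datetime},
]

if __name__ == "__main__":
    good = {"visitor_code": "1234", "interests": ["one", "two"],
            "expire_time": "2012-06-01 09:30"}
    stored, errors = process_form(FORM_FIELDS, good)
    print("stored:", stored, "errors:", errors)
    print("displayed:", display_values(FORM_FIELDS, stored))
    for bad in ({"visitor_code": "12345"}, {"visitor_code": ""}, {"visitor_code": "abc"}):
        print("rejected:", process_form(FORM_FIELDS, bad)[1])
```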
Because of the scoping rules of JavaScript, all of the user interface elements that make up the form are available as variables in the local scope with the same name as the form field. Thus, to access the current value of a text field named sample_field in a JavaScript expression, you would use the code sample_field.value. Most user interface elements support the value property to retrieve the current value.
column are also shown in the list view. Values displayed in italics are default values defined for the field being displayed. Click a view field in the list view to select it. Use the Edit link to make changes to an existing column using the view field editor. Any changes made to the field using this editor will apply only to this field on this view. Use the Edit Base Field link to make changes to an existing field definition.
The Column Format may be used to specify how the field’s value should be displayed. You may choose from one of the following:
Field Value – The value of the field is displayed as plain text.
Field Value (Un-Escaped) – The value of the field is displayed as HTML.
Boolean – Yes/No – The value of the field is converted to Boolean and displayed as “Yes” or “No”.
Boolean – Enabled/Disabled – The value of the field is converted to Boolean and displayed as “Enabled” or “Disabled”.
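The four column formats, as an added Python example (not the product's own code) that shows why the escaped Field Value format is the safe default for values collected from visitors and why the Un-Escaped format is only for trusted content; the PHP-style loose Boolean conversion is an assumption about how the Boolean formats behave.

```python
import html
from typing import Any, Dict, List, Tuple

def php_truthy(value: Any) -> bool:
    """Assumed loose Boolean conversion (PHP-style, as the product is PHP-based):
    None, "", "0", 0 and empty collections are false; everything else is true."""
    if value is None:
        return False
    if isinstance(value, str):
        return value not in ("", "0")
    if isinstance(value, (int, float, bool)):
        return value != 0
    return len(value) > 0

# Column formats keyed by short names; the page's labels are in the comments.
FORMATS = {
    "value":     lambda v: html.escape("" if v is None else str(v), quote=True),  # Field Value
    "unescaped": lambda v: "" if v is None else str(v),        # Field Value (Un-Escaped)
    "yes_no":    lambda v: "Yes" if php_truthy(v) else "No",   # Boolean – Yes/No
    "enabled":   lambda v: "Enabled" if php_truthy(v) else "Disabled",  # Boolean – Enabled/Disabled
}

def format_column(value: Any, column_format: str) -> str:
    try:
        return FORMATS[column_format](value)
    except KeyError:
        raise ValueError(f"unknown column format {column_format!r}") from None

def render_row(record: Dict[str, Any], columns: List[Tuple[str, str]]) -> str:
    """Render one list-view row as an HTML table row; columns holds
    (field name, column format) pairs as a view definition would."""
    cells = "".join(f"<td>{format_column(record.get(name), fmt)}</td>" for name, fmt in columns)
    return f"<tr>{cells}</tr>"

if __name__ == "__main__":
    # Constructed visitor-supplied value that happens to contain markup
    guest = {"visitor_name": "Alice <b>Guest</b> & Co", "enabled": "1", "do_expire": "0"}
    view = [("visitor_name", "value"), ("enabled", "enabled"), ("do_expire", "yes_no")]
    print(render_row(guest, view))                              # markup is neutralised
    print(render_row(guest, [("visitor_name", "unescaped")]))   # markup reaches the browser
```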
This process is shown in Figure 30.

Figure 30 Sequence diagram for guest self-registration

The captive portal redirects unauthorized users [1] to the register page [2]. After submitting the registration form [3], the guest account is created and the receipt page is displayed [4] with the details of the guest account. If NAS login is enabled, submitting the form on this page will display a login message [5] and automatically redirect the guest to the NAS login [6].
The Register Page is the name of a page that does not already exist. There are no spaces in this name. This page name will become part of the URL used to access the self provisioning page. For example, the default “guest_register” page is accessed using the URL guest_register.php. Click the Save Changes button to save the self registration page. A diagram of the self registration process is displayed. Click the Save and Continue button to proceed to the next step of the setup.
Figure 31 Guest self-registration process

A guest self-registration page consists of many different settings, which are divided into groups across several pages. Click an icon or label in the diagram to jump directly to the editor for that item.

Configuring Basic Properties for Self-Registration

Click the Master Enable, User Database, Choose Skin, or Rename Page links to edit the basic settings for guest self-registration.
Using a Parent Page

To use the settings from a previously configured self-registration page, select an existing page name from the Parent drop-down menu. This is useful if you need to configure multiple registrations. You can always override parent page values by editing field values yourself. To create a self-registration page with new values, select the Guest Self-Registration (guest_register) option from the Parent field drop-down menu.
The Allowed Access and Denied Access fields are access control lists that determine if a client is permitted to access this guest self-registration page. You can specify multiple IP addresses and networks, one per line, using the following syntax:
1.2.3.4 – IP address
1.2.3.4/24 – IP address with network prefix length
1.2.3.4/255.255.255.0 – IP address with explicit network mask
Use the Deny Behavior drop-down list to specify the action to take when access is denied.
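A parser and matcher for the three address syntaxes above, as an added Python example that is not part of the product. The evaluation order (a Denied Access match wins, then the client must match Allowed Access, and an empty Allowed list permits everyone) is an assumption, since the page does not state how the two lists are combined.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

def parse_access_list(text: str) -> List[Network]:
    """Parse an Allowed Access / Denied Access box: one entry per line in any of
    the three syntaxes the page lists (1.2.3.4, 1.2.3.4/24, 1.2.3.4/255.255.255.0).
    Blank lines are ignored; a malformed entry raises ValueError with its line number,
    so a typo cannot silently widen or narrow the list."""
    networks: List[Network] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry:
            continue
        try:
            # strict=False accepts host bits in the entry (1.2.3.4/24 -> 1.2.3.0/24);
            # ip_network also understands the dotted-netmask form for IPv4.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not an address or network") from exc
    return networks

def is_permitted(client: str, allowed: List[Network], denied: List[Network]) -> bool:
    """Decide whether a client may reach the self-registration page.
    Assumed rule: Denied Access is checked first; otherwise the client must match
    Allowed Access, unless that list is empty, in which case everyone is permitted."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False                      # unparsable client address: deny
    if any(addr in net for net in denied):
        return False
    if not allowed:
        return True
    return any(addr in net for net in allowed)

# Constructed lists as they might be typed into the two fields
ALLOWED = parse_access_list("10.0.0.0/8\n192.168.1.0/255.255.255.0\n")
DENIED = parse_access_list("10.0.5.7\n")

if __name__ == "__main__":
    for ip in ("10.0.1.1", "10.0.5.7", "192.168.1.20", "172.16.0.1"):
        print(ip, "permitted" if is_permitted(ip, ALLOWED, DENIED) else "denied")
```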
Template code for the title, header, and footer may be specified. See “Smarty Template Syntax” in the Reference chapter for details on the template code that may be inserted. Select the Do not include guest registration form contents check box to override the normal behavior of the registration page, which is to display the registration form between the header and footer templates.
Editing Guest Receipt Page Properties

Click the Receipt Page link or one of the Title, Header or Footer fields for the Receipt Page to edit the properties of the receipt page. This page is shown to guests after their visitor account has been created. Click the Save Changes button to return to the process diagram for self-registration.
Editing Receipt Actions

Click the Actions link to edit the actions that are available once a visitor account has been created.

Enabling Sponsor Confirmation for Role Selection

You can allow the sponsor to choose the role for the user account at the time the sponsor approves the self-registered account. To enable role selection by the sponsor:
1. Go to Customization > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens.
The Receipt Actions form opens.
3. In the Sponsorship Confirmation area at the bottom of the form, mark the Enabled check box for Require sponsor confirmation prior to enabling the account. The form expands to let you configure this option.
4. In the Authentication row, mark the check box for Require sponsors to provide credentials prior to sponsoring the guest.
5. In the Role Override row, choose (Prompt) from the drop-down list.
6.
The Guest Registration login page is displayed as the guest would see it. When a guest completes the form and clicks the Register button, the sponsor receives an email notification.
8. To confirm the guest’s access, the sponsor clicks the click here link in the email, and is redirected to the Guest Registration Confirmation form.
9. In the Account Role drop-down list, the sponsor chooses the role for the guest, then clicks the Confirm button.
When email delivery is enabled, the following options are available to control email delivery:
Disable sending guest receipts by email – Email receipts are never sent for a guest registration.
Always auto-send guest receipts by email – An email receipt is always generated using the selected options, and will be sent to the visitor’s email address.
These options under Enabled are available to control delivery of SMS receipts:
Disable sending guest receipts by SMS – SMS receipts are never sent for a guest registration.
Always auto-send guest receipts by SMS – An SMS receipt is always generated using the selected options, and will be sent to the visitor’s phone number.
If automatic guest login is not enabled, the submit button on the receipt page will not be displayed, and automatic NAS login will not be performed. Many of the properties on this page are the same as for a RADIUS Web Login page. For details about specifying NAS login settings, extra fields, or URL redirection parameters, see “Creating a Web Login Page” in the RADIUS Services chapter.
The login page consists of two separate parts: the login form page, and a login message page. The login form page contains a form prompting for the guest’s username and password. The title, header and footer of this page can be customized. If the Provide a custom login form option is selected, then the form must also be provided in either the Header HTML or Footer HTML sections.
The self-service portal is accessed through a separate link that must be published to guests. The page name for the portal is derived from the registration page name by appending “_portal”. When the self-service portal is enabled, a Go To Portal link is displayed on the list of guest self-registration pages, and may be used to determine the URL that guests should use to access the portal.
session (that is, the guest’s HTTP client address is the same as the RADIUS Framed-IP-Address attribute for an active session). The Password Generation drop-down list controls what kind of password reset method is used in the portal. The default option is “Passwords will be randomly generated”, but the alternative option “Manually enter passwords” may be selected to enable guests to select their own password through the portal.
Next, enable the “Required Field” option in the Self-Service Portal properties. Setting this to (Secret Question) will ask the guest the secret_question and will only permit the password to be reset if the guest supplies the correct secret_answer value.
Plain text print templates may be used with SMS services to send guest account receipts; see “About SMS Guest Account Receipts” in this chapter for details. Because SMS has a 160 character limit, the number of characters used in the plain text template will be displayed below the preview. If you are including a guest account’s email address in the SMS, remember to allow for lengthy email addresses (up to 50 characters is a useful rule of thumb).
Your guest account has been updated.
{elseif $action == "delete"} {/if} {if $u.guest_name} guest name | {$u.guest_name} |
{/if}
If this code is placed in the User Account HTML section, it will cater for the create, edit and delete options. Use the Remove, Move Up, Move Down, Insert Before, and Insert After links to adjust the fields that are to be included on the print template. Click the Create Template button to save your newly created print template and return to the list.

Modifying Wizard-Generated Templates

Once you have created a print template using the print template wizard, you can return to the wizard to modify it. Click the Edit print template code (Advanced) link to use the standard print template editor.
Select one of the following entities in the Entity drop-down list: Operator Profiles – a specific operator profile may be selected. The corresponding permissions will apply to all operators with that operator profile. Other Entities Authenticated operators – the permissions for all operators (other than the owner profile) may be set using this item. Permissions for an individual operator profile will take precedence over this item.
Customize Random Username and Passwords

In this example we will set the random usernames and passwords to be a mix of letters and digits.
1. Navigate to Customization > Guest Manager. The Customize Guest Manager form appears.
2. In the Username Type field, select Random Letters and digits. Note that the generator matching the complexity will also include a mix of upper and lower case letters.
3. In the Username Length field, select 8 characters.
4. Configure other settings.
Error | {$u.create_result.message} | {/if}
6. Click Save Changes to save your settings.
7. To preview the new template, select the template in the Guest Manager Print Templates list, then click Preview. The template created in this example appears as shown below.

Customize the Guest Accounts Form

Next, modify the Guest Accounts form to add a flag that allows access-code based authentication.
1.4. Click Save Changes to save your settings. Once the field is enabled or inserted, you should see it bolded in the list of fields.

Create Access Code Guest Accounts

Once the account fields have been customized, you can create new accounts.
1. Navigate to Guests > Create Multiple.
2. Select the Username Authentication field added in the procedure above. (If you do not select this check box and the username is entered on the login screen, authentication will be denied.)
4. Confirm that the accounts settings are as you expected with respect to letters and digits in the username and password, expiration, and role. 5. Click the Open print window using template drop-down list and select the new print template you created using this procedure. See “Create the Print Template” for a description of this procedure. A new window or tab will open with the cards.
Administrator > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication Plugin. The MAC Authentication Plugin page opens.

Figure 32 MAC Authentication Plugin—Configuration

On the controller, the fields look as follows:

Figure 33 MAC Authentication Profile

Managing Devices

To view the list of current MAC devices, go to Guests > List Devices. The Guest Manager Devices page opens.
All devices created by one of the methods described in the following section are listed. Options on the form let you change a device’s account expiration date; remove, activate, or edit the device; view active sessions or details for the device; or print details, receipts, confirmations, or other information. You can use the Filter field to narrow the search parameters.
1. In the Account Expiration row, choose one of the options in the drop-down list to set an expiration date: If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list. If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker.
Activating a Device To activate a disabled device’s account, click the device’s row in the Guest Manager Devices list, then click its Activate link. The row expands to include the Enable Guest Account form. 1. In the Activate Account row, choose one of the options in the drop-down list to specify when to activate the account. You may choose an interval, or you may choose to specify a time. 2. If you choose Activate at specified time, the Activation Time row is added to the form.
2. If you need to change the activation time, choose one of the options in the Account Activation drop-down list. You may choose to activate the account immediately, at a preset interval of hours or days, or at a specified time. If you choose Activate at a specified time, the Activation Time row is added to the form. Click the button to open the calendar picker.
Viewing Current Sessions for a Device To view any sessions that are currently active for a device, click the Sessions link in the device’s row on the Guest Manager Devices form. The Active Sessions list opens. For more information, see “Active Sessions Management”. Viewing and Printing Device Details To print details, receipts, confirmations, or other information for a device, click the device’s row in the Guest Manager Devices list, then click its Print link.
1. In the Sponsor’s Name row, enter the name of the person sponsoring the visitor account. 2. Enter the name for the device in the Device Name row. 3. Enter the address in the MAC Address row. If you need to modify the configuration for expected separator format or case, go to Administrator > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication Plugin. 4. Choose one of the options in the Account Activation drop-down list.
5. To set the account’s expiration time, choose one of the options in the Account Expiration drop-down list. You may set the account to never expire, or to expire at a preset interval of hours or days, or at a specified time. If you choose any time in the future, the Expire Action row is added to the form. Use this drop-down list to indicate the expiration action for the account—either delete, delete and log out, disable, or disable and log out.
Figure 34 Modify fields

Edit the receipt form fields:
Edit username to be a Hidden field
Edit password to be a Hidden field
Adjust any headers or footers as needed.
When the visitor registers, they should still be able to log in via the Log In button. The MAC will be passed as their username and password via standard captive portal means. The account will only be visible on the List Devices page.
UI: Hidden field
Field Required: optional
Validator: IsValidMacAddress
Add or enable mac_auth_pair
UI: Hidden field
Initial Value: -1
Any other expiration options, role choice, surveys and so on can be entered as usual. You will see an entry under both List Accounts and List Devices. Each should have a View Pair action that cross-links the two. Note that if you delete the base account, all of its pairings will also be deleted.
&& NwaDynamicLoad('NwaNormalizeMacAddress')   // Required call
&& ($mac = NwaNormalizeMacAddress(GetAttr('Calling-Station-Id')))   // All MACs need to be normalized
&& ((!empty($user['id']) && NwaCreateUser(array(   // We are caching the MAC for a local user account
    'creator_accept_terms' => 1,
    'mac_auth' => 1,                  // Flag as a MAC so it shows in List Devices
    'mac' => $mac,                    // The normalized MAC
    'mac_auth_pair' => $user['id'],   // Formally pair the two accounts. Cross links and whatnot in the GUI.
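The normalization and pairing logic of the role snippet above, as an added Python example (not the product's PHP code): `normalize_mac` stands in for NwaNormalizeMacAddress and the accepted input shapes, separator and case options are assumptions; `cache_mac_for_user` mirrors the NwaCreateUser call, with two added checks of my own (reuse an existing pairing, and do not re-pair a MAC already paired to a different account) that the snippet on the page does not show.

```python
import re
from typing import Dict, List, Optional

# Accepted input shapes (assumption): pairs separated by ':' or '-', Cisco-style
# dotted quads, or 12 bare hex digits. Anything else is rejected rather than guessed.
_MAC_SHAPES = (
    re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$"),
    re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$"),
    re.compile(r"^[0-9a-f]{12}$"),
)

def normalize_mac(raw: Optional[str], separator: str = ":", upper: bool = False) -> Optional[str]:
    """Return the MAC in one canonical form, or None if the input is not a MAC.
    separator and upper mirror the MAC Authentication Plugin's separator format
    and case settings mentioned on the page."""
    if not raw:
        return None
    text = raw.strip().lower()
    if not any(shape.match(text) for shape in _MAC_SHAPES):
        return None
    digits = re.sub(r"[^0-9a-f]", "", text)
    mac = separator.join(digits[i:i + 2] for i in range(0, 12, 2))
    return mac.upper() if upper else mac

def cache_mac_for_user(user: Dict, calling_station_id: Optional[str],
                       devices: List[Dict]) -> Optional[Dict]:
    """Mirror the role snippet: when the login is a local account and the
    Calling-Station-Id normalizes, record the MAC as a device paired to it.
    Returns the device record, or None when nothing is (or may be) paired."""
    mac = normalize_mac(calling_station_id)
    if not user.get("id") or mac is None:
        return None
    for device in devices:
        if device["mac"] == mac:
            # Added check: reuse an existing pairing, never silently re-pair a MAC
            # that already belongs to a different base account.
            return device if device["mac_auth_pair"] == user["id"] else None
    record = {
        "creator_accept_terms": 1,
        "mac_auth": 1,                   # flag as a MAC so it shows in List Devices
        "mac": mac,                      # the normalized MAC
        "mac_auth_pair": user["id"],     # formal pairing with the base account
    }
    devices.append(record)
    return record

if __name__ == "__main__":
    store: List[Dict] = []                                   # constructed device list
    alice = {"id": 42, "username": "alice"}
    print(cache_mac_for_user(alice, "00-1A-2B-3C-4D-5E", store))
    print(cache_mac_for_user(alice, "001a.2b3c.4d5e", store), len(store))
    print(cache_mac_for_user({"id": 7}, "00:1a:2b:3c:4d:5e", store))   # None: paired elsewhere
    print(normalize_mac("not a mac"))
```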
Figure 35 RADIUS Role Editor

Note that modify_expire_time supports any valid syntax of strtotime.
Automatically Registering MAC Devices in ClearPass Policy Manager If ClearPass Policy Manager is enabled, you can configure a guest MAC address to be automatically registered as an endpoint record in ClearPass Policy Manager when the guest uses a Web login page or a guest self-registration workflow. This customization option is available if a valid Local or RADIUS preauthentication check was performed. To configure auto-registration for an address through a Web login page: 1.
Any of the other standard fields can be added, similar to importing regular guests.

Advanced MAC Features

2-Factor Authentication

2-factor authentication checks against both credentials and the MAC address on record. Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice you would probably add mac as a text field to the create_user form. When mac is enabled in a self-registration it will be included in the account as long as mac is passed in the URL.
For debugging purposes, include the following to see all the fields available: {dump var=$guest_receipt export=html}

Click-Through Login Pages

A click-through login page will present a splash or terms screen to the guest, yet still provide MAC-auth style seamless authentication. Under this scenario, you could have people create an account, with a paired MAC, yet still have them click the terms and conditions on every new connection. Disable MAC authentication on the controller.
On the Manage Multiple Sessions form, the start time of each session is used to select the sessions to work with. To find relevant sessions easily, sort the list view by the Session Start column before you begin session management tasks. You can use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.
traffic, the session is considered ‘stale’ and is not counted towards the active sessions limit for a visitor account. To ensure that accounting statistics are correct, you should check the list for stale sessions and close them. For information on configuring RADIUS server options, see “Server Configuration” in the RADIUS Services chapter.
You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:

Table 29 Operators supported in filters

Operator   Meaning
=          is equal to
!=         is not equal to

Additional information: You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ).
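A small evaluator for these filter expressions over constructed session rows, as an added Python example that is not part of the product. The set of search fields, case-insensitive substring matching, and the meaning of `!=` with several values (no search field may equal any of them) are assumptions about details the page leaves unstated.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample rows as the Active Sessions list might hold them
SESSIONS = [
    {"username": "alice",       "mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.1.10"},
    {"username": "bob",         "mac": "00:1a:2b:3c:4d:5f", "ip": "10.0.1.11"},
    {"username": "carol",       "mac": "00:1a:2b:3c:4d:60", "ip": "10.0.1.12"},
    {"username": "alice-guest", "mac": "00:1a:2b:3c:4d:61", "ip": "10.0.2.5"},
]
SEARCH_FIELDS = ("username", "mac")   # assumption: the fields "configured for search"

# A filter that starts with an operator; everything after it is the value list.
_OPERATOR = re.compile(r"^\s*(!=|=)\s*(.*)$")

def row_matches(row: Dict[str, str], expr: str, fields: Sequence[str] = SEARCH_FIELDS) -> bool:
    """Evaluate one filter expression against one row.
    Plain text is a case-insensitive substring match on any search field;
    '=a|b' requires some search field to equal one of the values exactly,
    and '!=a|b' requires that none of them do."""
    m = _OPERATOR.match(expr)
    if m is None:
        needle = expr.strip().lower()
        return any(needle in str(row.get(f, "")).lower() for f in fields)
    op = m.group(1)
    values = [v.strip() for v in m.group(2).split("|") if v.strip()]
    hit = any(str(row.get(f, "")) in values for f in fields)
    return hit if op == "=" else not hit

def filter_rows(rows: List[Dict[str, str]], expr: str) -> List[str]:
    """Return the usernames of the rows selected by the filter, in list order."""
    return [r["username"] for r in rows if row_matches(r, expr)]

if __name__ == "__main__":
    for expr in ("alic", "=alice|bob", "!=alice|bob", "= 00:1a:2b:3c:4d:60"):
        print(f"{expr!r:>22} -> {filter_rows(SESSIONS, expr)}")
```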
1. To close all stale sessions at a certain time, mark the Close Open Sessions radio button on the Manage Multiple Sessions form. The form expands to include rows for calculating the stop time. 2. In the Close Sessions drop-down list, leave the All stale sessions option selected. 3. In the Terminate Cause drop-down list, select the reason for closing the sessions. 4.
To set a specific date and time, choose Specify a fixed end time from the drop-down list. This adds the Session End row to the form, with a calendar option. In the Session End row, click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
6. When your entries on the form are complete, click Make Changes.
calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date. If this End Time field is specified and the Start Time field is left empty, all sessions that started before the specified end time are selected. If this End Time field and the Start Time field are both specified, all sessions that started between the start time and end time are selected. 5.
2. Use the Start Time row to indicate the beginning of the time range for selecting sessions. To specify a time for the beginning of the range, click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date. If this field is left empty, the earliest available session start time is used.
2. Use the filter to specify the group of addresses that should receive the message. See Filtering the List of Active Sessions. Only accounts with valid phone numbers can be sent SMS alerts.
3. Enter the message in the Message text box. Messages may contain up to 160 characters.
4. Click Send.

SMS Services

With SMS Services, you can configure ClearPass Guest to send SMS messages to guests. You can use SMS to send a customized guest account receipt to your guest’s mobile phone.
In the SMS Gateway field, if you choose Custom HTTP Handler from the drop-down list, you may specify the HTTP method to use. The form displays the configuration options for that gateway type, and the Service Method row includes the GET and POST options. When you select the POST option, the HTTP Headers and HTTP Post rows are added. You can use the text fields in these rows to override HTTP headers and enter the text to post.
If your country uses a national dialing prefix such as “0”, you may enter this on the form. When sending an SMS to a number that starts with the national dialing prefix, the prefix is removed and replaced with the country code instead. The second part of the form includes the Connection Settings, Debug, Credits, and Test SMS Settings areas. Complete the fields with the appropriate information, then click either Send Test Message or Save and Close. The new configuration settings will take effect immediately.
Complete the form by typing in the SMS message and entering the mobile phone number that you are sending the SMS to. If multiple services are available, you may also choose the service to use when sending the message. The SMS is limited to a maximum length of 160 characters. The number of remaining characters is displayed on this form. Click the Send Message button to send the SMS.
About SMS Credits
Each SMS message sent consumes one credit.
ClearPass Guest may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand. To manually send an SMS receipt, navigate to the Guests > List Accounts window, select the guest to which you want to send a receipt, then click the Send SMS receipt link displayed on the guest account receipt page.
Figure 36 Configure SMS Services Plugin
SMS Receipt – Select the print template to be used when an SMS receipt is created. The print template used for the receipt must be in plain text format. Phone Number Field – Select which guest account field contains the guest’s mobile telephone number. This field is used to determine the SMS recipient address.
Auto-Send Field – Select a guest account field which, if set to a non-empty string or non-zero value, will trigger an automatic SMS when the guest account is created or updated. The auto-send field can be used to create an “opt-in” facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.
Figure 37 Customize SMS Receipt page
SMS Receipt Fields
The behavior of SMS receipt operations can be customized with certain guest account fields. You can override global settings by setting these fields. sms_enabled – This field may be set to a non-zero value to enable sending an SMS receipt. If unset, the default value is true. sms_handler_id – This field specifies the handler ID for the SMS service provider. If blank or unset, the default value from the SMS plugin configuration is used.
values “_Disabled” and “_Enabled” may be used to never send an SMS or always send an SMS, respectively. sms_warn_before_message – This field overrides the logout warning message. If blank or unset, the default value from the Customize SMS Receipt page is used. The logic used to send an SMS receipt is: If SMS receipts are disabled, take no action. Otherwise, check the auto-send field. If it is “_Disabled” then no receipt is sent. If it is “_Enabled” then continue processing.
Email receipts may be sent manually by clicking the Send email receipt link displayed on the guest account receipt page. When using guest self-registration, the Email Delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery.
Email Receipt Options
The Customize Email Receipt form may be used to set default options for visitor account email receipts.
Figure 38 Customize Email Receipt page
The Subject line may contain template code, including references to guest account fields. The default value, Visitor account receipt for {$email}, uses the value of the email field. See “Smarty Template Syntax” in the Reference chapter for more information on template syntax.
Always send using ‘cc:’ – The Copies To list is always sent a copy of any guest account receipt (even if no guest account email address is available). Always send using ‘bcc:’ – The Copies To list is always sent a blind copy of any guest account receipt (even if no guest account email address is available). Use ‘cc:’ if sending to a visitor – If a guest account email address is available, the email addresses in the Copies To list will be copied.
SMTP Receipt Fields
The behavior of email receipt operations can be customized with certain guest account fields. You do this on a per-user basis. smtp_enabled – This field may be set to a non-zero value to enable sending an email receipt. If unset, the default value from the email receipt configuration is used.
smtp_warn_before_template_id – This field overrides the print template ID specified under Logout Warnings on the email receipt. If the value is “default”, the default template ID under the Logout Warnings section on the email receipt configuration is used. smtp_warn_before_receipt_format – This field overrides the email format under Logout Warnings to use for the receipt.
Chapter 8 Report Management
The Reporting Manager provides you with a set of tools to summarize the visitor accounts that have been created and analyze the accounting data collected by the RADIUS server. Through the predefined reports and the custom reports you can create using the report editor, you can get a complete picture of the network usage of your guests.
Accessing Reporting Manager
Use the Reporting command link on the home page to access the reporting features.
Number of sessions per NAS – This report shows the total number of sessions per NAS in the selected period. Number of sessions per day – This report shows the total number of sessions per day. Number of users per day – This report shows the number of distinct users per day. Top 10 users by total traffic – This report summarizes the total data volume of all users, and displays the top 10 users by total data sent and received.
Run The Run option allows you to change the date range of the report before it is run. Choose a time period for the report from the Date Range drop-down list. If the report definition includes any additional parameters that have a user interface, these will also be displayed as part of the Report Options form. Click the Run Report button to generate the report using the selected parameters. A progress window will appear as the report is generated, and then the report will be displayed automatically.
The Report Type editor allows you to change the defaults for the Date Range and the Formats for the report you have selected. If you want to change the default for another report you must also edit that report. Click the Save Changes button to have these changes become the new default.
Delete a Report
You can delete any predefined reports by selecting the report and clicking the Delete link. You are asked to confirm the deletion. Once you delete a report, it is permanently deleted.
Visible-only access – the report is visible in the list. It can be viewed in HTML but cannot be edited.
Read-only access – the report is visible in the list and it may be viewed and duplicated. The report cannot be edited or deleted.
Update access – the report is visible in the list and may be duplicated and edited. The report cannot be deleted and the permissions for the report cannot be modified.
Update and delete access – the report is visible in the list, and may be edited or deleted.
Exporting Report Definitions
Report definitions may be exported to a file and later imported. This provides an easy way to move reports from one appliance to another. Click the More Options tab at the top of the report list to access the Export Reports command link. (This link also appears on the Reporting start page.) Use the check boxes to select the reports to export.
Importing Report Definitions
Report definitions may be imported from a file that has been generated with the Export Reports command. Click the More Options tab at the top of the report list to access the Import Reports command link. (This link also appears on the Reporting start page.) You may select a file to upload using your Web browser, or alternatively the report definition may be pasted into the text area provided.
About Custom Reports
The Report Editor is used to build a custom report. The process used to generate a report is shown in the figure below. In this diagram, the arrows represent the flow of data, while the icons represent the processing stages that the data goes through.
Figure 40 Report generation process
Starting from the top left, and working clockwise: The Report Type (see “Report Type”) specifies the basic properties for the report.
Data Sources
The available data sources are: Local RADIUS Accounting – Accounting traffic consists of summary information about visitor sessions, reported by NAS devices to the application. In the RADIUS Accounting data source, each data record corresponds to a single visitor session.
Figure 42 Reporting – Bin west of GMT
The next diagram is similar but for time zones that are east of GMT.
Figure 43 Reporting – Bin east of GMT
This process may be automated by entering an expression as the value for the time zone offset. The correct expression to use for the Bin Offset is: = -date("Z") Explanation: The PHP date() function returns the time zone offset in seconds when passed the “Z” format string.
Group classifications may be created using the report editor. See “Groups” in this chapter for a list of the available group classification methods. Statistics from Classification Groups The classification groups that you define in a report will determine what type of statistics that can be derived for that report. This is shown in the following diagrams. The following figure shows how statistics are calculated per bin when bins are present but groups are not present.
Figure 46 Components of the Report Editor
Report Type
The Report Type link opens a window where you type a distinct name or Title for the report. You can add additional information in the Description field. This could be used to explain the purpose of the report. While you are working on creating the report you could leave the Enabled field unchecked. When you want the report to be available for use, mark the Enabled check box. You should set a default Date Range for the report. The available options are listed under the drop down menu.
Properties for classification methods (bin size and offset)
Properties for output series (limit and remainder category)
Properties for individual fields within an output series (header)
Properties for presentation blocks (container CSS style)
Properties for table cells within a presentation block (CSS style)
Within text presentation blocks
In these cases the report editor may simply indicate that a value is required.
Parameter User Interface Editing
The Edit Parameter form is used to specify the default value for a parameter as well as the type of user interface to use for this parameter. If No user interface is selected, then the parameter will have a fixed value and cannot be edited before the report is run.
The initial value displayed on this form for a report parameter may be specified as the Value for the parameter. The Run Preview and Run Default icon links will be available for a report if all parameters have an acceptable default value. This is determined by the validation properties for each parameter. If no validation properties are specified, all parameter values are considered to be valid.
Click the Save Changes button to return to the Report Editor.
Select Fields
If you have not selected fields in the Data Source form, you must select the required source fields here. Fields can be defined one at a time by clicking the Create Source Field tab. Source fields are the basic building blocks from which the rest of the report is constructed.
Each source field has a name that is unique within the report. You can also attach a description to the field for use by the report designer. If you select a field from the Data Source Field drop down list, that field name is automatically placed in the Field Name area. It can be changed if you want. As derived fields do not exist in the Data Source, you will need to give each field a unique name. You are also required to give the field a value.
If you select to calculate a value by summing over source fields, you are required to nominate the fields to be summed. Click the Create Source Field button to create the source or derived field in the report.
Source Filters
Source filters are applied to the data source fields to determine whether a data record will be included for processing in the report. The statistics, metrics and output data of the report can only be generated from source data that has passed through the source filters.
To add additional filters, click the first source filter. An action row is displayed with Edit and Insert After links. There is also a Set Default Report Range option for the first date/time filter. The Edit link allows you to alter the options for the source filter as well as being able to disable the filter. Click the Save Changes button to keep any changes you have made. The Insert After link allows you to create additional filters.
You must then select the filter from the Filter Type drop down list.
To create a bin or a classification group, click the Create Classifier tab in the Edit Classification Groups list view. You are required to choose the classification method and the Source Field to use for the classification.
Time measurement: bin by days – See “Binning Example – Time Measurements” in this chapter for the bin classification method description. The bin classification method uses the specified date/time field to calculate a day number. Times that fall within the same day are assigned the same bin number. The bin offset is used to account for time zones, as explained in “Binning Example – Time Measurements”.
Time measurement: bin by hours – This bin classification method uses the specified date/time field to calculate an hour number.
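To make the day-binning and time zone offset concrete, here is an added Python example (not ClearPass Guest code) of the bin classification described under Figures 42 and 43 and in the bin-by-days method above. It assumes the boundary convention bin = floor((t - offset) / size), which is what makes -date("Z") the correct Bin Offset; the session records, NAS addresses and the UTC+10 zone are constructed.

```python
from datetime import datetime, timedelta, timezone

DAY = 86400      # "bin by days"
HOUR = 3600      # "bin by hours"
WEEK = 7 * DAY   # the per-week variant built in the sample report later in this chapter

# Constructed: a zone 10 hours east of GMT; PHP date("Z") would return 36000 here.
LOCAL_ZONE = timezone(timedelta(hours=10))
LOCAL_UTC_OFFSET = 36000


def bin_offset_for_zone(utc_offset_seconds):
    """Python equivalent of the documented Bin Offset expression -date("Z")."""
    return -utc_offset_seconds


def bin_number(timestamp, bin_size=DAY, bin_offset=0):
    """Assumed convention: bin boundaries lie at bin_offset + k * bin_size, so a
    negative offset (an east-of-GMT zone) moves the boundary to local midnight."""
    return (timestamp - bin_offset) // bin_size


def bin_start_utc(bin_no, bin_size=DAY, bin_offset=0):
    """UTC instant at which a given bin begins."""
    return datetime.fromtimestamp(bin_no * bin_size + bin_offset, tz=timezone.utc)


def classify(records, bin_size, bin_offset, time_field="acctstarttime",
             group_field="nas_ip_address"):
    """Bin records on a date/time field, then group each bin by a second field.
    The result has the bins -> groups -> records shape shown by Report Diagnostics."""
    bins = {}
    for rec in records:
        b = bin_number(rec[time_field], bin_size, bin_offset)
        bins.setdefault(b, {}).setdefault(rec[group_field], []).append(rec)
    return bins


def users_per_day(records, utc_offset_seconds):
    """'Number of users per day' style statistic (number of distinct values of
    username per bin), keyed by the local date on which each bin starts."""
    offset = bin_offset_for_zone(utc_offset_seconds)
    result = {}
    for b, groups in classify(records, DAY, offset).items():
        local_start = bin_start_utc(b, DAY, offset) + timedelta(seconds=utc_offset_seconds)
        users = {r["username"] for recs in groups.values() for r in recs}
        result[local_start.strftime("%Y-%m-%d")] = len(users)
    return result


def _local(y, m, d, hh, mm):
    """Unix timestamp of a constructed local wall-clock time in LOCAL_ZONE."""
    return int(datetime(y, m, d, hh, mm, tzinfo=LOCAL_ZONE).timestamp())


# Constructed RADIUS accounting records; two sessions sit close to local midnight.
RECORDS = [
    {"username": "alice", "nas_ip_address": "192.168.2.10", "acctstarttime": _local(2012, 3, 1, 23, 30)},
    {"username": "bob",   "nas_ip_address": "192.168.2.10", "acctstarttime": _local(2012, 3, 2, 0, 15)},
    {"username": "alice", "nas_ip_address": "192.168.2.11", "acctstarttime": _local(2012, 3, 2, 9, 0)},
    {"username": "carol", "nas_ip_address": "192.168.2.11", "acctstarttime": _local(2012, 3, 2, 20, 0)},
]

if __name__ == "__main__":
    # With offset 0 the bins start at GMT midnight and split the local day in the wrong place.
    print("GMT bins:  ", users_per_day(RECORDS, 0))
    # -date("Z") for this zone moves the boundary to local midnight.
    print("local bins:", users_per_day(RECORDS, LOCAL_UTC_OFFSET))
```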
Like the statistic fields, metrics share a close relationship with the report’s classification groups. When designing a report, consider the metrics that you would like to generate, and work backwards to determine the statistics you will need in order to calculate each metric and the classification groups will be needed to calculate each statistic. Each statistic and metric field has a name that is unique within the report. You can also attach a description to the field for use by the report designer.
Median value – the median (middle) value of the source field over the selected classification group is calculated
Minimum value – the minimum value of the source field over the selected classification group is calculated
Number of bins – the number of different bin classification groups is calculated
Number of distinct values – the number of distinct values that the source field takes over the selected classification group is calculated
Number of groups – the total number of classificatio
Number of distinct values – the number of distinct values that the statistic field takes over the selected report dimension is calculated
Subtract (value 1 – value 2) – the values are subtracted
Sum of values – the sum of all values of the statistic field over the selected report dimension is calculated
Use an expression to calculate value – a PHP expression is used to calculate a value for the metric over the selected report dimension from one or more statistic fields
Value 1 and Value 2 li
You are required to enter a unique name for this output series. You must also select the Dimension to be used. This could be the source data or one of the classification groups defined in the report. Click the Create Output Series button to add the output series definition to the report. The Edit Output Series form will then be displayed to allow the components of the output series to be defined.
To edit an output series field, click the Edit link for the field. The Edit Series field opens, as shown below. The Header is displayed in tables and charts that use this output series. Use a short description of the values contained in this field. The Value Format specifies how to generate the value for the output series field. You can specify an expression to calculate the value; in the expression, use the variable $_ to obtain the value of the report field for this output series.
Match filters check if a value matches a particular condition, which could be a regular expression or other match value. List filters check to see if a value is found in a list. Click the Create output filter link to create an output filter. Select the output series you want to filter in order to view the remaining filter options. You can select any of the source fields that would be available to the output series, or any of the fields in the output series.
Unconditionally exclude item if filter matches – If the filter matches the item in the output series, the item will never be included in the output. No further filters will be applied to the data once this filter has matched. Click the Create Output Filter button to add the new output filter to the report definition.
Presentation Options
The Presentation Options provide you with a number of choices regarding the final presentation of your report.
Scatter
Polar
In general, the first field in the output series is used as the category values for the chart. The second and subsequent fields are used as the values to display on the chart. The Pie and Pie 3-D charts support only a single data point for each category value. A pie chart is used to compare the relative proportions of different values in a single data series. The Floating Column and Floating Bar charts require two data points for each category value.
This standard header includes the report title, the time at which the report was run, and the date range included in the report.
Creating the Report – Step 1
The following form will be displayed when the Create New Report link is clicked. This is the same form that you would obtain if you clicked the Report Type option in the Report Editor. See “Report Type” in this chapter for more details about this form. Click the Continue button to move to Step 2.
Creating the Report – Step 2
In step 2, the Select Data Source form is displayed.
Creating Sample Reports
Report Based on Modifying an Existing Report
This sample involves modifying the predefined Number of users per day report to report on the number of users per week. 1. Select the “Number of users per day” report. 2. Click the Edit link. This opens the Report Editor. 3. Click Report Type in the Report Editor, as you need to change the title of the report to “Number of users per week”.
Report Created from Report Manager using Create New Report
To create a report that lists today’s user sessions, follow this process. 1. To create a new report without it being based on an existing report, click Create New Report. 2. You must give the report a Title. For this report, Today’s Sessions would be an appropriate name. 3. Enable the report by marking the Enabled check box. 4. Ensure that the Date Range is Today and select an Output Format. These changes are shown in the screen below.
6. Select the required fields in Step 2. For this report the fields are shown in the screen below. These are the fields of interest for the report. 7. Click the Save Changes button to have the report created. The Report Editor screen is displayed. 8. If you click the Final Report option in the Report Editor you can see the report as it is after these two steps.
9. You can continue to further enhance this report using the Report Editor. To change the formatting of the table you would use the Presentation Options; to remove a column you would use the Output Series option; to restrict the data in the table you would use a filter, for example, a source filter to limit by NAS IP address; a classification group would enable you to carry out statistical analysis, for example, grouping by NAS IP address.
11. The Source Field will be changed to nas_ip_address, as this report is to calculate the average traffic by NAS rather than the average traffic by user. The field will also be renamed to total_nas to reflect the new value it will contain. These changes are shown in the screen below. 12. Click the Save Changes button. 13. Because the total_users field is no longer available in the report, the average_bytes field must be updated to refer to the total_nas field instead.
20. Click the Back to report editor link to return to the Report Editor. 21. As there are no further changes required, click the Final Report icon to preview your new report.
Report Troubleshooting
Report Preview with Debugging
If you are experiencing problems with your report, you can receive help with the Report Diagnostics. The diagnostics run the report and show you the internal data that is being used to generate the contents of the final report.
    0 => /* group 0 */ array (
        'a' => /* group value: 'a' */ array (
            0 => first data record
            1 => second data record
            ...
        ),
    ),
),
234 => /* bin value: 234 */ array (
    /* bin items organized by group */
),
1 => /* bin 1 */ ...
)
Troubleshooting Tips
The following tips may be useful to you when developing new reports. Draw a diagram – Make a sketch of any charts or tables you want to include in the report.
Chapter 9 Administrator Tasks
The Administrator module provides tools used by a network administrator to perform both the initial configuration and ongoing maintenance of ClearPass Guest.
Accessing Administrator
Use the Administrator command link on the home page to access the system administration features. Alternatively, use the Administrator navigation menu to jump directly to any of the system administration features.
Configuring Integration with Other ClearPass Servers The Administrator module lets you configure integration with ClearPass Profiler and Policy Manager servers. To configure integration with ClearPass servers: 1. Go to Administrator > Network Setup > ClearPass. The Manage ClearPass Servers form opens. 2. To configure integration with ClearPass Policy Manager, mark the Enable Policy Manager check box. The form expands to include options for specifying the Policy Manager hostname, username, and password.
3. To configure integration with ClearPass Profiler, mark the Enable Profiling check box. The form expands to include options for sending device error, event, and profile interval information, as well as the hostname, username, and password for the primary and secondary Profiler servers.
Automatic Network Diagnostics
When you view or edit the appliance’s network configuration on the Network Setup, HTTP Proxy, Network Diagnostics, or Network Interfaces page, an automatic network connectivity test determines the current status of the network, and the results of the diagnostic are displayed.
Viewing or Setting System Hostname
The system hostname is a fully-qualified domain name. By default, this is set to clearpass-guest.localdomain, but you may specify another valid domain name. The system hostname should match the common name of the installed SSL certificate. If these names do not match, then HTTPS access to the appliance may result in security warnings from your Web browser. A valid hostname is a domain name that contains two or more components separated by a period (.).
Edit – Change the configuration of a network interface, including IP address, DNS settings, or Ethernet settings. See “Changing Network Interface Settings” in the Administrator Tasks chapter for details. Delete – Remove a network interface. Manually created network interfaces may be deleted, for example, tunnel, VLAN, or secondary interfaces. The standard system network interfaces cannot be deleted. Routes – Define static routes that specify the gateway IP addresses for other networks.
To specify an IP address for the network interface, select Manually configure IP address. The following form is displayed for IP address details. The MTU field allows you to specify the Maximum Transfer Unit size in bytes for the network interface. While standard Ethernet uses a MTU of 1500 bytes, you may find it necessary to reduce the MTU slightly in some network topologies. ClearPass Guest uses a default MTU of 1476 bytes unless otherwise specified in this form.
Click the Save Changes button to update the network interface with the specified settings. The new settings will be tested and the results of the test displayed. If DNS name resolution is not working, the system will be unable to perform many common tasks. To resolve this issue, check the DNS server settings for the network interface. If you are using DHCP, check that your DHCP server provides DNS server information, and enable this option for the network interface.
Managing Static Routes
In the Network Interfaces list view, click the network interface to edit, and then click Routes. The Network Interface Routes list view will be displayed. Click the Create tab to add a new static route. You must specify the network address of the destination network as an IP address and netmask, and the gateway for the destination network. The gateway IP address must be reachable directly from the network interface. Click the Create Route button to add the route.
Figure 47 Network diagram showing IP addressing for a GRE tunnel
To create a GRE tunnel, navigate to the Network Interfaces page and click the Create a tunnel network interface link. The Network Interface Settings form is displayed. The Interface Name is the system’s internal name for this tunnel interface. A default value is supplied, which may be used without modification. A Display Name may be specified to identify the connection in the list of network interfaces.
Use the Create a VLAN interface link to create a new network interface with a specific VLAN tag. The Create a New VLAN form is displayed. In this form, select the physical interface through which the VLAN traffic will be routed, and enter a name for the VLAN and the corresponding VLAN ID. Use a descriptive name for the VLAN Name field, as this is only used by administrators to identify the network interface.
VLAN interfaces are distinguished from other network interfaces with blue icons. The possible states for the system’s network interfaces are summarized in the table below.
Table 34 Network Interface States (one icon column each for Physical and VLAN interfaces, for the states Active (up), Active with default gateway, and Inactive (down))
The actions available when selecting a VLAN interface are: Show Details – Displays detailed information and statistics about the network interface.
Secondary network interfaces have the same name as the underlying physical interface, with a suffix such as “:1”, “:2” and so on for each subsequent IP address created. All secondary interfaces will be brought down if the corresponding physical interface is brought down.
Login Access Control
Authentication and role-based access control is used to identify operators and their level of access to the system. The default login access settings require HTTPS for both operators and guests.
The ‘Deny Behavior’ drop-down list may be used to specify the action to take when access is denied. The access control rules will be applied in order, from the most specific match to the least specific match. Access control entries are more specific when they match fewer IP addresses. The most specific entry is a single IP address (for example, 1.2.3.4), while the least specific entry is the match-all address of 0.0.0.0/0. As another example, the network address 192.168.2.
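The most-specific-first evaluation described above, as an added Python example (not ClearPass Guest code): entries are ordered by how many addresses they match, so a single-host deny inside an allowed /24 still wins. The rule table, client addresses and the deny-behaviour strings are constructed placeholders.

```python
import ipaddress

# Constructed access control table: (network, action).  The order written here does
# not matter; evaluation orders entries by the number of addresses each one matches.
RULES = [
    ("0.0.0.0/0", "deny"),          # least specific: the match-all entry
    ("192.168.2.0/24", "allow"),    # operator LAN
    ("192.168.2.77", "deny"),       # one host on that LAN explicitly blocked
    ("10.0.0.5", "allow"),          # a single address is as specific as an entry gets
]


def ordered_rules(rules):
    """Sort entries so the one matching the fewest addresses is tried first."""
    parsed = [(ipaddress.ip_network(net, strict=False), action) for net, action in rules]
    return sorted(parsed, key=lambda entry: entry[0].num_addresses)


def decide(client_ip, rules=RULES):
    """Return the action of the most specific matching entry, or None if none matches."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in ordered_rules(rules):
        if ip.version == net.version and ip in net:
            return action
    return None


def enforce(client_ip, rules=RULES, deny_behavior="show-error"):
    """Apply the table; anything not explicitly allowed receives the configured
    Deny Behavior (the string is a placeholder, not a ClearPass Guest setting value)."""
    if decide(client_ip, rules) == "allow":
        return "allowed"
    return deny_behavior


if __name__ == "__main__":
    for ip in ("192.168.2.5", "192.168.2.77", "10.0.0.5", "203.0.113.9"):
        print(f"{ip:>14} -> {enforce(ip)}")
```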
Select a diagnostic from the drop-down list. Depending on the diagnostic you have selected, additional parameters will also be available: DHCP Leases – Select a network interface to view the DHCP lease information for that interface. DNS Lookup – Enter a hostname to perform a domain name lookup and display the results. Firewall Rules – Displays the iptables firewall rules that are currently in effect. Interface Addresses – Displays all active IP addresses and interface details.
form. Additional RADIUS attributes may also be included by adding Attribute-Name = Value pairs in the Extra Arguments field; see the example below. Routing Table – Displays the current IPv4 routing table. The list shows the static, network, and default routes configured for the system. Traceroute – Enter a hostname or IP address to determine the route that packets traverse to that host. The test may take a considerable amount of time (30 seconds or more), depending on network conditions.
Select the network interface and, if required, enter filtering parameters to restrict the type and number of packets to be captured. The maximum size of a packet capture is 100,000 packets. You can enter network addresses in the Source IP and Destination IP fields by using an IP address and a network address length; for example, 192.168.2.0/24. Click the Capture button to begin the packet capture operation.
Once the packet capture has completed, the status is updated, and a link to Download packet capture file is available. Click this link to download a packet capture file, which may be analyzed using the Wireshark utility or another tool capable of reading the “pcap” file format. To delete the saved file, select the Delete current packet capture file check box and click the button. To start another packet capture, modify the filtering parameters if required and click the button.
The fields on each line are separated by any number of blanks or tab characters. Any text from a # character to the end of the line is a comment, and is ignored. Hostnames may contain only alphanumeric characters, minus signs (“-”), and periods (“.”). A hostname must begin with an alphabetic character and end with an alphanumeric character. After making changes in the Hosts field, click the file.
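A parser that applies the Hosts field rules just stated (blank or tab separated fields, # comments, and the hostname character rules), as an added Python example rather than ClearPass Guest's own code. It assumes the standard hosts layout of an address followed by its names, and the sample contents are constructed.

```python
import ipaddress
import re

# Hostname rule as stated for the Hosts field: alphanumerics, "-" and "." only,
# first character alphabetic, last character alphanumeric (a single letter also passes).
HOSTNAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def valid_hostname(name):
    return HOSTNAME_RE.match(name) is not None


def parse_hosts(text):
    """Return ([(address, [hostnames...])], [error strings]) for hosts-file text.
    Assumed layout (standard hosts format): first field is the address, the rest are
    names for it.  Lines with problems are reported with their line number and skipped."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]      # text from '#' to end of line is a comment
        fields = line.split()            # any run of blanks or tabs separates fields
        if not fields:
            continue
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            errors.append(f"line {lineno}: {address!r} is not an IP address")
            continue
        if not names:
            errors.append(f"line {lineno}: no hostname given for {address}")
            continue
        bad = [n for n in names if not valid_hostname(n)]
        if bad:
            errors.append(f"line {lineno}: invalid hostname(s) {bad}")
            continue
        entries.append((address, names))
    return entries, errors


# Constructed sample Hosts contents, including two entries that must be rejected.
SAMPLE_HOSTS = """\
# local name overrides (constructed sample)
127.0.0.1\tlocalhost
192.168.2.20   radius-primary.example.com  radius1   # blanks and tabs both work
192.168.2.21   -radius-secondary                     # begins with a minus sign
10.0.0.9       printer7.                             # ends with a period
"""

if __name__ == "__main__":
    accepted, problems = parse_hosts(SAMPLE_HOSTS)
    for address, names in accepted:
        print(f"{address:<15} {' '.join(names)}")
    for problem in problems:
        print("rejected:", problem)
```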
The SNMP Setup form is used to configure the system’s SNMP server and enable SNMP access. To enable SNMP access, one of the available modes must be selected. Version 2c, version 3, or both versions may be enabled. The System Contact and System Location parameters are basic SNMP “system” MIB parameters that are frequently used to identify network equipment. See “Supported MIBs” in this chapter for a list of supported MIBs.
SNMP version 2c has only one configuration option, which is the name of the community string. SNMP clients must provide this value in order to access the server. The default community string is public. SNMP version 3 adds authentication and encryption capabilities to the protocol. You must supply a set of credentials to be used for SNMP v3 access. You can also select whether encryption should be used. Traps are notification messages sent when certain conditions are reached.
SNMP-VIEW-BASED-ACM-MIB
TCP-MIB
UCD-DISKIO-MIB
UCD-DLMOD-MIB
UCD-SNMP-MIB
UDP-MIB
SMTP Configuration
The SMTP Configuration form is used to provide system default settings used when sending email messages. To manage and view the current SMTP configuration click the SMTP Configuration command link on the Administrator > Network Setup page. See “SMTP Services” in the Guest Management chapter for additional configuration options for SMTP services.
The From Address must be specified. This is the sender of the email and will be visible to all email recipients. It is recommended that you provide a valid email address so that guests receiving email receipts are able to contact you.
A completed sample certificate request is shown below. Click the Create Certificate Request button to generate the certificate signing request. The certificate signing request is displayed in a text field in the browser. This can be used to copy and paste the request directly to a certificate authority that supports this form of request submission. Alternatively, you may click the Download the current CSR link to download a .csr file to your browser.
The process for installing an SSL certificate has been simplified. In the first step, select whether you will be copying and pasting the certificate as plain text, or uploading the certificate from a file. In the second step, you must provide between one and three items of information: The Certificate field must contain the digital certificate. This can be a file containing a base-64 representation of the certificate, or it can be a block of text that contains the certificate.
To resolve this error, first check that you have provided the correct intermediate certificate. If the problem persists, check with your certificate authority for the appropriate root certificate to use. As an optional third step, if you have a private key that corresponds to the SSL certificate, it may be specified separately. This is only required if you did not generate the certificate signing request on the server. Click the Upload Certificate button to install the new SSL certificate.
Backup and Restore
Click the Backup & Restore command link on the Administrator start page to make backups of the appliance’s current configuration as well as restore a previous backup. It is recommended that you make a complete configuration backup of the system after completing a deployment and after making configuration changes.
Server Configuration), you can select to back up the entire area or only a particular part of that area. To access the components within an area, click the down arrow. There are five possible states for each area, described below:
1. Complete backup: the tick mark is highlighted. The components of the area are not displayed, but the entire area and all of its components will be backed up.
2. Partial backup: the down arrow is highlighted.
You are able to select either a complete or custom backup to run on the schedule. The options available are the same as for the manual backup. You are required to enter a prefix for the backup filename. The backup name is used as the basis for the name of the backup file. The current time and date is used to identify different backups, in the format YYYYMMDD-hhmmss. For example, with the backup name ‘backup’, the backup filename will be backup.20080101-123456.dat.
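The naming scheme above (prefix, then a YYYYMMDD-hhmmss stamp, then .dat) is what an operator relies on when deciding which backup is the most recent restore point and which older files can be removed. The following Python is an added example, not part of the guide or the product, that parses such names, picks the newest backup for a prefix and lists the ones older than a retention window while always keeping the newest one. The directory listing is constructed for the example; the prefixes and dates in it are not real backups.

```python
import re
from datetime import datetime, timedelta

# Backup files are named <prefix>.YYYYMMDD-hhmmss.dat. The prefix itself may contain
# dots, so the stamp is anchored to the trailing ".dat" rather than to the first dot.
BACKUP_RE = re.compile(r"^(?P<prefix>.+)\.(?P<stamp>\d{8}-\d{6})\.dat$")


def parse_backup_name(name):
    """Return (prefix, datetime) for a backup filename, or None if it is not one."""
    m = BACKUP_RE.match(name)
    if not m:
        return None
    try:
        stamp = datetime.strptime(m.group("stamp"), "%Y%m%d-%H%M%S")
    except ValueError:  # right shape, but not a real date/time (e.g. day 32)
        return None
    return m.group("prefix"), stamp


def backups_for_prefix(names, prefix):
    """Return [(datetime, name)] for the backups carrying this prefix, newest first."""
    found = []
    for name in names:
        parsed = parse_backup_name(name)
        if parsed and parsed[0] == prefix:
            found.append((parsed[1], name))
    return sorted(found, reverse=True)


def latest_backup(names, prefix):
    """Filename of the most recent backup for the prefix, or None if there is none."""
    found = backups_for_prefix(names, prefix)
    return found[0][1] if found else None


def backups_to_prune(names, prefix, keep_days, now):
    """Backups older than keep_days. The newest backup is never listed, so a restore
    point survives even if the schedule has silently stopped producing new files."""
    found = backups_for_prefix(names, prefix)
    cutoff = now - timedelta(days=keep_days)
    return [name for stamp, name in found[1:] if stamp < cutoff]


# Constructed sample directory listing (hypothetical names, not real backup files)
SAMPLE_FILES = [
    "backup.20080101-123456.dat",
    "backup.20080108-020000.dat",
    "backup.20080115-020000.dat",
    "weekly.cfg.20080110-020000.dat",  # different prefix, itself containing a dot
    "backup.20080132-020000.dat",      # looks right but day 32 does not exist
    "backup.readme.txt",               # not a backup file at all
]

if __name__ == "__main__":
    now = datetime(2008, 1, 16, 9, 0, 0)
    print("latest:", latest_backup(SAMPLE_FILES, "backup"))
    print("prune :", backups_to_prune(SAMPLE_FILES, "backup", keep_days=10, now=now))
```

Keeping the newest file regardless of age is the deliberate choice here: a retention job that can delete the last remaining backup turns a stalled schedule into a total loss of restore points.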
proxy*: proxy related arguments
quote=CMD: send custom command to FTP server
require-ssl: require SSL connection for success
SMB options
kerberos: use Kerberos authentication (Active Directory)
domain=NAME or workgroup=NAME: set the workgroup to NAME
debug: generate additional debugging messages which are logged to the application log
Multiple options should be separated with semicolons.
restore, be sure to select the appropriate items by clicking the tick icon for each configuration item to restore.
4. Mark the Restore settings from backup check box. Be aware that it is possible to overwrite any local configuration changes that have been made since the backup was created.
5. Click the Restore Configuration button for the restore to commence. A progress window is shown for the restore operation.
6. You are presented with a ‘System restore operation completed successfully’ message.
server. To access the Content Manager, click the Content Manager command link on the Customization start page. You can add content items by using your Web browser to upload them. You can also copy a content item stored on another Web server by downloading it. To use a content item, you can insert a reference to it into any custom HTML editor within the application. To do this, select the content item you want to insert from the drop-down list located in the lower right corner of the editor.
Downloading Content
To download a file from the Internet for use in ClearPass Guest, click on the Download New Content tab. The Fetch Content form is displayed. After you have completed the form, click the Fetch Content button to have the file downloaded. The file is placed in the public directory on the Web server. You are then able to reference this file when creating custom HTML templates.

Additional Content Actions
The Properties link allows you to view and edit the properties of the item.
Performing a Security Audit
Use the Check Security command link on the Administrator > Security Manager page to start a security audit of the system. A security assessment will be performed and a report will be displayed containing the recommendations from the security assessment.

Reviewing Security Audit Results
For each of the security recommendations presented, you can choose to accept the recommendation, ignore the recommendation, or disable the recommendation.
attention. Use the Disable Check link to prevent the security audit from raising warnings about a specific security condition.

Changing Network Security Settings
Use the Network Security command link to check the current settings for remote console access. ClearPass Guest has a command line interface (CLI) which may be accessed using the appliance console or SSH.
1. To configure notifications, go to Administrator > Notifications. The Configure Notifications page opens.
2. In the Warning Levels drop-down list, specify the maximum number of alerts to receive. If you do not want to receive notifications, choose 0-Disable warnings.
3. If you enabled warnings, in the Level 1 field, enter the amount of remaining disk space at which the first notification should be sent.
4.
Determining Installed Operating System Packages
Use the Advanced view of the System Information page to display a list of the installed operating system packages, together with the corresponding version numbers.

Plugin Manager
Plugins are the software components that fit together to make your Web application. The Plugin Manager allows you to manage subscriptions, list available plugins, add new plugins, and check for updates to the installed plugins.
clusters after the plugins are updated. Please see Destroying a Cluster and Cluster Setup in the High Availability Services chapter.

Managing Subscriptions
A subscription ID is a unique number used to identify your software license and any custom software modules that are part of your ClearPass Guest solution. To view current subscription IDs, navigate to Administrator > Plugin Manager, then click Manage Subscriptions. The ClearPass Guest Subscription page opens.
Plugins cannot be disabled or removed if other enabled plugins are dependent on them. An error message will be displayed if an operation is attempted that would leave the application in an inconsistent state.

Adding or Updating New Plugins
You can add or update plugins either from the Internet or from a file provided to you by email. If your new plugin was emailed to you as a file, navigate to Administrator > Plugin Manager > Add New Plugin.
The default view of the Add New Plugins page lists all available updates and plugins that are not yet installed on your system. You can configure the list to display all plugins (including those already installed on the system) or just new plugins and updates. To change the list, click the Display All Plugins or Display Changed Plugins link. The default selections include all new plugins and any updated plugins that are available.
To undo any changes to the plugin’s configuration, click the plugin’s Restore default configuration link. The plugin’s configuration is restored to the factory default settings. In most cases, plugin configuration settings do not need to be modified directly. Use the customization options available elsewhere in the application to make configuration changes.
1. To change the application’s title, enter the new name in the Application Title field (for example, your company name) to display that text as the title of your Web application. Click Save Configuration.
2. The Kernel plugin’s Debug Level, Update Base URL and Application URL options should not be modified unless you are instructed to do so by Aruba support.
3. To turn off autocomplete on forms, mark the check box in the Form Auto Complete row. This disables credentials caching.
4.
2. The default navigation layout is “expanded.” To change the behavior of the navigation menu, click the Navigation Layout drop-down list and select a different expansion level for menu items.
3. The Page Heading field allows you to enter additional heading text to be displayed at the very top of the page.
The default skin used by the ClearPass Guest application is the one that is enabled in the Plugin Manager.
To ensure that authentication, authorization, and accounting (AAA) is performed correctly, it is vital that the server maintains the correct time of day at all times. It is strongly recommended that you configure one or more NTP servers to automatically synchronize the server’s time. NTP can interfere with timekeeping in virtual machines.
If the server’s clock is running slow, changing the server’s time may cause your current login to expire. In this case you will need to log in again after clicking the Save Changes button.

System Control
The System Control commands on the Administrator > System Control page allow you to:
Shut down the server immediately.
Reboot the system, which stops all services while the reboot is taking place.
Restart the system services without stopping the server.
5—Notice: normal but significant condition
6—Informational: informational messages
7—Debug: debug-level messages
When a syslog server has been defined, messages matching the rules defined here are sent to the syslog server. The syslog protocol uses UDP port 514.

Log Rotation: Configuring Data Retention
To configure the number of weeks to retain records for data, log files, disabled accounts, and mobile device certificates, click the Configure data retention link in the Log Rotation row.
Facility: Redirecting Application Log Messages
To redirect log messages from the application log to the syslog, select an option from the Facility field drop-down menu. The default option, None – Do not send application log messages to syslog, stores all application-generated messages in the separate application log. If you select a specific syslog facility, the minimum priority level for the corresponding syslog facility determines whether the syslog message is forwarded to the remote collector.
For high-traffic sites that are maintaining many weeks of log files, enter a non-zero value for Disk Space to ensure that the log files cannot fill up the system’s disk. If the disk space check is enabled, the server’s free disk space is checked daily at midnight, and if it is below the specified threshold, old log files are deleted to free up space. The syslog protocol is used to send log messages from one system to a syslog server (also known as a ‘collector’). The syslog protocol uses UDP port 514.
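The facility and the minimum priority level described above are combined into the single PRI number that starts every syslog message, and it is that number a collector uses to decide what to keep. The following Python is an added example, not part of the guide or the product: it encodes and decodes PRI values, parses BSD-style syslog lines, and applies a "forward only at this severity or more severe" filter for one facility, which is the decision the text describes. The sample lines are constructed for the example; the facility numbering follows the standard syslog assignments (local0 to local7 are 16 to 23), which is an assumption about how the appliance’s Facility choices map to numbers.

```python
import re

# Severities as numbered in the text: 0 is the most severe, 7 the least
SEVERITIES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
              4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}
# Standard facility codes; local0..local7 are the usual choice for an application log
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SYSLOG_PORT = 514  # UDP, as stated in the text; nothing in the datagram is authenticated


def encode_pri(facility, severity):
    """PRI value carried in the <N> prefix of every syslog message."""
    return facility * 8 + severity


def decode_pri(pri):
    """Split a PRI value back into (facility, severity)."""
    return divmod(pri, 8)


PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$")


def parse_syslog(line):
    """Return facility/severity numbers and names plus the body, or None when the
    line has no valid PRI prefix or names a facility code that is not assigned."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    if facility not in FACILITIES:
        return None
    return {"facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity],
            "body": m.group("body")}


def build_message(facility, severity, timestamp, host, tag, text):
    """Compose a BSD-style (RFC 3164) line; this string is the UDP datagram payload."""
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), timestamp, host, tag, text)


def forward_filter(lines, facility, min_severity):
    """Keep messages of the given facility at min_severity or more severe.
    'More severe' is a numerically smaller value, hence the <= comparison."""
    kept = []
    for line in lines:
        msg = parse_syslog(line)
        if msg and msg["facility"] == facility and msg["severity"] <= min_severity:
            kept.append(line)
    return kept


# Constructed sample lines (hypothetical hosts, tags and text)
SAMPLE_LINES = [
    "<134>Jan  5 14:13:45 clearpass guest: Guest account demo123 created",   # local0.info
    "<131>Jan  5 14:14:02 clearpass guest: Backup to FTP server failed",     # local0.err
    "<38>Jan  5 14:14:10 clearpass sshd: Accepted publickey for admin",      # auth.info
    "<191>Jan  5 14:14:11 clearpass guest: template cache refreshed",        # local7.debug
    "Jan  5 14:14:12 clearpass guest: line without a PRI header",
]

if __name__ == "__main__":
    for line in forward_filter(SAMPLE_LINES, facility=16, min_severity=5):
        print("forward:", line)
```

A line without a PRI prefix is dropped rather than guessed at; a collector that silently assigns a default severity to malformed input makes the minimum-priority rule meaningless.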
Figure 48 Data Retention Policy page
Select Enable to enable the data retention policy option and enter how many weeks in the Log Rotation field to indicate how many weeks you want log files kept before they are deleted. You can specify how many weeks a guest account persists after the account is disabled in the Guest Accounts field. For mobile device certificates, select the minimum delay, in weeks, required before an expired certificate or rejected request can be deleted.
Changing Database Configuration Parameters
The Database Configuration form allows you to configure the system’s database and manage its maintenance schedule. Access this form by navigating to System Control > Database Config. The Options field is a text field that accepts multiple name = value pairs. You can also add comments by entering lines starting with a # character.
Changing Web Application Configuration
Certain performance and security options may be configured that affect the operation of the Web application user interface. Use the Web Application Configuration command link to adjust these configuration parameters. The Memory Limit may be increased to allow larger reports to be run on the system. The File Upload Size may be increased to allow larger content items to be uploaded, or larger backup files to be restored.
Changing Web Server Configuration
High-traffic deployments may need to adjust certain performance options related to the system’s Web server. Use the Web Server Configuration command link to adjust these configuration parameters. The Maximum Clients option specifies the maximum number of clients that may simultaneously be making HTTP requests. The default value should only need to be increased for high-traffic sites.
This report can be downloaded for support purposes.

Adding Disk Space
Storage capacity can be increased on VMware-based deployments. To increase available storage, click the Add Space option on the System Information screen. The Adding Disk Space screen appears. Follow the instructions on this page.
System Log
The system log viewer available on the Support > System Logs page displays messages that have been generated from multiple different sources:
Application Logs—messages generated by the ClearPass Guest application.
HTTP Logs—messages generated by the Apache Web Server.
RADIUS Logs—messages generated by the RADIUS server during authentication, authorization or accounting.
System Logs—messages generated by the system and various internal processes within it.
Use the Filter tab to control advanced filtering settings, such as which logs to search and the time period to display. Click the Apply Filter button to save your changes and update the view, or click the Reset button to remove the filter and return to the default view.

Exporting the System Log
Use the Export tab to save a copy of the system logs, in one of several formats. Select one of the following formats from the Format drop-down list: Comma Separated Values (*.
Searching the Application Log
You are able to search for particular log records using the form displayed when you click the Search tab. Click the Reset Form button to clear the search and return to displaying all records in the log.

Exporting the Application Log
Use the Export tab to save the log in other formats, including HTML, text, CSV, TSV and XML. You can select options to print, email or download the data.
Chapter 10 Hotspot Manager
The Hotspot Manager controls self-provisioned guest or visitor accounts. This is where the customer is able to create his or her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts. The following diagram shows how the process of customer self-provisioning works.
Manage Hotspot Sign-up
You can enable visitor access self-provisioning by navigating to Customization > Hotspot Manager and selecting the Manage Hotspot Sign-up command. This allows you to change user interface options and set global preferences for the self-provisioning of visitor accounts. The Enable visitor access self-provisioning check box must be ticked for self-provisioning to be available.
The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows an HTML message to be displayed to visitors if self-provisioning has been disabled. See “Smarty Template Syntax” in the Reference chapter for details about the template syntax you may use to format this message. Click the Save Changes button after you have entered all the required data.
You can customize which plans are available for selection, and any of the details of a plan, such as its description, cost to purchase, allocated role and what sort of username will be provided to customers. Above is the list of default plans provided by the application. Plans that you have enabled have their name in bold and are marked with the enabled icon. Plans that have not been enabled do not have names in bold and their icon is a little different.
Creating New Plans
Custom hotspot plans are added by clicking the Create Hotspot plan button. The following form is displayed. Click the Create Plan button to create this plan for use by your Hotspot visitors. See “Format Picture String Symbols” in the Reference chapter for a list of the special characters that may be used in the Generated Username and Generated Password format strings.
eWAY
Netregistry
Paypal
WorldPay
ClearPass Guest also includes a Demo transaction processor that you can use to create hotspot forms and test hotspot transactions.

Creating a New Transaction Processor
To define a new transaction processor, navigate to Customization > Hotspot Manager, click Manage Transaction Processors, then select New Transaction Processor. In the Name field, enter a name for the transaction processor.
You can customize the title shown on the invoice and how the invoice number is created. You can also customize the currency displayed on the invoice. The Invoice Title must be written in HTML. See “Basic HTML Syntax” in the Reference chapter for details about basic HTML syntax. You are able to use Smarty functions on this page. See “Smarty Template Syntax” in the Reference chapter for further information on these. You are able to insert content items such as logos or prepared text.
Customize Page One
Page one of the guest self-provisioning process requires that the guest selects a plan. You are able to customize how this page is displayed to the guest. You are able to give this page a title, some introductory text and a footer. The Introduction and the Footer are HTML text that may use template syntax; see “Smarty Template Syntax” in the Reference chapter.
See “Smarty Template Syntax” in the Reference chapter for details about the template syntax you may use to format the content on this page.

Customize Page Three
You can make changes to the content of page 3, where the customer receives an invoice containing confirmation of their transaction and the details of their newly created wireless account. See “Smarty Template Syntax” in the Reference chapter for details about the template syntax you may use to format the content on this page.
Chapter 11 High Availability Services
The goal of a highly available system is to continue to provide network services even if a hardware failure occurs. High Availability Services provides the tools required to achieve this goal. These tools include service clustering, fault tolerance, database replication, configuration replication, automatic failover and automatic recovery. You must have two ClearPass Guest servers with the High Availability Services plugin installed in order to use these features.
A cluster’s virtual IP address is a unique IP address that will always be assigned to the primary node of the cluster. In order to take advantage of the cluster’s fault tolerance, all clients that use the cluster must use the cluster’s virtual IP address, rather than each node’s IP address. Replication is the process of ensuring that the secondary node maintains an exact copy of the primary node’s database contents and configuration.
There should be no routers, gateways, firewalls, or network address translation (NAT) between the two nodes. Having nodes in different physical locations is not recommended and is not a supported configuration for the cluster.

Deploying an SSL Certificate
Special consideration needs to be given to deployments that require SSL access to the cluster. The Common Name (CN) of an SSL certificate must match the hostname of the site being visited.
Replicating the database contents ensures that in the event of a primary node failure, the secondary node is up to date and can continue to deliver the same network services to clients. While the primary node is online, the secondary node’s database can only be updated with replication changes from the primary node. No other database changes can take place on the secondary node. Because of this, any form that requires a database update will be disabled and shown as “Read Only Access” on the secondary node.
SNMP server settings (see “SNMP Configuration” in the Administrator Tasks chapter)
The set of currently installed plugins (see “Plugin Manager” in the Administrator Tasks chapter)
Web Login pages (see “Web Logins” in the RADIUS Services chapter)
Certain configuration items are not replicated.
The cluster will continue operating without service interruption. Network services will be unaffected as the cluster’s virtual IP address is assigned to the primary node. While the secondary node is offline, the cluster will no longer be fault-tolerant. A subsequent failure of the primary node will leave the cluster inoperable. To recover the cluster, the secondary node must be brought back online.
Table 36 Cluster Status Descriptions (Continued)
The primary node is running, but the secondary node is down or stopped. The secondary is no longer available. Check the Remote Status on the primary node to determine the cause of the problem. To clear the error condition, bring the secondary node back online. The cluster will return to fault-tolerant mode automatically. If the secondary node needs to be replaced, the cluster must be rebuilt. See “Recovering From a Hardware Failure” in this chapter.
Prepare Primary Node
Use the Cluster Configuration form to enter the basic network and control parameters for the cluster. If you have not already set a unique hostname for this server, you can do so here. Each node in the cluster must have a unique hostname. You can select a single virtual IP address by entering one IP address in the Virtual IP Address field, or specify more than one virtual IP by entering a comma-separated list of multiple IP addresses.
If you have not already set a unique hostname for this server, you can do so here. Each node in the cluster must have a unique hostname. A valid hostname is a domain name that contains two or more components separated by a period (.). Hostname parameters are as follows:
Each component of the hostname must not exceed 63 characters
The total length of the hostname must not exceed 255 characters
Only letters, numbers, and the hyphen (-) and period (.
Each node in the cluster must be able to resolve the other node by using a DNS lookup. This is verified during the cluster initialization. In practice, this means that you must configure your local DNS or DHCP server with appropriate entries for each node. You must enter a shared secret for this cluster. The shared secret is used to authenticate the messages sent between the nodes in the cluster. For an explanation of the downtime threshold parameter, see “Primary Node Failure” in this chapter.
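The hostname rules listed above (two or more components, 63 characters per component, 255 in total, only letters, digits, hyphen and period) and the uniqueness requirement are easy to check before initializing a cluster rather than finding out during it. The following Python is an added example, not part of the guide or the product, that applies exactly those rules and reports every violation found. Rejecting an empty component (as in "host..example.com") is an assumption added here; the guide only says components are separated by a period. The hostnames in the usage section are constructed.

```python
import re

LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")  # letters, digits and hyphen only
MAX_LABEL = 63
MAX_TOTAL = 255


def hostname_errors(name):
    """Return a list of rule violations for name; an empty list means it passes."""
    errors = []
    if len(name) > MAX_TOTAL:
        errors.append("total length %d exceeds %d characters" % (len(name), MAX_TOTAL))
    labels = name.split(".")
    if len(labels) < 2:
        errors.append("hostname must contain two or more components separated by a period")
    for i, label in enumerate(labels, start=1):
        if label == "":
            # Assumption: an empty component cannot be a valid part of a domain name
            errors.append("component %d is empty" % i)
            continue
        if len(label) > MAX_LABEL:
            errors.append("component %d is %d characters, limit is %d"
                          % (i, len(label), MAX_LABEL))
        if not LABEL_RE.match(label):
            errors.append("component %d contains characters other than letters, "
                          "digits and hyphen" % i)
    return errors


def is_valid_hostname(name):
    return not hostname_errors(name)


def duplicate_hostnames(nodes):
    """Each node needs a unique hostname; DNS names are case-insensitive, so the
    comparison ignores case. Returns the names that repeat an earlier one."""
    seen, dups = set(), []
    for node in nodes:
        key = node.lower()
        if key in seen:
            dups.append(node)
        seen.add(key)
    return dups


if __name__ == "__main__":
    # Constructed examples, not real hosts
    for candidate in ("cpg-primary.example.com", "cpg-primary",
                      "guest_1.example.com", "a" * 64 + ".example.com"):
        print(candidate[:40], "->", hostname_errors(candidate) or "ok")
    print(duplicate_hostnames(["cpg-primary.example.com", "CPG-Primary.example.com"]))
```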
The Cluster Initialization form is displayed. Select the check box and click the Initialize Cluster button to proceed. During the cluster initialization process, the entire contents of the RADIUS database (including guest accounts, user roles, and accounting history) and all configuration settings of the primary node will be replicated to the secondary node. The existing database contents and configuration settings on the secondary node will be destroyed.
Cluster Maintenance
Use the Cluster Maintenance command link to access maintenance functions related to the cluster. The maintenance commands that are available on this page will depend on the current state of the cluster as well as which node you are logged into. Some maintenance commands are only available on the secondary node. Other commands may change the active state of the cluster.
5. A progress meter is displayed while the cluster is recovered. The cluster’s virtual IP address will be temporarily unavailable while the recovery takes place.
6. Recovery is complete. The secondary node is now the new primary node for the cluster. The cluster is back in a fault-tolerant mode of operation.
The Recover Cluster command will only work if the node that failed is brought back online with the same cluster configuration. This is normally the case in all temporary outages.
A similar procedure can be used to rebuild the cluster in the event of a secondary node suffering a hardware failure.

Performing Scheduled Maintenance
Routine maintenance tasks such as a server reboot or shutdown may occasionally be required for a server that is part of a cluster. These tasks may be performed by ensuring that the server is the secondary node in the cluster.
Immediately after the cluster is destroyed, both nodes will have the same database and configuration state. However, changes on one node will no longer be replicated to the other node as the cluster is no longer functioning.

Cluster Troubleshooting
When building a cluster, use the recommended values for the downtime threshold, keep-alive rate and configuration sync rate.
Chapter 12 Reference

Basic HTML Syntax
ClearPass Guest allows different parts of the user interface to be customized using the Hypertext Markup Language (HTML). Most customization tasks only require basic HTML knowledge, which is covered in this section. HTML is a markup language that consists primarily of tags that are enclosed inside angle brackets, for example,
Table 38 Standard HTML Tags (Continued): styled text (block); text using CSS formatting; text using a predefined style; hypertext hyperlink (link text to click on); inline image (and its XHTML equivalent); floating image.
For more details about HTML syntax and detailed examples of its use, consult an HTML tutorial or reference guide.

Table 39 Formatting Classes (Continued)
Class                  Applies to     Description
nwaTop                 Table Header   Table heading at top
nwaLeft                Table Header   Left column of table
nwaRight               Table Header   Right column of table
nwaBottom              Table Header   Table heading at bottom
nwaBody                Table Cell     Style to apply to table cell containing data
nwaHighlight           Table Cell     Highlighted text (used for mouseover)
nwaSelected            Table Cell     Selected text (table row after mouse click)
nwaSelectedHighlight   Table Cell     Selected text with mouseover highlight
nwaInfo                A
Comments To remove text entirely from the template, comment it out with the Smarty syntax {* commented text *}. Note that this is different from a HTML comment, in that the Smarty template comment will never be included in the page sent to the Web browser.
{/section} Note that the content after a {sectionelse} tag is included only if the {section} block would otherwise be empty.
Table 40 Smarty Modifiers (Continued)
Modifier          Description
nwatimeformat     Date/time formatting; see “Date/Time Format String Reference” in this chapter for details about this modifier function
nwamoneyformat    Formats a monetary amount for display purposes; an optional modifier argument may be used to specify the format string. This modifier is equivalent to the NwaMoneyFormat() function; see “NwaMoneyFormat” in this chapter for details.
The “icon” parameter is the SRC to the image of the icon. This should normally be a relative path. The “command” parameter is the main text of the command link. The “text” parameter is the explanatory text describing the action that lies behind the command link. (This is optional.) The “linkwidth” parameter, if specified, indicates the width of the command link in pixels. This should be at least 250; the recommended value is 400.
The “icon” parameter, if specified, is the SRC to the image of the icon. This should normally be a relative path. The “width” and “height” parameters, if specified, provide the dimensions of the icon to display. If not specified, this is automatically determined from the image. The “alt” parameter, if specified, provides the alternate text for the icon. The “class” parameter, if specified, is the style name to apply to a containing DIV element wrapped around the content.
Usage example:
{nwa_radius_query _method=GetCallingStationTraffic callingstationid=$dhcp_lease.mac_address from_time=86400 in_out=out _assign=total_traffic}
This example uses the GetCallingStationTraffic query function, and passes the “callingstationid”, “from_time” and “in_out” parameters. The result is assigned to a template variable called total_traffic, and will not generate any output. See “GetCallingStationTraffic()”.
GetUserActiveSessions($username, $callingstationid = null)
GetCurrentSession($criteria)
GetUserCurrentSession($username)
GetIpAddressCurrentSession($ip_addr = null)
GetCallingStationCurrentSession($callingstationid, $mac_format = null)
GetSessionTimeRemaining($username, $format = "relative")
ChangeToRole($username, $role_name)
The $criteria array consists of one or more criteria on which to perform a database search.
nwa_makeid
{nwa_makeid …}
Smarty registered template function. Creates a unique identifier and assigns it to a named page variable. Identifiers are unique for a given page instantiation. Usage example:
{nwa_makeid var=some_id}
The “var” parameter specifies the page variable that will be assigned. Alternative usage:
{nwa_makeid var=some_id file=filename}
The “file” parameter specifies a file which contains a unique ID. This allows issued IDs to be unique across different page loads.
The “reset” parameter may be specified to clear any existing navigation settings. Usage example:
{nwa_nav block=level1_active}
- @a@
{/nwa_nav}
{nwa_nav block=level1_inactive}
- @a@
{/nwa_nav}
...
The ‘output’ parameter specifies the metadata field to return. If ‘output’ is not specified, the default is ‘output=id’; that is, the plugin ID is returned.

nwa_privilege
{nwa_privilege} … {/nwa_privilege}
Smarty registered block function. Includes output only if a certain kind of privilege has been granted. Usage examples:
{nwa_privilege access=create_user} .. content .. {/nwa_privilege}
The “access” parameter specifies the name of a privilege to check for any access.
Usage examples:
{nwa_userpref name=prefName}
{nwa_userpref name=prefName default=10}
{nwa_userpref has=prefName}
“name”: return the named user preference
“default”: supply a value to be returned if the preference is not set
“has”: return 1 if the named preference exists for the current user, 0 if the preference does not exist

nwa_youtube
{nwa_youtube video=ID width=cx height=cy …} … {/nwa_youtube}
Smarty registered block function.
The full list of special formats is:

Table 42 Date and Time Formats
Preset Name   Date/Time Format             Example
hhmmss        %H%M%S                       141345
hh:mm:ss      %H:%M:%S                     14:13:45
iso8601       %Y%m%d                       20080407
iso8601t      %Y%m%d%H%M%S                 20080407141345
iso-8601      %Y-%m-%d                     2008-04-07
iso-8601t     %Y-%m-%d %H:%M:%S            2008-04-07 14:13:45
longdate      %A, %d %B %Y, %I:%M %p       Monday, 07 April 2008, 2:13 PM
rfc822        %a, %d %b %Y %H:%M:%S %Z     Mon, 07 Apr 2008 14:13:45 EST
displaytime   %I:%M %p                     2:13 PM
recent        –                            2 minutes ago
The % items
Date/Time Format String Reference

Table 43 Date and Time Format Strings
Format   Result
%a       Abbreviated weekday name for the current locale
%A       Full weekday name for the current locale
%b       Abbreviated month name for the current locale
%B       Full month name for the current locale
%c       Preferred date and time representation for the current locale
%C       Century number (2-digit number, 00 to 99)
%d       Day of the month as a decimal number (01 to 31)
%D       Same as %m/%d/%y
%e       Day of the month as
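The presets in Table 42 and the % items in Table 43 are strftime-style format strings, so the table can be reproduced and checked against its own example column. The following Python is an added example, not part of the guide or the product: it applies the preset formats to the table’s sample time (7 April 2008, 14:13:45), parses such a value back from the iso8601t form, and implements the "recent" preset as a relative description. Two assumptions are made here: Python’s strftime zero-pads %I, so the unpadded 12-hour value shown in the table ("2:13 PM") is substituted before formatting; and the wording of "recent" for units other than minutes ("3 hours ago", "1 day ago") is chosen by analogy with the table’s single example.

```python
from datetime import datetime

# Preset name -> format string, as listed in Table 42 ("recent" has no format string)
PRESETS = {
    "hhmmss":      "%H%M%S",
    "hh:mm:ss":    "%H:%M:%S",
    "iso8601":     "%Y%m%d",
    "iso8601t":    "%Y%m%d%H%M%S",
    "iso-8601":    "%Y-%m-%d",
    "iso-8601t":   "%Y-%m-%d %H:%M:%S",
    "longdate":    "%A, %d %B %Y, %I:%M %p",
    "rfc822":      "%a, %d %b %Y %H:%M:%S %Z",   # %Z is empty for a naive datetime
    "displaytime": "%I:%M %p",
}


def format_preset(dt, preset):
    """Format dt with a named preset from Table 42."""
    fmt = PRESETS[preset]
    # Assumption: the table shows the 12-hour value without a leading zero ("2:13 PM"),
    # while strftime's %I yields "02", so substitute the unpadded hour first.
    fmt = fmt.replace("%I", str(dt.hour % 12 or 12))
    return dt.strftime(fmt)


def parse_iso8601t(text):
    """Inverse of the iso8601t preset: '20080407141345' -> datetime."""
    return datetime.strptime(text, PRESETS["iso8601t"])


def recent(dt, now):
    """The 'recent' preset: how long ago dt was, relative to now ('2 minutes ago')."""
    seconds = int((now - dt).total_seconds())
    if seconds < 0:
        return "in the future"  # assumption: the table only shows past times
    for unit, size in (("day", 86400), ("hour", 3600), ("minute", 60)):
        if seconds >= size:
            n = seconds // size
            return "%d %s%s ago" % (n, unit, "" if n == 1 else "s")
    return "%d second%s ago" % (seconds, "" if seconds == 1 else "s")


if __name__ == "__main__":
    sample = parse_iso8601t("20080407141345")   # the time used throughout Table 42
    for name in PRESETS:
        print("%-12s %s" % (name, format_preset(sample, name)))
    print("%-12s %s" % ("recent", recent(sample, parse_iso8601t("20080407141545"))))
```

The rfc822 preset is included for completeness but only carries a zone name for a timezone-aware datetime; the "EST" in the table comes from the appliance’s configured timezone.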
Programmer’s Reference

NwaAlnumPassword
NwaAlnumPassword($len)
Generates an alpha-numeric password (mixed case) of length $len characters.

NwaBoolFormat
NwaBoolFormat($value, $options = null)
Formats a boolean value as a string. If 3 function arguments are supplied, the 2nd and 3rd arguments are the values to return for false and true, respectively. Otherwise, the $options parameter specifies how to do the conversion: If an integer 0 or 1, the string values “0” and “1” are returned.
NwaDigitsPassword
NwaDigitsPassword($len)
Generates digit-only passwords of at least $len characters in length.

NwaDynamicLoad
NwaDynamicLoad($func)
Loads the PHP function $func for use in the current expression or code block. Returns true if the function exists (that is, the function is already present or was loaded successfully), or false if the function does not exist. Attempting to use an undefined function will result in a PHP Fatal Error.
Formats a monetary amount for display purposes. The current page language is used to adjust formatting to the country specified. Returns a result that is guaranteed to be in UTF-8. The $format argument may be null, to specify the default behavior (U.S. English format), or it may be a pattern string containing the following: currency symbol (prefix) thousands separator decimal point number of decimal places The format “€1.000,00” uses the Euro sign as the currency symbol, “.
See “NwaParseCsv” and “NwaVLookup”. NwaParseXml NwaParseXml($xml_text) Parses a string as an XML document and returns the corresponding document structure as an associative array.
NwaVLookup NwaVLookup($value, $table, $column_index, $range_lookup = true, $value_column = 0, $cmp_fn = null) Table lookup function, similar to the Excel function VLOOKUP(). This function searches for a value in the first column of a table and returns a value in the same row from another column in the table. This function supports the values described in the table below.
Table 46 GuestManager Standard Fields Field Description account_activation String. The current account activation time in long form. This field is available on the change_expiration and guest_enable forms.
Table 46 GuestManager Standard Fields (Continued) Field Description do_expire Integer that specifies the action to take when the expire time of the account is reached. See “expire_time” . 0—Account will not expire 1—Disable 2—Disable and logout 3—Delete 4—Delete and logout “Disable” indicates that the enabled field will be set to 0, which will prevent further authorizations using this account.
Table 46 GuestManager Standard Fields (Continued) Field Description expire_time Integer. Time at which the account will expire. The expiration time should be specified as a UNIX timestamp. Setting an expire_time value also requires a non-zero value to be set for the do_expire field; otherwise, the account expiration time will not be used. Set this field to 0 to disable this account expiration timer. expire_usage Integer.
Table 46 GuestManager Standard Fields (Continued) Field Description modify_expire_usage String. Value indicating how to modify the expire_usage field. This field is only of use when editing a visitor account.
Table 46 GuestManager Standard Fields (Continued) Field Description netmask String. Network address mask to use for stations using the account. This field may be up to 20 characters in length. The value of this field is not currently used by the system. However, a RADIUS user role may be configured to assign network masks using this field by adding the Framed-IP-Netmask attribute, and setting the value for the attribute to: = $user["netmask"] no_password Boolean.
Table 46 GuestManager Standard Fields (Continued) Field Description password_last_change Integer. The time that the guest’s password was last changed. The password change time is specified as a UNIX timestamp. This field is automatically updated with the current time when the guest changes their password using the self-service portal. random_password String. This field contains a randomly-generated password. This field is set when modifying an account (guest_edit form). random_password_length String.
Table 46 GuestManager Standard Fields (Continued) Field Description random_username_method String. Identifier specifying how usernames are to be created. It may be one of the following identifiers: nwa_sequence to assign sequential usernames. In this case, the multi_prefix field is used as the prefix for the username, followed by a sequential number; the number of digits is specified by the random_username_length field.
Table 46 GuestManager Standard Fields (Continued) Field Description simultaneous_use Integer. Maximum number of simultaneous sessions allowed for the account. sponsor_email Email address of the sponsor of the account. If the sponsor_email field can be inserted into an email receipt and used in future emails, the “Reply-To” email address will always be the email address of the original sponsor, not the current operator. sponsor_name String. Name of the sponsor of the account.
Table 47 Hotspot Standard Fields (Continued) Field Description password2 String. Password for the account (used to confirm a manually typed password). personal_details No Type. Field attached to a form label. purchase_amount No Type. Total amount of the transaction. This field is only used during transaction processing. purchase_details No Type. Field attached to a form label. state String. The visitor’s state or locality name. submit_free No Type. Field attached to a form submit button.
Table 49 SMTP Services Standard Fields Field Description auto_send_smtp Boolean. Flag indicating that an email receipt should be automatically sent upon creation of the guest account. Set this field to a non-zero value or a non-empty string to enable an automatic email receipt to be sent. This field can be used to create an opt-in facility for guests.
Table 49 SMTP Services Standard Fields (Continued) Field Description smtp_warn_before_receipt_format String. This field overrides the format in the Email Receipt field under Logout Warnings. It may be one of “plaintext” (No skin – plain text only), “html_embedded” (No skin – HTML only), “receipt” (No skin – Native receipt format), “default” (Use the default skin), or the plugin ID of a skin plugin to specify that skin.
Any other alphanumeric characters in the picture string will be used in the resulting username or password. Some examples of the picture string are shown below:
Table 51 Picture String Example Passwords
Picture String – Sample Password
#### – 3728
user#### – user3728
v^^#__ – vQU3nj
@@@@@ – Bh7Pm
Form Field Validation Functions
See “Form Validation Properties” in this chapter and “Examples of Form field Validation” in the Guest Management chapter for details about using validation functions for form fields.
    'corp-domain.com',
    'other-domain.com',
  ),
  'deny' => array(
    'blocked-domain.com',
    'other-blocked-domain.com',
  ),
)
The keys ‘whitelist’ and ‘blacklist’ may also be used for ‘allow’ and ‘deny’, respectively. An ‘allow’ or ‘deny’ value that is a string is converted to a single element array. Wildcard matching may be used on domain names: the prefix ‘*.’ means match any domain that ends with the given suffix.
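The allow/deny domain check described above, as an added Python model that is not ClearPass Guest's own code. It implements what the page specifies (allow/deny arrays, the whitelist/blacklist aliases, a bare string treated as a one-element array, and the ‘*.’ wildcard); the precedence of deny over allow, the handling of an empty allow list, and the sample option set are assumptions marked in the code.

```python
"""Model of the email-domain allow/deny validation option described above.

Added example, not ClearPass Guest's own code.  Assumptions (not stated on
the page): a deny match always wins over an allow match, and an empty allow
list accepts every domain that is not denied.
"""
from __future__ import annotations

from typing import Mapping


def _as_list(value) -> list[str]:
    """A string option is converted to a single-element list (per the page)."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def _domain_of(email: str) -> str | None:
    """Return the lower-cased domain part of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def domain_matches(pattern: str, domain: str) -> bool:
    """'*.suffix' matches any domain ending in '.suffix'; any other pattern
    must equal the whole domain (comparison is case-insensitive).

    Assumption: the bare suffix itself ('corp-domain.com' for
    '*.corp-domain.com') is not matched by the wildcard and needs its own entry.
    """
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])  # keep the leading dot
    return domain == pattern


def email_domain_allowed(email: str, options: Mapping) -> bool:
    """Return True if the address's domain passes the allow/deny policy."""
    domain = _domain_of(email)
    if domain is None:
        return False  # malformed address never passes
    allow = _as_list(options.get("allow", options.get("whitelist")))
    deny = _as_list(options.get("deny", options.get("blacklist")))
    # Assumption: a deny match wins over any allow match.
    if any(domain_matches(p, domain) for p in deny):
        return False
    # Assumption: with no allow list, every non-denied domain is accepted.
    if not allow:
        return True
    return any(domain_matches(p, domain) for p in allow)


# Constructed sample options in the shape shown on the page.
SAMPLE_OPTIONS = {
    "allow": ["corp-domain.com", "*.partner-domain.com"],
    "deny": "blocked-domain.com",  # a string, converted to a one-element list
}


if __name__ == "__main__":
    for addr in ("alice@corp-domain.com", "bob@Sub.Partner-Domain.com",
                 "eve@blocked-domain.com", "mallory@partner-domain.com"):
        print(addr, email_domain_allowed(addr, SAMPLE_OPTIONS))
```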
username – specifies the name of the field containing the username. If empty or unset, the password is not checked against this field for a match.
minimum_length – specifies the minimum length of the password in characters.
disallowed_chars – if set, specifies characters that are not allowed in the password.
complexity_mode – specifies the set of rules to use when checking the password.
complexity – if set, specifies rules for checking the composition of the password.
NwaConvertOptionalInt – Converts a string representation of an integer to the equivalent integer value. The conversion leaves blank values unmodified.
NwaConvertStringToOptions – Converts a multi-line string representation of the form
key1 | value1
key2 | value2
to the array representation
array (
  'key1' => 'value1',
  'key2' => 'value2',
)
NwaImplodeComma – Converts an array to a string by joining all of the array values with a comma.
Table 53 Form Field Display Functions (Continued) Function Description NwaDateFormat Format a date like the PHP function strftime(), using the argument as the date format string. Returns a result guaranteed to be in UTF-8 and correct for the current page language.
View Display Expression Technical Reference A page that contains a view is displayed in an operator’s Web browser. The view contains data that is loaded from the server dynamically. Because of this, both data formatting and display operations for the view are implemented with JavaScript in the Web browser. For each item displayed in the view, a JavaScript object is constructed. Each field of the item is defined as a property of this object.
Table 54 Display Expressions for Data Formatting (Continued) Value Description Nwa_NumberFormat(value[, if_undefined]) Nwa_NumberFormat(value, decimals) Nwa_NumberFormat(value, decimals, dec_point, thousands_sep[, if_undefined]) Converts a numerical value to a string. If the value has an undefined type (in other words, has not been set), and the if_undefined parameter was provided, returns if_undefined.
If the expression evaluates to true, the AccessReject() will cause authorization to be refused. If the expression evaluates to false, AccessReject() is not called, and the authorization process will continue (however, the attribute will not be included in the Access-Accept, as the condition expression has evaluated to false). EnableDebug() EnableDebug($flag = 1) Enables debugging for the remainder of the processing of this request. The flag may also be set to false or 0 to disable debugging.
MacEqual()
MacEqual($addr1, $addr2)
Compares two MAC addresses for equality, using their canonical forms. Example usage as a condition expression for an attribute:
return MacEqual(GetAttr('Calling-Station-Id'), '00-01-02-44-55-66')
MacAddrConvert()
MacAddrConvert($mac, $mac_format)
Converts a MAC address to a specified format. This function accepts anything that can be interpreted as a MAC address using some fairly liberal guidelines and returns the address formatted with the $mac_format string.
If $to_time is specified, the interval considered is between $from_time and $to_time. Returns the total session time for all matching accounting records in the time interval specified. GetSessions() GetSessions($criteria, $from_time, $to_time = null) Calculate the number of sessions from accounting records in the database.
Another way to limit downloads in the past 30 days to 100 MB:
return GetUserTraffic($now - 86400*30, $now, 'out') > 100*1024*1024 && AccessReject()
Limit by MAC address, 50 MB download in past 24 hours:
return GetCallingStationTraffic(86400, 'out') > 50000000 && AccessReject()
GetUserTraffic()
GetUserTraffic($from_time, $to_time = null, $in_out = null)
Calculate the sum of traffic counters in a time interval.
GetCallingStationSessions() GetCallingStationSessions($from_time, $to_time = null, $mac_format = null) Calculate the number of sessions for accounting records matching a specific calling-station-id. The calling station id address is looked up automatically from the RADIUS Access-Request (Calling-Station-ID attribute). Because different NAS equipment can send differently-formatted MAC addresses in the Calling-Station-Id attribute, the $mac_format argument may be specified.
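Canonical MAC comparison as described for MacEqual() and MacAddrConvert() above, and the point made under GetCallingStationSessions() that different NAS equipment sends Calling-Station-Id in different formats, as an added Python model that is not ClearPass Guest's own code. The page does not define the $mac_format string, so mac_convert() uses an assumed (separator, group size, case) interface; the sample request is constructed.

```python
"""Canonical MAC-address comparison and reformatting.

Added example modelling MacEqual() and MacAddrConvert(); not the product's
own code.  mac_convert()'s parameters are an assumed interface, since the
page does not define the $mac_format string.
"""
import re

_SEPARATORS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def mac_canonical(mac):
    """Return the 12-digit lower-case hex form of a MAC address, or None.

    Accepts the spellings NAS equipment commonly sends: 00-01-02-44-55-66,
    00:01:02:44:55:66, 0001.0244.5566 and 000102445566, in either case.
    Anything else (wrong length, non-hex characters) yields None, so a
    malformed attribute can never compare equal to a configured address.
    """
    if not isinstance(mac, str):
        return None
    digits = _SEPARATORS.sub("", mac.strip()).lower()
    return digits if _HEX12.match(digits) else None


def mac_equal(addr1, addr2):
    """Model of MacEqual(): compare two addresses by their canonical forms."""
    a, b = mac_canonical(addr1), mac_canonical(addr2)
    return a is not None and a == b


def mac_convert(mac, separator=":", group=2, upper=False):
    """Model of MacAddrConvert() with an assumed format interface: split the
    canonical form into groups of `group` hex digits joined by `separator`."""
    canonical = mac_canonical(mac)
    if canonical is None:
        raise ValueError("not a MAC address: %r" % (mac,))
    if 12 % group:
        raise ValueError("group size must divide 12")
    out = separator.join(canonical[i:i + group] for i in range(0, 12, group))
    return out.upper() if upper else out


# Constructed Access-Request attributes, with the MAC in the dotted form
# some vendors send rather than the dashed form used in the page's example.
SAMPLE_REQUEST = {"User-Name": "demo@example.com",
                  "Calling-Station-Id": "0001.0244.5566"}


def station_matches(request, expected_mac):
    """Model of the condition expression
    return MacEqual(GetAttr('Calling-Station-Id'), '00-01-02-44-55-66')
    applied to a request dict; a missing attribute yields False."""
    return mac_equal(request.get("Calling-Station-Id"), expected_mac)


if __name__ == "__main__":
    print(station_matches(SAMPLE_REQUEST, "00-01-02-44-55-66"))
    print(mac_convert(SAMPLE_REQUEST["Calling-Station-Id"], "-", 2, True))
```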
'acctsessionid' => '4a762dbf00000002',
'acctuniqueid' => 'c199b5a94ebf5184',
'username' => 'demo@example.com',
'realm' => '',
'role_name' => 'Guest',
'nasipaddress' => '192.168.2.
See “GetCurrentSession()” for details of the return value. GetUserStationCount() GetUserStationCount($from_time = null, $to_time = null, $exclude_mac = null) Count the total number of unique MAC addresses used in a time interval, for all sessions with the same User-Name attribute as that specified in the RADIUS Access-Request. If $exclude_mac is set, any sessions matching that MAC address are excluded from the count.
Example: Use the following as a conditional expression for an attribute. If the user's traffic in the past 24 hours exceeds 50 MB, the user is changed to the "Over-Quota" role.
return GetUserTraffic(86400) > 50e6 && ChangeToRole("Over-Quota");
RADIUS Server Options
These are the advanced server options that may be configured using the RADIUS Server Options text field. Where applicable, the default value for each configuration option is shown.
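The traffic-quota conditions shown here and under GetUserTraffic() above (the AccessReject() and ChangeToRole("Over-Quota") expressions), as an added Python model that is not ClearPass Guest's own code. The accounting rows, the fixed "now", and the rule that a record counts when its session start time falls inside the interval are constructed assumptions; the interval semantics follow the page (a lone $from_time is a number of seconds before now).

```python
"""Traffic-quota evaluation over accounting records.

Added example modelling GetUserTraffic() and the quota condition
expressions on the page; not ClearPass Guest's own code.
"""
import time

# Constructed accounting rows (octet counters are integers); NOW is a fixed
# "current time" so the example is reproducible offline.
NOW = 1_700_000_000
RECORDS = [
    {"username": "demo@example.com", "acctstarttime": NOW - 3600,
     "acctinputoctets": 1_000_000, "acctoutputoctets": 30_000_000},
    {"username": "demo@example.com", "acctstarttime": NOW - 7200,
     "acctinputoctets": 2_000_000, "acctoutputoctets": 25_000_000},
    {"username": "demo@example.com", "acctstarttime": NOW - 86400 * 3,
     "acctinputoctets": 4_000_000, "acctoutputoctets": 500_000_000},
    {"username": "quiet@example.com", "acctstarttime": NOW - 600,
     "acctinputoctets": 100_000, "acctoutputoctets": 900_000},
]


def _interval(from_time, to_time, now):
    """Per the page: with $to_time given the interval is [from_time, to_time];
    with only $from_time given it is a number of seconds before now, so
    GetUserTraffic(86400) means the past 24 hours."""
    if to_time is None:
        return now - from_time, now
    return from_time, to_time


def user_traffic(records, username, from_time, to_time=None, in_out=None, now=None):
    """Model of GetUserTraffic(): sum the octet counters of the user's records
    in the interval.  in_out selects 'in', 'out', or both when None."""
    if in_out not in (None, "in", "out"):
        raise ValueError("in_out must be None, 'in' or 'out'")
    now = time.time() if now is None else now
    lo, hi = _interval(from_time, to_time, now)
    total = 0
    for rec in records:
        if rec["username"] != username:
            continue
        if not lo <= rec["acctstarttime"] <= hi:  # assumption: count by session start
            continue
        if in_out != "out":
            total += rec["acctinputoctets"]
        if in_out != "in":
            total += rec["acctoutputoctets"]
    return total


def over_quota_role(records, username, now=None, limit=50_000_000, role="Over-Quota"):
    """Model of: return GetUserTraffic(86400) > 50e6 && ChangeToRole("Over-Quota");
    Returns the role to switch to, or None when the user is within quota."""
    if user_traffic(records, username, 86400, now=now) > limit:
        return role
    return None


def reject_monthly_download(records, username, now=None):
    """Model of:
    return GetUserTraffic($now - 86400*30, $now, 'out') > 100*1024*1024 && AccessReject()
    Returns True when the request should be rejected (note the binary MB here
    versus the decimal 50e6 in the role-change example)."""
    now = time.time() if now is None else now
    return user_traffic(records, username, now - 86400 * 30, now, "out") > 100 * 1024 * 1024


if __name__ == "__main__":
    for user in ("demo@example.com", "quiet@example.com"):
        print(user, over_quota_role(RECORDS, user, now=NOW),
              reject_monthly_download(RECORDS, user, now=NOW))
```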
Table 56 General Configuration Settings (Continued) Value Description listen.type = not set Type of packets to listen for. Allowed values are “auth” for authentication packets, and “acct” for accounting packets. hostname_lookups = off Log the names of clients or just their IP addresses, for example, www.example.com (on) or 209.97.207.76 (off).
Security Configuration Table 57 Security Configuration Settings Value Description security.max_attributes = 200 The maximum number of attributes permitted in a RADIUS packet. Packets which have more than this number of attributes in them will be dropped. If this number is set too low, then no RADIUS packets will be accepted. If this number is set too high, then an attacker may be able to send a small number of packets which will cause the server to use all available memory on the machine.
Table 58 Proxy Configuration Settings (Continued) Value Description proxy.dead_time = 120 If the home server does not respond to any of the multiple retries, then the RADIUS server will stop sending it proxy requests, and mark it ‘dead’. If there are multiple entries configured for this realm, then the server will failover to the next one listed. If no more are listed, then no requests will be proxied to that realm.
Table 59 Thread Pool Settings (Continued) Value Description thread.max_requests_per_server = 0 Set the maximum number of requests a server should handle before exiting. Zero is a special value meaning “infinity”, or “the servers never exit”. thread.max_queue_size = 65536 Set the maximum number of incoming requests which may be queued for processing. After the queue reaches this size, new requests are dropped. The default value is recommended for most deployments.
Table 60 Authentication Module Configuration Settings (Continued) Value Description mschap.ntlm_auth The module can perform authentication itself, or use a Windows Domain Controller. This configuration directive tells the module to call the ntlm_auth program, which will do the authentication, and return the NT-Key. Note that you MUST have “winbindd” and “nmbd” running on the local machine for ntlm_auth to work. See the ntlm_auth program documentation for details.
The following EAP module options are usually not required, as EAP configuration can be performed using the WebUI. For EAP documentation, see “EAP and 802.1X Authentication and Certificate Management” in the RADIUS Services chapter for further details. Table 62 Optional EAP Module Options Function Description advanced.eap = 1 Enable additional EAP types in the EAP Configuration form. module.eap = yes Extensible Authentication Protocol authentication. eap.
Table 62 Optional EAP Module Options (Continued) Function Description module.eap_tls = no Enables EAP-TLS module. The following functions configure digital certificates for EAP-TLS. If the private key and certificate are located in the same file, then private_key_file and certificate_file must contain the same filename. eap.tls.private_key_password = not set eap.tls.private_key_file = "${raddbdir}/certs/cert-srv.pem" eap.tls.certificate_file = "${raddbdir}/certs/cert-srv.
Table 62 Optional EAP Module Options (Continued) Function Description module.eap_peap = no PEAP authentication. The PEAP module needs the TLS module to be installed and configured, in order to use the TLS tunnel inside of the EAP packet. You will still need to configure the TLS module, even if you do not want to deploy EAP-TLS in your network. Users will not be able to request EAP-TLS, as it requires them to have a client certificate. EAP-PEAP does not require a client certificate. eap.peap.
Table 63 LDAP Module Settings (Continued) Setting Description ldap.password_attribute = “nspmPassword” To support Novell eDirectory Universal Password, this option must be set to “nspmPassword”. Retrieves the user’s plain-text password from the directory and uses it in the RADIUS server for user authentication. Universal Password requires a secure connection to the LDAP server. Required for Novell eDirectory support.
Table 63 LDAP Module Settings (Continued) Setting Description ldap.tls_certfile = not set The PEM Encoded certificate file that should be presented to clients that connect. ldap.tls_keyfile = not set The PEM Encoded private key that should be used to encrypt the session. ldap.tls_randfile = not set A file containing random data to seed the OpenSSL PRNG. Not needed if your OpenSSL is already properly random. ldap.tls_require_cert = not set Certificate Verification requirements.
Table 63 LDAP Module Settings (Continued) Setting Description ldap.groupmembership_filter = not set The filter to search for group membership of a particular user after we have found the DN for the group. Example filter: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) ldap.groupmembership_attribute = not set The attribute in the user entry that states the group the user belongs to.
Table 64 Rewrite Module Configuration Settings (Continued) Value Description module.attr_rewrite.name.searchfor = not set A regular expression to use when determining if the attribute should be matched. See “Regular Expressions” in this chapter for information about the supported syntax for regular expressions. module.attr_rewrite.name.replacewith = not set The replacement value which will be used for the attribute value, if the attribute matches the “searchfor” regular expression.
Service-Type: This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets. Framed-Protocol: This attribute indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets. Framed-IP-Address: This attribute indicates the address to be configured for the user.
Acct-Terminate-Cause: This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. RADIUS Server Internal Attributes The Simultaneous-Use attribute is used by the RADIUS server during the processing of a request. This internal attribute is never returned to a NAS. Simultaneous-Use specifies the maximum number of simultaneous logins a given user is permitted to have.
Table 65 Regular Expressions for Pattern Matching
Regex – Matches
a – Any string containing the letter “a”
^a – Any string starting with “a”
^a$ – Only the string “a”
a$ – Any string ending with “a”
. – Any single character
\. – A literal “.
Chapter 13 Glossary 802.1X IEEE standard for port-based network access control. Access-Accept Response from RADIUS server indicating successful authentication, and containing authorization information. Access-Reject Response from RADIUS server indicating a user is not authorized. Access-Request RADIUS packet sent to a RADIUS server requesting authorization. Accounting-Request RADIUS packet type sent to a RADIUS server containing accounting summary information.
in the certificate (only the certificate authority can create valid certificates). Disconnect-Ack NAS response packet to a Disconnect-Request, indicating that the session was disconnected. Disconnect-Nak NAS response packet to a Disconnect-Request, indicating that the session could not be disconnected. Disconnect-Request RADIUS packet type sent to a NAS requesting that a user or session be disconnected.
operator profile Characteristics assigned to a class of operators, such as the permissions granted to those operators. operator/operator login Person who uses ClearPass Guest to create guest accounts or perform system administration. OS X Operating system from Apple, Inc. for desktop and laptop computers. over-the-air provisioning Process used to securely provision a device and configure it with network settings; applies to iOS and OS X 10.7+ only. PEAP Protected EAP. See EAP-PEAP.
sponsor See operator. TLS See EAP-TLS. trust chain Sequence of certificates, starting at a trusted root certificate, that establishes the identity of each certificate in the chain. trusted root See root CA. unique device credentials Network authentication credentials that uniquely identify the device and user and enable management of provisioned devices. May be a username and password or a TLS client certificate, depending on the type of device.
Index Numerics application log......................................................... 412 802.1Q VLAN........................................................... 367 attributes ................................................................. 119 attribute values ................................................. 145 conditions ................................................. 119, 120 deleting values.................................................. 146 editing .........................................
multiple guest accounts ........................... 207, 220 NAS................................................................... 125 notifications, disk space ................................... 391 operator profile ................................................. 180 operator profiles ............................................... 180 output filter ....................................................... 345 output series..................................................... 342 print template .........
expiration time, guest account ......................... 213 external authentication server .......................... 162 field ................................................................... 231 form .................................................................. 232 form fields......................................................... 234 forms................................................................. 233 forms and views ............................................... 232 guest account......
email.......................................................... 225, 463 enabled ..................................................... 226, 463 expiration_time ................................................. 463 expire_after ....................................................... 227 expire_postlogin................................................ 227 expire_time ............................................... 227, 464 expire_usage............................................. 227, 464 first_name .........
Print .................................................................. 214 Receipts............................................................ 207 Reset password................................................ 212 Scratch cards ................................................... 208 Selection row .................................................... 216 SMS receipt ...................................................... 207 View passwords................................................ 225 XML export .....
Network interfaces.............................................. 40 Password............................................................ 37 Setup wizard....................................................... 37 SMTP configuration............................................ 42 SNMP configuration ........................................... 42 Subscription ID ................................................... 45 Time server ......................................................... 43 Update plugins ..........
GRE tunnel........................................................ 366 security settings................................................ 391 setup................................................................. 357 Subtract ............................................................ 342 Sum................................................................... 342 Microsoft Active Directory....................................... 161 MS-CHAPv2 ............................................................
password resetting ............................................................ 212 Password Authentication Protocol (PAP) ................ 134 Password options Operator logins ................................................. 181 PHP authorization.................................................... 171 PHP value expressions............................................ 122 Picture string ........................................................... 472 PKCS #12 .................................................
Report editor Chart presentations .......................................... 346 Classification groups ........................................ 337 Create output filter ............................................ 345 Create output series ......................................... 342 Create parameter .............................................. 330 Create report..................................................... 348 Create statistic .................................................. 340 Data store .....
sequence diagram AAA ..................................................................... 26 guest self-registration ....................................... 255 report generation .............................................. 324 Serial port interface ................................................... 35 Server time .............................................................. 399 servers Active Directory................................................. 161 configuring options ...........................
translation rules ....................................................... 196 troubleshooting ....................................................... 114 application integrity check ................................ 394 cluster ............................................................... 439 packet capture .................................................. 372 reports............................................................... 355 security check...................................................