Users Guide

358 | Posture Dell Networking W-ClearPass Policy Manager 6.6 | User Guide
Table 180: Add Services > Audit Dialog Parameters

Parameter: Audit Server
Action/Description: Select a server profile from the list:
  - Nessus Server: Performs vulnerability scanning and returns a Healthy/Quarantine result.
  - Nmap Audit: Performs network port scans. The health evaluation always returns a Healthy result. The port scan gathers attributes that allow determination of role(s) through post-audit rules.
  Click the View Details button to open the Policy Manager Entity Details dialog, which summarizes the audit server details. To view the Summary tab with the audit server details, click the Modify button.
  For Policy Manager to trigger an audit on an end-host, it needs the IP address of the end-host. That IP address is not available at the time of initial authentication for 802.1X and MAC authentication requests, so Policy Manager's DHCP snooping service examines the DHCP request and response packets to derive it.
  For this to work with this service, Policy Manager must be configured as a DHCP “IP Helper” on your router/switch in addition to your main DHCP server. Refer to your switch documentation for “IP Helper” configuration.
  To audit devices that have a static IP address assigned, it is recommended that you create a static binding between the MAC address and IP address of the endpoint in your DHCP server. Refer to your DHCP server documentation for configuring static bindings.
  NOTE: Policy Manager does not issue the IP address; it only examines the DHCP traffic to derive the IP address of the end-host.

Parameter: Audit Trigger Conditions
Action/Description: Select from the following audit trigger conditions:
  - Always: Always perform an audit.
  - When posture is not available: Perform an audit only when posture credentials are not available in the request.
  - For MAC Authentication Request: If you select this option, Policy Manager presents the following three additional settings:
      - For known end-hosts only: Select this option when you want to reject unknown end-hosts and audit known clients. Known end-hosts are clients that are found in the authentication source(s) associated with this service.
      - For unknown end-hosts only: Select this option when known end-hosts are assumed to be healthy, but you want to establish the identity of unknown end-hosts and assign roles. Unknown end-hosts are end-hosts that are not found in any of the authentication sources associated with this service.
      - For all end-hosts: Audit both known and unknown end-hosts.

Parameter: Action after audit
Action/Description: Select an Action after audit.
  Performing an audit on a client is an asynchronous task: the audit can be performed only after the MAC authentication request has completed and the client has acquired an IP address through DHCP. Once the audit results are available, Policy Manager needs a way to re-apply policies on the network device. This can be accomplished in one of the following ways:
  - No Action: Policy Manager does not apply policies on the network device after this audit.
  - Do SNMP bounce: Bounces the switch port or forces an 802.1X reauthentication (both done using SNMP). Bouncing the port triggers a new 802.1X/MAC authentication request by the client.
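The DHCP snooping mechanism described under Audit Server, as an added Python example that is not part of this guide or of ClearPass itself: it constructs a sample DISCOVER/OFFER/REQUEST/ACK exchange, parses the BOOTP header and option 53, and records a MAC-to-IP binding only from the server's ACK, which is also why a statically addressed host (which never sends DHCP) yields no binding. The packet layout follows RFC 2131; the MAC address and IP addresses are constructed sample values.

```python
import socket
import struct

DHCP_ACK = 5                                        # option 53 value for DHCPACK
MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # 236-byte BOOTP header

def build_dhcp(op, msg_type, mac, yiaddr="0.0.0.0", xid=0x1234):
    """Construct a minimal DHCP message (sample traffic, not a real capture)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = FIXED.pack(op, 1, 6, 0, xid, 0, 0, bytes(4), socket.inet_aton(yiaddr),
                        bytes(4), bytes(4), chaddr, bytes(64), bytes(128))
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def parse_dhcp(packet):
    """Return (op, msg_type, client_mac, yiaddr), or None if not DHCP."""
    end = FIXED.size + 4
    if len(packet) < end or packet[FIXED.size:end] != MAGIC_COOKIE:
        return None
    op, _, hlen, _, _, _, _, _, yiaddr, _, _, chaddr, _, _ = FIXED.unpack_from(packet)
    msg_type, i = None, end
    while i < len(packet) and packet[i] != 255:      # walk TLV options until END
        tag = packet[i]
        length = 0 if tag == 0 else packet[i + 1]    # PAD (0) carries no length byte
        if tag == 53 and length == 1:
            msg_type = packet[i + 2]
        i += 1 if tag == 0 else 2 + length
    return op, msg_type, chaddr[:hlen].hex(":"), socket.inet_ntoa(yiaddr)

def snoop_bindings(packets):
    """Derive MAC -> IP from relayed DHCP traffic. Only a server ACK (op=2, type 5)
    confirms the lease; DISCOVER/OFFER/REQUEST are seen but do not set a binding."""
    bindings = {}
    for packet in packets:
        parsed = parse_dhcp(packet)
        if parsed is None:
            continue
        op, msg_type, mac, ip = parsed
        if op == 2 and msg_type == DHCP_ACK and ip != "0.0.0.0":
            bindings[mac] = ip                       # recorded here, never issued
    return bindings

# Constructed exchange for one end-host; a static-IP host never appears in such traffic.
CLIENT = "aa:bb:cc:dd:ee:01"
EXCHANGE = [
    build_dhcp(1, 1, CLIENT),                        # DISCOVER
    build_dhcp(2, 2, CLIENT, "10.1.1.50"),           # OFFER
    build_dhcp(1, 3, CLIENT),                        # REQUEST
    build_dhcp(2, DHCP_ACK, CLIENT, "10.1.1.50"),    # ACK: lease confirmed
]
```

Running `snoop_bindings(EXCHANGE)` yields one binding for the sample client; dropping the ACK from the list yields none, matching the guide's point that the IP address is only known once the DHCP exchange completes.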