Administrator Guide

Parameter: Audit Server
Description: Select a built-in server profile from the list:
  - The [Nessus Server] performs vulnerability scanning and returns a Healthy/Quarantine result.
  - The [Nmap Audit] performs network port scans. The health evaluation always returns a Healthy result. The port scan gathers attributes that allow determination of role(s) through post-audit rules.
  For Policy Manager to trigger an audit on an end-host, it needs the IP address of the end-host. The IP address of the end-host is not available at the time of initial authentication for 802.1X and MAC authentication requests. Policy Manager has a built-in DHCP snooping service that examines DHCP request and response packets to derive the IP address of the end-host. For this to work, Policy Manager must be configured as a DHCP "IP Helper" on your router/switch in addition to your main DHCP server. Refer to your switch documentation for "IP Helper" configuration.
  To audit devices that have a static IP address assigned, it is recommended to create a static binding between the MAC and IP address of the endpoint in your DHCP server. Refer to your DHCP server documentation for configuring such static bindings.
  NOTE: Policy Manager does not issue the IP address; it only examines the DHCP traffic to derive the IP address of the end-host.
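The following is an added illustration of the snooping mechanism described above; it is not ClearPass code and only shows how a passive observer derives a MAC-to-IP binding from a DHCP server reply. It parses the fixed BOOTP/DHCP header (field layout from RFC 2131), walks the option list to find the message type, and records a binding only from a DHCPACK, since the ACK is the message that confirms the lease actually granted. It also handles two edge cases: an ACK answering a DHCPINFORM carries the client's address in ciaddr rather than yiaddr, and truncated option lists are rejected rather than misread. The build_dhcp_reply helper and the sample MAC/IP values are constructed for the example.

```python
import struct
from typing import Dict, Optional, Tuple

# BOOTP/DHCP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes,
# followed by the 4-byte magic cookie and the TLV option list.
DHCP_HEADER_FMT = "!BBBB4sHH4s4s4s4s16s64s128s"
DHCP_HEADER_LEN = struct.calcsize(DHCP_HEADER_FMT)  # 236
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREPLY = 2            # op value for server -> client messages
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255
DHCPOFFER, DHCPACK = 2, 5


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_dhcp_ack(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (mac, ip) if payload is a DHCPACK that assigns or confirms an IPv4
    address, otherwise None. Offers, requests and malformed packets are ignored."""
    if len(payload) < DHCP_HEADER_LEN + 4:
        return None
    if payload[DHCP_HEADER_LEN:DHCP_HEADER_LEN + 4] != DHCP_MAGIC:
        return None
    fields = struct.unpack(DHCP_HEADER_FMT, payload[:DHCP_HEADER_LEN])
    op, htype, hlen = fields[0], fields[1], fields[2]
    ciaddr, yiaddr, chaddr = fields[7], fields[8], fields[11]
    if op != BOOTREPLY or htype != 1 or hlen != 6:   # Ethernet replies only
        return None
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])

    # Walk the option TLVs to find the DHCP message type (option 53).
    msg_type = None
    i = DHCP_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                       # truncated length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                       # truncated option value
        if code == OPT_MESSAGE_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    if msg_type != DHCPACK:
        return None

    # A normal ACK carries the leased address in yiaddr; an ACK answering a
    # DHCPINFORM leaves yiaddr zero and the client's existing address in ciaddr.
    ip = _ipv4(yiaddr) if yiaddr != b"\x00" * 4 else _ipv4(ciaddr)
    if ip == "0.0.0.0":
        return None
    return mac, ip


class BindingTable:
    """MAC -> IP table learned passively from DHCP ACKs. It observes only and
    never issues addresses, mirroring the NOTE above."""

    def __init__(self) -> None:
        self._bindings: Dict[str, str] = {}

    def learn(self, payload: bytes) -> Optional[Tuple[str, str]]:
        binding = parse_dhcp_ack(payload)
        if binding is not None:
            mac, ip = binding
            self._bindings[mac] = ip          # renewals and re-leases overwrite
        return binding

    def lookup(self, mac: str) -> Optional[str]:
        return self._bindings.get(mac.lower())


def build_dhcp_reply(msg_type: int, mac: str, ip: str,
                     xid: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Construct a minimal server -> client DHCP message (sample data only)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    yiaddr = bytes(int(o) for o in ip.split("."))
    zero4 = b"\x00" * 4
    header = struct.pack(DHCP_HEADER_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         zero4, yiaddr, zero4, zero4, chaddr,
                         b"\x00" * 64, b"\x00" * 128)
    options = DHCP_MAGIC + bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])
    return header + options


if __name__ == "__main__":
    table = BindingTable()
    # Constructed sample exchange: an OFFER (ignored) followed by the ACK (learned).
    table.learn(build_dhcp_reply(DHCPOFFER, "aa:bb:cc:dd:ee:01", "10.1.2.3"))
    table.learn(build_dhcp_reply(DHCPACK, "aa:bb:cc:dd:ee:01", "10.1.2.3"))
    print(table.lookup("aa:bb:cc:dd:ee:01"))  # 10.1.2.3
```

In a deployment the observer only sees these replies if the router or switch relays DHCP traffic to it, which is why the IP Helper configuration described above is required; a static-IP endpoint produces no ACK at all, which is why the guide recommends a static DHCP binding for such hosts.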
Parameter: Audit Trigger Conditions
Description: Select from the following audit trigger conditions:
  - Always: Always perform an audit.
  - When posture is not available: Perform an audit only when posture credentials are not available in the request.
  - For MAC Authentication Request: If you select this option, Policy Manager presents the following three additional settings:
    - For known end-hosts only: For example, select this option when you want to reject unknown end-hosts and audit known clients. Known end-hosts are clients that are found in the authentication source(s) associated with this service.
    - For unknown end-hosts only: For example, select this option when known end-hosts are assumed to be healthy, but you want to establish the identity of unknown end-hosts and assign roles. Unknown end-hosts are end-hosts that are not found in any of the authentication sources associated with this service.
    - For all end-hosts: For both known and unknown end-hosts.
Parameter: Action after audit
Description: Select an Action after audit. Performing an audit on a client is an asynchronous task, which means the audit can be performed only after the MAC authentication request is completed and the client has acquired an IP address through DHCP. Once the audit results are available, Policy Manager needs a way to re-apply policies on the network device. This can be accomplished in one of the following ways:
  - No Action: Policy Manager will not apply policies on the network device after this audit.
  - Do SNMP bounce: This option bounces the switch port or forces an 802.1X reauthentication (both done using SNMP). Bouncing the port triggers a new 802.1X/MAC authentication request by the client. If the audit server already has the posture token and attributes associated with this client in its cache, it returns the token and the attributes to Policy Manager.
  - Trigger RADIUS CoA action: This option sends a RADIUS CoA command to the network device.

Table 152: Audit tab
Dell Networking W-ClearPass Policy Manager 6.5 | User Guide Posture | 287