Administrator Guide

30 | About Dell Networking W-ClearPass Policy Manager | Dell Networking W-ClearPass Policy Manager 6.5 | User Guide
• Children of Policy Manager, which test requests against their rules to find a matching service for each
request.
The flow-of-control for requests follows this hierarchy:
• Policy Manager tests for the first request-to-service-rule match.
• The matching service coordinates execution of its policy components.
• Those policy components process the request to return enforcement profiles to the network access device
and, optionally, posture results to the client.
There are two approaches to creating a new service in Policy Manager:
• Bottom-Up: Create all policy components (authentication method, authentication source, role mapping
policy, posture policy, posture servers, audit servers, enforcement profiles, and enforcement policy) first, as
needed, and then create the service using the Service creation wizard.
• Top-Down: Start with the Service creation wizard and create the associated policy components as and
when required, all in the same flow.
To help you get started, Policy Manager provides 14 service types or templates. If these service types do not
suit your needs, you can create a service using custom rules.
Authentication and Authorization Architecture and Flow
Policy Manager divides the architecture of authentication and authorization into the following three
components:
• Authentication method
• Authentication source
• Authorization source
Authentication Method
Policy Manager initiates the authentication handshake by sending the available methods in priority order until
the client accepts a method or until the client rejects the last method (with NAKs). The possible outcomes
are:
▪ Successful negotiation returns a method, which is used to authenticate the client against the
authentication source.
▪ Where no method is specified (for example, for unmanageable devices), Policy Manager passes the
request to the next configured policy component for this service.
▪ Policy Manager rejects the connection.
An authentication method is configurable only for some service types. For more information, see Policy Manager
Service Types on page 122. All 802.1X wired and wireless services have an associated authentication method. For
example, the MAC_AUTH authentication method can be associated with the MAC authentication service type.
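
The first-match service selection and priority-order method negotiation described above, modelled as an added example (not Dell or ClearPass code). The service names, rule attributes and method lists are constructed, and the model assumes the client simply accepts or NAKs each offer in turn.

```python
from dataclasses import dataclass, field

@dataclass
class Service:
    name: str
    rule: dict                                   # attributes a request must carry to match
    methods: list = field(default_factory=list)  # offered in priority order

def match_service(services, request):
    """Return the first service whose rule matches; list order decides overlaps."""
    for svc in services:
        if all(request.get(k) == v for k, v in svc.rule.items()):
            return svc
    return None

def negotiate(methods, client_accepts):
    """Offer methods in priority order; return (outcome, method, offers_sent)."""
    if not methods:
        return ("next_component", None, [])   # no method specified for this service
    offered = []
    for m in methods:
        offered.append(m)
        if m in client_accepts:               # client accepts, negotiation ends
            return ("negotiated", m, offered)
    return ("rejected", None, offered)        # client NAKed the last method

def handle(services, request, client_accepts):
    svc = match_service(services, request)
    if svc is None:
        return (None, "no_service", None)
    outcome, method, _ = negotiate(svc.methods, client_accepts)
    return (svc.name, outcome, method)

# Constructed sample configuration (hypothetical names and attributes).
SERVICES = [
    Service("wireless-dot1x", {"nas_port_type": "wireless", "type": "802.1X"},
            ["EAP-TLS", "EAP-PEAP"]),
    Service("unmanaged-devices", {"type": "unmanaged"}),   # no method configured
    Service("catch-all-dot1x", {"type": "802.1X"}, ["EAP-PEAP", "EAP-TLS"]),
]

if __name__ == "__main__":
    wifi = {"nas_port_type": "wireless", "type": "802.1X"}
    wired = {"nas_port_type": "ethernet", "type": "802.1X"}
    both = {"EAP-TLS", "EAP-PEAP"}
    print(handle(SERVICES, wifi, both))     # first matching service, first accepted method
    print(handle(SERVICES, wired, both))    # same client, different order, different method
    print(handle(SERVICES, {"type": "unmanaged"}, set()))
    print(handle(SERVICES, wifi, {"EAP-MD5"}))   # every offer NAKed
```

The same client ends up on a different method depending on which service matched and how that service orders its list, so both orderings are worth reviewing when auditing a configuration.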
Authentication Source
In Policy Manager, an authentication source is the identity store (Active Directory, LDAP directory, SQL DB,
token server) against which users and devices are authenticated. Policy Manager first tests whether the
connecting entity (the device or user) is present in the ordered list of configured authentication sources. Policy
Manager looks for the device or user by executing the first filter associated with the authentication source.
After the device or user is found, Policy Manager then authenticates this entity against this authentication
source. The flow is outlined below:
• On successful authentication, Policy Manager moves on to the next stage of policy evaluation, which
collects role mapping attributes from the authorization sources.