Dell Powerconnect W-ClearPass Virtual Appliances Deployment Guide

Dell Networking W-

ClearPass Guest 6.0

Deployment Guide

© 2013 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.

Originated in the USA. All other trademarks are the property of their respective owners.

Open Source Code

Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open

Source code used can be found at this site:

http://www.arubanetworks.com/open_source

Legal Notice

The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.

2 | Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

Contents

About this Guide 13

Audience 13 Conventions 13

Contacting Support 14

Dell Networking W-ClearPass Guest Overview 15

About Dell Networking W-ClearPass Guest 15 Visitor Access Scenarios 16 Reference Network Diagram 16 Key Interactions 17 AAA Framework 18 Key Features 19 Visitor Management Terminology 20 ClearPass Guest Deployment Process 21

Operational Concerns 21 Network Provisioning 21 Site Preparation Checklist 22

Security Policy Considerations 23 AirGroup Deployment Process 23 Documentation and User Assistance 24

Deployment Guide and Online Help 24

Context-Sensitive Help 24

Field Help 25

Quick Help 25

If You Need More Assistance 25 Use of Cookies 25

Guest Manager 27

Accessing Guest Manager 27 About Guest Management Processes 28

Sponsored Guest Access 28

Self Provisioned Guest Access 28 Using Standard Guest Management Features 29

Creating a Guest Account 29

Creating a Guest Account Receipt 30

Creating Multiple Guest Accounts 30

Creating Multiple Guest Account Receipts 31

Creating a Single Password for Multiple Accounts 32

Managing Guest Accounts 34

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide | 3

Managing Multiple Guest Accounts 38

Importing Guest Accounts 40

Exporting Guest Account Information 43

About CSV and TSV Exports 43 About XML Exports 43

MAC Authentication in ClearPass Guest 44

MAC Address Formats 44

Managing Devices 44

Changing a Device’s Expiration Date 46 Disabling and Deleting Devices 47 Activating a Device 47 Editing a Device 47 Viewing Current Sessions for a Device 49 Viewing and Printing Device Details 49

MAC Creation Modes 49

Creating Devices Manually in ClearPass Guest 50 Creating Devices During Self-Registration - MAC Only 51 Creating Devices During Self-Registration - Paired Accounts 52

AirGroup Device Registration 53

Registering Groups of Devices or Services 53

Registering Personal Devices 55 Automatically Registering MAC Devices in ClearPass Policy Manager 56 Importing MAC Devices 57 Advanced MAC Features 57

2-Factor Authentication 57

MAC-Based Derivation of Role 57

User Detection on Landing Pages 58

Click-Through Login Pages 58

Active Sessions Management 59

Session States 60 RFC 3576 Dynamic Authorization 61 Filtering the List of Active Sessions 61 Disconnecting Multiple Active Sessions 62 Sending Multiple SMS Alerts 63 About SMS Guest Account Receipts 63

Onboard 65

Accessing Onboard 65 About ClearPass Onboard 65

Onboard Deployment Checklist 66 Onboard Feature List 67 Supported Platforms 68 Public Key Infrastructure for Onboard 68

Certificate Hierarchy 69

Certificate Configuration in a Cluster 70 Revoking Unique Device Credentials 70

4 | Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

Revoking Credentials to Prevent Network Access 70

Re-Provisioning a Device 71 Network Requirements for Onboard 71

Using Same SSID for Provisioning and Provisioned Networks 71

Using Different SSID for Provisioning and Provisioned Networks 71

Configuring Online Certificate Status Protocol 72

Configuring Certificate Revocation List (CRL) 72 Network Architecture for Onboard 72

Network Architecture for Onboard when Using ClearPass Guest 74 The ClearPass Onboard Process 75

Devices Supporting Over-the-Air Provisioning 75

Devices Supporting Onboard Provisioning 76

Managing Provisioned Applications 78 Configuring the User Interface for Device Provisioning 79

Customizing the Device Provisioning Web Login Page 79 Using the {nwa_mdps_config} Template Function 80

Configuring the Certificate Authority 81

Setting Up the Certificate Authority 81 Setting Up a Root Certificate Authority 82 Setting Up an Intermediate Certificate Authority 84 Obtaining a Certificate for the Certificate Authority 86 Using Microsoft Active Directory Certificate Services 86 Installing a Certificate Authority’s Certificate 88 Renewing the Certificate Authority’s Certificate 90 Configuring Data Retention Policy for Certificates 90

Uploading Certificates for the Certificate Authority 91 Creating a Certificate 93

Specifying the Identity of the Certificate Subject 93 Issuing the Certificate Request 95

Managing Certificates 95

Searching for Certificates in the List 96 Working with Certificates in the List 97 Working with Certificate Signing Requests 99 Importing a Code-Signing Certificate 101 Importing a Trusted Certificate 103

Requesting a Certificate 104

Providing a Certificate Signing Request in Text Format 104 Providing a Certificate Signing Request File 105 Specifying Certificate Properties 106

Configuring Provisioning Settings 106

Configuring Basic Provisioning Settings 107

Configuring Certificate Properties for Device Provisioning 107

Configuring Revocation Checks and Authorization 109 Configuring Provisioning Settings for iOS and OS X 110

Configuring Instructions for iOS and OS X 111

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide | 5

Configuring Reconnect Behavior for iOS and OS X 111 Configuring Provisioning Settings for Legacy OS X Devices 112 Configuring Provisioning Settings for Windows Devices 113 Configuring Provisioning Settings for Android Devices 114 Configuring Options for Legacy OS X, Windows, and Android Devices 116

Configuring Network Settings for Device Provisioning 117

Configuring Basic Network Access Settings 118 Configuring 802.1X Authentication Network Settings 120 Configuring Device Authentication Settings 121 Configuring Mutual Authentication Settings 122

Configuring Trust Settings Automatically 122

Configuring Trust Settings Manually 123 Configuring Windows-Specific Network Settings 124 Configuring Proxy Settings 125

Configuring an iOS Device VPN Connection 125 Configuring an iOS Device Email Account 127 Configuring an iOS Device Passcode Policy 129 Resetting Onboard Certificates and Configuration 130 Onboard Troubleshooting 131

Configuration 133

Accessing Configuration 133 Configuring ClearPass Guest Authentication 134 Content Manager 134

Uploading Content 135 Downloading Content 135 Additional Content Actions 136

Customizing Guest Manager 137

Default Settings for Account Creation 137 About Fields, Forms, and Views 141 Business Logic for Account Creation 141

Verification Properties 141

Basic User Properties 141

Visitor Account Activation Properties 142

Visitor Account Expiration Properties 142

Other Properties 143 Standard Forms and Views 143

Customizing Fields 145

Creating a Custom Field 145 Duplicating a Field 147 Editing a Field 147 Deleting a Field 147 Displaying Forms that Use a Field 147 Displaying Views that Use a Field 147

Customizing AirGroup Registration Forms 147

Configuring the Shared Locations and Shared Role Fields 147

6 | Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

Example: 149

Customizing Forms and Views 150

Editing Forms and Views 151 Duplicating Forms and Views 151 Editing Forms 152 Form Field Editor 152 Form Validation Properties 162 Examples of Form field Validation 163 Advanced Form Field Properties 165 Form Field Validation Processing Sequence 166 Editing Views 169 View Field Editor 169

Customizing Self-Provisioned Access 171

Self-Registration Sequence Diagram 171 Creating a Self-Registration Page 172 Editing Self-Registration Pages 173 Configuring Basic Properties for Self-Registration 174

Using a Parent Page 174

Paying for Access 175

Requiring Operator Credentials 175 Editing Registration Page Properties 176 Editing the Default Self-Registration Form Settings 177 Creating a Single Password for Multiple Accounts 177 Editing Guest Receipt Page Properties 178 Editing Receipt Actions 178

Enabling Sponsor Confirmation for Role Selection 179

Editing Download and Print Actions for Guest Receipt Delivery 181

Editing Email Delivery of Guest Receipts 181

Editing SMS Delivery of Guest Receipts 182 Enabling and Editing NAS Login Properties 183 Editing Login Page Properties 184 Self-Service Portal Properties 186 Resetting Passwords with the Self-Service Portal 187

Email Receipts and SMTP Services 189

About Email Receipts 189 Configuring Email Receipts 190 Email Receipt Options 190 About Customizing SMTP Email Receipt Fields 192

Customizing Print Templates 194

Creating New Print Templates 194 Print Template Wizard 196 Modifying Wizard-Generated Templates 196 Setting Print Template Permissions 197

Customize SMS Receipt 198

SMS Receipt Fields 199

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide | 7

Configuring Access Code Logins 199

Customize Random Username and Passwords 199 Create the Print Template 199 Customize the Guest Accounts Form 201 Create the Access Code Guest Accounts 201

Hotspot Manager 203

Accessing Hotspot Manager 203 About Hotspot Management 203 Managing the Hotspot Sign-up Interface 204

Captive Portal Integration 205 Web Site Look-and-Feel 206 SMS Services 206

Managing Hotspot Plans 206

Editing or Creating a Hotspot Plan 207

Managing Transaction Processors 209

Creating a New Transaction Processor 209 Managing Existing Transaction Processors 210

Managing Customer Information 210 Managing Hotspot Invoices 210 Customizing the User Interface 211

Customizing Visitor Sign-Up Page One 212 Customizing Visitor Sign-Up Page Two 212 Customizing Visitor Sign-Up Page Three 215

Viewing the Hotspot User Interface 217

Administration 219

AirGroup Services 220

Configuring the AirGroup Services Plugin 220 Creating AirGroup Administrators 221 Creating AirGroup Operators 221 Authenticating AirGroup Users via LDAP 221

Data Retention 221 Import Configuration 222 Plugin Manager 223

Viewing Available Plugins 223 Configuring Plugins 224

Configuring the Kernel Plugin 225

Configuring the Dell W-ClearPass Skin Plugin 226

Configuring the SMS Services Plugin 227

SMS Services 228

Viewing SMS Gateways 228 Creating a New SMS Gateway 229 Editing an SMS Gateway 231 Sending an SMS 232 About SMS Credits 233

8 | Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

About SMS Guest Account Receipts 233 SMS Receipt Options 234 Working with the SMTP Carrier List 234

Support Services 236

Viewing the Application Log 237 Exporting the Application Log 238 Contacting Support 239 Viewing Documentation 239

Operator Logins 241

Accessing Operator Logins 241 About Operator Logins 241

Role-Based Access Control for Multiple Operator Profiles 242

Operator Profiles 242

Creating an Operator Profile 242

Configuring the User Interface 245

Customizing Forms and Views 245 Operator Profile Privileges 246 Managing Operator Profiles 247 Configuring AirGroup Operator Device Limit 247

Local Operator Authentication 247

Creating a New Operator 248

External Operator Authentication 248

Manage LDAP Operator Authentication Servers 249 Creating an LDAP Server 249 Advanced LDAP URL Syntax 251 Viewing the LDAP Server List 251 LDAP Operator Server Troubleshooting 252

Testing Connectivity 252

Testing Operator Login Authentication 252

Looking Up Sponsor Names 253

Troubleshooting Error Messages 253 LDAP Translation Rules 254 Custom LDAP Translation Processing 256

Operator Logins Configuration 257

Custom Login Message 258 Advanced Operator Login Options 259

Automatic Logout 259

Reference 261

Basic HTML Syntax 261

Standard HTML Styles 262

Smarty Template Syntax 264

Basic Template Syntax 264 Text Substitution 264 Template File Inclusion 264

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide | 9

Comments 264 Variable Assignment 264 Conditional Text Blocks 264 Script Blocks 265 Repeated Text Blocks 265 Foreach Text Blocks 265 Modifiers 266 Predefined Template Functions 266

dump 266

nwa_commandlink 267

nwa_iconlink 267

nwa_icontext 268

nwa_quotejs 269

nwa_radius_query 269

ChangeToRole() 270

GetCallingStationCurrentSession() 270

GetCallingStationSessions() 270

GetCallingStationTime() 270

GetCallingStationTraffic() 271

GetCurrentSession() 271

GetIpAddressCurrentSession() 272

GetIpAddressSessions() 272

GetIpAddressTime() 272

GetIpAddressTraffic() 272

GetSessions() 273

GetSessionTimeRemaining() 273

GetTime() 273

GetTraffic() 274

GetUserActiveSessions() 274

GetUserActiveSessionCount() 274

GetUserCumulativeUsage() 274

GetUserCurrentSession() 274

GetUserFirstLoginTime() 274

GetUserSessions() 275

GetUserTraffic() 275 Advanced Developer Reference 275

nwa_assign 275

nwa_bling 275

nwa_makeid 276

nwa_nav 276

nwa_plugin 277

nwa_privilege 278

nwa_replace 278

nwa_text 278

nwa_userpref 279

10 | DellNetworking W-ClearPass Guest 6.0 | Deployment Guide

nwa_youtube 279

Date/Time Format Syntax 279

nwadateformat Modifier 279 nwatimeformat Modifier 280 Date/Time Format String Reference 281

Programmer’s Reference 282

NwaAlnumPassword 282 NwaBoolFormat 282 NwaByteFormat 283 NwaByteFormatBase10 283 NwaComplexPassword 283 NwaCsvCache 283 NwaDigitsPassword($len) 283 NwaDynamicLoad 283 NwaGeneratePictureString 283 NwaGenerateRandomPasswordMix 284 NwaLettersDigitsPassword 284 NwaLettersPassword 284 NwaMoneyFormat 284 NwaParseCsv 284 NwaParseXml 285 NwaPasswordByComplexity 285 NwaSmsIsValidPhoneNumber 286 NwaStrongPassword 286 NwaVLookup 286 NwaWordsPassword 287

Field, Form, and View Reference 287

GuestManager Standard Fields 287 Hotspot Standard Fields 294 SMS Services Standard Fields 295 SMTP Services Standard Fields 296 Format Picture String Symbols 297 Form Field Validation Functions 298 Form Field Conversion Functions 301 Form Field Display Formatting Functions 301 View Display Expression Technical Reference 303

LDAP Standard Attributes for User Class 304 Regular Expressions 305

Glossary 307 Index 311

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide | 11

12 | DellNetworking W-ClearPass Guest 6.0 | Deployment Guide

Chapter 1

About this Guide

Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manager visitor network access.

Audience

This deployment guide is intended for system administrators and people who are installing and configuring Dell Networking W-ClearPass Guest as their visitor management solution. It describes the installation and configuration process.

Conventions

The following conventions are used throughout this guide to emphasize important concepts:

Table 1:

Typographical Conventions

Type Style Description

Italics

System items

Commands

Arguments

[Optional]

{Item A | Item B}

This style is used to emphasize important terms and to mark the titles of books.

This fixed-width font depicts the following:

l Sample screen output l System prompts l Filenames, software devices, and specific commands when mentioned in the text

In the command examples, this bold font depicts text that you must type exactly as shown.

In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:

# send <text message>

In this example, you would type “send” at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.

Command examples enclosed in brackets are optional. Do not type the brackets.

In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide About thisGuide | 13

The following informational icons are used throughout this guide:

NOTE: Indicates helpful suggestions, pertinent information, and important things to remember.

CAUTION: Indicates a risk of damage to your hardware or loss of data.

WARNING: Indicates a risk of personal injury or death.

Contacting Support

Web Site Support

Main Website dell.com

Support Website dell.com/support

Documentation Website dell.com/support/manuals

14 | Contacting Support Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

Chapter 2

Dell Networking W-ClearPass Guest Overview

This chapter explains the terms, concepts, processes, and equipment involved in managing visitor access to a network, and helps you understand how Dell Networking W-ClearPass Guest can be successfully integrated into your network infrastructure. It is intended for network architects, IT administrators, and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.

This chapter includes the following sections:

l "About Dell Networking W-ClearPass Guest" on page 15

l "Visitor Access Scenarios " on page 16

l "Reference Network Diagram " on page 16

l "Key Interactions" on page 17

l "AAA Framework" on page 18

l "Key Features" on page 19

l "Visitor Management Terminology" on page 20

l "ClearPass Guest Deployment Process " on page 21

l "AirGroup Deployment Process " on page 23

l "Documentation and User Assistance " on page 24

l "Use of Cookies " on page 25

About Dell Networking W-ClearPass Guest

Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. It gives your non-technical staff controlled access to a dedicated visitor management user database. Through a customizable Web portal, your staff can easily create an account, reset a password, or set an expiry time for visitors. Access permissions to ClearPass Guest functions are controlled through an operator profile that can be integrated with an LDAP server or Active Directory login.

Visitors can be registered at reception and provisioned with an individual guest account that defines their visitor profile and the duration of their visit. The visitor can be given a printed customized receipt with account details, or the receipt can be delivered wirelessly using the integrated SMS services. Companies are also able to pre-generate custom scratch cards, each with a defined network access time, which can then be handed out in a corporate environment or sold in public access scenarios.

You can use the customization features to define settings that allow your visitors to self-provision their own guest accounts. Visitors register through a branded and customized Web portal, ensuring a streamlined and professional experience. Surveys can also be presented during the self-registration process and the data stored for later analysis and reporting, providing additional insight to your visitors and their network usage.

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide Dell Networking W-ClearPassGuest Overview | 15

ClearPass Guest integrates with all leading wireless and NAC solutions through a flexible definition point, ClearPass Policy Manager. This ensures that IT administrators have a standard integration with the network security framework, but gives operational staff the user interface they require.

Visitor Access Scenarios

The following figure shows a high-level representation of a typical visitor access scenario.

Figure 1: Visitor access using ClearPass Guest

In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because access to the network is restricted, visitors must first obtain a username and password. A guest account may be provisioned by a corporate operator such as a receptionist, who can then give the visitor a print receipt that shows their username and password for the network.

When visitors use self-registration, as might be the case for a network offering public access, the process is broadly similar but does not require a corporate operator to create the guest account. The username and password for a selfprovisioned guest account may be delivered directly to the visitor’s Web browser, or sent via SMS or email.

Reference Network Diagram

The following figure shows the network connections and protocols used by ClearPass Guest.

16 | Visitor AccessScenarios Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

Figure 2: Reference network diagram for visitor access

The network administrator, operators, and visitors may use different network interfaces to access the visitor management features. The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points.

Key Interactions

The following figure shows the key interactions between ClearPass Guest and the people and other components involved in providing guest access.

Figure 3: Interactions involved in guest access

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide Key Interactions | 17

ClearPass Guest is part of your network’s core infrastructure and manages guest access to the network.

NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS protocol to ask ClearPass Policy Manager to authenticate the username and password provided by a guest logging in to the network. If authentication is successful, the guest is then authorized to access the network.

Roles are assigned to a guest as part of the context ClearPass Policy Manager uses to apply its policies. RADIUS attributes that define a role’s access permissions are contained within Policy Manager’s Enforcement Profile. Additional features such as role mapping for ClearPass Guest can be performed in ClearPass Policy Manager.

The network usage of authorized guests is monitored by the NAS and reported in summary form to ClearPass Policy Manager using RADIUS accounting, which allows administrators to generate network reports in ClearPass Insight.

AAA Framework

ClearPass Guest is built on the industry standard AAA framework, which consists of authentication, authorization, and accounting components.

The following figure shows how the different components of this framework are employed in a guest access scenario.

Figure 4: Sequence diagram for network access using AAA

In the standard AAA framework, network access is provided to a user according to the following process:

l The user connects to the network by associating with a local access point [1].

18 | AAA Framework Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

l A landing page is displayed to the user [2] which allows them to log in to the NAS [3], [4] using the login name

and password of their guest account.

l The NAS authenticates the user with the RADIUS protocol [5].

l ClearPass Policy Manager determines whether the user is authorized, and, if so, returns vendor-specific attributes

[6] that are used to configure the NAS based on the user’s role and other policies [7].

l If the user’s access is granted, the NAS permits the guest access to the network based on the settings provided by

the ClearPass Policy Manager server.

l The NAS reports details about the user’s session to the ClearPass Policy Manager server using RADIUS

accounting messages [8].

l After the user’s session times out [9], the NAS will return the user to an unauthorized state and finalize the

details of the user’s session with an accounting update [10].

Key Features

Refer to the table below for a list of key features and a cross-reference to the relevant section of this deployment guide.

Table 2:

List of Key features

Feature Refer to…

Visitor Access

Web server providing content delivery for guests

Guest self-registration

Visitor Management

Create and manage visitor accounts, individually or in groups

Manage active RADIUS sessions using RFC 3576 dynamic authorization support

Import and export visitor accounts

Create guest self-registration forms

"Content Manager " on page 134

"Customizing Self-Provisioned Access " on page 171

"Using Standard Guest Management Features" on page 29

"Active Sessions Management " on page 59

"Importing Guest Accounts " on page 40

"Creating a Self-Registration Page " on page 172

Configure a self-service portal for guests

Local printer, SMS or email delivery of account receipts

Visitor Account Features

Independent activation time, expiration time, and maximum usage time

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide Key Features | 19

"Self-Service Portal Properties" on page 186

"Editing Guest Receipt Page Properties" on page 178

"Business Logic for Account

Feature Refer to…

Creation" on page 141

Define unlimited custom fields

Username up to 64 characters

Customization Features

Create new fields and forms for visitor management

Use built-in data validation to implement visitor survey forms

Create print templates for visitor account receipts

Administrat ive Management Features

Operators defined and authenticated locally

Operators authenticated via LDAP

Role based access control for operators

"Customizing Fields " on page 145

"GuestManager Standard Fields" on page 287

"Customizing Forms and Views

" on page 150

"Form Validation Properties" on page 162

"Editing Guest Receipt Page Properties" on page 178

"Local Operator Authentication" on page 247

"External Operator Authentication" on page 248

"Operator Profiles " on page 242

Plugin-based application features, automatically updated by ClearPass Policy Manager

User Interface Features

Context-sensitive help with searchable online documentation

"Plugin Manager " on page 223

"Documentation and User Assistance " on page 24

Visitor Management Terminology

The following table describes the common terms used in ClearPass Guest and this guide.

Table 3:

Common Terms

Term Explanation

Accounting Process of recording summary information about network access by users and devices.

Authentication Verification of a user’s credentials; typically a username and password.

Authorization Controls the type of access that an authenticated user is permitted to have.

Captive Portal

Implemented by a Network Access Server to restrict network access to authorized users only.

20 | Visitor Management Terminology Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

Term Explanation

Field In a user interface or database, a single item of information about a user account.

Form In a user interface, a collection of editable fields displayed to an operator.

Device that provides network access to users, such as a wireless access point, network

Network Access Server

switch, or dial-in terminal server. When a user connects to the NAS device, a RADIUS access request is generated by the NAS.

Operator Profile

Operator/Operator Login User of ClearPass Guest to create guest accounts or perform system configuration.

Print Template Formatted template used to generate guest account receipts.

Role

Sponsor Operator

User Database Database listing the guest accounts in ClearPass Guest.

View

Visitor/Guest Someone who is permitted to access the Internet through your Network Access Server.

Visitor Account

Web Login/NAS Login Login page displayed to a guest user.

Characteristics assigned to a class of operators, such as the permissions granted to those operators.

Type of access being granted to visitors. You can define multiple roles. Such roles could include employee, guest, team member, or press.

In a user interface, a table displaying data, such as visitor account information, to operators.

Settings for a visitor stored in the user database, including username, password and other fields.

ClearPass Guest Deployment Process

As part of your preparations for deploying a visitor management solution, you should consider the following areas:

l Management decisions about security policy

l Decisions about the day-to-day operation of visitor management

l Technical decisions related to network provisioning

Operational Concerns

When deploying a visitor management solution, you should consider these operational concerns:

l Who is going to be responsible for managing guest accounts? What privileges will the guest account manager

have? Will this person only create guest accounts or will this person also be permitted access to reports?

l Do you want guests to be able to self-provision their own network access? What settings should be applied to

self-provisioned visitor accounts?

l How will operator logins be provisioned? Should operators be authenticated against an LDAP server?

l Who will manage reporting of guest access? What are the reports of interest? Are any custom reports needed?

Network Provisioning

Deploying ClearPass Guest requires provisioning the following:

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide ClearPass Guest Deployment Process | 21

l Physical location – rack space, power and cooling requirements; or deployment using virtualization

l Network connectivity – VLAN selection, IP address, and hostname

l Security infrastructure – SSL certificate

Site Preparation Checklist

The following is a checklist of the items that should be considered when setting up ClearPass Guest.

Table 4:

Site Preparation Checklist

Security Policy

Operational Concerns

Policy Decision

Segregated guest accounts?

Type of network access?

Time of day access?

Bandwidth allocation to guests?

Prioritization of traffic?

Different guest roles?

IP address ranges for operators?

Enforce access via HTTPS?

Who will manage guest accounts?

Guest account self provisioning?

What privileges will the guest managers have?

Who will be responsible for printing reports?

Network Management Policy

Password format for guest accounts?

Shared secret format?

Operator provisioning?

Network Provisioning

Physical location?

Network connectivity?

Security infrastructure?

22 | Site Preparation Checklist Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

Security Policy Considerations

To ensure that your network remains secure, decisions have to be made regarding guest access:

l Do you wish to segregate guest access? Do you want a different VLAN, or different physical network

infrastructure to be used by your guests?

l What resources are you going to make available to guests (for example, type of network access; permitted times

of day; bandwidth allocation)?

l Will guest access be separated into different roles? If so, what roles are needed?

l How will you prioritize traffic on the network to differentiate quality of service for guest accounts and non-guest

accounts?

l What will be the password format for guest accounts? Will you be changing this format on a regular basis?

l What requirements will you place on the shared secret, between NAS and the RADIUS server to ensure network

security is not compromised?

l What IP address ranges will operators be using to access the server?

l Should HTTPS be required in order to access the visitor management server?

AirGroup Deployment Process

AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. You use ClearPass Guest to define AirGroup administrators and operators. AirGroup administrators can then use ClearPass Guest to register and manage an organization’s shared devices and configure access according to username, role, or location. AirGroup operators (end users) can use ClearPass Guest to register their personal devices and define the group who can share them.

Table 5 summarizes the steps for configuring AirGroup functionality in ClearPass Guest. Details for these steps are

provided in the relevant sections of this Guide. This table does not include the configuration steps performed in ClearPass Policy Manager or the W-Series controller. For complete AirGroup deployment information, refer to the AirGroup Deployment Guide and the ClearPass Policy Manager documentation.

Table 5:

Summary of AirGroup Configuration Steps in ClearPass Guest

Step Section in this Guide

Create AirGroup administrators "Creating a New Operator" on page 248

Create AirGroup operators "Creating a New Operator" on page 248

Configure an operator’s device limit "Configuring AirGroup Operator Device Limit " on page 247

To authenticate AirGroup users via LDAP:

l Define the LDAP server l Define appropriate translation rules

AirGroup administrator: Register devices or groups of devices

AirGroup operator: Register personal devices "AirGroup Device Registration " on page 53

(Optional) Configure device registration form with dropdown lists for existing locations and roles

"External Operator Authentication" on page 248 "LDAP Translation Rules " on page 254

"AirGroup Device Registration " on page 53

"Customizing AirGroup Registration Forms " on page 147

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide Security Policy Considerations | 23

Documentation and User Assistance

This section describes the variety of user assistance available for ClearPass Guest.

Deployment Guide and Online Help

This Deployment Guide provides complete information for all ClearPass Guest features. The following quick links may be useful in getting started.

Table 6:

Quick Links

For information about... Refer to...

What visitor management is and how it works

Using the guest management features

Role-based access control for operators "Operator Profiles " on page 242

Setting up LDAP authentication for operators "External Operator Authentication" on page 248

Guest self-provisioning features "Self Provisioned Guest Access" on page 28

Dynamic authorization extensions "RFC 3576 Dynamic Authorization" on page 61

SMS receipts for guest accounts "SMS Services " on page 228

Email receipts for guest accounts "Email Receipts and SMTP Services" on page 189

Network administration of the appliance "Administration " on page 219

"About Dell Networking W-ClearPass Guest" on page 15

"Using Standard Guest Management Features" on page 29

Context-Sensitive Help

For more detailed information about the area of the application you are using, click the context-sensitive Help link displayed at the top right of the page. This opens a new browser tab showing the relevant section of this deployment guide.

The deployment guide may be searched using the Search box in the top right corner.

Type in keywords related to your search and click the Search button to display a list of matches. The most relevant matches will be displayed first. Words may be excluded from the search by typing a minus sign directly before the word to exclude (for example-exclude). Exact phrase matches may also be searched for by enclosing the phrase in double quotes (for example, “word phrase”).

24 | Documentation and User Assistance

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

Field Help

The ClearPass Guest user interface has field help built into every form. The field help provides a short summary of the purpose of the field at the point you need it most. In many cases this is sufficient to use the application without further assistance or training.

Quick Help

In list views, click the Quick Help tab located at the top left of the list to display additional information about the list you are viewing and the actions that are available within the list.

On some forms and views, the Quick Help icon may also be used to provide additional detail about a field.

If You Need More Assistance

If you encounter a problem using ClearPass Guest, your first step should be to consult the appropriate section in this Deployment Guide.

If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you with the answer or obtain a solution to your problem.

If you still need information, you can refer to the Contact Support command available under Support Services in the user interface, or see "Contacting Support" on page 14.

Use of Cookies

Cookies are small text files that are placed on a user’s computer by Web sites the user visits. They are widely used in order to make Web sites work, or work more efficiently, as well as to provide information to the owners of a site. Session cookies are temporary cookies that last only for the duration of one user session.

When a user registers or logs in via a W-Series captive portal, Dell uses session cookies solely to remember between clicks who a guest or operator is. Dell uses this information in a way that does not identify any user-specific information, and does not make any attempt to find out the identities of those using its W-Series ClearPass products. Dell does not associate any data gathered by the cookie with any personally identifiable information (PII) from any source. Dell uses session cookies only during the user’s active session and does not store any permanent cookies on a user’s computer. Session cookies are deleted when the user closes his/her Web browser.

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide Field Help | 25

26 | Use of Cookies Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

Chapter 3

Guest Manager

The ability to easily create and manage guest accounts is the primary function of Dell Networking W-ClearPass Guest. The Guest Manager module provides complete control over the user account creation process.

Guest Manager features for managing guest accounts let you:

l Create single or multiple guest accounts and receipts

l List guest accounts and edit individual or multiple accounts

l View and manage active sessions

l Import new accounts from a text file

l Export a list of accounts

l View MAC devices

l Create new MAC devices

Many features can also be customized. For information on customizing Guest Manager settings, forms and views, guest self-registration, and print templates, see "Configuration " on page 133.

Accessing Guest Manager

To access Dell Networking W-ClearPass Guest’s guest management features, click the Guest link in the left navigation.

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide Guest Manager | 27

About Guest Management Processes

There are two major ways to manage guest access – either by your operators provisioning guest accounts, or by the guests self-provisioning their own accounts. Both of these processes are described in the next sections.

Self Provisioned Guest Access

Self-provisioned access is similar to sponsored guest access, but there is no need for an operator to create the account or to print the receipt. The following figure shows the process of self-provisioned guest access.

Figure 6: Guest access when guest is self-provisioned

The guest logs on to the Network Access Server (NAS), which captures the guest and redirects them to a captive portal login page. From the login page, guests without an account can browse to the guest self-registration page, where the guest creates a new account. At the conclusion of the registration process, the guest is automatically redirected to the NAS to log in.

The guest can print or download a receipt, or have the receipt information delivered by SMS or email.

28 | About Guest Management Processes Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

The NAS performs authentication and authorization for the guest in ClearPass Guest. Once authorized, the guest is then able to access the network.

See"Customizing Self-Provisioned Access " on page 171 for details on creating and managing self-registration pages.

Using Standard Guest Management Features

This section describes:

l How to create a single guest account and a guest account receipt

l How to create multiple guest accounts and multiple guest account receipts

l How to create a single password for multiple accounts

l How to list and edit single and multiple guest accounts

To customize guest self-registration, please see Configuration on page 133.

Creating a Guest Account

To create a new account, go to Guest > Create Account, or click the Create New Guest Account command link on the Guest Manager page. The New Visitor Account form opens.

NOTE: The New Visitor Account form (create_user) may be customized by adding new fields, or modifying or removing the existing fields. See"Customizing Self-Provisioned Access " on page 171 for details about the customization process. The default settings for this form are described below.

To complete the form, first enter the visitor’s details into the Sponsor’s Name, Visitor Name, Company Name and Email Address fields. The visitor’s email address will become their username to log into the network.

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide Using Standard Guest Management Features | 29

You can specify the account activation and expiration times. The visitor account cannot be used before the activation time, or after the expiration time.

The Account Role specifies what type of account the visitor should have.

A random password is created for each visitor account. This is displayed on this form, but will also be available on the guest account receipt.

You must mark the Terms of Use check box in order to create the visitor account.

Click the Create Account button after completing the form.

Creating a Guest Account Receipt

After you click the Create Account button on the New Visitor Account form, the details for that account are displayed.

To print a receipt for the visitor, select an appropriate template from the Open print window using template… list. A new Web browser window will open and the browser’s Print dialog box will be displayed.

Click the Send SMS receipt link to send a guest account receipt via text message. Use the SMS Receipt form to enter the mobile telephone number to which the receipt should be sent.

Sending SMS receipts requires the SMS Services plugin. If the administrator has enabled automatic SMS, and the visitor’s phone number was typed into the New Visitor Account form, an SMS message will be sent automatically. A message is displayed on the account receipt page after an SMS message has been sent.

Click the Send email receipt link to send an email copy of the guest account receipt. Use the Email Receipt form to enter the email address to which the receipt should be sent. You can also specify the subject line for the email message. If the administrator has enabled automatic email for guest account receipts, and the visitor’s email address was typed into the New Visitor Account form, an email receipt will be sent automatically. A message is displayed on the account receipt page after an email has been sent.

Creating Multiple Guest Accounts

The Create Guest Accounts form is used to create a group of visitor accounts.

To create multiple accounts, go to Guest > Create Multiple, or click the Create Multiple Guest Accounts command link on the Guest Manager page. The Create Guest Accounts form opens.

30 | Creating a Guest Account Receipt

Dell Networking W-ClearPassGuest 6.0 | Deployment Guide

+ 290 hidden pages