Dell Powerconnect W-ClearPass Virtual Appliances User Manual

Download

Page 1

Dell Networking W-ClearPass

Guest 6.4

User Guide

Page 2

© 2014 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.

Originated in the USA. All other trademarks are the property of their respective owners.

Open Source Code

Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved.This product includes software developed by Lars Fenneberg, et al. The Open Source code used can be found at this site:

http://www.arubanetworks.com/open_source

Legal Notice

The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.

2 | Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 3

Contents

About this Guide 17

Audience 17

Conventions 17

Contacting Support 18

W-ClearPass Guest Overview 19

About Dell Networking W-ClearPass Guest 19

Visitor Access Scenarios 20

Reference Network Diagram 21

Key Interactions 22

AAA Framework 23

Key Features 24

Visitor Management Terminology 25

W-ClearPass Guest Deployment Process 26

Operational Concerns 26

Network Provisioning 26

Site Preparation Checklist 27

Security Policy Considerations 27

AirGroup Deployment Process 28

Documentation and User Assistance 29

User Guide and Online Help 29

Context-Sensitive Help 29

Field Help 29

Quick Help 30

If You Need More Assistance 30

Use of Cookies 30

W-ClearPass Guest Manager 31

Accessing Guest Manager 31

About Guest Management Processes 32

About this Guide

Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manager visitor network access.

Audience

This User Guide is intended for system administrators and people who are installing and configuring Dell Networking W-ClearPass Guest as their visitor management solution. It describes the installation and configuration process.

Conventions

The following conventions are used throughout this guide to emphasize important concepts:

Table 1: Typographical Conventions

Type Style Description

Italics

System items

Commands

Arguments

[Optional]

{Item A | Item B}

> In the command examples, italicized text within angle brackets represents items that

This style is used to emphasize important terms and to mark the titles of books.

This fixed-width font depicts the following:

l Sample screen output l System prompts l Filenames, software devices, and specific commands when mentioned in the text

In the command examples, this bold font depicts text that you must type exactly as shown.

you should replace with information appropriate to your specific situation. For example:

# send <text message>

In this example, you would type “send” at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.

Command examples enclosed in brackets are optional. Do not type the brackets.

In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

Dell Networking W-ClearPass Guest 6.4 | User Guide About this Guide | 17

Page 18

The following informational icons are used throughout this guide:

Indicates helpful suggestions, pertinent information, and important things to remember.

Indicates a risk of damage to your hardware or loss of data.

Indicates a risk of personal injury or death.

Contacting Support

Web Site Support

Main Website dell.com

Support Website

Documentation Website

dell.com/support

dell.com/support/manuals

18 | About this Guide Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 19

Chapter 2

W-ClearPass Guest Overview

This chapter explains the terms, concepts, processes, and equipment involved in managing visitor access to a network, and helps you understand how Dell Networking W-ClearPass Guest can be successfully integrated into your network infrastructure. It is intended for network architects, IT administrators, and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.

This chapter includes the following sections:

l "About Dell Networking W-ClearPass Guest" on page 19

l "Visitor Access Scenarios" on page 20

l "Reference Network Diagram" on page 21

l "Key Interactions" on page 22

l "AAA Framework" on page 23

l "Key Features" on page 24

l "Visitor Management Terminology" on page 25

l "W-ClearPass Guest Deployment Process" on page 26

l "AirGroup Deployment Process" on page 28

l "Documentation and User Assistance" on page 29

l "Use of Cookies" on page 30

About Dell Networking W-ClearPass Guest

Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. It gives your non-technical staff controlled access to a dedicated visitor management user database. Through a customizable Web portal, your staff can easily create an account, reset a password, or set an expiry time for visitors. Access permissions to WClearPass Guest functions are controlled through an operator profile that can beintegrated with an LDAP server or Active Directory login.

Visitors can be registered at reception and provisioned with an individual guest account that defines their visitor profile and the duration of their visit. The visitor can be given a printed customized receipt with account details, or the receipt can be delivered wirelessly using the integrated SMS services. Companies are also able to pre-generate custom scratch cards, each with a defined network access time, which can then be handed out in a corporate environment or sold in public access scenarios.

You can use the customization features to define settings that allow your visitors to self-provision their own guest accounts. Visitors register through a branded and customized Web portal, ensuring a streamlined and professional experience. Surveys can also be presented during the self-registration process and the data stored for later analysis and reporting, providing additional insight to your visitors and their network usage.

W-ClearPass Guest integrates with all leading wireless and NAC solutions through a flexible definition point, WClearPass Policy Manager. This ensures that IT administrators have a standard integration with the network security framework, but gives operational staff the user interface they require.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 19

Page 20

Visitor Access Scenarios

The following figure shows a high-level representation of a typical visitor access scenario.

Figure 1 Visitor access using W-ClearPass Guest

In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because access to the network is restricted, visitors must first obtain a username and password. A guest account may be provisioned by a corporate operator such as a receptionist, who can then give the visitor a print receipt that shows their username and password for the network.

When visitors use self-registration, as might be the case for a network offering public access, the process is broadly similar but does not require a corporate operator to create the guest account. The username and password for a self-provisioned guest account may be delivered directly to the visitor’s Web browser, or sent via SMS or email.

20 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 21

Reference Network Diagram

The following figure shows the network connections and protocols used by W-ClearPass Guest.

Figure 2 Reference network diagram for visitor access

The network administrator, operators, and visitors may use different network interfaces to access the visitor management features. The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 21

Page 22

Key Interactions

The following figure shows the key interactions between W-ClearPass Guest and the people and other components involved in providing guest access.

Figure 3 Interactions involved in guest access

W-ClearPass Guest is part of your network’s core infrastructure and manages guest access to the network.

NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS protocol to ask W-ClearPass Policy Manager to authenticate the username and password provided by a guest logging in to the network. If authentication is successful, the guest is then authorized to access the network.

Roles are assigned to a guest as part of the context W-ClearPass Policy Manager uses to apply its policies. RADIUS attributes that define a role’s access permissions are contained within Policy Manager’s Enforcement Profile. Additional features such as role mapping for W-ClearPass Guest can be performed in W-ClearPass Policy Manager.

The network usage of authorized guests is monitored by the NAS and reported in summary form to WClearPass Policy Manager using RADIUS accounting, which allows administrators to generate network reports in W-ClearPass Insight.

22 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 23

AAA Framework

W-ClearPass Guest is built on the industry standard AAA framework, which consists of authentication, authorization, and accounting components.

The following figure shows how the different components of this framework are employed in a guest access scenario.

Figure 4 Sequence diagram for network access using AAA

In the standard AAA framework, network access is provided to a user according to the following process:

l The user connects to the network by associating with a local access point [1].

l A landing page is displayed to the user [2] which allows them to log in to the NAS [3], [4] using the login

name and password of their guest account.

l The NAS authenticates the user with the RADIUS protocol [5].

l W-ClearPass Policy Manager determines whether the user is authorized, and, if so, returns vendor-specific

attributes [6] that are used to configure the NAS based on the user’s role and other policies [7].

l If the user’s access is granted, the NAS permits the guest access to the network based on the settings

provided by the W-ClearPass Policy Manager server.

l The NAS reports details about the user’s session to the W-ClearPass Policy Manager server using RADIUS

accounting messages [8].

l After the user’s session times out [9], the NAS will return the user to an unauthorized state and finalize the

details of the user’s session with an accounting update [10].

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 23

Page 24

Key Features

Refer to the table below for a list of key features and a cross-reference to the relevant section of this User Guide.

Table 2: List of Key features

Feature Reference

Visitor Access

Web server providing content delivery for guests "Managing Content: Private

Files and Public Files" on page 189

Guest self-registration "Customizing Guest Self-

Registration" on page 235

Visitor Management

Create and manage visitor accounts, individually or in groups "Using Standard Guest

Management Features" on page 38

Manage active RADIUS sessions using RFC 3576 dynamic authorization support "Active Sessions

Management" on page 33

Import and export visitor accounts "Importing Guest Accounts"

on page 52

Create guest self-registration forms "Creating a Self-Registration

Page" on page 241

Configure a self-service portal for guests "Self-Service Portal

Properties" on page 257

Local printer, SMS or email delivery of account receipts "Editing Guest Receipt Page

Properties" on page 248

Visitor Account Features

Independent activation time, expiration time, and maximum usage time "Business Logic for Account

Creation" on page 198

Define unlimited custom fields "Customizing Fields" on page

206

Username up to 64 characters "GuestManager Standard

Fields" on page 504

Customization F eatures

Create new fields and forms for visitor management "Customizing Forms and

Views" on page 212

Use built-in data validation to implement visitor survey forms "Form Validation Properties"

on page 227

Create print templates for visitor account receipts "Editing Guest Receipt Page

Properties" on page 248

24 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 25

Feature Reference

Administrative Management Feat ures

Operators defined and authenticated locally "Local Operator

Authentication" on page 464

Operators authenticated via LDAP "External Operator

Authentication" on page 465

Role based access control for operators "Operator Profiles" on page

458

Plugin-based application features, automatically updated by W-ClearPass Policy Manager

User Interface Features

Context-sensitive help with searchable online documentation "Documentation and User

"Plugin Manager" on page 444

Assistance" on page 29

Visitor Management Terminology

The following table describes the common terms used in W-ClearPass Guest and this guide.

Table 3: Common Terms

Term Explanation

Accounting Process of recording summary information about network access by users and

devices.

Authentication Verification of a user’s credentials; typically a username and password.

Authorization Controls the type of access that an authenticated user is permitted to have.

Captive Portal Implemented by a Network Access Server to restrict network access to authorized

users only.

Field In a user interface or database, a single item of information about a user account.

Form In a user interface, a collection of editable fields displayed to an operator.

Network Access Server Device that provides network access to users, such as a wireless access point,

network switch, or dial-in terminal server. When a user connects to the NAS device, a RADIUS access request is generated by the NAS.

Operator Profile Characteristics assigned to a class of operators, such as the permissions granted

to those operators.

Operator/Operator Login User of W-ClearPass Guest to create guest accounts or perform system

configuration.

Print Template Formatted template used to generate guest account receipts.

Role Type of access being granted to visitors. You can define multiple roles. Such roles

could include employee, guest, team member, or press.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 25

Page 26

Term Explanation

Sponsor Operator

User Database Database listing the guest accounts in W-ClearPass Guest.

View In a user interface, a table displaying data, such as visitor account information, to

operators.

Visitor/Guest Someone who is permitted to access the Internet through your Network Access

Server.

Visitor Account Settings for a visitor stored in the user database, including username, password

and other fields.

Web Login/NAS Login Login page displayed to a guest user.

W-ClearPass Guest Deployment Process

As part of your preparations for deploying a visitor management solution, you should consider the following areas:

l Management decisions about security policy

l Decisions about the day-to-day operation of visitor management

l Technical decisions related to network provisioning

Operational Concerns

When deploying a visitor management solution, you should consider these operational concerns:

l Who is going to be responsible for managing guest accounts? What privileges will the guest account

manager have? Will this person only create guest accounts or will this person also be permitted access to reports?

l Do you want guests to be able to self-provision their own network access? What settings should be applied

to self-provisioned visitor accounts?

l How will operator logins be provisioned? Should operators be authenticated against an LDAP server?

l Who will manage reporting of guest access? What are the reports of interest? Are any custom reports

needed?

Network Provisioning

W-ClearPass Guest requires provisioning the following:

l Physical location – rack space, power and cooling requirements; or deployment using virtualization

l Network connectivity – VLAN selection, IP address, and hostname

l Security infrastructure – SSL certificate

26 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 27

Site Preparation Checklist

The following is a checklist of the items that should be considered when setting up W-ClearPass Guest.

Table 4: Site Preparation Checklist

Security Policy

Operational Concerns

Policy Decision

Segregated guest accounts?

Type of network access?

Time of day access?

Bandwidth allocation to guests?

Prioritization of traffic?

Different guest roles?

IP address ranges for operators?

Enforce access via HTTPS?

Who will manage guest accounts?

Guest account self provisioning?

What privileges will the guest managers have?

Who will be responsible for printing reports?

Network Management Policy

Password format for guest accounts?

Shared secret format?

Operator provisioning?

Network Provisioning

Physical location?

Network connectivity?

Security infrastructure?

Security Policy Considerations

To ensure that your network remains secure, decisions have to be made regarding guest access:

l Do you wish to segregate guest access? Do you want a different VLAN, or different physical network

infrastructure to be used by your guests?

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 27

Page 28

l What resources are you going to make available to guests (for example, type of network access; permitted

times of day; bandwidth allocation)?

l Will guest access be separated into different roles? If so, what roles are needed?

l How will you prioritize traffic on the network to differentiate quality of service for guest accounts and non-

guest accounts?

l What will be the password format for guest accounts? Will you be changing this format on a regular basis?

l What requirements will you place on the shared secret, between NAS and the RADIUS server to ensure

network security is not compromised?

l What IP address ranges will operators be using to access the server?

l Should HTTPS be required in order to access the visitor management server?

AirGroup Deployment Process

AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. You use W-ClearPass Guest to define AirGroup administrators and operators. AirGroup administrators can then use W-ClearPass Guest to register and manage an organization’s shared devices and configure access according to username, role, location, or time. AirGroup operators (end users) can use W-ClearPass Guest to register their personal devices and define the group who can share them.

Table 5 summarizes the steps for configuring AirGroup functionality in W-ClearPass Guest. Details for these

steps areprovided in the relevant sections of this Guide. This table does not include the configuration steps performed in W-ClearPass Policy Manager or the W-Series controller. For complete AirGroup deployment information, refer to the AirGroup sections in the Dell Networking W-Series ArubaOS User Guide and the WClearPass Policy Manager documentation.

Table 5: Summary of AirGroup Configuration Steps in W-ClearPass Guest

Step Section in this Guide

Create AirGroup administrators "Creating a New Operator" on page 464

Create AirGroup operators

Configure an operator’s device limit "Configuring AirGroup Operator Device Limit" on page 464

Configure an AirGroup controller "AirGroup Controllers" on page 358

Enable support for dynamic notifications "Configuring AirGroup Services" on page 361

To authenticate AirGroup users via LDAP: Define the LDAP server Define appropriate translation rules

AirGroup administrator: Register devices or groups of devices

"External Operator Authentication" on page 465 "LDAP Translation Rules" on page 472

"AirGroup Device Registration" on page 66

AirGroup operator: Register personal devices

(Optional) Configure device registration form with drop-down lists for existing locations and roles

Set up time-based sharing "About AirGroup Time-Based Sharing" on page 75

28 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide

"Customizing AirGroup Registration Forms" on page 209

Page 29

Documentation and User Assistance

This section describes the variety of user assistance available for W-ClearPass Guest.

User Guide and Online Help

This User Guide provides complete information for all W-ClearPass Guest features. The following quick links may be useful in getting started.

Table 6: Quick Links

For information about... Refer to...

What visitor management is and how it works "About Dell Networking W-ClearPass Guest" on page

Using the guest management features "Using Standard Guest Management Features" on

page 38

Role-based access control for operators "Operator Profiles" on page 458

Setting up LDAP authentication for operators "External Operator Authentication" on page 465

Guest self-provisioning features "Self Provisioned Guest Access" on page 32

Dynamic authorization extensions "RFC 3576 Dynamic Authorization" on page 35

SMS receipts for guest accounts "SMS Services" on page 296

Email receipts for guest accounts "Email Receipts and SMTP Services" on page 284

Network administration of the appliance "Administration" on page 357

Context-Sensitive Help

For more detailed information about the area of the application you areusing, click the context-sensitive Help link displayed at the top right of the page. This opens a new browser tab showing the relevant section of this User Guide.

The User Guide may besearched using the Search box in the top right corner.

Type in keywords related to your search and click the Search button to display a list of matches. Themost relevant matches will be displayed first. Words may be excluded from the search by typing a minus sign directly before the word to exclude (for example-exclude). Exact phrase matches may also be searched for by enclosing the phrase in double quotes (for example, “word phrase”).

Field Help

The W-ClearPass Guest user interface has field help built into every form. The field help provides a short summary of the purpose of the field at the point you need it most. In many cases this is sufficient to use the

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 29

Page 30

application without further assistance or training.

Quick Help

In list views, click the Quick Help tab located at the top left of the list to display additional information about the list you are viewing and the actions that areavailable within the list.

On some forms and views, the Quick Help icon may also be used to provide additional detail about a field.

If You Need More Assistance

If you encounter a problem using W-ClearPass Guest, your first step should be to consult the appropriate section in this User Guide.

If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you with the answer or obtain a solution to your problem.

If you still need information, you can refer to the Contact Support command available under Support

Services in the user interface, or see "Contacting Support" on page 18.

Use of Cookies

Cookies are small text files that are placed on a user’s computer by Web sites the user visits. They are widely used in order to make Web sites work, or work more efficiently, as well as to provide information to the owners of a site. Session cookies are temporary cookies that last only for the duration of one user session.

When a user registers or logs in via a Dell captive portal, Dell uses session cookies solely to remember between clicks who a guest or operator is. Dell uses this information in a way that does not identify any user-specific information, and does not make any attempt to find out the identities of those using its W-Series ClearPass products. Dell does not associate any data gathered by the cookie with any personally identifiable information (PII) from any source. Dell uses session cookies only during the user’s active session and does not store any permanent cookies on a user’s computer. Session cookies are deleted when the user closes his/her Web browser.

30 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 31

Chapter 3

W-ClearPass Guest Manager

The ability to easily create and manage guest accounts is the primary function of Dell Networking W-ClearPass Guest. The Guest Manager moduleprovides complete control over the user account creation process.

Guest Manager features for managing guest accounts let you:

l View and manage active sessions

l Create single or multiple guest accounts and receipts

l Create new MAC devices

l Bulk edit accounts

l Export a list of accounts

l Import new accounts from a text file

l View guest accounts and edit individual or multiple guest accounts

l View MAC devices and edit individual or multiple devices

Many features can also be customized. For information on customizing Guest Manager settings, forms and views, guest self-registration, and print templates, see "Configuration" on page 187.

Accessing Guest Manager

To access Dell Networking W-ClearPass Guest’s guest management features, click the Guest link in the left navigation.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 31

Page 32

About Guest Management Processes

There are two major ways to manage guest access – either by your operators provisioning guest accounts, or by the guests self-provisioning their own accounts. Both of these processes are described in this chapter.

Self Provisioned Guest Access

Self-provisioned access is similar to sponsored guest access, but there is no need for an operator to create the account or to print the receipt. The following figure shows the process of self-provisioned guest access.

32 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 33

Figure 6 Guest access when guest is self-provisioned

The guest logs on to the Network Access Server (NAS), which captures the guest and redirects them to a captive portal login page. From the login page, guests without an account can browse to the guest self-registration page, where the guest creates a new account. At the conclusion of the registration process, the guest is automatically redirected to the NAS to log in.

The guest can print or download a receipt, or have the receipt information delivered by SMS or email.

The NAS performs authentication and authorization for the guest in W-ClearPass Guest. After authorization, the guest is able to access the network.

See "Customizing Guest Self-Registration" on page 235 for details on creating and managing self-registration pages.

Active Sessions Management

The RADIUS server maintains a list of active visitor sessions. If your NAS equipment has RFC 3576 support, the RADIUS dynamic authorization extensions allow you to disconnect or modify an active session.

To view and manage active sessions for the RADIUS server, go to Guest > Active Sessions. The Active Sessions list opens. You can use this list to modify, disconnect or reauthorize, or send SMS notifications for active visitor sessions; manage multiplesessions; or customize the list to include additional fields.

l To view details for an active session, click the session’s row in the list, then click its Show Details link. The

form expands to include the Session Details view.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 33

Page 34

l If the NAS equipment has RFC 3576 support, you can disconnect or dynamically reauthorize active sessions.

See "RFC 3576 Dynamic Authorization" on page 35 for more information.

n To disconnect an active session, click the session’s row in the list, then click its Disconnect link. A

message is displayed to show that the disconnect is in progress and acknowledge when it is complete.

n To reauthorize a session that was disconnected, click the session’s row in the list, then click its

Reauthorize link. The Reauthorize Session form opens. Click Reauthorize Session. A message is displayed to show that the disconnect is in progress and acknowledge when it is complete.

n To disconnect multiple sessions, click the Manage Multiple tab. The form expands to include the

Manage Multiple Sessions form. For more information, see "Disconnecting Multiple Active Sessions " on

page37.

l To view and work with the guest accounts associated with a session, click the session’s row in the list, then

click its List Accounts link. The Guest Manager Accounts view opens. See "Managing Single Guest Accounts

" on page 55 for more information.

l To display only sessions that meet certain criteria, click the Filter tab. For more information, see"Filtering

the List of Active Sessions" on page 36.

l To send SMS notifications to visitors, click the SMS tab. For more information, see "Sending Multiple SMS

Alerts " on page 37.

34 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 35

l To include additional fields in the Active Sessions list, or delete fields from it, click the More Options tab.

The Customize View Fields page opens. For more information, see "Editing Forms " on page 214.

l You can use the paging control at the bottom of the list to jump forwards orbackwards by one page, or to

the first or last page of the list. You can also click an individual page number to jump directly to that page.

Session States

A session may be in one of three possible states:

l Active—An active session is one for which the RADIUS server has received an accounting start message

and has not received a stop message, which indicates that service is being provided by a NAS on behalf of an authorized client.

While a session is in progress, the NAS sends interim accounting update messages to the RADIUS server. This maintains up-to-date traffic statistics and keeps the session active. The frequency of the accounting update messages is configurable in the RADIUS server.

l Stale—If an accounting stop message is never sent for a session—for example, if the visitor does not log

out— that session will remain open. After 24 hours without an accounting update indicating session traffic, the session is considered ‘stale’ and is not counted towards the active sessions limit for a visitor account. To ensure that accounting statistics are correct, you should check the list for stale sessions and close them.

l Closed—A session ends when the visitor logs out or if the session is disconnected. When a session is

explicitly ended in either of these ways, the NAS sends an accounting stop message to the RADIUS server. This closes the session. No further accounting updates are possible for a closed session.

RFC 3576 Dynamic Authorization

Dynamic authorization describes the ability to make changes to a visitor account’s session while it is in progress. This includes disconnecting a session, or updating some aspect of the authorization for the session.

The Active Sessions page provides two dynamic authorization capabilities that apply to currently active sessions:

l Disconnect causes a Disconnect-Request message to be sent to the NAS for an active session,

requesting that the NAS terminate the session immediately. The NAS should respond with a Disconnect-ACK message if the session was terminated or Disconnect-NAK if the session was not terminated.

l Reauthorize causes a Disconnect-Request message to be sent to the NAS for an active session. This

message will contain a Service-Type attribute with the value ‘Authorize Only’. The NAS should respond with a Disconnect-NAK message, and should then reauthorize the session by sending an Access-Request message to the RADIUS server. The RADIUS server’s response will contain the current authorization details for the visitor account, which will then update the corresponding properties in the NAS session.

If the NAS does not support RFC 3576, attempts to perform dynamic authorization will time out and result in a ‘No response from NAS’ error message.

Refer to RFC 3576 for more details about dynamic authorization extensions to the RADIUS protocol.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 35

Page 36

Filtering the List of Active Sessions

On the Guest >Active Sessions list, you can use the Filter tab to narrow the search parameters and quickly find all matching sessions:

Enter a username or IP address in the Filter field. Additional fields can be included in the search if the “Include values when performing a quick search” option was selected for the field within the view. To control this

option, use the Choose Columns command link on the More Options tab.

You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:

Table 7: Operators supported in filters

Operator Meaning Additional Information

= is equal to You may search for multiple values when using the

equality (=) or inequality !=) operators. To specify multiple

!= is not equal to

> is greater than

>= is greater than or equal to

< is less than

<= is less than or equal to

~ matches the regular expression

!~ does not match the regular

expression

values, list them separated by the pipe character ( | ).

For example, specifying the filter "role_id=2|3, custom_ field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".

To restore the default view, click the Clear Filter link.

Click the Apply Filter button to save your changes and update the view, or click the Reset button to remove the filter and return to the default view.

36 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 37

Disconnecting Multiple Active Sessions

To disconnect multiple sessions, click the Manage Multiple tab. The Manage Multiple Sessions form opens.

l To close all active sessions, leave the Start Time and End Time fields empty and click Make Changes. All

active sessions are closed and are removed from the Active Sessions list.

You can specify sessions in a time range.

1. To close all sessions that started after a particular time, click the button in the Start Time row. The calendar picker opens. Use the calendar to specify the year, month, and day, and click the numbers in the Time fields to increment the hours and minutes. All sessions that started after the specified date and time will be disconnected.

2. To close all sessions that started before a particular time, click the button in the End Time row. Thecalendar picker opens. Use the calendar to specify the year, month, and day, and click the numbers in the Time fields to increment the hours and minutes. All sessions that started before the specified date and time will be disconnected.

3. Click Make Changes. The specified sessions are closed and are removed from the Active Sessions list.

Sending Multiple SMS Alerts

The SMS tab on the Active Sessions page lets you send an SMS alert message to all active sessions that have a valid phone number. An SMS alert during an active session can be used to send a group of visitors information you might want them to have immediately—for example, a special offer that will only be availablefor an hour, a change in a meeting’s schedule or location, or a public safety announcement.

To create an SMS message:

1. Click the SMS tab on the Active Sessions page. The Send SMS Notification form opens.

2. Use the filter to specify the group of addresses that should receive the message. See "Filtering the List of

Active Sessions" on page 36. Only accounts with valid phone numbers can be sent SMS alerts.

3. Enter the message in the Message text box. Messages may contain up to 160 characters.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 37

Page 38

4. Click Send.

About SMS Guest Account Receipts

You can send SMS receipts for guest accounts that are created using either sponsored guest access or selfprovisioned guest access. This is convenient in situations where the visitor may not be physically present to receive a printed receipt.

Dell Networking W-ClearPass Guest may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand.

To manually send an SMS receipt:

1. Go to the Guest > Manage Accounts and click to expand the row of the guest to whom you want to send a receipt.

2. Click Print to display the Updated Account Details view, and then click the Send SMS receipt link. The SMS Receipt form opens. Use the fields on this form to enter the service to use, the recipient’s mobile phone number, and the message text.

When using guest self-registration, SMS Delivery options areavailable for the receipt page actions; See "Editing

Receipt Actions" on page 248 for full details. For more information on SMS services, see "SMS Services" on page

296.

Using Standard Guest Management Features

This section describes:

l "Creating a Guest Account " on page 39

l "Creating a Guest Account Receipt " on page 41

l "Creating a Device" on page 41

l "Creating Multiple Guest Accounts" on page 45

l "Creating Multiple Guest Account Receipts" on page 47

l "Creating a Single Password for Multiple Accounts " on page 48

38 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 39

l "Managing Single Guest Accounts " on page 55

l "Managing Multiple Guest Accounts " on page 64

l "Exporting Guest Account Information " on page 50

l "Importing Guest Accounts" on page 52

l "Managing Single Guest Accounts " on page 55

l "Managing Devices " on page 59

l "Managing Multiple Guest Accounts " on page 64

To customize guest self-registration, please see Configuration on page 187.

Creating a Guest Account

To create a new account, go to Guest > Create Account, or click the Create New Guest Account command link on the Guest Manager page. The Create New Guest Account form opens.

The Create New Guest Account form (create_user) can be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about the customization process. The default settings for this form are described below.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 39

Page 40

Table 8: The Create New Guest Account Form

Field Description

Guest's Name

Company Name

Email Address

Account Activation

Activation Time

Account Expiration

(Required) Name of the guest user for this account.

(Required) Name of the organization the guest user belongs to.

(Required) The guest user's email address. This email address will be the guest's username.

You can select an activation time from this drop-down list. The guest's account cannot be used before the activation time. Options include:

l Now l Disable account l Tomorrow l Next Monday l 1 hour from now l 1 day from now l 1 week from now l Activate at specified time...

If you selected "Activate at specified time", use the calendar picker in this field to specify the date and time. If no selection is made, the account will be enabled immediately.

You can select an expiration time from this drop-down list. The guest's account cannot be used after the expiration time. Options include:

l Account will not expire l Now l Tonight l Friday night l 1 hour from now l 1 day from now l 1 week from now l 30 days from now l 90 days from now l 180 days from now l 1 year from now l Account expires after... l Account expires at specified time...

Expires After

Expiration Time

Account Role

If you selected "Account expires after", use this drop-down list to specify a length of time. Options include several intervals of hours, days, or weeks.

If you selected "Account expires at specified time", use the calendar picker in this field to specify the date and time. If no selection is made, the account will not expire.

(Required) Specify the type of account the guest should have. Options include:

l Contractor l Employee l Guest

Password A random password is created for each visitor account. This is displayed on this form, but will also

be available on the guest account receipt.

40 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 41

Field Description

Notes You may enter notes about this guest account.

Create When your entries on the form are complete, click this button to create the guest's account.

(Required) You must select the check box in in this field in order to create the account.

Creating a Guest Account Receipt

After you click the Create button on the Create New Guest Account form, the details for that account are displayed.

To print a receipt for the guest, select an appropriate template from the Open print window using template… list. A new Web browser window opens and the browser’s Print dialog box is displayed.

Click the Send SMS receipt link to send a guest account receipt via text message. Use the SMS Receipt form to enter the mobiletelephone number to which the receipt should be sent.

Sending SMS receipts requires the SMS Services plugin. If the administrator has enabled automatic SMS, and the visitor’s phone number was typed into the Create New Guest Account form, an SMS message will be sent automatically. A message is displayed on the account receipt page after an SMS message has been sent.

Click the Send email receipt link to send an email copy of the guest account receipt. Use the Email Receipt form to enter the email address to which the receipt should be sent. You can also specify the subject line for the email message. If the administrator has enabled automatic email for guest account receipts, and the visitor’s email address was typed into the Create New Guest Account form, an email receipt will be sent automatically. A message is displayed on the account receipt page after an email has been sent.

Creating a Device

Device accounts may be created in three ways:

l Manually in W-ClearPass Guest using the Create New Device form

l During guest self-registration by a MAC parameter passed in the redirect URL, if the process is configured to

create a MAC device account

l During guest self-registration by a MAC parameter passed in the redirect URL, creating a parallel account

paired with the visitor account

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 41

Page 42

Creating Devices Manually in W-ClearPass Guest

If you have the MAC address, you can create a new device manually. To create a new device, go to Guest >Create Device, or go to Guest > Manage Devices and click the Create link.

The Create New Device form opens.

Table 9: New Device

Field Description

MAC Address (Required) Enter the device's MAC address.

Device Name (Required) Enter the name for the device.

If you need to modify the configuration for expected separator format or case, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication Plugin.

AirGroup Enables AirGroup for the device. Configuration options are added to the form.

Ownership Specifies whether device ownership should be personal or shared. Personal devices are

automatically shared with the owner's other devices.

Shared With Usernames of people who can share this device. Enter usernames as a comma-separated

list. To make the device available to all users, leave this field blank. Each username may not exceed 64 characters. A maximum of 100 usernames may be entered. The maximum character limit for the list is 1000 characters (including comma separators).

42 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 43

Field Description

Shared Locations Locations where the device can be shared. When you type a location name in the Shared

Locations field and press the Enter key, the location appears as a "tag" and is created in the system when the form is saved. Each location name may not exceed 64 characters. A maximum of 100 location names may be entered. The maximum character limit for the list is 1000 characters (including comma separators).

Shared Roles User roles that can share this device. When you type a role name in the Shared Roles field

and press the Enter key, the role appears as a "tag" and is created in the system when the form is saved. Each role name may not exceed 64 characters. A maximum of 100 role names may be entered. The maximum character limit for the list is 1000 characters (including comma separators).

Shared Groups User groups that can share this device. These will be available in the Shared Groups field

for users to choose from when they share a device. When you type a name for the group in the Group Names field and press the Enter key, the group appears as a "tag" and is created in the system when the form is saved. Each group name may not exceed 64 characters. A maximum of 32 group names may be entered. The maximum character limit for the list is 320 characters (including comma separators). This feature requires AOS 6.4 or later.

Time Sharing Time-based sharing rules for this device. For more information, see "About AirGroup Time-

Based Sharing" on page 75.

Syntax Opens the help topic "AirGroup Time-Based Sharing Syntax Examples" on page 71

Account Activation Options include: Activate the account immediately, at a preset interval of hours or days, at a

specified time, or leave the account disabled. If you choose Activate at a specified time, the ActivationTime row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.

Account Expiration Options include: Never expire, expire at a preset interval of hours or days, or expire at a

specified time.

l If you choose any time in the future, the Expire Action row is added to the form.

Indicate the expiration action for the account—either delete, delete and log out, disable, or disable and log out. The action will be applied at the time set in the Account Expiration row.

l If you choose Account expires after, the ExpiresAfter row is added to the form.

Choose an interval of hours, days, or weeks. The maximum is two weeks.

l If you choose Account Expires at a specified time, the ExpirationTime row is added

to the form. In the calendar picker, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.

Account Role Assigns the visitor’s role.

the terms.

Create Device Commits your changes and creates the device. The Account Details and print options are

displayed. For more information, see "Printing Device Details" on page 64.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 43

Page 44

Creating Devices During Self-Registration - MAC Only

This section describes how to configure a guest self-registration so that it creates a MAC device account. After the guest is registered, future authentication can take place without the need for the guest to enter their credentials. A registration can be converted to create a MAC device instead of standard guest credentials.

This requires a vendor to pass a MAC parameter in the redirect URL. W-ClearPass Guest does not support querying the controller or DHCP servers for the client's MAC based on IP.

To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row, click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth in the list, click the Customize fields link above the list. Click the Edit link in the field’s row. In the Define Custom Field form, edit the registration form fields:

l Add or enable mac

n UI: Hidden field

n Field Required: checked

n Validator: IsValidMacAddress

l Add or enable mac_auth

n UI: Hidden field

l Any other expiration options, role choice, surveys, and so on can be entered as usual.

Figure 7 Modify fields

l Edit the receipt form fields:

n Edit username to be a Hidden field

n Edit password to be a Hidden field

l Adjust any headers or footers as needed.

When the visitor registers, they should be able to still log in via the Log In button. The MAC will be passed as their username and password via standard captive portal means.

The account will only be visible on the List Devices page.

If the guest logs out and reconnects, they should be immediately logged in without being redirected to the captive portal page.

Creating Devices During Self-Registration - Paired Accounts

Paired accounts is a means to create a standard visitor account with credentials, but to have a MAC account created in parallel that is directly tied to the visitor account. These accounts share the samerole, expiration and

44 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 45

other properties.

This requires a vendor passing a mac parameter in the redirect URL. W-ClearPass Guest does not support querying the controller or DHCP servers for the client's MAC based on IP.

To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row, click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth_pair in the list, click the Customize fields link above the list. Click the Edit link in the field’s row. In the Define Custom Field form, edit the registration form fields:

l Add or enable mac

n UI: Hidden field

n Field Required: optional

n Validator: IsValidMacAddress

l Add or enable mac_auth_pair

n UI: Hidden field

n Initial Value: -1

l Any other expiration options, role choice, surveys and so on can be entered as usual.

You will see an entry under both List Accounts and List Devices. Each should have a View Pair action that cross-links the two.

If you delete the base account, all of its pairings will also be deleted. If RFC-3576 has been configured, all pairs will be logged out.

Creating Multiple Guest Accounts

The Create Multiple Guest Accounts form is used to create a group of visitor accounts.

To create multiple accounts, go to Guest > Create Multiple, or click the Create Multiple Guest Accounts command link on the Guest Manager >Start Here page. The Create Multiple Guest Accounts form opens.

The Create Multiple Guest Accounts form (create_multi) can be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about the customization process. The default settings for this form are described below.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 45

Page 46

Table 10: The Create New Guest Account Form

Field Description

Number of Accounts

Account Activation

Activation Time

Account Expiration

(Required) Enter the number of accounts to create.

You can select an activation time from this drop-down list. The guests' accounts cannot be used before the activation time. Options include:

l Now l Disable account l Tomorrow l Next Monday l 1 hour from now l 1 day from now l 1 week from now l Activate at specified time...

If you selected "Activate at specified time", use the calendar picker in this field to specify the date and time. If no selection is made, the account will be enabled immediately.

You can select an expiration time from this drop-down list. The guests' accounts cannot be used after the expiration time. Options include:

Expires After

Expiration Time

Expire Action

If you selected "Account expires after", use this drop-down list to specify a length of time. Options include several intervals of hours, days, or weeks.

If you selected "Account expires at specified time", use the calendar picker in this field to specify the date and time. If no selection is made, the account will not expire.

(Required) Specify how the behavior of the expiration. Options include:

l Delete and log out at specified time l Delete at specified time l Disable and log out at specified time l Disable at specified time

Be aware that a logout can only occur if the NAS is RFC-3576 compliant.

Account Role

46 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

(Required) Specify the type of account the guest should have. Options include:

l Contractor l Employee l Guest

Page 47

Field Description

Notes You may enter notes about this guest account.

Create Accounts

(Required) You must select the check box in in this field in order to create the account.

When your entries on the form are complete, click this button to create the guests' accounts.

A random username and password will becreated for each visitor account. This is not displayed on this form, but will be available on the guest account receipt. The default password length is six characters.

Creating Multiple Guest Account Receipts

After a group of guest accounts has been created, the details for the accounts are displayed.

To print the receipts, select an appropriate template from the Open print window using template… drop-down list. A new browser window opens with the Print dialog displayed.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 47

Page 48

To download a copy of the receipt information in CSV format, click the Save list for scratch cards (CSV file) link. You will be prompted to either open or save the spreadsheet (CSV) file. The fields available in the CSV file are:

l Number – The sequential number of the visitor account, starting at one.

l Username – The username for the visitor account.

l Password – The password for the visitor account. The default password length is six characters.

l Role – The visitor account’s role.

l Activation Time – The date and time at which the account will be activated, or N/A if there is no activation

time.

l Expiration Time – The date and time at which the account will expire, or N/A if there is no activation time.

l Lifetime – The account lifetime in minutes, or N/A if the account does not have a lifetime specified.

l Successful – “Yes” if the account was created successfully, or “No” if there was an error creating the

account.

Creating a Single Password for Multiple Accounts

You can create multiple accounts that have the same password. In order to do this, you first customize the Create Multiple Guest Accounts form to include the Password field.

To include the Password field on the Create Multiple Guest Accounts form:

1. Go to Configuration > Forms & Views. Click the create_multi row, then click its Edit Fields link. The Customize Form Fields view opens, showing a list of the fields included in the Create Multiple Guest Accounts form and their descriptions.

At this point, the Password field is not listed because the Create Multiple Guest Accounts form (create_ multi) has not yet been customized to include it. You will create it for the form in the next step.

2. Click on any field in the list to expand a row, then click the Insert After link (you can modify this placement later). The Customize Form Field form opens.

3. In the Field Name row, choose password from the drop-down list. The form displays configuration options for this field.

4. In the Field row, mark the Enable this field check box.

5. To adjust the placement of the password field on the Create Multiple Guest Accounts form, you may change the number in the Rank field.

6. In the User Interface row, choose Password text field from the drop-down list. The Field Required check box should now be automatically marked, and the Validator field should be set to IsNonEmpty.

7. Click Save Changes. The Customize Form Fields view opens again, and the password field is now included and can be edited.

48 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 49

To create multiple accounts that all use the same password:

1. Go to Guest > Create Multiple. The Create Guest Accounts form opens, and includes the Visitor Password field.

2. In the Number of Accounts field, enter the number of accounts you wish to create.

3. In the Visitor Password field, enter the password that is to be used by all the accounts. The minimum password length is six characters.

4. Complete the other fields with the appropriate information, then click Create Accounts. The Finished Creating Guest Accounts view opens. The password and other account details are displayed for each account.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 49

Page 50

Exporting Guest Account Information

Guest account information may be exported to a file in one of several different formats.

To export a file with the current list of guest accounts, go to Guest >Export Accounts, or go to Guest >Start Here and click the Export Guest Accounts command link. The Export Accounts page opens with three options displayed. Click the appropriate command link to save a list of all guest accounts in commaseparated values (CSV), tab-separated values (TSV), or XML format.

50 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 51

The Export Accounts view (guest_export) may be customized by adding new fields, or by modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about this customization process.

About CSV and TSV Exports

In CSV and TSV format, the following default fields are included in the export:

l Number – Sequential number of the guest account in the exported data

l User ID – Numeric user ID of the guest account

l Username – Username for the guest account

l Role – Role for the guest account

l Activation – Date and time at which the guest account will be activated, or “N/A” if there is no activation

time

l Expiration – Date and time at which the guest account will expire, or “N/A” if there is no expiration time

l Lifetime – The guest account’s lifetime in minutes after login, or 0 if the account lifetime is not set

l Expire Action – Number specifying the action to take when the guest account expires (0 through 4)

About XML Exports

The default XML format consists of a <GuestUsers> element containing a <GuestUser> element for each exported guest account. Thenumeric ID of the guest account is provided as the “id” attribute of the <GuestUser> element. This format is compatible with the W-ClearPass Policy Manager XML format for guest users.

The values for both standard and custom fields for guest accounts are exported as the contents of an XML tag, where the tag has the same name as the guest account field.

An example XML export is given below:

<?xml version="1.0" encoding="UTF-8" standalone="true"?> <MyContents xmlns="http://www.example.com/myapiDefs/1.0">

<GuestUser guestType="USER" enabled="true" sponsorName="55480025"

expiryTime="2012-12-04 13:39:25" startTime="1969-12-31 16:00:00" password="08654361" name="55480025">

<GuestUserTags tagValue="Hotspot Services self-provisioned guest account

Source IP: 10.11.10.254 MAC: unknown Plan: Free Access x 1 Transaction

Amount: $0.00 Invoice Number: P-15 Transaction ID: " tagName="notes"/> <GuestUserTags tagValue="2" tagName="[Role ID]"/> <GuestUserTags tagValue="1" tagName="do_expire"/> <GuestUserTags tagValue="1" tagName="simultaneous_use"/>

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 51

Page 52

</GuestUser>

Importing Guest Accounts

Guest accounts may be created from an existing list by uploading the list to W-ClearPass Guest.

To import a file with the current list of guest accounts, go to Guest >Import Accounts, or go to Guest >Start Here and click the Import Guest Accounts command link. The Import Accounts page opens with the first part of the form displayed, Upload User List.

The Upload User List form provides you with different options for importing guest account data.

To complete the form, you must either specify a file containing account information, or type or paste in the account information to the Accounts Text area.

Select the Show additional import options check box to display the following advanced import options:

l Character Set: W-ClearPass Guest uses the UTF-8 character set encoding internally to store visitor account

information. If your accounts file is not encoded in UTF-8, the import may fail or produce unexpected results if non-ASCII characters are used. To avoid this, you should specify what character set encoding you areusing.

l Import format: The format of the accounts file is automatically detected. You may specify a different

encoding type if automatic detection is not suitable for your data. The Import Format drop-down list includes the following options:

n Automatically detect format (This default option recognizes guest accounts exported from W-

ClearPass Policy Manager in XML format)

n XML

n Comma separated values

52 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 53

n Tab separated values

n Pipe ( | ) separated values

n Colon ( : ) separated values

n Semicolon ( ; ) separated values

l Select the Force first row as header row check box if your data contains a header row that specifies the

field names. This option is only required if the header row is not automatically detected.

Click Next Step to upload the account data.

In step 2 of 3, W-ClearPass Guest determines the format of the uploaded account data and matches the appropriate fields to the data. The first few records in the data are displayed, together with any automatically detected field names.

In this example, the following data was used:

username,visitor_name,password,expire_time demo005,Demo five,secret005,2011-06-10 09:00 demo006,Demo six,secret006,2011-06-11 10:00 demo007,Demo seven,secret007,2011-06-12 11:00 demo008,Demo eight,secret008,2011-06-13 12:00 demo009,Demo nine,secret009,2011-06-13 12:00 demo010,Demo ten,secret010,2011-06-13 12:00 demo011,Demo eleven,secret011,2011-06-13 12:00

Because this data includes a header row that contains field names, the corresponding fields were automatically detected in the data:

Use the Match Fields form to identify which guest account fields are present in the imported data. You can also specify the values to be used for fields that are not present in the data.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 53

Page 54

To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column name to use the values from that column when importing guest accounts, or select one of the other available options to use a fixed value for each imported guest account.

Click the Next Step button to preview the final result. Import Step 3 of 3, the Import Accounts form, opens and shows a preview of the import operation. The values of each guest account field are determined, and any conflicts with existing user accounts are shown.

The icon displayed for each user account indicates if it is a new entry ( ) or if an existing user account will be updated ( ).

By default, this form shows ten entries per page. To view additional entries, click the arrow button at the bottom of the form to display the next page, or click the 10 rows per page drop-down list at the bottom of the form and select the number of entries that should appear on each page.

Click the check box by the account entries you want to create, or click one of the following options to select the desired accounts:

l Click the This Page link to select all entries on the current page.

l Click the All link to select all entries on all pages

l Click the None link to deselect all entries

l Click the New link to select all new entries

54 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 55

l Click the Existing link to select all existing user accounts in the list.

Click the Create Accounts button to finish the import process. The selected items will be created or updated. You can then print new guest account receipts or download a list of the guest accounts. See "Creating

Multiple Guest Account Receipts" on page 47 in this chapter for more information.

Managing Single Guest Accounts

Use the Manage Guest Accounts list view to work with individual guest accounts. To open the Manage Guest Accounts list, go to Guest > Manage Accounts.

The Manage Guest Accounts list view opens.This view (guest_users) may be customized by adding new fields or modifying or removing the existing fields. See "Customizing Fields" on page 206 for details about this customization process. The default settings for this view are described below.

The Username, Role, State, Activation, and Expiration columns display information about the visitor accounts that have been created:

l The value in the Expiration column is colored red if the account will expire within the next 24 hours. The

expiration time is additionally highlighted in boldface if the account will expire within the next hour.

l In addition, icons in the Username column indicate the account’s activation status:

n —Visitor account is active

n —Visitor account was created but is not activated yet

n —Visitor account was disabled by Administrator

n —Visitor account has expired

n —Visitor account was deleted

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 55

Page 56

You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:

Table 11: Operators supported in filters

Operator Meaning Additional Information

= is equal to You may search for multiple values when using the

equality (=) or inequality !=) operators. To specify multiple

!= is not equal to

values, list them separated by the pipe character ( | ).

> is greater than

>= is greater than or equal to

< is less than

<= is less than or equal to

~ matches the regular expression

!~ does not match the regular

expression

To restore the default view, click the Clear Filter link.

Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.

When the list contains numerous user accounts, consider using the Filter field to speed up finding a specific user account.

Use the Create tab to create new visitor accounts using the Create New Guest Account form. See

"Creating a Guest Account " on page 39 for details about this form.

Use the More Options tab for additional functions, including import and export of guest accounts and the ability to customize the view.

Click a user account’s row to select it. You can then select from one of these actions:

l Reset password – Changes the password for a guest account. A new randomly generated password is

displayed on the Reset Password form. The default password length is six characters.

56 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 57

Click Update Account to reset the guest account’s password. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.

l Change expiration – Changes the expiration time for a guest account.

This form (change_expiration) can be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Forms and Views" on page 212 for details about this customization process.

Select an option from the drop-down list to change the expiration time of the guest account.

Click Update Account to set the new expiration time for the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.

l Remove – Disables or deletes a guest account.

Select the appropriate Action radio button, and click Make Changes to disable or delete the account.

If you wish to have automatic disconnect messages sent when the enabled value changes, you can specify this in the Configuration module. See "Configuring W-ClearPass Guest Authentication " on page 188.

l Activate – Re-enables a disabled guest account, or specifies an activation time for the guest account.

Select an option from the drop-down list to change the activation time of the guest account. To re-enable an account that has been disabled, choose Now. Click Enable Account to set the new activation time for

the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 57

Page 58

l Edit – Changes the properties of a guest account.

This form can be customized by adding new fields, or modifying or removing the existing fields. See "Customizing

Forms and Views" on page 212 for details about this customization process.

Click Update Account to update the properties of the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.

l Sessions – Displays the active sessions for a guest account. See "Active Sessions Management" on page

33 in this chapter for details about managing active sessions.

l Print – Displays the guest account’s receipt and the delivery options for the receipt. For security reasons,

the guest’s password is not displayed on this receipt. To recover a forgotten or lost guest account password, use the Reset password link.

l Show Details—The row expands to display all the properties of the guest's account in a table, including

endpoint details. This option is only available to users whose operator profile includes the Show Details privilege.

58 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 59

Managing Devices

To view the list of current MAC devices, go to Guest > Manage Devices.

The Guest Manager Devices page opens.

All devices created by one of methods described in the following section are listed. Options on the form let you change a device’s account expiration time; activate, remove, or edit the device; view active sessions or details for the device; or print details, receipts, confirmations, or other information.

The MAC Address, Device Name, Expiration, Sponsor, and Sharing columns display information about the device accounts that have been created:

l The value in the Expiration column is colored red if the device account will expire within the next 24 hours.

The expiration time is additionally highlighted in boldface if the device account will expire within the next hour.

l In addition, icons in the MAC Address column indicate the device account’s activation status:

n —Device account is active

n —Device account was created but is not activated yet

n —Device account was disabled by Administrator

n —Device account has expired

n —Device account was deleted

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 59

Page 60

You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of any fields that are configured for search, and you can include the following operators:

Table 12: Operators supported in filters

Operator Meaning Additional Information

= is equal to You may search for multiple values when using the

equality (=) or inequality !=) operators. To specify

!= is not equal to

> is greater than

>= is greater than or equal to

< is less than

<= is less than or equal to

~ matches the regular expression

!~ does not match the regular

expression

multiple values, list them separated by the pipe character ( | ).

For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".

To restore the default view, click the Clear Filter link.

To select a device, click the device you want to work with.

Changing a Device’s Expiration Date

To change a device’s expiration date, click the device’s row in the Guest Manager Devices list, then click its Change expiration link. The row expands to include the Change Expiration form.

1. In the Account Expiration row, choose one of the options in the drop-down list to set an expiration date:

l If you choose Account expires after, the Expires After row is added to the form. Choose an interval

of hours, days, or weeks from the drop-down list.

60 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 61

l If you choose Account Expires at a specified time, the Expiration Time row is added to the form.

Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.

2. If you choose any option other than “will not expire” or “now” in the Account Expiration field, the Expire Action row is added to the table. Use the drop-down list in this row to specify one of the following actions: delete, delete and log out, disable, or disable and log out.

3. Click Update Account to commit your changes.

Disabling and Deleting Devices

To remove a device’s account by disabling or deleting it, click the device’s row in the Guest Manager Devices list, then click its Remove link. The row expands to include the Remove Account form.

You may choose to either disable or delete the account. If you disable it, it remains in the device list and you may activate it again later. If you delete the account, it is removed from the list permanently.

Activating a Device

To activate a disabled device’s account, click the device’s row in the Guest Manager Devices list, then click its Activate link. The row expands to include the Enable Guest Account form.

1. In the Activate Account row, choose one of the options in the drop-down list to specify when to activate the account. You may choose an interval, or you may choose to specify a time.

2. If you choose Activate at specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.

3. Click Enable Account to commit your changes.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 61

Page 62

Editing a Device

To edit a device’s account, click the device’s row in the Guest Manager Devices list, then click its Edit link. The row expands to include the Edit Device form. You can edit any of the device's properties.

Table 13: New Device

Field Description

MAC Address The device's MAC address.

Device Name The name for the device.

AirGroup Enables AirGroup for the device. Configuration options are added to the form.

Ownership Specifies whether device ownership should be personal or shared. Personal devices are

automatically shared with the owner's other devices.

Shared With Usernames of people who can share this device. Enter usernames as a comma-separated

Shared Locations Locations where the device can be shared. When you type a location name in the Shared

Shared Roles User roles that can share this device. When you type a role name in the Shared Roles field

62 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 63

Field Description

Shared Groups User groups that can share this device. These will be available in the Shared Groups field

Time Sharing Time-based sharing rules for this device. For more information, see "About AirGroup Time-

Based Sharing" on page 75.

Syntax Opens the help topic "AirGroup Time-Based Sharing Syntax Examples" on page 71.

Account Activation Options include: Activate the account immediately, at a preset interval of hours or days, at a

Account Expiration Options include: Never expire, expire at a preset interval of hours or days, or expire at a

specified time.

l If you choose any time in the future, the Expire Action row is added to the form.

Indicate the expiration action for the account—either delete, delete and log out, disable, or disable and log out. The action will be applied at the time set in the Account Expiration row.

l If you choose Account expires after, the ExpiresAfter row is added to the form.

Choose an interval of hours, days, or weeks. The maximum is two weeks.

l If you choose Account Expires at a specified time, the ExpirationTime row is added

to the form. In the calendar picker, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.

Account Role Assigns the visitor’s role.

Notes Optional additional information.

Update Device Commits your changes and updates the device. The Updated Device Details and print

options are displayed.

Viewing Current Sessions for a Device

To view any sessions that are currently active for a device, click the Sessions link in the device’s row on the Guest Manager Devices form. The Active Sessions list opens. For more information, see "Active Sessions

Management" on page 33.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 63

Page 64

Printing Device Details

To print details, receipts, confirmations, or other information for a device, click the device’s row in the Guest Manager Devices list, then click its Print link. The row expands to include the Account Details form and a drop- down list of information that can be printed for the device.

Choosing an option in the Open print window using template drop-down list opens a print preview window and the printer dialog. Options include account details, receipts in various formats, a session expiration alert, and a sponsorship confirmation notice.

Viewing Device Details

l Show Details—The row expands to display all the properties of the device's account in a table. This option

is only available to users whose operator profile includes the Show Details privilege.

Managing Multiple Guest Accounts

Use the Bulk Edit Accounts list view to work with multiple guest accounts. To open the Bulk Edit Accounts list, go to Guest > Manage Multiple Accounts.

This view (guest_multi) may be customized by adding new fields or by modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about this customization process. The default settings for this view are described below.

The Username, Role, State, Activation, Expiration, and Lifetime columns display information about the visitor accounts that have been created:

l The value in the Expiration column is colored red if the visitor account will expire within the next 24 hours.

The expiration time is additionally highlighted in boldface if the visitor account will expire within the next

64 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 65

hour.

l In addition, icons in the Username column indicate the account’s activation status:

n —Visitor account is active

n —Visitor account was created but is not activated yet

n —Visitor account was disabled by Administrator

n —Visitor account has expired

Table 14: Operators supported in filters

Operator Meaning Additional Information

= is equal to You may search for multiple values when using the

equality (=) or inequality !=) operators. To specify multiple

!= is not equal to

values, list them separated by the pipe character ( | ).

> is greater than

>= is greater than or equal to

< is less than

<= is less than or equal to

~ matches the regular expression

!~ does not match the regular

expression

To restore the default view, click the Clear Filter link.

To select guest accounts, click the accounts you want to work with. You may click either the check box or the row to select a visitor account. To select or unselect all visible visitor accounts, click the check box in the header row of the table.

Use the selection row at the top of the table to work with the current set of selected accounts. The number of currently selected accounts is shown. When a filter is in effect, the “All Matching” link can be used to add all pages of the filtered result to the selection.

Use the Create tab to create new visitor accounts using the Create Multiple Guest Accounts form. See

"Managing Multiple Guest Accounts " on page 64 in this chapter for details about this form.

Use the Delete tab to delete the visitor accounts that you have selected. This option is not active if there are no visitor accounts selected.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 65

Page 66

Use the Edit tab to make changes to multiple visitor accounts at once. This option is not active if there are no visitor accounts selected.

The Edit Guest Accounts form may be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about this customization process. This is the guest_multi_form form.

The Results tab will be automatically selected after you have made changes to one or more guest accounts. You can create new guest account receipts or download the updated guest account information. See "Creating

Multiple Guest Account Receipts" on page 47 in this chapter for more information.

The More Options tab includes the Choose Columns command link. You can click this link to open the Configuration module’s CustomizeView Fields form, which may be used to customize the Edit Guest Accounts view.

AirGroup Device Registration

AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. If AirGroup Services is enabled, AirGroup administrators can provision their organization’s shared devices and manage access, and AirGroup operators can register and provision a limited number of their own personal devices for sharing. For complete AirGroup deployment information, refer to the AirGroup sections in the Dell Networking W-Series ArubaOSUser Guide and the W-ClearPass Policy Manager documentation.

66 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 67

Registering Groups of Devices or Services

This functionality is only available to AirGroup administrators.

To register and manage an organization’s shared devices and configure device access, log in as the AirGroup administrator and go to Guest > Create Device. The Register Shared Device form opens.

1. In the Device Name field, enter the name used to identify the device.

2. In the Device Type field, use the drop-down list to select the device type.

3. In the MAC Address field, enter the device’s MAC address.

4. In the Shared Locations field, enter the locations where the device can be shared. To allow the device to be shared with all locations, leave this field blank.

Each location name may not exceed 64 characters. A maximum of 100 location names may be entered. The maximum character limit for the list is 1000 characters (including comma separators).

Each location is entered as a tag=value pair describing the MAC address of the access point (AP) closest to the registered device. Use commas to separate the tag=value pairs in the list. Tag=value pair formats are shown in the following table:

Table 15: Tag=Value Pair Formats

AP Type Tag=Value Format

Name-based AP ap-name=<name>

Group-based AP ap-group=<group>

FQLN-based AP fqln=<fqln>

l AP FQLNs should be configured in the format <ap name>.<floor>.<building>.<campus>

l Floor names should be in the format floor <number>

l The <ap-name> should not include periods ( . )

Example:

AP105-1.Floor 1.TowerD.Mycompany

5. In the Shared With field, enter the usernames of your organization’s staff or students who are allowed to use the device. Use commas to separate usernames in the list.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 67

Page 68

Each username may not exceed 64 characters. A maximum of 100 usernames may be entered. The maximum character limit for the list is 1000 characters (including comma separators).

l If the Share With field is left blank, this device can be accessed by all devices.

l If users are entered in the Shared With field, the device can only be accessed by the specified users.

6. In the Shared Roles field, enter the user roles that areallowed to use the device. Use commas to separate the roles in the list.

Each role name may not exceed 64 characters. A maximum of 100 role names may be entered. The maximum character limit for the list is 1000 characters (including comma separators).

l To make the device available to all roles, leave this field blank.

l If roles are entered in the Shared Roles field, the device can only be accessed by users with matching

roles.

7. Click Register Shared Device. The Finished Creating Guest Account page opens. This page displays Account Details and provides printer options.

To view and edit your organization’s shared AirGroup devices:

1. Go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The AirGroup Devices page opens. This page lists all the shared AirGroup devices for the organization. You can remove a device; edit a device’s name, MAC address, shared locations, shared-user list, or shared roles; print device details; or add a new device.

2. To work with a device, click the device’s row in the list. The form expands to include the Remove, Edit, and

Print options.

68 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 69

3. To edit properties of a shared device, click the Edit link for the device. The row expands to include the Edit Shared Device form. You can modify the device’s name, MAC address, shared locations, group of users, and shared roles.

4. When your edits are complete, click Save Changes.

Registering Personal Devices

This functionality is available to AirGroup operators.

To register your personal devices and define a group who can share them:

1. Log in as the AirGroup operator and go to Guest > Create Device. The Register Device form opens.

2. In the Your Name field, enter your username for your organization.

3. In the Device Name field, enter the name used to identify the device.

4. In the Device Type drop-down list, select the device type.

5. In the MAC Address field, enter the device’s MAC address.

6. In the Shared With field, enter the usernames of your friends or colleagues who are allowed to use the device. Use commas to separate usernames in the list. You may enter up to ten usernames.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 69

Page 70

l If the Shared With field is left blank, this device can only be accessed by devices registered by the same

operator or with a dot1x username that matches the operator’s name.

l If users are entered in the Shared With field, the device can be accessed by the device owner and by the

specified users.

7. Click Register Device. The Finished Creating Guest Account page opens. This page displays Account Details and provides printer options.

To view and edit your personal AirGroup devices, go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The List Device page lets you remove a device; edit a device’s name, MAC address, or shared-user list; print device details; or add a new device.

To view and edit your personal AirGroup devices:

1. Go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The AirGroup Devices page opens. This page lists all your personal AirGroup devices. You can remove a device; edit a device’s name, MAC address, or shared-user list; print device details; or add a new device.

2. To work with a device, click the device’s row in the list. The form expands to include the Remove, Edit, and Print options.

3. To edit properties of a device, click the Edit link for the device. The row expands to include the Edit Device form. You can modify the device’s name, MAC address, and group of users.

70 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 71

4. When your edits are complete, click Save Changes.

AirGroup Time-Based Sharing Syntax Examples

This section provides examples and discussions of syntax for time-based sharing policies for AirGroup shared devices.

For information on using time-based sharing for AirGroup, see "About AirGroup Time-Based Sharing" on page

75. For supplemental time-based syntax information, see "Time-Based Syntax Reference" on page 73.

Example:

periodic Monday 9am to 10am shared users A, B

The device is shared with users A and B, from 9am to 10am every Monday (relative to the server's current time zone). Outside of this time slot, the device is not shared (except as otherwise controlled by AOS).

Example:

periodic Monday 9:00 to 10:30 shared users A, B periodic Monday 12:00 to 13:30 shared users A, B periodic Monday 15:00 to 16:30 shared users C, D

The device is shared with users A and B, from 9am to 10:30am and from noon to 1:30pm every Monday (relative to the server's current time zone). From 3pm to 4:30pm, the device is shared with users C and D.

Outside of these two time slots, the device is not shared.

With periodic, times may be specified either in 24-hour format (hh:mm, from 0:00 to 24:00), or in 12-hour format (hh:mm and am or pm).

Don't specify overlapping time ranges with periodic rules; this can lead to unexpected results.

The synonyms rep, repeat or repeating may also be used in place of period or periodic. All of these terms are treated identically.

Example:

default allow periodic mon 9am to 10am shared users A, B

As in the first example, the device is shared with users A and B, from 9am to 10am every Monday. Outside of this time slot, the device is shared as specified by the other sharing state fields (shared users, locations, roles and/or groups). This is the meaning of the default allow statement.

If default allow is not specified, the normal behavior is default deny, which is the same as in the first example. Note that with default deny in effect, the AirGroup time sharing policy will override any other sharing rules that are specified, for as long as the time sharing policy is in effect.

Two and three-character shortened forms of weekdays are acceptable (e.g. "Mon" or "Mo" can be used for Monday, "Tue" or "Tu" for Tuesday, etc.) Case is not significant in the time sharing policy, so "Mon", "MON", and "mon" are all equivalent ways to specify "Monday".

Example:

default deny not after 01-Feb-2014 periodic mon 9am to 10am shared users A, B

The device is shared with users A and B, from 9am to 10am every Monday. The not after date sets the end of the time sharing policy. Monday, January 27, 2014 is the last day that this time sharing policy will take effect.

After 10am on this date, the time sharing policy is no longer in effect; any other sharing rules that have been specified will then take effect.

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 71

Page 72

Example:

default deny not before 1/1/14 not after 01-Feb-2014 periodic mon 9am to 10am shared users A, B

The device is shared with users A and B, from 9am to 10am every Monday. The not before date sets the beginning of the time sharing policy. In this case, Monday, January 6, 2014 is the first day that this time sharing policy will take effect.

Prior to 9am 6 January 2014, the device is not shared (due to the default deny).

After 10am on 27 January 2014, the time sharing policy is no longer in effect; any other sharing rules that have been specified will then take effect.

Example:

time zone America/Los_Angeles periodic Monday 9am to 10am shared users A, B

The device is shared with users A and B, from 9am to 10am every Monday (relative to the U.S. Pacific time zone). Daylight savings time rules are observed; the time period 9am to 10am is always relative to that time zone.

Example:

periodic mon tue wed thu fri 9am to 10am shared users A, B

The device is shared with users A and B, from 9am to 10am every weekday (Monday, Tuesday, Wednesday, Thursday and Friday).

Example:

periodic weekdays 9am to 10am shared users A, B

weekday or weekdays can be used as a synonym for "Monday Tuesday Wednesday Thursday Friday". Similarly, weekend or weekends can be used as a synonym for "Saturday Sunday".

Example:

on Sep 16 9:00 to 13:00 shared location AP-Name=1341-ap01 shared group ABC shared role SomeRole shared user user02, user03, "user04", 'user05'

The device is shared with a single access point named 1341-ap01, a single group named ABC, a single role named SomeRole, and 4 users named user02,user03, user04, and user05.

Note the quotes are not considered to be part of the user names user04 and user05. (In this case, the quotes are redundant as there is no space or comma that requires quoting.)

No time zone is specified, so the date and time are determined relative to the server's time zone.

No year is specified, so the server's current year is used. In particular, after September 16 of any year, this rule will have no effect until the following year.

Example:

default allow periodic 0:00 to 24:00 shared roles default_role periodic mon 9am to 5pm shared roles other_role

The device is normally shared ("default allow") with a single role named default_role ("periodic 0:00 to 24:00 shared roles default_role").

On Monday from 9am to 5pm, the device is shared with a different role named other_role.

Note that even though the time ranges overlap, the sharing policies are completely distinct; on Mondays from 9am to 5pm, the role default_role will NOT have access to the device, because a different sharing rule

72 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 73

is in effect. (The rule could instead have been written "periodic mon 9am to 5pm shared roles default_role, other_role" if this was the desired result.)

This example shows how to use an overlapping time range: place the most general time range first, with more specific time ranges later. In particular, reversing the order of the periodic statements will not work.

Example:

default deny periodic 9:00 to 22:00 shared roles default_role no periodic thu 9:00 to 17:00 periodic fri 9:00 to 17:00 not shared

This example shows how to share a device with a basic policy, and demonstrates two ways to disable sharing for a subset of the time period.

The device will be shared with a single role named default_role, from 9:00 to 22:00 each day. ("periodic 9:00 to 22:00 shared roles default_role").

On Thursday, the device is not shared between 9:00 and 17:00.

On Friday, the device is not shared between 9:00 and 17:00.

Example:

default allow periodic 9:00 to 22:00 shared roles default_role no periodic thu 9:00 to 17:00 periodic fri 9:00 to 17:00 not shared

This example is similar to the previous example; the device is not shared on Thursday and Friday between 9:00 and 17:00.

The difference is after 22:00 and before 9:00: in the previous example, the device is not shared during this time period, whereas with default allow the other AirGroup sharing rules will take effect (any shared users, roles, groups or locations that have been defined for the device).

Time-Based Syntax Reference

This reference describes the syntax used for time formats in time-based sharing rules. It supplements the examples for AirGroup time-based sharing by user groups discussed in "AirGroup Time-Based Sharing Syntax

Examples" on page 71. For more information on using time-based sharing with AirGroup, see "About AirGroup Time-Based Sharing" on page 75.

The syntax for AirGroup time-based sharing policies supports all the default time-based ACL rules specified in TimeRangeACL. This ACL is a sequence of rules, one per line, according to the following syntax:

l default allow|deny

Specifies the default behavior for unmatched times; this is 'allow' only if no 'periodic' or 'absolute' rules are specified, otherwise it is 'deny'. Use 'default allow' if the remaining rules exclude times, otherwise use 'default deny' if the remaining rules are to include times. This rule may only be used once.

l [time] zone default|server|...

Specifies the time zone to use for matching times and specifying the time of day. If unset, the current time zone setting is used (note that this may vary due to operator and/or profile settings). If the value "default" or "server" is specified, the system's time zone is used. Otherwise, the named time zone is used. This rule may only be used once, and must be before any rules specifying a time interval.

l [not] period(ic) [day-list] hh:mm to [day] hh:mm

Specifies a periodic or daily interval. Recognized days include Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday and 3-letter abbreviations; the tokens "weekends" and "weekdays" may also be

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 73

Page 74

used. Without a day-list, all days of the week are matched. Time may be specified in 12 or 24 hour format, with the special time 24:00 indicating the end of the day.

Example: periodic monday 8:00 to friday 17:00 matches between 8am and 5pm, Monday through

Friday.

Example: periodic weekdays 8:00 to 17:00 specifies the same thing as the example in the previous line.

Example: periodic wed 11am to 11pm matches between 11:00 and 23:00 on a Wednesday.

Example: periodic weekend 0:00 to 24:00 matches any time on a Saturday or Sunday.

Example: periodic saturday sunday 0:00 to 24:00 specifies the same thing as the example in the

previous line.

The 'not' keyword may be specified to invert the allow/deny decision.

Example: default allow; not period 23:00 to 6:00 (on 2 separate lines) allows access, except between

11pm and 6am.

Example: period 6:00 to 23:00 is equivalent to the example in the previous line.

l not before [date-and-time]

Specifies an absolute time before which access will always be rejected.

Example: not before 2010-07-01 09:00 matches after 9am on 1 July 2010.

l not after [date-and-time]

Specifies an absolute time after which access will always be rejected.

Example: not after 2011-01-01 00:00 matches before midnight on New Year's Day 2011.

l [not] abs(olute) [start-date-and-time] to [end-date-and-time]

Specifies a start and end interval. The date and time is a format recognized by strtotime(). Times between the start and end point are matched. The 'not' keyword may be specified to invert the allow/deny decision.

Example: absolute December 25 to December 26 matches all day on Christmas Day each year. (This does

not match on December 26 as midnight on this date is the endpoint of the interval.)

A blank time ACL means "all times are allowed".

The following examples give common usage:

l 8:00 to 18:00 - allows access 8am to 6pm, every day, but not outside those times

l weekdays 9am to 5pm - allows access 9am to 5pm, Monday through Friday, but not outside those times

l weekdays 9am to 5pm

weekends 10am to 4pm - allows access 9am to 5pm, Monday through Friday, with reduced hours on

Saturday and Sunday

Annual recurrences may be specified:

l weekdays 9am to 5pm

not absolute December 25 to December 26 - allows access 9am to 5pm, Monday through Friday, but not

on Christmas Day

Less common cases:

l default allow

not 23:00 to 6:00 - allows access, except between 11pm and 6am daily

l 9:00 to 18:00

not before 2010-02-01 - allows daily access between 9am and 6pm, starting on February 1, 2010

74 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 75

l time zone Etc/GMT

9:00 to 18:00 not before 2010-02-01 - allows daily access between 9am and 6pm, starting on February 1, 2010, in the

GMT time zone (useful if server is in a different time zone)

About AirGroup Time-Based Sharing

This section discusses time-based sharing policies for an AirGroup shared device.

For information on the syntax for time-based sharing policies for a AirGroup shared devices, see "AirGroup

Time-Based Sharing Syntax Examples" on page 71

Time-based sharing is used in settings where an organization's shared devices are madeavailable to groups of users according to a regular schedule, and device access is configured by group at the user level—for example:

l A university classroom or laboratory is used by a first-year physics class on Mondays, Wednesdays, and

Fridays, by a group of researchers on Tuesdays and Thursdays, and for visiting speakers every other Saturday.

l A convention center has several major exhibitors who each hold an annual event, and who reserve their

customary section of the convention center several years in advance.

In cases like this, you can enter rules to define the schedule on which shared devices in an area will be available to certain groups. You can also specify times when a device will not be available. This is a time-based sharing policy.

Device association is dynamic: When a shared device is available to a group, any user with that group attribute can access the device. When the user is no longer a member of the group (for example, at the end of the semester), they no longer have access, but the time-based sharing policy remains in effect and new users who areassigned the group attribute can access the shared device.

Basics of Time-Based Sharing Setup

When you create a device, enable it for AirGroup Services, and configure it as a shared device, you also have the option to specify time-based sharing (time fencing) for the device.

You first use the Administration > AirGroup Services >Configure form to create the groups who can share devices. When you type a name for the group in the Group Name field, press the Enter key, and click Save, the group is created in the system and appears as a "tag".

On the Guest > Create Device or Guest > List Devices >Edit forms, the shared user groups you created arethen available for selection when you click in the Shared Groups field. (This feature requires AOS 6.4 or later)

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 75

Page 76

On the same screen, the next step is then to enter the rules for the time-based sharing policy, using the group names you created. For more information, see"AirGroup Time-Based Sharing Syntax Examples" on page 71

MAC Authentication in W-ClearPass Guest

W-ClearPass Guest supports a number of options for MAC Authentication and the ability to authenticate devices.

The advanced features described in this section generally require a WLAN capable of MAC authentication with captive portal fallback. Please refer to your WLAN documentation for setting up the controller appropriately.

To verify that you have the most recent MAC Authentication Plugin installed and enabled before you configure these advanced features, go to Administration > Plugin Manager . For information on plugin management, see "Plugin Manager" on page 444.

MAC Address Formats

Different vendors format the client MAC address in different ways—for example:

l 112233AABBCC

l 11:22:33:aa:bb:cc

l 11-22-33-AA-BB-CC

W-ClearPass Guest supports adjusting the expected format of a MAC address. To configure formatting of separators and case in the address, as well as user detection and device filtering for views, go to Administration > Plugin Manager and click the Configuration link for the MAC Authentication plugin. The MAC Authentication Configuration page opens.

Figure 8 MAC Authentication Plugin—Configuration

On the controller, the fields look as follows:

Figure 9 MAC Authentication Profile

Automatically Registering MAC Devices in W-ClearPass Policy Manager

If W-ClearPass Policy Manager is enabled, you can configure a guest MAC address to be automatically registered as an endpoint record in W-ClearPass Policy Manager when the guest uses a Web login page or a

76 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 77

guest self-registration workflow. This customization option is available if a valid Local or RADIUS preauthentication check was performed.

To configure auto-registration for an address through a Web login page:

1. Go to Configuration > Pages > Web Logins, click the row of the page you wish to configure, then click its Edit link. The RADIUS Web Login Editor form opens.

2. Scroll down to the Post-Authentication area.

3. In the Policy Manager row, mark the check box to register the guest’s MAC address with W-ClearPass Policy Manager. The Advanced row is added to the form.

4. In the Advanced row, mark the check box to enable advanced options in W-ClearPass Policy Manager. The Endpoint Attributes row is added to the form.

5. In the Endpoint Attributes row, enter name|value pairs for the user fields and Endpoint Attributes to be passed.

6. Click Save Changes to complete this configuration and continue with other tasks, or click Save and

Reload to proceed to Policy Manager and apply the network settings.

Importing MAC Devices

The standard Guest > Import Accounts form supports importing MAC devices. At a minimum the following two columns are required: mac and mac_auth.

mac_auth,mac,notes 1,aa:aa:aa:aa:aa:aa,Device A 1,bb:bb:bb:bb:bb:bb,Device B 1,cc:cc:cc:cc:cc:cc,Device C

Any of the other standard fields can be added similar to importing regular guests.

Advanced MAC Features

This section describes some advanced features for MAC authentication.

User Detection on Landing Pages

When mac is passed in the redirect URL, the user is detected and a customized message displays on the landing page.

To use this feature:

1. Go to Administration > Plugin Manager: MAC Authentication: Configuration and enable MAC Detect.

2. Edit the header of your redirect landing page (login or registration) and include the following:

<p>{if $guest_receipt.u.visitor_name} Welcome back to the show, {$guest_receipt.u.visitor_name|htmlspecialchars}!

Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Manager | 77

Page 78

{else} Welcome to the show! {/if}</p>

3. For debugging purposes, include the following to see all the fields available:

{dump var=$guest_receipt export=html}

Click-Through Login Pages

A click-through login page will present a splash or terms screen to the guest, yet still provide MAC-auth style seamless authentication. Under this scenario, you could have people create an account, with a paired MAC, yet still have them click the terms and conditions on every new connection.

To use this feature:

1. Disable MAC authentication on the controller.

2. Go to Administration > Plugin Manager: MAC Authentication: Configuration and enable MAC Detect.

3. Create a Web Login. Include the following settings:

l Authentication: Anonymous

l Anonymous User: _mac (_mac is a special secret value)

l Pre-Auth Check: Local

l Terms: Require a Terms and Conditions confirmation

4. Set the Web login as your landing page and test. Using a registered device the 'Log In' button should be enabled, otherwise it will be disabled.

5. You might also want to add a message so visitors get some direction:

<p>{if $guest_receipt.u.username} {if $guest_receipt.u.visitor_name} Welcome back, {$guest_receipt.u.visitor_name|htmlspecialchars}! {else} Welcome back. {/if}

Please accept the terms before proceeding. {else} You need to register... {/if}</p>

6. You can hide the login form by having the final line of the header be:

{if!$guest_receipt.u.username}<div style="display:none">{/if}

and the first line of the footer be:

{if!$guest_receipt.u.username}</div>{/if}

78 | W-ClearPass Guest Manager Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 79

Chapter 4

Onboard

Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate access credentials and setting up the network connection parameters. W-ClearPass Onboard automates

802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices across wired, wireless, and virtual private networks (VPNs).

W-ClearPass Onboard includes the following key features:

l Automatic configuration of network settings for wired and wireless endpoints

l Provisioning of unique device credentials for BYOD and IT-managed devices

l Support for Windows, Mac OS X, iOS, and Android devices

l Ability to revoke unique credentials on a specific user's device

l W-ClearPass Profile for identifying device type, manufacturer, and model

Accessing Onboard

To access the device provisioning features of W-ClearPass Onboard, click the Onboard link in the left navigation.

Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 79

Page 80

About W-ClearPass Onboard

Dell Networking W-ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices—Windows, Mac OS X, iOS and Android—across wired, wireless, and virtual private networks (VPNs).

W-ClearPass Onboard includes the following key features:

l Automatic configuration of network settings for wired and wireless endpoints.

l Provisioning of unique device credentials for BYOD and IT-managed devices.

l Support for Windows, Mac OS X, iOS, and Android devices.

l Enables the revocation of unique credentials on a specific user’s device.

l Leverages W-ClearPass Profile to identify device type, manufacturer, and model.

This section provides the following important information about Dell Networking W-ClearPass Onboard:

l "Onboard Deployment Checklist " on page 81

l "Onboard Feature List " on page 83

l "Supported Platforms" on page 84

l "Public Key Infrastructure for Onboard" on page 85

l "Revoking Unique Device Credentials" on page 86

l "Network Requirements for Onboard" on page 87

80 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 81

l "Network Architecture for Onboard" on page 89

l "TheW-ClearPass Onboard Process" on page 91

l "Configuring the User Interface for Device Provisioning" on page 95

l "Onboard Troubleshooting" on page 96

Onboard Deployment Checklist

Table 16 lists planning, configuration, and testing procedures. Use this checklist to complete your Onboard

deployment.

Onboard events are stored in the Application Log for seven days by default. After seven days, significant runtime events are listed in the Audit Viewer in Dell Networking W-ClearPass Policy Manager’s Monitoring module. Onboard events that are listed include:

l Changing the CA certificate

l Issuing a new certificate

l Signing a certificate signing request

l Revoking a certificate

l Deleting a certificate

l Importing a trusted certificate

l Uploading a code-signing or other certificate

Table 16: Onboard Deployment Checklist

Deployment Step Reference

Planning and Preparation

Review the Onboard feature list to identify the major areas of interest for your deployment.

Review the list of platforms supported by Onboard, and identify the platforms of interest for your deployment.

Review the Onboard public key infrastructure, and identify any certificate authorities that will be needed during the deployment.

Review the network requirements and the network architecture diagrams to determine how and where to deploy the Onboard solution.

Configuration

Configure the hostname and networking properties of the Onboard provisioning server.

l DNS is required for SSL. l Ensure that hostname resolution will work for devices being

provisioned.

"Onboard Feature List " on page 83

"Supported Platforms" on page 84

"Public Key Infrastructure for Onboard" on page 85

Refer to the W-ClearPass Policy Manager documentation, and "Network Architecture

for Onboard" on page 89 in this chapter

Refer to the W-ClearPass Policy Manager documentation

Configure SSL certificate for the Onboard provisioning server. A commercial SSL certificate is required to enable secure device

Refer to the W-ClearPass Policy Manager documentation

provisioning for iOS devices.

Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 81

Page 82

Deployment Step Reference

Configure the Onboard certificate authority.

l Decide whether to use the Root CA or Intermediate CA mode of

operation.

Create the certificate for the certificate authority.

Configure device provisioning settings.

l Select certificate options for device provisioning.

Select which device types should be supported.

Configure network settings for device provisioning.

l Set network properties. l Upload 802.1X server certificates.

Set device-specific networking settings.

Configure networking equipment for non-provisioned devices.

l Set authentication for the provisioning SSID, if required.

Ensure the captive portal redirects non-provisioned devices to the device provisioning page.

Configure networking equipment to authenticate provisioned devices.

l Ensure 802.1X authentication methods and trust settings are

configured correctly for all EAP types that are required. Configure OCSP or CRL on the authentication server to check for client certificate validity.

Configure the user interface for device provisioning.

l Set display options for iOS devices. l Set user interface options for other W-Onboard devices.

Setup the device provisioning Web login page.

"Certificate Authorities " on page 97

"About Configuring Provisioning Settings " on page 169

"Network Settings " on page 130

"Network Requirements for Onboard" on page 87

"Configuring the User Interface for Device Provisioning" on page 95

Testing and Verification

Test device provisioning.

l Verify that each type of device can be provisioned successfully.

Verify that each type of device can join the provisioned network and is authenticated successfully.

Test device revocation.

l Revoke a device’s certificate. l Verify that the device is no longer able to authenticate.

Verify that re-provisioning the device fails.

82 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 83

Onboard Feature List

The following features are available in Dell Networking W-ClearPass Onboard.

Table 17: OnboardFeatures

Feature Uses

Automatic configuration of network settings for wired and wireless endpoints.

Secure provisioning of unique device credentials for BYOD and IT-managed devices.

Support for Windows, Mac OS X, iOS, and Android devices.

Certificate authority enables the creation and revocation of unique credentials on a specific user’s device.

l Configure wired networks using 802.1X l Configure Wi-Fi networks using either 802.1X or pre-shared key

(PSK)

l Configure trusted server certificates for 802.1X l Configure Windows-specific networking settings l Configure HTTP proxy settings for client devices (Android, OS X

only)

l Configure EAP-TLS and PEAP-MSCHAPv2 without user

interaction

l Revoke unique device credentials to prevent network access

l Leverage ClearPass Profiling to identify device type,

manufacturer, and model

l Control the user interface displayed during device provisioning

l Root and intermediate CA modes of operation l Supports SCEP enrollment of certificates l Supports CRL generation to list revoked certificates l Supports OCSP responder to query for certificate status l Approve certificate signing request l Reject certificate signing request l Sign certificate from uploaded certificate signing request (CSR) l Issue certificate l Revoke certificate l Display certificates l Export certificate l Renew root certificate

Provision additional settings specific to iOS devices

l Exchange ActiveSync l Passcode policy l VPN settings

Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 83

Page 84

Supported Platforms

The platforms supported by Dell Networking W-ClearPass Onboard and the version requirements for each platform are summarized in the following table.

Table 18: Platforms Supported by W-ClearPass Onboard

Platform Example Devices Version Required for Onboard Support Notes

Apple iOS iPhone

iPad iPod Touch

Apple Mac OS X MacBook Pro

MacBook Air

Android Samsung Galaxy S

Samsung Galaxy Tab Motorola Droid

Microsoft Windows Laptop

Netbook

Note 1: Uses the “Over-the-air provisioning” method. Note 2: Uses the “Onboard provisioning” method. Note 3: Onboard may also be used to provision VPN settings, Exchange ActiveSync settings, and passcode policy on these

devices.

iOS 4 iOS 5

Mac OS X 10.8 “Mountain Lion” Mac OS X 10.7 “Lion”

Mac OS X 10.6 “Snow Leopard” Mac OS X 10.5 “Leopard”

Android 2.2 (or higher) 2

Windows XP with Service Pack 3 Windows Vista with Service Pack 3 Windows 7 Windows 8 Windows 8.1

1, 3

84 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 85

Public Key Infrastructure for Onboard

During the device provisioning process, one or more digital certificates are issued to the device. These are used as the unique credentials for a device. To issue the certificate, Dell Networking W-ClearPass Onboard must operate as a certificate authority (CA). The following sections explain how the certificate authority works, and which certificates are used in this process.

Certificate Hierarchy

In a public key infrastructure (PKI) system, certificates are related to each other in a tree-like structure.

Figure 10 Relationship of Certificates in the Onboard Public Key Infrastructure

The root certificate authority (CA) is typically an enterprise certificate authority, with one or more intermediate CAs used to issue certificates within the enterprise.

Onboardmay operate as a root CA directly, or as an intermediate CA. See "Certificate Authorities " on page 97. For information on setting up certificates when using Onboard in a cluster, see "Certificate Configuration in a

Cluster " on page 86.

The Onboard CA issues certificates for several purposes:

l The Profile Signing Certificate is used to digitally sign configuration profiles that are sent to iOS devices.

n The identity information in the profile signing certificate is displayed during device provisioning.

l One or more Server Certificates may be issued for various reasons – typically, for an enterprise’s

authentication server.

n The identity information in the server certificate may be displayed during network authentication.

l One or more Device Certificates may beissued – typically, one or two per provisioned device.

n The identity information in the devicecertificate uniquely identifies the device and the user that

provisioned the device.

You do not need to manually create the profile signing certificate; it is created when it is needed See

"Configuring Provisioning Settings for iOS and OS X" on page 176 to control the contents of this certificate.

Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 85

Page 86

You may revoke the profile signing certificate. It will be recreated when it is needed for the next device provisioning attempt.

Certificate Configuration in a Cluster

When you use Onboard in a cluster, you must use one common root certificate authority (CA) to issue all CPPM server certificates for the cluster. This allows the “verified” message in iOS and lets you verify that the CPPM server certificate is valid during EAP-PEAP or EAP-TLS authentication.

In a cluster of CPPM servers, devices can be onboarded through any node or authenticated through any node. Each CPPM server has a different certificate, used for both SSL and RADIUS server identity. In the default configuration, these are self-signed certificates—that is, they are not issued by a root CA. This configuration of multiple self-signed certificates will not work for Onboard: Although a single self-signed certificate can be trusted, multiple self-signed certificates are not.

There are two ways to configure a common root CA to issue all the CPPM server certificates for a cluster:

l Use the Onboard certificate authority. Create a certificate signing request on each CPPM node, sign the

certificates using Onboard, and install them in CPPM. You can then onboard devices on any node in the cluster, and can perform secure EAP authentication from a provisioned device to any node in the cluster.

l Use a commercial certificate authority to issue CPPM server certificates. Verify that the same root CA is at

the top of the trust chain for every server certificate, and that it is the trusted root certificate for Onboard. Provisioning and authentication will then work across the entire cluster.

Revoking Unique Device Credentials

Because each provisioned device uses unique credentials to access the network, it is possible to disable network access for an individual device. This offers a greater degree of control than traditional user-based authentication — disabling a user’s account would impact all devices using those credentials.

To disable network access for a device, revoke the TLS client certificate provisioned to the device. See"Working

with Certificates in the List" on page 116.

Revoking access for a device is only possible when using an enterprise network. Personal (PSK) networks do not support this capability.

Revoking Credentials to Prevent Network Access

Revoking a device's certificate will cause the device to be unable to authenticate. It will not prevent it from being reprovisioned. If you wish to deny access to a device, use the Manage Access link in the device's row on the Onboard >Management and Control > View by Device form.

If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate authority to update the certificate’s state. When the certificate is next used for authentication, it will be recognized as a revoked certificate and the device will be denied access.

When using EAP-TLS authentication, you must configure your authentication server to use either OCSP or CRL to check the revocation status of a client certificate. OCSP is recommended as it offers a real-time status update for certificates. If the device is provisioned with PEAP unique device credentials, revoking the certificate will automatically delete the unique username and password associated with the device. When this username is next used for authentication, it will not be recognized as valid and the device will be denied access.

OCSP and CRL are not used when using PEAP unique device credentials. The ClearPass Onboard server automatically updates the status of the username when the device's client certificate is revoked.

86 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 87

Re-Provisioning a Device

Because “bring your own” devices arenot under the complete control of the network administrator, it is possible for unexpected configuration changes to occur on a provisioned device.

For example, the user may delete the configuration profile containing the settings for the provisioned network, instruct the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all the configuration on the device.

When these events occur, the user will not be able to access the provisioned network and will need to reprovision their device.

The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action (such as connecting to the appropriate network). If this is not possible, the user may choose to restart the provisioning process and re-provision the device.

Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these credentials are still valid.

If the TLS client certificate has expired then the device will be issued a new certificate. This enables reprovisioning to occur on a regular basis.

If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked certificate must be deleted before the device is able to be provisioned.

Network Requirements for Onboard

To achieve complete functionality, Dell Networking W-ClearPass Onboard has certain requirements that must be met by the provisioning network and the provisioned network:

l The provisioning network must use a captive portal or other method to redirect a new device to the device

provisioning page.

l The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be

provisioned. In practice, this means a commercial SSL certificate is required.

l The provisioned network must support EAP-TLS and PEAP-MSCHAPv2 authentication methods.

l The provisioned network must support either OCSP or CRL checks to detect when a device has been

revoked and deny access to the network.

Using Same SSID for Provisioning and Provisioned Networks

To configure a single SSID to support both provisioned and non-provisioned devices, use the following guidelines:

l Configure the network to use both PEAP and EAP-TLS authentication methods.

l When a user authenticates via PEAP with their domain credentials, place them into a provisioning role.

l The provisioning role should have limited network access and a captive portal that redirects users to the

device provisioning page.

l When a user authenticates via PEAP with unique device credentials, place them into a provisioned role.

l When a user authenticates via EAP-TLS using an Onboard client certificate, place them into a provisioned

role.

For provisioned devices, additional authorization steps can be taken after authentication has completed to determine the appropriate provisioned role.

Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 87

Page 88

Using Different SSID for Provisioning and Provisioned Networks

To configure dual SSIDs to support provisioned devices on one network, and non-provisioned devices on a separate network, use the following guidelines:

l Configure the provisioning SSID to use PEAP, or another suitable authentication method.

l When a user connects to the provisioning SSID, place them into a provisioning role.

n The provisioning role should have limited network access and a captive portal that redirects users to the

device provisioning page.

l When a user connects to the provisioned SSID, authenticate based on the type of credentials presented.

n For PEAP authentication with unique device credentials, place them into a provisioned role.

n For EAP-TLS authentication using an Onboard client certificate, place them into the provisioned role.

n In all other cases, deny access.

As for the single-SSID case, additional authorization steps may be taken after authentication has completed to determine the appropriate provisioned role.

Configuring Online Certificate Status Protocol

Onboard supports the Online Certificate Status Protocol (OCSP) to provide a real-time check on the validity of a certificate.

To configure OCSP for your network, you will need to provide the URL of an OCSP service to your network equipment. This URL can be constructed by using the relative path mdps_ocsp.php/1.

For example, if the Onboard server’s hostname is onboard.example.com, the OCSP URL to use is: http://onboard.example.com/guest/mdps_ocsp.php/1.

OCSP does not require the use of HTTPS and can be configured to use HTTP.

Configuring Certificate Revocation List (CRL)

Onboard supports generating a Certificate Revocation List (CRL) that lists the serial numbers of certificates that have been revoked.

To configure a CRL, you will need to provide its URL to your network equipment. This URL can be constructed by using the relative path mdps_crl.php?id=1.

For example, if the Onboard server’s hostname is onboard.example.com, the location of the CRL is: http://onboard.example.com/guest/mdps_crl.php?id=1.

A certificate revocation list does not require the use of HTTPS and can be configured to use HTTP.

88 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 89

Network Architecture for Onboard

The high-level network architecture for the Onboard solution is shown in the following figure.

Figure 11 ClearPass Onboard Network Architecture

The sequence of events shown in Figure11 is:

1. Users bring their own device to the enterprise.

2. The Dell Networking W-ClearPass Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction.

3. After it is provisioned, the device re-authenticates to the network using a set of unique device credentials. These credentials uniquely identify the device and user and enable management of provisioned devices.

4. Administrators can configure all aspects of the provisioning workflow – including the devices that have been provisioned, policies to apply to devices and the overall user experience for BYOD.

A more detailed view of the network architecture is shown in Figure 12. This diagram shows different types of client devices using the Onboard workflow to gain access to the network. Some of the components that may be configured by the network administrator are also shown.

Figure 12 Detailed View of the W-ClearPass Onboard Network Architecture

Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 89

Page 90

The components shown in Figure 12 are:

1. Users bring different kinds of client device with them. Onboard supports “smart devices” that use the iOS or Android operating systems, such as smartphones and personal tablets. Onboard also supports the most common versions of Windows and Mac OS X operating systems found on desktop computers, laptops and netbooks.

2. The Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction. The provisioning method used depends on the type of device.

a. Newer versions of Mac OS X (10.7 and later) and iOS devices use the “over-the-air” provisioning method.

b. Other supported platforms use the “Onboard provisioning” method.

3. After it is provisioned, a client device uses a secure authentication method based on 802.1X and the capabilities best supported by the device.

a. The unique device credentials issued during provisioning are in the form of an EAP-TLS client certificate

for iOS devices and OS X (10.7+) devices.

b. Other supported devices are also issued a client certificate, but will use the PEAP-MSCHAPv2

authentication method with a uniqueusername and strong password.

4. Administrators can manage all Onboard devices using the certificate issued to that device.

Network Architecture for Onboard when Using W-ClearPass Guest

W-ClearPass Guest supports the provisioning, authentication, and management aspects of the complete Onboard solution. Figure 13 shows the high-level network architecture for the Onboard solution when using ClearPass Guest as the provisioning and authentication server.

Figure 13 W-ClearPass Onboard Network Architecture when Using W-ClearPass Guest

90 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 91

The user experience for device provisioning is the same in Figure 13 and Figure 11, however there are implementation differences between these approaches.

The W-ClearPass Onboard Process

Devices Supporting Over-the-Air Provisioning

Dell Networking W-ClearPass Onboard supports secure device provisioning for iOS 4, iOS 5, and recent versions of Mac OS X (10.7 “Lion” and later). These are collectively referred to as “iOS devices”. The Onboard process for iOS devices is shown in Figure 14.

Figure 14 Onboard Process for iOS Devices

The W-Onboard process is divided into three stages:

1. Pre-provisioning. The enterprise’s root certificate is installed on the iOS device.

2. Provisioning. The user is authenticated at the device provisioning page and then provisions their device with the Onboard server. The device is configured with appropriate network settings and a device-specific certificate.

3. Authentication. After configuration is complete, the user switches to the secure network and is authenticated using an EAP-TLS client certificate.

A sequence diagram showing the interactions between each component of this workflow is shown in Figure 15.

Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 91

Page 92

Figure 15 Sequence Diagram for the W-Onboard Workflow on iOS Platform

1. When a BYOD device first joins the provisioning network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page.

2. A link on the mobile device provisioning page prompts the user to install the enterprise’s root certificate. Installing the enterprise’s root certificate enables the user to establish the authenticity of the provisioning server during device provisioning.

3. The user then authenticates with their provisioning credentials – these are typically the user’s enterprise credentials from Active Directory. If the user is authorized to provision a mobile device, the over-the-air provisioning workflow is then triggered (see Figure 16, below).

4. After provisioning has completed, the device switches to EAP-TLS authentication using the newly provisioned client certificate. Mutual authentication is performed (the authentication server verifies the client certificate, and the client verifies the authentication server’s certificate).

5. The device is now onboard and is able to securely access the provisioned network.

Over-the-air provisioning is used to securely provision a device and configure it with network settings. Figure

16 shows a sequencediagram that explains the steps involved in this workflow.

Figure 16 Over-the-Air Provisioning Workflow for iOS Platform

92 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 93

1. The only user interaction required is to accept the provisioning profile. This profile is signed by the Onboard server, so that the user can be assured of its authenticity.

2. An iOS device will have two certificates after over-the-air provisioning is complete:

a. A Simple Certificate Enrollment Protocol (SCEP) certificate is issued to the device during the provisioning

process. This certificate identifies the device uniquely, and is used to encrypt the device configuration profileso that only this device can read its unique settings.

b. A Transport Layer Security (TLS) client certificate is issued to the device. This certificate identifies the

device and the user that provisioned the device. It is used as the device’s network identity during EAPTLS authentication.

Devices Supporting Onboard Provisioning

Dell Networking W-ClearPass Onboard supports secure device provisioning for Microsoft Windows XP (service pack 3 and later), Microsoft Windows Vista, Microsoft Windows 7, Apple Mac OS X 10.5 and 10.6, and Android devices (smartphones and tablets). These are collectively referred to as “Onboard-capable devices”. The Onboard process for these devices is shown in Figure 17.

Figure 17 W-ClearPass Onboard Process for Onboard-Capable Devices

The Onboard process is divided into three stages:

1. Pre-provisioning. This step is only required for Android devices; the W-Series QuickConnect app must be installed for secure provisioning of the device.

2. Provisioning. The device provisioning page detects the devicetype and downloads or starts the QuickConnect app. The app authenticates the user and then provisions their device with the Onboard server. The device is configured with appropriate network settings and credentials that are unique to the device. See Figure 18 for details.

3. Authentication. After configuration is complete, the user switches to the secure network and is authenticated using PEAP-MSCHAPv2 unique device credentials.

Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 93

Page 94

Figure 18 Sequence Diagram for the Onboard Workflow on Android Platform

1. When a BYOD device first joins the network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page.

2. The Onboard portal is displayed. The user’s device type is detected, and a link is displayed depending on the device type:

a. For Android devices, the link is to a file containing the Onboard configuration settings; downloading this

file will launch the QuickConnect app on the device.

b. For Windows and Mac, the link is to a executable file appropriate for that operating system that includes

both the QuickConnect app and the Onboard configuration settings.

3. The QuickConnect app uses the Onboard provisioning workflow to authenticate the user and provision their device with the Onboard server. The device is configured with appropriate network settings and credentials that are unique to the device.

4. After provisioning has completed, the app switches the device to PEAP authentication using the newly provisioned unique device credentials. Mutual authentication is performed (the authentication server verifies the client’s username and password, and the client verifies the authentication server’s certificate).

5. The device is now onboard and is able to securely access the network.

94 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 95

The Onboard provisioning workflow is used to securely provision a device and configure it with network settings. Figure 19 shows a sequence diagram that explains the steps involved in this workflow.

Figure 19 Onboard Provisioning Workflow in the QuickConnect App

Configuring the User Interface for Device Provisioning

The user interface for device provisioning can be customized in three different ways:

l Customizing the Web login page used for device provisioning.

All devices will reach the device provisioning Web login page as the first step of the provisioning process. See

"Configuring Provisioning Settings for the Web Login Page" on page 174 to make changes to the content or

formatting of this page.

l Customizing the properties of the device provisioning profile for iOS and OS X devices.

After starting the provisioning process, users of iOS and OS X are prompted to accept a configuration profile. See "Configuring Provisioning Settings for iOS and OS X" on page 176 to make changes to the content of this profile.

l Customizing the user interface of the QuickConnect app for Windows, Mac OS X, and Android devices.

The provisioning process for Windows, Mac OS X, and Android devices uses a separate app, which has a customizable user interface. See "Configuring Options for Onboard Client Devices" on page 184 to make changes to the user interface.

Using the {nwa_mdps_config} Template Function

Certain properties can be extracted from the Onboard configuration and used in the device provisioning page.

To obtain these properties, use the {nwa_mdps_config} Smarty template function. The “name” parameter specifies which property should be returned, as described in Table 19.

Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 95

Page 96

Table 19: Properties Available with the (nwa_mdps_config Smarty Template Function

Name Description

root_cert URL of the Onboard certificate authority’s root certificate.

Browsing to this URL will install the root certificate on the device, which is required as part of the pre-provisioning step. Example:

<a href="{nwa_mdps_config name=root_cert}"> Install Onboard root

certificate</a>

wifi_ssid Name of the wireless network. See "Configuring Basic Network Access Settings "

on page 131.

Example: Connect to the network named {nwa_mdps_config name=wifi_ssid}

organization_name The organization name. See "Configuring Basic Provisioning Settings" on page

170.

Example:

<h2> Welcome to {nwa_mdps_config name=organization_name}</h2>

Onboard Troubleshooting

If you encounter a problem that is not listed here, refer to the "Onboard Deployment Checklist " on page 81 and check each of the configuration steps listed there.

iOS Device Provisioning Failures

Symptom: Device provisioning fails on iOS with the message “The server certificate for https://… is invalid”.

Resolution: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate.

Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate authority, will cause iOS device provisioning to fail with the message “The server certificate for … is invalid”.

96 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 97

A workaround for this issue is to install an appropriate root certificate on the iOS device. This root certificate must be the Web server’s SSL certificate (if it is a self-signed certificate), or the certificate authority that issued the SSL certificate. This is not recommended for production deployments as it increases the complexity of deployment for users with iOS devices.

Hostname-to-Certificate Match Failures

Symptom: Device provisioning fails with the message "Onboard provisioning cannot be performed at this

address. If your were directed here, please contact a network administrator."

This occurs if the hostname used to access CPPM does not match the hostname configured in the CPPM server certificate. These items must match or device provisioning will fail. This error is detected by Onboard and results in the above message.

Resolution: To correct the problem, ensure that the DNS is correctly configured for the server, ensure that the hostname is correctly set, and ensure that the server's certificate contains the correct hostname.

Onboard Interface Not Displayed

If Onboard is not visible in the ClearPass Guest user interface, verify whether Public Facing Enterprise (PFE) mode is set in ClearPass Policy Manager. If PFE mode is enabled, Onboard is not permitted and Onboard licenses cannot be added. The PFE mode is enabled or disabled in CPPM on the Mode tab at Administration

> Server Manager > Server Configuration > Cluster-Wide Parameters.

Certificate Renewal through OS X Mavericks

OS X Mavericks allows users to renew certificates automatically, and provides a notice and an Update link in the Mavericks Profile fifteen days before a certificate expires. Onboard supports certificate renewal through OS X Mavericks. However, only local certificates can be renewed; ADCS is not supported. Also, certificates that have been revoked cannot be renewed.

Certificate Authorities

You can create and manage multiple certificate authorities for Onboard. To view and work with the list of certificate authorities and to configure new certificate authorities, go to Onboard >Certificate Authorities. The Certificate Authorities list view opens. All certificate authorities that have been set up are included in the list. Information shown for each certificate authority includes its name, mode, status, expiration time, and OCSP URL.

You can click a certificate authority's row in the list for additional options:

l To view details for a certificate authority, click its Show Details link. The form expands to show a summary

of the settings defined for it, including information for certificate issuing, retention policy, identity, private key, and self-signed certificate.

l To edit any of a certificate authority's attributes and configure certificate issuing options, click its Edit link.

The Certificate Authority Settings form opens. See "Editing Certificate Authority Settings" on page 101.

Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 97

Page 98

l To create a copy of a certificate authority configuration to use as a basis for a new certificate authority, click

its Duplicate link. The first page of the Certificate Authority Settings form opens with the identity, private key, and self-signed certificate attributes prepopulated and "Copy" appended to the name. You can rename the new certificate authority and edit any of its attributes.

l To delete a certificate authority, you can click its Delete link. You will be asked to confirm the deletion

before it commits.

l To see if the certificate authority is currently used, click its Show Usage link. The form expands to show a

list of provisioning sets that use the certificate authority.

l To view the trust chain for the certificate authority, click its Trust Chain link. The Certificate Authority Trust

Chain page opens. See "The Trust Chain and Uploading Certificates for the CA " on page 128.

l To view a list of certificates associated with the certificate authority, click its Certificates link. The Certificate

Management page opens. See "Certificate Management (View by Certificate) " on page 115.

l To renew the certificate authority, click its Renew link. If it is an intermediate certificate authority, the

Intermediate Certificate Renewal page opens, where you can send a certificate signing request; see

"Requesting a Certificate for the Certificate Authority" on page 105. If it is a root certificate authority, the

row expands to include the Root Certificate Renewal option. Click the Renew Root Certificate button.

Renewing the certificate uses the same private key for the root certificate, but reissues the root CA certificate with an updated validity period. This will maintain the validity of all certificates issued by the CA. When you renew a certificate, you should distribute a new copy of the root certificate to all users of that certificate.

l To delete a certificate authority's client certificates, click its Delete Client Certificates link. The row

expands to include the Delete Client Certificates form. To confirm the deletion, you must mark the Reset the specified items check box in the Confirm Reset field, and then click the Delete Client Certificates

button. Doing so will permanently delete all client certificates for the certificate authority. This action cannot be reversed.

l To create a new certificate authority, click the Create new certificate authority link in the upper right

corner. The initial setup page of the Certificate Authority Settings form opens. See the next section,

"Creating a New Certificate Authority" on page 98.

Creating a New Certificate Authority

The first page of the Certificate Authority Settings form is used to create the Onboard certificate authority (CA) and to configure some basic properties:

l Give it a name and description

l Specify root CA, intermediate CA, or local CA mode

98 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide

Page 99

l Configure the identity, private key, and self-signed certificate attributes

To create an Onboard certificate authority:

1. Go to Onboard >Certificate Authorities, and then either click the Duplicate link for a certificate authority in the Certificate Authorities list or click the Create new certificate authority link. The initial setup page of the Certificate Authority Settings form opens.

2. In the Name field, give the CA a short name that identifies it clearly. Certificate authority names can include spaces. If you are duplicating a CA, the original name has "Copy" appended to it. You may highlight the name and replace it with a new name.

3. In the Description field, briefly describe the CA. This description is shown in the Certificate Authorities list.

The Name and Description fields are used internally to identify this certificate authority for the network administrator. These values are never displayed to the user during device provisioning.

4. The mode is used to set up the mode of operation for the certificate authority. In the Mode area, click one of the descriptions to specify the type of certificate authority:

l Root CA—The Onboard certificate authority issues its own root certificate. The certificate authority

issues client and server certificates using a local signing certificate, which is an intermediate CA that is subordinate to the root certificate. Use this option when you do not have an existing public-key infrastructure (PKI), or if you want to completely separate the certificates issued for Onboard devices from your existing PKI.

Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 99

Page 100

l Intermediate CA—The Onboard certificate authority is issued a certificate by an external certificate

authority. The Onboard certificate authority issues client and server certificates using this certificate. Use this option when you already have a public-key infrastructure (PKI), and would like to include the certificate issued for Onboard devices in that infrastructure.

l Imported CA— If you choose Imported CA, the following fields are removed from the form. If you

choose Root or Intermediate, complete the following fields.

5. In the Identity area, enter values in the Country, State, Locality, Organization, and Organizational Unit fields that correspond to your organization. These values form part of the distinguished name for the certificate.

6. Enter a descriptive name for the certificate in the Common Name field. This value is used to identify the certificate as the issuer of other certificates, notably the signing certificate.

7. For a root certificate, the Signing Common Name field is included on the form. Enter a descriptive name for the signing certificate in the Signing Common Name field. This value is used to identify the signing certificate as the issuer of client and server certificates from this certificate authority. The other identity information in the signing certificate will be the same as for the root certificate.

8. Enter a contact email address in the Email Address field. This email address is included in the root and signing certificates, and provides a way for users of the certificate authority to contact your organization.

9. In the Private Key area, use the Key Type drop-down list to specify the type of private key that should be created for the certificate:

100 | Onboard Dell Networking W-ClearPass Guest 6.4 | User Guide

Dell Powerconnect W-ClearPass Virtual Appliances User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

About this Guide

Audience

Conventions

Contacting Support

W-ClearPass Guest Overview

About Dell Networking W-ClearPass Guest

Visitor Access Scenarios

Reference Network Diagram

Key Interactions

AAA Framework

Key Features

Visitor Management Terminology

W-ClearPass Guest Deployment Process

Operational Concerns

Network Provisioning

Site Preparation Checklist

Security Policy Considerations

AirGroup Deployment Process

Documentation and User Assistance

User Guide and Online Help

Context-Sensitive Help

Field Help

Quick Help

If You Need More Assistance

Use of Cookies

W-ClearPass Guest Manager

Accessing Guest Manager

About Guest Management Processes

Sponsored Guest Access

Self Provisioned Guest Access

Active Sessions Management

Session States

RFC 3576 Dynamic Authorization

Filtering the List of Active Sessions

Disconnecting Multiple Active Sessions

Sending Multiple SMS Alerts

About SMS Guest Account Receipts

Using Standard Guest Management Features

Creating a Guest Account

Creating a Guest Account Receipt

Creating a Device

Creating Devices Manually in W-ClearPass Guest

Creating Devices During Self-Registration - MAC Only

Creating Devices During Self-Registration - Paired Accounts

Creating Multiple Guest Accounts

Creating Multiple Guest Account Receipts

Creating a Single Password for Multiple Accounts

Exporting Guest Account Information

About CSV and TSV Exports

About XML Exports

Importing Guest Accounts

Managing Single Guest Accounts

Managing Devices

Changing a Device’s Expiration Date

Disabling and Deleting Devices

Activating a Device

Editing a Device

Viewing Current Sessions for a Device

Printing Device Details

Viewing Device Details

Managing Multiple Guest Accounts

AirGroup Device Registration

Registering Groups of Devices or Services

Registering Personal Devices

AirGroup Time-Based Sharing Syntax Examples

Time-Based Syntax Reference

About AirGroup Time-Based Sharing

Basics of Time-Based Sharing Setup

MAC Authentication in W-ClearPass Guest

MAC Address Formats

Automatically Registering MAC Devices in W-ClearPass Policy Manager

Importing MAC Devices

Advanced MAC Features

User Detection on Landing Pages

Click-Through Login Pages

Onboard