All rights reserved. Specifications in this manual are subject to change without notice.
Originated in the USA. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject
to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source
Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011
Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open Source
code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate
other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it
with respect to infringement of copyright on behalf of those vendors.
2 |Dell Networking W-ClearPass Guest 6.4 | User Guide
Contents
About this Guide
Audience
Conventions
Contacting Support
W-ClearPass Guest Overview
About Dell Networking W-ClearPass Guest
Visitor Access Scenarios
Reference Network Diagram
Key Interactions
AAA Framework
Key Features
Visitor Management Terminology
W-ClearPass Guest Deployment Process
Operational Concerns
Network Provisioning
Site Preparation Checklist
Security Policy Considerations
AirGroup Deployment Process
Documentation and User Assistance
User Guide and Online Help
Context-Sensitive Help
Field Help
Quick Help
If You Need More Assistance
Use of Cookies
W-ClearPass Guest Manager
Accessing Guest Manager
About Guest Management Processes
Sponsored Guest Access
Self Provisioned Guest Access
Active Sessions Management
Session States
RFC 3576 Dynamic Authorization
Filtering the List of Active Sessions
Disconnecting Multiple Active Sessions
Sending Multiple SMS Alerts
About SMS Guest Account Receipts
Using Standard Guest Management Features
Creating a Guest Account
Creating a Guest Account Receipt
Creating a Device
Creating Devices Manually in W-ClearPass Guest
Creating Devices During Self-Registration - MAC Only
Creating Devices During Self-Registration - Paired Accounts
Creating Multiple Guest Accounts
Creating Multiple Guest Account Receipts
Creating a Single Password for Multiple Accounts
Exporting Guest Account Information
About CSV and TSV Exports
About XML Exports
Importing Guest Accounts
Managing Single Guest Accounts
Managing Devices
Changing a Device’s Expiration Date
Disabling and Deleting Devices
Activating a Device
Editing a Device
Viewing Current Sessions for a Device
Printing Device Details
Viewing Device Details
Managing Multiple Guest Accounts
AirGroup Device Registration
Registering Groups of Devices or Services
Registering Personal Devices
AirGroup Time-Based Sharing Syntax Examples
Time-Based Syntax Reference
About AirGroup Time-Based Sharing
Basics of Time-Based Sharing Setup
MAC Authentication in W-ClearPass Guest
MAC Address Formats
Automatically Registering MAC Devices in W-ClearPass Policy Manager
Importing MAC Devices
Advanced MAC Features
User Detection on Landing Pages
Click-Through Login Pages
Onboard
Accessing Onboard
About W-ClearPass Onboard
Onboard Deployment Checklist
Onboard Feature List
Supported Platforms
Public Key Infrastructure for Onboard
Certificate Hierarchy
Certificate Configuration in a Cluster
Revoking Unique Device Credentials
Revoking Credentials to Prevent Network Access
Re-Provisioning a Device
Network Requirements for Onboard
Using Same SSID for Provisioning and Provisioned Networks
Using Different SSID for Provisioning and Provisioned Networks
Configuring Online Certificate Status Protocol
Configuring Certificate Revocation List (CRL)
Network Architecture for Onboard
Network Architecture for Onboard when Using W-ClearPass Guest
The W-ClearPass Onboard Process
Devices Supporting Over-the-Air Provisioning
Devices Supporting Onboard Provisioning
Configuring the User Interface for Device Provisioning
Using the {nwa_mdps_config} Template Function
Onboard Troubleshooting
iOS Device Provisioning Failures
Hostname-to-Certificate Match Failures
Onboard Interface Not Displayed
Certificate Renewal through OS X Mavericks
Certificate Authorities
Creating a New Certificate Authority
Editing Certificate Authority Settings
Requesting a Certificate for the Certificate Authority
Installing a Certificate Authority’s Certificate
Using Microsoft Active Directory Certificate Services
Management and Control
Device Management (View by Device)
Device Management (View by Username)
Certificate Management (View by Certificate)
Searching for Certificates in the List
Working with Certificates in the List
Working with Certificate Signing Requests
Importing a Code-Signing Certificate
Importing a Trusted Certificate
Creating a Certificate
Requesting a Certificate
The Trust Chain and Uploading Certificates for the CA
Considerations for iOS Devices
Onboard Configuration
Network Settings
Configuring Basic Network Access Settings
Configuring Enterprise Protocol Settings
Configuring Device Authentication Settings
Configuring Certificate Trust Settings
Configuring Windows-Specific Network Settings
Configuring Proxy Settings
iOS Settings
Configuring ActiveSync Settings
Configuring AirPlay Settings
Configuring AirPrint Settings
Configuring APN Settings
Configuring Calendar Settings
Configuring Contacts Settings
Configuring Email Settings
Configuring Global HTTP Proxy Settings
Configuring an iOS Device Passcode Policy
Configuring Single Sign-On Settings
Configuring Calendar Subscription Settings
Configuring an iOS Device VPN Connection
Configuring Web Clips
Configuring Web Content Filter Settings
Windows Applications
Configuring App Sets
Deployment and Provisioning
Configuration Profiles
Creating and Editing Configuration Profiles
Provisioning Settings
About Configuring Provisioning Settings
Configuring Basic Provisioning Settings
Configuring Provisioning Settings for the Web Login Page
Configuring Provisioning Settings for iOS and OS X
Configuring Provisioning Settings for Legacy OS X Devices
Configuring Provisioning Settings for Windows Devices
Configuring Provisioning Settings for Android Devices
Configuring Provisioning Settings for Ubuntu
Configuring Provisioning Settings for Chromebook
Configuring Options for Onboard Client Devices
About the Self-Service Portal
Configuration
Accessing Configuration
Configuring W-ClearPass Guest Authentication
Content Manager
Managing Content: Private Files and Public Files
Uploading Content
Downloading Content
Creating a New Content Directory
Configuring Guest Manager
Default Settings for Account Creation
About Fields, Forms, and Views
Business Logic for Account Creation
Verification Properties
Basic User Properties
Visitor Account Activation Properties
Visitor Account Expiration Properties
Other Properties
Standard Forms and Views
Configuring Access Code Logins
Customize Random Username and Passwords
Create the Print Template
Customize the Guest Accounts Form
Create the Access Code Guest Accounts
Pages
Customizing Fields
Creating a Custom Field
Duplicating a Field
Editing a Field
Deleting a Field
Displaying Forms that Use a Field
Displaying Views that Use a Field
Customizing AirGroup Registration Forms
Customizing Forms and Views
Editing Forms and Views
Duplicating Forms and Views
Editing Forms
Form Field Editor
Form Display Properties
Form Validation Properties
Examples of Form field Validation
Advanced Form Field Properties
Form Field Validation Processing Sequence
Editing Views
View Field Editor
Customizing Guest Self-Registration
Accessing the Guest Self-Registration Customization Forms
Self-Registration Sequence Diagram
Editing Self-Registration Pages
Creating a Self-Registration Page
Configuring Basic Properties for Self-Registration
Editing Registration Page Properties
Editing the Default Self-Registration Form Settings
Creating a Single Password for Multiple Accounts
Editing Guest Receipt Page Properties
Editing Receipt Actions
Enabling and Editing NAS Login Properties
Editing Login Page Properties
Self-Service Portal Properties
Resetting Passwords with the Self-Service Portal
Managing Web Logins
Creating and Editing Web Login Pages
Receipts
Digital Passes
About Digital Passes
Viewing Digital Pass Certificates
Installing Digital Pass Certificates
Managing Digital Passes
Creating and Editing a Digital Pass Template
Example Template Code Variables
Images in Digital Passes
Email Receipts and SMTP Services
About Email Receipts
Configuring Email Receipts
Email Receipt Options
About Customizing SMTP Email Receipt Fields
Customizing SMS Receipt
SMS Receipt Fields
Customizing Print Templates
Creating New Print Templates
Print Template Wizard
Modifying Wizard-Generated Templates
Setting Print Template Permissions
SMS Services
Viewing SMS Gateways
Creating a New SMS Gateway
Editing an SMS Gateway
Sending an SMS
About SMS Credits
About SMS Guest Account Receipts
SMS Receipt Options
Working with the Mobile Carriers List
About Translations
Translation Packs
Creating and Editing Translation Packs
Translation Assistant
Customizing Translated User Interface Text
Advertising Services
About Advertising Services
Materials
Promotions
Campaigns
Spaces
Pages
Advertising Services Process Overview
About the Tutorial
Navigating the Tutorial
Advertising Pages
Editing Advertising Pages
The nwa_adspace Smarty Template Tag
Advertising Spaces
Creating and Editing Advertising Spaces
"Other Location" Example
"Maximum Height" Example
"Maximum Width" Example
Advertising Campaigns
Creating and Editing Advertising Campaigns
Campaign Rank and Weight
Advertising Promotions
Creating and Editing Advertising Promotions
Using Labels in Advertising Services
Advertising Materials
Creating and Editing Advertising Materials
Hotspot Manager
Accessing Hotspot Manager
About Hotspot Management
Managing the Hotspot Sign-up Interface
Captive Portal Integration
Web Site Look-and-Feel
SMS Services
Managing Hotspot Plans
Editing or Creating a Hotspot Plan
Managing Transaction Processors
Creating a New Transaction Processor
Managing Existing Transaction Processors
Managing Customer Information
Managing Hotspot Invoices
Customizing the User Interface
Customizing Visitor Sign-Up Page One
Customizing Visitor Sign-Up Page Two
Customizing Visitor Sign-Up Page Three
Viewing the Hotspot User Interface
Administration
Accessing Administration
AirGroup Services
AirGroup Controllers
Creating and Editing AirGroup Controllers
Configuring AirGroup Services
AirGroup Diagnostics
Creating AirGroup Administrators
Creating AirGroup Operators
Authenticating AirGroup Users via LDAP
Configuring LDAP User Search for AirGroup
LDAP User Search Architecture
User Search Workflow
Configuration Summary
Basic LDAP Server Settings
User Search Settings
Configuring the AirGroup Shared User Field
Select2 Options Details
Select2 Hook Details
MACTrac Services
Creating MACTrac Operators
Managing MACTrac Devices
Registering MACTrac Devices
About MAC Addresses
Automatically Supplying the MACTrac Device Address
API Services
API Clients
Creating and Editing API Clients
Configuring the API Framework Plugin
Setting API Privileges in Operator Profiles
About OAuth
OAuth Basics
OAuth2 Client or App
Client ID and Secret
Redirect URI
Authorization Grant Types for OAuth
Application Service Accounts for OAuth
SOAP Web Services and API
Viewing Available Web Services
Configuring Web Services
SOAP API Introduction
Audience
API Documentation Overview
Disclaimer
About the SOAP API
Using the SOAP API
Integration Example
API Documentation
The XML-RPC Interface and API
About the XML-RPC API
Accessing the API
Invoking the API
Method Summary
API Documentation
Data Retention
3.9 Configuration Import
Creating a Customized Configuration Backup
Uploading the 3.9 Backup File
Restoring Configuration Items
Viewing Imported Item Details
Import Information for Specific Import Items
Import Information: Advertising Services
Import Information: AirGroup Services
Import Information: Cisco IP Phones
Import Information: Guest Manager
Import Information: High Availability (HA)
Import Information: Hotspot Manager
Role-Based Access Control for Multiple Operator Profiles
Operator Logins Configuration
Custom Login Message
Advanced Operator Login Options
Automatic Logout
Operator Profiles
Creating an Operator Profile
Configuring the User Interface
Customizing Forms and Views
Operator Profile Privileges
Managing Operator Profiles
Configuring AirGroup Operator Device Limit
Local Operator Authentication
Creating a New Operator
External Operator Authentication
Manage LDAP Operator Authentication Servers
Viewing the LDAP Server List
Creating an LDAP Server
Advanced LDAP URL Syntax
LDAP Operator Server Troubleshooting
Testing Connectivity
Testing Operator Login Authentication
Looking Up Sponsor Names
Troubleshooting Error Messages
LDAP Translation Rules
Custom LDAP Translation Processing
Reference
Basic HTML Syntax
Standard HTML Styles
Smarty Template Syntax
Basic Template Syntax
Text Substitution
Template File Inclusion
Comments
Variable Assignment
Conditional Text Blocks
Script Blocks
Repeated Text Blocks
Foreach Text Blocks
Modifiers
Predefined Template Functions
dump
nwa_commandlink
nwa_iconlink
nwa_icontext
nwa_quotejs
nwa_radius_query
Advanced Developer Reference
nwa_assign
nwa_bling
nwa_makeid
nwa_nav
nwa_plugin
nwa_privilege
nwa_replace
nwa_text
nwa_userpref
nwa_youtube
Date/Time Format Syntax
nwadateformat Modifier
nwatimeformat Modifier
Date/Time Format String Reference
Programmer’s Reference
NwaAlnumPassword
NwaBoolFormat
NwaByteFormat
NwaByteFormatBase10
NwaComplexPassword
NwaCsvCache
NwaDigitsPassword($len)
NwaDynamicLoad
NwaGeneratePictureString
NwaGenerateRandomPasswordMix
NwaLettersDigitsPassword
NwaLettersPassword
NwaMoneyFormat
NwaParseCsv
NwaParseXml
NwaPasswordByComplexity
NwaSmsIsValidPhoneNumber
NwaStrongPassword
NwaVLookup
NwaWordsPassword
Field, Form, and View Reference
GuestManager Standard Fields
Hotspot Standard Fields
SMS Services Standard Fields
SMTP Services Standard Fields
Format Picture String Symbols
Form Field Validation Functions
Form Field Conversion Functions
Form Field Display Formatting Functions
View Display Expression Technical Reference
LDAP Standard Attributes for User Class
Regular Expressions
Chromebook in Onboard
About Chromebook in Onboard
Caveats and Recommendations
Google Admin Chromebook License is Required
Managed Chromebook Deployment is Required
Chrome Extension is Required
Chromebook Release 37 or Later is Required
Chromebook Supports Only “Created by Device” Certificates
A Separate Provisioning SSID is Required
Directory-Based Authentication Source is Recommended
Onboard Configuration for Chromebook
Google Admin Configuration for Chromebook
Configuring the Chrome extension
Configuring Network Settings
Glossary
Index
Chapter 1
About this Guide
Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which
operational staff can quickly and securely manage visitor network access.
Audience
This User Guide is intended for system administrators and people who are installing and configuring Dell
Networking W-ClearPass Guest as their visitor management solution. It describes the installation and
configuration process.
Conventions
The following conventions are used throughout this guide to emphasize important concepts:
Table 1: Typographical Conventions
Type Style | Description
Italics | This style is used to emphasize important terms and to mark the titles of books.
System items | This fixed-width font depicts the following: sample screen output; system prompts; filenames, software devices, and specific commands when mentioned in the text.
Commands | In the command examples, this bold font depicts text that you must type exactly as shown.
<Arguments> | In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:
# send <text message>
In this example, you would type “send” at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.
[Optional] | Command examples enclosed in brackets are optional. Do not type the brackets.
{Item A | Item B} | In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.
The following informational icons are used throughout this guide:
Indicates helpful suggestions, pertinent information, and important things to remember.
Indicates a risk of damage to your hardware or loss of data.
Indicates a risk of personal injury or death.
Contacting Support
Web Site Support
Main Website | dell.com
Support Website | dell.com/support
Documentation Website | dell.com/support/manuals
Chapter 2
W-ClearPass Guest Overview
This chapter explains the terms, concepts, processes, and equipment involved in managing visitor access to a
network, and helps you understand how Dell Networking W-ClearPass Guest can be successfully integrated
into your network infrastructure. It is intended for network architects, IT administrators, and security
consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor
access solution.
This chapter includes the following sections:
• "About Dell Networking W-ClearPass Guest" on page 19
• "Visitor Access Scenarios" on page 20
• "Reference Network Diagram" on page 21
• "Key Interactions" on page 22
• "AAA Framework" on page 23
• "Key Features" on page 24
• "Visitor Management Terminology" on page 25
• "W-ClearPass Guest Deployment Process" on page 26
• "AirGroup Deployment Process" on page 28
• "Documentation and User Assistance" on page 29
• "Use of Cookies" on page 30
About Dell Networking W-ClearPass Guest
Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which
operational staff can quickly and securely manage visitor network access. It gives your non-technical staff
controlled access to a dedicated visitor management user database. Through a customizable Web portal, your
staff can easily create an account, reset a password, or set an expiry time for visitors. Access permissions to W-ClearPass Guest functions are controlled through an operator profile that can be integrated with an LDAP
server or Active Directory login.
Visitors can be registered at reception and provisioned with an individual guest account that defines their
visitor profile and the duration of their visit. The visitor can be given a printed customized receipt with account
details, or the receipt can be delivered wirelessly using the integrated SMS services. Companies are also able to
pre-generate custom scratch cards, each with a defined network access time, which can then be handed out in
a corporate environment or sold in public access scenarios.
You can use the customization features to define settings that allow your visitors to self-provision their own
guest accounts. Visitors register through a branded and customized Web portal, ensuring a streamlined and
professional experience. Surveys can also be presented during the self-registration process and the data stored
for later analysis and reporting, providing additional insight to your visitors and their network usage.
W-ClearPass Guest integrates with all leading wireless and NAC solutions through a flexible definition point, W-ClearPass Policy Manager. This ensures that IT administrators have a standard integration with the network
security framework, but gives operational staff the user interface they require.
The following figure shows a high-level representation of a typical visitor access scenario.
Figure 1 Visitor access using W-ClearPass Guest
In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because
access to the network is restricted, visitors must first obtain a username and password. A guest account may
be provisioned by a corporate operator such as a receptionist, who can then give the visitor a print receipt that
shows their username and password for the network.
When visitors use self-registration, as might be the case for a network offering public access, the process is
broadly similar but does not require a corporate operator to create the guest account. The username and
password for a self-provisioned guest account may be delivered directly to the visitor’s Web browser, or sent
via SMS or email.
The following figure shows the network connections and protocols used by W-ClearPass Guest.
Figure 2 Reference network diagram for visitor access
The network administrator, operators, and visitors may use different network interfaces to access the visitor
management features. The exact topology of the network and the connections made to it will depend on the
type of network access offered to visitors and the geographical layout of the access points.
The following figure shows the key interactions between W-ClearPass Guest and the people and other
components involved in providing guest access.
Figure 3 Interactions involved in guest access
W-ClearPass Guest is part of your network’s core infrastructure and manages guest access to the network.
NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS
protocol to ask W-ClearPass Policy Manager to authenticate the username and password provided by a guest
logging in to the network. If authentication is successful, the guest is then authorized to access the network.
Roles are assigned to a guest as part of the context W-ClearPass Policy Manager uses to apply its policies.
RADIUS attributes that define a role’s access permissions are contained within Policy Manager’s Enforcement
Profile. Additional features such as role mapping for W-ClearPass Guest can be performed in W-ClearPass
Policy Manager.
The network usage of authorized guests is monitored by the NAS and reported in summary form to W-ClearPass Policy Manager using RADIUS accounting, which allows administrators to generate network reports
in W-ClearPass Insight.
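The RADIUS authentication exchange described above, as an added example (not code from this guide or from W-ClearPass): a NAS hides the guest's password under the shared secret and a stand-in server checks it and signs its reply, following RFC 2865 PAP without the Message-Authenticator attribute. The function names are hypothetical, and the account, password and secret values are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types


def _keystream(secret: bytes, prev: bytes) -> bytes:
    # Each 16-byte block is XORed with MD5(shared secret + previous block).
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: User-Password hiding as defined in RFC 2865 section 5.2."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: reverse the hiding with the same shared secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs


def build_access_request(ident: int, user: str, password: str, secret: bytes) -> bytes:
    """NAS side: Access-Request carrying the guest's username and hidden password."""
    authenticator = os.urandom(16)  # Request Authenticator must be unpredictable
    attrs = encode_attr(ATTR_USER_NAME, user.encode())
    attrs += encode_attr(ATTR_USER_PASSWORD,
                         hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_reply(request: bytes, secret: bytes, accounts: dict) -> bytes:
    """Server side: check the credentials, return a signed Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attrs(request[20:])
    supplied = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    expected = accounts.get(attrs[ATTR_USER_NAME].decode(), "").encode()
    ok = bool(expected) and hmac.compare_digest(supplied, expected)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def nas_verify_reply(reply: bytes, request: bytes, secret: bytes):
    """NAS side: return the reply code only if the Response Authenticator checks out."""
    if len(reply) < 20 or reply[1] != request[1]:
        return None
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[0] if hmac.compare_digest(expected, reply[4:20]) else None


def demo():
    secret = b"constructed-shared-secret"          # constructed sample value
    accounts = {"guest01": "Visitor-pass-2024!x"}  # constructed guest account
    results = []
    for user, pw, nas_secret in [
        ("guest01", "Visitor-pass-2024!x", secret),           # valid guest
        ("guest01", "wrong-password", secret),                # bad password
        ("guest01", "Visitor-pass-2024!x", b"other-secret"),  # NAS secret mismatch
    ]:
        req = build_access_request(7, user, pw, nas_secret)
        results.append(nas_verify_reply(server_reply(req, secret, accounts), req, nas_secret))
    return results


if __name__ == "__main__":
    print(demo())
```

Both the password hiding and the reply signature depend only on the shared secret, so a NAS whose secret does not match the server's can neither authenticate guests nor accept the server's replies.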
• What resources are you going to make available to guests (for example, type of network access; permitted times of day; bandwidth allocation)?
• Will guest access be separated into different roles? If so, what roles are needed?
• How will you prioritize traffic on the network to differentiate quality of service for guest accounts and non-guest accounts?
• What will be the password format for guest accounts? Will you be changing this format on a regular basis?
• What requirements will you place on the shared secret between the NAS and the RADIUS server, to ensure network security is not compromised?
• What IP address ranges will operators be using to access the server?
• Should HTTPS be required in order to access the visitor management server?
AirGroup Deployment Process
AirGroup allows users to register their personal mobile devices on the local network and define a group of
friends or associates who are allowed to share them. You use W-ClearPass Guest to define AirGroup
administrators and operators. AirGroup administrators can then use W-ClearPass Guest to register and
manage an organization’s shared devices and configure access according to username, role, location, or time.
AirGroup operators (end users) can use W-ClearPass Guest to register their personal devices and define the
group who can share them.
Table 5 summarizes the steps for configuring AirGroup functionality in W-ClearPass Guest. Details for these
steps are provided in the relevant sections of this Guide. This table does not include the configuration steps
performed in W-ClearPass Policy Manager or the W-Series controller. For complete AirGroup deployment
information, refer to the AirGroup sections in the Dell Networking W-Series ArubaOS User Guide and the W-ClearPass Policy Manager documentation.
Table 5: Summary of AirGroup Configuration Steps in W-ClearPass Guest
Step | Section in this Guide
Create AirGroup administrators | "Creating a New Operator" on page 464
Create AirGroup operators |
Configure an operator’s device limit | "Configuring AirGroup Operator Device Limit" on page 464
Configure an AirGroup controller | "AirGroup Controllers" on page 358
Enable support for dynamic notifications | "Configuring AirGroup Services" on page 361
To authenticate AirGroup users via LDAP: |
Define the LDAP server | "External Operator Authentication" on page 465
Define appropriate translation rules | "LDAP Translation Rules" on page 472
AirGroup administrator: Register devices or groups of devices | "AirGroup Device Registration" on page 66
AirGroup operator: Register personal devices |
(Optional) Configure device registration form with drop-down lists for existing locations and roles | "Customizing AirGroup Registration Forms" on page 209
Set up time-based sharing | "About AirGroup Time-Based Sharing" on page 75
Documentation and User Assistance
This section describes the variety of user assistance available for W-ClearPass Guest.
User Guide and Online Help
This User Guide provides complete information for all W-ClearPass Guest features. The following quick links
may be useful in getting started.
Table 6: Quick Links
For information about... | Refer to...
What visitor management is and how it works | "About Dell Networking W-ClearPass Guest" on page 19
Using the guest management features | "Using Standard Guest Management Features" on page 38
Role-based access control for operators | "Operator Profiles" on page 458
Setting up LDAP authentication for operators | "External Operator Authentication" on page 465
Guest self-provisioning features | "Self Provisioned Guest Access" on page 32
Dynamic authorization extensions | "RFC 3576 Dynamic Authorization" on page 35
SMS receipts for guest accounts | "SMS Services" on page 296
Email receipts for guest accounts | "Email Receipts and SMTP Services" on page 284
Network administration of the appliance | "Administration" on page 357
Context-Sensitive Help
For more detailed information about the area of the application you are using, click the context-sensitive Help
link displayed at the top right of the page. This opens a new browser tab showing the relevant section of this
User Guide.
The User Guide may be searched using the Search box in the top right corner.
Type in keywords related to your search and click the Search button to display a list of matches. The most
relevant matches will be displayed first. Words may be excluded from the search by typing a minus sign directly
before the word to exclude (for example, -exclude). Exact phrase matches may also be searched for by enclosing
the phrase in double quotes (for example, “word phrase”).
Field Help
The W-ClearPass Guest user interface has field help built into every form. The field help provides a short
summary of the purpose of the field at the point you need it most. In many cases this is sufficient to use the
application without further assistance or training.
Quick Help
In list views, click the Quick Help tab located at the top left of the list to display additional information
about the list you are viewing and the actions that are available within the list.
On some forms and views, the Quick Help icon may also be used to provide additional detail about a field.
If You Need More Assistance
If you encounter a problem using W-ClearPass Guest, your first step should be to consult the appropriate
section in this User Guide.
If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you
with the answer or obtain a solution to your problem.
If you still need information, you can refer to the Contact Support command available under Support
Services in the user interface, or see "Contacting Support" on page 18.
Use of Cookies
Cookies are small text files that are placed on a user’s computer by Web sites the user visits. They are widely
used in order to make Web sites work, or work more efficiently, as well as to provide information to the owners
of a site. Session cookies are temporary cookies that last only for the duration of one user session.
When a user registers or logs in via a Dell captive portal, Dell uses session cookies solely to remember between
clicks who a guest or operator is. Dell uses this information in a way that does not identify any user-specific
information, and does not make any attempt to find out the identities of those using its W-Series ClearPass
products. Dell does not associate any data gathered by the cookie with any personally identifiable information
(PII) from any source. Dell uses session cookies only during the user’s active session and does not store any
permanent cookies on a user’s computer. Session cookies are deleted when the user closes his/her Web
browser.
The ability to easily create and manage guest accounts is the primary function of Dell Networking W-ClearPass
Guest. The Guest Manager module provides complete control over the user account creation process.
Guest Manager features for managing guest accounts let you:
• View and manage active sessions
• Create single or multiple guest accounts and receipts
• Create new MAC devices
• Bulk edit accounts
• Export a list of accounts
• Import new accounts from a text file
• View guest accounts and edit individual or multiple guest accounts
• View MAC devices and edit individual or multiple devices
Many features can also be customized. For information on customizing Guest Manager settings, forms and
views, guest self-registration, and print templates, see "Configuration" on page 187.
Accessing Guest Manager
To access Dell Networking W-ClearPass Guest’s guest management features, click the Guest link in the left
navigation.
There are two major ways to manage guest access – either by your operators provisioning guest accounts, or
by the guests self-provisioning their own accounts. Both of these processes are described in this chapter.
Sponsored Guest Access
The following figure shows the process of sponsored guest access.
Figure 5 Sponsored guest access with guest created by operator
The operator creates the guest accounts and generates a receipt for the account.
The guest logs on to the Network Access Server (NAS) using the credentials provided on her receipt. The NAS
authenticates and authorizes the guest’s login in W-ClearPass Guest. After authorization, the guest is able to
access the network.
Self Provisioned Guest Access
Self-provisioned access is similar to sponsored guest access, but there is no need for an operator to create the
account or to print the receipt. The following figure shows the process of self-provisioned guest access.
Figure 6 Guest access when guest is self-provisioned
The guest logs on to the Network Access Server (NAS), which captures the guest and redirects them to a captive
portal login page. From the login page, guests without an account can browse to the guest self-registration
page, where the guest creates a new account. At the conclusion of the registration process, the guest is
automatically redirected to the NAS to log in.
The guest can print or download a receipt, or have the receipt information delivered by SMS or email.
The NAS performs authentication and authorization for the guest in W-ClearPass Guest. After authorization,
the guest is able to access the network.
See "Customizing Guest Self-Registration" on page 235 for details on creating and managing self-registration
pages.
Active Sessions Management
The RADIUS server maintains a list of active visitor sessions. If your NAS equipment has RFC 3576 support, the
RADIUS dynamic authorization extensions allow you to disconnect or modify an active session.
To view and manage active sessions for the RADIUS server, go to Guest > Active Sessions. The Active
Sessions list opens. You can use this list to modify, disconnect or reauthorize, or send SMS notifications for
active visitor sessions; manage multiple sessions; or customize the list to include additional fields.
• To view details for an active session, click the session’s row in the list, then click its Show Details link. The
• If the NAS equipment has RFC 3576 support, you can disconnect or dynamically reauthorize active sessions.
  See "RFC 3576 Dynamic Authorization" on page 35 for more information.
  ▪ To disconnect an active session, click the session’s row in the list, then click its Disconnect link. A
    message is displayed to show that the disconnect is in progress and acknowledge when it is complete.
  ▪ To reauthorize a session that was disconnected, click the session’s row in the list, then click its
    Reauthorize link. The Reauthorize Session form opens. Click Reauthorize Session. A message is
    displayed to show that the disconnect is in progress and acknowledge when it is complete.
  ▪ To disconnect multiple sessions, click the Manage Multiple tab. The form expands to include the
    Manage Multiple Sessions form. For more information, see "Disconnecting Multiple Active Sessions " on
    page 37.
• To view and work with the guest accounts associated with a session, click the session’s row in the list, then
  click its List Accounts link. The Guest Manager Accounts view opens. See "Managing Single Guest Accounts
  " on page 55 for more information.
• To display only sessions that meet certain criteria, click the Filter tab. For more information, see "Filtering
  the List of Active Sessions" on page 36.
• To send SMS notifications to visitors, click the SMS tab. For more information, see "Sending Multiple SMS
• To include additional fields in the Active Sessions list, or delete fields from it, click the More Options tab.
  The Customize View Fields page opens. For more information, see "Editing Forms " on page 214.
• You can use the paging control at the bottom of the list to jump forwards or backwards by one page, or to
  the first or last page of the list. You can also click an individual page number to jump directly to that page.
Session States
A session may be in one of three possible states:
• Active—An active session is one for which the RADIUS server has received an accounting start message
  and has not received a stop message, which indicates that service is being provided by a NAS on behalf of an
  authorized client.
  While a session is in progress, the NAS sends interim accounting update messages to the RADIUS server.
  This maintains up-to-date traffic statistics and keeps the session active. The frequency of the accounting
  update messages is configurable in the RADIUS server.
• Stale—If an accounting stop message is never sent for a session—for example, if the visitor does not log
  out—that session will remain open. After 24 hours without an accounting update indicating session traffic,
  the session is considered ‘stale’ and is not counted towards the active sessions limit for a visitor account. To
  ensure that accounting statistics are correct, you should check the list for stale sessions and close them.
• Closed—A session ends when the visitor logs out or if the session is disconnected. When a session is
  explicitly ended in either of these ways, the NAS sends an accounting stop message to the RADIUS server.
  This closes the session. No further accounting updates are possible for a closed session.
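The three states above can be derived from a stream of accounting records. The following is an added example, not code from W-ClearPass Guest: it classifies sessions as active, stale or closed and counts only active sessions towards a visitor's limit. The record layout, function names and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(hours=24)  # idle period after which the guide calls a session stale

# Constructed sample accounting records: (time, username, session id, status).
RECORDS = [
    (datetime(2024, 5, 1, 9, 0), "alice", "S1", "Start"),
    (datetime(2024, 5, 1, 9, 30), "alice", "S1", "Interim-Update"),
    (datetime(2024, 5, 1, 10, 0), "alice", "S1", "Stop"),
    (datetime(2024, 5, 1, 10, 5), "alice", "S1", "Interim-Update"),   # after Stop
    (datetime(2024, 5, 1, 11, 0), "bob", "S2", "Start"),              # never stopped
    (datetime(2024, 5, 2, 8, 0), "bob", "S3", "Start"),
    (datetime(2024, 5, 2, 12, 0), "bob", "S3", "Interim-Update"),
    (datetime(2024, 5, 2, 12, 30), "carol", "S4", "Interim-Update"),  # no Start seen
]
NOW = datetime(2024, 5, 2, 13, 0)


def classify_sessions(records, now):
    """Return {session id: (username, 'active' | 'stale' | 'closed')}."""
    sessions = {}
    for when, user, sid, status in sorted(records):
        entry = sessions.get(sid)
        if status == "Start":
            if entry is None:
                sessions[sid] = {"user": user, "last": when, "closed": False}
        elif entry is None or entry["closed"]:
            # Assumption: updates for an unknown session are ignored; a closed
            # session accepts no further accounting updates.
            continue
        elif status == "Interim-Update":
            entry["last"] = when          # interim updates keep the session active
        elif status == "Stop":
            entry["closed"] = True        # explicit logout or disconnect
    result = {}
    for sid, entry in sessions.items():
        if entry["closed"]:
            state = "closed"
        elif now - entry["last"] > STALE_AFTER:
            state = "stale"
        else:
            state = "active"
        result[sid] = (entry["user"], state)
    return result


def stale_sessions(records, now):
    """Session ids an operator should review and close."""
    return sorted(sid for sid, (_, state) in classify_sessions(records, now).items()
                  if state == "stale")


def active_session_count(records, now, username):
    """Sessions counted towards a visitor's limit: stale and closed ones are excluded."""
    return sum(1 for user, state in classify_sessions(records, now).values()
               if user == username and state == "active")


if __name__ == "__main__":
    for sid, (user, state) in sorted(classify_sessions(RECORDS, NOW).items()):
        print(sid, user, state)
    print("stale:", stale_sessions(RECORDS, NOW))
```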
RFC 3576 Dynamic Authorization
Dynamic authorization describes the ability to make changes to a visitor account’s session while it is in
progress. This includes disconnecting a session, or updating some aspect of the authorization for the session.
The Active Sessions page provides two dynamic authorization capabilities that apply to currently active
sessions:
• Disconnect causes a Disconnect-Request message to be sent to the NAS for an active session,
  requesting that the NAS terminate the session immediately. The NAS should respond with a Disconnect-ACK
  message if the session was terminated or Disconnect-NAK if the session was not terminated.
• Reauthorize causes a Disconnect-Request message to be sent to the NAS for an active session. This
  message will contain a Service-Type attribute with the value ‘Authorize Only’. The NAS should respond with a
  Disconnect-NAK message, and should then reauthorize the session by sending an Access-Request message
  to the RADIUS server. The RADIUS server’s response will contain the current authorization details for the
  visitor account, which will then update the corresponding properties in the NAS session.
If the NAS does not support RFC 3576, attempts to perform dynamic authorization will time out and result in a
‘No response from NAS’ error message.
Refer to RFC 3576 for more details about dynamic authorization extensions to the RADIUS protocol.
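The Disconnect and Reauthorize exchanges described above, with both sides' messages, as an added example that is not code from W-ClearPass Guest. It builds the packets in memory following RFC 3576 (codes 40 to 42, MD5 authenticators keyed with the shared secret) and shows why a reply or request with the wrong secret is rejected. Function names, the session set and all sample values are assumptions; only User-Name, Acct-Session-Id, Service-Type and Error-Cause are modelled.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, SERVICE_TYPE, ACCT_SESSION_ID, ERROR_CAUSE = 1, 6, 44, 101
AUTHORIZE_ONLY = 17        # Service-Type value used by Reauthorize
SESSION_NOT_FOUND = 503    # Error-Cause when the NAS has no such session
REQUEST_INITIATED = 507    # Error-Cause in the NAK that answers Authorize Only


def attr(attr_type, value):
    """Encode one attribute as type, length, value (integers are 32-bit)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data):
    """Decode an attribute list into {type: raw value}, rejecting bad lengths."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return attrs


def seal(code, ident, seed, attrs, secret):
    """Return a packet whose authenticator is MD5(header + seed + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + seed + attrs + secret).digest() + attrs


def build_disconnect_request(ident, username, session_id, secret, reauthorize=False):
    """RADIUS server side: the message behind the Disconnect and Reauthorize links."""
    attrs = attr(USER_NAME, username.encode()) + attr(ACCT_SESSION_ID, session_id.encode())
    if reauthorize:
        attrs += attr(SERVICE_TYPE, AUTHORIZE_ONLY)
    return seal(DISCONNECT_REQUEST, ident, bytes(16), attrs, secret)


def nas_handle(packet, secret, sessions):
    """NAS side: authenticate the request, act on it, and return the reply."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    code, ident, raw = packet[0], packet[1], packet[20:]
    if code != DISCONNECT_REQUEST:
        return None
    if not hmac.compare_digest(seal(code, ident, bytes(16), raw, secret), packet):
        return None  # wrong shared secret or altered packet: drop without reply
    attrs = parse_attrs(raw)
    session_id = attrs.get(ACCT_SESSION_ID, b"").decode()
    if attrs.get(SERVICE_TYPE) == struct.pack("!I", AUTHORIZE_ONLY):
        # Reauthorize: keep the session and NAK with Request Initiated; the NAS
        # would then send a fresh Access-Request (not modelled here).
        reply = attr(SERVICE_TYPE, AUTHORIZE_ONLY) + attr(ERROR_CAUSE, REQUEST_INITIATED)
        return seal(DISCONNECT_NAK, ident, packet[4:20], reply, secret)
    if session_id in sessions:
        sessions.discard(session_id)
        return seal(DISCONNECT_ACK, ident, packet[4:20], b"", secret)
    return seal(DISCONNECT_NAK, ident, packet[4:20], attr(ERROR_CAUSE, SESSION_NOT_FOUND), secret)


def read_reply(request, reply, secret):
    """Server side: verify the Response Authenticator, return (name, Error-Cause)."""
    if len(reply) < 20 or reply[1] != request[1]:
        raise ValueError("reply does not match request")
    if not hmac.compare_digest(seal(reply[0], reply[1], request[4:20], reply[20:], secret), reply):
        raise ValueError("bad Response Authenticator")
    names = {DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK"}
    cause = parse_attrs(reply[20:]).get(ERROR_CAUSE)
    return names.get(reply[0], "unexpected"), struct.unpack("!I", cause)[0] if cause else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample value
    live = {"sess-0001", "sess-0002"}          # constructed NAS session table
    for ident, sid, reauth in [(1, "sess-0001", False), (2, "sess-0002", True)]:
        req = build_disconnect_request(ident, "guest@example.com", sid, secret, reauth)
        print(sid, read_reply(req, nas_handle(req, secret, live), secret), sorted(live))
```

A NAS without RFC 3576 support never produces a reply at all, which is the ‘No response from NAS’ timeout described above; in this sketch `nas_handle` returning `None` plays the same role for a request that fails authentication.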
On the Guest > Active Sessions list, you can use the Filter tab to narrow the search parameters and
quickly find all matching sessions:
Enter a username or IP address in the Filter field. Additional fields can be included in the search if the “Include
values when performing a quick search” option was selected for the field within the view. To control this
option, use the Choose Columns command link on the More Options tab.
You may enter a simple substring to match a portion of the username or any other fields that are configured
for search, and you can include the following operators:
Table 7: Operators supported in filters
Operator   Meaning
=          is equal to
!=         is not equal to
>          is greater than
>=         is greater than or equal to
<          is less than
<=         is less than or equal to
~          matches the regular expression
!~         does not match the regular expression
Additional information for = and !=: You may search for multiple values when using the
equality (=) or inequality (!=) operators. To specify multiple values, list them separated by
the pipe character ( | ). For example, specifying the filter "role_id=2|3, custom_field=Value"
restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with
the field named "custom_field" set to "Value".
To restore the default view, click the Clear Filter link.
Click the Apply Filter button to save your changes and update the view, or click the Reset button to
remove the filter and return to the default view.
To disconnect multiple sessions, click the Manage Multiple tab. The Manage Multiple Sessions form opens.
• To close all active sessions, leave the Start Time and End Time fields empty and click Make Changes. All
  active sessions are closed and are removed from the Active Sessions list.
You can specify sessions in a time range.
1. To close all sessions that started after a particular time, click the button in the Start Time row. The calendar
picker opens. Use the calendar to specify the year, month, and day, and click the numbers in the Time fields
to increment the hours and minutes. All sessions that started after the specified date and time will be
disconnected.
2. To close all sessions that started before a particular time, click the button in the End Time row. The calendar
picker opens. Use the calendar to specify the year, month, and day, and click the numbers in the Time fields
to increment the hours and minutes. All sessions that started before the specified date and time will be
disconnected.
3. Click Make Changes. The specified sessions are closed and are removed from the Active Sessions list.
Sending Multiple SMS Alerts
The SMS tab on the Active Sessions page lets you send an SMS alert message to all active sessions that have a
valid phone number. An SMS alert during an active session can be used to send a group of visitors information
you might want them to have immediately—for example, a special offer that will only be available for an hour,
a change in a meeting’s schedule or location, or a public safety announcement.
To create an SMS message:
1. Click the SMS tab on the Active Sessions page. The Send SMS Notification form opens.
2. Use the filter to specify the group of addresses that should receive the message. See "Filtering the List of
Active Sessions" on page 36. Only accounts with valid phone numbers can be sent SMS alerts.
3. Enter the message in the Message text box. Messages may contain up to 160 characters.
You can send SMS receipts for guest accounts that are created using either sponsored guest access or self-provisioned guest access. This is convenient in situations where the visitor may not be physically present to
receive a printed receipt.
Dell Networking W-ClearPass Guest may be configured to automatically send SMS receipts to visitors, or to
send receipts only on demand.
To manually send an SMS receipt:
1. Go to the Guest > Manage Accounts and click to expand the row of the guest to whom you want to send
a receipt.
2. Click Print to display the Updated Account Details view, and then click the Send SMS receipt link. The
SMS Receipt form opens. Use the fields on this form to enter the service to use, the recipient’s mobile
phone number, and the message text.
When using guest self-registration, SMS Delivery options are available for the receipt page actions; see "Editing
Receipt Actions" on page 248 for full details. For more information on SMS services, see "SMS Services" on page
296.
Using Standard Guest Management Features
This section describes:
• "Creating a Guest Account " on page 39
• "Creating a Guest Account Receipt " on page 41
• "Creating a Device" on page 41
• "Creating Multiple Guest Accounts" on page 45
• "Creating Multiple Guest Account Receipts" on page 47
• "Creating a Single Password for Multiple Accounts " on page 48
• "Exporting Guest Account Information " on page 50
• "Importing Guest Accounts" on page 52
• "Managing Single Guest Accounts " on page 55
• "Managing Devices " on page 59
• "Managing Multiple Guest Accounts " on page 64
To customize guest self-registration, please see Configuration on page 187.
Creating a Guest Account
To create a new account, go to Guest > Create Account, or click the Create New Guest Account command
link on the Guest Manager page. The Create New Guest Account form opens.
The Create New Guest Account form (create_user) can be customized by adding new fields, or modifying or
removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about the
customization process. The default settings for this form are described below.
(Required) Name of the guest user for this account.
(Required) Name of the organization the guest user belongs to.
(Required) The guest user's email address. This email address will be the guest's username.
You can select an activation time from this drop-down list. The guest's account cannot be used
before the activation time. Options include:
• Now
• Disable account
• Tomorrow
• Next Monday
• 1 hour from now
• 1 day from now
• 1 week from now
• Activate at specified time...
If you selected "Activate at specified time", use the calendar picker in this field to specify the date
and time. If no selection is made, the account will be enabled immediately.
You can select an expiration time from this drop-down list. The guest's account cannot be used after
the expiration time. Options include:
• Account will not expire
• Now
• Tonight
• Friday night
• 1 hour from now
• 1 day from now
• 1 week from now
• 30 days from now
• 90 days from now
• 180 days from now
• 1 year from now
• Account expires after...
• Account expires at specified time...
Expires After: If you selected "Account expires after", use this drop-down list to specify a length of time. Options
include several intervals of hours, days, or weeks.
Expiration Time: If you selected "Account expires at specified time", use the calendar picker in this field to specify the
date and time. If no selection is made, the account will not expire.
Account Role: (Required) Specify the type of account the guest should have. Options include:
• Contractor
• Employee
• Guest
Password: A random password is created for each visitor account. This is displayed on this form, but will also
Notes: You may enter notes about this guest account.
Terms of Use: (Required) You must select the check box in this field in order to create the account.
Create: When your entries on the form are complete, click this button to create the guest's account.
Creating a Guest Account Receipt
After you click the Create button on the Create New Guest Account form, the details for that account are
displayed.
To print a receipt for the guest, select an appropriate template from the Open print window using template… list. A new Web browser window opens and the browser’s Print dialog box is displayed.
Click the Send SMS receipt link to send a guest account receipt via text message. Use the SMS Receipt
form to enter the mobile telephone number to which the receipt should be sent.
Sending SMS receipts requires the SMS Services plugin. If the administrator has enabled automatic SMS, and
the visitor’s phone number was typed into the Create New Guest Account form, an SMS message will be
sent automatically. A message is displayed on the account receipt page after an SMS message has been sent.
Click the Send email receipt link to send an email copy of the guest account receipt. Use the Email Receipt
form to enter the email address to which the receipt should be sent. You can also specify the subject line for
the email message. If the administrator has enabled automatic email for guest account receipts, and the
visitor’s email address was typed into the Create New Guest Account form, an email receipt will be sent
automatically. A message is displayed on the account receipt page after an email has been sent.
Creating a Device
Device accounts may be created in three ways:
• Manually in W-ClearPass Guest using the Create New Device form
• During guest self-registration by a MAC parameter passed in the redirect URL, if the process is configured to
  create a MAC device account
• During guest self-registration by a MAC parameter passed in the redirect URL, creating a parallel account
If you have the MAC address, you can create a new device manually. To create a new device, go to Guest
> Create Device, or go to Guest > Manage Devices and click the Create link.
The Create New Device form opens.
Table 9: New Device
Field: Description
MAC Address: (Required) Enter the device's MAC address.
Device Name: (Required) Enter the name for the device.
If you need to modify the configuration for expected separator format or case, go to
Administration > Plugin Manager > Manage Plugins and click the Configuration link
for the MAC Authentication Plugin.
AirGroup: Enables AirGroup for the device. Configuration options are added to the form.
Ownership: Specifies whether device ownership should be personal or shared. Personal devices are
automatically shared with the owner's other devices.
Shared With: Usernames of people who can share this device. Enter usernames as a comma-separated
list. To make the device available to all users, leave this field blank.
Each username may not exceed 64 characters. A maximum of 100 usernames may be
entered. The maximum character limit for the list is 1000 characters (including comma
separators).
Shared Locations: Locations where the device can be shared. When you type a location name in the Shared
Locations field and press the Enter key, the location appears as a "tag" and is created in the
system when the form is saved.
Each location name may not exceed 64 characters. A maximum of 100 location names may
be entered. The maximum character limit for the list is 1000 characters (including comma
separators).
Shared Roles: User roles that can share this device. When you type a role name in the Shared Roles field
and press the Enter key, the role appears as a "tag" and is created in the system when the
form is saved.
Each role name may not exceed 64 characters. A maximum of 100 role names may be
entered. The maximum character limit for the list is 1000 characters (including comma
separators).
Shared Groups: User groups that can share this device. These will be available in the Shared Groups field
for users to choose from when they share a device.
When you type a name for the group in the Group Names field and press the Enter key, the
group appears as a "tag" and is created in the system when the form is saved.
Each group name may not exceed 64 characters. A maximum of 32 group names may be
entered. The maximum character limit for the list is 320 characters (including comma
separators).
This feature requires AOS 6.4 or later.
Time Sharing: Time-based sharing rules for this device. For more information, see "About AirGroup Time-
Based Sharing" on page 75.
Syntax: Opens the help topic "AirGroup Time-Based Sharing Syntax Examples" on page 71
Account Activation: Options include: Activate the account immediately, at a preset interval of hours or days, at a
specified time, or leave the account disabled.
If you choose Activate at a specified time, the Activation Time row is added to the form.
Click the button to open the calendar picker. In the calendar, use the arrows to select the
year and month, click the numbers in the Time fields to increment the hours and minutes,
then click a day to select the date.
Account Expiration: Options include: Never expire, expire at a preset interval of hours or days, or expire at a
specified time.
• If you choose any time in the future, the Expire Action row is added to the form.
  Indicate the expiration action for the account—either delete, delete and log out, disable,
  or disable and log out. The action will be applied at the time set in the Account Expiration
  row.
• If you choose Account expires after, the Expires After row is added to the form.
  Choose an interval of hours, days, or weeks. The maximum is two weeks.
• If you choose Account Expires at a specified time, the Expiration Time row is added
  to the form. In the calendar picker, use the arrows to select the year and month, click the
  numbers in the Time fields to increment the hours and minutes, then click a day to
  select the date.
Account Role: Assigns the visitor’s role.
Terms of Use: Click the terms of use link and read the agreement, then mark the check box to agree to
the terms.
Create Device: Commits your changes and creates the device. The Account Details and print options are
displayed. For more information, see "Printing Device Details" on page 64.
Creating Devices During Self-Registration - MAC Only
This section describes how to configure a guest self-registration so that it creates a MAC device account. After
the guest is registered, future authentication can take place without the need for the guest to enter their
credentials. A registration can be converted to create a MAC device instead of standard guest credentials.
This requires a vendor to pass a MAC parameter in the redirect URL. W-ClearPass Guest does not support
querying the controller or DHCP servers for the client's MAC based on IP.
To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row,
click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth in the list,
click the Customize fields link above the list. Click the Edit link in the field’s row. In the Define Custom Field
form, edit the registration form fields:
• Add or enable mac
  ▪ UI: Hidden field
  ▪ Field Required: checked
  ▪ Validator: IsValidMacAddress
• Add or enable mac_auth
  ▪ UI: Hidden field
• Any other expiration options, role choice, surveys, and so on can be entered as usual.
Figure 7 Modify fields
• Edit the receipt form fields:
  ▪ Edit username to be a Hidden field
  ▪ Edit password to be a Hidden field
• Adjust any headers or footers as needed.
When the visitor registers, they should be able to still log in via the Log In button. The MAC will be passed as
their username and password via standard captive portal means.
The account will only be visible on the List Devices page.
If the guest logs out and reconnects, they should be immediately logged in without being redirected to the
captive portal page.
Creating Devices During Self-Registration - Paired Accounts
Paired accounts is a means to create a standard visitor account with credentials, but to have a MAC account
created in parallel that is directly tied to the visitor account. These accounts share the same role, expiration and
This requires a vendor passing a mac parameter in the redirect URL. W-ClearPass Guest does not support
querying the controller or DHCP servers for the client's MAC based on IP.
To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row,
click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth_pair in the
list, click the Customize fields link above the list. Click the Edit link in the field’s row. In the Define Custom
Field form, edit the registration form fields:
• Add or enable mac
  ▪ UI: Hidden field
  ▪ Field Required: optional
  ▪ Validator: IsValidMacAddress
• Add or enable mac_auth_pair
  ▪ UI: Hidden field
  ▪ Initial Value: -1
• Any other expiration options, role choice, surveys and so on can be entered as usual.
You will see an entry under both List Accounts and List Devices. Each should have a View Pair action that
cross-links the two.
If you delete the base account, all of its pairings will also be deleted. If RFC-3576 has been configured, all pairs will be
logged out.
Creating Multiple Guest Accounts
The Create Multiple Guest Accounts form is used to create a group of visitor accounts.
To create multiple accounts, go to Guest > Create Multiple, or click the Create Multiple Guest Accounts
command link on the Guest Manager > Start Here page. The Create Multiple Guest Accounts form opens.
The Create Multiple Guest Accounts form (create_multi) can be customized by adding new fields, or modifying or
removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about the
customization process. The default settings for this form are described below.
(Required) Enter the number of accounts to create.
You can select an activation time from this drop-down list. The guests' accounts cannot be used
before the activation time. Options include:
• Now
• Disable account
• Tomorrow
• Next Monday
• 1 hour from now
• 1 day from now
• 1 week from now
• Activate at specified time...
If you selected "Activate at specified time", use the calendar picker in this field to specify the date
and time. If no selection is made, the account will be enabled immediately.
You can select an expiration time from this drop-down list. The guests' accounts cannot be used
after the expiration time. Options include:
• Account will not expire
• Now
• Tonight
• Friday night
• 1 hour from now
• 1 day from now
• 1 week from now
• 30 days from now
• 90 days from now
• 180 days from now
• 1 year from now
• Account expires after...
• Account expires at specified time...
Expires After: If you selected "Account expires after", use this drop-down list to specify a length of time. Options
include several intervals of hours, days, or weeks.
Expiration Time: If you selected "Account expires at specified time", use the calendar picker in this field to specify the
date and time. If no selection is made, the account will not expire.
Expire Action: (Required) Specify the behavior of the expiration. Options include:
• Delete and log out at specified time
• Delete at specified time
• Disable and log out at specified time
• Disable at specified time
Be aware that a logout can only occur if the NAS is RFC-3576 compliant.
(Required) Specify the type of account the guest should have. Options include:
• Contractor
• Employee
• Guest
Notes: You may enter notes about this guest account.
Terms of Use: (Required) You must select the check box in this field in order to create the account.
Create Accounts: When your entries on the form are complete, click this button to create the guests' accounts.
A random username and password will be created for each visitor account. This is not displayed on this form,
but will be available on the guest account receipt. The default password length is six characters.
Creating Multiple Guest Account Receipts
After a group of guest accounts has been created, the details for the accounts are displayed.
To print the receipts, select an appropriate template from the Open print window using template…
drop-down list. A new browser window opens with the Print dialog displayed.
To download a copy of the receipt information in CSV format, click the Save list for scratch cards (CSV file) link. You will be prompted to either open or save the spreadsheet (CSV) file. The fields available in the CSV
file are:
• Number – The sequential number of the visitor account, starting at one.
• Username – The username for the visitor account.
• Password – The password for the visitor account. The default password length is six characters.
• Role – The visitor account’s role.
• Activation Time – The date and time at which the account will be activated, or N/A if there is no activation
  time.
• Expiration Time – The date and time at which the account will expire, or N/A if there is no activation time.
• Lifetime – The account lifetime in minutes, or N/A if the account does not have a lifetime specified.
• Successful – “Yes” if the account was created successfully, or “No” if there was an error creating the
  account.
Creating a Single Password for Multiple Accounts
You can create multiple accounts that have the same password. In order to do this, you first customize the
Create Multiple Guest Accounts form to include the Password field.
To include the Password field on the Create Multiple Guest Accounts form:
1. Go to Configuration > Forms & Views. Click the create_multi row, then click its Edit Fields link. The
Customize Form Fields view opens, showing a list of the fields included in the Create Multiple Guest
Accounts form and their descriptions.
At this point, the Password field is not listed because the Create Multiple Guest Accounts form (create_
multi) has not yet been customized to include it. You will create it for the form in the next step.
2. Click on any field in the list to expand a row, then click the Insert After link (you can modify this placement
later). The Customize Form Field form opens.
3. In the Field Name row, choose password from the drop-down list. The form displays configuration
options for this field.
4. In the Field row, mark the Enable this field check box.
5. To adjust the placement of the password field on the Create Multiple Guest Accounts form, you may change
the number in the Rank field.
6. In the User Interface row, choose Password text field from the drop-down list. The Field Required
check box should now be automatically marked, and the Validator field should be set to IsNonEmpty.
7. Click Save Changes. The Customize Form Fields view opens again, and the password field is now included
and can be edited.
To create multiple accounts that all use the same password:
1. Go to Guest > Create Multiple. The Create Guest Accounts form opens, and includes the Visitor
Password field.
2. In the Number of Accounts field, enter the number of accounts you wish to create.
3. In the Visitor Password field, enter the password that is to be used by all the accounts. The minimum
password length is six characters.
4. Complete the other fields with the appropriate information, then click Create Accounts. The Finished
Creating Guest Accounts view opens. The password and other account details are displayed for each
account.
Guest account information may be exported to a file in one of several different formats.
To export a file with the current list of guest accounts, go to Guest > Export Accounts, or go to Guest > Start Here and click the Export Guest Accounts command link. The Export Accounts page opens with
three options displayed. Click the appropriate command link to save a list of all guest accounts in comma-separated values (CSV), tab-separated values (TSV), or XML format.
The Export Accounts view (guest_export) may be customized by adding new fields, or by modifying or
removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about this
customization process.
About CSV and TSV Exports
In CSV and TSV format, the following default fields are included in the export:
• Number – Sequential number of the guest account in the exported data
• User ID – Numeric user ID of the guest account
• Username – Username for the guest account
• Role – Role for the guest account
• Activation – Date and time at which the guest account will be activated, or “N/A” if there is no activation
  time
• Expiration – Date and time at which the guest account will expire, or “N/A” if there is no expiration time
• Lifetime – The guest account’s lifetime in minutes after login, or 0 if the account lifetime is not set
• Expire Action – Number specifying the action to take when the guest account expires (0 through 4)
About XML Exports
The default XML format consists of a <GuestUsers> element containing a <GuestUser> element for each
exported guest account. The numeric ID of the guest account is provided as the “id” attribute of the
<GuestUser> element. This format is compatible with the W-ClearPass Policy Manager XML format for guest
users.
The values for both standard and custom fields for guest accounts are exported as the contents of an XML tag,
where the tag has the same name as the guest account field.
Guest accounts may be created from an existing list by uploading the list to W-ClearPass Guest.
To import a file with the current list of guest accounts, go to Guest > Import Accounts, or go to Guest > Start Here and click the Import Guest Accounts command link. The Import Accounts page opens with the
first part of the form displayed, Upload User List.
The Upload User List form provides you with different options for importing guest account data.
To complete the form, you must either specify a file containing account information, or type or paste in the
account information to the Accounts Text area.
Select the Show additional import options check box to display the following advanced import options:
• Character Set: W-ClearPass Guest uses the UTF-8 character set encoding internally to store visitor account
information. If your accounts file is not encoded in UTF-8, the import may fail or produce unexpected
results if non-ASCII characters are used. To avoid this, you should specify what character set encoding you
are using.
• Import format: The format of the accounts file is automatically detected. You may specify a different
encoding type if automatic detection is not suitable for your data. The Import Format drop-down list
includes the following options:
  ◦ Automatically detect format (This default option recognizes guest accounts exported from W-
• Select the Force first row as header row check box if your data contains a header row that specifies the
field names. This option is only required if the header row is not automatically detected.
Click Next Step to upload the account data.
In step 2 of 3, W-ClearPass Guest determines the format of the uploaded account data and matches the
appropriate fields to the data. The first few records in the data are displayed, together with any automatically
detected field names.
Because this data includes a header row that contains field names, the corresponding fields were automatically
detected in the data:
Use the Match Fields form to identify which guest account fields are present in the imported data. You can
also specify the values to be used for fields that are not present in the data.
To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column
name to use the values from that column when importing guest accounts, or select one of the other available
options to use a fixed value for each imported guest account.
Click the Next Step button to preview the final result. Import Step 3 of 3, the Import Accounts form, opens
and shows a preview of the import operation. The values of each guest account field are determined, and any
conflicts with existing user accounts are shown.
The icon displayed for each user account indicates if it is a new entry or if an existing user account will be
updated.
By default, this form shows ten entries per page. To view additional entries, click the arrow button at the
bottom of the form to display the next page, or click the 10 rows per page drop-down list at the bottom of
the form and select the number of entries that should appear on each page.
Click the check box by the account entries you want to create, or click one of the following options to select the
desired accounts:
• Click the This Page link to select all entries on the current page.
• Click the All link to select all entries on all pages.
• Click the Existing link to select all existing user accounts in the list.
Click the Create Accounts button to finish the import process. The selected items will be created or
updated. You can then print new guest account receipts or download a list of the guest accounts. See "Creating
Multiple Guest Account Receipts" on page 47 in this chapter for more information.
Managing Single Guest Accounts
Use the Manage Guest Accounts list view to work with individual guest accounts. To open the Manage Guest
Accounts list, go to Guest > Manage Accounts.
The Manage Guest Accounts list view opens. This view (guest_users) may be customized by adding new fields or
modifying or removing the existing fields. See "Customizing Fields" on page 206 for details about this
customization process. The default settings for this view are described below.
The Username, Role, State, Activation, and Expiration columns display information about the visitor
accounts that have been created:
• The value in the Expiration column is colored red if the account will expire within the next 24 hours. The
expiration time is additionally highlighted in boldface if the account will expire within the next hour.
• In addition, icons in the Username column indicate the account’s activation status:
  ◦ Visitor account is active
  ◦ Visitor account was created but is not activated yet
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a
portion of the username or any other fields that are configured for search, and you can include the following
operators:
Table 11: Operators supported in filters
Operator    Meaning
=           is equal to
!=          is not equal to
>           is greater than
>=          is greater than or equal to
<           is less than
<=          is less than or equal to
~           matches the regular expression
!~          does not match the regular expression
Additional information: You may search for multiple values when using the equality (=) or inequality (!=)
operators. To specify multiple values, list them separated by the pipe character ( | ).
For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those
with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".
To restore the default view, click the Clear Filter link.
Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or
last page of the list. You can also click an individual page number to jump directly to that page.
When the list contains numerous user accounts, consider using the Filter field to speed up finding a specific user
account.
Use the Create tab to create new visitor accounts using the Create New Guest Account form. See
"Creating a Guest Account " on page 39 for details about this form.
Use the More Options tab for additional functions, including import and export of guest accounts and the
ability to customize the view.
Click a user account’s row to select it. You can then select from one of these actions:
• Reset password – Changes the password for a guest account. A new randomly generated password is
displayed on the Reset Password form. The default password length is six characters.
Click Update Account to reset the guest account’s password. A new account receipt is displayed,
allowing you to print a receipt showing the updated account details.
• Change expiration – Changes the expiration time for a guest account.
This form (change_expiration) can be customized by adding new fields, or modifying or removing the existing fields.
See "Customizing Forms and Views" on page 212 for details about this customization process.
Select an option from the drop-down list to change the expiration time of the guest account.
Click Update Account to set the new expiration time for the guest account. A new account receipt is
displayed, allowing you to print a receipt showing the updated account details.
• Remove – Disables or deletes a guest account.
Select the appropriate Action radio button, and click Make Changes to disable or delete the account.
If you wish to have automatic disconnect messages sent when the enabled value changes, you can specify
this in the Configuration module. See "Configuring W-ClearPass Guest Authentication " on page 188.
• Activate – Re-enables a disabled guest account, or specifies an activation time for the guest account.
Select an option from the drop-down list to change the activation time of the guest account. To re-enable
an account that has been disabled, choose Now. Click Enable Account to set the new activation time for
the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated
account details.
• Edit – Changes the properties of a guest account.
This form can be customized by adding new fields, or modifying or removing the existing fields. See "Customizing
Forms and Views" on page 212 for details about this customization process.
Click Update Account to update the properties of the guest account. A new account receipt is displayed,
allowing you to print a receipt showing the updated account details.
• Sessions – Displays the active sessions for a guest account. See "Active Sessions Management" on page
33 in this chapter for details about managing active sessions.
• Print – Displays the guest account’s receipt and the delivery options for the receipt. For security reasons,
the guest’s password is not displayed on this receipt. To recover a forgotten or lost guest account password,
use the Reset password link.
• Show Details – The row expands to display all the properties of the guest's account in a table, including
endpoint details. This option is only available to users whose operator profile includes the Show Details
privilege.
To view the list of current MAC devices, go to Guest > Manage Devices.
The Guest Manager Devices page opens.
All devices created by one of the methods described in the following section are listed. Options on the form let you
change a device’s account expiration time; activate, remove, or edit the device; view active sessions or details
for the device; or print details, receipts, confirmations, or other information.
The MAC Address, Device Name, Expiration, Sponsor, and Sharing columns display information about the
device accounts that have been created:
• The value in the Expiration column is colored red if the device account will expire within the next 24 hours.
The expiration time is additionally highlighted in boldface if the device account will expire within the next
hour.
• In addition, icons in the MAC Address column indicate the device account’s activation status:
  ◦ Device account is active
  ◦ Device account was created but is not activated yet
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a
portion of any fields that are configured for search, and you can include the following operators:
Table 12: Operators supported in filters
Operator    Meaning
=           is equal to
!=          is not equal to
>           is greater than
>=          is greater than or equal to
<           is less than
<=          is less than or equal to
~           matches the regular expression
!~          does not match the regular expression
Additional information: You may search for multiple values when using the equality (=) or inequality (!=)
operators. To specify multiple values, list them separated by the pipe character ( | ).
For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those
with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".
To restore the default view, click the Clear Filter link.
Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or
last page of the list. You can also click an individual page number to jump directly to that page.
To select a device, click the device you want to work with.
Changing a Device’s Expiration Date
To change a device’s expiration date, click the device’s row in the Guest Manager Devices list, then click its
Change expiration link. The row expands to include the Change Expiration form.
1. In the Account Expiration row, choose one of the options in the drop-down list to set an expiration date:
   • If you choose Account expires after, the Expires After row is added to the form. Choose an interval
   • If you choose Account Expires at a specified time, the Expiration Time row is added to the form.
   Click the button to open the calendar picker. In the calendar, use the arrows to select the year and
   month, click the numbers in the Time fields to increment the hours and minutes, then click a day to
   select the date.
2. If you choose any option other than “will not expire” or “now” in the Account Expiration field, the Expire Action row is added to the table. Use the drop-down list in this row to specify one of the following actions:
delete, delete and log out, disable, or disable and log out.
3. Click Update Account to commit your changes.
Disabling and Deleting Devices
To remove a device’s account by disabling or deleting it, click the device’s row in the Guest Manager Devices list,
then click its Remove link. The row expands to include the Remove Account form.
You may choose to either disable or delete the account. If you disable it, it remains in the device list and you
may activate it again later. If you delete the account, it is removed from the list permanently.
Activating a Device
To activate a disabled device’s account, click the device’s row in the Guest Manager Devices list, then click its
Activate link. The row expands to include the Enable Guest Account form.
1. In the Activate Account row, choose one of the options in the drop-down list to specify when to activate
the account. You may choose an interval, or you may choose to specify a time.
2. If you choose Activate at specified time, the Activation Time row is added to the form. Click the
button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the
numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
To edit a device’s account, click the device’s row in the Guest Manager Devices list, then click its Edit link. The
row expands to include the Edit Device form. You can edit any of the device's properties.
Table 13: New Device
Field – Description
MAC Address – The device's MAC address.
Device Name – The name for the device.
If you need to modify the configuration for expected separator format or case, go to
Administration > Plugin Manager > Manage Plugins and click the Configuration link
for the MAC Authentication Plugin.
AirGroup – Enables AirGroup for the device. Configuration options are added to the form.
Ownership – Specifies whether device ownership should be personal or shared. Personal devices are
automatically shared with the owner's other devices.
Shared With – Usernames of people who can share this device. Enter usernames as a comma-separated
list. To make the device available to all users, leave this field blank.
Each username may not exceed 64 characters. A maximum of 100 usernames may be
entered. The maximum character limit for the list is 1000 characters (including comma
separators).
Shared Locations – Locations where the device can be shared. When you type a location name in the Shared
Locations field and press the Enter key, the location appears as a "tag" and is created in the
system when the form is saved.
Each location name may not exceed 64 characters. A maximum of 100 location names may
be entered. The maximum character limit for the list is 1000 characters (including comma
separators).
Shared Roles – User roles that can share this device. When you type a role name in the Shared Roles field
and press the Enter key, the role appears as a "tag" and is created in the system when the
form is saved.
Each role name may not exceed 64 characters. A maximum of 100 role names may be
entered. The maximum character limit for the list is 1000 characters (including comma
separators).
Shared Groups – User groups that can share this device. These will be available in the Shared Groups field
for users to choose from when they share a device.
When you type a name for the group in the Group Names field and press the Enter key, the
group appears as a "tag" and is created in the system when the form is saved.
Each group name may not exceed 64 characters. A maximum of 32 group names may be
entered. The maximum character limit for the list is 320 characters (including comma
separators).
Time Sharing – Time-based sharing rules for this device. For more information, see "About AirGroup Time-Based
Sharing" on page 75.
Syntax – Opens the help topic "AirGroup Time-Based Sharing Syntax Examples" on page 71.
Account Activation – Options include: Activate the account immediately, at a preset interval of hours or days, at a
specified time, or leave the account disabled.
If you choose Activate at a specified time, the Activation Time row is added to the form.
Click the button to open the calendar picker. In the calendar, use the arrows to select the
year and month, click the numbers in the Time fields to increment the hours and minutes,
then click a day to select the date.
Account Expiration – Options include: Never expire, expire at a preset interval of hours or days, or expire at a
specified time.
• If you choose any time in the future, the Expire Action row is added to the form.
Indicate the expiration action for the account—either delete, delete and log out, disable,
or disable and log out. The action will be applied at the time set in the Account Expiration
row.
• If you choose Account expires after, the Expires After row is added to the form.
Choose an interval of hours, days, or weeks. The maximum is two weeks.
• If you choose Account Expires at a specified time, the Expiration Time row is added
to the form. In the calendar picker, use the arrows to select the year and month, click the
numbers in the Time fields to increment the hours and minutes, then click a day to
select the date.
Account Role – Assigns the visitor’s role.
Notes – Optional additional information.
Update Device – Commits your changes and updates the device. The Updated Device Details and print
options are displayed.
Viewing Current Sessions for a Device
To view any sessions that are currently active for a device, click the Sessions link in the device’s row on the
Guest Manager Devices form. The Active Sessions list opens. For more information, see "Active Sessions
To print details, receipts, confirmations, or other information for a device, click the device’s row in the Guest
Manager Devices list, then click its Print link. The row expands to include the Account Details form and a drop-
down list of information that can be printed for the device.
Choosing an option in the Open print window using template drop-down list opens a print preview
window and the printer dialog. Options include account details, receipts in various formats, a session expiration
alert, and a sponsorship confirmation notice.
Viewing Device Details
• Show Details – The row expands to display all the properties of the device's account in a table. This option
is only available to users whose operator profile includes the Show Details privilege.
Managing Multiple Guest Accounts
Use the Bulk Edit Accounts list view to work with multiple guest accounts. To open the Bulk Edit Accounts
list, go to Guest > Manage Multiple Accounts.
This view (guest_multi) may be customized by adding new fields or by modifying or removing the existing
fields. See "Customizing Guest Self-Registration" on page 235 for details about this customization process. The
default settings for this view are described below.
The Username, Role, State, Activation, Expiration, and Lifetime columns display information about the
visitor accounts that have been created:
• The value in the Expiration column is colored red if the visitor account will expire within the next 24 hours.
The expiration time is additionally highlighted in boldface if the visitor account will expire within the next
• In addition, icons in the Username column indicate the account’s activation status:
  ◦ Visitor account is active
  ◦ Visitor account was created but is not activated yet
  ◦ Visitor account was disabled by Administrator
  ◦ Visitor account has expired
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a
portion of the username or any other fields that are configured for search, and you can include the following
operators:
Table 14: Operators supported in filters
Operator    Meaning
=           is equal to
!=          is not equal to
>           is greater than
>=          is greater than or equal to
<           is less than
<=          is less than or equal to
~           matches the regular expression
!~          does not match the regular expression
Additional information: You may search for multiple values when using the equality (=) or inequality (!=)
operators. To specify multiple values, list them separated by the pipe character ( | ).
For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those
with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".
To restore the default view, click the Clear Filter link.
Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or
last page of the list. You can also click an individual page number to jump directly to that page.
To select guest accounts, click the accounts you want to work with. You may click either the check box or the
row to select a visitor account. To select or unselect all visible visitor accounts, click the check box in the header
row of the table.
Use the selection row at the top of the table to work with the current set of selected accounts. The number of
currently selected accounts is shown. When a filter is in effect, the “All Matching” link can be used to add all
pages of the filtered result to the selection.
Use the Create tab to create new visitor accounts using the Create Multiple Guest Accounts form. See
"Managing Multiple Guest Accounts " on page 64 in this chapter for details about this form.
Use the Delete tab to delete the visitor accounts that you have selected. This option is not active if there are
no visitor accounts selected.
Use the Edit tab to make changes to multiple visitor accounts at once. This option is not active if there are
no visitor accounts selected.
The Edit Guest Accounts form may be customized by adding new fields, or modifying or removing the existing
fields. See "Customizing Guest Self-Registration" on page 235 for details about this customization process. This
is the guest_multi_form form.
The Results tab will be automatically selected after you have made changes to one or more guest accounts.
You can create new guest account receipts or download the updated guest account information. See "Creating
Multiple Guest Account Receipts" on page 47 in this chapter for more information.
The More Options tab includes the Choose Columns command link. You can click this link to open the
Configuration module’s Customize View Fields form, which may be used to customize the Edit Guest Accounts
view.
AirGroup Device Registration
AirGroup allows users to register their personal mobile devices on the local network and define a group of
friends or associates who are allowed to share them. If AirGroup Services is enabled, AirGroup administrators
can provision their organization’s shared devices and manage access, and AirGroup operators can register and
provision a limited number of their own personal devices for sharing. For complete AirGroup deployment
information, refer to the AirGroup sections in the Dell Networking W-Series ArubaOS User Guide and the
W-ClearPass Policy Manager documentation.
This functionality is only available to AirGroup administrators.
To register and manage an organization’s shared devices and configure device access, log in as the AirGroup
administrator and go to Guest > Create Device. The Register Shared Device form opens.
1. In the Device Name field, enter the name used to identify the device.
2. In the Device Type field, use the drop-down list to select the device type.
3. In the MAC Address field, enter the device’s MAC address.
4. In the Shared Locations field, enter the locations where the device can be shared. To allow the device to
be shared with all locations, leave this field blank.
Each location name may not exceed 64 characters. A maximum of 100 location names may be entered. The
maximum character limit for the list is 1000 characters (including comma separators).
Each location is entered as a tag=value pair describing the MAC address of the access point (AP) closest to
the registered device. Use commas to separate the tag=value pairs in the list. Tag=value pair formats are
shown in the following table:
Table 15: Tag=Value Pair Formats
AP Type           Tag=Value Format
Name-based AP     ap-name=<name>
Group-based AP    ap-group=<group>
FQLN-based AP     fqln=<fqln>
• AP FQLNs should be configured in the format <ap name>.<floor>.<building>.<campus>
• Floor names should be in the format floor <number>
• The <ap-name> should not include periods ( . )
Example:
AP105-1.Floor 1.TowerD.Mycompany
5. In the Shared With field, enter the usernames of your organization’s staff or students who are allowed to
use the device. Use commas to separate usernames in the list.
Each username may not exceed 64 characters. A maximum of 100 usernames may be entered. The
maximum character limit for the list is 1000 characters (including comma separators).
• If the Shared With field is left blank, this device can be accessed by all devices.
• If users are entered in the Shared With field, the device can only be accessed by the specified users.
6. In the Shared Roles field, enter the user roles that are allowed to use the device. Use commas to separate
the roles in the list.
Each role name may not exceed 64 characters. A maximum of 100 role names may be entered. The
maximum character limit for the list is 1000 characters (including comma separators).
• To make the device available to all roles, leave this field blank.
• If roles are entered in the Shared Roles field, the device can only be accessed by users with matching
roles.
7. Click Register Shared Device. The Finished Creating Guest Account page opens. This page displays
Account Details and provides printer options.
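The limits and tag=value formats in steps 4 through 6 can be checked before a batch of shared devices is registered. The following is an added example, not code from W-ClearPass Guest: the record keys (name, shared_locations, shared_with, shared_roles), the sample devices, and the choice to apply the 64-character limit to the whole tag=value entry and to match tags and floor names case-insensitively are assumptions. It also reports devices where all three sharing fields are blank, since each blank field means "all".

```python
import re

# Limits quoted in the guide for the Shared Locations, Shared With and
# Shared Roles fields of the Register Shared Device form.
MAX_ITEM_LEN, MAX_ITEMS, MAX_LIST_LEN = 64, 100, 1000
LOCATION_TAGS = {"ap-name", "ap-group", "fqln"}
# "Floor names should be in the format floor <number>" (case-insensitive here,
# an assumption based on the guide's own "Floor 1" example).
FLOOR_RE = re.compile(r"^floor \d+$", re.IGNORECASE)
SHARING_FIELDS = ("shared_locations", "shared_with", "shared_roles")


def split_list(raw):
    """Split a comma-separated form value into trimmed, non-empty items."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def check_limits(field, raw):
    """Apply the per-entry, entry-count and total-length limits to one field."""
    problems = []
    items = split_list(raw)
    if len(raw) > MAX_LIST_LEN:
        problems.append(f"{field}: list is {len(raw)} characters (limit {MAX_LIST_LEN})")
    if len(items) > MAX_ITEMS:
        problems.append(f"{field}: {len(items)} entries (limit {MAX_ITEMS})")
    for item in items:
        if len(item) > MAX_ITEM_LEN:
            problems.append(f"{field}: entry {item[:16]!r}... exceeds {MAX_ITEM_LEN} characters")
    return problems


def check_location(entry):
    """Check one Shared Locations entry against the Table 15 formats."""
    tag, sep, value = entry.partition("=")
    tag, value = tag.strip().lower(), value.strip()
    if not sep or tag not in LOCATION_TAGS or not value:
        return [f"shared_locations: {entry!r} is not ap-name=, ap-group= or fqln="]
    if tag == "fqln":
        # <ap name>.<floor>.<building>.<campus>; a period inside the AP name
        # shows up here as a fifth component.
        parts = value.split(".")
        if len(parts) != 4:
            return [f"shared_locations: {entry!r} needs <ap name>.<floor>.<building>.<campus>"]
        if not FLOOR_RE.match(parts[1].strip()):
            return [f"shared_locations: floor {parts[1]!r} is not 'floor <number>'"]
    return []


def audit_device(record):
    """Return a list of problems for one device record (empty list = clean)."""
    fields = {name: record.get(name, "") for name in SHARING_FIELDS}
    problems = []
    for name, raw in fields.items():
        problems += check_limits(name, raw)
    for entry in split_list(fields["shared_locations"]):
        problems += check_location(entry)
    # Blank Shared Locations, Shared With and Shared Roles each mean "all".
    if not any(split_list(raw) for raw in fields.values()):
        problems.append("unrestricted: no users, roles or locations limit sharing")
    return problems


# Constructed sample records, not taken from a real deployment.
SAMPLE_DEVICES = [
    {"name": "lobby-display",
     "shared_locations": "fqln=AP105-1.Floor 1.TowerD.Mycompany, ap-group=lobby",
     "shared_with": "alice, bob", "shared_roles": ""},
    {"name": "lab-printer",
     "shared_locations": "fqln=AP105.1.Floor 1.TowerD.Mycompany, building=7",
     "shared_with": "x" * 65, "shared_roles": ""},
    {"name": "conference-tv",
     "shared_locations": "", "shared_with": "", "shared_roles": ""},
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        for problem in audit_device(device):
            print(f"{device['name']}: {problem}")
```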
To view and edit your organization’s shared AirGroup devices:
1. Go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup
Device page. The AirGroup Devices page opens. This page lists all the shared AirGroup devices for the
organization. You can remove a device; edit a device’s name, MAC address, shared locations, shared-user list,
or shared roles; print device details; or add a new device.
2. To work with a device, click the device’s row in the list. The form expands to include the Remove, Edit, and
3. To edit properties of a shared device, click the Edit link for the device. The row expands to include the Edit
Shared Device form. You can modify the device’s name, MAC address, shared locations, group of users, and
shared roles.
4. When your edits are complete, click Save Changes.
Registering Personal Devices
This functionality is available to AirGroup operators.
To register your personal devices and define a group who can share them:
1. Log in as the AirGroup operator and go to Guest > Create Device. The Register Device form opens.
2. In the Your Name field, enter your username for your organization.
3. In the Device Name field, enter the name used to identify the device.
4. In the Device Type drop-down list, select the device type.
5. In the MAC Address field, enter the device’s MAC address.
6. In the Shared With field, enter the usernames of your friends or colleagues who are allowed to use the
device. Use commas to separate usernames in the list. You may enter up to ten usernames.
• If the Shared With field is left blank, this device can only be accessed by devices registered by the same
operator or with a dot1x username that matches the operator’s name.
• If users are entered in the Shared With field, the device can be accessed by the device owner and by the
specified users.
7. Click Register Device. The Finished Creating Guest Account page opens. This page displays Account Details
and provides printer options.
To view and edit your personal AirGroup devices, go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The List Device page lets you remove a device;
edit a device’s name, MAC address, or shared-user list; print device details; or add a new device.
To view and edit your personal AirGroup devices:
1. Go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup
Device page. The AirGroup Devices page opens. This page lists all your personal AirGroup devices. You can
remove a device; edit a device’s name, MAC address, or shared-user list; print device details; or add a new
device.
2. To work with a device, click the device’s row in the list. The form expands to include the Remove, Edit, and Print options.
3. To edit properties of a device, click the Edit link for the device. The row expands to include the Edit Device
form. You can modify the device’s name, MAC address, and group of users.
4. When your edits are complete, click Save Changes.
AirGroup Time-Based Sharing Syntax Examples
This section provides examples and discussions of syntax for time-based sharing policies for AirGroup shared
devices.
For information on using time-based sharing for AirGroup, see "About AirGroup Time-Based Sharing" on page
75. For supplemental time-based syntax information, see "Time-Based Syntax Reference" on page 73.
Example:
periodic Monday 9am to 10am shared users A, B
The device is shared with users A and B, from 9am to 10am every Monday (relative to the server's current
time zone). Outside of this time slot, the device is not shared (except as otherwise controlled by AOS).
Example:
periodic Monday 9:00 to 10:30 shared users A, B
periodic Monday 12:00 to 13:30 shared users A, B
periodic Monday 15:00 to 16:30 shared users C, D
The device is shared with users A and B, from 9am to 10:30am and from noon to 1:30pm every Monday
(relative to the server's current time zone). From 3pm to 4:30pm, the device is shared with users C and D.
Outside of these two time slots, the device is not shared.
With periodic, times may be specified either in 24-hour format (hh:mm, from 0:00 to 24:00), or in 12-hour
format (hh:mm and am or pm).
Don't specify overlapping time ranges with periodic rules; this can lead to unexpected results.
The synonyms rep, repeat or repeating may also be used in place of period or periodic. All of these
terms are treated identically.
Example:
default allow
periodic mon 9am to 10am shared users A, B
As in the first example, the device is shared with users A and B, from 9am to 10am every Monday. Outside
of this time slot, the device is shared as specified by the other sharing state fields (shared users, locations,
roles and/or groups). This is the meaning of the default allow statement.
If default allow is not specified, the normal behavior is default deny, which is the same as in the first
example. Note that with default deny in effect, the AirGroup time sharing policy will override any other
sharing rules that are specified, for as long as the time sharing policy is in effect.
Two and three-character shortened forms of weekdays are acceptable (e.g. "Mon" or "Mo" can be used for
Monday, "Tue" or "Tu" for Tuesday, etc.) Case is not significant in the time sharing policy, so "Mon", "MON",
and "mon" are all equivalent ways to specify "Monday".
Example:
default deny
not after 01-Feb-2014
periodic mon 9am to 10am shared users A, B
The device is shared with users A and B, from 9am to 10am every Monday. The not after date sets the end
of the time sharing policy. Monday, January 27, 2014 is the last day that this time sharing policy will take
effect.
After 10am on this date, the time sharing policy is no longer in effect; any other sharing rules that have
been specified will then take effect.
Example:
default deny
not before 1/1/14
not after 01-Feb-2014
periodic mon 9am to 10am shared users A, B
The device is shared with users A and B, from 9am to 10am every Monday. The not before date sets the
beginning of the time sharing policy. In this case, Monday, January 6, 2014 is the first day that this time
sharing policy will take effect.
Prior to 9am 6 January 2014, the device is not shared (due to the default deny).
After 10am on 27 January 2014, the time sharing policy is no longer in effect; any other sharing rules that
have been specified will then take effect.
Example:
time zone America/Los_Angeles
periodic Monday 9am to 10am shared users A, B
The device is shared with users A and B, from 9am to 10am every Monday (relative to the U.S. Pacific time
zone). Daylight saving time rules are observed; the time period 9am to 10am is always relative to that
time zone.
Example:
periodic mon tue wed thu fri 9am to 10am shared users A, B
The device is shared with users A and B, from 9am to 10am every weekday (Monday, Tuesday, Wednesday,
Thursday and Friday).
Example:
periodic weekdays 9am to 10am shared users A, B
weekday or weekdays can be used as a synonym for "Monday Tuesday Wednesday Thursday Friday".
Similarly, weekend or weekends can be used as a synonym for "Saturday Sunday".
Example:
on Sep 16 9:00 to 13:00 shared location AP-Name=1341-ap01 shared group ABC shared role
SomeRole shared user user02, user03, "user04", 'user05'
The device is shared with a single access point named 1341-ap01, a single group named ABC, a single role
named SomeRole, and 4 users named user02, user03, user04, and user05.
Note the quotes are not considered to be part of the user names user04 and user05. (In this case, the
quotes are redundant as there is no space or comma that requires quoting.)
No time zone is specified, so the date and time are determined relative to the server's time zone.
No year is specified, so the server's current year is used. In particular, after September 16 of any year, this
rule will have no effect until the following year.
Example:
default allow
periodic 0:00 to 24:00 shared roles default_role
periodic mon 9am to 5pm shared roles other_role
The device is normally shared ("default allow") with a single role named default_role ("periodic 0:00 to
24:00 shared roles default_role").
On Monday from 9am to 5pm, the device is shared with a different role named other_role.
Note that even though the time ranges overlap, the sharing policies are completely distinct; on Mondays
from 9am to 5pm, the role default_role will NOT have access to the device, because a different sharing rule
is in effect. (The rule could instead have been written "periodic mon 9am to 5pm shared roles default_role,
other_role" if this was the desired result.)
This example shows how to use an overlapping time range: place the most general time range first, with
more specific time ranges later. In particular, reversing the order of the periodic statements will not work.
Example:
default deny
periodic 9:00 to 22:00 shared roles default_role
no periodic thu 9:00 to 17:00
periodic fri 9:00 to 17:00 not shared
This example shows how to share a device with a basic policy, and demonstrates two ways to disable
sharing for a subset of the time period.
The device will be shared with a single role named default_role, from 9:00 to 22:00 each day. ("periodic
9:00 to 22:00 shared roles default_role").
On Thursday, the device is not shared between 9:00 and 17:00.
On Friday, the device is not shared between 9:00 and 17:00.
Example:
default allow
periodic 9:00 to 22:00 shared roles default_role
no periodic thu 9:00 to 17:00
periodic fri 9:00 to 17:00 not shared
This example is similar to the previous example; the device is not shared on Thursday and Friday between
9:00 and 17:00.
The difference is after 22:00 and before 9:00: in the previous example, the device is not shared during this
time period, whereas with default allow the other AirGroup sharing rules will take effect (any shared users,
roles, groups or locations that have been defined for the device).
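The last examples above depend on rule order, so here is a small evaluator for that subset of the syntax, added as an illustration and not ClearPass code. It assumes that the last matching periodic rule decides (inferred from the note that reversing the statements will not work) and that an interval includes its start and excludes its end; the function names are hypothetical, and only the shared roles, not shared and no periodic clauses are handled.

```python
import re
from datetime import datetime

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"weekday": {0, 1, 2, 3, 4}, "weekdays": {0, 1, 2, 3, 4},
              "weekend": {5, 6}, "weekends": {5, 6}}
PERIODIC_WORDS = {"period", "periodic", "rep", "repeat", "repeating"}
TIME_RE = re.compile(r"(\d{1,2})(?::(\d{2}))?(am|pm)?")
ROLES_RE = re.compile(r"shared\s+roles?\s+(.+)", re.IGNORECASE)

def parse_day(token):
    """Map a day token to weekday indexes (Monday=0); None if it is not a day."""
    token = token.lower()
    if token in DAY_GROUPS:
        return DAY_GROUPS[token]
    if len(token) in (2, 3) or token in DAYS:
        hits = {i for i, name in enumerate(DAYS) if name.startswith(token)}
        return hits if len(hits) == 1 else None
    return None

def parse_time(token):
    """Convert 9am, 5pm, 9:00, 17:00 or 24:00 to minutes since midnight."""
    m = TIME_RE.fullmatch(token.lower())
    if not m:
        raise ValueError(f"bad time: {token!r}")
    hour, minute, ampm = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if ampm:
        if not 1 <= hour <= 12:
            raise ValueError(f"bad 12-hour time: {token!r}")
        hour = hour % 12 + (12 if ampm == "pm" else 0)
    if minute > 59 or hour * 60 + minute > 24 * 60:
        raise ValueError(f"time out of range: {token!r}")
    return hour * 60 + minute

def parse_policy(text):
    """Return (default, rules); each rule is (days, start, end, roles)."""
    default, rules = None, []
    for line in filter(str.strip, text.splitlines()):
        words = line.split()
        if words[0].lower() == "default" and len(words) == 2:
            default = words[1].lower()
            continue
        negated = words[0].lower() in ("no", "not")
        words = words[1:] if negated else words
        if not words or words[0].lower() not in PERIODIC_WORDS:
            raise ValueError(f"unsupported rule: {line!r}")
        words, days = words[1:], set()
        while words and parse_day(words[0]) is not None:
            days |= parse_day(words.pop(0))
        if len(words) < 3 or words[1].lower() != "to":
            raise ValueError(f"expected '<time> to <time>': {line!r}")
        start, end = parse_time(words[0]), parse_time(words[2])
        tail = " ".join(words[3:])
        named = ROLES_RE.fullmatch(tail)
        if negated or tail.lower() == "not shared":
            roles = frozenset()  # sharing switched off for this interval
        elif named:
            roles = frozenset(r.strip(" '\"") for r in named.group(1).split(","))
        else:
            raise ValueError(f"unsupported sharing clause: {line!r}")
        rules.append((frozenset(days), start, end, roles))
    if default is None:
        # Syntax reference: the default is allow only when no interval rules exist.
        default = "deny" if rules else "allow"
    return default, rules

def shared_roles(policy_text, when):
    """Roles the device is shared with at `when` (naive datetime, policy time zone).
    frozenset() means not shared; None means no rule matched under default
    allow, so the device's other sharing fields apply."""
    default, rules = parse_policy(policy_text)
    minute, day = when.hour * 60 + when.minute, when.weekday()
    decision, matched = None, False
    for days, start, end, roles in rules:
        if start < end:  # ASSUMPTION: start inclusive, end exclusive
            hit = start <= minute < end and (not days or day in days)
        else:  # interval wraps past midnight; the day list names the start day
            hit = ((minute >= start and (not days or day in days)) or
                   (minute < end and (not days or (day - 1) % 7 in days)))
        if hit:
            decision, matched = roles, True  # ASSUMPTION: a later rule overrides
    if matched:
        return decision
    return None if default == "allow" else frozenset()

# Two policies copied from the examples on this page.
BASIC = """default deny
periodic 9:00 to 22:00 shared roles default_role
no periodic thu 9:00 to 17:00
periodic fri 9:00 to 17:00 not shared"""

OVERLAP = """default allow
periodic 0:00 to 24:00 shared roles default_role
periodic mon 9am to 5pm shared roles other_role"""

if __name__ == "__main__":
    for when in (datetime(2014, 1, 2, 10), datetime(2014, 1, 2, 18)):  # a Thursday
        print(when, sorted(shared_roles(BASIC, when)))
```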
Time-Based Syntax Reference
This reference describes the syntax used for time formats in time-based sharing rules. It supplements the
examples for AirGroup time-based sharing by user groups discussed in "AirGroup Time-Based Sharing Syntax
Examples" on page 71. For more information on using time-based sharing with AirGroup, see "About AirGroup
Time-Based Sharing" on page 75.
The syntax for AirGroup time-based sharing policies supports all the default time-based ACL rules specified in
TimeRangeACL. This ACL is a sequence of rules, one per line, according to the following syntax:
• default allow|deny
Specifies the default behavior for unmatched times; this is 'allow' only if no 'periodic' or 'absolute' rules are
specified, otherwise it is 'deny'. Use 'default allow' if the remaining rules exclude times, otherwise use
'default deny' if the remaining rules are to include times. This rule may only be used once.
• [time] zone default|server|...
Specifies the time zone to use for matching times and specifying the time of day. If unset, the current time
zone setting is used (note that this may vary due to operator and/or profile settings). If the value "default"
or "server" is specified, the system's time zone is used. Otherwise, the named time zone is used. This rule
may only be used once, and must be before any rules specifying a time interval.
• [not] period(ic) [day-list] hh:mm to [day] hh:mm
Specifies a periodic or daily interval. Recognized days include Sunday, Monday, Tuesday, Wednesday,
Thursday, Friday, Saturday and 3-letter abbreviations; the tokens "weekends" and "weekdays" may also be
used. Without a day-list, all days of the week are matched. Time may be specified in 12 or 24 hour format,
with the special time 24:00 indicating the end of the day.
Example: periodic monday 8:00 to friday 17:00 matches between 8am and 5pm, Monday through
Friday.
Example: periodic weekdays 8:00 to 17:00 specifies the same thing as the example in the previous line.
Example: periodic wed 11am to 11pm matches between 11:00 and 23:00 on a Wednesday.
Example: periodic weekend 0:00 to 24:00 matches any time on a Saturday or Sunday.
Example: periodic saturday sunday 0:00 to 24:00 specifies the same thing as the example in the
previous line.
The 'not' keyword may be specified to invert the allow/deny decision.
Example: default allow; not period 23:00 to 6:00 (on 2 separate lines) allows access, except between
11pm and 6am.
Example: period 6:00 to 23:00 is equivalent to the example in the previous line.
• not before [date-and-time]
Specifies an absolute time before which access will always be rejected.
Example: not before 2010-07-01 09:00 matches after 9am on 1 July 2010.
• not after [date-and-time]
Specifies an absolute time after which access will always be rejected.
Example: not after 2011-01-01 00:00 matches before midnight on New Year's Day 2011.
• [not] abs(olute) [start-date-and-time] to [end-date-and-time]
Specifies a start and end interval. The date and time is a format recognized by strtotime(). Times between
the start and end point are matched. The 'not' keyword may be specified to invert the allow/deny decision.
Example: absolute December 25 to December 26 matches all day on Christmas Day each year. (This does
not match on December 26 as midnight on this date is the endpoint of the interval.)
A blank time ACL means "all times are allowed".
The following examples give common usage:
• 8:00 to 18:00 - allows access 8am to 6pm, every day, but not outside those times
• weekdays 9am to 5pm - allows access 9am to 5pm, Monday through Friday, but not outside those times
• weekdays 9am to 5pm
  weekends 10am to 4pm - allows access 9am to 5pm, Monday through Friday, with reduced hours on
  Saturday and Sunday
Annual recurrences may be specified:
• weekdays 9am to 5pm
  not absolute December 25 to December 26 - allows access 9am to 5pm, Monday through Friday, but not
  on Christmas Day
Less common cases:
• default allow
  not 23:00 to 6:00 - allows access, except between 11pm and 6am daily
• 9:00 to 18:00
  not before 2010-02-01 - allows daily access between 9am and 6pm, starting on February 1, 2010
• 9:00 to 18:00
  not before 2010-02-01 - allows daily access between 9am and 6pm, starting on February 1, 2010, in the
  GMT time zone (useful if server is in a different time zone)
About AirGroup Time-Based Sharing
This section discusses time-based sharing policies for an AirGroup shared device.
For information on the syntax for time-based sharing policies for AirGroup shared devices, see "AirGroup
Time-Based Sharing Syntax Examples" on page 71.
Time-based sharing is used in settings where an organization's shared devices are made available to groups of
users according to a regular schedule, and device access is configured by group at the user level—for example:
• A university classroom or laboratory is used by a first-year physics class on Mondays, Wednesdays, and
  Fridays, by a group of researchers on Tuesdays and Thursdays, and for visiting speakers every other
  Saturday.
• A convention center has several major exhibitors who each hold an annual event, and who reserve their
  customary section of the convention center several years in advance.
In cases like this, you can enter rules to define the schedule on which shared devices in an area will be available
to certain groups. You can also specify times when a device will not be available. This is a time-based sharing
policy.
Device association is dynamic: When a shared device is available to a group, any user with that group attribute
can access the device. When the user is no longer a member of the group (for example, at the end of the
semester), they no longer have access, but the time-based sharing policy remains in effect and new users who
are assigned the group attribute can access the shared device.
Basics of Time-Based Sharing Setup
When you create a device, enable it for AirGroup Services, and configure it as a shared device, you also have the
option to specify time-based sharing (time fencing) for the device.
You first use the Administration > AirGroup Services > Configure form to create the groups who can
share devices. When you type a name for the group in the Group Name field, press the Enter key, and click
Save, the group is created in the system and appears as a "tag".
On the Guest > Create Device or Guest > List Devices > Edit forms, the shared user groups you created
are then available for selection when you click in the Shared Groups field. (This feature requires AOS 6.4 or
later.)
On the same screen, the next step is then to enter the rules for the time-based sharing policy, using the group
names you created. For more information, see "AirGroup Time-Based Sharing Syntax Examples" on page 71.
MAC Authentication in W-ClearPass Guest
W-ClearPass Guest supports a number of options for MAC Authentication and the ability to authenticate
devices.
The advanced features described in this section generally require a WLAN capable of MAC authentication with
captive portal fallback. Please refer to your WLAN documentation for setting up the controller appropriately.
To verify that you have the most recent MAC Authentication Plugin installed and enabled before you configure
these advanced features, go to Administration > Plugin Manager. For information on plugin management,
see "Plugin Manager" on page 444.
MAC Address Formats
Different vendors format the client MAC address in different ways—for example:
• 112233AABBCC
• 11:22:33:aa:bb:cc
• 11-22-33-AA-BB-CC
W-ClearPass Guest supports adjusting the expected format of a MAC address. To configure formatting of
separators and case in the address, as well as user detection and device filtering for views, go to
Administration > Plugin Manager and click the Configuration link for the MAC Authentication plugin.
The MAC Authentication Configuration page opens.
Figure 8 MAC Authentication Plugin—Configuration
On the controller, the fields look as follows:
Figure 9 MAC Authentication Profile
Automatically Registering MAC Devices in W-ClearPass Policy Manager
If W-ClearPass Policy Manager is enabled, you can configure a guest MAC address to be automatically
registered as an endpoint record in W-ClearPass Policy Manager when the guest uses a Web login page or a
guest self-registration workflow. This customization option is available if a valid Local or RADIUS pre-authentication check was performed.
To configure auto-registration for an address through a Web login page:
1. Go to Configuration > Pages > Web Logins, click the row of the page you wish to configure, then click its Edit link. The RADIUS Web Login Editor form opens.
2. Scroll down to the Post-Authentication area.
3. In the Policy Manager row, mark the check box to register the guest’s MAC address with W-ClearPass
Policy Manager. The Advanced row is added to the form.
4. In the Advanced row, mark the check box to enable advanced options in W-ClearPass Policy Manager. The
Endpoint Attributes row is added to the form.
5. In the Endpoint Attributes row, enter name|value pairs for the user fields and Endpoint Attributes to be
passed.
6. Click Save Changes to complete this configuration and continue with other tasks, or click Save and
Reload to proceed to Policy Manager and apply the network settings.
Importing MAC Devices
The standard Guest > Import Accounts form supports importing MAC devices. At a minimum the following
two columns are required: mac and mac_auth.
mac_auth,mac,notes
1,aa:aa:aa:aa:aa:aa,Device A
1,bb:bb:bb:bb:bb:bb,Device B
1,cc:cc:cc:cc:cc:cc,Device C
Any of the other standard fields can be added similar to importing regular guests.
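A pre-flight check for an import file, written for this guide as an added example (not part of W-ClearPass Guest): it accepts the three MAC layouts listed under MAC Address Formats, rewrites them to one form, and reports malformed rows, empty mac_auth values and duplicates that differ only in layout. The function names and the sample rows are constructed for the illustration.

```python
import csv
import io
import re

# The three vendor layouts listed on the page: bare hex, colon- and hyphen-separated.
MAC_LAYOUTS = re.compile(
    r"[0-9A-Fa-f]{12}"
    r"|[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
    r"|[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}")
REQUIRED = ("mac", "mac_auth")  # minimum columns named on the page


def normalize_mac(value, sep=":", upper=False):
    """Rewrite a MAC in one of the accepted layouts to a single canonical form."""
    value = value.strip()
    if not MAC_LAYOUTS.fullmatch(value):
        raise ValueError(f"not a recognised MAC address: {value!r}")
    digits = re.sub(r"[:-]", "", value).lower()
    mac = sep.join(digits[i:i + 2] for i in range(0, 12, 2))
    return mac.upper() if upper else mac


def check_import(csv_text, sep=":", upper=False):
    """Validate import rows and return (clean_rows, problems).

    problems is a list of (line_number, message). A row with a problem is
    left out of clean_rows, so only well-formed devices reach the import.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing required column(s): {', '.join(missing)}")
    clean, problems, seen = [], [], {}
    for row in reader:
        line = reader.line_num
        try:
            mac = normalize_mac(row.get("mac") or "", sep, upper)
        except ValueError as exc:
            problems.append((line, str(exc)))
            continue
        if not (row.get("mac_auth") or "").strip():
            problems.append((line, "mac_auth is empty"))
            continue
        if mac in seen:
            # Same device written in a different layout or case.
            problems.append((line, f"duplicate of line {seen[mac]} ({mac})"))
            continue
        seen[mac] = line
        clean.append({**row, "mac": mac})
    return clean, problems


def render_csv(rows, fieldnames):
    """Serialise the cleaned rows back to CSV text for the import form."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames,
                            lineterminator="\n", extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample: the page's column layout, with mixed MAC layouts,
# one duplicate, one truncated address and one empty mac_auth value.
SAMPLE = """mac_auth,mac,notes
1,AA-AA-AA-AA-AA-AA,Device A
1,bbbbbbbbbbbb,Device B
1,aa:aa:aa:aa:aa:aa,Device A listed twice
1,cc:cc:cc:cc:cc,Device C
,dd:dd:dd:dd:dd:dd,Device D
"""

if __name__ == "__main__":
    rows, problems = check_import(SAMPLE)
    print(render_csv(rows, ["mac_auth", "mac", "notes"]), end="")
    for line, message in problems:
        print(f"line {line}: {message}")
```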
Advanced MAC Features
This section describes some advanced features for MAC authentication.
User Detection on Landing Pages
When mac is passed in the redirect URL, the user is detected and a customized message displays on the
landing page.
To use this feature:
1. Go to Administration > Plugin Manager: MAC Authentication: Configuration and enable MACDetect.
2. Edit the header of your redirect landing page (login or registration) and include the following:
<p>{if $guest_receipt.u.visitor_name}
Welcome back to the show, {$guest_receipt.u.visitor_name|htmlspecialchars}!
{/if}</p>
3. For debugging purposes, include the following to see all the fields available:
{dump var=$guest_receipt export=html}
Click-Through Login Pages
A click-through login page will present a splash or terms screen to the guest, yet still provide MAC-auth style
seamless authentication. Under this scenario, you could have people create an account, with a paired MAC, yet
still have them click the terms and conditions on every new connection.
To use this feature:
1. Disable MAC authentication on the controller.
2. Go to Administration > Plugin Manager: MAC Authentication: Configuration and enable MACDetect.
3. Create a Web Login. Include the following settings:
   • Authentication: Anonymous
   • Anonymous User: _mac (_mac is a special secret value)
   • Pre-Auth Check: Local
   • Terms: Require a Terms and Conditions confirmation
4. Set the Web login as your landing page and test. With a registered device, the 'Log In' button should be
enabled; otherwise it will be disabled.
5. You might also want to add a message so visitors get some direction:
Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate
access credentials and setting up the network connection parameters. W-ClearPass Onboard automates
802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices across
wired, wireless, and virtual private networks (VPNs).
W-ClearPass Onboard includes the following key features:
• Automatic configuration of network settings for wired and wireless endpoints
• Provisioning of unique device credentials for BYOD and IT-managed devices
• Support for Windows, Mac OS X, iOS, and Android devices
• Ability to revoke unique credentials on a specific user's device
• W-ClearPass Profile for identifying device type, manufacturer, and model
Accessing Onboard
To access the device provisioning features of W-ClearPass Onboard, click the Onboard link in the left
navigation.
About W-ClearPass Onboard
Dell Networking W-ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own
device” (BYOD) and IT-managed devices—Windows, Mac OS X, iOS and Android—across wired, wireless, and
virtual private networks (VPNs).
W-ClearPass Onboard includes the following key features:
• Automatic configuration of network settings for wired and wireless endpoints.
• Provisioning of unique device credentials for BYOD and IT-managed devices.
• Support for Windows, Mac OS X, iOS, and Android devices.
• Enables the revocation of unique credentials on a specific user’s device.
• Leverages W-ClearPass Profile to identify device type, manufacturer, and model.
This section provides the following important information about Dell Networking W-ClearPass Onboard:
• "Onboard Deployment Checklist" on page 81
• "Onboard Feature List" on page 83
• "Supported Platforms" on page 84
• "Public Key Infrastructure for Onboard" on page 85
• "Revoking Unique Device Credentials" on page 86
• "Network Requirements for Onboard" on page 87
• "Network Architecture for Onboard" on page 89
• "The W-ClearPass Onboard Process" on page 91
• "Configuring the User Interface for Device Provisioning" on page 95
• "Onboard Troubleshooting" on page 96
Onboard Deployment Checklist
Table 16 lists planning, configuration, and testing procedures. Use this checklist to complete your Onboard
deployment.
Onboard events are stored in the Application Log for seven days by default. After seven days, significant
runtime events are listed in the Audit Viewer in Dell Networking W-ClearPass Policy Manager’s Monitoring
module. Onboard events that are listed include:
• Changing the CA certificate
• Issuing a new certificate
• Signing a certificate signing request
• Revoking a certificate
• Deleting a certificate
• Importing a trusted certificate
• Uploading a code-signing or other certificate
Table 16: Onboard Deployment Checklist
Planning and Preparation
• Review the Onboard feature list to identify the major areas of interest for your deployment.
  Reference: "Onboard Feature List" on page 83
• Review the list of platforms supported by Onboard, and identify the platforms of interest for your deployment.
  Reference: "Supported Platforms" on page 84
• Review the Onboard public key infrastructure, and identify any certificate authorities that will be needed during the deployment.
  Reference: "Public Key Infrastructure for Onboard" on page 85
• Review the network requirements and the network architecture diagrams to determine how and where to deploy the Onboard solution.
  Reference: Refer to the W-ClearPass Policy Manager documentation, and "Network Architecture for Onboard" on page 89 in this chapter
Configuration
• Configure the hostname and networking properties of the Onboard provisioning server.
  - DNS is required for SSL.
  - Ensure that hostname resolution will work for devices being provisioned.
  Reference: Refer to the W-ClearPass Policy Manager documentation
• Configure SSL certificate for the Onboard provisioning server.
  A commercial SSL certificate is required to enable secure device provisioning for iOS devices.
  Reference: Refer to the W-ClearPass Policy Manager documentation
• Configure the Onboard certificate authority.
  - Decide whether to use the Root CA or Intermediate CA mode of operation.
  - Create the certificate for the certificate authority.
  Reference: "Certificate Authorities" on page 97
• Configure device provisioning settings.
  - Select certificate options for device provisioning.
  - Select which device types should be supported.
  Reference: "About Configuring Provisioning Settings" on page 169
• Configure network settings for device provisioning.
  - Set network properties.
  - Upload 802.1X server certificates.
  - Set device-specific networking settings.
  Reference: "Network Settings" on page 130
• Configure networking equipment for non-provisioned devices.
  - Set authentication for the provisioning SSID, if required.
  - Ensure the captive portal redirects non-provisioned devices to the device provisioning page.
  Reference: "Network Requirements for Onboard" on page 87
• Configure networking equipment to authenticate provisioned devices.
  - Ensure 802.1X authentication methods and trust settings are configured correctly for all EAP types that are required.
  - Configure OCSP or CRL on the authentication server to check for client certificate validity.
  Reference: "Network Requirements for Onboard" on page 87
• Configure the user interface for device provisioning.
  - Set display options for iOS devices.
  - Set user interface options for other W-Onboard devices.
  - Set up the device provisioning Web login page.
  Reference: "Configuring the User Interface for Device Provisioning" on page 95
Testing and Verification
• Test device provisioning.
  - Verify that each type of device can be provisioned successfully.
  - Verify that each type of device can join the provisioned network and is authenticated successfully.
• Test device revocation.
  - Revoke a device’s certificate.
  - Verify that the device is no longer able to authenticate.
  - Verify that re-provisioning the device fails.
Onboard Feature List
The following features are available in Dell Networking W-ClearPass Onboard.
Table 17: Onboard Features
Feature: Automatic configuration of network settings for wired and wireless endpoints.
Uses:
• Configure wired networks using 802.1X
• Configure Wi-Fi networks using either 802.1X or pre-shared key (PSK)
• Configure trusted server certificates for 802.1X
• Configure Windows-specific networking settings
• Configure HTTP proxy settings for client devices (Android, OS X only)
Feature: Secure provisioning of unique device credentials for BYOD and IT-managed devices.
Uses:
• Configure EAP-TLS and PEAP-MSCHAPv2 without user interaction
• Revoke unique device credentials to prevent network access
Feature: Support for Windows, Mac OS X, iOS, and Android devices.
Uses:
• Leverage ClearPass Profiling to identify device type, manufacturer, and model
• Control the user interface displayed during device provisioning
Feature: Certificate authority enables the creation and revocation of unique credentials on a specific user’s device.
Uses:
• Root and intermediate CA modes of operation
• Supports SCEP enrollment of certificates
• Supports CRL generation to list revoked certificates
• Supports OCSP responder to query for certificate status
• Approve certificate signing request
• Reject certificate signing request
• Sign certificate from uploaded certificate signing request (CSR)
• Issue certificate
• Revoke certificate
• Display certificates
• Export certificate
• Renew root certificate
Feature: Provision additional settings specific to iOS devices
Uses:
• Exchange ActiveSync
• Passcode policy
• VPN settings
Supported Platforms
The platforms supported by Dell Networking W-ClearPass Onboard and the version requirements for each
platform are summarized in the following table.
Table 18: Platforms Supported by W-ClearPass Onboard
Platform | Example Devices | Version Required for Onboard Support | Notes
Apple iOS | iPhone, iPad, iPod Touch | iOS 4, iOS 5 | 1, 3
Apple Mac OS X | MacBook Pro, MacBook Air | Mac OS X 10.8 “Mountain Lion”, Mac OS X 10.7 “Lion” | 1
 | | Mac OS X 10.6 “Snow Leopard”, Mac OS X 10.5 “Leopard” | 2
Android | Samsung Galaxy S, Samsung Galaxy Tab, Motorola Droid | Android 2.2 (or higher) | 2
Microsoft Windows | Laptop, Netbook | Windows XP with Service Pack 3, Windows Vista with Service Pack 3, Windows 7, Windows 8, Windows 8.1 | 2
Note 1: Uses the “Over-the-air provisioning” method.
Note 2: Uses the “Onboard provisioning” method.
Note 3: Onboard may also be used to provision VPN settings, Exchange ActiveSync settings, and passcode policy on these
devices.
Public Key Infrastructure for Onboard
During the device provisioning process, one or more digital certificates are issued to the device. These are used
as the unique credentials for a device. To issue the certificate, Dell Networking W-ClearPass Onboard must
operate as a certificate authority (CA). The following sections explain how the certificate authority works, and
which certificates are used in this process.
Certificate Hierarchy
In a public key infrastructure (PKI) system, certificates are related to each other in a tree-like structure.
Figure 10 Relationship of Certificates in the Onboard Public Key Infrastructure
The root certificate authority (CA) is typically an enterprise certificate authority, with one or more intermediate
CAs used to issue certificates within the enterprise.
Onboard may operate as a root CA directly, or as an intermediate CA. See "Certificate Authorities" on page 97.
For information on setting up certificates when using Onboard in a cluster, see "Certificate Configuration in a
Cluster " on page 86.
The Onboard CA issues certificates for several purposes:
• The Profile Signing Certificate is used to digitally sign configuration profiles that are sent to iOS devices.
  - The identity information in the profile signing certificate is displayed during device provisioning.
• One or more Server Certificates may be issued for various reasons – typically, for an enterprise’s
  authentication server.
  - The identity information in the server certificate may be displayed during network authentication.
• One or more Device Certificates may be issued – typically, one or two per provisioned device.
  - The identity information in the device certificate uniquely identifies the device and the user that
    provisioned the device.
You do not need to manually create the profile signing certificate; it is created when it is needed. See
"Configuring Provisioning Settings for iOS and OS X" on page 176 to control the contents of this certificate.
You may revoke the profile signing certificate. It will be recreated when it is needed for the next device
provisioning attempt.
Certificate Configuration in a Cluster
When you use Onboard in a cluster, you must use one common root certificate authority (CA) to issue all CPPM
server certificates for the cluster. This allows the “verified” message in iOS and lets you verify that the CPPM
server certificate is valid during EAP-PEAP or EAP-TLS authentication.
In a cluster of CPPM servers, devices can be onboarded through any node or authenticated through any node.
Each CPPM server has a different certificate, used for both SSL and RADIUS server identity. In the default
configuration, these are self-signed certificates—that is, they are not issued by a root CA. This configuration of
multiple self-signed certificates will not work for Onboard: Although a single self-signed certificate can be
trusted, multiple self-signed certificates are not.
There are two ways to configure a common root CA to issue all the CPPM server certificates for a cluster:
• Use the Onboard certificate authority. Create a certificate signing request on each CPPM node, sign the
  certificates using Onboard, and install them in CPPM. You can then onboard devices on any node in the
  cluster, and can perform secure EAP authentication from a provisioned device to any node in the cluster.
• Use a commercial certificate authority to issue CPPM server certificates. Verify that the same root CA is at
  the top of the trust chain for every server certificate, and that it is the trusted root certificate for Onboard.
  Provisioning and authentication will then work across the entire cluster.
Revoking Unique Device Credentials
Because each provisioned device uses unique credentials to access the network, it is possible to disable
network access for an individual device. This offers a greater degree of control than traditional user-based
authentication — disabling a user’s account would impact all devices using those credentials.
To disable network access for a device, revoke the TLS client certificate provisioned to the device. See "Working
with Certificates in the List" on page 116.
Revoking access for a device is only possible when using an enterprise network. Personal (PSK) networks do not
support this capability.
Revoking Credentials to Prevent Network Access
Revoking a device's certificate will cause the device to be unable to authenticate. It will not prevent it from being re-provisioned. If you wish to deny access to a device, use the Manage Access link in the device's row on the Onboard > Management and Control > View by Device form.
If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate
authority to update the certificate’s state. When the certificate is next used for authentication, it will be
recognized as a revoked certificate and the device will be denied access.
When using EAP-TLS authentication, you must configure your authentication server to use either OCSP or CRL to
check the revocation status of a client certificate. OCSP is recommended as it offers a real-time status update for
certificates.
If the device is provisioned with PEAP unique device credentials, revoking the certificate will
automatically delete the unique username and password associated with the device. When this username is next
used for authentication, it will not be recognized as valid and the device will be denied access.
OCSP and CRL are not used when using PEAP unique device credentials. The ClearPass Onboard server
automatically updates the status of the username when the device's client certificate is revoked.
Re-Provisioning a Device
Because “bring your own” devices are not under the complete control of the network administrator, it is
possible for unexpected configuration changes to occur on a provisioned device.
For example, the user may delete the configuration profile containing the settings for the provisioned network,
instruct the device to forget the provisioned network settings, or reset the device to factory defaults and
destroy all the configuration on the device.
When these events occur, the user will not be able to access the provisioned network and will need to re-provision their device.
The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action
(such as connecting to the appropriate network). If this is not possible, the user may choose to restart the
provisioning process and re-provision the device.
Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these
credentials are still valid.
If the TLS client certificate has expired then the device will be issued a new certificate. This enables re-provisioning to occur on a regular basis.
If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked
certificate must be deleted before the device is able to be provisioned.
Network Requirements for Onboard
To achieve complete functionality, Dell Networking W-ClearPass Onboard has certain requirements that must
be met by the provisioning network and the provisioned network:
• The provisioning network must use a captive portal or other method to redirect a new device to the device
  provisioning page.
• The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be
  provisioned. In practice, this means a commercial SSL certificate is required.
• The provisioned network must support EAP-TLS and PEAP-MSCHAPv2 authentication methods.
• The provisioned network must support either OCSP or CRL checks to detect when a device has been
  revoked and deny access to the network.
Using Same SSID for Provisioning and Provisioned Networks
To configure a single SSID to support both provisioned and non-provisioned devices, use the following
guidelines:
• Configure the network to use both PEAP and EAP-TLS authentication methods.
• When a user authenticates via PEAP with their domain credentials, place them into a provisioning role.
• The provisioning role should have limited network access and a captive portal that redirects users to the
  device provisioning page.
• When a user authenticates via PEAP with unique device credentials, place them into a provisioned role.
• When a user authenticates via EAP-TLS using an Onboard client certificate, place them into a provisioned
  role.
For provisioned devices, additional authorization steps can be taken after authentication has completed to
determine the appropriate provisioned role.
Using Different SSID for Provisioning and Provisioned Networks
To configure dual SSIDs to support provisioned devices on one network, and non-provisioned devices on a
separate network, use the following guidelines:
• Configure the provisioning SSID to use PEAP, or another suitable authentication method.
• When a user connects to the provisioning SSID, place them into a provisioning role.
  ▪ The provisioning role should have limited network access and a captive portal that redirects users to the device provisioning page.
• When a user connects to the provisioned SSID, authenticate based on the type of credentials presented.
  ▪ For PEAP authentication with unique device credentials, place them into a provisioned role.
  ▪ For EAP-TLS authentication using an Onboard client certificate, place them into the provisioned role.
  ▪ In all other cases, deny access.
As for the single-SSID case, additional authorization steps may be taken after authentication has completed to
determine the appropriate provisioned role.
Configuring Online Certificate Status Protocol
Onboard supports the Online Certificate Status Protocol (OCSP) to provide a real-time check on the validity of a
certificate.
To configure OCSP for your network, you will need to provide the URL of an OCSP service to your network
equipment. This URL can be constructed by using the relative path mdps_ocsp.php/1.
For example, if the Onboard server’s hostname is onboard.example.com, the OCSP URL to use is:
http://onboard.example.com/guest/mdps_ocsp.php/1.
OCSP does not require the use of HTTPS and can be configured to use HTTP.
Configuring Certificate Revocation List (CRL)
Onboard supports generating a Certificate Revocation List (CRL) that lists the serial numbers of certificates that
have been revoked.
To configure a CRL, you will need to provide its URL to your network equipment. This URL can be constructed
by using the relative path mdps_crl.php?id=1.
For example, if the Onboard server’s hostname is onboard.example.com, the location of the CRL is:
http://onboard.example.com/guest/mdps_crl.php?id=1.
A certificate revocation list does not require the use of HTTPS and can be configured to use HTTP.
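To confirm from an administrator's workstation that the OCSP and CRL URLs described above answer, and that a certificate you revoked is actually reported as revoked, a check along the following lines can be used. This is an added example, not part of the original guide: it assumes openssl and curl are installed, and the function names, file arguments and sample CRL text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): check the Onboard revocation endpoints.
# Assumes openssl and curl are installed; all function names are hypothetical.

# URLs built from the relative paths given in this guide.
onboard_ocsp_url() { printf 'http://%s/guest/mdps_ocsp.php/1\n' "$1"; }
onboard_crl_url()  { printf 'http://%s/guest/mdps_crl.php?id=1\n' "$1"; }

# Canonical form of a certificate serial: hex, upper case, no "0x", colons,
# spaces or leading zeros, so "0x0a:1b" and "0A1B" compare equal.
normalize_serial() (
  s=$(printf '%s' "$1" | tr -d ': \t' | tr 'abcdef' 'ABCDEF')
  s=${s#0x}
  while [ "${#s}" -gt 1 ] && [ "${s#0}" != "$s" ]; do s=${s#0}; done
  printf '%s\n' "$s"
)

# Read "openssl crl -text" output on stdin; succeed if the serial is listed.
crl_text_lists_serial() (
  want=$(normalize_serial "$1")
  while IFS= read -r line; do
    case $line in
      *"Serial Number:"*)
        got=$(normalize_serial "${line#*Serial Number:}")
        if [ "$got" = "$want" ]; then exit 0; fi ;;
    esac
  done
  exit 1
)

# Download the CRL and look for one serial.
# Exit 0 = revoked, 1 = not listed, 2 = CRL could not be fetched or parsed.
check_crl() (
  host=$1 serial=$2
  tmp=$(mktemp) || exit 2
  trap 'rm -f "$tmp"' EXIT
  curl -fsS -o "$tmp" "$(onboard_crl_url "$host")" || exit 2
  # The guide does not state the CRL encoding, so try PEM first, then DER.
  text=$(openssl crl -in "$tmp" -inform PEM -noout -text 2>/dev/null) ||
    text=$(openssl crl -in "$tmp" -inform DER -noout -text) || exit 2
  printf '%s\n' "$text" | crl_text_lists_serial "$serial"
)

# Ask the OCSP responder about one client certificate. issuer = PEM of the CA
# that signed it; trust = PEM bundle used to verify the signed response.
# openssl prints the certificate status: good, revoked or unknown.
check_ocsp() (
  host=$1 issuer=$2 cert=$3 trust=$4
  openssl ocsp -issuer "$issuer" -cert "$cert" -CAfile "$trust" \
    -url "$(onboard_ocsp_url "$host")"
)

# Constructed sample of "openssl crl -text" output, used for an offline check.
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Issuer: CN = Example Onboard Signing CA
Revoked Certificates:
    Serial Number: 0A1B
        Revocation Date: Jan  1 00:00:00 2024 GMT
    Serial Number: 2C
        Revocation Date: Jan  2 00:00:00 2024 GMT'

if printf '%s\n' "$SAMPLE_CRL_TEXT" | crl_text_lists_serial '0a:1b'; then
  echo "serial 0a:1b is listed as revoked in the sample CRL"
fi
```

If check_crl returns 1 for a certificate you have revoked, network equipment that relies on the CRL has no way to learn of the revocation and will continue to admit that device.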
Network Architecture for Onboard
The high-level network architecture for the Onboard solution is shown in the following figure.
Figure 11 ClearPass Onboard Network Architecture
The sequence of events shown in Figure 11 is:
1. Users bring their own device to the enterprise.
2. The Dell Networking W-ClearPass Onboard workflow is used to provision the user’s device securely and with
a minimum of user interaction.
3. After it is provisioned, the device re-authenticates to the network using a set of unique device credentials.
These credentials uniquely identify the device and user and enable management of provisioned devices.
4. Administrators can configure all aspects of the provisioning workflow – including the devices that have been
provisioned, policies to apply to devices and the overall user experience for BYOD.
A more detailed view of the network architecture is shown in Figure 12. This diagram shows different types of
client devices using the Onboard workflow to gain access to the network. Some of the components that may
be configured by the network administrator are also shown.
Figure 12 Detailed View of the W-ClearPass Onboard Network Architecture
The components shown in Figure 12 are:
1. Users bring different kinds of client device with them. Onboard supports “smart devices” that use the iOS or
Android operating systems, such as smartphones and personal tablets. Onboard also supports the most
common versions of Windows and Mac OS X operating systems found on desktop computers, laptops and
netbooks.
2. The Onboard workflow is used to provision the user’s device securely and with a minimum of user
interaction. The provisioning method used depends on the type of device.
a. Newer versions of Mac OS X (10.7 and later) and iOS devices use the “over-the-air” provisioning method.
b. Other supported platforms use the “Onboard provisioning” method.
3. After it is provisioned, a client device uses a secure authentication method based on 802.1X and the
capabilities best supported by the device.
a. The unique device credentials issued during provisioning are in the form of an EAP-TLS client certificate
for iOS devices and OS X (10.7+) devices.
b. Other supported devices are also issued a client certificate, but will use the PEAP-MSCHAPv2
authentication method with a unique username and strong password.
4. Administrators can manage all Onboard devices using the certificate issued to that device.
Network Architecture for Onboard when Using W-ClearPass Guest
W-ClearPass Guest supports the provisioning, authentication, and management aspects of the complete
Onboard solution. Figure 13 shows the high-level network architecture for the Onboard solution when using
ClearPass Guest as the provisioning and authentication server.
Figure 13 W-ClearPass Onboard Network Architecture when Using W-ClearPass Guest
The user experience for device provisioning is the same in Figure 13 and Figure 11; however, there are
implementation differences between these approaches.
The W-ClearPass Onboard Process
Devices Supporting Over-the-Air Provisioning
Dell Networking W-ClearPass Onboard supports secure device provisioning for iOS 4, iOS 5, and recent versions
of Mac OS X (10.7 “Lion” and later). These are collectively referred to as “iOS devices”. The Onboard process for
iOS devices is shown in Figure 14.
Figure 14 Onboard Process for iOS Devices
The W-Onboard process is divided into three stages:
1. Pre-provisioning. The enterprise’s root certificate is installed on the iOS device.
2. Provisioning. The user is authenticated at the device provisioning page and then provisions their device
with the Onboard server. The device is configured with appropriate network settings and a device-specific
certificate.
3. Authentication. After configuration is complete, the user switches to the secure network and is
authenticated using an EAP-TLS client certificate.
A sequence diagram showing the interactions between each component of this workflow is shown in Figure 15.
Figure 15 Sequence Diagram for the W-Onboard Workflow on iOS Platform
1. When a BYOD device first joins the provisioning network it does not have a set of unique device credentials.
This will trigger the captive portal for that device, which brings the user to the mobile device provisioning
page.
2. A link on the mobile device provisioning page prompts the user to install the enterprise’s root certificate.
Installing the enterprise’s root certificate enables the user to establish the authenticity of the provisioning
server during device provisioning.
3. The user then authenticates with their provisioning credentials – these are typically the user’s enterprise
credentials from Active Directory. If the user is authorized to provision a mobile device, the over-the-air
provisioning workflow is then triggered (see Figure 16, below).
4. After provisioning has completed, the device switches to EAP-TLS authentication using the newly
provisioned client certificate. Mutual authentication is performed (the authentication server verifies the
client certificate, and the client verifies the authentication server’s certificate).
5. The device is now onboard and is able to securely access the provisioned network.
Over-the-air provisioning is used to securely provision a device and configure it with network settings. Figure
16 shows a sequence diagram that explains the steps involved in this workflow.
Figure 16 Over-the-Air Provisioning Workflow for iOS Platform
1. The only user interaction required is to accept the provisioning profile. This profile is signed by the Onboard
server, so that the user can be assured of its authenticity.
2. An iOS device will have two certificates after over-the-air provisioning is complete:
a. A Simple Certificate Enrollment Protocol (SCEP) certificate is issued to the device during the provisioning
process. This certificate identifies the device uniquely, and is used to encrypt the device configuration
profile so that only this device can read its unique settings.
b. A Transport Layer Security (TLS) client certificate is issued to the device. This certificate identifies the
device and the user that provisioned the device. It is used as the device’s network identity during EAP-TLS authentication.
Devices Supporting Onboard Provisioning
Dell Networking W-ClearPass Onboard supports secure device provisioning for Microsoft Windows XP (service
pack 3 and later), Microsoft Windows Vista, Microsoft Windows 7, Apple Mac OS X 10.5 and 10.6, and Android
devices (smartphones and tablets). These are collectively referred to as “Onboard-capable devices”. The
Onboard process for these devices is shown in Figure 17.
Figure 17 W-ClearPass Onboard Process for Onboard-Capable Devices
The Onboard process is divided into three stages:
1. Pre-provisioning. This step is only required for Android devices; the W-Series QuickConnect app must be
installed for secure provisioning of the device.
2. Provisioning. The device provisioning page detects the device type and downloads or starts the
QuickConnect app. The app authenticates the user and then provisions their device with the Onboard
server. The device is configured with appropriate network settings and credentials that are unique to the
device. See Figure 18 for details.
3. Authentication. After configuration is complete, the user switches to the secure network and is
authenticated using PEAP-MSCHAPv2 unique device credentials.
Figure 18 Sequence Diagram for the Onboard Workflow on Android Platform
1. When a BYOD device first joins the network it does not have a set of unique device credentials. This will
trigger the captive portal for that device, which brings the user to the mobile device provisioning page.
2. The Onboard portal is displayed. The user’s device type is detected, and a link is displayed depending on the
device type:
a. For Android devices, the link is to a file containing the Onboard configuration settings; downloading this
file will launch the QuickConnect app on the device.
b. For Windows and Mac, the link is to an executable file appropriate for that operating system that includes
both the QuickConnect app and the Onboard configuration settings.
3. The QuickConnect app uses the Onboard provisioning workflow to authenticate the user and provision
their device with the Onboard server. The device is configured with appropriate network settings and
credentials that are unique to the device.
4. After provisioning has completed, the app switches the device to PEAP authentication using the newly
provisioned unique device credentials. Mutual authentication is performed (the authentication server
verifies the client’s username and password, and the client verifies the authentication server’s certificate).
5. The device is now onboard and is able to securely access the network.
The Onboard provisioning workflow is used to securely provision a device and configure it with network
settings. Figure 19 shows a sequence diagram that explains the steps involved in this workflow.
Figure 19 Onboard Provisioning Workflow in the QuickConnect App
Configuring the User Interface for Device Provisioning
The user interface for device provisioning can be customized in three different ways:
• Customizing the Web login page used for device provisioning.
  All devices will reach the device provisioning Web login page as the first step of the provisioning process. See "Configuring Provisioning Settings for the Web Login Page" on page 174 to make changes to the content or formatting of this page.
• Customizing the properties of the device provisioning profile for iOS and OS X devices.
  After starting the provisioning process, users of iOS and OS X are prompted to accept a configuration profile. See "Configuring Provisioning Settings for iOS and OS X" on page 176 to make changes to the content of this profile.
• Customizing the user interface of the QuickConnect app for Windows, Mac OS X, and Android devices.
  The provisioning process for Windows, Mac OS X, and Android devices uses a separate app, which has a customizable user interface. See "Configuring Options for Onboard Client Devices" on page 184 to make changes to the user interface.
Using the {nwa_mdps_config} Template Function
Certain properties can be extracted from the Onboard configuration and used in the device provisioning page.
To obtain these properties, use the {nwa_mdps_config} Smarty template function. The “name” parameter
specifies which property should be returned, as described in Table 19.
Table 19: Properties Available with the {nwa_mdps_config} Smarty Template Function

Name: root_cert
Description: URL of the Onboard certificate authority’s root certificate. Browsing to this URL will install the root certificate on the device, which is required as part of the pre-provisioning step.
Example:

Name: wifi_ssid
Description: Name of the wireless network. See "Configuring Basic Network Access Settings" on page 131.
Example:
Connect to the network named {nwa_mdps_config name=wifi_ssid}

Name: organization_name
Description: The organization name. See "Configuring Basic Provisioning Settings" on page 170.
Example:
<h2> Welcome to {nwa_mdps_config name=organization_name}</h2>
Onboard Troubleshooting
If you encounter a problem that is not listed here, refer to the "Onboard Deployment Checklist " on page 81
and check each of the configuration steps listed there.
iOS Device Provisioning Failures
Symptom: Device provisioning fails on iOS with the message “The server certificate for https://… is invalid”.
Resolution: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate.
Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root
certificate authority, will cause iOS device provisioning to fail with the message “The server certificate for … is
invalid”.
A workaround for this issue is to install an appropriate root certificate on the iOS device. This root certificate
must be the Web server’s SSL certificate (if it is a self-signed certificate), or the certificate authority that issued
the SSL certificate. This is not recommended for production deployments as it increases the complexity of
deployment for users with iOS devices.
Hostname-to-Certificate Match Failures
Symptom: Device provisioning fails with the message "Onboard provisioning cannot be performed at this
address. If your were directed here, please contact a network administrator."
This occurs if the hostname used to access CPPM does not match the hostname configured in the CPPM server
certificate. These items must match or device provisioning will fail. This error is detected by Onboard and
results in the above message.
Resolution: To correct the problem, ensure that the DNS is correctly configured for the server, ensure that the
hostname is correctly set, and ensure that the server's certificate contains the correct hostname.
Onboard Interface Not Displayed
If Onboard is not visible in the ClearPass Guest user interface, verify whether Public Facing Enterprise (PFE)
mode is set in ClearPass Policy Manager. If PFE mode is enabled, Onboard is not permitted and Onboard
licenses cannot be added. The PFE mode is enabled or disabled in CPPM on the Mode tab at Administration
> Server Manager > Server Configuration > Cluster-Wide Parameters.
Certificate Renewal through OS X Mavericks
OS X Mavericks allows users to renew certificates automatically, and provides a notice and an Update link in the
Mavericks Profile fifteen days before a certificate expires. Onboard supports certificate renewal through OS X
Mavericks. However, only local certificates can be renewed; ADCS is not supported. Also, certificates that have
been revoked cannot be renewed.
Certificate Authorities
You can create and manage multiple certificate authorities for Onboard. To view and work with the list of
certificate authorities and to configure new certificate authorities, go to Onboard > Certificate Authorities.
The Certificate Authorities list view opens. All certificate authorities that have been set up are included in the
list. Information shown for each certificate authority includes its name, mode, status, expiration time, and
OCSP URL.
You can click a certificate authority's row in the list for additional options:
• To view details for a certificate authority, click its Show Details link. The form expands to show a summary of the settings defined for it, including information for certificate issuing, retention policy, identity, private key, and self-signed certificate.
• To edit any of a certificate authority's attributes and configure certificate issuing options, click its Edit link. The Certificate Authority Settings form opens. See "Editing Certificate Authority Settings" on page 101.
• To create a copy of a certificate authority configuration to use as a basis for a new certificate authority, click its Duplicate link. The first page of the Certificate Authority Settings form opens with the identity, private key, and self-signed certificate attributes prepopulated and "Copy" appended to the name. You can rename the new certificate authority and edit any of its attributes.
• To delete a certificate authority, you can click its Delete link. You will be asked to confirm the deletion before it commits.
• To see if the certificate authority is currently used, click its Show Usage link. The form expands to show a list of provisioning sets that use the certificate authority.
• To view the trust chain for the certificate authority, click its Trust Chain link. The Certificate Authority Trust Chain page opens. See "The Trust Chain and Uploading Certificates for the CA" on page 128.
• To view a list of certificates associated with the certificate authority, click its Certificates link. The Certificate Management page opens. See "Certificate Management (View by Certificate)" on page 115.
• To renew the certificate authority, click its Renew link. If it is an intermediate certificate authority, the Intermediate Certificate Renewal page opens, where you can send a certificate signing request; see "Requesting a Certificate for the Certificate Authority" on page 105. If it is a root certificate authority, the row expands to include the Root Certificate Renewal option. Click the Renew Root Certificate button. Renewing the certificate uses the same private key for the root certificate, but reissues the root CA certificate with an updated validity period. This will maintain the validity of all certificates issued by the CA. When you renew a certificate, you should distribute a new copy of the root certificate to all users of that certificate.
• To delete a certificate authority's client certificates, click its Delete Client Certificates link. The row expands to include the Delete Client Certificates form. To confirm the deletion, you must mark the Reset the specified items check box in the Confirm Reset field, and then click the Delete Client Certificates button. Doing so will permanently delete all client certificates for the certificate authority. This action cannot be reversed.
• To create a new certificate authority, click the Create new certificate authority link in the upper right corner. The initial setup page of the Certificate Authority Settings form opens. See the next section, "Creating a New Certificate Authority" on page 98.
Creating a New Certificate Authority
The first page of the Certificate Authority Settings form is used to create the Onboard certificate authority (CA)
and to configure some basic properties:
• Give it a name and description
• Specify root CA, intermediate CA, or local CA mode
• Configure the identity, private key, and self-signed certificate attributes
To create an Onboard certificate authority:
1. Go to Onboard > Certificate Authorities, and then either click the Duplicate link for a certificate
authority in the Certificate Authorities list or click the Create new certificate authority link. The initial
setup page of the Certificate Authority Settings form opens.
2. In the Name field, give the CA a short name that identifies it clearly. Certificate authority names can include
spaces. If you are duplicating a CA, the original name has "Copy" appended to it. You may highlight the
name and replace it with a new name.
3. In the Description field, briefly describe the CA. This description is shown in the Certificate Authorities list.
The Name and Description fields are used internally to identify this certificate authority for the network
administrator. These values are never displayed to the user during device provisioning.
4. The mode is used to set up the mode of operation for the certificate authority. In the Mode area, click one
of the descriptions to specify the type of certificate authority:
• Root CA—The Onboard certificate authority issues its own root certificate. The certificate authority issues client and server certificates using a local signing certificate, which is an intermediate CA that is subordinate to the root certificate. Use this option when you do not have an existing public-key infrastructure (PKI), or if you want to completely separate the certificates issued for Onboard devices from your existing PKI.
• Intermediate CA—The Onboard certificate authority is issued a certificate by an external certificate authority. The Onboard certificate authority issues client and server certificates using this certificate. Use this option when you already have a public-key infrastructure (PKI), and would like to include the certificate issued for Onboard devices in that infrastructure.
• Imported CA—If you choose Imported CA, the following fields are removed from the form. If you choose Root or Intermediate, complete the following fields.
5. In the Identity area, enter values in the Country, State, Locality, Organization, and Organizational Unit fields that correspond to your organization. These values form part of the distinguished name for the
certificate.
6. Enter a descriptive name for the certificate in the Common Name field. This value is used to identify the
certificate as the issuer of other certificates, notably the signing certificate.
7. For a root certificate, the Signing Common Name field is included on the form. Enter a descriptive name for
the signing certificate in the Signing Common Name field. This value is used to identify the signing
certificate as the issuer of client and server certificates from this certificate authority. The other identity
information in the signing certificate will be the same as for the root certificate.
8. Enter a contact email address in the Email Address field. This email address is included in the root and
signing certificates, and provides a way for users of the certificate authority to contact your organization.
9. In the Private Key area, use the Key Type drop-down list to specify the type of private key that should be
created for the certificate: