Dell Powerconnect W-ClearPass Virtual Appliances User Manual

Dell Networking W-ClearPass
Guest 6.4
User Guide
Copyright
© 2014 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.
All rights reserved. Specifications in this manual are subject to change without notice.
Originated in the USA. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open Source code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.
Contents
About this Guide
Audience
Conventions
Contacting Support
W-ClearPass Guest Overview
About Dell Networking W-ClearPass Guest
Visitor Access Scenarios
Reference Network Diagram
Key Interactions
AAA Framework
Key Features
Visitor Management Terminology
W-ClearPass Guest Deployment Process
Operational Concerns
Network Provisioning
Site Preparation Checklist
Security Policy Considerations
AirGroup Deployment Process
Documentation and User Assistance
User Guide and Online Help
Context-Sensitive Help
Field Help
Quick Help
If You Need More Assistance
Use of Cookies
W-ClearPass Guest Manager
Accessing Guest Manager
About Guest Management Processes
Sponsored Guest Access
Self Provisioned Guest Access
Active Sessions Management
Session States
RFC 3576 Dynamic Authorization
Filtering the List of Active Sessions
Disconnecting Multiple Active Sessions
Sending Multiple SMS Alerts
About SMS Guest Account Receipts
Using Standard Guest Management Features
Creating a Guest Account
Creating a Guest Account Receipt
Creating a Device
Creating Devices Manually in W-ClearPass Guest
Creating Devices During Self-Registration - MAC Only
Creating Devices During Self-Registration - Paired Accounts
Creating Multiple Guest Accounts
Creating Multiple Guest Account Receipts
Creating a Single Password for Multiple Accounts
Exporting Guest Account Information
About CSV and TSV Exports
About XML Exports
Importing Guest Accounts
Managing Single Guest Accounts
Managing Devices
Changing a Device’s Expiration Date
Disabling and Deleting Devices
Activating a Device
Editing a Device
Viewing Current Sessions for a Device
Printing Device Details
Viewing Device Details
Managing Multiple Guest Accounts
AirGroup Device Registration
Registering Groups of Devices or Services
Registering Personal Devices
AirGroup Time-Based Sharing Syntax Examples
Time-Based Syntax Reference
About AirGroup Time-Based Sharing
Basics of Time-Based Sharing Setup
MAC Authentication in W-ClearPass Guest
MAC Address Formats
Automatically Registering MAC Devices in W-ClearPass Policy Manager
Importing MAC Devices
Advanced MAC Features
User Detection on Landing Pages
Click-Through Login Pages
Onboard
Accessing Onboard
About W-ClearPass Onboard
Onboard Deployment Checklist
Onboard Feature List
Supported Platforms
Public Key Infrastructure for Onboard
Certificate Hierarchy
Certificate Configuration in a Cluster
Revoking Unique Device Credentials
Revoking Credentials to Prevent Network Access
Re-Provisioning a Device
Network Requirements for Onboard
Using Same SSID for Provisioning and Provisioned Networks
Using Different SSID for Provisioning and Provisioned Networks
Configuring Online Certificate Status Protocol
Configuring Certificate Revocation List (CRL)
Network Architecture for Onboard
Network Architecture for Onboard when Using W-ClearPass Guest
The W-ClearPass Onboard Process
Devices Supporting Over-the-Air Provisioning
Devices Supporting Onboard Provisioning
Configuring the User Interface for Device Provisioning
Using the {nwa_mdps_config} Template Function
Onboard Troubleshooting
iOS Device Provisioning Failures
Hostname-to-Certificate Match Failures
Onboard Interface Not Displayed
Certificate Renewal through OS X Mavericks
Certificate Authorities
Creating a New Certificate Authority
Editing Certificate Authority Settings
Requesting a Certificate for the Certificate Authority
Installing a Certificate Authority’s Certificate
Using Microsoft Active Directory Certificate Services
Management and Control
Device Management (View by Device)
Device Management (View by Username)
Certificate Management (View by Certificate)
Searching for Certificates in the List
Working with Certificates in the List
Working with Certificate Signing Requests
Importing a Code-Signing Certificate
Importing a Trusted Certificate
Creating a Certificate
Requesting a Certificate
The Trust Chain and Uploading Certificates for the CA
Considerations for iOS Devices
Onboard Configuration
Network Settings
Configuring Basic Network Access Settings
Configuring Enterprise Protocol Settings
Configuring Device Authentication Settings
Configuring Certificate Trust Settings
Configuring Windows-Specific Network Settings
Configuring Proxy Settings
iOS Settings
Configuring ActiveSync Settings
Configuring AirPlay Settings
Configuring AirPrint Settings
Configuring APN Settings
Configuring Calendar Settings
Configuring Contacts Settings
Configuring Email Settings
Configuring Global HTTP Proxy Settings
Configuring an iOS Device Passcode Policy
Configuring Single Sign-On Settings
Configuring Calendar Subscription Settings
Configuring an iOS Device VPN Connection
Configuring Web Clips
Configuring Web Content Filter Settings
Windows Applications
Configuring App Sets
Deployment and Provisioning
Configuration Profiles
Creating and Editing Configuration Profiles
Provisioning Settings
About Configuring Provisioning Settings
Configuring Basic Provisioning Settings
Configuring Provisioning Settings for the Web Login Page
Configuring Provisioning Settings for iOS and OS X
Configuring Provisioning Settings for Legacy OS X Devices
Configuring Provisioning Settings for Windows Devices
Configuring Provisioning Settings for Android Devices
Configuring Provisioning Settings for Ubuntu
Configuring Provisioning Settings for Chromebook
Configuring Options for Onboard Client Devices
About the Self-Service Portal
Configuration
Accessing Configuration
Configuring W-ClearPass Guest Authentication
Content Manager
Managing Content: Private Files and Public Files
Uploading Content
Downloading Content
Creating a New Content Directory
Configuring Guest Manager
Default Settings for Account Creation
About Fields, Forms, and Views
Business Logic for Account Creation
Verification Properties
Basic User Properties
Visitor Account Activation Properties
Visitor Account Expiration Properties
Other Properties
Standard Forms and Views
Configuring Access Code Logins
Customize Random Username and Passwords
Create the Print Template
Customize the Guest Accounts Form
Create the Access Code Guest Accounts
Pages
Customizing Fields
Creating a Custom Field
Duplicating a Field
Editing a Field
Deleting a Field
Displaying Forms that Use a Field
Displaying Views that Use a Field
Customizing AirGroup Registration Forms
Customizing Forms and Views
Editing Forms and Views
Duplicating Forms and Views
Editing Forms
Form Field Editor
Form Display Properties
Form Validation Properties
Examples of Form Field Validation
Advanced Form Field Properties
Form Field Validation Processing Sequence
Editing Views
View Field Editor
Customizing Guest Self-Registration
Accessing the Guest Self-Registration Customization Forms
Self-Registration Sequence Diagram
Editing Self-Registration Pages
Creating a Self-Registration Page
Configuring Basic Properties for Self-Registration
Editing Registration Page Properties
Editing the Default Self-Registration Form Settings
Creating a Single Password for Multiple Accounts
Editing Guest Receipt Page Properties
Editing Receipt Actions
Enabling and Editing NAS Login Properties
Editing Login Page Properties
Self-Service Portal Properties
Resetting Passwords with the Self-Service Portal
Managing Web Logins
Creating and Editing Web Login Pages
Receipts
Digital Passes
About Digital Passes
Viewing Digital Pass Certificates
Installing Digital Pass Certificates
Managing Digital Passes
Creating and Editing a Digital Pass Template
Example Template Code Variables
Images in Digital Passes
Email Receipts and SMTP Services
About Email Receipts
Configuring Email Receipts
Email Receipt Options
About Customizing SMTP Email Receipt Fields
Customizing SMS Receipt
SMS Receipt Fields
Customizing Print Templates
Creating New Print Templates
Print Template Wizard
Modifying Wizard-Generated Templates
Setting Print Template Permissions
SMS Services
Viewing SMS Gateways
Creating a New SMS Gateway
Editing an SMS Gateway
Sending an SMS
About SMS Credits
About SMS Guest Account Receipts
SMS Receipt Options
Working with the MobileCarriers List
About Translations
Translation Packs
Creating and Editing Translation Packs
Translation Assistant
Customizing Translated User Interface Text
Advertising Services
About Advertising Services
Materials
Promotions
Campaigns
Spaces
Pages
Advertising Services Process Overview
About the Tutorial
Navigating the Tutorial
Advertising Pages
Editing Advertising Pages
The nwa_adspace Smarty Template Tag
Advertising Spaces
Creating and Editing Advertising Spaces
"Other Location" Example
"Maximum Height" Example
"Maximum Width" Example
Advertising Campaigns
Creating and Editing Advertising Campaigns
Campaign Rank and Weight
Advertising Promotions
Creating and Editing Advertising Promotions
Using Labels in Advertising Services
Advertising Materials
Creating and Editing Advertising Materials
Hotspot Manager
Accessing Hotspot Manager
About Hotspot Management
Managing the Hotspot Sign-up Interface
Captive Portal Integration
Web Site Look-and-Feel
SMS Services
Managing Hotspot Plans
Editing or Creating a Hotspot Plan
Managing Transaction Processors
Creating a New Transaction Processor
Managing Existing Transaction Processors
Managing Customer Information
Managing Hotspot Invoices
Customizing the User Interface
Customizing Visitor Sign-Up Page One
Customizing Visitor Sign-Up Page Two
Customizing Visitor Sign-Up Page Three
Viewing the Hotspot User Interface
Administration
Accessing Administration
AirGroup Services
AirGroup Controllers
Creating and Editing AirGroup Controllers
Configuring AirGroup Services
AirGroup Diagnostics
Creating AirGroup Administrators
Creating AirGroup Operators
Authenticating AirGroup Users via LDAP
Configuring LDAP User Search for AirGroup
LDAP User Search Architecture
User Search Workflow
Configuration Summary
Basic LDAP Server Settings
User Search Settings
Configuring the AirGroup Shared User Field
Select2 Options Details
Select2 Hook Details
MACTrac Services
Creating MACTrac Operators
Managing MACTrac Devices
Registering MACTrac Devices
About MAC Addresses
Automatically Supplying the MACTrac Device Address
API Services
API Clients
Creating and Editing API Clients
Configuring the API Framework Plugin
Setting API Privileges in Operator Profiles
About OAuth
OAuth Basics
OAuth2 Client or App
Client ID and Secret
Redirect URI
Authorization Grant Types for OAuth
Application Service Accounts for OAuth
SOAP Web Services and API
Viewing Available Web Services
Configuring Web Services
SOAP API Introduction
Audience
API Documentation Overview
Disclaimer
About the SOAP API
Using the SOAP API
Integration Example
API Documentation
The XML-RPC Interface and API
About the XML-RPC API
Accessing the API
Invoking the API
Method Summary
API Documentation
Data Retention
3.9 Configuration Import
Creating a Customized Configuration Backup
Uploading the 3.9 Backup File
Restoring Configuration Items
Viewing Imported Item Details
Import Information for Specific Import Items
Import Information: Advertising Services
Import Information: AirGroup Services
Import Information: Cisco IP Phones
Import Information: Guest Manager
Import Information: High Availability (HA)
Import Information: Hotspot Manager
Import Information: Onboard
Import Information: Operator Logins
Import Information: Palo Alto Network Services
Import Information: RADIUS Services
Import Information: Reporting Manager Definitions
Import Information: Server Configuration
Import Information: SMS Services
Import Information: SMTP Services
Plugin Manager
Viewing Available Plugins
Configuring Plugins
Configuring the Kernel Plugin
Configuring the Aruba W-ClearPass Skin Plugin
Configuring the SMS Services Plugin
Configuring the IP Phone Services Plugin
Configuring the Translations Plugin
Support Services
Viewing the Application Log
Exporting the Application Log
Viewing Documentation
Contacting Support
Operator Logins
Accessing Operator Logins
About Operator Logins
Role-Based Access Control for Multiple Operator Profiles
Operator Logins Configuration
Custom Login Message
Advanced Operator Login Options
Automatic Logout
Operator Profiles
Creating an Operator Profile
Configuring the User Interface
Customizing Forms and Views
Operator Profile Privileges
Managing Operator Profiles
Configuring AirGroup Operator Device Limit
Local Operator Authentication
Creating a New Operator
External Operator Authentication
Manage LDAP Operator Authentication Servers
Viewing the LDAP Server List
Creating an LDAP Server
Advanced LDAP URL Syntax
LDAP Operator Server Troubleshooting
Testing Connectivity
Testing Operator Login Authentication
Looking Up Sponsor Names
Troubleshooting Error Messages
LDAP Translation Rules
Custom LDAP Translation Processing
Reference
Basic HTML Syntax
Standard HTML Styles
Smarty Template Syntax
Basic Template Syntax
Text Substitution
Template File Inclusion
Comments
Variable Assignment
Conditional Text Blocks
Script Blocks
Repeated Text Blocks
Foreach Text Blocks
Modifiers
Predefined Template Functions
dump
nwa_commandlink
nwa_iconlink
nwa_icontext
nwa_quotejs
nwa_radius_query
Advanced Developer Reference
nwa_assign
nwa_bling
nwa_makeid
nwa_nav
nwa_plugin
nwa_privilege
nwa_replace
nwa_text
nwa_userpref
nwa_youtube
Date/Time Format Syntax
nwadateformat Modifier
nwatimeformat Modifier
Date/Time Format String Reference
Programmer’s Reference
NwaAlnumPassword
NwaBoolFormat
NwaByteFormat
NwaByteFormatBase10
NwaComplexPassword
NwaCsvCache
NwaDigitsPassword($len)
NwaDynamicLoad
NwaGeneratePictureString
NwaGenerateRandomPasswordMix
NwaLettersDigitsPassword
NwaLettersPassword
NwaMoneyFormat
NwaParseCsv
NwaParseXml
NwaPasswordByComplexity
NwaSmsIsValidPhoneNumber
NwaStrongPassword
NwaVLookup
NwaWordsPassword
Field, Form, and View Reference
GuestManager Standard Fields
Hotspot Standard Fields
SMS Services Standard Fields
SMTP Services Standard Fields
Format Picture String Symbols
Form Field Validation Functions
Form Field Conversion Functions
Form Field Display Formatting Functions
View Display Expression Technical Reference
LDAP Standard Attributes for User Class
Regular Expressions
Chromebook in Onboard
About Chromebook in Onboard
Caveats and Recommendations
Google Admin Chromebook License is Required
Managed Chromebook Deployment is Required
Chrome Extension is Required
Chromebook Release 37 or Later is Required
Chromebook Supports Only “Created by Device” Certificates
A Separate Provisioning SSID is Required
Directory-Based Authentication Source is Recommended
Onboard Configuration for Chromebook
Google Admin Configuration for Chromebook
Configuring the Chrome extension
Configuring Network Settings
Glossary
Index
Chapter 1

About this Guide

Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access.

Audience

This User Guide is intended for system administrators and people who are installing and configuring Dell Networking W-ClearPass Guest as their visitor management solution. It describes the installation and configuration process.

Conventions

The following conventions are used throughout this guide to emphasize important concepts:
Table 1: Typographical Conventions
Type Style: Description
Italics: This style is used to emphasize important terms and to mark the titles of books.
System items: This fixed-width font depicts the following:
• Sample screen output
• System prompts
• Filenames, software devices, and specific commands when mentioned in the text
Commands: In the command examples, this bold font depicts text that you must type exactly as shown.
<Arguments>: In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:
# send <text message>
In this example, you would type “send” at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.
[Optional]: Command examples enclosed in brackets are optional. Do not type the brackets.
{Item A | Item B}: In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.
The following informational icons are used throughout this guide:
Indicates helpful suggestions, pertinent information, and important things to remember.
Indicates a risk of damage to your hardware or loss of data.
Indicates a risk of personal injury or death.

Contacting Support

Web Site Support
Main Website: dell.com
Support Website: dell.com/support
Documentation Website: dell.com/support/manuals
Chapter 2

W-ClearPass Guest Overview

This chapter explains the terms, concepts, processes, and equipment involved in managing visitor access to a network, and helps you understand how Dell Networking W-ClearPass Guest can be successfully integrated into your network infrastructure. It is intended for network architects, IT administrators, and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.
This chapter includes the following sections:
• "About Dell Networking W-ClearPass Guest" on page 19
• "Visitor Access Scenarios" on page 20
• "Reference Network Diagram" on page 21
• "Key Interactions" on page 22
• "AAA Framework" on page 23
• "Key Features" on page 24
• "Visitor Management Terminology" on page 25
• "W-ClearPass Guest Deployment Process" on page 26
• "AirGroup Deployment Process" on page 28
• "Documentation and User Assistance" on page 29
• "Use of Cookies" on page 30

About Dell Networking W-ClearPass Guest

Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. It gives your non-technical staff controlled access to a dedicated visitor management user database. Through a customizable Web portal, your staff can easily create an account, reset a password, or set an expiry time for visitors. Access permissions to W-ClearPass Guest functions are controlled through an operator profile that can be integrated with an LDAP server or Active Directory login.
Visitors can be registered at reception and provisioned with an individual guest account that defines their visitor profile and the duration of their visit. The visitor can be given a printed customized receipt with account details, or the receipt can be delivered wirelessly using the integrated SMS services. Companies are also able to pre-generate custom scratch cards, each with a defined network access time, which can then be handed out in a corporate environment or sold in public access scenarios.
You can use the customization features to define settings that allow your visitors to self-provision their own guest accounts. Visitors register through a branded and customized Web portal, ensuring a streamlined and professional experience. Surveys can also be presented during the self-registration process and the data stored for later analysis and reporting, providing additional insight into your visitors and their network usage.
W-ClearPass Guest integrates with all leading wireless and NAC solutions through a flexible definition point, W-ClearPass Policy Manager. This ensures that IT administrators have a standard integration with the network security framework, but gives operational staff the user interface they require.

Visitor Access Scenarios

The following figure shows a high-level representation of a typical visitor access scenario.
Figure 1 Visitor access using W-ClearPass Guest
In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because access to the network is restricted, visitors must first obtain a username and password. A guest account may be provisioned by a corporate operator such as a receptionist, who can then give the visitor a print receipt that shows their username and password for the network.
When visitors use self-registration, as might be the case for a network offering public access, the process is broadly similar but does not require a corporate operator to create the guest account. The username and password for a self-provisioned guest account may be delivered directly to the visitor’s Web browser, or sent via SMS or email.

Reference Network Diagram

The following figure shows the network connections and protocols used by W-ClearPass Guest.
Figure 2 Reference network diagram for visitor access
The network administrator, operators, and visitors may use different network interfaces to access the visitor management features. The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points.

Key Interactions

The following figure shows the key interactions between W-ClearPass Guest and the people and other components involved in providing guest access.
Figure 3 Interactions involved in guest access
W-ClearPass Guest is part of your network’s core infrastructure and manages guest access to the network.
NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS protocol to ask W-ClearPass Policy Manager to authenticate the username and password provided by a guest logging in to the network. If authentication is successful, the guest is then authorized to access the network.
Roles are assigned to a guest as part of the context W-ClearPass Policy Manager uses to apply its policies. RADIUS attributes that define a role’s access permissions are contained within Policy Manager’s Enforcement Profile. Additional features such as role mapping for W-ClearPass Guest can be performed in W-ClearPass Policy Manager.
The network usage of authorized guests is monitored by the NAS and reported in summary form to W-ClearPass Policy Manager using RADIUS accounting, which allows administrators to generate network reports in W-ClearPass Insight.

AAA Framework

W-ClearPass Guest is built on the industry standard AAA framework, which consists of authentication, authorization, and accounting components.
The following figure shows how the different components of this framework are employed in a guest access scenario.
Figure 4 Sequence diagram for network access using AAA
In the standard AAA framework, network access is provided to a user according to the following process:
• The user connects to the network by associating with a local access point [1].
• A landing page is displayed to the user [2] which allows them to log in to the NAS [3], [4] using the login name and password of their guest account.
• The NAS authenticates the user with the RADIUS protocol [5].
• W-ClearPass Policy Manager determines whether the user is authorized, and, if so, returns vendor-specific attributes [6] that are used to configure the NAS based on the user’s role and other policies [7].
• If the user’s access is granted, the NAS permits the guest access to the network based on the settings provided by the W-ClearPass Policy Manager server.
• The NAS reports details about the user’s session to the W-ClearPass Policy Manager server using RADIUS accounting messages [8].
• After the user’s session times out [9], the NAS will return the user to an unauthorized state and finalize the details of the user’s session with an accounting update [10].
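
The NAS side of steps [5] to [7], as an added example (not taken from this guide or from the product's code): before a NAS applies the session timeout and vendor-specific attributes from an Access-Accept, it checks the RADIUS Response Authenticator defined in RFC 2865, which ties the reply to the request and to the shared secret. The shared secret, packet identifier, and the sample packet's role value are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2            # RADIUS packet code (RFC 2865)
ATTR_VENDOR_SPECIFIC = 26    # carries the vendor-specific attributes of step [6]
ATTR_SESSION_TIMEOUT = 27    # seconds until the session times out, step [9]


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_tlvs(data):
    """Split type/length/value records, rejecting lengths that overrun the buffer."""
    items, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("attribute length out of bounds")
        items.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return items


def handle_access_accept(packet, request_id, request_auth, secret):
    """Validate a reply and return the settings the NAS would apply in step [7]."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]                 # octets past Length are padding
    if ident != request_id:
        raise ValueError("identifier does not match the pending request")
    attrs_raw = packet[20:]
    expected = response_authenticator(code, ident, attrs_raw, request_auth, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch")
    if code != ACCESS_ACCEPT:
        raise ValueError("reply is not an Access-Accept")

    result = {"session_timeout": None, "vendor_attrs": []}
    for a_type, value in parse_tlvs(attrs_raw):
        if a_type == ATTR_SESSION_TIMEOUT:
            if len(value) != 4:
                raise ValueError("Session-Timeout must be 4 octets")
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif a_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            # Sub-attributes use the type/length/value layout RFC 2865 recommends.
            for v_type, v_value in parse_tlvs(value[4:]):
                result["vendor_attrs"].append((vendor_id, v_type, v_value))
    return result


def build_sample_accept(ident, request_auth, secret):
    """Constructed Access-Accept: 3600 s timeout plus one vendor attribute."""
    role = b"guest"                          # constructed sample value
    # 14823 is the IANA enterprise number registered to Aruba Networks;
    # vendor type 1 is used here only as sample data.
    vsa_body = struct.pack("!IBB", 14823, 1, 2 + len(role)) + role
    vsa = bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa_body)]) + vsa_body
    timeout = bytes([ATTR_SESSION_TIMEOUT, 6]) + struct.pack("!I", 3600)
    attrs = timeout + vsa
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"    # constructed, not a real secret
    request_auth = bytes(range(16))          # constructed Request Authenticator
    packet = build_sample_accept(7, request_auth, secret)
    print(handle_access_accept(packet, 7, request_auth, secret))
```

A reply that fails the authenticator check is dropped without its attributes being read, so a forged or altered Access-Accept cannot assign a role or extend a session.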

Key Features

Refer to the table below for a list of key features and a cross-reference to the relevant section of this User Guide.
Table 2: List of Key Features
Feature: Reference
Visitor Access
Web server providing content delivery for guests: "Managing Content: Private Files and Public Files" on page 189
Guest self-registration: "Customizing Guest Self-Registration" on page 235
Visitor Management
Create and manage visitor accounts, individually or in groups: "Using Standard Guest Management Features" on page 38
Manage active RADIUS sessions using RFC 3576 dynamic authorization support: "Active Sessions Management" on page 33
Import and export visitor accounts: "Importing Guest Accounts" on page 52
Create guest self-registration forms: "Creating a Self-Registration Page" on page 241
Configure a self-service portal for guests: "Self-Service Portal Properties" on page 257
Local printer, SMS or email delivery of account receipts: "Editing Guest Receipt Page Properties" on page 248
Visitor Account Features
Independent activation time, expiration time, and maximum usage time: "Business Logic for Account Creation" on page 198
Define unlimited custom fields: "Customizing Fields" on page 206
Username up to 64 characters: "GuestManager Standard Fields" on page 504
Customization Features
Create new fields and forms for visitor management: "Customizing Forms and Views" on page 212
Use built-in data validation to implement visitor survey forms: "Form Validation Properties" on page 227
Create print templates for visitor account receipts: "Editing Guest Receipt Page Properties" on page 248
Administrative Management Features
Operators defined and authenticated locally: "Local Operator Authentication" on page 464
Operators authenticated via LDAP: "External Operator Authentication" on page 465
Role based access control for operators: "Operator Profiles" on page 458
Plugin-based application features, automatically updated by W-ClearPass Policy Manager: "Plugin Manager" on page 444
User Interface Features
Context-sensitive help with searchable online documentation: "Documentation and User Assistance" on page 29

Visitor Management Terminology

The following table describes the common terms used in W-ClearPass Guest and this guide.
Table 3: Common Terms
Term: Explanation
Accounting: Process of recording summary information about network access by users and devices.
Authentication: Verification of a user’s credentials; typically a username and password.
Authorization: Controls the type of access that an authenticated user is permitted to have.
Captive Portal: Implemented by a Network Access Server to restrict network access to authorized users only.
Field: In a user interface or database, a single item of information about a user account.
Form: In a user interface, a collection of editable fields displayed to an operator.
Network Access Server: Device that provides network access to users, such as a wireless access point, network switch, or dial-in terminal server. When a user connects to the NAS device, a RADIUS access request is generated by the NAS.
Operator Profile: Characteristics assigned to a class of operators, such as the permissions granted to those operators.
Operator/Operator Login: User of W-ClearPass Guest to create guest accounts or perform system configuration.
Print Template: Formatted template used to generate guest account receipts.
Role: Type of access being granted to visitors. You can define multiple roles. Such roles could include employee, guest, team member, or press.
Page 26
Term | Explanation
Sponsor | Operator
User Database | Database listing the guest accounts in W-ClearPass Guest.
View | In a user interface, a table displaying data, such as visitor account information, to operators.
Visitor/Guest | Someone who is permitted to access the Internet through your Network Access Server.
Visitor Account | Settings for a visitor stored in the user database, including username, password and other fields.
Web Login/NAS Login | Login page displayed to a guest user.

W-ClearPass Guest Deployment Process

As part of your preparations for deploying a visitor management solution, you should consider the following areas:
• Management decisions about security policy
• Decisions about the day-to-day operation of visitor management
• Technical decisions related to network provisioning

Operational Concerns

When deploying a visitor management solution, you should consider these operational concerns:
• Who is going to be responsible for managing guest accounts? What privileges will the guest account manager have? Will this person only create guest accounts or will this person also be permitted access to reports?
• Do you want guests to be able to self-provision their own network access? What settings should be applied to self-provisioned visitor accounts?
• How will operator logins be provisioned? Should operators be authenticated against an LDAP server?
• Who will manage reporting of guest access? What are the reports of interest? Are any custom reports needed?

Network Provisioning

W-ClearPass Guest requires provisioning the following:
• Physical location – rack space, power and cooling requirements; or deployment using virtualization
• Network connectivity – VLAN selection, IP address, and hostname
• Security infrastructure – SSL certificate
Page 27

Site Preparation Checklist

The following is a checklist of the items that should be considered when setting up W-ClearPass Guest.
Table 4: Site Preparation Checklist
✓ | Policy Decision
Security Policy
  Segregated guest accounts?
  Type of network access?
  Time of day access?
  Bandwidth allocation to guests?
  Prioritization of traffic?
  Different guest roles?
  IP address ranges for operators?
  Enforce access via HTTPS?
Operational Concerns
  Who will manage guest accounts?
  Guest account self provisioning?
  What privileges will the guest managers have?
  Who will be responsible for printing reports?
Network Management Policy
  Password format for guest accounts?
  Shared secret format?
  Operator provisioning?
Network Provisioning
  Physical location?
  Network connectivity?
  Security infrastructure?

Security Policy Considerations

To ensure that your network remains secure, decisions have to be made regarding guest access:
• Do you wish to segregate guest access? Do you want a different VLAN, or different physical network infrastructure to be used by your guests?
Page 28
• What resources are you going to make available to guests (for example, type of network access; permitted times of day; bandwidth allocation)?
• Will guest access be separated into different roles? If so, what roles are needed?
• How will you prioritize traffic on the network to differentiate quality of service for guest accounts and non-guest accounts?
• What will be the password format for guest accounts? Will you be changing this format on a regular basis?
• What requirements will you place on the shared secret between the NAS and the RADIUS server, to ensure network security is not compromised?
• What IP address ranges will operators be using to access the server?
• Should HTTPS be required in order to access the visitor management server?

AirGroup Deployment Process

AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. You use W-ClearPass Guest to define AirGroup administrators and operators. AirGroup administrators can then use W-ClearPass Guest to register and manage an organization’s shared devices and configure access according to username, role, location, or time. AirGroup operators (end users) can use W-ClearPass Guest to register their personal devices and define the group who can share them.
Table 5 summarizes the steps for configuring AirGroup functionality in W-ClearPass Guest. Details for these steps are provided in the relevant sections of this Guide. This table does not include the configuration steps performed in W-ClearPass Policy Manager or the W-Series controller. For complete AirGroup deployment information, refer to the AirGroup sections in the Dell Networking W-Series ArubaOS User Guide and the W-ClearPass Policy Manager documentation.
Table 5: Summary of AirGroup Configuration Steps in W-ClearPass Guest
Step | Section in this Guide
Create AirGroup administrators | "Creating a New Operator" on page 464
Create AirGroup operators |
Configure an operator’s device limit | "Configuring AirGroup Operator Device Limit" on page 464
Configure an AirGroup controller | "AirGroup Controllers" on page 358
Enable support for dynamic notifications | "Configuring AirGroup Services" on page 361
To authenticate AirGroup users via LDAP: define the LDAP server; define appropriate translation rules | "External Operator Authentication" on page 465; "LDAP Translation Rules" on page 472
AirGroup administrator: Register devices or groups of devices | "AirGroup Device Registration" on page 66
AirGroup operator: Register personal devices |
(Optional) Configure device registration form with drop-down lists for existing locations and roles | "Customizing AirGroup Registration Forms" on page 209
Set up time-based sharing | "About AirGroup Time-Based Sharing" on page 75
Page 29

Documentation and User Assistance

This section describes the variety of user assistance available for W-ClearPass Guest.

User Guide and Online Help

This User Guide provides complete information for all W-ClearPass Guest features. The following quick links may be useful in getting started.
Table 6: Quick Links
For information about... | Refer to...
What visitor management is and how it works | "About Dell Networking W-ClearPass Guest" on page 19
Using the guest management features | "Using Standard Guest Management Features" on page 38
Role-based access control for operators | "Operator Profiles" on page 458
Setting up LDAP authentication for operators | "External Operator Authentication" on page 465
Guest self-provisioning features | "Self Provisioned Guest Access" on page 32
Dynamic authorization extensions | "RFC 3576 Dynamic Authorization" on page 35
SMS receipts for guest accounts | "SMS Services" on page 296
Email receipts for guest accounts | "Email Receipts and SMTP Services" on page 284
Network administration of the appliance | "Administration" on page 357

Context-Sensitive Help

For more detailed information about the area of the application you are using, click the context-sensitive Help link displayed at the top right of the page. This opens a new browser tab showing the relevant section of this User Guide.
The User Guide may be searched using the Search box in the top right corner.
Type in keywords related to your search and click the Search button to display a list of matches. The most relevant matches will be displayed first. Words may be excluded from the search by typing a minus sign directly before the word to exclude (for example, -exclude). Exact phrase matches may also be searched for by enclosing the phrase in double quotes (for example, “word phrase”).

Field Help

The W-ClearPass Guest user interface has field help built into every form. The field help provides a short summary of the purpose of the field at the point you need it most. In many cases this is sufficient to use the application without further assistance or training.
Page 30

Quick Help

In list views, click the Quick Help tab located at the top left of the list to display additional information about the list you are viewing and the actions that are available within the list.
On some forms and views, the Quick Help icon may also be used to provide additional detail about a field.

If You Need More Assistance

If you encounter a problem using W-ClearPass Guest, your first step should be to consult the appropriate section in this User Guide.
If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you with the answer or obtain a solution to your problem.
If you still need information, you can refer to the Contact Support command available under Support
Services in the user interface, or see "Contacting Support" on page 18.

Use of Cookies

Cookies are small text files that are placed on a user’s computer by Web sites the user visits. They are widely used in order to make Web sites work, or work more efficiently, as well as to provide information to the owners of a site. Session cookies are temporary cookies that last only for the duration of one user session.
When a user registers or logs in via a Dell captive portal, Dell uses session cookies solely to remember between clicks who a guest or operator is. Dell uses this information in a way that does not identify any user-specific information, and does not make any attempt to find out the identities of those using its W-Series ClearPass products. Dell does not associate any data gathered by the cookie with any personally identifiable information (PII) from any source. Dell uses session cookies only during the user’s active session and does not store any permanent cookies on a user’s computer. Session cookies are deleted when the user closes his/her Web browser.
Page 31
Chapter 3

W-ClearPass Guest Manager

The ability to easily create and manage guest accounts is the primary function of Dell Networking W-ClearPass Guest. The Guest Manager module provides complete control over the user account creation process.
Guest Manager features for managing guest accounts let you:
• View and manage active sessions
• Create single or multiple guest accounts and receipts
• Create new MAC devices
• Bulk edit accounts
• Export a list of accounts
• Import new accounts from a text file
• View guest accounts and edit individual or multiple guest accounts
• View MAC devices and edit individual or multiple devices
Many features can also be customized. For information on customizing Guest Manager settings, forms and views, guest self-registration, and print templates, see "Configuration" on page 187.

Accessing Guest Manager

To access Dell Networking W-ClearPass Guest’s guest management features, click the Guest link in the left navigation.
Page 32

About Guest Management Processes

There are two major ways to manage guest access – either by your operators provisioning guest accounts, or by the guests self-provisioning their own accounts. Both of these processes are described in this chapter.

Sponsored Guest Access

The following figure shows the process of sponsored guest access.
Figure 5 Sponsored guest access with guest created by operator
The operator creates the guest accounts and generates a receipt for the account.
The guest logs on to the Network Access Server (NAS) using the credentials provided on her receipt. The NAS authenticates and authorizes the guest’s login in W-ClearPass Guest. After authorization, the guest is able to access the network.

Self Provisioned Guest Access

Self-provisioned access is similar to sponsored guest access, but there is no need for an operator to create the account or to print the receipt. The following figure shows the process of self-provisioned guest access.
Page 33
Figure 6 Guest access when guest is self-provisioned
The guest logs on to the Network Access Server (NAS), which captures the guest and redirects them to a captive portal login page. From the login page, guests without an account can browse to the guest self-registration page, where the guest creates a new account. At the conclusion of the registration process, the guest is automatically redirected to the NAS to log in.
The guest can print or download a receipt, or have the receipt information delivered by SMS or email.
The NAS performs authentication and authorization for the guest in W-ClearPass Guest. After authorization, the guest is able to access the network.
See "Customizing Guest Self-Registration" on page 235 for details on creating and managing self-registration pages.

Active Sessions Management

The RADIUS server maintains a list of active visitor sessions. If your NAS equipment has RFC 3576 support, the RADIUS dynamic authorization extensions allow you to disconnect or modify an active session.
To view and manage active sessions for the RADIUS server, go to Guest > Active Sessions. The Active Sessions list opens. You can use this list to modify, disconnect or reauthorize, or send SMS notifications for active visitor sessions; manage multiple sessions; or customize the list to include additional fields.
• To view details for an active session, click the session’s row in the list, then click its Show Details link. The form expands to include the Session Details view.
Page 34
• If the NAS equipment has RFC 3576 support, you can disconnect or dynamically reauthorize active sessions. See "RFC 3576 Dynamic Authorization" on page 35 for more information.
  ▪ To disconnect an active session, click the session’s row in the list, then click its Disconnect link. A message is displayed to show that the disconnect is in progress and acknowledge when it is complete.
  ▪ To reauthorize a session that was disconnected, click the session’s row in the list, then click its Reauthorize link. The Reauthorize Session form opens. Click Reauthorize Session. A message is displayed to show that the disconnect is in progress and acknowledge when it is complete.
  ▪ To disconnect multiple sessions, click the Manage Multiple tab. The form expands to include the Manage Multiple Sessions form. For more information, see "Disconnecting Multiple Active Sessions" on page 37.
• To view and work with the guest accounts associated with a session, click the session’s row in the list, then click its List Accounts link. The Guest Manager Accounts view opens. See "Managing Single Guest Accounts" on page 55 for more information.
• To display only sessions that meet certain criteria, click the Filter tab. For more information, see "Filtering the List of Active Sessions" on page 36.
• To send SMS notifications to visitors, click the SMS tab. For more information, see "Sending Multiple SMS Alerts" on page 37.
Page 35
• To include additional fields in the Active Sessions list, or delete fields from it, click the More Options tab. The Customize View Fields page opens. For more information, see "Editing Forms" on page 214.
• You can use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.

Session States

A session may be in one of three possible states:
• Active: An active session is one for which the RADIUS server has received an accounting start message and has not received a stop message, which indicates that service is being provided by a NAS on behalf of an authorized client.
While a session is in progress, the NAS sends interim accounting update messages to the RADIUS server. This maintains up-to-date traffic statistics and keeps the session active. The frequency of the accounting update messages is configurable in the RADIUS server.
• Stale: If an accounting stop message is never sent for a session (for example, if the visitor does not log out), that session will remain open. After 24 hours without an accounting update indicating session traffic, the session is considered ‘stale’ and is not counted towards the active sessions limit for a visitor account. To ensure that accounting statistics are correct, you should check the list for stale sessions and close them.
• Closed: A session ends when the visitor logs out or if the session is disconnected. When a session is explicitly ended in either of these ways, the NAS sends an accounting stop message to the RADIUS server. This closes the session. No further accounting updates are possible for a closed session.
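The three states above can be derived from the accounting messages alone. The following is an added example, not code from W-ClearPass Guest: it classifies sessions from a constructed list of accounting events, using the 24-hour threshold given above. The function names and the event tuple layout are assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

STALE_AFTER = timedelta(hours=24)  # "24 hours without an accounting update"

# Constructed sample: (time received, session id, username, Acct-Status-Type)
NOW = datetime(2014, 9, 3, 12, 0)
SAMPLE_EVENTS = [
    (datetime(2014, 9, 3, 9, 0), "s1", "alice", "Start"),
    (datetime(2014, 9, 3, 11, 30), "s1", "alice", "Interim-Update"),
    (datetime(2014, 9, 1, 8, 0), "s2", "bob", "Start"),
    (datetime(2014, 9, 1, 10, 0), "s2", "bob", "Interim-Update"),  # then silence
    (datetime(2014, 9, 2, 14, 0), "s3", "alice", "Start"),
    (datetime(2014, 9, 2, 15, 0), "s3", "alice", "Stop"),
    (datetime(2014, 9, 2, 15, 5), "s3", "alice", "Interim-Update"),  # late, ignored
    (datetime(2014, 9, 3, 11, 0), "s4", "bob", "Start"),
]


def classify_sessions(events, now):
    """Return {session_id: 'active' | 'stale' | 'closed'}."""
    last_update = {}  # session id -> time of the latest Start/Interim-Update
    closed = set()
    for ts, sid, _user, status in sorted(events):
        if status == "Stop":
            closed.add(sid)
        elif sid not in closed:
            # No further accounting updates are accepted for a closed session.
            last_update[sid] = ts
    states = {sid: "closed" for sid in closed}
    for sid, ts in last_update.items():
        if sid not in closed:
            states[sid] = "stale" if now - ts >= STALE_AFTER else "active"
    return states


def sessions_counted_toward_limit(events, now):
    """Per-username count of sessions that count toward the active sessions limit."""
    states = classify_sessions(events, now)
    owner = {sid: user for _ts, sid, user, _status in events}
    return Counter(owner[sid] for sid, state in states.items() if state == "active")


def stale_session_ids(events, now):
    """Sessions an operator should review and close to keep accounting correct."""
    states = classify_sessions(events, now)
    return sorted(sid for sid, state in states.items() if state == "stale")


if __name__ == "__main__":
    for sid, state in sorted(classify_sessions(SAMPLE_EVENTS, NOW).items()):
        print(sid, state)
    print("review and close:", stale_session_ids(SAMPLE_EVENTS, NOW))
```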

RFC 3576 Dynamic Authorization

Dynamic authorization describes the ability to make changes to a visitor account’s session while it is in progress. This includes disconnecting a session, or updating some aspect of the authorization for the session.
The Active Sessions page provides two dynamic authorization capabilities that apply to currently active sessions:
• Disconnect causes a Disconnect-Request message to be sent to the NAS for an active session, requesting that the NAS terminate the session immediately. The NAS should respond with a Disconnect-ACK message if the session was terminated or Disconnect-NAK if the session was not terminated.
• Reauthorize causes a Disconnect-Request message to be sent to the NAS for an active session. This message will contain a Service-Type attribute with the value ‘Authorize Only’. The NAS should respond with a Disconnect-NAK message, and should then reauthorize the session by sending an Access-Request message to the RADIUS server. The RADIUS server’s response will contain the current authorization details for the visitor account, which will then update the corresponding properties in the NAS session.
If the NAS does not support RFC 3576, attempts to perform dynamic authorization will time out and result in a ‘No response from NAS’ error message.
Refer to RFC 3576 for more details about dynamic authorization extensions to the RADIUS protocol.
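The exchange described above, as an added example (not code from W-ClearPass Guest). It builds both sides' packets offline with a constructed shared secret and shows that the secret shared between the NAS and the RADIUS server is what authenticates a Disconnect-Request and its reply. The packet codes, attribute numbers and the Error-Cause value are taken from RFCs 2865, 2866 and 3576 rather than from this guide; the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute numbers from RFC 3576 / RFC 2865 / RFC 2866.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, SERVICE_TYPE, ACCT_SESSION_ID, ERROR_CAUSE = 1, 6, 44, 101
AUTHORIZE_ONLY = 17        # Service-Type value "Authorize Only"
REQUEST_INITIATED = 507    # Error-Cause sent with the NAK to a reauthorize

SECRET = b"constructed-shared-secret"  # sample value, not a real secret


def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data):
    """Decode attributes into {type: value}; reject truncated or bad lengths."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out


def build_disconnect_request(identifier, secret, username, session_id,
                             authorize_only=False):
    """RADIUS server side: 'Disconnect', or 'Reauthorize' if authorize_only."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(ACCT_SESSION_ID, session_id.encode()))
    if authorize_only:
        attrs += attr(SERVICE_TYPE, struct.pack("!I", AUTHORIZE_ONLY))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(code, id, length, 16 zero octets, attrs, secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(request, secret):
    """NAS side: accept the request only if it was built with the shared secret."""
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def build_response(code, request, secret, attrs=b""):
    """NAS side: Disconnect-ACK or Disconnect-NAK bound to the request."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def check_response(response, request, secret):
    """RADIUS server side: authenticate the reply and report the outcome."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        raise ValueError("reply does not match the request")
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator")
    if code == DISCONNECT_ACK:
        return "terminated"
    if code != DISCONNECT_NAK:
        raise ValueError("unexpected packet code")
    sent, got = parse_attrs(request[20:]), parse_attrs(response[20:])
    reauth = sent.get(SERVICE_TYPE) == struct.pack("!I", AUTHORIZE_ONLY)
    if reauth and got.get(ERROR_CAUSE) == struct.pack("!I", REQUEST_INITIATED):
        return "reauthorizing"  # the NAS will now send an Access-Request
    return "not terminated"


if __name__ == "__main__":
    req = build_disconnect_request(7, SECRET, "guest@example.com", "SESS-0001")
    print("NAS accepts request:", verify_request(req, SECRET))
    print("NAS with another secret:", verify_request(req, b"some-other-secret"))
    ack = build_response(DISCONNECT_ACK, req, SECRET)
    print("outcome:", check_response(ack, req, SECRET))
```

A request or reply computed with a different secret fails verification, which is why the shared secret format appears in the site preparation checklist.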
Page 36

Filtering the List of Active Sessions

On the Guest >Active Sessions list, you can use the Filter tab to narrow the search parameters and quickly find all matching sessions:
Enter a username or IP address in the Filter field. Additional fields can be included in the search if the “Include values when performing a quick search” option was selected for the field within the view. To control this
option, use the Choose Columns command link on the More Options tab.
You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:
Table 7: Operators supported in filters
Operator | Meaning
= | is equal to
!= | is not equal to
> | is greater than
>= | is greater than or equal to
< | is less than
<= | is less than or equal to
~ | matches the regular expression
!~ | does not match the regular expression
Additional Information: You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ).
For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".
To restore the default view, click the Clear Filter link.
Click the Apply Filter button to save your changes and update the view, or click the Reset button to remove the filter and return to the default view.
Page 37

Disconnecting Multiple Active Sessions

To disconnect multiple sessions, click the Manage Multiple tab. The Manage Multiple Sessions form opens.
• To close all active sessions, leave the Start Time and End Time fields empty and click Make Changes. All active sessions are closed and are removed from the Active Sessions list.
You can specify sessions in a time range.
1. To close all sessions that started after a particular time, click the button in the Start Time row. The calendar picker opens. Use the calendar to specify the year, month, and day, and click the numbers in the Time fields to increment the hours and minutes. All sessions that started after the specified date and time will be disconnected.
2. To close all sessions that started before a particular time, click the button in the End Time row. The calendar picker opens. Use the calendar to specify the year, month, and day, and click the numbers in the Time fields to increment the hours and minutes. All sessions that started before the specified date and time will be disconnected.
3. Click Make Changes. The specified sessions are closed and are removed from the Active Sessions list.

Sending Multiple SMS Alerts

The SMS tab on the Active Sessions page lets you send an SMS alert message to all active sessions that have a valid phone number. An SMS alert during an active session can be used to send a group of visitors information you might want them to have immediately, for example, a special offer that will only be available for an hour, a change in a meeting’s schedule or location, or a public safety announcement.
To create an SMS message:
1. Click the SMS tab on the Active Sessions page. The Send SMS Notification form opens.
2. Use the filter to specify the group of addresses that should receive the message. See "Filtering the List of
Active Sessions" on page 36. Only accounts with valid phone numbers can be sent SMS alerts.
3. Enter the message in the Message text box. Messages may contain up to 160 characters.
Page 38
4. Click Send.

About SMS Guest Account Receipts

You can send SMS receipts for guest accounts that are created using either sponsored guest access or self-provisioned guest access. This is convenient in situations where the visitor may not be physically present to receive a printed receipt.
Dell Networking W-ClearPass Guest may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand.
To manually send an SMS receipt:
1. Go to Guest > Manage Accounts and click to expand the row of the guest to whom you want to send a receipt.
2. Click Print to display the Updated Account Details view, and then click the Send SMS receipt link. The SMS Receipt form opens. Use the fields on this form to enter the service to use, the recipient’s mobile phone number, and the message text.
When using guest self-registration, SMS Delivery options are available for the receipt page actions; see "Editing Receipt Actions" on page 248 for full details. For more information on SMS services, see "SMS Services" on page 296.

Using Standard Guest Management Features

This section describes:
• "Creating a Guest Account" on page 39
• "Creating a Guest Account Receipt" on page 41
• "Creating a Device" on page 41
• "Creating Multiple Guest Accounts" on page 45
• "Creating Multiple Guest Account Receipts" on page 47
• "Creating a Single Password for Multiple Accounts" on page 48
Page 39
• "Exporting Guest Account Information" on page 50
• "Importing Guest Accounts" on page 52
• "Managing Single Guest Accounts" on page 55
• "Managing Devices" on page 59
• "Managing Multiple Guest Accounts" on page 64
To customize guest self-registration, please see Configuration on page 187.

Creating a Guest Account

To create a new account, go to Guest > Create Account, or click the Create New Guest Account command link on the Guest Manager page. The Create New Guest Account form opens.
The Create New Guest Account form (create_user) can be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about the customization process. The default settings for this form are described below.
Page 40
Table 8: The Create New Guest Account Form
Field | Description
Guest's Name | (Required) Name of the guest user for this account.
Company Name | (Required) Name of the organization the guest user belongs to.
Email Address | (Required) The guest user's email address. This email address will be the guest's username.
Account Activation | You can select an activation time from this drop-down list. The guest's account cannot be used before the activation time. Options include: Now; Disable account; Tomorrow; Next Monday; 1 hour from now; 1 day from now; 1 week from now; Activate at specified time...
Activation Time | If you selected "Activate at specified time", use the calendar picker in this field to specify the date and time. If no selection is made, the account will be enabled immediately.
Account Expiration | You can select an expiration time from this drop-down list. The guest's account cannot be used after the expiration time. Options include: Account will not expire; Now; Tonight; Friday night; 1 hour from now; 1 day from now; 1 week from now; 30 days from now; 90 days from now; 180 days from now; 1 year from now; Account expires after...; Account expires at specified time...
Expires After | If you selected "Account expires after", use this drop-down list to specify a length of time. Options include several intervals of hours, days, or weeks.
Expiration Time | If you selected "Account expires at specified time", use the calendar picker in this field to specify the date and time. If no selection is made, the account will not expire.
Account Role | (Required) Specify the type of account the guest should have. Options include: Contractor; Employee; Guest
Password | A random password is created for each visitor account. This is displayed on this form, but will also be available on the guest account receipt.
Page 41
Field | Description
Notes | You may enter notes about this guest account.
Terms of Use | (Required) You must select the check box in this field in order to create the account.
Create | When your entries on the form are complete, click this button to create the guest's account.

Creating a Guest Account Receipt

After you click the Create button on the Create New Guest Account form, the details for that account are displayed.
To print a receipt for the guest, select an appropriate template from the Open print window using template… list. A new Web browser window opens and the browser’s Print dialog box is displayed.
Click the Send SMS receipt link to send a guest account receipt via text message. Use the SMS Receipt form to enter the mobile telephone number to which the receipt should be sent.
Sending SMS receipts requires the SMS Services plugin. If the administrator has enabled automatic SMS, and the visitor’s phone number was typed into the Create New Guest Account form, an SMS message will be sent automatically. A message is displayed on the account receipt page after an SMS message has been sent.
Click the Send email receipt link to send an email copy of the guest account receipt. Use the Email Receipt form to enter the email address to which the receipt should be sent. You can also specify the subject line for the email message. If the administrator has enabled automatic email for guest account receipts, and the visitor’s email address was typed into the Create New Guest Account form, an email receipt will be sent automatically. A message is displayed on the account receipt page after an email has been sent.

Creating a Device

Device accounts may be created in three ways:
• Manually in W-ClearPass Guest using the Create New Device form
• During guest self-registration by a MAC parameter passed in the redirect URL, if the process is configured to create a MAC device account
• During guest self-registration by a MAC parameter passed in the redirect URL, creating a parallel account paired with the visitor account
Page 42
Creating Devices Manually in W-ClearPass Guest
If you have the MAC address, you can create a new device manually. To create a new device, go to Guest > Create Device, or go to Guest > Manage Devices and click the Create link.
The Create New Device form opens.
Table 9: New Device
Field | Description
MAC Address | (Required) Enter the device's MAC address. If you need to modify the configuration for expected separator format or case, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication Plugin.
Device Name | (Required) Enter the name for the device.
AirGroup | Enables AirGroup for the device. Configuration options are added to the form.
Ownership | Specifies whether device ownership should be personal or shared. Personal devices are automatically shared with the owner's other devices.
Shared With | Usernames of people who can share this device. Enter usernames as a comma-separated list. To make the device available to all users, leave this field blank. Each username may not exceed 64 characters. A maximum of 100 usernames may be entered. The maximum character limit for the list is 1000 characters (including comma separators).
Page 43
Field | Description
Shared Locations | Locations where the device can be shared. When you type a location name in the Shared Locations field and press the Enter key, the location appears as a "tag" and is created in the system when the form is saved. Each location name may not exceed 64 characters. A maximum of 100 location names may be entered. The maximum character limit for the list is 1000 characters (including comma separators).
Shared Roles | User roles that can share this device. When you type a role name in the Shared Roles field and press the Enter key, the role appears as a "tag" and is created in the system when the form is saved. Each role name may not exceed 64 characters. A maximum of 100 role names may be entered. The maximum character limit for the list is 1000 characters (including comma separators).
Shared Groups | User groups that can share this device. These will be available in the Shared Groups field for users to choose from when they share a device. When you type a name for the group in the Group Names field and press the Enter key, the group appears as a "tag" and is created in the system when the form is saved. Each group name may not exceed 64 characters. A maximum of 32 group names may be entered. The maximum character limit for the list is 320 characters (including comma separators). This feature requires AOS 6.4 or later.
Time Sharing | Time-based sharing rules for this device. For more information, see "About AirGroup Time-Based Sharing" on page 75.
Syntax | Opens the help topic "AirGroup Time-Based Sharing Syntax Examples" on page 71
Account Activation | Options include: Activate the account immediately, at a preset interval of hours or days, at a specified time, or leave the account disabled. If you choose Activate at a specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
Account Expiration | Options include: Never expire, expire at a preset interval of hours or days, or expire at a specified time. If you choose any time in the future, the Expire Action row is added to the form. Indicate the expiration action for the account: either delete, delete and log out, disable, or disable and log out. The action will be applied at the time set in the Account Expiration row. If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks. The maximum is two weeks. If you choose Account Expires at a specified time, the Expiration Time row is added to the form. In the calendar picker, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
Account Role | Assigns the visitor’s role.
Terms of Use | Click the terms of use link and read the agreement, then mark the check box to agree to the terms.
Create Device | Commits your changes and creates the device. The Account Details and print options are displayed. For more information, see "Printing Device Details" on page 64.
Creating Devices During Self-Registration - MAC Only
This section describes how to configure a guest self-registration so that it creates a MAC device account. After the guest is registered, future authentication can take place without the need for the guest to enter their credentials. A registration can be converted to create a MAC device instead of standard guest credentials.
This requires a vendor to pass a MAC parameter in the redirect URL. W-ClearPass Guest does not support querying the controller or DHCP servers for the client's MAC based on IP.
To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row, click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth in the list, click the Customize fields link above the list. Click the Edit link in the field’s row. In the Define Custom Field form, edit the registration form fields:
• Add or enable mac
  ▪ UI: Hidden field
  ▪ Field Required: checked
  ▪ Validator: IsValidMacAddress
• Add or enable mac_auth
  ▪ UI: Hidden field
• Any other expiration options, role choice, surveys, and so on can be entered as usual.
Figure 7 Modify fields
• Edit the receipt form fields:
  ▪ Edit username to be a Hidden field
  ▪ Edit password to be a Hidden field
• Adjust any headers or footers as needed.
When the visitor registers, they should still be able to log in via the Log In button. The MAC will be passed as their username and password via standard captive portal means.
The account will only be visible on the List Devices page.
If the guest logs out and reconnects, they should be immediately logged in without being redirected to the captive portal page.
Creating Devices During Self-Registration - Paired Accounts
Paired accounts are a means to create a standard visitor account with credentials while having a MAC account created in parallel that is directly tied to the visitor account. These accounts share the same role, expiration, and other properties.
This requires a vendor to pass a mac parameter in the redirect URL. W-ClearPass Guest does not support querying the controller or DHCP servers for the client's MAC based on IP.
To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row, click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth_pair in the list, click the Customize fields link above the list. Click the Edit link in the field’s row. In the Define Custom Field form, edit the registration form fields:
• Add or enable mac
  ▪ UI: Hidden field
  ▪ Field Required: optional
  ▪ Validator: IsValidMacAddress
• Add or enable mac_auth_pair
  ▪ UI: Hidden field
  ▪ Initial Value: -1
• Any other expiration options, role choice, surveys, and so on can be entered as usual.
You will see an entry under both List Accounts and List Devices. Each should have a View Pair action that cross-links the two.
If you delete the base account, all of its pairings will also be deleted. If RFC-3576 has been configured, all pairs will be logged out.

Creating Multiple Guest Accounts

The Create Multiple Guest Accounts form is used to create a group of visitor accounts.
To create multiple accounts, go to Guest > Create Multiple, or click the Create Multiple Guest Accounts command link on the Guest Manager > Start Here page. The Create Multiple Guest Accounts form opens.
The Create Multiple Guest Accounts form (create_multi) can be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about the customization process. The default settings for this form are described below.
Table 10: The Create New Guest Account Form
Field Description
Number of Accounts (Required) Enter the number of accounts to create.
Account Activation You can select an activation time from this drop-down list. The guests' accounts cannot be used before the activation time. Options include:
• Now
• Disable account
• Tomorrow
• Next Monday
• 1 hour from now
• 1 day from now
• 1 week from now
• Activate at specified time...
Activation Time If you selected "Activate at specified time", use the calendar picker in this field to specify the date and time. If no selection is made, the account will be enabled immediately.
Account Expiration You can select an expiration time from this drop-down list. The guests' accounts cannot be used after the expiration time. Options include:
• Account will not expire
• Now
• Tonight
• Friday night
• 1 hour from now
• 1 day from now
• 1 week from now
• 30 days from now
• 90 days from now
• 180 days from now
• 1 year from now
• Account expires after...
• Account expires at specified time...
Expires After If you selected "Account expires after", use this drop-down list to specify a length of time. Options include several intervals of hours, days, or weeks.
Expiration Time If you selected "Account expires at specified time", use the calendar picker in this field to specify the date and time. If no selection is made, the account will not expire.
Expire Action (Required) Specify the behavior of the expiration. Options include:
• Delete and log out at specified time
• Delete at specified time
• Disable and log out at specified time
• Disable at specified time
Be aware that a logout can only occur if the NAS is RFC-3576 compliant.
Account Role (Required) Specify the type of account the guest should have. Options include:
• Contractor
• Employee
• Guest
Notes You may enter notes about this guest account.
Terms of Use (Required) You must select the check box in this field in order to create the account.
Create Accounts When your entries on the form are complete, click this button to create the guests' accounts.
A random username and password will be created for each visitor account. These are not displayed on this form, but will be available on the guest account receipt. The default password length is six characters.

Creating Multiple Guest Account Receipts

After a group of guest accounts has been created, the details for the accounts are displayed.
To print the receipts, select an appropriate template from the Open print window using template… drop-down list. A new browser window opens with the Print dialog displayed.
To download a copy of the receipt information in CSV format, click the Save list for scratch cards (CSV file) link. You will be prompted to either open or save the spreadsheet (CSV) file. The fields available in the CSV file are:
• Number – The sequential number of the visitor account, starting at one.
• Username – The username for the visitor account.
• Password – The password for the visitor account. The default password length is six characters.
• Role – The visitor account’s role.
• Activation Time – The date and time at which the account will be activated, or N/A if there is no activation time.
• Expiration Time – The date and time at which the account will expire, or N/A if there is no activation time.
• Lifetime – The account lifetime in minutes, or N/A if the account does not have a lifetime specified.
• Successful – “Yes” if the account was created successfully, or “No” if there was an error creating the account.

Creating a Single Password for Multiple Accounts

You can create multiple accounts that have the same password. In order to do this, you first customize the Create Multiple Guest Accounts form to include the Password field.
To include the Password field on the Create Multiple Guest Accounts form:
1. Go to Configuration > Forms & Views. Click the create_multi row, then click its Edit Fields link. The Customize Form Fields view opens, showing a list of the fields included in the Create Multiple Guest Accounts form and their descriptions.
At this point, the Password field is not listed because the Create Multiple Guest Accounts form (create_multi) has not yet been customized to include it. You will create it for the form in the next step.
2. Click on any field in the list to expand a row, then click the Insert After link (you can modify this placement later). The Customize Form Field form opens.
3. In the Field Name row, choose password from the drop-down list. The form displays configuration options for this field.
4. In the Field row, mark the Enable this field check box.
5. To adjust the placement of the password field on the Create Multiple Guest Accounts form, you may change the number in the Rank field.
6. In the User Interface row, choose Password text field from the drop-down list. The Field Required check box should now be automatically marked, and the Validator field should be set to IsNonEmpty.
7. Click Save Changes. The Customize Form Fields view opens again, and the password field is now included and can be edited.
To create multiple accounts that all use the same password:
1. Go to Guest > Create Multiple. The Create Guest Accounts form opens, and includes the Visitor Password field.
2. In the Number of Accounts field, enter the number of accounts you wish to create.
3. In the Visitor Password field, enter the password that is to be used by all the accounts. The minimum password length is six characters.
4. Complete the other fields with the appropriate information, then click Create Accounts. The Finished Creating Guest Accounts view opens. The password and other account details are displayed for each account.

Exporting Guest Account Information

Guest account information may be exported to a file in one of several different formats.
To export a file with the current list of guest accounts, go to Guest > Export Accounts, or go to Guest > Start Here and click the Export Guest Accounts command link. The Export Accounts page opens with three options displayed. Click the appropriate command link to save a list of all guest accounts in comma-separated values (CSV), tab-separated values (TSV), or XML format.
The Export Accounts view (guest_export) may be customized by adding new fields, or by modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about this customization process.
About CSV and TSV Exports
In CSV and TSV format, the following default fields are included in the export:
• Number – Sequential number of the guest account in the exported data
• User ID – Numeric user ID of the guest account
• Username – Username for the guest account
• Role – Role for the guest account
• Activation – Date and time at which the guest account will be activated, or “N/A” if there is no activation time
• Expiration – Date and time at which the guest account will expire, or “N/A” if there is no expiration time
• Lifetime – The guest account’s lifetime in minutes after login, or 0 if the account lifetime is not set
• Expire Action – Number specifying the action to take when the guest account expires (0 through 4)
About XML Exports
The default XML format consists of a <GuestUsers> element containing a <GuestUser> element for each exported guest account. The numeric ID of the guest account is provided as the “id” attribute of the <GuestUser> element. This format is compatible with the W-ClearPass Policy Manager XML format for guest users.
The values for both standard and custom fields for guest accounts are exported as the contents of an XML tag, where the tag has the same name as the guest account field.
An example XML export is given below:
<?xml version="1.0" encoding="UTF-8" standalone="true"?>
<MyContents xmlns="http://www.example.com/myapiDefs/1.0">
  <MyHeader version="6.0" exportTime="Sun, 16 Dec 2012 16:36:03 PST"/>
  <GuestUsers>
    <GuestUser guestType="USER" enabled="true" sponsorName="55480025"
        expiryTime="2012-12-04 13:39:25" startTime="1969-12-31 16:00:00" password="08654361" name="55480025">
      <GuestUserTags tagValue="Hotspot Services self-provisioned guest account
Source IP: 10.11.10.254 MAC: unknown Plan: Free Access x 1 Transaction
Amount: $0.00 Invoice Number: P-15 Transaction ID: " tagName="notes"/>
      <GuestUserTags tagValue="2" tagName="[Role ID]"/>
      <GuestUserTags tagValue="1" tagName="do_expire"/>
      <GuestUserTags tagValue="1" tagName="simultaneous_use"/>
      <GuestUserTags tagValue="ff" tagName="Company Name"/>
      <GuestUserTags tagValue="2012-12-04 12:39:14" tagName="Create Time"/>
      <GuestUserTags tagValue="fff@df" tagName="Email"/>
      <GuestUserTags tagValue="ff" tagName="first_name"/>
      <GuestUserTags tagValue="plan0" tagName="hotspot_plan_id"/>
      <GuestUserTags tagValue="Free Access" tagName="hotspot_plan_name"/>
      <GuestUserTags tagValue="ff" tagName="last_name"/>
      <GuestUserTags tagValue="ff ff" tagName="Visitor Name"/>
      <GuestUserTags tagValue="ff" tagName="zip"/>
    </GuestUser>
  </GuestUsers>
</MyContents>
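The XML export carries each account's password as a cleartext attribute, so a copy that leaves the administrator's workstation (a ticket, an audit request) should be stripped first. The following is an added example, not W-ClearPass code: it summarises a constructed export in the structure shown above and produces a redacted copy. The sample values, the list of tags treated as sensitive, and the empty expiryTime used for a non-expiring account are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "http://www.example.com/myapiDefs/1.0"   # namespace shown in the guide's sample
ET.register_namespace("", NS)                 # keep it as the default namespace on output

# Constructed export in the structure of the guide's example; all values are made up.
SAMPLE = """<MyContents xmlns="http://www.example.com/myapiDefs/1.0">
  <MyHeader version="6.0" exportTime="Sun, 16 Dec 2012 16:36:03 PST"/>
  <GuestUsers>
    <GuestUser guestType="USER" enabled="true" sponsorName="admin"
               expiryTime="2012-12-04 13:39:25" startTime="1969-12-31 16:00:00"
               password="08654361" name="55480025">
      <GuestUserTags tagValue="2" tagName="[Role ID]"/>
      <GuestUserTags tagValue="1" tagName="do_expire"/>
      <GuestUserTags tagValue="visitor@example.com" tagName="Email"/>
    </GuestUser>
    <GuestUser guestType="USER" enabled="false" sponsorName="admin"
               expiryTime="" startTime="2012-12-01 09:00:00"
               password="hunter22" name="contractor7">
      <GuestUserTags tagValue="1" tagName="[Role ID]"/>
      <GuestUserTags tagValue="0" tagName="do_expire"/>
    </GuestUser>
  </GuestUsers>
</MyContents>
"""


def _q(tag):
    """Qualify a tag name with the export's namespace."""
    return "{%s}%s" % (NS, tag)


def load(xml_text):
    """Parse an export, refusing documents that declare a DTD or entities."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("export should not carry a DTD; refusing to parse")
    return ET.fromstring(xml_text)


def summarize(xml_text):
    """One dict per <GuestUser>: who, whether enabled, expiry, role, password present."""
    rows = []
    for user in load(xml_text).iter(_q("GuestUser")):
        tags = {t.get("tagName"): t.get("tagValue")
                for t in user.findall(_q("GuestUserTags"))}
        rows.append({
            "name": user.get("name"),
            "enabled": user.get("enabled") == "true",
            "expiry": user.get("expiryTime") or None,
            "role_id": tags.get("[Role ID]"),
            "cleartext_password": bool(user.get("password")),
        })
    return rows


def redact(xml_text, sensitive_tags=("Email", "notes")):
    """Return the export with password attributes removed and sensitive tag values masked."""
    root = load(xml_text)
    for user in root.iter(_q("GuestUser")):
        user.attrib.pop("password", None)
        for tag in user.findall(_q("GuestUserTags")):
            if tag.get("tagName") in sensitive_tags:
                tag.set("tagValue", "[REDACTED]")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
    print(redact(SAMPLE))
```

The redacted copy is for sharing and review only; it is not meant to be imported back, since the accounts in it no longer carry credentials.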

Importing Guest Accounts

Guest accounts may be created from an existing list by uploading the list to W-ClearPass Guest.
To import a file with the current list of guest accounts, go to Guest > Import Accounts, or go to Guest > Start Here and click the Import Guest Accounts command link. The Import Accounts page opens with the first part of the form displayed, Upload User List.
The Upload User List form provides you with different options for importing guest account data.
To complete the form, you must either specify a file containing account information, or type or paste in the account information to the Accounts Text area.
Select the Show additional import options check box to display the following advanced import options:
• Character Set: W-ClearPass Guest uses the UTF-8 character set encoding internally to store visitor account information. If your accounts file is not encoded in UTF-8, the import may fail or produce unexpected results if non-ASCII characters are used. To avoid this, you should specify what character set encoding you are using.
• Import format: The format of the accounts file is automatically detected. You may specify a different encoding type if automatic detection is not suitable for your data. The Import Format drop-down list includes the following options:
  ▪ Automatically detect format (This default option recognizes guest accounts exported from W-ClearPass Policy Manager in XML format)
  ▪ XML
  ▪ Comma separated values
  ▪ Tab separated values
  ▪ Pipe ( | ) separated values
  ▪ Colon ( : ) separated values
  ▪ Semicolon ( ; ) separated values
• Select the Force first row as header row check box if your data contains a header row that specifies the field names. This option is only required if the header row is not automatically detected.
Click Next Step to upload the account data.
In step 2 of 3, W-ClearPass Guest determines the format of the uploaded account data and matches the appropriate fields to the data. The first few records in the data are displayed, together with any automatically detected field names.
In this example, the following data was used:
username,visitor_name,password,expire_time
demo005,Demo five,secret005,2011-06-10 09:00
demo006,Demo six,secret006,2011-06-11 10:00
demo007,Demo seven,secret007,2011-06-12 11:00
demo008,Demo eight,secret008,2011-06-13 12:00
demo009,Demo nine,secret009,2011-06-13 12:00
demo010,Demo ten,secret010,2011-06-13 12:00
demo011,Demo eleven,secret011,2011-06-13 12:00
Because this data includes a header row that contains field names, the corresponding fields were automatically detected in the data:
Use the Match Fields form to identify which guest account fields are present in the imported data. You can also specify the values to be used for fields that are not present in the data.
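A pre-upload check for an accounts file laid out like the sample data above, added here as an example and not part of W-ClearPass Guest. It confirms the file is UTF-8, works out which of the listed separators is in use (a colon-separated file breaks as soon as a field holds a time such as 09:00), and reports weak or reused passwords and missing or past expiration times. The findings are local policy checks chosen for this example, with the six-character threshold taken from the figure this guide gives; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the layout of the guide's example (header row, then accounts).
SAMPLE = b"""username,visitor_name,password,expire_time
demo005,Demo five,secret005,2011-06-10 09:00
demo006,Demo six,abc12,2011-06-11 10:00
demo007,Demo seven,secret005,2011-06-12 11:00
demo008,Demo eight,demo008,
demo009,Demo nine,Xk4!pq9Z,not-a-date
"""

# Separators offered in the Import Format list; colon is tried last because
# timestamps contain colons.
DELIMITERS = [",", "\t", "|", ";", ":"]
MIN_PASSWORD_LEN = 6              # six-character figure quoted in the guide
TIME_FORMAT = "%Y-%m-%d %H:%M"    # layout of expire_time in the guide's sample


def detect_delimiter(text):
    """Pick the separator that splits every non-empty line into the same number (>1) of columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for delim in DELIMITERS:
        widths = {len(row) for row in csv.reader(lines, delimiter=delim)}
        if len(widths) == 1 and widths.pop() > 1:
            return delim
    raise ValueError("no consistent separator found; set the import format by hand")


def check_accounts(raw, now):
    """Return (delimiter, findings); each finding is (line_number, username, problem)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("file is not UTF-8; choose its character set on import") from exc
    delim = detect_delimiter(text)
    reader = csv.DictReader(io.StringIO(text), delimiter=delim)
    findings, seen = [], {}
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header row
        user = (row.get("username") or "").strip()
        pw = row.get("password") or ""
        if len(pw) < MIN_PASSWORD_LEN:
            findings.append((line_no, user, "password shorter than six characters"))
        if user and pw.lower() == user.lower():
            findings.append((line_no, user, "password equals username"))
        if pw in seen:
            findings.append((line_no, user, "password reused from " + seen[pw]))
        else:
            seen[pw] = user
        expiry = (row.get("expire_time") or "").strip()
        if not expiry:
            findings.append((line_no, user, "no expiration time"))
            continue
        try:
            when = datetime.strptime(expiry, TIME_FORMAT)
        except ValueError:
            findings.append((line_no, user, "unparseable expire_time"))
            continue
        if when <= now:
            findings.append((line_no, user, "expire_time already in the past"))
    return delim, findings


if __name__ == "__main__":
    delimiter, problems = check_accounts(SAMPLE, datetime(2011, 6, 11, 0, 0))
    print("separator:", repr(delimiter))
    for line_no, user, problem in problems:
        print("line %d (%s): %s" % (line_no, user, problem))
```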
To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column name to use the values from that column when importing guest accounts, or select one of the other available options to use a fixed value for each imported guest account.
Click the Next Step button to preview the final result. Import Step 3 of 3, the Import Accounts form, opens and shows a preview of the import operation. The values of each guest account field are determined, and any conflicts with existing user accounts are shown.
The icon displayed for each user account indicates if it is a new entry ( ) or if an existing user account will be updated ( ).
By default, this form shows ten entries per page. To view additional entries, click the arrow button at the bottom of the form to display the next page, or click the 10 rows per page drop-down list at the bottom of the form and select the number of entries that should appear on each page.
Click the check box by the account entries you want to create, or click one of the following options to select the desired accounts:
• Click the This Page link to select all entries on the current page.
• Click the All link to select all entries on all pages.
• Click the None link to deselect all entries.
• Click the New link to select all new entries.
• Click the Existing link to select all existing user accounts in the list.
Click the Create Accounts button to finish the import process. The selected items will be created or updated. You can then print new guest account receipts or download a list of the guest accounts. See "Creating Multiple Guest Account Receipts" on page 47 in this chapter for more information.

Managing Single Guest Accounts

Use the Manage Guest Accounts list view to work with individual guest accounts. To open the Manage Guest Accounts list, go to Guest > Manage Accounts.
The Manage Guest Accounts list view opens. This view (guest_users) may be customized by adding new fields or modifying or removing the existing fields. See "Customizing Fields" on page 206 for details about this customization process. The default settings for this view are described below.
The Username, Role, State, Activation, and Expiration columns display information about the visitor accounts that have been created:
• The value in the Expiration column is colored red if the account will expire within the next 24 hours. The expiration time is additionally highlighted in boldface if the account will expire within the next hour.
• In addition, icons in the Username column indicate the account’s activation status:
  ▪ —Visitor account is active
  ▪ —Visitor account was created but is not activated yet
  ▪ —Visitor account was disabled by Administrator
  ▪ —Visitor account has expired
  ▪ —Visitor account was deleted
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:
Table 11: Operators supported in filters
Operator Meaning Additional Information
= is equal to You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ).
!= is not equal to
> is greater than
>= is greater than or equal to
< is less than
<= is less than or equal to
~ matches the regular expression
!~ does not match the regular expression
For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".
To restore the default view, click the Clear Filter link.
Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.
When the list contains numerous user accounts, consider using the Filter field to speed up finding a specific user account.
Use the Create tab to create new visitor accounts using the Create New Guest Account form. See "Creating a Guest Account" on page 39 for details about this form.
Use the More Options tab for additional functions, including import and export of guest accounts and the ability to customize the view.
Click a user account’s row to select it. You can then select from one of these actions:
• Reset password – Changes the password for a guest account. A new randomly generated password is displayed on the Reset Password form. The default password length is six characters.
  Click Update Account to reset the guest account’s password. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
• Change expiration – Changes the expiration time for a guest account.
  This form (change_expiration) can be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Forms and Views" on page 212 for details about this customization process.
  Select an option from the drop-down list to change the expiration time of the guest account.
  Click Update Account to set the new expiration time for the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
• Remove – Disables or deletes a guest account.
  Select the appropriate Action radio button, and click Make Changes to disable or delete the account.
  If you wish to have automatic disconnect messages sent when the enabled value changes, you can specify this in the Configuration module. See "Configuring W-ClearPass Guest Authentication" on page 188.
• Activate – Re-enables a disabled guest account, or specifies an activation time for the guest account.
  Select an option from the drop-down list to change the activation time of the guest account. To re-enable an account that has been disabled, choose Now. Click Enable Account to set the new activation time for the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
• Edit – Changes the properties of a guest account.
  This form can be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Forms and Views" on page 212 for details about this customization process.
  Click Update Account to update the properties of the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
• Sessions – Displays the active sessions for a guest account. See "Active Sessions Management" on page 33 in this chapter for details about managing active sessions.
• Print – Displays the guest account’s receipt and the delivery options for the receipt. For security reasons, the guest’s password is not displayed on this receipt. To recover a forgotten or lost guest account password, use the Reset password link.
• Show Details—The row expands to display all the properties of the guest's account in a table, including endpoint details. This option is only available to users whose operator profile includes the Show Details privilege.

Managing Devices

To view the list of current MAC devices, go to Guest > Manage Devices.
The Guest Manager Devices page opens.
All devices created by one of the methods described in the following section are listed. Options on the form let you change a device’s account expiration time; activate, remove, or edit the device; view active sessions or details for the device; or print details, receipts, confirmations, or other information.
The MAC Address, Device Name, Expiration, Sponsor, and Sharing columns display information about the device accounts that have been created:
• The value in the Expiration column is colored red if the device account will expire within the next 24 hours. The expiration time is additionally highlighted in boldface if the device account will expire within the next hour.
• In addition, icons in the MAC Address column indicate the device account’s activation status:
  ▪ —Device account is active
  ▪ —Device account was created but is not activated yet
  ▪ —Device account was disabled by Administrator
  ▪ —Device account has expired
  ▪ —Device account was deleted
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of any fields that are configured for search, and you can include the following operators:
Table 12: Operators supported in filters
Operator Meaning Additional Information
= is equal to You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ).
!= is not equal to
> is greater than
>= is greater than or equal to
< is less than
<= is less than or equal to
~ matches the regular expression
!~ does not match the regular expression
For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".
To restore the default view, click the Clear Filter link.
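The filter syntax used by both the Manage Guest Accounts and Manage Devices lists, worked through as an added example (not the product's implementation): comma-separated terms must all match, pipe-separated values in an = or != term are alternatives, and a bare word is a substring search. Numeric-then-string ordering for the comparison operators, Python's regular-expression dialect, searching only the username for bare words, and the sample accounts are assumptions of this sketch.

```python
import re

# field, operator (two-character operators listed first), value
TERM = re.compile(r"^(\w+)\s*(!=|>=|<=|!~|=|>|<|~)\s*(.*)$")

# Constructed accounts; role IDs follow the guide's example (2 = Guest, 3 = Employee).
ACCOUNTS = [
    {"username": "demo005", "role_id": "2", "custom_field": "Value", "expire_time": "2011-06-10 09:00"},
    {"username": "demo006", "role_id": "3", "custom_field": "Value", "expire_time": "2011-06-11 10:00"},
    {"username": "demo007", "role_id": "1", "custom_field": "Value", "expire_time": "2011-06-12 11:00"},
    {"username": "staff01", "role_id": "3", "custom_field": "Other", "expire_time": ""},
]


def parse_filter(expr):
    """Split a filter string into (field, op, values) terms."""
    terms = []
    for part in expr.split(","):
        part = part.strip()
        if not part:
            continue
        m = TERM.match(part)
        if m is None:
            # No operator: treat the text as a plain substring search.
            terms.append((None, "contains", [part]))
            continue
        field, op, value = m.groups()
        if op in ("=", "!="):
            # Only equality and inequality accept a pipe-separated list of values.
            values = [v.strip() for v in value.split("|")]
        else:
            values = [value.strip()]
        terms.append((field, op, values))
    return terms


def _comparable(a, b):
    """Compare as numbers when both sides are numeric, otherwise as strings."""
    try:
        return float(a), float(b)
    except (TypeError, ValueError):
        return str(a), str(b)


def term_matches(account, term, search_fields=("username",)):
    field, op, values = term
    if op == "contains":
        needle = values[0].lower()
        return any(needle in str(account.get(f, "")).lower() for f in search_fields)
    actual = str(account.get(field, ""))
    if op == "=":
        return actual in values
    if op == "!=":
        return actual not in values
    if op == "~":
        return re.search(values[0], actual) is not None
    if op == "!~":
        return re.search(values[0], actual) is None
    left, right = _comparable(actual, values[0])
    return {"<": left < right, "<=": left <= right,
            ">": left > right, ">=": left >= right}[op]


def apply_filter(accounts, expr):
    """Return the accounts for which every term of the filter matches."""
    terms = parse_filter(expr)
    return [a for a in accounts if all(term_matches(a, t) for t in terms)]


if __name__ == "__main__":
    for expr in ("role_id=2|3, custom_field=Value", "role_id!=2|3",
                 "expire_time>=2011-06-11 00:00", "username~^demo00[5-6]$"):
        print(expr, "->", [a["username"] for a in apply_filter(ACCOUNTS, expr)])
```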
Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.
To select a device, click the device you want to work with.
Changing a Device’s Expiration Date
To change a device’s expiration date, click the device’s row in the Guest Manager Devices list, then click its Change expiration link. The row expands to include the Change Expiration form.
1. In the Account Expiration row, choose one of the options in the drop-down list to set an expiration date:
• If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list.
• If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
2. If you choose any option other than “will not expire” or “now” in the Account Expiration field, the Expire Action row is added to the table. Use the drop-down list in this row to specify one of the following actions: delete, delete and log out, disable, or disable and log out.
3. Click Update Account to commit your changes.
Disabling and Deleting Devices
To remove a device’s account by disabling or deleting it, click the device’s row in the Guest Manager Devices list, then click its Remove link. The row expands to include the Remove Account form.
You may choose to either disable or delete the account. If you disable it, it remains in the device list and you may activate it again later. If you delete the account, it is removed from the list permanently.
Activating a Device
To activate a disabled device’s account, click the device’s row in the Guest Manager Devices list, then click its Activate link. The row expands to include the Enable Guest Account form.
1. In the Activate Account row, choose one of the options in the drop-down list to specify when to activate the account. You may choose an interval, or you may choose to specify a time.
2. If you choose Activate at specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
3. Click Enable Account to commit your changes.
Editing a Device
To edit a device’s account, click the device’s row in the Guest Manager Devices list, then click its Edit link. The row expands to include the Edit Device form. You can edit any of the device's properties.
Table 13: New Device
Field | Description
MAC Address | The device's MAC address.
Device Name | The name for the device.
 | If you need to modify the configuration for expected separator format or case, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication Plugin.
AirGroup | Enables AirGroup for the device. Configuration options are added to the form.
Ownership | Specifies whether device ownership should be personal or shared. Personal devices are automatically shared with the owner's other devices.
Shared With | Usernames of people who can share this device. Enter usernames as a comma-separated list. To make the device available to all users, leave this field blank. Each username may not exceed 64 characters. A maximum of 100 usernames may be entered. The maximum character limit for the list is 1000 characters (including comma separators).
Shared Locations | Locations where the device can be shared. When you type a location name in the Shared Locations field and press the Enter key, the location appears as a "tag" and is created in the system when the form is saved. Each location name may not exceed 64 characters. A maximum of 100 location names may be entered. The maximum character limit for the list is 1000 characters (including comma separators).
Shared Roles | User roles that can share this device. When you type a role name in the Shared Roles field and press the Enter key, the role appears as a "tag" and is created in the system when the form is saved. Each role name may not exceed 64 characters. A maximum of 100 role names may be entered. The maximum character limit for the list is 1000 characters (including comma separators).
Shared Groups | User groups that can share this device. These will be available in the Shared Groups field for users to choose from when they share a device. When you type a name for the group in the Group Names field and press the Enter key, the group appears as a "tag" and is created in the system when the form is saved. Each group name may not exceed 64 characters. A maximum of 32 group names may be entered. The maximum character limit for the list is 320 characters (including comma separators).
Time Sharing | Time-based sharing rules for this device. For more information, see "About AirGroup Time-Based Sharing" on page 75.
Syntax | Opens the help topic "AirGroup Time-Based Sharing Syntax Examples" on page 71.
Account Activation | Options include: Activate the account immediately, at a preset interval of hours or days, at a specified time, or leave the account disabled. If you choose Activate at a specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
Account Expiration | Options include: Never expire, expire at a preset interval of hours or days, or expire at a specified time.
 | • If you choose any time in the future, the Expire Action row is added to the form. Indicate the expiration action for the account—either delete, delete and log out, disable, or disable and log out. The action will be applied at the time set in the Account Expiration row.
 | • If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks. The maximum is two weeks.
 | • If you choose Account Expires at a specified time, the Expiration Time row is added to the form. In the calendar picker, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
Account Role | Assigns the visitor’s role.
Notes | Optional additional information.
Update Device | Commits your changes and updates the device. The Updated Device Details and print options are displayed.
Viewing Current Sessions for a Device
To view any sessions that are currently active for a device, click the Sessions link in the device’s row on the Guest Manager Devices form. The Active Sessions list opens. For more information, see "Active Sessions Management" on page 33.
Printing Device Details
To print details, receipts, confirmations, or other information for a device, click the device’s row in the Guest Manager Devices list, then click its Print link. The row expands to include the Account Details form and a drop-down list of information that can be printed for the device.
Choosing an option in the Open print window using template drop-down list opens a print preview window and the printer dialog. Options include account details, receipts in various formats, a session expiration alert, and a sponsorship confirmation notice.
Viewing Device Details
• Show Details—The row expands to display all the properties of the device's account in a table. This option is only available to users whose operator profile includes the Show Details privilege.

Managing Multiple Guest Accounts

Use the Bulk Edit Accounts list view to work with multiple guest accounts. To open the Bulk Edit Accounts list, go to Guest > Manage Multiple Accounts.
This view (guest_multi) may be customized by adding new fields or by modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about this customization process. The default settings for this view are described below.
The Username, Role, State, Activation, Expiration, and Lifetime columns display information about the visitor accounts that have been created:
• The value in the Expiration column is colored red if the visitor account will expire within the next 24 hours. The expiration time is additionally highlighted in boldface if the visitor account will expire within the next hour.
• In addition, icons in the Username column indicate the account’s activation status:
  ◦ [icon]—Visitor account is active
  ◦ [icon]—Visitor account was created but is not activated yet
  ◦ [icon]—Visitor account was disabled by Administrator
  ◦ [icon]—Visitor account has expired
You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:
Table 14: Operators supported in filters
Operator | Meaning
= | is equal to
!= | is not equal to
> | is greater than
>= | is greater than or equal to
< | is less than
<= | is less than or equal to
~ | matches the regular expression
!~ | does not match the regular expression
Additional information for = and !=: You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ).
For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".
To restore the default view, click the Clear Filter link.
Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.
To select guest accounts, click the accounts you want to work with. You may click either the check box or the row to select a visitor account. To select or unselect all visible visitor accounts, click the check box in the header row of the table.
Use the selection row at the top of the table to work with the current set of selected accounts. The number of currently selected accounts is shown. When a filter is in effect, the “All Matching” link can be used to add all pages of the filtered result to the selection.
Use the Create tab to create new visitor accounts using the Create Multiple Guest Accounts form. See "Managing Multiple Guest Accounts" on page 64 in this chapter for details about this form.
Use the Delete tab to delete the visitor accounts that you have selected. This option is not active if there are no visitor accounts selected.
Use the Edit tab to make changes to multiple visitor accounts at once. This option is not active if there are no visitor accounts selected.
The Edit Guest Accounts form may be customized by adding new fields, or modifying or removing the existing fields. See "Customizing Guest Self-Registration" on page 235 for details about this customization process. This is the guest_multi_form form.
The Results tab will be automatically selected after you have made changes to one or more guest accounts. You can create new guest account receipts or download the updated guest account information. See "Creating Multiple Guest Account Receipts" on page 47 in this chapter for more information.
The More Options tab includes the Choose Columns command link. You can click this link to open the Configuration module’s Customize View Fields form, which may be used to customize the Edit Guest Accounts view.

AirGroup Device Registration

AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. If AirGroup Services is enabled, AirGroup administrators can provision their organization’s shared devices and manage access, and AirGroup operators can register and provision a limited number of their own personal devices for sharing. For complete AirGroup deployment information, refer to the AirGroup sections in the Dell Networking W-Series ArubaOS User Guide and the W-ClearPass Policy Manager documentation.

Registering Groups of Devices or Services

This functionality is only available to AirGroup administrators.
To register and manage an organization’s shared devices and configure device access, log in as the AirGroup administrator and go to Guest > Create Device. The Register Shared Device form opens.
1. In the Device Name field, enter the name used to identify the device.
2. In the Device Type field, use the drop-down list to select the device type.
3. In the MAC Address field, enter the device’s MAC address.
4. In the Shared Locations field, enter the locations where the device can be shared. To allow the device to be shared with all locations, leave this field blank.
Each location name may not exceed 64 characters. A maximum of 100 location names may be entered. The maximum character limit for the list is 1000 characters (including comma separators).
Each location is entered as a tag=value pair describing the MAC address of the access point (AP) closest to the registered device. Use commas to separate the tag=value pairs in the list. Tag=value pair formats are shown in the following table:
Table 15: Tag=Value Pair Formats
AP Type | Tag=Value Format
Name-based AP | ap-name=<name>
Group-based AP | ap-group=<group>
FQLN-based AP | fqln=<fqln>
• AP FQLNs should be configured in the format <ap name>.<floor>.<building>.<campus>
• Floor names should be in the format floor <number>
• The <ap-name> should not include periods ( . )
Example:
AP105-1.Floor 1.TowerD.Mycompany
5. In the Shared With field, enter the usernames of your organization’s staff or students who are allowed to use the device. Use commas to separate usernames in the list.
Each username may not exceed 64 characters. A maximum of 100 usernames may be entered. The maximum character limit for the list is 1000 characters (including comma separators).
• If the Shared With field is left blank, this device can be accessed by all devices.
• If users are entered in the Shared With field, the device can only be accessed by the specified users.
6. In the Shared Roles field, enter the user roles that are allowed to use the device. Use commas to separate the roles in the list.
Each role name may not exceed 64 characters. A maximum of 100 role names may be entered. The maximum character limit for the list is 1000 characters (including comma separators).
• To make the device available to all roles, leave this field blank.
• If roles are entered in the Shared Roles field, the device can only be accessed by users with matching roles.
7. Click Register Shared Device. The Finished Creating Guest Account page opens. This page displays Account Details and provides printer options.
To view and edit your organization’s shared AirGroup devices:
1. Go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The AirGroup Devices page opens. This page lists all the shared AirGroup devices for the organization. You can remove a device; edit a device’s name, MAC address, shared locations, shared-user list, or shared roles; print device details; or add a new device.
2. To work with a device, click the device’s row in the list. The form expands to include the Remove, Edit, and Print options.
3. To edit properties of a shared device, click the Edit link for the device. The row expands to include the Edit Shared Device form. You can modify the device’s name, MAC address, shared locations, group of users, and shared roles.
4. When your edits are complete, click Save Changes.

Registering Personal Devices

This functionality is available to AirGroup operators.
To register your personal devices and define a group who can share them:
1. Log in as the AirGroup operator and go to Guest > Create Device. The Register Device form opens.
2. In the Your Name field, enter your username for your organization.
3. In the Device Name field, enter the name used to identify the device.
4. In the Device Type drop-down list, select the device type.
5. In the MAC Address field, enter the device’s MAC address.
6. In the Shared With field, enter the usernames of your friends or colleagues who are allowed to use the device. Use commas to separate usernames in the list. You may enter up to ten usernames.
• If the Shared With field is left blank, this device can only be accessed by devices registered by the same operator or with a dot1x username that matches the operator’s name.
• If users are entered in the Shared With field, the device can be accessed by the device owner and by the specified users.
7. Click Register Device. The Finished Creating Guest Account page opens. This page displays Account Details and provides printer options.
To view and edit your personal AirGroup devices, go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The List Device page lets you remove a device; edit a device’s name, MAC address, or shared-user list; print device details; or add a new device.
To view and edit your personal AirGroup devices:
1. Go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The AirGroup Devices page opens. This page lists all your personal AirGroup devices. You can remove a device; edit a device’s name, MAC address, or shared-user list; print device details; or add a new device.
2. To work with a device, click the device’s row in the list. The form expands to include the Remove, Edit, and Print options.
3. To edit properties of a device, click the Edit link for the device. The row expands to include the Edit Device form. You can modify the device’s name, MAC address, and group of users.
4. When your edits are complete, click Save Changes.

AirGroup Time-Based Sharing Syntax Examples

This section provides examples and discussions of syntax for time-based sharing policies for AirGroup shared devices.
For information on using time-based sharing for AirGroup, see "About AirGroup Time-Based Sharing" on page 75. For supplemental time-based syntax information, see "Time-Based Syntax Reference" on page 73.
Example:
periodic Monday 9am to 10am shared users A, B
The device is shared with users A and B, from 9am to 10am every Monday (relative to the server's current time zone). Outside of this time slot, the device is not shared (except as otherwise controlled by AOS).
Example:
periodic Monday 9:00 to 10:30 shared users A, B
periodic Monday 12:00 to 13:30 shared users A, B
periodic Monday 15:00 to 16:30 shared users C, D
The device is shared with users A and B, from 9am to 10:30am and from noon to 1:30pm every Monday (relative to the server's current time zone). From 3pm to 4:30pm, the device is shared with users C and D.
Outside of these two time slots, the device is not shared.
With periodic, times may be specified either in 24-hour format (hh:mm, from 0:00 to 24:00), or in 12-hour format (hh:mm and am or pm).
Don't specify overlapping time ranges with periodic rules; this can lead to unexpected results.
The synonyms rep, repeat or repeating may also be used in place of period or periodic. All of these terms are treated identically.
Example:
default allow
periodic mon 9am to 10am shared users A, B
As in the first example, the device is shared with users A and B, from 9am to 10am every Monday. Outside of this time slot, the device is shared as specified by the other sharing state fields (shared users, locations, roles and/or groups). This is the meaning of the default allow statement.
If default allow is not specified, the normal behavior is default deny, which is the same as in the first example. Note that with default deny in effect, the AirGroup time sharing policy will override any other sharing rules that are specified, for as long as the time sharing policy is in effect.
Two and three-character shortened forms of weekdays are acceptable (e.g. "Mon" or "Mo" can be used for Monday, "Tue" or "Tu" for Tuesday, etc.) Case is not significant in the time sharing policy, so "Mon", "MON", and "mon" are all equivalent ways to specify "Monday".
Example:
default deny
not after 01-Feb-2014
periodic mon 9am to 10am shared users A, B
The device is shared with users A and B, from 9am to 10am every Monday. The not after date sets the end of the time sharing policy. Monday, January 27, 2014 is the last day that this time sharing policy will take effect.
After 10am on this date, the time sharing policy is no longer in effect; any other sharing rules that have been specified will then take effect.
Example:
default deny
not before 1/1/14
not after 01-Feb-2014
periodic mon 9am to 10am shared users A, B
The device is shared with users A and B, from 9am to 10am every Monday. The not before date sets the beginning of the time sharing policy. In this case, Monday, January 6, 2014 is the first day that this time sharing policy will take effect.
Prior to 9am 6 January 2014, the device is not shared (due to the default deny).
After 10am on 27 January 2014, the time sharing policy is no longer in effect; any other sharing rules that have been specified will then take effect.
Example:
time zone America/Los_Angeles
periodic Monday 9am to 10am shared users A, B
The device is shared with users A and B, from 9am to 10am every Monday (relative to the U.S. Pacific time zone). Daylight savings time rules are observed; the time period 9am to 10am is always relative to that time zone.
Example:
periodic mon tue wed thu fri 9am to 10am shared users A, B
The device is shared with users A and B, from 9am to 10am every weekday (Monday, Tuesday, Wednesday, Thursday and Friday).
Example:
periodic weekdays 9am to 10am shared users A, B
weekday or weekdays can be used as a synonym for "Monday Tuesday Wednesday Thursday Friday". Similarly, weekend or weekends can be used as a synonym for "Saturday Sunday".
Example:
on Sep 16 9:00 to 13:00 shared location AP-Name=1341-ap01 shared group ABC shared role SomeRole shared user user02, user03, "user04", 'user05'
The device is shared with a single access point named 1341-ap01, a single group named ABC, a single role named SomeRole, and 4 users named user02, user03, user04, and user05.
Note the quotes are not considered to be part of the user names user04 and user05. (In this case, the quotes are redundant as there is no space or comma that requires quoting.)
No time zone is specified, so the date and time are determined relative to the server's time zone.
No year is specified, so the server's current year is used. In particular, after September 16 of any year, this rule will have no effect until the following year.
Example:
default allow
periodic 0:00 to 24:00 shared roles default_role
periodic mon 9am to 5pm shared roles other_role
The device is normally shared ("default allow") with a single role named default_role ("periodic 0:00 to 24:00 shared roles default_role").
On Monday from 9am to 5pm, the device is shared with a different role named other_role.
Note that even though the time ranges overlap, the sharing policies are completely distinct; on Mondays from 9am to 5pm, the role default_role will NOT have access to the device, because a different sharing rule is in effect. (The rule could instead have been written "periodic mon 9am to 5pm shared roles default_role, other_role" if this was the desired result.)
This example shows how to use an overlapping time range: place the most general time range first, with more specific time ranges later. In particular, reversing the order of the periodic statements will not work.
Example:
default deny
periodic 9:00 to 22:00 shared roles default_role
no periodic thu 9:00 to 17:00
periodic fri 9:00 to 17:00 not shared
This example shows how to share a device with a basic policy, and demonstrates two ways to disable sharing for a subset of the time period.
The device will be shared with a single role named default_role, from 9:00 to 22:00 each day. ("periodic 9:00 to 22:00 shared roles default_role").
On Thursday, the device is not shared between 9:00 and 17:00.
On Friday, the device is not shared between 9:00 and 17:00.
Example:
default allow
periodic 9:00 to 22:00 shared roles default_role
no periodic thu 9:00 to 17:00
periodic fri 9:00 to 17:00 not shared
This example is similar to the previous example; the device is not shared on Thursday and Friday between 9:00 and 17:00.
The difference is after 22:00 and before 9:00: in the previous example, the device is not shared during this time period, whereas with default allow the other AirGroup sharing rules will take effect (any shared users, roles, groups or locations that have been defined for the device).
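The following Python example is added here and is not part of the guide or the product. It parses the periodic rules of a time sharing policy written one rule per line and reports every pair whose day and time ranges overlap, so the rule order can be checked against the guidance above before the policy is saved. Function names are hypothetical; it assumes a range whose end is not later than its start runs past midnight, and it does not handle the "to <day>" form.

```python
"""Flag overlapping 'periodic' rules in an AirGroup time sharing policy."""
import re
from itertools import combinations

DAYS = ["monday", "tuesday", "wednesday", "thursday",
        "friday", "saturday", "sunday"]
DAY_GROUPS = {"weekday": DAYS[:5], "weekdays": DAYS[:5],
              "weekend": DAYS[5:], "weekends": DAYS[5:]}
PERIODIC_WORDS = {"period", "periodic", "rep", "repeat", "repeating"}
TIME_RE = re.compile(r"^(\d{1,2})(?::(\d{2}))?(am|pm)?$")
END_OF_DAY = 24 * 60


def parse_time(token):
    """Minutes since midnight for '9am', '9:00', '12:30pm' or '24:00'."""
    match = TIME_RE.match(token.lower())
    if not match:
        raise ValueError(f"not a time of day: {token!r}")
    hour, minute, half = int(match[1]), int(match[2] or 0), match[3]
    if half:
        if not 1 <= hour <= 12:
            raise ValueError(f"bad 12-hour time: {token!r}")
        hour = hour % 12 + (12 if half == "pm" else 0)
    total = hour * 60 + minute
    if minute > 59 or total > END_OF_DAY:
        raise ValueError(f"time out of range: {token!r}")
    return total


def expand_day(token):
    """Day names for a day token ('Mon', 'tu', 'weekdays'), else None."""
    token = token.lower()
    if token in DAY_GROUPS:
        return DAY_GROUPS[token]
    hits = [d for d in DAYS if d.startswith(token)] if len(token) >= 2 else []
    return hits if len(hits) == 1 else None


def parse_rule(lineno, line):
    """Parse one '[no|not] periodic [day-list] start to end ...' line.

    Returns None for any other statement (default, time zone, not before...).
    """
    tokens = line.split()
    if tokens and tokens[0].lower() in ("no", "not"):
        tokens = tokens[1:]
    if not tokens or tokens[0].lower() not in PERIODIC_WORDS:
        return None
    days, i = [], 1
    while i < len(tokens) and expand_day(tokens[i]):
        days += expand_day(tokens[i])
        i += 1
    if len(tokens) < i + 3 or tokens[i + 1].lower() != "to":
        raise ValueError(f"line {lineno}: expected '<start> to <end>'")
    if expand_day(tokens[i + 2]):
        raise ValueError(f"line {lineno}: 'to <day>' form not handled here")
    start, end = parse_time(tokens[i]), parse_time(tokens[i + 2])
    segments = []
    for day in days or DAYS:  # no day-list means every day of the week
        d = DAYS.index(day)
        if end > start:
            segments.append((d, start, end))
        else:
            # Assumption: an end at or before the start runs past midnight.
            segments += [(d, start, END_OF_DAY), ((d + 1) % 7, 0, end)]
    return {"line": lineno, "segments": segments}


def find_overlaps(policy):
    """Return (line_a, line_b, [days]) for each overlapping pair of rules."""
    rules = [rule for n, text in enumerate(policy.splitlines(), 1)
             if (rule := parse_rule(n, text))]
    findings = []
    for a, b in combinations(rules, 2):
        days = {DAYS[da] for da, sa, ea in a["segments"]
                for db, sb, eb in b["segments"]
                if da == db and sa < eb and sb < ea}
        if days:
            findings.append((a["line"], b["line"],
                             sorted(days, key=DAYS.index)))
    return findings


# Constructed inputs: the guide's example policies, one rule per line.
SEPARATE_SLOTS = """\
periodic Monday 9:00 to 10:30 shared users A, B
periodic Monday 12:00 to 13:30 shared users A, B
periodic Monday 15:00 to 16:30 shared users C, D"""
GENERAL_THEN_SPECIFIC = """\
default allow
periodic 0:00 to 24:00 shared roles default_role
periodic mon 9am to 5pm shared roles other_role"""
EXCLUSIONS = """\
default deny
periodic 9:00 to 22:00 shared roles default_role
no periodic thu 9:00 to 17:00
periodic fri 9:00 to 17:00 not shared"""

if __name__ == "__main__":
    for name in ("SEPARATE_SLOTS", "GENERAL_THEN_SPECIFIC", "EXCLUSIONS"):
        print(name, find_overlaps(globals()[name]))
```

A reported pair is a prompt to review, not necessarily an error: for each one, confirm that the more general range comes first and the more specific range later.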
Time-Based Syntax Reference
This reference describes the syntax used for time formats in time-based sharing rules. It supplements the examples for AirGroup time-based sharing by user groups discussed in "AirGroup Time-Based Sharing Syntax Examples" on page 71. For more information on using time-based sharing with AirGroup, see "About AirGroup Time-Based Sharing" on page 75.
The syntax for AirGroup time-based sharing policies supports all the default time-based ACL rules specified in TimeRangeACL. This ACL is a sequence of rules, one per line, according to the following syntax:
• default allow|deny
  Specifies the default behavior for unmatched times; this is 'allow' only if no 'periodic' or 'absolute' rules are specified, otherwise it is 'deny'. Use 'default allow' if the remaining rules exclude times, otherwise use 'default deny' if the remaining rules are to include times. This rule may only be used once.
• [time] zone default|server|...
  Specifies the time zone to use for matching times and specifying the time of day. If unset, the current time zone setting is used (note that this may vary due to operator and/or profile settings). If the value "default" or "server" is specified, the system's time zone is used. Otherwise, the named time zone is used. This rule may only be used once, and must be before any rules specifying a time interval.
• [not] period(ic) [day-list] hh:mm to [day] hh:mm
  Specifies a periodic or daily interval. Recognized days include Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday and 3-letter abbreviations; the tokens "weekends" and "weekdays" may also be used. Without a day-list, all days of the week are matched. Time may be specified in 12 or 24 hour format, with the special time 24:00 indicating the end of the day.
  Example: periodic monday 8:00 to friday 17:00 matches between 8am and 5pm, Monday through Friday.
  Example: periodic weekdays 8:00 to 17:00 specifies the same thing as the example in the previous line.
  Example: periodic wed 11am to 11pm matches between 11:00 and 23:00 on a Wednesday.
  Example: periodic weekend 0:00 to 24:00 matches any time on a Saturday or Sunday.
  Example: periodic saturday sunday 0:00 to 24:00 specifies the same thing as the example in the previous line.
  The 'not' keyword may be specified to invert the allow/deny decision.
  Example: default allow; not period 23:00 to 6:00 (on 2 separate lines) allows access, except between 11pm and 6am.
  Example: period 6:00 to 23:00 is equivalent to the example in the previous line.
• not before [date-and-time]
  Specifies an absolute time before which access will always be rejected.
  Example: not before 2010-07-01 09:00 matches after 9am on 1 July 2010.
• not after [date-and-time]
  Specifies an absolute time after which access will always be rejected.
  Example: not after 2011-01-01 00:00 matches before midnight on New Year's Day 2011.
• [not] abs(olute) [start-date-and-time] to [end-date-and-time]
  Specifies a start and end interval. The date and time is a format recognized by strtotime(). Times between the start and end point are matched. The 'not' keyword may be specified to invert the allow/deny decision.
  Example: absolute December 25 to December 26 matches all day on Christmas Day each year. (This does not match on December 26 as midnight on this date is the endpoint of the interval.)
A blank time ACL means "all times are allowed".
The following examples give common usage:
• 8:00 to 18:00 - allows access 8am to 6pm, every day, but not outside those times
• weekdays 9am to 5pm - allows access 9am to 5pm, Monday through Friday, but not outside those times
• weekdays 9am to 5pm
  weekends 10am to 4pm - allows access 9am to 5pm, Monday through Friday, with reduced hours on Saturday and Sunday
Annual recurrences may be specified:
• weekdays 9am to 5pm
  not absolute December 25 to December 26 - allows access 9am to 5pm, Monday through Friday, but not on Christmas Day
Less common cases:
• default allow
  not 23:00 to 6:00 - allows access, except between 11pm and 6am daily
• 9:00 to 18:00
  not before 2010-02-01 - allows daily access between 9am and 6pm, starting on February 1, 2010
• time zone Etc/GMT
  9:00 to 18:00
  not before 2010-02-01 - allows daily access between 9am and 6pm, starting on February 1, 2010, in the GMT time zone (useful if server is in a different time zone)

About AirGroup Time-Based Sharing

This section discusses time-based sharing policies for an AirGroup shared device.
For information on the syntax for time-based sharing policies for AirGroup shared devices, see "AirGroup Time-Based Sharing Syntax Examples" on page 71.
Time-based sharing is used in settings where an organization's shared devices are made available to groups of users according to a regular schedule, and device access is configured by group at the user level, for example:
• A university classroom or laboratory is used by a first-year physics class on Mondays, Wednesdays, and Fridays, by a group of researchers on Tuesdays and Thursdays, and for visiting speakers every other Saturday.
• A convention center has several major exhibitors who each hold an annual event, and who reserve their customary section of the convention center several years in advance.
In cases like this, you can enter rules to define the schedule on which shared devices in an area will be available to certain groups. You can also specify times when a device will not be available. This is a time-based sharing policy.
Device association is dynamic: When a shared device is available to a group, any user with that group attribute can access the device. When the user is no longer a member of the group (for example, at the end of the semester), they no longer have access, but the time-based sharing policy remains in effect and new users who are assigned the group attribute can access the shared device.
Basics of Time-Based Sharing Setup
When you create a device, enable it for AirGroup Services, and configure it as a shared device, you also have the option to specify time-based sharing (time fencing) for the device.
You first use the Administration > AirGroup Services > Configure form to create the groups who can share devices. When you type a name for the group in the Group Name field, press the Enter key, and click Save, the group is created in the system and appears as a "tag".
On the Guest > Create Device or Guest > List Devices > Edit forms, the shared user groups you created are then available for selection when you click in the Shared Groups field. (This feature requires AOS 6.4 or later.)
On the same screen, the next step is then to enter the rules for the time-based sharing policy, using the group names you created. For more information, see "AirGroup Time-Based Sharing Syntax Examples" on page 71.

MAC Authentication in W-ClearPass Guest

W-ClearPass Guest supports a number of options for MAC Authentication and the ability to authenticate devices.
The advanced features described in this section generally require a WLAN capable of MAC authentication with captive portal fallback. Please refer to your WLAN documentation for setting up the controller appropriately.
To verify that you have the most recent MAC Authentication Plugin installed and enabled before you configure these advanced features, go to Administration > Plugin Manager. For information on plugin management, see "Plugin Manager" on page 444.

MAC Address Formats

Different vendors format the client MAC address in different ways—for example:
• 112233AABBCC
• 11:22:33:aa:bb:cc
• 11-22-33-AA-BB-CC
W-ClearPass Guest supports adjusting the expected format of a MAC address. To configure formatting of separators and case in the address, as well as user detection and device filtering for views, go to Administration > Plugin Manager and click the Configuration link for the MAC Authentication plugin. The MAC Authentication Configuration page opens.
Figure 8 MAC Authentication Plugin—Configuration
On the controller, the fields look as follows:
Figure 9 MAC Authentication Profile

Automatically Registering MAC Devices in W-ClearPass Policy Manager

If W-ClearPass Policy Manager is enabled, you can configure a guest MAC address to be automatically registered as an endpoint record in W-ClearPass Policy Manager when the guest uses a Web login page or a guest self-registration workflow. This customization option is available if a valid Local or RADIUS pre-authentication check was performed.
To configure auto-registration for an address through a Web login page:
1. Go to Configuration > Pages > Web Logins, click the row of the page you wish to configure, then click its Edit link. The RADIUS Web Login Editor form opens.
2. Scroll down to the Post-Authentication area.
3. In the Policy Manager row, mark the check box to register the guest’s MAC address with W-ClearPass Policy Manager. The Advanced row is added to the form.
4. In the Advanced row, mark the check box to enable advanced options in W-ClearPass Policy Manager. The Endpoint Attributes row is added to the form.
5. In the Endpoint Attributes row, enter name|value pairs for the user fields and Endpoint Attributes to be passed.
6. Click Save Changes to complete this configuration and continue with other tasks, or click Save and Reload to proceed to Policy Manager and apply the network settings.

Importing MAC Devices

The standard Guest > Import Accounts form supports importing MAC devices. At a minimum the following two columns are required: mac and mac_auth.
mac_auth,mac,notes
1,aa:aa:aa:aa:aa:aa,Device A
1,bb:bb:bb:bb:bb:bb,Device B
1,cc:cc:cc:cc:cc:cc,Device C
Any of the other standard fields can be added similar to importing regular guests.
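The following Python example is added here and is not part of the guide or the product. It takes device MAC addresses collected in the three vendor styles shown under "MAC Address Formats", rewrites them in one separator and case, and builds an import file with the mac_auth, mac, and notes columns, rejecting malformed entries and the same device listed twice in different styles. Function names and the sample inventory are constructed for illustration; the output separator and case are assumptions that should match the MAC Authentication plugin configuration.

```python
"""Normalize mixed-format MAC addresses and build a device import CSV."""
import csv
import io
import re

# The three vendor styles listed in the guide: bare hex, colon- or
# dash-separated octets. Mixed separators are deliberately not accepted.
ACCEPTED_FORMS = re.compile(
    r"^(?:[0-9a-f]{12}"
    r"|[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
    r"|[0-9a-f]{2}(?:-[0-9a-f]{2}){5})$"
)


def normalize_mac(raw):
    """Return the address as 12 lowercase hex digits, or raise ValueError."""
    text = raw.strip().lower()
    if not ACCEPTED_FORMS.match(text):
        raise ValueError("not a recognized MAC format")
    return re.sub(r"[:-]", "", text)


def format_mac(mac12, separator=":", upper=False):
    """Render 12 hex digits with the chosen octet separator and case."""
    text = separator.join(mac12[i:i + 2] for i in range(0, 12, 2))
    return text.upper() if upper else text


def build_import_csv(devices, separator=":", upper=False):
    """Build CSV text from (raw_mac, notes) pairs.

    Returns (csv_text, rejected), where rejected lists (raw_mac, reason)
    for entries that were malformed or duplicated an earlier device.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["mac_auth", "mac", "notes"])
    seen, rejected = {}, []
    for raw, notes in devices:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if mac in seen:
            rejected.append((raw, f"duplicate of {seen[mac]}"))
            continue
        seen[mac] = raw
        # mac_auth is 1 for every row, as in the guide's sample file.
        writer.writerow([1, format_mac(mac, separator, upper), notes])
    return out.getvalue(), rejected


# Constructed sample inventory with mixed vendor formats.
SAMPLE_DEVICES = [
    ("112233AABBCC", "Lobby printer"),
    ("11:22:33:aa:bb:cc", "same device, other format"),
    ("11-22-33-AA-BB-CD", "Projector, room 2"),
    ("11:22:33:aa:bb", "too short"),
    ("11:22-33:aa:bb:cc", "mixed separators"),
]

if __name__ == "__main__":
    csv_text, rejected = build_import_csv(SAMPLE_DEVICES)
    print(csv_text)
    for raw, reason in rejected:
        print(f"rejected {raw}: {reason}")
```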

Advanced MAC Features

This section describes some advanced features for MAC authentication.
User Detection on Landing Pages
When mac is passed in the redirect URL, the user is detected and a customized message displays on the landing page.
To use this feature:
1. Go to Administration > Plugin Manager: MAC Authentication: Configuration and enable MAC Detect.
2. Edit the header of your redirect landing page (login or registration) and include the following:
<p>{if $guest_receipt.u.visitor_name}
Welcome back to the show, {$guest_receipt.u.visitor_name|htmlspecialchars}!
{else}
Welcome to the show!
{/if}</p>
3. For debugging purposes, include the following to see all the fields available:
{dump var=$guest_receipt export=html}
Click-Through Login Pages
A click-through login page will present a splash or terms screen to the guest, yet still provide MAC-auth style seamless authentication. Under this scenario, you could have people create an account, with a paired MAC, yet still have them click the terms and conditions on every new connection.
To use this feature:
1. Disable MAC authentication on the controller.
2. Go to Administration > Plugin Manager: MAC Authentication: Configuration and enable MAC Detect.
3. Create a Web Login. Include the following settings:
- Authentication: Anonymous
- Anonymous User: _mac (_mac is a special secret value)
- Pre-Auth Check: Local
- Terms: Require a Terms and Conditions confirmation
4. Set the Web login as your landing page and test. With a registered device, the 'Log In' button should be enabled; otherwise it will be disabled.
5. You might also want to add a message so visitors get some direction:
<p>{if $guest_receipt.u.username}
{if $guest_receipt.u.visitor_name}
Welcome back, {$guest_receipt.u.visitor_name|htmlspecialchars}!
{else}
Welcome back.
{/if}
Please accept the terms before proceeding.
{else}
You need to register...
{/if}</p>
6. You can hide the login form by having the final line of the header be:
{if !$guest_receipt.u.username}<div style="display:none">{/if}
and the first line of the footer be:
{if !$guest_receipt.u.username}</div>{/if}
Chapter 4

Onboard

Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate access credentials and setting up the network connection parameters. W-ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices across wired, wireless, and virtual private networks (VPNs).
W-ClearPass Onboard includes the following key features:
- Automatic configuration of network settings for wired and wireless endpoints
- Provisioning of unique device credentials for BYOD and IT-managed devices
- Support for Windows, Mac OS X, iOS, and Android devices
- Ability to revoke unique credentials on a specific user's device
- W-ClearPass Profile for identifying device type, manufacturer, and model

Accessing Onboard

To access the device provisioning features of W-ClearPass Onboard, click the Onboard link in the left navigation.

About W-ClearPass Onboard

Dell Networking W-ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices—Windows, Mac OS X, iOS and Android—across wired, wireless, and virtual private networks (VPNs).
W-ClearPass Onboard includes the following key features:
- Automatic configuration of network settings for wired and wireless endpoints.
- Provisioning of unique device credentials for BYOD and IT-managed devices.
- Support for Windows, Mac OS X, iOS, and Android devices.
- Enables the revocation of unique credentials on a specific user’s device.
- Leverages W-ClearPass Profile to identify device type, manufacturer, and model.
This section provides the following important information about Dell Networking W-ClearPass Onboard:
- "Onboard Deployment Checklist" on page 81
- "Onboard Feature List" on page 83
- "Supported Platforms" on page 84
- "Public Key Infrastructure for Onboard" on page 85
- "Revoking Unique Device Credentials" on page 86
- "Network Requirements for Onboard" on page 87
- "Network Architecture for Onboard" on page 89
- "The W-ClearPass Onboard Process" on page 91
- "Configuring the User Interface for Device Provisioning" on page 95
- "Onboard Troubleshooting" on page 96

Onboard Deployment Checklist

Table 16 lists planning, configuration, and testing procedures. Use this checklist to complete your Onboard deployment.
Onboard events are stored in the Application Log for seven days by default. After seven days, significant runtime events are listed in the Audit Viewer in Dell Networking W-ClearPass Policy Manager’s Monitoring module. Onboard events that are listed include:
- Changing the CA certificate
- Issuing a new certificate
- Signing a certificate signing request
- Revoking a certificate
- Deleting a certificate
- Importing a trusted certificate
- Uploading a code-signing or other certificate
Table 16: Onboard Deployment Checklist
Each entry below gives the deployment step, followed by its reference where the table provides one.

Planning and Preparation

Step: Review the Onboard feature list to identify the major areas of interest for your deployment.
Reference: "Onboard Feature List" on page 83

Step: Review the list of platforms supported by Onboard, and identify the platforms of interest for your deployment.
Reference: "Supported Platforms" on page 84

Step: Review the Onboard public key infrastructure, and identify any certificate authorities that will be needed during the deployment.
Reference: "Public Key Infrastructure for Onboard" on page 85

Step: Review the network requirements and the network architecture diagrams to determine how and where to deploy the Onboard solution.
Reference: Refer to the W-ClearPass Policy Manager documentation, and "Network Architecture for Onboard" on page 89 in this chapter

Configuration

Step: Configure the hostname and networking properties of the Onboard provisioning server.
- DNS is required for SSL.
- Ensure that hostname resolution will work for devices being provisioned.
Reference: Refer to the W-ClearPass Policy Manager documentation

Step: Configure SSL certificate for the Onboard provisioning server. A commercial SSL certificate is required to enable secure device provisioning for iOS devices.
Reference: Refer to the W-ClearPass Policy Manager documentation

Step: Configure the Onboard certificate authority.
- Decide whether to use the Root CA or Intermediate CA mode of operation.
- Create the certificate for the certificate authority.
Reference: "Certificate Authorities" on page 97

Step: Configure device provisioning settings.
- Select certificate options for device provisioning.
- Select which device types should be supported.
Reference: "About Configuring Provisioning Settings" on page 169

Step: Configure network settings for device provisioning.
- Set network properties.
- Upload 802.1X server certificates.
- Set device-specific networking settings.
Reference: "Network Settings" on page 130

Step: Configure networking equipment for non-provisioned devices.
- Set authentication for the provisioning SSID, if required.
- Ensure the captive portal redirects non-provisioned devices to the device provisioning page.
Reference: "Network Requirements for Onboard" on page 87

Step: Configure networking equipment to authenticate provisioned devices.
- Ensure 802.1X authentication methods and trust settings are configured correctly for all EAP types that are required.
- Configure OCSP or CRL on the authentication server to check for client certificate validity.
Reference: "Network Requirements for Onboard" on page 87

Step: Configure the user interface for device provisioning.
- Set display options for iOS devices.
- Set user interface options for other W-Onboard devices.
- Set up the device provisioning Web login page.
Reference: "Configuring the User Interface for Device Provisioning" on page 95

Testing and Verification

Step: Test device provisioning.
- Verify that each type of device can be provisioned successfully.
- Verify that each type of device can join the provisioned network and is authenticated successfully.

Step: Test device revocation.
- Revoke a device’s certificate.
- Verify that the device is no longer able to authenticate.
- Verify that re-provisioning the device fails.

Onboard Feature List

The following features are available in Dell Networking W-ClearPass Onboard.
Table 17: Onboard Features

Feature: Automatic configuration of network settings for wired and wireless endpoints.
Uses:
- Configure wired networks using 802.1X
- Configure Wi-Fi networks using either 802.1X or pre-shared key (PSK)
- Configure trusted server certificates for 802.1X
- Configure Windows-specific networking settings
- Configure HTTP proxy settings for client devices (Android, OS X only)

Feature: Secure provisioning of unique device credentials for BYOD and IT-managed devices.
Uses:
- Configure EAP-TLS and PEAP-MSCHAPv2 without user interaction
- Revoke unique device credentials to prevent network access

Feature: Support for Windows, Mac OS X, iOS, and Android devices.
Uses:
- Leverage ClearPass Profiling to identify device type, manufacturer, and model
- Control the user interface displayed during device provisioning

Feature: Certificate authority enables the creation and revocation of unique credentials on a specific user’s device.
Uses:
- Root and intermediate CA modes of operation
- Supports SCEP enrollment of certificates
- Supports CRL generation to list revoked certificates
- Supports OCSP responder to query for certificate status
- Approve certificate signing request
- Reject certificate signing request
- Sign certificate from uploaded certificate signing request (CSR)
- Issue certificate
- Revoke certificate
- Display certificates
- Export certificate
- Renew root certificate

Feature: Provision additional settings specific to iOS devices
Uses:
- Exchange ActiveSync
- Passcode policy
- VPN settings

Supported Platforms

The platforms supported by Dell Networking W-ClearPass Onboard and the version requirements for each platform are summarized in the following table.
Table 18: Platforms Supported by W-ClearPass Onboard
Platform | Example Devices | Version Required for Onboard Support | Notes
Apple iOS | iPhone, iPad, iPod Touch | iOS 4, iOS 5 | 1, 3
Apple Mac OS X | MacBook Pro, MacBook Air | Mac OS X 10.8 “Mountain Lion”, Mac OS X 10.7 “Lion” | 1
Apple Mac OS X | MacBook Pro, MacBook Air | Mac OS X 10.6 “Snow Leopard”, Mac OS X 10.5 “Leopard” | 2
Android | Samsung Galaxy S, Samsung Galaxy Tab, Motorola Droid | Android 2.2 (or higher) | 2
Microsoft Windows | Laptop, Netbook | Windows XP with Service Pack 3, Windows Vista with Service Pack 3, Windows 7, Windows 8, Windows 8.1 | 2

Note 1: Uses the “Over-the-air provisioning” method.
Note 2: Uses the “Onboard provisioning” method.
Note 3: Onboard may also be used to provision VPN settings, Exchange ActiveSync settings, and passcode policy on these devices.

Public Key Infrastructure for Onboard

During the device provisioning process, one or more digital certificates are issued to the device. These are used as the unique credentials for a device. To issue the certificate, Dell Networking W-ClearPass Onboard must operate as a certificate authority (CA). The following sections explain how the certificate authority works, and which certificates are used in this process.
Certificate Hierarchy
In a public key infrastructure (PKI) system, certificates are related to each other in a tree-like structure.
Figure 10 Relationship of Certificates in the Onboard Public Key Infrastructure
The root certificate authority (CA) is typically an enterprise certificate authority, with one or more intermediate CAs used to issue certificates within the enterprise.
Onboard may operate as a root CA directly, or as an intermediate CA. See "Certificate Authorities" on page 97. For information on setting up certificates when using Onboard in a cluster, see "Certificate Configuration in a Cluster" on page 86.
The Onboard CA issues certificates for several purposes:
- The Profile Signing Certificate is used to digitally sign configuration profiles that are sent to iOS devices.
  - The identity information in the profile signing certificate is displayed during device provisioning.
- One or more Server Certificates may be issued for various reasons – typically, for an enterprise’s authentication server.
  - The identity information in the server certificate may be displayed during network authentication.
- One or more Device Certificates may be issued – typically, one or two per provisioned device.
  - The identity information in the device certificate uniquely identifies the device and the user that provisioned the device.
You do not need to manually create the profile signing certificate; it is created when it is needed. See "Configuring Provisioning Settings for iOS and OS X" on page 176 to control the contents of this certificate.
You may revoke the profile signing certificate. It will be recreated when it is needed for the next device provisioning attempt.
Certificate Configuration in a Cluster
When you use Onboard in a cluster, you must use one common root certificate authority (CA) to issue all CPPM server certificates for the cluster. This allows the “verified” message in iOS and lets you verify that the CPPM server certificate is valid during EAP-PEAP or EAP-TLS authentication.
In a cluster of CPPM servers, devices can be onboarded through any node or authenticated through any node. Each CPPM server has a different certificate, used for both SSL and RADIUS server identity. In the default configuration, these are self-signed certificates—that is, they are not issued by a root CA. This configuration of multiple self-signed certificates will not work for Onboard: Although a single self-signed certificate can be trusted, multiple self-signed certificates are not.
There are two ways to configure a common root CA to issue all the CPPM server certificates for a cluster:
- Use the Onboard certificate authority. Create a certificate signing request on each CPPM node, sign the certificates using Onboard, and install them in CPPM. You can then onboard devices on any node in the cluster, and can perform secure EAP authentication from a provisioned device to any node in the cluster.
- Use a commercial certificate authority to issue CPPM server certificates. Verify that the same root CA is at the top of the trust chain for every server certificate, and that it is the trusted root certificate for Onboard. Provisioning and authentication will then work across the entire cluster.

Revoking Unique Device Credentials

Because each provisioned device uses unique credentials to access the network, it is possible to disable network access for an individual device. This offers a greater degree of control than traditional user-based authentication — disabling a user’s account would impact all devices using those credentials.
To disable network access for a device, revoke the TLS client certificate provisioned to the device. See "Working with Certificates in the List" on page 116.
Revoking access for a device is only possible when using an enterprise network. Personal (PSK) networks do not support this capability.
Revoking Credentials to Prevent Network Access
Revoking a device's certificate will cause the device to be unable to authenticate. It will not prevent it from being re-provisioned. If you wish to deny access to a device, use the Manage Access link in the device's row on the Onboard > Management and Control > View by Device form.
If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate authority to update the certificate’s state. When the certificate is next used for authentication, it will be recognized as a revoked certificate and the device will be denied access.
When using EAP-TLS authentication, you must configure your authentication server to use either OCSP or CRL to check the revocation status of a client certificate. OCSP is recommended as it offers a real-time status update for certificates. If the device is provisioned with PEAP unique device credentials, revoking the certificate will automatically delete the unique username and password associated with the device. When this username is next used for authentication, it will not be recognized as valid and the device will be denied access.
OCSP and CRL are not used when using PEAP unique device credentials. The ClearPass Onboard server automatically updates the status of the username when the device's client certificate is revoked.
Re-Provisioning a Device
Because “bring your own” devices are not under the complete control of the network administrator, it is possible for unexpected configuration changes to occur on a provisioned device.
For example, the user may delete the configuration profile containing the settings for the provisioned network, instruct the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all the configuration on the device.
When these events occur, the user will not be able to access the provisioned network and will need to re-provision their device.
The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action (such as connecting to the appropriate network). If this is not possible, the user may choose to restart the provisioning process and re-provision the device.
Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these credentials are still valid.
If the TLS client certificate has expired then the device will be issued a new certificate. This enables re-provisioning to occur on a regular basis.
If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked certificate must be deleted before the device is able to be provisioned.

Network Requirements for Onboard

To achieve complete functionality, Dell Networking W-ClearPass Onboard has certain requirements that must be met by the provisioning network and the provisioned network:
- The provisioning network must use a captive portal or other method to redirect a new device to the device provisioning page.
- The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be provisioned. In practice, this means a commercial SSL certificate is required.
- The provisioned network must support EAP-TLS and PEAP-MSCHAPv2 authentication methods.
- The provisioned network must support either OCSP or CRL checks to detect when a device has been revoked and deny access to the network.
Using Same SSID for Provisioning and Provisioned Networks
To configure a single SSID to support both provisioned and non-provisioned devices, use the following guidelines:
- Configure the network to use both PEAP and EAP-TLS authentication methods.
- When a user authenticates via PEAP with their domain credentials, place them into a provisioning role.
- The provisioning role should have limited network access and a captive portal that redirects users to the device provisioning page.
- When a user authenticates via PEAP with unique device credentials, place them into a provisioned role.
- When a user authenticates via EAP-TLS using an Onboard client certificate, place them into a provisioned role.
For provisioned devices, additional authorization steps can be taken after authentication has completed to determine the appropriate provisioned role.
Using Different SSID for Provisioning and Provisioned Networks
To configure dual SSIDs to support provisioned devices on one network, and non-provisioned devices on a separate network, use the following guidelines:
- Configure the provisioning SSID to use PEAP, or another suitable authentication method.
- When a user connects to the provisioning SSID, place them into a provisioning role.
  - The provisioning role should have limited network access and a captive portal that redirects users to the device provisioning page.
- When a user connects to the provisioned SSID, authenticate based on the type of credentials presented.
  - For PEAP authentication with unique device credentials, place them into a provisioned role.
  - For EAP-TLS authentication using an Onboard client certificate, place them into the provisioned role.
  - In all other cases, deny access.
As for the single-SSID case, additional authorization steps may be taken after authentication has completed to determine the appropriate provisioned role.
Configuring Online Certificate Status Protocol
Onboard supports the Online Certificate Status Protocol (OCSP) to provide a real-time check on the validity of a certificate.
To configure OCSP for your network, you will need to provide the URL of an OCSP service to your network equipment. This URL can be constructed by using the relative path mdps_ocsp.php/1.
For example, if the Onboard server’s hostname is onboard.example.com, the OCSP URL to use is: http://onboard.example.com/guest/mdps_ocsp.php/1.
OCSP does not require the use of HTTPS and can be configured to use HTTP.
Configuring Certificate Revocation List (CRL)
Onboard supports generating a Certificate Revocation List (CRL) that lists the serial numbers of certificates that have been revoked.
To configure a CRL, you will need to provide its URL to your network equipment. This URL can be constructed by using the relative path mdps_crl.php?id=1.
For example, if the Onboard server’s hostname is onboard.example.com, the location of the CRL is: http://onboard.example.com/guest/mdps_crl.php?id=1.
A certificate revocation list does not require the use of HTTPS and can be configured to use HTTP.
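The script below is an added example, not part of the guide: it supports the "Test device revocation" step of the deployment checklist by asking the Onboard OCSP responder and CRL, at the URLs constructed above, whether a device certificate is revoked. The file names, argument order and embedded sample outputs are constructed, and openssl and curl are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the guide): check how the Onboard OCSP responder and
# CRL report a device certificate. Host, file names and samples are constructed.

# URLs built from the relative paths given in the guide.
onboard_ocsp_url() { printf 'http://%s/guest/mdps_ocsp.php/1\n' "$1"; }
onboard_crl_url()  { printf 'http://%s/guest/mdps_crl.php?id=1\n' "$1"; }

# Reduce `openssl ocsp` output to one word: good, revoked or unknown.
# openssl prints "<certificate file>: <status>" for the queried certificate.
# Output without such a line (responder error, empty reply) counts as unknown.
ocsp_status() {
    printf '%s\n' "$1" | awk '
        /: (good|revoked|unknown)$/ { print $NF; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Report whether a serial, as printed by `openssl x509 -noout -serial`, appears
# in CRL text produced by `openssl crl -noout -text`.
crl_lists_serial() {
    want=$(printf '%s\n' "$1" | sed 's/^serial=//' | tr 'a-f' 'A-F')
    # The "x" prefix forces awk to compare strings, so "0100" never equals "100".
    printf '%s\n' "$2" | awk -v want="x$want" '
        $1 == "Serial" && $2 == "Number:" && ("x" toupper($3)) == want { hit = 1 }
        END { print (hit ? "listed" : "not-listed") }'
}

# Ask the responder about one certificate.
# Arguments: host, issuer certificate, CA bundle used to verify the response
# signature, device certificate (all PEM). Any openssl failure, including an
# unverifiable response, is reported as unknown.
query_onboard_ocsp() {
    out=$(openssl ocsp -issuer "$2" -CAfile "$3" -cert "$4" \
              -url "$(onboard_ocsp_url "$1")" 2>/dev/null) || { echo unknown; return 0; }
    ocsp_status "$out"
}

# Download the CRL and print it as text. The guide does not state the CRL
# encoding, so DER is tried first and PEM second (assumption).
fetch_crl_text() {
    tmp=$(mktemp) || return 1
    if curl -fsS -o "$tmp" "$(onboard_crl_url "$1")"; then
        openssl crl -inform DER -in "$tmp" -noout -text 2>/dev/null ||
            openssl crl -inform PEM -in "$tmp" -noout -text 2>/dev/null
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed samples of openssl output for exercising the parsers offline.
SAMPLE_OCSP_REVOKED='device.pem: revoked
    This Update: Jan  1 00:00:00 2024 GMT
    Revocation Time: Dec 31 12:00:00 2023 GMT'
SAMPLE_OCSP_GOOD='device.pem: good
    This Update: Jan  1 00:00:00 2024 GMT'
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
Revoked Certificates:
    Serial Number: 0A1B
        Revocation Date: Dec 31 12:00:00 2023 GMT
    Serial Number: 2F
        Revocation Date: Dec 31 12:05:00 2023 GMT'

# Usage: sh check_revocation.sh <host> <issuer.pem> <ca-bundle.pem> <device.pem>
# Exits 0 only when a certificate that was revoked in Onboard is reported as
# revoked by OCSP and is listed in the CRL.
if [ "$#" -eq 4 ]; then
    ocsp_result=$(query_onboard_ocsp "$1" "$2" "$3" "$4")
    serial=$(openssl x509 -in "$4" -noout -serial)
    crl_result=$(crl_lists_serial "$serial" "$(fetch_crl_text "$1")")
    echo "OCSP: $ocsp_result   CRL: $crl_result"
    if [ "$ocsp_result" != revoked ] || [ "$crl_result" != listed ]; then
        echo "FAIL: revoked certificate is not reported as revoked" >&2
        exit 1
    fi
fi
```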

Network Architecture for Onboard

The high-level network architecture for the Onboard solution is shown in the following figure.
Figure 11 ClearPass Onboard Network Architecture
The sequence of events shown in Figure 11 is:
1. Users bring their own device to the enterprise.
2. The Dell Networking W-ClearPass Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction.
3. After it is provisioned, the device re-authenticates to the network using a set of unique device credentials. These credentials uniquely identify the device and user and enable management of provisioned devices.
4. Administrators can configure all aspects of the provisioning workflow – including the devices that have been provisioned, policies to apply to devices and the overall user experience for BYOD.
A more detailed view of the network architecture is shown in Figure 12. This diagram shows different types of client devices using the Onboard workflow to gain access to the network. Some of the components that may be configured by the network administrator are also shown.
Figure 12 Detailed View of the W-ClearPass Onboard Network Architecture
The components shown in Figure 12 are:
1. Users bring different kinds of client device with them. Onboard supports “smart devices” that use the iOS or Android operating systems, such as smartphones and personal tablets. Onboard also supports the most common versions of Windows and Mac OS X operating systems found on desktop computers, laptops and netbooks.
2. The Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction. The provisioning method used depends on the type of device.
a. Newer versions of Mac OS X (10.7 and later) and iOS devices use the “over-the-air” provisioning method.
b. Other supported platforms use the “Onboard provisioning” method.
3. After it is provisioned, a client device uses a secure authentication method based on 802.1X and the capabilities best supported by the device.
a. The unique device credentials issued during provisioning are in the form of an EAP-TLS client certificate for iOS devices and OS X (10.7+) devices.
b. Other supported devices are also issued a client certificate, but will use the PEAP-MSCHAPv2 authentication method with a unique username and strong password.
4. Administrators can manage all Onboard devices using the certificate issued to that device.
Network Architecture for Onboard when Using W-ClearPass Guest
W-ClearPass Guest supports the provisioning, authentication, and management aspects of the complete Onboard solution. Figure 13 shows the high-level network architecture for the Onboard solution when using ClearPass Guest as the provisioning and authentication server.
Figure 13 W-ClearPass Onboard Network Architecture when Using W-ClearPass Guest
The user experience for device provisioning is the same in Figure 13 and Figure 11; however, there are implementation differences between these approaches.

The W-ClearPass Onboard Process

Devices Supporting Over-the-Air Provisioning
Dell Networking W-ClearPass Onboard supports secure device provisioning for iOS 4, iOS 5, and recent versions of Mac OS X (10.7 “Lion” and later). These are collectively referred to as “iOS devices”. The Onboard process for iOS devices is shown in Figure 14.
Figure 14 Onboard Process for iOS Devices
The W-Onboard process is divided into three stages:
1. Pre-provisioning. The enterprise’s root certificate is installed on the iOS device.
2. Provisioning. The user is authenticated at the device provisioning page and then provisions their device with the Onboard server. The device is configured with appropriate network settings and a device-specific certificate.
3. Authentication. After configuration is complete, the user switches to the secure network and is authenticated using an EAP-TLS client certificate.
A sequence diagram showing the interactions between each component of this workflow is shown in Figure 15.
Figure 15 Sequence Diagram for the W-Onboard Workflow on iOS Platform
1. When a BYOD device first joins the provisioning network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page.
2. A link on the mobile device provisioning page prompts the user to install the enterprise’s root certificate. Installing the enterprise’s root certificate enables the user to establish the authenticity of the provisioning server during device provisioning.
3. The user then authenticates with their provisioning credentials – these are typically the user’s enterprise credentials from Active Directory. If the user is authorized to provision a mobile device, the over-the-air provisioning workflow is then triggered (see Figure 16, below).
4. After provisioning has completed, the device switches to EAP-TLS authentication using the newly provisioned client certificate. Mutual authentication is performed (the authentication server verifies the client certificate, and the client verifies the authentication server’s certificate).
5. The device is now onboard and is able to securely access the provisioned network.
Over-the-air provisioning is used to securely provision a device and configure it with network settings. Figure 16 shows a sequence diagram that explains the steps involved in this workflow.
Figure 16 Over-the-Air Provisioning Workflow for iOS Platform
1. The only user interaction required is to accept the provisioning profile. This profile is signed by the Onboard server, so that the user can be assured of its authenticity.
2. An iOS device will have two certificates after over-the-air provisioning is complete:
a. A Simple Certificate Enrollment Protocol (SCEP) certificate is issued to the device during the provisioning process. This certificate identifies the device uniquely, and is used to encrypt the device configuration profile so that only this device can read its unique settings.
b. A Transport Layer Security (TLS) client certificate is issued to the device. This certificate identifies the device and the user that provisioned the device. It is used as the device’s network identity during EAP-TLS authentication.
Devices Supporting Onboard Provisioning
Dell Networking W-ClearPass Onboard supports secure device provisioning for Microsoft Windows XP (service pack 3 and later), Microsoft Windows Vista, Microsoft Windows 7, Apple Mac OS X 10.5 and 10.6, and Android devices (smartphones and tablets). These are collectively referred to as “Onboard-capable devices”. The Onboard process for these devices is shown in Figure 17.
Figure 17 W-ClearPass Onboard Process for Onboard-Capable Devices
The Onboard process is divided into three stages:
1. Pre-provisioning. This step is only required for Android devices; the W-Series QuickConnect app must be installed for secure provisioning of the device.
2. Provisioning. The device provisioning page detects the device type and downloads or starts the QuickConnect app. The app authenticates the user and then provisions their device with the Onboard server. The device is configured with appropriate network settings and credentials that are unique to the device. See Figure 18 for details.
3. Authentication. After configuration is complete, the user switches to the secure network and is authenticated using PEAP-MSCHAPv2 unique device credentials.
Figure 18 Sequence Diagram for the Onboard Workflow on Android Platform
1. When a BYOD device first joins the network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page.
2. The Onboard portal is displayed. The user’s device type is detected, and a link is displayed depending on the device type:
a. For Android devices, the link is to a file containing the Onboard configuration settings; downloading this file will launch the QuickConnect app on the device.
b. For Windows and Mac, the link is to an executable file appropriate for that operating system that includes both the QuickConnect app and the Onboard configuration settings.
3. The QuickConnect app uses the Onboard provisioning workflow to authenticate the user and provision their device with the Onboard server. The device is configured with appropriate network settings and credentials that are unique to the device.
4. After provisioning has completed, the app switches the device to PEAP authentication using the newly provisioned unique device credentials. Mutual authentication is performed (the authentication server verifies the client’s username and password, and the client verifies the authentication server’s certificate).
5. The device is now onboard and is able to securely access the network.
The Onboard provisioning workflow is used to securely provision a device and configure it with network settings. Figure 19 shows a sequence diagram that explains the steps involved in this workflow.
Figure 19 Onboard Provisioning Workflow in the QuickConnect App

Configuring the User Interface for Device Provisioning

The user interface for device provisioning can be customized in three different ways:
- Customizing the Web login page used for device provisioning.
  All devices will reach the device provisioning Web login page as the first step of the provisioning process. See "Configuring Provisioning Settings for the Web Login Page" on page 174 to make changes to the content or formatting of this page.
- Customizing the properties of the device provisioning profile for iOS and OS X devices.
  After starting the provisioning process, users of iOS and OS X are prompted to accept a configuration profile. See "Configuring Provisioning Settings for iOS and OS X" on page 176 to make changes to the content of this profile.
- Customizing the user interface of the QuickConnect app for Windows, Mac OS X, and Android devices.
  The provisioning process for Windows, Mac OS X, and Android devices uses a separate app, which has a customizable user interface. See "Configuring Options for Onboard Client Devices" on page 184 to make changes to the user interface.
Using the {nwa_mdps_config} Template Function
Certain properties can be extracted from the Onboard configuration and used in the device provisioning page.
To obtain these properties, use the {nwa_mdps_config} Smarty template function. The “name” parameter specifies which property should be returned, as described in Table 19.
Table 19: Properties Available with the {nwa_mdps_config} Smarty Template Function

| Name | Description |
|---|---|
| root_cert | URL of the Onboard certificate authority’s root certificate. Browsing to this URL will install the root certificate on the device, which is required as part of the pre-provisioning step. Example: `<a href="{nwa_mdps_config name=root_cert}">Install Onboard root certificate</a>` |
| wifi_ssid | Name of the wireless network. See "Configuring Basic Network Access Settings" on page 131. Example: `Connect to the network named {nwa_mdps_config name=wifi_ssid}` |
| organization_name | The organization name. See "Configuring Basic Provisioning Settings" on page 170. Example: `<h2>Welcome to {nwa_mdps_config name=organization_name}</h2>` |

Onboard Troubleshooting

If you encounter a problem that is not listed here, refer to the "Onboard Deployment Checklist" on page 81 and check each of the configuration steps listed there.
iOS Device Provisioning Failures
Symptom: Device provisioning fails on iOS with the message “The server certificate for https://… is invalid”.
Resolution: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate.
Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate authority, will cause iOS device provisioning to fail with the message “The server certificate for … is invalid”.
A workaround for this issue is to install an appropriate root certificate on the iOS device. This root certificate must be the Web server’s SSL certificate (if it is a self-signed certificate), or the certificate of the certificate authority that issued the SSL certificate. This is not recommended for production deployments as it increases the complexity of deployment for users with iOS devices.
Hostname-to-Certificate Match Failures
Symptom: Device provisioning fails with the message "Onboard provisioning cannot be performed at this address. If your were directed here, please contact a network administrator."
This occurs if the hostname used to access CPPM does not match the hostname configured in the CPPM server certificate. These items must match or device provisioning will fail. This error is detected by Onboard and results in the above message.
Resolution: To correct the problem, ensure that the DNS is correctly configured for the server, ensure that the hostname is correctly set, and ensure that the server's certificate contains the correct hostname.
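One way to check the condition described above before changing DNS or reissuing a certificate, as an added example (not ClearPass code): it takes the dictionary shape returned by Python's ssl.SSLSocket.getpeercert() and reports whether the name a device used to reach the server matches the certificate. The certificate contents and hostnames are constructed samples.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
CPPM_CERT = {
    "subject": ((("commonName", "clearpass.example.com"),),),
    "subjectAltName": (("DNS", "clearpass.example.com"), ("DNS", "*.guest.example.com")),
}


def cert_names(cert):
    """Return (dns_names, ip_addresses, used_cn_fallback) for hostname matching."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if dns:
        return dns, ips, False
    # No DNS SAN: legacy clients fall back to the subject commonName; many
    # current clients do not, so treat a CN-only match as fragile.
    cn = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cn, ips, True


def dns_match(pattern, hostname):
    """Exact match, or a leftmost '*' label standing in for exactly one label."""
    p = pattern.rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def diagnose(cert, accessed_as):
    """Return (ok, explanation) for the name or address the device used."""
    dns, ips, cn_fallback = cert_names(cert)
    try:
        addr = ipaddress.ip_address(accessed_as)
    except ValueError:
        addr = None
    if addr is not None:
        ok = any(ipaddress.ip_address(i) == addr for i in ips)
        basis = "an IP address only matches an IP SAN entry"
    else:
        ok = any(dns_match(p, accessed_as) for p in dns)
        basis = "matched against commonName, no DNS SAN" if cn_fallback else "matched against DNS SANs"
    verdict = "match" if ok else "MISMATCH"
    return ok, f"{accessed_as}: {verdict} ({basis}); certificate names: {dns + ips}"
```

Short names and raw IP addresses in redirect URLs are the usual sources of a mismatch, so run the check against the exact string that appears in the provisioning URL.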
Onboard Interface Not Displayed
If Onboard is not visible in the ClearPass Guest user interface, verify whether Public Facing Enterprise (PFE) mode is set in ClearPass Policy Manager. If PFE mode is enabled, Onboard is not permitted and Onboard licenses cannot be added. The PFE mode is enabled or disabled in CPPM on the Mode tab at Administration > Server Manager > Server Configuration > Cluster-Wide Parameters.
Certificate Renewal through OS X Mavericks
OS X Mavericks allows users to renew certificates automatically, and provides a notice and an Update link in the Mavericks Profile fifteen days before a certificate expires. Onboard supports certificate renewal through OS X Mavericks. However, only local certificates can be renewed; ADCS is not supported. Also, certificates that have been revoked cannot be renewed.

Certificate Authorities

You can create and manage multiple certificate authorities for Onboard. To view and work with the list of certificate authorities and to configure new certificate authorities, go to Onboard > Certificate Authorities. The Certificate Authorities list view opens. All certificate authorities that have been set up are included in the list. Information shown for each certificate authority includes its name, mode, status, expiration time, and OCSP URL.
You can click a certificate authority's row in the list for additional options:
• To view details for a certificate authority, click its Show Details link. The form expands to show a summary of the settings defined for it, including information for certificate issuing, retention policy, identity, private key, and self-signed certificate.
• To edit any of a certificate authority's attributes and configure certificate issuing options, click its Edit link. The Certificate Authority Settings form opens. See "Editing Certificate Authority Settings" on page 101.
• To create a copy of a certificate authority configuration to use as a basis for a new certificate authority, click its Duplicate link. The first page of the Certificate Authority Settings form opens with the identity, private key, and self-signed certificate attributes prepopulated and "Copy" appended to the name. You can rename the new certificate authority and edit any of its attributes.
• To delete a certificate authority, you can click its Delete link. You will be asked to confirm the deletion before it commits.
• To see if the certificate authority is currently used, click its Show Usage link. The form expands to show a list of provisioning sets that use the certificate authority.
• To view the trust chain for the certificate authority, click its Trust Chain link. The Certificate Authority Trust Chain page opens. See "The Trust Chain and Uploading Certificates for the CA" on page 128.
• To view a list of certificates associated with the certificate authority, click its Certificates link. The Certificate Management page opens. See "Certificate Management (View by Certificate)" on page 115.
• To renew the certificate authority, click its Renew link. If it is an intermediate certificate authority, the Intermediate Certificate Renewal page opens, where you can send a certificate signing request; see "Requesting a Certificate for the Certificate Authority" on page 105. If it is a root certificate authority, the row expands to include the Root Certificate Renewal option. Click the Renew Root Certificate button.
  Renewing the certificate uses the same private key for the root certificate, but reissues the root CA certificate with an updated validity period. This will maintain the validity of all certificates issued by the CA. When you renew a certificate, you should distribute a new copy of the root certificate to all users of that certificate.
• To delete a certificate authority's client certificates, click its Delete Client Certificates link. The row expands to include the Delete Client Certificates form. To confirm the deletion, you must mark the Reset the specified items check box in the Confirm Reset field, and then click the Delete Client Certificates button. Doing so will permanently delete all client certificates for the certificate authority. This action cannot be reversed.
• To create a new certificate authority, click the Create new certificate authority link in the upper right corner. The initial setup page of the Certificate Authority Settings form opens. See the next section, "Creating a New Certificate Authority" on page 98.

Creating a New Certificate Authority

The first page of the Certificate Authority Settings form is used to create the Onboard certificate authority (CA) and to configure some basic properties:
• Give it a name and description
• Specify root CA, intermediate CA, or local CA mode
• Configure the identity, private key, and self-signed certificate attributes
To create an Onboard certificate authority:
1. Go to Onboard > Certificate Authorities, and then either click the Duplicate link for a certificate authority in the Certificate Authorities list or click the Create new certificate authority link. The initial setup page of the Certificate Authority Settings form opens.
2. In the Name field, give the CA a short name that identifies it clearly. Certificate authority names can include spaces. If you are duplicating a CA, the original name has "Copy" appended to it. You may highlight the name and replace it with a new name.
3. In the Description field, briefly describe the CA. This description is shown in the Certificate Authorities list.
The Name and Description fields are used internally to identify this certificate authority for the network administrator. These values are never displayed to the user during device provisioning.
4. The Mode setting determines how the certificate authority operates. In the Mode area, click one of the descriptions to specify the type of certificate authority:
• Root CA—The Onboard certificate authority issues its own root certificate. The certificate authority issues client and server certificates using a local signing certificate, which is an intermediate CA that is subordinate to the root certificate. Use this option when you do not have an existing public-key infrastructure (PKI), or if you want to completely separate the certificates issued for Onboard devices from your existing PKI.
• Intermediate CA—The Onboard certificate authority is issued a certificate by an external certificate authority. The Onboard certificate authority issues client and server certificates using this certificate. Use this option when you already have a public-key infrastructure (PKI), and would like to include the certificate issued for Onboard devices in that infrastructure.
• Imported CA—If you choose Imported CA, the following fields are removed from the form. If you choose Root or Intermediate, complete the following fields.
5. In the Identity area, enter values in the Country, State, Locality, Organization, and Organizational Unit fields that correspond to your organization. These values form part of the distinguished name for the certificate.
6. Enter a descriptive name for the certificate in the Common Name field. This value is used to identify the certificate as the issuer of other certificates, notably the signing certificate.
7. For a root certificate, the Signing Common Name field is included on the form. Enter a descriptive name for the signing certificate in the Signing Common Name field. This value is used to identify the signing certificate as the issuer of client and server certificates from this certificate authority. The other identity information in the signing certificate will be the same as for the root certificate.
8. Enter a contact email address in the Email Address field. This email address is included in the root and signing certificates, and provides a way for users of the certificate authority to contact your organization.
9. In the Private Key area, use the Key Type drop-down list to specify the type of private key that should be created for the certificate: