Dell Powerconnect W-ClearPass Virtual Appliances User Manual
Dell Networking W-ClearPass
Guest 6.4
User Guide
Copyright
© 2014 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks®, Aruba
Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®.
Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.
All rights reserved. Specifications in this manual are subject to change without notice.
Originated in the USA. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject
to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source
Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011
Infoblox, Inc. All rights reserved.This product includes software developed by Lars Fenneberg, et al. The Open Source
code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate
other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it
with respect to infringement of copyright on behalf of those vendors.
2 | Dell Networking W-ClearPass Guest 6.4 | User Guide
Contents
About this Guide 17
Audience 17
Conventions 17
Contacting Support 18
W-ClearPass Guest Overview 19
About Dell Networking W-ClearPass Guest 19
Visitor Access Scenarios 20
Reference Network Diagram 21
Key Interactions 22
AAA Framework 23
Key Features 24
Visitor Management Terminology 25
W-ClearPass Guest Deployment Process 26
Operational Concerns 26
Network Provisioning 26
Site Preparation Checklist 27
Security Policy Considerations 27
AirGroup Deployment Process 28
Documentation and User Assistance 29
User Guide and Online Help 29
Context-Sensitive Help 29
Field Help 29
Quick Help 30
If You Need More Assistance 30
Use of Cookies 30
W-ClearPass Guest Manager 31
Accessing Guest Manager 31
About Guest Management Processes 32
Sponsored Guest Access 32
Self Provisioned Guest Access 32
Active Sessions Management 33
Session States 35
RFC 3576 Dynamic Authorization 35
Dell Networking W-ClearPass Guest 6.4 | User Guide Contents | 3
Filtering the List of Active Sessions 36
Disconnecting Multiple Active Sessions 37
Sending Multiple SMS Alerts 37
About SMS Guest Account Receipts 38
Using Standard Guest Management Features 38
Creating a Guest Account 39
Creating a Guest Account Receipt 41
Creating a Device 41
Creating Devices Manually in W-ClearPass Guest 42
Creating Devices During Self-Registration - MAC Only 44
Creating Devices During Self-Registration - Paired Accounts 44
Creating Multiple Guest Accounts 45
Creating Multiple Guest Account Receipts 47
Creating a Single Password for Multiple Accounts 48
Exporting Guest Account Information 50
About CSV and TSV Exports 51
About XML Exports 51
Importing Guest Accounts 52
Managing Single Guest Accounts 55
Managing Devices 59
Changing a Device’s Expiration Date 60
Disabling and Deleting Devices 61
Activating a Device 61
Editing a Device 62
Viewing Current Sessions for a Device 63
Printing Device Details 64
Viewing Device Details 64
Managing Multiple Guest Accounts 64
AirGroup Device Registration 66
Registering Groups of Devices or Services 67
Registering Personal Devices 69
AirGroup Time-Based Sharing Syntax Examples 71
Time-Based Syntax Reference 73
About AirGroup Time-Based Sharing 75
Basics of Time-Based Sharing Setup 75
MAC Authentication in W-ClearPass Guest 76
MAC Address Formats 76
Automatically Registering MAC Devices in W-ClearPass Policy Manager 76
4 | Contents Dell Networking W-ClearPass Guest 6.4 | User Guide
Importing MAC Devices 77
Advanced MAC Features 77
User Detection on Landing Pages 77
Click-Through Login Pages 78
Onboard 79
Accessing Onboard 79
About W-ClearPass Onboard 80
Onboard Deployment Checklist 81
Onboard Feature List 83
Supported Platforms 84
Public Key Infrastructure for Onboard 85
Certificate Hierarchy 85
Certificate Configuration in a Cluster 86
Revoking Unique Device Credentials 86
Revoking Credentials to Prevent Network Access 86
Re-Provisioning a Device 87
Network Requirements for Onboard 87
Using Same SSID for Provisioning and Provisioned Networks 87
Using Different SSID for Provisioning and Provisioned Networks 88
Configuring Online Certificate Status Protocol 88
Configuring Certificate Revocation List (CRL) 88
Network Architecture for Onboard 89
Network Architecture for Onboard when Using W-ClearPass Guest 90
The W-ClearPass Onboard Process 91
Devices Supporting Over-the-Air Provisioning 91
Devices Supporting Onboard Provisioning 93
Configuring the User Interface for Device Provisioning 95
Using the {nwa_mdps_config} Template Function 95
Onboard Troubleshooting 96
iOS Device Provisioning Failures 96
Hostname-to-Certificate Match Failures 97
Onboard Interface Not Displayed 97
Certificate Renewal through OS X Mavericks 97
Certificate Authorities 97
Creating a New Certificate Authority 98
Editing Certificate Authority Settings 101
Requesting a Certificate for the Certificate Authority 105
Dell Networking W-ClearPass Guest 6.4 | User Guide Contents | 5
Installing a Certificate Authority’s Certificate 105
Using Microsoft Active Directory Certificate Services 107
Management and Control 109
Device Management (View by Device) 110
Device Management (View by Username) 113
Certificate Management (View by Certificate) 115
Searching for Certificates in the List 116
Working with Certificates in the List 116
Working with Certificate Signing Requests 119
Importing a Code-Signing Certificate 122
Importing a Trusted Certificate 123
Creating a Certificate 123
Requesting a Certificate 126
The Trust Chain and Uploading Certificates for the CA 128
Considerations for iOS Devices 130
Onboard Configuration 130
Network Settings 130
Configuring Basic Network Access Settings 131
Configuring Enterprise Protocol Settings 134
Configuring Device Authentication Settings 135
Configuring Certificate Trust Settings 136
Configuring Windows-Specific Network Settings 138
Configuring Proxy Settings 139
iOS Settings 140
Configuring ActiveSync Settings 141
Configuring AirPlay Settings 143
Configuring AirPrint Settings 144
Configuring APN Settings 145
Configuring Calendar Settings 145
Configuring Contacts Settings 147
Configuring Email Settings 148
Configuring Global HTTP Proxy Settings 151
Configuring an iOS Device Passcode Policy 152
Configuring Single Sign-On Settings 154
Configuring Calendar Subscription Settings 155
Configuring an iOS Device VPN Connection 156
Configuring Web Clips 160
Configuring Web Content Filter Settings 161
6 | Contents Dell Networking W-ClearPass Guest 6.4 | User Guide
Windows Applications 163
Configuring App Sets 163
Deployment and Provisioning 164
Configuration Profiles 165
Creating and Editing Configuration Profiles 165
Provisioning Settings 168
About Configuring Provisioning Settings 169
Configuring Basic Provisioning Settings 170
Configuring Provisioning Settings for the Web Login Page 174
Configuring Provisioning Settings for iOS and OS X 176
Configuring Provisioning Settings for Legacy OS X Devices 178
Configuring Provisioning Settings for Windows Devices 179
Configuring Provisioning Settings for Android Devices 180
Configuring Provisioning Settings for Ubuntu 181
Configuring Provisioning Settings for Chromebook 182
Configuring Options for Onboard Client Devices 184
About the Self-Service Portal 185
Configuration 187
Accessing Configuration 187
Configuring W-ClearPass Guest Authentication 188
Content Manager 189
Managing Content: Private Files and Public Files 189
Uploading Content 190
Downloading Content 191
Creating a New Content Directory 191
Configuring Guest Manager 192
Default Settings for Account Creation 192
About Fields, Forms, and Views 198
Business Logic for Account Creation 198
Verification Properties 198
Basic User Properties 198
Visitor Account Activation Properties 199
Visitor Account Expiration Properties 200
Other Properties 200
Standard Forms and Views 201
Configuring Access Code Logins 202
Customize Random Username and Passwords 202
Dell Networking W-ClearPass Guest 6.4 | User Guide Contents | 7
Create the Print Template 202
Customize the Guest Accounts Form 204
Create the Access Code Guest Accounts 204
Pages 206
Customizing Fields 206
Creating a Custom Field 206
Duplicating a Field 208
Editing a Field 208
Deleting a Field 208
Displaying Forms that Use a Field 209
Displaying Views that Use a Field 209
Customizing AirGroup Registration Forms 209
Customizing Forms and Views 212
Editing Forms and Views 213
Duplicating Forms and Views 213
Editing Forms 214
Form Field Editor 215
Form Display Properties 215
Form Validation Properties 227
Examples of Form field Validation 228
Advanced Form Field Properties 230
Form Field Validation Processing Sequence 231
Editing Views 233
View Field Editor 234
Customizing Guest Self-Registration 235
Accessing the Guest Self-Registration Customization Forms 236
Self-Registration Sequence Diagram 239
Editing Self-Registration Pages 240
Creating a Self-Registration Page 241
Configuring Basic Properties for Self-Registration 243
Editing Registration Page Properties 245
Editing the Default Self-Registration Form Settings 245
Creating a Single Password for Multiple Accounts 247
Editing Guest Receipt Page Properties 248
Editing Receipt Actions 248
Enabling and Editing NAS Login Properties 253
Editing Login Page Properties 254
Self-Service Portal Properties 257
8 | Contents Dell Networking W-ClearPass Guest 6.4 | User Guide
Resetting Passwords with the Self-Service Portal 258
Managing Web Logins 260
Creating and Editing Web Login Pages 261
Receipts 270
Digital Passes 271
About Digital Passes 271
Viewing Digital Pass Certificates 274
Installing Digital Pass Certificates 275
Managing Digital Passes 276
Creating and Editing a Digital Pass Template 277
Example Template Code Variables 283
Images in Digital Passes 283
Email Receipts and SMTP Services 284
About Email Receipts 284
Configuring Email Receipts 285
Email Receipt Options 286
About Customizing SMTP Email Receipt Fields 288
Customizing SMS Receipt 290
SMS Receipt Fields 290
Customizing Print Templates 291
Creating New Print Templates 292
Print Template Wizard 293
Modifying Wizard-Generated Templates 294
Setting Print Template Permissions 294
SMS Services 296
Viewing SMS Gateways 296
Creating a New SMS Gateway 297
Editing an SMS Gateway 301
Sending an SMS 303
About SMS Credits 303
About SMS Guest Account Receipts 304
SMS Receipt Options 305
Working with the MobileCarriers List 305
About Translations 307
Translation Packs 308
Creating and Editing Translation Packs 308
Translation Assistant 310
Customizing Translated User Interface Text 311
Dell Networking W-ClearPass Guest 6.4 | User Guide Contents | 9
Advertising Services 313
About Advertising Services 313
Materials 313
Promotions 313
Campaigns 314
Spaces 314
Pages 314
Advertising Services Process Overview 314
About the Tutorial 314
Navigating the Tutorial 315
Advertising Pages 315
Editing Advertising Pages 316
The nwa_adspace Smarty Template Tag 320
Advertising Spaces 323
Creating and Editing Advertising Spaces 324
"Other Location" Example 326
"Maximum Height" Example 327
"Maximum Width" Example 328
Advertising Campaigns 329
Creating and Editing Advertising Campaigns 329
Campaign Rank and Weight 332
Advertising Promotions 332
Creating and Editing Advertising Promotions 333
Using Labels in Advertising Services 336
Advertising Materials 337
Creating and Editing Advertising Materials 338
Hotspot Manager 341
Accessing Hotspot Manager 341
About Hotspot Management 342
Managing the Hotspot Sign-up Interface 342
Captive Portal Integration 343
Web Site Look-and-Feel 344
SMS Services 344
Managing Hotspot Plans 344
Editing or Creating a Hotspot Plan 345
Managing Transaction Processors 346
Creating a New Transaction Processor 347
10 | Contents Dell Networking W-ClearPass Guest 6.4 | User Guide
Managing Existing Transaction Processors 348
Managing Customer Information 348
Managing Hotspot Invoices 348
Customizing the User Interface 349
Customizing Visitor Sign-Up Page One 349
Customizing Visitor Sign-Up Page Two 351
Customizing Visitor Sign-Up Page Three 354
Viewing the Hotspot User Interface 355
Administration 357
Accessing Administration 357
AirGroup Services 358
AirGroup Controllers 358
Creating and Editing AirGroup Controllers 359
Configuring AirGroup Services 361
AirGroup Diagnostics 362
Creating AirGroup Administrators 363
Creating AirGroup Operators 364
Authenticating AirGroup Users via LDAP 364
Configuring LDAP User Search for AirGroup 364
LDAP User Search Architecture 364
User Search Workflow 364
Configuration Summary 365
Basic LDAP Server Settings 365
User Search Settings 366
Configuring the AirGroup Shared User Field 367
Select2 Options Details 368
Select2 Hook Details 369
MACTrac Services 370
Creating MACTrac Operators 371
Managing MACTrac Devices 371
Registering MACTrac Devices 373
About MAC Addresses 374
Automatically Supplying the MACTrac Device Address 374
API Services 375
API Clients 375
Creating and Editing API Clients 376
Configuring the API Framework Plugin 378
Dell Networking W-ClearPass Guest 6.4 | User Guide Contents | 11
Setting API Privileges in Operator Profiles 379
About OAuth 380
OAuth Basics 380
OAuth2 Client or App 381
Client ID and Secret 381
Redirect URI 381
Authorization Grant Types for OAuth 381
Application Service Accounts for OAuth 383
SOAP Web Services and API 383
Viewing Available Web Services 384
Configuring Web Services 385
SOAPAPIIntroduction 385
Audience 386
API Documentation Overview 386
Disclaimer 386
About the SOAPAPI 386
Using the SOAPAPI 388
Integration Example 391
API Documentation 395
The XML-RPC Interface and API 408
About the XML-RPC API 408
Accessing the API 411
Invoking the API 413
Method Summary 414
API Documentation 414
Data Retention 431
3.9 Configuration Import 432
Creating a Customized Configuration Backup 432
Uploading the 3.9 Backup File 433
Restoring Configuration Items 434
Viewing Imported Item Details 435
Import Information for Specific Import Items 437
Import Information: Advertising Services 438
Import Information: AirGroup Services 438
Import Information: Cisco IP Phones 438
Import Information: Guest Manager 438
Import Information: High Availability (HA) 439
Import Information: Hotspot Manager 439
12 | Contents Dell Networking W-ClearPass Guest 6.4 | User Guide
Import Information: Onboard 440
Import Information: Operator Logins 440
Import Information: Palo Alto Network Services 440
Import Information: RADIUSServices 440
Import Information: Reporting Manager Definitions 441
Import Information: Server Configuration 442
Import Information: SMSServices 443
Import Information: SMTP Services 443
Plugin Manager 444
Viewing Available Plugins 444
Configuring Plugins 445
Configuring the Kernel Plugin 446
Configuring the ArubaW-ClearPass Skin Plugin 447
Configuring the SMS Services Plugin 448
Configuring the IP Phone Services Plugin 449
Configuring the Translations Plugin 450
Support Services 450
Viewing the Application Log 451
Exporting the Application Log 452
Viewing Documentation 453
Contacting Support 453
Operator Logins 455
Accessing Operator Logins 455
About Operator Logins 455
Role-Based Access Control for Multiple Operator Profiles 456
Operator Logins Configuration 456
Custom Login Message 457
Advanced Operator Login Options 458
Automatic Logout 458
Operator Profiles 458
Creating an Operator Profile 458
Configuring the User Interface 461
Customizing Forms and Views 462
Operator Profile Privileges 462
Managing Operator Profiles 463
Configuring AirGroup Operator Device Limit 464
Local Operator Authentication 464
Dell Networking W-ClearPass Guest 6.4 | User Guide Contents | 13
Creating a New Operator 464
External Operator Authentication 465
Manage LDAP Operator Authentication Servers 465
Viewing the LDAP Server List 466
Creating an LDAP Server 467
Advanced LDAP URL Syntax 469
LDAP Operator Server Troubleshooting 469
Testing Connectivity 470
Testing Operator Login Authentication 470
Looking Up Sponsor Names 470
Troubleshooting Error Messages 471
LDAP Translation Rules 472
Custom LDAP Translation Processing 474
Reference 477
Basic HTML Syntax 477
Standard HTML Styles 478
Smarty Template Syntax 480
Basic Template Syntax 480
Text Substitution 480
Template File Inclusion 480
Comments 480
Variable Assignment 480
Conditional Text Blocks 481
Script Blocks 481
Repeated Text Blocks 481
Foreach Text Blocks 481
Modifiers 482
Predefined Template Functions 482
dump 483
nwa_commandlink 483
nwa_iconlink 484
nwa_icontext 484
nwa_quotejs 485
nwa_radius_query 485
Advanced Developer Reference 491
nwa_assign 492
nwa_bling 492
14 | Contents Dell Networking W-ClearPass Guest 6.4 | User Guide
nwa_makeid 492
nwa_nav 493
nwa_plugin 494
nwa_privilege 494
nwa_replace 495
nwa_text 495
nwa_userpref 495
nwa_youtube 495
Date/Time Format Syntax 496
nwadateformat Modifier 496
nwatimeformat Modifier 497
Date/Time Format String Reference 497
Programmer’s Reference 498
NwaAlnumPassword 499
NwaBoolFormat 499
NwaByteFormat 499
NwaByteFormatBase10 499
NwaComplexPassword 500
NwaCsvCache 500
NwaDigitsPassword($len) 500
NwaDynamicLoad 500
NwaGeneratePictureString 500
NwaGenerateRandomPasswordMix 500
NwaLettersDigitsPassword 501
NwaLettersPassword 501
NwaMoneyFormat 501
NwaParseCsv 501
NwaParseXml 502
NwaPasswordByComplexity 502
NwaSmsIsValidPhoneNumber 503
NwaStrongPassword 503
NwaVLookup 503
NwaWordsPassword 504
Field, Form, and View Reference 504
GuestManager Standard Fields 504
Hotspot Standard Fields 512
SMS Services Standard Fields 513
SMTP Services Standard Fields 513
Dell Networking W-ClearPass Guest 6.4 | User Guide Contents | 15
Format Picture String Symbols 515
Form Field Validation Functions 516
Form Field Conversion Functions 521
Form Field Display Formatting Functions 522
View Display Expression Technical Reference 523
LDAP Standard Attributes for User Class 525
Regular Expressions 526
Chromebook in Onboard 527
About Chromebook in Onboard 527
Caveats and Recommendations 528
Google Admin Chromebook License is Required 528
Managed Chromebook Deployment is Required 528
Chrome Extension is Required 528
Chromebook Release 37 or Later is Required 528
Chromebook Supports Only “Created by Device” Certificates 528
A Separate Provisioning SSID is Required 529
Directory-Based Authentication Source is Recommended 530
Onboard Configuration for Chromebook 530
Google Admin Configuration for Chromebook 531
Configuring the Chrome extension 531
Configuring Network Settings 533
Glossary 535
Index 545
16 | Contents Dell Networking W-ClearPass Guest 6.4 | User Guide
Chapter 1
About this Guide
Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which
operational staff can quickly and securely manager visitor network access.
Audience
This User Guide is intended for system administrators and people who are installing and configuring Dell
Networking W-ClearPass Guest as their visitor management solution. It describes the installation and
configuration process.
Conventions
The following conventions are used throughout this guide to emphasize important concepts:
Table 1: Typographical Conventions
Type Style Description
Italics
System items
Commands
<
Arguments
[Optional]
{Item A |
Item B}
> In the command examples, italicized text within angle brackets represents items that
This style is used to emphasize important terms and to mark the titles of books.
This fixed-width font depicts the following:
l Sample screen output
l System prompts
l Filenames, software devices, and specific commands when mentioned in the text
In the command examples, this bold font depicts text that you must type exactly as
shown.
you should replace with information appropriate to your specific situation. For example:
# send <text message>
In this example, you would type “send” at the system prompt exactly as shown, followed
by the text of the message you wish to send. Do not type the angle brackets.
Command examples enclosed in brackets are optional. Do not type the brackets.
In the command examples, items within curled braces and separated by a vertical bar
represent the available choices. Enter only one choice. Do not type the braces or bars.
Dell Networking W-ClearPass Guest 6.4 | User Guide About this Guide | 17
The following informational icons are used throughout this guide:
Indicates helpful suggestions, pertinent information, and important things to remember.
Indicates a risk of damage to your hardware or loss of data.
Indicates a risk of personal injury or death.
Contacting Support
Web Site Support
Main Website dell.com
Support Website
Documentation Website
dell.com/support
dell.com/support/manuals
18 | About this Guide Dell Networking W-ClearPass Guest 6.4 | User Guide
Chapter 2
W-ClearPass Guest Overview
This chapter explains the terms, concepts, processes, and equipment involved in managing visitor access to a
network, and helps you understand how Dell Networking W-ClearPass Guest can be successfully integrated
into your network infrastructure. It is intended for network architects, IT administrators, and security
consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor
access solution.
This chapter includes the following sections:
l "About Dell Networking W-ClearPass Guest" on page 19
l "Visitor Access Scenarios" on page 20
l "Reference Network Diagram" on page 21
l "Key Interactions" on page 22
l "AAA Framework" on page 23
l "Key Features" on page 24
l "Visitor Management Terminology" on page 25
l "W-ClearPass Guest Deployment Process" on page 26
l "AirGroup Deployment Process" on page 28
l "Documentation and User Assistance" on page 29
l "Use of Cookies" on page 30
About Dell Networking W-ClearPass Guest
Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which
operational staff can quickly and securely manage visitor network access. It gives your non-technical staff
controlled access to a dedicated visitor management user database. Through a customizable Web portal, your
staff can easily create an account, reset a password, or set an expiry time for visitors. Access permissions to WClearPass Guest functions are controlled through an operator profile that can beintegrated with an LDAP
server or Active Directory login.
Visitors can be registered at reception and provisioned with an individual guest account that defines their
visitor profile and the duration of their visit. The visitor can be given a printed customized receipt with account
details, or the receipt can be delivered wirelessly using the integrated SMS services. Companies are also able to
pre-generate custom scratch cards, each with a defined network access time, which can then be handed out in
a corporate environment or sold in public access scenarios.
You can use the customization features to define settings that allow your visitors to self-provision their own
guest accounts. Visitors register through a branded and customized Web portal, ensuring a streamlined and
professional experience. Surveys can also be presented during the self-registration process and the data stored
for later analysis and reporting, providing additional insight to your visitors and their network usage.
W-ClearPass Guest integrates with all leading wireless and NAC solutions through a flexible definition point, WClearPass Policy Manager. This ensures that IT administrators have a standard integration with the network
security framework, but gives operational staff the user interface they require.
Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 19
Visitor Access Scenarios
The following figure shows a high-level representation of a typical visitor access scenario.
Figure 1 Visitor access using W-ClearPass Guest
In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because
access to the network is restricted, visitors must first obtain a username and password. A guest account may
be provisioned by a corporate operator such as a receptionist, who can then give the visitor a print receipt that
shows their username and password for the network.
When visitors use self-registration, as might be the case for a network offering public access, the process is
broadly similar but does not require a corporate operator to create the guest account. The username and
password for a self-provisioned guest account may be delivered directly to the visitor’s Web browser, or sent
via SMS or email.
20 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide
Reference Network Diagram
The following figure shows the network connections and protocols used by W-ClearPass Guest.
Figure 2 Reference network diagram for visitor access
The network administrator, operators, and visitors may use different network interfaces to access the visitor
management features. The exact topology of the network and the connections made to it will depend on the
type of network access offered to visitors and the geographical layout of the access points.
Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 21
Key Interactions
The following figure shows the key interactions between W-ClearPass Guest and the people and other
components involved in providing guest access.
Figure 3 Interactions involved in guest access
W-ClearPass Guest is part of your network’s core infrastructure and manages guest access to the network.
NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS
protocol to ask W-ClearPass Policy Manager to authenticate the username and password provided by a guest
logging in to the network. If authentication is successful, the guest is then authorized to access the network.
Roles are assigned to a guest as part of the context W-ClearPass Policy Manager uses to apply its policies.
RADIUS attributes that define a role’s access permissions are contained within Policy Manager’s Enforcement
Profile. Additional features such as role mapping for W-ClearPass Guest can be performed in W-ClearPass
Policy Manager.
The network usage of authorized guests is monitored by the NAS and reported in summary form to WClearPass Policy Manager using RADIUS accounting, which allows administrators to generate network reports
in W-ClearPass Insight.
22 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide
AAA Framework
W-ClearPass Guest is built on the industry standard AAA framework, which consists of authentication,
authorization, and accounting components.
The following figure shows how the different components of this framework are employed in a guest access
scenario.
Figure 4 Sequence diagram for network access using AAA
In the standard AAA framework, network access is provided to a user according to the following process:
l The user connects to the network by associating with a local access point [1].
l A landing page is displayed to the user [2] which allows them to log in to the NAS [3], [4] using the login
name and password of their guest account.
l The NAS authenticates the user with the RADIUS protocol [5].
l W-ClearPass Policy Manager determines whether the user is authorized, and, if so, returns vendor-specific
attributes [6] that are used to configure the NAS based on the user’s role and other policies [7].
l If the user’s access is granted, the NAS permits the guest access to the network based on the settings
provided by the W-ClearPass Policy Manager server.
l The NAS reports details about the user’s session to the W-ClearPass Policy Manager server using RADIUS
accounting messages [8].
l After the user’s session times out [9], the NAS will return the user to an unauthorized state and finalize the
details of the user’s session with an accounting update [10].
Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 23
Key Features
Refer to the table below for a list of key features and a cross-reference to the relevant section of this User
Guide.
Table 2: List of Key features
Feature Reference
Visitor Access
Web server providing content delivery for guests "Managing Content: Private
Files and Public Files" on page
189
Guest self-registration "Customizing Guest Self-
Registration" on page 235
Visitor Management
Create and manage visitor accounts, individually or in groups "Using Standard Guest
Management Features" on
page 38
Manage active RADIUS sessions using RFC 3576 dynamic authorization support "Active Sessions
Management" on page 33
Import and export visitor accounts "Importing Guest Accounts"
on page 52
Create guest self-registration forms "Creating a Self-Registration
Page" on page 241
Configure a self-service portal for guests "Self-Service Portal
Properties" on page 257
Local printer, SMS or email delivery of account receipts "Editing Guest Receipt Page
Properties" on page 248
Visitor Account Features
Independent activation time, expiration time, and maximum usage time "Business Logic for Account
Creation" on page 198
Define unlimited custom fields "Customizing Fields" on page
206
Username up to 64 characters "GuestManager Standard
Fields" on page 504
Customization F eatures
Create new fields and forms for visitor management "Customizing Forms and
Views" on page 212
Use built-in data validation to implement visitor survey forms "Form Validation Properties"
on page 227
Create print templates for visitor account receipts "Editing Guest Receipt Page
Properties" on page 248
24 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide
Feature Reference
Administrative Management Feat ures
Operators defined and authenticated locally "Local Operator
Authentication" on page 464
Operators authenticated via LDAP "External Operator
Authentication" on page 465
Role based access control for operators "Operator Profiles" on page
458
Plugin-based application features, automatically updated by W-ClearPass
Policy Manager
User Interface Features
Context-sensitive help with searchable online documentation "Documentation and User
"Plugin Manager" on page
444
Assistance" on page 29
Visitor Management Terminology
The following table describes the common terms used in W-ClearPass Guest and this guide.
Table 3: Common Terms
Term Explanation
Accounting Process of recording summary information about network access by users and
devices.
Authentication Verification of a user’s credentials; typically a username and password.
Authorization Controls the type of access that an authenticated user is permitted to have.
Captive Portal Implemented by a Network Access Server to restrict network access to authorized
users only.
Field In a user interface or database, a single item of information about a user account.
Form In a user interface, a collection of editable fields displayed to an operator.
Network Access Server Device that provides network access to users, such as a wireless access point,
network switch, or dial-in terminal server. When a user connects to the NAS
device, a RADIUS access request is generated by the NAS.
Operator Profile Characteristics assigned to a class of operators, such as the permissions granted
to those operators.
Operator/Operator Login User of W-ClearPass Guest to create guest accounts or perform system
configuration.
Print Template Formatted template used to generate guest account receipts.
Role Type of access being granted to visitors. You can define multiple roles. Such roles
could include employee, guest, team member, or press.
Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 25
Term Explanation
Sponsor Operator
User Database Database listing the guest accounts in W-ClearPass Guest.
View In a user interface, a table displaying data, such as visitor account information, to
operators.
Visitor/Guest Someone who is permitted to access the Internet through your Network Access
Server.
Visitor Account Settings for a visitor stored in the user database, including username, password
and other fields.
Web Login/NAS Login Login page displayed to a guest user.
W-ClearPass Guest Deployment Process
As part of your preparations for deploying a visitor management solution, you should consider the following
areas:
l Management decisions about security policy
l Decisions about the day-to-day operation of visitor management
l Technical decisions related to network provisioning
Operational Concerns
When deploying a visitor management solution, you should consider these operational concerns:
l Who is going to be responsible for managing guest accounts? What privileges will the guest account
manager have? Will this person only create guest accounts or will this person also be permitted access to
reports?
l Do you want guests to be able to self-provision their own network access? What settings should be applied
to self-provisioned visitor accounts?
l How will operator logins be provisioned? Should operators be authenticated against an LDAP server?
l Who will manage reporting of guest access? What are the reports of interest? Are any custom reports
needed?
Network Provisioning
W-ClearPass Guest requires provisioning the following:
l Physical location – rack space, power and cooling requirements; or deployment using virtualization
l Network connectivity – VLAN selection, IP address, and hostname
l Security infrastructure – SSL certificate
26 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide
Site Preparation Checklist
The following is a checklist of the items that should be considered when setting up W-ClearPass Guest.
Table 4: Site Preparation Checklist
ü
Security Policy
Operational Concerns
Policy Decision
Segregated guest accounts?
Type of network access?
Time of day access?
Bandwidth allocation to guests?
Prioritization of traffic?
Different guest roles?
IP address ranges for operators?
Enforce access via HTTPS?
Who will manage guest accounts?
Guest account self provisioning?
What privileges will the guest managers have?
Who will be responsible for printing reports?
Network Management Policy
Password format for guest accounts?
Shared secret format?
Operator provisioning?
Network Provisioning
Physical location?
Network connectivity?
Security infrastructure?
Security Policy Considerations
To ensure that your network remains secure, decisions have to be made regarding guest access:
l Do you wish to segregate guest access? Do you want a different VLAN, or different physical network
infrastructure to be used by your guests?
Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 27
l What resources are you going to make available to guests (for example, type of network access; permitted
times of day; bandwidth allocation)?
l Will guest access be separated into different roles? If so, what roles are needed?
l How will you prioritize traffic on the network to differentiate quality of service for guest accounts and non-
guest accounts?
l What will be the password format for guest accounts? Will you be changing this format on a regular basis?
l What requirements will you place on the shared secret, between NAS and the RADIUS server to ensure
network security is not compromised?
l What IP address ranges will operators be using to access the server?
l Should HTTPS be required in order to access the visitor management server?
AirGroup Deployment Process
AirGroup allows users to register their personal mobile devices on the local network and define a group of
friends or associates who are allowed to share them. You use W-ClearPass Guest to define AirGroup
administrators and operators. AirGroup administrators can then use W-ClearPass Guest to register and
manage an organization’s shared devices and configure access according to username, role, location, or time.
AirGroup operators (end users) can use W-ClearPass Guest to register their personal devices and define the
group who can share them.
Table 5 summarizes the steps for configuring AirGroup functionality in W-ClearPass Guest. Details for these
steps areprovided in the relevant sections of this Guide. This table does not include the configuration steps
performed in W-ClearPass Policy Manager or the W-Series controller. For complete AirGroup deployment
information, refer to the AirGroup sections in the Dell Networking W-Series ArubaOS User Guide and the WClearPass Policy Manager documentation.
Table 5: Summary of AirGroup Configuration Steps in W-ClearPass Guest
Step Section in this Guide
Create AirGroup administrators "Creating a New Operator" on page 464
Create AirGroup operators
Configure an operator’s device limit "Configuring AirGroup Operator Device Limit" on page 464
Configure an AirGroup controller "AirGroup Controllers" on page 358
Enable support for dynamic notifications "Configuring AirGroup Services" on page 361
To authenticate AirGroup users via LDAP:
Define the LDAP server
Define appropriate translation rules
AirGroup administrator: Register devices or groups
of devices
"External Operator Authentication" on page 465
"LDAP Translation Rules" on page 472
"AirGroup Device Registration" on page 66
AirGroup operator: Register personal devices
(Optional) Configure device registration form with
drop-down lists for existing locations and roles
Set up time-based sharing "About AirGroup Time-Based Sharing" on page 75
28 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide
"Customizing AirGroup Registration Forms" on page 209
Documentation and User Assistance
This section describes the variety of user assistance available for W-ClearPass Guest.
User Guide and Online Help
This User Guide provides complete information for all W-ClearPass Guest features. The following quick links
may be useful in getting started.
Table 6: Quick Links
For information about... Refer to...
What visitor management is and how it works "About Dell Networking W-ClearPass Guest" on page
19
Using the guest management features "Using Standard Guest Management Features" on
page 38
Role-based access control for operators "Operator Profiles" on page 458
Setting up LDAP authentication for operators "External Operator Authentication" on page 465
Guest self-provisioning features "Self Provisioned Guest Access" on page 32
Dynamic authorization extensions "RFC 3576 Dynamic Authorization" on page 35
SMS receipts for guest accounts "SMS Services" on page 296
Email receipts for guest accounts "Email Receipts and SMTP Services" on page 284
Network administration of the appliance "Administration" on page 357
Context-Sensitive Help
For more detailed information about the area of the application you areusing, click the context-sensitive Help
link displayed at the top right of the page. This opens a new browser tab showing the relevant section of this
User Guide.
The User Guide may besearched using the Search box in the top right corner.
Type in keywords related to your search and click the Search button to display a list of matches. Themost
relevant matches will be displayed first. Words may be excluded from the search by typing a minus sign directly
before the word to exclude (for example-exclude). Exact phrase matches may also be searched for by enclosing
the phrase in double quotes (for example, “word phrase”).
Field Help
The W-ClearPass Guest user interface has field help built into every form. The field help provides a short
summary of the purpose of the field at the point you need it most. In many cases this is sufficient to use the
Dell Networking W-ClearPass Guest 6.4 | User Guide W-ClearPass Guest Overview | 29
application without further assistance or training.
Quick Help
In list views, click the Quick Help tab located at the top left of the list to display additional information
about the list you are viewing and the actions that areavailable within the list.
On some forms and views, the Quick Help icon may also be used to provide additional detail about a field.
If You Need More Assistance
If you encounter a problem using W-ClearPass Guest, your first step should be to consult the appropriate
section in this User Guide.
If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you
with the answer or obtain a solution to your problem.
If you still need information, you can refer to the Contact Support command available under Support
Services in the user interface, or see "Contacting Support" on page 18.
Use of Cookies
Cookies are small text files that are placed on a user’s computer by Web sites the user visits. They are widely
used in order to make Web sites work, or work more efficiently, as well as to provide information to the owners
of a site. Session cookies are temporary cookies that last only for the duration of one user session.
When a user registers or logs in via a Dell captive portal, Dell uses session cookies solely to remember between
clicks who a guest or operator is. Dell uses this information in a way that does not identify any user-specific
information, and does not make any attempt to find out the identities of those using its W-Series ClearPass
products. Dell does not associate any data gathered by the cookie with any personally identifiable information
(PII) from any source. Dell uses session cookies only during the user’s active session and does not store any
permanent cookies on a user’s computer. Session cookies are deleted when the user closes his/her Web
browser.
30 | W-ClearPass Guest Overview Dell Networking W-ClearPass Guest 6.4 | User Guide
Loading...