Aruba Networks PowerConnect W Clearpass 100 Software Deployment Manual

3.9 deployment guide
Summary of Contents for Aruba Networks PowerConnect W Clearpass 100 Software

  • Page 1 ClearPass Guest 3.9...
  • Page 2 Copyright © 2012 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. ...
  • Page 19: Clearpass Guest

    Chapter 1 ClearPass Guest Collaboration between companies and mobility of staff has never been greater. Distributed workforces, traveling sales staff and a dependence on outsourced contractors and consultants require efficient management, which can pose problems for network security and operational staff. With visitors increasingly requiring online access to perform their work, ClearPass Guest provides a simple interface that can quickly create and manage visitor accounts within a pre-defined security profile.
  • Page 20: Documentation Overview

    Documentation Overview Click the context-sensitive Help link displayed at the top right of each page to go directly to the relevant section of the deployment guide. The following quick links may be useful in getting started. Table 1 Quick Links For information about... Refer to...
  • Page 21: Getting Support

    Chapter 11, “High Availability Services” describes the optional high availability services that may be used to deploy a cluster of appliances in a fault-tolerant configuration. Chapter 12, “Reference” contains technical reference information about many of the built-in features of ...
  • Page 22: If You Need More Assistance

    Words may be excluded from the search by typing a minus sign directly before the word to exclude (for example, -exclude). Exact phrase matches may also be searched for by enclosing the phrase in double quotes (for example, “word phrase”). If You Need More Assistance If you encounter a problem using ClearPass Guest, your first step should be to consult the appropriate section in this Deployment Guide.
  • Page 23: Management Overview

    Chapter 2 Management Overview This section explains the terms, concepts, processes, and equipment involved in managing visitor access to a network. The content here is intended for network architects, IT administrators and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.
  • Page 24: Reference Network Diagram

    Reference Network Diagram The following figure shows the network connections and protocols used by ClearPass Guest. See Figure 2. Figure 2 Reference network diagram for visitor access The network administrator, operators and visitors may use different network interfaces to access the visitor management features.
  • Page 25: Aaa Framework

    Figure 3 Interactions involved in guest access ClearPass Guest is part of your network’s core infrastructure and manages guest access to the network. NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS protocol to ask ClearPass Guest to authenticate the username and password provided by a guest logging in to the network.
  • Page 26: Figure 4 Sequence Diagram For Network Access Using Aaa

    Figure 4 Sequence diagram for network access using AAA In the standard AAA framework, network access is provided to a user according to the following process: The user connects to the network by associating with a local access point [1]. ...
  • Page 27: Key Features

    Key Features Refer to the table below for a list of key features and a cross-reference to the relevant section of this deployment guide. Table 2 List of Key features Feature Refer to… Visitor Access RADIUS server providing authentication, authorization, and accounting (AAA) “RADIUS Services”...
  • Page 28 Table 2 List of Key features (Continued) Visitor Account Features Independent activation time, expiration time, and maximum usage time “Business Logic for Account Creation” Disable or delete at account expiration “Account Expiration Types” Logout at account expiration “Account Expiration Types” Define unlimited custom fields “Customization of Fields”...
  • Page 29: Visitor Management Terminology

    Table 2 List of Key features (Continued) Advanced RADIUS modules for custom configuration “Server Configuration” Customize RADIUS dictionary “Dictionary” User Interface Features Context-sensitive help with searchable online documentation “Documentation Overview” Visitor Management Terminology The following table describes the common terms used in this guide. See Table 3. Table 3 Common Terms Term...
  • Page 30: Deployment Process

    Table 3 Common Terms (Continued) Web Login/NAS Login Login page displayed to a guest user. Deployment Process As part of your preparations for deploying a visitor management solution, you should consider the following areas: Management decisions about security policy; decisions about the day-to-day operation of visitor management ...
  • Page 31: Site Preparation Checklist

    Site Preparation Checklist The following is a checklist of the items that should be considered when setting up ClearPass Guest. Table 4 Site Preparation Checklist Policy Decision Security Policy Segregated guest accounts? Type of network access? Time of day access? Bandwidth allocation to guests? Prioritization of traffic? Different guest roles?
  • Page 33: Setup Guide

    Chapter 3 Setup Guide This section covers the initial deployment and configuration of ClearPass Guest. If you have a hardware appliance, see “Hardware Appliance Setup” in this chapter. If you are using ClearPass Guest in a virtual machine, see “Setting Up the Virtual Appliance” in this chapter.
  • Page 34: Setting Up The Virtual Appliance

    Setting Up the Virtual Appliance VMware Workstation or VMware Player The virtual appliance is packaged as a zip file containing a directory with the files for the virtual machine. To install the virtual appliance: 1. Extract the contents of the zip file to a new directory. 2.
  • Page 35: Accessing The Console User Interface

    The configuration for the virtual machine includes one virtual Ethernet adapter. The initial network configuration of this adapter is: Table 7 Virtual ethernet adapter configuration Item Network Adapter Configuration Method DHCP IP Address – Netmask – Gateway – – Adapter Name eth0 Hostname clearpass-guest.localdomain...
  • Page 36: Console User Interface Functions

    When the administrator password is set during the setup wizard, the root password for the system will also be set to this password. However, once you have set the initial root password, future changes to the administrator password will not change the appliance’s root password. The username to access the console user interface is always admin and cannot be changed.
  • Page 37: Accessing The Graphical User Interface

    Accessing the Graphical User Interface After you start ClearPass Guest, the initial startup screen is displayed in the console. To open the ClearPass Guest graphical user interface (GUI): Either type or copy and paste the displayed URL into your Web browser. ...
  • Page 38: Accepting The Clearpass Guest License Agreement

    Accepting the ClearPass Guest License Agreement The first time you log in, you are prompted to accept the license agreement. To accept the agreement and continue the installation: 1. Review the software license agreement. 2. Mark the Accept check box, then click Continue. If you have any questions about the license agreement, contact Aruba support using the Web site http://support.arubanetworks.com.
  • Page 39: Setting The System Hostname

    To create a new password for the administrator account: 1. (Optional) For enhanced security, you may choose to change the Operator Username of the administrative account. Changing the username of the administrator account does not change the username for logging in to the console user interface. 2.
  • Page 40: Configuring Network Interfaces

    2. In the Hostname field, enter the new name. A valid hostname is a domain name that contains two or more components separated by a period (.). Hostname parameters are: Each component of the hostname must not exceed 63 characters ...
  • Page 41: Configuring Http Proxy Settings

    ClearPass Guest must be configured appropriately for your organization’s relevant network infrastructure. For details on how to configure your network interface, see Changing Network Interface Settings in the Administrator Tasks chapter. Configuring HTTP Proxy Settings If you do not need to configure an HTTP proxy, click Skip to Mail Settings to continue with setup. To configure HTTP proxy settings: 1.
  • Page 42: Configuring Smtp Mail Settings

    Configuring SMTP Mail Settings To configure SMTP settings: 1. Go to Administrator > Network Setup > SMTP Configuration. 2. For details on how to complete the SMTP configuration, see “SMTP Configuration” in the Administrator Tasks chapter. 3. When you have completed the fields on this form, click the Send Test Message button to send an email to a test email address.
  • Page 43: Configuring Server Time And Time Zone

    2. For details on how to complete the SNMP configuration, see “SNMP Configuration” in the Administrator Tasks chapter. 3. Click the Save Changes button to apply the SNMP configuration. Configuring Server Time and Time Zone To ensure that authentication, authorization and accounting (AAA) is performed correctly, it is vital that the server maintains the correct time of day at all times.
  • Page 44: Configuring The Default Radius Nas Vendor Type

    To use a public NTP server, enter the following hostnames: 0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org You can also use NTP pool servers located in your region. For more information, refer to the NTP Pool Project Web site: http://www.pool.ntp.org. NTP can interfere with timekeeping in virtual machines. The default virtual machine configuration will automatically synchronize its time with the host server, so you should not configure NTP within the virtual machine.
  • Page 45: Configuring The Clearpass Guest Subscription Id

    To define the RADIUS network access servers: 1. In the Name field, enter a descriptive name to identify the first NAS server. 2. For details on how to complete the rest of the fields for defining the NAS entry, see “Creating a in the RADIUS Services chapter.
  • Page 46: Installing Subscription Updates

    To provide your subscription information: 1. In the Subscription ID field, enter your subscription ID or IDs. A subscription ID consists of number and letter groups separated with hyphens. A typical subscription ID might look like this: xn2ncr-gyjyd4-mxlx2s-fv9gcy-rwy7n6 Incorrectly-formatted subscription IDs cannot be entered in this form. A form validation error is displayed if an incorrect value is entered.
  • Page 47: Setup Completion

    To install the default selections: You do not need to make any selections; the system has already determined what you need. Simply click the Finish button to download and install the selected plugins. Setup Completion After downloading and installing the available plugin updates, the setup process is complete, and the Welcome screen is displayed.
  • Page 48 Operator logins are the login accounts used for administration and management of ClearPass Guest. The default administrative operator account is configured during the setup process. See “About Operator Logins” in the Operator Logins chapter for more details on configuring operator logins. Visitor accounts are the user accounts for which ClearPass Guest performs authentication, authorization and accounting (AAA) functions.
  • Page 49: Onboard

    Chapter 4 Onboard Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate access credentials and setting up the network connection parameters. ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices—Windows, Mac OS X, iOS and Android—across wired, wireless and VPNs.
  • Page 50 Table 10 Onboard Deployment Checklist Deployment Step Reference Configure SSL certificate for the Onboard provisioning server. “SSL Certificate” in the Administrator Tasks chapter A commercial SSL certificate is required to enable secure device provisioning for iOS devices. Configure the Onboard certificate authority. “Configuring the Certificate Authority”...
  • Page 51: Onboard Feature List

    Onboard Feature List The following features are available in ClearPass Onboard. Table 11 Onboard Features Feature Uses Automatic configuration of network settings: Configure wired networks using 802.1X for wired and wireless endpoints. Configure Wi-Fi networks using either 802.1X or pre-shared key (PSK) ...
  • Page 52: Public Key Infrastructure For Onboard

    Table 12 Platforms Supported by ClearPass Onboard Version Required for Platform Example Devices Notes Onboard Support Apple Mac OS X MacBook Pro Mac OS X 10.8 “Mountain Lion” MacBook Air Mac OS X 10.7 “Lion” Mac OS X 10.6 “Snow Leopard” Mac OS X 10.5 “Leopard”...
  • Page 53: Revoking Unique Device Credentials

    Figure 6 Relationship of Certificates in the Onboard Public Key Infrastructure The root certificate authority (CA) is typically an enterprise certificate authority, with one or more intermediate CAs used to issue certificates within the enterprise. Onboard may operate as a root CA directly, or as an intermediate CA. See “Configuring the Certificate Authority”.
  • Page 54: Revoking Credentials To Prevent Network Access

    To disable network access for a device, revoke the TLS client certificate provisioned to the device. See “Working with Certificates”. Note: Revoking access for a device is only possible when using an enterprise network. Personal (PSK) networks do not support this capability. Revoking Credentials to Prevent Network Access Revoking a device’s certificate will also prevent the device from being re-provisioned.
  • Page 55: Network Requirements For Onboard

    Network Requirements for Onboard For complete functionality to be achieved, ClearPass Onboard has certain requirements that must be met by the provisioning network and the provisioned network: The provisioning network must use a captive portal or other method to redirect a new device to the ...
  • Page 56: Configuring A Certificate Revocation List (Crl) For The Provisioned Network

    For example, if the Onboard server’s hostname is onboard.example.com, the OCSP URL to use is: http://onboard.example.com/mdps_ocsp.php/1. Note: OCSP does not require the use of HTTPS and can be configured to use HTTP. Configuring a Certificate Revocation List (CRL) for the Provisioned Network Onboard supports generating a Certificate Revocation List (CRL) that lists the serial numbers of certificates that have been revoked.
  • Page 57: Network Architecture For Onboard When Using Clearpass Guest

    Figure 8 Detailed View of the ClearPass Onboard Network Architecture The components shown in Figure 8 are: 1. Users bring different kinds of client device with them. Onboard supports “smart devices” that use the iOS or Android operating systems, such as smartphones and personal tablets. Onboard also supports the most common versions of Windows and Mac OS X operating systems found on desktop computers, laptops and netbooks.
  • Page 58: The Clearpass Onboard Process

    Figure 9 ClearPass Onboard Network Architecture when Using ClearPass Guest The user experience for device provisioning is the same in Figure 9 and Figure 7 on page 56; however, there are implementation differences between these approaches: When using the ClearPass Guest RADIUS server for provisioning and authentication, EAP-TLS and ...
  • Page 59: Figure 10 Clearpass Onboard Process For Ios Devices

    Figure 10 ClearPass Onboard Process for iOS Devices The Onboard process is divided into three stages: 1. Pre-provisioning. The enterprise’s root certificate is installed on the iOS device. 2. Provisioning. The user is authenticated at the device provisioning page and then provisions their device with the Onboard server.
  • Page 60: Figure 11 Sequence Diagram For The Onboard Workflow On Ios Platform

    Figure 11 Sequence Diagram for the Onboard Workflow on iOS Platform 1. When a BYOD device first joins the provisioning network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page.
  • Page 61: Devices Supporting Onboard Provisioning

    Figure 12 Over-the-Air Provisioning Workflow for iOS Platform 1. The only user interaction required is to accept the provisioning profile. This profile is signed by the Onboard server, so that the user can be assured of its authenticity. 2. An iOS device will have two certificates after over-the-air provisioning is complete: a.
  • Page 62: Figure 13 Clearpass Onboard Process For Onboard-Capable Devices

    Figure 13 ClearPass Onboard Process for Onboard-Capable Devices The Onboard process is divided into three stages: 1. Pre-provisioning. This step is only required for Android devices; the Aruba Networks QuickConnect app must be installed for secure provisioning of the device. 2.
  • Page 63: Figure 14 Sequence Diagram For The Onboard Workflow On Android Platform

    Figure 14 Sequence Diagram for the Onboard Workflow on Android Platform 1. When a BYOD device first joins the network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page. 2.
  • Page 64: Accessing Onboard

    Figure 15 Onboard Provisioning Workflow in the QuickConnect App Accessing Onboard To access ClearPass Onboard: From the Home page, click the ClearPass Onboard command link. Alternatively, use the Onboard link at the top level of the left navigation to go directly to any of the features within Onboard. Configuring the User Interface for Device Provisioning The user interface for device provisioning can be customized in three different ways: Customizing the Web login page used for device provisioning.
  • Page 65: Customizing The Device Provisioning Web Login Page

    After starting the provisioning process, users of iOS and OS X are prompted to accept a configuration profile. See “Configuring Provisioning Settings for iOS and OS X” to make changes to the content of this profile. Customizing the user interface of the QuickConnect app for Windows, Mac OS X and Android devices. ...
  • Page 66: Using The {Nwa_Mdps_Config} Template Function

    <br> <strong>1.</strong>&nbsp;&nbsp;&nbsp;&nbsp;{nwa_iconlink icon="images/icon-certificate22.png" text="Install root certificate (click here)"}{nwa_mdps_config name=root_cert}{/nwa_iconlink}<br> <strong>2.</strong>&nbsp;&nbsp;&nbsp;&nbsp;Login below using your {nwa_mdps_config name=organization_name} credentials<br> <strong>3.</strong>&nbsp;&nbsp;&nbsp;&nbsp;Install the certificate when prompted<br> <strong>4.</strong>&nbsp;&nbsp;&nbsp;&nbsp;Go to your Wi-Fi settings and connect to SSID: <strong>{nwa_mdps_config name=wifi_ssid}</strong> <br> </p> Using the {nwa_mdps_config} Template Function Certain properties can be extracted from the Onboard configuration and used in the device provisioning page.
  • Page 67 The first part of the form is used to specify the connection details for the ClearPass Policy Manager. Mark the Send device information to ClearPass Policy Manager check box when you will use Policy Manager as the authentication server for devices provisioned with Onboard. Specify the hostname or IP address of the Policy Manager publisher node in the Host text field.
  • Page 68: Configuring The Certificate Authority

    Mark the Send device information to ClearPass Profiler check box when you will use Profiler to collect device information. Select the events of interest in the Profiling Events checklist: When client requests a guest-facing page – Device information is sent to Profiler as soon as a guest- ...
  • Page 69: Setting Up The Certificate Authority

    Determine the OCSP URL for the certificate authority. View the trust chain for the certificate authority (See “Viewing the Certificate Authority’s Trust Chain”). Renew the certificate authority’s certificate (See “Renewing the Certificate Authority’s Certificate”). Configure the data retention policy applied to certificates issued by the authority (See “Configuring Data ...
  • Page 70: Setting Up A Root Certificate Authority

    Select the appropriate mode for the certificate authority: Root CA – The Onboard certificate authority issues its own root certificate. The certificate authority issues client and server certificates using a local signing certificate, which is an intermediate CA that is subordinate to the root certificate.
  • Page 71 In the Identity section of the form: Enter values in the Country, State, Locality, Organization, and Organizational Unit text fields that correspond to your organization. These values form part of the distinguished name for the root certificate. Enter a descriptive name for the root certificate in the Common Name text field. This value will be used ...
  • Page 72: Setting Up An Intermediate Certificate Authority

    In the Private Key section: Mark the Generate a new private key check box to create a new private key for the root certificate. This is only necessary if you are recreating the entire certificate authority from the beginning. Note: If you have previously created any client or server certificates or performed device provisioning using the existing root certificate, these certificates will be invalidated when changing the root certificate’s private key.
  • Page 73 In the Identity section of the form: Enter values in the Country, State, Locality, Organization, and Organizational Unit text fields that correspond to your organization. These values form part of the distinguished name for the certificate authority. Enter a descriptive name for the certificate authority in the Common Name text field. This value will be ...
  • Page 74: Obtaining A Certificate For The Certificate Authority

    The Key Type drop-down list specifies the type of private key that should be created for the certificate. You can select one of these options:
    - 1024-bit RSA – not recommended for a certificate authority
    - 2048-bit RSA – recommended for general use ...
  • Page 75 Click the Request a Certificate link on this page. The Request a Certificate page is displayed. Click the link to submit an advanced certificate request. The Submit a Certificate Request or Renewal Request page is displayed. ClearPass Guest 3.9 | Deployment Guide Onboard |...
  • Page 76 Copy and paste the certificate signing request text into the Saved Request text field. Because this certificate is for a certificate authority, select the “Subordinate Certificate Authority” in the Certificate Template drop-down list. Click the Submit button to issue the certificate. The Certificate Issued page is displayed. Select the Base 64 encoded option and then click the Download certificate chain link.
  • Page 77: Installing A Certificate Authority's Certificate

    Installing a Certificate Authority’s Certificate The CA Certificate Import page may be used to: Upload a certificate that has been issued by another certificate authority. This process is required when configuring an intermediate certificate authority. A private key is not required, as the certificate authority has already generated one and used it to ...
  • Page 78: Renewing The Certificate Authority's Certificate

    Choose the file to upload in the Certificate field. To upload a single certificate, choose a certificate file in PEM (base-64 encoded) or binary format (.crt or PKCS#7). Leave the passphrase fields blank. To upload a certificate’s private key as a separate file, choose the private key file in PEM (base-64 encoded) format.
  • Page 79: Configuring Data Retention Policy For Certificates

    Replacement Renewal – Generates a new private key for the root certificate, and reissues the root CA certificate with an updated validity period. Use this option if the root certificate has been compromised, or if you want to invalidate all certificates that were previously issued by the CA. Whether you renew or replace the root certificate, you should distribute a new copy of the root certificate to all users of that certificate.
  • Page 80: Creating A Certificate

    Click the Show certificate link to view the properties of a certificate in the trust chain. Creating a Certificate From the Certificate Management page, click the Generate a new certificate signing request link to access the Certificate Request form. To create a new certificate or certificate signing request, first select the type of certificate you want to create from the Certificate Type drop-down list: TLS Client Certificate –...
  • Page 81: Specifying The Identity Of The Certificate Subject

    Specifying the Identity of the Certificate Subject In the first part of the form, provide the identity of the person or device for which the certificate is to be issued (the “subject” of the certificate). Together, these fields are collectively known as a distinguished name, or “DN”.
  • Page 82: Issuing The Certificate Request

    Table 14 Subject Alternative Name Fields Supported When Creating a TLS Client Certificate Signing Request
    - Device Type – Type of device, such as “iOS”, “Android”, etc.
    - Device UDID – Unique device identifier (UDID) for this device. This is typically a 64-bit, 128-bit or 160-bit number represented in hexadecimal (16, 32 or 40 characters, respectively).
  • Page 83: Searching For Certificates

    Table 15 Types of Certificate Supported by Onboard Certificate Management
    - Root certificate – Self-signed certificate for the certificate authority
    - Intermediate certificate – Issued by the root CA or another intermediate CA
    - Profile signing certificate (“Type” column: profile-signing) – Issued by the certificate authority
    - Certificate signing request (“Type” column: tls-client or tls-server) – The type shown depends on the kind of...
  • Page 84 Use the Format drop-down list to select the format in which the certificate should be exported. The following formats are supported:
    - PKCS#7 Certificates (.p7b) – Exports the certificate, and optionally the other certificates forming the trust chain for the certificate, as a PKCS#7 container.
    - Base-64 Encoded (.pem) –...
  • Page 85: Working With Certificate Signing Requests

    Once the certificate has been revoked, future checks of the certificate’s validity using OCSP or CRL will indicate that the certificate is no longer valid. Note: Due to the way in which certificate revocation lists work, a certificate cannot be un-revoked. A new certificate must be issued if a certificate is revoked in error.
  • Page 86 Use the Format drop-down list to select the format in which the certificate signing request should be exported. The following formats are supported:
    - PKCS#10 Certificate Request (.p10) – Exports the certificate signing request in binary format.
    - Base-64 Encoded (.pem) – Exports the certificate signing request as a base-64 encoded text file. ...
  • Page 87: Requesting A Certificate

    Mark the Reject this request check box to confirm that the certificate signing request should be rejected, and then click the Reject Request button. Delete request – Removes the certificate signing request from the list. This option is only available if ...
  • Page 88: Providing A Certificate Signing Request File

    Paste the text into the Certificate Signing Request text field. Be sure to include the complete block of text, including the beginning and ending lines. A complete certificate signing request looks like the following: -----BEGIN CERTIFICATE REQUEST----- ...
  • Page 89: Specifying Certificate Properties

    Use the Certificate Signing Request field to select the appropriate file for upload. Note: The file should be a base-64 encoded (PEM format) PKCS#10 certificate signing request. Specifying Certificate Properties Select the type of certificate from the Certificate Type drop-down list. Choose from one of the following options: TLS Client Certificate –...
  • Page 90: Configuring Basic Provisioning Settings

    This page is used to configure the settings for ClearPass Onboard device provisioning, including:
    - The organization name displayed during device provisioning
    - Properties for the certificates issued to devices when they are provisioned
    - Which operating systems should be supported ...
  • Page 91 The Certificate Authority drop-down list can be used to select a different certificate authority. By default, there is only a single certificate authority. Use the Validity Period text field to specify the maximum length of time for which a client certificate issued during device provisioning will remain valid.
  • Page 92: Table 16 Device Information Stored In TLS Client Certificates

    Mark the Include device information in TLS client certificates check box to include additional fields in the TLS client certificate issued for a device. These fields are stored in the subject alternative name (subjectAltName) of the certificate. Refer to Table 16 on page 92 for a list of the fields that are stored in the certificate when this option is enabled.
  • Page 93: Configuring Provisioning Settings For iOS And OS X

    Configuring Provisioning Settings for iOS and OS X The third part of the Device Provisioning Settings form is used to specify provisioning settings related to iOS devices. Mark the Enable iOS and OS X 10.7+ (Lion or later) device provisioning check box to enable provisioning for these devices.
  • Page 94: Configuring Provisioning Settings For Mac OS X, Windows, And Android Devices

    Select one of the following options in the Profile Security drop-down list to control how a device provisioning profile may be removed:
    - Always allow removal – The user may remove the device provisioning profile at any time, which will also remove the associated device configuration and unique device credentials.
  • Page 95 Mark the appropriate check boxes here to enable device provisioning on the respective platforms:
    - Enable OS X 10.5 (Leopard) and 10.6 (Snow Leopard) device provisioning
    - Enable Windows XP, Vista and 7 (or later) device provisioning
    - Enable Android device provisioning ...
  • Page 96: Configuring User Interface Options For Mac OS X, Windows, And Android Devices

    The Provisioning Access warning message is displayed when HTTPS is not required for guest access. HTTPS is recommended for all deployments as it secures the unique device credentials that will be issued to the device. Note: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate. Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate authority, will cause iOS device provisioning to fail with the message “The server certificate for …...
  • Page 97: Configuring Network Settings For Device Provisioning

    Enter a number in the Maximum Devices field to limit the maximum number of devices that each user may provision. Devices are recognized as unique when they have a different MAC address, or a different device identifier (when the MAC address is not available). Configuring Network Settings for Device Provisioning To configure the network settings that will be sent to a provisioned device, go to Onboard >...
  • Page 98 The options available in the Network Type drop-down list are:
    - Both — Wired and Wireless – Configures both wired (Ethernet) and wireless network adapters. Use this option when you have 802.1X configured for all types of network access.
    - Wireless only – Configures only wireless network adapters. ...
  • Page 99: Configuring 802.1X Authentication Network Settings

    Configuring 802.1X Authentication Network Settings Click the Protocols tab to display the Enterprise Protocols form. Use this form to specify the authentication methods required by your network infrastructure.
    - The Legacy OS X EAP option supports only PEAP with MSCHAPv2.
    - The Windows EAP option supports only PEAP with MSCHAPv2.
  • Page 100: Configuring Device Authentication Settings

    Click the Previous button to return to the Access tab. Click the Next button to continue to the Authentication tab. Click the Save Changes button to make the new network configuration settings take effect. Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.
  • Page 101 In the Trusted Certificates row, mark the check box for each server certificate that the client should trust. Use the Upload Certificate field to upload additional server certificates. These certificates will be displayed in the certificate management list view with the type “tls-server”. These best practices are recommended for enterprise trust options: Provide the certificate for each authentication server that a provisioned device will use, and select it in ...
  • Page 102: Configuring Windows-Specific Network Settings

    take effect. Click the Cancel button to discard your changes and return to the main Onboard configuration user interface. Configuring Windows-Specific Network Settings Click the Windows tab to display the Windows Network Settings form. Network Access Protection (NAP) is a feature in Windows Server 2008 that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy.
  • Page 103: Configuring Post-Installation Instructions

    Select one of these options in the Proxy Type drop-down list:
    - None – No proxy server will be configured.
    - Manual – A proxy server will be configured, if the device supports it. Specify the proxy server settings in the Server and Server Port fields.
    - Automatic –...
  • Page 104: Configuring An iOS Device VPN Connection

    The Instructions text field can be used to provide more information or instructions to an iOS or OS X user immediately after device provisioning has completed. For example, if you have provisioned Wi-Fi network settings for an SSID that is separate from the initial provisioning SSID, you could add a message requesting that the user now switch to the new SSID in order to complete setup.
  • Page 105 Mark the Add this VPN to the device profile check box to enable provisioning of VPN settings. The Display Name text field specifies the name for this VPN connection. This will be displayed on the device in the Settings app. To help the user identify the connection easily, include your organization’s name in the Display Name field.
  • Page 106: Configuring An iOS Device Email Account

    Shared Secret / Group Name – An optional group name may be specified. A shared secret (pre-shared key) is used to establish the IPSec VPN. Authentication is performed with a username and password. The Proxy Settings section of the form specifies a proxy server that is used when the VPN connection is active.
  • Page 107 Mark the Add this ActiveSync configuration to the device profile check box to enable email account provisioning. The Account Name text field specifies the name for this email account. This will be displayed on the device in the Settings app, and also within the Mail app to identify the mailbox. To help the user identify this mailbox easily, include your organization’s name in the Account Name field.
  • Page 108: Configuring An iOS Device Passcode Policy

    In the Sync Settings group, choose one of the following options from the Days of Mail drop-down list: No Limit, 1 day, 3 days, 1 week, 2 weeks, or 1 month. Click the Save Changes button to save the Exchange ActiveSync profile and return to the main Onboard configuration user interface.
  • Page 109 To enable the passcode policy on all iOS devices, mark the Enable passcode policy check box and configure the remaining options according to your enterprise’s security requirements. Click the Save Changes button to save the passcode policy settings and return to the main Onboard configuration user interface.
  • Page 110: Resetting Onboard Certificates And Configuration

    Resetting Onboard Certificates and Configuration To delete certificates, re-create the Onboard Web login page, or reset configuration to factory default settings, go to Onboard > Reset to Factory Defaults, or click the Reset to Factory Defaults command link. The Reset to Factory Defaults page opens. This page is used to delete certificates, or restore the default configuration for Onboard.
  • Page 111: Onboard Troubleshooting

    Table 17 RADIUS Attributes Included with a Device Authentication Request
    - User-Name (1) – The username for the current device provisioning process.
    - User-Password (2) – Password credentials supplied by the user during device provisioning.
    - Calling-Station-Id (31) – MAC address of the device being provisioned. This attribute is omitted if the MAC address information is unavailable.
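    As an added illustration of the request format Table 17 describes (example code written for this page, not from the manual or from Aruba): building and parsing a RADIUS Access-Request that carries User-Name (1), User-Password (2) and Calling-Station-Id (31), with the RFC 2865 User-Password hiding. The shared secret, username, password and MAC address below are constructed sample values.

```python
import hashlib
import os
import struct

# RADIUS packet code and attribute types from RFC 2865; the three attributes
# are the ones Table 17 lists for an Onboard device authentication request.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
CALLING_STATION_ID = 31

# Constructed sample values (not taken from the manual).
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_USERNAME = "visitor@example.com"
SAMPLE_PASSWORD = "a-constructed-password-longer-than-16"
SAMPLE_MAC = "00-11-22-33-44-55"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is null-padded to a multiple of 16 octets and each block is
    XORed with MD5(secret + previous ciphertext block); the Request
    Authenticator seeds the first block. This is obfuscation keyed by the
    shared secret, not authenticated encryption, so the secret's strength and
    the transport path are what actually protect the credential.
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = (password + b"\x00" * ((-len(password)) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the null padding (a password ending in
    a null byte would lose it, exactly as real RADIUS servers behave)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the 2-octet header, so value <= 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: str,
                         password: str, mac: str = "") -> bytes:
    """Build an Access-Request carrying the Table 17 attributes. Calling-Station-Id
    is omitted when no MAC address is available, matching the manual's note."""
    authenticator = os.urandom(16)  # Request Authenticator: 16 random octets
    attrs = encode_attribute(USER_NAME, username.encode())
    attrs += encode_attribute(
        USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    if mac:
        attrs += encode_attribute(CALLING_STATION_ID, mac.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data: bytes):
    """Split a packet into (code, id, authenticator, {type: value}), rejecting
    the length inconsistencies a receiving parser must never trust."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    authenticator = data[4:20]
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs[attr_type] = data[pos + 2:pos + attr_len]  # last value wins for repeats
        pos += attr_len
    return code, identifier, authenticator, attrs


def decode_access_request(data: bytes, secret: bytes) -> dict:
    """Recover the Table 17 attributes from a wire packet, as the server would."""
    code, identifier, authenticator, attrs = parse_packet(data)
    if code != ACCESS_REQUEST:
        raise ValueError(f"expected Access-Request, got code {code}")
    mac = attrs.get(CALLING_STATION_ID)
    return {
        "id": identifier,
        "User-Name": attrs[USER_NAME].decode(),
        "User-Password": reveal_password(attrs[USER_PASSWORD], secret, authenticator).decode(),
        "Calling-Station-Id": mac.decode() if mac else None,
    }


if __name__ == "__main__":
    packet = build_access_request(7, SAMPLE_SECRET, SAMPLE_USERNAME, SAMPLE_PASSWORD, SAMPLE_MAC)
    print(decode_access_request(packet, SAMPLE_SECRET))
```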
  • Page 112: iOS Device Provisioning Failures

    iOS Device Provisioning Failures Symptom: Device provisioning fails on iOS with the message “The server certificate for https://… is invalid”. Resolution: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate. Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate authority, will cause iOS device provisioning to fail with the message “The server certificate for …...
  • Page 113: Chapter 5 RADIUS Services

    Chapter 5 RADIUS Services RADIUS is a network access-control protocol that verifies and authenticates users. The framework around which RADIUS is built is known as the AAA process, consisting of authentication, authorization, and accounting. RADIUS authenticates a guest user’s session by checking that the guest’s password matches the guest’s login details stored in the RADIUS database.
  • Page 114: Debug RADIUS Server

    Log entries that are displayed include both successful and unsuccessful authentication attempts, the details about any authentication or authorization failures, and server configuration messages when the RADIUS server is started. Debug RADIUS Server The AAA Debug option on the RADIUS Server Configuration page enables additional debugging messages logged during the handling of RADIUS packets.
  • Page 115: Server Configuration

    Each row in the table groups together authentication attempts based on the username (that is, the User-Name attribute provided to the RADIUS server in the Access-Request). The Status column displays one of the following messages for each authentication record, explaining the current state of the user account in the system: Does not exist –...
  • Page 116 The NAS Type list may be used to select a default type for network access servers. Use this option if you have a deployment that uses only one type of NAS. The AAA Debug option on the RADIUS Server Configuration page enables additional debugging messages logged during the handling of RADIUS packets.
  • Page 117: Example: Removing A User-Name Suffix

    Example: Removing a User-Name Suffix Some NAS equipment always appends a realm in the form ‘@domain.com’ to a RADIUS User-Name attribute in the Access-Request message sent to the RADIUS server. It is possible to configure the RADIUS server to strip off this additional text, using the attr_rewrite module. Use the following Server Configuration entries to perform this modification:
    module.attr_rewrite.consentry.attribute = User-Name
    module.attr_rewrite.consentry.searchin = packet...
  • Page 118: Creating A User Role

    User roles can be used to apply different security policies to different classes of guest user accounts. For example, guest users, employees, and contractors might all have differing network security policies. The RADIUS attributes defined by a user role can then specify what each class of user is authorized to do. To create and configure user roles for the server to use for RADIUS authorization: Go to RADIUS >...
  • Page 119: Adding Role Attributes

    2. In the Role Name field, enter a brief descriptive name for the role—for example, if you are creating a role for the guest users in your network, you might choose ‘Guest’ or ‘Visitor’ as the role name. 3. (Optional) You may enter a description of the role in the Description field. This can be useful, as it appears in the list of user roles.
  • Page 120: Defining Attribute Tags

    Enter a value for this attribute in the Value field. For integer enumerated attributes, choose an appropriate value from the Value drop-down list. To calculate the value of the attribute using an expression, see “Dictionary” in this chapter. Additional attributes can be added by clicking the Add Attribute button at the bottom of the window.
  • Page 121: Example: Time Of Day Conditions

    Example: Time of Day Conditions In this example, the Reply-Message attribute will be modified to provide a greeting to the guest that changes depending on the time of day. 1. Create a new role named Sample role. 2. Click the Add Attribute tab.
  • Page 122: Calculating Attribute Value Expressions

    2. Click the Add Attribute tab. 3. Select the Reply-Message attribute from the drop-down list. Any attribute can be used for this example, because the attribute will never be included in the response. 4. Select Enter condition expression… from the Condition drop-down list and enter the following code in the Expression text field: return GetUserTraffic(86400) >...
  • Page 123: Example: Location-Specific VLAN Assignment

    Example: Location-Specific VLAN Assignment In this example, the value of a vendor-specific VLAN attribute will be modified based on the NAS to which visitors are connecting. The network has an Aruba wireless controller at 192.168.30.2 which should be configured to place all visitor traffic into VLAN ID 100.
  • Page 124: Network Access Servers

    3. Complete the Role Override, Expiration, Device Limit, Account Limit, and Limit Action fields with the appropriate information, then click Save Changes. Network Access Servers A Network Access Server (NAS) is a device that provides network access to users, such as a wireless access point, network switch, or dial-in terminal server.
  • Page 125: Creating A Network Access Server Entry

    Creating a Network Access Server Entry A new NAS device is added by clicking on the Create tab. The NAS name is used in the RADIUS server log to identify access requests from NAS servers. This name must be unique. The NAS type is selected from a drop-down list with the following predefined types:
    - Other NAS ...
  • Page 126: Importing A List Of Network Access Servers

    - Motorola (RFC 3576 support)
    - Ruckus Networks
    - Trapeze Networks (RFC 3576 support)
    - Trendnet
    - Xirrus
    RFC 3576 is used by the RADIUS server to request that a NAS disconnect or reauthorize a session that was previously authorized by the RADIUS server. If your NAS vendor is not listed, select the “Other NAS”...
  • Page 127 Select the Force first row as header row check box if your data contains a header row that specifies the field names. This option is only required if the header row is not automatically detected. Click the Next Step button to upload the data. In step 2 of 3, the format of the uploaded data is determined and the appropriate fields are matched to the data.
  • Page 128: Web Logins

    Select the NAS entries to be created or updated with the imported data. The icon displayed in each row indicates if it is a new entry or if an existing NAS entry will be updated. Click the Update existing entries check box to select or unselect all existing NAS entries in the list.
  • Page 129: Creating A Web Login Page

    Figure 17 Sequence diagram for guest captive portal and Web login In a typical configuration, you would enable the captive portal functionality of your NAS [1], and use the URL of your custom Web login page as the default portal landing page for unauthorized guests.
  • Page 130 The first section requires that you enter a name for this login page, as well as an optional page name. You can also provide an optional description of the login page. To use predefined network settings for NAS equipment, select the appropriate vendor in the Vendor Settings drop-down list.
  • Page 131 When using this option, the guest’s username and password credentials will be sent to a value provided in the URL. As this is a potential security hazard, enter the known IP addresses of the controllers in your network in the Allowed Dynamic and Denied Dynamic fields, to prevent an information leak vulnerability that could be exploited by guest users on your network.
  • Page 132 When the Web login form is submitted, the username and password are submitted to the NAS using the field names specified in Username Field and Password Field: The visitor’s username is submitted to the NAS, with any suffix provided in Username Suffix appended ...
  • Page 133 The fifth section allows you to control the look and feel of the login page. Use the Insert self-registration link… drop-down list to insert HTML code that creates a link to an existing guest self-registration page. This may be of use when you are creating a landing page suitable for both registered and unregistered visitors.
  • Page 134: Universal Access Method (UAM) Password Encryption

    The ‘Allowed Access’ and ‘Denied Access’ fields are access control lists that determine if a client is permitted to access this Web login page. You can specify multiple IP addresses and networks, one per line, using the following syntax:
    - 1.2.3.4 – IP address ...
  • Page 135: NAS Login Parameters

    This will in turn result in a hidden field included in the Web login form. The field will be named wlan and will be set to the value ClearPass Guest. NAS Login Parameters Extra fields in the NAS login form may be defined using name=value pairs in the Web login form configuration.
  • Page 136: Apple Captive Network Assistant Bypass With Clearpass Guest

    To access the value of a remembered field called “wlan”, use the syntax: {$extra_fields.wlan} To display all the remembered fields for the current visitor session, use the syntax: {dump var=$extra_fields export=html} Apple Captive Network Assistant Bypass with ClearPass Guest This section describes the process for leveraging the captive portal to bypass the Captive Network Assistant (Web sheet) that is displayed on iOS devices such as iPhones and iPads and, more recently, on Mac OS X machines running Lion (10.7).
  • Page 137: Figure 18 Captive Network Assistant On Mac OS X

    Also, if the user chooses to cancel the Web sheet, the Wi-Fi connection to the Open network will be dropped automatically, preventing any further interaction via the full browser or other applications. The following are examples of these Web sheet sessions from a Mac OS X Lion (10.7) laptop, iPad and an iPhone. Figure 18 Captive Network Assistant on Mac OS X Figure 19 Captive Network Assistant on iPad
  • Page 138: Solution Implementation

    Figure 20 Captive Network Assistant on iPhone The Web sheet can be easily identified by the lack of a URL bar at the top of the screen and typical menu bar items. For many customers, this behavior of their Apple wireless devices will be acceptable and a great usability enhancement for their user community.
  • Page 139: Captive Portal Profile Configuration

    The following CLI and WebUI examples show a typical configuration of the Captive Portal profile. The login page is set to point directly to the hosted Web Login page: http://10.169.130.50/Aruba_Login.php Captive Portal Profile Configuration
    aaa authentication captive-portal "guestnet"
        default-role auth-guest
        direct-pause 3
        no logout-popup-window
        login-page http://10.169.130.50/Aruba_Login.php...
  • Page 140: Database Lists

    Figure 22 Configuring the Web Login page For example, a Captive Portal profile login page configuration like the following sample would link to a hosted Web login page called Aruba_Login: http://<server IP or FQDN>/landing.php/Aruba_Login.php. Database Lists This is a list of databases on the NAS server. The ClearPass Guest RADIUS server uses a database to store the user accounts for authentication and other settings for the server.
  • Page 141: Database Maintenance Tasks

    Database Maintenance Tasks Database optimization and other maintenance tasks can be performed using this form. These tasks are normally carried out automatically and do not require administrative intervention. Some system updates may require a database schema upgrade. If this is required, it is indicated on the database list with the schema upgrade icon.
  • Page 142: Import Dictionary

    The dictionary can be sorted by clicking on a column heading. Import Dictionary You are able to import RADIUS dictionary entries from a text file using the Import Dictionary command located under the More Options tab. These text files can be created by you or you can download them from a manufacturer who is not in the standard list.
  • Page 143: Vendors

    3. Click the Reset Dictionary button to have the dictionary reset. This action cannot be undone. Vendors Vendors are manufacturers of NAS equipment. ClearPass Guest provides a list of manufacturers but you are able to add to this list. Vendor-specific attributes as defined in RFC 2865 can be used to configure specific options related to a particular vendor’s equipment.
  • Page 144: Vendor-Specific Attributes

    Vendor-Specific Attributes Vendor-specific attributes identify configuration items specific to that vendor’s equipment. Add a Vendor-Specific Attribute (VSA) A Vendor-Specific Attribute (VSA) is a RADIUS attribute defined for a specific vendor. You are able to add vendor-specific attributes to a vendor by clicking the vendor in the RADIUS dictionary list view and then clicking the Add VSA icon link.
  • Page 145: Delete Vendor-Specific Attribute

    Once an attribute has been edited, click the Update Attribute button to save your changes. Delete Vendor-Specific Attribute Attributes can only be deleted from vendors that you have added to the dictionary. Vendor-specific attributes with a lock symbol next to their name are standard RADIUS dictionary entries and cannot be deleted.
  • Page 146: Deleting Attribute Value

    You are required to enter the name of the value to be added as well as its value. Values can only be added to attributes that are of integer type. Deleting Attribute Value Values that have been added to a vendor-specific attribute can be deleted using the Delete Value button.
  • Page 147: Specifying Supported EAP Types

    To specify supported EAP types and the default type, and to configure OCSP options, see “Specifying Supported EAP Types”. To create a server certificate and self-signed certificate authority, see “Creating a Server Certificate and Self-Signed Certificate Authority”. To request a certificate from another certificate authority, see “Requesting a Certificate from a Certificate Authority”.
  • Page 148: Creating A Server Certificate And Self-Signed Certificate Authority

    2. In the Supported EAP Types row, mark the check box for each type the RADIUS server should support. The available types are EAP-MD5, EAP-MSCHAPv2, EAP-TLS, EAP-TTLS, and PEAP. If you select EAP-TLS, the EAP-TLS Configuration area is added at the bottom of the form. 3.
  • Page 149: Creating The Certificate Signing Request

    RADIUS Server Certificate form is displayed. The unique set of identifying details you enter on this form creates the Distinguished Name (DN) for the new certificate. Creating a new server certificate and self-signed CA is a three-step process: In step 1, a certificate signing request is created with the identifying details of the Distinguished Name ...
  • Page 150: Signing RADIUS Server Certificate

    The “Common Name” of the CA certificate will be used to identify it to clients installing it as a trusted CA root. Make sure to choose a sensible name. Signing RADIUS Server Certificate For a client to verify that the RADIUS server’s identity is valid, the server’s certificate must be issued by a certificate authority (CA) that is trusted by the client.
  • Page 151: Importing A Server Certificate

    Complete the details for the certificate, and click the Download Request button to save the certificate signing request. This signing request should be submitted to your certificate authority (CA). The CA signs the request to create the server’s digital certificate. Once you have the certificate, you need to import it to set it up for use with EAP.
  • Page 152: Installing A Server Certificate From A Certificate Authority

    A digital certificate may be imported from either the PKCS#12 format, which is a single file containing one or more certificates and an encrypted private key, or from three individual files for the certificate, private key (optionally encrypted with a passphrase), and the root certificate authority. Complete the form with the details for your certificate, and click Continue to proceed to Step 2.
  • Page 153: Importing A Root Certificate - Windows Vista And Windows 7

    2. Select the appropriate PEAP options in the EAP Configuration form, as shown below: 3. Click the Save Changes button, and restart the RADIUS Server to apply the configuration. 4. You may verify that the EAP configuration is loaded by checking for a certain startup message on the RADIUS Server Control screen: Tue Nov 17 01:04:05 2009 : Info: rlm_eap_tls: Loading the certificate file as a chain 5.
  • Page 154 1. Open the .p7b file from Windows Explorer: 2. Select the certificate in the list. Right-click it and choose Open. The Certificate Information dialog opens. 3. Click the Install Certificate button. The Certificate Import Wizard opens. 4. Click Next. The Certificate Store form opens. | RADIUS Services ClearPass Guest 3.9 | Deployment Guide...
  • Page 155 5. Click the Browse button to select the Trusted Root Certification Authorities store. 6. Click OK, and then click Next. The last page of the Certificate Import Wizard is displayed.
  • Page 156 7. Click Finish. A security warning reminds you that if you install the certificate, all future certificates from this certificate authority will automatically be trusted. 8. To make use of the imported root certificate, make sure that the CA is specified as a Trusted Root Certification Authority for the wireless network connection that is using PEAP.
  • Page 157: Active Directory Domain Services

    Active Directory Domain Services To perform certain types of user authentication, such as using the MS-CHAPv2 protocol to verify a username and password, the RADIUS server must first be joined to an Active Directory domain. For information on Proxy RADIUS, LDAP, and local certificate authority external authentication servers, see “External Authentication Servers (EAS)”.
  • Page 158: Joining An Active Directory Domain

    Joining an Active Directory Domain To start the two-step process to join the domain, click the Join Domain command link on the RADIUS > Authentication > Active Directory Services page. The Join Active Directory Domain form is displayed, and includes troubleshooting tips. When the server’s DNS and network settings are correctly configured, all the necessary domain-related information is automatically detected.
  • Page 159: Testing Active Directory User Authentication

    Use the Edit Settings link at the top of this page if any of the automatically detected settings need to be modified. Joining the server to the Active Directory domain then requires entering the username and password for a domain administrator account. Click the Join Domain button to complete the process.
  • Page 160: Configuring Active Directory Domain Authentication

    The following options are available in the Authentication drop-down list:
      • MS-CHAPv2 – Encrypted password – Use this option to encrypt the user’s password using the MS-CHAPv2 authentication method and verify it with the server. A successful authentication using this method can only be performed when the ClearPass Guest server has joined the domain.
  • Page 161: External Authentication Servers (Eas)

    Provide these credentials in the Leave Active Directory Domain form and click the Leave Domain button. External Authentication Servers (EAS) Many networks have more than one place where user credentials are stored. Networks that have different types of users, geographically separate systems, or networks created by integrating different types of systems are all situations where user account information can be spread across several places.
  • Page 162: Managing External Authentication Servers

    Managing External Authentication Servers To view the list of external RADIUS authentication servers and create, edit, enable or disable, delete, test, view user roles or configure EAP for them, go to RADIUS > Authentication > Authentication Servers. The RADIUS Authentication Servers page lists all available sources that may be used for authentication. Changing the properties of an authentication server requires restarting the RADIUS server.
  • Page 163: Configuring An Active Directory Eas

    The top part of the form contains basic properties for the external authentication server. The middle part of the form differs depending on the type of authentication being performed:
      • Active Directory Authentication Server – See “Configuring an Active Directory EAS”
      • LDAP Authentication Server – ...
  • Page 164
      • NetBIOS Domain – automatically detected when joining the domain.
      • LDAP Server and Port Number – the hostname or IP address of the domain controller, with the corresponding port number of the LDAP service.
      • Bind Identity and Bind Password – credentials used to bind to the directory.
      • ...
  • Page 165
    The default settings for the “access_attr” and “access_attr_used_for_allow” settings mean that only users with the Remote Access Permission selected above will be authorized. To authorize all users in Active Directory, regardless of the individual user account settings for remote access permission, use the following settings:
      access_attr = nonexistentAttribute
      access_attr_used_for_allow = no
    Additional details about the precise operation of these parameters are as follows:...
  • Page 166: Configuring An Ldap Eas

      • timelimit = 3 – The number of seconds the LDAP server has to process the query (server-side time limit).
      • net_timeout = 1 – The number of seconds to wait for a response from the LDAP server (network failures).
      • use_mppe = yes – If this option is set to ‘yes’, MS-CHAP authentication will return the RADIUS attribute MS-CHAP-MPPE-Keys for MS-CHAPv1, and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.
  • Page 167
      • LDAP Server and Port Number – the hostname or IP address of the LDAP server, with the corresponding port number of the LDAP service.
      • Security – select from one of these options:
        • Automatic – based on port number – LDAP connections to port 636 are encrypted using TLS, ...
  • Page 168: Configuring A Proxy Radius Eas

      • Base DN – the LDAP distinguished name of the root of the search tree. This is typically a user’s container within the directory, but may be different depending on the directory’s schema.
      • Username Attribute – the LDAP attribute that corresponds to the username. A filter expression is ...
  • Page 169: Configuring A Local Certificate Authority Eas

    To configure the authorization method for a Proxy RADIUS external authentication server, see “Configuring Authorization for External Authentication Servers.” Configuring a Local Certificate Authority EAS For Local Certificate Authority authentication servers, the following fields are displayed in the Edit Authentication Server form. 1.
  • Page 170: Configuring Authorization For External Authentication Servers

    Configuring Authorization for External Authentication Servers The level of authorized access an authenticated user can have is controlled by the external authentication server’s authorization method. To configure a server’s authorization method, use the options under the Authorization heading of the RADIUS server’s Edit Authentication form. For more information about authorization methods, including examples, see “About Authorization Methods in External Authentication Servers”...
  • Page 171: About Authorization Methods In External Authentication Servers

      • Use PHP code to assign a user role (Advanced) may be used to control the mapping between the user account returned by an external authentication server and the RADIUS user role.
        • The RADIUS server will return an Access-Reject message if the user authentication fails.
        • ...
  • Page 172
      • Use role assigned to local user is the only authorization method available for the local user database.
        • If the user’s authentication attempt is successful, the RADIUS server will respond with an Access-Accept message that includes the RADIUS attributes defined for the user’s role.
      • Use the common name of the client certificate to match a local user account may be specified ...
  • Page 173
    With authorization method Assign a fixed user role:
      Sending Access-Request of id 122 to 127.0.0.1 port 1812
          User-Name = "demouser"
          User-Password = "XXXXXXXX"
      rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=122, length=27
          Reply-Message = "Guest"
    Note that in this case, the RADIUS attribute returned (Reply-Message) corresponds to the user role selected.
  • Page 174: Testing External Authentication Servers

    For example, to implement the following configuration:
      • Members of the Domain Admins group should be mapped to RADIUS role ID 4
      • Members of the Users group should be mapped to RADIUS role ID 5
      • All other users should be rejected
      • ...
  • Page 175: Testing A Local Certificate Authority Eas

    Testing a Local Certificate Authority EAS For Local Certificate Authority external authentication servers, additional testing options are included to simulate EAP-TLS authentication with a client certificate. 1. To specify the network layer to test against, mark the radio button in the Mode row for either the local RADIUS server or a remote RADIUS server.
  • Page 176: Managing Certificates For External Authentication Servers

    If you selected Separate certificate and key files (.pem, .cer, .crt) for the TLS identity: 1. In the PKCS#12 row, browse to the file in your system that contains both the client certificate and the client’s private key. When this file is uploaded, if a CA certificate is also included, it is used to verify the server’s identity.
  • Page 177
    The list displays the certificates that have been installed. By default, the list is empty. After selecting a certificate in the list, the following actions are available:
      • Show Details – display information about the certificate, including its unique “fingerprint” identifier
      • ...
  • Page 179: Chapter 6 Operator Logins

    Chapter 6 Operator Logins An operator is a company’s staff member who is able to log in to ClearPass Guest. Different operators may have different roles that can be specified with an operator profile. These profiles might be to administer the ClearPass Guest network, manage guests, or run reports.
  • Page 180: Operator Profiles

    Figure 23 Operator profiles and visitor access control. See “About Operator Logins” in this chapter for details on configuring different forms and views for operator profiles. Operator Profiles An operator profile determines what actions an operator is permitted to take when using ClearPass Guest. Some of the settings in an operator profile may be overridden in a specific operator’s account settings.
  • Page 181 The fields in the first area of the form identify the operator profile and capture any optional information: 1. You must enter a name for this profile in the Name field. 2. (Optional) You may enter additional information about the profile in the Description field. The fields in the second area of the form define permissions for the operator profile: 1.
  • Page 182 For each permission, you may grant No Access, Read Only Access, Full Access, or Custom access. The default in all cases is No Access. This means that you must select the appropriate privileges in order for the profile to work. See “Operator Profile Privileges”...
  • Page 183 If one or more roles are selected, then only those roles will be available for the operator to select from when creating a new guest account. The guest account list is also filtered to show only guest accounts with these roles. If a database is selected in the User Roles list, but no roles within that database are selected, then all roles defined in the database will be available.
  • Page 184: Configuring The User Interface

    The user can enter a simple substring to match a portion of the username or any other fields that are configured for search, and may include the following operators:
    Table 19 Operators supported in filters
      Operator | Meaning | Additional Information
      = | is equal to | You may search for multiple values when using the equality (=) or inequality (!=) operators.
  • Page 185: Customizing Forms And Views

    operator profile, choose a page from the drop-down list. For example, if a profile is designed for users who do only certain tasks, you might want the application to open at the module where those tasks are performed. 3. (Optional) In the Language row, the default setting is Auto-detect. This lets the application determine the operator’s language preference from their local system settings.
  • Page 186: Operator Profile Privileges

    Operator Profile Privileges The privilege selections available for an operator profile provide you with control over the functionality that is available to operators. No Access means that the operator will have no access to the particular area of functionality. Options for that functionality will not appear for that operator in the menus.
  • Page 187: Local Operator Authentication

    Local Operator Authentication Local operators are those defined in ClearPass Guest. Creating a New Operator After you create a profile, you can create an operator to use that profile. ...
  • Page 188: Viewing All Operator Logins

    Any properties for the operator login that are set to (Default) are taken from the operator profile. The Operator Filter field lets you select from three other options besides Default:
      • No operator filter—All guest accounts display.
      • Only show accounts created by the operator—Only guest accounts created by the operator display.
      • ...
  • Page 189
    The Operator Logins list opens. When you click an operator login entry in the Operator Logins list, the row expands to provide links that allow you to perform various operations. Depending on the operator entry, the operations available may include:
      • View/Hide Details—displays or hides configuration details for the selected operator login
      • ...
  • Page 190: Changing Operator Passwords

    Changing Operator Passwords To change the password for an operator, edit the operator login and type a new password in the “Operator Password” and “Confirm Password” password fields. You may also want to select “Force a password change on their next login” under Password Options to allow the operator to select a new password. Operators can change their own passwords by navigating to Home >...
  • Page 191 To specify a basic LDAP server connection (hostname and optional port number), use a Server URL of the form ldap://hostname/ or ldap://hostname:port/. See “Advanced LDAP URL Syntax” in this chapter for more details about the types of LDAP URL you may specify. Select the Enabled option if you want this server to authenticate operator logins.
  • Page 192: Table 21 Server Type Parameters

    This form allows you to specify the type of LDAP server your system will use. Click the Server Type drop-down list and select one of the following options:
    Table 21 Server Type Parameters
      Server Type | Required Configuration Parameters
      Microsoft Active Directory | ...
  • Page 193: Advanced Ldap Url Syntax

    Once you have completed the form, check your settings by clicking the Test Settings button. Use the Test Username and Test Password fields to supply a username and password for the authentication check. If the authentication is successful, the operator profile assigned to the username will be displayed. If the authentication fails, an error message will be displayed.
  • Page 194: Ldap Operator Server Troubleshooting

      • Ping—Sends a ping message (echo request) to the LDAP server to verify connectivity between the LDAP server and the ClearPass Guest server.
      • Test Auth—Adds a Test Operator Login area in the LDAP servers form that allows you to test ...
  • Page 195: Looking Up Sponsor Names

    You can also verify operator authentication when you create a new LDAP server configuration using the Test Settings button on the LDAP Configuration form (see “Creating an LDAP Server” in this chapter for a description). Looking Up Sponsor Names This option is only available if sponsor lookup has been enabled for the server on the Edit Authentication Server page.
  • Page 196: Ldap Translation Rules

      • Verify that the Bind DN is correct – the correct DN will depend on the structure of your directory, and is only required if the directory does not permit anonymous bind.
      • Verify that the Base DN is correct – the Base DN for user searches is fixed and must be specified as ...
  • Page 197
      • greater than – numerical value is greater than the match value
      • starts with – case-insensitive substring match at start of string
      • ends with – case-insensitive substring match at end of string
    4. Select a Value. The Value field states what is to be matched, in this case CN=Administrators to look for a specific group of which the user is a member.
  • Page 198: Custom Ldap Translation Processing

    To edit the matching rule list, select an entry in the table to display a menu that lets you perform the following actions:
      • Edit – changes the configuration of the matching rule
      • Delete – removes the matching rule from the list
      • ...
  • Page 199 For example, to permit non-administrator users to access the system only between the hours of 8:00 am and 6:00 pm, you could define the following LDAP translation rule: The Custom rule is: {strip} {if stripos($user.memberof, "CN=Administrators")!==false} {elseif date('H') >= 8 && date('H') < 18} {else} {/if} {/strip}...
  • Page 200: Operator Logins Configuration

    Operator Logins Configuration You are able to configure a message on the login screen that will be displayed to all operators. This must be written in HTML. You may also use template code to further customize the appearance and behavior of the login screen.
  • Page 201: Operator Password Options

    <a href="http://www.arubanetworks.com/">contactando con Aruba Networks</a>. </p> {else} <p> The ClearPass Guest demo site <br> requires a username and password. </p> <p> If you don’t have a login, <br> <a href="http://www.arubanetworks.com/">contact Aruba Networks</a> to obtain one. </p> {/if} <br clear="all"> In the Login Footer field, enter any HTML information that you want displayed in the Operator Login form. Select the login skin from the Login Skin drop-down menu.
  • Page 202: Advanced Operator Login Options

    Advanced Operator Login Options The following options are available in the Logging drop-down list:
      • No logging
      • Log only failed operator login attempts
      • Log only Web logins
      • Log only XMLRPC access
      • Log all access
    Log messages for operator logins, whether successful or unsuccessful, are shown in the application log. Automatic Logout The Logout After option in the Advanced Options section lets you configure an amount of idle time after which an operator’s session will be ended.
  • Page 203: Chapter 7 Guest Management

    Chapter 7 Guest Management The ability to easily create and manage guest accounts is the primary function of ClearPass Guest. Guest Manager provides complete control over the user account creation process. Using the built-in customization editor you can customize fields, forms and views as well as the forms for guest self-registration.
  • Page 204: Sponsored Guest Access

    Sponsored Guest Access The following figure shows the process of sponsored guest access (see Figure 24). Figure 24 Sponsored guest access with guest created by operator. The operator creates the guest accounts and generates a receipt for the account. The guest logs on to the Network Access Server (NAS) using the credentials provided on her receipt. The NAS authenticates and authorizes the guest’s login in ClearPass Guest.
  • Page 205: Standard Guest Management Features

    registration page, where the guest creates a new account. At the conclusion of the registration process, the guest is automatically redirected to the NAS to log in. The guest can print or download a receipt, or have the receipt information sent to her by SMS or email. The NAS performs authentication and authorization for the guest in ClearPass Guest.
  • Page 206: Creating A Guest Account Receipt

    To complete the form, first enter the visitor’s details into the Sponsor’s Name, Visitor Name, Company Name and Email Address fields. The visitor’s email address will become their username to log into the network. You can specify the account activation and expiration times. The visitor account cannot be used before the activation time, or after the expiration time.
  • Page 207: Creating Multiple Guest Accounts

    To print a receipt for the visitor, select an appropriate template from the Open print window using template… list. A new Web browser window will open and the browser’s Print dialog box will be displayed. Click the Send SMS receipt link to send a guest account receipt via text message. Use the SMS Receipt form to enter the mobile telephone number to which the receipt should be sent.
  • Page 208: Creating Multiple Guest Account Receipts

    To complete the form, you must enter the number of visitor accounts you want to create. A random password will be created for each visitor account. This is not displayed on this form, but will be available on the guest account receipt. You can specify the account activation and expiration times.
  • Page 209: Creating A Single Password For Multiple Accounts

      • Lifetime – the account lifetime in minutes, or N/A if the account does not have a lifetime specified
      • Successful – “Yes” if the account was created successfully, or “No” if there was an error creating the account
    Creating a Single Password for Multiple Accounts You can create multiple accounts that have the same password.
  • Page 210 2. In the Number of Accounts field, enter the number of accounts you wish to create. 3. In the Visitor Password field, enter the password that is to be used by all the accounts. 4. Complete the other fields with the appropriate information, then click Create Accounts. The Finished Creating Guest Accounts view opens.
  • Page 211: Managing Guest Accounts

    Managing Guest Accounts Use the Guest Manager Accounts list view to work with individual guest accounts. To open the Guest Manager Accounts list, go to Guests > List Guest Accounts. This view (guest_users) may be customized by adding new fields or modifying or removing the existing fields.
  • Page 212: Table 24 Operators Supported In Filters

    You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators: Table 24 Operators supported in filters Operator Meaning Additional Information...
  • Page 213
    Click the Update Account button to reset the guest account’s password. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details.
      • Change expiration – Changes the expiration time for a guest account.
      • ...
  • Page 214: Managing Multiple Guest Accounts

    This form may be customized by adding new fields, or modifying or removing the existing fields. Refer to the section of this chapter for details about this customization process. This is the guest_edit form. Click the Update Account button to update the properties of the guest account. A new account receipt is then displayed, which allows you to print a receipt showing the updated account details.
  • Page 215: Table 25 Operators Supported In Filters

    You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators: Table 25 Operators supported in filters Operator Meaning Additional Information...
  • Page 216: Importing Guest Accounts

    Use the selection row at the top of the table to work with the current set of selected accounts. The number of currently selected accounts is shown. When a filter is in effect, the “All Matching” link can be used to add all pages of the filtered result to the selection.
  • Page 217
    To complete the form, you must either specify a file containing account information, or type or paste in the account information to the Accounts Text area. Select the Show additional import options check box to display the following advanced import options:
      • Character Set: ClearPass Guest uses the UTF-8 character set encoding internally to store visitor ...
  • Page 218
    In this example, the following data was used:
      username,visitor_name,password,expire_time
      demo005,Demo five,secret005,2011-06-10 09:00
      demo006,Demo six,secret006,2011-06-11 10:00
      demo007,Demo seven,secret007,2011-06-12 11:00
      demo008,Demo eight,secret008,2011-06-13 12:00
      demo009,Demo nine,secret009,2011-06-13 12:00
      demo010,Demo ten,secret010,2011-06-13 12:00
      demo011,Demo eleven,secret011,2011-06-13 12:00
    Because this data includes a header row that contains field names, the corresponding fields have been automatically detected in the data: Use the Match Fields form to identify which guest account fields are present in the imported data.
  • Page 219 Click the Next Step button to preview the final result. Step 3 of 3 displays a preview of the import operation. The values of each guest account field are determined, and any conflicts with existing user accounts are displayed. The icon displayed for each user account indicates whether it is a new entry or whether an existing user account will be updated. By default, this form shows ten entries per page.
  • Page 220: Exporting Guest Account Information

    Exporting Guest Account Information Guest account information may be exported to a file in one of several different formats. Click the appropriate command link to save a list of all guest accounts in comma-separated values (CSV), tab-separated values (TSV), or XML format. This view (guest_export) may be customized by adding new fields, modifying or removing the existing fields.
  • Page 221: Default Settings For Account Creation

      • SMS and email receipts – Include a short text message with your guest’s username and password, or send HTML emails containing images.
      • Advanced customization – ClearPass Guest is flexible and can be used to provide location sensitive content and advertising.
    Default Settings for Account Creation The Guest Manager plugin configuration holds the default settings for account creation.
  • Page 222
      • Username Length – This field is displayed if the Username Type is set to “Random digits”, “Random letters”, “Random letters and digits” or “Sequential numbering”. The default length of random account usernames (when creating groups of accounts). This may be overridden by using the random_username_length field.
  • Page 223: Figure 27 Customize Guest Manager Page (Part 2)-Continued

    Figure 27 Customize Guest Manager page (part 2)—continued
      • Expire Action – Default action to take when the expiration time is reached. There are four options. A logout can only occur if the NAS is RFC-3576 compliant.
      • Account Retention – Deleted user accounts are available for reporting purposes. The default value is 1 ...
  • Page 224: Figure 28 Customize Guest Manager Page (Part 3)-Continued

    Figure 28 Customize Guest Manager page (part 3)—continued
      • Lifetime Options – Default values for account lifetimes. These options are displayed as the values of the “Account Lifetime” field when creating a user account.
      • Terms of Use URL – URL of a terms and conditions page provided to sponsors. You may upload an ...
  • Page 225: About Fields, Forms, And Views

      • Password Display – Select the “View guest account passwords” to enable the display of visitor account passwords in the user list. To reveal passwords, the password field must be added to the “guest_users” or “guest_edit” view, and the operator profile in use must also have the View Passwords privilege.
      • Initial Sequence –...
  • Page 226: Visitor Account Activation Properties

      • modify_password: This field controls password modification for the visitor account. It may be set to one of these values:
        • “reset” to randomly generate a new password according to the values of the random_password_method and random_password_length fields
        • “password” to use the password specified in the password field
        • ...
  • Page 227: Visitor Account Expiration Properties

    Visitor Account Expiration Properties
      • do_expire, modify_expire_time, expire_after and expire_time: These fields are used to determine the time at which the visitor account will expire.
        • If modify_expire_time is “none”, then the account has no expiration time set.
        • If modify_expire_time is “now”, then the account is disabled and has no expiration time set.
        • ...
  • Page 228: Standard Fields

    “Logout” indicates that a RADIUS Disconnect-Request will be used for all active sessions that have a username matching the account username. This option requires the NAS to support RFC 3576 dynamic authorization. See “RFC 3576 Dynamic Authorization” in this chapter for more information. Standard Fields “Field, Form and View Reference”...
  • Page 229: Customization Of Fields

    Table 27 Visitor Management Forms and Views (Continued)
      Name | Type | Description
      guest_register | Form | Guest Self-Registration
      guest_register_receipt | Form | Guest Self-Registration Receipt
      guest_sessions | View | Active Sessions
      guest_users | View | List Accounts
      remove_account | Form | Remove Account
      reset_password | Form | Reset Password
    These forms are accessed directly:
      • create_multi form – multiple account creation
      • ...
  • Page 230: Creating A Custom Field

    A complete list of fields is displayed when you click the Fields command link on the Customize Guest Manager page. To display only the fields that you have created, click the Custom Fields Only link in the bottom row of the list view. To return to displaying all fields, click the All Fields link.
  • Page 231: Duplicating A Field

    You can specify the default properties to use when adding the field to a form. See “View Field Editor” in this chapter for a list of the available user interface types. You can specify the default validation rules that should be applied to this field when it is added to a form. “Form Validation Properties”...
  • Page 232: Displaying Views That Use A Field

    Displaying Views that Use a Field You are able to click the Show Views link to see a list of views that use the selected field. The list displays the views that use the selected field. It also allows you to edit the view’s fields by clicking on the Edit Fields link.
  • Page 233: Duplicating Forms And Views

    Duplicating Forms and Views Click the Duplicate link to make a copy of a form or view. Use the Duplicate link to provide different forms and views to different operator profiles. See “Role-Based Access Control for Multiple Operator Profiles” in the Operator Logins chapter for a description. This enables you to provide different views of the underlying visitor accounts in the database depending on the operator’s profile.
  • Page 234: Form Field Editor

    Form fields have a rank number, which specifies the relative ordering of the fields when displaying the form. The Customize Form Fields editor always shows the fields in order by rank. The type of each form field is displayed. This controls what kind of user interface element is used to interact with the user.
  • Page 235: Form Display Properties

    Each field can only appear once on a form. The Field Name selects which underlying field is being represented on the form. The remainder of the form field editor is split into three sections:
      • Form Display Properties
      • Form Validation Properties
      • ...
  • Page 236
      • Check box – A check box is displayed for the field. The check box label can be specified using HTML. If the check box is selected, the field is submitted with its value set to the check box value (default and recommended value 1).
  • Page 237 Because an array value may not be stored directly in a custom field, you should use the conversion and value formatting facilities to convert the array value to and from a string when using this user interface type. To store a comma-separated list of the selected values, enable the Advanced options, select “NwaImplodeComma”...
  • Page 238 How this works: Suppose the first two check boxes are selected (in this example, with keys “one” and “two”). The incoming value for the field will be an array containing 2 elements, which can be written as array("one", "two"). The NwaImplodeComma conversion is applied, which converts the array value into the string value “one,two”, which is then used as the value for the field.
  • Page 239 File upload – Displays a file selection text field and dialog box (the exact appearance differs from browser to browser). File uploads cannot be stored in a custom field. This user interface type requires special form implementation support and is not recommended for use in custom fields. Hidden field –...
  • Page 240 Password text field – The field is displayed as a text field, with input from the user obscured. The text typed in this field is submitted as the value for the field. Radio buttons – The field is displayed as a group of radio buttons, allowing one to be selected. The text ...
  • Page 241 The “Vertical” and “Horizontal” layout styles control whether the radio buttons are organized in top-to-bottom or left-to-right order. The default is “Vertical” if not specified. Static text – The field’s value is displayed as a non-editable text string. An icon image may optionally be ...
  • Page 242 Static text (Raw value) – The field’s value is displayed as a non-editable text string. HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links and font formatting. Use caution when using this type of user interface element, particularly if the field’s value is collected from visitors.
  • Page 243 Static group heading – The label and description of the field is used to display a group heading on the form. The field’s value is not used, and the field is not submitted with the form. When using this user interface element, it is recommended that you use the “nwaImportant” CSS class to visually distinguish the group heading’s title.
  • Page 244 Text area – The field is displayed as a multiple-line text box. The text typed in this box is submitted as the value for the field. It is recommended that you specify the desired minimum dimensions of the text area, either with the Rows and Columns options, or by specifying a width in the CSS Style (for example, “width: 460px;...
  • Page 245: Form Validation Properties

    Form Validation Properties The form validation properties control the validation of data entered into a form. By specifying appropriate validation rules, you can detect when users attempt to enter incorrect data and require them to correct their mistake. The initial value for a form field may be specified. Use this option when a field value has a sensible default. The initial value should be expressed in the same way as the field’s value.
  • Page 246: Examples Of Form Field Validation

    Validation errors are displayed to the user by highlighting the field(s) that are in error and displaying the validation error message with the field: All fields must be successfully validated before any form processing can take place. This ensures that the form processing always has user input that is known to be valid.
  • Page 247 With these validator settings, users who enter an invalid value will now receive a validation error message: Furthermore, note that blank values, or non-numeric values, will result in a different error message: The reason for this is that in this case, the validation has failed due to a type error – the field is specified to have an integer type, and a blank or non-numeric value cannot be converted to an integer.
  • Page 248: Advanced Form Field Properties

    Note that the regular expression used here includes beginning and ending delimiters (in this case the / character), and ensures that the whole string matches by the start-of-string marker ^ and the end-of-string marker $. The construct \d is used to match a single digit. Many equivalent regular expressions could be written to perform this validation task.
  • Page 249: Form Field Validation Processing Sequence

    For pre-registered guest accounts, some fields may be completed during pre-registration and some fields may be left for the guest to complete at registration. You can use the Pre-Registration field to specify whether the guest’s entry must match the preliminary value provided for a field during pre-registration. If a value was not provided for a field when the account was created, choose Field was not pre- ...
  • Page 250 The Conversion step should be used when the type of data displayed in the user interface is different from the type required when storing the field. For example, consider a form field displayed as a date/time picker, such as the expire_time field used to specify an account expiration time on the create_user form.
  • Page 251 A comparison of these two approaches is shown below to illustrate the difference: When using a Conversion or Value Format function, you will almost always have to set up a Display Function for the form field. This function is used to perform the conversion in the reverse direction – between the internal stored value and the value displayed in the form field.
  • Page 252: Editing Views

    Because of the scoping rules of JavaScript, all of the user interface elements that make up the form are available as variables in the local scope with the same name as the form field. Thus, to access the current value of a text field named sample_field in a JavaScript expression, you would use the code sample_field.value.
  • Page 253: View Field Editor

    column are also shown in the list view. Values displayed in italics are default values defined for the field being displayed. Click a view field in the list view to select it. Use the  Edit link to make changes to an existing column using the view field editor. Any changes made to the field using this editor will apply only to this field on this view.
  • Page 254: Customizing Self Provisioned Access

    The Column Format may be used to specify how the field’s value should be displayed. You may choose from one of the following: Field Value – The value of the field is displayed as plain text. Field Value (Un-Escaped) – The value of the field is displayed as HTML. ...
  • Page 255: Creating A Self-Registration Page

    This process is shown as follows. See Figure 30. Figure 30 Sequence diagram for guest self-registration The captive portal redirects unauthorized users to the register page [2]. After submitting the registration form [3], the guest account is created and the receipt page is displayed with the details of the guest account.
  • Page 256: Editing Self-Registration Pages

    The Register Page is the name of a page that does not already exist. There are no spaces in this name. This page name will become part of the URL used to access the self provisioning page. For example, the default “guest_register”...
  • Page 257: Configuring Basic Properties For Self-Registration

    Figure 31 Guest self-registration process A guest self-registration page consists of many different settings, which are divided into groups across several pages. Click an icon or label in the diagram to jump directly to the editor for that item. Configuring Basic Properties for Self-Registration Click the Master Enable, User Database, Choose Skin, or Rename Page links to edit the basic settings for guest self-registration.
  • Page 258: Using A Parent Page

    Using a Parent Page To use the settings from a previously configured self-registration page, select an existing page name from the Parent drop-down menu. This is useful if you need to configure multiple registrations. You can always override parent page values by editing field values yourself. To create a self-registration page with new values, select the Guest Self-Registration (guest_register) option from the Parent field drop-down menu.
  • Page 259: Editing Registration Page Properties

    The Allowed Access and Denied Access fields are access control lists that determine if a client is permitted to access this guest self-registration page. You can specify multiple IP addresses and networks, one per line, using the following syntax: 1.2.3.4 – IP address ...
  • Page 260: Editing The Default Self-Registration Form Settings

    Template code for the title, header, and footer may be specified. See “Smarty Template Syntax” in the Reference chapter for details on the template code that may be inserted. Select the Do not include guest registration form contents check box to override the normal behavior of the registration page, which is to display the registration form between the header and footer templates.
  • Page 261: Editing Guest Receipt Page Properties

    Editing Guest Receipt Page Properties Click the Receipt Page link or one of the Title, Header or Footer fields for the Receipt Page to edit the properties of the receipt page. This page is shown to guests after their visitor account has been created. Click the Save Changes button to return to the process diagram for self-registration.
  • Page 262: Editing Receipt Actions

    Editing Receipt Actions Click the Actions link to edit the actions that are available once a visitor account has been created. Enabling Sponsor Confirmation for Role Selection You can allow the sponsor to choose the role for the user account at the time the sponsor approves the self-registered account.
  • Page 263 The Receipt Actions form opens. 3. In the Sponsorship Confirmation area at the bottom of the form, mark the Enabled check box for Require sponsor confirmation prior to enabling the account. The form expands to let you configure this option. 4.
  • Page 264: Editing Download And Print Actions For Guest Receipt Delivery

    The Guest Registration login page is displayed as the guest would see it. When a guest completes the form and clicks the Register button, the sponsor receives an email notification. 8. To confirm the guest’s access, the sponsor clicks the click here link in the email, and is redirected to the Guest Registration Confirmation form.
  • Page 265: Editing Sms Delivery Of Guest Receipts

    When email delivery is enabled, the following options are available to control email delivery: Disable sending guest receipts by email – Email receipts are never sent for a guest registration. Always auto-send guest receipts by email – An email receipt is always generated using the selected ...
  • Page 266: Enabling And Editing Nas Login Properties

    These options under Enabled are available to control delivery of SMS receipts: Disable sending guest receipts by SMS – SMS receipts are never sent for a guest registration. Always auto-send guest receipts by SMS – An SMS receipt is always generated using the selected ...
  • Page 267: Editing Login Page Properties

    If automatic guest login is not enabled, the submit button on the receipt page will not be displayed, and automatic NAS login will not be performed. Many of the properties on this page are the same as for a RADIUS Web Login page. For details about specifying NAS login settings, extra fields, or URL redirection parameters, see “Creating a Web Login Page”...
  • Page 268: Self-Service Portal Properties

    The login page consists of two separate parts: the login form page, and a login message page. The login form page contains a form prompting for the guest’s username and password. The title, header and footer of this page can be customized. If the Provide a custom login form option is selected, then the form must also be provided in either the Header HTML or Footer HTML sections.
  • Page 269 The self-service portal is accessed through a separate link that must be published to guests. The page name for the portal is derived from the registration page name by appending “_portal”. When the self-service portal is enabled, a Go To Portal link is displayed on the list of guest self-registration pages, and may be used to determine the URL that guests should use to access the portal.
  • Page 270: Resetting Passwords With The Self-Service Portal

    session (that is, the guest’s HTTP client address is the same as the RADIUS Framed-IP-Address attribute for an active session). The Password Generation drop-down list controls what kind of password reset method is used in the portal. The default option is “Passwords will be randomly generated”, but the alternative option “Manually enter passwords”...
  • Page 271: Customizing Print Templates

    Next, enable the “Required Field” option in the Self-Service Portal properties. Setting this to (Secret Question) will ask the guest the secret_question and will only permit the password to be reset if the guest supplies the correct secret_answer value. With these settings, the user interface for resetting the password now includes a question and answer prompt after the username has been determined: Selecting a different value for the “Required Field”...
  • Page 272: Creating New Print Templates

    Plain text print templates may be used with SMS services to send guest account receipts; see “About SMS Guest Account Receipts” in this chapter for details. Because SMS has a 160-character limit, the number of characters used in the plain text template will be displayed below the preview. If you are including a guest account’s email address in the SMS, remember to allow for lengthy email addresses (up to 50 characters is a useful rule of thumb).
  • Page 273: Print Template Wizard

    Your guest account has been updated.
    </p>
    {elseif $action == "delete"}
    {/if}
    <table {$table_class_content} width="500">
    <tbody>
    {if $u.guest_name}
    <tr>
    <th class="nwaLeft">guest name</th>
    <td class="nwaBody">{$u.guest_name}</td>
    </tr>
    {/if}
    If this code is placed in the User Account HTML section it will cater for the create, edit and delete options. Print Template Wizard The Create new print template using wizard link provides a simplified way to create print templates by selecting a basic style and providing a logo image, title and content text, and selecting the guest account...
  • Page 274: Modifying Wizard-Generated Templates

    Use the Remove, Move Up, Move Down, Insert Before, and Insert After links to adjust the fields that are to be included on the print template. Click the Create Template button to save your newly created print template and return to the list. Modifying Wizard-Generated Templates Once you have created a print template using the print template wizard, you can return to the wizard to modify it.
  • Page 275: Configuring Access Code Logins

    Select one of the following entities in the Entity drop-down list: Operator Profiles – a specific operator profile may be selected. The corresponding permissions will apply to all operators with that operator profile. Other Entities: Authenticated operators – the permissions for all operators (other than the owner profile) may ...
  • Page 276: Customize Random Username And Passwords

    Customize Random Username and Passwords In this example we will set the random usernames and passwords to be a mix of letters and digits. 1. Navigate to Customization > Guest Manager. The Customize Guest Manager field appears. 2. In the Username Type field, select Random Letters and digits. Note that the generator matching the complexity will also include a mix of upper and lower case letters.
  • Page 277: Customize The Guest Accounts Form

    <th class="nwaLeft">Error</th>
    <td class="nwaBody"><span class="nwaError">{$u.create_result.message}</span></td>
    </tr>
    {/if}
    </tbody>
    </table>
    6. Click Save Changes to save your settings. 7. To preview the new template, select the template in the Guest Manager Print Templates list, then click Preview. The template created in this example appears as shown below. Customize the Guest Accounts Form Next, modify the Guest Accounts form to add a flag that allows access-code based authentication.
  • Page 278: Create Access Code Guest Accounts

    4. Click Save Changes to save your settings. Once the field is enabled or inserted, you should see it bolded in the list of fields. Create Access Code Guest Accounts Once the account fields have been customized, you can create new accounts. 1.
  • Page 279: Mac Authentication In Clearpass Guest

    4. Confirm that the accounts settings are as you expected with respect to letters and digits in the username and password, expiration, and role. 5. Click the Open print window using template drop-down list and select the new print template you created using this procedure.
  • Page 280: Managing Devices

    Administrator > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication Plugin. The MAC Authentication Plugin page opens. Figure 32 MAC Authentication Plugin—Configuration On the controller, the fields look as follows: Figure 33 MAC Authentication Profile Managing Devices To view the list of current MAC devices, go to Guests >...
  • Page 281: Changing A Device's Expiration Date

    All devices created by one of the methods described in the following section are listed. Options on the form let you change a device’s account expiration date; remove, activate, or edit the device; view active sessions or details for the device; or print details, receipts, confirmations, or other information. You can use the Filter field to narrow the search parameters.
  • Page 282: Disabling And Deleting Devices

    1. In the Account Expiration row, choose one of the options in the drop-down list to set an expiration date: If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list. If you choose Account Expires at a specified time, the Expiration Time row is added to the ...
  • Page 283: Activating A Device

    Activating a Device To activate a disabled device’s account, click the device’s row in the Guest Manager Devices list, then click its Activate link. The row expands to include the Enable Guest Account form. 1. In the Activate Account row, choose one of the options in the drop-down list to specify when to activate the account.
  • Page 284 2. If you need to change the activation time, choose one of the options in the Account Activation drop-down list. You may choose to activate the account immediately, at a preset interval of hours or days, or at a specified time. If you choose Activate at a specified time, the Activation Time row is added to the form.
  • Page 285: Viewing Current Sessions For A Device

    Viewing Current Sessions for a Device To view any sessions that are currently active for a device, click the Sessions link in the device’s row on the Guest Manager Devices form. The Active Sessions list opens. For more information, see “Active Sessions Management”.
  • Page 286 1. In the Sponsor’s Name row, enter the name of the person sponsoring the visitor account. 2. Enter the name for the device in the Device Name row. 3. Enter the address in the MAC Address row. If you need to modify the configuration for expected separator format or case, go to Administrator > Plugin Manager >...
  • Page 287: Creating Devices During Guest Self-Registration - Mac Only

    5. To set the account’s expiration time, choose one of the options in the Account Expiration drop-down list. You may set the account to never expire, or to expire at a preset interval of hours or days, or at a specified time.
  • Page 288: Creating Devices During Guest Self-Registration - Paired Accounts

    Figure 34 Modify fields Edit the receipt form fields:
    - Edit username to be a Hidden field
    - Edit password to be a Hidden field
    - Adjust any headers or footers as needed.
    When the visitor registers, they should be able to still log in via the Log In button. The MAC will be passed as their username and password via standard captive portal means.
  • Page 289: Accounting-Based Mac Authentication

    - UI: Hidden field
    - Field Required: optional
    - Validator: IsValidMacAddress
    Add or enable mac_auth_pair:
    - UI: Hidden field
    - Initial Value: -1
    Any other expiration options, role choice, surveys and so on can be entered as usual. You will see an entry under both List Accounts and List Devices.
  • Page 290
    && NwaDynamicLoad('NwaNormalizeMacAddress') // Required call
    && ($mac = NwaNormalizeMacAddress(GetAttr('Calling-Station-Id'))) // All MACs need to be normalized
    && ((!empty($user['id']) && NwaCreateUser(array( // We are caching the MAC for a local user account
        'creator_accept_terms' => 1,
        'mac_auth' => 1, // Flag as a MAC so it shows in List Devices
        'mac' => $mac, // The normalized MAC
        'mac_auth_pair' => $user['id'], // Formally pair the two accounts.
  • Page 291: Figure 35 Radius Role Editor

    Figure 35 RADIUS Role Editor Note that modify_expire_time supports any valid syntax of strtotime. ClearPass Guest 3.9 | Deployment Guide Guest Management |...
  • Page 292: Automatically Registering Mac Devices In Clearpass Policy Manager

    Automatically Registering MAC Devices in ClearPass Policy Manager If ClearPass Policy Manager is enabled, you can configure a guest MAC address to be automatically registered as an endpoint record in ClearPass Policy Manager when the guest uses a Web login page or a guest self-registration workflow.
  • Page 293: Advanced Mac Features

    Any of the other standard fields can be added, similarly to importing regular guests. Advanced MAC Features 2-Factor Authentication 2-factor authentication checks against both credentials and the MAC address on record. Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice you would probably add mac as a text field to the create_user form.
  • Page 294: Click-Through Login Pages

    For debugging purposes, include the following to see all the fields available: {dump var=$guest_receipt export=html} Click-Through Login Pages A click-through login page will present a splash or terms screen to the guest, yet still provide MAC-auth style seamless authentication. Under this scenario, you could have people create an account, with a paired MAC, yet still have them click the terms and conditions on every new connection.
  • Page 295: Session States

    On the Manage Multiple Sessions form, the start time of each session is used to select the sessions to work with. To find relevant sessions easily, sort the list view by the Session Start column before you begin session management tasks. You can use the paging control at the bottom of the list to jump forwards or backwards by one page, or ...
  • Page 296: Rfc 3576 Dynamic Authorization

    traffic, the session is considered ‘stale’ and is not counted towards the active sessions limit for a visitor account. To ensure that accounting statistics are correct, you should check the list for stale sessions and close them. For information on configuring RADIUS server options, see “Server Configuration”...
  • Page 297: Managing Multiple Active Sessions

    You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators: Table 29 Operators supported in filters (Operator / Meaning / Additional Information): = – is equal to. You may search for multiple values when using the equality (=) or inequality (!=) operators.
  • Page 298 1. To close all stale sessions at a certain time, mark the Close Open Sessions radio button on the Manage Multiple Sessions form. The form expands to include rows for calculating the stop time. 2. In the Close Sessions drop-down list, leave the All stale sessions option selected. 3.
  • Page 299: Closing Specified Open Sessions

    To set a specific date and time, choose Specify a fixed end time from the drop-down list. This adds the Session End row to the form, with a calendar option. In the Session End row, click the button to open the calendar picker. In the calendar, use the ...
  • Page 300: Disconnecting Or Reauthorizing Active Sessions

    calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date. If this End Time field is specified and the Start Time field is left empty, all sessions that started before ...
  • Page 301: Sending Multiple Sms Alerts

    2. Use the Start Time row to indicate the beginning of the time range for selecting sessions. To specify a time for the beginning of the range, click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
  • Page 302: Sms Services

    2. Use the filter to specify the group of addresses that should receive the message. See Filtering the List of Active Sessions. Only accounts with valid phone numbers can be sent SMS alerts. 3. Enter the message in the Message text box. Messages may contain up to 160 characters. 4.
  • Page 303 In the SMS Gateway field, if you choose Custom HTTP Handler from the drop-down list, you may specify the HTTP method to use. The form displays the configuration options for that gateway type, and the Service Method row includes the GET and POST options. When you select the POST option, the HTTP Headers and HTTP Post rows are added.
  • Page 304: Sending An Sms

    If your country uses a national dialing prefix such as “0”, you may enter this on the form. When sending an SMS to a number that starts with the national dialing prefix, the prefix is removed and replaced with the country code instead.
  • Page 305: About Sms Credits

    Complete the form by typing in the SMS message and entering the mobile phone number that you are sending the SMS to. If multiple services are available, you may also choose the service to use when sending the message. The SMS is limited to a maximum length of 160 characters. The number of remaining characters is displayed on this form.
  • Page 306: Sms Receipt Options

    ClearPass Guest may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand. To manually send an SMS receipt, navigate to the Guests > List Accounts window, select the guest to which you want to send a receipt, then click the Send SMS receipt link displayed on the guest account receipt page.
  • Page 307: Figure 36 Configure Sms Services Plugin

    Figure 36 Configure SMS Services Plugin SMS Receipt – Select the print template to be used when an SMS receipt is created. The print template used for the receipt must be in plain text format. Phone Number Field – Select which guest account field contains the guest’s mobile telephone number. ...
  • Page 308: Customize Sms Receipt

    Auto-Send Field – Select a guest account field which, if set to a non-empty string or non-zero value, will trigger an automatic SMS when the guest account is created or updated. The auto-send field can be used to create an “opt-in” facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.
  • Page 309: Sms Receipt Fields

    Figure 37 Customize SMS Receipt page SMS Receipt Fields The behavior of SMS receipt operations can be customized with certain guest account fields. You can override global settings by setting these fields. sms_enabled – This field may be set to a non-zero value to enable sending an SMS receipt. If unset, the ...
  • Page 310: Smtp Services

    values “_Disabled” and “_Enabled” may be used to never send an SMS or always send an SMS, respectively. sms_warn_before_message – This field overrides the logout warning message. If blank or unset, the default value from the Customize SMS Receipt page is used. The logic used to send an SMS receipt is: If SMS receipts are disabled, take no action.
  • Page 311 Email receipts may be sent manually by clicking the Send email receipt link displayed on the guest account receipt page. When using guest self-registration, the Email Delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery.
  • Page 312: Email Receipt Options

    Email Receipt Options The Customize Email Receipt form may be used to set default options for visitor account email receipts. Figure 38 Customize Email Receipt page The Subject line may contain template code, including references to guest account fields. The default value, Visitor account receipt for {$email}, uses the value of the email field.
  • Page 313: Figure 39 Customize Email Receipt Page-Continued

    Always send using ‘cc:’ – The Copies To list is always sent a copy of any guest account receipt (even if no guest account email address is available). Always send using ‘bcc:’ – The Copies To list is always sent a blind copy of any guest account receipt ...
  • Page 314: Smtp Receipt Fields

    SMTP Receipt Fields The behavior of email receipt operations can be customized with certain guest account fields. You do this on a per user basis. smtp_enabled – This field may be set to a non-zero value to enable sending an email receipt. If unset, ...
  • Page 315 smtp_warn_before_template_id – This field overrides the print template ID specified under Logout Warnings on the email receipt. If the value is “default”, the default template ID under the Logout Warnings section on the email receipt configuration is used. smtp_warn_before_receipt_format – This field overrides the email format under Logout Warnings to ...
  • Page 317: Report Management

    Chapter 8 Report Management The Reporting Manager provides you with a set of tools to summarize the visitor accounts that have been created and analyze the accounting data collected by the RADIUS server. Through the predefined reports and the custom reports you can create using the report editor, you can get a complete picture of the network usage of your guests.
  • Page 318: Running And Managing Reports

    Number of sessions per NAS – This report shows the total number of sessions per NAS in the selected period. Number of sessions per day – This report shows the total number of sessions per day. Number of users per day – This report shows the number of distinct users per day. ...
  • Page 319: Run

    The Run option allows you to change the date range of the report before it is run. Choose a time period for the report from the Date Range drop-down list. If the report definition includes any additional parameters that have a user interface, these will also be displayed as part of the Report Options form.
  • Page 320: Delete A Report

    The Report Type editor allows you to change the defaults for the Date Range and the Formats for the report you have selected. If you want to change the default for another report you must also edit that report. Click the Save Changes button to have these changes become the new default.
  • Page 321 Visible-only access – the report is visible in the list. It can be viewed in HTML but cannot be edited. Read-only access – the report is visible in the list and it may be viewed and duplicated. The report ...
  • Page 322: Exporting Report Definitions

    Exporting Report Definitions Report definitions may be exported to a file and later imported. This provides an easy way to move reports from one appliance to another. Click the More Options tab at the top of the report list to access the Export Reports command link. (This link also appears on the Reporting start page.) Use the check boxes to select the reports to export.
  • Page 323: Importing Report Definitions

    Importing Report Definitions Report definitions may be imported from a file that has been generated with the Export Reports command. Click the More Options tab at the top of the report list to access the Import Reports command link. (This link also appears on the Reporting start page.) You may select a file to upload using your Web browser, or alternatively the report definition may be pasted into the text area provided.
  • Page 324: About Custom Reports

    About Custom Reports The Report Editor is used to build a custom report. The process used to generate a report is shown in the figure below. In this diagram, the arrows represent the flow of data, while the icons represent the processing stages that the data goes through.
  • Page 325: Data Sources

    Data Sources The available data sources are:
      • Local RADIUS Accounting – Accounting traffic consists of summary information about visitor sessions, reported by NAS devices to the application. In the RADIUS Accounting data source, each data record corresponds to a single visitor session. The data record contains information such as the start and stop times for the session, the NAS IP address, client IP address and MAC address, and statistics such as the total amount of input and output traffic and the length of the session.
  • Page 326: Groups

    Figure 42 Reporting – Bin west of GMT. The next diagram is similar but for time zones that are east of GMT. Figure 43 Reporting – Bin east of GMT. This process may be automated by entering an expression as the value for the time zone offset. The correct expression to use for the Bin Offset is: <?= -date("Z") Explanation: The PHP date() function returns the time zone offset in seconds when passed the “Z”...
  • Page 327: Statistics From Classification Groups

    Group classifications may be created using the report editor. See “Groups” in this chapter for a list of the available group classification methods. Statistics from Classification Groups The classification groups that you define in a report determine what type of statistics can be derived for that report.
  • Page 328: Report Type

    Figure 46 Components of the Report Editor Report Type | Report Management ClearPass Guest 3.9 | Deployment Guide...
  • Page 329: Report Parameters

    The Report Type link opens a window where you type a distinct name or Title for the report. You can add additional information in the Description field. This could be used to explain the purpose of the report. While you are working on creating the report you could leave the Enabled field unchecked. When you want the report to be available for use, mark the Enabled check box.
  • Page 330
      • Properties for classification methods (bin size and offset)
      • Properties for output series (limit and remainder category)
      • Properties for individual fields within an output series (header)
      • Properties for presentation blocks (container CSS style)
      • Properties for table cells within a presentation block (CSS style) ...
  • Page 331: Parameter User Interface Editing

    Parameter User Interface Editing The Edit Parameter form is used to specify the default value for a parameter as well as the type of user interface to use for this parameter. If No user interface is selected, then the parameter will have a fixed value and cannot be edited before the report is run.
  • Page 332: Data Source

    The initial value displayed on this form for a report parameter may be specified as the Value for the parameter. The Run Preview and Run Default icon links will be available for a report if all parameters have an acceptable default value. This is determined by the validation properties for each parameter. If no validation properties are specified, all parameter values are considered to be valid.
  • Page 333: Select Fields

    Click the Save Changes button to return to the Report Editor. Select Fields If you have not selected fields in the Data Source form, you must select the required source fields here. Fields can be defined one at a time by clicking the Create Source Field tab.
  • Page 334 Each source field has a name that is unique within the report. You can also attach a description to the field for use by the report designer. If you select a field from the Data Source Field drop-down list, that field name is automatically placed in the Field Name area.
  • Page 335: Source Filters

    If you select to calculate a value by summing over source fields, you are required to nominate the fields to be summed. Click the Create Source Field button to create the source or derived field in the report. Source Filters Source filters are applied to the data source fields to determine whether a data record will be included for processing in the report.
  • Page 336 To add additional filters, click the first source filter. An action row is displayed with Edit and Insert After links. There is also a Set Default Report Range option for the first date/time filter. The Edit link allows you to alter the options for the source filter as well as being able to disable the filter.
  • Page 337: Classification Groups

    You must then select the filter from the Filter Type drop-down list. The following options are available:
      • List: Value is not one of a list
      • List: Value is not one of a list (case sensitive)
      • List: Value is one of a list ...
  • Page 338 To create a bin or a classification group, click the Create Classifier tab in the Edit Classification Groups list view. You are required to choose the classification method and the Source Field to use for the classification. The Create Classifier tab can be accessed from the Classification, Bins or Groups options in the Report Editor.
  • Page 339: Statistics And Metrics

    Time measurement: bin by days – See “Binning Example – Time Measurements” in this chapter for the bin classification method description. The bin classification method uses the specified date/time field to calculate a day number. Times that fall within the same day are assigned the same bin number. The bin offset is used to account for time zones as explained in the .
  • Page 340 Like the statistic fields, metrics share a close relationship with the report’s classification groups. When designing a report, consider the metrics that you would like to generate, and work backwards to determine the statistics you will need in order to calculate each metric and the classification groups that will be needed to calculate each statistic.
  • Page 341
      • Median value – the median (middle) value of the source field over the selected classification group is calculated
      • Minimum value – the minimum value of the source field over the selected classification group is calculated
      • Number of bins – the number of different bin classification groups is calculated ...
  • Page 342: Output Series

      • Number of distinct values – the number of distinct values that the statistic field takes over the selected report dimension is calculated
      • Subtract (value 1 – value 2) – the values are subtracted
      • Sum of values – the sum of all values of the statistic field over the selected report dimension is ...
  • Page 343: Output Series Fields

    You are required to enter a unique name for this output series. You must also select the Dimension to be used. This could be the source data or one of the classification groups defined in the report. Click the Create Output Series button to add the output series definition to the report. The Edit Output Series form will then be displayed to allow the components of the output series to be defined.
  • Page 344: Output Filters

    To edit an output series field, click the Edit link for the field. The Edit Series field opens, as shown below. The Header is displayed in tables and charts that use this output series. Use a short description of the values contained in this field.
  • Page 345
      • Match filters check if a value matches a particular condition, which could be a regular expression or other match value.
      • List filters check to see if a value is found in a list.
    Click the Create output filter link to create an output filter. Select the output series you want to filter in order to view the remaining filter options.
  • Page 346: Presentation Options

      • Unconditionally exclude item if filter matches – If the filter matches the item in the output series, the item will never be included in the output. No further filters will be applied to the data once this filter has matched.
    Click the Create Output Filter button to add the new output filter to the report definition.
  • Page 347: Table Presentations

    Scatter  Polar  In general, the first field in the output series is used as the category values for the chart. The second and subsequent fields are used as the values to display on the chart. The Pie and Pie 3-D charts support only a single data point for each category value. A pie chart is used to compare the relative proportions of different values in a single data series.
  • Page 348: Final Report

    This standard header includes the report title, the time at which the report was run, and the date range included in the report. The variables available for use in the template include any of the parameters defined in the report, as well as the following special variables: Table 32 Template Variables Variable...
  • Page 349: Creating The Report - Step 1

    Creating the Report – Step 1 The following form will be displayed when the Create New Report link is clicked. This is the same form that you would obtain if you clicked the Report Type option in the Report Editor. See “Report Type”...
  • Page 350: Creating Sample Reports

    Creating Sample Reports Report Based on Modifying an Existing Report This sample involves modifying the predefined Number of users per day report to report on the number of users per week. 1. Select the “Number of users per day” report. 2.
  • Page 351: Report Created From Report Manager Using Create New Report

    Report Created from Report Manager using Create New Report To create a report that lists today’s user sessions, follow this process. 1. To create a new report without it being based on an existing report, click Create New Report. 2. You must give the report a Title. For this report, Today’s Sessions would be an appropriate name. 3.
  • Page 352 6. Select the required fields in Step 2. For this report the fields are shown in the screen below. These are the fields of interest for the report. 7. Click the  Save Changes button to have the report created. The Report Editor screen is displayed. 8.
  • Page 353: Report Created By Duplicating An Existing Report

    9. You can continue to further enhance this report using the Report Editor. To change the formatting of the table you would use the Presentation Options; to remove a column you would use the Output Series option; to restrict the data in the table you would use a filter, for example, a source filter to limit by NAS IP address;...
  • Page 354 11. The Source Field will be changed to nas_ip_address, as this report is to calculate the average traffic by NAS rather than the average traffic by user. The field will also be renamed to total_nas to reflect the new value it will contain. These changes are shown in the screen below. 12.
  • Page 355: Report Troubleshooting

    20. Click the Back to report editor link to return to the Report Editor. 21. As there are no further changes required, click the Final Report icon to preview your new report. Report Troubleshooting Report Preview with Debugging If you are experiencing problems with your report, you can receive help with the Report Diagnostics. The diagnostics run the report and show you the internal data that is being used to generate the contents of the final report.
  • Page 356: Troubleshooting Tips

    0 => /* group 0 */ array ( 'a' => /* group value: 'a' */ array ( 0 => first data record 1 => second data record 234 => /* bin value: 234 */ array ( /* bin items organized by group */ 1 =>...
  • Page 357: Chapter 9 Administrator Tasks

    Chapter 9 Administrator Tasks The Administrator module provides tools used by a network administrator to perform both the initial configuration and ongoing maintenance of ClearPass Guest. Accessing Administrator Use the Administrator command link on the home page to access the system administration features. Alternatively, use the Administrator navigation menu to jump directly to any of the system administration features.
  • Page 358: Configuring Integration With Other Clearpass Servers

    Configuring Integration with Other ClearPass Servers The Administrator module lets you configure integration with ClearPass Profiler and Policy Manager servers. To configure integration with ClearPass servers: 1. Go to Administrator > Network Setup > ClearPass. The Manage ClearPass Servers form opens. 2.
  • Page 359 3. To configure integration with ClearPass Profiler, mark the Enable Profiling check box. The form expands to include options for sending device error, event, and profile interval information, as well as the hostname, username, and password for the primary and secondary Profiler servers.
  • Page 360: Automatic Network Diagnostics

    Automatic Network Diagnostics When you view or edit the appliance’s network configuration on the Network Setup, HTTP Proxy, Network Diagnostics, or Network Interfaces page, an automatic network connectivity test determines the current status of the network, and the results of the diagnostic are displayed. The problems that can be detected with this built-in diagnostic include: No default gateway set ...
  • Page 361: Viewing Or Setting System Hostname

    Viewing or Setting System Hostname The system hostname is a fully-qualified domain name. By default, this is set to clearpass-guest.localdomain, but you may specify another valid domain name. The system hostname should match the common name of the installed SSL certificate. If these names do not match, then HTTPS access to the appliance may result in security warnings from your Web browser.
  • Page 362: Changing Network Interface Settings

      • Edit – Change the configuration of a network interface, including IP address, DNS settings, or Ethernet settings. See “Changing Network Interface Settings” in the Administrator Tasks chapter for details.
      • Delete – Remove a network interface. Manually created network interfaces may be deleted—for ...
  • Page 363 To specify an IP address for the network interface, select Manually configure IP address. The following form is displayed for IP address details. The MTU field allows you to specify the Maximum Transfer Unit size in bytes for the network interface. While standard Ethernet uses a MTU of 1500 bytes, you may find it necessary to reduce the MTU slightly in some network topologies.
  • Page 364: About Default Gateway Settings

    Click the Save Changes button to update the network interface with the specified settings. The new settings will be tested and the results of the test displayed. If DNS name resolution is not working, the system will be unable to perform many common tasks. To ...
  • Page 365: Managing Static Routes

    Managing Static Routes In the Network Interfaces list view, click the network interface to edit, and then click Routes. The Network Interface Routes list view will be displayed. Click the Create tab to add a new static route. You must specify the network address of the destination network as an IP address and netmask, and the gateway for the destination network.
  • Page 366: Creating A Vlan Interface

    Figure 47 Network diagram showing IP addressing for a GRE tunnel To create a GRE tunnel, navigate to the Network Interfaces page and click the Create a tunnel network interface link. The Network Interface Settings form is displayed. The Interface Name is the system’s internal name for this tunnel interface. A default value is supplied, which may be used without modification.
  • Page 367: Managing Vlan Interfaces

    Use the Create a VLAN interface link to create a new network interface with a specific VLAN tag. The Create a New VLAN form is displayed. In this form, select the physical interface through which the VLAN traffic will be routed, and enter a name for the VLAN and the corresponding VLAN ID.
  • Page 368: Creating A Secondary Network Interface

    VLAN interfaces are distinguished from other network interfaces with blue icons. The possible states for the system’s network interfaces are summarized in the table below. Table 34 Network Interface States (columns: Interface State, Physical, VLAN; rows: Active (up), Active with default gateway, Inactive (down); the Physical and VLAN columns show the icon used for each state). The actions available when selecting a VLAN interface are: Show Details –...
  • Page 369: Login Access Control

    Secondary network interfaces have the same name as the underlying physical interface, with a suffix such as “:1”, “:2” and so on for each subsequent IP address created. All secondary interfaces will be brought down if the corresponding physical interface is brought down. Login Access Control Authentication and role-based access control are used to identify operators and their level of access to the system.
  • Page 370: Network Diagnostic Tools

    The ‘Deny Behavior’ drop-down list may be used to specify the action to take when access is denied. The access control rules will be applied in order, from the most specific match to the least specific match. Access control entries are more specific when they match fewer IP addresses. The most specific entry is a single IP address (for example, 1.2.3.4), while the least specific entry is the match-all address of 0.0.0.0/0.
  • Page 371 Select a diagnostic from the drop-down list. Depending on the diagnostic you have selected, additional parameters will also be available:
      • DHCP Leases – Select a network interface to view the DHCP lease information for that interface.
      • DNS Lookup – Enter a hostname to perform a domain name lookup and display the results. ...
  • Page 372: Network Diagnostics - Packet Capturing

    form. Additional RADIUS attributes may also be included by adding Attribute-Name = Value pairs in the Extra Arguments field; see the example below.
      • Routing Table – Displays the current IPv4 routing table. The list shows the static, network addresses and default routes configured for the system.
  • Page 373 Select the network interface and, if required, enter filtering parameters to restrict the type and number of packets to be captured. The maximum size of a packet capture is 100,000 packets. You can enter network addresses in the Source IP and Destination IP fields by using an IP address and a network address length;...
  • Page 374: Network Hosts

    Once the packet capture has completed, the status is updated, and a link to Download packet capture file is available. Click this link to download a packet capture file, which may be analyzed using the Wireshark utility or another tool capable of reading the “pcap” file format. To delete the saved file, select the Delete current packet capture file check box and click the Delete button.
  • Page 375: Http Proxy Configuration

    The fields on each line are separated by any number of blanks or tab characters. Any text from a # character to the end of the line is a comment, and is ignored. Hostnames may contain only alphanumeric characters, minus signs (“-”), and periods (“.”). A hostname must begin with an alphabetic character and end with an alphanumeric character.
  • Page 376 The SNMP Setup form is used to configure the system’s SNMP server and enable SNMP access. To enable SNMP access, one of the available modes must be selected. Version 2c, version 3, or both versions may be enabled. The System Contact and System Location parameters are basic SNMP “system” MIB parameters that are frequently used to identify network equipment.
  • Page 377: Supported Mibs

    SNMP version 2c has only one configuration option, which is the name of the community string. SNMP clients must provide this value in order to access the server. The default community string is public. SNMP version 3 adds authentication and encryption capabilities to the protocol. You must supply a set of credentials to be used for SNMP v3 access.
  • Page 378: Smtp Configuration

      • SNMP-VIEW-BASED-ACM-MIB
      • TCP-MIB
      • UCD-DISKIO-MIB
      • UCD-DLMOD-MIB
      • UCD-SNMP-MIB
      • UDP-MIB
    SMTP Configuration The SMTP Configuration form is used to provide system default settings used when sending email messages. To manage and view the current SMTP configuration click the SMTP Configuration command link on the Administrator >...
  • Page 379: Ssl Certificate

    The From Address must be specified. This is the sender of the email and will be visible to all email recipients. It is recommended that you provide a valid email address so that guests receiving email receipts are able to contact you. When using the SMTP Server option, the following special header values are recognized: X-Smtp-Timeout –...
  • Page 380: Installing An Ssl Certificate

    A completed sample certificate request is shown below. Click the Create Certificate Request button to generate the certificate signing request. The certificate signing request is displayed in a text field in the browser. This can be used to copy and paste the request directly to a certificate authority that supports this form of request submission.
  • Page 381 The process for installing an SSL certificate has been simplified. In the first step, select whether you will be copying and pasting the certificate as plain text, or uploading the certificate from a file. In the second step, you must provide between one and three items of information: The Certificate field must contain the digital certificate.
  • Page 382: Displaying The Current Ssl Certificate

    To resolve this error, first check that you have provided the correct intermediate certificate. If the problem persists, check with your certificate authority for the appropriate root certificate to use. As an optional third step, if you have a private key that corresponds to the SSL certificate, it may be specified separately.
  • Page 383: Backup And Restore

    Backup and Restore Click the Backup & Restore command link on the Administrator start page to make backups of the appliance’s current configuration as well as restore a previous backup. It is recommended that you make a complete configuration backup of the system after completing a deployment and after making configuration changes.
  • Page 384: Scheduling Automatic Backups

    Server Configuration), you can select to back up the entire area or only a particular part of that area. To access the components within an area, click the down arrow. There are five possible states for each area, described below: 1.
  • Page 385 You are able to select either a complete or custom backup to run on the schedule. The options available are the same as for the manual backup. You are required to enter a prefix for the backup filename. The backup name is used as the basis for the name of the backup file.
  • Page 386: Restoring A Backup

      • proxy*: proxy related arguments
      • quote=CMD: send custom command to FTP server
      • require-ssl: require SSL connection for success
    SMB options
      • kerberos: use Kerberos authentication (Active Directory)
      • domain=NAME or workgroup=NAME: set the workgroup to NAME
      • debug: generate additional debugging messages which are logged to the application log ...
  • Page 387: Content Manager

    restore, be sure to select the appropriate items by clicking the tick icon for each configuration item to restore. 4. Mark the Restore settings from backup check box. Be aware that it is possible to overwrite any local configuration changes that have been made since the backup was created. 5.
  • Page 388: Uploading Content

    server. To access the Content Manager, click the Content Manager command link on the Customization start page. You can add content items by using your Web browser to upload them. You can also copy a content item stored on another Web server by downloading it. To use a content item, you can insert a reference to it into any custom HTML editor within the application.
  • Page 389: Downloading Content

    Downloading Content To download a file from the Internet for use in ClearPass Guest, click on the Download New Content tab. The Fetch Content form is displayed. After you have completed the form, click the Fetch Content button to have the file downloaded. The file is placed in the public directory on the Web server.
  • Page 390: Performing A Security Audit

    Performing a Security Audit Use the Check Security command link on the Administrator > Security Manager page to start a security audit of the system. A security assessment will be performed and a report will be displayed containing the recommendations from the security assessment.
  • Page 391: Changing Network Security Settings

    attention. Use the Disable Check link to prevent the security audit from raising warnings about a specific security condition. Changing Network Security Settings Use the Network Security command link to check the current settings for remote console access. ClearPass Guest has a command line interface (CLI) which may be accessed using the appliance console or SSH.
  • Page 392: Os Updates

    1. To configure notifications, go to Administrator > Notifications. The Configure Notifications page opens. 2. In the Warning Levels drop-down list, specify the maximum number of alerts to receive. If you do not want to receive notifications, choose 0-Disable warnings. 3.
  • Page 393: Determining Installed Operating System Packages

    Determining Installed Operating System Packages Use the Advanced view of the System Information page to display a list of the installed operating system packages, together with the corresponding version numbers. Plugin Manager Plugins are the software components that fit together to make your Web application. The Plugin Manager allows you to manage subscriptions, list available plugins, add new plugins, and check for updates to the installed plugins.
  • Page 394: Managing Subscriptions

    clusters after the plugins are updated. Please see “Destroying a Cluster” under Cluster Setup in the High Availability Services chapter. Managing Subscriptions A subscription ID is a unique number used to identify your software license and any custom software modules that are part of your ClearPass Guest solution. To view current subscription IDs, navigate to Administrator >...
  • Page 395: Adding Or Updating New Plugins

    Plugins cannot be disabled or removed if other enabled plugins are dependent on them. An error message will be displayed if an operation is attempted that would leave the application in an inconsistent state. Adding or Updating New Plugins You can add or update plugins either from the Internet or from a file provided to you by email. If your new plugin was emailed to you as a file, navigate to Administrator >...
  • Page 396: Configuring Plugin Update Notifications

    The default view of the Add New Plugins page lists all available updates and plugins that are not yet installed on your system. You can configure the list to display all plugins (including those already installed on the system) or just new plugins and updates. To change the list, click the Display All Plugins or Display Changed Plugins link. The default selections include all new plugins and any...
  • Page 397: Configuring The Kernel Plugin

    To undo any changes to the plugin’s configuration, click the plugin’s Restore default configuration link. The plugin’s configuration is restored to the factory default settings. In most cases, plugin configuration settings do not need to be modified directly. Use the customization options available elsewhere in the application to make configuration changes.
  • Page 398: Configuring The Aruba Clearpass Skin Plugin

    1. To change the application’s title, enter the new name in the Application Title field (for example, your company name) to display that text as the title of your Web application. Click Save Configuration. 2. The Kernel plugin’s Debug Level, Update Base URL and Application URL options should not be modified unless you are instructed to do so by Aruba support.
  • Page 399: Server Time

    2. The default navigation layout is “expanded.” To change the behavior of the navigation menu, click the Navigation Layout drop-down list and select a different expansion level for menu items. 3. The Page Heading field allows you to enter additional heading text to be displayed at the very top of the page.
  • Page 400 To ensure that authentication, authorization, and accounting (AAA) is performed correctly, it is vital that the server maintains the correct time of day at all times. It is strongly recommended that you configure one or more NTP servers to automatically synchronize the server’s time. NTP can interfere with timekeeping in virtual machines.
  • Page 401: System Control

    If the server’s clock is running slow, changing the server’s time may cause your current login to expire. In this case you will need to log in again after clicking the Save Changes button. System Control The System Control commands on the Administrator > System Control page allow you to: Shut down the server immediately.
  • Page 402: Log Rotation: Configuring Data Retention

      • 5—Notice: normal but significant condition
      • 6—Informational: informational messages
      • 7—Debug: debug-level messages
    When a syslog server has been defined, messages matching the rules defined here are sent to the syslog server. The syslog protocol uses UDP port 514. Log Rotation: Configuring Data Retention To configure the number of weeks to retain records for data, log files, disabled accounts, and mobile device certificates, click the Configure data retention link in the Log Rotation row.
  • Page 403: Facility: Redirecting Application Log Messages

    Facility: Redirecting Application Log Messages To redirect log messages from the application log to the syslog, select an option from the Facility field drop-down menu. The default option None – Do not send application log messages to syslog stores all application-generated messages in the separate application log.
  • Page 404: Managing Data Retention

    For high-traffic sites that are maintaining many weeks of log files, enter a non-zero value for Disk Space to ensure that the log files cannot fill up the system’s disk. If the disk space check is enabled, the server’s free disk space is checked daily at midnight, and if it is below the specified threshold, old log files are deleted to free up space.
  • Page 405: Figure 48 Data Retention Policy Page

    Figure 48 Data Retention Policy page Select Enable to enable the data retention policy option and enter a number of weeks in the Log Rotation field to indicate how many weeks you want log files kept before they are deleted. You can specify how many weeks a guest account persists after the account is disabled in the Guest Accounts field.
  • Page 406: Changing Database Configuration Parameters

    Changing Database Configuration Parameters The Database Configuration form allows you to configure the system’s database and manage its maintenance schedule. Access this form by navigating to System Control > Database Config. The Options field is a text field that accepts multiple name = value pairs. You can also add comments by entering lines starting with a # character.
  • Page 407: Changing Web Application Configuration

    Changing Web Application Configuration Certain performance and security options may be configured that affect the operation of the Web application user interface. Use the Web Application Configuration command link to adjust these configuration parameters. The Memory Limit may be increased to allow larger reports to be run on the system. The File Upload Size may be increased to allow larger content items to be uploaded, or larger backup files to be restored.
  • Page 408: Changing Web Server Configuration

    Changing Web Server Configuration High-traffic deployments may need to adjust certain performance options related to the system’s Web server. Use the Web Server Configuration command link to adjust these configuration parameters. The Maximum Clients option specifies the maximum number of clients that may simultaneously be making HTTP requests.
  • Page 409: Adding Disk Space

    This report can be downloaded for support purposes. Adding Disk Space Storage capacity can be increased on VMware-based deployments. To increase available storage, click the Add Space option on the System Information screen. The Adding Disk Space screen appears. Follow the instructions on this page. ClearPass Guest 3.9 | Deployment Guide Administrator Tasks |...
  • Page 411: System Log

    System Log The system log viewer available on the Support > System Logs page displays messages that have been generated from multiple different sources:
    Application Logs—messages generated by the ClearPass Guest application.
    HTTP Logs—messages generated by the Apache Web Server.
    ...
  • Page 412: Exporting The System Log

    Use the Filter tab to control advanced filtering settings, such as which logs to search and the time period to display. Click the Apply Filter button to save your changes and update the view, or click the Reset button to remove the filter and return to the default view.
  • Page 413: Searching The Application Log

    Searching the Application Log You can search for particular log records using the form displayed when you click the Search tab. Click the Reset Form button to clear the search and return to displaying all records in the log. Exporting the Application Log Use the Export tab to save the log in other formats, including HTML, text, CSV, TSV and XML.
  • Page 415: Chapter 10 Hotspot Manager

    Chapter 10 Hotspot Manager The Hotspot Manager controls self-provisioned guest or visitor accounts. This is where the customer is able to create his or her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts.
  • Page 416: Manage Hotspot Sign-Up

    Manage Hotspot Sign-up You can enable visitor access self-provisioning by navigating to Customization > Hotspot Manager and selecting the Manage Hotspot Sign-up command. This allows you to change user interface options and set global preferences for the self-provisioning of visitor accounts. The Enable visitor access self-provisioning check box must be ticked for self-provisioning to be available.
  • Page 417: Captive Portal Integration

    The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows an HTML message to be displayed to visitors if self-provisioning has been disabled. See “Smarty Template Syntax” in the Reference chapter for details about the template syntax you may use to format this message.
  • Page 418: Modifying An Existing Plan

    You can customize which plans are available for selection, and any of the details of a plan, such as its description, cost to purchase, allocated role and what sort of username will be provided to customers. Above is the list of default plans provided by the application. Plans that you have enabled have their name in bold and are marked with an icon.
  • Page 419: Creating New Plans

    Creating New Plans Custom hotspot plans are added by clicking the Create Hotspot plan button. The following form is displayed. Click the Create Plan button to create this plan for use by your Hotspot visitors. See “Format Picture String Symbols” in the Reference chapter for a list of the special characters that may be used in the Generated Username and Generated Password format strings.
  • Page 420: Creating A New Transaction Processor

    eWAY
    Netregistry
    Paypal
    WorldPay
    ClearPass Guest also includes a Demo transaction processor that you can use to create hotspot forms and test hotspot transactions. Creating a New Transaction Processor To define a new transaction processor, navigate to Customization > Hotspot Manager, click Manage Transaction Processors, then select New Transaction Processor.
  • Page 421: Customize User Interface

    You can customize the title shown on the invoice and how the invoice number is created. You can also customize the currency displayed on the invoice. The Invoice Title must be written in HTML. See “Basic HTML Syntax” in the Reference chapter for details about basic HTML syntax.
  • Page 422: Customize Page One

    Customize Page One Page one of the guest self-provisioning process requires that the guest selects a plan. You can customize how this page is displayed to the guest: you can give this page a title, some introductory text and a footer. The Introduction and the Footer are HTML text that may use template syntax. See “Smarty Template Syntax”...
  • Page 424: Customize Page Three

    “Smarty Template Syntax” in the Reference chapter for details about the template syntax you may use to format the content on this page. Customize Page Three You can make changes to the content of page 3, where the customer receives an invoice containing confirmation of their transaction and the details of their newly created wireless account.
  • Page 425: Chapter 11 High Availability Services

    Chapter 11 High Availability Services The goal of a highly available system is to continue to provide network services even if a hardware failure occurs. High Availability Services provides the tools required to achieve this goal. These tools include service clustering, fault tolerance, database replication, configuration replication, automatic failover and automatic recovery.
  • Page 426: Network Architecture

    A cluster’s virtual IP address is a unique IP address that will always be assigned to the primary node of the cluster. In order to take advantage of the cluster’s fault tolerance, all clients that use the cluster must use the cluster’s virtual IP address, rather than each node’s IP address.
  • Page 427: Deploying An Ssl Certificate

    There should be no routers, gateways, firewalls, or network address translation (NAT) between the two nodes. Having nodes in different physical locations is not recommended and is not a supported configuration for the cluster. Deploying an SSL Certificate Special consideration needs to be given to deployments that require SSL access to the cluster. The Common Name (CN) of an SSL certificate must match the hostname of the site being visited.
  • Page 428: Configuration Replication

    Replicating the database contents ensures that in the event of a primary node failure, the secondary node is up to date and can continue to deliver the same network services to clients. While the primary node is online, the secondary node’s database can only be updated with replication changes from the primary node. No other database changes can take place on the secondary node.
  • Page 429: Primary Node Failure

    SNMP server settings (See “SNMP Configuration” in the Administrator Tasks chapter)
    The set of currently installed plugins (See “Plugin Manager” in the Administrator Tasks chapter)
    Web Login pages (See “Web Logins” in the RADIUS Services chapter)
    ...
  • Page 430: Email Notification

    The cluster will continue operating without service interruption. Network services will be unaffected as the cluster’s virtual IP address is assigned to the primary node. While the secondary node is offline, the cluster will no longer be fault-tolerant. A subsequent failure of the primary node will leave the cluster inoperable.
  • Page 431: Cluster Setup

    Table 36 Cluster Status Descriptions (Continued) The primary node is running, but the secondary node is down or stopped. The secondary is no longer available. Check the Remote Status on the primary node to determine the cause of the problem. ...
  • Page 432: Prepare Primary Node

    Prepare Primary Node Use the Cluster Configuration form to enter the basic network and control parameters for the cluster. If you have not already set a unique hostname for this server, you can do so here. Each node in the cluster must have a unique hostname.
  • Page 433 A valid hostname is a domain name that contains two or more components separated by a period (.).
  • Page 434: Prepare Secondary Node

    Each node in the cluster must be able to resolve the other node by using a DNS lookup. This is verified during the cluster initialization. In practice, this means that you must configure your local DNS or DHCP server with appropriate entries for each node.
  • Page 435: Cluster Deployment

    The Cluster Initialization form is displayed. Select the check box and click the Initialize Cluster button to proceed. During the cluster initialization process, the entire contents of the RADIUS database (including guest accounts, user roles, and accounting history) and all configuration settings of the primary node will be replicated to the secondary node.
  • Page 436: Cluster Maintenance

    Cluster Maintenance Use the Cluster Maintenance command link to access maintenance functions related to the cluster. The maintenance commands that are available on this page will depend on the current state of the cluster as well as which node you are logged into. Some maintenance commands are only available on the secondary node.
  • Page 437: Recovering From A Hardware Failure

    5. A progress meter is displayed while the cluster is recovered. The cluster’s virtual IP address will be temporarily unavailable while the recovery takes place. 6. Recovery is complete. The secondary node is now the new primary node for the cluster. The cluster is back in a fault-tolerant mode of operation.
  • Page 438: Performing Scheduled Maintenance

    A similar procedure can be used to rebuild the cluster in the event of a secondary node suffering a hardware failure. Performing Scheduled Maintenance Routine maintenance tasks such as a server reboot or shutdown may occasionally be required for a server that is part of a cluster.
  • Page 439: Cluster Troubleshooting

    Immediately after the cluster is destroyed, both nodes will have the same database and configuration state. However, changes on one node will no longer be replicated to the other node as the cluster is no longer functioning. Cluster Troubleshooting When building a cluster, use the recommended values for the downtime threshold, keep-alive rate and configuration sync rate.
  • Page 441: Chapter 12 Reference

    Chapter 12 Reference Basic HTML Syntax ClearPass Guest allows different parts of the user interface to be customized using the Hypertext Markup Language (HTML). Most customization tasks only require basic HTML knowledge, which is covered in this section. HTML is a markup language that consists primarily of tags that are enclosed inside angle brackets, for example, <p>.
  • Page 442: Standard Html Styles

    Table 38 Standard HTML Tags (Continued)
    Styled text (block): <div style="…">Uses CSS formatting</div> or <div class="…">Uses predefined style</div>
    Hypertext Hyperlink: <a href="url">Link text to click on</a>
    Inline image: <img src="url"> or <img src="url" /> (XHTML equivalent)
    Floating image: <img src="url" align="left">
    For more details about HTML syntax and detailed examples of its use, consult an HTML tutorial or reference guide.
  • Page 443: Smarty Template Syntax

    Table 39 Formatting Classes (Continued)
    nwaTop (Table Header): Table heading at top
    nwaLeft (Table Header): Left column of table
    nwaRight (Table Header): Right column of table
    nwaBottom (Table Header): Table heading at bottom
    nwaBody (Table Cell): Style to apply to table cell containing data
    nwaHighlight (Table Cell): Highlighted text (used for mouseover)
  • Page 444: Comments

    Comments To remove text entirely from the template, comment it out with the Smarty syntax {* commented text *} Note that this is different from a HTML comment, in that the Smarty template comment will never be included in the page sent to the Web browser. Variable Assignment To assign a value to a page variable, use the following syntax: {assign var=name value=value}...
  • Page 445: Foreach Text Blocks

    <!-- included if $collection is empty --> {/section} Note that the content after a {sectionelse} tag is included only if the {section} block would otherwise be empty. Foreach Text Blocks An easier to use alternative to the {section} … {/section} tag is to use the {foreach} … {/foreach} block: {foreach key=key_var item=item_var from=$collection} {$key_var} = {$item_var} {foreachelse}...
  • Page 446: Predefined Template Functions

    Table 40 Smarty Modifiers (Continued) Modifier Description nwatimeformat Date/time formatting; see “Date/Time Format String Reference” in this chapter for details about this modifier function nwamoneyformat Formats a monetary amount for display purposes; an optional modifier argument may be used to specify the format string. This modifier is equivalent to the NwaMoneyFormat() function;...
  • Page 447: Nwa_Iconlink

    The “icon” parameter is the SRC to the image of the icon. This should normally be a relative path. The “command” parameter is the main text of the command link. The “text” parameter is the explanatory text describing the action that lies behind the command link. ...
  • Page 448: Nwa_Quotejs

    The “icon” parameter, if specified, is the SRC to the image of the icon. This should normally be a relative path. The “width” and “height” parameters, if specified, provide the dimensions of the icon to display. If not specified, this is automatically determined from the image.
  • Page 449 Usage example: {nwa_radius_query _method=GetCallingStationTraffic callingstationid=$dhcp_lease.mac_address from_time=86400 in_out=out _assign=total_traffic} This example uses the GetCallingStationTraffic query function, and passes the “callingstationid”, “from_time” and “in_out” parameters. The result is assigned to a template variable called total_traffic, and will not generate any output. See “GetCallingStationTraffic()”...
  • Page 450: Advanced Developer Reference

    GetUserActiveSessions($username, $callingstationid = null)
    GetCurrentSession($criteria)
    GetUserCurrentSession($username)
    GetIpAddressCurrentSession($ip_addr = null)
    GetCallingStationCurrentSession($callingstationid, $mac_format = null)
    GetSessionTimeRemaining($username, $format = "relative")
    ChangeToRole($username, $role_name)
    The $criteria array consists of one or more criteria on which to perform a database search. This array is used for advanced cases where the pre-defined helper functions do not provide the required flexibility.
  • Page 451: Nwa_Makeid

    nwa_makeid {nwa_makeid …} Smarty registered template function. Creates a unique identifier and assigns it to a named page variable. Identifiers are unique for a given page instantiation. Usage example: {nwa_makeid var=some_id} The “var” parameter specifies the page variable that will be assigned. Alternative usage: {nwa_makeid var=some_id file=filename} The “file”...
  • Page 452: Nwa_Plugin

    The “reset” parameter may be specified to clear any existing navigation settings. Usage example: {nwa_nav block=level1_active}<li class="active">@a@</li>{/nwa_nav} {nwa_nav block=level1_inactive}<li>@a@</li>{/nwa_nav} {nwa_nav type=simple}{/nwa_nav} {* this generates the HTML *} Block types can be one of the following types:
    enter_level1_item
    enter_level2_item
    enter_level3_item
    ...
  • Page 453: Nwa_Privilege

    The ‘output’ parameter specifies the metadata field to return. If ‘output’ is not specified, the default is ‘output=id’; that is, the plugin ID is returned. nwa_privilege {nwa_privilege} … {/nwa_privilege} Smarty registered block function. Includes output only if a certain kind of privilege has been granted. Usage examples: {nwa_privilege access=create_user} ...
  • Page 454: Nwa_Youtube

    Usage examples: {nwa_userpref name=prefName} {nwa_userpref name=prefName default=10} {nwa_userpref has=prefName}
    “name”: return the named user preference
    “default”: supply a value to be returned if the preference is not set
    “has”: return 1 if the named preference exists for the current user, 0 if the preference does not exist
    ...
  • Page 455: Nwatimeformat Modifier

    The full list of special formats is:
    Table 42 Date and Time Formats
    Preset Name   Date/Time Format          Example
    hhmmss        %H%M%S                    141345
    hh:mm:ss      %H:%M:%S                  14:13:45
    iso8601       %Y%m%d                    20080407
    iso8601t      %Y%m%d%H%M%S              20080407141345
    iso-8601      %Y-%m-%d                  2008-04-07
    iso-8601t     %Y-%m-%d %H:%M:%S         2008-04-07 14:13:45
    longdate      %A, %d %B %Y, %I:%M %p    Monday, 07 April 2008, 2:13 PM
    rfc822        %a, %d %b %Y %H:%M:%S %Z  ...
  • Page 456: Date/Time Format String Reference

    Date/Time Format String Reference Table 43 Date and Time Format Strings Format Result Abbreviated weekday name for the current locale Full weekday name for the current locale Abbreviated month name for the current locale Full month name for the current locale Preferred date and time representation for the current locale Century number (2-digit number, 00 to 99) Day of the month as a decimal number (01 to 31)
  • Page 457: Programmer's Reference

    Programmer’s Reference NwaAlnumPassword NwaAlnumPassword($len) Generates an alpha-numeric password (mixed case) of length $len characters. NwaBoolFormat NwaBoolFormat($value, $options = null) Formats a boolean value as a string. If 3 function arguments are supplied, the 2nd and 3rd arguments are the values to return for false and true, respectively. Otherwise, the $options parameter specifies how to do the conversion: If an integer 0 or 1, the string values “0”...
  • Page 458: Nwadigitspassword($Len)

    NwaDigitsPassword($len) NwaDigitsPassword($len) Generates digit-only passwords of at least $len characters in length. NwaDynamicLoad NwaDynamicLoad($func) Loads the PHP function $func for use in the current expression or code block. Returns true if the function exists (that is, the function is already present or was loaded successfully), or false if the function does not exist.
  • Page 459: Nwaparsecsv

    Formats a monetary amount for display purposes. The current page language is used to adjust formatting to the country specified. Returns a result that is guaranteed to be in UTF-8. The $format argument may be null, to specify the default behavior (U.S. English format), or it may be a pattern string containing the following: currency symbol (prefix) ...
  • Page 460: Nwaparsexml

    “NwaParseCsv” and “NwaVLookup”. NwaParseXml NwaParseXml($xml_text) Parses a string as an XML document and returns the corresponding document structure as an associative array. Returns an array containing the following elements: error – set if there was a problem parsing the XML ...
  • Page 461: Nwavlookup

    NwaVLookup NwaVLookup($value, $table, $column_index, $range_lookup = true, $value_column = 0, $cmp_fn = null) Table lookup function, similar to the Excel function VLOOKUP(). This function searches for a value in the first column of a table and returns a value in the same row from another column in the table. This function supports the values described in the table below.
  • Page 462: Table 46 Guestmanager Standard Fields

    Table 46 GuestManager Standard Fields Field Description account_activation String. The current account activation time in long form. This field is available on the change_expiration and guest_enable forms. The value is generated from the do_schedule and schedule_time fields, and may be one of the following: Account will be enabled at date and time ...
  • Page 463 Table 46 GuestManager Standard Fields (Continued) Field Description do_expire Integer that specifies the action to take when the expire time of the account is reached. See “expire_time”. 0—Account will not expire; 1—Disable; 2—Disable and logout; 3—Delete ...
  • Page 464 Table 46 GuestManager Standard Fields (Continued) Field Description expire_time Integer. Time at which the account will expire. The expiration time should be specified as a UNIX timestamp. Setting an expire_time value also requires a non-zero value to be set for the do_expire field;...
  • Page 465 Table 46 GuestManager Standard Fields (Continued) Field Description modify_expire_usage String. Value indicating how to modify the expire_usage field. This field is only of use when editing a visitor account. It may be set to one of the following values: “expire_usage”...
  • Page 466 Table 46 GuestManager Standard Fields (Continued) Field Description netmask String. Network address mask to use for stations using the account. This field may be up to 20 characters in length. The value of this field is not currently used by the system.
  • Page 467 Table 46 GuestManager Standard Fields (Continued) Field Description password_last_change Integer. The time that the guest’s password was last changed. The password change time is specified as a UNIX timestamp. This field is automatically updated with the current time when the guest changes their password using the self-service portal. random_password String.
  • Page 468 Table 46 GuestManager Standard Fields (Continued) Field Description random_username_method String. Identifier specifying how usernames are to be created. It may be one of the following identifiers: nwa_sequence to assign sequential usernames. In this case, the multi_prefix field is used as the prefix for the username, followed by a sequential number; the number of digits is specified by the random_username_length field.
  • Page 469: Hotspot Standard Fields

    Table 46 GuestManager Standard Fields (Continued) Field Description simultaneous_use Integer. Maximum number of simultaneous sessions allowed for the account. sponsor_email Email address of the sponsor of the account. If the sponsor_email field is inserted into an email receipt and used in future emails, the “Reply-To” email address will always be the email address of the original sponsor, not the current operator.
  • Page 470: Sms Services Standard Fields

    Table 47 Hotspot Standard Fields (Continued) Field Description password2 String. Password for the account (used to confirm a manually typed password). personal_details No Type. Field attached to a form label. purchase_amount No Type. Total amount of the transaction. This field is only used during transaction processing.
  • Page 471: Table 49 Smtp Services Standard Fields

    Table 49 SMTP Services Standard Fields Field Description auto_send_smtp Boolean. Flag indicating that an email receipt should be automatically sent upon creation of the guest account. Set this field to a non-zero value or a non-empty string to enable an automatic email receipt to be sent. This field can be used to create an opt-in facility for guests.
  • Page 472: Format Picture String Symbols

    Table 49 SMTP Services Standard Fields (Continued) Field Description smtp_warn_before_receipt_format String. This field overrides the format in the Email Receipt field under Logout Warnings. It may be one of “plaintext” (No skin – plain text only), “html_embedded” (No skin – HTML only), “receipt” (No skin – Native receipt format), “default”...
  • Page 473: Form Field Validation Functions

    Any other alphanumeric characters in the picture string will be used in the resulting username or password. Some examples of the picture string are shown below:
    Table 51 Picture String Example Passwords
    Picture String   Sample Password
    ####             3728
    user####         user3728
    v^^#__           vQU3nj
    @@@@@            ...
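The picture-string scheme above decides how much guessing resistance a generated guest password has, so it is worth seeing the generator and its entropy side by side. The following is an added example, not ClearPass code: the symbol meanings ('#' digit, '^' uppercase letter, '_' lowercase letter) are assumptions inferred from the sample passwords in Table 51, literal alphanumerics are copied through as the text states, and the '@' symbol, whose sample is truncated on this page, is deliberately rejected rather than guessed at.

```python
import math
import secrets
import string

# Added example, not ClearPass code. Symbol meanings are assumptions inferred
# from Table 51 (#### -> 3728, v^^#__ -> vQU3nj):
#   '#' one decimal digit, '^' one uppercase letter, '_' one lowercase letter.
# Any other alphanumeric character is copied literally, as the manual states.
# '@' is not implemented because its sample is truncated on the page.
SYMBOLS = {
    "#": string.digits,
    "^": string.ascii_uppercase,
    "_": string.ascii_lowercase,
}


def from_picture(picture, rng=None):
    """Generate one username/password from a picture string.

    rng defaults to a CSPRNG (secrets.SystemRandom); a seeded random.Random
    may be passed in for reproducible tests only, never in production."""
    rng = rng or secrets.SystemRandom()
    out = []
    for ch in picture:
        alphabet = SYMBOLS.get(ch)
        if alphabet:
            out.append(rng.choice(alphabet))
        elif ch.isalnum():
            out.append(ch)          # literal character, copied unchanged
        else:
            raise ValueError(f"unsupported picture symbol {ch!r}")
    return "".join(out)


def entropy_bits(picture):
    """log2 of the number of distinct values a picture string can produce.

    Literal characters (like the 'user' prefix) add no entropy, which is why
    'user####' is no harder to guess than '####'."""
    bits = 0.0
    for ch in picture:
        alphabet = SYMBOLS.get(ch)
        if alphabet:
            bits += math.log2(len(alphabet))
        elif not ch.isalnum():
            raise ValueError(f"unsupported picture symbol {ch!r}")
    return bits


if __name__ == "__main__":
    for pic in ("####", "user####", "v^^#__"):
        print(f"{pic:10} -> {from_picture(pic):10} ({entropy_bits(pic):.1f} bits)")
```

The entropy figure is the point a defender should take from the table: four digits is about 13 bits, which is adequate only when the account also has a short lifetime and the login page rate-limits attempts.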
  • Page 474 'corp-domain.com', 'other-domain.com', 'deny' => array( 'blocked-domain.com', 'other-blocked-domain.com',
    The keys ‘whitelist’ and ‘blacklist’ may also be used for ‘allow’ and ‘deny’, respectively.
    An ‘allow’ or ‘deny’ value that is a string is converted to a single element array.
    Wildcard matching may be used on domain names: the prefix ‘*.’ means match any domain that ends ...
  • Page 475: Form Field Conversion Functions

    username – specifies the name of the field containing the username. If empty or unset, the password is not checked against this field for a match.
    minimum_length – specifies the minimum length of the password in characters.
    disallowed_chars – if set, specifies characters that are not allowed in the password.
    ...
  • Page 476: Form Field Display Formatting Functions

    NwaConvertOptionalInt – Converts a string representation of an integer to the equivalent integer value. The conversion leaves blank values unmodified.
    NwaConvertStringToOptions – Converts a multi-line string representation of the form
    key1 | value1
    key2 | value2
    to the array representation array ( 'key1' =>...
  • Page 477 Table 53 Form Field Display Functions (Continued) Function Description NwaDateFormat Format a date like the PHP function strftime(), using the argument as the date format string. Returns a result guaranteed to be in UTF-8 and correct for the current page language.
  • Page 478: View Display Expression Technical Reference

    View Display Expression Technical Reference A page that contains a view is displayed in an operator’s Web browser. The view contains data that is loaded from the server dynamically. Because of this, both data formatting and display operations for the view are implemented with JavaScript in the Web browser. For each item displayed in the view, a JavaScript object is constructed.
  • Page 479: Standard Radius Request Functions

    Table 54 Display Expressions for Data Formatting (Continued) Value Description
    Nwa_NumberFormat(value[, if_undefined])
    Nwa_NumberFormat(value, decimals)
    Nwa_NumberFormat(value, decimals, dec_point, ...
    Converts a numerical value to a string. If the value has an undefined type (in other words, has not been set), and the if_undefined parameter was provided, returns if_undefined.
  • Page 480: Enabledebug()

    If the expression evaluates to true, the AccessReject() will cause authorization to be refused. If the expression evaluates to false, AccessReject() is not called, and the authorization process will continue (however, the attribute will not be included in the Access-Accept, as the condition expression has evaluated to false).
  • Page 481: Macequal()

    MacEqual() MacEqual($addr1, $addr2) Compares two MAC addresses for equality, using their canonical forms. Example usage as a condition expression for an attribute:
    return MacEqual(GetAttr('Calling-Station-Id'), '00-01-02-44-55-66')
    MacAddrConvert() MacAddrConvert($mac, $mac_format) Converts a MAC address to a specified format. This function accepts anything that can be interpreted as a MAC address using some fairly liberal guidelines and returns the address formatted with the $mac_format string.
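Comparing on canonical forms matters because, as the GetCallingStationSessions() entry notes, different NAS equipment sends the Calling-Station-Id in different styles, and a policy that compares raw strings silently fails open or closed depending on the vendor. The following added example (not ClearPass code, and not its MacEqual/MacAddrConvert implementation) shows one canonicalisation and comparison routine; the set of separators it tolerates and the "%:", "%-", "%.", "%n" format names are assumptions for this example.

```python
import re

# Added example, not ClearPass code. Tolerated separators and the format
# names below are assumptions, chosen to cover the styles commonly seen in
# RADIUS Calling-Station-Id values from different NAS vendors.

_SEPARATORS = re.compile(r"[:\-.\s]")
_TWELVE_HEX = re.compile(r"[0-9a-fA-F]{12}")


def mac_canonical(addr):
    """Return the 12 lowercase hex digits of a MAC address, or None when the
    input cannot be interpreted as one (wrong digit count, bad characters).
    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff."""
    if addr is None:
        return None
    digits = _SEPARATORS.sub("", addr.strip())
    if not _TWELVE_HEX.fullmatch(digits):
        return None
    return digits.lower()


def mac_equal(addr1, addr2):
    """Equality on canonical forms. Malformed input never compares equal,
    so a policy built on this cannot be satisfied by a garbage attribute."""
    a, b = mac_canonical(addr1), mac_canonical(addr2)
    return a is not None and a == b


def mac_convert(addr, fmt="%:"):
    """Re-emit a MAC in a target style (format names are this example's own):
    "%:" aa:bb:cc:dd:ee:ff   "%-" AA-BB-CC-DD-EE-FF
    "%." aabb.ccdd.eeff      "%n" aabbccddeeff"""
    d = mac_canonical(addr)
    if d is None:
        raise ValueError(f"not a MAC address: {addr!r}")
    pairs = [d[i:i + 2] for i in range(0, 12, 2)]
    if fmt == "%:":
        return ":".join(pairs)
    if fmt == "%-":
        return "-".join(p.upper() for p in pairs)
    if fmt == "%.":
        return ".".join(d[i:i + 4] for i in range(0, 12, 4))
    if fmt == "%n":
        return d
    raise ValueError(f"unknown format {fmt!r}")


if __name__ == "__main__":
    # Constructed attribute values, as three vendors might send them.
    for seen in ("00-01-02-44-55-66", "00:01:02:44:55:66", "0001.0244.5566"):
        print(seen, "->", mac_convert(seen), "matches:", mac_equal(seen, "000102445566"))
```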
  • Page 482: Getsessions()

    If $to_time is specified, the interval considered is between $from_time and $to_time. Returns the total session time for all matching accounting records in the time interval specified. GetSessions() GetSessions($criteria, $from_time, $to_time = null) Calculate the number of sessions from accounting records in the database. This is a multi-purpose function that has a very flexible query interface;...
  • Page 483: Getusertraffic()

    Another way to limit the past 30 days downloads to 100 MB:
    return GetUserTraffic($now - 86400*30, $now, 'out') > 100*1024*1024 && AccessReject()
    Limit by MAC address, 50 MB download in past 24 hours:
    return GetCallingStationTraffic(86400, 'out') > 50000000 && AccessReject()
    GetUserTraffic() GetUserTraffic($from_time, $to_time = null, $in_out = null) Calculate the sum of traffic counters in a time interval.
  • Page 484: Getcallingstationsessions()

    GetCallingStationSessions() GetCallingStationSessions($from_time, $to_time = null, $mac_format = null) Calculate the number of sessions for accounting records matching a specific calling-station-id. The calling station id address is looked up automatically from the RADIUS Access-Request (Calling-Station-ID attribute). Because different NAS equipment can send differently-formatted MAC addresses in the Calling-Station-Id attribute, the $mac_format argument may be specified.
  • Page 485: Getusercurrentsession()

    'acctsessionid' => '4a762dbf00000002', 'acctuniqueid' => 'c199b5a94ebf5184', 'username' => 'demo@example.com', 'realm' => '', 'role_name' => 'Guest', 'nasipaddress' => '192.168.2.20', 'nasportid' => '', 'nasporttype' => '', 'calledstationid' => '', 'callingstationid' => '', 'acctstarttime' => '1249258943', 'connectinfo_start' => '', 'acctstoptime' => NULL, 'connectinfo_stop' => NULL, 'acctsessiontime' =>...
  • Page 486: Getuserstationcount()

    “GetCurrentSession()” for details of the return value. GetUserStationCount() GetUserStationCount($from_time = null, $to_time = null, $exclude_mac = null) Count the total number of unique MAC addresses used in a time interval, for all sessions with the same User-Name attribute as that specified in the RADIUS Access-Request. If $exclude_mac is set, any sessions matching that MAC address are excluded from the count.
  • Page 487: Radius Server Options

    Example: Use the following as a conditional expression for an attribute. If the user's traffic in the past 24 hours exceeds 50 MB, the user is changed to the "Over-Quota" role.
    return GetUserTraffic(86400) > 50e6 && ChangeToRole("Over-Quota");
    RADIUS Server Options These are the advanced server options that may be configured using the RADIUS Server Options text field.
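The condition expressions on pages 483 and 487 both reduce to the same operation: sum the accounting counters for a user's sessions inside a time window and compare the result with a quota. The following added example (not ClearPass code) reproduces that logic over constructed accounting records so the arithmetic behind `GetUserTraffic(86400) > 50e6 && ChangeToRole("Over-Quota")` and the 30-day `'out'` variant can be checked offline. The record field names follow the GetUserCurrentSession() return value shown on page 485; the octet counter names, the rule that a `from_time` smaller than one year is taken as "seconds before now" (the manual uses both `86400` and `$now - 86400*30` as first arguments), and the return value of the quota decision are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not ClearPass code. Record fields mirror the accounting
# columns shown on page 485; the octet counters, the relative-vs-absolute
# from_time rule and quota_decision's return value are assumptions.


@dataclass
class AcctRecord:
    username: str
    callingstationid: str
    acctstarttime: int             # UNIX timestamp
    acctstoptime: Optional[int]    # None while the session is still open
    acctinputoctets: int           # bytes uploaded by the client ('in')
    acctoutputoctets: int          # bytes downloaded by the client ('out')


NOW = 1_249_300_000  # constructed "current time" (UNIX timestamp)

# Constructed sample accounting data: one user with two recent sessions and
# one old session, plus an unrelated user with an open session.
RECORDS = [
    AcctRecord("demo@example.com", "00:01:02:44:55:66", NOW - 3_600, NOW - 600, 2_000_000, 30_000_000),
    AcctRecord("demo@example.com", "00:01:02:44:55:66", NOW - 40_000, NOW - 39_000, 1_000_000, 25_000_000),
    AcctRecord("demo@example.com", "aa:bb:cc:dd:ee:ff", NOW - 86_400 * 5, NOW - 86_400 * 5 + 900, 500_000, 900_000_000),
    AcctRecord("other@example.com", "00:01:02:44:55:66", NOW - 100, None, 0, 10_000_000),
]


def user_traffic(records, username, from_time, to_time=None, in_out=None, now=NOW):
    """Sum of octet counters for `username`'s sessions that started in
    [from_time, to_time]. A from_time below one year of seconds is treated as
    an offset before `now` (assumption); otherwise it is an absolute timestamp.
    in_out selects 'in', 'out' or both (None)."""
    if from_time < 86_400 * 365:
        from_time = now - from_time
    if to_time is None:
        to_time = now
    total = 0
    for r in records:
        if r.username != username or not (from_time <= r.acctstarttime <= to_time):
            continue
        if in_out in (None, "in"):
            total += r.acctinputoctets
        if in_out in (None, "out"):
            total += r.acctoutputoctets
    return total


def quota_decision(records, username, limit_bytes=50e6, window=86_400):
    """Equivalent of GetUserTraffic(86400) > 50e6 && ChangeToRole("Over-Quota"):
    returns the role to apply, or None when the user stays within quota."""
    if user_traffic(records, username, window) > limit_bytes:
        return "Over-Quota"
    return None


if __name__ == "__main__":
    for user in ("demo@example.com", "other@example.com"):
        print(user, user_traffic(RECORDS, user, 86_400), "bytes in 24h ->", quota_decision(RECORDS, user))
```

Note that the window test is on the session start time, so a long-running session that began before the window contributes nothing until it is stopped and re-accounted; a deployment that wants interim-update accuracy would need to evaluate against Interim-Update records as well.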
  • Page 488 Table 56 General Configuration Settings (Continued) Value Description listen.type = not set Type of packets to listen for. Allowed values are “auth” for authentication packets, and “acct” for accounting packets. hostname_lookups = off Log the names of clients or just their IP addresses, for example, www.example.com (on) or 209.97.207.76 (off).
  • Page 489: Security Configuration

    Security Configuration Table 57 Security Configuration Settings Value Description security.max_attributes = 200 The maximum number of attributes permitted in a RADIUS packet. Packets which have more than this number of attributes in them will be dropped. If this number is set too low, then no RADIUS packets will be accepted. If this number is set too high, then an attacker may be able to send a small number of packets which will cause the server to use all available memory on the machine.
  • Page 490: Snmp Query Configuration

    Table 58 Proxy Configuration Settings (Continued) Value Description proxy.dead_time = 120 If the home server does not respond to any of the multiple retries, then the RADIUS server will stop sending it proxy requests, and mark it ‘dead’. If there are multiple entries configured for this realm, then the server will failover to the next one listed.
  • Page 491: Authentication Module Configuration

    Table 59 Thread Pool Settings (Continued) Value Description thread.max_requests_per_server = 0 Set the maximum number of requests a server should handle before exiting. Zero is a special value meaning “infinity”, or “the servers never exit”. thread.max_queue_size = 65536 Set the maximum number of incoming requests which may be queued for processing.
  • Page 492: Database Module Configuration

    Table 60 Authentication Module Configuration Settings (Continued) Value Description mschap.ntlm_auth The module can perform authentication itself, or use a Windows Domain Controller. This configuration directive tells the module to call the ntlm_auth program, which will do the authentication, and return the NT-Key. Note that you MUST have “winbindd”...
  • Page 493: Table 62 Optional Eap Module Options

    The following EAP module options are usually not required, as EAP configuration can be performed using the WebUI. For EAP documentation, See “EAP and 802.1X Authentication and Certificate Management” in the RADIUS Services chapter for further details. Table 62 Optional EAP Module Options Function Description advanced.eap = 1...
  • Page 494 Table 62 Optional EAP Module Options (Continued)
    Function: module.eap_tls = no
    Description: Enables the EAP-TLS module. The following functions configure digital certificates for EAP-TLS. If the private key and certificate are located in the same file, then private_key_file and certificate_file must contain the same filename. ...
  • Page 495: Ldap Module Configuration

    Table 62 Optional EAP Module Options (Continued)
    Function: module.eap_peap = no
    Description: PEAP authentication. The PEAP module needs the TLS module to be installed and configured in order to use the TLS tunnel inside the EAP packet. You still need to configure the TLS module even if you do not want to deploy EAP-TLS in your network.
  • Page 496 Table 63 LDAP Module Settings (Continued)
    Setting: ldap.password_attribute = “nspmPassword”
    Description: To support Novell eDirectory Universal Password, this option must be set to “nspmPassword”. It retrieves the user’s plain-text password from the directory and uses it in the RADIUS server for user authentication. Because the plain-text password crosses the LDAP connection, Universal Password requires a secure (TLS) connection to the LDAP server.
  • Page 497 Table 63 LDAP Module Settings (Continued)
    Setting: ldap.tls_certfile = not set
    Description: The PEM-encoded certificate file that should be presented to clients that connect.
    Setting: ldap.tls_keyfile = not set
    Description: The PEM-encoded private key that should be used to encrypt the session.
  • Page 498: Rewrite Module Configuration

    Table 63 LDAP Module Settings (Continued)
    Setting: ldap.groupmembership_filter = not set
    Description: The filter to search for group membership of a particular user after we have found the DN for the group. Example filter: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
    Setting: ldap.groupmembership_attribute = not set
    Description: The attribute in the user entry that states the group the user belongs to.
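The %{Ldap-UserDn} reference in the example filter is expanded with a value that came from the directory, so the substitution must escape LDAP filter metacharacters or a crafted DN can change which groups match. The following is an added example, not ClearPass or FreeRADIUS code: it expands the filter quoted above with RFC 4515 escaping and checks that the result is still structurally sound. The user DNs are constructed, and raising on a missing attribute is a choice made for this example.

```python
"""Added example (not ClearPass or FreeRADIUS code): expand the
%{Ldap-UserDn} reference in an ldap.groupmembership_filter template. The
substituted DN is escaped as RFC 4515 requires, so a DN containing filter
metacharacters cannot change the structure of the search filter. The
template is the one quoted on the page; the user DNs are constructed."""
import re

# Filter from the page, as it would be set in ldap.groupmembership_filter.
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

_REF = re.compile(r"%\{([A-Za-z0-9-]+)\}")   # %{Attribute-Name} references


def escape_filter_value(value):
    """Escape one value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, attrs):
    """Replace each %{Name} with the escaped value of attrs[Name].
    A missing attribute raises rather than silently producing a broader filter."""
    def substitute(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError("no value for %%{%s}" % name)
        return escape_filter_value(attrs[name])
    return _REF.sub(substitute, template)


def parentheses_balanced(ldap_filter):
    """Cheap structural check: every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    benign = {"Ldap-UserDn": "cn=alice,ou=people,dc=example,dc=com"}
    hostile = {"Ldap-UserDn": "cn=*)(cn=*"}   # constructed: would widen the match if unescaped
    print(expand_filter(GROUP_FILTER, benign))
    print(expand_filter(GROUP_FILTER, hostile))
```

Without escaping, the hostile DN would turn the member= clause into a pair of wildcard clauses and the user would appear to belong to every group; with it, the DN is just an unusual literal that matches nothing.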
  • Page 499: List Of Standard Radius Attributes

    Table 64 Rewrite Module Configuration Settings (Continued)
    Value: module.attr_rewrite.name.searchfor = not set
    Description: A regular expression to use when determining if the attribute should be matched. See “Regular Expressions” in this chapter for information about the supported syntax for regular expressions.
  • Page 500 Service-Type: This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets.
    Framed-Protocol: This attribute indicates the framing to be used for framed access. It may be used in ...
  • Page 501: Radius Server Internal Attributes

    Acct-Terminate-Cause: This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.
    RADIUS Server Internal Attributes
    The Simultaneous-Use attribute is used by the RADIUS server during the processing of a request. This internal attribute is never returned to a NAS.
  • Page 502: Table 65 Regular Expressions For Pattern Matching

    Table 65 Regular Expressions for Pattern Matching
    Regex          Matches
    a              Any string containing the letter “a”
    ^a             Any string starting with “a”
    ^a$            Only the string “a”
    a$             Any string ending with “a”
    .              Any single character
    \.             A literal “.”
    [abc]          Any of the characters a, b, or c
    [a-z0-9A-Z]    Any alphanumeric character
    [^a-z]         ...
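Anchoring and escaping are what make a searchfor pattern match only what was intended; an unanchored pattern with an unescaped “.” rewrites values it was never meant to touch. The following is an added example serving both the rewrite module's searchfor setting and Table 65; it is not ClearPass or FreeRADIUS code. Only searchfor appears on the page: the replacewith and max_matches settings, the realm-stripping rule and the sample User-Name values are assumptions made for this example.

```python
"""Added example (not ClearPass or FreeRADIUS code): the rows of Table 65
checked against sample strings, and an attr_rewrite style rule applied to a
RADIUS attribute value. Only searchfor appears on the page; replacewith,
max_matches and the sample User-Name values are assumptions for this example."""
import re

# (regex, a string it matches, a string it does not match) for each row of Table 65
TABLE_65 = [
    (r"a",            "banana", "xyz"),
    (r"^a",           "apple",  "banana"),
    (r"^a$",          "a",      "aa"),
    (r"a$",           "banana", "apple"),
    (r".",            "z",      ""),
    (r"\.",           "1.2",    "12"),
    (r"[abc]",        "cat",    "dog"),
    (r"[a-z0-9A-Z]",  "Z9",     "!!"),
    (r"[^a-z]",       "A",      "abc"),
]


def table_rows_hold():
    """True if every Table 65 pattern matches its positive and not its negative sample."""
    return all(re.search(p, yes) is not None and re.search(p, no) is None
               for p, yes, no in TABLE_65)


def rewrite(value, searchfor, replacewith, max_matches=1):
    """Apply one rewrite rule: substitute up to max_matches occurrences of
    searchfor in value. Returns (new_value, matches_made)."""
    return re.subn(searchfor, replacewith, value, count=max_matches)


def strip_realm(user_name, realm):
    """Drop a trailing @realm from User-Name, anchored and escaped so only a true suffix goes."""
    new_value, _ = rewrite(user_name, "@" + re.escape(realm) + "$", "")
    return new_value


if __name__ == "__main__":
    print(table_rows_hold())                                    # True
    print(strip_realm("alice@example.com", "example.com"))      # alice
    print(strip_realm("bob@example.com.evil", "example.com"))   # unchanged: realm is not a suffix
    # Unescaped '.' and no anchor: the naive pattern also rewrites an unrelated name.
    print(rewrite("carol@examplexcom", "@example.com", ""))     # ('carol', 1)
```

The last line is the failure mode to watch for: the naive pattern “@example.com” treats the dots as “any character”, so a user named carol@examplexcom is silently rewritten to carol and authenticated against the wrong realm's user store.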
  • Page 503: Chapter 13 Glossary

    Chapter 13 Glossary
    802.1X: IEEE standard for port-based network access control.
    Access-Accept: Response from RADIUS server indicating successful authentication, and containing authorization information.
    Access-Reject: Response from RADIUS server indicating a user is not authorized.
    Access-Request: RADIUS packet sent to a RADIUS server requesting authorization.
    Accounting-Request: RADIUS packet type sent to a RADIUS server containing accounting...
  • Page 504 in the certificate (only the certificate authority can create valid certificates).
    Disconnect-Ack: NAS response packet to a Disconnect-Request, indicating that the session was disconnected.
    Disconnect-Nak: NAS response packet to a Disconnect-Request, indicating that the session could not be disconnected.
    Disconnect-Request: RADIUS packet type sent to a NAS requesting that a user or session be disconnected.
  • Page 505
    operator profile: Characteristics assigned to a class of operators, such as the permissions granted to those operators.
    operator/operator login: Person who uses ClearPass Guest to create guest accounts or perform system administration.
    OS X: Operating system from Apple, Inc. for desktop and laptop computers.
    over-the-air provisioning: Process used to securely provision a device and configure it with network settings;...
  • Page 506
    sponsor: See operator.
    See EAP-TLS.
    trust chain: Sequence of certificates, starting at a trusted root certificate, that establishes the identity of each certificate in the chain.
    trusted root: See root CA.
    unique device credentials: Network authentication credentials that uniquely identify the device and user and enable management of provisioned devices.
  • Page 507: Index

    Index: alphabetical topic index with page references (pages 507 through 518).
    ClearPass Guest 3.9 | Deployment Guide
