Dell PowerConnect W-ClearPass Hardware Appliances Deployment Guide, Guest 6.0 (PDF, 320 pages)
Dell Networking W-ClearPass Guest 6.0 Deployment Guide

Copyright © 2013 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.

Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source

Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.
Contents

About this Guide (p. 13)
- Audience (p. 13)
- Conventions (p. 13)
- Contacting Support (p. 14)

Dell Networking W-ClearPass Guest Overview (p. 15)
- About Dell Networking W-ClearPass Guest (p. 15)
- Visitor Access Scenarios (p. 16)
- Reference Network Diagram (p. 16)
- Key Interactions (p. 17)
- AAA Framework (p. 18)
- Key Features (p. 19)
- Visitor Management Terminology (p. 20)
- ClearPass Guest Deployment Process (p. 21)
- Operational Concerns (p. 21)
- Network Provisioning (p. 21)
- Site Preparation Checklist (p. 22)
- Security Policy Considerations (p. 23)
- AirGroup Deployment Process (p. 23)
- Documentation and User Assistance (p. 24)
- Deployment Guide and Online Help (p. 24)
- Context-Sensitive Help (p. 24)
- Field Help (p. 25)
- Quick Help (p. 25)
- If You Need More Assistance (p. 25)
- Use of Cookies (p. 25)

Guest Manager (p. 27)
- Accessing Guest Manager (p. 27)
- About Guest Management Processes (p. 28)
- Sponsored Guest Access (p. 28)
- Self Provisioned Guest Access (p. 28)
- Using Standard Guest Management Features (p. 29)
- Creating a Guest Account (p. 29)
- Creating a Guest Account Receipt (p. 30)
- Creating Multiple Guest Accounts (p. 30)
- Creating Multiple Guest Account Receipts (p. 31)
- Creating a Single Password for Multiple Accounts (p. 32)
- Managing Guest Accounts (p. 34)
- Managing Multiple Guest Accounts (p. 38)
- Importing Guest Accounts (p. 40)
- Exporting Guest Account Information (p. 43)
- About CSV and TSV Exports (p. 43)
- About XML Exports (p. 43)
- MAC Authentication in ClearPass Guest (p. 44)
- MAC Address Formats (p. 44)
- Managing Devices (p. 44)
- Changing a Device's Expiration Date (p. 46)
- Disabling and Deleting Devices (p. 47)
- Activating a Device (p. 47)
- Editing a Device (p. 47)
- Viewing Current Sessions for a Device (p. 49)
- Viewing and Printing Device Details (p. 49)
- MAC Creation Modes (p. 49)
- Creating Devices Manually in ClearPass Guest (p. 50)
- Creating Devices During Self-Registration - MAC Only (p. 51)
- Creating Devices During Self-Registration - Paired Accounts (p. 52)
- AirGroup Device Registration (p. 53)
- Registering Groups of Devices or Services (p. 53)
- Registering Personal Devices (p. 55)
- Automatically Registering MAC Devices in ClearPass Policy Manager (p. 56)
- Importing MAC Devices (p. 57)
- Advanced MAC Features (p. 57)
- 2-Factor Authentication (p. 57)
- MAC-Based Derivation of Role (p. 57)
- User Detection on Landing Pages (p. 58)
- Click-Through Login Pages (p. 58)
- Active Sessions Management (p. 59)
- Session States (p. 60)
- RFC 3576 Dynamic Authorization (p. 61)
- Filtering the List of Active Sessions (p. 61)
- Disconnecting Multiple Active Sessions (p. 62)
- Sending Multiple SMS Alerts (p. 63)
- About SMS Guest Account Receipts (p. 63)

Onboard (p. 65)
- Accessing Onboard (p. 65)
- About ClearPass Onboard (p. 65)
- Onboard Deployment Checklist (p. 66)
- Onboard Feature List (p. 67)
- Supported Platforms (p. 68)
- Public Key Infrastructure for Onboard (p. 68)
- Certificate Hierarchy (p. 69)
- Certificate Configuration in a Cluster (p. 70)
- Revoking Unique Device Credentials (p. 70)
- Revoking Credentials to Prevent Network Access (p. 70)
- Re-Provisioning a Device (p. 71)
- Network Requirements for Onboard (p. 71)
- Using Same SSID for Provisioning and Provisioned Networks (p. 71)
- Using Different SSID for Provisioning and Provisioned Networks (p. 71)
- Configuring Online Certificate Status Protocol (p. 72)
- Configuring Certificate Revocation List (CRL) (p. 72)
- Network Architecture for Onboard (p. 72)
- Network Architecture for Onboard when Using ClearPass Guest (p. 74)
- The ClearPass Onboard Process (p. 75)
- Devices Supporting Over-the-Air Provisioning (p. 75)
- Devices Supporting Onboard Provisioning (p. 76)
- Managing Provisioned Applications (p. 78)
- Configuring the User Interface for Device Provisioning (p. 79)
- Customizing the Device Provisioning Web Login Page (p. 79)
- Using the {nwa_mdps_config} Template Function (p. 80)
- Configuring the Certificate Authority (p. 81)
- Setting Up the Certificate Authority (p. 81)
- Setting Up a Root Certificate Authority (p. 82)
- Setting Up an Intermediate Certificate Authority (p. 84)
- Obtaining a Certificate for the Certificate Authority (p. 86)
- Using Microsoft Active Directory Certificate Services (p. 86)
- Installing a Certificate Authority's Certificate (p. 88)
- Renewing the Certificate Authority's Certificate (p. 90)
- Configuring Data Retention Policy for Certificates (p. 90)
- Uploading Certificates for the Certificate Authority (p. 91)
- Creating a Certificate (p. 93)
- Specifying the Identity of the Certificate Subject (p. 93)
- Issuing the Certificate Request (p. 95)
- Managing Certificates (p. 95)
- Searching for Certificates in the List (p. 96)
- Working with Certificates in the List (p. 97)
- Working with Certificate Signing Requests (p. 99)
- Importing a Code-Signing Certificate (p. 101)
- Importing a Trusted Certificate (p. 103)
- Requesting a Certificate (p. 104)
- Providing a Certificate Signing Request in Text Format (p. 104)
- Providing a Certificate Signing Request File (p. 105)
- Specifying Certificate Properties (p. 106)
- Configuring Provisioning Settings (p. 106)
- Configuring Basic Provisioning Settings (p. 107)
- Configuring Certificate Properties for Device Provisioning (p. 107)
- Configuring Revocation Checks and Authorization (p. 109)
- Configuring Provisioning Settings for iOS and OS X (p. 110)
- Configuring Instructions for iOS and OS X (p. 111)
- Configuring Reconnect Behavior for iOS and OS X (p. 111)
- Configuring Provisioning Settings for Legacy OS X Devices (p. 112)
- Configuring Provisioning Settings for Windows Devices (p. 113)
- Configuring Provisioning Settings for Android Devices (p. 114)
- Configuring Options for Legacy OS X, Windows, and Android Devices (p. 116)
- Configuring Network Settings for Device Provisioning (p. 117)
- Configuring Basic Network Access Settings (p. 118)
- Configuring 802.1X Authentication Network Settings (p. 120)
- Configuring Device Authentication Settings (p. 121)
- Configuring Mutual Authentication Settings (p. 122)
- Configuring Trust Settings Automatically (p. 122)
- Configuring Trust Settings Manually (p. 123)
- Configuring Windows-Specific Network Settings (p. 124)
- Configuring Proxy Settings (p. 125)
- Configuring an iOS Device VPN Connection (p. 125)
- Configuring an iOS Device Email Account (p. 127)
- Configuring an iOS Device Passcode Policy (p. 129)
- Resetting Onboard Certificates and Configuration (p. 130)
- Onboard Troubleshooting (p. 131)

Configuration (p. 133)
- Accessing Configuration (p. 133)
- Configuring ClearPass Guest Authentication (p. 134)
- Content Manager (p. 134)
- Uploading Content (p. 135)
- Downloading Content (p. 135)
- Additional Content Actions (p. 136)
- Customizing Guest Manager (p. 137)
- Default Settings for Account Creation (p. 137)
- About Fields, Forms, and Views (p. 141)
- Business Logic for Account Creation (p. 141)
- Verification Properties (p. 141)
- Basic User Properties (p. 141)
- Visitor Account Activation Properties (p. 142)
- Visitor Account Expiration Properties (p. 142)
- Other Properties (p. 143)
- Standard Forms and Views (p. 143)
- Customizing Fields (p. 145)
- Creating a Custom Field (p. 145)
- Duplicating a Field (p. 147)
- Editing a Field (p. 147)
- Deleting a Field (p. 147)
- Displaying Forms that Use a Field (p. 147)
- Displaying Views that Use a Field (p. 147)
- Customizing AirGroup Registration Forms (p. 147)
- Configuring the Shared Locations and Shared Role Fields (p. 147)
- Example (p. 149)
- Customizing Forms and Views (p. 150)
- Editing Forms and Views (p. 151)
- Duplicating Forms and Views (p. 151)
- Editing Forms (p. 152)
- Form Field Editor (p. 152)
- Form Validation Properties (p. 162)
- Examples of Form Field Validation (p. 163)
- Advanced Form Field Properties (p. 165)
- Form Field Validation Processing Sequence (p. 166)
- Editing Views (p. 169)
- View Field Editor (p. 169)
- Customizing Self-Provisioned Access (p. 171)
- Self-Registration Sequence Diagram (p. 171)
- Creating a Self-Registration Page (p. 172)
- Editing Self-Registration Pages (p. 173)
- Configuring Basic Properties for Self-Registration (p. 174)
- Using a Parent Page (p. 174)
- Paying for Access (p. 175)
- Requiring Operator Credentials (p. 175)
- Editing Registration Page Properties (p. 176)
- Editing the Default Self-Registration Form Settings (p. 177)
- Creating a Single Password for Multiple Accounts (p. 177)
- Editing Guest Receipt Page Properties (p. 178)
- Editing Receipt Actions (p. 178)
- Enabling Sponsor Confirmation for Role Selection (p. 179)
- Editing Download and Print Actions for Guest Receipt Delivery (p. 181)
- Editing Email Delivery of Guest Receipts (p. 181)
- Editing SMS Delivery of Guest Receipts (p. 182)
- Enabling and Editing NAS Login Properties (p. 183)
- Editing Login Page Properties (p. 184)
- Self-Service Portal Properties (p. 186)
- Resetting Passwords with the Self-Service Portal (p. 187)
- Email Receipts and SMTP Services (p. 189)
- About Email Receipts (p. 189)
- Configuring Email Receipts (p. 190)
- Email Receipt Options (p. 190)
- About Customizing SMTP Email Receipt Fields (p. 192)
- Customizing Print Templates (p. 194)
- Creating New Print Templates (p. 194)
- Print Template Wizard (p. 196)
- Modifying Wizard-Generated Templates (p. 196)
- Setting Print Template Permissions (p. 197)
- Customize SMS Receipt (p. 198)
- SMS Receipt Fields (p. 199)
- Configuring Access Code Logins (p. 199)
- Customize Random Username and Passwords (p. 199)
- Create the Print Template (p. 199)
- Customize the Guest Accounts Form (p. 201)
- Create the Access Code Guest Accounts (p. 201)

Hotspot Manager (p. 203)
- Accessing Hotspot Manager (p. 203)
- About Hotspot Management (p. 203)
- Managing the Hotspot Sign-up Interface (p. 204)
- Captive Portal Integration (p. 205)
- Web Site Look-and-Feel (p. 206)
- SMS Services (p. 206)
- Managing Hotspot Plans (p. 206)
- Editing or Creating a Hotspot Plan (p. 207)
- Managing Transaction Processors (p. 209)
- Creating a New Transaction Processor (p. 209)
- Managing Existing Transaction Processors (p. 210)
- Managing Customer Information (p. 210)
- Managing Hotspot Invoices (p. 210)
- Customizing the User Interface (p. 211)
- Customizing Visitor Sign-Up Page One (p. 212)
- Customizing Visitor Sign-Up Page Two (p. 212)
- Customizing Visitor Sign-Up Page Three (p. 215)
- Viewing the Hotspot User Interface (p. 217)

Administration (p. 219)
- AirGroup Services (p. 220)
- Configuring the AirGroup Services Plugin (p. 220)
- Creating AirGroup Administrators (p. 221)
- Creating AirGroup Operators (p. 221)
- Authenticating AirGroup Users via LDAP (p. 221)
- Data Retention (p. 221)
- Import Configuration (p. 222)
- Plugin Manager (p. 223)
- Viewing Available Plugins (p. 223)
- Configuring Plugins (p. 224)
- Configuring the Kernel Plugin (p. 225)
- Configuring the Dell W-ClearPass Skin Plugin (p. 226)
- Configuring the SMS Services Plugin (p. 227)
- SMS Services (p. 228)
- Viewing SMS Gateways (p. 228)
- Creating a New SMS Gateway (p. 229)
- Editing an SMS Gateway (p. 231)
- Sending an SMS (p. 232)
- About SMS Credits (p. 233)
- About SMS Guest Account Receipts (p. 233)
- SMS Receipt Options (p. 234)
- Working with the SMTP Carrier List (p. 234)
- Support Services (p. 236)
- Viewing the Application Log (p. 237)
- Exporting the Application Log (p. 238)
- Contacting Support (p. 239)
- Viewing Documentation (p. 239)

Operator Logins (p. 241)
- Accessing Operator Logins (p. 241)
- About Operator Logins (p. 241)
- Role-Based Access Control for Multiple Operator Profiles (p. 242)
- Operator Profiles (p. 242)
- Creating an Operator Profile (p. 242)
- Configuring the User Interface (p. 245)
- Customizing Forms and Views (p. 245)
- Operator Profile Privileges (p. 246)
- Managing Operator Profiles (p. 247)
- Configuring AirGroup Operator Device Limit (p. 247)
- Local Operator Authentication (p. 247)
- Creating a New Operator (p. 248)
- External Operator Authentication (p. 248)
- Manage LDAP Operator Authentication Servers (p. 249)
- Creating an LDAP Server (p. 249)
- Advanced LDAP URL Syntax (p. 251)
- Viewing the LDAP Server List (p. 251)
- LDAP Operator Server Troubleshooting (p. 252)
- Testing Connectivity (p. 252)
- Testing Operator Login Authentication (p. 252)
- Looking Up Sponsor Names (p. 253)
- Troubleshooting Error Messages (p. 253)
- LDAP Translation Rules (p. 254)
- Custom LDAP Translation Processing (p. 256)
- Operator Logins Configuration (p. 257)
- Custom Login Message (p. 258)
- Advanced Operator Login Options (p. 259)
- Automatic Logout (p. 259)

Reference (p. 261)
- Basic HTML Syntax (p. 261)
- Standard HTML Styles (p. 262)
- Smarty Template Syntax (p. 264)
- Basic Template Syntax (p. 264)
- Text Substitution (p. 264)
- Template File Inclusion (p. 264)
- Comments (p. 264)
- Variable Assignment (p. 264)
- Conditional Text Blocks (p. 264)
- Script Blocks (p. 265)
- Repeated Text Blocks (p. 265)
- Foreach Text Blocks (p. 265)
- Modifiers (p. 266)
- Predefined Template Functions (p. 266)
- dump (p. 266)
- nwa_commandlink (p. 267)
- nwa_iconlink (p. 267)
- nwa_icontext (p. 268)
- nwa_quotejs (p. 269)
- nwa_radius_query (p. 269)
- ChangeToRole() (p. 270)
- GetCallingStationCurrentSession() (p. 270)
- GetCallingStationSessions() (p. 270)
- GetCallingStationTime() (p. 270)
- GetCallingStationTraffic() (p. 271)
- GetCurrentSession() (p. 271)
- GetIpAddressCurrentSession() (p. 272)
- GetIpAddressSessions() (p. 272)
- GetIpAddressTime() (p. 272)
- GetIpAddressTraffic() (p. 272)
- GetSessions() (p. 273)
- GetSessionTimeRemaining() (p. 273)
- GetTime() (p. 273)
- GetTraffic() (p. 274)
- GetUserActiveSessions() (p. 274)
- GetUserActiveSessionCount() (p. 274)
- GetUserCumulativeUsage() (p. 274)
- GetUserCurrentSession() (p. 274)
- GetUserFirstLoginTime() (p. 274)
- GetUserSessions() (p. 275)
- GetUserTraffic() (p. 275)
- Advanced Developer Reference (p. 275)
- nwa_assign (p. 275)
- nwa_bling (p. 275)
- nwa_makeid (p. 276)
- nwa_nav (p. 276)
- nwa_plugin (p. 277)
- nwa_privilege (p. 278)
- nwa_replace (p. 278)
- nwa_text (p. 278)
- nwa_userpref (p. 279)
- nwa_youtube (p. 279)
- Date/Time Format Syntax (p. 279)
- nwadateformat Modifier (p. 279)
- nwatimeformat Modifier (p. 280)
- Date/Time Format String Reference (p. 281)
- Programmer's Reference (p. 282)
- NwaAlnumPassword (p. 282)
- NwaBoolFormat (p. 282)
- NwaByteFormat (p. 283)
- NwaByteFormatBase10 (p. 283)
- NwaComplexPassword (p. 283)
- NwaCsvCache (p. 283)
- NwaDigitsPassword($len) (p. 283)
- NwaDynamicLoad (p. 283)
- NwaGeneratePictureString (p. 283)
- NwaGenerateRandomPasswordMix (p. 284)
- NwaLettersDigitsPassword (p. 284)
- NwaLettersPassword (p. 284)
- NwaMoneyFormat (p. 284)
- NwaParseCsv (p. 284)
- NwaParseXml (p. 285)
- NwaPasswordByComplexity (p. 285)
- NwaSmsIsValidPhoneNumber (p. 286)
- NwaStrongPassword (p. 286)
- NwaVLookup (p. 286)
- NwaWordsPassword (p. 287)
- Field, Form, and View Reference (p. 287)
- GuestManager Standard Fields (p. 287)
- Hotspot Standard Fields (p. 294)
- SMS Services Standard Fields (p. 295)
- SMTP Services Standard Fields (p. 296)
- Format Picture String Symbols (p. 297)
- Form Field Validation Functions (p. 298)
- Form Field Conversion Functions (p. 301)
- Form Field Display Formatting Functions (p. 301)
- View Display Expression Technical Reference (p. 303)
- LDAP Standard Attributes for User Class (p. 304)
- Regular Expressions (p. 305)

Glossary (p. 307)

Index (p. 311)

Chapter 1: About this Guide

Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access.

Audience
This deployment guide is intended for system administrators and people who are installing and configuring Dell Networking W-ClearPass Guest as their visitor management solution. It describes the installation and configuration process.
Conventions
The following conventions are used throughout this guide to emphasize important concepts:

Table 1: Typographical Conventions
- Italics: This style is used to emphasize important terms and to mark the titles of books.
- System items: This fixed-width font depicts the following: sample screen output; system prompts; filenames, software devices, and specific commands when mentioned in the text.
- Commands: In the command examples, this bold font depicts text that you must type exactly as shown. In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:
  # send
  In this example, you would type "send" at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.
- [Optional]: Command examples enclosed in brackets are optional. Do not type the brackets.
- {Item A | Item B}: In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

The following informational icons are used throughout this guide:
- NOTE: Indicates helpful suggestions, pertinent information, and important things to remember.
- CAUTION: Indicates a risk of damage to your hardware or loss of data.
- WARNING: Indicates a risk of personal injury or death.
Contacting Support
- Main Website: dell.com
- Support Website: dell.com/support
- Documentation Website: dell.com/support/manuals

Chapter 2: Dell Networking W-ClearPass Guest Overview

This chapter explains the terms, concepts, processes, and equipment involved in managing visitor access to a network, and helps you understand how Dell Networking W-ClearPass Guest can be successfully integrated into your network infrastructure. It is intended for network architects, IT administrators, and security consultants who are planning to deploy visitor access, or who are in the early stages of deploying a visitor access solution.

This chapter includes the following sections:
- "About Dell Networking W-ClearPass Guest" on page 15
- "Visitor Access Scenarios" on page 16
- "Reference Network Diagram" on page 16
- "Key Interactions" on page 17
- "AAA Framework" on page 18
- "Key Features" on page 19
- "Visitor Management Terminology" on page 20
- "ClearPass Guest Deployment Process" on page 21
- "AirGroup Deployment Process" on page 23
- "Documentation and User Assistance" on page 24
- "Use of Cookies" on page 25

About Dell Networking W-ClearPass Guest
Dell Networking W-ClearPass Guest provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. It gives your non-technical staff controlled access to a dedicated visitor management user database. Through a customizable Web portal, your staff can easily create an account, reset a password, or set an expiry time for visitors. Access permissions to ClearPass Guest functions are controlled through an operator profile that can be integrated with an LDAP server or Active Directory login.

Visitors can be registered at reception and provisioned with an individual guest account that defines their visitor profile and the duration of their visit.
The visitor can be given a printed customized receipt with account details, or the receipt can be delivered wirelessly using the integrated SMS services. Companies are also able to pre-generate custom scratch cards, each with a defined network access time, which can then be handed out in a corporate environment or sold in public access scenarios.

You can use the customization features to define settings that allow your visitors to self-provision their own guest accounts. Visitors register through a branded and customized Web portal, ensuring a streamlined and professional experience. Surveys can also be presented during the self-registration process and the data stored for later analysis and reporting, providing additional insight into your visitors and their network usage.

ClearPass Guest integrates with all leading wireless and NAC solutions through a flexible definition point, ClearPass Policy Manager. This ensures that IT administrators have a standard integration with the network security framework, but gives operational staff the user interface they require.

Visitor Access Scenarios
The following figure shows a high-level representation of a typical visitor access scenario.

Figure 1: Visitor access using ClearPass Guest

In this scenario, visitors are using their own mobile devices to access a corporate wireless network. Because access to the network is restricted, visitors must first obtain a username and password. A guest account may be provisioned by a corporate operator such as a receptionist, who can then give the visitor a printed receipt that shows their username and password for the network.

When visitors use self-registration, as might be the case for a network offering public access, the process is broadly similar but does not require a corporate operator to create the guest account.
The username and password for a self-provisioned guest account may be delivered directly to the visitor's Web browser, or sent via SMS or email.

Reference Network Diagram
The following figure shows the network connections and protocols used by ClearPass Guest.

Figure 2: Reference network diagram for visitor access

The network administrator, operators, and visitors may use different network interfaces to access the visitor management features. The exact topology of the network and the connections made to it will depend on the type of network access offered to visitors and the geographical layout of the access points.

Key Interactions
The following figure shows the key interactions between ClearPass Guest and the people and other components involved in providing guest access.

Figure 3: Interactions involved in guest access

ClearPass Guest is part of your network's core infrastructure and manages guest access to the network. NAS devices, such as wireless access points and wired switches on the edge of the network, use the RADIUS protocol to ask ClearPass Policy Manager to authenticate the username and password provided by a guest logging in to the network. If authentication is successful, the guest is then authorized to access the network.

Roles are assigned to a guest as part of the context ClearPass Policy Manager uses to apply its policies. RADIUS attributes that define a role's access permissions are contained within Policy Manager's Enforcement Profile. Additional features such as role mapping for ClearPass Guest can be performed in ClearPass Policy Manager.

The network usage of authorized guests is monitored by the NAS and reported in summary form to ClearPass Policy Manager using RADIUS accounting, which allows administrators to generate network reports in ClearPass Insight.
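The RADIUS exchange just described, as an added example that is not part of this guide or of the ClearPass product code: a NAS builds an Access-Request carrying the guest's User-Name and a User-Password hidden under the shared secret (RFC 2865), a stand-in for Policy Manager checks a constructed guest database and returns the role as a vendor-specific attribute, and the NAS verifies the Response Authenticator before enforcing the role. The Aruba-User-Role VSA numbers (enterprise 14823, vendor type 1) are taken from the public Aruba RADIUS dictionary and are an assumption here; the guest database entries and the shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
# Aruba-User-Role VSA: IANA enterprise number 14823, vendor type 1. Taken from the
# public Aruba RADIUS dictionary, not from this guide (assumption).
ARUBA_VENDOR_ID, ARUBA_USER_ROLE = 14823, 1

# Constructed stand-in for the guest user database that ClearPass Guest maintains
GUEST_DB = {
    "visitor01": {"password": "Welcome-2013", "role": "guest", "enabled": True},
    "visitor02": {"password": "Expired-Pass", "role": "guest", "enabled": False},
}

def _xor_blocks(data, secret, authenticator, chain_on_output):
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if chain_on_output else block  # hiding chains on ciphertext, revealing on input
    return out

def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, request_auth, chain_on_output=True)

def reveal_password(hidden, secret, request_auth):
    return _xor_blocks(hidden, secret, request_auth, chain_on_output=False).rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def aruba_role_vsa(role):
    inner = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(role)) + role
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs

def nas_build_access_request(username, password, secret, ident=1):
    """The NAS hides the guest password under the shared secret and a fresh
    16-byte Request Authenticator."""
    request_auth = os.urandom(16)
    body = attr(ATTR_USER_NAME, username.encode()) + attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def policy_manager_respond(request, secret, guest_db=GUEST_DB):
    """Stand-in for Policy Manager: check the guest account, answer Access-Accept with
    the role as an Aruba-User-Role VSA or Access-Reject, and sign the reply with
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    username = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(fields.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    entry = guest_db.get(username)
    if entry and entry["enabled"] and hmac.compare_digest(entry["password"].encode(), password):
        code, body = ACCESS_ACCEPT, aruba_role_vsa(entry["role"].encode())
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def nas_handle_response(request, response, secret):
    """The NAS verifies the Response Authenticator before applying the decision.
    Returns None when the reply does not verify (mismatched shared secret or a
    tampered packet); otherwise the decision and the role to enforce."""
    _, _, request_auth, _ = parse_packet(request)
    code, _, response_auth, attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None
    role = None
    for atype, value in attrs:
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) > 6
                and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID
                and value[4] == ARUBA_USER_ROLE):
            role = value[6:].decode()
    return {"accepted": code == ACCESS_ACCEPT, "role": role}

def guest_login(username, password, nas_secret, server_secret=None):
    """Run the whole exchange; server_secret models a shared-secret mismatch."""
    server_secret = nas_secret if server_secret is None else server_secret
    request = nas_build_access_request(username, password, nas_secret)
    response = policy_manager_respond(request, server_secret)
    return nas_handle_response(request, response, nas_secret)
```

With a mismatched shared secret the server cannot recover the password and the NAS rejects the reply outright, which is why the checklist below asks about the shared secret format.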
AAA Framework
ClearPass Guest is built on the industry standard AAA framework, which consists of authentication, authorization, and accounting components. The following figure shows how the different components of this framework are employed in a guest access scenario.

Figure 4: Sequence diagram for network access using AAA

In the standard AAA framework, network access is provided to a user according to the following process:
- The user connects to the network by associating with a local access point [1].
- A landing page is displayed to the user [2], which allows them to log in to the NAS [3], [4] using the login name and password of their guest account.
- The NAS authenticates the user with the RADIUS protocol [5].
- ClearPass Policy Manager determines whether the user is authorized and, if so, returns vendor-specific attributes [6] that are used to configure the NAS based on the user's role and other policies [7].
- If the user's access is granted, the NAS permits the guest access to the network based on the settings provided by the ClearPass Policy Manager server.
- The NAS reports details about the user's session to the ClearPass Policy Manager server using RADIUS accounting messages [8].
- After the user's session times out [9], the NAS returns the user to an unauthorized state and finalizes the details of the user's session with an accounting update [10].

Key Features
Refer to the table below for a list of key features and a cross-reference to the relevant section of this deployment guide.
Table 2: List of Key Features

Visitor Access
- Web server providing content delivery for guests: "Content Manager" on page 134
- Guest self-registration: "Customizing Self-Provisioned Access" on page 171

Visitor Management
- Create and manage visitor accounts, individually or in groups: "Using Standard Guest Management Features" on page 29
- Manage active RADIUS sessions using RFC 3576 dynamic authorization support: "Active Sessions Management" on page 59
- Import and export visitor accounts: "Importing Guest Accounts" on page 40
- Create guest self-registration forms: "Creating a Self-Registration Page" on page 172
- Configure a self-service portal for guests: "Self-Service Portal Properties" on page 186
- Local printer, SMS or email delivery of account receipts: "Editing Guest Receipt Page Properties" on page 178

Visitor Account Features
- Independent activation time, expiration time, and maximum usage time: "Business Logic for Account Creation" on page 141
- Define unlimited custom fields: "Customizing Fields" on page 145
- Username up to 64 characters: "GuestManager Standard Fields" on page 287

Customization Features
- Create new fields and forms for visitor management: "Customizing Forms and Views" on page 150
- Use built-in data validation to implement visitor survey forms: "Form Validation Properties" on page 162
- Create print templates for visitor account receipts: "Editing Guest Receipt Page Properties" on page 178

Administrative Management Features
- Operators defined and authenticated locally: "Local Operator Authentication" on page 247
- Operators authenticated via LDAP: "External Operator Authentication" on page 248
- Role based access control for operators: "Operator Profiles" on page 242
- Plugin-based application features, automatically updated by ClearPass Policy Manager: "Plugin Manager" on page 223

User Interface Features
- Context-sensitive help with searchable online documentation: "Documentation and User Assistance" on page 24

Visitor Management Terminology
The following table describes the common terms used in ClearPass Guest and this guide.

Table 3: Common Terms
- Accounting: Process of recording summary information about network access by users and devices.
- Authentication: Verification of a user's credentials; typically a username and password.
- Authorization: Controls the type of access that an authenticated user is permitted to have.
- Captive Portal: Implemented by a Network Access Server to restrict network access to authorized users only.
- Field: In a user interface or database, a single item of information about a user account.
- Form: In a user interface, a collection of editable fields displayed to an operator.
- Network Access Server: Device that provides network access to users, such as a wireless access point, network switch, or dial-in terminal server. When a user connects to the NAS device, a RADIUS access request is generated by the NAS.
- Operator Profile: Characteristics assigned to a class of operators, such as the permissions granted to those operators.
- Operator/Operator Login: User of ClearPass Guest to create guest accounts or perform system configuration.
- Print Template: Formatted template used to generate guest account receipts.
- Role: Type of access being granted to visitors. You can define multiple roles. Such roles could include employee, guest, team member, or press.
- Sponsor: Operator
- User Database: Database listing the guest accounts in ClearPass Guest.
- View: In a user interface, a table displaying data, such as visitor account information, to operators.
- Visitor/Guest: Someone who is permitted to access the Internet through your Network Access Server.
- Visitor Account: Settings for a visitor stored in the user database, including username, password and other fields.
- Web Login/NAS Login: Login page displayed to a guest user.

ClearPass Guest Deployment Process
As part of your preparations for deploying a visitor management solution, you should consider the following areas:
- Management decisions about security policy
- Decisions about the day-to-day operation of visitor management
- Technical decisions related to network provisioning

Operational Concerns
When deploying a visitor management solution, you should consider these operational concerns:
- Who is going to be responsible for managing guest accounts? What privileges will the guest account manager have? Will this person only create guest accounts or will this person also be permitted access to reports?
- Do you want guests to be able to self-provision their own network access? What settings should be applied to self-provisioned visitor accounts?
- How will operator logins be provisioned? Should operators be authenticated against an LDAP server?
- Who will manage reporting of guest access? What are the reports of interest? Are any custom reports needed?

Network Provisioning
Deploying ClearPass Guest requires provisioning the following:
- Physical location: rack space, power and cooling requirements; or deployment using virtualization
- Network connectivity: VLAN selection, IP address, and hostname
- Security infrastructure: SSL certificate

Site Preparation Checklist
The following is a checklist of the items that should be considered when setting up ClearPass Guest.

Table 4: Site Preparation Checklist

Security Policy
- Segregated guest accounts?
- Type of network access?
- Time of day access?
- Bandwidth allocation to guests?
- Prioritization of traffic?
- Different guest roles?
- IP address ranges for operators?
- Enforce access via HTTPS?

Operational Concerns
- Who will manage guest accounts?
- Guest account self provisioning?
- What privileges will the guest managers have?
- Who will be responsible for printing reports?

Network Management Policy
- Password format for guest accounts?
- Shared secret format?
- Operator provisioning?

Network Provisioning
- Physical location?
- Network connectivity?
- Security infrastructure?

Security Policy Considerations
To ensure that your network remains secure, decisions have to be made regarding guest access:
- Do you wish to segregate guest access? Do you want a different VLAN, or different physical network infrastructure to be used by your guests?
- What resources are you going to make available to guests (for example, type of network access; permitted times of day; bandwidth allocation)?
- Will guest access be separated into different roles? If so, what roles are needed?
- How will you prioritize traffic on the network to differentiate quality of service for guest accounts and non-guest accounts?
- What will be the password format for guest accounts? Will you be changing this format on a regular basis?
- What requirements will you place on the shared secret between the NAS and the RADIUS server to ensure network security is not compromised?
- What IP address ranges will operators be using to access the server?
- Should HTTPS be required in order to access the visitor management server?

AirGroup Deployment Process
AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. You use ClearPass Guest to define AirGroup administrators and operators. AirGroup administrators can then use ClearPass Guest to register and manage an organization's shared devices and configure access according to username, role, or location. AirGroup operators (end users) can use ClearPass Guest to register their personal devices and define the group who can share them.

Table 5 summarizes the steps for configuring AirGroup functionality in ClearPass Guest.
Details for these steps are provided in the relevant sections of this Guide. This table does not include the configuration steps performed in ClearPass Policy Manager or the W-Series controller. For complete AirGroup deployment information, refer to the AirGroup Deployment Guide and the ClearPass Policy Manager documentation.

Table 5: Summary of AirGroup Configuration Steps in ClearPass Guest

Step | Section in this Guide
Create AirGroup administrators | "Creating a New Operator" on page 248
Create AirGroup operators | "Creating a New Operator" on page 248
Configure an operator's device limit | "Configuring AirGroup Operator Device Limit" on page 247
To authenticate AirGroup users via LDAP: define the LDAP server | "External Operator Authentication" on page 248
To authenticate AirGroup users via LDAP: define appropriate translation rules | "LDAP Translation Rules" on page 254
AirGroup administrator: register devices or groups of devices | "AirGroup Device Registration" on page 53
AirGroup operator: register personal devices | "AirGroup Device Registration" on page 53
(Optional) Configure the device registration form with drop-down lists for existing locations and roles | "Customizing AirGroup Registration Forms" on page 147

Documentation and User Assistance

This section describes the variety of user assistance available for ClearPass Guest.

Deployment Guide and Online Help

This Deployment Guide provides complete information for all ClearPass Guest features. The following quick links may be useful in getting started.

Table 6: Quick Links

For information about... | Refer to...
What visitor management is and how it works | "About Dell Networking W-ClearPass Guest" on page 15
Using the guest management features | "Using Standard Guest Management Features" on page 29
Role-based access control for operators | "Operator Profiles" on page 242
Setting up LDAP authentication for operators | "External Operator Authentication" on page 248
Guest self-provisioning features | "Self Provisioned Guest Access" on page 28
Dynamic authorization extensions | "RFC 3576 Dynamic Authorization" on page 61
SMS receipts for guest accounts | "SMS Services" on page 228
Email receipts for guest accounts | "Email Receipts and SMTP Services" on page 189
Network administration of the appliance | "Administration" on page 219

Context-Sensitive Help

For more detailed information about the area of the application you are using, click the context-sensitive Help link displayed at the top right of the page. This opens a new browser tab showing the relevant section of this deployment guide. The deployment guide may be searched using the Search box in the top right corner. Type in keywords related to your search and click the Search button to display a list of matches. The most relevant matches will be displayed first. Words may be excluded from the search by typing a minus sign directly before the word to exclude (for example, -exclude). Exact phrase matches may also be searched for by enclosing the phrase in double quotes (for example, "word phrase").

Field Help

The ClearPass Guest user interface has field help built into every form. The field help provides a short summary of the purpose of the field at the point you need it most. In many cases this is sufficient to use the application without further assistance or training.
Quick Help

In list views, click the Quick Help tab located at the top left of the list to display additional information about the list you are viewing and the actions that are available within the list. On some forms and views, the Quick Help icon may also be used to provide additional detail about a field.

If You Need More Assistance

If you encounter a problem using ClearPass Guest, your first step should be to consult the appropriate section in this Deployment Guide. If you cannot find an answer here, the next step is to contact your reseller. The reseller can usually provide you with the answer or obtain a solution to your problem. If you still need information, you can refer to the Contact Support command available under Support Services in the user interface, or see "Contacting Support" on page 14.

Use of Cookies

Cookies are small text files that are placed on a user's computer by Web sites the user visits. They are widely used in order to make Web sites work, or work more efficiently, as well as to provide information to the owners of a site. Session cookies are temporary cookies that last only for the duration of one user session. When a user registers or logs in via a W-Series captive portal, Dell uses session cookies solely to remember between clicks who a guest or operator is. Dell uses this information in a way that does not identify any user-specific information, and does not make any attempt to find out the identities of those using its W-Series ClearPass products. Dell does not associate any data gathered by the cookie with any personally identifiable information (PII) from any source. Dell uses session cookies only during the user's active session and does not store any permanent cookies on a user's computer. Session cookies are deleted when the user closes the Web browser.
Chapter 3: Guest Manager

The ability to easily create and manage guest accounts is the primary function of Dell Networking W-ClearPass Guest. The Guest Manager module provides complete control over the user account creation process. Guest Manager features for managing guest accounts let you:
- Create single or multiple guest accounts and receipts
- List guest accounts and edit individual or multiple accounts
- View and manage active sessions
- Import new accounts from a text file
- Export a list of accounts
- View MAC devices
- Create new MAC devices

Many features can also be customized. For information on customizing Guest Manager settings, forms and views, guest self-registration, and print templates, see "Configuration" on page 133.

Accessing Guest Manager

To access Dell Networking W-ClearPass Guest's guest management features, click the Guest link in the left navigation.

About Guest Management Processes

There are two major ways to manage guest access: either your operators provision guest accounts, or guests self-provision their own accounts. Both of these processes are described in the next sections.

Sponsored Guest Access

The following figure shows the process of sponsored guest access.

Figure 5: Sponsored guest access with guest created by operator

The operator creates the guest account and generates a receipt for the account. The guest logs on to the Network Access Server (NAS) using the credentials provided on the receipt. The NAS authenticates and authorizes the guest's login in ClearPass Guest. Once authorized, the guest is able to access the network.
Self Provisioned Guest Access

Self-provisioned access is similar to sponsored guest access, but there is no need for an operator to create the account or to print the receipt. The following figure shows the process of self-provisioned guest access.

Figure 6: Guest access when guest is self-provisioned

The guest connects to the Network Access Server (NAS), which captures the guest and redirects them to a captive portal login page. From the login page, guests without an account can browse to the guest self-registration page, where the guest creates a new account. At the conclusion of the registration process, the guest is automatically redirected to the NAS to log in. The guest can print or download a receipt, or have the receipt information delivered by SMS or email. The NAS performs authentication and authorization for the guest in ClearPass Guest. Once authorized, the guest is able to access the network. See "Customizing Self-Provisioned Access" on page 171 for details on creating and managing self-registration pages.

Using Standard Guest Management Features

This section describes:
- How to create a single guest account and a guest account receipt
- How to create multiple guest accounts and multiple guest account receipts
- How to create a single password for multiple accounts
- How to list and edit single and multiple guest accounts

To customize guest self-registration, see "Configuration" on page 133.

Creating a Guest Account

To create a new account, go to Guest > Create Account, or click the Create New Guest Account command link on the Guest Manager page. The New Visitor Account form opens.

NOTE: The New Visitor Account form (create_user) may be customized by adding new fields, or by modifying or removing the existing fields. See "Customizing Self-Provisioned Access" on page 171 for details about the customization process.
The default settings for this form are described below. To complete the form, first enter the visitor's details into the Sponsor's Name, Visitor Name, Company Name and Email Address fields. The visitor's email address will become their username to log into the network.

You can specify the account activation and expiration times. The visitor account cannot be used before the activation time, or after the expiration time. The Account Role specifies what type of account the visitor should have. A random password is created for each visitor account. This is displayed on this form, and will also be available on the guest account receipt. You must mark the Terms of Use check box in order to create the visitor account. Click the Create Account button after completing the form.

Creating a Guest Account Receipt

After you click the Create Account button on the New Visitor Account form, the details for that account are displayed. To print a receipt for the visitor, select an appropriate template from the Open print window using template… list. A new Web browser window will open and the browser's Print dialog box will be displayed.

Click the Send SMS receipt link to send a guest account receipt via text message. Use the SMS Receipt form to enter the mobile telephone number to which the receipt should be sent. Sending SMS receipts requires the SMS Services plugin. If the administrator has enabled automatic SMS, and the visitor's phone number was typed into the New Visitor Account form, an SMS message will be sent automatically. A message is displayed on the account receipt page after an SMS message has been sent.

Click the Send email receipt link to send an email copy of the guest account receipt. Use the Email Receipt form to enter the email address to which the receipt should be sent. You can also specify the subject line for the email message.
If the administrator has enabled automatic email for guest account receipts, and the visitor's email address was typed into the New Visitor Account form, an email receipt will be sent automatically. A message is displayed on the account receipt page after an email has been sent.

Creating Multiple Guest Accounts

The Create Guest Accounts form is used to create a group of visitor accounts. To create multiple accounts, go to Guest > Create Multiple, or click the Create Multiple Guest Accounts command link on the Guest Manager page. The Create Guest Accounts form opens.

NOTE: The Create Guest Accounts form (create_multi) may be customized by adding new fields, or by modifying or removing the existing fields. See "Customizing Self-Provisioned Access" on page 171 for details about the customization process.

The default settings for this form are described below. To complete the form, you must enter the number of visitor accounts you want to create. A random username and password will be created for each visitor account. These are not displayed on this form, but will be available on the guest account receipt. The visitor accounts cannot be used before the activation time, or after the expiration time. The Account Role specifies what type of accounts to create. Click the Create Accounts button after completing the form.

Creating Multiple Guest Account Receipts

Once a group of guest accounts has been created, the details for the accounts are displayed. To print the receipts, select an appropriate template from the Open print window using template… drop-down list. A new browser window opens with the Print dialog displayed. To download a copy of the receipt information in CSV format, click the Save list for scratch cards (CSV file) link.
You will be prompted to either open or save the spreadsheet (CSV) file. The fields available in the CSV file are:
- Number: the sequential number of the visitor account, starting at one
- Username: the username for the visitor account
- Password: the password for the visitor account
- Role: the visitor account's role
- Activation Time: the date and time at which the account will be activated, or N/A if there is no activation time
- Expiration Time: the date and time at which the account will expire, or N/A if there is no expiration time
- Lifetime: the account lifetime in minutes, or N/A if the account does not have a lifetime specified
- Successful: "Yes" if the account was created successfully, or "No" if there was an error creating the account

Because this file contains the plaintext password of every account it lists, treat the download as sensitive: restrict who can save it, and delete it once the scratch cards have been produced.

Creating a Single Password for Multiple Accounts

You can create multiple accounts that have the same password. In order to do this, you first customize the Create Multiple Guest Accounts form to include the Password field. Accounts created this way differ only by username, so session records are the only way to tell their users apart; avoid a shared password where per-visitor accountability is required.

To include the Password field on the Create Multiple Guest Accounts form:
1. Go to Configuration > Forms & Views. Click the create_multi row, then click its Edit Fields link. The Customize Form Fields view opens, showing a list of the fields included in the Create Multiple Guest Accounts form and their descriptions. At this point, the Password field is not listed because the Create Multiple Guest Accounts form (create_multi) has not yet been customized to include it. You will create it for the form in the next step.
2. Click on any field in the list to expand a row, then click the Insert After link (you can modify this placement later). The Customize Form Field form opens.
3. In the Field Name row, choose password from the drop-down list. The form displays configuration options for this field.
4. In the Field row, mark the Enable this field check box.
5.
To adjust the placement of the password field on the Create Multiple Guest Accounts form, you may change the number in the Rank field.
6. In the User Interface row, choose Password text field from the drop-down list. The Field Required check box should now be automatically marked, and the Validator field should be set to IsNonEmpty.
7. Click Save Changes. The Customize Form Fields view opens again, and the password field is now included and can be edited.

To create multiple accounts that all use the same password:
1. Go to Guest > Create Multiple. The Create Guest Accounts form opens, and includes the Visitor Password field.
2. In the Number of Accounts field, enter the number of accounts you wish to create.
3. In the Visitor Password field, enter the password that is to be used by all the accounts.
4. Complete the other fields with the appropriate information, then click Create Accounts. The Finished Creating Guest Accounts view opens. The password and other account details are displayed for each account.

Managing Guest Accounts

Use the Guest Manager Accounts list view to work with individual guest accounts. To open the Guest Manager Accounts list, go to Guest > List Accounts. The Guest Manager Accounts view opens. This view (guest_users) may be customized by adding new fields or by modifying or removing the existing fields. See "Customizing Fields" on page 145 for details about this customization process. The default settings for this view are described below.

The Username, Role, State, Activation, and Expiration columns display information about the visitor accounts that have been created:
- The value in the Expiration column is colored red if the account will expire within the next 24 hours.
The expiration time is additionally highlighted in boldface if the account will expire within the next hour.
- In addition, icons in the Username column indicate the account's activation status. The possible states are:
  - Visitor account is active
  - Visitor account was created but is not activated yet
  - Visitor account was disabled by Administrator
  - Visitor account has expired
  - Visitor account was deleted

You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:

Table 7: Operators supported in filters

Operator | Meaning
= | is equal to
!= | is not equal to
> | is greater than
>= | is greater than or equal to
< | is less than
<= | is less than or equal to
~ | matches the regular expression
!~ | does not match the regular expression

To restore the default view, click the Clear Filter link.

Additional Information: You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character (|). For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".

Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.

NOTE: When the list contains numerous user accounts, consider using the Filter field to speed up finding a specific user account.

Use the Create tab to create new visitor accounts using the New Visitor Account form. See "Creating a Guest Account" on page 29 for details about this form.
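The filter syntax in Table 7 (the same operators are reused for the Edit Accounts and Devices lists later in this chapter) can be read as a small expression language: comma-separated conditions, a field name on the left of the operator, and pipe-separated alternatives on the right of = and !=. The following Python is an added example written for this edition of the guide, not ClearPass Guest code. It parses a filter string into conditions, treats a token without an operator as a substring search, and evaluates all conditions as AND against a constructed list of accounts. The list of searchable fields, the numeric-versus-text comparison rule and the AND semantics are assumptions of the example.

```python
"""Evaluate ClearPass Guest-style list filters against account records.

Added example, not ClearPass Guest code. The operator set and the
"role_id=2|3, custom_field=Value" form come from Table 7 of the guide; the
precedence, whitespace handling and numeric-comparison rules below are
assumptions made for this example.
"""
import re

# Operators from Table 7; two-character forms are listed first so that
# "!=" and ">=" are not read as "!" followed by "=" etc.
_COND_RE = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(!=|>=|<=|!~|=|>|<|~)\s*(.*?)\s*$"
)

# Assumption: the fields a bare substring is matched against (the guide says
# "the username or any other fields that are configured for search").
SEARCH_FIELDS = ("username", "visitor_name", "email")


def _coerce(value):
    """Compare numerically when the value looks like a number, else as text."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return str(value)


def parse_filter(text):
    """Split 'a=1|2, b~^x' into [(field, op, [values]), ...].

    A token without an operator becomes (None, "substr", [token]).
    """
    conds = []
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        m = _COND_RE.match(token)
        if not m:
            conds.append((None, "substr", [token]))
            continue
        field, op, rhs = m.groups()
        # Pipe-separated alternatives are only meaningful for = and != (Table 7 note).
        values = rhs.split("|") if op in ("=", "!=") else [rhs]
        conds.append((field, op, values))
    return conds


def _match_one(record, field, op, values):
    if op == "substr":
        needle = values[0].lower()
        return any(needle in str(record.get(f, "")).lower() for f in SEARCH_FIELDS)
    actual = record.get(field)
    if actual is None:
        return False
    if op == "=":
        return any(_coerce(actual) == _coerce(v) for v in values)
    if op == "!=":
        return all(_coerce(actual) != _coerce(v) for v in values)
    if op == "~":
        return re.search(values[0], str(actual)) is not None
    if op == "!~":
        return re.search(values[0], str(actual)) is None
    a, b = _coerce(actual), _coerce(values[0])
    if type(a) is not type(b):  # mixed number/text: fall back to text comparison
        a, b = str(actual), values[0]
    return {">": a > b, ">=": a >= b, "<": a < b, "<=": a <= b}[op]


def apply_filter(records, text):
    """Return the records matching every comma-separated condition (AND)."""
    conds = parse_filter(text)
    return [r for r in records if all(_match_one(r, *c) for c in conds)]


# Constructed sample accounts; role_id 2 = Guest and 3 = Employee as in the guide.
ACCOUNTS = [
    {"username": "demo005", "visitor_name": "Demo five", "role_id": 2, "custom_field": "Value"},
    {"username": "demo006", "visitor_name": "Demo six", "role_id": 3, "custom_field": "Other"},
    {"username": "alice@example.com", "visitor_name": "Alice", "role_id": 2, "custom_field": "Value"},
    {"username": "svc-printer", "visitor_name": "Printer", "role_id": 1, "custom_field": "Value"},
]

if __name__ == "__main__":
    for f in ("role_id=2|3, custom_field=Value", "demo", "username~^demo0\\d+$", "role_id>=2"):
        print(f, "->", [r["username"] for r in apply_filter(ACCOUNTS, f)])
```

Note that ~ and !~ hand the right-hand side straight to the regular-expression engine, so a pattern typed by an operator is interpreted rather than matched literally; anchor it with ^ and $ when an exact match is intended.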
Use the More Options tab for additional functions, including import and export of guest accounts and the ability to customize the view.

Click a user account's row to select it. You can then select from one of these actions:
- Reset password: Changes the password for a guest account. A new randomly generated password is displayed on the Reset Password form. Click Update Account to reset the guest account's password. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
- Change expiration: Changes the expiration time for a guest account.
  NOTE: This form (change_expiration) may be customized by adding new fields, or by modifying or removing the existing fields. See "Customizing Forms and Views" on page 150 for details about this customization process.
  Select an option from the drop-down list to change the expiration time of the guest account. Click Update Account to set the new expiration time for the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
- Remove: Disables or deletes a guest account. Select the appropriate Action radio button, and click Make Changes to disable or delete the account. Disabling an account prevents new logins but does not by itself end a session that is already in progress; if you wish to have automatic disconnect messages sent when the enabled value changes, you can specify this in the Configuration module. See "Configuring ClearPass Guest Authentication" on page 134.
- Activate: Re-enables a disabled guest account, or specifies an activation time for the guest account. Select an option from the drop-down list to change the activation time of the guest account. To re-enable an account that has been disabled, choose Now. Click Enable Account to set the new activation time for the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
- Edit: Changes the properties of a guest account. This is the guest_edit form.
  NOTE: This form may be customized by adding new fields, or by modifying or removing the existing fields. See "Customizing Forms and Views" on page 150 for details about this customization process.
  Click Update Account to update the properties of the guest account. A new account receipt is displayed, allowing you to print a receipt showing the updated account details.
- Sessions: Displays the active sessions for a guest account. See "Active Sessions Management" on page 59 in this chapter for details about managing active sessions.
- Print: Displays the guest account's receipt and the delivery options for the receipt. For security reasons, the guest's password is not displayed on this receipt. To recover a forgotten or lost guest account password, use the Reset password link.

Managing Multiple Guest Accounts

Use the Edit Accounts list view to work with multiple guest accounts. This view may be accessed by clicking the Edit Multiple Guest Accounts command link. This view (guest_multi) may be customized by adding new fields or by modifying or removing the existing fields. See "Customizing Self-Provisioned Access" on page 171 for details about this customization process. The default settings for this view are described below.

The Username, Role, State, Activation, and Expiration columns display information about the visitor accounts that have been created:
- The value in the Expiration column is colored red if the visitor account will expire within the next 24 hours. The expiration time is additionally highlighted in boldface if the visitor account will expire within the next hour.
- In addition, icons in the Username column indicate the account's activation status. The possible states are:
  - Visitor account is active
  - Visitor account was created but is not activated yet
  - Visitor account was disabled by Administrator
  - Visitor account has expired

You can use the Filter field to narrow the search parameters. You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:

Table 8: Operators supported in filters

Operator | Meaning
= | is equal to
!= | is not equal to
> | is greater than
>= | is greater than or equal to
< | is less than
<= | is less than or equal to
~ | matches the regular expression
!~ | does not match the regular expression

To restore the default view, click the Clear Filter link.

Additional Information: You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character (|). For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".

Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.

To select guest accounts, click the accounts you want to work with. You may click either the check box or the row to select a visitor account. To select or unselect all visible visitor accounts, click the check box in the header row of the table. Use the selection row at the top of the table to work with the current set of selected accounts. The number of currently selected accounts is shown.
When a filter is in effect, the "All Matching" link can be used to add all pages of the filtered result to the selection.

Use the Create tab to create new visitor accounts using the Create Guest Accounts form. See "Creating Multiple Guest Accounts" on page 30 in this chapter for details about this form.

Use the Delete tab to delete the visitor accounts that you have selected. This option is not active if there are no visitor accounts selected.

Use the Edit tab to make changes to multiple visitor accounts at once. This option is not active if there are no visitor accounts selected. The Edit Guest Accounts form (guest_multi_form) may be customized by adding new fields, or by modifying or removing the existing fields. See "Customizing Self-Provisioned Access" on page 171 for details about this customization process.

The Results tab will be automatically selected after you have made changes to one or more guest accounts. You can create new guest account receipts or download the updated guest account information. See "Creating Multiple Guest Account Receipts" on page 31 in this chapter for more information.

The More Options tab includes the Choose Columns command link. You can click this link to open the Configuration module's Customize View Fields form, which may be used to customize the Edit Guest Accounts view.

Importing Guest Accounts

Guest accounts may be created from an existing list by uploading the list to ClearPass Guest. To upload a list of existing accounts, go to Guest > Import Accounts, or click the Import Guest Accounts command link on the Guest Manager page. The Upload User List form opens.

The Upload User List form provides you with different options for importing guest account data. To complete the form, you must either specify a file containing account information, or type or paste the account information into the Accounts Text area.
Select the Show additional import options check box to display the following advanced import options:
- Character Set: ClearPass Guest uses the UTF-8 character set encoding internally to store visitor account information. If your accounts file is not encoded in UTF-8, the import may fail or produce unexpected results if non-ASCII characters are used. To avoid this, specify the character set encoding you are using.
- Import format: The format of the accounts file is automatically detected. You may specify a different format if automatic detection is not suitable for your data. The Import Format drop-down list includes the following options:
  - Automatically detect format (this default option also recognizes guest accounts exported from ClearPass Policy Manager in XML format)
  - XML
  - Comma separated values
  - Tab separated values
  - Pipe (|) separated values
  - Colon (:) separated values
  - Semicolon (;) separated values

Select the Force first row as header row check box if your data contains a header row that specifies the field names. This option is only required if the header row is not automatically detected.

Click Next Step to upload the account data. In step 2 of 3, ClearPass Guest determines the format of the uploaded account data and matches the appropriate guest account fields to the columns of the data. The first few records in the data will be displayed, together with any automatically detected field names.
In this example, the following data was used:

username,visitor_name,password,expire_time
demo005,Demo five,secret005,2011-06-10 09:00
demo006,Demo six,secret006,2011-06-11 10:00
demo007,Demo seven,secret007,2011-06-12 11:00
demo008,Demo eight,secret008,2011-06-13 12:00
demo009,Demo nine,secret009,2011-06-13 12:00
demo010,Demo ten,secret010,2011-06-13 12:00
demo011,Demo eleven,secret011,2011-06-13 12:00

Because this data includes a header row that contains field names, the corresponding fields have been automatically detected in the data.

Use the Match Fields form to identify which guest account fields are present in the imported data. You can also specify the values to be used for fields that are not present in the data. To complete the Match Fields form, make a selection from each of the drop-down lists. Choose a column name to use the values from that column when importing guest accounts, or select one of the other available options to use a fixed value for each imported guest account. Click the Next Step button to preview the final result.

Import Step 3 of 3, the Import Accounts form, opens and shows a preview of the import operation. The values of each guest account field are determined, and any conflicts with existing user accounts are shown. The icon displayed for each user account indicates whether it is a new entry or whether an existing user account will be updated. By default, this form shows ten entries per page. To view additional entries, click the arrow button at the bottom of the form to display the next page, or click the 10 rows per page drop-down list at the bottom of the form and select the number of entries that should appear on each page.

Click the check box by the account entries you want to create, or click one of the following options to select the desired accounts:
- Click the This Page link to select all entries on the current page.
- Click the All link to select all entries on all pages.
- Click the None link to deselect all entries.
- Click the New link to select all new entries.
- Click the Existing link to select all existing user accounts in the list.

Click the Create Accounts button to finish the import process. The selected items will be created or updated. Entries marked as existing overwrite the matching accounts with the uploaded values, so review them before including them in the selection. You can then print new guest account receipts or download a list of the guest accounts. See "Creating Multiple Guest Account Receipts" on page 31 in this chapter for more information.

Exporting Guest Account Information

Guest account information may be exported to a file in one of several different formats. Click the appropriate command link to save a list of all guest accounts in comma-separated values (CSV), tab-separated values (TSV), or XML format. The Export Accounts view (guest_export) may be customized by adding new fields, or by modifying or removing the existing fields. See "Customizing Self-Provisioned Access" on page 171 for details about this customization process.

About CSV and TSV Exports

In CSV and TSV format, the following default fields are included in the export:
- Number: sequential number of the guest account in the exported data
- User ID: numeric user ID of the guest account
- Username: username for the guest account
- Role: role for the guest account
- Activation: date and time at which the guest account will be activated, or "N/A" if there is no activation time
- Expiration: date and time at which the guest account will expire, or "N/A" if there is no expiration time
- Lifetime: the guest account's lifetime in minutes after login, or 0 if the account lifetime is not set
- Expire Action: number specifying the action to take when the guest account expires (0 through 4)

About XML Exports

The default XML format consists of a top-level element containing one element for each exported guest account.
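To make the automatic detection in the import steps above concrete, here is an added Python example (not ClearPass Guest code) that chooses a delimiter from the Import Format options, decides whether the first row is a header, honours a "force header" override equivalent to the Force first row as header row check box, and produces the step-3 preview of new versus existing entries. The detection heuristics, the col1..colN names given to header-less uploads, filling absent fields from fixed defaults, and keying conflicts on the username are assumptions of this example; the sample upload is constructed in the same shape as the guide's data.

```python
"""Auto-detect the delimiter and header row of a guest-account upload, then
preview which rows are new and which would update existing accounts.

Added example, not ClearPass Guest code. It mimics the options listed on the
Upload User List form (auto-detect / CSV / TSV / pipe / colon / semicolon and
"Force first row as header row"). The heuristics and the username-keyed
conflict check are assumptions made for this example.
"""
import csv
import io
import re

DELIMITERS = {"csv": ",", "tsv": "\t", "pipe": "|", "colon": ":", "semicolon": ";"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def detect_format(text):
    """Return 'xml', or the DELIMITERS key whose delimiter splits every
    non-empty line into the same number (more than one) of columns.
    A colon inside a time such as 09:00 is rejected by the consistency test
    because the header line has no colon."""
    if text.lstrip().startswith("<"):
        return "xml"
    lines = [ln for ln in text.splitlines() if ln.strip()]
    best, best_cols = None, 1
    for name, delim in DELIMITERS.items():
        counts = {len(row) for row in csv.reader(lines, delimiter=delim)}
        if len(counts) == 1:
            cols = counts.pop()
            if cols > best_cols:
                best, best_cols = name, cols
    if best is None:
        raise ValueError("no consistent delimiter found")
    return best


def has_header(rows):
    """Assumption: a header row is one whose cells are all field-name-like
    identifiers while at least one later row contains something else."""
    if len(rows) < 2:
        return False
    first_ok = all(_IDENT.match(c.strip()) for c in rows[0])
    rest_ok = all(all(_IDENT.match(c.strip()) for c in r) for r in rows[1:])
    return first_ok and not rest_ok


def parse_upload(text, fmt="auto", force_header=False):
    """Return (field_names, records). Without a header the columns are named
    col1..colN so a Match Fields step can map them to account fields."""
    if fmt == "auto":
        fmt = detect_format(text)
    if fmt == "xml":
        raise NotImplementedError("XML uploads are not handled in this example")
    rows = [r for r in csv.reader(io.StringIO(text), delimiter=DELIMITERS[fmt]) if r]
    if not rows:
        return [], []
    if force_header or has_header(rows):
        fields, data = [c.strip() for c in rows[0]], rows[1:]
    else:
        fields, data = [f"col{i + 1}" for i in range(len(rows[0]))], rows
    return fields, [dict(zip(fields, (c.strip() for c in r))) for r in data]


def preview_import(records, existing_usernames, defaults=None):
    """Step 3 of 3: tag each record 'new' or 'existing' by username, after
    filling fields absent from the upload with fixed default values."""
    out = []
    for rec in records:
        merged = dict(defaults or {}, **rec)
        if not merged.get("username"):
            raise ValueError("every imported account needs a username")
        status = "existing" if merged["username"] in existing_usernames else "new"
        out.append((status, merged))
    return out


# Constructed upload, same shape as the guide's sample data.
SAMPLE = """username,visitor_name,password,expire_time
demo005,Demo five,secret005,2011-06-10 09:00
demo006,Demo six,secret006,2011-06-11 10:00
demo007,Demo seven,secret007,2011-06-12 11:00
"""

if __name__ == "__main__":
    fields, recs = parse_upload(SAMPLE)
    print("detected:", detect_format(SAMPLE), "fields:", fields)
    for status, rec in preview_import(recs, {"demo006"}, {"role_id": "2"}):
        print(status, rec["username"], rec["role_id"])
```

Uploads like the one above carry plaintext passwords, so the same handling rules apply to the import file as to the scratch-card CSV: keep it off shared storage and remove it once the accounts exist.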
The numeric ID of the guest account is provided as the "id" attribute of the per-account element. This format is compatible with the ClearPass Policy Manager XML format for guest users. The values for both standard and custom fields for guest accounts are exported as the contents of an XML tag, where the tag has the same name as the guest account field. An example XML export is given below (only the tagName/tagValue attribute pairs of each field element are shown):

tagValue="ff" tagName="Company Name"/>
tagValue="2012-12-04 12:39:14" tagName="Create Time"/>
tagValue="fff@df" tagName="Email"/>
tagValue="ff" tagName="first_name"/>
tagValue="plan0" tagName="hotspot_plan_id"/>
tagValue="Free Access" tagName="hotspot_plan_name"/>
tagValue="ff" tagName="last_name"/>
tagValue="ff ff" tagName="Visitor Name"/>
tagValue="ff" tagName="zip"/>

MAC Authentication in ClearPass Guest

ClearPass Guest supports a number of options for MAC authentication and the ability to authenticate devices. The advanced features described in this section generally require a WLAN capable of MAC authentication with captive portal fallback. Refer to your WLAN documentation for setting up the controller appropriately.

To verify that you have the most recent MAC Authentication Plugin installed and enabled before you configure these advanced features, go to Administration > Plugin Manager > List Available Plugins. For information on plugin management, see "Plugin Manager" on page 223.

MAC Address Formats

Different vendors format the client MAC address in different ways, for example:
- 112233AABBCC
- 11:22:33:aa:bb:cc
- 11-22-33-AA-BB-CC

ClearPass Guest supports adjusting the expected format of a MAC address. To configure formatting of separators and case in the address, as well as user detection and device filtering for views, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication plugin. The separator and case configured here must match the format the controller sends (compare Figure 7 with Figure 8), or device lookups will not match.
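Because the plugin has to match whatever format the NAS sends, a comparison that ignores separators and case is the safest way to reconcile addresses from different vendors. The following Python is an added example (not ClearPass Guest code): it accepts the three formats listed above plus the dotted form some switch vendors use, canonicalises them, and keys a constructed device list by the canonical form so that a lookup succeeds regardless of the format the address arrived in. The locally-administered check goes beyond the guide: the randomised "private" addresses that recent phone operating systems use on unfamiliar networks have the U/L bit of the first octet set, so such a device will not match an entry registered under its hardware address.

```python
"""Normalise vendor MAC address formats before comparing them with device entries.

Added example, not ClearPass Guest code. The three input formats come from
the "MAC Address Formats" section of the guide; the dotted form and the
locally-administered check are additions of this example.
"""
import re

# Accepted input forms (matched case-insensitively after lower-casing).
_FORMS = (
    re.compile(r"^[0-9a-f]{12}$"),                     # 112233aabbcc
    re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"),   # 11:22:33:aa:bb:cc
    re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"),   # 11-22-33-aa-bb-cc
    re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"),  # 1122.33aa.bbcc (addition)
)


def normalize_mac(raw, separator=":", upper=False):
    """Return the address as six hex pairs joined by `separator`, or raise
    ValueError when the input is not one of the accepted 48-bit forms."""
    s = raw.strip().lower()
    if not any(p.match(s) for p in _FORMS):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[:.\-]", "", s)
    mac = separator.join(digits[i:i + 2] for i in range(0, 12, 2))
    return mac.upper() if upper else mac


def is_locally_administered(raw):
    """True when bit 1 of the first octet (the U/L bit) is set, as it is for
    randomised private addresses; such a device will not match a registration
    made under its burned-in hardware address."""
    first_octet = int(normalize_mac(raw)[:2], 16)
    return bool(first_octet & 0x02)


def index_devices(devices):
    """Key a device list by canonical MAC so lookups ignore the sender's format."""
    return {normalize_mac(d["mac"]): d for d in devices}


def lookup_device(index, raw):
    """Find the device for an address as sent by the NAS; None if absent or malformed."""
    try:
        return index.get(normalize_mac(raw))
    except ValueError:
        return None


# Constructed device list, each entry in a different vendor format.
DEVICES = [
    {"mac": "11-22-33-AA-BB-CC", "role": "Guest"},
    {"mac": "001a.2b3c.4d5e", "role": "Employee"},
]

if __name__ == "__main__":
    idx = index_devices(DEVICES)
    for seen in ("112233AABBCC", "00:1A:2B:3C:4D:5E", "da:1b:2c:3d:4e:5f"):
        hit = lookup_device(idx, seen)
        flag = " (locally administered, likely a randomised address)" if is_locally_administered(seen) else ""
        print(seen, "->", hit["role"] if hit else "no match", flag)
```

When a registered device stops matching after an operating-system update, checking the U/L bit of the address the controller now reports is a quick way to tell a randomised address from a genuine format mismatch.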
The MAC Authentication Configuration page opens.

Figure 7: MAC Authentication Plugin—Configuration

On the controller, the fields look as follows:

Figure 8: MAC Authentication Profile

Managing Devices

To view the list of current MAC devices, go to Guest > List Devices. The Guest Manager Devices page opens. All devices created by one of the methods described in the following section are listed. Options on the form let you change a device's account expiration date; remove, activate, or edit the device; view active sessions or details for the device; or print details, receipts, confirmations, or other information.

The MAC Address, Role, State, Activation, and Expiration columns display information about the device accounts that have been created:

- The value in the Expiration column is colored red if the device account will expire within the next 24 hours. The expiration time is additionally highlighted in boldface if the device account will expire within the next hour.
- Icons in the MAC Address column indicate the device account's activation status:
  - Device account is active
  - Device account was created but is not activated yet
  - Device account was disabled by an administrator
  - Device account has expired
  - Device account was deleted

You can use the Filter field to narrow the search parameters.
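The filter syntax described next (and used again for the Active Sessions list under "Filtering the List of Active Sessions") is small enough to implement, which is a handy way to check what a filter string will match before relying on it against a long device list. The following is an added Python example written for this guide, not code from ClearPass Guest; its rows are constructed, and the substring search over the username and mac fields stands in for whichever fields are configured as searchable in the view:

```python
import re

# Grammar from the filter tables: a term is <field><op><value>; a term with no
# operator is a plain substring search across the fields configured for search.
_TERM = re.compile(
    r"^(?P<field>[A-Za-z_][A-Za-z0-9_]*)\s*(?P<op>!~|!=|>=|<=|=|>|<|~)\s*(?P<value>.*)$"
)


def parse_filter(text):
    """Split 'role_id=2|3, custom_field=Value' into (field, op, values) terms.

    '=' and '!=' accept several pipe-separated values; a bare word becomes
    (None, 'substr', [word]). Terms are comma-separated, as in the guide's example.
    """
    terms = []
    for raw in text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _TERM.match(raw)
        if not m:
            terms.append((None, "substr", [raw]))
            continue
        field, op, value = m.group("field", "op", "value")
        value = value.strip()
        values = value.split("|") if op in ("=", "!=") else [value]
        terms.append((field, op, values))
    return terms


def _compare(actual, op, values):
    """Evaluate one operator term against a record value (missing fields never match)."""
    if actual is None:
        return False
    text = str(actual)
    if op == "=":
        return text in values
    if op == "!=":
        return text not in values
    if op in ("~", "!~"):
        try:
            hit = re.search(values[0], text) is not None
        except re.error:  # a broken regular expression matches nothing
            return False
        return hit if op == "~" else not hit
    # Ordering operators compare numerically when both sides are numbers, else as strings.
    try:
        left, right = float(text), float(values[0])
    except ValueError:
        left, right = text, values[0]
    return {">": left > right, ">=": left >= right, "<": left < right, "<=": left <= right}[op]


def matches(record, terms, searchable):
    """True when the record satisfies every term; substrings are case-insensitive."""
    for field, op, values in terms:
        if op == "substr":
            needle = values[0].lower()
            if not any(needle in str(record.get(f, "")).lower() for f in searchable):
                return False
        elif not _compare(record.get(field), op, values):
            return False
    return True


def apply_filter(records, text, searchable=("username", "mac")):
    """Return the records that the filter string keeps."""
    terms = parse_filter(text)
    return [r for r in records if matches(r, terms, searchable)]


# Constructed sample rows standing in for the Devices list (not data from the guide).
SAMPLE_ROWS = [
    {"username": "alice", "role_id": 2, "mac": "11:22:33:aa:bb:cc", "custom_field": "Value"},
    {"username": "bob", "role_id": 3, "mac": "11:22:33:aa:bb:cd", "custom_field": "Other"},
    {"username": "carol", "role_id": 4, "mac": "00:11:22:33:44:55", "custom_field": "Value"},
]

if __name__ == "__main__":
    for f in ("role_id=2|3, custom_field=Value", "role_id>=3", "mac~^11:22", "bb:c"):
        print(f, "->", [r["username"] for r in apply_filter(SAMPLE_ROWS, f)])
```

Terms are ANDed, exactly as the guide's example ("role IDs 2 and 3 ... and with the field named custom_field set to Value") implies; a term naming a field the record does not have matches nothing rather than everything.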
You may enter a simple substring to match a portion of any fields that are configured for search, and you can include the following operators:

Table 9: Operators supported in filters

  Operator   Meaning
  =          is equal to
  !=         is not equal to
  >          is greater than
  >=         is greater than or equal to
  <          is less than
  <=         is less than or equal to
  ~          matches the regular expression
  !~         does not match the regular expression

Additional Information: You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character (|). For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".

To restore the default view, click the Clear Filter link.

Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.

To select a device, click the device you want to work with.

Changing a Device's Expiration Date

To change a device's expiration date, click the device's row in the Guest Manager Devices list, then click its Change expiration link. The row expands to include the Change Expiration form.

1. In the Account Expiration row, choose one of the options in the drop-down list to set an expiration date:
   - If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list.
   - If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker.
In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
2. If you choose any option other than "will not expire" or "now" in the Account Expiration field, the Expire Action row is added to the form. Use the drop-down list in this row to specify one of the following actions: delete, delete and log out, disable, or disable and log out.
3. Click Update Account to commit your changes.

Disabling and Deleting Devices

To remove a device's account by disabling or deleting it, click the device's row in the Guest Manager Devices list, then click its Remove link. The row expands to include the Remove Account form. You may choose to either disable or delete the account. If you disable it, it remains in the device list and you may activate it again later. If you delete the account, it is removed from the list permanently.

Activating a Device

To activate a disabled device's account, click the device's row in the Guest Manager Devices list, then click its Activate link. The row expands to include the Enable Guest Account form.
1. In the Activate Account row, choose one of the options in the drop-down list to specify when to activate the account. You may choose an interval, or you may choose to specify a time.
2. If you choose Activate at specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
3. Click Enable Account to commit your changes.

Editing a Device

To edit a device's account, click the device's row in the Guest Manager Devices list, then click its Edit link. The row expands to include the Edit MAC form.
1.
You can change the device's address in the MAC Address row. If you need to modify the configuration for expected separator format or case, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication plugin.
2. If you need to change the activation time, choose one of the options in the Account Activation drop-down list. You may choose to activate the account immediately, at a preset interval of hours or days, or at a specified time.
   - If you choose Activate at a specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
3. If you need to change the expiration time, choose one of the options in the Account Expiration drop-down list. You may terminate the account immediately, at a preset interval of hours or days, or at a specified time.
   - If you choose any time in the future, the Expire Action row is added to the form. Use this drop-down list to indicate the expiration action for the account: delete, delete and log out, disable, or disable and log out. The action will be applied at the time set in the Account Expiration row.
   - If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list. The maximum is two weeks.
   - If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
4.
To change the maximum usage allowed for the account, choose an option from the Total Allowed Usage drop-down list. You may set the total usage to one or two hours, add one or two hours to the existing setting, or subtract one or two hours from the existing setting.
5. You can use the Account Role drop-down list to change the visitor's assigned role.
6. (Optional) In the Notes row, you may enter additional information.
7. To commit your changes, click Update MAC.

Viewing Current Sessions for a Device

To view any sessions that are currently active for a device, click the Sessions link in the device's row on the Guest Manager Devices form. The Active Sessions list opens. For more information, see "Active Sessions Management" on page 59.

Viewing and Printing Device Details

To print details, receipts, confirmations, or other information for a device, click the device's row in the Guest Manager Devices list, then click its Print link. The row expands to include the Account Details form and a drop-down list of information that can be printed for the device. Choosing an option in the Open print window using template drop-down list opens a print preview window and the printer dialog. Options include account details, receipts in various formats, a session expiration alert, and a sponsorship confirmation notice.

MAC Creation Modes

MAC device accounts may be created in three ways:

- Manually in ClearPass Guest using the Create Device form
- During guest self-registration by a mac parameter passed in the redirect URL, if the process is configured to create a MAC device account
- During guest self-registration by a mac parameter passed in the redirect URL, creating a parallel account paired with the visitor account

Creating Devices Manually in ClearPass Guest

If you have the MAC address, you can create a new device manually. You do this on the New MAC Authentication form.
To create a new device:
1. Go to Guest > List Devices and click the Create link, or go to the Guest navigation page and click the Create Device command. The New MAC Authentication page opens.
2. In the Sponsor's Name row, enter the name of the person sponsoring the visitor account.
3. Enter the name for the device in the Device Name row.
4. Enter the address in the MAC Address row. If you need to modify the configuration for expected separator format or case, go to Administration > Plugin Manager > Manage Plugins and click the Configuration link for the MAC Authentication plugin.
5. Choose one of the options in the Account Activation drop-down list. You may choose to activate the account immediately, at a preset interval of hours or days, at a specified time, or leave the account disabled.
   - If you choose Activate at a specified time, the Activation Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
6. To set the account's expiration time, choose one of the options in the Account Expiration drop-down list. You may set the account to never expire, or to expire at a preset interval of hours or days, or at a specified time.
   - If you choose any time in the future, the Expire Action row is added to the form. Use this drop-down list to indicate the expiration action for the account: delete, delete and log out, disable, or disable and log out. The action will be applied at the time set in the Account Expiration row.
   - If you choose Account expires after, the Expires After row is added to the form. Choose an interval of hours, days, or weeks from the drop-down list. The maximum is two weeks.
   - If you choose Account Expires at a specified time, the Expiration Time row is added to the form. Click the button to open the calendar picker. In the calendar, use the arrows to select the year and month, click the numbers in the Time fields to increment the hours and minutes, then click a day to select the date.
7. Use the Account Role drop-down list to assign the visitor's role.
8. In the Terms of Use row, first click the terms of use link and read the agreement, then mark the check box to agree to the terms.
9. To commit your changes and create the device, click Create MAC. The Account Details and print options are displayed. For more information, see "Viewing and Printing Device Details" on page 49.

Creating Devices During Self-Registration - MAC Only

This section describes how to configure a guest self-registration so that it creates a MAC device account. Once the guest is registered, future authentication can take place without the need for the guest to enter their credentials.

A registration can be converted to create a MAC device instead of standard guest credentials. This requires the vendor to pass a mac parameter in the redirect URL. ClearPass Guest does not support querying the controller or DHCP servers for the client's MAC based on IP.

To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row, click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth in the list, click the Customize fields link above the list. Click the Edit link in the field's row. In the Define Custom Field form, edit the registration form fields:

- Add or enable mac
  - UI: Hidden field
  - Field Required: checked
  - Validator: IsValidMacAddress
- Add or enable mac_auth
  - UI: Hidden field
- Any other expiration options, role choice, surveys, and so on can be entered as usual.
Figure 9: Modify fields

- Edit the receipt form fields:
  - Edit username to be a Hidden field
  - Edit password to be a Hidden field
- Adjust any headers or footers as needed.

When the visitor registers, they should still be able to log in via the Log In button. The MAC will be passed as their username and password via standard captive portal means. The account will only be visible on the List Devices page. If the guest logs out and reconnects, they should be immediately logged in without being redirected to the captive portal page.

Creating Devices During Self-Registration - Paired Accounts

Paired accounts are a means to create a standard visitor account with credentials, but to have a MAC account created in parallel that is directly tied to the visitor account. These accounts share the same role, expiration, and other properties. This requires the vendor to pass a mac parameter in the redirect URL. ClearPass Guest does not support querying the controller or DHCP servers for the client's MAC based on IP.

To edit the registration form fields, go to Configuration > Forms and Views. In the guest_register row, click the Edit Fields link. The Customize Form Fields page opens. If you do not see mac or mac_auth_pair in the list, click the Customize fields link above the list. Click the Edit link in the field's row. In the Define Custom Field form, edit the registration form fields:

- Add or enable mac
  - UI: Hidden field
  - Field Required: optional
  - Validator: IsValidMacAddress
- Add or enable mac_auth_pair
  - UI: Hidden field
  - Initial Value: -1
- Any other expiration options, role choice, surveys, and so on can be entered as usual.

You will see an entry under both List Accounts and List Devices. Each should have a View Pair action that cross-links the two.
NOTE: If you delete the base account, all of its pairings will also be deleted. If RFC 3576 has been configured, all pairs will be logged out.

AirGroup Device Registration

AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. If AirGroup Services is enabled, AirGroup administrators can provision their organization's shared devices and manage access, and AirGroup operators can register and provision a limited number of their own personal devices for sharing. For complete AirGroup deployment information, refer to the AirGroup Deployment Guide and the ClearPass Policy Manager documentation.

Registering Groups of Devices or Services

This functionality is only available to AirGroup administrators. To register and manage an organization's shared devices and configure device access:
1. Log in as the AirGroup administrator and go to Guest > Create Device. The Register Shared Device form opens.
2. In the Device Name field, enter the name used to identify the device.
3. In the MAC Address field, enter the device's MAC address.
4. In the Shared Locations field, enter the locations where the device can be shared. To allow the device to be shared with all locations, leave this field blank. Each location is entered as a tag=value pair describing the access point (AP) closest to the registered device. Use commas to separate the tag=value pairs in the list. Tag=value pair formats are shown in the following table.

Table 10: Tag=Value Pair Formats

  AP Type          Tag=Value Format
  Name-based AP    ap-name=
  Group-based AP   ap-group=
  FQLN-based AP    fqln=

   - AP FQLNs should be configured in the format . . .
   - Floor names should be in the format floor
   - The should not include periods ( . )
   Example: AP105-1.Floor 1.TowerD.Mycompany
5. In the Shared With field, enter the usernames of your organization's staff or students who are allowed to use the device. Use commas to separate usernames in the list.
   - If the Shared With field is left blank, this device can be accessed by all devices.
   - If users are entered in the Shared With field, the device can only be accessed by the specified users.
6. In the Shared Roles field, enter the user roles that are allowed to use the device. Use commas to separate the roles in the list.
   - To make the device available to all roles, leave this field blank.
   - If roles are entered in the Shared Roles field, the device can only be accessed by users with matching roles.
7. Click Register Shared Device. The Finished Creating Guest Account page opens. This page displays Account Details and provides printer options.

To view and edit your organization's shared AirGroup devices:
1. Go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The AirGroup Devices page opens. This page lists all the shared AirGroup devices for the organization. You can remove a device; edit a device's name, MAC address, shared locations, shared-user list, or shared roles; print device details; or add a new device.
2. To work with a device, click the device's row in the list. The form expands to include the Remove, Edit, and Print options.
3. To edit properties of a shared device, click the Edit link for the device. The row expands to include the Edit Shared Device form. You can modify the device's name, MAC address, shared locations, group of users, and shared roles.
4. When your edits are complete, click Save Changes.

Registering Personal Devices

This functionality is available to AirGroup operators.
To register your personal devices and define a group who can share them:
1. Log in as the AirGroup operator and go to Guest > Create Device. The Register Device form opens.
2. In the Your Name field, enter your username for your organization.
3. In the Device Name field, enter the name used to identify the device.
4. In the MAC Address field, enter the device's MAC address.
5. In the Shared With field, enter the usernames of your friends or colleagues who are allowed to use the device. Use commas to separate usernames in the list. You may enter up to ten usernames.
   - If the Shared With field is left blank, this device can only be accessed by devices registered by the same operator or with a dot1x username that matches the operator's name.
   - If users are entered in the Shared With field, the device can be accessed by the device owner and by the specified users.
6. Click Register Device. The Finished Creating Guest Account page opens. This page displays Account Details and provides printer options.

To view and edit your personal AirGroup devices:
1. Go to Guest > List Devices, or click the Manage my AirGroup Devices link on the Create AirGroup Device page. The AirGroup Devices page opens. This page lists all your personal AirGroup devices. You can remove a device; edit a device's name, MAC address, or shared-user list; print device details; or add a new device.
2. To work with a device, click the device's row in the list. The form expands to include the Remove, Edit, and Print options.
3. To edit properties of a device, click the Edit link for the device.
The row expands to include the Edit Device form. You can modify the device's name, MAC address, and group of users.
4. When your edits are complete, click Save Changes.

Automatically Registering MAC Devices in ClearPass Policy Manager

If ClearPass Policy Manager is enabled, you can configure a guest MAC address to be automatically registered as an endpoint record in ClearPass Policy Manager when the guest uses a Web login page or a guest self-registration workflow. This customization option is available if a valid Local or RADIUS pre-authentication check was performed.

To configure auto-registration for an address through a Web login page:
1. Go to Configuration > Web Logins, click the row of the page you wish to configure, then click its Edit link. The RADIUS Web Login Editor form opens.
2. Scroll down to the Post-Authentication area.
3. In the Policy Manager row, mark the check box to register the guest's MAC address with ClearPass Policy Manager. The Advanced row is added to the form.
4. In the Advanced row, mark the check box to enable advanced options in ClearPass Policy Manager. The Endpoint Attributes row is added to the form.
5. In the Endpoint Attributes row, enter name|value pairs for the user fields and Endpoint Attributes to be passed.
6. Click Save Changes to complete this configuration and continue with other tasks, or click Save and Reload to proceed to Policy Manager and apply the network settings.

Importing MAC Devices

The standard Guest > Import Accounts form supports importing MAC devices. At a minimum the following two columns are required: mac and mac_auth.

mac_auth,mac,notes
1,aa:aa:aa:aa:aa:aa,Device A
1,bb:bb:bb:bb:bb:bb,Device B
1,cc:cc:cc:cc:cc:cc,Device C

Any of the other standard fields can be added, as when importing regular guests.
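Because the import form creates or updates an account for every row it accepts, it pays to check a device import file before uploading it. The following Python checker is an added example and not part of ClearPass Guest; it enforces the two required columns, validates and normalises each MAC address (the equivalent of the IsValidMacAddress validator used on the registration forms), rejects duplicates that differ only in separator format and case, and, as an assumption drawn from the example above, requires mac_auth to be 1 for a row to count as a device. The sample file is constructed:

```python
import csv
import io
import re

REQUIRED_COLUMNS = ("mac", "mac_auth")


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if the value is not a MAC address."""
    cleaned = re.sub(r"[:\-.\s]", "", value or "").lower()
    return cleaned if re.fullmatch(r"[0-9a-f]{12}", cleaned) else None


def check_import(text):
    """Validate a MAC-device import file (CSV with a header row) before uploading it.

    Returns (rows, errors): rows holds the accepted rows with the MAC normalised,
    errors lists the problems found. If a required column is missing nothing is accepted.
    Assumption: a device row must have mac_auth set to 1, as in the guide's example.
    """
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        return [], ["missing required column(s): " + ", ".join(missing)]
    rows, errors, seen = [], [], {}
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        mac = normalize_mac(row.get("mac"))
        if mac is None:
            errors.append(f"line {lineno}: invalid MAC address {row.get('mac')!r}")
            continue
        if (row.get("mac_auth") or "").strip() != "1":
            errors.append(f"line {lineno}: mac_auth must be 1 for a MAC device")
            continue
        if mac in seen:
            errors.append(f"line {lineno}: duplicate of line {seen[mac]} ({mac})")
            continue
        seen[mac] = lineno
        rows.append({**row, "mac": mac})
    return rows, errors


# Constructed sample: the guide's three devices plus three rows that should be rejected.
SAMPLE = """mac_auth,mac,notes
1,aa:aa:aa:aa:aa:aa,Device A
1,bb:bb:bb:bb:bb:bb,Device B
1,cc:cc:cc:cc:cc:cc,Device C
1,cc-cc-cc-cc-cc-cc,Device C again in another format
1,zz:zz:zz:zz:zz:zz,Not a MAC address
0,dd:dd:dd:dd:dd:dd,mac_auth not set
"""

if __name__ == "__main__":
    accepted, problems = check_import(SAMPLE)
    print([r["mac"] for r in accepted])
    print("\n".join(problems))
```

Run it against the real file before uploading; the line numbers in the error list refer to the CSV as written, header included, so they can be fixed in place.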
Advanced MAC Features

2-Factor Authentication

2-factor authentication checks against both credentials and the MAC address on record. Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice you would probably add mac as a text field to the create_user form. When mac is enabled in a self-registration it will be included in the account as long as mac is passed in the URL. Relying on self-registration may defeat the purpose of two-factor authentication, however.

The two factors are performed as follows:
1. Regular RADIUS authentication using username and password
2. The role checks the user account's mac against the passed Calling-Station-Id.

Edit the user role and the attribute for Reply-Message or Aruba-User-Role. Adjust the condition from Always to Enter conditional expression:

return !MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) && AccessReject();

There is an alternative syntax where you keep the condition at Always and instead adjust the Value:

= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? $role["name"] : AccessReject()

or

= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : AccessReject()

MAC-Based Derivation of Role

Depending on whether the MAC address matches a registered value, you can also adjust which role is returned. The controller must be configured with the appropriate roles and the reply attributes mapping to them as expected. Edit the Value of the attribute within the role returning the role to the controller. If the user is on the registered MAC, apply the Employee role; otherwise set them as Guest:

= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : 'Guest'

This can be expanded if you create multiple MAC fields. Navigate to Customize > Fields and duplicate mac. Rename it as mac_byod and then add it to the create_user and guest_edit forms.
In this example the account has a registered employee device under mac, and a registered BYOD device under mac_byod:

= MacEqual(GetAttr('Calling-Station-Id'), $user['mac_byod']) ? 'BYOD' : (MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : 'Guest')

User Detection on Landing Pages

When mac is passed in the redirect URL, the user is detected and a customized message displays on the landing page. Navigate to Administration > Plugin Manager > Manage Plugins: MAC Authentication: Configuration and enable MAC Detect. Edit the header of your redirect landing page (login or registration) and include the following:

{if $guest_receipt.u.visitor_name}
Welcome back to the show, {$guest_receipt.u.visitor_name|htmlspecialchars}!
{else}
Welcome to the show!
{/if}
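The expressions in the 2-Factor Authentication and MAC-Based Derivation of Role sections above are only as good as MacEqual()'s handling of the formats listed under "MAC Address Formats": the controller may send Calling-Station-Id as 11-22-33-AA-BB-CC while the account stores 112233aabbcc. The following Python example is added here and is not taken from ClearPass Guest; it shows the normalisation a format-insensitive comparison needs and reproduces the decision logic of those two sections. The account record and RADIUS attributes are constructed, and treating a missing or unparseable mac as a mismatch (reject, or Guest) is this example's assumption about MacEqual():

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a valid MAC.

    Separators ':', '-', '.' and whitespace are removed, so 11:22:33:aa:bb:cc,
    11-22-33-AA-BB-CC, 1122.33AA.BBCC and 112233AABBCC all become 112233aabbcc.
    """
    if value is None:
        return None
    cleaned = re.sub(r"[:\-.\s]", "", str(value)).lower()
    return cleaned if _HEX12.match(cleaned) else None


def mac_equal(a, b):
    """Stand-in for the guide's MacEqual(): compare two MACs regardless of format.
    Assumption: two missing or unparseable values never compare equal."""
    na, nb = normalize_mac(a), normalize_mac(b)
    return na is not None and na == nb


ACCESS_REJECT = "ACCESS_REJECT"


def two_factor_role(user, radius_attrs, role_name):
    """2-Factor Authentication: return the role only when the Calling-Station-Id
    matches the MAC on record for the account that just passed password auth."""
    if mac_equal(radius_attrs.get("Calling-Station-Id"), user.get("mac")):
        return role_name
    return ACCESS_REJECT


def derive_role(user, radius_attrs):
    """MAC-Based Derivation of Role: BYOD for the registered BYOD device,
    Employee for the registered employee device, otherwise Guest."""
    calling = radius_attrs.get("Calling-Station-Id")
    if mac_equal(calling, user.get("mac_byod")):
        return "BYOD"
    if mac_equal(calling, user.get("mac")):
        return "Employee"
    return "Guest"


if __name__ == "__main__":
    # Constructed sample account and RADIUS requests, not data from the guide.
    account = {"username": "jdoe", "mac": "112233AABBCC", "mac_byod": "11:22:33:aa:bb:cd"}
    for csid in ("11-22-33-AA-BB-CC", "11:22:33:aa:bb:cd", "00-11-22-33-44-55"):
        attrs = {"Calling-Station-Id": csid}
        print(csid, two_factor_role(account, attrs, "Employee"), derive_role(account, attrs))
```

A MAC address is chosen by the client, so this second factor resists casual credential sharing rather than a deliberate attacker who can read the registered address off a device; the guide's warning that self-registered mac values defeat the purpose applies for the same reason.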
For debugging purposes, include the following to see all the fields available:

{dump var=$guest_receipt export=html}

Click-Through Login Pages

A click-through login page presents a splash or terms screen to the guest, yet still provides MAC-auth style seamless authentication. Under this scenario, you could have people create an account with a paired MAC, yet still have them click the terms and conditions on every new connection.

Disable MAC authentication on the controller. Navigate to Administration > Plugin Manager > Manage Plugins: MAC Authentication: Configuration and enable MAC Detect. Create a Web Login with the following settings:

- Authentication: Anonymous
- Anonymous User: _mac (_mac is a special secret value)
- Pre-Auth Check: Local
- Terms: Require a Terms and Conditions confirmation

Set the Web login as your landing page and test. Using a registered device, the Log In button should be enabled; otherwise it will be disabled. You may also want to add a message so visitors get some direction:

{if $guest_receipt.u.username}
{if $guest_receipt.u.visitor_name}
Welcome back, {$guest_receipt.u.visitor_name|htmlspecialchars}!
{else}
Welcome back.
{/if}
Please accept the terms before proceeding.
{else}
You need to register...
{/if}
You can hide the login form by having the final line of the header be:

{if !$guest_receipt.u.username} {/if}

Active Sessions Management

The RADIUS server maintains a list of active visitor sessions. If your NAS equipment has RFC 3576 support, the RADIUS dynamic authorization extensions allow you to disconnect or modify an active session.

To view and manage active sessions for the RADIUS server, go to Guest > Active Sessions. The Active Sessions list opens. You can use this list to modify, disconnect or reauthorize, or send SMS notifications for active visitor sessions; manage multiple sessions; or customize the list to include additional fields.

- To view details for an active session, click the session's row in the list, then click its Show Details link. The form expands to include the Session Details view.
- If the NAS equipment has RFC 3576 support, you can disconnect or dynamically reauthorize active sessions. See "RFC 3576 Dynamic Authorization" on page 61 for more information.
  - To disconnect an active session, click the session's row in the list, then click its Disconnect link. A message is displayed to show that the disconnect is in progress and acknowledge when it is complete.
  - To reauthorize a session that was disconnected, click the session's row in the list, then click its Reauthorize link. The Reauthorize Session form opens. Click Reauthorize Session. A message is displayed to show that the reauthorization is in progress and acknowledge when it is complete.
  - To disconnect multiple sessions, click the Manage Multiple tab. The form expands to include the Manage Multiple Sessions form. For more information, see "Disconnecting Multiple Active Sessions" on page 62.
- To view and work with the guest accounts associated with a session, click the session's row in the list, then click its List Accounts link. The Guest Manager Accounts view opens.
See "Managing Guest Accounts" on page 34 for more information.
- To display only sessions that meet certain criteria, click the Filter tab. For more information, see "Filtering the List of Active Sessions" on page 61.
- To send SMS notifications to visitors, click the SMS tab. For more information, see "Sending Multiple SMS Alerts" on page 63.
- To include additional fields in the Active Sessions list, or delete fields from it, click the More Options tab. The Customize View Fields page opens. For more information, see "Editing Forms" on page 152.
- You can use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.

Session States

A session may be in one of three possible states:

- Active: An active session is one for which the RADIUS server has received an accounting start message and has not received a stop message, which indicates that service is being provided by a NAS on behalf of an authorized client. While a session is in progress, the NAS sends interim accounting update messages to the RADIUS server. This maintains up-to-date traffic statistics and keeps the session active. The frequency of the accounting update messages is configurable in the RADIUS server.
- Stale: If an accounting stop message is never sent for a session, for example if the visitor does not log out, that session will remain open. After 24 hours without an accounting update indicating session traffic, the session is considered stale and is not counted towards the active sessions limit for a visitor account. To ensure that accounting statistics are correct, you should check the list for stale sessions and close them.
- Closed: A session ends when the visitor logs out or if the session is disconnected. When a session is explicitly ended in either of these ways, the NAS sends an accounting stop message to the RADIUS server.
This closes the session. No further accounting updates are possible for a closed session.

RFC 3576 Dynamic Authorization

Dynamic authorization describes the ability to make changes to a visitor account's session while it is in progress. This includes disconnecting a session, or updating some aspect of the authorization for the session. The Active Sessions page provides two dynamic authorization capabilities that apply to currently active sessions:

- Disconnect causes a Disconnect-Request message to be sent to the NAS for an active session, requesting that the NAS terminate the session immediately. The NAS should respond with a Disconnect-ACK message if the session was terminated or Disconnect-NAK if the session was not terminated.
- Reauthorize causes a Disconnect-Request message to be sent to the NAS for an active session. This message contains a Service-Type attribute with the value "Authorize Only". The NAS should respond with a Disconnect-NAK message, and should then reauthorize the session by sending an Access-Request message to the RADIUS server. The RADIUS server's response will contain the current authorization details for the visitor account, which will then update the corresponding properties in the NAS session.

If the NAS does not support RFC 3576, attempts to perform dynamic authorization will time out and result in a "No response from NAS" error message. Refer to RFC 3576 for more details about dynamic authorization extensions to the RADIUS protocol.

Filtering the List of Active Sessions

You can use the Filter tab to narrow the search parameters and quickly find all matching sessions. Enter a username or IP address in the Filter field. Additional fields can be included in the search if the "Include values when performing a quick search" option was selected for the field within the view. To control this option, use the Choose Columns command link on the More Options tab.
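The Disconnect and Reauthorize operations described under "RFC 3576 Dynamic Authorization" above are a short exchange of RADIUS packets between ClearPass Guest, acting as the Dynamic Authorization Client, and the NAS. The following Python example is added here and is not ClearPass code; it builds a Disconnect-Request with or without the Service-Type "Authorize Only" attribute, computes and verifies the request and response authenticators the way RFC 3576 and its successor RFC 5176 specify (MD5 over the packet and the shared secret), and includes a small stand-in for the NAS side so the whole exchange runs offline. The secret, user, session ID and MAC address are constructed:

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 3576 (now RFC 5176); the client sends to NAS UDP port 3799.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute types used below (RFC 2865, RFC 2866, RFC 5176).
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 6, 31, 44, 101
SERVICE_TYPE_AUTHORIZE_ONLY = 17
ERROR_CAUSE_REQUEST_INITIATED = 507  # the NAK that precedes a NAS-initiated reauthorization


def encode_attr(attr_type, value):
    """Type/Length/Value encoding: integers as 4 octets, strings as UTF-8 text."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    if len(data) > 253:
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return bytes([attr_type, len(data) + 2]) + data


def decode_attrs(packet):
    """Return {type: [raw value, ...]} for the attributes after the 20-octet header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + _md5(header, bytes(16), body, secret) + body


def verify_request(request, secret):
    """NAS side: drop any request whose authenticator was not made with the shared secret."""
    if len(request) < 20 or struct.unpack("!H", request[2:4])[0] != len(request):
        return False
    expected = _md5(request[:4], bytes(16), request[20:], secret)
    return hmac.compare_digest(request[4:20], expected)


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + _md5(header, request[4:20], body, secret) + body


def verify_response(request, response, secret):
    """Client side: accept only a response whose ID matches our request and whose
    authenticator verifies, so a replayed or forged ACK is not mistaken for success."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = _md5(response[:4], request[4:20], response[20:], secret)
    return hmac.compare_digest(response[4:20], expected)


def disconnect_request(identifier, username, session_id, mac, secret, reauthorize=False):
    """Build the Disconnect-Request; reauthorize=True adds Service-Type = Authorize Only."""
    attrs = [(USER_NAME, username), (ACCT_SESSION_ID, session_id), (CALLING_STATION_ID, mac)]
    if reauthorize:
        attrs.append((SERVICE_TYPE, SERVICE_TYPE_AUTHORIZE_ONLY))
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


def nas_handle(request, secret):
    """Stand-in NAS: ACK a plain disconnect; NAK an Authorize Only request with
    Error-Cause 507 (a real NAS then sends a fresh Access-Request). None if the
    authenticator does not verify."""
    if not verify_request(request, secret):
        return None
    service = decode_attrs(request).get(SERVICE_TYPE, [])
    if service and struct.unpack("!I", service[0])[0] == SERVICE_TYPE_AUTHORIZE_ONLY:
        return build_response(DISCONNECT_NAK, request,
                              [(ERROR_CAUSE, ERROR_CAUSE_REQUEST_INITIATED)], secret)
    return build_response(DISCONNECT_ACK, request, [], secret)


if __name__ == "__main__":
    # Constructed exchange with a made-up secret, user, session and MAC (not from the guide).
    secret = b"CoA-shared-secret"
    req = disconnect_request(1, "jdoe", "A1B2C3", "11-22-33-AA-BB-CC", secret, reauthorize=True)
    resp = nas_handle(req, secret)
    print("code", resp[0], "valid", verify_response(req, resp, secret),
          "error-cause", struct.unpack("!I", decode_attrs(resp)[ERROR_CAUSE][0])[0])
```

The authenticator check is all that stands between the NAS and an unauthenticated disconnect of any session, so the shared secret should be long and random and the NAS should accept dynamic authorization only from the ClearPass server's address. The "No response from NAS" error described above is this request timing out when the NAS does not listen for it.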
You may enter a simple substring to match a portion of the username or any other fields that are configured for search, and you can include the following operators:

Table 11: Operators supported in filters

  Operator   Meaning
  =          is equal to
  !=         is not equal to
  >          is greater than
  >=         is greater than or equal to
  <          is less than
  <=         is less than or equal to
  ~          matches the regular expression
  !~         does not match the regular expression

Additional Information: You may search for multiple values when using the equality (=) or inequality (!=) operators. To specify multiple values, list them separated by the pipe character ( | ). For example, specifying the filter "role_id=2|3, custom_field=Value" restricts the accounts displayed to those with role IDs 2 and 3 (Guest and Employee), and with the field named "custom_field" set to "Value".

To restore the default view, click the Clear Filter link. Click the Apply Filter button to save your changes and update the view, or click the Reset button to remove the filter and return to the default view.

Disconnecting Multiple Active Sessions

To disconnect multiple sessions, click the Manage Multiple tab. The Manage Multiple Sessions form opens. To close all active sessions, leave the Start Time and End Time fields empty and click Make Changes. All active sessions are closed and are removed from the Active Sessions list.

You can specify sessions in a time range.
1. To close all sessions that started after a particular time, click the button in the Start Time row. The calendar picker opens. Use the calendar to specify the year, month, and day, and click the numbers in the Time fields to increment the hours and minutes. All sessions that started after the specified date and time will be disconnected.
2. To close all sessions that started before a particular time, click the button in the End Time row. The calendar picker opens.
Use the calendar to specify the year, month, and day, and click the numbers in the Time fields to increment the hours and minutes. All sessions that started before the specified date and time will be disconnected.
3. Click Make Changes. The specified sessions are closed and are removed from the Active Sessions list.

Sending Multiple SMS Alerts

The SMS tab on the Active Sessions page lets you send an SMS alert message to all active sessions that have a valid phone number. An SMS alert during an active session can be used to send a group of visitors information you might want them to have immediately—for example, a special offer that will only be available for an hour, a change in a meeting’s schedule or location, or a public safety announcement.

To create an SMS message:
1. Click the SMS tab on the Active Sessions page. The Send SMS Notification form opens.
2. Use the filter to specify the group of addresses that should receive the message. See "Filtering the List of Active Sessions" on page 61. Only accounts with valid phone numbers can be sent SMS alerts.
3. Enter the message in the Message text box. Messages may contain up to 160 characters.
4. Click Send.

About SMS Guest Account Receipts

You can send SMS receipts for guest accounts that are created using either sponsored guest access or self-provisioned guest access. This is convenient in situations where the visitor may not be physically present to receive a printed receipt. ClearPass Guest may be configured to automatically send SMS receipts to visitors, or to send receipts only on demand.

To manually send an SMS receipt:
1. Navigate to Guest > List Accounts and click to expand the row of the guest to whom you want to send a receipt.
2. Click Print to display the Account Details view, then click the Send SMS receipt link. The SMS Receipt form opens.
Use the fields on this form to enter the service to use, the recipient’s mobile phone number, the mobile carrier, and the message text. For more information on SMS services, see "SMS Services" on page 228.

Chapter 4 Onboard

Onboarding is the process of preparing a device for use on an enterprise network by creating the appropriate access credentials and setting up the network connection parameters. Dell Networking W-ClearPass Onboard automates 802.1X configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices—Windows, Mac OS X, iOS and Android—across wired, wireless, and VPNs.

ClearPass Onboard includes the following key features:
- Automatic configuration of network settings for wired and wireless endpoints.
- Provisioning of unique device credentials for BYOD and IT-managed devices.
- Support for Windows, Mac OS X, iOS, and Android devices.
- Enables the revocation of unique credentials on a specific user’s device.
- Leverages ClearPass profiling to identify device type, manufacturer, and model.

Accessing Onboard

To access Dell Networking W-ClearPass Onboard’s device provisioning features, click the Onboard link in the left navigation.

About ClearPass Onboard

This section provides important information about Dell Networking W-ClearPass Onboard.

Onboard Deployment Checklist

Table 12 lists planning, configuration, and testing procedures. Use this checklist to complete your Onboard deployment.

Onboard events are stored in the Application Log for seven days by default. After seven days, significant runtime events are listed in the Audit Viewer in Dell Networking W-ClearPass Policy Manager’s Monitoring module.
Onboard events that are listed include:
- Changing the CA certificate
- Issuing a new certificate
- Signing a certificate signing request
- Revoking a certificate
- Deleting a certificate
- Importing a trusted certificate
- Uploading a code-signing or other certificate

Table 12: Onboard Deployment Checklist

Deployment Step | Reference

Planning and Preparation
Review the Onboard feature list to identify the major areas of interest for your deployment. | "Onboard Feature List" on page 67
Review the list of platforms supported by Onboard, and identify the platforms of interest for your deployment. | "Supported Platforms" on page 68
Review the Onboard public key infrastructure, and identify any certificate authorities that will be needed during the deployment. | "Public Key Infrastructure for Onboard" on page 68
Review the network requirements and the network architecture diagrams to determine how and where to deploy the Onboard solution. | Refer to the ClearPass Policy Manager documentation, and "Network Architecture for Onboard" on page 72 in this chapter

Configuration
Configure the hostname and networking properties of the Onboard provisioning server. DNS is required for SSL. Ensure that hostname resolution will work for devices being provisioned. | Refer to the ClearPass Policy Manager documentation
Configure the SSL certificate for the Onboard provisioning server. A commercial SSL certificate is required to enable secure device provisioning for iOS devices. | Refer to the ClearPass Policy Manager documentation
Configure the Onboard certificate authority. Decide whether to use the Root CA or Intermediate CA mode of operation. Create the certificate for the certificate authority. | "Configuring the Certificate Authority" on page 81
Configure the data retention policy for the certificate authority. |
"Configuring Data Retention Policy for Certificates" on page 90
Configure device provisioning settings. Select certificate options for device provisioning. Select which device types should be supported. | "Configuring Provisioning Settings" on page 106
Configure network settings for device provisioning. Set network properties. Upload 802.1X server certificates. Set device-specific networking settings. | "Configuring Network Settings for Device Provisioning" on page 117
Configure networking equipment for non-provisioned devices. Set authentication for the provisioning SSID, if required. Ensure the captive portal redirects non-provisioned devices to the device provisioning page. | "Network Requirements for Onboard" on page 71
Configure networking equipment to authenticate provisioned devices. Ensure 802.1X authentication methods and trust settings are configured correctly for all EAP types that are required. Configure OCSP or CRL on the authentication server to check for client certificate validity. | "Network Requirements for Onboard" on page 71
Configure the user interface for device provisioning. Set display options for iOS devices. Set user interface options for other Onboard devices. Set up the device provisioning Web login page. | "Configuring the User Interface for Device Provisioning" on page 79

Testing and Verification
Test device provisioning. Verify that each type of device can be provisioned successfully. Verify that each type of device can join the provisioned network and is authenticated successfully. |
Test device revocation. Revoke a device’s certificate. Verify that the device is no longer able to authenticate. Verify that re-provisioning the device fails. |

Onboard Feature List

The following features are available in Dell Networking W-ClearPass Onboard.
Table 13: Onboard Features

Feature: Automatic configuration of network settings for wired and wireless endpoints.
Uses:
- Configure wired networks using 802.1X
- Configure Wi-Fi networks using either 802.1X or pre-shared key (PSK)
- Configure trusted server certificates for 802.1X
- Configure Windows-specific networking settings
- Configure HTTP proxy settings for client devices (Android, OS X only)

Feature: Secure provisioning of unique device credentials for BYOD and IT-managed devices.
Uses:
- Configure EAP-TLS and PEAP-MSCHAPv2 without user interaction
- Revoke unique device credentials to prevent network access

Feature: Support for Windows, Mac OS X, iOS, and Android devices.
Uses:
- Leverage ClearPass Profiling to identify device type, manufacturer, and model
- Control the user interface displayed during device provisioning

Feature: Certificate authority enables the creation and revocation of unique credentials on a specific user’s device.
Uses:
- Root and intermediate CA modes of operation
- Supports SCEP enrollment of certificates
- Supports CRL generation to list revoked certificates
- Supports OCSP responder to query for certificate status
- Approve certificate signing request
- Reject certificate signing request
- Sign certificate from uploaded certificate signing request (CSR)
- Issue certificate
- Revoke certificate
- Display certificates
- Export certificate
- Renew root certificate

Feature: Provision additional settings specific to iOS devices
Uses:
- Exchange ActiveSync
- Passcode policy
- VPN settings

Supported Platforms

The platforms supported by Dell Networking W-ClearPass Onboard and the version requirements for each platform are summarized in the following table.
Table 14: Platforms Supported by ClearPass Onboard

Platform | Example Devices | Version Required for Onboard Support | Notes
Apple iOS | iPhone, iPad, iPod Touch | iOS 4, iOS 5 | 1, 3
Apple Mac OS X | MacBook Pro, MacBook Air | Mac OS X 10.8 “Mountain Lion”, Mac OS X 10.7 “Lion” | 1
Apple Mac OS X | MacBook Pro, MacBook Air | Mac OS X 10.6 “Snow Leopard”, Mac OS X 10.5 “Leopard” | 2
Android | Samsung Galaxy S, Samsung Galaxy Tab, Motorola Droid | Android 2.2 (or higher) | 2
Microsoft Windows | Laptop, Netbook | Windows XP with Service Pack 3, Windows Vista with Service Pack 3, Windows 7 | 2

Note 1: Uses the “Over-the-air provisioning” method.
Note 2: Uses the “Onboard provisioning” method.
Note 3: Onboard may also be used to provision VPN settings, Exchange ActiveSync settings, and passcode policy on these devices.

Public Key Infrastructure for Onboard

During the device provisioning process, one or more digital certificates are issued to the device. These are used as the unique credentials for a device. To issue the certificate, Dell Networking W-ClearPass Onboard must operate as a certificate authority (CA). The following sections explain how the certificate authority works, and which certificates are used in this process.

Certificate Hierarchy

In a public key infrastructure (PKI) system, certificates are related to each other in a tree-like structure.

Figure 10: Relationship of Certificates in the Onboard Public Key Infrastructure

The root certificate authority (CA) is typically an enterprise certificate authority, with one or more intermediate CAs used to issue certificates within the enterprise. Onboard may operate as a root CA directly, or as an intermediate CA. See "Configuring the Certificate Authority" on page 81. For information on setting up certificates when using Onboard in a cluster, see "Certificate Configuration in a Cluster" on page 70.
The Onboard CA issues certificates for several purposes:
- The Profile Signing Certificate is used to digitally sign configuration profiles that are sent to iOS devices.
  - The identity information in the profile signing certificate is displayed during device provisioning.
- One or more Server Certificates may be issued for various reasons – typically, for an enterprise’s authentication server.
  - The identity information in the server certificate may be displayed during network authentication.
- One or more Device Certificates may be issued – typically, one or two per provisioned device.
  - The identity information in the device certificate uniquely identifies the device and the user that provisioned the device.

You do not need to manually create the profile signing certificate; it is created when it is needed. See "Configuring Provisioning Settings for iOS and OS X" on page 110 to control the contents of this certificate. You may revoke the profile signing certificate; it will be recreated when it is needed for the next device provisioning attempt.

Certificate Configuration in a Cluster

When you use Onboard in a cluster, you must use one common root certificate authority (CA) to issue all CPPM server certificates for the cluster. This allows the “verified” message in iOS and lets you verify that the CPPM server certificate is valid during EAP-PEAP or EAP-TLS authentication.

In a cluster of CPPM servers, devices can be onboarded through any node or authenticated through any node. Each CPPM server has a different certificate, used for both SSL and RADIUS server identity. In the default configuration, these are self-signed certificates—that is, they are not issued by a root CA. This configuration of multiple self-signed certificates will not work for Onboard: although a single self-signed certificate can be trusted, multiple self-signed certificates are not.
There are two ways to configure a common root CA to issue all the CPPM server certificates for a cluster:
- Use the Onboard certificate authority. Create a certificate signing request on each CPPM node, sign the certificates using Onboard, and install them in CPPM. You can then onboard devices on any node in the cluster, and can perform secure EAP authentication from a provisioned device to any node in the cluster.
- Use a commercial certificate authority to issue CPPM server certificates. Verify that the same root CA is at the top of the trust chain for every server certificate, and that it is the trusted root certificate for Onboard. Provisioning and authentication will then work across the entire cluster.

Revoking Unique Device Credentials

Because each provisioned device uses unique credentials to access the network, it is possible to disable network access for an individual device. This offers a greater degree of control than traditional user-based authentication — disabling a user’s account would impact all devices using those credentials.

To disable network access for a device, revoke the TLS client certificate provisioned to the device. See "Working with Certificates in the List" on page 97.

NOTE: Revoking access for a device is only possible when using an enterprise network. Personal (PSK) networks do not support this capability.

Revoking Credentials to Prevent Network Access

NOTE: Revoking a device's certificate will also prevent the device from being re-provisioned. This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate. To re-provision the device, the revoked certificate must be deleted.

If the device is provisioned with an EAP-TLS client certificate, revoking the certificate will cause the certificate authority to update the certificate’s state. When the certificate is next used for authentication, it will be recognized as a revoked certificate and the device will be denied access.
NOTE: When using EAP-TLS authentication, you must configure your authentication server to use either OCSP or CRL to check the revocation status of a client certificate. OCSP is recommended as it offers a real-time status update for certificates.

If the device is provisioned with PEAP unique device credentials, revoking the certificate will automatically delete the unique username and password associated with the device. When this username is next used for authentication, it will not be recognized as valid and the device will be denied access.

NOTE: OCSP and CRL are not used when using PEAP unique device credentials. The ClearPass Onboard server automatically updates the status of the username when the device's client certificate is revoked.

Re-Provisioning a Device

Because “bring your own” devices are not under the complete control of the network administrator, it is possible for unexpected configuration changes to occur on a provisioned device. For example, the user may delete the configuration profile containing the settings for the provisioned network, instruct the device to forget the provisioned network settings, or reset the device to factory defaults and destroy all the configuration on the device.

When these events occur, the user will not be able to access the provisioned network and will need to re-provision their device. The Onboard server detects a device that is being re-provisioned and prompts the user to take a suitable action (such as connecting to the appropriate network). If this is not possible, the user may choose to restart the provisioning process and re-provision the device.

Re-provisioning a device will reuse an existing TLS client certificate or unique device credentials, if these credentials are still valid. If the TLS client certificate has expired then the device will be issued a new certificate.
This enables re-provisioning to occur on a regular basis. If the TLS client certificate has been revoked, then the device will not be permitted to re-provision. The revoked certificate must be deleted before the device is able to be provisioned.

Network Requirements for Onboard

For complete functionality to be achieved, Dell Networking W-ClearPass Onboard has certain requirements that must be met by the provisioning network and the provisioned network:
- The provisioning network must use a captive portal or other method to redirect a new device to the device provisioning page.
- The provisioning server (Onboard server) must have an SSL certificate that is trusted by devices that will be provisioned. In practice, this means a commercial SSL certificate is required.
- The provisioned network must support EAP-TLS and PEAP-MSCHAPv2 authentication methods.
- The provisioned network must support either OCSP or CRL checks to detect when a device has been revoked and deny access to the network.

Using Same SSID for Provisioning and Provisioned Networks

To configure a single SSID to support both provisioned and non-provisioned devices, use the following guidelines:
- Configure the network to use both PEAP and EAP-TLS authentication methods.
- When a user authenticates via PEAP with their domain credentials, place them into a provisioning role.
- The provisioning role should have limited network access and a captive portal that redirects users to the device provisioning page.
- When a user authenticates via PEAP with unique device credentials, place them into a provisioned role.
- When a user authenticates via EAP-TLS using an Onboard client certificate, place them into a provisioned role.

For provisioned devices, additional authorization steps can be taken after authentication has completed to determine the appropriate provisioned role.
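The following added example (not code from the guide, and not the Onboard CA or Policy Manager implementation) models in one place the rules from the preceding sections: revocation of EAP-TLS certificates versus PEAP unique device credentials, the re-provisioning decision (reuse a valid credential, issue a new one on expiry, refuse while a revoked certificate exists), and the role-assignment guidelines above. It also covers the dual-SSID layout described in the next section, where the provisioning SSID always yields the provisioning role and the provisioned SSID denies anything other than unique device credentials or an Onboard client certificate. The in-memory "CA", the serial numbers, usernames and lifetimes are constructed assumptions.

```python
"""Added example (not from the ClearPass Guest guide): a model of the Onboard
credential lifecycle (revocation, re-provisioning) and the role-assignment
guidelines for single- and dual-SSID deployments. The in-memory "CA", names
and lifetimes are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class DeviceCredential:
    serial: int
    user: str
    method: str            # "EAP-TLS" (client certificate) or "PEAP" (unique username/password)
    not_after: datetime
    revoked: bool = False
    username: str = None   # the unique device username, PEAP devices only


class OnboardCA:
    """Minimal stand-in for the Onboard certificate authority."""

    def __init__(self):
        self.certs = {}          # serial -> DeviceCredential
        self.peap_accounts = {}  # unique device username -> serial
        self._next_serial = 1

    def issue(self, user, method, now, lifetime=timedelta(days=365)):
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        cred = DeviceCredential(serial, user, method, now + lifetime)
        if method == "PEAP":
            cred.username = "%s-device-%d" % (user, serial)
            self.peap_accounts[cred.username] = serial
        self.certs[serial] = cred
        return serial

    def revoke(self, serial):
        cred = self.certs[serial]
        cred.revoked = True
        # PEAP unique credentials are deleted at once; OCSP/CRL play no part there
        if cred.username is not None:
            self.peap_accounts.pop(cred.username, None)

    def delete(self, serial):
        """Required before a device with a revoked certificate may re-provision."""
        cred = self.certs.pop(serial, None)
        if cred is not None and cred.username is not None:
            self.peap_accounts.pop(cred.username, None)

    def ocsp_status(self, serial):
        cred = self.certs.get(serial)
        if cred is None:
            return "unknown"
        return "revoked" if cred.revoked else "good"

    def crl(self):
        """Serial numbers a CRL for this CA would list."""
        return sorted(s for s, c in self.certs.items() if c.revoked)


def reprovision_decision(ca, serial, now):
    """Reuse a valid credential, issue anew for an expired one, refuse a revoked one."""
    cred = ca.certs.get(serial) if serial is not None else None
    if cred is None:
        return "issue-new"     # never provisioned, or the revoked certificate was deleted
    if cred.revoked:
        return "deny"          # the revoked certificate must be deleted first
    if cred.not_after <= now:
        return "issue-new"     # expired: regular re-provisioning issues a new certificate
    return "reuse"


def assign_role(ca, ssid_kind, auth_method, credential, now):
    """ssid_kind is "single" (one SSID for both), or "provisioning" / "provisioned"
    for the dual-SSID layout. credential is {"kind": "domain"|"unique"|"cert", ...}.
    Returns "provisioning", "provisioned", or None to deny access."""
    kind = credential["kind"]
    if ssid_kind == "provisioning":
        return "provisioning"  # limited access plus captive-portal redirect
    if auth_method == "PEAP" and kind == "domain":
        return "provisioning" if ssid_kind == "single" else None
    if auth_method == "PEAP" and kind == "unique":
        # revocation deleted the account, so an unknown username is simply refused
        return "provisioned" if credential["username"] in ca.peap_accounts else None
    if auth_method == "EAP-TLS" and kind == "cert":
        cred = ca.certs.get(credential["serial"])
        if cred is None or cred.not_after <= now or ca.ocsp_status(cred.serial) != "good":
            return None
        return "provisioned"
    return None                # all other cases: deny
```

The two revocation paths differ in where the check happens: for EAP-TLS the authentication server must ask the CA (OCSP here, or the CRL) at every authentication, so a server without OCSP or CRL configured would keep accepting a revoked certificate until it expires; for PEAP unique credentials the account itself disappears, so no revocation lookup is needed.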
Using Different SSID for Provisioning and Provisioned Networks

To configure dual SSIDs to support provisioned devices on one network, and non-provisioned devices on a separate network, use the following guidelines:
- Configure the provisioning SSID to use PEAP, or another suitable authentication method.
- When a user connects to the provisioning SSID, place them into a provisioning role.
  - The provisioning role should have limited network access and a captive portal that redirects users to the device provisioning page.
- When a user connects to the provisioned SSID, authenticate based on the type of credentials presented.
  - For PEAP authentication with unique device credentials, place them into a provisioned role.
  - For EAP-TLS authentication using an Onboard client certificate, place them into the provisioned role.
  - In all other cases, deny access.

As for the single-SSID case, additional authorization steps may be taken after authentication has completed to determine the appropriate provisioned role.

Configuring Online Certificate Status Protocol

Onboard supports the Online Certificate Status Protocol (OCSP) to provide a real-time check on the validity of a certificate. To configure OCSP for your network, you will need to provide the URL of an OCSP service to your network equipment. This URL can be constructed by using the relative path mdps_ocsp.php/1. For example, if the Onboard server’s hostname is onboard.example.com, the OCSP URL to use is: http://onboard.example.com/mdps_ocsp.php/1.

NOTE: OCSP does not require the use of HTTPS and can be configured to use HTTP.

Configuring Certificate Revocation List (CRL)

Onboard supports generating a Certificate Revocation List (CRL) that lists the serial numbers of certificates that have been revoked. To configure a CRL, you will need to provide its URL to your network equipment.
This URL can be constructed by using the relative path mdps_crl.php?id=1. For example, if the Onboard server’s hostname is onboard.example.com, the location of the CRL is: http://onboard.example.com/mdps_crl.php?id=1.

NOTE: A certificate revocation list does not require the use of HTTPS and can be configured to use HTTP.

Network Architecture for Onboard

The high-level network architecture for the Onboard solution is shown in the following figure.

Figure 11: ClearPass Onboard Network Architecture

The sequence of events shown in Figure 11 is:
1. Users bring their own device to the enterprise.
2. The Dell Networking W-ClearPass Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction.
3. Once provisioned, the device re-authenticates to the network using a set of unique device credentials. These credentials uniquely identify the device and user and enable management of provisioned devices.
4. Administrators can configure all aspects of the provisioning workflow – including the devices that have been provisioned, policies to apply to devices and the overall user experience for BYOD.

A more detailed view of the network architecture is shown in Figure 12. This diagram shows different types of client devices using the Onboard workflow to gain access to the network. Some of the components that may be configured by the network administrator are also shown.

Figure 12: Detailed View of the ClearPass Onboard Network Architecture

The components shown in Figure 12 are:
1. Users bring different kinds of client device with them. Onboard supports “smart devices” that use the iOS or Android operating systems, such as smartphones and personal tablets.
Onboard also supports the most common versions of Windows and Mac OS X operating systems found on desktop computers, laptops and netbooks.
2. The Onboard workflow is used to provision the user’s device securely and with a minimum of user interaction. The provisioning method used depends on the type of device.
   a. Newer versions of Mac OS X (10.7 and later) and iOS devices use the “over-the-air” provisioning method.
   b. Other supported platforms use the “Onboard provisioning” method.
3. Once provisioned, client devices use a secure authentication method based on 802.1X and the capabilities best supported by the device.
   a. The unique device credentials issued during provisioning are in the form of an EAP-TLS client certificate for iOS devices and OS X (10.7+) devices.
   b. Other supported devices are also issued a client certificate, but will use the PEAP-MSCHAPv2 authentication method with a unique username and strong password.
4. Administrators can manage all Onboard devices using the certificate issued to that device.

Network Architecture for Onboard when Using ClearPass Guest

ClearPass Guest supports the provisioning, authentication, and management aspects of the complete Onboard solution. Figure 13 shows the high-level network architecture for the Onboard solution when using ClearPass Guest as the provisioning and authentication server.

Figure 13: ClearPass Onboard Network Architecture when Using ClearPass Guest

The user experience for device provisioning is the same in Figure 13 and Figure 11; however, there are implementation differences between these approaches:
- When using the ClearPass Guest RADIUS server for provisioning and authentication, EAP-TLS and PEAP authentication must be configured. Navigate to RADIUS > Authentication > EAP & 802.1X to configure a server certificate and the appropriate EAP types for the ClearPass Guest RADIUS server.
- ClearPass Policy Manager supports a rich policy definition framework.
If you have complex policies to enforce, multiple authentication or authorization sources that define user accounts, or you need features beyond those available in the ClearPass Guest RADIUS server, you should deploy Policy Manager for authentication.

The ClearPass Onboard Process

Devices Supporting Over-the-Air Provisioning

Dell Networking W-ClearPass Onboard supports secure device provisioning for iOS 4, iOS 5, and recent versions of Mac OS X (10.7 “Lion” and later). These are collectively referred to as “iOS devices”. The Onboard process for iOS devices is shown in Figure 14.

Figure 14: ClearPass Onboard Process for iOS Devices

The Onboard process is divided into three stages:
1. Pre-provisioning. The enterprise’s root certificate is installed on the iOS device.
2. Provisioning. The user is authenticated at the device provisioning page and then provisions their device with the Onboard server. The device is configured with appropriate network settings and a device-specific certificate.
3. Authentication. Once configuration is complete, the user switches to the secure network and is authenticated using an EAP-TLS client certificate.

A sequence diagram showing the interactions between each component of this workflow is shown in Figure 15.

Figure 15: Sequence Diagram for the Onboard Workflow on iOS Platform

1. When a BYOD device first joins the provisioning network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page.
2. A link on the mobile device provisioning page prompts the user to install the enterprise’s root certificate.
Installing the enterprise’s root certificate enables the user to establish the authenticity of the provisioning server during device provisioning.
3. The user then authenticates with their provisioning credentials – these are typically the user’s enterprise credentials from Active Directory. If the user is authorized to provision a mobile device, the over-the-air provisioning workflow is then triggered (see Figure 16, below).
4. After provisioning has completed, the device switches to EAP-TLS authentication using the newly provisioned client certificate. Mutual authentication is performed (the authentication server verifies the client certificate, and the client verifies the authentication server’s certificate).
5. The device is now onboard and is able to securely access the provisioned network.

Over-the-air provisioning is used to securely provision a device and configure it with network settings. Figure 16 shows a sequence diagram that explains the steps involved in this workflow.

Figure 16: Over-the-Air Provisioning Workflow for iOS Platform

1. The only user interaction required is to accept the provisioning profile. This profile is signed by the Onboard server, so that the user can be assured of its authenticity.
2. An iOS device will have two certificates after over-the-air provisioning is complete:
   a. A Simple Certificate Enrollment Protocol (SCEP) certificate is issued to the device during the provisioning process. This certificate identifies the device uniquely, and is used to encrypt the device configuration profile so that only this device can read its unique settings.
   b. A Transport Layer Security (TLS) client certificate is issued to the device. This certificate identifies the device and the user that provisioned the device. It is used as the device’s network identity during EAP-TLS authentication.
Devices Supporting Onboard Provisioning

Dell Networking W-ClearPass Onboard supports secure device provisioning for Microsoft Windows XP (service pack 3 and later), Microsoft Windows Vista, Microsoft Windows 7, Apple Mac OS X 10.5 and 10.6, and Android devices (smartphones and tablets). These are collectively referred to as “Onboard-capable devices”. The Onboard process for these devices is shown in Figure 17.

Figure 17: ClearPass Onboard Process for Onboard-Capable Devices

The Onboard process is divided into three stages:
1. Pre-provisioning. This step is only required for Android devices; the W-Series QuickConnect app must be installed for secure provisioning of the device.
2. Provisioning. The device provisioning page detects the device type and downloads or starts the QuickConnect app. The app authenticates the user and then provisions their device with the Onboard server. The device is configured with appropriate network settings and credentials that are unique to the device. See Figure 18 for details.
3. Authentication. Once configuration is complete, the user switches to the secure network and is authenticated using PEAP-MSCHAPv2 unique device credentials.

Figure 18: Sequence Diagram for the Onboard Workflow on Android Platform

1. When a BYOD device first joins the network it does not have a set of unique device credentials. This will trigger the captive portal for that device, which brings the user to the mobile device provisioning page.
2. The Onboard portal is displayed. The user’s device type is detected, and a link is displayed depending on the device type:
   a. For Android devices, the link is to a file containing the Onboard configuration settings; downloading this file will launch the QuickConnect app on the device.
   b.
For Windows and Mac, the link is to a executable file appropriate for that operating system that includes both the QuickConnect app and the Onboard configuration settings. 3. The QuickConnect app uses the Onboard provisioning workflow to authenticate the user and provision their device with the Onboard server. The device is configured with appropriate network settings and credentials that are unique to the device. 4. After provisioning has completed, the app switches the device to PEAP authentication using the newly provisioned unique device credentials. Mutual authentication is performed (the authentication server verifies the client’s username and password, and the client verifies the authentication server’s certificate). 5. The device is now onboard and is able to securely access the network. The Onboard provisioning workflow is used to securely provision a device and configure it with network settings. Figure 19 shows a sequence diagram that explains the steps involved in this workflow. Figure 19: Onboard Provisioning Workflow in the QuickConnect App Managing Provisioned Applications The Applications form lets you mark individual applications for installation during device provisioning, and specify whether they should be restarted when the device is provisioned. If restart is selected, you can specify whether the restart should take effect when the installation is complete or at a later time. To manage your applications: 1. Go to Onboard > Applications. The Applications form opens. 78 | Managing Provisioned Applications Dell Networking W-ClearPass Guest 6.0 | Deployment Guide 2. To upload applications, click the Content Manager link above the form. 3. To select applications to install, mark their check boxes, then click Save Changes. Configuring the User Interface for Device Provisioning The user interface for device provisioning can be customized in three different ways: l Customizing the Web login page used for device provisioning. 
All devices will reach the device provisioning Web login page as the first step of the provisioning process.See "Customizing the Device Provisioning Web Login Page" on page 79 to make changes to the content or formatting of this page. l Customizing the properties of the device provisioning profile for iOS and OS X devices. After starting the provisioning process, users of iOS and OS X are prompted to accept a configuration profile. See "Configuring Provisioning Settings for iOS and OS X" on page 110 to make changes to the content of this profile. l Customizing the user interface of the QuickConnect app for Windows, Mac OS X and Android devices. The provisioning process for Windows, Mac OS X and Android devices uses a separate app, which has a customizable user interface. See "Configuring Options for Legacy OS X, Windows, and Android Devices " on page 116 to make changes to the user interface. Customizing the Device Provisioning Web Login Page Onboard creates a default Web login page that is used to start the device provisioning process. To edit this page, navigate to Configuration > Start Here, then click the Web Logins command link. Click to expand the Onboard Provisioning row in the list, and then click Edit. The RADIUS Web Login Editor form for Onboard opens. Scroll to the Onboard Device Provisioning rows of the form. The Onboard-specific settings required for a device provisioning page are described below: Mark the Enable device provisioning check box to activate the Onboard features for this Web login page. NOTE: If this check box is not marked, device provisioning will be inoperative. Select the appropriate Onboard configuration from the Configuration drop-down list. Dell Networking W-ClearPass Guest 6.0 | Deployment Guide Configuring the User Interface for Device Provisioning | 79 To modify the instructions provided to users on the device provisioning page, edit the contents of the Header HTML text area. 
The default instructions are displayed to the user as rendered from the following text, which is prepopulated in the Header HTML text area:

Please configure security and network settings on your device to allow secure access to the internal network. Please follow the instructions listed below:
1. {nwa_iconlink icon="images/icon-certificate22.png" text="Install root certificate (click here)"}{nwa_mdps_config name=root_cert}{/nwa_iconlink}<br>
2. Login below using your {nwa_mdps_config name=organization_name} credentials
3. Install the certificate when prompted
4. Go to your Wi-Fi settings and connect to SSID:{nwa_mdps_config name=wifi_ssid}

Using the {nwa_mdps_config} Template Function

Certain properties can be extracted from the Onboard configuration and used in the device provisioning page. To obtain these properties, use the {nwa_mdps_config} Smarty template function. The “name” parameter specifies which property should be returned, as described in Table 15.

Table 15: Properties Available with the {nwa_mdps_config} Smarty Template Function

Name: root_cert
Description: URL of the Onboard certificate authority’s root certificate. Browsing to this URL will install the root certificate on the device, which is required as part of the pre-provisioning step.
Example: Install Onboard root certificate

Name: wifi_ssid
Description: Name of the wireless network. See "Configuring Basic Network Access Settings" on page 118.
Example: Connect to the network named {nwa_mdps_config name=wifi_ssid}

Name: organization_name
Description: The organization name. See "Configuring Basic Provisioning Settings" on page 107.
Example: Welcome to {nwa_mdps_config name=organization_name}
Configuring the Certificate Authority

To configure certificate authority settings, navigate to Onboard > Certificate Authority Settings, or click the Certificate Authority Settings command link. The Certificate Authority Settings form opens. This page is used to configure the Onboard certificate authority and to perform maintenance tasks for the CA:
- Set up a root or intermediate certificate authority (see "Setting Up the Certificate Authority" on page 81)
- Determine the OCSP URL for the certificate authority
- View the trust chain for the certificate authority (see "Uploading Certificates for the Certificate Authority" on page 91)
- Renew the certificate authority’s certificate (see "Renewing the Certificate Authority’s Certificate" on page 90)
- Configure the data retention policy applied to certificates issued by the authority (see "Configuring Data Retention Policy for Certificates" on page 90)
- Import a private key/certificate pair (see "Installing a Certificate Authority’s Certificate" on page 88)

NOTE: For information on setting up certificates when using Onboard in a cluster, see "Certificate Configuration in a Cluster" on page 70.

Setting Up the Certificate Authority

The Certificate Authority Settings form is used to set up the mode of operation for the certificate authority.

The Name and Description fields are used internally to identify this certificate authority for the network administrator. These values are never displayed to the user during device provisioning.

Select the appropriate mode for the certificate authority:
- Root CA – The Onboard certificate authority issues its own root certificate. The certificate authority issues client and server certificates using a local signing certificate, which is an intermediate CA that is subordinate to the root certificate. Use this option when you do not have an existing public-key infrastructure (PKI), or if you want to completely separate the certificates issued for Onboard devices from your existing PKI. Click the Root CA image in the Mode area, then click Continue to proceed to the second step. See "Setting Up a Root Certificate Authority" on page 82.
- Intermediate CA – The Onboard certificate authority is issued a certificate by an external certificate authority. The Onboard certificate authority issues client and server certificates using this certificate. Use this option when you already have a public-key infrastructure (PKI), and would like to include the certificate issued for Onboard devices in that infrastructure. Click the Intermediate CA image in the Mode area, then click Continue to proceed to the second step. See "Setting Up an Intermediate Certificate Authority" on page 84.

Setting Up a Root Certificate Authority

If you already have a certificate and private key for the certificate authority, see "Installing a Certificate Authority’s Certificate" on page 88.

After you choose Root CA on the Certificate Authority Settings form and click Continue, the Root Certificate Settings form opens. The Root Certificate Settings form is used to configure the distinguished name and properties for the certificate authority’s root (self-signed) certificate.

NOTE: If you intend to change any of the root certificate's distinguished name properties, and you have previously created any client or server certificates or performed device provisioning using the existing root certificate, these certificates will be invalidated and deleted because the root certificate's distinguished name has changed. To avoid the complication of revoking and reissuing certificates, it is recommended that you configure the certificate authority before any device provisioning or other configuration is done.
In the Identity section of the form:
- Enter values in the Country, State, Locality, Organization, and Organizational Unit text fields that correspond to your organization. These values form part of the distinguished name for the root certificate.
- Enter a descriptive name for the root certificate in the Common Name text field. This value will be used to identify the root certificate as the issuer of other certificates, notably the signing certificate.
- Enter a descriptive name for the signing certificate in the Signing Common Name text field. This value will be used to identify the signing certificate as the issuer of client and server certificates from this certificate authority. The other identity information in the signing certificate will be the same as for the root certificate.
- Enter a contact email address in the Email Address text field. This email address will be included in the root and signing certificates, and provides a way for users of the certificate authority to contact your organization.

In the Private Key section:
- To create a new private key for the root certificate, mark the Generate a new private key check box. The form expands to include the Key Type drop-down list. Creating a new private key is only necessary if you are recreating the entire certificate authority from the beginning. NOTE: If you have previously created any client or server certificates or performed device provisioning using the existing root certificate, these certificates will be invalidated when changing the root certificate's private key.
- The Key Type drop-down list specifies the type of private key that should be created for the certificate. You can select one of these options:
  - 1024-bit RSA – not recommended for a root certificate
  - 2048-bit RSA – recommended for general use
  - 4096-bit RSA – higher security

In the Self-Signed Certificate section:
- Use the CA Expiration field to specify the lifetime of the root certificate in days. The default value of 3653 days is a 10-year lifetime.
- The Clock Skew Allowance field adds a small amount of time to the start and end of the root certificate’s validity period. This permits a newly issued certificate to be recognized as valid in a network where not all devices are perfectly synchronized.
- The Digest Algorithm drop-down list allows you to specify which hash algorithm should be used. NOTE: MD5 is not recommended for use with root certificates.

Mark the Generate CA certificate and invalidate all other certificates check box to confirm the changes. Click the Create Root Certificate button to save the settings and generate a new root certificate.

Setting Up an Intermediate Certificate Authority

After you choose Intermediate CA on the Certificate Authority Settings form and click Continue, the Intermediate Certificate Settings form opens. The Intermediate Certificate Settings form is used to configure the distinguished name and properties for the certificate authority’s certificate, which will be issued by an external certificate authority.

NOTE: If you intend to change any of the intermediate certificate's distinguished name properties, and you have previously created any client or server certificates or performed device provisioning using the existing intermediate certificate, these certificates will be invalidated because the intermediate certificate's distinguished name has changed. In this case, you should use the Reset to Factory Defaults form (see "Resetting Onboard Certificates and Configuration" on page 130) to delete all client certificates and reprovision all devices. You will also need to reissue any server or subordinate CA certificates. To avoid the complication of revoking and reissuing certificates, it is recommended that you configure the certificate authority before any device provisioning or other configuration is done.

In the Identity section of the form:
- Enter values in the Country, State, Locality, Organization, and Organizational Unit text fields that correspond to your organization. These values form part of the distinguished name for the certificate authority.
- Enter a descriptive name for the certificate authority in the Common Name text field. This value will be used to identify the intermediate certificate as the issuer of client and server certificates from this certificate authority.
- Enter a contact email address in the Email Address text field. This email address will be included in the certificate authority’s certificate, and provides a way for users of the certificate authority to contact your organization.

In the Private Key section:
- To create a new private key for the intermediate certificate, mark the Generate a new private key check box. The form expands to include the Key Type drop-down list. Creating a new key is only necessary if you are recreating the entire certificate authority from the beginning. NOTE: If you have previously created any client or server certificates or performed device provisioning using the existing intermediate CA certificate, these certificates will be invalidated when changing the intermediate CA's private key.
- The Key Type drop-down list specifies the type of private key that should be created for the certificate. You can select one of these options:
  - 1024-bit RSA – not recommended for a certificate authority
  - 2048-bit RSA – recommended for general use
  - 4096-bit RSA – higher security

In the Intermediate Certificate section:
- The Digest Algorithm drop-down list allows you to specify which hash algorithm should be used. NOTE: MD5 is not recommended for use with certificate authority certificates.

Mark the Generate CA certificate request and invalidate all other certificates check box to confirm the changes. Click the Create Certificate Request button to save the settings and generate a new certificate signing request.

Obtaining a Certificate for the Certificate Authority

The Intermediate Certificate Request page displays the certificate signing request for the certificate authority’s intermediate certificate. This page is also used to renew the certificate authority’s intermediate certificate when it is close to expiring.

You can copy the certificate signing request in text format using your Web browser. Use this option when you can paste the request directly into another application to obtain a certificate.

You can click the Download the current CSR link to download the certificate signing request as a file. Use this option when you need to provide the certificate signing request as a file to obtain a certificate.

Once you have obtained the certificate, click the Install a signed certificate link to continue configuring the intermediate certificate authority. See "Installing a Certificate Authority’s Certificate" on page 88.

You can also click the Change CA settings link to return to the main Certificate Authority Settings form. Use this option to switch to a root CA, or to change the name or properties of the intermediate CA and reissue the certificate signing request.

Using Microsoft Active Directory Certificate Services

Navigate to the Microsoft Active Directory Certificate Services Web page. This page is typically found at https://yourdomain/certsrv/. The Welcome page opens. Click the Request a Certificate link on this page. The Request a Certificate page opens. Click the link to submit an advanced certificate request. The Advanced Certificate Request page opens.
Click the link to submit a request using a base-64-encoded CMC or PKCS #10 file. The Submit a Certificate Request or Renewal Request page is displayed. Copy and paste the certificate signing request text into the Saved Request text field. Because this certificate is for a certificate authority, select “Subordinate Certificate Authority” in the Certificate Template drop-down list. Click the Submit button to issue the certificate. Either the Certificate Pending or the Certificate Issued page is displayed.

Figure 20: The Certificate Pending Page

If the Certificate Pending page is displayed, follow the directions on the page to retrieve the certificate when it is issued.

Figure 21: The Certificate Issued Page

If the Certificate Issued page is displayed, select the Base 64 encoded option and then click the Download certificate chain link. A file containing the intermediate certificate and the issuing certificates in the trust chain will be downloaded to your system. Refer to the instructions in "Installing a Certificate Authority’s Certificate" on page 88 for information on uploading the certificate file to Onboard.

Installing a Certificate Authority’s Certificate

You can import a private key and certificate pair to use for the root certificate or intermediate certificate. The CA Certificate Import page may be used to:
- Upload a certificate that has been issued by another certificate authority. This process is required when configuring an intermediate certificate authority.
  - A private key is not required, as the certificate authority has already generated one and used it to create the certificate signing request.
- Upload a certificate and private key to be used as the certificate authority’s certificate. This process may be used to configure a root certificate authority.
  - A private key is required, as the certificate authority’s existing private key will be replaced.

NOTE: This form may be used multiple times in order to import each of the certificates in the trust chain. Check the message displayed above the form to determine which certificate or type of file must be uploaded next.

To upload a certificate:
1. Go to Onboard > Certificate Authority Settings, and choose either Root CA or Intermediate CA, as appropriate. For more information, see "Setting Up the Certificate Authority" on page 81.
2. On either the Root Certificate Settings or Intermediate Certificate Settings page, click the Import Certificate link above the form. The Step 1 area of the CA Certificate Import form opens.
3. Select one of the radio buttons to either copy and paste the certificate as encoded text or browse to the file to upload. The form expands to include options for that method.
4. If you selected Copy and paste certificate as text:
   - To upload a single certificate, copy and paste the certificate into the Certificate text field. The text must include the “BEGIN CERTIFICATE” and “END CERTIFICATE” lines. Leave the passphrase fields blank.
   - To upload a certificate and private key, copy and paste the certificate and private key into the Certificate text field. The text must include the “BEGIN CERTIFICATE” and “END CERTIFICATE” lines, as well as the “BEGIN RSA PRIVATE KEY” and “END RSA PRIVATE KEY” lines.
5. If you selected Upload certificate file, click Choose File in the Certificate row to browse to the file and select it.
   - To upload a single certificate, choose a certificate file in PEM (base-64 encoded) or binary format (.crt or PKCS#7). Leave the passphrase fields blank.
   - To upload a certificate’s private key as a separate file, choose the private key file in PEM (base-64 encoded) format. If the private key has a passphrase, enter it in the Private Key Passphrase and Confirm Passphrase fields. The private key will be automatically matched to its corresponding certificate when uploaded.
   - To upload a combined certificate and private key, choose a file in either PEM (base-64 encoded) or PKCS#12 format. If the private key has a passphrase, enter it in the Private Key Passphrase and Confirm Passphrase fields.
6. Click the Upload Certificate button to save your changes. If additional certificates are required, you will remain at the same page. Check the message displayed above the form to determine which certificate or type of file must be uploaded next. When the trust chain is complete, it will be displayed. This completes the initialization of the certificate authority.

Renewing the Certificate Authority’s Certificate

When a root certificate is close to expiration, it must be renewed. Navigate to Onboard > Certificate Authority Settings and click the Renew Root Certificate link. The Root Certificate Renewal form is displayed. Select an option in the Renewal Type drop-down list:
- Basic Renewal – Uses the same private key for the root certificate, but reissues the root CA certificate with an updated validity period. Use this option to maintain the validity of all certificates issued by the CA.
- Replacement Renewal – Generates a new private key for the root certificate, and reissues the root CA certificate with an updated validity period. Use this option if the root certificate has been compromised, or if you want to invalidate all certificates that were previously issued by the CA.

Whether you renew or replace the root certificate, you should distribute a new copy of the root certificate to all users of that certificate.
Click the Renew Root Certificate button to perform the renewal action.

Configuring Data Retention Policy for Certificates

The data retention policy for certificates and certificate requests can be configured by navigating to Onboard > Certificate Authority Settings and clicking the Configure data retention link. The Manage Data Retention form is displayed.

In the Onboard Device Certificates section of the form, specify a value in the Minimum Period and Maximum Period fields that is appropriate for your organization’s retention policy.

NOTE: Use a blank value for Minimum Period to enable the Delete Certificate and Delete Request actions in the Certificate Management list view. This is useful for testing and initial deployment.

The default data retention policy specifies the values:
- Minimum Period of 12 weeks
- Maximum Period of 52 weeks

Uploading Certificates for the Certificate Authority

The Certificate Authority Trust Chain page is used to view the certificate authority’s current trust chain, or to upload a new certificate in the trust chain when configuring a certificate authority.

To view the Certificate Authority’s trust chain, go to Onboard > Certificate Authority Settings and click the View CA Certificate link at the top of the page. The Certificate Authority Trust Chain page is displayed. This page shows a graphical representation of the certificates that make up the trust chain. The first certificate listed is the root certificate. Root certificates are always self-signed and are explicitly trusted by clients. Each additional certificate shown is an intermediate certificate. The last certificate in the list is the signing certificate that is used to issue client and server certificates.

To view the properties of a certificate in the trust chain, click the Show certificate link. The Certificate Information view opens.

To export a certificate:
1. Click the Download Bundle link. The Export Certificate form opens.
2. In the Format row, choose the certificate format. The form expands to include configuration options for that format.
3. Complete the fields with the appropriate information, then click Export Certificate.

Creating a Certificate

From the Certificate Management page, click the Generate a new certificate signing request link to access the Certificate Request form.

To create a new certificate or certificate signing request, first select the type of certificate you want to create from the Certificate Type drop-down list:
- TLS Client Certificate—Use this option when the certificate is to be issued to a client, such as a user or a user’s device.
  - When this option is selected, the issued certificate’s extended key usage property will contain a value of “Client Auth”, indicating that the certificate may be used to identify a client.
- Trusted Certificate—Use this option when the certificate is to be issued to a network server, such as a Web server or the EAP-TLS authentication server.
  - When this option is selected, the issued certificate’s extended key usage property will contain a value of “Server Auth”, indicating that the certificate may be used to identify a server.
- Certificate Authority—Use this option when the certificate is for a subordinate certificate authority.
  - When this option is selected, the issued certificate will contain an extension identifying it as an intermediate certificate authority, and the extended key usage property will contain the three values “Client Auth”, “Server Auth” and “OCSP Signing”.
- Code Signing—Use this option for signing the Windows provisioning application.
Specifying the Identity of the Certificate Subject

In the first part of the form, provide the identity of the person or device for which the certificate is to be issued (the “subject” of the certificate). Together, these fields are collectively known as a distinguished name, or “DN”.
- Country
- State
- Locality
- Organization
- Organizational Unit
- Common Name – this is the primary name used to identify the certificate
- Email Address

The Key Type drop-down list specifies the type of private key that should be created for the certificate. You can select one of these options:
- 1024-bit RSA – lower security
- 2048-bit RSA – recommended for general use
- 4096-bit RSA – higher security

NOTE: Using a private key containing more bits will increase security, but will also increase the processing time required to create the certificate and authenticate the device. The additional processing required will also affect the battery life of a mobile device. It is recommended to use the smallest private key size that is feasible for your organization.

If you have selected TLS Client as the certificate type, the Subject Alternative Name section is also shown. The alternative name can be used to specify additional identification details for the certificate’s subject. If one or more of these options are provided, the issued certificate will contain a subjectAltName extension with the specified values. Table 16 explains the fields that may be included as part of the subject alternative name.

Table 16: Subject Alternative Name Fields Supported When Creating a TLS Client Certificate Signing Request

Device Type: Type of device, such as “iOS”, “Android”, etc.
Device UDID: Unique device identifier (UDID) for this device. This is typically a 64-bit, 128-bit or 160-bit number represented in hexadecimal (16, 32 or 40 characters, respectively).
Device IMEI: International Mobile Equipment Identity (IMEI) number allocated to this device.
Device ICCID: Integrated Circuit Card Identifier (ICCID) number from the Subscriber Identity Module (SIM) card present in the device.
Device Serial: Serial number of the device.
MAC Address: IEEE MAC address of this device.
Product Name: Product string identifying the device and often including the hardware version information.
Product Version: Software version number for the device.
User Name: Username of the user who provisioned the device.

Issuing the Certificate Request

Mark the Issue this certificate immediately check box to automatically create the certificate. Click the Create Certificate Request button to save your changes.
- If the “Issue this certificate immediately” check box is marked, the certificate will be issued immediately and will be displayed in the Certificate Management list view.
- If the “Issue this certificate immediately” check box is not marked, the certificate request will be displayed in the Certificate Management list view. The certificate can then be issued or rejected at a later time.

Managing Certificates

To view the list of certificates and work with them, go to Onboard > Certificate Management, or click the Certificate Management command link. The Certificate Management list view opens. This list displays all of the certificates and certificate requests in the Onboard system. Information provided in the Certificate Management list includes common name, serial number (if available), certificate type, validity date range, and device type—iOS, Android, Windows, or None (if not associated with a device type). Table 17 lists the types of certificate that are displayed in this list.

Table 17: Types of Certificate Supported by Onboard Certificate Management

Certificate Type (value shown in the “Type” column): Notes
Root certificate (ca): Self-signed certificate for the certificate authority
Intermediate certificate (ca): Issued by the root CA or another intermediate CA
Profile signing certificate (profile-signing): Issued by the certificate authority
Certificate signing request (tls-client or trusted): The type shown depends on the kind of certificate requested
Rejected certificate signing request (tls-client or trusted): Certificate request that was rejected due to an administrator decision
Device certificate (scep-client): Issued to iOS and OS X (10.7+) devices only
Client certificate (tls-client): Identity certificate issued to a specific user’s device
Server certificate (trusted): Identity certificate issued to a server
Code-signing certificate (ca): Used for signing the Windows provisioning application
Revoked certificate (--): Certificate that has been administratively revoked and is no longer valid
Expired certificate (--): Certificate that is outside its validity period and is no longer valid

Searching for Certificates in the List

The Filter field can be used to quickly search for a matching certificate. Type a username into this field to locate all certificates matching that username quickly. The filter is applied to all columns displayed in the list view. To search by another field, such as MAC address, device type, or device serial number, click the Columns tab, select the appropriate column(s), and then click the Save and Reload button. The list view will refresh to update the results of the filter. Click the Clear Filter link to restore the default view.

Use the paging control at the bottom of the list to jump forwards or backwards by one page, or to the first or last page of the list. You can also click an individual page number to jump directly to that page.
NOTE: When the list contains many thousands of certificates, consider using the Filter field to speed up finding a specific certificate.

Click the column headers to sort the list view by that column. Click the column header a second time to reverse the direction of the sort.

Working with Certificates in the List

Click on a certificate to select it. You can then select from one of these actions:

- View certificate – Displays the properties of the certificate. Click the Cancel button to close the certificate properties.
- Export certificate – Displays the Export Certificate form. Use the Format drop-down list to select the format in which the certificate should be exported. The following formats are supported:
  - PKCS#7 Certificates (.p7b) – Exports the certificate, and optionally the other certificates forming the trust chain for the certificate, as a PKCS#7 container.
  - Base-64 Encoded (.pem) – Exports the certificate as a base-64 encoded text file. This is also known as “PEM format”. You may optionally include the other certificates forming the trust chain for the certificate.
  - Binary Certificate (.crt) – Exports the certificate as a binary file. This is also known as “DER format”.
  - OpenSSL Text Format – Exports the certificate as the full openssl text-format output, allowing you to view advanced details such as X509v3 extensions. The certificate in .pem format is also appended to the .txt file.
  - PKCS#12 Certificate & Key (.p12) – Exports the certificate and its associated private key, and optionally any other certificates required to establish the trust chain for the certificate, as a PKCS#12 container. This option is only available if the private key for the certificate is available to the server. If you select the PKCS#12 format, you must enter a passphrase to protect the private key stored in the file.
NOTE: To protect against brute-force password attacks and ensure the security of the private key, you should use a strong passphrase – one consisting of several words, mixed upper- and lower-case letters, and punctuation or other symbol characters.

  Click the Export Certificate button to download the certificate file in the selected format.

- Revoke certificate – Displays the Revoke Certificate form. Mark the Revoke this client certificate check box to confirm that the certificate should be revoked, and then click the Revoke Certificate button. Once the certificate has been revoked, future checks of the certificate’s validity using OCSP or CRL will indicate that the certificate is no longer valid.

NOTE: Due to the way in which certificate revocation lists work, a certificate cannot be un-revoked. A new certificate must be issued if a certificate is revoked in error.

NOTE: Revoking a device’s certificate will also prevent the device from being re-provisioned. This is necessary to prevent the user from simply re-provisioning and obtaining a new certificate. To re-provision the device, the revoked certificate must be deleted.

- Delete certificate – Removes the certificate from the list. Trusted certificates that were imported into Onboard may be deleted at any time after import. For all other certificates, this option is only available if the data retention policy is configured to permit the certificate’s deletion. See "Configuring Data Retention Policy for Certificates" on page 90. The Delete Certificate form is displayed. Mark the Delete this client certificate check box to confirm the certificate’s deletion, and then click the Delete Certificate button.
Working with Certificate Signing Requests

Certificate signing requests can be managed through the Certificate Management list view. This allows server certificates, subordinate certificate authorities, and other client certificates not associated with a device to be issued by the Onboard certificate authority.

Click on a certificate request to select it. You can then select from one of these actions:

- View request – Displays the properties of the certificate request. Click the Cancel button to close the certificate request properties.
- Export request – Displays the Export Certificate Request form. Use the Format drop-down list to select the format in which the certificate signing request should be exported. The following formats are supported:
  - PKCS#10 Certificate Request (.p10) – Exports the certificate signing request in binary format.
  - Base-64 Encoded (.pem) – Exports the certificate signing request as a base-64 encoded text file. This is also known as “PEM format”. If you choose Base-64 Encoded, the form expands to include the Trust Chain row. You can use this option to create and export a certificate bundle that includes the Intermediate CA and Root CA and can be imported in ClearPass Policy Manager as the server certificate (ClearPass Policy Manager does not accept PKCS#7). To include the trust chain in a certificate bundle that can be imported as the server certificate in ClearPass Policy Manager, mark the Include certificate trust chain check box, then click the Export Certificate button.
  Click the Export Request button to download the certificate signing request file in the selected format.
- Sign request – Displays the Sign Request form. Use this action to approve the request for a certificate and issue the certificate. Use the Expiration text field to specify how long the issued certificate should remain valid.
  Mark the Sign this request check box to confirm that the certificate should be issued, and then click the Sign Request button. The certificate will be issued and will then replace the certificate signing request in the list view.
- Reject request – Displays the Reject Request form. Use this action to reject the request for a certificate. Rejected requests are automatically deleted according to the data retention policy. Mark the Reject this request check box to confirm that the certificate signing request should be rejected, and then click the Reject Request button.
- Delete request – Removes the certificate signing request from the list. This option is only available if the data retention policy is configured to permit the certificate signing request’s deletion. See "Configuring Data Retention Policy for Certificates" on page 90. The Delete Request form is displayed. Mark the Delete this request check box to confirm the certificate signing request’s deletion, and then click the Delete Request button.

Importing a Code-Signing Certificate

Onboard supports importing a code-signing certificate chain and private key for signing the Windows provisioning application. Certificates can be uploaded as PFX, PKCS-12, SPC, or PKCS-7, and can include a chain of certificates.

An operator’s profile must include the Import Code-Signing Certificate privilege in order to access this feature.

To import a code-signing certificate:

1. Go to Onboard > Certificate Management or Onboard > Provisioning Settings and click the Upload a code-signing certificate link at the top of the page. The Code-Signing Certificate Import form opens.
2. In the Certificate Type drop-down list, choose the file type: SPC, PFX, PKCS-7, or PKCS-12.
   The form expands to include the Certificate area, with fields for uploading the certificate, uploading the private key, and entering the passphrase.
   - For PFX and PKCS-12 files, the private key must be included in the certificate file, so the Private Key upload option is not available in the form. The private key passphrase is required.
   - For SPC and PKCS-7 files, a PEM-encoded private key must be uploaded separately using the Private Key upload option on the form. If it is encrypted, the passphrase must also be provided.
3. Click Upload Certificate. The certificate chain is displayed.

To use the certificate for code-signing:

1. Go to Onboard > Provisioning Settings and scroll to the Windows Provisioning section of the form.
2. In the Code-Signing Certificate drop-down list, select the uploaded certificate.

To create a test certificate:

1. Go to Onboard > Certificate Management and click the Generate a new certificate signing request link. The Certificate Request Settings form opens.
2. In the Certificate Type drop-down list, choose Code-Signing.
3. Complete the rest of the form with your information. Mark the Issue this certificate immediately check box, then click Create Certificate Request. The test certificate is displayed in the list on the Certificate Management page, and can be selected on the Provisioning Settings form.

Importing a Trusted Certificate

Onboard’s Certificate Management page supports importing trusted certificates. Certificates may be uploaded in PEM format (*.pem).

To import a trusted certificate:

1. Go to Onboard > Certificate Management and click the Upload a trusted certificate link in the upper-right corner. The Import Trusted Certificate form opens.
2. Click Choose File to browse to the certificate on your system, then click Upload Certificate.
   A confirmation message is displayed, and the imported certificate is included in the Certificate Management list. You can click the Show Certificate link next to the certificate’s name to view the certificate’s details.
3. You can use the following additional options in the upper-right corner of the Import Trusted Certificate page:
   - Click the Upload another trusted certificate link to upload additional certificates.
   - Click the Edit trust settings link to open the Trust tab of the Network Settings form.

Requesting a Certificate

From the Certificate Management page, click the Upload a certificate signing request link to access the Certificate Signing Request form.

Providing a Certificate Signing Request in Text Format

If you have a certificate signing request in text format, click the Copy and paste certificate signing request as text radio button. Paste the text into the Certificate Signing Request text field. Be sure to include the complete block of text, including the beginning and ending lines.
A complete certificate signing request looks like the following:

-----BEGIN CERTIFICATE REQUEST-----
MIIB7DCCAVUCAQAwgasxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRIwEAYDVQQHEwlTdW5ueXZhbGUxFzAVBgNVBAoTDkFDTUUgU3Byb2NrZXRzMRkw
FwYDVQQLExBWaXNpdG9yIFNlcnZpY2VzMR4wHAYDVQQDExVBdXRoZW50aWNhdGlv
biBTZXJ2ZXIxHzAdBgkqhkiG9w0BCQEWEGluZm9AZXhhbXBsZS5jb20wgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBALR4wRSH26wlcf3OEPEIh34iXRQIUrnYnDfo
+ZezeB/i4NZUhRvLMvhPW7DcLpiZJ17ILj3aPPUXWDBYYiiuOkmuFX3dG7eKCLMH
Z4E9z1ozK5Znm8cWIj56kg69le7QrAZBYrd5QaBTMxEe0F9CGFsYbFx1viMUMxN6
EJILaCTBAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQB8/So9KU5BS3oxjyxftIwF
dWvNP2CNruKyQaba5RQ1ixdHAsPE+3uYIHNvlqqIpSzBlfYkr21S4DdR3SSC3bXy
t4l/fyMuC1cEG/RpPSxdDALpeT8MuoGV1JonKo2BDitOEd4y5SXGmHmDBHrPW2Nd
gthkrtBb/a2WAkNcRfDuiQ==
-----END CERTIFICATE REQUEST-----

Providing a Certificate Signing Request File

Alternatively, if you have the certificate signing request as a file, click the Upload certificate signing request file radio button. Use the Certificate Signing Request field to select the appropriate file for upload.

NOTE: The file should be a base-64 encoded (PEM format) PKCS#10 certificate signing request.

Specifying Certificate Properties

Select the type of certificate from the Certificate Type drop-down list. Choose from one of the following options:

- TLS Client Certificate – Use this option when the certificate is to be issued to a client, such as a user or a user’s device.
  - When this option is selected, the issued certificate’s extended key usage property will contain a value of “Client Auth”, indicating that the certificate may be used to identify a client.
- TLS Server Certificate – Use this option when the certificate is to be issued to a network server, such as a Web server or as the EAP-TLS authentication server.
  - When this option is selected, the issued certificate’s extended key usage property will contain a value of “Server Auth”, indicating that the certificate may be used to identify a server.
- Certificate Authority – Use this option when the certificate is for a subordinate certificate authority.
  - When this option is selected, the issued certificate will contain an extension identifying it as an intermediate certificate authority, and the extended key usage property will contain the three values “Client Auth”, “Server Auth” and “OCSP Signing”.

Mark the Issue this certificate immediately check box to automatically issue the certificate. Click the Submit Certificate Signing Request button to save your changes.

- If the “Issue this certificate immediately” check box is marked, the certificate will be issued immediately and will be displayed in the Certificate Management list view.
- If the “Issue this certificate immediately” check box is not marked, the certificate request will be displayed in the Certificate Management list view. The certificate can then be issued or rejected at a later time.

Configuring Provisioning Settings

To configure basic device provisioning settings, go to Onboard > Provisioning Settings, or click the Provisioning Settings command link. The Device Provisioning Settings page opens. This page is used to configure the settings for ClearPass Onboard device provisioning, including:

- The organization name displayed during device provisioning
- Properties for the certificates issued to devices when they are provisioned
- Which operating systems should be supported
- Authorization properties – the number of devices that a user may provision

The Device Provisioning form is organized in tabbed pages, with separate tabs for general, iOS & OS X, Legacy OS X, Windows, Android, and Onboard Client information.
Configuring Basic Provisioning Settings

To configure basic provisioning settings:

1. Go to Onboard > Provisioning Settings and click the General tab. The first part of the Device Provisioning Settings form’s General tab is used to specify basic information about Onboard provisioning.
2. The Name and Description fields are used internally to identify this set of Onboard settings for the network administrator. These values are never displayed to the user during device provisioning.
3. Use the Organization field to provide the name of your organization; this will be displayed to the user during the device provisioning process.

Configuring Certificate Properties for Device Provisioning

To specify the properties for certificates issued to devices:

1. Go to Onboard > Provisioning Settings, click the General tab, and scroll to the Certificate Authority row.
2. The Certificate Authority drop-down list can be used to select a different certificate authority. By default, there is only a single certificate authority.
3. Use the Validity Period text field to specify the maximum length of time for which a client certificate issued during device provisioning will remain valid.
4. The Clock Skew Allowance text field adds a small amount of time to the start and end of the client certificate’s validity period. This permits a newly issued certificate to be recognized as valid in a network where not all devices are perfectly synchronized. For example, if the current time is 12:00, and the clock skew allowance is set to the default value of 15 minutes, then the client certificate will be issued with a “not valid before” time of 11:45. In this case, if the authentication server that receives the client certificate has a time of 11:58, it will still recognize the certificate as valid.
   If the clock skew allowance was set to 0 minutes, then the authentication server would not recognize the certificate as valid until its clock has reached 12:00. The default of 15 minutes is reasonable. If you expect that all devices on the network will be synchronized then the value may be reduced. A setting of 0 minutes is not recommended, as this does not permit any variance in clocks between devices.

   When issuing a certificate, the certificate’s validity period is determined as follows:
   - The “not valid before” time is set to the current time, less the clock skew allowance.
   - The “not valid after” time is first calculated as the earliest of the following:
     - The current time, plus the maximum validity period.
     - The expiration time of the user account for whom the device certificate is being issued.
   - The “not valid after” time is then increased by the clock skew allowance.
5. The Key Type drop-down list specifies the type of private key that should be created when issuing a new certificate. You can select one of these options:
   - 1024-bit RSA – created by device: Lower security. Uses SCEP to provision the EAP-TLS certificate.
   - 2048-bit RSA – created by device: Recommended for general use. Uses SCEP to provision the EAP-TLS certificate.
   - 1024-bit RSA – created by server: Lower security.
   - 2048-bit RSA – created by server: Recommended for general use.
   - 4096-bit RSA – created by server: Higher security.

NOTE: Using a private key containing more bits will increase security, but will also increase the processing time required to create the certificate and authenticate the device. The additional processing required will also affect the battery life of a mobile device. It is recommended to use the smallest private key size that is feasible for your organization.
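The validity-period rule from step 4 above, carried through as an added Python example (this is not ClearPass code). The 12:00 issue time, the 11:58 server clock and the 15-minute allowance are the values from the text; the 30-day maximum validity and the account expiry used in the test are constructed.

```python
from datetime import datetime, timedelta

# Added example, not ClearPass code: the validity-period rule from step 4.
# Naive datetimes keep the arithmetic readable; a real CA would work in UTC.


def certificate_validity(now, max_validity, clock_skew, account_expiry=None):
    """Return (not_before, not_after) for a device certificate.

    not_before = now - clock_skew
    not_after  = min(now + max_validity, account_expiry) + clock_skew
    A user account without an expiry leaves only the maximum validity cap.
    """
    not_before = now - clock_skew
    not_after = now + max_validity
    if account_expiry is not None and account_expiry < not_after:
        not_after = account_expiry
    return not_before, not_after + clock_skew


def server_accepts(server_time, not_before, not_after):
    """True when an authentication server whose clock reads server_time
    sees the certificate inside its validity window."""
    return not_before <= server_time <= not_after


if __name__ == "__main__":
    issue_time = datetime(2013, 1, 1, 12, 0)      # "current time is 12:00"
    server_clock = datetime(2013, 1, 1, 11, 58)   # server two minutes behind
    max_validity = timedelta(days=30)             # constructed value
    for skew_minutes in (15, 0):
        nb, na = certificate_validity(issue_time, max_validity,
                                      timedelta(minutes=skew_minutes))
        print("skew %2d min: not before %s, not after %s, server accepts: %s"
              % (skew_minutes, nb, na, server_accepts(server_clock, nb, na)))
```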
   The “created by device” options use SCEP to provision the EAP-TLS device certificate, so the private key is known only to the device rather than also known by the user. When a “created by device” option is selected, the generated key is used instead of the username/password authentication defined in Network Settings.
6. Mark the Include device information in TLS client certificates check box to include additional fields in the TLS client certificate issued for a device. These fields are stored in the subject alternative name (subjectAltName) of the certificate. Refer to Table 18 for a list of the fields that are stored in the certificate when this option is enabled. Storing additional device information in the client certificate allows additional authorization checks to be performed during device authentication.

NOTE: If you are using a W-Series Controller to perform EAP-TLS authentication using these client certificates, you must have Aruba OS 6.1 or later to enable this option.

Table 18: Device Information Stored in TLS Client Certificates

Name | Description | OID
Device ICCID | Integrated Circuit Card Identifier (ICCID) number from the Subscriber Identity Module (SIM) card present in the device. This is only available for devices with GSM (cellular network) capability, where a SIM card has been installed. | mdpsDeviceIccid (.4)
Device IMEI | International Mobile Equipment Identity (IMEI) number allocated to this device. This is only available for devices with GSM (cellular network) capability. | mdpsDeviceImei (.3)
Device Serial | Serial number of the device. | mdpsDeviceSerial (.9)
Device Type | Type of device, such as “iOS”, “Android”, etc. | mdpsDeviceType (.1)
Device UDID | Unique device identifier (UDID) for this device. This is typically a 64-bit, 128-bit or 160-bit number represented in hexadecimal (16, 32, or 40 characters, respectively). | mdpsDeviceUdid (.2)
MAC Address | IEEE MAC address of this device. This element may be present multiple times if a device has more than one MAC address (for example, an Ethernet port and a Wi-Fi adapter). | mdpsMacAddress (.5)
Product Name | Product string identifying the device, often including the hardware version information. | mdpsProductName (.6)
Product Version | String containing the software version number for the device. | mdpsProductVersion (.7)
User Name | String containing the username of the user who provisioned the device. | mdpsUserName (.8)

Note: OID = Object Identifier. These OIDs are relative to the ClearPass Guest base OID, which is 1.3.6.1.4.1.14823.1.5.1.

Configuring Revocation Checks and Authorization

To specify automatic certificate revocation checks and to configure device authorization:

1. Go to Onboard > Provisioning Settings, click the General tab, and scroll to the Authority Info Access row.
2. Specify one of the following options in the Authority Info Access drop-down list to control automatic certificate revocation checks:
   - Do not include OCSP responder URL – The Authority Info Access extension is not included in the client certificate. Certificate revocation checking must be configured manually on the authentication server. This is the default option.
   - Include OCSP responder URL – The Authority Info Access extension is added to the client certificates, with the OCSP responder URL set to a predetermined value. This value is displayed as the “OCSP URL”.
   - Specify an OCSP responder URL – The Authority Info Access extension is added to the client certificates, with the OCSP responder URL set to a value defined by the administrator. This value may be specified in the “OCSP URL” field.
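To show how the Table 18 fields travel inside a client certificate and how an authentication server could use them for the additional authorization checks mentioned in step 6, here is an added Python example (standard library only; it is not ClearPass code). It encodes and decodes the subjectAltName otherName entries directly in DER; the mdps* field names and the base OID are taken from the table, while the device values, the user name and the MACs are constructed, and UTF8String as the value type is an assumption the guide does not state.

```python
# Added example, not ClearPass code: build and decode a DER subjectAltName
# carrying Table 18 otherName entries, then apply an authorization check.
CLEARPASS_BASE_OID = "1.3.6.1.4.1.14823.1.5.1"   # base OID from Table 18

# Relative OID suffix -> field name, as listed in Table 18.
DEVICE_INFO_FIELDS = {".1": "mdpsDeviceType", ".2": "mdpsDeviceUdid",
                      ".3": "mdpsDeviceImei", ".4": "mdpsDeviceIccid",
                      ".5": "mdpsMacAddress", ".6": "mdpsProductName",
                      ".7": "mdpsProductVersion", ".8": "mdpsUserName",
                      ".9": "mdpsDeviceSerial"}

def _encode_len(n):
    """DER length: one byte below 128, otherwise 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _encode_len(len(body)) + body

def encode_oid(dotted):
    """DER OID: first two arcs share a byte, the rest are base-128 chunks."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]   # enough for the 1.3.6.1... tree
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def build_san(entries):
    """entries: [(dotted_oid, text)] -> DER GeneralNames made of otherNames:
    [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }."""
    names = b""
    for oid, text in entries:
        inner = _tlv(0x06, encode_oid(oid)) + _tlv(0xA0, _tlv(0x0C, text.encode()))
        names += _tlv(0xA0, inner)
    return _tlv(0x30, names)

def _read_tlv(buf, pos):
    """Return (tag, contents, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_device_info(san_der):
    """Return {field_name: [values]} for every ClearPass otherName in the SAN.
    Other GeneralName kinds (dNSName, iPAddress, ...) are skipped."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    found, pos = {}, 0
    while pos < len(names):
        gtag, body, pos = _read_tlv(names, pos)
        if gtag != 0xA0:
            continue
        _, oid_raw, after_oid = _read_tlv(body, 0)
        _, explicit, _ = _read_tlv(body, after_oid)
        _, value_raw, _ = _read_tlv(explicit, 0)
        oid = decode_oid(oid_raw)
        if oid.startswith(CLEARPASS_BASE_OID + "."):
            name = DEVICE_INFO_FIELDS.get(oid[len(CLEARPASS_BASE_OID):], oid)
            found.setdefault(name, []).append(value_raw.decode())
    return found

def _norm_mac(mac):
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def authorize(info, expected_user, calling_station_mac):
    """The user who provisioned the device must match the authenticating
    identity, and the session's MAC must be one recorded in the certificate."""
    if info.get("mdpsUserName") != [expected_user]:
        return False
    macs = {_norm_mac(m) for m in info.get("mdpsMacAddress", [])}
    return _norm_mac(calling_station_mac) in macs

# Constructed sample: an iOS device with two adapters, provisioned by "alice".
SAMPLE_SAN = build_san([(CLEARPASS_BASE_OID + ".1", "iOS"),
                        (CLEARPASS_BASE_OID + ".5", "00:11:22:33:44:55"),
                        (CLEARPASS_BASE_OID + ".5", "00:11:22:33:44:66"),
                        (CLEARPASS_BASE_OID + ".8", "alice")])
```

Calling parse_device_info(SAMPLE_SAN) yields the three fields with both MACs, and authorize() then accepts "alice" from either adapter while rejecting another user or an unlisted MAC.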
3. In the Unsupported Device text box, enter instructions to be displayed to the user if they attempt to provision an unsupported device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the following default text will be displayed: “Your operating system is not supported. Please contact your network administrator.”
4. In the Authorization area of the form, enter a number in the Maximum Devices field to limit the maximum number of devices that each user may provision. Devices are recognized as unique when they have a different MAC address, or a different device identifier (when the MAC address is not available).
5. When your entries are complete in this tab, click Save Changes. You can click Next to continue to the next tab.

Configuring Provisioning Settings for iOS and OS X

To specify provisioning settings related to iOS and OS X devices:

1. Go to Onboard > Provisioning Settings and click the iOS & OS X tab.
2. In the iOS & OS X Devices row, mark the Enable iOS and OS X 10.7+ (Lion or later) device provisioning check box to enable provisioning for these devices.
3. Use the Display Name and Profile Description text fields to control the user interface displayed during device provisioning.
4. In the Profile Security row, select one of the following options from the drop-down list to control how a device provisioning profile may be removed:
   - Always allow removal – The user may remove the device provisioning profile at any time, which will also remove the associated device configuration and unique device credentials.
   - Remove only with authorization – The user may remove the device provisioning profile if they also provide a password. The administrator must specify the password in the “Removal Password” and “Confirm Removal Password” fields.
   - Never allow removal – The user cannot remove the device provisioning profile. This option should be used with caution, as the only way to remove the profile is to reset the device to factory defaults, destroying all data on the device.
5. Use the Profile Signing text field to specify the display name of the certificate used to sign the configuration profile. This certificate will be automatically created by the certificate authority, and appears as the “Signed” field on the device when the user authorizes the device provisioning.
6. In the Edit ID row, mark the Change the profile ID check box to change the unique value associated with the configuration profile. This value is used to identify the configuration settings as being from a particular source, and should be globally unique. When an iOS device receives a new configuration profile that has the same profile ID as an existing profile, the existing profile will be replaced with the new profile.

NOTE: Changing the profile ID will affect any device that has already been provisioned with the existing profile ID. The default value is automatically generated and is globally unique. You should only change this value during initial configuration of device provisioning.

Configuring Instructions for iOS and OS X

To edit the instruction text shown during provisioning for iOS and OS X devices:

1. Go to Onboard > Provisioning Settings, click the iOS & OS X tab, and scroll to the Instructions area of the form.
2. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
3. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device.
   The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
4. In the iOS-4 Same SSID text box, enter the instructions that are shown to the user of an iOS 4 device if they attempt to provision their device while connected to an SSID that will be provisioned. “Same SSID” provisioning is not supported. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.

Configuring Reconnect Behavior for iOS and OS X

Reconnect is only supported by iOS 5+ and OS X 10.7+ (Lion or later) devices.

To configure the reconnect behavior for iOS and OS X devices:

1. Go to Onboard > Provisioning Settings, click the iOS & OS X tab, and scroll to the Reconnect area of the form.
2. In the Allow Automatic Reconnect row, mark the check box if you want to allow the device to be automatically reconnected to the provisioned network. Automatic reconnect only applies when there is a single network configured to “Automatically join network.”
3. In the Allow Manual Reconnect row, mark the check box if you want to allow the device to be manually reconnected to the provisioned network. Manual reconnect only applies when automatic reconnect is not allowed or not applicable.
4. In the Manual Reconnect Interface row, enter the text that will be shown to the user if manual reconnect is allowed and applicable. Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed.
5. In the Connect Success row, enter the text that will be shown to the user after a successful reconnect. Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed.
6. In the Connect Failure row, enter the text that will be shown to the user after a failed reconnect or if the device does not support reconnection (for example, for iOS 4 and earlier devices). Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed.
7. In the After Connect row, enter the text that will be shown after a reconnect attempt, regardless of success or failure. Enter the text as HTML code. You can use Smarty template functions. If this field is left empty, the default text will be displayed.

To configure delay and timeout settings:

1. Mark the check box in the Advanced Settings row. The form expands to include these options.
2. In the Disconnect Delay row, enter the duration in seconds for the Web server to wait after receiving a disconnect request before it sends the request to the controller. This delay gives the client time to receive a valid HTTP response before being disconnected from the network.
3. In the Reconnect Delay row, enter the duration in seconds for the client to wait after sending a disconnect request to the Web server before it sends a reconnect request. This duration must give the Web server and the controller adequate time to negotiate a disconnect for the device first.
4. In the Reconnect Timeout row, enter the duration in seconds for the client to wait for a valid response after sending a reconnect request to the Web server. This duration must allow enough time for the client to be reconnected to the network (using the newly-installed settings) and for the Web server to then acknowledge the HTTP request.
5. When your entries are complete in this tab, click Save Changes. You can click Next to continue to the next tab, or Previous to return to the previous tab.

Configuring Provisioning Settings for Legacy OS X Devices

To specify provisioning settings related to legacy OS X 10.5 and 10.6 (Leopard and Snow Leopard) devices:

1. Go to Onboard > Provisioning Settings and click the Legacy OS X tab.
2. To enable provisioning OS X 10.5 and 10.6 devices, mark the check box in the OS X 10.5/6 Devices row.
3. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
4. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
5. You may use the Insert content item drop-down list to add an image file or other content item.
6. When your entries are complete in this tab, click Save Changes. You can click Next to continue to the next tab, or Previous to return to the previous tab.

Configuring Provisioning Settings for Windows Devices

To specify provisioning settings related to Windows devices:

1. Go to Onboard > Provisioning Settings and click the Windows tab.
2. To enable provisioning Windows devices, mark the check box in the Windows Devices row.
3. In the Code-Signing Certificate drop-down list, select a certificate for signing the provisioning application, or leave the default setting of None - Do not sign the application.
4. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
5. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
6. You may use the Insert content item drop-down list to add an image file or other content item.
7. When your entries are complete in this tab, click Save Changes. You can click Next to continue to the next tab, or Previous to return to the previous tab.

Configuring Provisioning Settings for Android Devices

To specify provisioning settings related to Android devices:

1. Go to Onboard > Provisioning Settings and click the Android tab.
2. To enable provisioning Android devices, mark the check box in the Android Devices row.
3. In the Android Rootkit Detection drop-down list, choose one of the following options:
   - Provision all devices – All Android devices will be provisioned.
   - Do not provision rooted devices – Onboard will detect a jailbroken Android device and will not provision the network if the device has been compromised.
4. In the Before Provisioning text box, enter the instructions that are shown to the user before they provision their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
5. In the Next Step text box, enter the instructions that are shown to the user after they download the application to their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
6. In the Before Profile Install text box, enter the instructions that are shown to the user before they install the network profile on their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
7. In the After Provisioning text box, enter the instructions that are shown to the user after they have provisioned their device. The text can be entered as HTML code, and you can use Smarty template functions. If this field is left empty, the default text will be displayed.
8. You may use the Insert content item drop-down list to add an image file or other content item.
9. When your entries are complete in this tab, click Save Changes. You can click Next to continue to the next tab, or Previous to return to the previous tab.

Configuring Options for Legacy OS X, Windows, and Android Devices

The Onboard Client tab is used to edit basic configuration options for Windows, Android, and legacy OS X (10.5 and 10.6) devices.

To specify provisioning settings related to these Onboard-capable devices:

1. Go to Onboard > Provisioning Settings and click the Onboard Client tab.
2. In the Provisioning Address drop-down list, choose the hostname or IP address to use for device provisioning:
   - The system’s hostname (requires DNS resolution) – Select this option to use the system hostname for device provisioning.
     NOTE: This option requires that the device be able to resolve the listed hostname at the time the device is provisioned.
   - The system’s IP address (network adapter name) – Select this option to use the IP address of the system for device provisioning. The drop-down list includes one option for each of the IP addresses detected on the system. Use this option when DNS resolution of the system’s hostname is not available for devices that are in a provisioning role.
   • Other IP address or hostname… – Select this option to override the hostname or IP address to be specified during device provisioning. The administrator must enter the hostname or IP address in the “Address” text field. Use this option when special DNS or NAT conditions apply to devices that are in a provisioning role.
3. If you chose Other IP address or hostname in the Provisioning Address drop-down list, use the Address field to enter a hostname or IP address.
4. The Provisioning Access warning message is displayed when HTTPS is not required for guest access. HTTPS is recommended for all deployments, as it secures the unique device credentials that will be issued to the device.
NOTE: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate. Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate authority, will cause iOS device provisioning to fail with the message “The server certificate for … is invalid”.
5. The Validate Certificate drop-down list is used to specify whether the SSL server’s certificate should be validated as trusted. When this option is set to Yes, validate this web server’s certificate (recommended), a certificate validation failure on the client device will cause device provisioning to fail. This is the default option. You should change this option to No, do not validate this web server’s certificate only during testing, or if you are waiting for a commercial SSL certificate.
6. To display your enterprise’s logo, select an image from the list in the Logo Image field. Navigate to Administration > Content Manager to upload new images to use as the logo. The native size of the logo used in the QuickConnect client is 188 pixels wide by 53 pixels high. You may use an image of a different size and it will be scaled to fit, but for the best quality results it is recommended that you provide an image that is already the correct size.
7. The Wizard Title text field may be used to specify the text displayed to users when they launch the QuickConnect app to provision their device.
8. If provided, the Password Recovery URL and Helpdesk URL fields may be used to provide additional resources to users who encounter trouble in provisioning their devices. NOTE: Ensure that users in the provisioning role can access these URLs.
9. When your entries are complete in this tab, click Save Changes. You can click Previous to return to the previous tab.

Configuring Network Settings for Device Provisioning

To configure the network settings that will be sent to a provisioned device, go to Onboard > Network Settings, or click the Network Settings command link. The Network Settings list view opens.
All networks that have been provisioned are included in the list. To view details for a network, or to configure a network, click the network’s row in the list. The row expands to include the Show Details, Edit, Disable or Enable, and Delete options.

Configuring Basic Network Access Settings

1. To configure the network settings that will be provisioned to devices, click the network’s Edit link. To create a new network, click the Create new network link in the upper-right corner. The Network Access form opens with the Access tab displayed. The configuration process is the same for editing an existing network and for creating a new network. The Network Access form is divided into several tabs:
   • Access – Specifies basic network properties, such as the name of the wireless network and the type of security that is used. See "Configuring Basic Network Access Settings" on page 118.
   • Protocols – Specifies the 802.1X authentication protocols that are used by the network. See "Configuring 802.1X Authentication Network Settings" on page 120.
   • Authentication – Specifies the type of device authentication to be used for the network. See "Configuring Device Authentication Settings" on page 121.
   • Trust – Specifies options related to mutual authentication. See "Configuring Mutual Authentication Settings" on page 122.
   • Windows – Specifies networking options used only by devices using the Windows operating system. See "Configuring Windows-Specific Network Settings" on page 124.
   • Proxy – Specifies a proxy server to be used by devices connecting to the network. See "Configuring Proxy Settings" on page 125.
NOTE: Navigating between different tabs will save the changes you have made. The modified settings are indicated with a “#” marker in the tab. The settings used for device provisioning are not modified until you click Create Network.
2. To edit the network’s basic and wireless network access options, click the Access tab.
3. If you need to edit the network’s name, enter the new name in the Name field.
4. You can use the check box in the Enabled row to enable or disable the network in the device profile.
5. (Optional) You may enter additional identifying information in the Description field.
6. The options available in the Network Type drop-down list are:
   • Both — Wired and Wireless – Configures both wired (Ethernet) and wireless network adapters. Use this option when you have 802.1X configured for all types of network access.
   • Wireless only – Configures only wireless network adapters.
   • Wired only – Configures only wired (Ethernet) network adapters.
7. The options available in the Security Type drop-down list are:
   • Enterprise (802.1X) – Use this option to set up a network that requires user authentication.
     This option is the only available choice when the Network Type is set to “Wired only”.
   • Personal (PSK) – Use this option to set up a network that requires only a pre-shared key (password) to access the network. This option is only available when the Network Type is set to “Wireless only”.
8. The Security Type field lets you set the encryption version for the wireless network to WPA or WPA2.
9. If you have selected the Personal (PSK) security type, you must provide the pre-shared key in the Password field. Selecting this security type hides the Protocols, Authentication, and Trust tabs.
10. In the Wireless Network Settings area:
   • The drop-down list in the OS X Profile row allows you to select the type of profile to create when an OS X 10.7 (or later) device is provisioned. To create a per-user profile, select the User option. To create a system profile, select the System option. The System option can be used in settings where the device has several users and a single profile might be preferred to individual user profiles—for example, where an iMac in a high school classroom is used by all the students.
   • In the Auto Join row, you can mark the Automatically join network check box to specify that the device should be automatically connected to the network when it is provisioned. If only one network is available to the user, the device will be connected automatically. If multiple networks are available, the user will be able to choose the network to connect to. If the Automatically join network option is not selected on this form, an option to manually connect to the network will be shown to the user.
11. Do one of the following:
   • Click the Next button to continue to the Protocols tab.
   • Click the Create Network button to make the new network configuration settings take effect.
   • Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.

Configuring 802.1X Authentication Network Settings

Click the Protocols tab to display the Enterprise Protocols form. Use this form to specify the authentication methods required by your network infrastructure.
• The iOS & OS X EAP option supports TLS, TTLS, PEAP, and EAP-FAST.
• The Legacy OS X EAP option supports only PEAP with MSCHAPv2.
• The Android EAP option supports PEAP with MSCHAPv2, PEAP with GTC, TTLS with MSCHAPv2, TTLS with GTC, TTLS with PAP, and TLS.
• The Windows EAP option supports PEAP with MSCHAPv2 and TLS.
These best practices are recommended when choosing the 802.1X authentication methods to provision:
• Configure PEAP with MSCHAPv2 for Onboard devices – Android, Windows, and legacy OS X (10.5/10.6).
• Configure EAP-TLS for iOS devices and OS X (10.7 or later).
• Other EAP methods, while possible, are limited in their applicability and should only be used if you have a specific requirement for that method.
The Windows EAP options that may be specified include:
• Enable Fast Reconnect – Fast Reconnect is a PEAP property that enables wireless clients to move between wireless access points on the same network without being re-authenticated each time they associate with a new access point. If TLS is selected, Fast Reconnect is not available.
• Enforce Network Access Protection – Enable this option to obtain a system statement-of-health (SSoH) from the OnGuard or Microsoft NAP Agent and send it to the authentication server during the 802.1X authentication process. Use this option to enforce network access control (NAC) protections on the network. If TLS is selected, Enforce Network Access Protection is not available.
• Enforce Cryptobinding – Cryptobinding is a process that protects the authentication protocol negotiation against man-in-the-middle attacks. The cryptobinding request and response perform a two-way handshake between the peer and the authentication server using key material. If TLS is selected, Enforce Cryptobinding is not available.
Do one of the following:
• Click the Previous button to return to the Access tab.
• Click the Next button to continue to the Authentication tab.
• Click the Create Network button to make the new network configuration settings take effect.
• Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.

Configuring Device Authentication Settings

Click the Authentication tab to display the Enterprise Authentication form.
1. Select one of these options in the iOS & OS X Credentials drop-down list:
   • Certificate – A device certificate will be provisioned and used for EAP-TLS client authentication. When this option is selected, EAP-TLS must be selected on the Protocols tab.
   • Username & Password – A device certificate will be provisioned, but the client authentication will use unique device credentials (as for Onboard devices). When this option is selected, EAP-TTLS or PEAP must be selected on the Protocols tab.
2. The Windows Authentication options that may be selected are:
   • Machine Only – Use computer-only credentials.
   • User Only – Use user-only credentials.
   • Machine Or User – Use computer-only credentials or user-only credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, computer-only credentials are used for authentication.
   • Guest – Use guest-only credentials.
3. Do one of the following:
   • Click the Previous button to return to the Protocols tab.
   • Click the Next button to continue to the Trust tab.
   • Click the Create Network button to make the new network configuration settings take effect.
   • Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.

Configuring Mutual Authentication Settings

Click the Trust tab to display the Enterprise Trust form. Use this form to create the network settings that will be sent to a provisioned device.

Configuring Trust Settings Automatically

1. When you open this tab, the default selection in the Configure Trust field is Automatically configure trust settings (recommended). With this option selected, Onboard automatically determines the appropriate certificate trust configuration for your deployment.
2. If the deployment is not using the built-in CA, you may use the Trusted Server Names text field to enter the certificate names to accept from the authentication server. Only certificates included in this list will be trusted. Enter each server name on a separate line. You can use wildcards.
3. Do one of the following:
   • Click the Previous button to return to the Authentication tab.
   • Click the Next button to continue to the Windows tab.
   • Click the Create Network button to make the new network configuration settings take effect.
   • Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.

Configuring Trust Settings Manually

1. To change the recommended default setting and configure trust settings manually, choose Manually configure certificate trust settings in the Configure Trust drop-down list. The form expands to include configuration options.
2. If the deployment is not using the built-in CA, you may use the Trusted Server Names text field to enter the certificate names to accept from the authentication server. Only certificates included in this list will be trusted.
Enter each server name on a separate line. You can use wildcards.
3. In the Trusted Certificates row, mark the check box for each server certificate that the client should trust. You should include the root certificate that issued the authentication server’s certificate, and you should provide the certificate for each authentication server a provisioned device will use.
4. You can use the Upload Certificate options to import additional trusted certificates or certificate signing requests. Click Choose File to navigate to the file on your computer, then click Upload. The certificate is imported, and the certificate name is displayed above the form. You can click the Show certificate link next to the name to view certificate details. The certificate is also displayed in the Certificate Management list with the type “trusted”.
5. In the Dynamic Trust row, you should avoid marking the Allow trust exceptions check box: the network administrator should make all trust decisions. Users will not generally review certificates for potential issues before accepting them. If you wish to enable trust decisions to be made by the user, you may mark the Allow trust exceptions check box. Be aware that this is an insecure configuration, as a user can override a security warning if a man-in-the-middle attack occurs.
6. In the Android Trust area, use the Trusted Certificate drop-down list to select a certificate the device should trust. Android supports only a single trusted certificate; this must be the root CA that issued the authentication server’s certificate. Be aware that if None is selected, 802.1X authentication might not work.
7. In the Windows Trust area, mark the Validate the server certificate check box. This ensures that the provisioned device will check that the server certificate is valid before using the server for authentication.
If this check box is unmarked, the configuration will not be secure: an attacker could present another server certificate, which the client would not verify.
8. Do one of the following:
   • Click the Previous button to return to the Authentication tab.
   • Click the Next button to continue to the Windows tab.
   • Click the Create Network button to make the new network configuration settings take effect.
   • Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.

Configuring Windows-Specific Network Settings

Click the Windows tab to display the Windows Network Settings form.
Network Access Protection (NAP) is a feature in Windows Server 2008 that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.
Deploying NAP requires a NAP-compatible authentication server, so that appropriate policies may be implemented based on the statement of health provided by the NAP client.
To enable NAP for Microsoft Windows clients, mark the Enable NAP services check box on this tab. You will also need to mark the Enable Quarantine Checks check box on the Protocols tab.
Do one of the following:
• Click the Previous button to return to the Trust tab.
• Click the Next button to continue to the Proxy tab.
• Click the Create Network button to make the new network configuration settings take effect.
• Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.

Configuring Proxy Settings

Click the Proxy tab to display the Proxy Settings form. Select one of these options in the Proxy Type drop-down list:
• None – No proxy server will be configured.
• Manual – A proxy server will be configured, if the device supports it. Specify the proxy server settings in the Server and Server Port fields.
• Automatic – The device will configure its own proxy server, if the device supports it. Specify the location of a proxy auto-config file in the PAC URL text field.
Do one of the following:
• Click the Previous button to return to the Windows tab.
• Click the Create Network button to make the new network configuration settings take effect.
• Click the Cancel button to discard your changes and return to the main Onboard configuration user interface.

Configuring an iOS Device VPN Connection

To configure the VPN settings that will be sent to a device, go to Onboard > VPN Settings, or click the VPN Settings command link. The VPN Settings page opens.
This page is used to automatically configure virtual private networking (VPN) settings on the iOS device. Use this option when you have deployed a VPN infrastructure and want to automatically provide the secure connection settings to users at the time of device provisioning.
NOTE: ClearPass Onboard VPN settings can only be used with iOS 4 and iOS 5 devices. Other platforms are not supported.
Mark the Add this VPN to the device profile check box to enable provisioning of VPN settings.
The Display Name text field specifies the name for this VPN connection. This will be displayed on the device in the Settings app. To help the user identify the connection easily, include your organization’s name in the Display Name field. For example, use “ACME Sprockets VPN”.
Select the appropriate Connection Type from the drop-down list:
• L2TP – Connection uses the Layer 2 Tunneling Protocol. Complete the fields shown in the L2TP Connection Settings section of the form.
• PPTP – Connection uses the Point-to-Point Tunneling Protocol. Complete the fields shown in the PPTP Connection Settings section of the form.
• IPSec – Connection uses the Internet Protocol with security extensions. Complete the fields shown in the IPSec Connection Settings section of the form.
The Authentication Type drop-down list provides these options when configuring an IPSec VPN:
   - Identity Certificate – The client certificate issued during device provisioning will also be used as the identity certificate for VPN connections. This option requires configuring your VPN server to allow IPSec authentication using a client certificate.
   - Shared Secret / Group Name – An optional group name may be specified. A shared secret (pre-shared key) is used to establish the IPSec VPN. Authentication is performed with a username and password.
The Proxy Settings section of the form specifies a proxy server that is used when the VPN connection is active. Select one of these options in the Proxy Setup drop-down list:
• None – No proxy server will be configured with this VPN profile.
• Manual – A proxy server will be configured with this VPN profile. Specify the proxy server settings in the Server and Port fields. If authentication is required to access this proxy, you may specify the username and password using the Authentication and Password text fields.
• Automatic – The proxy server will be automatically configured with this VPN profile. Specify the location of a proxy auto-config file in the Proxy Server URL text field.
Click the Save Changes button to save the VPN connection profile and return to the main Onboard configuration user interface.
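The Access, Protocols, Authentication and Trust tab settings described above reach an iOS or OS X device as a Wi-Fi configuration-profile payload, and the Trust tab's warnings (missing anchors, empty Trusted Server Names, trust exceptions allowed) are all visible in that payload. The following added example is not Onboard's or Aruba's code: it builds such a payload with plistlib and audits it for those weaknesses; the Apple payload key names are assumed from Apple's configuration-profile format, the wildcard semantics for Trusted Server Names are assumed to be shell-style, and the SSID, server names and UUIDs are constructed placeholders.

```python
import plistlib
import uuid
from fnmatch import fnmatchcase

# IANA EAP method numbers as used in the AcceptEAPTypes array
# (TLS 13, TTLS 21, PEAP 25, EAP-FAST 43: the methods the iOS & OS X EAP option lists).
EAP_TLS, EAP_TTLS, EAP_PEAP, EAP_FAST = 13, 21, 25, 43


def server_name_matches(cert_name, trusted_patterns):
    """Trusted Server Names check: does a name from the authentication server's
    certificate match any configured entry? Wildcard semantics are assumed to be
    shell-style (e.g. *.corp.example.com); empty lines in the field are ignored."""
    name = cert_name.strip().lower()
    return any(fnmatchcase(name, p.strip().lower()) for p in trusted_patterns if p.strip())


def wifi_payload(ssid, eap_types, anchor_uuids, trusted_server_names,
                 allow_trust_exceptions=False, identity_uuid=None, auto_join=True):
    """Return one com.apple.wifi.managed payload built from the tab settings."""
    eap = {
        # Protocols tab: the EAP methods the device may accept
        "AcceptEAPTypes": list(eap_types),
        # Trust tab, Trusted Certificates: UUIDs of certificate payloads the device
        # pins as anchors for the authentication server's certificate
        "PayloadCertificateAnchorUUID": list(anchor_uuids),
        # Trust tab, Trusted Server Names: one entry per line of the text field
        "TLSTrustedServerNames": [n for n in trusted_server_names if n.strip()],
        # Trust tab, Dynamic Trust: "Allow trust exceptions"
        "TLSAllowTrustExceptions": bool(allow_trust_exceptions),
    }
    payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.onboard.wifi." + ssid,  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi (%s)" % ssid,
        "SSID_STR": ssid,                      # Access tab: network name
        "AutoJoin": bool(auto_join),           # Access tab: Auto Join
        "EncryptionType": "WPA2",              # Access tab: encryption version
        "EAPClientConfiguration": eap,
    }
    if identity_uuid:
        # Authentication tab, Certificate: the device certificate used for EAP-TLS
        payload["PayloadCertificateUUID"] = identity_uuid
    return payload


def audit_wifi_payload(payload):
    """Return the trust weaknesses the Trust tab text warns about, as strings."""
    findings = []
    eap = payload.get("EAPClientConfiguration", {})
    if not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("no trusted certificate anchors: the server certificate is not validated")
    if not eap.get("TLSTrustedServerNames"):
        findings.append("no trusted server names: any server certificate chaining to an anchor is accepted")
    if eap.get("TLSAllowTrustExceptions"):
        findings.append("trust exceptions allowed: a user can accept an unexpected certificate")
    if EAP_TLS in eap.get("AcceptEAPTypes", []) and not payload.get("PayloadCertificateUUID"):
        findings.append("EAP-TLS accepted but no identity certificate is referenced")
    return findings


def profile_xml(payloads, name="Onboard network profile"):
    """Wrap payloads in a top-level configuration profile and serialise to plist XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.onboard.profile",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def parse_profile(xml_bytes):
    """Load a profile back into a dict, e.g. to audit one exported from a device."""
    return plistlib.loads(xml_bytes)


if __name__ == "__main__":
    anchor, identity = str(uuid.uuid4()).upper(), str(uuid.uuid4()).upper()
    secure = wifi_payload("CorpWiFi", [EAP_TLS], [anchor],
                          ["radius1.example.com", "*.corp.example.com"],
                          identity_uuid=identity)
    insecure = wifi_payload("CorpWiFi", [EAP_PEAP], [], [], allow_trust_exceptions=True)
    for label, p in (("secure", secure), ("insecure", insecure)):
        print(label, audit_wifi_payload(p))
    print(profile_xml([secure]).decode()[:300])
```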
Configuring an iOS Device Email Account

To configure the Exchange ActiveSync settings that will be sent to a device, go to Onboard > Exchange ActiveSync, or click the Exchange ActiveSync command link. The Exchange ActiveSync Settings page opens.
This page is used to automatically configure an email account on the iOS device. Use this option when you have an Exchange mail server and want to automatically provide the email settings to users provisioning their mobile devices.
NOTE: Onboard Exchange ActiveSync settings can only be used with iOS 4 and iOS 5 devices. Other platforms are not supported.
Mark the Add this ActiveSync configuration to the device profile check box to enable email account provisioning.
The Account Name text field specifies the name for this email account. This will be displayed on the device in the Settings app, and also within the Mail app to identify the mailbox. To help the user identify this mailbox easily, include your organization’s name in the Account Name field. For example, use “ACME Sprockets Mail”.
In the Account Settings group, choose one of the following options from the Account Details drop-down list:
• User provided — entered by user on device. This option requires the user to enter their credentials on the device to access their email.
• Identity certificate — created during provisioning. This option uses the device’s TLS client certificate to authenticate the user. Using this option requires configuration of the ActiveSync server to authenticate a user based on the client certificate.
• Shared preset values — testing only. This option provides a fixed set of credentials to the device. These settings cannot be modified for each user when provisioning a device, so it is recommended that these settings only be used when testing Exchange integration.
In the Sync Settings group, choose one of the following options from the Days of Mail drop-down list:
• No Limit
• 1 day
• 3 days
• 1 week
• 2 weeks
• 1 month
Click the Save Changes button to save the Exchange ActiveSync profile and return to the main Onboard configuration user interface.

Configuring an iOS Device Passcode Policy

To make changes to the Passcode Policy configuration that will be sent to a device, go to Onboard > Passcode Policy, or click the Passcode Policy command link. The Passcode Policy Settings page opens.
This page is used to configure a passcode policy that is applied to iOS devices when they are provisioned. Typically, you would enable this policy when provisioning a corporate-owned device, or if you are allowing a user to access sensitive information remotely.
NOTE: Onboard Passcode Policy settings can only be used with iOS 4 and iOS 5 devices. Other platforms are not supported.
To enable the passcode policy on all iOS devices, mark the Enable passcode policy check box and configure the remaining options according to your enterprise’s security requirements.
Click the Save Changes button to save the passcode policy settings and return to the main Onboard configuration user interface.

Resetting Onboard Certificates and Configuration

To delete certificates, re-create the Onboard Web login page, or reset the configuration to factory default settings, go to Onboard > Reset to Factory Defaults, or click the Reset to Factory Defaults command link. The Reset to Factory Defaults page opens.
This page is used to delete certificates, or to restore the default configuration for Onboard. These options are useful while trialing the Onboard workflow with a set of test devices.
Select one of the following options in the Reset Type drop-down list:
• Delete all client certificates – Removes all client certificates from Certificate Management. The certificate authority’s root certificate, intermediate certificate, profile signing certificate, and any server certificates are not affected. The provisioning settings for iOS and Onboard-capable devices are not modified.
• Delete all certificates – Removes all certificates from Certificate Management, including the certificate authority’s root certificate, intermediate certificate, profile signing certificate, and any server certificates. The default certificate authority certificate will be recreated. The provisioning settings for iOS and Onboard-capable devices are not modified.
• Re-create the Onboard weblogin page – Select this option to create the default device_provisioning Web login page, if it has been deleted or has been modified and no longer functions correctly. All certificates and settings are left unmodified.
• Delete all certificates and reset configuration to factory defaults – Removes all certificates from Certificate Management, including the certificate authority’s root certificate, intermediate certificate, profile signing certificate, and any server certificates. The provisioning settings for iOS and Onboard-capable devices are restored to the default settings. The default certificate authority will be recreated.
Mark the Reset the specified items check box to indicate that the reset operation should be performed, and then click Reset to Factory Defaults to perform the operation.

Onboard Troubleshooting

If you encounter a problem that is not listed here, refer to the "Onboard Deployment Checklist" on page 66 and check each of the configuration steps listed there.
iOS Device Provisioning Failures

Symptom: Device provisioning fails on iOS with the message “The server certificate for https://… is invalid”.
Resolution: When using HTTPS for device provisioning, you must obtain a commercial SSL certificate. Self-signed SSL certificates, and SSL server certificates that have been issued by an untrusted or unknown root certificate authority, will cause iOS device provisioning to fail with the message “The server certificate for … is invalid”.
A workaround for this issue is to install an appropriate root certificate on the iOS device. This root certificate must be the Web server’s SSL certificate (if it is a self-signed certificate), or the certificate of the certificate authority that issued the SSL certificate. This is not recommended for production deployments, as it increases the complexity of deployment for users with iOS devices.

Chapter 5
Configuration

Dell Networking W-ClearPass Guest’s built-in Configuration editor lets you customize many aspects of the appearance, settings, and behavior of the application. Areas you can customize include:
• Guest Manager configuration
• Fields, forms, and views in ClearPass Guest
• Guest self-registration processes and forms
• Format and appearance of visitor account receipts
• Settings for emailing visitor account receipts
• Self-provisioning features of your wireless network
• Content asset management
• Visitor account provisioning services for IP phones
• SMS visitor account receipt settings
• Web login pages

Accessing Configuration

To access Dell Networking W-ClearPass Guest’s application customization features, click the Configuration link in the left navigation.
Configuring ClearPass Guest Authentication

You can use the Configuration module to modify authentication settings for the Dell Networking W-ClearPass Guest application. To configure ClearPass Guest’s authentication settings:
1. Go to Configuration > Authentication. The Authentication Settings form opens.
2. To send automatic disconnect or re-authorization messages when the enabled state or role values change, mark the check box in the Dynamic Authorization row. This requires a network access server (NAS) type that supports RFC 3576.
3. In the NAS Type row, use the drop-down list to choose the default type for network access servers.
4. To force a specific bind address for RFC-3576 requests, enter a value in the RFC-3576 Bind Address row. This might be needed in an AirGroup environment.
5. In the Internal Auth Type row, choose a type from the drop-down list. Choices in the list include PAP, CHAP, and MS-CHAP. The internal authentication type controls the RADIUS authentication used for internal RADIUS requests.
6. To redirect HTTP access to use HTTPS instead, mark the check box in the Security row.

Content Manager

The Content Manager allows you to upload content items to Dell Networking W-ClearPass Guest. Content items are assets such as text, images, and animations that are made available for guest access using the application’s built-in Web server.
To work with your content items, go to Configuration > Content Manager. You can add content items by using your Web browser to upload them. You can also copy a content item stored on another Web server by downloading it.
To use a content item, you can insert a reference to it into any custom HTML editor within the application. To do this, select the content item you want to insert from the drop-down list located in the lower right corner of the editor.
The item will be inserted using the HTML that is most suited to the type of content inserted. To manually reference a content item, you can use the URL of the item directly. For example, an item named logo.jpg could be accessed using a URL such as: http://192.168.88.88/public/logo.jpg.

Uploading Content

To add a new content item using your Web browser:

1. Go to Configuration > Content Manager, then click the Upload New Content tab. The Add Content form opens.
2. In the File row, click Browse to navigate to the file you wish to upload. The maximum file size is 15 MB. You can upload single content files, multiple content asset files and folders, or a Web deployment archive. To upload multiple assets, first compress the files as a “tarball” or zip file, then browse to it in the File field. Allowed archive formats are .tgz, .tar.gz, .tb2, .tar.bz2, or .zip. When you have uploaded the file, the Extract option lets you create the new directory, navigate into it, and view and extract the files. Directory structure is preserved when extracting.
3. (Optional) You may enter a description of the content assets in the Description text area.
4. To overwrite a previous file of the same name, mark the Overwrite check box.
5. Click Upload Content to upload the file. The file is displayed in the list view and is placed in the public directory on the Web server. You can reference the file when creating custom HTML templates. Because items in the public directory are served to unauthenticated guests, upload only content that is intended to be publicly visible.

Downloading Content

To download a file from the Internet for use in ClearPass Guest:

1. Go to Configuration > Content Manager, then click the Download New Content tab. The Fetch Content form is displayed.

After you have completed the form, click the Fetch Content button to have the file downloaded. The file is placed in the public directory on the Web server. You are then able to reference this file when creating custom HTML templates.
Additional Content Actions

To work with your content items:

1. Go to Configuration > Content Manager, then click the item’s row in the list. The row expands to include the Properties, Delete, Rename, Download, View Content, and Quick View options.
2. The Properties link allows you to view and edit the properties of the item. Editable properties include the content item’s filename and description. Read-only properties include the content type, modification time, file size, and other content-specific properties such as an image’s dimensions.
3. You can use the Delete link to delete the content item. You will be asked to confirm the deletion.
4. You can use the Rename link to rename the content item.
5. To save a copy of the content item using your Web browser, click the Download link.
6. To open a new window to view the item, use the View Content link.
7. The Quick View link can be used to display certain types of content inline, such as images and text. The item is displayed below its row in the list. The Quick View link is not available for all content types.

Customizing Guest Manager

Guest Manager allows the entire guest account provisioning process to be customized. This is useful in many different situations, such as:

- Self-registration – Allow your guests to self-register and create their own temporary visitor accounts.
- Visitor surveys – Define custom fields to store data of interest to you, and collect this information from guests using customized forms.
- Branded print receipts – Add your own branding images and text to print receipts.
- SMS and email receipts – Include a short text message with your guest’s username and password, or send HTML emails containing images.
- Advanced customization – ClearPass Guest is flexible and can be used to provide location-sensitive content and advertising.
Default Settings for Account Creation

The Guest Manager plugin configuration holds the default settings for account creation. To modify settings for the Guest Manager plugin configuration, go to Configuration and click the Guest Manager Settings command link, or, from the Guest Manager page, click the Guest Manager Settings command link.

Figure 22: Customize Guest Manager Page (upper section)

- Site SSID—The Site SSID is the public name of the wireless local area network (WLAN). The default setting for this field is Aruba, and can be changed. The site SSID is displayed in the guest receipt as the WiFi Network, as shown below:

Figure 23: Sample Guest Receipt Showing Aruba as the Default Site SSID

- Site WPA Key—The encryption key used to secure the wireless network. If a value is entered in this field, it will appear on guest print receipts.
- Username Type—The default method used to generate random account usernames (when creating groups of accounts). This may be overridden by using the random_username_method field.
  - Username Length—This field is displayed if the Username Type is set to “Random digits”, “Random letters”, “Random letters and digits” or “Sequential numbering”. It sets the default length of random account usernames (when creating groups of accounts). This may be overridden by using the random_username_length field.
  - Username Format—This field is displayed if the Username Type is set to “Format picture”. It sets the format of the username to be created. See "Format Picture String Symbols" on page 297 for a list of the special characters that may be used in the format string. This may be overridden by using the random_username_picture field.
- Random Password Type—The default method used to generate random account passwords (when creating groups of accounts). This may be overridden by using the random_password_method field.
  - Random Password Length—The default length of random account passwords (when creating groups of accounts). This may be overridden by using the random_password_length field.
  - Password Format—This field is displayed if the Password Type field is set to “Format picture”. It sets the format of the password to be created. See "Format Picture String Symbols" on page 297 for a list of the special characters that may be used in the format string. This may be overridden by using the random_password_picture field.
- Password Complexity—The policy to enforce when guests change their account passwords using the guest self-service user interface. Different levels of password complexity can require guests to select passwords that contain different combinations of uppercase letters, lowercase letters, digits and symbols (!#$%&()*+,-./:;<=>?@[\]^_{|}~). The available options for this setting are:
  - No password complexity requirement
  - At least one uppercase and one lowercase letter
  - At least one digit
  - At least one letter and one digit
  - At least one of each: uppercase letter, lowercase letter, digit
  - At least one symbol
  - At least one of each: uppercase letter, lowercase letter, digit, and symbol
- Minimum Password Length—The minimum acceptable password length for guests changing their account passwords.
- Disallowed Password Characters—Special characters that should not be allowed in a guest password. Spaces are not allowed by default. You can specify special characters, numbers, and letters to exclude from passwords—for example, letters and numbers that can look similar, such as i, l, 1, 0, O, o, 5, S.
- Disallowed Password Words—Enter a comma-separated list of words that are disallowed and will not be created by the random words password generator.
Figure 24: Customize Guest Manager Page, Continued (middle section)

- Expiration Options—Default values for relative account expiration times. These options are displayed as the values of the “Expires After” field when creating a user account.
- Lifetime Options—Default values for account lifetimes. These options are displayed as the values of the “Account Lifetime” field when creating a user account.

Figure 25: Customize Guest Manager Page, Continued (lower section)

- Terms of Use URL—URL of a terms and conditions page provided to sponsors. You may upload an HTML file describing the terms and conditions of use using the Content Manager (see "Content Manager" on page 134). If this file is called terms.html, then the Terms of Use URL should be public/terms.html.
- Active Sessions—Default maximum number of active sessions that should be allowed for a guest account. This may be overridden by using the simultaneous_use field when creating or editing a guest account.
- Password Logging—By default, the passwords for created guest accounts are logged in the application log and may be recovered from there. For increased security, you may prevent passwords from being logged by clearing this check box.
- Password Display—Select “View guest account passwords” to enable the display of visitor account passwords in the user list. To reveal passwords, the password field must be added to the “guest_users” or “guest_edit” view, and the operator profile in use must also have the View Passwords privilege.
- Initial Sequence—This field contains the next available sequence number for each username prefix that has been used. Automatic sequence numbering is used when the value of the multi_initial_sequence field is set to -1. The username prefix is taken from the multi_prefix field when usernames are automatically generated using the “nwa_sequence” method.
  You can edit the values stored here to change the next sequence numbers that will be used. This is an automatically managed field; in most situations there is no need to edit it.
- Receipt Printing—Select the “Require click to print” option to change the behavior of the receipt page. When this option is not selected, the default behavior is to provide a drop-down list of print templates and to open a new window when one is selected. When “Require click to print” is selected, the receipt page provides a drop-down list of print templates and a Print link that must be clicked to display the account receipt.
- About Guest Network Access—Allows the text displayed to operators on the Guest Manager start page to be customized, or removed (if a single hyphen “-” is entered).

About Fields, Forms, and Views

- A field is a named item of information. It may be used to display information to a user as static text, or it may be an interactive field where a user can select an option or enter text.
- A form is a group of fields that is used to collect information from an operator.
- A view is a grouping of fields that is used to display information to an operator.

Business Logic for Account Creation

When guest accounts are created, certain rules must be followed in order to create a valid account. These rules apply to all accounts, regardless of how the account was created. The business logic rules that control all guest account creation are described below.

To see the display name corresponding to a field name, go to Configuration > Fields and scroll to the field name. Display names are shown in the Column Title column.

Verification Properties

- creator_accept_terms: This field must be set to 1, indicating the creator has accepted the terms of use for creating the account. If the field is not present or is not set to 1, the visitor account is not created.
- password2: If this field is specified, its value must be equal to the “password” field, or else the visitor account is not created.
- auto_update_account: If this field is present and set to a non-zero value, account creation will not fail if the username already exists – any changes will be merged into the existing account using an update instead.

Basic User Properties

- username: This field is the name for the visitor account and may be provided directly. If this field is not specified, the email address from the email field is used; if that is also not specified, a username is generated randomly (according to the values of the random_username_method and random_username_length fields).
- modify_password: This field controls password modification for the visitor account. It may be set to one of these values:
  - “reset” to randomly generate a new password according to the values of the random_password_method and random_password_length fields
  - “password” to use the password specified in the password field
  - “random_password” to use the password specified in the random_password field
  - If blank or unset, the default password behavior is used, which is to use any available value from the random_password field and the password field, or to assume that “reset” was specified otherwise.
- password: This field is the password for the visitor account and may be provided directly. If this field is not specified, a password is generated randomly (according to the values of the random_password_method and random_password_length fields).
- role_id: This field is the role to assign to the visitor account and may be specified directly. If this field is not specified, the role ID is determined from the role_name field. If no valid role ID can be determined, the visitor account is not created.
- simultaneous_use: This field determines the maximum number of concurrent sessions allowed for the visitor account. If this field is not specified, the default value from the GuestManager configuration is used.
- random_username_method: The method used to generate a random account username. If not specified, the default value from the GuestManager configuration is used.
- random_username_length: The length in characters of random account usernames. If not specified, the default value from the GuestManager configuration is used.
- random_password_method: The method used to generate a random account password. If not specified, the default value from the GuestManager configuration is used.
- random_password_length: The length in characters of random account passwords. If not specified, the default value from the GuestManager configuration is used.

Visitor Account Activation Properties

- enabled: This field determines whether the account is enabled or disabled; if not specified, the default is 1 (account is enabled).
- do_schedule, modify_schedule_time, schedule_after and schedule_time: These fields are used to determine the time at which the visitor account will be activated.
  - If modify_schedule_time is “none”, then the account is disabled and has no activation time set.
  - If modify_schedule_time is “now”, then the account is enabled and has no activation time set.
  - If modify_schedule_time is a value that specifies a relative time change, for example “+1h”, then the visitor account’s activation time is modified accordingly.
  - If modify_schedule_time is a value that specifies an absolute time, for example “2010-12-31 17:00”, then the visitor account’s activation time is set to that value.
  - If modify_schedule_time is “schedule_after” or “schedule_time”, then the activation time is determined according to the schedule_after or schedule_time fields as explained below.
  - If schedule_after is set and not zero, then that number of hours is added to the current time and used as the activation time (setting do_schedule to 1); enabled will be set to zero.
  - Otherwise, if schedule_after is zero, negative or unset, and schedule_time has been specified, that activation time is used (do_schedule is set to 1 and enabled to 0). If the schedule_time specified is in the past, do_schedule is set to 0 and enabled to 1.
  - Otherwise, if schedule_time is not specified, then the visitor account has no activation time and do_schedule will default to zero.

Visitor Account Expiration Properties

- do_expire, modify_expire_time, expire_after and expire_time: These fields are used to determine the time at which the visitor account will expire.
  - If modify_expire_time is “none”, then the account has no expiration time set.
  - If modify_expire_time is “now”, then the account is disabled and has no expiration time set.
  - If modify_expire_time is a value that specifies a relative time change, for example “+1h”, then the visitor account’s expiration time is modified accordingly.
  - If modify_expire_time is a value that specifies an absolute time, for example “2010-12-31 17:00”, then the visitor account’s expiration time is set to that value.
  - If modify_expire_time is “expire_after” or “expire_time”, then the expiration time is determined according to the expire_after or expire_time fields as explained below.
  - If expire_after is set and not zero and the account will be activated immediately, then that number of hours is added to the current time to determine the expiration time.
  - If expire_after is set and not zero and account activation is set for a future time (schedule_time) instead of the current time, then the expiration time is calculated relative to the activation time instead of the current time.
  - Otherwise, if expire_after is zero, negative or unset, and expire_time has been specified, that expiration time is used. If the expire_time specified is in the past, do_expire is set to 0 and the specified expiration time is ignored.
  - Otherwise, if expire_time is not specified, then the expire_time is not set and do_expire will always be set to zero.
  - If the do_expire field is not included in the form, the default expiration action is 4, Logout and Delete. This can be configured on the Customize Guest Manager page.
- expire_postlogin: This field determines the amount of time after the initial login for which the visitor account will remain valid. If this field is not specified, the default value is 0 (account lifetime not set).
- expire_usage: This field determines the total amount of login time permitted for the visitor account. If this field is not specified, the default value is 0 (account usage is unlimited).

Other Properties

- All other properties specified at creation time are stored with the visitor account (for example, email, visitor_name, visitor_company, visitor_phone, sponsor_name, as well as any custom fields that have been defined).

Standard Fields

See "Field, Form, and View Reference" on page 287 for a listing of the standard fields shipped with ClearPass Guest.

Standard Forms and Views

The figure below shows the standard forms and views in the application. The table below lists all the forms and views used for visitor management.

Table 19: Visitor Management Forms and Views

Name                    Type   Visitor Management Function      Editable?
change_expiration       Form   Change Expiration                Yes
create_multi            Form   Create Multiple                  Yes
create_user             Form   Create Account                   Yes
guest_edit              Form   Edit Account                     Yes
guest_export            View   Export Accounts                  Yes
guest_multi             View   Edit Multiple Accounts           Yes
guest_multi_form        Form   Edit Multiple Accounts           Yes
guest_receipt           Form   Print Receipt                    No
guest_register          Form   Guest Self-Registration          Yes
guest_register_receipt  Form   Guest Self-Registration Receipt  Yes
guest_sessions          View   Active Sessions                  Yes
guest_users             View   List Accounts                    Yes
remove_account          Form   Remove Account                   No
reset_password          Form   Reset Password                   No

These forms are accessed directly:

- create_multi form – multiple account creation
- create_user form – sponsored account creation
- guest_register form – guest self-registration form

These forms are accessed through the action row of the guest_users view:

- change_expiration form – change expiration time for a single account
- guest_multi_form form – editing multiple accounts
- guest_edit form – editing a single account
- reset_password form – reset password for a single account

These forms are the standard self-registration forms:

- guest_register form – self-registration form
- guest_register_receipt form – self-registration receipt

These standard views are defined in Guest Manager:

- guest_export view – view used when exporting guest account information
- guest_multi view – displays a list of guest accounts optimized for working with multiple accounts
- guest_sessions view – displays a list of current or historical sessions (see "Active Sessions Management" on page 59)
- guest_users view – displays a list of guest accounts optimized for working with individual accounts

Customizing Fields

Custom fields are fields that you define yourself to cater for areas of interest to your organization. You are able to define custom fields for your guest accounts as well as edit the existing fields.
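The activation and expiration rules from the Business Logic for Account Creation section above, worked through as an added example that is not ClearPass Guest code. It assumes naive datetimes, the “+1h” hour form for relative changes and “YYYY-MM-DD HH:MM” for absolute times as shown in the guide, and that a blank modify_schedule_time or modify_expire_time falls through to the schedule_after/schedule_time (expire_after/expire_time) rules:

```python
"""Activation and expiration resolution following the Visitor Account Activation
and Expiration Properties rules in the Business Logic for Account Creation section.
Added example for this guide; not ClearPass Guest code.  Assumptions: times are
naive datetimes; a relative change uses the "+1h" hour form the guide shows, an
absolute time uses the "YYYY-MM-DD HH:MM" form, and a blank modify_* value falls
through to the *_after / *_time rules."""
from datetime import datetime, timedelta
import re

RELATIVE = re.compile(r"^([+-])(\d+)h$")
ABSOLUTE = "%Y-%m-%d %H:%M"


def parse_time(value, base):
    """Resolve a relative ("+1h", applied to base) or absolute time string."""
    m = RELATIVE.match(value)
    if m:
        sign, hours = m.groups()
        delta = timedelta(hours=int(hours))
        return base + delta if sign == "+" else base - delta
    return datetime.strptime(value, ABSOLUTE)


def _hours(fields, name):
    """schedule_after / expire_after as an int; missing or blank counts as zero."""
    raw = fields.get(name)
    return int(raw) if raw not in (None, "") else 0


def resolve_activation(fields, now, current_activation=None):
    """Return (enabled, do_schedule, activation_time) for the submitted fields."""
    mode = fields.get("modify_schedule_time", "")
    enabled = int(fields.get("enabled", 1))
    if mode == "none":              # disabled, no activation time
        return 0, 0, None
    if mode == "now":               # enabled, no activation time
        return 1, 0, None
    if mode not in ("", "schedule_after", "schedule_time"):
        # Relative or absolute value: only the activation time changes.  A relative
        # change applies to the existing activation time (assumption: now if none).
        return enabled, 1, parse_time(mode, current_activation or now)
    after = _hours(fields, "schedule_after")
    if after > 0:                   # activate <after> hours from now, disabled until then
        return 0, 1, now + timedelta(hours=after)
    schedule_time = fields.get("schedule_time")
    if schedule_time:
        when = parse_time(schedule_time, now)
        if when < now:              # a past activation time: no scheduling, enabled now
            return 1, 0, when
        return 0, 1, when
    return enabled, 0, None         # nothing specified: no activation time


def resolve_expiration(fields, now, activation_time=None, current_expire=None):
    """Return (do_expire, expire_time, disable_now) for the submitted fields."""
    mode = fields.get("modify_expire_time", "")
    if mode == "none":              # no expiration time
        return 0, None, False
    if mode == "now":               # account is disabled, no expiration time
        return 0, None, True
    if mode not in ("", "expire_after", "expire_time"):
        return 1, parse_time(mode, current_expire or now), False
    after = _hours(fields, "expire_after")
    if after > 0:
        # Relative to the activation time when activation is scheduled in the future.
        base = activation_time if activation_time and activation_time > now else now
        return 1, base + timedelta(hours=after), False
    expire_time = fields.get("expire_time")
    if expire_time:
        when = parse_time(expire_time, now)
        if when < now:              # a past expiry time is ignored and do_expire cleared
            return 0, None, False
        return 1, when, False
    return 0, None, False           # nothing specified: do_expire stays zero


def plan_account(fields, now):
    """Apply both rule sets the way account creation does and return the result."""
    enabled, do_schedule, activation = resolve_activation(fields, now)
    do_expire, expiry, disable_now = resolve_expiration(fields, now, activation)
    return {
        "enabled": 0 if disable_now else enabled,
        "do_schedule": do_schedule,
        "schedule_time": activation,
        "do_expire": do_expire,
        "expire_time": expiry,
    }


if __name__ == "__main__":
    # Constructed sample: activate in 2 hours, expire 3 hours after activation.
    print(plan_account({"schedule_after": "2", "expire_after": "3"},
                       datetime(2013, 6, 1, 12, 0)))
```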
In addition, you can delete and duplicate fields. For your convenience, you are also able to list any forms or views that use a particular field.

NOTE: Fields that have a lock symbol cannot be deleted.

A complete list of fields is displayed when you click the Fields command link on the Customize Guest Manager page. To display only the fields that you have created, click the Custom Fields Only link in the bottom row of the list view. To return to displaying all fields, click the All Fields link.

Creating a Custom Field

To create a custom field, click the Create tab at the top of the window or the Create a new field link at the bottom of the window. The Create Field form is displayed.

The Field Name is not permitted to have spaces, but you can use underscores. Enter a description in the Description field. You can enter multiple-line descriptions, which result in separate lines displayed on the form.

The Field Type can be one of String, Integer, Boolean or No data type. The No data type field would be used as a label or a submit button.

You can specify the default properties to use when adding this field to a view. See "View Field Editor" on page 169 for a description of the view display fields, including the Column Type and Column Format fields.

You can specify the default properties to use when adding the field to a form. See "View Field Editor" on page 169 for a list of the available user interface types.

You can specify the default validation rules that should be applied to this field when it is added to a form. See "Form Validation Properties" on page 162 in this chapter for further information about form validation properties.

Select the Show advanced properties check box to reveal additional properties related to conversion, display and dynamic form behavior. See "View Field Editor" on page 169 in this chapter for more information about advanced properties.
Click the Save Changes button to complete the creation of a new field. The new field is added at the top of the field list. To change the position of the new field, you can re-sort the list or you can reload the page.

Duplicating a Field

To duplicate a field, click the field to be duplicated, then click the Duplicate link. The field is copied and a number appended to the end of the field name—for example, if you were to duplicate the card_code field, the duplicated field would be card_code_1. To rename the field, click Edit.

Editing a Field

You are able to alter the properties of the field by making changes to the Field Name, Field Type or Description when you click the Edit link. This link is available when you click a field in the list view. Click the Save Changes button to make the changes permanent.

Deleting a Field

Fields that do not have a lock symbol can be deleted by clicking on the Delete link. You will be asked to confirm the deletion. If you proceed with the deletion, you are informed when it has been completed. A field that is currently in use on a form or view may not be deleted.

Displaying Forms that Use a Field

Click the Show Forms link to see a list of forms that use the selected field. The list displays the forms that use the selected field. It also allows you to edit the form’s fields by clicking on the Edit Fields link. Clicking on the Use link opens the form using that field. If the field is used on multiple forms, you are able to select which form you would like to view.

Displaying Views that Use a Field

You are able to click the Show Views link to see a list of views that use the selected field. The list displays the views that use the selected field. It also allows you to edit the view’s fields by clicking on the Edit Fields link. Clicking on the Use link displays the view.
If the field is used on multiple views, you are able to select which view you would like to see.

Customizing AirGroup Registration Forms

AirGroup allows users to register their personal mobile devices on the local network and define a group of friends or associates who are allowed to share them. If AirGroup Services is enabled, AirGroup administrators can provision their organization’s shared devices and manage access, and AirGroup operators can register and provision a limited number of their own personal devices for sharing. For complete AirGroup deployment information, refer to the AirGroup Deployment Guide and the ClearPass Policy Manager documentation.

On the device registration forms for AirGroup administrators and operators, the default Shared Locations and Shared Roles fields are text boxes where the user enters the information. These fields can be configured as selection options populated with existing locations or roles.

Configuring the Shared Locations and Shared Role Fields

To configure a predefined list of shared locations or shared roles:

1. Go to Configuration > Fields and click the airgroup_shared_location or airgroup_shared_role row. The form expands to include the Edit, Duplicate, Show Forms, and Show Views links.
2. Click the Edit link. The Define Custom Field form opens. Scroll to the Default Form Display Properties section.
3. In the User Interface drop-down list, select Checklist.
4. In the Description text box, delete the existing text, then enter: Select the location IDs where this device will be shared. Leave blank to share with all locations.
5. Delete any text from the CSS Class and the CSS Style fields.
6. In the Options Generator drop-down list, select (Use options).
7. In the Options text box, enter a list of values to use as the checklist options that are presented to the user.
   The values you enter in the Options text box control both the values stored in the shared_location field in the database and the text displayed to the user in the checklist. Use the following format:

   tag1=value1 | Option 1
   tag2=value2 | Option 2

   ...where the tag=value pair tag1=value1 represents the value stored in the shared_location field in the database, the pipe character ( | ) is a separator, and Option 1 represents the text displayed in the checklist.
8. (Optional) To sort the locations by key or value, choose an option from the Sort drop-down list.
9. (Optional) To control the layout of the checklist on the form, first use the Layout drop-down list to select either Vertical or Horizontal. The name of the next field changes to correspond to your choice in this field. Enter the appropriate number in the Vertical Rows or Horizontal Rows field. If the Layout field is left blank, the default layout of a single list of checklist options is displayed.

To ensure the values are stored correctly as a comma-separated list:

1. Scroll to the Advanced Properties section of the form and mark the check box in the Advanced row. The form expands to include the advanced options.
2. In the Conversion drop-down list, select NwaImplodeComma. The form expands to include the Type Error row.
3. In the Display Function drop-down list, select NwaExplodeComma. The form expands to include the Display Param and Display Arguments rows.
4. In the Display Param text field, enter the value _self. Be sure to include the leading underscore character.
5. Click Save Changes.
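The option format from step 7 and the comma-separated storage round trip configured in the second procedure, as an added example that is not the product’s own (PHP) code: implode_comma and explode_comma are constructed stand-ins for NwaImplodeComma and NwaExplodeComma, and validate_submission is the server-side check a practitioner would add, since checklist keys arrive from the browser.

```python
"""Checklist option handling for the airgroup_shared_location / airgroup_shared_role
fields: parsing the "tag=value | Option" format, the comma-separated storage round
trip (stand-ins for NwaImplodeComma / NwaExplodeComma), and a server-side check that
submitted keys are among the configured options.  Added example for this guide, not
the product's code; function names are constructed."""


def parse_options(text):
    """Parse one option per line into an ordered list of (key, label) pairs.

    Everything left of the first '|' is the stored value (it need not contain '=',
    as the guide's AP-Location-3 example shows); the text to the right is shown to
    the user.  A line without '|' uses its key as the label; blank lines are skipped.
    Keys may not contain ',' because the stored form is comma-separated.
    """
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, label = line.partition("|")
        key = key.strip()
        if "," in key:
            raise ValueError(f"option key {key!r} contains ',' and cannot be stored")
        options.append((key, label.strip() if sep else key))
    return options


def sort_options(options, by=None):
    """Order options as the Sort drop-down would: None keeps entry order."""
    if by == "key":
        return sorted(options, key=lambda kv: kv[0])
    if by == "value":
        return sorted(options, key=lambda kv: kv[1])
    return list(options)


def implode_comma(selected):
    """Stand-in for NwaImplodeComma: the checklist's list of keys -> one stored string."""
    return ",".join(selected)


def explode_comma(stored):
    """Stand-in for NwaExplodeComma: the stored string -> the list of keys."""
    return [key for key in stored.split(",") if key] if stored else []


def validate_submission(options, submitted):
    """Split submitted keys into (accepted, rejected) against the configured options.

    Checklist values arrive from the browser, so anything not in the option list
    must be rejected before it is imploded into the shared_location field.
    """
    allowed = {key for key, _ in options}
    accepted = [key for key in submitted if key in allowed]
    rejected = [key for key in submitted if key not in allowed]
    return accepted, rejected


def checklist_state(options, stored):
    """Rows of (key, label, checked) for redisplaying a stored shared_location value."""
    selected = set(explode_comma(stored))
    return [(key, label, key in selected) for key, label in options]


# Constructed sample: the three options from the guide's vertical-layout example.
SAMPLE_OPTIONS_TEXT = """\
AP-Group=Location-1 | Location One
AP-Group=Location-2 | Location Two
AP-Location-3 | Location Three
"""

if __name__ == "__main__":
    options = parse_options(SAMPLE_OPTIONS_TEXT)
    accepted, rejected = validate_submission(
        options, ["AP-Group=Location-1", "AP-Location-3", "Location-9"])
    stored = implode_comma(accepted)
    print(stored, rejected, checklist_state(options, stored))
```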
Example: If the layout is set to vertical and the following options are specified:

AP-Group=Location-1 | Location One
AP-Group=Location-2 | Location Two
AP-Location-3 | Location Three

The user interface appears as follows:

Customizing Forms and Views

You are able to view a list of forms and views. From this list view, you can change the layout of forms or views, add new fields to a form or view, or alter the behavior of an existing field.

To view or customize forms and views, go to Configuration > Forms & Views. The Customize Forms and Views page opens.

You can open a form or view directly from the Forms and Views page. To open a form or view to use it, go to Configuration > Forms & Views, click the form’s or view’s row in the list, then click its Use link. The form or view opens in a separate browser tab, and the Forms and Views tab stays open so you can work in both.

An asterisk (*) shown next to a form or view indicates that the form or view has been modified from the defaults. You can click the Reset to Defaults link to remove your modifications and restore the original form. Resetting a form or view is a destructive operation and cannot be undone. You will be prompted to confirm the form or view reset before it proceeds.

Editing Forms and Views

You can change the general properties of a form or view, such as its title and description. To edit the form or view, go to Configuration > Forms & Views, click the form’s or view’s row in the list, then click its Edit link. The row expands to include the Edit Properties form.

The Width field is only displayed for views. It specifies the total width of the list view in pixels. If blank, a default value is used.
You can customize the page title, header HTML, and footer HTML for many forms and views (for example, Create Guest Account, Edit Guest Accounts, and others). When these options are available, the Page Properties area is included on the Edit Properties form.

Duplicating Forms and Views

You can make a copy of a form or view to use as a template in order to provide different forms and views to different operator profiles. See "Role-Based Access Control for Multiple Operator Profiles" on page 242 for a description. This enables you to provide different views of the underlying visitor accounts in the database depending on the operator’s profile.

To make a copy of the form or view, go to Configuration > Forms & Views, click the form’s or view’s row in the list, then click its Duplicate link. The copy is added to the Forms and Views list.

The name of the duplicated form or view is the same as the original with a number appended. This name cannot be changed. Use the Title and Description properties of the duplicated item to describe the intended purpose for the form or view.

Click the Show Usage link for a duplicated form or view to see the operator profiles that are referencing it.

Click the Delete link for a duplicated form or view to remove the copy. A duplicated item cannot be removed if it is referenced by an operator login account or an operator profile.

Editing Forms

To add a new field to a form, reorder the fields, or make changes to an existing field, go to Configuration > Forms & Views, click the form’s row in the Customize Forms & Views list, and then click the Edit Fields link. The Customize Form Fields view opens.

Form fields have a Rank number, which specifies the relative ordering of the fields when displaying the form. The Customize Form Fields editor always shows the fields in order by rank.

The Type of each form field is displayed.
The Type controls what kind of user interface element is used to interact with the user. The Label and Description displayed on the form are also shown in the list view.
To work with a form field, click its row in the list. The row expands to include the Edit, Edit Base Field, Remove, Insert Before, Insert After, and Disable Field options.
- To change an existing field, click its Edit link. The Form Field Editor opens. Changes made with this editor apply only to this field on this form.
- To change an existing field's definition, click its Edit Base Field link. Changes made with this editor apply to all forms that use the field (except where a form field has already been modified to differ from the underlying field definition).
- Use the Insert Before and Insert After links to add a new field to the form. Clicking one of these links opens a blank form field editor and automatically sets the rank number of the new field.
Use the Preview Form tab at the top of the list view to see what the form looks like. The preview form can be submitted to test the validation rules you have defined. If every field validates, the submission succeeds and a summary of the submitted values is displayed, which lets you verify any data conversion and formatting rules you have set up.

Form Field Editor
The form field editor controls both the data-gathering aspects and the user interface characteristics of a field. Each field can appear only once on a form. The Field Name selects which underlying field is represented on the form. The remainder of the form field editor is split into three sections:
- Form Display Properties
- Form Validation Properties
- Advanced Properties
See "Form Display Properties" on page 153 for detailed descriptions of these sections.
Form Display Properties
The form display properties control the user interface that the field will have. The options available in this section depend on the selection you make in the User Interface drop-down list. The available user interface elements are listed below.
- (Use default) – The default user interface type defined for the field is used.
- No user interface – The field has no user interface specified. Using this value causes a diagnostic message ("Form element is missing the 'ui' element") to be displayed when the form is used.
- CAPTCHA security code – A distorted image of several characters is displayed to the user. The image may be regenerated, or played as an audio sample for visually impaired users. When the recommended validator for this field (NwaCaptchaIsValid) is used, the security code must be matched or the form submission fails with an error; without the validator, the code is displayed but never checked.
- Check box – A check box is displayed for the field. The check box label can be specified using HTML. If the check box is selected, the field is submitted with its value set to the check box value (default and recommended value 1). If the check box is not selected, the field is not submitted with the form.
- Checklist – A list of check boxes is displayed. The text shown for each check box is the value from the options list. Zero or more check boxes may be selected. This user interface type submits an array of values containing the option key of each selected check box. Because an array value cannot be stored directly in a custom field, use the conversion and value formatting facilities to convert the array to and from a string when using this user interface type.
To store a comma-separated list of the selected values, enable the Advanced options, select "NwaImplodeComma" for Conversion, select "NwaExplodeComma" for Display Function, and enter the field's name for Display Param.
The "Vertical" and "Horizontal" layout styles control whether the check boxes are arranged top-to-bottom or left-to-right. The default is "Vertical" if not specified. With these options you may also specify the desired number of columns or rows to adjust the layout.
For example, suppose the first two check boxes (with keys "one" and "two") are selected. The incoming value for the field is an array of two elements, which can be written as array("one", "two"). The NwaImplodeComma conversion converts this array into the string "one,two", which is then used as the value of the field. When the form is displayed again and the stored string must be converted back, the NwaExplodeComma display function turns "one,two" back into array("one", "two"), which the checklist uses to mark the first two items as selected.
- Date/time picker – A text field is displayed with an attached button that opens a calendar and time chooser. A date may be typed directly into the text field or selected from the calendar. The text value typed is submitted with the form. If you use a date/time picker, validate the field value to ensure it is a date. Certain guest account fields, such as expire_time and schedule_time, require a date/time value to be provided as a UNIX time value. In this case, use the conversion and display formatting options to convert the human-readable date and time to the equivalent UNIX time and back.
- Drop-down list – The field is displayed as a drop-down list allowing a single choice. The text shown for each option is the value from the options list. When the form is submitted, the key of the selected option becomes the value of the field. If the "Hide when no options are selectable" check box is selected and the drop-down list contains only a single option, that option is displayed as a static text item rather than as a one-item list.
- File upload – Displays a file selection text field and dialog box (the exact appearance differs between browsers). File uploads cannot be stored in a custom field. This user interface type requires special form implementation support and is not recommended for custom fields.
- Hidden field – The field is not displayed to the user but is submitted with the form. This option is often used to supply a specific value such as a user's role or an expiration date. However, a hidden field is hidden only in the rendered page: anyone can use browser tools to change its value before the form is submitted, so the value it carries back must not be trusted on its own. If the value must be fixed, use the Force Value setting under Advanced Properties so that the submitted value cannot override it. For more information, see "Advanced Form Field Properties" on page 165. To set the value submitted for this field, use the Initial Value option in the form field editor.
- Password text field – The field is displayed as a text field with the user's input obscured. The text typed in this field is submitted as the value of the field.
- Radio buttons – The field is displayed as a group of radio buttons, of which one may be selected. The text shown for each option is the value from the options list. When the form is submitted, the key of the selected option becomes the value of the field.
The "Vertical" and "Horizontal" layout styles control whether the radio buttons are arranged top-to-bottom or left-to-right. The default is "Vertical" if not specified.
- Static text – The field's value is displayed as a non-editable text string. An icon image may optionally be displayed before the value. A hidden element is also included for the field, so the field's value is included when the form is submitted. If the Hide when no options are selectable check box is selected in the Collapse row, the field is hidden when its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.
- Static text (Raw value) – The field's value is displayed as a non-editable text string, but HTML characters in the value are not escaped, which allows you to display HTML markup such as images, links, and font formatting. Use caution with this user interface element, particularly if the field's value is collected from visitors: allowing HTML from untrusted sources is a security risk, because unescaped markup can carry scripts (cross-site scripting) into every page that displays the value. If the Hide when no options are selectable check box is selected in the Collapse row, the field is hidden when its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.
- Static text (Options lookup) – The value of the field is assumed to be one of the keys from the field's option list. The corresponding option value is displayed as a non-editable text string. An icon image may optionally be displayed before the value. A hidden element is also included for the field, so the field's value is included when the form is submitted.
If the Hide when no options are selectable check box is selected in the Collapse row, the field is hidden when its value is blank. To set the value of this field, use the Initial Value option in the Form Validation Properties area of the form field editor.
- Static group heading – The label and description of the field are used to display a group heading on the form. The field's value is not used, and the field is not submitted with the form. With this user interface element, it is recommended that you use the "nwaImportant" CSS class to visually distinguish the group heading's title.
- Submit button – The field is displayed as a clickable form submit button, with the label of the field as the button's label. The description is not used. The field's value is ignored and is set to NULL when the form is submitted. To place an image on the button, specify an icon. To match the existing user interface conventions, ensure that the submit button has the highest rank number so that it is displayed at the bottom of the form.
- Text area – The field is displayed as a multiple-line text box. The text typed in this box is submitted as the value of the field. It is recommended that you specify the desired minimum dimensions of the text area, either with the Rows and Columns options or with a width and height in the CSS Style option (for example, "width: 460px; height: 100px;" specifies a 460 x 100 pixel minimum area).
- Text field – The field is displayed as a single-line text box. The text typed in this box is submitted as the value of the field. A short text label may be placed after the text box using the Label After option.

Form Validation Properties
The form validation properties control the validation of data entered into a form.
By specifying appropriate validation rules, you can detect when users enter incorrect data and require them to correct it.
The initial value for a form field may be specified. Use this option when a field value has a sensible default. The initial value should be expressed in the same way as the field's value: for drop-down list and radio button selections, the initial value should be the key of the desired default option, and for date/time fields that have a display function set, the initial value should be a value that can be passed to the display function.
Select the Field value must be supplied check box to mark the field as required. Required fields are marked with an asterisk. An optional field may be left blank, in which case it is not validated because there is no value to validate; however, any value that is supplied for an optional field is subject to the validation checks. All values supplied for a required field are always validated, including blank values.
Validation errors are reported to the user by highlighting the field(s) in error and displaying the validation error message next to the field. All fields must validate successfully before any form processing takes place. This ensures that form processing always operates on user input that is known to be valid.
To validate a specific field, choose a validator from the drop-down list. See "Form Field Validation Functions" on page 298 for a description of the built-in validators.
The Validator Param is the name of a field on the form whose value should be passed to the validator as its argument. This can be used to validate one field based on the contents of another. In most deployments, however, it does not need to be set.
Set the Validator Param to its default value, "(Use argument)", to provide a fixed value as the argument to the validator. The Validator Argument provides further instructions to the selected validator. Not all validators require an argument; a validator such as IsValidEmail is entirely self-contained and ignores the Validator Argument. Validators such as IsEqual, IsInRange, and IsRegexMatch use the argument to perform validation.

Examples of Form Field Validation
Example 1 – To create a form field that requires an integer value between 1 and 100 (inclusive), use the following settings in the form field editor:
NOTE: The form field will contain an integer value, so set the field's type to Integer when creating it.
Use the PHP syntax array(1, 100) to specify the minimum and maximum values for the IsInRange validator. After you save the form, this value is internally converted to the equivalent code:

    array (
      0 => 1,
      1 => 100,
    )

With these validator settings, users who enter an out-of-range value receive the validation error message. Note that blank values or non-numeric values produce a different error message. The reason is that in this case validation has failed because of a type error: the field is specified to have an integer type, and a blank or non-numeric value cannot be converted to an integer. To set the error message displayed in this case, use the Type Error option under the Advanced Properties.
Example 2 – To create a form field that accepts one of a small number of string values, use the following settings in the form field editor. This example could be used for a string field named visitor_department. Because the values are known in advance, a drop-down list is the most suitable user interface.
An initial value for the form field could be used if most visitors are in fact there to visit the sales team. To match against the list of options used for a drop-down list or set of radio buttons, use the IsInOptionsList validator.
Example 3 – To create a form field that validates U.S. social security numbers using a regular expression, use the following settings in the form field editor. Notice that the regular expression includes beginning and ending delimiters (in this case the / character), and that the start-of-string marker ^ and the end-of-string marker $ ensure that the whole string must match; without them, the pattern is satisfied if it occurs anywhere within the value. The construct \d matches a single digit. Many equivalent regular expressions could be written to perform this validation task. See "Regular Expressions" on page 305 for more information about regular expressions.

Advanced Form Field Properties
The Advanced Properties control certain optional form processing behaviors. You can also specify JavaScript expressions to build dynamic forms similar to those found elsewhere in the application. On the Customize Form Fields page, select the Show advanced properties check box to display the advanced properties in the form field editor.
The Conversion, Value Format, and Display Function options enable certain form processing behavior. See "Form Field Conversion Functions" on page 301 and "Form Field Display Formatting Functions" on page 301.
In the Force Value row, select the Always use initial value on form submit check box to prevent attempts to override the value set for a field. When this option is set, if a user modifies the field's value, it reverts to the specified initial value when the form is submitted. A similar effect can be achieved with appropriate validation rules, but selecting this check box is easier.
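The three validation examples above and the Force Value option can be modelled in a few lines. The following Python is an added example, not ClearPass Guest code: the field names (visitor_count, visitor_department, visitor_ssn, role_id), the department option keys, the social security number pattern /^\d{3}-\d{2}-\d{4}$/ and the error messages are constructed for illustration, and the validator functions are stand-ins for IsInRange, IsInOptionsList and IsRegexMatch. It shows the distinction the page draws between a type error on an Integer field and a validator failure, the rule that blank optional fields are not validated, the effect of the ^ and $ anchors in a regular expression, and why a forced hidden field cannot be overridden by a modified submission.

```python
import re

# Added example modelling the validation rules described on this page.
# Field definitions, option keys, pattern and messages are constructed, not
# taken from ClearPass; the is_* functions are stand-ins for the named validators.

DEPARTMENTS = {"sales": "Sales", "eng": "Engineering", "hr": "Human Resources"}  # assumed option list

def coerce_integer(raw):
    """Integer field type: blank or non-numeric input cannot be converted (type error)."""
    text = "" if raw is None else str(raw).strip()
    return int(text) if re.fullmatch(r"-?\d+", text) else None

def is_in_range(value, bounds):
    """IsInRange with argument array(min, max): inclusive on both ends."""
    lo, hi = bounds
    return lo <= value <= hi

def is_in_options_list(value, options):
    """IsInOptionsList: the submitted value must be an option key, not a display label."""
    return value in options

def is_regex_match(value, delimited):
    """IsRegexMatch with a delimited pattern such as /^abc$/ or /abc/i."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", delimited, re.S)
    if not m:
        raise ValueError("regular expression must include delimiters, e.g. /^abc$/")
    pattern, flags = m.groups()
    # search(), not fullmatch(): only the pattern's own ^ and $ anchor it to the whole value
    return re.search(pattern, value, re.I if "i" in flags else 0) is not None

def validate(field, submitted):
    """Return (True, value) or (False, message), following the rules on the page."""
    # Force Value: the initial value is always used, whatever the browser sent back.
    raw = field["initial_value"] if field.get("force_value") else submitted
    blank = raw is None or str(raw).strip() == ""
    if blank and not field.get("required"):
        return True, None  # an optional field left blank is not validated
    if field.get("type") == "Integer":
        value = coerce_integer(raw)
        if value is None:  # type error: reported with the Type Error message
            return False, field.get("type_error", "Please enter a whole number")
    else:
        value = "" if raw is None else str(raw)
    validator = field.get("validator")
    if validator and not validator(value, field.get("argument")):
        return False, field.get("error", "Invalid value")
    return True, value

FIELDS = {
    # Example 1: integer between 1 and 100 inclusive, with distinct type-error text
    "visitor_count": {"type": "Integer", "required": True,
                      "validator": is_in_range, "argument": (1, 100),
                      "error": "Please enter a number between 1 and 100",
                      "type_error": "Please enter a whole number"},
    # Example 2: drop-down list of known departments (initial value only pre-fills the form)
    "visitor_department": {"type": "String", "required": True, "initial_value": "sales",
                           "validator": is_in_options_list, "argument": DEPARTMENTS,
                           "error": "Please choose a department"},
    # Example 3: optional U.S. social security number; the pattern is an assumption
    "visitor_ssn": {"type": "String", "required": False,
                    "validator": is_regex_match, "argument": r"/^\d{3}-\d{2}-\d{4}$/",
                    "error": "Enter the number as NNN-NN-NNNN"},
    # Hidden role field with Force Value set: a tampered submission is discarded
    "role_id": {"type": "Integer", "required": True, "initial_value": "2", "force_value": True},
}
```

Compare validate(FIELDS["visitor_count"], "250") with validate(FIELDS["visitor_count"], "ten"): the first fails in the validator, the second never reaches it because the Integer type conversion fails, which is exactly the two-message behaviour Example 1 describes. Submitting "1" for role_id still stores 2, because Force Value replaces the submitted value before anything else happens.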
Using this option is recommended for hidden fields, particularly those related to security, such as role ID or expiration date.
For pre-registered guest accounts, some fields may be completed during pre-registration and others left for the guest to complete at registration. Use the Pre-Registration field to specify whether the guest's entry must match the preliminary value provided for a field during pre-registration:
- If no value was provided for the field when the account was created, choose Field was not pre-registered.
- If a preliminary value was provided but the guest's entry does not need to match in case or in every character, choose Guest must supply field. For example, a bulk account creation might use random usernames, and each visitor's entry in that field would not need to match exactly.
- If a preliminary value was provided and the guest's entry must match in case and in every character, choose Guest must supply field (match case). If the guest's entry does not match the pre-registered value, the registration fails. For example, if a list of email addresses and phone numbers was imported for pre-registration, each visitor's entries for those fields at registration must match.

Form Field Validation Processing Sequence
Figure 26 shows the interaction between the user interface displayed on the form and the various conversion and display options.
Figure 26: Steps involved in form field processing
The Conversion step should be used when the type of data displayed in the user interface differs from the type required when storing the field.
For example, consider a form field displayed as a date/time picker, such as the expire_time field used to specify an account expiration time on the create_user form. The user interface is a text field, but the value required for form processing is a UNIX time (an integer). In this case, the Conversion function is set to NwaConvertOptionalDateTime, which converts the string time representation from the form field (for example, "2008-01-01") to UNIX time (for example, 1199145600). The Validator for the expire_time field is IsValidFutureTimestamp, which checks an integer value against the current time.
The Value Formatter is applied after validation. It may be used where the validator requires the specific type of data supplied on the form but the stored value should be of a different type. In the expire_time example this is not required, so the value formatter is not used. However, if the Conversion function had not been used and the Validator had been set to IsValidFutureDateTime (which checks a string date/time value), then the Value Formatter would need to be set to NwaConvertOptionalDateTime to perform the data conversion before the form processing. The two approaches compare as follows:

                  Convert, then validate          Validate, then convert
    Conversion    NwaConvertOptionalDateTime      (none)
    Validator     IsValidFutureTimestamp          IsValidFutureDateTime
    Value Format  (none)                          NwaConvertOptionalDateTime
    Stored value  UNIX time                       UNIX time

When using a Conversion or Value Format function, you will almost always also have to set up a Display Function for the form field. This function performs the conversion in the reverse direction, from the internal stored value to the value displayed in the form field. See "Form Field Conversion Functions" on page 301 for a detailed list of the options available for the Conversion and Value Format functions.
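To make the processing sequence concrete, here is an added Python model of it; it is not ClearPass code. The nwa_* functions are constructed stand-ins for NwaConvertOptionalDateTime, NwaDateFormat, NwaImplodeComma and NwaExplodeComma, so their exact parsing and formatting behaviour is an assumption (UTC is assumed, and an unparsable date is treated like a blank so that it fails the validator rather than raising). It runs the expire_time field through both approaches compared above and shows that they store the same UNIX time, and it also covers the checklist field from the Form Display Properties section, whose array value is imploded to a comma-separated string on the way in and exploded again for display.

```python
from datetime import datetime, timezone

# Added example modelling the form-field processing sequence:
#   Conversion -> Validator -> Value Format -> stored value, and
#   Display Function (with Display Argument) on the way back to the form.
# The nwa_* functions are constructed stand-ins for the ClearPass functions of
# similar name; their exact behaviour is an assumption. UTC is assumed throughout.

DATE_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M", "%Y-%m-%d")

def nwa_convert_optional_datetime(text, _arg=None):
    """Stand-in for NwaConvertOptionalDateTime: date/time string -> UNIX time.
    Blank input returns None; so does an unparsable string (assumption)."""
    text = "" if text is None else str(text).strip()
    for fmt in DATE_FORMATS:
        try:
            dt = datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
            return int(dt.timestamp())
        except ValueError:
            continue
    return None

def nwa_date_format(unix_time, fmt=None):
    """Stand-in for NwaDateFormat: UNIX time -> string in the Display Argument format."""
    if unix_time is None:
        return ""
    return datetime.fromtimestamp(int(unix_time), timezone.utc).strftime(fmt or "%Y-%m-%d %H:%M")

def nwa_implode_comma(values, _arg=None):
    """Stand-in for NwaImplodeComma: checklist array -> 'one,two'."""
    return ",".join(values or [])

def nwa_explode_comma(text, _arg=None):
    """Stand-in for NwaExplodeComma: 'one,two' -> ['one', 'two']; blank -> []."""
    return text.split(",") if text else []

def is_valid_future_timestamp(value, now):
    """IsValidFutureTimestamp: an integer UNIX time strictly later than now."""
    return isinstance(value, int) and value > now

def is_valid_future_datetime(value, now):
    """IsValidFutureDateTime: the same check applied to the string form."""
    ts = nwa_convert_optional_datetime(value)
    return ts is not None and ts > now

def process_field(field, submitted, now):
    """Server-side processing of one submitted value: (True, stored) or (False, message)."""
    value = field["conversion"](submitted) if field.get("conversion") else submitted
    if field.get("validator") and not field["validator"](value, now):
        return False, field.get("error", "Invalid value")
    if field.get("value_format"):  # applied only after validation has succeeded
        value = field["value_format"](value)
    return True, value

def display_field(field, stored):
    """Reverse direction: stored value -> value shown in the form's user interface."""
    fn = field.get("display_function")
    return fn(stored, field.get("display_argument")) if fn else stored

# Left column of the comparison: convert first, then validate the integer.
EXPIRE_TIME_CONVERT_FIRST = {
    "conversion": nwa_convert_optional_datetime,
    "validator": is_valid_future_timestamp,
    "display_function": nwa_date_format,
    "display_argument": "%Y-%m-%d %H:%M",
    "error": "The expiration time must be in the future",
}
# Right column: validate the string, then convert in the Value Format step.
EXPIRE_TIME_VALIDATE_FIRST = {
    "validator": is_valid_future_datetime,
    "value_format": nwa_convert_optional_datetime,
    "display_function": nwa_date_format,
    "display_argument": "%Y-%m-%d %H:%M",
    "error": "The expiration time must be in the future",
}
# Checklist stored in a custom field as a comma-separated string.
INTERESTS = {"conversion": nwa_implode_comma, "display_function": nwa_explode_comma}
```

With now set to one second before 2008-01-01 00:00:00 UTC, both expire_time definitions store 1199145600 for the input "2008-01-01", and display_field turns that back into "2008-01-01 00:00". A blank or unparsable date fails in either approach, but for different reasons: in the first, the conversion yields nothing for the integer validator to accept; in the second, the string validator rejects it before the Value Format step is reached.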
The Display Param is the name of a form field whose value is passed to the Display Function. In almost all cases this should be the name of the form field itself. Display Arguments control the conversion process. For the expire_time form field, the Display Function is set to NwaDateFormat to convert a UNIX time to a date/time string, and the Display Argument specifies the format to use. See "Form Field Display Formatting Functions" on page 301 for a detailed list of the options available for the Display Function and Static Display Function.
The Enable If and Visible If options in the form field editor accept JavaScript expressions. The result of evaluating these expressions enables or disables, or shows or hides, the form field in real time while an operator is using the form. Unlike the other parts of the form field editor, the Enable If and Visible If expressions are evaluated by the operator's Web browser; the server does not use them for any other purpose. Because they run only in the browser, they do not constrain what a client can submit; use validation rules and Force Value for that.
The expression must be a Boolean expression in the JavaScript language; statements and other code must not be included, as they cause a syntax error when the form is displayed in a Web browser. Because of the scoping rules of JavaScript, all of the user interface elements that make up the form are available as variables in the local scope, with the same name as the form field. Thus, to access the current value of a text field named sample_field in a JavaScript expression, use sample_field.value. Most user interface elements support the value property to retrieve the current value; for check boxes, however, use the checked property to determine whether the check box is currently selected. The most practical use of this capability is to hide a form field until a certain value of a related field has been selected.
For example, the default create_user form has an Account Expiration drop-down list. One of the values in this list is special: the -1 option displays the value "Account expires at a specified time…". When this option is selected, the form expands to include the Expires After row, allowing the user to specify a time other than one of the options in the list. The expire_time field uses the JavaScript expression expire_after.value < 0 for its Visible If option. When the -1 option is selected, this condition becomes true and the field is displayed. Additional examples of Visible If conditional expressions can be found in the guest_edit form.

Editing Views
A view consists of one or more columns, each of which contains a single field. You can change which fields are displayed and how each field is displayed. You can also define your own fields on the Customize Fields page and then add them to a view by choosing appropriate display options for each new column.
To add a new field to a view, reorder the fields, or change an existing field in a view, select the view in the Customize Forms & Views list and click the Edit Fields link. This opens the Customize View Fields editor.
View fields have a Rank number, which specifies the relative order of the columns when the view is displayed. The Customize View Fields editor always shows the columns in rank order. The Type of each field is displayed; it controls what kind of user interface element is used to display the column and whether the column is sortable. The Title and Width of the column are also shown in the list view. Values displayed in italics are the default values defined for the field being displayed.
Click a view field in the list view to select it. Use the Edit link to change an existing column using the View Field Editor.
Changes made with this editor apply only to this field on this view. Use the Edit Base Field link to change an existing field definition. Changes made with this editor apply to all views that use the field (except where the view field has already been modified to differ from the underlying field definition). Use the Insert Before and Insert After links to add a new column to the view. Clicking one of these links opens a blank view field editor and automatically sets the rank number of the new column. Use the Add Field tab to add a new column to the view. Click the Enable Field and Disable Field links to quickly turn the display of a column on or off.

View Field Editor
The view field editor controls the data-display aspects of a column within the view. Each column in a view displays the value of a single field. To use the default view display properties for a field, select the field to display in the column and click the Save Changes button. To customize the view display properties, select the Advanced view options… check box.
The column type must be one of the following:
- Text – The column displays a value as text.
- Sortable text – The column displays a value as text and may be sorted by clicking the column heading.
- Sortable text, case-insensitive – The same as "Sortable text", but sorting treats uppercase and lowercase letters the same.
- Sortable numeric – The column displays a numeric value and may be sorted by clicking the column heading.
The Column Format specifies how the field's value is displayed. Choose one of the following:
- Field Value – The value of the field is displayed as plain text.
- Field Value (Un-Escaped) – The value of the field is displayed as HTML. The same caution applies as for the Static text (Raw value) form element: do not use it for values that may contain visitor-supplied markup.
- Boolean – Yes/No – The value of the field is converted to Boolean and displayed as "Yes" or "No".
- Boolean – Enabled/Disabled – The value of the field is converted to Boolean and displayed as "Enabled" or "Disabled".
- Boolean – On/Off – The value of the field is converted to Boolean and displayed as "On" or "Off".
- Date – The value of the field is assumed to be a UNIX timestamp and is displayed as a date and time.
- Duration (from seconds) – The value of the field is assumed to be a time period in seconds and is displayed as a duration (for example, "23 seconds", "45 minutes").
- Duration (from minutes) – The value of the field is assumed to be a time period in minutes and is displayed as a duration (for example, "45 minutes", "12 hours").
- Use form options – The value of the field is assumed to be one of the keys from the field's option list. The corresponding option value is displayed.
- Custom expression… – The Display Expression text area is displayed, allowing a custom JavaScript expression to be entered. See "View Display Expression Technical Reference" on page 303 for technical information about this display expression and a list of the functions available to format the value.
The Display Expression is a JavaScript expression that generates the contents of the column. Generally this is a simple expression that returns an appropriate piece of data for display, but more complex expressions can be used to perform arbitrary data processing and formatting.

Customizing Self-Provisioned Access
Guest self-registration allows an administrator to customize the process by which guests create their own visitor accounts. The registration process consists of a data collection step (the "register page") and a confirmation step (the "receipt page").
You can define what information is collected from visitors on the registration page. New fields and data validation rules can be defined with the custom form editor. Specific details about the type of visitor accounts created are also set here.
The receipt page also includes a form, although typically this form contains only static information about the guest account. Several different actions can be included on the receipt page, enabling visitors to obtain their receipt in different ways. The receipt page can also be used to log the guest into a Network Access Server automatically, so that they can start using the network immediately.
Detailed user interface customization can be performed for all parts of the self-registration process. You can define page titles and template code for the page header and footer, and choose a skin that controls the overall look and feel of self-registration. The default user interface customization can be disabled.

Self-Registration Sequence Diagram
To set up a captive portal with guest self-registration, configure your Network Access Servers to redirect guests to the URL of the "Go To" link. To complete the portal, ensure that the NAS is configured to authorize users with the ClearPass Guest RADIUS server, and set up the self-registration NAS login to redirect registered guests back to the NAS. This process is shown in Figure 27.
Figure 27: Sequence diagram for guest self-registration
The captive portal redirects unauthorized users [1] to the register page [2]. After the registration form is submitted [3], the guest account is created and the receipt page is displayed [4] with the details of the guest account. If NAS login is enabled, submitting the form on this page displays a login message [5] and automatically redirects the guest to the NAS login [6].
After authentication and authorization, the guest's security profile is applied by the NAS [7], enabling the guest to access the network [8].

Creating a Self-Registration Page
To create a new guest self-registration page, go to Configuration > Guest Self-Registration and click the Create new self-registration page link. The Customize Guest Registration form is displayed.
The Register Page is the name of a page that does not already exist. The name must not contain spaces, because it becomes part of the URL used to access the self-provisioning page. For example, the default "guest_register" page is accessed using the URL guest_register.php.
Click the Save Changes button to save the self-registration page. A diagram of the self-registration process is displayed. Click the Save and Continue button to proceed to the next step of the setup.
Once a self-registration page has been created, you can edit, delete, duplicate, or go to it, provided self-registration has been enabled.

Editing Self-Registration Pages
The guest self-registration process is displayed in graphical form, as shown in Figure 28. The guest's workflow is shown with solid orange arrows, and the administrator's workflow with dotted blue arrows. To access this page in the WebUI:
1. Navigate to Configuration > Guest Self-Registration.
2. Select an entry in the Guest Self-Registration list, then click Edit.
3. The Customize Guest Registration workflow page appears.
Figure 28: Guest Self-Registration Workflow Diagram
A guest self-registration page consists of many different settings, which are divided into groups across several pages. Click an icon or label in the diagram to jump directly to the editor for that item.
Configuring Basic Properties for Self-Registration

Click the Master Enable, User Database, Choose Skin, or Rename Page links to edit the basic settings for guest self-registration. The Basic Properties window has configurable settings such as Name, Description, enabling guest self-registration, Register Page, Parent, and Authentication.

Using a Parent Page

To use the settings from a previously configured self-registration page, select an existing page name from the Parent drop-down menu. This is useful if you need to configure multiple registrations. You can always override parent page values by editing field values yourself. To create a self-registration page with new values, select the Guest Self-Registration (guest_register) option from the Parent field drop-down menu.

Paying for Access

If you select the standalone self-registration option (No parent - standalone), you can also configure the Hotspot option. You can configure this setting so that registrants have to pay for access.

Requiring Operator Credentials

If you want to require an operator to log in with their credentials before they can create a new guest account, select the Require operator credentials prior to registering guest check box. The sponsor’s operator profile must have the Guest Manager > Create New Guest Account privilege already configured. If you choose this option, the authenticated page it produces for creating accounts is very simple, and does not include navigation or other links that would otherwise be available in the operator user interface.

You can specify access restrictions for the self-registration page in the Access Control section of this form. The Allowed Access and Denied Access fields are access control lists that determine if a client is permitted to access this guest self-registration page.
You can specify multiple IP addresses and networks, one per line, using the following syntax:
- 1.2.3.4 – IP address
- 1.2.3.4/24 – IP address with network prefix length
- 1.2.3.4/255.255.255.0 – IP address with explicit network mask

Use the Deny Behavior drop-down list to specify the action to take when access is denied.

The Time Access field allows you to specify the days and times that self-registration is enabled. Times must be entered in 24-hour clock format. For example:
- Mondays, Wednesdays and Fridays, 8:00 to 17:00
- Weekdays, 6:00 to 18:00
- Weekends 10:00 to 22:00 and Thursday 11:00 to 13:00

The access control rules will be applied in order, from the most specific match to the least specific match. Access control entries are more specific when they match fewer IP addresses. The most specific entry is a single IP address (for example, 1.2.3.4), while the least specific entry is the match-all address of 0.0.0.0/0.

As another example, the network address 192.168.2.0/24 is less specific than a smaller network such as 192.168.2.192/26, which in turn is less specific than the IP address 192.168.2.201 (which may also be written as 192.168.2.201/32).

To determine the result of the access control list, the most specific rule that matches the client’s IP address is used. If the matching rule is in the Denied Access field, then the client will be denied access. If the matching rule is in the Allowed Access field, then the client will be permitted access.

If the Allowed Access field is empty, all access will be allowed, except to clients with an IP address that matches any of the entries in the Denied Access field. This behavior is equivalent to adding the entry 0.0.0.0/0 to the Allowed Access field. If the Denied Access list is empty, only clients with an IP address that matches one of the entries in the Allowed Access list will be allowed access.
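As an added illustration that is not part of this guide or of the ClearPass Guest product code, the following Python evaluates a client address against Allowed Access and Denied Access lists using the most-specific-match rule and the implicit 0.0.0.0/0 entries described above. Two cases the guide does not spell out are handled as stated assumptions: an allow and a deny entry of equal specificity, and a client matching neither list when both are populated, are both treated as denied (fail closed).

```python
import ipaddress
from typing import List, Optional, Tuple

# The implicit match-all entry the guide describes for an empty list.
MATCH_ALL = ipaddress.ip_network("0.0.0.0/0")


def parse_acl(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one entry per line in the three syntaxes the form accepts:
    1.2.3.4, 1.2.3.4/24 and 1.2.3.4/255.255.255.0. Blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # strict=False masks host bits, so 1.2.3.4/24 is the network 1.2.3.0/24;
        # a bare address becomes a /32, the most specific entry possible.
        entries.append(ipaddress.ip_network(line, strict=False))
    return entries


def most_specific_match(client: ipaddress.IPv4Address,
                        entries: List[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the matching entry that covers the fewest addresses (longest prefix), or None."""
    best = None
    for net in entries:
        if client in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def evaluate_access(client_ip: str, allowed_text: str, denied_text: str) -> Tuple[bool, str]:
    """Decide whether client_ip may reach the self-registration page.

    Returns (permitted, reason). The most specific entry across both lists that
    matches the client decides the result."""
    client = ipaddress.ip_address(client_ip)
    allowed = parse_acl(allowed_text)
    denied = parse_acl(denied_text)

    if not allowed and not denied:
        # Assumption: nothing in either field means no restriction is configured.
        return True, "no access control entries configured"
    # An empty Allowed Access field behaves like 0.0.0.0/0 in Allowed Access,
    # and an empty Denied Access field like 0.0.0.0/0 in Denied Access.
    if not allowed:
        allowed = [MATCH_ALL]
    if not denied:
        denied = [MATCH_ALL]

    allow_hit = most_specific_match(client, allowed)
    deny_hit = most_specific_match(client, denied)

    if allow_hit is None and deny_hit is None:
        # Assumption (not stated in the guide): fail closed when nothing matches.
        return False, "no entry matches; denied by default"
    if allow_hit is None:
        return False, f"denied by {deny_hit}"
    if deny_hit is None:
        return True, f"allowed by {allow_hit}"
    if allow_hit.prefixlen > deny_hit.prefixlen:
        return True, f"allowed by {allow_hit} (more specific than {deny_hit})"
    # Assumption: on a tie in specificity the deny entry wins.
    return False, f"denied by {deny_hit} (at least as specific as {allow_hit})"


if __name__ == "__main__":
    # Constructed lists mirroring the guide's 192.168.2.0/24 example.
    allowed = "192.168.2.0/24\n192.168.2.201"
    denied = "192.168.2.192/26"
    for ip in ("192.168.2.5", "192.168.2.200", "192.168.2.201", "10.0.0.1"):
        print(ip, evaluate_access(ip, allowed, denied))
```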
This behavior is equivalent to adding the entry 0.0.0.0/0 to the Denied Access list.

Editing Registration Page Properties

To edit the properties of the registration page:
1. Navigate to Configuration > Guest Self-Registration.
2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears.
3. Click the Register Page link, or one of the Title, Header, or Footer fields for the Register Page.

Figure 29:

Template code for the title, header, and footer may be specified. See "Smarty Template Syntax" on page 264 for details on the template code that may be inserted.

Select the Do not include guest registration form contents check box to override the normal behavior of the registration page, which is to display the registration form between the header and footer templates.

Click the Save and Reload button to update the self-registration page and launch or refresh a second browser window to show the effects of the changes. Click the Save Changes button to return to the process diagram for self-registration. Click the Save and Continue button to update the self-registration page and continue to the next editor.

Editing the Default Self-Registration Form Settings

Click the Form link for the Register Page to edit the fields on the self-registration form. The default settings for this form are as follows:
- The visitor_name and email fields are enabled. The email address of the visitor will become their username for the network.
- The expire_after field is hidden, and set to a value of 24 by default; this sets the default expiration time for a self-registered visitor account to be 1 day after it was created.
- The role_id field is hidden, and set to a value of 2 by default; this sets the default role for a self-registered visitor account to the built-in Guest role.
- The auto_update_account field is set by default. This is to ensure that a visitor who registers again with the same email address has their existing account automatically updated.

Creating a Single Password for Multiple Accounts

You can create multiple accounts that have the same password. In order to do this, you first customize the Create Multiple Guest Accounts form to include the Password field.

To include the Password field on the Create Multiple Guest Accounts form:
1. Go to Configuration > Forms & Views. Click the create_multi row, then click its Edit Fields link. The Customize Form Fields view opens, showing a list of the fields included in the Create Multiple Guest Accounts form and their descriptions. At this point, the Password field is not listed because the Create Multiple Guest Accounts form (create_multi) has not yet been customized to include it. You will create it for the form in the next step.
2. Click on any field in the list to expand a row, then click the Insert After link (you can modify this placement later). The Customize Form Field form opens.
3. In the Field Name row, choose password from the drop-down list. The form displays configuration options for this field.
4. In the Field row, mark the Enable this field check box.
5. To adjust the placement of the password field on the Create Multiple Guest Accounts form, you may change the number in the Rank field.
6. In the User Interface row, choose Password text field from the drop-down list. The Field Required check box should now be automatically marked, and the Validator field should be set to IsNonEmpty.
7. Click Save Changes. The Customize Form Fields view opens again, and the password field is now included and can be edited.

To create the multiple accounts that all use the same password, see "Creating Multiple Guest Accounts" on page 30.
Editing Guest Receipt Page Properties

To edit the properties of the guest receipt page:
1. Navigate to Configuration > Guest Self-Registration.
2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears.
3. Click the Receipt Page link or one of the Title, Header, or Footer fields for the Receipt Page to edit the properties of the receipt page. This page is shown to guests after their visitor account has been created.

Click the Save Changes button to return to the process diagram for self-registration.

Editing Receipt Actions

To edit the actions that are available once a visitor account has been created:
1. Navigate to Configuration > Guest Self-Registration.
2. Select an entry in the Guest Self-Registration list and click its Edit link. The Customize Guest Registration workflow page appears.
3. In the Receipt Page area of the diagram, click the Actions link. The Receipt Actions form opens.

Enabling Sponsor Confirmation for Role Selection

You can allow the sponsor to choose the role for the user account at the time the sponsor approves the self-registered account. To enable role selection by the sponsor:
1. Go to Configuration > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens.
2. In the Receipt Page area of the diagram, click the Actions link. The Receipt Actions form opens.
3. In the Sponsorship Confirmation area at the bottom of the form, mark the Enabled check box for Require sponsor confirmation prior to enabling the account. The form expands to let you configure this option.
4. In the Authentication row, mark the check box for Require sponsors to provide credentials prior to sponsoring the guest.
5. In the Role Override row, choose (Prompt) from the drop-down list.
6. Complete the rest of the form with the appropriate information, then click Save Changes. The Customize Guest Registration diagram opens again.
7. You can click the Launch this guest registration page link at the upper-right corner of the Customize Guest Registration diagram to preview the Guest Registration login page. The Guest Registration login page is displayed as the guest would see it. When a guest completes the form and clicks the Register button, the sponsor receives an email notification.
8. To confirm the guest’s access, the sponsor clicks the click here link in the email, and is redirected to the Guest Registration Confirmation form.
9. In the Account Role drop-down list, the sponsor chooses the role for the guest, then clicks the Confirm button.

Editing Download and Print Actions for Guest Receipt Delivery

To enable the template and display options to deliver a receipt to the user as a downloadable file, or display the receipt in a printable window in the visitor’s browser:
1. Go to Configuration > Guest Self-Registration. Click the Guest Self-Registration row, then click its Edit link. The Customize Guest Registration diagram opens.
2. In the Receipt Page area of the diagram, click the Actions link. The Receipt Actions form opens.
3. Select either the Enable download of guest receipt check box in the Download area, or the Enable print window for guest receipts check box in the Print area. The form expands to include configuration options.
Editing Email Delivery of Guest Receipts

The Email Delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery.

When email delivery is enabled, the following options are available to control email delivery:
- Disable sending guest receipts by email – Email receipts are never sent for a guest registration.
- Always auto-send guest receipts by email – An email receipt is always generated using the selected options, and will be sent to the visitor’s email address.
- Auto-send guest receipts by email with a special field set – If the Auto-Send Field available for this delivery option is set to a non-empty string or a non-zero value, an email receipt will be generated and sent to the visitor’s email address. The auto-send field can be used to create an “opt-in” facility for guests. Use a check box for the auto_send_smtp field and add it to the create_user form, or a guest self-registration instance, and email receipts will be sent to the visitor only if the check box has been selected.
- Display a link enabling a guest receipt via email – A link is displayed on the receipt page; if the visitor clicks this link, an email receipt will be generated and sent to the visitor’s email address.
- Send an email to a list of fixed addresses – An email receipt is always generated using the selected options, and will be sent only to the list of email addresses specified in “Copies To”.

Editing SMS Delivery of Guest Receipts

The SMS Delivery options available for the receipt page actions allow you to specify the print template to use, the field containing the visitor’s phone number, and the name of an auto-send field.
These options under Enabled are available to control delivery of SMS receipts:
- Disable sending guest receipts by SMS – SMS receipts are never sent for a guest registration.
- Always auto-send guest receipts by SMS – An SMS receipt is always generated using the selected options, and will be sent to the visitor’s phone number.
- Auto-send guest receipts by SMS with a special field set – If the Auto-Send Field is set to a non-empty string or a non-zero value, an SMS receipt will be generated and sent to the visitor’s phone number. The auto-send field can be used to create an “opt-in” facility for guests. Use a check box for the auto_send_sms field and add it to the create_user form, or a guest self-registration instance, and SMS messages will be sent to the specified phone number only if the check box has been selected.
- Display a link enabling a guest receipt via SMS – A link is displayed on the receipt page; if the visitor clicks this link, an SMS receipt will be generated and sent to the visitor’s phone number. Only one SMS receipt per guest registration can be sent in this way.

Enabling and Editing NAS Login Properties

To enable and edit the properties for automatic NAS login:
1. Go to Configuration > Guest Self-Registration. Click to expand the Guest Self-Registration row in the form, then click its Edit link. The Customize Guest Self-Registration diagram opens.
2. In the lower-right corner of the diagram, click the NAS box or the NAS Vendor Settings link. The NAS Login form opens.
3. Mark the Enabled check box to expand the form.

If automatic guest login is not enabled, the submit button on the receipt page will not be displayed, and automatic NAS login will not be performed.
Editing Login Page Properties

The login page is displayed if automatic guest login is enabled and a guest clicks the submit button from the receipt page to log in. To edit the properties of the login page:
1. Go to Configuration > Guest Self-Registration. Click to expand the Guest Self-Registration row in the form, then click its Edit link. The Customize Guest Self-Registration diagram opens.
2. In the Receipt Page area of the diagram, click the Title or Login Message fields for the login page to edit the properties of the login page, then mark the Enable guest login to a Network Access Server check box. The form expands to include configuration options.

The login page is also a separate page that can be accessed by guests using the login page URL. The login page URL has the same base name as the registration page, but with _login appended. To determine the login page URL for a guest self-registration page, first ensure that the Enable guest login to a Network Access Server option is checked, and then use the Launch network login link from the self-registration process diagram, as shown below:

The options available under the Login Form heading may be used to customize the login page.

The login page consists of two separate parts: the login form page, and a login message page. The login form page contains a form prompting for the guest’s username and password. The title, header and footer of this page can be customized. If the Provide a custom login form option is selected, then the form must also be provided in either the Header HTML or Footer HTML sections. The login message page is displayed after the login form has been submitted, while the guest is being redirected to the NAS for login. The title and message displayed on this page can be customized.
The login delay can be set; this is the time period, in seconds, for which the login message page is displayed.

Click the Save Changes button to return to the process diagram for self-registration.

Self-Service Portal Properties

To edit the properties of the self-service portal:
1. Go to Configuration > Guest Self-Registration. Click to expand the Guest Self-Registration row in the form, then click its Edit link. The Customize Guest Self-Registration diagram opens.
2. Click the Self-Service Portal link or one of the Login Page, Summary Page, Change Password, or Reset Password links for the Self-Service Portal.
3. Mark the Enable self-service portal check box. The form expands to include configuration options.

The self-service portal is accessed through a separate link that must be published to guests. The page name for the portal is derived from the registration page name by appending “_portal”. When the self-service portal is enabled, a Go To Portal link is displayed on the list of guest self-registration pages, and may be used to determine the URL that guests should use to access the portal.

The portal offers guests the ability to log in with their account details, view their account details, or change their password. Additionally, the Reset Password link provides a method allowing guests to recover a forgotten account password.

To adjust the user interface, use the override check boxes to display additional fields on the form. These fields allow you to customize all text and HTML displayed to users of the self-service portal.

The behavioral properties of the self-service portal are described below:
- The “Enable self-service portal” check box must be selected for guests to be able to access the portal. Access to the portal when it is disabled results in a disabled message being displayed; this message may be customized using the “Disabled Message” field.
- The “Disabled Users” check box controls whether a user account that has been disabled is allowed to log in to the portal.
- The “Change Password” check box controls whether guests are permitted to change their account password using the portal.
- The “Reset Password” check box controls whether guests are permitted to reset a forgotten account password using the portal. If this check box is enabled, the “Required Field” may be used to select a field value that the guest must match in order to confirm the password reset request.

If the “Auto login by IP address” option is selected, a guest accessing the self-service portal will be automatically logged in if their client IP address matches the IP address of an active RADIUS accounting session (that is, the guest’s HTTP client address is the same as the RADIUS Framed-IP-Address attribute for an active session).

The Password Generation drop-down list controls what kind of password reset method is used in the portal. The default option is “Passwords will be randomly generated”, but the alternative option “Manually enter passwords” may be selected to enable guests to select their own password through the portal.

Click the Save Changes button to return to the process diagram for self-registration.

Resetting Passwords with the Self-Service Portal

The self-service portal includes the ability to reset a guest account’s password.
The default user interface for the self-service portal is shown below:

Clicking the I’ve forgotten my password link displays a form where the user password may be reset:

Entering a valid username will reset the password for that user account, and will then display the receipt page showing the new password and a login option (if NAS login has been enabled).

This feature allows the password to be reset for any guest account on the system, which may pose a security risk. It is strongly recommended that when this feature of the self-service portal is enabled, guest registrations should also store a secret question/secret answer field.

To enable a more secure password reset operation, first enable the secret_question and secret_answer fields on the registration form. The default appearance of these fields is shown below:

Next, enable the Required Field option in the Self-Service Portal properties. Setting this to (Secret Question) will ask the guest the secret_question and will only permit the password to be reset if the guest supplies the correct secret_answer value. With these settings, the user interface for resetting the password now includes a question and answer prompt after the username has been determined:

Selecting a different value for the “Required Field” allows other fields of the visitor account to be checked. These fields should be part of the registration form. For example, selecting the visitor_name field as the “Required Field” results in a Reset Password form like this:

Email Receipts and SMTP Services

With SMTP Services, you can configure ClearPass Guest to send customized guest account receipts to visitors and sponsors by email. Email receipts may be sent in plain text or HTML format.
You may also send email receipts using any of the installed skins to provide a look and feel. To use the email sending features, you must have the SMTP Services Plugin installed.

About Email Receipts

You can send email receipts for guest accounts that are created using either sponsored guest access or self-provisioned guest access. This is convenient in situations where the visitor may not be physically present to receive a printed receipt.

ClearPass Guest may be configured to automatically send email receipts to visitors, or to send receipts only on demand. Email receipts may be sent manually from the guest account receipt page by clicking the Send email receipt link displayed there.

When using guest self-registration, the email delivery options available for the receipt page actions allow you to specify the email subject line, the print template and email format, and other fields relevant to email delivery. To configure these email delivery options:
1. Go to Configuration > Guest Self-Registration. Click to expand the Guest Self-Registration row in the form, then click its Edit link. The Customize Guest Self-Registration diagram opens.
2. In the Receipt Page area, click the Actions link. The Receipt Actions form opens.
3. Scroll to the Email Delivery section of the form and choose one of the options from the Enabled drop-down list. The form expands to include configuration options for email delivery.

The following options are available in the Enabled drop-down list to control email delivery:
- Disable sending guest receipts by email – Email receipts are never sent for a guest registration.
- Always auto-send guest receipts by email – An email receipt is always generated using the selected options, and will be sent to the visitor’s email address.
- Auto-send guest receipts by email with a special field set – If the Auto-Send Field is set to a non-empty string or a non-zero value, an email receipt will be generated and sent to the visitor’s email address. The auto-send field can be used to create an “opt-in” facility for guests. Use a check box for the auto_send_smtp field and add it to the create_user form, or a guest self-registration instance, and email receipts will be sent to the visitor’s email address only if the check box has been selected.
- Display a link enabling a guest receipt via email – A link is displayed on the receipt page; if the visitor clicks this link, an email receipt will be generated and sent to the visitor’s email address.
- Send an email to a list of fixed addresses – An email receipt is always generated using the selected options, and will be sent only to the list of email addresses specified in the “Copies To” field.

Configuring Email Receipts

You can configure the default settings used when generating an email receipt by going to Configuration > Email Receipt. See "Email Receipt Options" on page 190 for details about the email receipt options.

Email Receipt Options

The Customize Email Receipt form may be used to set default options for visitor account email receipts. To configure email receipt options, go to Configuration > Email Receipt. The Customize Email Receipt form opens.

Figure 30: Customize Email Receipt page

1. The Subject Line may contain template code, including references to guest account fields. The default value, Visitor account receipt for {$email}, uses the value of the email field. See "Smarty Template Syntax" on page 264 for more information on template syntax.
2. The Skin drop-down list allows you to specify a skin to be used to provide the basic appearance of the email.
You may select from one of the installed skins, or use one of these special options:
- No skin – Plain text only – A skin is not used, and the email will be sent in plain text format. Use this option to remove all formatting from the email.
- No skin – HTML only – A skin is not used, but the email will be sent in HTML format. Use this option to provide a basic level of formatting in the email.
- No skin – Native receipt format – A skin is not used. The email will be sent in either plain text or HTML format, depending on the type of print template that was selected.
- Use the default skin – The skin currently marked as the default skin is used.

When sending an email message using HTML formatting, the images and other resources required to display the page will be included in the message.

3. Use the Copies To field to create a list of additional email addresses that are designated to receive copies of the generated email receipts.
4. Choose a value from the Send Copies drop-down list to specify how copies of the email receipts will be sent to the additional email addresses listed in the Copies To field:
- Do not send copies – The Copies To list is ignored and email is not copied.
- Always send using ‘cc:’ – The Copies To list is always sent a copy of any guest account receipt (even if no guest account email address is available).
- Always send using ‘bcc:’ – The Copies To list is always sent a blind copy of any guest account receipt (even if no guest account email address is available).
- Use ‘cc:’ if sending to a visitor – If a guest account email address is available, the email addresses in the Copies To list will be copied.
- Use ‘bcc:’ if sending to a visitor – If a guest account email address is available, the email addresses in the Copies To list will be blind copied.
5. To preview and verify the appearance of the email receipt, you can send yourself or another person a test message. In the Test Mail Settings area, enter the test message recipient’s email address, then click Send Test Message. The test message is sent immediately.

Figure 31: Example of Email Receipt Test Message Content

6. When all fields on the form are completed, click Save and Close.

About Customizing SMTP Email Receipt Fields

The behavior of email receipt operations can be customized with certain guest account fields. You do this on a per-user basis.
- smtp_enabled – This field may be set to a non-zero value to enable sending an email receipt. If unset, the default value from the email receipt configuration is used. The special values “_Auto” (Always auto-send guest receipts by email), “_AutoField” (Auto-send guest receipts by email with a special field set), “_Click” (Display a link enabling a guest receipt via email), and “_Cc” (Send an email to a list of fixed addresses) may also be used.
- smtp_subject – This field specifies the subject line for the email message. Template variables appearing in the value will be expanded. If the value is “default”, the default subject line from the email receipt configuration is used.
- smtp_template_id – This field specifies the print template ID to use for the email receipt. If blank or unset, the default value from the email receipt configuration is used.
- smtp_receipt_format – This field specifies the email format to use for the receipt. It may be one of “plaintext” (No skin – plain text only), “html_embedded” (No skin – HTML only), “receipt” (No skin – Native receipt format), “default” (Use the default skin), or the plugin ID of a skin plugin to specify that skin. If blank or unset, the default value from the email receipt configuration is used.
- smtp_email_field – This field specifies the name of the field that contains the visitor’s email address. If blank or unset, the default value from the email receipt configuration is used. Additionally, the special value “_None” indicates that the visitor should not be sent any email.
- smtp_auto_send_field – This field specifies the name of the field that contains the auto-send flag. If blank or unset, the default value from the email receipt configuration is used. Additionally, the special values “_Disabled” and “_Enabled” may be used to never send email or always send email, respectively.
- smtp_cc_list – This field specifies a list of additional email addresses that will receive a copy of the visitor account receipt. If the value is “default”, the default carbon-copy list from the email receipt configuration is used.
- smtp_cc_action – This field specifies how to send copies of email receipts. It may be one of “never”, “always_cc”, “always_bcc”, “conditional_cc”, or “conditional_bcc”. If blank or unset, the default value from the email receipt configuration is used.

The logic used to send an email receipt is:
- If email receipts are disabled, take no action.
- Otherwise, check the auto-send field.
  - If it is “_Disabled” then no receipt is sent.
  - If it is “_Enabled” then continue processing.
  - If it is any other value, assume the auto-send field is the name of another guest account field. Check the value of that field, and if it is zero or the empty string then no receipt is sent.
- Determine the email recipients:
  - Address the email to the value specified by the email field in the visitor account. If the email field is “_None” then do not send an email directly to the visitor.
  - Depending on the value of the Send Copies setting, add the email addresses from the Copies To: list to the email’s “Cc:” or “Bcc:” list.
- If there are any “To:”, “Cc:” or “Bcc:” recipients, generate an email message using the specified print template and send it to the specified recipient list.

The following fields override the corresponding Logout Warnings settings of the email receipt configuration in the same way:

- smtp_warn_before_subject – This field overrides the subject line specified under Logout Warnings on the email receipt. If the value is “default”, the default subject line under the Logout Warnings section of the email receipt configuration is used.
- smtp_warn_before_template_id – This field overrides the print template ID specified under Logout Warnings on the email receipt. If the value is “default”, the default template ID under the Logout Warnings section of the email receipt configuration is used.
- smtp_warn_before_receipt_format – This field overrides the email format under Logout Warnings to use for the receipt. It may be one of “plaintext” (no skin, plain text only), “html_embedded” (no skin, HTML only), “receipt” (no skin, native receipt format), “default” (use the default skin), or the plugin ID of a skin plugin to specify that skin. If blank or unset, the default value in the Email Field under Logout Warnings on the email receipt configuration is used.
- smtp_warn_before_cc_list – This field overrides the list of additional email addresses that receive a copy of the visitor account receipt under Logout Warnings on the email receipt. If the value is “default”, the default carbon-copy list under Logout Warnings from the email receipt configuration is used.
- smtp_warn_before_cc_action – This field overrides how copies of email receipts are sent, as specified under Logout Warnings on the email receipt. It may be one of “never”, “always_cc”, “always_bcc”, “conditional_cc”, or “conditional_bcc”. If blank or unset, the default value from the email receipt configuration is used.
- warn_before_from_sponsor – This field overrides the Reply To field (that is, the sponsor_email field of a user, or the admin's email) under Logout Warnings on the email receipt. If the value is “default”, the Reply To field under Logout Warnings from the email receipt configuration is used.
- warn_before_from – This field overrides the Override From field under Logout Warnings on the email receipt. If the value is “default”, the Override From field under Logout Warnings from the email receipt configuration is used.

Customizing Print Templates

Print templates are used to define the format and appearance of a guest account receipt. To work with print templates, go to Configuration > Print Templates. The Print Templates view opens.

Click a print template’s row in the list to select it. The template’s row expands to include the Edit, Duplicate, Delete, Preview, Show Usage, and Permissions options. The Edit code action is displayed for a print template when it has been created using the wizard but subsequently modified. See "Modifying Wizard-Generated Templates" on page 196 in this chapter for further information. Options to show where a print template is being used, and to control individual permissions for a print template, are also available when selecting a print template. See "Setting Print Template Permissions" on page 197.

Plain text print templates may be used with SMS services to send guest account receipts; see "About SMS Guest Account Receipts" on page 233 for details. Because SMS has a 160 character limit, the number of characters used in the plain text template is displayed below the preview. If you are including a guest account’s email address in the SMS, remember to allow for lengthy email addresses (up to 50 characters is a useful rule of thumb).

Creating New Print Templates

To define a new print template, click the Create new print template link. This opens a window with four parts.
The first part lists the variables that can be used in the template together with their meaning and an example of each. This section is followed by three other sections: the body, the header and the footer. Each section must be written in HTML. There is provision in each section for the insertion of multiple content items such as logos.

You are able to add Smarty template functions and blocks to your code. These act as placeholders to be substituted when the template is actually used. See "Smarty Template Syntax" on page 264 for further information on Smarty template syntax.

You are able to use an {if} statement to define a single print template that caters for multiple situations. For example, if you want to customize the print template to display different content depending on the action that has been taken, the following code could be used:

{if $action == "create"}
Your guest account has been created and is now ready to use!
{if $site_ssid}
- Connect to the wireless network named: {$site_ssid}
{/if}
- Make sure your network adapter is set to 'DHCP - Obtain an IP address Automatically'.
- Open your Web browser.
- Enter your username and password in the spaces provided.
{elseif $action == "edit"}
Your guest account has been updated.
{elseif $action == "delete"}
{if $u.guest_name}
{/if}
{/if}

If this code is placed in the User Account HTML section it will cater for the create, edit and delete options.

Print Template Wizard

The Create new print template using wizard link provides a simplified way to create print templates by selecting a basic style and providing a logo image, title and content text, and selecting the guest account fields to include. A real-time preview allows changes made to the design to be viewed immediately.

To use the Print Template Wizard, first select a style of print template from the Style list. Small thumbnail images are shown to indicate the basic layout of each style. There are four built-in styles:

- Table – Best for square or nearly square logo images, and well suited for use with “scratch card” guest accounts.
- Simple – Best for wide or tall logo images and for situations where an operator will print a page with guest account details.
- Centered – Best for wide logo images; less formal design.
- Label Printer – These print template styles are designed for small thermal printers in various widths. On-screen assistance is provided when printing to ensure that a consistent result can be obtained.

Click the Preview at right or Preview at bottom link at the top of the page to move the real-time preview of the print template.

Each of the basic styles provides support for a logo image, title area, subtitle area, notes area, and footer text. These items can be customized by typing in an appropriate value in the Print Template Wizard.

NOTE: As the print template is an HTML template, it is possible to use HTML syntax as well as Smarty template code in these areas. See the "Reference" chapter on page 261 for reference material about HTML and Smarty template code.

The print template may also contain visitor account fields. The value of each field is displayed in the print template.
By default, the wizard sets up the template with the username, password and role_name fields, but these may be customized. Options in the Fields row let you add, remove, or change the order of fields. Use the drop-down list to choose the field name, then click the icon at the left of the drop-down list. The field’s row expands to include the option links. Use the Remove, Move Up, Move Down, Insert Before, and Insert After links to adjust the fields that are to be included on the print template. Click the Create Template button to save your newly created print template and return to the list.

Modifying Wizard-Generated Templates

Once you have created a print template using the print template wizard, you can return to the wizard to modify it. Click the Edit print template code (Advanced) link to use the standard print template editor. See "Creating New Print Templates" on page 194 for a description.

NOTE: If you use the wizard to edit a print template after changes have been made to it outside the wizard, those changes will be lost. This is indicated with the warning message “The print template code has been modified. Making changes using the wizard will destroy any changes made outside of the wizard.”

Setting Print Template Permissions

On the Configuration > Print Templates list view, the Permissions link for a template can be used to control access to an individual print template at the level of an operator profile. The Permissions link is only displayed if the current operator has the Object Permissions privilege. This privilege is located in the Administrator group of privileges.

The permissions defined on this screen apply to the print template identified in the “Object” line. The owner profile always has full access to the print template. To control access to this print template by other entities, add or modify the entries in the “Access” list.
To add an entry to the list, or remove an entry from the list, click one of the icons in the row. A Delete icon and an Add icon will then be displayed for that row. Select one of the following entities in the Entity drop-down list:

- Operator Profiles – A specific operator profile may be selected. The corresponding permissions will apply to all operators with that operator profile.
- Other Entities:
  - Authenticated operators – The permissions for all operators (other than the owner profile) may be set using this item. Permissions for an individual operator profile will take precedence over this item.
  - Guests – The permissions for guests may be set using this item.

The permissions for the selected entity can be set using the Permissions drop-down list:

- No access – The print template is not visible in the list, and cannot be used, edited, duplicated, or deleted.
- Visible-only access – The print template is visible in the list, but cannot be edited, duplicated, or deleted.
- Read-only access – The print template is visible in the list, and the settings for it may be viewed. The print template cannot be edited or deleted.
- Update access – The print template is visible in the list, and may be edited. The print template cannot be deleted and the permissions for the print template cannot be modified.
- Update and delete access – The print template is visible in the list, and may be edited or deleted. The permissions for the print template cannot be modified.
- Full access (ownership) – The print template is visible in the list, and may be edited or deleted. The permissions for the print template can be modified, if the operator has the Object Permissions privilege.

Customize SMS Receipt

Navigate to Configuration > SMS Receipts to configure SMS receipt options. These fields are described for the SMS plugin configuration page.
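As an added example (not code from this guide or from ClearPass Guest), the following Python models the precedence rules described under "Setting Print Template Permissions" above: the owner profile always has full access, an entry for a specific operator profile takes precedence over the Authenticated operators entry, guests are matched by the Guests entry, and even Full access only lets an operator change permissions when that operator also holds the Object Permissions privilege. The level and entity names follow the page; the dict-based data layout, the function names, and treating a missing Access entry as No access are assumptions.

```python
"""Effective-permission resolution for a print template.

Added example, not ClearPass Guest product code. It models the rules given
under "Setting Print Template Permissions": the owner profile always has
full access; an entry for a specific operator profile takes precedence over
the "Authenticated operators" entry; guests are matched by the "Guests"
entry; and even Full access only lets an operator change permissions when
that operator also holds the Object Permissions privilege. Level and entity
names follow the page; the data layout and the choice to treat a missing
Access entry as "No access" are assumptions.
"""
from dataclasses import dataclass, field

# What each access level permits, taken from the page's level descriptions.
CAPS = {
    "no_access":     set(),
    "visible_only":  {"list"},
    "read_only":     {"list", "view"},
    "update":        {"list", "view", "edit"},
    "update_delete": {"list", "view", "edit", "delete"},
    "full":          {"list", "view", "edit", "delete", "set_permissions"},
}
ACTIONS = ["list", "view", "edit", "delete", "set_permissions"]


@dataclass
class PrintTemplate:
    name: str
    owner_profile: str
    # Access list: entity -> level. An entity is an operator profile name,
    # "authenticated_operators" (all other operators), or "guests".
    access: dict = field(default_factory=dict)


@dataclass
class Requester:
    kind: str                              # "operator" or "guest"
    profile: str = ""                      # operator profile, if an operator
    privileges: frozenset = frozenset()    # e.g. {"object_permissions"}


def effective_level(tpl: PrintTemplate, who: Requester) -> str:
    """Resolve the single access level that applies to `who` for `tpl`."""
    if who.kind == "operator":
        if who.profile == tpl.owner_profile:
            return "full"                          # owner: always full access
        if who.profile in tpl.access:
            return tpl.access[who.profile]         # specific profile wins
        return tpl.access.get("authenticated_operators", "no_access")
    return tpl.access.get("guests", "no_access")


def can(tpl: PrintTemplate, who: Requester, action: str) -> bool:
    """True if `who` may perform `action` (one of ACTIONS) on `tpl`."""
    level = effective_level(tpl, who)
    if action == "set_permissions":
        # Changing permissions needs Full access *and* the Object
        # Permissions privilege (the privilege that shows the Permissions link).
        return level == "full" and "object_permissions" in who.privileges
    return action in CAPS[level]


def allowed_actions(tpl: PrintTemplate, who: Requester) -> list:
    """Sorted list of the actions `who` may perform on `tpl`."""
    return sorted(a for a in ACTIONS if can(tpl, who, a))


# Constructed sample (not from the guide): a template owned by the
# Receptionist profile, a narrower grant for HelpDesk, a fallback for every
# other operator, and nothing for guests.
SAMPLE_TEMPLATE = PrintTemplate(
    name="Two-column scratch cards",
    owner_profile="Receptionist",
    access={
        "HelpDesk": "update",
        "authenticated_operators": "visible_only",
        "guests": "no_access",
    },
)
OWNER = Requester("operator", "Receptionist")
OWNER_ADMIN = Requester("operator", "Receptionist", frozenset({"object_permissions"}))
HELPDESK = Requester("operator", "HelpDesk")
AUDITOR = Requester("operator", "Auditor")
GUEST = Requester("guest")

if __name__ == "__main__":
    for who in (OWNER, OWNER_ADMIN, HELPDESK, AUDITOR, GUEST):
        label = who.profile or who.kind
        print(f"{label:12s} {effective_level(SAMPLE_TEMPLATE, who):14s} "
              f"{allowed_actions(SAMPLE_TEMPLATE, who)}")
```

Running the module prints one line per requester; the point to notice is that the Auditor profile, which has no entry of its own, falls through to the Authenticated operators grant, while HelpDesk's own entry is used even though a broader or narrower fallback exists.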
Use the SMS receipt page for further customization. For information on standard SMS services, see "SMS Services" on page 228.

Figure 32: Customize SMS Receipt page

SMS Receipt Fields

The behavior of SMS receipt operations can be customized with certain guest account fields. You can override global settings by setting these fields.

- sms_enabled – This field may be set to a non-zero value to enable sending an SMS receipt. If unset, the default value is true.
- sms_handler_id – This field specifies the handler ID for the SMS service provider. If blank or unset, the default value from the SMS plugin configuration is used.
- sms_template_id – This field specifies the print template ID for the SMS receipt. If blank or unset, the default value from the SMS plugin configuration is used.
- sms_phone_field – This field specifies the name of the field that contains the visitor’s phone number. If blank or unset, the default value from the SMS plugin configuration is used.
- sms_auto_send_field – This field specifies the name of the field that contains the auto-send flag. If blank or unset, the default value from the SMS plugin configuration is used. Additionally, the special values “_Disabled” and “_Enabled” may be used to never send an SMS or always send an SMS, respectively.

The logic used to send an SMS receipt is:

- If SMS receipts are disabled, take no action.
- Otherwise, check the auto-send field.
  - If it is “_Disabled” then no receipt is sent.
  - If it is “_Enabled” then continue processing.
  - If it is any other value, assume the auto-send field is the name of another guest account field. Check the value of that field, and if it is zero or the empty string then no receipt is sent.
- Determine the phone number: if the phone number field is set and the value of this field is at least 7 characters in length, then use the value of this field as the phone number.
  Otherwise, if the value of the auto-send field is at least 7 characters in length, then use the value of this field as the phone number.
- If the phone number is at least 7 characters long, generate a receipt using the specified plain-text print template and send it to the specified phone number.

Configuring Access Code Logins

This section explains how to configure Guest Manager to create multiple accounts that have the ability to log in with only the username. We will refer to this as an Access Code.

Customize Random Username and Passwords

In this example we will set the random usernames and passwords to be a mix of letters and digits.

1. Navigate to Configuration > Guest Manager. The Configure Guest Manager form opens.
2. In the Username Type field, select Random Letters and digits. The generator matching this complexity also includes a mix of upper and lower case letters.
3. In the Username Length field, select 8 characters.
4. Configure other settings. See "Default Settings for Account Creation" on page 137 for a description. Click Save Configuration to save your changes.

Create the Print Template

By default, the print templates include username, password, and expiration, as well as other options. For the purpose of access codes, we only want the username presented. This access code login example bases the print template on an existing scratch card template.

1. Navigate to Configuration > Print Templates.
2. Select Two-column scratch cards and click Duplicate.
3. Select the Copy of Two-column scratch cards template, then click Edit.
4. In the Name field, substitute Access Code for Username as shown below.
5. Remove extraneous data from the User Account HTML field. Example text is shown below.
   guest name {$u.guest_name}
6. Click Save Changes to save your settings.
7. To preview the new template, select the template in the Guest Manager Print Templates list, then click Preview.
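The receipt decision logic listed under "About Customizing SMTP Email Receipt Fields" and "SMS Receipt Fields" above, as an added Python model that is not ClearPass Guest's own code. It uses the page's field names (smtp_enabled, smtp_auto_send_field, smtp_email_field, smtp_cc_list, smtp_cc_action, sms_enabled, sms_phone_field, sms_auto_send_field) and special values (“_Disabled”, “_Enabled”, “_None”). The dict layout of a guest account and of the receipt configuration, the helper names, the treatment of the “_Auto”/“_AutoField”/“_Click”/“_Cc” modes as simply "enabled", and the meaning given to “conditional_cc”/“conditional_bcc” (copies only when no email is addressed to the visitor) are assumptions.

```python
"""Email and SMS receipt decision logic for a guest account.

Added example, not ClearPass Guest product code. `email_recipients` and
`sms_phone_number` follow the steps listed under "About Customizing SMTP
Email Receipt Fields" and "SMS Receipt Fields", using the page's field names
and special values. Assumptions: a guest account and the receipt
configuration are plain dicts; the smtp_enabled modes "_Auto", "_AutoField",
"_Click" and "_Cc" are treated simply as "enabled"; "conditional_cc" and
"conditional_bcc" add copies only when no email goes to the visitor.
"""


def _is_set(value) -> bool:
    """The page's "non-zero" test: zero, empty string or absence means off."""
    return value not in (None, False, 0, "", "0")


def _auto_send_allows(account: dict, auto_send_field: str) -> bool:
    """Auto-send rule shared by email and SMS receipts."""
    if auto_send_field == "_Disabled":
        return False                       # never send
    if auto_send_field == "_Enabled":
        return True                        # always continue processing
    # Any other value names another guest account field; a zero or empty
    # value in that field suppresses the receipt.
    return _is_set(account.get(auto_send_field))


def email_recipients(account: dict, cfg: dict):
    """Return (to, cc, bcc) for the email receipt, or None if nothing is sent."""
    if not _is_set(account.get("smtp_enabled", cfg["smtp_enabled"])):
        return None                        # email receipts disabled
    auto_field = account.get("smtp_auto_send_field") or cfg["smtp_auto_send_field"]
    if not _auto_send_allows(account, auto_field):
        return None
    # Address the visitor unless the email field is the special "_None".
    email_field = account.get("smtp_email_field") or cfg["smtp_email_field"]
    to = []
    if email_field != "_None":
        addr = str(account.get(email_field) or "").strip()
        if addr:
            to.append(addr)
    # Copies To: list, placed on Cc: or Bcc: according to the Send Copies action.
    cc_list = account.get("smtp_cc_list", "default")
    if cc_list == "default":
        cc_list = cfg["smtp_cc_list"]
    action = account.get("smtp_cc_action") or cfg["smtp_cc_action"]
    copies = list(cc_list)
    if action.startswith("conditional_") and to:
        copies = []                        # assumption: copies only if visitor not addressed
    cc = copies if action in ("always_cc", "conditional_cc") else []
    bcc = copies if action in ("always_bcc", "conditional_bcc") else []
    if not (to or cc or bcc):
        return None                        # no recipients at all: nothing is sent
    return to, cc, bcc


def sms_phone_number(account: dict, cfg: dict):
    """Return the number an SMS receipt would go to, or None if nothing is sent."""
    if not _is_set(account.get("sms_enabled", True)):   # page: default is true
        return None
    auto_field = account.get("sms_auto_send_field") or cfg["sms_auto_send_field"]
    if not _auto_send_allows(account, auto_field):
        return None
    phone_field = account.get("sms_phone_field") or cfg["sms_phone_field"]
    number = str(account.get(phone_field) or "")
    if len(number) < 7:
        # Fall back to the field that the auto-send flag names.
        number = str(account.get(auto_field) or "")
    return number if len(number) >= 7 else None


# Constructed sample configuration and guest account (not from the guide).
CFG = {
    "smtp_enabled": 1,
    "smtp_auto_send_field": "_Enabled",
    "smtp_email_field": "email",
    "smtp_cc_list": ["frontdesk@example.com"],
    "smtp_cc_action": "always_bcc",
    "sms_auto_send_field": "visitor_phone",
    "sms_phone_field": "visitor_phone",
}
SAMPLE_ACCOUNT = {
    "username": "visitor01",
    "email": "alice@example.com",
    "visitor_phone": "5551230100",
}

if __name__ == "__main__":
    print("email:", email_recipients(SAMPLE_ACCOUNT, CFG))
    print("sms:  ", sms_phone_number(SAMPLE_ACCOUNT, CFG))
```

Two behaviours worth checking against your own configuration: setting smtp_email_field to “_None” still sends a message whenever the Copies To: list is non-empty and the action is not “never”, so a per-account opt-out needs smtp_auto_send_field set to “_Disabled” rather than just removing the visitor's address; and on the SMS side a value shorter than 7 characters in the phone field silently falls back to whatever field the auto-send flag names.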
The template created in this example appears as shown below.

Customize the Guest Accounts Form

Next, modify the Guest Accounts form to add a flag that allows access-code based authentication.

1. Navigate to Configuration > Forms & Views.
2. In the Customize Forms & Views list, select create_multi and then click Edit Fields.
3. In the Edit Fields list, look for a field named username_auth. If the field exists but is not bolded and enabled, select it and click Enable Field. If the field does not exist, select any field in the list (for example, num_accounts) and select Insert After. Click the Field Name drop-down list, select username_auth and allow the page to refresh. The defaults should be acceptable, but feel free to customize the label or description.
4. Click Save Changes to save your settings. Once the field is enabled or inserted, you should see it bolded in the list of fields.

Create the Access Code Guest Accounts

Once the account fields have been customized, you can create new accounts.

1. Navigate to Guest > Create Multiple.
2. Mark the check box in the Username Authentication row that was added in the procedure above. (If you do not select this check box and only the username is entered on the login screen, the authentication will be denied.) The example shown below will create 10 accounts that will expire in two weeks, or four hours after the visitor’s first login, whichever comes first.
3. Click Create Accounts to display the Finished Creating Guest Accounts page. If you create a large number of accounts, they are created at one time but might not all be displayed at the same time. (This will not affect the printing action in the following step.)
4. Confirm that the account settings are as you expected with respect to letters and digits in the username and password, expiration, and role.
5. Click the Open print window using template drop-down list and select the new print template you created using this procedure. See "Create the Print Template" on page 199 for a description of this procedure. A new window or tab will open with the cards.

Chapter 6
Hotspot Manager

The Hotspot Manager controls self-provisioned guest or visitor accounts. This is where the customer is able to create his or her own guest account on your network for access to the Internet. This can save you time and resources when dealing with individual accounts.

Accessing Hotspot Manager

To access Dell Networking W-ClearPass Guest’s hotspot management features, click the Configuration link in the left navigation, then click Hotspot Manager.

About Hotspot Management

The following diagram shows how the process of customer self provisioning works.

Figure 33: Guest self-provisioning

- Your customer associates to a local access point and is redirected by a captive portal to the login page.
- Existing customers may log in with their Hotspot username and password to start browsing.
- New customers click the Hotspot Sign-up link.
- On page 1, the customer selects one of the Hotspot plans you have created.
- On page 2, the customer enters their personal details, including credit card information if purchasing access.
- The customer’s transaction is processed, and, if approved, their visitor account is created according to the appropriate Hotspot plan.
- On page 3, the customer receives an invoice containing confirmation of their transaction and the details of their newly created visitor account.
- The customer is automatically logged in with their username and password, providing instant Hotspot access.

Managing the Hotspot Sign-up Interface

You can enable visitor access self provisioning by navigating to Configuration > Hotspot Manager and selecting the Manage Hotspot Sign-up command. The Hotspot Preferences form opens. This form allows you to change user interface options and set global preferences for the self-provisioning of visitor accounts.

The Enable visitor access self-provisioning check box must be ticked for self-provisioning to be available. The Require HTTPS field, when enabled, redirects guests to an HTTPS connection for greater security. The Service Not Available Message allows an HTML message to be displayed to visitors if self-provisioning has been disabled. See "Smarty Template Syntax" on page 264 in the Reference chapter for details about the template syntax you may use to format this message. Click the Save Changes button after you have entered all the required data.

Captive Portal Integration

To start the visitor self-provisioning process, new visitor registration is performed by redirecting the visitor to the URL specified on the Hotspot Preferences page; for example: https://guest.spiffywidgets.com/hotspot_plan.php. The Hotspot Sign-Up page opens to the first page of the wizard, Choose Plan.

The hotspot_plan.php page accepts two parameters:

- The source parameter is the IP address of the customer.
- The destination parameter is the original URL the customer was attempting to access (that is, the customer’s home page). This is used to automatically redirect the customer on successful completion of the sign-up process.

For browsers without JavaScript, you may use the
Example User Account HTML for the Access Code print template (the example text referred to in step 5 of "Create the Print Template"):

Access Details
{if $u.create_result.error}
Error: {$u.create_result.message}
{/if}
Access Code: {$u.username|htmlspecialchars}