CPPM Quick Start Guide
CPPM Quick Start Guide
CPPM Quick Start Guide
Copyright Information
Copyright 2013 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, Green Island. All rights reserved. All other trademarks are the property of their respective owners.
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.
Warranty
This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS. Altering this device (such as painting it) voids the warranty.
Contents
5
5 5 5 7
9
10
11 13
13
19
19
25
25
This Quick Start Guide for the ClearPass Policy Manager System (Policy Manager) describes the steps for installing the appliance using the Command Line Interface (CLI) and using the User Interface (UI) to ensure that the required services are running.
Key
A
Port
Serial
Description
Configures the Policy Manager appliance initially, via hardwired terminal. Provides access for cluster administration and appliance maintenance via web access, CLI, or internal cluster communications. Configuration required. Provides point of contact for RADIUS, TACACS+, Web Authentication and other dataplane requests. Configuration optional. If not configured, requests redirected to the management port.
B - eth1
C - eth2
Item Information
Required Item
Management Port IP Address Management Port Subnet Mask Management Port Gateway Data Port IP Address (optional) Data Port Gateway (optional) Data Port Subnet Mask (optional) Primary DNS Secondary DNS NTP Server (optional)
Item Information
Data Port IP Address must not be in the same subnet as the Management Port IP Address
To set up the Policy Manager appliance: 1. Connect and power on. Using the null modem cable provided, connect a serial port on the appliance to a terminal, then connect power and switch on. The appliance immediately becomes available for configuration. Use the following parameters for the serial port connection:
l l l l l
Bit Rate: 9600 Data Bits: 8 Parity: None Stop Bits: 1 Flow Control: None
2. Login. Later, you will create a unique appliance/cluster administration password. For now, use the preconfigured credentials:
login: appadmin password: eTIPS123
This starts the Policy Manager Configuration Wizard. 3. Configure the appliance. Replace the bolded placeholder entries in the following illustration with your local information:
Enter Enter Enter Enter Enter Enter Enter Enter Enter hostname: hyperion.us.arubanetworks.com Management Port IP Address: 192.168.5.10 Management Port Subnet Mask: 255.255.255.0 Management Port Gateway: 192.168.5.1 Data Port IP Address: 192.168.7.55 Data Port Subnet Mask: 255.255.255.0 Data Port Gateway: 192.168.7.1 Primary DNS: 198.168.5.3 Secondary DNS: 192.168.5.1
Going forward, you will use this password for cluster administration and management of the appliance. 5. Change system date/time.
Do you want to configure system date time information [y|n]: y Please select the date time configuration options. 1) Set date time manually 2) Set date time by configuring NTP servers Enter the option or press any key to quit: 2 Enter Primary NTP Server: pool.ntp.org Enter Secondary NTP Server: time.nist.gov Do you want to configure the timezone? [y|n]: y
Once the timezone information is entered, you are asked to confirm the selection. 6. Commit or restart the configuration. Follow the prompts:
y[Y] to continue n[N] to start over again q[Q] to quit Enter the choice: Y Successfully configured Policy Manager appliance ************************************************************** * Initial configuration is complete. * Use the new login password to login to the CLI. * Exiting the CLI session in 2 minutes. Press any key to exit now.
To view the Policy Manager data and management port IP address, and DNS configuration:
[appadmin]# show ip
where:
Flag/Parameter
ip <mgmt|data> <ip address> netmask <netmask address> gateway <gateway address>
Description
l l
Netmask address.
Gateway address.
If you are using Active Directory to authenticate users, be sure to join the Policy Manager appliance to that domain as well.
ad netjoin <domain-controller.domain-name> [domain NETBIOS name]
where: Flag/Parameter
<domain-controller. domain-name> [domain NETBIOS name]
Description
Required. Host to be joined to the domain. Optional.
Use Firefox 3.0 (or higher) or Internet Explorer 7.0.5 (or higher) to perform the following steps: 1. Open the administrative interface. Navigate to https://<hostname>/tips (where <hostname> is the hostname you configured during the initial configuration). 2. Enter License Key. 3. Click on the Activate Now link.
4. Activate the product. If the appliance is connected to the Internet, click on the Activate Now button. If not, click on the Download button to download the Activation Request Token. Send an email to [email protected] with the downloaded token as an attachment. Once you receive the Activation Key from Aruba, save it to a known location on your computer. Come back to this screen and click on the Browse button to select the Activation Key. Upload the key by clicking on the Upload button. The product is now activated.
6. Change the password. Navigate to Administration > Admin Users, then use the Edit Admin User popup to change the administration password.
Accessing Help
The Policy Manager User Guide (in PDF format) is built within the help system here:
https://<hostname>/tipshelp/html/en/
(where <hostname> is the hostname you configured during the initial configuration.) All Policy Manager user interface screens have context-sensitive help. To access context-sensitive help, click on the Help link at the top right hand corner of any screen.
10
To check the status of service, navigate to Administration > Server Manager >Server Configuration, then click on a row to select a server:
l l
The System tab displays server identity and connection parameters. The Service Control tab displays all services and their current status. If a service is stopped, you can use its Start/Stop button (toggle) to restart it.
You can also start an individual service from the command line,
service start <service-name>
The Service Parameters tab allows you to change system parameters for all services. The System Monitoring tab allows you to configure SNMPparameters, ensuring that external MIBbrowsers can browse the system-level MIBobjects exposed by the Policy Manager appliance. The Network tab allows you to view and create GRE tunnels and VLANs.
The following three use cases illustrate the process of configuring Policy Manager for basic 802.1x, WebAuth, and MAC Bypass Services:
l l l
802.1x Wireless Use Case on page 13 Aruba Web Based Authentication Use Case on page 19 MAC Authentication Use Case on page 25
11
12
The basic Policy Manager Use Case configures a Policy Manager Service to identify and evaluate an 802.1X request from a user logging into a Wireless Access Device. The following image illustrates the flow of control for this Service. Figure 1 Flow of Control, Basic 802.1X Configuration Use Case
13
Settings
Name the Service and select a preconfigured Service Type: l Service (tab) > l Type (selector): 802.1X Wireless > l Name/Description (freeform) > l Upon completion, click Next (to Authentication)
Monitor Mode: Optionally, check here to allow handshakes to occur (for monitoring purposes), but without enforcement. Service Categorization Rule: For purposes of this Use Case, accept the preconfigured Service Categorization Rules for this Type.
2. Configure Authentication. Follow the instructions to select [EAP FAST], one of the pre-configured Policy Manager Authentication Methods, and Active Directory Authentication Source (AD), an external Authentication Source within your existing enterprise.
Policy Manager fetches attributes used for role mapping from the Authorization Sources (that are associated with the authentication source). In this example, the authentication and authorization source are one and the same.
14
Settings
Strip Username Rules: Optionally, check here to pre-process the user name (to remove prefixes and suffixes) before sending it to the authentication source.
To view detailed setting information for any preconfigured policy component, select the item and click View Details.
3. Configure Authorization. Policy Manager fetches attributes for role mapping policy evaluation from the Authorization Sources. In this use case, the Authentication Source and Authorization Source are one and the same. Table 3: 802.1X - Configure Authorization Navigation and Settings Navigation
l
Settings
Configure Service level authorization source. In this use case there is nothing to configure. Click the Next button. Upon completion, click Next (to Role Mapping).
15
Policy Manager tests client identity against role-mapping rules, appending any match (multiple roles acceptable) to the request for use by the Enforcement Policy. In the event of role-mapping failure, Policy Manager assigns a default role. In this Use Case, create the role mapping policy RMP_DEPARTMENT that distinguishes clients by department and the corresponding roles ROLE_ENGINEERING and ROLE_FINANCE, to which it maps: Table 4: Role Mapping Navigation and Settings Navigation
Create the new Role Mapping Policy: Roles (tab) > l Add New Role Mapping Policy (link) >
l
Settings
Add new Roles (names only): Policy (tab) > l Policy Name (freeform): ROLE_ ENGINEER > l Save (button) > l Repeat for ROLE_FINANCE > l When you are finished working in the Policy tab, click the Next button (in the Rules Editor)
l
Create rules to map client identity to a Role: l Mapping Rules (tab) > l Rules Evaluation Algorithm (radio button): Select all matches > l Add Rule (button opens popup) > l Add Rule (button) > l Rules Editor (popup) > l Conditions/ Actions: match Conditions to Actions (drop-down list) > l Upon completion of each rule, click the Save button ( in the Rules Editor) > l When you are finished working in the Mapping Rules tab, click the Save button (in the Mapping Rules tab)
16
Navigation
Add the new Role Mapping Policy to the Service: l Back in Roles (tab) > l Role Mapping Policy (selector): RMP_ DEPARTMENT > l Upon completion, click Next (to Posture)
Settings
Policy Manager can be configured for a third-party posture server, to evaluate client health based on vendor-specific credentials, typically credentials that cannot be evaluated internally by Policy Manager (that is, not in the form of internal posture policies). Currently, Policy Manager supports the following posture server interface: Microsoft NPS (RADIUS). Refer to the following table to add the external posture server of type Micrsoft NPS to the 802.1X service: Table 5: Posture Navigation and Settings Navigation
Add a new Posture Server: Posture (tab) > l Add new Posture Server (button) >
l
Setting
Configure Posture settings: Posture Server (tab) > l Name (freeform): PS_NPS l Server Type (radio button): Microsoft NPS l Default Posture Token (selector): UNKOWN l Next (to Primary Server)
l
17
Navigation
Configure connection settings: Primary/ Backup Server (tabs): Enter connection information for the RADIUS posture server. l Next (button): from Primary Server to Backup Server. l To complete your work in these tabs, click the Save button.
l
Setting
Add the new Posture Server to the Service: l Back in the Posture (tab) > l Posture Servers (selector): PS_ NPS, then click the Add button. l Click the Next button.
6. Assign an Enforcement Policy Enforcement Policies contain dictionary-based rules for evaluation of Role, Posture Tokens, and System Time to Evaluation Profiles. Policy Manager applies all matching Enforcement Profiles to the Request. In the case of no match, Policy Manager assigns a default Enforcement Profile. Table 6: Enforcement Policy Navigation and Settings Navigation
Configure the Enforcement Policy: l Enforcement (tab) > l Enforcement Policy (selector): Role_Based_ Allow_Access_ Policy
Setting
For instructions about how to build such an Enforcement Policy, refer to "Configuring Enforcement Policies" in the ClearPass Policy Manager User Guide. 7. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
18
This Service supports known Guests with inadequate 802.1X supplicants or posture agents. The following figure illustrates the overall flow of control for this Policy Manager Service. Figure 2 Flow-of-Control of Web-Based Authentication for Guests
Settings
19
Navigation
Name the Service and select a pre-configured Service Type: l Service (tab) > l Type (selector): Aruba Web-Based Authentication > l Name/Description (freeform) > l Upon completion, click Next.
Settings
3. Set up the Authentication. a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally. b. Source: Administrators typically configure Guest Users in the local Policy Manager database. 4. Configure a Posture Policy.
For purposes of posture evaluation, you can configure a Posture Policy (internal to Policy Manager), a Posture Server (external), or an Audit Server (internal or external). Each of the first three use cases demonstrates one of these options. This use case demonstrates the Posture Policy.
As of the current version, Policy Manager ships with five pre-configured posture plugins that evaluate the health of the client and return a corresponding posture token. To add the internal posture policy IPP_UNIVERSAL_XP, which (as you will configure it in this Use Case, checks any Windows XP clients to verify the most current Service Pack). Table 8: Local Policy Manager Database Navigation and Settings Navigation
Select the local Policy Manager database: l Authentication (tab) > l Sources (Select drop-down list): [Local User Repository] > l Add > l Strip Username Rules (check box) > l Enter an example of preceding or following separators (if any), with the phrase user representing the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them. l Upon completion, click Next (until you reach Enforcement Policy).
Settings
20
Setting
Name the Posture Policy and specify a general class of operating system: l Policy (tab) > l Policy Name (freeform): IPP_ UNIVERSAL > l Host Operating System (radio buttons): Windows > l When finished working in the Policy tab, click Next to open the Posture Plugins tab Select a Validator: Posture Plugins (tab) > l Enable Windows Health System Validator > l Configure (button) >
l
21
Navigation
Configure the Validator: l Windows System Health Validator (popup) > l Enable all Windows operating systems (check box) > l Enable Service Pack levels for Windows 7, Vista, XP Server 2008, Server 2008 R2, and Server 2003 (check boxes) > l Save (button) > l When finished working in the Posture Plugin tab click Next to move to the Rules tab) Set rules to correlate validation results with posture tokens: l Rules (tab) > l Add Rule (button opens popup) > l Rules Editor (popup) > l Conditions/ Actions: match Conditions(Select Plugin/ Select Plugin checks) to Actions (Posture Token)> l In the Rules Editor, upon completion of each rule, click the Save button > l When finished working in the Rules tab, click the Next button.
Setting
22
Navigation
Add the new Posture Policy to the Service: Back in Posture (tab) > Internal Policies (selector): IPP_ UNIVERSAL_XP, then click the Add button
Setting
Default Posture Token. Value of the posture token to use if health status is not available. Remediate End-Hosts. When a client does not pass posture evaluation, redirect to the indicated server for remediation. Remediation URL. URL of remediation server.
5. Create an Enforcement Policy. Because this Use Case assumes the Guest role, and the Aruba Web Portal agent has returned a posture token, it does not require configuration of Role Mapping or Posture Evaluation.
The SNMP_POLICY selected in this step provides full guest access to a Role of [Guest] with a Posture of Healthy, and limited guest access.
Setting
6. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
23
24
This Service supports Network Devices, such as printers or handhelds. The following image illustrates the overall flow of control for this Policy Manager Service. In this service, an audit is initiated on receiving the first MAC Authentication request. A subsequent MAC Authentication request (forcefully triggered after the audit, or triggered after a short session timeout) uses the cached results from the audit to determine posture and role(s) for the device Figure 3 Flow-of-Control of MAC Authentication for Network Devices
25
Settings
Name the Service and select a pre-configured Service Type: l Service (tab) > l Type (selector): MAC Authentication > l Name/Description (freeform) > l Upon completion, click Next to configure Authentication
2. Set up Authentication Note that you can select any type of authentication/authorization source for a MAC Authentication service. Only a Static Host list of type MAC Address List or MAC Address Regular Expression shows up in the list of authentication sources (of type Static Host List). Refer to "Adding and Modifying Static Host Lists" in the ClearPass Policy Manager User Guide for more information. You can also select any other supported type of authentication source. Table 12: Authentication Method Navigation and Settings Navigation
Select an Authentication Method and two authentication sources - one of type Static Host List and the other of type Generic LDAP server (that you have already configured in Policy Manager): l Authentication (tab) > l Methods (This method is automatically selected for this type of service): [MAC AUTH] > l Add > l Sources (Select drop-down list): Handhelds [Static Host List] and Policy Manager Clients White List [Generic LDAP] > l Add > l Upon completion, Next (to Audit)
Settings
26
This step is optional if no Role Mapping Policy is provided, or if you want to establish health or roles using an audit. An audit server determines health by performing a detailed system and health vulnerability analysis (NESSUS). You can also configure the audit server (NMAP or NESSUS) with post-audit rules that enable Policy Manager to determine client identity. Table 13: Audit Server Navigation and Settings Navigation
Configure the Audit Server: Audit (tab) > l Audit End Hosts (enable) > l Audit Server (selector): NMAP l Trigger Conditions (radio button): For MAC authentication requests l Reauthenticate client (check box): Enable
l
Settings
Upon completion of the audit, Policy Manager caches Role (NMAP and NESSUS) and Posture (NESSUS), then resets the connection (or the switch reauthenticates after a short session timeout), triggering a new request, which follows the same path until it reaches Role Mapping/Posture/Audit; this appends cached information for this client to the request for passing to Enforcement. Select an Enforcement Policy. 4. Select the Enforcement Policy Sample_Allow_Access_Policy: Table 14: Enforcement Policy Navigation and Settings Navigation
Select the Enforcement Policy: Enforcement (tab) > l Use Cached Results (check box): Select Use cached Roles and Posture attributes from previous sessions > l Enforcement Policy (selector): UnmanagedClientPolicy l When you are finished with your work in this tab, click Save.
l
Setting
Unlike the 802.1X Service, which uses the same Enforcement Policy (but uses an explicit Role Mapping Policy to assess Role), in this use case Policy Manager applies post-audit rules against attributes captured by the Audit Server to infer Role(s). 5. Save the Service. Click Save. The Service now appears at the bottom of the Services list.
27
28