Cluster-Wide Parameters

This section describes the following Cluster-Wide Parameters features:

General Parameters

You can configure the parameters that apply to all the nodes in a Policy Manager cluster by configuring the Cluster-Wide Parameters. To configure the Cluster-Wide parameters:

1. Navigate to the Administration > Server Manager > Server Configuration page.

2. Select the Cluster-Wide Parameters link. The Cluster-Wide Parameters page opens to the General page:

Figure 1  Cluster-Wide Parameters > General Page

3. Configure Cluster-Wide Parameters > General parameters as described in the following table, then click Save.

Table 1: Cluster-Wide Parameters > General Page Parameters

Parameter

Action/Description

Policy result cache timeout

Specify the duration allowed in minutes to store the role mapping and posture results derived by the policy engine during a policy evaluation.

A value of 0 disables caching.

This result can then be used in subsequent evaluation of policies associated with a service, if the Use cached Roles and Posture attributes from previous sessions option is turned on for the service.

NOTE: The value of the Policy result cache timeout field must be greater than the highest value set in the Health Check Interval (in hours) fields.
For example, if you have created the profiles Student-Enforcement-Profile and Staff-Enforcement-Profile with health check interval configured, then the value of the Policy result cache timeout field must be greater than the highest value of the Health Check Quiet Period (in hours) value configured among the following profiles:

Global Agent Settings

Student-Enforcement-Profile

Staff-Enforcement-Profile

Free disk space threshold value (Aggressive cleanup starts at 10% below this value)

Specify the percentage below which disk usage warnings are issued in the Monitoring > Event Viewer page.

For example, a default value of 30% indicates a warning is issued when the available disk space is 30% or lower. However, an aggressive cleanup is triggered when the disk space available drops below 20% (the 30% default value minus an additional 10%). In this instance, the additional 10% is the hard-coded threshold delta value implemented as part of an aggressive cleanup operation.

Free memory threshold value

Specify the percentage below which RAM usage warnings are issued in the Policy Manager Event Viewer.

For example, a value of 30 indicates that a warning is issued only when the available RAM is 30% or lower.

Endpoint Context Servers polling interval

Enter the interval in minutes between polling of endpoint context servers, between 1 and 10,500 minutes. (10,500 minutes is 175 hours, or a bit more than a week).

The default interval is 60 minutes.

Endpoint Context Servers polling start time

Specify the Endpoint Context Servers polling start time in HH:mm:ss format.

Syslog Export Interval

This parameter provides the ability to configure a Syslog messaging batch interval. The default value is 120 seconds. The supported interval value is between 30 and 120 seconds.

NOTE: The interval specified for this parameter is applied to all appliances in a cluster and to all the Syslog Export Filters that are in the enabled state. For related information, see Syslog Export Filters.

Automatically check for available Software Updates

Specify whether to enable automatic checking for available software updates.

The default is TRUE. For related information, see Software Updates.

Automatically download Posture Signature and Windows Hotfixes Updates

Specify whether to automatically download and install Posture Signature and Windows Hotfixes Updates. The default is FALSE. For related information, see Software Updates.

Automatically download minor updates for Extensions

Set this parameter to TRUE to download micro-services that can run on top of the ClearPass platform and provide access to some features not yet part of the current ClearPass version. The default is FALSE.

Automatically download Endpoint Profile Fingerprints

Specify whether to automatically download Endpoint Profile Fingerprints. The default is FALSE. For related information, see Software Updates.

Login Banner Text

Customize the banner text that appears on the Policy Manager login screen and CLI access window.

Force Enable User Acknowledgment

Set this parameter to TRUE to require user consent before login. Once set to TRUE, a banner displays requiring the user to select I agree to the terms and conditions and then click Proceed before continuing to the login.

Cluster Communication Mode

Policy Manager allows Cluster Communication Mode to be set to IPv4 or IPv6. The default is IPv4.

If the value of this parameter is set to IPv6, all database and API calls will use IPv6 addresses for cluster communication. If the value is set to IPv4, it will use IPv4 for database and API calls instead. The default value of the cluster communication mode will depend on the IP address configured on the appliance during installation or upgrade. If the appliance has only an IPv6 address, the default cluster communication mode will be IPv6. If the appliance has both IPv4 and IPv6 addresses configured, or if only an IPv4 address is configured, then the default cluster communication mode will be IPv4.

Whenever the cluster communication mode is changed, it performs the following validations:

Configuration checks to verify an IP address in the correct format is configured for the interface.

Certificate checks to verify the database certificates have the correct IP address in the SAN field.

Certificate checks to verify the HTTPS certificates have the correct IP address in the SAN field.

For more information on setting the Cluster Communication Mode and the conditions for using IPv4 and IPv6 formatted IP addresses, go to Setting the Cluster Communication Mode.

NOTE: You can only use the network reset mgmt <v4|v6> command to reset an IPv4 or IPv6 management port address if the cluster communication mode is set to a different IP address format. For example, you cannot reset a management port IPv4 address, unless the cluster communication mode is set to IPv6.

NOTE: In a cluster with both IPv4 and IPv6 addresses (dual stack) configured on the management interface of every appliance, the ClearPass Zone Cache service always uses the IPv4 management address to keep the cache of each appliance synchronized across the cluster. The ClearPass Zone Cache service does not use the IPv6 management address for synchronization when the cluster communication mode parameter is set to IPv6 in a dual-stack scenario.

NOTE: In a cluster using self-signed certificates, if the management IP address is changed the database certificate does not need to be regenerated. The generation of the database certificate and the restart of backend services are automatic. There may be a delay of up to 10 minutes while backend services are re-started, and configuration updates and replication setup are re-established. This change only applies to clusters with self-signed certificates, not to clusters with CA-signed certificates.

Allow Concurrent Admin Login

When this field is set to TRUE (which is the default setting), an Admin user can log in to the same Policy Manager server concurrently from either the same device or a different device.

When this field is set to FALSE, and an Admin user logs into a Policy Manager server from one device, and then later logs into the same Policy Manager server from either the same device or a different device, the Admin user is logged out of all previous sessions on that Policy Manager server. When this occurs, the following message is displayed:

You have been logged out of previous active session(s)

Admin Session Idle Timeout

Specify the maximum idle time permitted for admin users, beyond which the session times out.

The default value is 30 minutes. The allowed range is 5 to 1440 minutes (24 hours).

CLI Session Idle Timeout

Specify the maximum idle time permitted for CLI users, beyond which the session times out.

The default value is 10 minutes. The allowed range is 5 to 1440 minutes (24 hours).

When this parameter is changed, the changes take effect when the client opens a new CLI session. Any active CLI sessions will continue to use the old timeout setting; the sessions have to be disconnected and reconnected for the updated timeout value to take effect. Before performing any operation from the appadmin CLI that takes more than 15 minutes, such as make subscriber, drop subscriber, backup, restore, update, or upgrade, first change the value of the CLI Session Idle Timeout parameter to the amount of time required for the operation.

Console Session Idle Timeout

Specify the Console Session Idle Timeout duration in minutes. The default value is 360 minutes.

The Console Session Idle Timeout does not begin counting down until the admin user exits the admin session, or when the admin session has timed out. If the user is still logged in to the admin session, the Console Session Idle Timeout is not enforced. To impose an automatic logout from the Policy Manager server for an admin user connected to the console, you must set the idle timeout for the Admin Session Idle Timeout as well as the Console Session Idle Timeout.

The Console Session Idle Timeout:

Must have a valid integer value (for example, a setting of 10.5 wouldn't be valid).

The range of valid values is from 5 to 1,440 minutes (24 hours).

The Audit Viewer captures the details about changes in Console Session Idle Timeout.

Disable TLSv1.0 support

On new Policy Manager installations, TLS 1.0 is disabled by default, so the default setting is All. To modify Transport Layer Security (TLS) v1.0 support, select one of the following options:

None

Admin

Network

All

NOTE: Users cannot change into Common Criteria (CC) mode while the Disable TLS v1.0 parameter is set to None. This parameter must be set to All for CC mode. This parameter is not configurable and does not appear in the Policy Manager WebUI when Policy Manager is in FIPS mode.

NOTE: The ClearPass OpenSSL cryptography library does not support TLS 1.0 when FIPS mode is enabled. As part of this change, the Disable TLSv1.0 support option is hidden within the Cluster-Wide Parameters when FIPS mode is enabled.

Disable TLSv1.3 support

To modify Transport Layer Security (TLS) v1.3 support, select one of the following options:

None: Enables TLS v1.3 communication for all servers. On new ClearPass installations, this is the default setting. When TLS v1.3 is enabled it is used as the preferred connection for systems that support it, and can be used for post-handshake authentications. If a system does not support TLSv1.3, TLS v1.2 or v1.1 will automatically be used instead.

Admin: Disables TLSv1.3 for all servers. On upgraded ClearPass servers, this is the default setting. This setting must be used in cases where client certificate-based authentications with SSO, OnGuard, or downloadable user roles are configured, as those do not work with TLSv1.3. Having Admin (TLSv1.3 disabled) as the default setting for upgraded servers ensures that if any of those configurations are present, the TLS setting will not interfere with them.

Disable TLSv1.1 support

On new Policy Manager installations, TLS 1.1 is disabled by default, so the default setting is All. To modify Transport Layer Security (TLS) v1.1 support, select one of the following options:

None

Admin

Network

All

NOTE: Clusters in Common Criteria (CC) mode can have a value of None, so TLS v1.1 is enabled on all devices.

NOTE: The ClearPass OpenSSL cryptography library does not support TLS 1.1 when FIPS mode is enabled. As part of this change, the Disable TLSv1.1 support option is hidden within the Cluster-Wide Parameters when FIPS mode is enabled.

Content Security Policy (CSP)

When enabled, Content Security Policy (CSP) has a significant impact on the way browsers render pages (for example, inline JavaScript is disabled by default and must be explicitly allowed in the Content Security Policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections.

Allowed SSH Modes

When specifying a particular cipher mode, each ClearPass server in the cluster will accept only SSH connections that use the selected cipher mode. Select one of the following to specify the SSH cipher mode in either FIPS or non-FIPS mode:

AES-CBC

AES-CTR

AES-GCM

All

NOTE: Unlike legacy releases, ClearPass now enables the selection of either AES-CBC, AES-CTR, AES-GCM or All to specify a specific SSH cipher mode in FIPS mode. With previous ClearPass releases, the Allowed SSH Modes parameter was disabled when FIPS mode is enabled.

Performance Monitor Rendering Port

Specify the port for performance monitor rendering. The default value is 80.

ICMPv6 Filters

When the ICMPv6 Filters parameter is set to Disable (the default), Policy Manager responds to all ICMPv6 (Internet Control Message Protocol) traffic. When this parameter is set to Enable, the following restrictions are applicable:

Policy Manager does not respond to ICMPv6 traffic sent to an anycast or multicast address.

Policy Manager does not transmit ICMPv6 type-3 (Destination Unreachable) messages.

ClearPass Zone Cache Durability

For the ClearPass Zone Cache to survive abrupt shutdowns, set this to Normal or Full. The default value is OFF.

NOTE: Enabling this feature might result in some performance degradation.

Post-Authentication v2

When Post-Authentication v2 is enabled, it improves performance and scaling for post-authentication events when interoperating with third-party systems. This setting is enabled by default in IPv4-only, IPv6-only, or dual-stack mode (IPv4 and IPv6). Post-Authentication v2 can still be disabled when in IPv4-only mode. However, in an IPv6-only or dual stack environment, disabling Post-Authentication v2 is not permitted.

The following additional Post-Authentication v2 restrictions apply:

When you either enable or disable Post-Authentication v2, you must also manually restart the Async Network service. For more information on starting or stopping services, refer to Services Control Page.

Post-Authentication v2 does not support Policy Manager Proxy.

When defining a context server action, the following HTTP methods are supported: PATCH, DELETE, POST, GET, and PUT.

Post-Authentication unsubscribes from the endpoint updates on Acct Stop

When using post authentication for NMAP trigger, enabling this option ensures endpoints are unsubscribed on an accounting stop. This ensures a payload is not sent to the NMAP service when the device reauthenticates and a different enforcement profile is applied.

This option must be disabled for firewall integration in general, and must be disabled for dual stack or pure IPv6 if multiple IP addresses are expected.

Post-Authentication v2 HTTP enforcement

Administrators have the option to enable or disable Post-Authentication v2 HTTP enforcement when the Post-Authentication v2 parameter is enabled. Selecting Post-Authentication v2 HTTP enforcement lets administrators disable the Post-Authentication HTTP enforcement profile while the Session Notification Enforcement profile remains enabled. This can improve the scalability and performance of the Post-Authentication v2 HTTP enforcement in some deployments. If Post-Authentication v2 is changed from Enable to Disable, Post-Authentication v2 HTTP enforcement automatically changes to Disable as well.

Certificate Based Authentication is supported for VMware AirWatch with Post-Authentication v2 HTTP Enforcement. To use this feature with AirWatch, both the Post-Authentication v2 and Post-Authentication v2 HTTP enforcement settings must be enabled from the Cluster-Wide Parameters > General tab. In addition, go to: Administration > External Servers > Endpoint Context Servers > Server > Add, and select VMware AirWatch as the server type and Certificate as the authentication method. Lastly, go to: Administration > Dictionaries > Context Server Actions > Add, and select VMware AirWatch as the server type and Certificate as the authentication method.

EAP TLS Session Cache Policy

ClearPass supports TLS session cache persistence for EAP-based authentications. Use the EAP TLS Session Cache Policy parameter to specify whether the session cache should persist in internal memory only, or in both memory and disk. The duration of the session persistence can also be configured. Select Internal+Disk for the user session to be read from disk, so re-authentication is not required before the configured session timeout. The default setting is Internal, which retains the previous behavior of periodically clearing the session cache when roaming.

NOTE: To specify how long the session cache should be stored on disk, go to the Cleanup Intervals tab and enter the number of hours in the Parameter Value field for the TTL Stale TLS session in Disk parameter. The default value is 24 hours.

Setting the Cluster Communication Mode

Cluster configuration operations (the CLI commands available under the cluster command section) support IPv4 or IPv6 communication depending on the cluster-wide parameter called the Cluster Communication Mode.

If set to IPv6, cluster replication, database connections and internal API calls specific to the cluster operations listed above will use an IPv6 address, or otherwise use IPv4.

The default Cluster Communication Mode depends on the IP address configured on the node at the time of an upgrade or install. If the node has only an IPv6 address, the default Cluster Communication Mode will be IPv6.

If both IPv4 and IPv6 addresses are configured, or if only an IPv4 address is configured, the default Cluster Communication Mode will be IPv4.

Keep in mind, the following modules are not supported for cluster communication using IPv6:

Zone cache (Battery/Redis)

Insight database communication

Admin UI features (Access Tracker, API calls etc.)

License usage computation on Publisher

Async-netd Monitor (tracks the sync status of other modules)

Set the Cluster Communication Mode from either the ClearPass UI or command line interface (CLI). To set the Cluster Communication Mode from the UI, go to Setting Cluster Wide Parameters.

To review the cluster specific commands supported by ClearPass, go to ClearPass Cluster Commands. For information on using the ClearPass command line to set the Cluster Communication mode, go to Cluster Communication Mode.

The Cluster Communication Mode performs three pre-checks to ensure cluster operations do not fail if the mode is changed. These pre-checks include:

1. Configuration checks - Ensure the IP address of a given format is configured on the interface.

2. Certificate checks for database - The database certs must have the correct IP address configured in the SAN field. Make sure the SAN field is updated to use the correct IP address format in the pattern DNS:<ip address>. Multiple IP addresses must be separated by a comma (,) delimiter. For example, DNS:<ipv6 address>, DNS:<ipv4 address>.

3. Certificate checks for HTTPS certs - The HTTPS certs must have the correct IP address configured in the SAN field. Make sure the SAN field is updated to use the correct IP address format in the pattern IP Address:<ip address>. Multiple IP addresses must be separated by a comma (,) delimiter. For example, DNS:<ipv6 address>, DNS:<ipv4 address>.
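As an added example (not ClearPass code), the following Python helper reproduces the SAN portion of pre-checks 2 and 3 on the comma-delimited SAN strings in the formats given above. It assumes the label DNS for the database certificate and IP Address for the HTTPS certificate, as stated in the two checks, and works on the SAN text itself rather than parsing a certificate.

```python
"""Emulates the SAN checks (pre-checks 2 and 3) run before a Cluster Communication
Mode change. Added example, not ClearPass code; the labels per certificate type
are taken from the pre-check descriptions above."""
import ipaddress
from typing import Dict, List, Tuple


def parse_san(san: str) -> List[Tuple[str, str]]:
    """Split a comma-delimited SAN string into (label, value) pairs.

    Only the first ':' separates the label from the value, so an IPv6 literal
    such as 2001:db8::1 keeps its own colons.
    """
    entries = []
    for raw in san.split(","):
        raw = raw.strip()
        if not raw:
            continue
        label, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"SAN entry without a label: {raw!r}")
        entries.append((label.strip(), value.strip()))
    return entries


def san_addresses(san: str, label: str) -> Dict[int, List[str]]:
    """Return the IP addresses carried under `label`, grouped by IP version.

    Values that are not IP literals (for example a real host name under DNS:)
    are ignored, because the pre-check only cares about addresses.
    """
    found: Dict[int, List[str]] = {4: [], 6: []}
    for entry_label, value in parse_san(san):
        if entry_label.lower() != label.lower():
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # host name or malformed value, not an address
        found[addr.version].append(str(addr))
    return found


def precheck(mode: str, db_san: str, https_san: str) -> List[str]:
    """Apply pre-checks 2 and 3 for the requested mode ("IPv4" or "IPv6").

    Returns the list of failures; an empty list means both certificates carry an
    address of the family the cluster would switch to.
    """
    version = 6 if mode.upper() == "IPV6" else 4
    failures = []
    # Label per certificate type, as stated in the pre-check descriptions.
    for name, san, label in (("database", db_san, "DNS"),
                             ("HTTPS", https_san, "IP Address")):
        if not san_addresses(san, label)[version]:
            failures.append(
                f"{name} certificate SAN has no {label}:<IPv{version} address> entry")
    return failures


if __name__ == "__main__":
    # Constructed sample SAN strings (documentation addresses, not real hosts).
    db = "DNS:cppm1.example.com, DNS:2001:db8::1, DNS:10.0.0.5"
    https = "IP Address:10.0.0.5"
    print("IPv6 pre-check:", precheck("IPv6", db, https) or "pass")
    print("IPv4 pre-check:", precheck("IPv4", db, https) or "pass")
```

In the sample run the IPv6 check fails only on the HTTPS certificate, which is exactly the case the third pre-check is there to catch before the mode is switched.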

Cleanup Intervals Parameters

The following figure displays the Cluster-Wide Parameters > Cleanup Intervals dialog:

Figure 2  Cluster-Wide Parameters > Cleanup Intervals Dialog

Specify the Cluster-Wide Parameters > Cleanup Intervals parameters as described in the following table:

Table 2: Cluster-Wide Parameters > Cleanup Intervals Parameters

Parameter

Action/Description

Cleanup interval for Session log details in the database

Specify the duration in number of days to keep the following data in the Policy Manager database:

Session logs (found on the Monitoring > Live Monitoring > Access Tracker page)

Event logs (found on the Monitoring > Event Viewer page)

Machine authentication cache

The default value is 7 days.

Cleanup interval for information stored on the disk

Specify the duration in number of days to keep log files that are written to the disk.

The default value is 7 days.

Cleanup interval for CSRs and private keys

By default, ClearPass automatically performs a cleanup for Certificate Signing Requests (CSRs) older than 15 days. Use this parameter to extend the cleanup interval for old CSRs and associated private keys from 15 days to up to 90 days. Network administrators should extend the cleanup interval for CSRs and private keys in cases where the CA takes more than 15 days to create a certificate, as the CSR generated on the system would become invalid with the default 15-day setting and would be removed automatically from the system.

Old Audit Records cleanup interval

Specify the cleanup interval in number of days that Policy Manager uses to determine when to start deleting old audit records from the Audit Viewer page. The default value is 7 days.

Known endpoints cleanup interval

Specify the duration in number of days that Policy Manager uses to determine when to start deleting known or disabled entries from the Endpoint repository.

Known entries are deleted based on when the endpoint was last seen. For example, if this value is 7, then known Endpoints that have not been seen within the last 7 days are deleted.

The default value is 0 days. This indicates that no cleanup interval is specified.

Unknown endpoints cleanup interval

Specify the duration in number of days that Policy Manager uses to determine when to start deleting unknown entries from the Endpoint repository. Unknown entries are deleted based on when the endpoint was last seen. For example, if this value is 7, then unknown Endpoints that have not been seen within the last 7 days are deleted.

The default value is 0 days. This indicates that no cleanup interval is specified.

Expired guest accounts cleanup interval

The cleanup interval for expired guest accounts indicates the number of days after expiry that the cleanup occurs.

A value of 0 specifies no expired guest accounts cleanup interval. The default value is 365 days.

Profiled Unknown endpoints cleanup interval

Specify the cleanup interval in number of days that Policy Manager uses to determine when to start deleting profiled unknown entries from the Endpoint repository. Profiled unknown entries are deleted based on either the time the unknown Endpoint was last seen or the time it was last profiled, whichever is most recent.

The default value is 0, indicating that no cleanup interval is specified.

Profiled Known endpoints cleanup option

Specify whether to enable the option to clean up profiled known endpoints.

The default value is FALSE. Profiled known entries are deleted based on either the time the known Endpoint was last seen or the time it was last profiled, whichever is most recent.

Static IP endpoints cleanup option

Specify whether to enable the option to clean up static IP endpoints.

The default option is FALSE.

Notifications Parameters

The following figure displays the Cluster-Wide Parameters > Notifications dialog:

Figure 3  Cluster-Wide Parameters > Notifications Dialog

Specify the Cluster-Wide Parameters > Notifications parameters as described in the following table:

Table 3: Cluster-Wide Parameters > Notifications Parameters

Parameter

Action/Description

System Alert Level

Specify the alert notifications that are generated for system events logged at this level or higher.

INFO: Alerts that provide Information, Warnings, and Error messages are generated.

WARN: Alerts that provide Warnings and Error messages are generated.

ERROR: Alerts that provide Error messages only are generated.

The default value is WARN.

Alert Notification Timeout

Specify the timeout in hours that determines how often alert messages are generated and distributed.

If you select Disabled, alert generation is disabled. The default value is 2 hours.

Alert Notification - eMail Address

Enter a comma-separated list of email addresses to which alert messages are sent.

Alert Notification - SMS Address

Enter a comma-separated list of phone numbers to which alert messages are sent.

Standby Publisher Parameters

The standby publisher is the publisher in the cluster that is configured to come up in the event that the publisher is not reachable. The following figure displays the Cluster-Wide Parameters > Standby Publisher dialog:

During a failover, the standby publisher does not have to wait for all the servers in the cluster to fully resynchronize, and instead is available with complete publisher functionality within moments of the triggering failover event.

Figure 4  Cluster-Wide Parameters > Standby Publisher Dialog

Specify the following Cluster-Wide Parameters > Standby Publisher parameters:

Table 4: Cluster-Wide Parameters > Standby Publisher Parameters

Parameter

Action/Description

Enable Publisher Failover

To authorize a node in a cluster on the system to act as a publisher if the primary publisher fails, select TRUE. The default value is FALSE.

NOTE: To avoid false failover triggers, the Enable Publisher Failover value should be set to false before starting a cluster update.

Designated Standby Publisher

Select the server in the cluster to act as the standby publisher.

The default value is 0.

NOTE: If the standby publisher is on a different subnet than the publisher, then ensure that a reliable connection between the two subnets is available to avoid unwanted network segmentation and potential data loss from a false failover.

Failover Wait Time

Specify the time (in minutes) that the standby publisher must wait before it assumes the role of publisher after the primary publisher becomes unreachable. The default failover wait time is 10 minutes.

This parameter prevents the standby publisher from taking over when the publisher is temporarily unavailable during a restart.

NOTE: Failover wait times vary based on the size of the data needing to synchronize, as well as the number of subscribers that need to be checked.

If a cluster is configured with a standby publisher, add the HTTPS server certificate of the standby publisher to the Trust list and ensure all the servers in the cluster have this certificate in the Trust list. Similarly, before you promote a subscriber to publisher, add the HTTPS server certificate of the subscriber to the Trust list and ensure all the servers in the cluster have this certificate in the Trust list. This step is not required if the HTTPS server certificates for all the nodes in the cluster are signed by a certificate authority (CA).

When a database backup is made with a subscriber configured as the standby publisher, and the backup is restored without using the -s flag, then after the backup is restored the cluster list command could fail with an error message displaying Caught unexpected error while retrieving the Cluster Node List. If this occurs, navigate to the Standby Publisher tab and remove the server from the Designated Standby Publisher field. You can designate it as the standby again once the restoration is complete. If the subscriber is configured as the standby in the backup file, pass the -s flag during the restoration to restore the cluster configuration.

Common Criteria Mode Parameter

The Mode tab in the Cluster-Wide Parameters page allows you to enable or disable Common Criteria Mode and choose the mode in which devices within the cluster communicate. Common Criteria is an international standard for security certification. Use Common Criteria Mode for deployments that require strict compliance with Common Criteria requirements.

Common Criteria Mode has the following restrictions and requirements:

When a user enables Common Criteria mode, they must enter the existing cluster password, which is validated against the existing Common Criteria password rules. If the existing cluster password meets the requirements, no action is needed for the password and Common Criteria mode can be enabled. If the existing password does not meet the requirements, the user is prompted to change the password. If the new cluster password provided is not strong enough, the requirements are displayed so it can be corrected. The Change Cluster Password screen also includes this validation step when the cluster is in Common Criteria mode. The minimum cluster password strength requirements for Common Criteria mode are:

At least one uppercase letter

At least one lowercase letter

At least one number

At least one special character { } & ! @ # $ % ^ ? _ = . , + < > - *

A minimum length of 15 characters

The password cannot include a dictionary word

The password cannot contain more than four consecutive repeating characters

The password cannot contain more than four consecutive repeating characters from the same character class

If a Password did not meet the minimum requirements error displays, change the password to include a stronger combination of letters, numbers and special characters.
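The rules listed above, expressed as a small validator written for this page (an added example, not ClearPass code). The dictionary word list is a constructed stand-in for the product's own list, which the page does not give, and "more than four consecutive" is read as any run longer than four.

```python
# Checks a candidate cluster password against the Common Criteria rules listed
# on this page. Added example; the real validator's word list is not on the page.

# Special characters accepted by the Common Criteria cluster password rules.
SPECIAL_CHARS = set("{}&!@#$%^?_=.,+<>-*")
MIN_LENGTH = 15
MAX_CONSECUTIVE = 4

# Constructed stand-in for the product's dictionary (assumption, not the real list).
DICTIONARY_WORDS = {"password", "cluster", "admin", "welcome", "secret"}


def char_class(ch: str) -> str:
    """Map a character to one of the four classes the rules refer to."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    if ch in SPECIAL_CHARS:
        return "special"
    return "other"  # counts toward none of the required classes


def longest_run(seq) -> int:
    """Length of the longest run of identical consecutive items in seq."""
    best = run = 0
    prev = None
    for item in seq:
        run = run + 1 if item == prev else 1
        prev = item
        best = max(best, run)
    return best


def check_cluster_password(pw: str) -> list:
    """Return the rules the password violates; an empty list means it passes."""
    failures = []
    classes = [char_class(c) for c in pw]
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if "upper" not in classes:
        failures.append("no uppercase letter")
    if "lower" not in classes:
        failures.append("no lowercase letter")
    if "digit" not in classes:
        failures.append("no number")
    if "special" not in classes:
        failures.append("no special character")
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        failures.append("contains a dictionary word")
    # Runs are measured over the raw characters and over their classes separately.
    if longest_run(pw) > MAX_CONSECUTIVE:
        failures.append(f"more than {MAX_CONSECUTIVE} consecutive repeating characters")
    if longest_run(classes) > MAX_CONSECUTIVE:
        failures.append(f"more than {MAX_CONSECUTIVE} consecutive characters from the same class")
    return failures
```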

Common Criteria Mode cannot be enabled if fewer than three NTP servers are configured (for information on configuring multiple NTP servers, see the Add More NTP Servers option in Table 1, Changing Date and Time Parameters).

Common Criteria Mode requires that all the Policy Manager servers in the cluster have FIPS mode enabled (see FIPS Page).

Server certificates must be updated before you enable Common Criteria Mode (see Certificate Store).

Only Certificate Authority (CA)-issued certificates can be used for Policy Manager server certificates.

No self-signed certificates are allowed as trusted certificates.

All X.509 v3 trusted Certificate Authority (CA) certificates must satisfy the basic constraints.


All HTTPS communication to external services using X.509 v3 certificates must pass the basic constraint checks.

Cipher suites that use RSA, DSA, or DH keys shorter than 2048 bits or ECC keys shorter than 224 bits are not supported in Common Criteria Mode.

If a cluster is using CA-signed certificates, the replication service remains in a stopped state until after a cluster communication mode change is completed. This is expected behavior, introduced as a safety measure to keep the cluster secure while the operation completes. Reboot the individual cluster nodes after changing the cluster communication mode when using CA-signed certificates.

Figure 5  Cluster-Wide Parameters Page > Common Criteria Mode Parameter

Specify the Cluster-Wide Parameters > Mode parameter as described in the following table:

Table 5: Cluster-Wide Parameters > Mode Parameter

Parameter

Action/Description

Cluster Communication Mode

Click the drop-down list and select either IPv4 or IPv6 as the mode of communication for all cluster operations.

If this parameter is set to ipv6, all database and API calls use IPv6 addresses for cluster communication. If it is set to ipv4, IPv4 addresses are used for database and API calls instead. The default value of the cluster communication mode depends on the IP addresses configured on the appliance during installation or upgrade. If the appliance has only an IPv6 address, the default cluster communication mode is IPv6. If the appliance has both IPv4 and IPv6 addresses configured, or only an IPv4 address, the default cluster communication mode is IPv4. Whenever the cluster communication mode is changed, Policy Manager performs the following validations:

Configuration checks to verify an IP address in the correct format is configured for the interface.

Certificate checks to verify the database certificates have the correct IP address in the SAN field.

Certificate checks to verify the HTTPS certificates have the correct IP address in the SAN field.

Common Criteria Mode

The Common Criteria Mode is for specific deployments that require strict compliance to Common Criteria requirements. To enable or disable Common Criteria Mode, select TRUE or FALSE. The default is FALSE. When you set Common Criteria Mode to TRUE, the following message appears: WARNING: Setting this value to TRUE enables strict validation of Certificates and changes to modules in order to comply with Common Criteria requirements.

When Policy Manager is in Common Criteria (CC) mode, TLS 1.2 is enforced with RadSec, and TLS 1.0 and TLS 1.1 are no longer supported.

NOTE: When Common Criteria Mode is enabled, the text [CC] is shown in the release version footer of the WebUI.

Database Parameters

The following figure displays the Cluster-Wide Parameters > Database dialog:

Figure 6  Cluster-Wide Parameters > Database Dialog

Configure the Cluster-Wide Parameters > Database parameters as described in the following table:

Table 6: Cluster-Wide Parameters > Database Parameters

Parameter

Action/Description

Auto backup configuration options

Select any of the following auto-backup configuration options:

Off: Select this to not perform periodic backups.

Select Off before upgrading Policy Manager to avoid interference between the Auto Backup and migration processes.

Config: Performs a periodic backup of the configuration database that includes licensing information that would be required to restore a server to its original state. This is the default auto backup configuration option. In a cluster deployment, the backup file on the publisher also contains license information for all subscribers.

Config|SessionInfo: Performs a backup of the configuration database, certificates and licenses, and also the session log database.

NOTE: Keep in mind, if extensions are excluded from a backup file, and that backup file is restored on a system that already has extensions, that system's existing extensions remain and are not overwritten.

NOTE: It is recommended that you set this option to Off or Config before starting an upgrade. This ensures the Auto Backup process does not interfere with migration after the upgrade. If required, you can change this setting back to Config|SessionInfo 24 hours after the upgrade completes. Evaluation and Subscription licenses that have expired are not included in the backup.

Database user "appexternal" password

Enter the password for the appexternal username for this connection to the database.

Replication Batch Interval

Configure the time interval (in seconds) at which the subscribers synchronize with the publisher. The default value is 5 seconds. The allowed range is 1 to 60 seconds.

Store Password Hash for MSCHAP authentication

To store passwords for admin and local users in Hash and NTLM hash formats (which enables RADIUS MSCHAP authentications against admin or local repositories), set this to TRUE.

If you set this to FALSE, RADIUS MSCHAP authentications are not possible because the NTLM hash passwords are removed for all the users.

NOTE: When you set this value to TRUE, you must reset all the passwords to re-enable RADIUS MSCHAP authentication against the user repositories.

Store Local User Passwords using reversible encryption

To enable cleartext password comparison against local users, set this to TRUE.

If you set this to FALSE, cleartext password comparison against local users is not possible because the reversible passwords for local users are removed.

NOTE: After setting this value to TRUE, you must reset all the local user passwords to re-enable cleartext password comparison against local users.


The time it takes for subscribers to synchronize with the publisher in the event of downtime will depend on the duration of the subscriber's downtime and on when the replication recovery is next run on the subscriber after it is back online. It might take as much as 24 hours for the subscriber to synchronize with the publisher.

Profiler Parameters

The following figure displays the Cluster-Wide Parameters > Profiler dialog:

Figure 7  Cluster-Wide Parameters > Profiler Dialog


Starting with Policy Manager 6.10.2, the Policy Manager server no longer needs to have Device Insight integration disabled in order to run other types of scans that use ClearPass Profiler, so users can seamlessly run any type of Profiler scan even while Device Insight's device discovery is active. In Policy Manager 6.10.0 and 6.10.1, when Device Insight Integration is enabled, the Cluster-wide Parameters > Profiler tab is hidden because Device Insight functionality replaces the Policy Manager functions available through the Profiler tab (for more information, see Device Insight Integration Page).

Configure the Cluster-Wide Parameters > Profiler parameters as described in the following table:

Table 7: Cluster-Wide Parameters > Profiler Tab Parameters

Parameter

Action/Description

Ignore Conflict (Network Boot Agents)

To enable the Ignore Conflict (Network Boot Agents) parameter, choose TRUE. The default is FALSE.

Profiler Scan Ports

To change the list of TCP ports to scan (and to add custom fingerprints that classify devices based on those ports), enter the new TCP port numbers.

The TCP ports scanner checks to see if the specified Profiler Scan Ports are open. The default TCP ports are 135 and 3389.

Process wired device information from IF-MAP interface

Choose whether to process wired device information from the IF-MAP interface.

The default is FALSE.

Conflict Detection Strict Mode

Select from the following settings. The default value is medium.

high - Flag a Profiler conflict if the device category and the DHCP attributes or the hostname change.

medium - Flag a Profiler conflict if the device category changes.

low - Flag a Profiler conflict if the device category or the device family changes.

Enable Endpoint Port Scans using Nmap

Set this option to TRUE to enable Endpoint scans using Nmap (Network Mapper).

NOTE: The Open Ports scanner is disabled when Nmap-based port scanning is enabled.

When Nmap scan is enabled, the following warning is displayed:

WARNING: Setting this value to TRUE enables active scan of the host for open ports. This can be resource intensive. Also, the Profiler Scan Ports value is ignored when Nmap scan is enabled.

Enable Endpoint Port Scans using WMI

Set this option to TRUE to enable Endpoint scans using WMI (Windows Management Instrumentation).

Enable NTLMv1 for WMI scans

Set this parameter to TRUE to enable NT LAN Manager v1 (NTLMv1) for WMI (Windows Management Instrumentation) scans. The default is FALSE.

For more information, see WMI Credentials Configuration.

Netflow/sFlow Reprofile Interval

Specify the interval after which endpoints will be reprofiled. The default value is 24 hours. The minimum value is one hour. This setting requires the Access license. If you have an Entry license only, this field will not appear.

For more information about the Netflow and sFlow collectors, see Endpoint Information Collectors.

TACACS+ Parameters

The following figure displays the Cluster-Wide Parameters > TACACS+ dialog:

Figure 8  Cluster-Wide Parameters > TACACS+ Dialog

Configure the Cluster-Wide Parameters > TACACS+ parameters as described in the following table, then click Save.


ClearPass will not save a Cluster-Wide TACACS+ configuration if the primary TACACS+ server is not configured but secondary/tertiary TACACS+ servers are configured. The primary TACACS+ server must be configured before you can configure the secondary TACACS+ server, and the secondary TACACS+ server must be configured before you can configure the tertiary TACACS+ server.

Table 8: Cluster-Wide Parameters > TACACS+ Parameters

Parameter

Action/Description

Disable Change Password for TACACS+

When logging in for TACACS+ user authentication:

If set to FALSE (the default setting), after entering a blank password, you are presented with an option to change the TACACS+ user password.

If set to TRUE, the option to enter the TACACS+ user password is displayed. The option to change the TACACS+ password is not displayed.

TACACS+ User Prompt Text

You can modify the text to be used for the TACACS+ username prompt as needed. The default TACACS+ username prompt is UserName:

TACACS+ Password Prompt Text

You can modify the text to be used for the TACACS+ password prompt as needed. The default TACACS+ password prompt is Password:

TACACS+ Connection Idle Timeout

An idle TACACS+ login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. To close idle sessions automatically, you must configure a time limit for each login class.

Specify the TACACS+ Connection Idle Timeout duration in seconds as needed.

The default value is 900 seconds (15 minutes).

The minimum allowed value is 60 seconds.

The maximum allowed value is 172800 seconds (two days).

Allow Unencrypted Communication

Enable this setting to allow unencrypted communication in test environments. This parameter is disabled by default. When it is enabled, Policy Manager displays the warning message "Warning: Setting the "Allow Unencrypted Communication" value to "Enable" will allow unencrypted TACACS+ requests to be processed. This is not recommended for production environments."

Admin UI Login TACACS+ Client IP set by X-Forwarded-For (XFF) header

The default setting for this parameter is FALSE (disabled). Set this parameter to TRUE (enabled) if an HTTP proxy server sits in front of Policy Manager and the X-Forwarded-For header value should be used as the remote client IP address for the admin server or TACACS+ server.

Admin UI Login Remote TACACS+ Server IP

This option is used if you want the Policy Manager server to authenticate against a TACACS+ server. In this case, the Policy Manager server is acting as a TACACS+ client and talking to the TACACS+ server in order to authenticate users.

Specify the IP address for the remote TACACS+ server.

Admin UI Remote TACACS+ Server Shared Secret

Use this option if you want the Policy Manager server to authenticate against a TACACS+ server.

Enter the Shared Secret for the remote TACACS+ server.

Admin UI Remote TACACS+ Server Port

Use this option to set a custom value for the remote TACACS+ server port. The default server port value is 49.

Allow Unauthenticated TACACS+ User Request Processing

If enabled, TACACS+ authorization and accounting requests will be processed using an authenticated session based on username. Users should be aware the authenticated session lifetime expires when the TACACS+ service restarts, or when the cache times out.