System Page
Use this page to manage port configurations, join an Active Directory domain, or set a server password. For more information on ClearPass port interfaces, see also Data and Management Port Interfaces.
To configure the > page parameters:
1. Navigate to > > .
2. Select the Policy Manager server of interest. The page opens onto the page (see Figure 1).
Figure 1 Server Configuration > System Page
3. Specify the > page parameters as described in the following table, then click :
Parameter |
Action/Description |
Hostname |
Specify the host name of the Policy Manager server. Although you do not need to enter the fully qualified domain name (FQDN) in this field, when you create a certificate signing request, the request uses the information in the hostname field as the common name (CN) by default. If the hostname field does not use an FQDN, the common name field in CSR requests must be manually updated to include a proper FQDN. Users should be aware that, when configuring a hostname that includes a period character ( . ), the substring before the first period character must be unique for each appliance. This is because a hostname field that includes a period character is interpreted to be a Fully Qualified Domain Name (FQDN), in which case the substring before the first period character is the hostname. Examples of valid hostname configurations: cppm1.arubanetworks.com, cppm2.arubanetworks.com. Examples of invalid hostname configurations: cppm1.santaclara.arubanetworks.com, cppm1.bangalore.arubanetworks.com. |
(Optional) Enter the Fully-Qualified Domain Name (FQDN) of the Policy Manager server. |
|
Policy Manager Zone |
To specify a Policy Manager zone, select a previously configured zone from the drop-down list, then click the link. If you need to add a Policy Manager zone, click the link. For more information on adding zones, see Adding Policy Manager Zones. |
Enable Performance Monitoring Display |
To enable the ClearPass Policy Manager server to perform performance monitoring, select the check box. |
Insight Setting |
To enable the Insight reporting tool on this node, select the check box.
When you enable this check box for Insight on a node in a cluster, the [Insight Repository] configuration is updated automatically to point to the management IP address of that Policy Manager server. When this check box is enabled for other servers in the cluster, they are added as backups for the same authentication source. The order of the primary and backup servers in the [Insight Repository] is the same order in which the user enables Insight on the server. |
Enable as Insight Primary Server |
To specify the current server in the cluster as an Insight Primary server, select this check box. This option is available only when > is enabled. |
Check this check box to enable ingress events processing on this server. For more information, see Enabling Ingress Events Processing. |
|
Use this option to specify the current Policy Manager server as the Primary or Secondary master Policy Manager server within a Policy Manager zone. If no Primary master server for a zone is configured, the Policy Manager server with the lowest UUID is designated as the Primary master server. To do so, select or from the drop-down list. The Primary Policy Manager server in the zone distributes the scan requests to all the nodes in the zone, depending on the number of seed devices (Network Discovery) or the number of networks/subnets (for subnet scans) configured. If the Primary server goes down, the secondary server assumes the role of the Primary server. Each scan configuration that is added is distributed by the master Policy Manager server to a different node in the zone. If one scan configuration has multiple seed devices (Network Discovery), scan requests are distributed to other nodes in the zone based on the number of ARP entries received from the seed devices. If one scan configuration has multiple subnets configured (Subnet Scan), scan requests are distributed to other nodes in the zone. |
|
Span Port |
If necessary, select a port for DHCP spanning. On selecting a port, the check box appears. This field is optional. Starting with Policy Manager 6.10.2, the Policy Manager server no longer needs to have Device Insight integration disabled in order to define a span port on a Policy Manager server. In Policy Manager 6.10.0 and 6.10.1, when is enabled, the Span Port option is not available (for more information, see Device Insight Integration Page). |
Management Port |
To configure the Management Port parameters, click Management Port Configuration. The dialog opens. For details, see |
Data/External Port |
To configure the Data/External port, click For details, see Data/External Port Configuration. |
For details, see DNS Settings Configuration. |
|
AD Domains |
Displays a list of the joined Active Directory domains. To join an Active Directory domain, click . |
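The Hostname rule in the table above can be checked against a planned list of appliance names before the values are entered on each server. The following Python sketch is an added example, not HPE Aruba Networking code; the function names, the case-insensitive comparison, and the RFC 1123 label syntax check are assumptions made for illustration, and the sample list is constructed from the hostnames shown in the table.

```python
import re
from collections import defaultdict

# RFC 1123 label syntax: letters, digits and hyphens, 1-63 characters,
# no leading or trailing hyphen. (Assumption: the page does not state
# which characters the Hostname field accepts.)
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def short_label(hostname):
    """Substring before the first period (the whole value if there is none).

    Lower-cased because DNS names compare case-insensitively (assumption
    that the appliances are compared the same way).
    """
    return hostname.split(".", 1)[0].lower()


def audit_hostnames(hostnames):
    """Audit planned Hostname values for a set of appliances.

    Returns a dict with:
      collisions      - {short label: [values sharing it]}; these break the
                        rule that the part before the first period must be
                        unique for each appliance
      needs_manual_cn - values with no period; a CSR generated from them
                        carries a non-FQDN common name that must be edited
      invalid         - values containing a label that is not valid syntax
    """
    by_label = defaultdict(list)
    result = {"collisions": {}, "needs_manual_cn": [], "invalid": []}
    for raw in hostnames:
        name = raw.strip()
        if not name:
            continue
        labels = name.split(".")
        if not all(LABEL_RE.fullmatch(label) for label in labels):
            result["invalid"].append(name)
            continue
        by_label[short_label(name)].append(name)
        if len(labels) == 1:
            result["needs_manual_cn"].append(name)
    result["collisions"] = {
        label: names for label, names in by_label.items() if len(names) > 1
    }
    return result


# Constructed sample: the page's own examples plus two hypothetical values.
PLANNED = [
    "cppm1.arubanetworks.com",
    "cppm2.arubanetworks.com",
    "cppm1.santaclara.arubanetworks.com",  # same short label as the first entry
    "cppm3",                               # no period: CSR CN needs a manual FQDN
    "cppm_4.arubanetworks.com",            # underscore is not valid label syntax
]

if __name__ == "__main__":
    report = audit_hostnames(PLANNED)
    for label, names in report["collisions"].items():
        print(f"duplicate hostname '{label}': {', '.join(names)}")
    for name in report["needs_manual_cn"]:
        print(f"'{name}' is not an FQDN: update the CSR common name by hand")
    for name in report["invalid"]:
        print(f"'{name}' contains an invalid label")
```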
To configure the Policy Manager server's Management port:
1. From the > > > > section, click . The dialog opens.
Figure 2 Configure Management Port Dialog (IPv4)
2. Specify the parameters for IPv4 as described in the following table:
Parameter |
Action/Description |
Select IP Version |
Select . |
IP Address |
Specify the IPv4 address that is used to access the ClearPass Policy Manager server's management port. When a new hardware appliance is first powered on, it already shows an existing management IP address. This IP address is set during the manufacturing process, and is replaced when you enter your management IP address during appliance configuration. |
Subnet Mask |
Specify the management interface subnet mask for an IPv4 address. |
Default Gateway |
Specify the default gateway for the management interface. A default gateway serves as an access point or IP router that a networked device uses to send information to a device in another network or the Internet. |
Warning |
Changing IP details might cause the system to lose network connectivity and require re-login. The Database Server Certificate may need to be updated. Save the Server Configuration page for changes to take effect. |
3. Click .
Figure 3 Configure Management Port Dialog (IPv6)
4. Specify the parameters for IPv6 as described in the following table:
Parameter |
Action/Description |
Select IP Version |
Select . |
IPv6 Address/Mask |
Specify the IPv6 address that is used to access the ClearPass Policy Manager server's management port. To configure the IPv6 address, specify the IPv6 address with prefix length: < ipv6address\prefixlength >. IPv6 addresses don't require a netmask as they use Classless Inter-Domain Routing (CIDR). |
IPv6 Default Gateway |
Specify the default gateway for the management interface. A default gateway serves as an access point or IP router a networked device uses to send information to a device in another network or the Internet. |
Warning |
Changing IP details might cause the system to lose network connectivity and require re-login. The Database Server Certificate may need to be updated. Save the Server Configuration page for changes to take effect. |
To configure the Policy Manager server's Data/External port:
1. From the > > section, click .
The dialog opens.
Figure 4 Configure Data/External Port Dialog (IPv4)
2. Specify the parameters for IPv4 as described in the following table:
Parameter |
Action/Description |
Select IP Version |
Select . |
IP Address |
Specify the IPv4 address of the Policy Manager server's data interface. |
Subnet Mask |
Specify the management interface subnet mask for an IPv4 address. |
Default Gateway |
Specify the IPv4 address of the default gateway for the data interface. |
3. Click .
Figure 5 Configure Data/External Port Dialog (IPv6)
4. Specify the parameters for IPv6 as described in the following table:
To configure the Policy Manager server's DNS (Domain Name System) settings:
1. From the page > tab > , click .
The dialog opens.
Figure 6 Configure DNS Settings Dialog
2. Specify the parameters as described in the following table:
3. To save your changes, select Enable restart services for changes to take effect, then click . Note that you also have to save changes to the server configuration page to update your DNS settings.
You can join Policy Manager to an Active Directory (AD) domain to authenticate users and computers that are members of an Active Directory domain. If you join Policy Manager to an Active Directory domain, it creates an account for the Policy Manager node in the Active Directory database. Users can then authenticate into the network using 802.1X and EAP methods, such as PEAP-MSCHAPv2, with their own Active Directory credentials.
If you need to authenticate users belonging to multiple Active Directory forests or domains in your network, and there is no trust relationship between these entities, then you must join Policy Manager to each of these untrusted forests or domains.
|
Policy Manager is not required to join multiple domains belonging to the same Active Directory forest because a one-way trust relationship exists between those domains. In this case, Policy Manager can join the root domain. |
Policy Manager can join or leave an Active Directory domain by using the following two buttons in the page > tab:
Join Domain: Click to join this Policy Manager appliance to an Active Directory domain.
Leave Domain: If the server is already part of multiple Active Directory domains, click to disassociate this Policy Manager appliance from an Active Directory domain.
|
For most use cases, if you have multiple nodes in the cluster, you must join each node to the same Active Directory domain. Always join to the domain controller that is physically closest to the Policy Manager server; otherwise authentication might fail or the performance might be impacted. |
To join the selected Policy Manager server to an Active Directory domain:
1. From the page > tab > , click .
The dialog opens:
Figure 7 Join AD Domain Dialog
2. Specify the parameters as described in the following table.
3. Click .
The status screen opens and displays status during the joining process: first the message "Checking whether <name> domain controller is co-located with this ClearPass Policy Manager server." and then "Adding host to AD domain." When the joining process completes successfully, you see the message "Added host to the domain."
If Policy Manager cannot identify the domain controller because Active Directory has not been configured with site information, this form displays the warning "Unable to identify which Active Directory site this Policy Manager server is located in. Authentications might fail or be impacted if the selected domain controller is not co-located."
If Policy Manager determines that you are not joining the closest domain controller, the form displays both a warning message and a button that you can use to find the closest domain controllers.
4. To display a list of available controllers, click the button .
You can then select a controller from the available list, or proceed with the domain controller you originally selected.
5. Click .
You return to the page, and it now shows that the Policy Manager server is joined to the domain.
Now that the Policy Manager server has joined the domain, the server can authenticate users with Active Directory.
After an Active Directory Domain is added, the domain controller can be set up as a password server (as described in the next section).
After Policy Manager successfully joins an Active Directory domain, you can configure a restricted list of domain controllers to be used for MSCHAP authentication. If this is not configured, then all available domain controllers obtained from DNS will be included.
1. Navigate to > > , then select the Policy Manager server of interest.
2. In the section of the page, click the icon: .
This icon appears only after Policy Manager joins at least one Active Directory domain (see Figure 8).
Figure 8 Add Active Directory Password Server Icon
The dialog opens.
Figure 9 Active Directory Password Server Added
3. Specify the following:
Domain controller
Password servers: Enter the IP address or FQDN of the Active Directory Domain Controller (ADDC) in the password servers text box, one entry per line.
4. To complete adding the Active Directory password servers, click .