Adding a Network Device

To add a network device:

1. Navigate to the Configuration > Network > Devices page. The Network Devices page opens.

Figure 1  Network Devices Page

2. Click the Add link. The Add Device page opens.

Figure 2  Add Device > Device Dialog

Configure Device Settings

Click the Device tab and configure the parameters as described in Table 1:

Table 1: Add Device > Device Parameters

Parameter

Action/Description

Name

Enter the name of the device.

IP Address or Subnet

Specify the IPv4 or IPv6 address or the subnet of the device.

You can use a hyphen to indicate a range of device IP addresses in the format a.b.c.d-e, for example 192.168.1.1-20. IPv6 addresses can be entered in the formats 2001:db8:a0b:12f0::1/64 or 2001:db8:a0b:12f0::1fab-20ff.

The prefix length can be 0-128 bits. Link-local, site-local, loopback, and multicast addresses are not allowed. An IPv6 address or subnet cannot be configured for network access devices (NADs) where RadSec is enabled.

NOTE: When a subnet is added to a device through the fields on this tab, the network devices belonging to that subnet are only read if traps are received from those devices.

Description

Enter a description that provides additional information to identify the device.

RADIUS Shared Secret

Enter the RADIUS shared secret. The secret is what authenticates RADIUS traffic between this device and Policy Manager, so use a long, unique value per device and configure exactly the same value on the NAD.

TACACS+ Shared Secret

Enter the TACACS+ shared secret. As with RADIUS, the value must match the one configured on the device.

Vendor Name

Specify the name of the vendor to load the dictionary associated with this vendor for this device.

NOTE: RADIUS:IETF, the dictionary containing the standard set of RADIUS attributes, is always loaded. When you specify a vendor here, the RADIUS dictionary associated with this vendor is automatically enabled.

Enable RADIUS Dynamic Authorization

If RADIUS Dynamic Authorization has not been automatically enabled, click the check box to enable this option.

RADIUS Dynamic Authorization allows dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing authorizations applicable to a user session.

Dynamic Authorization Port

The access point's UDP port for Dynamic Authorization must be reachable from your RADIUS server. The Dynamic Authorization Port is set by default to 3799, the port defined for Change-of-Authorization and Disconnect messages in RFC 5176.

Enable RadSec

To enable RadSec, click the Enable RadSec check box.

When RadSec is enabled, the RADIUS shared secret is populated with a default shared secret with the string "radsec" (the fixed value specified by RFC 6614, because the TLS session rather than the secret protects the traffic).

NOTE: It is important that the controller is configured with the same shared secret. By default, RadSec communications use TCP port 2083. Therefore, when you enable RadSec, ClearPass automatically creates a policy rule to allow communication on port 2083.
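As an added example (not ClearPass code), the address forms accepted in the IP Address or Subnet field above can be validated before a device definition is submitted through the API or a bulk import. The Python below expands the a.b.c.d-e and IPv6 hyphen ranges, checks the prefix form, rejects link-local, site-local, loopback and multicast IPv6 addresses, and refuses IPv6 on a RadSec-enabled device. It assumes the special-address rule applies to IPv6 only and that a hyphen range covers the last octet or hextet, as in the page's own examples; the function names are hypothetical.

```python
import ipaddress

def _reject_special_v6(addr):
    """The Device tab disallows these IPv6 ranges (assumption: the rule is applied to IPv6 only)."""
    if addr.is_link_local or addr.is_site_local or addr.is_loopback or addr.is_multicast:
        raise ValueError(f"{addr}: link-local, site-local, loopback and multicast addresses are not allowed")

def _hyphen_range(start, end_text, radix, mask):
    """Expand a.b.c.d-e (radix 10, last octet) or ...::1fab-20ff (radix 16, last hextet)."""
    end = int(end_text, radix)
    first = int(start) & mask
    if end < first or end > mask:
        raise ValueError(f"range end {end_text} must be >= {first:x} and <= {mask:x}")
    base = int(start) - first
    return [start.__class__(base + i) for i in range(first, end + 1)]

def parse_device_address(text, radsec_enabled=False):
    """Return the ipaddress objects covered by one 'IP Address or Subnet' entry, or raise ValueError."""
    text = text.strip()
    if ":" in text:                                   # IPv6 forms
        if radsec_enabled:
            raise ValueError("an IPv6 address or subnet cannot be configured when RadSec is enabled")
        if "/" in text:                               # prefix form; /0 to /128 is checked by ipaddress
            net = ipaddress.IPv6Network(text, strict=False)
            _reject_special_v6(net.network_address)
            return [net]
        if "-" in text:                               # 2001:db8:a0b:12f0::1fab-20ff
            base, end = text.rsplit("-", 1)
            addrs = _hyphen_range(ipaddress.IPv6Address(base), end, 16, 0xFFFF)
        else:
            addrs = [ipaddress.IPv6Address(text)]
        for a in addrs:
            _reject_special_v6(a)
        return addrs
    if "/" in text:                                   # IPv4 subnet, e.g. 10.2.54.0/24
        return [ipaddress.IPv4Network(text, strict=False)]
    if "-" in text:                                   # 192.168.1.1-20
        base, end = text.rsplit("-", 1)
        return _hyphen_range(ipaddress.IPv4Address(base), end, 10, 0xFF)
    return [ipaddress.IPv4Address(text)]
```

Running parse_device_address on each entry of an import file before calling the API surfaces malformed ranges and disallowed IPv6 addresses as a single ValueError per entry rather than as a partially applied device list.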
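The Dynamic Authorization exchange that the Enable RADIUS Dynamic Authorization and Dynamic Authorization Port settings turn on is shown below as an added example written in Python with the standard library; it is not ClearPass or NAD code. It builds a Disconnect-Request as the server would send it to UDP port 3799, verifies it as the NAD would, and then checks the Disconnect-ACK, which shows why the shared secret must match on both sides and why an unverifiable ACK must not be trusted. The session attribute values are constructed, and the optional Message-Authenticator attribute that RFC 5176 recommends is not included.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes for RADIUS Dynamic Authorization.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
DYNAMIC_AUTHORIZATION_PORT = 3799            # default UDP port from the Device tab

# Standard (RADIUS:IETF dictionary) attribute types used to identify the session.
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 1, 31, 44

def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) | Length(1) | Value; Length includes the header."""
    out = b""
    for t, v in pairs:
        v = v.encode() if isinstance(v, str) else v
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def build_request(identifier, pairs, secret):
    """Server side: Disconnect-Request whose Authenticator proves knowledge of the shared secret."""
    attrs = _attrs(pairs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_request(packet, secret):
    """NAD side: recompute the Request Authenticator; a wrong secret or any tampering fails here."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return code == DISCONNECT_REQUEST and hmac.compare_digest(packet[4:20], expected)

def build_response(request, code, secret, pairs=()):
    """NAD side: Disconnect-ACK or Disconnect-NAK; the Response Authenticator binds it to the request."""
    attrs = _attrs(pairs)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + attributes + secret)
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def verify_response(request, response, secret):
    """Server side: returns (authentic, code); an unverifiable ACK must not count as a disconnect."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return ident == request[1] and hmac.compare_digest(response[4:20], expected), code

def disconnect_session(server_secret, nad_secret, identifier=0x2A):
    """Full exchange for one constructed session; returns (accepted by NAD, ACK verified by server)."""
    req = build_request(identifier, [(ATTR_USER_NAME, "alice"),
                                     (ATTR_CALLING_STATION_ID, "00-11-22-33-44-55"),
                                     (ATTR_ACCT_SESSION_ID, "5f3a9c01")], server_secret)
    accepted = verify_request(req, nad_secret)
    resp = build_response(req, DISCONNECT_ACK if accepted else DISCONNECT_NAK, nad_secret)
    authentic, code = verify_response(req, resp, server_secret)
    return accepted, authentic and code == DISCONNECT_ACK
```

With matching secrets disconnect_session returns (True, True); with a mismatch the NAD rejects the request and the server cannot verify the NAK it gets back, which is the symptom seen when the controller's secret differs from the one entered on this tab.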

Configure RadSec Settings

To configure the source override IP address:

1. Go to Configuration > Network > Devices and open the Edit Device Details form for the RadSec-enabled device.

2. On the RadSec Settings tab, in the Source Override IP Address field, enter the same IP address as the network access device (NAD) IP for RadSec.

3. This must be done for all NAD definitions on upgraded appliances; it is not needed thereafter for new NAD definitions.

To update the certificate usage:

1. Go to Administration > Certificates > Trust List.

2. For each Certificate Authority (CA) root certificate that will be used for RadSec, open the View Certificate Details form and add RadSec in the Usage list.

If you selected the Enable RadSec option on the Device tab, select the RadSec Settings tab and configure the RadSec parameters as described in Table 2. Note that this tab does not appear unless you select the Enable RadSec option.

Figure 3  Add Device > RadSec Settings Tab

Table 2: Add Device > RadSec Settings Parameters

Parameter

Action/Description

Source Override IP address

The default value is the IP address or subnet of the device entered in the IP Address or Subnet field on the Device tab. If the NAD IP address is different from the source IP address, enter the source IP address or subnet in this field to override the NAD IP with the desired source IP address.

NOTE: Subnets must be defined by a slash, not a hyphen.

Supported format: 10.2.54.0/24

Not supported format: 10.2.14.0-24

IPv6 addresses are not allowed in NAD configurations when RadSec is enabled.

If you want to use certificate validation rather than source IP validation, set the Source Override IP address to 0.0.0.0/0. Certificate validation allows devices with a valid RadSec client certificate to connect from anywhere.

NOTE: When setting the Source Override IP address, keep in mind the following warning message displays if the address is set to 0.0.0.0/0 or ::/0. "WARNING: Setting the Source Override IP address to 0.0.0.0/0 or ::/0 allows radsec traffic from any device trying to establish connection on the configured radsec port. It is recommended to enable certificate validation when setting the Source Override IP address to 0.0.0.0/0 or ::/0 to allow only authorized devices."

Validate Certificate

If you do not want any validation or authorization checks for this device, select the No Authorization Checks option.

To validate the certificate by common name (CN) or Subject Alternative Name (SAN), select Validate with CN or SAN and enter the following values:

Common Name Regex: Enter the name associated with this entity. This can be a host name, IP address, or other name.

Subject Alternative Name Regex: Enter the Subject Alternative Name (SAN) for the specified Common Name in one of the following formats:

email: email_address

URI: uri

IP: x.x.x.x

dns: dns_name

rid: id

For RFC 6614-compliant validation using the issuer distinguished name (DN) and certificate serial number, select RFC Compliant (Serial + Issuer) and enter the following values:

Issuer DN

Serial Number

Common Name Regex

Subject Alternative Name Regex

Devices with valid RadSec client certificates can connect from anywhere, regardless of location, including from public IP addresses assigned by ISPs, because with the Source Override IP address set to 0.0.0.0/0 Policy Manager does not check the source IP address of a connecting client. Aruba recommends enabling certificate validation so that only authorized devices can create a tunnel: enter 0.0.0.0/0 in the Source Override IP address field and, in the Validate Certificate field, select Validate with CN or SAN. Without certificate validation, setting the Source Override IP address to 0.0.0.0/0 or ::/0 allows RadSec traffic from any device that establishes a connection on the configured RadSec port.

RadSec Certification Validation

To configure RadSec settings for RFC compliance (Serial + Issuer):

1. Navigate to Configuration > Network > Devices and select Add. Provide a default configuration for the device and be sure to select the Enable RadSec option to display the required RadSec Settings tab within the Add Device screen.

Figure 4  Add Device > Enable RadSec

2. Select the newly added device from the Network Devices tab. From the RadSec Settings tab, ensure No Authorization Checks is selected from the Validate Certificate drop-down menu.

3. Navigate to Administration > Certificates and select Trust List. From the Certificate Trust List, locate the certificate made available in the output of the access point's show cert all command and enable its Usage as RadSec.

4. Modify the existing network access device (NAD) that was added for Instant AP (IAP) information. From the Edit Device Details > RadSec Settings screen, change the value of the Validate Certificate field to RFC Compliant (Serial + Issuer).

Figure 5  RadSec Settings > Validate Certificate

5. Select the certificate returned by the show cert all command from within the Device Certificate section.

6. In the Serial Number field, enter the serial number displayed in the Device Certificate section, and returned by the show cert all command.

7. In the Common Name Regex Regular Expression. Regex refers to a sequence of symbols and characters defining a search pattern. field, enter the value displayed for the Subject in the Device Certificate section and returned by the show cert all command.

8. Select Enable to confirm saving the updated RadSec-related settings; this re-establishes all existing RadSec sessions. Click Save.
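To make the interaction of the Source Override IP address and Validate Certificate settings concrete, here is an added Python model (not ClearPass code) of the admission decision for one RadSec client connection: the peer address is checked against the override subnet, then the client certificate against the chosen validation mode. The certificate fields are a constructed dictionary in the shape the show cert all output presents them. The model assumes the TLS handshake has already validated the chain against a trusted CA marked with RadSec usage, that the Common Name Regex is matched against the subject CN and the SAN regex against each SAN entry in the type:value form listed above, and that serial numbers compare equal after stripping separators and leading zeros. Class and function names are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed certificate fields, in the shape a NAD's "show cert all" output presents them.
# A real implementation would take them from the parsed X.509 client certificate.
SAMPLE_CLIENT_CERT = {
    "subject": "CN=iap-lab-01.example.net,O=Example Corp",
    "issuer": "CN=Example Device CA,O=Example Corp",
    "serial": "04:3A:F1:00:9B",
    "san": ["dns:iap-lab-01.example.net", "IP:10.2.54.17"],
}

@dataclass
class RadSecDevicePolicy:
    """The RadSec Settings tab of one device definition (hypothetical model)."""
    source_override: str                 # "10.2.54.0/24" or "0.0.0.0/0"
    validate: str                        # "none" | "cn_or_san" | "rfc_serial_issuer"
    cn_regex: Optional[str] = None
    san_regex: Optional[str] = None
    issuer_dn: Optional[str] = None
    serial: Optional[str] = None

def _source_network(text):
    if "-" in text:                      # hyphen ranges are not accepted on this tab
        raise ValueError("use slash notation such as 10.2.54.0/24, not 10.2.14.0-24")
    net = ipaddress.ip_network(text, strict=False)
    if net.version == 6:
        raise ValueError("IPv6 is not allowed on a RadSec-enabled device")
    return net

def _norm_serial(s):                     # "04:3A:F1:00:9B" and "043af1009b" compare equal
    return re.sub(r"[^0-9a-f]", "", s.lower()).lstrip("0") or "0"

def _norm_dn(dn):                        # tolerate spacing differences between RDNs only
    return ",".join(part.strip() for part in dn.split(","))

def _cn_of(subject):
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject)
    return m.group(1).strip() if m else ""

def certificate_allowed(policy, cert):
    if policy.validate == "none":        # No Authorization Checks
        return True
    if policy.validate == "cn_or_san":   # Validate with CN or SAN
        # fullmatch, so a regex of "iap-lab" does not also admit "iap-lab.attacker.example"
        if policy.cn_regex and re.fullmatch(policy.cn_regex, _cn_of(cert["subject"])):
            return True
        return bool(policy.san_regex) and any(re.fullmatch(policy.san_regex, s) for s in cert["san"])
    if policy.validate == "rfc_serial_issuer":   # RFC Compliant (Serial + Issuer)
        return (_norm_dn(policy.issuer_dn or "") == _norm_dn(cert["issuer"])
                and _norm_serial(policy.serial or "") == _norm_serial(cert["serial"]))
    raise ValueError(f"unknown Validate Certificate mode {policy.validate!r}")

def admit_radsec_client(policy, peer_ip, cert):
    """Decision for one inbound TCP/2083 connection: source check first, then the certificate check."""
    if ipaddress.ip_address(peer_ip) not in _source_network(policy.source_override):
        return False, "peer outside Source Override IP address"
    if not certificate_allowed(policy, cert):
        return False, "client certificate rejected by Validate Certificate setting"
    return True, "accepted"
```

The combination the warning above describes is RadSecDevicePolicy("0.0.0.0/0", "none"): every peer passes the source check and every certificate passes the validation check, so any client holding a certificate from a trusted CA is admitted. Pairing 0.0.0.0/0 with a CN, SAN or serial-plus-issuer rule is what narrows that back down to the intended devices.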

SNMP Read Settings Parameters

Click the SNMP Read Settings tab to define values that allow ClearPass Policy Manager to read information from the device using SNMPv1, SNMPv2, or SNMPv3. Available parameters are described in the table below.

Large or geographically spread cluster deployments typically do not require each Policy Manager node to probe all SNMP-configured devices.

Figure 6  Add Device > SNMP Read Settings Dialog

Add Device > SNMP Read Settings Parameters

Parameter

Action/Description

Allow SNMP Read

Toggle to enable or disable SNMP Read operations.

NOTE: Network device polling is not dependent on SNMP traps configured on NAD devices. In a cluster, Policy Manager automatically load-balances NAD SNMP Reads across all the nodes in a zone.

Policy Manager Zone

Use this field to assign Network Access Devices to a zone, allowing the SNMP service to poll or query only the NADs that are in its zone.

OnConnect Enforcement is triggered when a trap from a NAD is received by a Policy Manager node. If the zone assigned to a Policy Manager node is not the same as the zone configured here, OnConnect Enforcement is not triggered on that Policy Manager node.

NOTE: Assigning a Policy Manager Zone is mandatory for all devices if SNMP Read or OnConnect enforcement is enabled.

SNMP Read Setting

Specify one of the following SNMP Read Settings:

SNMP v1 with community strings

SNMP v2 with community strings

SNMP v3 with no Authentication

SNMP v3 with Authentication using MD5 and no Privacy

SNMP v3 with Authentication using MD5 and with Privacy

SNMP v3 with Authentication using SHA and no Privacy

SNMP v3 with Authentication using SHA and with Privacy

NOTE: The MD5 authentication type is not supported when you use Policy Manager in FIPS mode.

Community String

Enter the community string used for SNMP read operations on this device.

NOTE: Available in the SNMP v1 and v2 community-string settings only.

Verify

Re-enter the community string.

Read ARP Table Info

Enable the Read ARP table on this device check box on a Layer-3 device if you intend to use the ARP table on this device to discover endpoints in the network.

NOTE: When this option is selected, all ARP entries read during periodic Network Access Device reads are added to Policy Manager endpoints. SNMP, WMI, NMap, and SSH scans are not used in this process. When Device Insight Integration is enabled, this field is hidden (for more information, see Device Insight Integration Page).

Username

Specify the admin user name to use for SNMP read operations.

NOTE: Available in SNMP v3 only.

Authentication Key

Enter the authentication key for the SNMP v3 with Authentication options (SHA or MD5).

NOTE: The MD5 authentication type is not supported in FIPS mode.

NOTE: Authentication Key is available in SNMP v3 only.

Privacy Key

Enter the privacy key for the SNMP v3 with Privacy options.

NOTE: Available in SNMP v3 only.

Privacy Protocol

Choose one of the available SNMPv3 privacy protocols for read operations:

DES-CBC

AES-128

AES-256

NOTE: The Privacy Protocol option is available with SNMP v3 with Privacy only. Privacy encrypts SNMP v3 messages so that the data read from the device stays confidential. DES-CBC uses a 56-bit key; prefer AES-128 or AES-256 where the device supports it.
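As an added check (not a ClearPass feature), the following Python audits device definitions against the SNMP Read Setting and Privacy Protocol choices above and reports what a hardening review would flag: community-string versions, v3 without authentication, MD5 when FIPS mode is on, DES-CBC privacy, and a missing Policy Manager Zone. The device records are constructed with the field names of the form, and whether FIPS mode is on is passed as a flag rather than read from the appliance.

```python
import re

# Constructed device records using the SNMP Read Settings field names from the Add Device form;
# they are not exported from a real Policy Manager cluster.
DEVICES = [
    {"name": "core-sw-1", "zone": "default",
     "read_setting": "SNMP v2 with community strings", "community": "public"},
    {"name": "edge-sw-7", "zone": "",
     "read_setting": "SNMP v3 with Authentication using MD5 and with Privacy", "privacy_protocol": "DES-CBC"},
    {"name": "dc-sw-2", "zone": "dc",
     "read_setting": "SNMP v3 with Authentication using SHA and with Privacy", "privacy_protocol": "AES-128"},
]

# The setting a hardened device definition should end up with.
RECOMMENDED = {"read_setting": "SNMP v3 with Authentication using SHA and with Privacy",
               "privacy_protocol": "AES-256"}

def audit_snmp_read(dev, fips_mode=True):
    """Return the findings for one device's SNMP Read Settings (an empty list means nothing to fix)."""
    findings = []
    setting = dev.get("read_setting", "")
    if not dev.get("zone"):
        findings.append("Policy Manager Zone is mandatory when SNMP Read is enabled")
    if re.match(r"SNMP v[12] ", setting):
        findings.append("v1/v2 community strings travel in cleartext and can be replayed by anyone on the path")
        if dev.get("community", "").lower() in {"public", "private"}:
            findings.append("default community string")
    if "no Authentication" in setting:
        findings.append("v3 without authentication: responses are neither authenticated nor integrity-protected")
    if "MD5" in setting and fips_mode:
        findings.append("MD5 authentication is not supported in FIPS mode")
    if "with Privacy" in setting:
        if dev.get("privacy_protocol") == "DES-CBC":
            findings.append("DES-CBC privacy uses a 56-bit key; choose AES-128 or AES-256")
    else:
        findings.append("no privacy: ARP-table and interface data cross the network unencrypted")
    return findings

def audit_all(devices, fips_mode=True):
    """Map each device name to its findings; devices matching RECOMMENDED come back with none."""
    return {d["name"]: audit_snmp_read(d, fips_mode) for d in devices}
```

Run audit_all over an export of the Network Devices list before switching an appliance to FIPS mode: any device still on an MD5 setting is reported up front instead of failing its reads after the change.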

SNMP Write Settings Parameters

Click the SNMP Write Settings tab to define values that allow Policy Manager to write to (manage) the device using SNMPv1, SNMPv2, or SNMPv3. Available parameters are described in Table 3.

Figure 7  Add Device > SNMP Write Settings Dialog

Table 3: Add Device > SNMP Write Settings Parameters

Parameter

Action/Description

Allow SNMP Simple Network Management Protocol. SNMP is a TCP/IP standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.  Write

Toggle to enable or disable SNMP Simple Network Management Protocol. SNMP is a TCP/IP standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.  write.

Default VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN.

Specify the VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. port setting after the SNMP Simple Network Management Protocol. SNMP is a TCP/IP standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. -enforced session expires.

SNMP Write Setting

Specify the SNMP Write setting for the device. Select one of the following options:

SNMP v1 with community strings

SNMP v2 with community strings

SNMP v3 with no Authentication

SNMP v3 with Authentication using MD5 and no Privacy

SNMP v3 with Authentication using MD5 and with Privacy

SNMP v3 with Authentication using SHA and no Privacy

SNMP v3 with Authentication using SHA and with Privacy

NOTE: The MD5 authentication type is not supported in FIPS mode.

NOTE: SNMP v1, v2 and v3 with no Authentication provide no message integrity: anyone who can spoof traffic to the device can issue the same writes. Use v3 with Authentication (SHA) and Privacy wherever the device supports it.

Community String

Enter the community string used for SNMP v1 or v2 write operations. This string is the only credential protecting configuration writes and is sent in cleartext, so use a dedicated write string that differs from the read community string.

Verify

Re-enter the community string.

Username

Specify the Admin user name to use for SNMP write operations.

NOTE: Available in SNMP v3 only.

Authentication Key

Specify the authentication key used with the SNMP v3 Authentication option (SHA or MD5).

NOTE: The MD5 authentication type is not supported in FIPS (Federal Information Processing Standards) mode.

NOTE: Authentication Key is available in SNMP v3 only.

Privacy Key

Specify the privacy (encryption) key used with the SNMP v3 Privacy option.

NOTE: Available in SNMP v3 only.

Privacy Protocol

Choose one of the available SNMPv3 privacy protocols for write operations:

DES-CBC

AES-128

AES-256

NOTE: The Privacy Protocol option is available using SNMP v3 with Privacy only. Privacy encrypts SNMP v3 messages so that the contents of write (SET) operations are not readable on the wire. DES-CBC uses a 56-bit key and should be selected only for devices that cannot do AES.
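The following is an added example, not Policy Manager code, showing the check an operator might run over the SNMP Write settings above before saving a device entry. The option strings are the choices listed on this tab; the baseline it enforces (cleartext community strings, v3 without Authentication, MD5, DES-CBC and short keys are findings; FIPS mode rejects MD5) is a hypothetical policy, and the `SnmpWriteSettings` field names are assumptions.

```python
"""Audit the SNMP Write settings chosen for a device before saving them.

Added example, not Policy Manager code. The option strings are the choices
listed on the SNMP Write Settings tab; the baseline enforced here is a
hypothetical operator policy.
"""
from dataclasses import dataclass
from typing import List

SNMP_WRITE_OPTIONS = (
    "SNMP v1 with community strings",
    "SNMP v2 with community strings",
    "SNMP v3 with no Authentication",
    "SNMP v3 with Authentication using MD5 and no Privacy",
    "SNMP v3 with Authentication using MD5 and with Privacy",
    "SNMP v3 with Authentication using SHA and no Privacy",
    "SNMP v3 with Authentication using SHA and with Privacy",
)
PRIVACY_PROTOCOLS = ("DES-CBC", "AES-128", "AES-256")
MIN_KEY_LEN = 8  # USM (RFC 3414) passphrases must be at least 8 octets


@dataclass
class SnmpWriteSettings:
    allow_write: bool
    write_setting: str
    community: str = ""      # v1/v2 only
    username: str = ""       # v3 only
    auth_key: str = ""       # v3 with Authentication
    priv_key: str = ""       # v3 with Privacy
    priv_protocol: str = ""  # v3 with Privacy


def audit(s: SnmpWriteSettings, fips_mode: bool = False) -> List[str]:
    """Return findings for a settings object; an empty list means it passes."""
    if not s.allow_write:
        return []  # write disabled: nothing on this tab is used
    if s.write_setting not in SNMP_WRITE_OPTIONS:
        return [f"unknown SNMP write setting {s.write_setting!r}"]

    findings: List[str] = []
    v3 = "v3" in s.write_setting
    authenticated = "Authentication using" in s.write_setting
    private = "with Privacy" in s.write_setting

    if not v3:
        # v1/v2 carry the community string in cleartext and have no integrity
        findings.append("v1/v2 community strings are sent in cleartext; use v3")
        if not s.community:
            findings.append("community string is empty")
        elif s.community.lower() in ("public", "private"):
            findings.append("default community string in use")
        return findings

    if not s.username:
        findings.append("v3 requires a username")
    if not authenticated:
        findings.append("v3 with no Authentication gives no message integrity")
    else:
        if "MD5" in s.write_setting:
            findings.append("MD5 authentication is not supported in FIPS mode"
                            if fips_mode else "MD5 is deprecated; prefer SHA")
        if len(s.auth_key) < MIN_KEY_LEN:
            findings.append("authentication key shorter than 8 characters")
    if private:
        if len(s.priv_key) < MIN_KEY_LEN:
            findings.append("privacy key shorter than 8 characters")
        if s.priv_protocol == "DES-CBC":
            findings.append("DES-CBC uses a 56-bit key; choose AES-128 or AES-256")
        elif s.priv_protocol not in PRIVACY_PROTOCOLS:
            findings.append(f"unknown privacy protocol {s.priv_protocol!r}")
    elif authenticated:
        findings.append("no Privacy: SNMP SET payloads are readable on the wire")
    return findings
```

Run `audit()` once with `fips_mode=False` and once with `fips_mode=True` when a device entry is shared between a FIPS and a non-FIPS cluster; the MD5 finding changes from a deprecation warning to a hard failure.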

CLI Settings Parameters

From the Configuration > Network > Devices page, use the CLI Settings tab to enable or disable the CLI (command-line interface), and define user names, passwords, and port settings for accessing the CLI. Available parameters are described in Table 4.

Figure 8  Add Device > CLI Settings Dialog

Table 4: Add Device > CLI Parameters

Parameter

Action/Description

Allow CLI Access

Toggle to enable or disable CLI access.

Access Type

Select SSH or Telnet.

Policy Manager uses the selected access method to log into the device CLI. Telnet sends the username, password, and enable password in cleartext; select SSH wherever the device supports it.

Port

Specify the SSH or Telnet TCP port number (22 for SSH and 23 for Telnet unless the device is configured otherwise).

Username

Enter the username to log into the CLI.

Password

Enter the password to log into the CLI.

Username Prompt Regex (regular expression)

Specify the regular expression for the username prompt.

Policy Manager looks for this pattern to recognize the Telnet username prompt.

Password Prompt Regex

Specify the regular expression for the password prompt.

Policy Manager looks for this pattern to recognize the Telnet password prompt.

Command Prompt Regex

Specify the regular expression for the command-line prompt.

Policy Manager looks for this pattern to recognize the device's command-line prompt.

Enable Prompt Regex

Specify the regular expression for the command-line prompt in enable (privileged) mode.

Policy Manager looks for this pattern to recognize that the enable password was accepted and the session is in enable mode.

NOTE: Anchor the prompt patterns to the end of the output (for example, with $) so that text in a login banner, such as the word "password", is not mistaken for a prompt.

Enable Password

Enter, then re-enter, the Enable password for the CLI.
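The following is an added example, not Policy Manager code, showing how the four prompt regexes above drive a CLI login: each chunk of device output is matched against the enable, command, password and username patterns in that order, and the match decides what is typed next. `FakeCliDevice` is a constructed, scripted stand-in for a switch reached over Telnet, and the default regexes are assumptions that fit a Cisco-style "host> " / "host# " CLI; on a real device they are replaced with whatever that CLI prints.

```python
"""Drive a device CLI through login and enable using the prompt regexes
from the CLI Settings tab.

Added example, not Policy Manager code. FakeCliDevice is a constructed,
scripted stand-in for a switch; the default regexes are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class CliSettings:
    username: str
    password: str
    enable_password: str
    # Every pattern is anchored to the end of the output ($ with re.M),
    # so a login banner that happens to mention "password" is not a prompt.
    username_prompt: str = r"[Uu]sername:\s*$"
    password_prompt: str = r"[Pp]assword:\s*$"
    command_prompt: str = r"[\w.-]+>\s*$"
    enable_prompt: str = r"[\w.-]+#\s*$"


class FakeCliDevice:
    """Scripted switch CLI (constructed for this example)."""

    def __init__(self, username: str, password: str, enable_password: str,
                 host: str = "switch01"):
        self._creds = (username, password, enable_password)
        self._host = host
        self._state = "username"
        self._out = "Unauthorized access is prohibited.\nUsername: "
        self.sent: List[str] = []  # every line the client typed

    def read(self) -> str:
        out, self._out = self._out, ""
        return out

    def write(self, line: str) -> None:
        self.sent.append(line)
        user, pw, en = self._creds
        h = self._host
        if self._state == "username":
            ok = line == user
            self._state, self._out = ("password", "Password: ") if ok else \
                ("username", "% Login invalid\nUsername: ")
        elif self._state == "password":
            ok = line == pw
            self._state, self._out = ("user", f"\n{h}> ") if ok else \
                ("username", "% Login invalid\nUsername: ")
        elif self._state == "user":
            ok = line == "enable"
            self._state, self._out = ("enable_pw", "Password: ") if ok else \
                ("user", f"\n{h}> ")
        elif self._state == "enable_pw":
            ok = line == en
            self._state, self._out = ("enable", f"\n{h}# ") if ok else \
                ("user", f"% Access denied\n{h}> ")
        else:  # enable mode: print a prompt after any command
            self._out = f"\n{h}# "


def login_and_enable(dev, cfg: CliSettings, max_steps: int = 12) -> str:
    """Return "enable" once the enable prompt is recognised.

    Raises RuntimeError when a credential is rejected (a prompt repeats)
    or when no configured regex matches the output, which is what a wrong
    prompt regex looks like in practice."""
    pats = {n: re.compile(getattr(cfg, f"{n}_prompt"), re.M)
            for n in ("enable", "command", "password", "username")}
    stage = "login"  # login -> enabling -> enable
    username_prompts = 0
    for _ in range(max_steps):
        out = dev.read()
        if pats["enable"].search(out):
            return "enable"
        if pats["command"].search(out):
            if stage == "enabling":
                raise RuntimeError("enable password rejected")
            stage = "enabling"
            dev.write("enable")
        elif pats["password"].search(out):
            # The same "Password:" text is asked twice, at login and after
            # "enable"; the stage decides which secret to send.
            dev.write(cfg.enable_password if stage == "enabling" else cfg.password)
        elif pats["username"].search(out):
            username_prompts += 1
            if username_prompts > 1:
                raise RuntimeError("login rejected")
            dev.write(cfg.username)
        else:
            raise RuntimeError(f"no prompt regex matched: {out!r}")
    raise RuntimeError(f"no enable prompt after {max_steps} exchanges")
```

The "no prompt regex matched" failure is the one to look for when a device is added with the default patterns: the session logs in, the device prints its real prompt, and nothing matches it.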

Enabling OnConnect Enforcement on a Network Device

OnConnect Enforcement is an enforcement model that allows you to use non-802.1X methods for device scans, VLAN placement, and so on. OnConnect Enforcement allows enforcement in non-802.1X environments without the need for an agent (such as OnGuard) on the endpoint.

NOTE: Assigning a Policy Manager Zone is mandatory for all devices if SNMP Read or OnConnect enforcement is enabled.

When this feature is enabled, Policy Manager performs the following actions:

Detects when a new endpoint connects to the network.

Scans the endpoint to identify the logged-in user and other device-specific information.

Triggers a Web-based authentication (WebAuth) for the device.

Performs SNMP-based enforcement to change the network access profile for the device.

Use the OnConnect Enforcement tab on the Configuration > Network > Devices page to configure the settings described in Table 5.

Figure 9  Add Device > OnConnect Enforcement Dialog

Table 5: Add Device > OnConnect Enforcement Parameters

Parameter

Action/Description

Enable

Select this check box to enable OnConnect on the network access device being added.

Port Names

Specify the names of the ports to be enabled for OnConnect Enforcement (see Query Ports, below). You can do so in two ways:

Click Query Ports.

Manually enter port names in the Port Names field as a comma-separated list.

Only the ports added in the Port Names field will have OnConnect Enforcement enabled.

For example, if you add the port names Fa1/0/3,Fa1/0/5, when clients connect to either of these ports on the specified network device, OnConnect Enforcement is triggered on that network device.

NOTE: An empty string will enable OnConnect on all ports. Policy Manager will attempt to determine the uplink or upstream trunk ports; however, it is recommended to explicitly remove those ports, because an enforcement action (such as a VLAN change) applied to an uplink affects every endpoint behind it.

Query Ports

Click Query Ports to display the list of ports on the network device being added. Select the ports to use, then click Add to Port Names. The selected port names are added to the Port Names list. Only the ports added in the Port Names field will have OnConnect Enforcement enabled.

NOTE: This feature requires that you enable the Allow SNMP Read setting (which lets Policy Manager perform SNMP read operations) on the SNMP Read Settings tab.

Add to Port Names

Once a query displays the list of ports, select the desired ports from the list, then click Add to Port Names.

The selected ports are added to the Port Names field.
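The following is an added example, not Policy Manager code, that resolves the Port Names field against the ports a device reports and applies the recommendation above: an empty field means every port, names the device does not have are reported, and ports that look like uplinks (an 802.1Q trunk, or a neighbour that is another switch) are pulled out with a warning instead of being enforced. The `Port` record and the uplink heuristic are assumptions; the port table is constructed to look like a small access switch.

```python
"""Resolve the OnConnect "Port Names" field against a device's port list.

Added example, not Policy Manager code. Port, its fields and the uplink
heuristic are assumptions; the sample port table is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    trunk: bool = False               # 802.1Q trunk configured on the port
    neighbor_is_switch: bool = False  # LLDP/CDP neighbour is another switch


def parse_port_names(field: str) -> List[str]:
    """Split the comma-separated field, dropping blanks and surrounding spaces.
    An empty result means "all ports" (see the NOTE on the Port Names field)."""
    return [p.strip() for p in field.split(",") if p.strip()]


def resolve_onconnect_ports(field: str, device_ports: List[Port]
                            ) -> Tuple[List[str], List[str]]:
    """Return (port names OnConnect will act on, warnings for the operator)."""
    by_name = {p.name: p for p in device_ports}
    requested = parse_port_names(field)
    warnings: List[str] = []

    if not requested:
        selected = list(by_name)  # empty string: every port on the device
        warnings.append("Port Names is empty: OnConnect enabled on all ports")
    else:
        selected = []
        for name in requested:
            if name in by_name:
                selected.append(name)
            else:
                warnings.append(f"{name}: not present on device, ignored")

    # Policy Manager tries to detect uplinks itself, but the documentation
    # recommends removing them explicitly; do that here and say why.
    enforced: List[str] = []
    for name in selected:
        port = by_name[name]
        if port.trunk or port.neighbor_is_switch:
            warnings.append(f"{name}: looks like an uplink (trunk or switch "
                            "neighbour); removed from OnConnect")
        else:
            enforced.append(name)
    return enforced, warnings


# Constructed port table, as an SNMP read of a small access switch might return it.
SAMPLE_PORTS = [
    Port("Fa1/0/1"),
    Port("Fa1/0/3"),
    Port("Fa1/0/5"),
    Port("Gi1/0/1", trunk=True),
    Port("Gi1/0/2", neighbor_is_switch=True),
]

if __name__ == "__main__":
    for field in ("Fa1/0/3,Fa1/0/5", "", "Fa1/0/3, Fa9/9/9, Gi1/0/1"):
        ports, warns = resolve_onconnect_ports(field, SAMPLE_PORTS)
        print(f"{field!r}: enforce {ports}; {'; '.join(warns) or 'no warnings'}")
```

Running the resolver before saving the device turns the "empty string enables all ports" behaviour from a surprise into an explicit warning and keeps the uplinks out of the enforced set.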

Attributes Parameters

Use the Attributes tab on the Configuration > Network > Devices page to add custom attributes for this device.

Figure 10  Adding Custom Device Attributes

1. From the Attribute field, click Click to add....

By default, the following custom attributes appear in the Attribute drop down:

Controller ID

Device Type

Device Vendor

Location

OS Version

sysContact

sysLocation

sysName

2. Select one of the default attributes or enter a new attribute. You can enter any name in the Attribute field. All attributes are of string datatype.

3. Specify the attribute's value. You can populate the Value field with any string.

4. Repeat this procedure as necessary.

5. When finished adding custom attributes, click Add. All attributes entered for a device are available in the role-mapping Rules Editor under the Device namespace.

Modifying a Network Device

To modify a Policy Manager managed network device:

1. Navigate to the Configuration > Network > Devices page. The Network Devices page opens.

Figure 11  Network Devices Page

2. In the Network Devices table, click the name of the network device you want to modify. The Edit Device Details dialog opens.

Figure 12  Modifying a Network Device

3. Modify any device settings as necessary. For details about all of the Network Device tabs and parameters, refer to the previous section, Adding a Network Device.

NOTE: If you disable RadSec, the shared secret is removed, and you must re-enter the original shared secret.

4. Click Save.