Adding a Network Device

When adding a device, you must perform all tasks from a single browser tab. The Policy Manager WebUI uses server-side session caching during add or edit workflows, so performing add or edit actions on the same device from different tabs of the same browser can lead to data loss and impact network access.

To add a network device:

1. Navigate to the Configuration > Network > Devices page. The Network Devices page opens.

Figure 1  Network Devices Page

2. Click the Add link. The Add Device page opens.

Figure 2  Add Device > Device Dialog

Configure Device Settings

Click the Device tab and configure the parameters as described in Table 1:

Table 1: Add Device > Device Parameters

Parameter

Action/Description

Name

Enter the name of the device.

IP Address or Subnet

Specify the IPv4 or IPv6 address or the subnet of the device.

NOTE: IPv6 addresses are not allowed in NAD (Network Access Device) configurations when RadSec is enabled.

You can use a hyphen to indicate a range of device IP addresses in the format a.b.c.d-e. For example, 192.168.1.1-20 covers 192.168.1.1 through 192.168.1.20. IPv6 addresses can be entered in long or short format.

NOTE: When a subnet is added to a device through the fields on this tab, the network devices belonging to that subnet are only read if traps are received from those devices.

Description

Enter a description that provides additional information to identify the device.

RADIUS Shared Secret

Enter the RADIUS shared secret. It must match the secret configured on the device: the secret is what authenticates RADIUS packets in both directions, so use a long, random value and do not reuse one secret across devices.

TACACS+ Shared Secret

Enter the TACACS+ shared secret. As with RADIUS, it must match the device-side configuration.

Vendor Name

Specify the name of the vendor to load the dictionary associated with this vendor for this device.

NOTE: RADIUS:IETF, the dictionary containing the standard set of RADIUS attributes, is always loaded. When you specify a vendor here, the RADIUS dictionary associated with this vendor is automatically enabled.

Enable RADIUS Dynamic Authorization

If RADIUS Dynamic Authorization has not been enabled automatically, select the check box to enable this option.

RADIUS Dynamic Authorization (RFC 5176) allows dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing the authorizations applicable to a user session.

Dynamic Authorization Port

The NAD's UDP port for Dynamic Authorization (on an access point, for example) must be reachable from Policy Manager, the RADIUS server.

The Dynamic Authorization Port is set by default to 3799. This value may not be changed.

Enable RadSec

To enable RadSec, click the Enable RadSec check box.

When RadSec is enabled, the RADIUS shared secret is populated with the default shared secret “radsec”. This fixed value is the one RFC 6614 specifies for RADIUS over TLS; with RadSec, integrity and confidentiality come from the TLS session, and the device is authenticated by its certificate (see the RadSec Settings tab), not by the secret.

NOTE: It is important that the controller is configured with the same shared secret. By default, RadSec communications use TCP port 2083. Therefore, when you enable RadSec, ClearPass automatically creates a policy rule to allow communication on port 2083.
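The packet exchange behind the Enable RADIUS Dynamic Authorization option, as an added Python example (this is not ClearPass or NAD code): Policy Manager sends a Disconnect-Request (RFC 5176) to the NAD's Dynamic Authorization port and the NAD answers with a Disconnect-ACK or Disconnect-NAK. Each packet carries an authenticator derived from the RADIUS shared secret entered above, which is why the secret must match on both ends and why a NAD silently drops requests from a sender that does not hold it. Both ends are simulated in-process here; the secret, identifier and session attributes are constructed for the example, and the Message-Authenticator attribute (RFC 3579) is left out for brevity.

```python
"""Disconnect-Request / Disconnect-ACK exchange on the Dynamic Authorization
port (RFC 5176). Added example, not ClearPass or NAD code. The secret,
identifier and session values are constructed; Message-Authenticator
(RFC 3579) is omitted for brevity."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
DYNAMIC_AUTHZ_PORT = 3799               # default port from the Add Device dialog
USER_NAME, ACCT_SESSION_ID = 1, 44      # RADIUS:IETF attribute types


def attr(atype, value):
    """Encode one attribute as Type | Length | Value (Length covers all three)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_request(identifier, secret, attrs):
    """Server side. Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_request(packet, secret):
    """NAD side. A packet whose authenticator does not verify is silently discarded."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expect = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expect)


def build_response(request, code, secret, attrs=b""):
    """NAD side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(request, response, secret):
    """Server side: the ACK/NAK is bound to our request's authenticator and the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expect = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expect)


def run_exchange(server_secret=b"Nad-Secret-0f4c1e2a", nad_secret=b"Nad-Secret-0f4c1e2a"):
    """Simulate both ends in-process and report what each side concluded."""
    attrs = attr(USER_NAME, b"alice@example.net") + attr(ACCT_SESSION_ID, b"3A1F00C2")
    request = build_request(identifier=7, secret=server_secret, attrs=attrs)
    if not verify_request(request, nad_secret):       # NAD with a mismatched secret: drop
        return {"nad_accepted": False, "server_got_ack": False}
    response = build_response(request, DISCONNECT_ACK, nad_secret)
    ok = verify_response(request, response, server_secret) and response[0] == DISCONNECT_ACK
    return {"nad_accepted": True, "server_got_ack": ok}


if __name__ == "__main__":
    print(run_exchange())                                   # matching secrets
    print(run_exchange(nad_secret=b"mismatched-secret"))    # request dropped by the NAD
```

The authenticator is an MD5 construction over the whole packet and the secret, so anything that can reach UDP 3799 and knows the secret can disconnect or re-authorize any session; a short or shared secret, or a port reachable from more than the Policy Manager nodes, turns this feature into a denial-of-service lever.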

Configure RadSec Settings

If you selected the Enable RadSec option on the Device tab, select the RadSec Settings tab and configure the RadSec parameters as described in Table 2. This tab does not appear unless Enable RadSec is selected.

Figure 3  Add Device > RadSec Settings Tab

Table 2: Add Device > RadSec Settings Parameters

Parameter

Action/Description

Source Override IP address

The default value for this setting is the IP address or subnet of the device entered in the IP Address or Subnet field on the Device tab. If the NAD's RadSec connections originate from a different source IP address, enter that source IP address or subnet in this field to override the NAD IP with the desired source IP address.

NOTE: Subnets must be defined with a slash (prefix length), not a hyphen range.

Supported format: 10.2.54.0/24

Not supported format: 10.2.14.0-24

IPv6 addresses are not allowed in NAD configurations when RadSec is enabled.

Validate Certificate

If you do not want any validation or authorization checks for this device, select the No Authorization Checks option. Policy Manager then accepts any client certificate that chains to a trusted CA as this device, without checking that it belongs to this NAD, so reserve this option for testing.

To validate the certificate with a common name (CN) or Subject Alternative Name (SAN), select Validate with CN or SAN and enter the following values:

Common Name Regex: Enter a regular expression that the certificate's Common Name must match. The CN can be a host name, IP address, or other name.

Subject Alternative Name Regex: Enter a regular expression that a Subject Alternative Name in the certificate must match, in one of the following formats:

email: email_address

URI: uri

IP: x.x.x.x

dns: dns_name

rid: id

For RFC 6614-compliant validation using the issuer distinguished name (DN) and the certificate serial number, select RFC Compliant (serial + Issuer) and enter the following values:

Issuer DN

Serial Number

Common Name Regex

Subject Alternative Name Regex
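The three Validate Certificate choices, as an added Python example (not ClearPass code) that applies them to an already-parsed NAD certificate. TLS chain validation against the trusted CA is assumed to have passed before this step; the certificate values, the dict keys and the mode strings are assumptions of this example. The regexes are applied with fullmatch, so a pattern written for nad-*.corp.example.net cannot be satisfied by a longer, attacker-chosen name that merely contains it.

```python
"""RadSec client-certificate authorization (added example, not ClearPass code).

Applies the three Validate Certificate choices from the RadSec Settings tab to
an already-parsed NAD certificate. TLS chain validation against the trusted CA
is assumed to have passed before this step; the certificate values, dict keys
and mode strings below are assumptions of this example.
"""
import re

# Constructed example certificate, using the field names the tab refers to.
NAD_CERT = {
    "cn": "nad-sw01.corp.example.net",
    "issuer_dn": "CN=Corp Issuing CA, O=Example Corp, C=US",
    "serial": "0A:1B:2C:3D",
    # SANs in the "type:value" form the SAN regex is matched against
    "sans": ["dns:nad-sw01.corp.example.net", "IP:10.20.30.40"],
}


def _norm_dn(dn):
    """Simplified DN comparison: split on commas, ignore spacing and attribute-type case."""
    out = []
    for part in dn.split(","):
        key, _, value = part.partition("=")
        out.append((key.strip().upper(), value.strip()))
    return tuple(out)


def _norm_serial(serial):
    """Treat '0A:1B:2C:3D', '0a1b2c3d' and leading-zero variants as the same number."""
    return serial.replace(":", "").replace(" ", "").lower().lstrip("0") or "0"


def authorize(cert, mode, cn_regex=None, san_regex=None, issuer_dn=None, serial=None):
    """Return (allowed, reason). Regexes are anchored with re.fullmatch so that a
    match has to cover the whole CN or SAN value, not just a substring of it."""
    if mode == "No Authorization Checks":
        return True, "no checks: any certificate the TLS layer accepted is allowed"
    if mode == "Validate with CN or SAN":
        if not (cn_regex or san_regex):
            return False, "at least one of Common Name Regex or SAN Regex is required"
        if cn_regex and re.fullmatch(cn_regex, cert["cn"]):
            return True, f"CN {cert['cn']!r} matched"
        if san_regex:
            for san in cert["sans"]:
                if re.fullmatch(san_regex, san):
                    return True, f"SAN {san!r} matched"
        return False, "neither the CN nor any SAN matched"
    if mode == "RFC Compliant (serial + Issuer)":
        if not (issuer_dn and serial):
            return False, "Issuer DN and Serial Number are required"
        if _norm_dn(cert["issuer_dn"]) != _norm_dn(issuer_dn):
            return False, "issuer DN differs"
        if _norm_serial(cert["serial"]) != _norm_serial(serial):
            return False, "serial number differs"
        return True, "issuer DN and serial number match: exactly one certificate is pinned"
    raise ValueError(f"unknown Validate Certificate mode {mode!r}")


if __name__ == "__main__":
    print(authorize(NAD_CERT, "Validate with CN or SAN",
                    cn_regex=r"nad-[a-z0-9]+\.corp\.example\.net"))
```

The trade-off between the two checking modes: a serial plus issuer pin identifies exactly one certificate and has to be updated at every renewal, while a CN or SAN regex survives renewals but accepts every certificate the CA issues with a conforming name, so keep the pattern as narrow as the naming scheme allows.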

SNMP Read Settings Parameters

Click the SNMP Read Settings tab to define the values that allow ClearPass Policy Manager to read information from the device using SNMPv1, SNMPv2, or SNMPv3. Available parameters are described in the following table.

Large or geographically spread cluster deployments typically do not require each Policy Manager node to probe all SNMP-configured devices.

Figure 4  Add Device > SNMP Read Settings Dialog

Add Device > SNMP Read Settings Parameters

Parameter

Action/Description

Allow SNMP Read

Toggle to enable or disable SNMP Read operations.

NOTE: Network device polling does not depend on SNMP traps being configured on NAD devices. In a cluster, Policy Manager automatically load-balances NAD SNMP Reads across all the nodes in a zone.

Policy Manager Zone

Use this field to assign Network Access Devices to a zone, allowing the SNMP service to poll or query only the NADs that are in its zone.

OnConnect Enforcement is triggered when a trap from a NAD is received by a Policy Manager node. If the zone assigned to a Policy Manager node is not the same as the zone configured here, OnConnect Enforcement is not triggered on that Policy Manager node.

NOTE: Assigning a Policy Manager Zone is mandatory for all devices if SNMP Read or OnConnect Enforcement is enabled.

SNMP Read Setting

Specify one of the following SNMP Read Settings:

SNMP v1 with community strings

SNMP v2 with community strings

SNMP v3 with no Authentication

SNMP v3 with Authentication using MD5 and no Privacy

SNMP v3 with Authentication using MD5 and with Privacy

SNMP v3 with Authentication using SHA and no Privacy

SNMP v3 with Authentication using SHA and with Privacy

NOTE: The MD5 authentication type is not supported when you use Policy Manager in FIPS mode. SNMP v1, SNMP v2 and SNMP v3 with no Authentication carry no cryptographic protection: the community string travels in cleartext and requests can be spoofed. For production devices, select SNMP v3 with Authentication using SHA and with Privacy.

Community String

Enter the community string that Policy Manager presents in its SNMP read requests to the device.

NOTE: Available with the SNMP v1 and SNMP v2 (community string) settings only.

Verify

Reenter the community string.

Read ARP Table Info

Select the Read ARP table on this device check box on a Layer-3 device if you intend to use the ARP (Address Resolution Protocol) table on this device to discover endpoints in the network.

NOTE: When this option is selected, all ARP entries read during periodic Network Access Device reads are added to Policy Manager endpoints. SNMP, WMI, NMap, and SSH scans are not used in this process. When Device Insight Integration is enabled, this field is hidden (for more information, see Device Insight Integration Page).

Username

Specify the SNMP v3 user name configured on the device to use for SNMP read operations.

NOTE: Available in SNMP v3 only.

Authentication Key

Specify the authentication key for the selected SNMP v3 authentication option (SHA or MD5).

NOTE: The MD5 authentication type is not supported if you run Policy Manager in FIPS (Federal Information Processing Standards) mode.

NOTE: Authentication Key is available in SNMP v3 only.

Privacy Key

Specify the privacy key for the SNMP v3 with Privacy option.

NOTE: Available in SNMP v3 only.

Privacy Protocol

Choose one of the available privacy protocols:

DES-CBC

AES-128

NOTE: This option is available in SNMP v3 with Privacy only. Privacy encrypts SNMP v3 messages to ensure confidentiality of the data. DES-CBC uses a 56-bit key and is deprecated; choose AES-128 unless the device cannot support it.

SNMP Write Settings Parameters

Click the SNMP Write Settings tab to define values that allow Policy Manager to write to (manage) the device using SNMPv1Simple Network Management Protocol version 1. SNMPv1 is a widely used network management protocol., SNMPv2Simple Network Management Protocol version 2. SNMPv2 is an enhanced version of SNMPv1, which includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications., or SNMPv3Simple Network Management Protocol version 3. SNMPv3 is an enhanced version of SNMP that includes security and remote configuration features.. Available parameters are described in Table 3.

Figure 5  Add Device > SNMP Write Settings Dialog

Table 3: Add Device > SNMP Write Settings Parameters

Parameter

Action/Description

Allow SNMP Write

Toggle to enable or disable SNMP write.

Default VLAN

Specify the VLAN to which the port is returned after the SNMP-enforced session expires.

SNMP Write Setting

Specify the SNMP Write setting for the device. You can set any of the following options:

SNMP v1 with community strings

SNMP v2 with community strings

SNMP v3 with no Authentication

SNMP v3 with Authentication using MD5 and no Privacy

SNMP v3 with Authentication using MD5 and with Privacy

SNMP v3 with Authentication using SHA and no Privacy

SNMP v3 with Authentication using SHA and with Privacy

NOTE: The MD5 authentication type is not supported if you use ClearPass Policy Manager in FIPS mode. Because the write credential can change port VLANs on the device, protect it at least as carefully as the read credential: prefer SNMP v3 with SHA authentication and AES-128 privacy, and restrict SNMP write access on the device to the Policy Manager nodes' addresses.

Community String

Enter the community string that Policy Manager presents in its SNMP write (set) requests to the device.

Verify

Reenter the community string.

CLI Settings Parameters

From the Configuration > Network > Devices page, use the CLI Settings tab to enable or disable the CLI, and define user names, passwords, and port settings for accessing the CLI. Available parameters are described in Table 4.

Figure 6  Add Device > CLI Settings Dialog

Table 4: Add Device > CLI Parameters

Parameter

Action/Description

Allow CLI Access

Toggle to enable or disable CLI access.

Access Type

Select SSH or Telnet.

Policy Manager uses the selected access method to log into the device CLI.

Port

Specify the SSH or Telnet TCP port number.

Username

Enter the username to log into the CLI.

Password

Enter the password to log into the CLI.

Username Prompt Regex

Specify the regular expression for the username prompt.

Policy Manager looks for this pattern to recognize the Telnet username prompt.

Password Prompt Regex

Specify the regular expression for the password prompt.

Policy Manager looks for this pattern to recognize the Telnet password prompt.

Command Prompt Regex

Specify the regular expression for the command line prompt.

Policy Manager looks for this pattern to recognize the Telnet command-line prompt.

Enable Prompt Regex

Specify the regular expression for the command line in the enable prompt.

Policy Manager looks for this pattern to recognize the Telnet command-line prompt.

Enable Password

Enter, then reenter, the Enable password for the CLI.
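The prompt-matching flow that the four Regex parameters drive, as an added example rather than ClearPass code: a constructed fake switch stands in for the Telnet session, and the regex values are assumed sample patterns, not Policy Manager defaults. Note that the enable-password prompt is recognized by the Password Prompt Regex; the Enable Prompt Regex recognizes the privileged command-line prompt that follows it.

```python
import re

# Sample values for the CLI Settings prompt regexes (assumed, not ClearPass defaults).
PROMPTS = {
    "username": r"[Uu]sername:\s*$",
    "password": r"[Pp]assword:\s*$",
    "command": r"[\w.-]+>\s*$",   # unprivileged prompt, e.g. "sw1> "
    "enable": r"[\w.-]+#\s*$",    # privileged prompt, e.g. "sw1# "
}

class FakeSwitch:
    """Constructed stand-in for a device CLI reached over Telnet (not a real device)."""
    def __init__(self, hostname, username, password, enable_password):
        self.hostname = hostname
        self.username, self.password, self.enable_password = username, password, enable_password
        self.state, self.pending_user = "login", None

    def read(self):
        return {"login": "Username: ", "login_pw": "Password: ",
                "exec": f"{self.hostname}> ", "enable_pw": "Password: ",
                "priv": f"{self.hostname}# ",
                "denied": "% Login invalid\r\nUsername: "}[self.state]

    def write(self, line):
        if self.state in ("login", "denied"):
            self.pending_user, self.state = line, "login_pw"
        elif self.state == "login_pw":
            ok = (self.pending_user, line) == (self.username, self.password)
            self.state = "exec" if ok else "denied"
        elif self.state == "exec":
            self.state = "enable_pw" if line == "enable" else "exec"
        elif self.state == "enable_pw":
            self.state = "priv" if line == self.enable_password else "exec"

def login(dev, username, password, enable_password, patterns=PROMPTS):
    """Walk the login using the prompt regexes; return the prompt classes seen in order.
    Raises RuntimeError when the device output does not match the expected prompt."""
    pats = {k: re.compile(v) for k, v in patterns.items()}
    steps = [("username", username), ("password", password), ("command", "enable"),
             ("password", enable_password),  # enable-password prompt reuses the password regex
             ("enable", None)]               # privileged prompt reached; nothing to send
    seen = []
    for expected, reply in steps:
        buf = dev.read()
        kind = next((k for k, p in pats.items() if p.search(buf)), None)
        if kind != expected:
            raise RuntimeError(f"expected {expected} prompt, got {buf!r}")
        seen.append(kind)
        if reply is not None:
            dev.write(reply)
    return seen
```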

Enabling Policy Manager OnConnect Enforcement on a Network Device

OnConnect Enforcement is an enforcement model that allows you to use non-802.1X methods for device scans, VLAN placement, and so on. OnConnect Enforcement allows enforcement in non-802.1X environments without the need for an agent (such as OnGuard) on the endpoint.

Assigning a Policy Manager Zone is mandatory for all devices if SNMP Read or OnConnect enforcement is enabled.

When this feature is enabled, Policy Manager performs the following actions:

Detects when a new endpoint connects to the network.

Scans the endpoint to identify the logged-in user and other device-specific information.

Triggers a Web-based authentication (WebAuth) for the device.

Performs SNMP-based enforcement to change the network access profile for the device.

Use the OnGuard Enforcement tab on the Configuration > Network > Devices page to configure the settings described in Table 5.

Figure 7  Add Device > OnConnect Enforcement Dialog

Table 5: Add Device > OnConnect Enforcement Parameters

Parameter

Action/Description

Enable

Select this check box to enable Policy Manager OnConnect on the network access device being added.

Port Names

Specify the names and descriptions of the ports to be enabled for OnConnect Enforcement (see the next section for details). You can do so in two ways:

Click Query Ports.

Manually enter port names in the Port Names field as a comma-separated list.

Only the ports added in the Port Names field will have OnConnect Enforcement enabled.

For example, if you add the port names Fa1/0/3,Fa1/0/5, when clients connect to any of these ports on the specified network device, OnConnect Enforcement is triggered on that network device.

NOTE: An empty string will enable OnConnect on all ports. Policy Manager will attempt to determine the uplink or upstream trunk ports; however, it is recommended to explicitly remove those ports.

Query Ports

Click Query Ports to display the list of ports on the current server. Select the ports to use, then click Add to Port Names. The selected port names are added to the Port Names list. Only the ports added in the Port Names field will have OnConnect Enforcement enabled.

NOTE: This feature requires that you enable the Allow SNMP Read: Enable Policy Manager to perform SNMP read operations setting on the SNMP Read Settings tab.

Add to Port Names

Once a query displays the list of ports, select the desired ports from the list, then click Add to Port Names.

The selected ports are added to the Port Names field.

Attributes Parameters

Use the OnGuard Enforcement tab on the Configuration > Network > Devices page to add custom attributes for this device.

Figure 8  Adding Custom Device Attributes

1. From the Attribute field, click Click to add....

By default, the following custom attributes appear in the Attribute drop-down:

Controller ID

Device Type

Device Vendor

Location

OS Version

sysContact

sysLocation

sysName

2. Select one of the default attributes or enter a new attribute. You can enter any name in the Attribute field. All attributes are of string datatype.

3. Specify the attribute's value. You can populate the Value field with any string.

4. Repeat this procedure as necessary.

5. When finished adding custom attributes, click Add. All attributes entered for a device are available in the role-mapping Rules Editor under the Device namespace.

Modifying a Network Device

To modify a Policy Manager network device:

1. Navigate to the Configuration > Network > Devices page. The Network Devices page opens.

Figure 9  Network Devices Page

2. In the Network Devices table, click the name of the network device you want to modify. The Edit Device Details dialog opens.

Figure 10  Modifying a Network Device

3. Modify any device settings as necessary. For details about all of the Network Device tabs and parameters, refer to the previous section, Adding a Network Device.

If you disable RadSec, the shared secret is removed; you will have to reenter the original shared secret.

4. Click Save.