Specify the duration allowed in minutes to store the role mapping and posture results derived by the policy engine during a policy evaluation.

A value of 0 disables caching.

This result can then be used in subsequent evaluation of policies associated with a service, if the Use cached Roles and Posture attributes from previous sessions option is turned on for the service.

NOTE: The value of the Policy result cache timeout field must be greater than the highest value set in the Health Check Interval (in hours) fields.
For example, if you have created the profiles Student-Enforcement-Profile and Staff-Enforcement-Profile with health check interval configured, then the value of the Policy result cache timeout field must be greater than the highest value of the Health Check Quiet Period (in hours) value configured among the following profiles:

Global Agent Settings

Student-Enforcement-Profile

Staff-Enforcement-Profile

Specify the percentage below which disk usage warnings are issued in the Monitoring > Event Viewer page.

For example, a default value of 30% indicates a warning is issued when the available disk space is 30% or lower. However, an aggressive cleanup is triggered when the disk space available drops below 20% (the 30% default value minus an additional 10%). In this instance, the additional 10% is the hard coded threshold delta value implemented as part of an aggressive cleanup operation.

Specify the percentage below which RAM Random Access Memory. usage warnings are issued in the Policy Manager Event Viewer.

For example, a value of 30 indicates that a warning is issued only when the available RAM Random Access Memory. is 30% or lower.

Enter the interval in minutes between polling of endpoint context servers, between 1 and 10,500 minutes. (10,500 minutes is 175 hours, or a bit more than a week).

The default interval is 60 minutes.

Specify the Endpoint Context Servers polling start time in HH:mm:ss format.

This parameter provides the ability to configure a Syslog messaging batch interval. The default value is 120 seconds. The supported interval value is between 30 seconds to 120 seconds.

NOTE: The interval specified for this parameter is applied to all appliances in a cluster and to all the Syslog Export Filters that are in the enabled state. For related information, see Syslog Export Filters.

Specify whether to enable automatic checking for available software updates.

The default it TRUE. For related information, see Software Updates.

Specify whether to automatically download and install Posture Signature and Windows Hotfixes Updates. The default is FALSE. For related information, see Software Updates.

Specify whether to automatically download Endpoint Profile Fingerprints. The default is FALSE. For related information, see Software Updates.

Customize the banner text that appears on the Policy Manager login screen and CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. access window.

NOTE: By default, if the login banner text and forced user acknowledgment are configured for Policy Manager, they are also displayed in ClearPass Guest operator logins and guest registrations. If you do not want these displayed in Guest logins and registrations, go to Guest > Administration > Operator Logins > Login Configuration. Under Banner Options, deselect the Login Banner check box.

Set this parameter to TRUE to require user consent before login. Once set to True, a banner displays requiring the user to select I agree to the terms and conditions and then click Proceed before continuing to the login.

Policy Manager allows Cluster Communication Mode to be set to IPv4 or IPv6. The default is IPv4.

If the value of this parameter is set to IPv6, all database and API Application Programming Interface. Refers to a set of functions, procedures, protocols, and tools that enable users to build application software. calls will use IPv6 addresses for cluster communication. If the value is set to ipv4, it will use IPv4 for database and API Application Programming Interface. Refers to a set of functions, procedures, protocols, and tools that enable users to build application software. calls instead. The default value of the cluster communication mode will depend on the IP address configured on the appliance during installation or upgrade. If the appliance has only an IPv6 address, the default cluster communication mode will be IPv6. If the appliance has both IPv4 and IPv6 addresses configured, or if only an IPv4 address is configured, then the default cluster communication mode will be IPv4.

Whenever the cluster communication mode is changed, it performs the following validations:

Configuration checks to verify an IP address in the correct format is configured for the interface.

Certificate checks to verify the database certificates have the correct IP address in the SAN field.

Certificate checks to verify the HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. certificates have the correct IP address in the SAN field.

For more information on setting the Cluster Communication Mode and the conditions for using IPv4 and IPv6 formatted IP addresses, go to Setting the Cluster Communication Mode.

NOTE: You can only use the network reset mgmt <v4|v6> command to reset an IPv4 or IPv6 management port address if the cluster communication mode is set to a different IP address format. For example, you cannot reset a management port IPv4 address, unless the cluster communication mode is set to IPv6.

NOTE: In a cluster with both IPv4 and IPv6 addresses (dual stack) configured on the management interface of every appliance, the ClearPass Zone Cache service always uses the IPv4 management address to keep the cache of each appliance synchronized across the cluster. The ClearPass Zone Cache service does not use the IPv6 management address for synchronization when the cluster communication mode parameter is set to IPv6 in a dual-stack scenario.

NOTE: In a cluster using self-signed certificates, if the management IP address is changed the database certificate does not need to be regenerated. The generation of the database certificate and the restart of backend services are automatic. There may be a delay of up to 10 minutes while backend services are re-started, and configuration updates and replication setup are re-established. This change only applies to clusters with self-signed certificates, not to clusters with CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate.-signed certificates.

When this field is set to TRUE (which is the default setting), an Admin user can log in to the same Policy Manager server concurrently from either the same device or a different device.

When this field is set to FALSE, and an Admin user logs into a Policy Manager server from one device, and then later logs into the same Policy Manager server from either the same device or a different device, the Admin user is logged out of all previous sessions on that Policy Manager server. When this occurs, the following message is displayed:

You have been logged out of previous active session(s)

Specify the maximum idle time permitted for admin users, beyond which the session times out.

The default value is 30 minutes. The allowed range is 5 to 1440 minutes (24 hours).

NOTE: HPE Aruba Networking recommends setting the Admin Session Idle Timeout as required to manage re-authentications.

Specify the maximum idle time permitted for CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. users, beyond which the session times out.

The default value is 10 minutes. The allowed range is 5 to 1440 minutes (24 hours).

When this parameter is changed, the changes take effect when the client opens a new CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. session. Any active CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. sessions will continue to use the old timeout setting—the sessions have to be disconnected and reconnected for the updated timeout value to take effect. Before performing any operations like make subscriber, drop subscriber, backup, restore, update, or upgrade operations from the appadmin CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. that take more than 15 minutes, first make sure to change the value of the CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. Session Idle Timeout parameter to the amount of time required for the operation.

NOTE: HPE Aruba Networking recommends setting the CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. Session Idle Timeout as required to manage re-authentications.

Specify the Console Session Idle Timeout duration in minutes. The default value is 360 minutes.

The Console Idle Session Timeout does not begin counting down until the admin user exits the admin session, or when the admin session has timed out. If the user is still logged in to the admin session, the Console Session Idle Timeout is not enforced. To impose an automatic log out from the Policy Manager server for an admin user connected to the console, you must set the idle timeout for the Admin Session Idle Timeout as well as the Console Session Idle Timeout.
The Console Session Idle Timeout:

Must have a valid integer value (for example, a setting of 10.5 wouldn't be valid).

The range of valid values is from 5 to 1,440 minutes (24 hours).

The Audit Viewer captures the details about changes in Console Session Idle Timeout.

NOTE: HPE Aruba Networking recommends setting the Console Session Idle Timeout as required to manage re-authentications.

On new Policy Manager installations, TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. 1.0 is disabled by default, so the default setting is All. To modify Transport Layer Security (TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. ) v1.0 support, select one of the following options:

None

Admin

Network

All

NOTE: Users cannot change into Common Criteria (CC) mode while the Disable TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. v1.0 parameter is set to None. This parameter must be set to All for CC mode. This parameter is not configurable and does not appear in the Policy Manager WebUI when Policy Manager is in FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. mode.

NOTE: The ClearPass OpenSSL cryptography library does not support TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. 1.0 when FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. mode is enabled. As part of this change, the Disable TLSv1.0 support option is hidden within the Cluster-Wide Parameters when FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. mode is enabled.

NOTE: ClearPass 6.11 and 6.12 are the last Long Support Release (LSR) and Short Support Release (SSR) versions to support TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. v1.0 in any operating mode (they are already disabled in FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. and CC modes). Customers can use Insight reports to identify clients that might be using these TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. versions in RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. -related communications. After ClearPass 6.12, the system-wide cryptographic policy will be set to DEFAULT in non-FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. mode.

On new Policy Manager installations, TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. 1.1 is disabled by default, so the default setting is All. To modify Transport Layer Security (TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. ) v1.1 support, select one of the following options:

None

Admin

Network

All

NOTE: Clusters in Common Criteria (CC) mode can have a value of None, so TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. v1.1 is enabled on all devices. This is the default setting for clusters upgrading to Policy Manager 6.10 or above.

NOTE: The ClearPass OpenSSL cryptography library does not support TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. 1.1 when FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. mode is enabled. As part of this change, the Disable TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. v1.1 support option is hidden within the Cluster-Wide Parameters when FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. mode is enabled.

NOTE: ClearPass 6.11 and 6.12 are the last Long Support Release (LSR) and Short Support Release (SSR) versions to support TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. v1.1 in any operating mode (they are already disabled in FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. and CC modes). Customers can use Insight reports to identify clients that might be using these TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. versions in RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. -related communications. After ClearPass 6.12, the system-wide cryptographic policy will be set to DEFAULT in non-FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. mode.

To modify the cluster's Transport Layer Security (TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. ) v1.3 support, select one of the following options:

None: Enables TLSv1.3 communication for server node. When TLSv1.3 is enabled, it is used as the preferred connection for systems that support it, and can be used for post-handshake authentications as needed. If a system does not support TLSv1.3, TLSv1.2 or v1.1 will automatically be used instead. None is the default setting for legacy Policy Manager deployments.

Admin: Disables TLSv1.3 for each server node. On upgraded ClearPass servers, this is the default setting. This setting must be used in cases where client certificate-based authentications with SSO Single Sign-On. SSO is an access-control property that allows the users to log in once to access multiple related, but independent applications or systems to which they have privileges. The process authenticates the user across all allowed resources during their session, eliminating additional login prompts., OnGuard, or downloadable user roles are configured, as those do not work with TLSv1.3. Having Admin (TLSv1.3 disabled) as the default setting for upgraded servers ensures if any of those configurations are present, the TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. setting will not interfere with them.

Network: Disables TLSv1.3 support, and is the Policy Manager default setting for new installations.

All: Set the TLSv1.3 parameter to All for CC mode support.

NOTE: Admins cannot disable each TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. protocol at the same time. In other words, admins cannot set TLSv1.0, 1.1, 1.2 and 1.3 to either Network or All at the same time. TLSv1.0, 1.1 and 1.3 are configured as cluster wide parameters, while TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. v1.2 is configured as a RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  service parameter.

When enabled, Content Security Policy (CSP) has significant impact on the way browsers renders pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the Content Security Policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections.

When specifying a particular cipher mode, each ClearPass server in the cluster will accept only SSH Secure Shell. SSH is a network protocol that provides secure access to a remote device. connections that use the selected cipher mode. Select one of the following to specify the SSH Secure Shell. SSH is a network protocol that provides secure access to a remote device. cipher mode in either FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. or non-FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. mode:

AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-CBC (default setting)

AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-CTR

AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-GCM

All

NOTE: Unlike legacy releases, ClearPass now enables the selection of either AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-CBC, AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-CTR, AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-GCM or All to specify a specific SSH Secure Shell. SSH is a network protocol that provides secure access to a remote device. cipher mode in FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. mode. With previous ClearPass releases, the Allowed SSH Secure Shell. SSH is a network protocol that provides secure access to a remote device. Modes parameter was disabled when FIPS Federal Information Processing Standards. FIPS refers to a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies, and by government contractors and vendors who work with these agencies. mode is enabled.

Specify the port for performance monitor rendering. The default value is 80.

When the ICMPv6 Filters parameter is set to Disable (the default), Policy Manager responds to all ICMPv6 (Internet Control Message Protocol) traffic. When this parameter is set to Enable, the following restrictions are applicable:

Policy Manager does not respond to ICMPv6 traffic sent to an anycast or multicast address.

Policy Manager does not transmit to ICMPv6 type-3 (Destination Unreachable) messages.

For the Policy Manager Zone Cache to survive abrupt shutdowns, set this to Normal or Full. The default value is OFF.

NOTE: Enabling this feature might result in some performance degradation.

When Post-Authentication v2 is enabled, it improves performance and scaling for post-authentication events when interoperating with third-party systems. This setting is enabled by default in IPv4-only, IPv6-only, or dual-stack mode (IPv4 and IPv6). Post-Authentication v2 can still be disabled when in IPv4-only mode. However, in an IPv6-only or dual stack environment, disabling Post-Authentication v2 is not permitted.

The following additional Post-Authentication v2 restrictions apply:

When you either enable or disable Post-Authentication v2, you must also manually restart the Async Network service. For more information on starting or stopping services, refer to Services Control Page

Post-Authentication v2 does not support Policy Manager Proxy.

When defining a context server action, the following HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. methods are supported: PATCH, DELETE, POST Power On Self Test. An HTTP request method that requests data from a specified resource., GET GET refers HTTP request method or an SNMP operation method. The GET HTTP request method submits data to be processed to a specified resource. The GET SNMP operation method obtains information from the Management Information Base (MIB)., and PUT.

When using post authentication for NMAP trigger, enabling this option ensures endpoints are unsubscribed on an accounting stop. This ensures a payload is not sent to the NMAP service when the device reauthenticates and a different enforcement profile is applied.

This option must be disabled for firewall Firewall is a network security system used for preventing unauthorized access to or from a private network. integration in general, and must be disabled for dual stack or pure IPv6 if multiple IP addresses are expected.

Administrators have the option to enable or disable Post-Authentication v2 HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. enforcement, when the Post-Authentication v2 parameter is enabled. Selecting Post-Authentication v2 HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. enforcement lets administrators disable the Post-Authentication HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. enforcement profile while the Session Notification Enforcement enforcement profile remains enabled. This can improve the scalability and performance of the Post-Authentication v2 HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. enforcement in some deployments. If Post-Authentication v2 is changed from Enable to Disable, Post-Authentication v2 HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. enforcement automatically changes to Disable as well.

Certificate Based Authentication is supported for VmWare AirWatch with Post-Authentication v2 HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. Enforcement. To use this feature with AirWatch, both the Post-Authentication v2 and Post Authentication v2 HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. enforcement settings must be enabled from the Cluster-Wide Parameters > General tab. In addition, go to: Administration > External Servers > Endpoint Context Servers > Server > Add, and select VMWare AirWatch as the server type and Certificate as the authentication method. Lastly, go to: Administration > Dictionaries > Context Server Actions > Add, and select VMWare AirWatch as the server type and Certificate as the authentication method.

ClearPass supports TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. session cache persistence for EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication. -based authentications. Use the EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.  TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. Session Cache Policy parameter to specify whether the session cache should persist in internal memory only, or in both memory and disk. The duration of the session persistence can also be configured. Select Internal+Disk for the user session to be read from disk, so re-authentication is not required before the configured session timeout. The default setting is Internal, which retains the previous behavior of periodically clearing the session cache when roaming.

NOTE: To specify how long the session cache should be stored on disk, go to the Cleanup Intervals tab and enter the number of hours in the Parameter Value field for the TTL Time to Live. TTL or hop limit is a mechanism that sets limits for data expiry in a computer or network. Stale TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. session in Disk parameter. The default value is 24 hours.

Use this parameter to log system events when the policy server endpoint cache reloads. These event messages provide troubleshooting information if there are delays in the reload process. This feature is disabled (set to FALSE) by default. When enabled (set to TRUE), a message is logged with the duration of the server endpoint cache reload once it is completed.

Use this parameter to configure Post-Authentication to combine API Application Programming Interface. Refers to a set of functions, procedures, protocols, and tools that enable users to build application software. events when posting to the Palo Alto Networks Firewall Firewall is a network security system used for preventing unauthorized access to or from a private network. (PAN). Enable this setting when multiple servers in a cluster make near-simultaneous API Application Programming Interface. Refers to a set of functions, procedures, protocols, and tools that enable users to build application software. calls to PAN, to reduce the number of calls and help avoid exceeding the firewall Firewall is a network security system used for preventing unauthorized access to or from a private network.'s concurrency limit for an API Application Programming Interface. Refers to a set of functions, procedures, protocols, and tools that enable users to build application software. session. This parameter is disabled by default.

Specify the duration in number of days to keep the following data in the Policy Manager database:

Session logs (found on the Monitoring > Live Monitoring > Access Tracker page)

Event logs (found on the Monitoring > Event Viewer page)

Machine authentication cache

The default value is 7 days.

Specify the duration in number of days to keep log files that are written to the disk.

The default value is 7 days.

By default, ClearPass automatically performs a cleanup for Certificate Signing Requests (CSRs) older than 15 days. use this parameter to extend the cleanup interval for old CSRs and associated private keys from 15 days to up to 90 days. Network administrators should extend the cleanup interval for CRS and private keys in cases where the CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. takes more than 15 days to create a certificate, as the CSR Certificate Signing Request. In PKI systems, a CSR is a message sent from an applicant to a CA to apply for a digital identity certificate. generated on the system would become invalid with the default 15 day setting, and would be removed automatically from the system.

Specify the cleanup interval in number of days that Policy Manager uses to determine when to start deleting old audit records from the Audit Viewer page. The default value is 7 days.

Specify the duration in number of days that Policy Manager uses to determine when to start deleting known or disabled entries from the Endpoint repository.

Known entries are deleted based on the when the endpoint was last seen. For example, if this value is 7, then known Endpoints that have not been seen within the last 7 days are deleted.

The default value is 0 days. This indicates that no cleanup interval is specified.

Specify the duration in number of days that Policy Manager uses to determine when to start deleting unknown entries from the Endpoint repository. Unknown entries are deleted based on the when the endpoint was last seen. For example, if this value is 7, then unknown Endpoints that have not been seen within the last 7 days are deleted.

The default value is 0 days. This indicates that no cleanup interval is specified.

The cleanup interval for expired guest accounts indicates the number of days after expiry that the cleanup occurs.

A value of 0 specifies no expired guest accounts cleanup interval. The default value is 365 days.

Specify the cleanup interval in number of days that Policy Manager uses to determine when to start deleting profiled unknown entries from the Endpoint repository. Profiled unknown entries are deleted based either the time the unknown Endpoint was last seen or the time it was last profiled, whichever is most recent.

The default value is 0,indicating that no cleanup interval is specified.

Specify whether to enable the option to clean up profiled known endpoints.

The default value is FALSE. Profiled known entries are deleted based either the time the known Endpoint was last seen or the time it was last profiled, whichever is most recent.

Specify whether to enable the option to clean up static IP endpoints.

The default option is FALSE.

Specify the alert notifications that are generated for system events logged at this level or higher.

INFO: Alerts that provide Information, Warnings, and Error messages are generated.

WARN: Alerts that provide Warnings and Error messages are generated.

ERROR: Alerts that provide Error messages only are generated.

The default value is WARN.

Specify the timeout in hours that determines how often alert messages are generated and distributed.

If you select Disabled, alert generation is disabled. The default value is 2 hours.

Enter a comma-separated list of email addresses to which alert messages are sent.

To authorize a node in a cluster on the system to act as a publisher if the primary publisher fails, select TRUE. The default value is FALSE.

NOTE: To avoid false failover triggers, the Enable Publisher Failover value should be set to false before starting a cluster update.

Select the server in the cluster to act as the standby publisher.

The default value is 0.

NOTE: If the standby publisher is on a different subnet Subnet is the logical division of an IP network. than the publisher, then ensure that a reliable connection between the two subnets Subnet is the logical division of an IP network. is available to avoid unwanted network segmentation and potential data loss from a false failover.

Click the drop-down list and select either IPv4 or IPv6 as the mode of communication for all cluster operations.

If the value of this parameter is set to ipv6, all database and API Application Programming Interface. Refers to a set of functions, procedures, protocols, and tools that enable users to build application software. calls will use IPv6 addresses for cluster communication. If the value is set to ipv4, it will use IPv4 for database and API Application Programming Interface. Refers to a set of functions, procedures, protocols, and tools that enable users to build application software. calls instead. The default value of the cluster communication mode will depend on the IP address configured on the appliance during installation or upgrade. If the appliance has only an IPv6 address, the default cluster communication mode will be IPv6. If the appliance has both IPv4 and IPv6 addresses configured, or if only an IPv4 address is configured, then the default cluster communication mode will be IPv4. Whenever the cluster communication mode is changed, it performs the following validations:

Configuration checks to verify an IP address in the correct format is configured for the interface.

Certificate checks to verify the database certificates have the correct IP address in the SAN field.

Certificate checks to verify the HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. certificates have the correct IP address in the SAN field

NOTE: Before changing the cluster communication mode, carefully review the displayed warning message stating that resetting the cluster communication mode can cause the cluster to go out of sync by resetting the IP address format of the cluster communication interface. Resetting the certificates on each cluster node along with rebooting ensures the cluster is in sync.

Select any of the following auto-backup configuration options:

Off: Select this to not perform periodic backups.

Select Off before upgrading Policy Manager to avoid the interference between Auto backup and migration process.

Config: Performs a periodic backup of the configuration database that includes licensing information that would be required to restore a server to its original state. This is the default auto backup configuration option. In a cluster deployment, the backup file on the publisher also contains license information for all subscribers.

Config|SessionInfo: Performs a backup of the configuration database, certificates and licenses, and also the session log database.

Config|Extensions: Extensions are included in the backup, in addition to configuration data.

Config|SessionInfo|Extensions: Extensions are included in the backup, in addition to configuration data, session log, and Insight data.

NOTE: Keep in mind, if extensions are excluded from a backup file, and that backup file is restored on a system that already has extensions, that system's existing extensions remain and are not overwritten.

NOTE: It is recommended you set this option to Off or Config before starting an upgrade. This ensures the Auto Backup process does not interfere with migration post upgrade. If required, you can change this setting back to Config|SessionInfo 24 hours after upgrade completion. Evaluation and Subscription A business model where a customer pays a certain amount as subscription price to obtain access to a product or service. licenses which have expired will not be included in the backup.

Enter the password for the appexternal username for this connection to the database.

Configure the time interval (in seconds) at which the subscribers synchronize with the publisher. The default value is 5 seconds. The allowed range is 1 to 60 seconds.

To store passwords for admin and local users to Hash and NTLM hash formats (which enables RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  MSCHAP authentications against admin or local repositories), set this to TRUE.

If you set this to FALSE, RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  MSCHAP authentications are not possible because the NTLM hash passwords are removed for all the users.

NOTE: When you set this value to TRUE, reset all the passwords to reenable RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  MSCHAP authentication against the user repositories.

To enable the Ignore Conflict (Network Boot Agents) parameter, choose TRUE. The default is FALSE.

To change the list of ports to scan and add custom fingerprints to classify based on them, enter the new TCP port numbers.

The TCP ports scanner checks to see if the specified Profiler Scan Ports are open. The default TCP ports are 135 and 3389.

Choose whether to process wired device information from the IF-MAP interface.

The default is FALSE.

Select from the following settings. The default value is medium.

high - Flag a Profiler conflict if the device category and the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  attributes or the hostname change.

medium - Flag a Profiler conflict if the device category changes.

low - Flag a Profiler conflict if the device category or the device family changes.

Set this option to TRUE to enable Endpoint scans using Nmap Network Mapper. Nmap is an open-source utility for network discovery and security auditing. Nmap uses IP packets to determine such things as the hosts available on a network and their services, operating systems and versions, types of packet filters/firewalls, and so on. (Network Mapper).

NOTE: The Open Ports scanner is disabled when Nmap Network Mapper. Nmap is an open-source utility for network discovery and security auditing. Nmap uses IP packets to determine such things as the hosts available on a network and their services, operating systems and versions, types of packet filters/firewalls, and so on.-based port scanning is enabled.

When Nmap Network Mapper. Nmap is an open-source utility for network discovery and security auditing. Nmap uses IP packets to determine such things as the hosts available on a network and their services, operating systems and versions, types of packet filters/firewalls, and so on. scan is enabled, the following warning is displayed:

WARNING: Setting this value to TRUE enables active scan of the host for open ports. This can be resource intensive. Also, the Profiler Scan Ports value is ignored when Nmap Network Mapper. Nmap is an open-source utility for network discovery and security auditing. Nmap uses IP packets to determine such things as the hosts available on a network and their services, operating systems and versions, types of packet filters/firewalls, and so on. scan is enabled.

Set this option to TRUE to enable Endpoint scans using WMI Windows Management Instrumentation. WMI consists of a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification. (Windows Management Instrumentation).

Set this parameter to TRUE to enable NT LAN Local Area Network. A LAN is a network of connected devices within a distinct geographic area such as an office or a commercial establishment and share a common communications line or wireless link to a server. Manager v1 for WMI Windows Management Instrumentation. WMI consists of a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification. (Windows Management Instrumentation) scans. The default is FALSE.

For more information, see WMI Credentials Configuration.

When logging in for TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  user authentication:

If set to FALSE (the default setting), after entering a blank password, you are presented with an option to change the TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  user password.

If set to TRUE, the option to enter the TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  user password is displayed. The option to change the TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  password is not displayed.

You can modify the text to be used for the TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  username prompt as needed. The default TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  username prompt is UserName:

You can modify the text to be used for the TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  password prompt as needed. The default TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  password prompt is Password:

An idle TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  login session is one in which the CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. operational mode prompt is displayed but there is no input from the keyboard. To close idle sessions automatically, you must configure a time limit for each login class.

Specify the TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  Connection Idle Timeout duration in seconds as needed.

The default value is 900 seconds (15 minutes).

The minimum allowed value is 60 seconds.

The maximum allowed value is 172800 seconds (two days).

Enable this setting to allow unencrypted communication in test environments. This parameter is disabled by default. When it is enabled, Policy Manager displays the warning message "Warning: Setting the "Allow Unencrypted Communication" value to "Enable" will allow unencrypted TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  requests to be processed. This is not recommended for production environments."

The default setting for this parameter is FALSE (disabled). If an HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. proxy server will use the X-Forwarded-For header value as the remote client IP address for the admin server or TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  server, then the parameter should be set to True (enabled).

This option is used if you want the Policy Manager server to authenticate against a TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  server. In this case, the Policy Manager server is acting as a TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  client and talking to the TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  server in order to authenticate users.

Specify the IP address for the remote TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  server.

Use this option if you want the Policy Manager server to authenticate against a TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  server.

Enter the Shared Secret for the remote TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  server.

Use this option to set a custom value for the remote TACACS+ Terminal Access Controller Access Control System+. TACACS+ provides separate authentication, authorization, and accounting services. It is derived from, but not backward compatible with, TACACS.  server port. The default server port value is 49.