Access Policy

User Access Manager Help >> Operation Guide >> User Access Policy >> Access Policy

An access policy specifies the requirements that a user must meet to use the network. More specifically, an access policy contains the basic information, authorization information, authentication binding information, and client information. A configured access policy can be referenced by services. When a user applies for a service and accesses the network, the user is restricted by the access policy of the service.

Functions

Parameters

Basic Information

Access Policy Name: Uniquely identifies an access policy in a service.
Service Group: Configure the service group to which the access policy belongs. An administrator or maintainer can add an access policy to a service group associated with himself.
Description: Description of the access policy to aid maintenance.

Authorization Information

Access Period: After you select an access period policy, a user using the rule is allowed to access the network only in the time range customized in the access period policy.
Allocate IP: Specifies whether to assign IP addresses to users. If you select Yes, enter an IP address for an access user when you configure the access service for the user to which the access policy is applied. When the user accesses the network, the RADIUS server assigns this IP address to the client of the user. The client will use this IP address as the endpoint IP address and initiate reauthentication. If you select Yes, do not select Dynamic for IP Address Assignment Method in the User Client Configuration area of the access policy. If you select Bind User IP in the access policy, add this IP address to the bound IP address list of the user so that the user can pass IP address check. If automatic learning of user binding information is enabled, make sure the system can automatically learn this IP address for the user.
Upstream/Downstream Rate: Specifies the maximum upstream rate and downstream rate for the access policy.
Priority: Specifies the priority of the packets to be forwarded in network congestion. A smaller value indicates a higher precedence. This value should be select from the priority values supported by the device. Otherwise, the terminal user might fail to access the network.
Preferred EAP Type/Subtype: Select an EAP authentication type and a subtype. During EAP authentication, UAM deploys this EAP type preferentially to the client. Options include EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP. When EAP-TTLS or EAP-PEAP is selected, select EAP-MSCHAPv2, EAP-MD5, or EAP-GTC as the subtype.
• EAP-MD5: Initiates EAP authentication by using the CHAP authentication mechanism.
• EAP-TLS: Certificate-based identification authentication, which needs to deploy the PKI to manage certificates. The server and client use the certificate for identity authentication. If authentication succeeds, the two sides negotiate for a shared key, session ID, cryptographic specifications (cipher, compression, and data integrity check) to set up a reliable communication channel. EAP-TLS uses the TLS protocol to implement identity authentication between the client and UAM. It uses the session ID for fast reauthentication, which greatly simplifies the authentication process. It also supports fragmentation of large TLS packets.
• EAP-TTLS: Initiates subauthentication on the security channel set up by TLS authentication between the client and UAM. The authentication method protects the user identity and the negotiation process of EAP authentication. Over the TLS channel, UAM can initiate EAP or non-EAP authentication. EAP authentication can be EAP-MSCHAPv2, EAP-MD5, or EAP-GTC. Non-EAP authentication can be MSCHAPv2 or PAP. If EAP-TTLS is selected as the preferred EAP type for an access policy, you must select an EAP subtype. However, UAM always uses the same certificate authentication type as the setting on the user endpoint, and the actual authentication type can be non-EAP.
• EAP-PEAP: Initiates EAP authentication on the security channel set up by TLS authentication between the client and UAM. The authentication method protects the user identity and the negotiation process of EAP authentication. EAP authentication can be EAP-MSCHAPv2, EAP-MD5, or EAP-GTC.

EAP Auto Negotiate: Automatic negotiation of EAP authentication types when the EAP authentication type configured on the client and the preferred EAP type on UAM do not match. When Enable is selected, UAM permits the authentication request from the client without considering the EAP type configured on the client. When Disable is selected, UAM rejects the authentication request of the client if the EAP authentication type configured on the client and the preferred EAP type on UAM do not match.
Sim Encryption Algorithm Version: Appears after selecting eap-sim. You can select the version of SIM encryption algorithm.
Maximum Online Duration for a Logon (Minutes): Maximum duration an authenticated access user that uses the access policy can be online. When this field is empty, the online duration is not limited. To specify this field, enter an integer in the range of 1 to 1440. If the online duration for an access user exceeds the specified value, UAM logs off the user.
Deploy VLAN: Specifies the VLAN to deploy to the user. After passing authentication, the user can access resources in the specified VLAN only. If the type of the access device is Intelbras(General), Huawei(General), HP(Comware), or 3Com(General), you can enter a VLAN ID or VLAN name. UAM considers any integer in the range of 1 to 4094 as a VLAN ID and deploys it as an integer-type string to the access device. Any other character string is considered as a VLAN name and deployed to the access device as a VLAN NAME string. If the access device is none of the previous types, UAM always deploys the entered value to the access device as a VLAN NAME string.
Deploy Address Pool: Enter an address pool name. UAM deploys the address pool name to the access device for IP address assignment to users. For successful address assignment, make sure an address pool with the same name exists on the access device.
Deploy User Profile: Deploy the user profile name to the device to perform the QoS functions based on users. This function takes effect only when the deployed user profile has been configured on the device.
Deploy User Groups: Deploy the user group to which the user belongs to the device after the user passes authentication. You can enter multiple user groups, separated by semi-colons (;). This function takes effect only when UAM works with an SSL VPN device or collaborates with ACG 1000.If you select Auto, the server will automatically obtain and deploy the domain controller security group.
Deploy ACL: Deploy ACL to users. Use one of the following methods:
1) Manually specify an ACL.
2) Manually specify a Dynamic ACL 3) Select an ACL from the ACL resource list.This function can only be used after the platform ACL resource component is installed.
4) Select an ACL from the access ACL list. For information about configuring an access ACL, see Access ACL.
Offline Check Interval (Hours): EIA issues this parameter to the device after a mute terminal passes authentication. The device checks whether the mute terminal is offline at the intervals. If no packet is received from a mute terminal within the interval, the device terminates the connection with the mute terminal and sends a user offline notification to the RADIUS server. If this parameter is not set, the device does not perform the offline check. This parameter must be an integer in the range of 0 to 596523, and applies only to mute terminals.

Authentication Binding Information

Authentication Binding Information: UAM cooperates with the access device to check the binding information for each user account to be authenticated, including the IP address, port, VLAN, QinQ (or double VLAN tags), and SN of the access device, and the IP address, MAC address, IMSI, IMEI, wireless user SSID and the hard disk serial number of the user terminal. The iNode client cooperates with the policy server to check the following binding information for the user: user IP address, MAC address, computer name, computer domain, logon domain and the hard disk serial number. Among these items, user MAC address and IMSI are mutually exclusive and cannot be bound at the same time. The binding requirements can be set for a service which contains the binding policy. If no requirements are set for such service, auto-learning is adopted. Auto-learning is to bind the parameters used for the first login. For example, you set user IP address binding without specifying any IP address. If the user uses 10.100.10.10 for the first login through the service, it must always use the IP address for the future authentication.
Control Access MAC Address: With this function enabled, the UAM module checks the MAC address of an access user using this service when the user attempts to go online. If the MAC address is on the allowed access MAC address list, the user can go online. Otherwise, the access is denied. For more information about the access MAC address configuration, see Access MAC Address.
Control Hard Disk Serial Number: With this function enabled, the UAM module checks the hard disk serial number of an access user using this service when the user attempts to go online. If the serial number is permitted, the user is allowed to go online. Otherwise, the access is denied. If UAM cannot obtain the hard disk serial number, it allows the user to go online. This feature must work with the iNode PC client.
Enable SSID Access Control: When you enable this feature and select Permit from the SSID Filter list, UAM maintains an SSID Allowlist. Users can access the network when they connect to an SSID on the SSID Access Control list. When you enable this feature and select Deny from the SSID Filter list, UAM maintains an SSID denylist. Users cannot access the network when they connect to an SSID on the SSID Access Control list. This feature must work with the iNode PC client. The client receives the SSID access control configuration from UAM and saves the configuration to the PC. The configuration also applies to the Windows built-in 802.1X application.
Control Motherboard Serial Number: Enable this feature to use a motherboard serial number pool to control network access for endpoint users. If the endpoint has a motherboard serial number in the pool, the user can access the network. If the motherboard serial number does not match an entry in the pool, network access is denied. UAM collects the motherboard serial number information by using the iNode client. If the client cannot obtain the motherboard serial number, the pool is ignored. This feature takes effect only when the iNode PC client is used for network access.

User Client Configuration

Authentication Password:
1) When Account Password is selected, the server verifies only the password of the user account.
2) When Dynamic Password is selected, the server verifies only the dynamic password of the user account. Dynamic passwords are assigned to user accounts through SMS messages and Emails.
3) When Account Password + Dynamic Password is selected, the server verifies both the account password and the dynamic password. Dynamic passwords are assigned to user accounts through SMS messages.
4) When Account Password + Asynchronous SMS Verification Code is selected, the server first authenticates the account password for a user. After the account password passes authentication, the server authenticates the SMS verification code. The verification code is sent to the user by SMS message.
When dynamic token is disabled, use Table 1 to determine the authentication protocols to be used for different types of users if dynamic password authentication or account password + dynamic password authentication is used.
Table 1 Supported authentication protocols for users

User type	Supported authentication protocols	Remarks
Common access users	PAP EAP-PEAP/EAP-GTC	Other authentication protocols except PAP and EAP-PEAP/EAP-GTC can only validate the local passwords of the common access users. A common access user can pass authentication if its local password is correct.
LDAP and third-party users	PAP EAP-MD5 EAP-PEAP/EAP-MD5 EAP-PEAP/EAP-GTC	The EAP-MD5 and EAP-PEAP/EAP-MD5 authentication protocols must be used in conjunction with the iNode client.

When dynamic token is enabled, use Table 2 to determine the authentication protocols to be used for different types of users if dynamic password authentication or account password + dynamic password authentication is used.
Table 2 Supported authentication protocols for users

Authentication method	User type	Supported authentication protocols	Remarks
Dynamic password Account password + dynamic password	Common access users	All authentication protocols are supported.	N/A
Dynamic password	LDAP and third-party users	All authentication protocols are supported.	N/A
Account password + dynamic password	LDAP and third-party users	If the system can obtain plaintext user passwords from the LDAP server or third-party server, the system supports all authentication protocols. If the system cannot obtain plaintext user passwords from the LDAP server or third-party server, it supports only the PAP, EAP-MD5, EAP-PEAP/EAP-MD5, and EAP-PEAP/EAP-GTC authentication protocols.	The EAP-MD5 and EAP-PEAP/EAP-MD5 authentication protocols must be used in conjunction with the iNode client.

iNode Client Only: You can make restrictions on the authentication client here. If iNode Client Only is selected, end users must use iNode client for authentication. You can also select the other check boxes for more restrictions.
Disable iNode DC for Windows: With this function enabled, the iNode Dissolvable Client (iNode DC) is forbidden if the operating system is Windows.
Disable iNode DC for Linux/MacOS: With this function enabled, the iNode DC is forbidden if the operating system is Linux or MacOS.
Forbid Modifying IP When Online: This function only takes effect under portal authentication. An online user is not allowed to modify the IP address of the authentication NIC. If an online user modifies the IP address, the following problems occur depending on your configuration:
1) If you enable the policy server and select Forbid Modifying IP When Online, the client is immediately logged out.
2) If you enable the policy server and have not selected Forbid Modifying IP When Online, the client is logged out after waiting for a certain period.
3) If you have not enabled the policy server and have selected Forbid Modifying IP When Online, the client is logged out after waiting for a certain period.
4) If you have not enabled the policy server and have not selected Forbid Modifying IP When Online, the client stays online.
Disable Proxy Server: With this function enabled, the end users' PC are not allowed to be used as proxy server for other users.
Disable Proxy Setting in IE: With this function enabled, the proxy settings in IE are not allowed.
Disable Multiple NICs: With this function enabled, the end users cannot use multiple NICs at the same time.
Prohibit Multiple OSs: Prohibits the user from installing multiple operating systems on the PC.
Prohibit Multi-IP on Authenticated NIC: Prohibits the user from configuring multiple IP addresses for a single authenticated NIC.
Forbid Modifying MAC: With this function enabled, the system checks whether the MAC address of end user is changed. The MAC address change is not allowed.
Reject Duplicate MAC Addresses: With this function enabled, UAM disables the client PC that uses the same MAC address as an existing one from passing authentication.
Block VMware NAT Service: Select this option to prevent users from setting vNICs to NAT mode on VMs and to prevent unauthenticated VMs from accessing the host machine's network.
Block VMware USB Service: Select this option to prevent users from using the VMWareHostd and VMUSBArbService services. When this option is selected, VM users cannot use the USB devices that are connected to the host machine. You can select this option and the Block VMWare NAT Service option to prevent the host machine from sharing the wireless hotspots that are created on the vNICs of VMs.
IP Address Assignment Method: Defines the ways to obtain IP address for users. If Static is selected, the terminal user can only be authenticated to access the network using the static IP address. If Dynamic is selected, terminal users must use the IP address allocated by DHCP to access the network.
Action for Violation: This parameter specifies the action to take on a user who has compliance violations. Actions can be Kick Out, which logs out the user, or Monitor, which keeps the user online. UAM generates an endpoint violation log when any of the check items is inconsistent.
Auto Reconnect after Network Failure: Enables the iNode client to automatically reconnect if the user connection is accidentally cut off because of a network failure. If you enable this function, also set the interval at which the client will automatically reconnect and the total number of retries. When you set the retry interval to 30 minutes and set the total number of retries to 3, the client will try to reconnect every 30 minutes for three times after the user is disconnected. To ensure normal system operation, consider the number of online users when you set the retry interval. For more information, see the table below.

Total Online Users	Retry Interval
<=1000	5 minutes
<=2000	10 minutes
<=3000	15 minutes
<=5000	25 minutes
>5000	If the number of online users exceeds 5000, it is not recommended to enable this function.

Lowest Client Version: Enter an iNode PC client version. Users cannot pass authentication by using an iNode client lower than the specified version. This parameter is available only when the iNode Client Only option is selected.

User Access Manager Help >> Operation Guide >> User Access Policy >> Access Policy

Access Policy

Functions

Parameters

Related Topics