Add/Modify Access Policy
This function allows you to add or modify an access policy.
Operation Procedure
- Enter the access policy management page.
Approach 1: On the top navigation bar, select User > User Access Policy > Access Policy.
Approach 2: Select the User tab, and then click User Access Policy > Access Policy in the navigation tree.
- Click Add, or click the link for an existing access policy.
- Enter the basic information, authorization information, authentication binding information, and user client information of the access policy to be added or modified.
- Click OK to complete the operation.
Parameters
Precautions
- The access policy name cannot be empty, and cannot be the same as any existing access policy name.
- You can configure the upstream rate, downstream rate, and priority at the same time, or any of them.
- When certificate authentication is disabled on the client, UAM allows the client to perform PAP or CHAP authentication through the access device on which PAP or CHAP is configured. In this case, the EAP type configured on UAM is ignored.
- In EAP-TTLS authentication, UAM automatically adapts to the non-EAP subtype configured on the endpoint. For example, UAM accepts PAP authentication requests from iOS or Android endpoints that use EAP-TTLS authentication.
- iOS endpoints automatically use the EAP authentication type configured on UAM: EAP-TLS, EAP-PEAP, or EAP-TTLS.
- To implement EAP-TTLS authentication for Android endpoints, select TTLS and one of the following types for certificate authentication:
  None: Auto adaptive. Use the certificate authentication type that is specified by the server.
  PAP: PAP authentication that does not work with EAP. This type ignores the certificate authentication type configured on the server.
  MSCHAP: MSCHAP authentication that does not work with EAP. This type is not supported on UAM.
  MSCHAPv2: MSCHAPv2 authentication that does not work with EAP. This type ignores the certificate authentication type configured on the server.
  GTC: EAP-GTC authentication.
- When UAM works with the EAP-PEAP-MSCHAPv2 certificate type, LDAP users cannot modify their passwords at the first login. To make LDAP users pass authentication, make sure the LDAP server does not require passwords to be changed at the next login.
- Make sure the VLAN deployment parameters have been configured on the switch beforehand.
- Binding a device IP address and device port restricts end users to authenticating through that specific device port. If a VLAN is bound, end users can be authenticated only through ports in that VLAN. If a QinQ double VLAN is bound, end users can be authenticated only through a device on which QinQ is enabled and whose QinQ outer and inner tag configuration matches the binding. If a static IP address or MAC address is bound, end users can be authenticated only from the specified address (if dynamic IP allocation is enabled, the IP address binding does not take effect). If a computer name is bound, end users can be authenticated only from the specified computer. If a computer domain is bound, end users can be authenticated only after the user PC is added to the specified domain. If logging in to a domain is required for a user, the user can be authenticated only after logging in to the domain.
- Do not bind both a VLAN and a QinQ double VLAN for one access policy.
- When you modify an access policy, you cannot modify the service group of the access policy.
- If both the device ACL of a security policy and a deployment ACL are configured for a service, the device ACL of the security policy is deployed preferentially.
- The authentication binding checks fall into two types: 1) binding checks performed by identity authentication (for example, binding the access device IP and access device port); 2) binding checks performed by the policy server (only the computer name, the domain bound to the computer, and the requirement that a user must log in to the domain). Because identity authentication is performed before the policy server performs its binding checks, identity authentication can auto-learn the contents for its binding check even if the policy server binding check fails.
- To check whether the Block VMware NAT Service and Block VMware USB Service requirements are met, the client disables the VMware NAT and USB services. If the services are disabled, the check is passed. If the services cannot be disabled, the client logs off the user (in Kick Out mode) or reports the violation (in Monitor mode).
- When Authentication Password is set to Dynamic Password, for the first authentication attempt of a user without an account created, UAM verifies the account password before creating the account. After creating the account, UAM verifies only the verification code for subsequent authentications.
- The password authentication method used for portal Web authentication is defined when the portal authentication page is customized. To use the dynamic password authentication method, select Account Password from the Authentication Password list on the access policy configuration page. The portal server verifies the validity of the dynamic password provided by the portal authentication user.
- BYOD anonymous users do not support authentication password type Account Password + Dynamic Password. Do not select this option for BYOD anonymous users.
- MAC portal authentication does not support the iNode Client Only option and user information binding options.
- Dynamic ACL rules: the order of the first six parameters (aclrule?same?acl-name?acl-type?ver-type?rule-id) is fixed and cannot be changed; the remaining parameters can appear in any order, and multiple rules are separated by a semicolon (;). Reference format: aclrule?same?test?1?1?2?protocol=1?dst-ip=1.1.1.2?src-ip=1.1.1.1?action=1?counting
- iNode Client Only: As a best practice, do not enable transparent authentication in the access services that use an access policy with the iNode Client Only option selected. If you enable transparent authentication in these access services, users that match the access policy will fail authentication when they come online through transparent authentication.
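The dynamic ACL rule format described in the precautions above is easy to get wrong by hand, so the following parser checks a rule string before it is entered in the access policy. It is an added example, not code from UAM or its documentation; it only encodes the format the precaution states (six fixed leading fields, free-order key=value parameters and bare flags afterwards, rules separated by ";"), and the checks it applies beyond that (non-empty fields, no duplicate keys) are assumptions.

```python
"""Parser and validator for UAM dynamic ACL rule strings (added example)."""
from dataclasses import dataclass, field

FIXED_FIELDS = ("aclrule", "same", "acl-name", "acl-type", "ver-type", "rule-id")


@dataclass
class AclRule:
    acl_name: str
    acl_type: str
    ver_type: str
    rule_id: str
    options: dict = field(default_factory=dict)  # key=value parameters, e.g. dst-ip
    flags: set = field(default_factory=set)      # bare parameters, e.g. counting


def parse_rule(text: str) -> AclRule:
    """Parse one rule; raise ValueError if it does not follow the documented format."""
    parts = text.strip().split("?")
    if len(parts) < len(FIXED_FIELDS):
        raise ValueError(f"rule needs at least {len(FIXED_FIELDS)} fields: {text!r}")
    keyword, scope, acl_name, acl_type, ver_type, rule_id = parts[:6]
    if keyword != "aclrule" or scope != "same":
        raise ValueError(f"rule must start with 'aclrule?same': {text!r}")
    if not (acl_name and acl_type and ver_type and rule_id):
        raise ValueError(f"empty fixed field in rule: {text!r}")
    rule = AclRule(acl_name, acl_type, ver_type, rule_id)
    for param in parts[6:]:  # remaining parameters may appear in any order
        if not param:
            raise ValueError(f"empty parameter in rule: {text!r}")
        key, sep, value = param.partition("=")
        if sep:
            if key in rule.options:  # assumption: a key may not repeat within one rule
                raise ValueError(f"duplicate parameter {key!r} in rule: {text!r}")
            rule.options[key] = value
        else:
            rule.flags.add(key)
    return rule


def parse_rules(text: str) -> list:
    """Split a multi-rule string on ';' and parse every rule."""
    return [parse_rule(r) for r in text.split(";") if r.strip()]


def is_valid(text: str) -> bool:
    """True if every rule in the string parses, False otherwise."""
    try:
        parse_rules(text)
        return True
    except ValueError:
        return False


# Sample input: the reference format quoted in the documentation.
SAMPLE = "aclrule?same?test?1?1?2?protocol=1?dst-ip=1.1.1.2?src-ip=1.1.1.1?action=1?counting"
```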