Parameters
Basic Information
- Access Policy Name: Uniquely identifies an access policy in a service.
- Service Group: Select a service group for the access policy. The service group ensures privilege management of the access policy. The administrators and maintainers can add the access policy to one of the service groups to which they have the management privilege.
- Description: Description of the access policy to aid maintenance.
Authorization Information
- Access Period: After you select an access period policy, a user to whom this access policy applies can access the network only within the time range customized in that access period policy.
- Allocate IP: Specifies whether to deploy user IP addresses.
If you select Yes, enter an IP address for an access user when you configure the access service for the user to which the access policy is applied.
When the user accesses the network, the RADIUS server assigns this IP address to the client of the user.
The client will use this IP address as the endpoint IP address and initiate reauthentication.
If you select Yes, do not select Dynamic for IP Address Assignment Method in the User Client Configuration area of the access policy.
If you select Bind User IP in the access policy, add this IP address to the bound IP address list of the user so that the user can pass IP address check.
If automatic learning of user binding information is enabled, make sure the system can automatically learn this IP address for the user.
- Upstream/Downstream Rate: Specifies the maximum upstream rate and downstream rate for the access policy.
- Priority: Specifies the priority of the user's packets when the network is congested. A smaller value indicates a higher precedence. Select a value from the priority values supported by the access device; otherwise the endpoint user might fail to access the network.
- Preferred EAP Type/Subtype: Select an EAP authentication type and a subtype. During EAP authentication, UAM proposes this EAP type to the client first. Options include EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP, and EAP-SIM. When EAP-TTLS or EAP-PEAP is selected, select EAP-MSCHAPv2, EAP-MD5, or EAP-GTC as the subtype.
EAP-MD5: Initiates EAP authentication by using the CHAP authentication mechanism. The client does not authenticate the server and no keying material is derived, so this type is suitable only for wired 802.1X, not for WPA2-Enterprise wireless.
EAP-TLS: Certificate-based identity authentication, which requires a PKI to manage certificates. The server and client authenticate each other with certificates. If authentication succeeds, the two sides negotiate a shared key, a session ID, and cryptographic parameters (cipher, compression, and integrity check) to set up a protected channel. EAP-TLS uses the TLS protocol to authenticate the client and UAM to each other. It uses the session ID for fast reauthentication, which greatly simplifies the authentication process, and it supports fragmentation of large TLS messages.
EAP-TTLS: Runs a subauthentication inside the TLS channel set up between the client and UAM. The outer TLS channel protects the user identity and the negotiation of the inner authentication. Over the TLS channel, UAM can run EAP or non-EAP authentication. EAP subauthentication can be EAP-MSCHAPv2, EAP-MD5, or EAP-GTC. Non-EAP subauthentication can be MSCHAPv2 or PAP. If EAP-TTLS is selected as the preferred EAP type for an access policy, you must select an EAP subtype. However, UAM follows the subauthentication type configured on the user endpoint, so the type actually used can be non-EAP.
EAP-PEAP: Runs EAP authentication inside the TLS channel set up between the client and UAM. The outer TLS channel protects the user identity and the negotiation of the inner authentication. The inner EAP authentication can be EAP-MSCHAPv2, EAP-MD5, or EAP-GTC.
EAP-SIM: Identity authentication based on a GSM SIM card. EAP-SIM provides two-way authentication: the server authenticates the client, and the client authenticates the server. Only after both directions succeed does the server send an EAP Success message to the client, and the client can then access the network. EAP-SIM also derives stronger session keys by combining multiple GSM challenge/response rounds.
- EAP Auto Negotiate: Controls whether the EAP type is negotiated automatically when the EAP type configured on the client and the preferred EAP type on UAM do not match. When Enable is selected, UAM accepts the client's authentication request regardless of the EAP type configured on the client. Note that this makes the preferred type a preference only: a client configured for a weaker method (for example EAP-MD5) is still accepted. When Disable is selected, UAM rejects the client's authentication request if the EAP type configured on the client and the preferred EAP type on UAM do not match.
- EAP Subtype Auto Negotiate: Control whether EAP subtypes can be negotiated automatically. (Non-EAP subtypes of TTLS are currently not supported for control.)
- SIM Encryption Algorithm Version: Appears after EAP-SIM is selected. Select the version of the SIM encryption algorithm.
- Maximum Online Duration for a Logon (Minutes): Maximum duration an authenticated access user that uses the access policy can be online. When this field is empty, the online duration is not limited. To specify this field, enter an integer in the range of 1 to 1440. If the online duration for an access user exceeds the specified value, UAM logs off the user.
- Max Online Duration Reminder (Minutes): With this reminder set, the system notifies iNode authentication users before their maximum online duration is reached. The default value is 20 minutes, which means a notification will be sent 20 minutes before the maximum online duration is reached.
- Deploy VLAN: Specifies the VLAN to deploy to the user. After passing authentication, the user can access resources in the specified VLAN only. If the type of the access device is Intelbras(General), Huawei(General), HP(Comware), or 3Com(General), you can enter a VLAN ID or VLAN name. UAM considers any integer in the range of 1 to 4094 as a VLAN ID and deploys it as an integer-type string to the access device. Any other character string is considered as a VLAN name and deployed to the access device as a VLAN NAME string. If the access device is none of the previous types, UAM always deploys the entered value to the access device as a VLAN NAME string.
- Deploy Address Pool: Enter an address pool name. UAM deploys the address pool name to the access device for IP address assignment to users. For successful address assignment, make sure an address pool with the same name exists on the access device.
- Deploy User Profile: Deploy the user profile name to the device to perform the QoS functions based on users. This function takes effect only when the deployed user profile has been configured on the device.
- Deploy VSI name: When the leaf device acts as an access device on a VXLAN network, it can deploy the specified VSI name to assign users to the associated VXLAN.
- Deploy User Group: Deploys to the device the user group to which the user belongs after the user passes authentication. You can enter multiple groups, separated by commas. This function takes effect only with an SSL VPN device. If you select Auto, the server automatically obtains and deploys the domain controller security group.
- Deploy ACL: Deploy ACL to users. Use one of the following methods:
1) Manually specify an ACL.
2) Manually specify a Dynamic ACL
3) Select an ACL from the ACL resource list. This method can be used only after the platform ACL resource component is installed.
4) Select an ACL from the access ACL list. For information about configuring an access ACL, see Access ACL.
- Offline Check Period (Hours): EIA issues this parameter to the device after a mute terminal passes authentication. The device checks whether the mute terminal is offline at the intervals. If no packet is received from a mute terminal within the interval, the device terminates the connection with the mute terminal and sends a user offline notification to the RADIUS server. If this parameter is not set, the device does not perform the offline check. This parameter must be an integer in the range of 0 to 596523, and applies only to mute terminals.
- Authentication Password:
1) When Account Password is selected, the server verifies only the password of the user account.
2) When Dynamic Password is selected, the server verifies only the dynamic password of the user account. Dynamic passwords are assigned to user accounts through SMS messages and Emails.
3) When Account Password + Dynamic Password is selected, the server verifies both the account password and the dynamic password. Dynamic passwords are assigned to user accounts through SMS messages.
4) When Account Password + Asynchronous SMS Verification Code is selected, the server first authenticates the account password for a user. After the account password passes authentication, the server authenticates the SMS verification code. The verification code is sent to the user by SMS message.
To support authentication of dynamic passwords, use PAP, EAP-MD5, EAP-PEAP/EAP-MD5, or EAP-PEAP/EAP-GTC as the password authentication protocol.
The Account Password + Dynamic Password method is applicable only to iNode client authentication.
- Action At The End Of The Session: The action the access device takes when the session ends. UAM conveys it by setting the Termination-Action attribute (RADIUS attribute 29) in the Access-Accept message.
1) If By Device Manufacturer is selected, the action depends on the access device type: Intelbras and Huawei devices log the user off, while devices of other manufacturers require the user to reauthenticate.
2) If Offline is selected, the device takes its default action, which is usually to log the user off.
3) If RADIUS_REQUEST is selected, the user is reauthenticated: when the session ends (for example, when the user's online duration reaches the Session-Timeout attribute value), the access device reauthenticates the user instead of logging the user off.
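The attributes this section describes (allocated IP, ACL, maximum online duration, end-of-session action, VLAN) all travel to the access device inside a RADIUS Access-Accept. The following added example, which is not UAM/EIA code, builds such a packet, then decodes and verifies it the way a NAS or a test tool would. Attribute numbers and the Response Authenticator rule are from RFC 2865, RFC 2868 and RFC 3580; the VLAN ID/name rule is the one stated under Deploy VLAN; the shared secret, request authenticator and attribute values are constructed sample data.

```python
"""Added example, not UAM/EIA code: build a RADIUS Access-Accept carrying the
authorization attributes described above and decode/verify it as a NAS would.
Attribute numbers and the authenticator rule come from RFC 2865, RFC 2868 and
RFC 3580. The shared secret, request authenticator and values are constructed."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8         # "Allocate IP"
FILTER_ID = 11                # ACL deployed by name
SESSION_TIMEOUT = 27          # maximum online duration, in seconds on the wire
TERMINATION_ACTION = 29       # "Action At The End Of The Session"
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81  # "Deploy VLAN": VLAN ID or name, always a string

TERM_DEFAULT = 0              # device takes its default action (usually log off)
TERM_RADIUS_REQUEST = 1       # device reauthenticates when Session-Timeout expires
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def classify_vlan(value):
    """Rule from the Deploy VLAN parameter: an integer 1..4094 is a VLAN ID,
    any other string is a VLAN name. Both are sent as a string."""
    if value.isdigit() and 1 <= int(value) <= 4094:
        return "id", value
    return "name", value


def _attr(atype, value):
    """Type | Length | Value; Length counts the 2-octet header, max 255."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _tagged_int(atype, n, tag=0):
    """RFC 2868 tagged integer: one Tag octet followed by a 3-octet value."""
    return _attr(atype, bytes([tag]) + n.to_bytes(3, "big"))


def build_access_accept(ident, request_auth, secret, *, framed_ip=None,
                        filter_id=None, session_timeout=None,
                        termination_action=None, vlan=None):
    attrs = b""
    if framed_ip is not None:
        attrs += _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    if filter_id is not None:
        attrs += _attr(FILTER_ID, filter_id.encode())
    if session_timeout is not None:
        attrs += _attr(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    if termination_action is not None:
        attrs += _attr(TERMINATION_ACTION, struct.pack("!I", termination_action))
    if vlan is not None:
        _, group_id = classify_vlan(vlan)
        attrs += _tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
        attrs += _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
        attrs += _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + group_id.encode())
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response_authenticator(packet, request_auth, secret):
    """A NAS must silently discard a reply whose authenticator does not match;
    without this check anyone on the path could inject an Access-Accept."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def decode_access_accept(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    out = {"id": ident}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        val = packet[pos + 2:pos + alen]
        pos += alen
        if atype == FRAMED_IP_ADDRESS:
            out["framed_ip"] = str(ipaddress.IPv4Address(val))
        elif atype == FILTER_ID:
            out["filter_id"] = val.decode()
        elif atype == SESSION_TIMEOUT:
            out["session_timeout"] = struct.unpack("!I", val)[0]
        elif atype == TERMINATION_ACTION:
            out["termination_action"] = struct.unpack("!I", val)[0]
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if val and val[0] <= 0x1F:  # leading octet is a Tag, not text
                val = val[1:]
            kind, group_id = classify_vlan(val.decode())
            out["vlan"] = {"kind": kind, "value": group_id}
    return out
```

Session-Timeout is carried in seconds, so a Maximum Online Duration entered in minutes is multiplied by 60 before it is sent; and since Termination-Action only says what to do when that timer expires, it has no effect unless Session-Timeout is also present. Vendor-specific attributes that UAM uses for address pool, user profile or VSI deployment are not modelled here.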
Authentication Binding Information
- Authentication Binding Information: UAM, together with the access device, checks binding information for each user account at authentication: the IP address, port, VLAN, QinQ (double VLAN tags), and SN of the access device, and the IP address, MAC address, IMSI, IMEI, wireless SSID, and hard disk serial number of the user endpoint. The iNode client, together with the policy server, checks the following endpoint items: user IP address, MAC address, computer name, computer domain, logon domain, and hard disk serial number. User MAC address and IMSI are mutually exclusive and cannot both be bound. Binding values can be set for a service that contains the binding policy; if no values are set, auto-learning is used, which binds the values seen at the user's first login. For example, if you enable user IP address binding without specifying an address and the user first logs in through the service from 10.100.10.10, all later authentications must come from 10.100.10.10.
- Control Access MAC Address: With this function enabled, the UAM module checks the MAC address of an access user using this service when the user attempts to go online. If the MAC address is on the allowed access MAC address list, the user can go online. Otherwise, the access is denied. For more information about the access MAC address configuration, see Access MAC Address.
- Control Hard Disk Serial Number: With this function enabled, the UAM module checks the hard disk serial number of an access user using this service when the user attempts to go online. If the serial number is permitted, the user is allowed to go online. Otherwise, the access is denied. If UAM cannot obtain the hard disk serial number, it allows the user to go online; note that this is fail-open, so an endpoint that does not report a serial number is not blocked by this check. This feature must work with the iNode PC client.
- Enable SSID Access Control: When you enable this feature and select Permit from the SSID Filter list, UAM maintains an SSID allowlist. Users can access the network when they connect to an SSID on the SSID Access Control list. When you enable this feature and select Deny from the SSID Filter list, UAM maintains an SSID denylist. Users cannot access the network when they connect to an SSID on the SSID Access Control list. This feature must work with the iNode PC client. The client receives the SSID access control configuration from UAM and saves the configuration to the PC. The configuration also applies to the Windows built-in 802.1X application.
- Control BIOS Serial Number: Enable this feature to use a BIOS serial number pool to control network access for endpoint users. If the endpoint has a BIOS serial number in the pool, the user can access the network. If the BIOS serial number does not match an entry in the pool, network access is denied. UAM collects the BIOS serial number by using the iNode client. If the client cannot obtain the BIOS serial number, the pool is ignored and the user is not blocked by this check (the check is fail-open). This feature takes effect only when the iNode PC client is used for network access.
- Enable JAMF Collaboration Check: When you select this option for an access policy, the system will send the endpoint MAC address of an access user to the JAMF server for the registration check if the access user uses the access policy to log in. For more information about configuring the JAMF server, see User > User Access Policy > Service Parameters > System Settings > JAMF Collaboration Configuration.
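The binding check described under Authentication Binding Information combines administrator-entered values (such as the bound IP list the Allocate IP notes refer to) with auto-learning on first login. The following added example, which is not UAM code, implements that logic in a small in-memory form; the set of bindable items, the store and the sample logins are constructed for illustration, and the MAC/IMSI exclusion is the one the text states.

```python
"""Added example, not UAM code: a binding check with auto-learning as the
Authentication Binding Information parameter describes. The bindable items,
the in-memory store and the logins are constructed for illustration."""

BINDABLE = {"ip", "mac", "imsi", "vlan", "port", "device_sn", "ssid", "disk_sn"}


class BindingPolicy:
    """required: items that must match; explicit: {item: allowed values} entered
    by the administrator. A required item with no explicit values is auto-learned
    from the user's first successful login."""

    def __init__(self, required, explicit=None):
        required = tuple(required)
        unknown = set(required) - BINDABLE
        if unknown:
            raise ValueError(f"unknown binding item(s): {sorted(unknown)}")
        if {"mac", "imsi"} <= set(required):
            raise ValueError("MAC address and IMSI binding are mutually exclusive")
        self.required = required
        self.explicit = {k: set(v) for k, v in (explicit or {}).items()}


class BindingStore:
    """Learned bindings keyed by (user, item). A real deployment persists these."""

    def __init__(self):
        self.learned = {}


def check_binding(policy, store, user, observed):
    """Return (allowed, reason) for one authentication attempt.

    Learned values are committed only after every required item passes, so a
    rejected login never teaches the store a value an attacker supplied."""
    to_learn = {}
    for item in policy.required:
        value = observed.get(item)
        if value is None:
            return False, f"{item}: not present in the authentication request"
        if item in policy.explicit:
            if value not in policy.explicit[item]:
                return False, f"{item}: {value} is not in the bound list"
            continue
        bound = store.learned.get((user, item))
        if bound is None:
            to_learn[(user, item)] = value
        elif bound != value:
            return False, f"{item}: {value} differs from the learned value {bound}"
    store.learned.update(to_learn)
    return True, "ok"


if __name__ == "__main__":
    policy = BindingPolicy(["ip", "mac"])          # no explicit values: auto-learn
    store = BindingStore()
    first = {"ip": "10.100.10.10", "mac": "00:11:22:33:44:55"}   # constructed
    print(check_binding(policy, store, "alice", first))           # (True, 'ok')
    moved = dict(first, ip="10.100.10.11")
    print(check_binding(policy, store, "alice", moved))           # denied: ip differs
```

With Bind User IP selected and Allocate IP set, the allocated address belongs in the explicit list (`explicit={"ip": {...}}` here) rather than being left to auto-learning, which is exactly what the Allocate IP notes above require.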
User Client Configuration
- iNode Client Only: Restricts the authentication client that end users can use. If iNode Client Only is selected, end users must use the iNode client for authentication. You can also select the other check boxes for further restrictions.
- Disable iNode DC for Windows: With this function enabled, the iNode Dissolvable Client (iNode DC) is forbidden if the operating system is Windows.
- Disable iNode DC for Linux/MacOS: With this function enabled, the iNode DC is forbidden if the operating system is Linux or MacOS.
- Forbid Modifying IP When Online: This function only takes effect under portal authentication. An online user is not allowed to modify the IP address of the authentication NIC. If an online user modifies the IP address, the following problems occur depending on your configuration:
1) If you enable the policy server and select Forbid Modifying IP When Online, the client is immediately logged out.
2) If you enable the policy server and have not selected Forbid Modifying IP When Online, the client is logged out after waiting for a certain period.
3) If you have not enabled the policy server and have selected Forbid Modifying IP When Online, the client is logged out after waiting for a certain period.
4) If you have not enabled the policy server and have not selected Forbid Modifying IP When Online, the client stays online.
- Disable Proxy Server: With this function enabled, end users' PCs cannot be used as proxy servers for other users.
- Disable Proxy Setting in IE: With this function enabled, proxy settings in IE are not allowed.
- Disable Multiple NICs: With this function enabled, end users cannot use multiple NICs at the same time.
- Prohibit Multiple OSs: Prohibits the user from installing multiple operating systems on the PC.
- Prohibit Multi-IP on Authenticated NIC: Prohibits the user from configuring multiple IP addresses for a single authenticated NIC.
- Forbid Modifying MAC: With this function enabled, the system checks whether the MAC address of the end user has changed. A MAC address change is not allowed.
- Reject Duplicate MAC Addresses: With this function enabled, UAM prevents a client PC that uses the same MAC address as an existing client from passing authentication.
- Block VMware NAT Service: Select this option to prevent users from setting vNICs to NAT mode on VMs and to prevent unauthenticated VMs from accessing the host machine's network.
- Block VMware USB Service: Select this option to prevent users from using the VMwareHostd and VMUSBArbService services. When this option is selected, VM users cannot use the USB devices that are connected to the host machine. Select this option together with the Block VMware NAT Service option to prevent the host machine from sharing wireless hotspots that are created on the vNICs of VMs.
- IP Address Assignment Method: Defines the ways to obtain IP address for users. If Static is selected, the terminal user can only be authenticated to access the network using the static IP address. If Dynamic is selected, terminal users must use the IP address allocated by DHCP to access the network.
- Action for Violation: This parameter specifies the action to take on a user who has compliance violations. Actions can be Kick Out, which logs out the user, or Monitor, which keeps the user online. UAM generates an endpoint violation log when any of the check items is inconsistent.
- Auto Reconnect after Network Failure: Enables the iNode client to reconnect automatically if the user connection is cut off by a network failure. If you enable this function, also set the interval at which the client retries and the total number of retries. For example, with a retry interval of 30 minutes and 3 retries, the client tries to reconnect every 30 minutes, up to three times, after the user is disconnected. To avoid a reconnection storm against the server, choose the retry interval according to the number of online users, as in the table below.
Online users | Recommended retry interval
<=1000 | 5 minutes
<=2000 | 10 minutes
<=3000 | 15 minutes
<=5000 | 25 minutes
>5000 | Enabling this function is not recommended.
- Lowest Client Version: Enter an iNode PC client version. Users cannot pass authentication by using an iNode client lower than the specified version. This parameter is available only when the iNode Client Only option is selected.