Page Push Policy
A push policy enables UAM to push different authentication pages to endpoint users in different conditions.
To push an authentication page to BYOD users, UAM uses the following guidelines:
- If a page push policy is configured for MAC authentication, UAM matches user information against conditions of the subpolicies in the page push policy. If a subpolicy is matched, UAM pushes the login page defined in the matching subpolicy. If no subpolicy is matched, UAM pushes the default MAC authentication page defined in the page push policy.
- If no page push policy is configured for MAC authentication, UAM pushes the default MAC authentication page.
To push an authentication page to portal users, UAM checks the Page Push Policy and Default Login Page settings of the port group that includes the users.
- If a page push policy is configured for the port group, UAM matches user information against conditions of subpolicies in the page push policy. If a subpolicy is matched, UAM pushes the login page defined in the matching subpolicy. If no subpolicy is matched, UAM pushes the default login page configured for the port group.
- If no page push policy is configured for the port group, UAM pushes the default login page configured for the port group. If the default login page is not configured either, UAM pushes the portal page defined for the portal server.
Functions
- Add/Modify Page Push Policy
Perform this task to add or modify a page push policy for endpoint users.
Operation Procedure
- Click the User tab. From the navigation tree, select User Access Policy > Page Push Policy.
- Click Add, or click the Modify icon for the page push policy to be modified.
- Configure parameters including the policy name, service group, authentication method, description, and page push subpolicies.
Page Push Policy Parameters
Key Parameters
- Service Group: Select a service group that the page push policy belongs to. The list contains all service groups that the current operator has permissions to manage.
- Authentication Method: Options are Portal and MAC. When you select MAC, also configure the Default Authentication Page parameter. A page push subpolicy provides different subpolicy conditions for portal and MAC authentication. Portal authentication supports the following conditions: SSID group, AP group, endpoint MAC group, endpoint vendor group, endpoint OS group, endpoint type group, access period policy, and HTTP user agent character. MAC authentication supports the following conditions: access location group, SSID group, AP group, endpoint IP group, endpoint MAC group, endpoint vendor group, endpoint OS group, endpoint type group, access period policy, and HTTP user agent character.
- Default Authentication Page: This parameter appears only when the authentication method is set to MAC. UAM pushes this page to users who match none of the subpolicy conditions contained in the policy.
Page Push Subpolicy Parameters
- Condition
Key Parameters
- Access Location Group: Select an access location group from the list. Access device groups are managed on the User Access Policy > Access Condition > Access Location Group page. The default value is Unlimited. This parameter appears only when the authentication method is MAC.
- SSID Group: Select an SSID group from the list. SSID groups are managed on the User Access Policy > Access Condition > SSID Group page. The default value is Unlimited.
- AP Group: Select an AP group from the list. AP groups are managed on the User Access Policy > Access Condition > AP Group page. The default value is Unlimited.
- Endpoint IP Group: Select an endpoint IP group from the list. Endpoint IP groups are managed on the User Access Policy > Access Condition > Endpoint IP Group page. The default value is Unlimited. This parameter appears only when the authentication method is MAC.
- Endpoint MAC Group: Select an endpoint MAC group from the list. Endpoint MAC groups are managed on the User Access Policy > Access Condition > Endpoint MAC Group page. The default value is Unlimited.
- Endpoint Vendor Group: Select an endpoint vendor group from the list. Endpoint vendor groups are managed on the User Access Policy > Access Condition > Endpoint Vendor Group page. The default value is Unlimited. This parameter appears only when EIP is deployed.
- Endpoint OS Group: Select an endpoint OS group from the list. Endpoint OS groups are managed on the User Access Policy > Access Condition > Endpoint OS Group page. The default value is Unlimited. This parameter appears only when EIP is deployed.
- Endpoint Type Group: Select an endpoint type group from the list. Endpoint type groups are managed on the User Access Policy > Access Condition > Endpoint Type Group page. The default value is Unlimited. This parameter appears only when EIP is deployed.
- Access Period Policy: Select an access period policy from the list. Access period policies are managed on the User Access Policy > Access Condition > Access Period Policy page. The default value is Unlimited.
- HTTP User Agent Character: Configure this parameter as the kernel version of the operating system. UAM compares this field with the endpoint operating system and pushes the login page defined for the HTTP user agent character of the longest match. Mappings between operating systems and kernel versions are:
iOS:iOS&&iPhone *
iOS:iOS&&iPad *
Windows 7/8/8.1/10...:Windows NT *
Windows mobile:Windows mobile*
Windows phone:Windows phone*
Android:Android *
You can use a sniffer to check the User-Agent value in HTTP packets. The User-Agent value is in the format of browser version (operating system; browser language; kernel version of the operating system). For example, the User-Agent value in an HTTP packet from a Firefox browser on Windows XP is Mozilla/5.0 (Windows; U; Windows NT 5.1), where the kernel version is Windows NT 5.1.
- Policy
Key Parameters
- Login Page: Select a login page from the list. The list displays the predefined pages, and custom portal pages and BYOD pages for PCs and smartphones. The predefined login pages include:
Portal Pages:
- Default Web Login (PC): Default Web authentication page for PC users.
- Default Web Login (PAD): Default web authentication page that applies to users from smart devices that have medium-sized screens, such as iPads.
- Default Web Login (PDA): Default web authentication page that applies to users from early mobile digital devices such as PDAs.
- Default Web Login (Phone): Default web authentication page that applies to users from smartphones such as iPhones.
- Default Web Guest Login: Default simple guest registration page with the SMS message registration function. Compared with the Default Web Guest Login page, the SMS Message Registration and Authentication page is preferred for account registration by SMS message.
- Default iNode DC Login (PC): Default iNode DC authentication page for PCs. This page is available only when iNode DC is installed.
- Default Third Party Login: Default authentication page that provides access to a third-party authentication system. Users can switch between the Intranet and Internet. This page does not provide popup windows.
- Other Default Web Login (PC): Another default login page that applies to all devices and has a different layout than the default Web authentication page.
- QR Code Registration and Authentication: Access this page to automatically preregister a guest account. When the account is registered within a specific time interval, portal authentication is automatically triggered on the page.
- SMS Message Registration and Authentication (PC): This page allows a guest to register an account through an SMS message and to use the account for authentication. It applies to endpoints that have large screens such as PCs and tablets.
- SMS Message Registration and Authentication (Phone): This page allows a guest to register an account through an SMS message and to use the account for authentication. It applies to endpoints that have small screens such as smartphones.
BYOD Pages:
- QR Code Registration and Authentication: Access this page to automatically preregister a guest account. When the account is registered within a specific time interval, MAC authentication is automatically triggered on the page.
- Default Page (PC): Default Web authentication page for PCs.
- Guest Group: Registration group to which guests belong if they match the conditions. The guest group is assigned a guest policy that will apply to all guests in the group.
- Guest Manager: Select a default guest manager to manage users. The guest manager can be modified during guest registration and preregistration.
- Click OK.
- Delete Page Push Policy
Perform this task to delete a page push policy. You cannot delete page push policies that are assigned to port groups.
Operation Procedure
- Click the User tab. From the navigation tree, select User Access Policy > Page Push Policy.
- Click the Delete icon for the page push policy to be deleted.
- In the confirmation dialog box, click OK.
Precautions
- To validate a new page push policy, select User Access Policy > Service Parameters > Validate from the navigation tree.
- In a page push policy, subpolicies are matched in descending order of priority.
- You can configure up to 30 page push policies for portal authentication and only one page push policy for MAC authentication.
- Web Identity Authentication does not support IP reallocation.
- PDA users come online through the portal page named index_pda_default.jsp, which does not support heartbeat packets. To prevent automatic disconnection, you must set the heartbeat interval of the port group to 0 for PDA users.
- If you use the endpoint vendor, endpoint OS, and endpoint type as access conditions for a page push subpolicy, the default authentication page might be pushed to an endpoint at its first authentication.
Configuration Examples
Example 1: In the page push policy, configure a subpolicy with the highest priority. Select ssidGrp as the SSID group, which contains SSID lab. Configure the default login page as HtmlA, and use default settings for other parameters. When users with SSID lab attempt to access the network through portal authentication, UAM pushes the HtmlA login page to the users.
Example 2: In the page push policy, configure a subpolicy with the highest priority. Select apGrp as the AP group, which contains NAS ID lab. Configure the default login page as HtmlA and use default settings for other parameters. When users with NAS ID lab attempt to access the network through portal authentication, UAM pushes the HtmlA login page to the users.
Example 3: Configure two subpolicies for a page push policy. Assign the first subpolicy the highest priority. Configure the HTTP User Agent Character parameter as Windows, configure the default login page as HtmlB, and use default settings for other parameters. In the second subpolicy, configure HTTP User Agent Character as Windows NT 5.1 (for Windows XP), configure the default login page as HtmlC, and use default settings for other parameters. If only the first subpolicy is configured and a Windows XP user attempts to access the network, UAM pushes the HtmlB login page. If both subpolicies are configured, UAM pushes the HtmlB login page based on priorities.
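The following Python sketch is an added example, not UAM code. It models subpolicy evaluation in priority order with a fallback page list, and reports subpolicies that can never be reached because a broader, higher-priority subpolicy always matches first, as in Example 3. It assumes that a smaller number means a higher priority and that HTTP User Agent Character is a case-insensitive substring test; the class, function, and field names are hypothetical.

```python
# Added illustration: a simplified model of page push selection, not UAM code.
from dataclasses import dataclass, field

@dataclass
class Subpolicy:
    priority: int          # assumption: smaller number = higher priority
    login_page: str
    conditions: dict = field(default_factory=dict)  # absent key = Unlimited

def matches(sub, user):
    """All configured conditions must hold for the subpolicy to match."""
    for key, wanted in sub.conditions.items():
        if key == "ua_character":
            # assumption: case-insensitive substring test on the User-Agent
            if wanted.lower() not in user.get("user_agent", "").lower():
                return False
        elif user.get(key) not in wanted:   # group membership, e.g. SSID group
            return False
    return True

def select_page(subpolicies, user, fallbacks):
    """First match in priority order, else first configured fallback page."""
    for sub in sorted(subpolicies, key=lambda s: s.priority):
        if matches(sub, user):
            return sub.login_page
    return next((page for page in fallbacks if page), None)

def implies(low, high):
    """True if every request matching `low` also matches `high`."""
    for key, wanted in high.conditions.items():
        if key not in low.conditions:
            return False
        have = low.conditions[key]
        if key == "ua_character":
            if wanted.lower() not in have.lower():
                return False
        elif not set(have) <= set(wanted):
            return False
    return True

def shadowed(subpolicies):
    """(unreachable page, page that pre-empts it) for each shadowed subpolicy."""
    ordered = sorted(subpolicies, key=lambda s: s.priority)
    return [(low.login_page, high.login_page)
            for i, low in enumerate(ordered)
            for high in ordered[:i] if implies(low, high)]

# Example 3 from the page, with the Windows XP User-Agent it quotes.
EXAMPLE3 = [Subpolicy(1, "HtmlB", {"ua_character": "Windows"}),
            Subpolicy(2, "HtmlC", {"ua_character": "Windows NT 5.1"})]
XP_USER = {"user_agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1)"}
```

Running shadowed() over a policy before validating it shows which login pages will never be served; giving the more specific subpolicy the higher priority clears the finding.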