User Endpoint Settings
Configure User Endpoint settings to implement simple network access control.
Parameters
- VXLAN Networking: If Yes is selected, you can configure the MAC Portal Authentication parameter for BYOD users in a VXLAN network. If No is selected, you can configure only the Transparent Authentication parameter that applies to transparent MAC authentication and transparent portal authentication.
- Authentication ACL: This parameter is available when VXLAN Networking is set to Yes. Configure this parameter to provide temporary network access between an endpoint and INC, so that the endpoint can reach the identification verification page at the first login. The ACL is assigned to the BYOD anonymous user.
- MAC Portal Authentication: This parameter is available when VXLAN Networking is set to Yes. When both MAC portal authentication and transparent authentication are enabled, BYOD users need to provide usernames and passwords only at the first login. When MAC portal authentication is enabled and transparent authentication is disabled, BYOD users must provide usernames and passwords at each login. Transparent authentication is not configurable when VXLAN Networking is set to Yes and MAC Portal Authentication is set to Disable.
- Transparent Authentication: UAM supports transparent portal authentication and transparent MAC authentication. To enable transparent authentication for a user endpoint, select Enable for this parameter, and then enable transparent authentication in the service assigned to the user. If you select Disable for this parameter, endpoints in the self-service center cannot be operated. When VXLAN Networking is set to No, this parameter setting applies only to transparent MAC authentication and transparent portal authentication. When VXLAN Networking is set to Yes, this parameter, together with other parameters, determines the BYOD authentication type.
- Max. Device for Single Account: Set the maximum number of MAC addresses that can be bound to a single account. The value must be an integer in the range of 0 to 999999. The value 0 indicates the number of bound devices is not limited.
- Non-Smart Device Transparent Portal AuthN: When this function is disabled, non-smart device users cannot pass transparent portal authentication. However, they can perform other types of authentication.
- Endpoint Conflict Handling: Select a method for UAM to handle the network request of a user from an endpoint inconsistent with information stored in the database. Options include the following:
  - Reject Authentication—Rejects user authentication.
  - Log Conflict and Continue Authentication—Records endpoint conflict in a log entry and continues to authenticate the user.
  - Issue Blackhole MAC Address Entries—Issues a blackhole MAC address entry to the access device through session control. The access device then isolates the user mapped to the entry to prevent the user from accessing the network. To use this method, the access device must support the blackhole MAC address function.
- Rebind Endpoint for Account: This parameter takes effect in one of the following conditions:
  - The Max. Devices for Single Account parameter is set to 1 in user endpoint settings or an access scenario.
  - The Default Max. Devices for Single Account parameter is set to 1 in an access service.

  Enable this parameter to permit endpoint rebinding for user authentication. After a user passes authentication, the user account is unbound from the original endpoint and rebound to the new endpoint. Disable this parameter if you do not permit user authentication from new endpoints.
- Certificate Expiration Alarm (Days): Number of days before certificate expiration at which the daily alarm of impending expiration begins. Based on the alarm, operators can inform the relevant endpoint user to reapply for the certificate. The value range for this parameter is 0 to 30. The value 0 means no alarm is generated. This parameter applies to BYOD fast deployment.
- Criterion for Clearing Online Info: If Access Devices Included is selected, UAM can clear the online information of a user on the online user list only when the user comes online again through the same access device as the last login. If the user uses a different access device, UAM does not clear the online information of the user. If Access Devices Excluded is selected, UAM does not use the user access device as a criterion for clearing user online information when the user comes online again.
- Director Controller Configuration: IP binding is enabled for the director controller after you set VXLAN Networking to Yes. IP Binding Management is displayed on the left navigation tree if you refresh the page. If you set VXLAN Networking to No later, IP binding is disabled, and IP Binding Management is hidden after you refresh the page.
- Service Type ID: The device determines the authentication mode or carrier according to the selected service type.
- Service Type: The service type ID is used by the device. The service type is displayed on the MAC Portal login homepage and explains the service type ID. This field cannot be empty or identical to any existing service type. You can configure a maximum of 64 service types.
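
The interaction between Max. Devices for Single Account and Rebind Endpoint for Account, as an added Python model that is not UAM code. `Account`, `decide_binding` and the decision labels are hypothetical, the MAC addresses are constructed, and rejecting a new endpoint once a limit greater than 1 is reached is an assumption the page does not state.

```python
from dataclasses import dataclass, field

MAX_DEVICES_LIMIT = 999999  # page: integer in 0..999999, 0 = not limited


def norm(mac: str) -> str:
    """Normalise a MAC address to lower-case colon form."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class Account:  # hypothetical stand-in for an access account
    name: str
    bound_macs: list = field(default_factory=list)


def decide_binding(account, mac, max_devices, rebind_enabled):
    """Return (decision, resulting bound MAC list) for an authenticating endpoint.

    Assumption: when a limit greater than 1 is already reached, the new
    endpoint is rejected; the page does not describe that case.
    """
    if not isinstance(max_devices, int) or not 0 <= max_devices <= MAX_DEVICES_LIMIT:
        raise ValueError("max_devices must be an integer in 0..999999")
    mac = norm(mac)
    bound = [norm(m) for m in account.bound_macs]
    if mac in bound:
        return "known-endpoint", bound
    if max_devices == 0 or len(bound) < max_devices:
        return "bind", bound + [mac]
    if max_devices == 1 and rebind_enabled:
        # Rebind Endpoint for Account: drop the original binding, keep the new one.
        return "rebind", [mac]
    return "reject", bound


def demo():
    """Run constructed sample endpoints through the model."""
    alice = Account("alice", ["02-00-00-00-00-01"])  # constructed MAC
    bob = Account("bob", ["02:00:00:00:00:01", "02:00:00:00:00:03"])
    new = "02:00:00:00:00:02"                        # constructed MAC
    return {
        "limit1_rebind_on": decide_binding(alice, new, 1, True),
        "limit1_rebind_off": decide_binding(alice, new, 1, False),
        "unlimited": decide_binding(alice, new, 0, False),
        "limit2_full": decide_binding(bob, new, 2, True),
    }
```

With a limit of 0 the rebind and reject branches are never reached, so every new MAC address an account presents is bound and kept.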