Configure System Parameters
The function allows you to configure and change system settings.
AAA Parameters
- Aging Interval: Interval at which the system checks each online user in turn. If no accounting update packet for a user has arrived by the time the aging interval expires, the system clears that user's online information.
- Authentication Lock Time: Period, starting when the user is authorized and ending at the accounting start time, during which the authenticated user cannot be reauthenticated.
- Estimated Access Period: Span of time over which the time periods allowed in each access period are expanded in advance and saved in a temporary table. When a user who has applied for the service logs in, the system looks up this table to decide whether the user is allowed access at that moment.
- Max. Session Duration: Maximum session duration used in accounting update communication between the user and the device. The default is 86400 (seconds, that is, one day).
- Max. Default Authorization Duration: Maximum session duration sent to the device during user billing (accounting) updates. The default is 315360000 (seconds, that is, ten years).
- Traffic Unit: Unit for user traffic statistics. The value of this parameter must be the same as that configured on the access device.
- Unit of Remaining Traffic: Unit for the remaining usable traffic for the user. This setting is sent by the RADIUS server to the device.
- Client Protection Against Cracks: With this option enabled, UAM requires endpoint users who are assigned a service configured with the iNode Client Only parameter to use only the iNode PC client for network access. Users who do not use the iNode PC client cannot pass authentication or come online correctly. To use this function, add and validate iNode Management Center on the User>>User Access Policy>>Service Parameters>>System Settings>>Client Anti-Crack page. The function is supported on HP A-Series and Intelbras devices only.
- Max. Authentication Attempts: Maximum number of consecutive failed password attempts allowed for identity authentication of a user. When the value is reached, the user is blocked and cannot initiate authentication from the same MAC address. If the Denylist Period parameter is configured, the user can initiate authentication again when the denylist period expires; if it is not configured, the user cannot initiate authentication until 03:30 the next morning. A value of 0 means the number of attempts is not restricted.
- AuthN Server Switchover: This setting takes effect when the policy server is enabled. Use this option to control the authentication packet handling strategy when the authentication server runs normally but the policy server runs abnormally. If this option is enabled, the AAA conductor/standby server switchover is triggered when the policy server runs abnormally. In this case, the conductor authentication server does not respond to authentication requests sent by the device, but will forward these requests to the standby authentication server instead. If this option is disabled, the conductor authentication server responds to authentication requests. As a result, the endpoints can pass the access authentication but will fail security authentication.
- NAS Port for Control: The port number to which the system sends the control packets to the device. It must be the same as that configured on the device.
- Control User Authentication: Enables UAM to directly discard authentication requests from a user who has failed authentication several times in succession (max. authentication attempts + 1) within a time interval. The function does not take effect if Max. Authentication Attempts is set to 0.
- Username Prefix Conversion Mode: Select how to convert the username prefix: Change to Suffix or Remove. Change to Suffix moves the backslash (\) and the text before it to the end of the username as its suffix. Remove deletes the backslash (\) and the text before it from the username. This parameter does not take effect on usernames of users authenticated by an LDAP server when Add Prefix is selected for the Account Format parameter of that LDAP server.
- Log off Duplicate Account: Specifies whether to log off an existing online account to permit another login with the same account. This parameter takes effect only when Max. Concurrent Logins is 1. When this parameter is disabled and the maximum concurrent logins is 1, a user cannot access the network from any other terminal using an account that is already online.
- Add Invalid Client to Denylist: Specify whether to immediately block 802.1X users who access from an invalid client. Blocked users can be released by an administrator at any time or by the system on the next day.
- Client Protection Password: Specifies the password to protect the iNode client. Whether or not the parameter is effective depends on the following rules:
1. The parameter is ineffective for the iNode client that does not support password protection, regardless of whether or not you set the client protection password.
2. The parameter is effective for the iNode client that supports password protection and is configured with a default password. However, the client protection password is not effective until the iNode client passes authentication. Before the iNode client passes authentication, the default password applies.
3. If you do not set the client protection password, the default password applies to the iNode client that supports password protection and is configured with a default password.
4. If you clear the client protection password later, the latest effective password applies to the iNode client that supports password protection and is configured with a default password. For further network access, Rule 2 applies.
The client protection password feature requires cooperation with the policy server.
- User Authentication Test Mode: Enables UAM to return an authentication success message to users who failed identity authentication. With this parameter enabled, UAM allows those users to access the network, but does not create online user accounts for them or generate access details after their logoff. This parameter does not appear when CAMS is installed.
- Renew Access Details at Midnight: Specify whether to renew access details at midnight. With this option enabled, UAM generates access details and starts collecting new access details for all online users at 00:00 each day. When CAMS is deployed, this option is always disabled.
- Dynamic Password Length: Enter an integer in the range of 4 to 8 to limit the dynamic password length. For example, 4 indicates a 4-digit dynamic password.
- Dynamic Password Type: If you select SMS, dynamic passwords are sent to users by SMS message. If you select Email, dynamic passwords are sent to users by mail.
- Activate mute terminals before network access: Configure whether to require mute terminals to be activated for network access. When you enable this option, the operator needs to activate mute terminals before they can come online.
- Detect IP Address Conflict for iNode Client: When you enable this feature, UAM checks whether the IP address of the connected iNode client conflicts with addresses of online users. If a conflict occurs, UAM informs the client of the username and MAC address of the conflicting user.
- Logging Nonexistent MAC AuthN Users: If you select Yes, a failure log is generated for a user that fails MAC address authentication because no matching user exists on the server.
- Match Username Suffixes: If Yes is selected, UAM will use the username suffixes to match service suffixes. If No is selected, username suffixes are ignored during the service match in user authentication and services without suffixes are assigned to users.
- Encryption Algorithm for Dynamic Token Auth: Select the keyed-hash (HMAC) algorithm used for dynamic token authentication. Options are HMAC-SHA1-96 and HMAC-SM3-96. This parameter is available only after dynamic token authentication is enabled.
- Invalidate Dynamic Token After Use: A dynamic token is immediately invalidated after it is used, and then it cannot be used for authentication any more.
- Dynamic Token Change Interval: Specify the interval (in seconds) at which the dynamic token changes. A new change interval takes effect only after the dynamic token's QR code is scanned again or the dynamic token is registered again.
- Bypass Authentication upon Third-Party Authentication Failures: If you disable this feature, a user fails to pass authentication when any third-party authentication failure occurs. If you enable this feature, EIA automatically bypasses the authentication for a user to ensure that the user can come online properly in either of the following conditions:
- The third-party authentication server is unreachable.
- The response from the third-party authentication server times out.
With this feature enabled, the user still fails to pass authentication when any other third-party authentication failure occurs. This feature is disabled by default.
- EAP-SIM Authentication: After this parameter is enabled, the binding parameters related to EAP-SIM authentication appear when access user binding information is added, EAP-SIM can be selected as the preferred EAP type in the access policy, and the SIM encryption algorithm version can be selected. This parameter is disabled by default.
- Database Error Handling: Select a method of handling the authentication requests in case a database error occurs. When the Sends a Reject Message option is selected, UAM sends an authentication reject message to the access device. When the Discards the Request option is selected, UAM ignores and does not respond to the authentication request.
- Send Session Timeout Attribute: Specify whether to carry the Session Timeout attribute in the authentication packets and accounting packets.
- Check Cert Attributes for Account: Specify whether to enable UAM to check account name consistency against certificate attributes. When you select this option and specify one or more certificate attributes, UAM checks the account name against these certificate attributes during certificate authentication. If the account name matches a certificate attribute, the user passes the authentication. If the account name does not match any attribute, the user cannot pass the authentication. If you do not select this option, UAM does not check the account name against certificate attributes.
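The Username Prefix Conversion Mode and Match Username Suffixes parameters above are simple string rules, but they decide which service a user lands on, and Remove can merge accounts from different directory domains into one UAM account. The following Python is an added example written for this page, not UAM/EIA code. It assumes, because the page does not say, that the service suffix is the text after the last "@" in the username and that Change to Suffix produces name@PREFIX; the service table is constructed sample data.

```python
"""Username prefix conversion and suffix-based service matching.

Added example for this page, not UAM/EIA code.  Assumptions (not stated on
the page): the service suffix is the text after the last '@' in a username,
and Change to Suffix produces 'name@PREFIX'."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

SUFFIX_SEP = "@"  # assumed separator between account name and service suffix


def convert_prefix(username: str, mode: str) -> str:
    """Apply the Username Prefix Conversion Mode to a 'PREFIX\\name' username.

    'Remove'           : 'CORP\\alice' -> 'alice'
    'Change to Suffix' : 'CORP\\alice' -> 'alice@CORP'  (assumed output format)
    Usernames with no backslash, or any other mode, are returned unchanged.
    """
    if "\\" not in username:
        return username
    prefix, _, name = username.partition("\\")
    if mode == "Remove":
        return name
    if mode == "Change to Suffix":
        return f"{name}{SUFFIX_SEP}{prefix}"
    return username


def split_suffix(username: str) -> Tuple[str, Optional[str]]:
    """Return (account, suffix); suffix is None when the username has none."""
    account, sep, suffix = username.rpartition(SUFFIX_SEP)
    if not sep:
        return username, None
    return account, suffix


def match_service(username: str, services: Dict[str, Optional[str]],
                  match_suffixes: bool) -> Optional[str]:
    """Choose the service for a username, mirroring Match Username Suffixes.

    services maps service name -> configured suffix (None = service without suffix).
    match_suffixes=True : the username suffix (or its absence) must equal the
                          service's configured suffix.
    match_suffixes=False: suffixes are ignored; only services without a suffix
                          are candidates.
    Returns the first matching service name, or None.
    """
    _, suffix = split_suffix(username)
    for name, svc_suffix in services.items():
        if match_suffixes and svc_suffix == suffix:
            return name
        if not match_suffixes and svc_suffix is None:
            return name
    return None


def prefix_collisions(usernames: Iterable[str], mode: str) -> Set[str]:
    """Converted usernames that more than one original username maps to.

    With Remove, 'CORP\\alice' and 'LAB\\alice' both become 'alice', so two
    different directory identities would share one UAM account.
    """
    seen: Dict[str, List[str]] = {}
    for u in usernames:
        seen.setdefault(convert_prefix(u, mode), []).append(u)
    return {converted for converted, originals in seen.items() if len(originals) > 1}


if __name__ == "__main__":
    # Constructed sample service table: name -> suffix (None = no suffix).
    services = {"default": None, "wifi": "wlan", "corp-dot1x": "CORP"}
    for raw in ["alice@wlan", "CORP\\alice", "LAB\\alice"]:
        for mode in ["Remove", "Change to Suffix"]:
            converted = convert_prefix(raw, mode)
            print(f"{raw!r:14} {mode:17} -> {converted!r:13} "
                  f"service={match_service(converted, services, True)}")
    print("collisions with Remove:",
          prefix_collisions(["CORP\\alice", "LAB\\alice"], "Remove"))
```

Run `prefix_collisions` over your account list before switching a prefix mode: any non-empty result means two directory identities would share one account after conversion.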
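The three dynamic token parameters above (HMAC algorithm, Invalidate Dynamic Token After Use, Dynamic Token Change Interval) fit together as a time-stepped one-time code. The Python below is an added example for this page, not UAM/EIA code: the page does not describe how UAM derives its tokens, so the construction used here (counter = Unix time divided by the change interval, token = the leftmost 96 bits of HMAC-SHA1 over that counter, shown as 24 hex digits) is an assumption for illustration. HMAC-SM3-96 is not shown because hashlib has no SM3. The example shows why a token is rejected after first use and why changing the interval on the server without re-registering the client breaks authentication.

```python
"""Time-stepped dynamic token using HMAC-SHA1-96, with one-time use.

Added example for this page, not UAM/EIA code.  The token construction is an
assumption made for illustration: counter = unix_time // change_interval and
token = first 96 bits of HMAC-SHA1(secret, counter) as 24 hex digits."""
import hashlib
import hmac
import struct
from typing import Set


def hmac_sha1_96(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1 truncated to its leftmost 96 bits (12 bytes)."""
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]


def token_at(secret: bytes, unix_time: int, change_interval: int) -> str:
    """Client side: token for the time step that contains unix_time."""
    counter = unix_time // change_interval
    return hmac_sha1_96(secret, struct.pack(">Q", counter)).hex()


class TokenVerifier:
    """Server side.  secret and change_interval are what the client stored
    when it scanned the QR code; both copies must match."""

    def __init__(self, secret: bytes, change_interval: int,
                 invalidate_after_use: bool = True) -> None:
        if change_interval <= 0:
            raise ValueError("change_interval must be positive")
        self.secret = secret
        self.change_interval = change_interval
        self.invalidate_after_use = invalidate_after_use
        self._used_counters: Set[int] = set()   # time steps already consumed

    def verify(self, token: str, unix_time: int) -> bool:
        if not token.isascii():
            return False
        counter = unix_time // self.change_interval
        expected = hmac_sha1_96(self.secret, struct.pack(">Q", counter)).hex()
        # Constant-time comparison so response timing does not reveal how many
        # leading characters of a guessed token were correct.
        if not hmac.compare_digest(expected, token.lower()):
            return False
        if self.invalidate_after_use:
            if counter in self._used_counters:
                return False            # Invalidate Dynamic Token After Use
            self._used_counters.add(counter)
        return True


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample secret
    now = 1_700_000_000
    server = TokenVerifier(secret, change_interval=60)
    tok = token_at(secret, now, 60)
    print("first use :", server.verify(tok, now))       # True
    print("replay    :", server.verify(tok, now + 5))   # False, already used
    # The operator changes the interval on the server to 30 s, but the client
    # still holds the 60 s interval from the old QR code: the counters diverge
    # and every token fails until the client scans the QR code again.
    server30 = TokenVerifier(secret, change_interval=30)
    print("stale QR  :", server30.verify(tok, now))     # False
```

Because the counter is part of the HMAC input, the change interval is effectively part of the shared secret: it must be provisioned to the client at the same time as the key, which is what the page's note about rescanning the QR code describes.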
User Data Management Parameters
- Syslog Server IP: IP address of the syslog server. The syslog server receives authentication failure syslogs and security syslogs sent from INC.
- Send Auth Failure Syslogs: If you select Yes, the system checks for new authentication failure logs every hour, and sends one syslog to the syslog server for each new authentication failure log, if any.
- UAM Service Group: Allows you to enable or disable the UAM service hierarchical management function. If Disable is selected, administrators cannot add service groups. The Service Group parameter does not appear in any function modules of UAM. The Disable option appears only when the system has no service group except Ungrouped.
- Access Details Lifetime: Specify how long the system keeps user access details. At 02:00 every day, the system runs a task that deletes user access details kept longer than the specified lifetime.
- Cancelled User Lifetime: Period of time when an account remains in the system after being cancelled. After this period of time elapses, information about the account will be removed from the system automatically.
- Log Lifetime: Specify how long the system keeps user authentication failure logs, user logs, device management user authentication logs, endpoint recognition audit records, and endpoint policy deployment history. At 03:30 every day, the system runs a task that deletes the logs and records kept longer than the specified lifetime.
- Enable IPv6: When IPv6 is enabled, RADIUS authentication and portal authentication support IPv6 addresses. Make sure IPv6 addresses are correctly configured on access devices and portal devices. Access User List, Online User List, Roaming Online Users, Blocked User List, List of Authentication Failure Logs, Access Details List, and Roaming Details List all record the IPv6 addresses of users and allow you to query records by IPv6 address. IPv6 addresses cannot be exported or imported, or modified in batches.
- Generate Alarm for Full Queue of Authentication: If you select this option, the system checks every minute whether a log for the full access user authentication queue event was generated in the last minute. If a log is found, the system sends an alarm to the alarm server. Otherwise, the system does not send any alarm.
- Alarm Server IP: Specifies the IP address of the server to receive SNMP alarms about critical events generated by access management, for example, full authentication queue of access users and the EIA license usage reaching 95%. EIA supports sending SNMP alarms to a specific alarm server or the INC alarm component. To enable EIA to send SNMP alarms to an alarm server, configure both the Alarm Server IP and Listening Port of Alarm Server fields. To enable EIA to send SNMP alarms to the INC alarm component, leave the Alarm Server IP field empty, and enter the listening port number of the alarm component in the Listening Port of Alarm Server field. The default port number is 162. Make sure the alarm component has been deployed. To disable alarm sending, leave both the Alarm Server IP and Listening Port of Alarm Server fields empty.
- Listening Port of Alarm Server: Port that the alarm server uses to listen to SNMP alarms from EAD.
- Remote Connection Wait Time: Time the administrator waits for a user to input the system username and password during remote desktop connection.
- Remote Desktop Password Input Side: This parameter is relative to the remote desktop connection function of online users. Refer to Remote Desktop Connection for details.
- Display the TopN User Groups: Specifies the number of user groups with the greatest number of online users to be displayed on the user home page. It must be an integer in the range 10 to 200.
- INC Service Port: Sets the port number through which INC is accessed. The value is an integer in the range of 1 to 65535. The value must be the same as the http.port parameter in the http.properties file and the port attribute of the HTTP Connector tag in the server.xml file. Both files are located in the \client\conf directory of the installation path. To prevent access errors, do not change the INC service port unless the http.port parameter and the port attribute are changed as well. After you change the INC service port, restart INC to make the new setting effective.
- Apply Service by User Group: If you select this option, you cannot select Apply For Service or Cancel Service when you add or modify an account. All access users except LDAP users using AD-group based synchronization automatically apply for services specified for the user group to which the users belong. If users are assigned to another group or the service specified for a user group changes, the system applies for a new service for the user group at 00:20 every day. You can specify the service that a user group must apply for on the page for adding or modifying a user group, or specify the user groups that must apply for the service on the page for adding or modifying service configuration. This parameter does not appear when CAMS is installed.
- Apply Service Configuration Immediately: If you select Enable, the most recent service configuration takes effect on a user immediately after the user's group changes or the services of the user group change (except for LDAP users using AD-group based synchronization). Modifying the user groups on the configuration page of a service that has already been applied for does not take effect immediately. When Apply Service by User Group is disabled, this parameter is automatically set to Disable and cannot be configured. This parameter is not displayed when CAMS is installed.
- Forcibly Set Bound IP Address and Access Services: With this option enabled, when you add/modify an access user or register a pre-registered user, if the access service selected for the user is configured with the Bind User IP option, an IP address must be configured for the user. With this option enabled and applying for services by user group disabled, when you add or modify an access user or register a pre-registered user, you must select at least one access service for the user. Do not enter an IP address that is already bound to another account when you add or modify an access user. This option does not apply to batch operations. With this option enabled and applying for services by user group enabled, when you add or modify a user group, you must select at least one access service for the user group.
- Cancel Online User Services: This parameter cancels the service being used by a specific online user. With this parameter enabled, INC first clears the online information for the user and then cancels the service being used by the user. This parameter does not appear when CAMS is installed.
- Trouble Ticket Hold Time: Specifies the time that the system keeps a trouble ticket. The system automatically clears all expired trouble tickets that are not typical. It must be an integer in the range 5 to 365, in days.
- Verify IP Address: When this parameter is enabled, the IP address to be bound to an access user or a preregistered access user cannot already be bound to another user. IP address verification applies only to single-user operations; batch user operations do not support it.
- Verify MAC Address: When this parameter is enabled, the MAC address to be bound to an access user or a preregistered access user cannot already be bound to another user. MAC address verification applies only to single-user operations; batch user operations do not support it.
- MAC Address Consistency Check: Check whether the MAC address used for the current login of the user is the same as that used for the last login.
- Automatic Failover upon Database Exception: After you select Enable, UAM automatically switches to failover mode if the database has not started or an unknown error occurs, so that users can still access the network. Note that this is fail-open behavior: for as long as the database is unavailable, access decisions are made without it. The default setting is Disable.
- Support Megascale Users: The HPE version does not support this parameter. When this parameter is disabled, UAM can manage a maximum of 500000 users. When it is enabled, UAM can manage a maximum of 2000000 users. When CAMS is installed, this parameter does not appear and cannot be modified, but its setting still takes effect. To ensure performance, UAM applies the following restrictions after the parameter is enabled:
The advanced query function is disabled for the access user list, guest list, and endpoint list.
Fuzzy matching for the account name and user name fields takes effect only on the name prefixes of users in the access user list, guest list, and account list for the batch operation of Query and Maintain Accounts in Batches.
Jumping to the last page is disabled for the access user list, endpoint list.
The sorting function is disabled for the start time and end time fields of the access user list, for the vendor, endpoint type, OS, transparent authentication, and enabled/disabled time fields of the endpoint list, and for the expiration time field of the guest list.
The lifetime is restricted to a value range of 1 to 30 days for EAD security logs, canceled access users, and logs managed by UAM.
The User Access Log > RADIUS Track menu in the navigation tree does not appear.
- Display User Group Path: If you select Yes, the access user list displays the path of each user group in the user group column.
- Daily Password SMS Messages: This parameter restricts the maximum number of SMS messages through which an endpoint user retrieves the password per day. The value must be an integer in the range of 1 to 1000. If the parameter is disabled, the number of password SMS messages is not limited.
- Denylist Period: Select this option and set the amount of time that a user remains in the denylist. The value range is 5 to 1440 minutes or 1 to 24 hours. A tolerance of 2 to 3 minutes applies when this feature is enabled: for example, with a denylist period of 30 minutes the system might remove a user from the denylist 28 to 33 minutes after the user is blocked. If you disable this parameter, the system automatically removes users from the denylist at 03:30 every day. This parameter does not apply to manually blocked users or to users with negative account balances, who are never removed from the denylist automatically.
- Displays Key in: Specifies whether the keys configured for authentication in UAM are displayed in plain text or cipher text. Keys are used when you configure access devices, user notifications, portal devices, and third-party RADIUS authentication. If Plaintext is selected, actual key contents are displayed. If Ciphertext (Displays ******) is selected, asterisks (*) are displayed.
- Database Table Space Alarm Threshold (GB): The system examines the table space used by the EAD database at 4:00 a.m. every day and sends an alarm if the used space exceeds the threshold. The default threshold is 50 GB.
- User Limit per User Group: If you select Enable, you can set the user upper limits on the user group page. The settings apply to all user groups. If you select Disable, the number of users in each user group is not limited.
- Delete Associated Access Users Upon Mute Terminal User Configuration Profile Modification: This parameter determines whether to delete access user accounts of a MAC address range when the MAC address range is deleted from the mute terminal user configuration profile.
- Access User Password Strategy: Disabled by default. If enabled, an operator must follow the password complexity requirements when adding or modifying access users.
- Device User Password Strategy: Disabled by default. If enabled, an operator must follow the password complexity requirements when adding or modifying device users.
- Police Advanced Perspective: Disabled by default. If you enable this feature, restart the Jserver process to activate the configuration.
- Device State Probing: This function enables UAM to periodically send probe packets to check connectivity to access devices. For device state probing to work correctly, you must also perform the following tasks:
1. Add a device state probing user on the access user configuration page under User > All Access Users.
2. Configure the device state probing parameters on the User Access Policy > Access Device Management > Access Device page.
3. Go to the device configuration page of the access device for which you want to enable periodic device state probing, and then select Yes for Device State Probing in the Access Configuration area.
- Online Duration upon Password Modification (Minutes): Specify the number of minutes that a user can stay online at the next login after a password modification. The value range is 1 to 30.
- Alarm Threshold for EIA License Usage (%): When the percentage of used EIA licenses reaches or exceeds this threshold, an alarm is sent. Set the value to 0 to disable license usage threshold alarming. Enter an integer in the range of 0 to 100.
- Binding Info Retention Period (Days): Enter an integer in the range of 0 to 365. The system removes binding information when the retention period is reached. A value of 0 means the system never removes binding information.
- Server Certificate Expiration Alarm Threshold (Days): Specifies the alarm threshold for server certificate expiration. An alarm is generated when the server certificate is within this many days of its expiration time. The value must be an integer between 0 and 365.
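Max. Authentication Attempts, Control User Authentication (AAA Parameters) and Denylist Period (above) describe one per-MAC lockout mechanism: a consecutive-failure counter, a block that expires after the configured period or at 03:30 the next day when no period is set, requests from a blocked MAC being discarded, 0 meaning unlimited attempts, and manual blocks that are never released automatically. The following Python is an added example written for this page, not UAM/EIA code; it models exactly those rules and ignores the 2 to 3 minute release tolerance. Timestamps and MAC addresses in the demo are constructed.

```python
"""Per-MAC lockout modelled on Max. Authentication Attempts, Control User
Authentication and Denylist Period.

Added example for this page, not UAM/EIA code.  Simplifications: the daily
release time is the page's 03:30, the 2-3 minute release tolerance is ignored,
and 'discarded' stands for Control User Authentication dropping requests from
a MAC that is already blocked."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

DAILY_RELEASE = (3, 30)  # 03:30 next morning when no Denylist Period is set


def next_daily_release(now: datetime) -> datetime:
    """Next 03:30 strictly after `now`."""
    hour, minute = DAILY_RELEASE
    release = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if release <= now:
        release += timedelta(days=1)
    return release


@dataclass
class Entry:
    failures: int = 0                         # consecutive failures so far
    blocked_until: Optional[datetime] = None  # None = not blocked
    manual: bool = False                      # blocked by an administrator


@dataclass
class Denylist:
    max_attempts: int                         # 0 = unlimited attempts
    period: Optional[timedelta] = None        # None = release at 03:30 next day
    entries: Dict[str, Entry] = field(default_factory=dict)

    def is_blocked(self, mac: str, now: datetime) -> bool:
        e = self.entries.get(mac)
        if e is None or e.blocked_until is None:
            return False
        if e.manual:
            return True                       # never auto-released
        if now >= e.blocked_until:            # period or daily release passed
            e.blocked_until = None
            e.failures = 0                    # start counting afresh
            return False
        return True

    def record_failure(self, mac: str, now: datetime) -> str:
        """Returns 'discarded', 'blocked' or 'counted'."""
        if self.is_blocked(mac, now):
            return "discarded"                # Control User Authentication
        if self.max_attempts == 0:
            return "counted"                  # attempts not restricted
        e = self.entries.setdefault(mac, Entry())
        e.failures += 1
        if e.failures >= self.max_attempts:
            if self.period is not None:
                e.blocked_until = now + self.period
            else:
                e.blocked_until = next_daily_release(now)
            return "blocked"
        return "counted"

    def record_success(self, mac: str, now: datetime) -> bool:
        """A successful login resets the consecutive-failure counter.
        Returns False if the MAC is still blocked (the login must be refused)."""
        if self.is_blocked(mac, now):
            return False
        self.entries.setdefault(mac, Entry()).failures = 0
        return True

    def block_manually(self, mac: str) -> None:
        e = self.entries.setdefault(mac, Entry())
        e.manual = True
        e.blocked_until = datetime.max

    def release(self, mac: str) -> None:
        """Administrator release: the only way out for manual blocks."""
        self.entries.pop(mac, None)


if __name__ == "__main__":
    mac = "aa:bb:cc:dd:ee:01"                 # constructed sample MAC
    t0 = datetime(2024, 1, 1, 22, 0)          # constructed sample time
    dl = Denylist(max_attempts=3, period=timedelta(minutes=30))
    for i in range(4):
        print(f"attempt {i + 1}:", dl.record_failure(mac, t0 + timedelta(seconds=5 * i)))
    print("blocked after 31 min:", dl.is_blocked(mac, t0 + timedelta(minutes=31)))
    nightly = Denylist(max_attempts=1)
    nightly.record_failure(mac, t0)
    print("released at:", nightly.entries[mac].blocked_until)   # 2024-01-02 03:30
```

Note the two different failure modes the page describes: with a Denylist Period the block is relative to the last failure, without one it is absolute (03:30), so a user blocked at 03:29 is released a minute later while one blocked at 03:31 waits almost a full day.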
Self-Service Parameters
- Authenticated Self-Service Users Only: Controls user access to the self-service center. Select No to allow any user to log in to the self-service center from any host. Select Yes to allow only authenticated users to log in, and only from the host they authenticated from. If Yes is selected, it is a good practice for 802.1X users to select the Upload IPv4 Address option in the connection properties; otherwise they may be unable to use the self-service feature. If the network has portal users that must traverse a NAT device, select No so that they can log in to the self-service center.
- Preregistered IP Limit: Specifies the maximum number of accounts (including access user accounts and guest accounts) that can be preregistered from the same IP address per day. The value can be -1 or an integer in the range of 1 to 1000; -1 means no limit.
- Reconfirm Preregistration: If this feature is disabled, preregistered accounts become effective as soon as they are successfully registered. If it is enabled, newly registered accounts are disabled until an operator activates them.
- Password Strategy for User Preregistration: Strategy a user to be preregistered must comply with when setting the password. An approved preregistered user can change the password without the restriction of the password strategy.
- Ticket Quantity Limit per Account per Day: Specifies the maximum number of trouble tickets that one account can report per day. It must be an integer in the range 1 to 20.
- Self-Service Port: This port number is mainly used during self-service password changing and client upgrade. Its value range is 1 to 65535. The self-service port setting must be consistent with the http.port property in the INC installation directory\client\conf\http.properties file. You need to change this port number only when the setting of the http.port property is changed. For example, if the setting of the http.port property is changed from 8080 to 8088, you need to change this port number to 8088. After changing this port number, be sure to restart the JServer process in the Intelligent Deployment Monitoring Agent to make the change take effect. In distributed deployment, if the self-service center is deployed on a subordinate server, restart the WebServer process on that server only.
- Modify Asset Information: This parameter determines whether or not a user can modify asset information in the self-service center.
- Modify Transparent Authentication Status: Select Enable to allow users to modify transparent authentication status, bind online endpoints, and add or delete MAC addresses of endpoints. Select Disable to prohibit users from performing these operations.
- Display Verification Code: Enable this feature to display the verification code on the self-service center login pages, user authentication information pages, and guest center login pages for both PC and mobile devices.
- Clear Online Information: Specifies whether end users can clear their own online information in the self-service system.
- Max. Idle Time (Minutes): This parameter specifies the maximum length of time a user can stay idle after logging in to the Self-Service Center or Guest Center. Expired users will be automatically logged out.
- Self-Service HTTPS Port: This port number is mainly used during self-service password changing and client upgrade. Its value range is 1 to 65535. The self-service port setting must be consistent with the https.port property in the INC installation directory\client\conf\http.properties file. You need to change this port number only when the setting of the https.port property is changed. For example, if the setting of the https.port property is changed from 8443 to 8444, you need to change this port number to 8444. After changing this port number, be sure to restart the JServer process in the Intelligent Deployment Monitoring Agent to make the change take effect. In distributed deployment, if the self-service center is deployed on a subordinate server, restart the WebServer process on that server only.
- Preregistration Phone Number Format: This parameter uses a regular expression to restrict the format of phone numbers provided by users or guests for preregistration. By default, this parameter is not configured and the phone number format is not checked. The regular expression supports a maximum of 128 characters. For example, ^1[358][0-9]{9}$ means a string of 11 digits starting with 13, 15, or 18.
- Password Retrieval Sending Mode: Controls how a password retrieved by an access user or guest is delivered. SMS sends the password to the user's phone by SMS message, Email sends it to the user's email address, and Note+Modify requires the user to enter an SMS verification code and then set a new password manually.
- HTTPS Access Only: This parameter is available only when the self-service platform and the user access manager component are deployed in distributed mode. After you modify the parameter on the system management page of the INC platform, you must synchronously modify the parameter on the self-service platform to keep the parameter setting consistent on both sides. If you modify the parameter but do not restart the WebServer process in the Intelligent Deployment Monitoring Agent where the self-service platform resides and the jserver process of the user access manager component, the configuration does not take effect.
- IP Address Approval Timeout (Days): Specify the timeout period in days for IP address approval. After an IP address application was submitted in the IP Address Management Process, the approver can approve or reject the request only within the specified timeout period. The value range for this parameter is 1 to 30 and the default is 10.
- Level 2 Approval Only: This feature enables the IP address management process to skip level 1 approval.
- Reset Password through Security Questions: If this feature is enabled, you can configure security answers in the self-service platform.
- Guest Manager Display Type: Specify a type for guest manager display on the Guest Preregister page. When the number of guest managers is small, select Drop-Down List Selection as a best practice. If not, select Manual Input without Auto Completion or Manual Input with Auto Completion.
- Select User Groups to be Blocked from Logging in to Self-Service Platform: The access users and guests in the selected user groups cannot log in to the self-service platform.
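Several of the self-service parameters above are abuse controls on an unauthenticated or lightly authenticated surface: Preregistered IP Limit (per IP, per day, -1 for unlimited), Preregistration Phone Number Format (a regular expression of at most 128 characters, unchecked when unset), Ticket Quantity Limit per Account per Day (1 to 20) and Max. Idle Time. The Python below is an added example for this page, not UAM/EIA code. It assumes, consistent with the page's own `^1[358][0-9]{9}$` example, that the phone pattern is applied with search semantics, so anchors in the pattern matter; all sample IPs, phone numbers and dates are constructed.

```python
"""Self-service input and rate controls modelled on Preregistered IP Limit,
Preregistration Phone Number Format, Ticket Quantity Limit per Account per Day
and Max. Idle Time.

Added example for this page, not UAM/EIA code.  Assumption: the phone pattern
is applied with search semantics, so anchors in the pattern matter, as in the
page's own '^1[358][0-9]{9}$' example."""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, Optional, Tuple

MAX_PATTERN_LEN = 128   # page: regular expression supports at most 128 characters


class SelfServiceGuard:
    def __init__(self, ip_limit_per_day: int, phone_pattern: Optional[str],
                 ticket_limit_per_day: int, max_idle: timedelta) -> None:
        if ip_limit_per_day != -1 and not 1 <= ip_limit_per_day <= 1000:
            raise ValueError("Preregistered IP Limit must be -1 or 1..1000")
        if not 1 <= ticket_limit_per_day <= 20:
            raise ValueError("Ticket Quantity Limit must be 1..20")
        if phone_pattern is not None and len(phone_pattern) > MAX_PATTERN_LEN:
            raise ValueError("phone pattern longer than 128 characters")
        self.ip_limit = ip_limit_per_day
        self.phone_re = re.compile(phone_pattern) if phone_pattern else None
        self.ticket_limit = ticket_limit_per_day
        self.max_idle = max_idle
        # Daily counters keyed by (subject, day), so they reset at midnight.
        self._prereg: Dict[Tuple[str, date], int] = defaultdict(int)
        self._tickets: Dict[Tuple[str, date], int] = defaultdict(int)

    def check_phone(self, phone: str) -> bool:
        """An unconfigured pattern means no check (the page's default)."""
        return self.phone_re is None or self.phone_re.search(phone) is not None

    def preregister(self, client_ip: str, phone: str, today: date) -> bool:
        """Accept a preregistration from client_ip, enforcing the phone format
        and the per-IP daily cap.  Rejected requests do not consume quota."""
        if not self.check_phone(phone):
            return False
        key = (client_ip, today)
        if self.ip_limit != -1 and self._prereg[key] >= self.ip_limit:
            return False
        self._prereg[key] += 1
        return True

    def open_ticket(self, account: str, today: date) -> bool:
        """Enforce Ticket Quantity Limit per Account per Day."""
        key = (account, today)
        if self._tickets[key] >= self.ticket_limit:
            return False
        self._tickets[key] += 1
        return True

    def session_expired(self, last_activity: datetime, now: datetime) -> bool:
        """True once the user has been idle longer than Max. Idle Time."""
        return now - last_activity > self.max_idle


if __name__ == "__main__":
    g = SelfServiceGuard(2, r"^1[358][0-9]{9}$", 1, timedelta(minutes=10))
    today = date(2024, 1, 1)
    for phone in ["13800138000", "15900000000", "18600000000"]:   # constructed
        print(phone, "->", g.preregister("203.0.113.7", phone, today))  # True True False
    loose = SelfServiceGuard(-1, r"1[358][0-9]{9}", 1, timedelta(minutes=10))
    print("unanchored pattern accepts 'x13800138000y':",
          loose.check_phone("x13800138000y"))                          # True
```

The last two lines are the caveat worth carrying into production: a pattern without `^` and `$` matches any string that merely contains a valid-looking number, so always anchor the Preregistration Phone Number Format expression.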
Precautions
- It is recommended to set the Estimated Access Period to about 3 days. If the value is too large or too small, system performance is affected.
- When IPv6 is disabled, IPv6 parameters do not appear on user and service configuration pages. If IPv6 is enabled, IPv6 parameters appear; make sure the correct IPv6 address is configured during subsequent UAM installation, otherwise user authentication might fail.
- A user can stay online for a short period after you cancel the services used by that online user. When the CAMS component is installed, you cannot cancel services used by an online user even if the Cancel Online User Services parameter is enabled.
- For the INC alarm module to receive the alarms sent by the policy server, you need to set the IP address and listening port of the alarm server to those of the INC platform alarm module.
- After a user group is selected to be blocked from logging in to the self-service platform, it will not affect the users and guests that have already logged in. However, the subsequent login attempts will be blocked.