Add/Modify Access User
Use this function to add/modify an access user. To configure an access user, you need to configure parameters in the Basic Information, Additional Information, Access Information, Access Service, and Binding Information areas.
- In the Basic Information area, configure the basic user associated with the access user, including the username, identity number, contact address, telephone, email address, and user group.
- In the Basic Information area, you can select a basic user, which can be searched for by username and identity number. If the selected basic user has been deleted, the system adds the user automatically.
- In the Additional Information area, configure the additional information for the access user. For more information, see Additional Information.
- In the Access Information area, configure the account name, password, and other access user information.
- In the Access Service area, configure the services used by the user to access the network. A user can apply for one or more access services for network access in different scenarios.
- In the Binding Information area, configure the access device binding settings (such as the access device SN) and endpoint binding settings (such as the endpoint IP) for the access user. Configure endpoint binding settings only if the access user uses a fixed IP address or MAC address for network access.
Operation Procedure
Follow these steps to add an access user:
- Select the User tab. From the navigation tree, select User Management > Access User > All Access Users.
- Click Add.
- Configure the related parameters for the user.
- Click OK.
Follow these steps to modify access user information:
- Select the User tab. Select Access User > All Access Users from the navigation tree to enter the all access users page.
- Click the Modify link corresponding to the access user that you want to modify to enter the access user modification page.
- Edit the parameters. If a referenced service is modified, the page that appears after you click OK depends on whether CAMS is installed.
  - If CAMS is not installed, the operation result page appears.
  - If CAMS is installed and the cancelled service includes a charging plan, the page for editing the refund mode appears. Select a refund mode, and click OK. A page then appears, displaying the service that you have cancelled.
Parameters
Access Information
- Account Name: Uniquely identifies an account user, and is used to subscribe to and use services. The account name can contain a maximum of 200 characters and cannot include TAB or any of the following characters: # + / ? % & = * ' @ \ " [ ] () < > `. Space characters are supported in the account name. The account name cannot be changed after the account is created, so this field cannot be modified on the Modify Access User page.
Note: An access user must type its login name for authentication when using a service to log in. The login name consists of an account name, an at sign "@", and a service suffix. For more information about the service suffix, see Access Service.
- Trial Account: You can set a new user as a trial account access user. A trial account access user cannot go online even if the user has applied for a service and the account has enough charge.
- Default BYOD User: When you add an access user, you can configure the user as a default BYOD user (this option displays only when the system does not have a default BYOD user). The account name of the default BYOD user is fixed at byodanonymous, and you do not need to set the account password for the default BYOD user. In MAC authentication, if a MAC address is not bound to any account name, the user logs in as the default BYOD user. After the user logs in, the user can access the INC registration page, register a guest account, or bind an existing account to the MAC address. After the MAC address is successfully bound to an account, the system forces the user to log out. When the authentication is performed again, the account name bound to the MAC address is used.
- Device State Probing User: Select this option to add the user as a device state probing user. This option is available only when device state probing is enabled and no device state probing user exists in the system. The system uses the fixed account name detector for the device state probing user and does not require username or password configuration. The account applies only to device state probing and cannot be used for login authentication.
- MAC Authentication User: Select this option to hide the following optional parameters and area: Password, Confirm Password, Allow User to Change Password, Enable Password Strategy, Modify Password at Next Login, Max. Concurrent Logins, Account Type, and Terminal Binding Information.
- Fast Access User: You can set a new user as a fast access user (this option displays only when the system does not have a fast access user). If you select Fast Access User, the account name is automatically set to anonymous, and the password configuration is unavailable. The total online fast access users are counted in the number of users permitted by the license.
- Computer User: When you add access users, you can select the Computer User option to add a computer user (this option displays only when the system does not have a computer user). The account name of the computer user is computer. Any computer that accesses the network can be authenticated by the Computer User function. A computer can access the network after passing the authentication. To distinguish between computers, the name of a computer is used as the login name. One computer user can use only one access service. You must manually select a service for a computer user when you add the user even if you enable applying for service by user group.
- Password: A password is used for authentication and cannot be null. The password must not be longer than 32 characters.
- Allow User to Modify Password: Specifies whether to allow an end-user to change the password. If the end-user is not allowed to change the password, the options Enable User Password Strategy and Modify Password at Next Login are not available.
- Enable User Password Strategy: Specifies whether a password change through the client or the user self-service platform by an access user is subject to the password control policy. This parameter does not take effect when an operator sets an end-user's password. That is, the user password setting will not be subject to the password control policy. A password control policy includes password length limit and required characters in the password.
- Modify Password at Next Login: Specifies whether the access user needs to change the password during the next access authentication. This parameter takes effect only after a user password control policy is enabled. Therefore, a password change is always subject to the password control policy. After the user changes the password successfully, this parameter is deselected automatically.
- Start Time: Time at which the account becomes valid automatically. The maximum start time allowed is 2038-1-1 00:00, which is processed in the same way as when no start time is set. If no start time is set, the account becomes valid immediately after it is opened.
- End Time: Time on which the account becomes invalid automatically. The maximum end time allowed is 2038-1-1 00:00, which is processed in the same way as when no end time is set. If no end time is set, the account will never become invalid.
- Max. Idle Time: Maximum length of time for which an online user can remain idle before being logged off by the access device. If this parameter is not configured, the user is not logged off for remaining idle too long.
- Max. Concurrent Logins: Maximum number of online users using the account concurrently. If this parameter is not configured, the number of concurrent online users using the account is not limited. For the Fast Access User, the value must be an integer in the range of 1 to 255.
- Max. Transparent Portal Bindings: Enter the maximum number of smart devices that can be bound to the account for transparent portal authentication. The value must be an integer in the range of 0 to 255. A value of 0 indicates the system does not record transparent portal bindings for the account.
- Account Type: CAMS supports two account types, prepaid and ordinary. A user using a prepaid account must pay at least one billing term of the charged service before using the service. When the balance goes down to 0, the service is not provided for the account any more. A user using an ordinary account can use the service before making any payment. After a billing term (usually a month) or more, which is configurable, the user can pay for the used services. This field is available only after CAMS is installed.
- Prepaid Money: The sum must not be less than the fixed fee of a charged service; otherwise, the service is not provided. This field is available only after CAMS is installed.
- One-Time Charge Type: With this type defined, one-time charges can be paid when an account is added. This field is available only after CAMS is installed.
- One-Time Charge Amount: The amount to be paid for one-time charge. One-time charge amount does not go to the balance. This field is available only after CAMS is installed.
- Self-Service Recharge: Select an option to permit or forbid users from recharging their own account through the self-service platform. This field is available only after CAMS is installed.
- Login Message: Prompt information displayed on the login window when a user using the account passes the authentication. You can customize the message as needed. For example, you can set a message Merry Christmas. The login message must not be longer than 60 characters.
- Return unused fee: Return the fee that corresponds to the remaining days in the billing term. This field is effective to charged services with billing terms and is available only after CAMS is installed. If the current billing term is the first term for the user and the service has the Charge by Day in Initial Term option, the sum to be returned = deducted fixed fee - (current date - service application date + 1) * deducted fixed fee / (billing term end date - service application date). Otherwise, the sum to be returned = deducted fixed fee - (current date - billing term start date + 1) * deducted fixed fee / (billing term end date - billing term start date).
For example, suppose that there is a flat rate service with the fixed fee of 60 dollars and the billing term from June 1, 2009 to July 1, 2009, and a user applied for the service on June 11, 2009 and cancelled the service on June 20, 2009. If the service has the Charge Whole Term in Initial Term option, the sum to be returned is 60-(20-1+1)*60/30=20 dollars, and the actual service cost is 40 dollars. If the service has the Charge by Day in Initial Term option, the fee deducted for the first billing term is 40 dollars, the sum to be returned is 40-(20-11+1)*40/20=20 dollars, and the actual service cost is 20 dollars.
- Return the fixed fee: Return the fixed fee of the current billing term to the user. This field is effective to charged services with billing terms and is available only after CAMS is installed. For example, suppose that there is a flat rate service with the fixed fee of 60 dollars and the billing term from June 1, 2009 to July 1, 2009, and a user applied for the service on June 11, 2009 and cancelled the service on June 20, 2009. If the service has the Charge Whole Term in Initial Term option, the fee deducted for the first billing term is 60 dollars and the sum to be returned is 60 dollars. If the service has the Charge by Day in Initial Term option, the fee deducted for the first billing term is 40 dollars and the sum to be returned is 40 dollars.
- WLAN Cell Phone Number: Specify the WLAN cell phone number to be bound to the access user. One access user can be bound to only one WLAN cell phone number. The user can modify the bound WLAN cell phone number at the self-service center. You can update the WLAN cell phone number once in the self-service center every month.
- WLAN Password: Specify the WLAN password. This field cannot be empty if a bound WLAN cell phone number is specified for the user. The user can modify the bound WLAN password at the self-service center.
- Allow Self-Choice of Service: When this option is checked, users are allowed to select an access service, and the selection is not affected by applying for service by user group. This option appears only after the system parameter "Apply Service by User Group" is turned on.
Access Service
The list of access services that a user can apply for can be displayed based on user group. To apply for a service, select the corresponding check box. With one account, one or more services can be applied for, provided that these services have different service suffixes. If you select a service for assigning IP addresses, you need to set the user IP address. For more about services, refer to the related sections discussing service configuration management.
Binding Information
An access user can come online only when the user accesses the network from an access device and endpoint that match the access policy.
The binding information feature allows you to configure the access device and endpoint information for access users.
You can configure binding information on the page for adding or modifying an access user or enable automatic binding information learning.
These two methods can coexist. The value of the Auto-Learned Number parameter on the binding information configuration page determines the maximum number of automatically learned binding information entries.
The following uses the device serial number as an example.
If you set the Auto-Learned Number to 2 and add bound device serial number 210235A0000000000001 for an access user, the user can come online from an access device with serial number 210235A0000000000002.
The system automatically learns 210235A0000000000002 as the bound device serial number and the number of automatically learned device serial numbers has not reached the upper limit. When the user uses an access device with serial number 210235A0000000000003, the user cannot come online because the upper limit of automatically learned device serial numbers has been reached.
For the user to come online from the access device with serial number 210235A0000000000003, manually bind this number to the user on the page for modifying access user information.
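The serial-number scenario above, replayed as a small model (an added example, not product code). It assumes the Auto-Learned Number caps the total number of bound entries, manually added ones included, which is the reading under which the scenario's outcome follows; the class and method names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class DeviceSnBinding:
    """Bound device serial numbers for one access user (simplified model)."""
    auto_learned_number: int
    manual: set = field(default_factory=set)
    learned: list = field(default_factory=list)

    def bind_manually(self, sn):
        """Operator adds a serial number on the modify-access-user page."""
        self.manual.add(sn)

    def check_login(self, sn):
        """Return 'match', 'learned' or 'reject' for a login from device sn."""
        if sn in self.manual or sn in self.learned:
            return "match"
        # Assumption: the limit counts every bound entry, manual ones included.
        if len(self.manual) + len(self.learned) < self.auto_learned_number:
            self.learned.append(sn)
            return "learned"
        return "reject"


def replay_page_scenario():
    """Replay the scenario from the text; return the decisions and learned list."""
    user = DeviceSnBinding(auto_learned_number=2)
    user.bind_manually("210235A0000000000001")
    decisions = [
        user.check_login("210235A0000000000002"),  # learned automatically
        user.check_login("210235A0000000000003"),  # upper limit reached
    ]
    user.bind_manually("210235A0000000000003")     # operator binds it by hand
    decisions.append(user.check_login("210235A0000000000003"))
    return decisions, list(user.learned)
```

The `learned` list holds the entries an operator would review, since they were accepted on first use rather than entered by hand.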
Access Device Binding Information
- Port: Specifies a port through which a user connects to a network. You can enter a port number in the format of ip/slot/subslot/port or ip/unit/slot/subslot/port (for IRF device). For example, 10.153.3.154/1/0/10 represents port 1/0/10 on the device with IP address 10.153.3.154. You can also enter a port number in the format of slot/subslot/port or an integer as the port number. For example, 1 represents port 1 on any device.
- Device SN: Serial number of the device the access user must connect to for network access.
- VLAN ID/Inner VLAN ID: VLAN ID or inner VLAN ID that the access port of the user belongs to. After the user is bound to the VLAN ID or inner VLAN ID, the access port of the user must belong to the VLAN ID or inner VLAN ID for the user to pass the authentication.
- Outer VLAN ID: Outer VLAN ID of the user's authentication packets. After the user is bound to the outer VLAN ID, the user's authentication packets must carry the outer VLAN ID for the user to pass the authentication.
- User SSID: SSID that the access user must use to access a wireless network. The SSID is case insensitive.
- Device IP: IPv4 address of the device the access user must connect to for network access.
- Device IPv6 Address: IPv6 address of the device the access user must connect to for network access.
Terminal Binding Information
- Computer Name: Name of the computer used by the user. You can enable the Bind Computer Name feature in the service configuration to require that the user endpoint must use the bound computer name for authentication. If no bound computer name is specified, the system automatically sets the first computer name used by the user to pass authentication as the bound computer name. This feature is available only when the policy server is enabled.
- Windows Domain: Domain that must be bound to the computer of the user to access the network. The binding requirements can be set for a service which contains the binding policy. If no requirements are set for such service, auto-learning is adopted. If the binding is set, the computer of the user must be bound to a Windows domain that has the same name as the Windows domain set for the access user. The policy server must be enabled to support this function.
- IMSI: International Mobile Subscriber Identity (IMSI) that a mobile subscriber uses for logon. The IMSI uniquely identifies a mobile subscriber and is stored in the Subscriber Identity Module (SIM). The binding requirements can be set for a service which contains the binding policy. If no requirements are set for such service, auto-learning is adopted. If the IMSI binding is set, the IMSI that the user uses for logon should be the same as the IMSI bound to the user.
- IMEI: International Mobile Equipment Identification (IMEI) is saved on a mobile device as a unique identifier of the mobile device. When Bind IMEI Number is enabled, UAM checks the IMEI number for a user. If a list of bound IMEI numbers has been configured for the user, the used IMEI number must match a bound IMEI number for logon. If no IMEI number is configured for the user, UAM binds the used IMEI number to the user account for future binding check.
- Terminal IP Address: IP address that the user must use to access the network. You can configure one IP address or an IP address range in the format of X.X.X.X-X.X.X.X. The IP addresses in the range must have a mask length of 24.
- Terminal IPv6 Address: IPv6 address that the user must use to access the network. You can configure only one IP address.
- Terminal MAC Address: MAC address that the user must use to access the network. The MAC address format is XX:XX:XX:XX:XX:XX, XX-XX-XX-XX-XX-XX, or XXXX-XXXX-XXXX. Valid characters include letters (A to F or a to f) and digits.
- Hard Disk Serial Number: Serial number of the hard disk of a user PC. You can bind the hard disk serial number of a user in an access policy. When the user goes online, UAM checks the consistency of the bound hard disk serial number with that of the user. UAM supports automatic learning of hard disk serial numbers. To bind a hard disk serial number, you must enable the policy server.
- Sim Rand: The mobile phone uses hellosim.apk to read the RAND value of the SIM card.
- Sim-ki: The mobile phone uses hellosim.apk to read the Ki value of the SIM card.
- Sim SREs: The mobile phone uses hellosim.apk to read the SREs value of the SIM card.
- Sim-kc: The mobile phone uses hellosim.apk to read the KC value of the SIM card.
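A pre-import check for access-user records that applies the limits stated in the parameter descriptions above (account name characters and length, password length, terminal MAC notation, terminal IP range) and derives a MAC authentication account name in the device-side format. This is an added example, not product code; the record field names are hypothetical, and the mask-length rule is read as both ends of a range lying in the same /24 network.

```python
import ipaddress
import re

# Characters the page excludes from account names (TAB plus the listed symbols).
FORBIDDEN_ACCOUNT_CHARS = set("\t#+/?%&=*'@\\\"[]()<>`")

# The three terminal MAC address notations the page accepts.
MAC_FORMATS = (
    re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}"),   # XX:XX:XX:XX:XX:XX
    re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}"),   # XX-XX-XX-XX-XX-XX
    re.compile(r"[0-9A-Fa-f]{4}(-[0-9A-Fa-f]{4}){2}"),   # XXXX-XXXX-XXXX
)

# Constructed sample records; the field names are hypothetical.
SAMPLE_RECORDS = [
    {"account_name": "j smith", "password": "S3cure-pass",
     "terminal_ip": "10.153.3.10-10.153.3.200"},
    {"account_name": "ops@lab", "password": "x" * 40,
     "terminal_mac": "64:31:50-43-4c-d6"},
]

def mac_digits(text):
    """Return the 12 hex digits (lower case, as in the page's example) or None."""
    if any(fmt.fullmatch(text) for fmt in MAC_FORMATS):
        return re.sub(r"[:-]", "", text).lower()
    return None

def mac_account_name(mac, device_uses_hyphens):
    """Account name for MAC authentication in the device-side MAC format."""
    digits = mac_digits(mac)
    if digits is None:
        raise ValueError(f"unsupported MAC notation: {mac!r}")
    if device_uses_hyphens:
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits

def ip_range_ok(text):
    """One IPv4 address, or start-end with both ends in one /24 (assumed reading)."""
    try:
        ends = [ipaddress.IPv4Address(p.strip()) for p in text.split("-")]
    except ipaddress.AddressValueError:
        return False
    if len(ends) == 1:
        return True
    same_net = len(ends) == 2 and int(ends[0]) >> 8 == int(ends[1]) >> 8
    return same_net and ends[0] <= ends[1]

def validate_access_user(rec):
    """Return the problems found in one record; an empty list means it passes."""
    problems = []
    name = rec.get("account_name", "")
    if not name or len(name) > 200:
        problems.append("account_name: must be 1 to 200 characters")
    bad = sorted(set(name) & FORBIDDEN_ACCOUNT_CHARS)
    if bad:
        problems.append(f"account_name: forbidden characters {bad!r}")
    if not rec.get("mac_auth_user"):  # MAC authentication users have no password
        if not 1 <= len(rec.get("password", "")) <= 32:
            problems.append("password: must be 1 to 32 characters")
    if rec.get("terminal_mac") and mac_digits(rec["terminal_mac"]) is None:
        problems.append("terminal_mac: unsupported notation")
    if rec.get("terminal_ip") and not ip_range_ok(rec["terminal_ip"]):
        problems.append("terminal_ip: not an address or a range within one /24")
    return problems
```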
Precautions
- You can associate a basic user with multiple access users. When configuring those access users, configure the same basic user information in the Basic Information area.
- When you modify an access user, make sure the combination of the user name and identity number is unique in the system.
- To avoid affecting INC server performance during operations such as user regrouping, do not associate a basic user with more than 1000 access users.
- When setting the system parameters, if you select Yes in the Enable IPv6 list, you can configure the bound IP/MAC/IPv6 addresses. If you select No in the Enable IPv6 list, you can configure only the bound IP/MAC addresses.
- If you apply for a service with the Billing Term Start Type set to Date and the application time is before 4:00 a.m. of the billing term start date, you may fail to use the service for authentication and login because the bills are being processed at that time.
- When you assign a service to users that need not pass third-party authentication, make sure the service suffix is different from the suffix of the Internet service for third-party authentication.
- If an assigned service has the billing term start type set to Date or Open date, the billing cycle is not affected by the user status. The billing starts even if the user is not yet validated.
- The format of an account name for MAC address authentication must be consistent with the configured MAC address format on the device. For example, use account name 643150434cd6 if the device-side MAC address format excludes hyphens. Use account name 64-31-50-43-4c-d6 if the device-side MAC address format includes hyphens.
- The Max. Concurrent Logins parameter for an access user and the Default Max. Number of Online Endpoints parameter of the user-specific service take effect as follows:
  - If the value of the Default Max. Number of Online Endpoints parameter is 0, the value of the Max. Concurrent Logins parameter takes effect on the user.
  - If the Max. Concurrent Logins parameter is null, the value of the Default Max. Number of Online Endpoints parameter takes effect on the user.
  - If the two parameters have different values, the parameter with a smaller value takes effect on the user.