Access Policy
Authentication Access Policies are used to define the mapping conditions for an authentication strategy. Through Access Policy configuration, an authentication strategy is applied to different user groups, which can be divided by SSID or other attributes. The Access Policy Screen displays all configured UPAM Access Policies and is used to create, edit, and delete Access Policies.
Creating an Access Policy
Click on the Add icon to bring up the Create Access Policy Screen. Complete the fields as described below, then click on the Create button.
- Policy Name - User-configured policy name.
- Priority - Access Policy Priority. A user requesting authentication may match several access policies and the one with highest priority will take effect after passing the authentication. (Range = 1 - 99, 1 is the highest priority and 99 is the lowest)
- Mapping Condition - Select "Show Basic Attribute Selection" to display basic conditions, or select "Show Advanced Attribute Selection" to show advanced conditions. Select an Attribute and corresponding Operator, then select or enter a Value.
  - Basic Attributes
    - Authentication Type
      - 802.1X - 802.1X authentication.
      - MAC - MAC authentication.
    - Network Type
      - Wired - Wired network.
      - Wireless - Wireless network.
    - SSID
    - NAS IP - Enter the NAS IP address.
    - NAS Identifier - Enter the NAS Identifier.
    - NAS Port ID
    - Port Desc /WLAN Name - Enter a port description of the switch or the WLAN name of the wireless network. Note that "WLAN Name" refers either to the "SSID Service Name" in the "SSIDs" application or to the "WLAN Service Name" in the WLAN Service (Expert) application.
    - NAS Device Location - Enter the NAS Device location.
    - AP Group - Enter the AP Group defined in the AP Registration application.
  - Advanced Attributes
    - NAS IP Address - Enter the NAS IP address.
    - Service Type - This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets. A NAS is not required to implement all of these service types, and must treat unknown or unsupported Service-Types as though an Access-Reject had been received instead.
      - Login User - The user should be connected to a host.
      - Call Check - Used by the NAS in an Access-Request packet to indicate that a call is being received and that the RADIUS Server should send back an Access-Accept to answer the call, or an Access-Reject to not accept the call, typically based on the Called-Station-Id or Calling-Station-Id attributes. It is recommended that such Access-Requests use the value of Calling-Station-Id as the value of the User-Name.
      - Call Back Administrative - The user should be disconnected and called back, then granted access to the administrative interface to the NAS from which privileged commands can be executed.
      - Voice - Voice service type.
      - Fax - Fax service type.
      - Modem Relay - Modem Relay service type.
      - IAPP Register - IEEE Trial-Use Recommended Practice for Multi-Vendor Access Point Interoperability via an Inter-Access Point Protocol Across Distribution Systems Supporting IEEE 802.11 Operation, IEEE 802.11F, June 2003.
      - IAPP AP Check - IEEE Trial-Use Recommended Practice for Multi-Vendor Access Point Interoperability via an Inter-Access Point Protocol Across Distribution Systems Supporting IEEE 802.11 Operation, IEEE 802.11F, June 2003.
      - Framed User - A Framed Protocol should be started for the User, such as PPP or SLIP.
      - Callback Login User - The user should be disconnected and called back, then connected to a host.
      - Callback Framed User - The user should be disconnected and called back, then a Framed Protocol should be started for the User, such as PPP or SLIP.
      - Outbound User - The user should be granted access to outgoing devices.
      - Administrative User - The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed. (IETF RFC 2865)
      - NAS Prompt User - The user should be provided a command prompt on the NAS from which non-privileged commands can be executed. (IETF RFC 2865)
      - Authenticate Only - Only Authentication is requested, and no authorization information needs to be returned in the Access-Accept (typically used by proxy servers rather than the NAS itself). (IETF RFC 2865)
      - Callback NAS Prompt - The user should be disconnected and called back, then provided a command prompt on the NAS from which non-privileged commands can be executed. (IETF RFC 2865)
    - EAP Type Restriction - Enables/Disables EAP Protocol Type Restriction. If enabled, you can restrict authentication to the selected EAP Protocol(s) below:
      - EAP-PEAP - Restricts authentication to the EAP-PEAP Protocol.
      - EAP-TLS - Restricts authentication to the EAP-TLS Protocol.
    - NAS Identifier - Enter the NAS Identifier and click on the Add icon.
    - NAS Port Type - This attribute indicates the type of physical port of the NAS that is authenticating the user. It can be used instead of, or in addition to, the NAS-Port attribute. It is only used in Access-Request packets. Either NAS-Port or NAS-Port-Type or both should be present in an Access-Request packet if the NAS differentiates among its ports.
    - NAS Port ID
    - Alcatel Port Description - Enter the Alcatel Port Description.
    - Alcatel Device Name - Enter the Alcatel Device Name.
    - Alcatel Device Location - Enter the Alcatel Device Location.
    - Alcatel AP Group - Enter the Alcatel AP Group Name.
- Authentication Strategy - Authentication strategy that will be utilized when the Access Policy is matched.
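As an added example that is not part of this UPAM documentation, the matching and priority rule described above as a small Python evaluator: each policy carries (attribute, operator, value) conditions, the matching policy with the lowest priority number takes effect, and two checks flag configurations the page's rules make ineffective. The operator names, policy names, strategy names and attribute values are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed operators: the UPAM screen offers an Operator per attribute, but this
# page does not list them, so these two are illustrative only.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
}

@dataclass
class AccessPolicy:
    name: str
    priority: int     # 1 = highest, 99 = lowest, as stated on the page
    strategy: str     # Authentication Strategy applied when the policy matches
    conditions: list  # (attribute, operator, value) triples; all must hold

def validate(policies):
    """Reject priorities outside 1-99 and shared priorities (assumption: the
    page does not say how a tie between two matching policies is broken)."""
    seen = {}
    for p in policies:
        if not 1 <= p.priority <= 99:
            raise ValueError(f"{p.name}: priority {p.priority} outside 1-99")
        if p.priority in seen:
            raise ValueError(f"{p.name} and {seen[p.priority]} share priority {p.priority}")
        seen[p.priority] = p.name
    return True

def shadowed(policies):
    """Policies that can never take effect: a policy with no conditions matches
    every request, so every policy with a larger priority number loses to it."""
    best = min((p.priority for p in policies if not p.conditions), default=100)
    return [p.name for p in policies if p.priority > best]

def matches(policy, request):
    # Every configured condition must hold against the request's attributes.
    return all(attr in request and OPERATORS[op](request[attr], value)
               for attr, op, value in policy.conditions)

def select_strategy(policies, request):
    """Strategy of the matching policy with the lowest priority number, or None."""
    hits = sorted((p for p in policies if matches(p, request)), key=lambda p: p.priority)
    return hits[0].strategy if hits else None

# Constructed sample policies; names and values are not from the page.
POLICIES = [
    AccessPolicy("corp-dot1x", 10, "CorpAD-EAP", [("Authentication Type", "equals", "802.1X"), ("SSID", "equals", "corp")]),
    AccessPolicy("printers-mac", 20, "MAC-Local", [("Authentication Type", "equals", "MAC"), ("NAS Port Type", "equals", "Ethernet")]),
    AccessPolicy("catch-all", 99, "Guest-Portal", []),
]
```

Running `shadowed` before applying a policy set shows which specific policies a badly placed catch-all would silently override.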
Editing an Access Policy
Select a policy in the Access Policy List and click on the Edit icon. Edit the field(s) as described above, and click on the Apply button. Note that you cannot edit a Policy Name.
Deleting an Access Policy
Select a policy in the Access Policy List and click on the Delete icon. Click OK at the Confirmation Prompt.
Access Policy List
The Access Policy List displays information about all configured UPAM Access Policies.
- Policy Name - User-configured policy name.
- Authentication Strategy - Authentication strategy that will be utilized when the Access Policy is matched.
- Mapping Condition - The mapping condition configured for the policy.
- Priority - The Access Policy Priority. (Range = 1 - 99, 1 is the highest priority and 99 is the lowest)