Authentication Record
The Authentication Record Screen displays authentication information for all devices authenticated through UPAM. The Authentication Record List provides basic information. Click on an entry for detailed information. You can also select a record(s) and click on the Generate button at the top of the screen to quickly generate a PSK for a device(s), create an Employee Account(s), or add a device(s) to the Company Property List.
Authentication Record List
The Authentication Record List displays basic information for all Authentication Records. Click on an entry for the detailed information described below.
Basic
- Account Name - The user name of the user being authenticated:
  - MAC Authentication - the account name is the MAC address of the user device.
  - 802.1X Authentication - the account name is the user name of the employee user.
  - Captive Portal Authentication - the account name is the user name of the guest user or employee user.
- Account Type - Group to which the authenticating user belongs:
  - Guest
  - Employee
  - BYOD
  - Unknown (MAC authentication without captive portal)
- Client IPv4 - IPv4 address of the user device requesting authentication. IP addresses are displayed only if they are known at the time the RADIUS Accounting packets are sent/received; for MAC Authentication, the Accounting Start packets typically do not contain client IP addresses.
- Client IPv6 - IPv6 address of the user device requesting authentication. The same caveat applies: the address is displayed only if it is known at the time the RADIUS Accounting packets are sent/received, and for MAC Authentication the Accounting Start packets typically do not contain it.
- Device MAC - MAC address of the user device requesting authentication.
- Authentication Type - Authentication type used by the device requesting authentication: MAC authentication, 802.1X authentication, or Captive Portal authentication.
- Service Type -
- Auth Resource - User profile database used for authentication: None, Local Database, LDAP/AD, or an external RADIUS server, as defined in the Authentication Strategy.
- Access Policy - Name of the Access Policy for the user.
- Authentication Strategy - Name of the Authentication Strategy for the user.
- Web Access Strategy - Guest Strategy or BYOD Strategy.
- Authentication Result - Result for the user authentication request:
- Session Start - The time when the user passed authentication and a connection session was created.
- Session Stop - The time when the connection session was terminated.
- Redirect URL - Redirect URL returned to NAS by UPAM when Captive Portal authentication is required.
Enforcement Policy
- Access Role Profile - Access Role Profile used to authenticate the device.
- Policy List - Policy List used to authenticate the device.
- Final Access Role Profile - The Access Role Profile actually assigned by the NAS and in effect on the user device, which is not necessarily the Access Role Profile returned by UPAM.
- Termination Action - Indicates what action should be taken when the service is completed. "RADIUS-Request (1)" indicates that re-authentication should occur on expiration of the Session-Time. "Default (0)" indicates that the session should terminate.
- Session Timeout - Specifies the maximum number of seconds of service provided prior to session termination:
  - When sent in an Access-Accept without a Termination-Action attribute, or with a Termination-Action attribute set to Default, the Session-Timeout attribute specifies the maximum number of seconds of service provided prior to session termination.
  - When sent in an Access-Accept along with a Termination-Action value of RADIUS-Request, the Session-Timeout attribute specifies the maximum number of seconds of service provided prior to re-authentication. In this case, the Session-Timeout attribute is used to load the reAuthPeriod constant within the Re-authentication Timer state machine of 802.1X. When sent with a Termination-Action value of RADIUS-Request, a Session-Timeout value of zero indicates the desire to perform another authentication (possibly of a different type) immediately after the first authentication has successfully completed.
  - When sent in an Access-Challenge, this attribute represents the maximum number of seconds that an IEEE 802.1X Authenticator should wait for an EAP-Response before retransmitting. In this case, the Session-Timeout attribute is used to load the suppTimeout constant within the backend state machine of IEEE 802.1X.
- Acct Interim Interval - The number of seconds between interim accounting updates for this session.
- Upstream Bandwidth - Device upstream bandwidth, in kbit/s.
- Downstream Bandwidth - Device downstream bandwidth, in kbit/s.
Authenticate
- Authentication Method - The method used to authenticate the device (e.g., PAP, EAP-MD5, EAP-PEAP, EAP-TLS).
- Access Device MAC - MAC address of the NAS to which the user device is attached.
- Access Device Name - System name of the NAS to which the user device is attached.
- Access Device SSID - Wireless service broadcast by the NAS and connected by user device (only valid for wireless access).
- Access Device Location - Location of the NAS.
- Called Station ID - Allows the NAS to send the phone number the user called, using Dialed Number Identification (DNIS) or similar technology, inside the Access-Request packet:
  - For Switch - Switch MAC Address.
  - For AP - radio_MAC_address:SSID_NAME.
- Access AP Group - AP Group through which the user accesses the network
- NAS Port Type - The type of physical port on the NAS authenticating the user:
  - Wireless-IEEE 802.11
  - Ethernet
- NAS Port - The physical port number of the NAS authenticating the user:
  - For Switch - ifIndex
  - For AP - Wireless radio index
- NAS Port ID - Identifies the port of the NAS authenticating the user (the attribute can be configured in Unified Access - Unified Profile - Template - AAA Server Profile):
  - For Switch - chassis/slot/port
  - For AP - WLAN service
- NAS ID - NAS Identifier; identifies the NAS originating the Access-Request (the attribute can be configured in Unified Access - Unified Profile - Template - AAA Server Profile).
- NAS IP Address - The identifying IP Address of the NAS.
- Slot Port - Port number on the switch slot to which the device is connected (only for wired access).
- Port Desc/Wlan Service:
  - For Switch - Port description
  - For AP - WLAN service
- Framed MTU - The Maximum Transmission Unit to be configured for the user when it is not negotiated by some other means (e.g., PPP). It is a fixed value = 1400.
- Reject Reason - Reason for rejecting the authentication request from the user device:
  - Overdue license
  - Invalid username or password
  - Cannot match an access policy to the authentication request.
- Roaming Information - Client roaming historical information (indicates the client roamed a path from AP to AP).
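The Called Station ID takes one of two forms depending on the NAS (a bare switch MAC, or radio_MAC_address:SSID_NAME for an AP), and an SSID may itself contain colons, so a naive split on ":" is wrong. The parser below is an added example (not OmniVista/UPAM code) that recovers the MAC and optional SSID and cross-checks the form against the NAS Port Type field; the sample values are constructed.

```python
import re

# MAC in the colon-separated form the page's examples use (constructed pattern).
_MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
_AP_FORM = re.compile(rf"^{_MAC}:(?P<ssid>.+)$")  # radio_MAC_address:SSID_NAME
_SWITCH_FORM = re.compile(rf"^{_MAC}$")           # Switch MAC Address


def parse_called_station_id(value):
    """Return {'mac': ..., 'ssid': ... or None}, or None if the value fits neither form.

    The MAC is anchored at the start so an SSID containing ':' is kept intact.
    """
    m = _AP_FORM.match(value)
    if m:
        return {"mac": m.group("mac").lower(), "ssid": m.group("ssid")}
    m = _SWITCH_FORM.match(value)
    if m:
        return {"mac": m.group("mac").lower(), "ssid": None}
    return None


def check_port_type(called_station_id, nas_port_type):
    """Cross-check the Called Station ID form against the NAS Port Type value.

    A record whose Called Station ID carries an SSID but whose NAS Port Type is
    Ethernet (or vice versa) is worth a second look when reviewing records.
    """
    parsed = parse_called_station_id(called_station_id)
    if parsed is None:
        return "unparseable"
    wireless = parsed["ssid"] is not None
    if wireless and nas_port_type == "Wireless-IEEE 802.11":
        return "consistent"
    if not wireless and nas_port_type == "Ethernet":
        return "consistent"
    return "mismatch"
```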
COA
CoA-Request packets contain information for dynamically changing session authorizations. This is typically used to change Access Role Profile or Policy List for the user.
- COA Status - The NAS responds to a CoA-Request sent by UPAM with a CoA-ACK if the NAS can successfully change the authorizations for the user session, or a CoA-NAK if the request is unsuccessful.
- COA Error Cause - It is possible that the NAS cannot honor Disconnect-Request or CoA-Request messages for some reason. The COA Error Cause Attribute provides more detail on the cause of the problem. It may be included within Disconnect-ACK, Disconnect-NAK and CoA-NAK messages.
Accounting
- Acct Status Type - Indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). Values: Start (1), Stop (2), Interim-Update (3), Accounting-On (7), Accounting-Off (8).
- Acct Session Time - Indicates how many seconds the user has received service, and can only be present in Accounting-Request records where the Acct Status Type is set to "Stop".
- Acct Session ID - Unique Accounting ID that makes it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct Session ID.
- Acct Input Packets - Indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to "Stop".
- Acct Output Packets - Indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to "Stop".
- Acct Input Octets - Indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to "Stop".
- Acct Output Octets - Indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to "Stop".
- Acct Input Gigawords - Indicates how many gigawords have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to "Stop".
- Acct Output Gigawords - Indicates how many gigawords have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to "Stop".
- Tunnel Private Group ID - The Tunnel Private Group ID used to determine the UNP for the device, if applicable. The Tunnel Private Group ID is a RADIUS attribute that indicates the group ID for a particular tunnel session. It may be included in the Access-Request packet if the tunnel initiator can pre-determine the group resulting from a particular connection, and should be included in the Access-Accept packet if this tunnel session is to be treated as belonging to a particular private group. In most cases the private group is an L2 VLAN domain, and the Tunnel Private Group ID carries the VLAN ID.
- Acct Terminate Cause - The reason the connection session was terminated.
- Acct Multi Session ID - This attribute is a unique Accounting ID to make it easy to link together multiple related sessions in a log file.
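The Accounting fields above and the Session Timeout / Termination Action fields under Enforcement Policy are what a reviewer reconciles when checking a session: Start and Stop records must share an Acct Session ID, the 32-bit octet counters must be combined with their Gigawords wrap counts to get real byte totals, and with Termination Action Default a Stop record's Acct Session Time should not exceed the Session Timeout. The script below is an added example (not OmniVista/UPAM code) that performs those checks over constructed records whose keys mirror the page's field names.

```python
from collections import defaultdict

GIGAWORD = 2 ** 32  # each Gigawords unit is one wrap of the 32-bit octet counter

# Constructed sample records (hypothetical values) keyed by the page's field names.
RECORDS = [
    {"Acct Session ID": "sess-01", "Acct Status Type": "Start"},
    {"Acct Session ID": "sess-01", "Acct Status Type": "Stop",
     "Acct Session Time": 4000, "Session Timeout": 3600,
     "Termination Action": "Default",
     "Acct Input Octets": 123, "Acct Input Gigawords": 1,
     "Acct Output Octets": 456, "Acct Output Gigawords": 0},
    {"Acct Session ID": "sess-02", "Acct Status Type": "Stop",
     "Acct Session Time": 100, "Session Timeout": 3600,
     "Termination Action": "RADIUS-Request",
     "Acct Input Octets": 10, "Acct Input Gigawords": 0,
     "Acct Output Octets": 20, "Acct Output Gigawords": 0},
]


def total_octets(rec, direction):
    """Combine the 32-bit octet counter with its Gigawords wrap count."""
    return rec[f"Acct {direction} Gigawords"] * GIGAWORD + rec[f"Acct {direction} Octets"]


def reconcile(records):
    """Pair Start/Stop by Acct Session ID and flag anomalies per session."""
    by_id = defaultdict(list)
    for rec in records:
        by_id[rec["Acct Session ID"]].append(rec)
    findings = {}
    for sid, recs in by_id.items():
        types = {r["Acct Status Type"] for r in recs}
        stop = next((r for r in recs if r["Acct Status Type"] == "Stop"), None)
        issues = []
        if "Stop" in types and "Start" not in types:
            issues.append("stop-without-start")  # Start and Stop must share the ID
        if stop is not None:
            # With Termination-Action Default, Session-Timeout caps service time;
            # a longer Acct-Session-Time means the NAS did not enforce it.
            if (stop["Termination Action"] == "Default"
                    and stop["Acct Session Time"] > stop["Session Timeout"]):
                issues.append("session-overran-timeout")
        findings[sid] = {
            "issues": issues,
            "input_bytes": total_octets(stop, "Input") if stop else None,
            "output_bytes": total_octets(stop, "Output") if stop else None,
        }
    return findings
```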
Using the Generate Button
You can quickly generate a PSK for a device(s), create an Employee Account(s), or add a device(s) to the Company Property List. Select a record(s) in the Authentication Record List and select an option as described below.
- PSK - Select the record(s) in the Authentication Record List. Click on the Generate button, click on PSK, then click Save at the Confirmation Prompt. The device(s) associated with the record(s) will be added to the Company Property List as Device Specific PSK Devices. The PSK Passphrase for the device(s) is automatically generated by OmniVista based on the device MAC Address and Session Time. The PSK Passphrase can be obtained and printed from the Company Property Screen. You can generate a PSK for any Authentication Record. See the Company Property online help for more information.
- Employee Account - Select the record(s) in the Authentication Record List and click on the Generate button. Click on Employee Account, then click Save at the Confirmation Prompt. OmniVista will create an Employee Account(s) for the selected Authentication Record(s). See the Employee Account online help for more information. The following conditions must be met to generate an Employee Account for an Authentication Record. If these conditions are not met, the Employee Account option will be grayed out.
  - Authentication Result = Fail
  - Auth Resource = Local Database
  - Service Type = 802.1X or Voice (User Account Authentication)
- Company Property - Select the record(s) in the Authentication Record List and click on the Generate button. Click on Company Property, then click Save at the Confirmation Prompt. The device(s) associated with the selected record(s) will be added to the Company Property List. See the Company Property online help for more information. The following conditions must be met to generate a Company Property entry for an Authentication Record. If these conditions are not met, the Company Property option will be grayed out.
  - Authentication Result = Fail
  - Auth Resource = Local Database
  - Service Type = Call Check (MAC Authentication)