Authentication Strategy
Authentication Strategy is used to set up the user profile source and the login method (with or without a web login page) for authentication, as well as the network attributes applied after authentication succeeds. The Authentication Strategy Screen displays all configured authentication strategies and is used to create, edit, and delete Authentication Strategies.
Creating an Authentication Strategy Policy
Click on the Create icon to bring up the Create Authentication Strategy Screen. Complete the fields as described below, then click on the Create button.
General
- Strategy Name - User-configured name for the authentication strategy.
- Authentication Source - Specify the source of the user profile (Account/Password). The user profile can reside on different servers, and the source must be specified so that UPAM can obtain the user profile for authentication.
- None - Authenticate against “None”. This is supported only for MAC authentication combined with captive portal authentication; 802.1x authentication is not supported. The user must first pass captive portal authentication (the authentication method can be Account + Password, Access Code, Terms of Use, etc.). The user's MAC address is then stored so that the device completes MAC authentication. For a Guest user, the devices are displayed on the UPAM - Guest Access - Guest Device - Remembered Device Screen. For an Employee user, the devices are displayed on the UPAM - BYOD Access - BYOD Device - Remember Device Screen.
- Local Database - Authenticate against the user profile in the local UPAM database. An Employee or Guest user must be created before authentication. An Employee User is created on the UPAM – Authentication - Employee Account Screen. A Guest User is created on the UPAM - Guest Access - Guest Account Screen.
- External Radius - Authenticate against the user profile in an external RADIUS Server. Select a server from the External Radius drop-down. If necessary, you can click on Add link (+) to go to the External Radius Screen to create a server.
Network Enforcement Policy
- Company Property Check - Whether or not OmniVista checks the Company Property database for the device MAC address. When the check is enabled, you can specify an Access Role Profile, Policy List, or other attributes to apply when the check succeeds (MAC address is in the database) and when it fails (MAC address is not in the Company Property database).
- Default Access Role Profile - Default Access Role Profile for the authentication strategy.
- Default Policy List - Default Access Policy for the authentication strategy.
- Other Attributes
- Select an attribute as described below, enter a value, then click on the Add icon (+).
- Session-Timeout - Maximum number of consecutive seconds of connection allowed to the user before termination of the session or prompt. The Session-Timeout attribute, as defined in RFC 2865, is included in the Access-Accept message. (Range = 12000 - 86400, Default = 43200)
- Acct-Interim-Interval - Interval for RADIUS accounting, in seconds. (Range = 60 – 1200, Default = 600)
- WISPr-Bandwidth-Max-Up - Maximum upstream bandwidth, in kbit/s. By default, it is not limited.
- WISPr-Bandwidth-Max-Down - Maximum downstream bandwidth, in kbit/s. By default, it is not limited.
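As an added example (not UPAM's own code), the Python below builds the RADIUS Access-Accept that carries the four attributes above, enforcing the ranges this page gives before encoding and omitting any attribute left unset so that the NAS default applies, then parses such a packet and verifies its Response Authenticator. Attribute numbers are from RFC 2865/2869 and the WISPr 1.0 dictionary (vendor ID 14122); the shared secret and request authenticator are constructed placeholders. One caveat to check against your NAS: the WISPr specification defines the bandwidth attributes in bit/s, while this page states kbit/s, so confirm which unit your equipment applies before relying on a rate limit.

```python
"""Build and parse a RADIUS Access-Accept carrying the attributes this page lists.

Added example (not UPAM code). Attribute numbers follow RFC 2865/2869 and the
WISPr 1.0 VSAs (vendor ID 14122); the value ranges are the ones stated on this page.
"""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_SESSION_TIMEOUT = 27        # RFC 2865 section 5.27
ATTR_ACCT_INTERIM_INTERVAL = 85  # RFC 2869 section 5.16
WISPR_VENDOR_ID = 14122
WISPR_BANDWIDTH_MAX_UP = 7
WISPR_BANDWIDTH_MAX_DOWN = 8

# Ranges as given on this page; anything outside is rejected before it reaches the wire.
SESSION_TIMEOUT_RANGE = (12000, 86400)
INTERIM_INTERVAL_RANGE = (60, 1200)


def _check_range(name, value, lo, hi):
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} outside allowed range {lo}-{hi}")


def _tlv(attr_type, payload):
    # RADIUS attribute layout: Type(1) Length(1, header included) Value(<=253 bytes)
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def _wispr_vsa(sub_type, value):
    # Vendor-Specific(26): Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) Value(4)
    inner = struct.pack("!BBI", sub_type, 6, value)
    return _tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", WISPR_VENDOR_ID) + inner)


def build_access_accept(identifier, request_authenticator, secret, session_timeout=None,
                        interim_interval=None, bw_up=None, bw_down=None):
    """Return Access-Accept bytes. A None argument omits that attribute, so the NAS default applies."""
    attrs = b""
    if session_timeout is not None:
        _check_range("Session-Timeout", session_timeout, *SESSION_TIMEOUT_RANGE)
        attrs += _tlv(ATTR_SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    if interim_interval is not None:
        _check_range("Acct-Interim-Interval", interim_interval, *INTERIM_INTERVAL_RANGE)
        attrs += _tlv(ATTR_ACCT_INTERIM_INTERVAL, struct.pack("!I", interim_interval))
    if bw_up is not None:
        attrs += _wispr_vsa(WISPR_BANDWIDTH_MAX_UP, bw_up)
    if bw_down is not None:
        attrs += _wispr_vsa(WISPR_BANDWIDTH_MAX_DOWN, bw_down)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator (RFC 2865 section 3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet, request_authenticator, secret):
    """Verify the Response Authenticator, then return the recognised attributes as a dict."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered packet")
    out, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("truncated attribute")
        value = attrs[pos + 2:pos + attr_len]
        if attr_type == ATTR_SESSION_TIMEOUT:
            out["Session-Timeout"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_ACCT_INTERIM_INTERVAL:
            out["Acct-Interim-Interval"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == WISPR_VENDOR_ID:
            sub_type, _sub_len, sub_val = struct.unpack("!BBI", value[4:10])
            names = {WISPR_BANDWIDTH_MAX_UP: "WISPr-Bandwidth-Max-Up",
                     WISPR_BANDWIDTH_MAX_DOWN: "WISPr-Bandwidth-Max-Down"}
            out[names.get(sub_type, f"WISPr-{sub_type}")] = sub_val
        pos += attr_len
    return out


# Constructed sample input: in practice the authenticator comes from the NAS's Access-Request.
SAMPLE_REQ_AUTH = bytes(range(16))
SAMPLE_SECRET = b"example-shared-secret"  # placeholder, not a real secret

if __name__ == "__main__":
    pkt = build_access_accept(7, SAMPLE_REQ_AUTH, SAMPLE_SECRET, session_timeout=43200,
                              interim_interval=600, bw_up=2048, bw_down=8192)
    print(parse_access_accept(pkt, SAMPLE_REQ_AUTH, SAMPLE_SECRET))
```

Passing the page's defaults (43200 and 600) round-trips through the parser unchanged; passing a Session-Timeout below 12000 is rejected before anything is encoded, and a packet built with a different shared secret fails the Response Authenticator check, which is the only integrity protection a plain RADIUS Access-Accept has.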
Web Redirection Enforcement Policy
- Web Authentication - Specify whether or not web redirection is required and which web login page is going to be used during the authentication.
- None - No web redirection during the authentication.
- Guest - Redirect to the guest login page during the authentication.
- Employee - Redirect to the employee login page during the authentication.
- Guest and Employee - Redirect to the guest and employee login page during the authentication (only applicable for wired access).
- Guest Access Strategy - Specify the access strategy for each user group.
- Guest Access Strategy - Specify the access strategy for guest users.
- BYOD Access Strategy - Specify the access strategy for employee users with BYOD devices.
- Guest and Employee - Specify the access strategy for guests and employees. Typically configured for wired port access.
- Location Policy - Specify whether the enforcement policy changes when a client connects from a different location.
- New Enforcement Policy - Always apply the new enforcement policy to clients when they connect.
- Remember New Enforcement Policy - Always apply the remembered enforcement policy to clients when they connect.
Recommended Combinations of Authentication Source and Web Authentication

| Combination | Authentication Source | Web Authentication | Use Case |
|---|---|---|---|
| Combination 1 | None | Guest/Employee/Guest and Employee | Captive Portal Authentication |
| Combination 2 | Local Database | None | 802.1x / MAC Authentication |
| Combination 3 | Local Database | Guest/Employee/Guest and Employee | Captive Portal Authentication |
| Combination 4 | External LDAP/AD | None | 802.1x Authentication |
| Combination 5 | External RADIUS | None | 802.1x / MAC Authentication |
Editing an Authentication Strategy
Select a strategy in the Authentication Strategy List and click on the Edit icon. Edit the field(s) as described above, and click on the Apply button. Note that you cannot edit a Strategy Name.
Deleting an Authentication Strategy
Select a strategy in the Authentication Strategy List and click on the Delete icon. Click OK at the Confirmation Prompt.
Authentication Strategy List
The Authentication Strategy List displays information about all configured Authentication Strategies.
- Strategy Name - User-configured name for the authentication strategy.
- Authentication Source - The source of the user profile (Account/Password). The user profile can reside on different servers, and the source must be specified so that UPAM can obtain the user profile for authentication.
- Enable Role Mapping - Enables/Disables the "Role Mapping for LDAP" function for authentication sources with external LDAP/AD.
- Company Property Check - Enables/Disables MAC address check. If enabled, the Company Property database is checked to see if it contains the device MAC address.
- Default Access Role Profile - Default Access Role Profile for the authentication strategy.
- Success Access Role Profile - If Company Property Check is enabled and the device MAC address was found in the Company Property database, the specified Access Role Profile is applied.
- Failed Access Role Profile - If the Company Property Check is enabled and the device MAC address was not found in the Company Property database, the specified Access Role Profile is applied.
- Default Policy List - Default Access Policy for the authentication strategy.
- Success Policy List - If the Company Property Check is enabled and the device MAC address was found in the Company Property database, the specified Policy List is applied.
- Failed Policy List - If the Company Property Check is enabled and the device MAC address is not found in the Company Property database, the specified Policy List is applied.
- Web Authentication - The Web Authentication Strategy used (None, Guest, Employee, Employee and Guest).
- Guest Access Strategy - The name of the Guest Access Strategy used.
- BYOD Access Strategy - The name of the BYOD Access Strategy used.
- Session Timeout Status - Enables/Disables the Session-Timeout attribute. The Session-Timeout attribute as defined in RFC 2865 is included in the Access-Accept message and sets the maximum number of seconds of service to be provided to the user before termination of the session. If disabled, no value is sent to the NAS device and the device's default session timeout policy takes effect.
- Session Timeout Interval - Maximum number of consecutive seconds of connection allowed to the user before termination of the session or prompt. (Range = 12000 - 86400, Default = 43200)
- Account Interim-Interval Status - Enables/Disables the Acct-Interim-Interval accounting attribute. If disabled, no value is sent to the NAS device and the device's default accounting policy takes effect.
- Accounting Interim Interval - Interval for RADIUS accounting, in seconds. (Range = 60 – 1200, Default = 600)
- Upstream Bandwidth - Maximum upstream bandwidth, in kbit/s.
- Downstream Bandwidth - Maximum downstream bandwidth, in kbit/s.
- New Enforcement Policy - New Enforcement Policy administrative status (Enabled/Disabled).
- Remember New Enforcement Policy - Remember New Enforcement Policy administrative status (Enabled/Disabled).