
Access Policies

Access Policies are used to define the mapping conditions for an authentication strategy. Through Access Policy configuration, authentication strategy is applied to different user groups, which can be divided by SSID or other attributes. The Access Policy Screen displays all configured UPAM Access Policies and is used to create, edit, and delete Access Policies.

To access the Access Policies screen, click on Network Access > UPAM-NAC > Access Policies under the “Configure” section of the OmniVista Cirrus Menu.


Creating an Access Policy

Click on Create Access Policy to bring up the Create Access Policy Screen. Complete the fields as described below, then click on the Create button.


Basic Information

  • Policy Name - User-configured policy name.

  • Precedence - Specify the Access Policy priority. A user requesting authentication may match several access policies; the one with the highest priority takes effect after the user passes authentication. (Range = 1-99, 1 is the highest priority and 99 is the lowest priority)

  • Mapping Condition - Select “Basic Attribute Selection” to display basic conditions, or select “Advanced Attribute Selection” to show advanced conditions. Select an Attribute and corresponding Operator, then enter a Value.

Mapping Condition

Specify the condition(s) that a client's traffic should match for this policy to be applied to it. At least one condition is mandatory. When multiple conditions are specified, all conditions must match for the policy to become applicable.

  • Attribute type

    • Select the Attribute type, Basic Attribute or Advanced Attribute.

  • Attribute

    • Select the Attribute.

  • Operator

    • Select a condition operator.

  • Value

    • Select a condition value.

    • Enter at least one value. A maximum of 32 values are allowed.
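The mapping rules above (Precedence under Basic Information, plus the all-conditions-must-match rule and the 32-value limit under Mapping Condition) can be modelled in a few lines, which is useful for checking how overlapping policies resolve before pushing them to UPAM. This is an added example, not OmniVista or UPAM code; the attribute names, the operator names “equals” and “in”, and the sample policies are constructed.

```python
# Added example, not OmniVista/UPAM code: a model of the Access Policy mapping rules
# described above. Attribute and operator names and the sample policies are constructed.
from dataclasses import dataclass
MAX_VALUES = 32  # at most 32 values per condition

@dataclass
class Condition:
    attribute: str   # e.g. "SSID", "NAS-IP-Address", "Service-Type"
    operator: str    # "equals" or "in" (assumed operator names)
    values: list
    def __post_init__(self):
        if not 1 <= len(self.values) <= MAX_VALUES:
            raise ValueError(f"{self.attribute}: 1..{MAX_VALUES} values required")

    def matches(self, request: dict) -> bool:
        actual = request.get(self.attribute)  # None when the request lacks the attribute
        if self.operator == "equals":
            return actual == self.values[0]
        if self.operator == "in":
            return actual in self.values
        raise ValueError(f"unsupported operator {self.operator!r}")

@dataclass
class AccessPolicy:
    name: str
    precedence: int  # 1 = highest priority, 99 = lowest
    conditions: list
    strategy: str    # authentication strategy applied on a match
    def __post_init__(self):
        if not 1 <= self.precedence <= 99:
            raise ValueError("precedence must be in 1..99")
        if not self.conditions:
            raise ValueError("at least one mapping condition is mandatory")

    def applies_to(self, request: dict) -> bool:
        # All conditions must match for the policy to be applicable.
        return all(c.matches(request) for c in self.conditions)

def select_policy(policies, request):
    """Among applicable policies, the highest priority (lowest number) wins."""
    hits = [p for p in policies if p.applies_to(request)]
    return min(hits, key=lambda p: p.precedence) if hits else None

# Constructed sample: a narrow corporate 802.1X policy outranks a broad fallback.
POLICIES = [
    AccessPolicy("corp-dot1x", 10, [Condition("SSID", "equals", ["Corp"]), Condition("Service-Type", "equals", ["Framed-User"])], "cloud-identity"),
    AccessPolicy("guest-portal", 50, [Condition("SSID", "in", ["Guest", "Visitor"])], "none"),
    AccessPolicy("fallback", 99, [Condition("SSID", "in", ["Corp", "Guest", "Visitor"])], "local-db"),
]
```

A request on the Corp SSID whose Service-Type is not Framed-User fails the corporate policy's second condition and falls through to the broad fallback, which is exactly the kind of silent downgrade worth catching before deployment.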

Authentication Method

  • EAP Type Restriction - Enables/Disables the EAP type restriction, or allows all EAP types.

    • When enabled, all EAP methods supported by UPAM, the Authenticator and the client's device are allowed.

    • When disabled, you can select the allowed EAP method(s) (EAP-TLS, EAP-PEAP, or both):

      • EAP-PEAP - Restricts authentication to the EAP-PEAP Protocol.

      • EAP-TLS - Restricts authentication to the EAP-TLS Protocol.

  • Advanced Attributes

    • NAS IP Address

      • Enter the NAS IP address.

    • Service Type - This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets. A NAS is not required to implement all of these service types, and must treat unknown or unsupported Service-Types as though an Access-Reject had been received instead. Select one of the following values:

      • Login User - The user should be connected to a host.

      • Call Check - Used by the NAS in an Access-Request packet to indicate that a call is being received and that the RADIUS Server should send back an Access-Accept to answer the call, or an Access-Reject to not accept the call, typically based on the Called-Station-Id or Calling-Station-Id attributes. It is recommended that such Access-Requests use the value of Calling-Station-Id as the value of the User-Name.

      • Call Back Administrative - The user should be disconnected and called back, then granted access to the administrative interface to the NAS from which privileged commands can be executed.

      • Voice - Voice service type.

      • Fax - Fax service type.

      • Modem Relay - Modem Relay service type.

      • IAPP Register - Service type defined in IEEE 802.11F (IEEE Trial-Use Recommended Practice for Multi-Vendor Access Point Interoperability via an Inter-Access Point Protocol Across Distribution Systems Supporting IEEE 802.11 Operation, June 2003).

      • IAPP AP Check - Service type defined in IEEE 802.11F (IEEE Trial-Use Recommended Practice for Multi-Vendor Access Point Interoperability via an Inter-Access Point Protocol Across Distribution Systems Supporting IEEE 802.11 Operation, June 2003).

      • Framed User - A Framed Protocol should be started for the User, such as PPP or SLIP.

        • EAP Type Restriction - Enables/Disables EAP Protocol Type Restriction. If enabled, you can restrict authentication to the selected EAP Protocol(s) below:

          • EAP-PEAP - Restricts authentication to the EAP-PEAP Protocol.

          • EAP-TLS - Restricts authentication to the EAP-TLS Protocol.

      • Callback Login User - The user should be disconnected and called back, then connected to a host.

      • Callback Framed User - The user should be disconnected and called back, then a Framed Protocol should be started for the User, such as PPP or SLIP.

      • Outbound User - The user should be granted access to outgoing devices.

      • Administrative User - The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed. (IETF RFC 2865)

      • NAS Prompt User - The user should be provided a command prompt on the NAS from which non-privileged commands can be executed. (IETF RFC 2865)

      • Authenticate Only - Only authentication is requested, and no authorization information needs to be returned in the Access-Accept (typically used by proxy servers rather than the NAS itself). (IETF RFC 2865)

      • Callback NAS Prompt - The user should be disconnected and called back, then provided a command prompt on the NAS from which non-privileged commands can be executed. (IETF RFC 2865)

    • NAS Identifier

      • Enter the NAS Identifier and click on the Add icon.

    • NAS Port Type - This attribute indicates the type of physical port of the NAS that is authenticating the user. It can be used instead of, or in addition to, the NAS-Port attribute. It is only used in Access-Request packets. Either NAS-Port or NAS-Port-Type or both should be present in an Access-Request packet if the NAS differentiates among its ports.

    • NAS Port ID

      • Enter the NAS port ID.

    • Alcatel Port Description

      • Enter the Alcatel Port Description.

    • Alcatel Device Name

      • Enter the Alcatel Device Name.

    • Alcatel Device Location

      • Enter the Alcatel Device Location.

    • Alcatel AP Group

      • Enter the Alcatel AP Group Name.

Authentication Strategy

  • Strategy Name - User-configured name for the authentication strategy.

  • Authentication Source - Specify the source of the user profile (Account/Password). The user profile can reside on different servers, so the source must be specified for UPAM to be able to obtain the user profile for authentication.

    • None - Authenticate against “None”. This is only supported for MAC authentication, which requires captive portal authentication; 802.1X authentication is not supported. In this case, a user must first pass captive portal authentication (the authentication method can be Account + Password, Access Code, Terms of Use, etc.); the user's MAC address is then stored and the user completes MAC authentication. For a Guest user, the devices are displayed on the UPAM - Guest Access - Guest Device - Remembered Device Screen. For an Employee user, the devices are displayed on the UPAM - BYOD Access - BYOD Device - Remembered Device Screen.

    • Local Database - Authenticate against the user profile in the local UPAM database. An Employee or Guest user must be created before authentication. An Employee User is created on the UPAM - Authentication - Employee Account Screen. A Guest User is created on the UPAM - Guest Access - Guest Account Screen.

    • External Radius - Authenticate against the user profile in an external RADIUS Server. Select a server from the External Radius drop-down. If necessary, click on the Add (+) link to go to the External Radius Screen and create a server.

    • Cloud Identity - Authenticate against the user profile with Azure Active Directory via the Certificate Connector for Microsoft. Azure AD has the ability to synchronize with on-premise Active Directory, providing authentication access to OmniVista Cirrus R10.

In this release of UPAM, cloud identity is only available for devices that use 802.1X authentication. Cloud identity cannot be used with BYOD or Guest Captive Portal at this time.


Network Enforcement Policy

  • Select the Access Role Profile and create Unified Policy List.


Other Attributes

  • Select the required attributes and provide values.

    • Acct-Interim-Interval - Interval for RADIUS accounting, in seconds. If not configured, the device's default accounting policy will take effect. (Range = 60 - 1200, Default = 600).

    • Session-Timeout - The Session Timeout Interval is the maximum number of consecutive seconds of connection allowed to the user before termination of the session or prompt. If not configured, the device's default session timeout policy will take effect. (Range = 12000 - 86400, Default = 43200).

    • WISPr-Bandwidth-Max-Down - The user's downstream bandwidth, in kbit/s. The value must be in the range [0 - 2147483]. By default, or when set to 0, it is not limited.

    • WISPr-Bandwidth-Max-Up - The user's upstream bandwidth, in kbit/s. The value must be in the range [0 - 2147483]. By default, or when set to 0, it is not limited.

Web Redirection Enforcement Policy

  • Web Authentication
    Specify whether or not web redirection is required, and which web login page is going to be used during the authentication.

    • Guest

    • Employee

    • Guest and Employee

  • Guest Access Strategy

    • Specify the access strategy for guest users, or create a new guest access strategy.
