Access Policies
Access Policies are used to define the mapping conditions for an authentication strategy. Through Access Policy configuration, authentication strategy is applied to different user groups, which can be divided by SSID or other attributes. The Access Policy Screen displays all configured UPAM Access Policies and is used to create, edit, and delete Access Policies.
To access the Access Strategy screen, click on Network Access > UPAM-NAC > Access Policies under the “Configure” section of the OmniVista Cirrus Menu.
Creating an Access Policy
Click on Create Access Policy to bring up the Create Access Policy Screen. Use this screen to define the following attributes for an Access Policy configuration:
Basic Information
Mapping Condition
Authentication Method
Authentication Strategy
Network Enforcement Policy
MAC Check Enforcement Policy
Web Redirection Enforcement Policy
When you are done configuring the attributes for the Access Policy, click on Create Access Policy.
Basic Information
Policy Name - User-configured policy name.
Precedence - Specify Access Policy Priority. A user requesting authentication may match several access policies and the one with highest priority will take effect after passing the authentication.
(Range = 1-99, 1 is the highest priority and 99 is the lowest priority)
The Access Policy that you create or select defines the Authentication Strategy that UPAM applies when a client connects to the SSID. However, the Access Policy displayed for the SSID configuration is not always the policy used for authentication when the client is connecting to the SSID. This can occur if there are multiple Access Policies with the same precedence and overlapping rules configured through the Access Policies screen (Configure > Network Access > UPAM-NAC > Access Policies).
When a client connects to the SSID, UPAM selects the Access Policy with the highest precedence and evaluates whether its mapping rules align with the client’s connection request. If a match is found, the associated authentication strategy is applied. If two Access Policies with the same precedence have identical mapping rules, UPAM defaults to the policy created first. This behavior may lead to unexpected results.
To prevent ambiguity, ensure that:
a) There are no Access Policies with overlapping rules, or
b) Access Policies with overlapping rules have different precedence. You can adjust the policy precedence configured for the Access Policies (Configure > Network Access > UPAM-NAC > Access Policies) to address these issues.
Mapping Condition
Mapping conditions specify the conditions that client traffic should match for this policy to be applied to the client. At least one condition is mandatory. When multiple conditions are specified, all conditions must match before the policy is applied.
Attribute - Select the Attribute (Basic or Advanced Attribute type) from the drop-down list.
Basic Attributes - Access Point Group, Authentication Type, NAS Device Location, NAS Device Name, NAS IP, NAS Port ID, Network Type, Port Desc/WLAN Name, SSID.
Advanced Attributes - Alcatel-AP-Group, Alcatel-Device-Location, Alcatel-Device-Name, Alcatel-Port-Desc, Called-Station-Id, Calling-Station-Id, NAS-IP-Address, NAS-Identifier, NAS-Port-Id, NAS-Port-Type, Service-Type, User-Name.
Operator - Select a condition operator.
Value - Select a condition value. Enter at least one value. A maximum of 32 values are allowed.
Click on Add Condition to add another mapping condition to the Access Policy.
Authentication Method
Allow All EAPs - Enables/Disables the use of all EAP methods supported by UPAM, Authenticator, and the client device. By default, this option is set to “Yes” (Enabled). When disabled, select the allowed EAP methods:
EAP-TLS - Restricts authentication to EAP-TLS Protocol.
EAP-PEAP - Restricts authentication to EAP-PEAP Protocol.
EAP-TTLS - Restricts authentication to EAP-TTLS Protocol.
Authentication Strategy
Authentication Source - Specify the source of the user profile (Account/Password). The user profile can reside different servers and is required to specified so that UPAM is able to obtain the user profile for authentication.
None - Authenticate against “None”. This is only supported for MAC authentication, which requires captive portal authentication. 802.1x Authentication is not supported. In this case, a user needs to pass captive portal authentication first (authentication method could be by Account + Password/Access Code/Terms of Use/etc.), the MAC address of the user will be stored and the user will complete the MAC authentication. Guest user devices are displayed in the Guest Devices - Guest Remembered Device list. Employee user devices are displayed in the BYOD Devices - Remember Devices list.
Local Database - Authenticate against the user profile in the local UPAM database. An Employee or Guest user must be created before authentication. An Employee Guest User is created on the Employee Accounts screen. A Guest User is created on the Guest Accounts Screen.
External Radius - Authenticate against the user profile in an external RADIUS Server. Select a server from the External Radius drop-down. If necessary, you can click on Create External RADIUS Server to go to the Create External Radius Server screen to create a server.
Cloud Identity - Authenticate against the user profile with Azure Active Directory via the Certificate Connector for Microsoft. Azure AD has the ability to synchronize with on-premise Active Directory, providing authentication access to OmniVista Cirrus R10.
In this release of UPAM, cloud identity is only available for devices that use 802.1X authentication. Cloud identity cannot be used with BYOD or Guest Captive Portal at this time.
Network Enforcement Policy
Access Role Profile - Select the Access Role Profile from the drop-down list. If necessary, you can click on Create Access Role Profile to go to the Create Access Role Profile screen to create a profile.
Unified Policy List - Select a Unified Policy List from the drop-down list. If necessary, you can click on Create Unified Policy List to go to the Create Unified Policy List screen to create a policy list.
Other Attributes - Select the required attributes and provide values.
Acct-Interim-Interval - Interval for RADIUS accounting, in seconds. If not configured, the device's default accounting policy will take effect. (Range = 60 - 1200, Default = 600).
Session-Timeout - The Session Timeout Interval is the maximum number of consecutive seconds of connection allowed to the user before termination of the session or prompt. If not configured, the device's default session timeout policy will take effect. (Range = 12000 - 86400, Default = 43200).
Tunnel-Private -Group-ID - The Tunnel Private Group ID is used to determine the UNP for the device, if applicable. Tunnel Private Group ID is a RADIUS attribute that indicates the group ID for a particular tunnel session. It may be included in the Access-Request packet if the tunnel initiator can pre-determine the group resulting from a particular connection, and should be included in the Access-Accept packet if this tunnel session is to be treated as belonging to a particular private group. In most cases, L2 VLAN domain is a private group, and the Tunnel Group ID is pointing to the VLAN ID. (Range = 1 - 4094)
WISPr-Bandwidth-Max-Down - The user downstream bandwidth, in kbit/s. Value must be in range [0 - 2147483]. By default or set it to 0, it is not limited.
WISPr-Bandwidth-Max-Up - The user upstream bandwidth, in kbit/s. Value must be in range [0 - 2147483]. By default or set it to 0, it is not limited.
Mac Check Enforcement Policy
Specifies whether or not to check to see if the device MAC address is in the Company Property database. By default MAC Check Enforcement Policy is disabled. When it is enabled, you have the option to specify an Access Role Profile, Policy List, or other attributes for when the check is successful (MAC address is in the database) and for when the check fails (MAC address is not in the Company Property database).
Enable Company Property Check - Enables/Disables checking to see if the device MAC address is in the Company Property database. The Company Property Check is disabled (“No”) be default. When enabled, configure the following:
Access Role Profile - Select the Access Role Profile from the drop-down list. If necessary, you can click on Create Access Role Profile to go to the Create Access Role Profile screen to create a profile.
Unified Policy List - Select a Unified Policy List from the drop-down list. If necessary, you can click on Create Unified Policy List to go to the Create Unified Policy List screen to create a policy list.
Other Attributes - Select the required attributes and provide values.
Acct-Interim-Interval - Interval for RADIUS accounting, in seconds. If not configured, the device's default accounting policy will take effect. (Range = 60 - 1200, Default = 600).
Session-Timeout - The Session Timeout Interval is the maximum number of consecutive seconds of connection allowed to the user before termination of the session or prompt. If not configured, the device's default session timeout policy will take effect. (Range = 12000 - 86400, Default = 43200).
Tunnel-Private -Group-ID - The Tunnel Private Group ID is used to determine the UNP for the device, if applicable. Tunnel Private Group ID is a RADIUS attribute that indicates the group ID for a particular tunnel session. It may be included in the Access-Request packet if the tunnel initiator can pre-determine the group resulting from a particular connection, and should be included in the Access-Accept packet if this tunnel session is to be treated as belonging to a particular private group. In most cases, L2 VLAN domain is a private group, and the Tunnel Group ID is pointing to the VLAN ID. (Range = 1 - 4094)
WISPr-Bandwidth-Max-Down - The user downstream bandwidth, in kbit/s. Value must be in range [0 - 2147483]. By default or set it to 0, it is not limited.
WISPr-Bandwidth-Max-Up - The user upstream bandwidth, in kbit/s. Value must be in range [0 - 2147483]. By default or set it to 0, it is not limited.
Consider the following when an Access Policy with Company Property Check enabled is applied:
If the device MAC address is found in the Company Property database (MAC check is successful), UPAM applies the Access Role Profile or Unified Policy List associated with the matching Company Property entry to the device. If the matching Company Property entry does not specify an Access Role Profile or Unified Policy List, then the profile and list specified in the MAC Check Enforcement Policy for the Access Policy is applied.
If the device MAC address is not found in the Company Property database (MAC check fails), the following occurs:
For Poral Authentication, UPAM checks the following (in order) to obtain an Access Role Profile or Unified Policy List to apply to the device:
The Access Role Profile or Unified Policy List for the Account (LDAP Role mapping/Guest/BYOD).
The Access Role Profile or Unified Policy List under “Post Portal Authentication Enforcement” for BYOD/Guest Strategy.
The Access Role Profile or Unified Policy List specified in “Network Enforcement Policy” of the Access Policy.
Web Redirection Enforcement Policy
Web Authentication
Specify whether or not web redirection is required, and which web login page is going to be used during the authentication.Guest - Specifies an access strategy for guest users.
Guest Access Strategy - Select the access strategy from the drop-down list. If necessary, you can click on Create Guest Access Strategy to go to the Create Guest Access Strategy screen to create a guest access strategy.
Employee - Specifies an access strategy for employee users with BYOD devices.
BYOD Access Strategy - Select the access strategy from the drop-down list. If necessary, you can click on Create BYOD Access Strategy to go to the Create New BYOD Access Strategy screen to create a BYOD access strategy.
Guest and Employee - Specify both a Guest and Employee access strategy.
Both of the Authentication Source and Web Authentication must not be None.
Editing an Access policy
You can edit the parameter values for an existing Access Policy by accessing the Edit Access Policy screen.
Use one of the following methods to access the Edit Access Policy screen (as shown above):
Select the policy to edit by clicking on the checkbox next to the policy name, click on Actions, then select Edit from the drop-down menu.
Click on the pencil icon under the “Actions” column next to the policy name that you want to edit.
The following Edit Access Policy screen displays. Edit the fields as described above, then click on Save.
Delete an Access Policy
To delete an Access Policy, use one of the following methods to select the policy you want to delete:
Select the policy to delete by clicking on the checkbox next to the policy name, click on Actions, then select Delete from the drop-down menu.
Click on the trash can icon under the “Actions” column next to the policy name that you want to delete.
When you select the policy you want to delete, the following confirmation prompt appears:
Click on Delete to confirm that you want to delete the Access Policy.
Display Access Policy List
The Access Policy list displays information for the configured Access Policies. To display detailed information about a specific policy, click on the Additional Information icon under the “Actions” column. The information displayed on this screen is defined below.
The following information is displayed for each Access Policy:
Policy Name - User configured policy name.
Authentication Source - Specify the source of the user profile (Account/Password). The user profile can reside different servers and is required to specified so that UPAM is able to obtain the user profile for authentication.
Created At - The date and time when the policy is created.
External Radius Server - Authenticate against the user profile in an external RADIUS Server. You can select a server from the External Radius drop-down menu while creating the profile.
Mapping Condition - It specify the conditions that client traffic should match for this policy to be applied to the client. At least one condition is mandatory.
For Additional Information, see the description above.