Configuring system parameters

System parameters are related to all services in UAM, and must be properly configured to guarantee normal operation of services.

To configure the system parameters:

  1. Click the User tab.

  2. From the navigation tree, select User Access Policy > Service Parameters > System Settings.

    The list includes all the system settings.

  3. Click the Configure icon for the System Parameters field.

  4. Configure the following AAA parameters:

    • Aging Interval (Minutes)—Set the time interval at which UAM checks the status of each online user. If the time elapsed since UAM received a user's Accounting-Request packet or last Accounting-Update packet exceeds the aging interval, UAM considers the user offline and deletes the user from the online user list. As a best practice, set the value to at least three times the sending interval of Accounting-Update packets. The sending interval of Accounting-Update packets is configured on the access devices.

    • Authentication Lock Time (Seconds)—Set the time span between the end of authorization and the start of accounting. User reauthentication is prohibited during this time span. Use the default value of 5 seconds.

    • Estimated Access Period (Days)—Set the estimated access period for access period policies. At 00:00 every day, UAM computes the permitted access period within the estimated access period for each access period policy and stores the result in a temporary table. When an access user authenticates, UAM checks the service used by the user for its access period policy and searches the table to determine whether the user can access the network in the current period. A large value can affect system performance. As a best practice, use the default value of 3 days.

    • Max. Session Duration (Seconds)—Configure how long access users can stay online. The value is delivered to users in Access-Accept packets or Accounting-Update packets. As a best practice, set the value to at least three times the sending interval of Accounting-Update packets. The sending interval of Accounting-Update packets is configured on the access devices.

    • Traffic Unit (Bytes)—Configure the unit to use for measuring user traffic. The parameter must be the same as what is configured on the access devices.

    • Unit of Remaining Traffic (Bytes)—Configure the unit to use for measuring the remaining user traffic.

    • Client Protection against Cracks—Select Enable or Disable from the list to enable or disable the function. For more information about the client anti-crack function, see "Configuring client anti-crack."

    • Max. Authentication Attempts—Set the maximum number of consecutive authentication attempts permitted for an access user with incorrect passwords. If the maximum authentication attempts are exceeded, UAM adds the user to the blacklist to block the user from the computer where the login attempts are performed. The user is released from the blacklist at 00:00 the next day. If you do not want to restrict the authentication attempts, set the parameter to 0.

    • Stateless Failover—Configure the stateless failover function. Options are Disable, Active, and Standby. To disable the stateless failover function, select Disable. To enable the stateless failover function and configure the current UAM server as the active server, select Active. To enable the stateless failover function and configure the current UAM server as the standby server, select Standby. The stateless failover function allows the standby UAM server to take over as the active server and complete user authentication in case the active UAM server fails.

    • NAS Port for Control—Set the port number that UAM uses to send control packets to the access devices. This parameter must be the same as what is configured on the access devices. Only HP Comware and H3C devices support the parameter.

    • Control User Authentication—Select Enable or Disable from the list to enable or disable the function. With the function enabled, UAM discards the authentication packets of the user with consecutive authentication failures in a short period of time.

    • Username Prefix Conversion Mode—Configure the conversion method for account names containing a backslash (\) or forward slash (/). Options are Change to Suffix and Remove. If you select Change to Suffix, UAM converts the content before the backslash or forward slash into a suffix; for example, aaa/bbb or aaa\bbb is converted into bbb@aaa. If you select Remove, UAM removes the content before the backslash or forward slash; for example, aaa/bbb or aaa\bbb is converted into bbb.

      UAM uses the following procedure to process a user name in aaa/bbb or aaa\bbb format:

      1. UAM checks the user name format and converts the aaa\bbb format to the aaa/bbb format.

      2. UAM queries the user name in aaa/bbb format in the access user list or LDAP temporary user list.

      3. If the user name is matched, UAM uses the account name in aaa/bbb format for authentication. If no user name is matched, UAM converts the account name for authentication according to the username prefix conversion mode.

    • Log off Duplicate Account—Set whether or not to log off a duplicate account. This field takes effect only when the number of online access users is set to 1. If you select Enable, UAM logs off the online user when another user logs in with the same account, and the new login succeeds. If you select Disable, UAM does not log off the online user, and the new login with the same account fails.

    • Add Invalid Client to Blacklist—Configure whether or not to immediately blacklist a user accessing from an invalid client. The Enable option allows UAM to immediately blacklist users who attempt to access the network using invalid clients. The user is automatically released the next day or manually released by an administrator. The Disable option imposes no such restriction. A client is invalid if it does not meet the lowest version required by the access policy on UAM, or if its version is not uploaded to UAM.

    • Client Protection Password/Confirm Password—Specify a protection password. This parameter determines the protection password on the iNode client by cooperating with the password protection function in the iNode management center. For this parameter to take effect, you must enable the policy server (see "Configuring policy server parameters"). Follow these guidelines when you specify this parameter:

      • The parameter takes effect only when the iNode client supports client password protection.

      • The iNode client that supports client password protection must be configured with a default password. Before a user passes authentication through the iNode client for the first time, the default password applies. After the initial successful authentication, the client protection password takes effect.

      • If you do not set the client protection password, the default password configured for the iNode client applies.

      • If you clear the client protection password before it takes effect on the iNode client, the default password configured for the iNode client applies. If you clear the client protection password after it has taken effect on the iNode client, the password is still valid on the iNode client.

    • User Authentication Test Mode—If you enable the user authentication test mode, UAM replies with authentication success even when the authentication fails, and logs the failure event. The user authentication test mode helps you collect and analyze authentication failure causes without affecting network usage. It is typically used in the test phase of UAM deployment.

    • Renew Access Details at Midnight—If you select Enable, UAM generates two entries of the access details for each access user that is online at 00:00, one entry before 00:00 and the other entry after 00:00. If you select Disable, UAM generates the online details only after the user goes offline.

    • Dynamic Password Length—Set the length of the dynamic password sent to the user who clicks Obtain Verification Code in the iNode client during portal or SSL VPN authentication. This parameter applies to access policies that use Dynamic Password or Dynamic Password + Account Password as the password check mode.

    • Activate mute terminals before network access—Configure whether mute terminals are required to be activated before they can come online as mute terminal users. When this parameter is enabled, the mute terminal’s first authentication is always a failure. To activate a mute terminal, click Activate from the action menu on the account name details page of the mute terminal.

    • Detect IP Address Conflict for iNode Client—If you select Enable, UAM checks the IP address of the user who has passed the authentication using the iNode PC client. If the IP address conflicts with that of an existing online user, UAM provides the user name and MAC address of that user. If you select Disable, UAM does not detect conflicting IP addresses for the iNode client. This parameter applies only to the iNode PC client.

    • Database Error Handling—This parameter provides two options, Sends a Reject Message and Discards the Request. If you select Sends a Reject Message, the access device does not resend the same authentication request to UAM. If you select Discards the Request, the access device sends the authentication request to UAM again. The discard action applies to the scenario where endpoint users roam among multiple APs.

    • Send Session Timeout Attribute—Configure how the session timeout attribute is sent. Options are In Both, In Access-Accept Packets, In Update-Accounting-Response Packets, and In None. The In Both option enables UAM to send the session timeout attribute in both Access-Accept packets and Update-Accounting-Response packets. The In Access-Accept Packets option enables UAM to send the session timeout attribute in Access-Accept packets only. The In Update-Accounting-Response Packets option enables UAM to send the session timeout attribute in Update-Accounting-Response packets only. The In None option disables UAM from sending the session timeout attribute. Select In Both unless a special scenario requires otherwise.

    • Check Cert Attributes for Account—Specify whether to enable UAM to check account name consistency against certificate attributes. The certificate attributes include Subject-CN, Subject-Email, Subject Alternative Name-DNS, and Subject Alternative Name-UPN. When you select this option and specify one or more certificate attributes, UAM checks the account name against these certificate attributes during certificate authentication. If the account name matches a certificate attribute, the user passes the authentication. If the account name does not match any attribute, the user cannot pass the authentication.
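The Username Prefix Conversion Mode procedure above (normalize aaa\bbb to aaa/bbb, look the name up, and only convert when there is no match) is easy to get wrong in an integration script, so the following is an added example of that procedure written here for illustration; it is not UAM code. The access user list, LDAP temporary user list and sample names are constructed stand-ins, and the mode strings mirror the option names on the page.

```python
# Added example (not HPE/UAM code): models the username prefix conversion
# procedure for names in aaa/bbb or aaa\bbb format. The user lists and
# sample names below are constructed for illustration.

from typing import Iterable, Set

CHANGE_TO_SUFFIX = "Change to Suffix"
REMOVE = "Remove"

# Constructed sample data standing in for the access user list and the
# LDAP temporary user list. Stored names use the aaa/bbb format.
ACCESS_USERS: Set[str] = {"corp/alice", "bob"}
LDAP_TEMP_USERS: Set[str] = {"lab/carol"}


def normalize_separator(name: str) -> str:
    """Step 1: convert the aaa\\bbb format to the aaa/bbb format."""
    return name.replace("\\", "/")


def apply_prefix_conversion(name: str, mode: str) -> str:
    """Apply the configured conversion mode to a name in aaa/bbb format.

    Change to Suffix: aaa/bbb -> bbb@aaa
    Remove:           aaa/bbb -> bbb
    A name without a separator is returned unchanged.
    """
    if "/" not in name:
        return name
    prefix, _, user = name.partition("/")   # split at the first separator
    if mode == CHANGE_TO_SUFFIX:
        return f"{user}@{prefix}"
    if mode == REMOVE:
        return user
    raise ValueError(f"unknown conversion mode: {mode!r}")


def resolve_account_name(login_name: str, mode: str,
                         access_users: Iterable[str] = ACCESS_USERS,
                         ldap_temp_users: Iterable[str] = LDAP_TEMP_USERS) -> str:
    """Return the account name that authentication proceeds with.

    Step 2: look the aaa/bbb name up in the access user list and the LDAP
    temporary user list.
    Step 3: on a match, keep the aaa/bbb name; otherwise convert it according
    to the username prefix conversion mode.
    """
    name = normalize_separator(login_name)
    if name in set(access_users) or name in set(ldap_temp_users):
        return name
    return apply_prefix_conversion(name, mode)


if __name__ == "__main__":
    for login in ("corp\\alice", "lab/carol", "corp\\dave", "bob"):
        print(login, "->", resolve_account_name(login, CHANGE_TO_SUFFIX))
```

Note that a stored name such as corp/alice is matched as-is and never converted, while an unknown corp\dave becomes dave@corp (Change to Suffix) or dave (Remove); with Remove, two different prefixes collapse onto the same account name, which is the reason the lookup in step 2 runs before any conversion.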

  5. Configure the following user data management parameters:

    • Syslog Server IP—Specify the IP address of the syslog server. You can configure UAM to encapsulate authentication failure logs within syslogs and send them to the syslog server. You can also configure EAD to encapsulate security logs within syslogs and send them to the syslog server.

    • Send Auth Failure Syslogs—Configure UAM to send new authentication failure logs as syslogs to the server. If you select Yes, UAM checks the user authentication failure logs generated in the last hour, encapsulates the content of each log as a syslog, and sends the syslogs to the syslog server. If you select No, UAM does not send authentication failure logs as syslogs.

    • UAM Service Group—Configure the service group function. To permit administrators to define service groups, select Enable. To prohibit administrators from defining service groups, select Disable. You can change the service group function from Enable to Disable only when no user-defined service group exists in UAM.

    • Access Details Lifetime—Specify how long UAM keeps the user access details. When the time expires, the access details are automatically deleted. The default value is 90 days.

    • Cancelled User Lifetime—Specify how long UAM keeps the account information of an access user in database after the user is cancelled. This parameter also specifies how long UAM keeps user access details in the UAM console. When the time expires, UAM permanently deletes the account information and user access details of the access user from the UAM console and database.

    • Log Lifetime—Specify how long UAM keeps the user authentication failure logs, self-service center operation logs, and device management user logs in the database. UAM automatically deletes the logs that exceed the log lifetime at 00:00 every day.

    • Enable IPv6—Select Yes or No from the list to enable or disable IPv6. If you select Yes, UAM checks the IPv6 addresses bound to users, records the IPv6 addresses in the access user list, online user list, roaming online user list, blacklisted users, authentication failure logs, access details, and roaming access details, and offers the IPv6 address as a query criterion. If you select No, UAM does not support IPv6 users. This parameter does not take effect on batch operations, and you cannot export, import, or modify IPv6 addresses in batches.

    • Send an alarm when the access user authentication queue is full—Select Yes or No from the list to configure the trap function for full access user authentication queue. If you select Yes, UAM checks whether a user authentication failure log is generated due to full authentication queue in the last minute. If a new log is found, UAM sends a trap to the alarm server. If you select No, UAM does not check for latest user authentication failure logs or send traps.

    • Alarm Server IP—Specify the IP address of the server to receive the trap.

    • Listening Port of Alarm Server—Specify the port that the alarm server listens to for traps.

    • Remote Connection Wait Time—Specify how long the UAM administrator can wait for a client to enter the user name and password for the operating system in a remote desktop connection. This parameter takes effect only when you select Client for Remote Desktop Password Input Side.

    • Remote Desktop Password Input Side—Select Client or Server from the list to determine the password input side in remote desktop connections. If you select Client, a username/password window opens on the client PC in a remote desktop connection initiated by a UAM administrator to an online user, requiring the online user to enter the user name and password. If you select Server, a username/password window opens on the PC used by a UAM administrator in a remote desktop connection initiated by the administrator to an online user, requiring the administrator to enter the user name and password.

    • Display the TopN User Groups—Configure UAM to display on the user homepage the topN user groups with the most online users.

    • Apply for Service by User Group—Set whether or not a service can be assigned or cancelled when you add or modify a user account. If you select Enable, UAM automatically assigns services of a user group to the users in this group (except LDAP users synchronized to the user group based on AD group). When a user of a user group is moved to a new user group or the services assigned to the user group are changed, UAM re-assigns the services of the new user group to the user at 00:20 the next day. UAM allows you to specify the services that must be assigned to a user group on the Add/Modify User Group page, or specify the user groups that must apply for the specified service on the Add/Modify Service Configuration page.

    • Apply Service Configuration Immediately—If you select Enable, the system applies the most recent service configuration to a user immediately after the user group changes or services of the user group are changed. When you select Disable, UAM reassigns the services of the new user group to the user at 00:20 the next day after the change. This parameter is displayed only when the Apply for Service by User Group field is enabled.

    • iMC Service Port—Specify the port used to access the IMC console. The value must be consistent with that of the imc.http.port parameter in the self-service configuration file client\conf\http.properties in the IMC installation path, and must be changed along with the self-service configuration file. Do not modify this parameter in any other case; otherwise, the IMC console might become inaccessible.

    • Cancel Online User Services—Set whether or not a service being used by an online user can be cancelled. If you select Enable, the system logs off the user and then cancels the service. If you select Disable, the system prompts you that the service is being used and cannot be cancelled.

    • Forcibly Set Bound IP Address and Access Services—If you select Enable for this field and Disable for the Apply for Service by User Group field, you must bind at least one access service to the user account when you add or modify an access user or register a preregistered user. If you select Enable for both this field and the Apply for Service by User Group field, you must bind at least one access service to the user group when you add or modify a user group. If Bind User IP is selected in the selected services, you must specify a bound IP address for the user account. If you select Disable for this field, UAM imposes no such restrictions. This parameter takes effect only for single users and does not apply to batch operations. Enable this function only in special scenarios.

    • Trouble Ticket Hold Time—Specify how many days UAM can keep the trouble tickets. UAM automatically deletes the trouble tickets that exceed the hold time, but does not delete the trouble tickets that are changed into typical cases.

    • Verify IP Address—If you select Enable for this field, you must bind to the user account a unique IP address that is not bound to any other user accounts when you add or modify an access user or register a preregistered user. This parameter does not take effect when you add, modify, or register users in batches.

    • Verify MAC Address—If you select Disable for this field, you must bind to the user account a unique MAC address that is not bound to any other user accounts when you add or modify an access user or register a preregistered user. This parameter does not take effect when you add, modify, or register users in batches.

    • Daily Password SMS Messages—Select this option and specify the upper limit of password SMS messages to be sent for a single user in a day. If you do not select this option, the number of password SMS messages is not limited.

    • Blacklist Period—Select this option and specify the time period in hours or minutes after which the blacklist users are released automatically. If you do not select this option, users in the blacklist will be automatically released at 03:30 the next day, except manually blacklisted users and users with an overdue payment.

    • MAC Address Consistency Check—If you select Enable, UAM checks whether the MAC address used for the current login of the user is the same as that used for last login. If the MAC addresses are different, UAM notifies the user of the inconsistency. The feature is available only when both of the following conditions are true:

      • The MAC addresses used for the current and last logins of the user can be obtained by UAM.

      • The user is logged in through 802.1X authentication on iNode PC or portal authentication on the webpage.

    • Displays Key in—Enable UAM to display keywords in either cipher text or plain text on the following pages: adding/modifying/querying access devices, adding/modifying/querying portal devices, adding/modifying roaming configuration, user online/offline notification parameter configuration, single-point login configuration, and adding general/Wi-Fi configuration templates.
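The Max. Authentication Attempts entry in step 4 and the Blacklist Period entry above describe one mechanism from two sides: a counter of consecutive password failures that, once the configured maximum is exceeded, blacklists the user on the computer the attempts came from, and an automatic release that happens either after a configured period or at a fixed time the next day. The following is an added example written here to model that behaviour; it is not UAM code. Because the page gives 00:00 (Max. Authentication Attempts) and 03:30 (Blacklist Period default) as release times, the daily release time is a parameter, and the "exceeded" check treats the configured value as the number of permitted attempts. Account names, endpoint identifiers, timestamps and policy values are constructed.

```python
# Added example (not HPE/UAM code): a model of the Max. Authentication
# Attempts counter and the automatic blacklist release. Accounts, endpoints,
# timestamps and policy values below are constructed for illustration.

from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class BlacklistPolicy:
    max_attempts: int                      # Max. Authentication Attempts; 0 = unrestricted
    period_minutes: Optional[int] = None   # Blacklist Period, if that option is selected
    daily_release: Tuple[int, int] = (0, 0)  # (hour, minute) used when no period is set


@dataclass
class EndpointState:
    consecutive_failures: int = 0
    blacklisted_until: Optional[datetime] = None


def release_time(policy: BlacklistPolicy, now: datetime) -> datetime:
    """When a blacklist entry created at `now` is released automatically."""
    if policy.period_minutes is not None:
        return now + timedelta(minutes=policy.period_minutes)
    hour, minute = policy.daily_release
    return datetime.combine(now.date() + timedelta(days=1), time(hour, minute))


class AuthGuard:
    """Tracks consecutive password failures per (account, endpoint): the
    blacklist blocks the user on the computer the attempts were made from."""

    def __init__(self, policy: BlacklistPolicy) -> None:
        self.policy = policy
        self.state: Dict[Tuple[str, str], EndpointState] = {}

    def is_blacklisted(self, account: str, endpoint: str, now: datetime) -> bool:
        st = self.state.get((account, endpoint))
        if st is None or st.blacklisted_until is None:
            return False
        if now >= st.blacklisted_until:
            # Automatic release: clear the entry and the failure counter.
            st.blacklisted_until = None
            st.consecutive_failures = 0
            return False
        return True

    def record_attempt(self, account: str, endpoint: str,
                       password_ok: bool, now: datetime) -> str:
        """Return 'blacklisted', 'accepted' or 'rejected' for one attempt."""
        if self.is_blacklisted(account, endpoint, now):
            return "blacklisted"          # even a correct password is blocked
        st = self.state.setdefault((account, endpoint), EndpointState())
        if password_ok:
            st.consecutive_failures = 0   # a success resets the counter
            return "accepted"
        st.consecutive_failures += 1
        if self.policy.max_attempts > 0 and st.consecutive_failures > self.policy.max_attempts:
            st.blacklisted_until = release_time(self.policy, now)
            return "blacklisted"
        return "rejected"


# Constructed reference time for the replay helper below.
T0 = datetime(2024, 1, 10, 22, 0)


def replay(policy: BlacklistPolicy, attempts) -> List[str]:
    """Replay (account, endpoint, password_ok, minutes_after_T0) tuples in
    order and return the outcome of each attempt."""
    guard = AuthGuard(policy)
    return [guard.record_attempt(a, e, ok, T0 + timedelta(minutes=m))
            for a, e, ok, m in attempts]


if __name__ == "__main__":
    seq = [("alice", "pc1", False, 0)] * 4 + [("alice", "pc1", True, 5), ("alice", "pc1", True, 120)]
    print(replay(BlacklistPolicy(max_attempts=3), seq))
```

With max_attempts=3 the fourth consecutive failure blacklists alice on pc1; a correct password five minutes later is still blocked, a login from a different computer is unaffected, and the entry clears at 00:00 the next day (or at 03:30 with daily_release=(3, 30), or after period_minutes when a Blacklist Period is set). Setting max_attempts to 0 keeps rejecting bad passwords without ever blacklisting, matching the page's "do not restrict" value.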

  6. Configure the following self-service parameters:

    • Authenticated Self-Service Users Only—Select Yes from the list to allow only authenticated users to use self-services on PCs. Select No from the list to allow all users to use self-services on any PC. When Yes is selected, make sure that the Upload IPv4 address box is selected for each 802.1X connection to enable 802.1X users to use self-services. If a NAT device exists between the access device and UAM, select No for the parameter. Otherwise, the user cannot use self-services.

    • Preregistered IP Limit Times—Specify the total number of access users and guests that users from the same IP address can preregister in the self-service center each day. The parameter does not count the access users and guests that are formally registered the same day they are preregistered. The value for this field is an integer in the range of –1 to 1000. The value of –1 indicates that the total number of preregistered users is not limited. The value of 0 indicates that no preregistration is allowed, and user preregistration is disabled.

    • Reconfirm Preregistration—Select Enable or Disable from the list to enable or disable the function. If you select Enable, a preregistered user becomes an inactive access user after it is formally registered, and must be activated by an administrator to become a normal user. If you select Disable, a preregistered user directly becomes a normal access user after it is formally registered.

    • Clear Online Info Through Self-Service—Select Enable from the list to enable users to clear the user online information through the self-service center to remove fake online users. Select Disable from the list to prohibit users from clearing the user online information through the self-service center.

    • Ticket Quantity Limit per Account per Day—Specify the maximum number of trouble tickets a user can submit on the same day. This field takes effect only when you select Enable for Trouble Report Service.

    • Password Strategy for User Preregistration—Select Enable or Disable to enable or disable the password strategy for user preregistration. If you select Enable, the password set by a user for preregistration must meet the requirements of the password strategy. This restriction does not apply when a user modifies the password after approval. For information about configuring the password strategy, see "Configuring global system settings."

    • Self-Service Port—Set the self-service port number. This parameter is mainly used in iNode client upgrade. The value must be consistent with that of the imc.http.port parameter in the self-service configuration file client\conf\http.properties in the IMC installation path, and must be changed along with the self-service configuration file. If you change the self-service configuration file, restart the jserver process in Intelligent Deployment Monitoring Agent to make the new settings effective.

    • Modify Asset Information—Configure whether to allow endpoint users to modify the asset information in the Self-Service Center. This parameter is displayed only when EAD Security Policy is installed.

    • Modify transparent authentication status in self-service center—Configure whether to allow endpoint users to modify the transparent authentication state of endpoints in the Self-Service Center.
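The Preregistered IP Limit Times rule above has three distinct cases (-1 unlimited, 0 disabled, otherwise a per-address daily count that skips users formally registered on the day they were preregistered), and the following is an added example written here to make that decision explicit; it is not UAM code. The record layout, the addresses and the dates are constructed.

```python
# Added example (not HPE/UAM code): models the Preregistered IP Limit Times
# rule. The record layout, addresses and dates are constructed.

from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

UNLIMITED = -1   # the documented -1 value: no limit
DISABLED = 0     # the documented 0 value: preregistration disabled


@dataclass(frozen=True)
class Preregistration:
    source_ip: str
    preregistered_on: date
    formally_registered_on: Optional[date] = None   # None while still pending


def counts_toward_limit(rec: Preregistration, ip: str, today: date) -> bool:
    """A record counts for `ip` today when it was preregistered today from
    that address and was not formally registered on the same day."""
    if rec.source_ip != ip or rec.preregistered_on != today:
        return False
    return rec.formally_registered_on != today


def preregistrations_today(records: Iterable[Preregistration], ip: str, today: date) -> int:
    return sum(1 for r in records if counts_toward_limit(r, ip, today))


def can_preregister(limit: int, records: Iterable[Preregistration], ip: str, today: date) -> bool:
    """Decide whether one more preregistration from `ip` is allowed today."""
    if not -1 <= limit <= 1000:
        raise ValueError("Preregistered IP Limit Times must be in the range -1 to 1000")
    if limit == UNLIMITED:
        return True
    if limit == DISABLED:
        return False
    return preregistrations_today(records, ip, today) < limit


# Constructed sample data: three preregistrations from 10.0.0.5 and one from
# another address. Only the first 10.0.0.5 entry counts today: the second was
# formally registered the same day and the third was made the previous day.
SAMPLE_TODAY = date(2024, 3, 5)
SAMPLE_RECORDS = [
    Preregistration("10.0.0.5", SAMPLE_TODAY),
    Preregistration("10.0.0.5", SAMPLE_TODAY, formally_registered_on=SAMPLE_TODAY),
    Preregistration("10.0.0.5", date(2024, 3, 4)),
    Preregistration("10.0.0.9", SAMPLE_TODAY),
]

if __name__ == "__main__":
    for limit in (-1, 0, 1, 2):
        print(limit, can_preregister(limit, SAMPLE_RECORDS, "10.0.0.5", SAMPLE_TODAY))
```

Against the sample data, a limit of 2 still admits one more preregistration from 10.0.0.5 while a limit of 1 refuses it, because the same-day formal registration and the previous day's entry are not counted.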

  7. Click OK.