8 configuring user access policies – H3C Technologies H3C Intelligent Management Center User Manual
8 Configuring user access policies
The access policy is another important concept in BYOD, which specifies rules and policies to control
network access of endpoint users.
BYOD also uses the following important concepts:
• Access Condition—Specifies the conditions to meet for network access such as time, location, endpoint device, and network type.
• Access Scenario—Defines the access policy to take effect on a specific access condition.
To implement BYOD, the following workflow applies:
1. In UAM, the operator defines access conditions and access policies.
2. In UAM, the operator defines one or more access scenarios for a specific service, and maps access conditions to access policies in each access scenario.
3. When an endpoint user attempts to access the network by using the service, UAM identifies the access conditions for the endpoint user and applies the correct access policy to the endpoint user.
For more information about configuring access conditions, see "7 Configuring access conditions."
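The following Python model of the workflow above is an added example, not code from UAM or from this manual. It resolves an access request against an ordered list of access scenarios and reports scenarios that can never take effect because an earlier, broader condition always matches first. The field names, the first-match evaluation order, the deny default, and the sample scenarios are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

@dataclass(frozen=True)
class AccessCondition:
    # None means "any value". Field names are hypothetical, not UAM's schema.
    hours: Optional[Tuple[time, time]] = None  # allowed window [start, end)
    location: Optional[str] = None
    device: Optional[str] = None
    network: Optional[str] = None

    def _attrs(self):
        return (self.location, self.device, self.network)

    def matches(self, at, location, device, network):
        if self.hours and not (self.hours[0] <= at < self.hours[1]):
            return False
        return all(w is None or w == g
                   for w, g in zip(self._attrs(), (location, device, network)))

    def covers(self, other):
        """True if every request that matches `other` also matches self."""
        hours_ok = self.hours is None or (
            other.hours is not None
            and self.hours[0] <= other.hours[0] and other.hours[1] <= self.hours[1])
        return hours_ok and all(
            w is None or w == o for w, o in zip(self._attrs(), other._attrs()))

@dataclass(frozen=True)
class AccessScenario:
    name: str
    condition: AccessCondition
    policy: str

def resolve_policy(scenarios, at, location, device, network, default="deny"):
    # Assumption: scenarios are evaluated in list order and the first match wins;
    # a request that matches no scenario gets `default` (deny here).
    for s in scenarios:
        if s.condition.matches(at, location, device, network):
            return s.policy
    return default

def shadowed(scenarios):
    # Names of scenarios that can never be selected: an earlier one covers them.
    return [s.name for i, s in enumerate(scenarios)
            if any(e.condition.covers(s.condition) for e in scenarios[:i])]

# Constructed sample data, not taken from any real deployment.
SCENARIOS = [
    AccessScenario("office-laptop", AccessCondition((time(8), time(18)), "HQ", "laptop", "wired"), "full-access"),
    AccessScenario("any-phone-wifi", AccessCondition(device="phone", network="wireless"), "internet-only"),
    AccessScenario("hq-phone-wifi", AccessCondition(location="HQ", device="phone", network="wireless"), "guest-vlan"),
]
```

In the sample data, "hq-phone-wifi" is reported as shadowed, so its policy is never applied until it is moved ahead of "any-phone-wifi".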
An access policy provides the following access control information:
• Authorization—Controls authorization information such as the access time period, download and upload rates, VLANs, ACLs, and certificate authentication settings.
• Binding check—Compares the IP address, MAC address, computer name, and domain used by the endpoint, the IP address and MAC address of the access device, the user VLAN, and other binding information with the binding information configured for the user account.
• Network check—Requires that the iNode client be used, and checks the proxy, multi-NIC, and other network settings.
• Security check—Works with EAD to check software information such as anti-virus, anti-spyware, anti-phishing, and firewall software, system patches, and software blacklist/whitelist on the terminals. For more information, see HP IMC EAD Security Policy Administrator Guide.
• Proprietary-attribute assignment—Deploys vendor-specific RADIUS attributes to the access devices to complete special network access schemes. For more information, see "
• Internet access lock—Works with EAD to prevent endpoint users from accessing other networks. For more information, see HP IMC EAD Security Policy Administrator Guide.
UAM integrates the authorization, binding check, and network check functions into access policies. It
also provides the User Access Policy module to manage the following contents for access policies: access
period policy, SSID address control, hard disk serial number, access MAC address, and access ACL.
Except for the access ACL, an endpoint user cannot access the network if access is prohibited by any of the preceding contents in the access policy.
Table 14 Access policy contents
Access policy contents | Description
Access period policy | This function controls user access by time period. For more information, see "