Check

Select the checkbox in this column for anti-virus software to check the installation state of that software.

Priority

When much anti-virus software is installed, you can adjust the anti-virus software priority to change the check priority. When the iNode client identifies whether a system is installed with anti-virus software, it checks the software in the supported software list based on the priority configured in the policy. If much software is available, the iNode client checks only the software with the highest priority and reports its state to the policy server. Software with a lower priority is ignored.

Second-Check Interval (s)

When the first check fails, the check result is not reported. The iNode client performs another check after the specified interval and reports the check result. The value is in the range of 0 to 60 seconds. To report the check result immediately when the first check fails, set the value to 0.

Version Check Mode

Select a version check mode. If the obtained virus library version is in date format, the iNode client identifies whether the date format is valid. If the obtained virus library version is in dotted format, the iNode client identifies whether the dotted format is valid.

Adaptation Period (in days)

Specify the number of days within which the anti-virus engine version or virus library version used by the endpoint must have been updated, counting from the current date. To perform no check on the anti-virus software engine or virus library version, set the value to 0.

Access Period

Select an access period policy from the list. A user using the access policy can access the network only in the time ranges defined in the access period policy.

Allocate IP

Specify whether to assign IP addresses to users.

Upstream Rate (Kbps)/Downstream Rate (Kbps)

Specify the maximum upstream rate and downstream rate for users that match the access policy.

Priority

Specify the traffic priority during network congestion. A smaller value indicates a higher priority. Select a priority value from the priority values supported by the device. An invalid value might result in failures of endpoint users to access the network.

Authentication Type/Subtype

Select an EAP authentication type. During EAP authentication, the RADIUS server deploys this EAP authentication type to the client. Options include EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP. If you select the EAP-TTLS or EAP-PEAP authentication type, select EAP-MSCHAPv2, EAP-MD5, or EAP-GTC as the subtype.

·     EAP-MD5: CHAP-based EAP authentication.

·     EAP-TLS: Certificate-based identity authentication, which uses the TLS protocol to implement identity authentication and requires PKI for certificate management. The server and client use certificates for identity authentication. If authentication succeeds, the two sides negotiate a shared key, session ID, and cipher suite (encryption, compression, and data integrity check) to set up a secure and reliable communication channel. EAP-TLS uses the session ID for fast reauthentication, which greatly simplifies the authentication process. It also supports fragmentation of large TLS packets.

·     EAP-TTLS: Certificate-based identity authentication, which initiates subauthentication within the security channel set up by TLS authentication between the client and EIA. The authentication method protects the user identity and the EAP authentication negotiation process. Subauthentication types include EAP or non-EAP authentication. EAP authentication can be EAP-MSCHAPv2, EAP-MD5, or EAP-GTC. Non-EAP authentication can be MSCHAPv2 or PAP. If you select the EAP-TTLS authentication type, you must select an EAP subtype on EIA. However, in actual authentication, an endpoint can use a non-EAP subtype (PAP, for example) even if an EAP subtype is configured on EIA.

·     EAP-PEAP: Certificate-based identity authentication, which initiates EAP authentication within the security channel set up by TLS authentication between the client and EIA. The authentication method protects the user identity and the EAP authentication negotiation process. EIA only supports EAP-MSCHAPv2, EAP-MD5, and EAP-GTC authentication types.

EAP Auto Negotiate

Specify whether to enable automatic negotiation of EAP authentication types when the EAP authentication types specified on the client and EIA are different. With this feature enabled, EIA permits the client's authentication request without considering the EAP type configured on the client. With this feature disabled, EIA rejects the client's authentication request if the EAP authentication types specified on the client and EIA are different.

Maximum Online Duration for a Logon (Minutes)

Specify the maximum online duration in minutes for a successfully authenticated user that uses the access policy. The value is an integer in the range of 1 to 1440. If you leave this field empty, the online duration is not limited. If you specify a value and the online duration of an access user exceeds the specified value, EIA forces the user to go offline.

Deploy VLAN

Specify a VLAN ID or name for deployment to users. After passing authentication, users can access resources in the specified VLAN only. On the access device, configure the VLAN assignment mode as integer or string type accordingly:

·     If the type of the access device is H3C (General), HUAWEI (General), HP (Comware), or 3COM (General), you can enter a VLAN ID or VLAN name. EIA takes any integer in the range of 1 to 4094 as an integer-type VLAN ID and deploys it to the access device. Any other character string is taken as a string-type VLAN name and deployed to the access device.

·     If the access device is none of the previous types, EIA always deploys the entered value to the access device as a string-type VLAN name.

Deploy Address Pool

Enter an address pool name to be deployed to the access device for assigning IP address to users. For successful address assignment, make sure an address pool with the same name exists on the access device.

Deploy User Profile

Specify the name of the user profile for deployment to the device to perform user-based QoS functions. This feature takes effect only when the user profile to be deployed has been configured on the device.

Deploy User Group

Specify the name of the user group to which the users belong after they pass authentication. You can enter multiple user groups, separated by semi-colons (;). This feature takes effect only when EIA works with an SSL VPN device or collaborates with ACG 1000.

Deploy ACL

Specify the ACL for deployment to access users.

Offline Check Period (Hours)

Specify the offline check interval for mute terminals, in hours. The value must be an integer in the range of 0 to 596523. After a mute terminal passes authentication, EIA deploys the configuration to the device and the device checks whether the mute terminal is offline at the specified periods. If you leave this field empty or set the value to 0, offline check will not be performed.

Authentication Binding Information

EIA cooperates with the access device to check the binding information for each user account to be authenticated, including the IP address, port, VLAN, QinQ double VLAN, and SN of the access device, and the IP address, MAC address, IMSI, IMEI, wireless user SSID and the hard disk serial number of the user endpoint. The iNode client cooperates with the policy server to check the following binding information of the user: user IP address, MAC address, computer name, computer domain, logon domain and hard disk serial number. Among the binding items, user MAC address and IMSI are mutually exclusive and cannot be bound at the same time. You can configure binding information for an access policy and apply the access policy in an access service. If a user uses an access service that applies an access policy without binding information, auto learning is adopted. In this case, EIA binds the parameters used in the first login of a user. For example, if a user uses 10.100.10.10 for the first login through the service, the user must always use the IP address for future authentication.

·     Control Access IP/MAC Address: With this feature enabled, EIA check the IP address or MAC address of an access user by using this service when the user attempts to come online. If the IP address or MAC address is on the allowed access address list, the user can come online. Otherwise, the access is denied.

·     Control Hard Disk Serial Number: With this feature enabled, EIA checks the hard disk serial number of a user endpoint when the user attempts to come online. If the serial number is permitted or EIA cannot obtain the hard disk serial number, the user is allowed to come online. Otherwise, the access is denied. This feature must work with the iNode PC client.

·     Enable SSID Access Control: When you enable this feature and set the SSID filter to Permit, EIA maintains an SSID allowlist. Users can access the network when they connect to an SSID on the SSID access control list. When you enable this feature and set the SSID filter to Deny, EIA maintains an SSID denylist. Users cannot access the network when they connect to an SSID on the SSID access control list. This feature must work with the iNode PC client. The client receives the SSID access control configuration from EIA and saves it to the PC. The configuration also applies to the Windows built-in 802.1X application.

·     Control BIOS Serial Number: With this feature enabled, EIA checks the BIOS serial number of an access user by using this service when the user attempts to come online. If the serial number is permitted, the user is allowed to come online. Otherwise, the access is denied. If EIA cannot obtain the BIOS serial number, it allows the user to come online. This feature must work with the iNode PC client.

Service Name

Enter a service name, which must be unique.

Service Suffix

Enter a service suffix, which identifies the name of the domain to be used for user authentication. The service suffix, authentication username, authentication domain, and the device's RADIUS scheme command are closely related to each other. For more information about the matrix of these elements, see Table 6.

Default Access Policy

Select a default access policy.

Default Security Policy

Select a default security policy.

Security Group

Select a security group.

Sub Security Group

Select a sub security group.

Default Proprietary Attribute Assignment Policy

Specify the default proprietary attribute assignment policy. If a user that uses the service does not match an access device group when the user accesses the network, the system deploys proprietary attributes to the access device according to the configuration of the default proprietary attribute assignment policy.

Default Max. Devices for Single Account

Specify the maximum number of endpoints to be bound to the same user account in access scenarios that are not included in the service. This field is available only when the EIP component is deployed.

EIA checks the maximum number of bound endpoints for a single account in the following order:

·     Matched access scenario: Checks the number of bound endpoints against the maximum number limit specified in the scenario. If the number reaches the limit, EIA denies the user authentication.

·     Scenarios in all services: Checks the number of bound endpoints in scenarios of all assigned services for the account. If the number reaches the value of Max. Device for Single Account specified in user endpoint settings on the Automation > User > Service Parameters > Access Parameters > System Settings page, EIA denies the user authentication.

Default Max. Number of Online Endpoints

Specify the maximum number of online endpoints using the same user account in access scenarios that are not included in the service.

Daily Max. Online Duration

Specify the total duration in a day that an account can access the network by using the service. When the limit is reached, the account is forced offline and cannot access the network this day. The value can be an integer in the range of 0 to 1440 minutes. A value of 0 means no limit.

Description

Enter a description for the access service.

X@Y

Y

user-name-format with-domain

Y

user-name-format without-domain

No suffix

X

[Default Domain]

Default domain on the device

user-name-format with-domain

[Default Domain]

user-name-format without-domain

No suffix

User Name/Identity Number

Enter the username and identity number of the user.

Account Name

Uniquely identifies an account user. The user uses the account name to apply for and use services. The account name is a string of up to 200 characters that cannot contain the Tab key or special characters #+/?%&=*'@\"[]()<>`

Password/Password Confirm

Enter the same password for identity verification.

Access Service

Select the previously configured access service.