User Guide
OmniAccess SafeGuard OS Administration Guide
277
Chapter 6: Configuring Authentication and Role Derivation
Each rule in the rule map is evaluated, in order, against information in the user
authentication event. If the rule map's conditions are met, the rule map is said to match.
When a rule map matches, a role value can be assigned to the user.
The role value can be explicitly specified, or it can be derived from the value of some
attribute in the authentication event. For example, an explicitly specified role value
places every user the rule map matches in the role “systems”. A derived role value
instead sets the user's role to the value of a named authentication attribute, provided
that attribute exists in the event.
Rule maps are applied in order of their precedence. A rule map with a lower precedence
value is evaluated before a rule map with a higher precedence value. After a rule map
matches, the system can either stop evaluating rule maps or continue with the next one.
Whether to stop or continue after a match is configurable per rule map.
Within a rule map, each individual rule is evaluated in the order it was configured. As
soon as the system determines that the current rule map matches, or that it can no longer
match, it stops evaluating the remaining rules in that rule map. On a match it assigns the
role value; on a match failure it moves on to the next rule map. Because evaluation
short-circuits in this way, careful ordering of rules and rule maps can yield some
performance gains.
If a rule map specifies the role value as an attribute using the value-of syntax, an error
occurs if the specified attribute does not exist in the authentication attributes. For
example, if the role value is configured as the value of radius.filterId and the user did
not authenticate with RADIUS, that attribute is absent and the lookup fails. In this case
the system treats the rule map as if it had failed to match and continues by evaluating
the next rule map. In addition, the system increments the “Hit Failure” counter to record
the role-assignment failure.
The derived role information is passed to the policy component to bind the role to the
network resource permissions. The importance of roles is further discussed in Role
Hierarchy on page 306.
Match conditions are evaluated against information in the login event. This information
is stored in attributes. All attributes are string values, identified in the system by an
attribute class and an attribute name. The notation for attributes is class.name. The
attribute class identifies the source of the attribute, such as DHCP, RADIUS, or AD. The
attribute name is the protocol element that is unique to the authentication event.
System attributes are automatically created for each login event based on system
parameters. These parameters are common to all authentication types and protocols. For
example:

Attribute          Description
system.userName    The name of the user
system.srcIP       IP address of the user's interface
system.authType    Protocol used to authenticate the user
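The following is an added example, not SafeGuard OS code, that models the rule-map evaluation described above (precedence ordering, short-circuit rule evaluation, stop-or-continue after a match, and the Hit Failure path when a value-of attribute is absent) over events keyed in the class.name attribute notation. The operator names "equals" and "contains", the "value-of:<class.name>" string form, the ad.memberOf attribute, the rule-map names and the sample login events are all assumptions made for illustration; a later match overwriting the role when processing continues is likewise an assumption.

```python
# Added example: a minimal model of rule-map role derivation as described in
# this chapter. It is not SafeGuard OS code; the operator names, the
# "value-of:<class.name>" string form, the ad.memberOf attribute and the
# sample events are all assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]  # attributes keyed as class.name, all string values


@dataclass
class Rule:
    attribute: str   # e.g. "system.authType"
    op: str          # "equals" or "contains" (assumed operator names)
    value: str

    def matches(self, event: Event) -> bool:
        actual = event.get(self.attribute)
        if actual is None:          # a missing attribute can never satisfy a rule
            return False
        if self.op == "equals":
            return actual == self.value
        if self.op == "contains":
            return self.value in actual
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class RuleMap:
    name: str
    precedence: int              # lower precedence value is evaluated first
    rules: List[Rule]            # evaluated in configured order; all must match
    role: str                    # literal role or "value-of:<class.name>"
    stop_on_match: bool = True   # stop (True) or continue (False) after a match
    hits: int = 0
    hit_failures: int = 0        # the "Hit Failure" counter from the text

    def matches(self, event: Event) -> bool:
        # all() short-circuits on the first failing rule: once the map cannot
        # match, the remaining rules in it are not evaluated.
        return all(rule.matches(event) for rule in self.rules)

    def resolve_role(self, event: Event) -> Optional[str]:
        prefix = "value-of:"
        if self.role.startswith(prefix):
            return event.get(self.role[len(prefix):])   # None if attribute absent
        return self.role


def evaluate(rule_maps: List[RuleMap], event: Event) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Apply the rule maps to one authentication event.

    Returns the derived role (None if no map assigned one) and a trace of
    (rule map name, outcome) pairs in evaluation order. When a map matches
    and processing continues, a later match overwrites the role (assumption).
    """
    role: Optional[str] = None
    trace: List[Tuple[str, str]] = []
    for rm in sorted(rule_maps, key=lambda m: m.precedence):
        if not rm.matches(event):
            trace.append((rm.name, "no match"))
            continue
        derived = rm.resolve_role(event)
        if derived is None:
            # value-of named an attribute the event lacks: treat it as a failed
            # match, count the failure, and move on to the next rule map.
            rm.hit_failures += 1
            trace.append((rm.name, "hit failure"))
            continue
        rm.hits += 1
        role = derived
        trace.append((rm.name, f"assigned {derived}"))
        if rm.stop_on_match:
            break
    return role, trace


def build_rule_maps() -> List[RuleMap]:
    """A fresh, deliberately unsorted rule-map configuration (constructed)."""
    return [
        RuleMap("systems-group", 20, [Rule("ad.memberOf", "contains", "CN=systems")], "systems"),
        RuleMap("radius-users", 5, [Rule("system.authType", "equals", "RADIUS")],
                "radius-user", stop_on_match=False),
        RuleMap("catch-all", 100, [], "guest"),   # no rules: matches every event
        RuleMap("any-filterid", 10, [], "value-of:radius.filterId"),
    ]


# Constructed sample login events, keyed in class.name notation.
EVENTS: Dict[str, Event] = {
    "radius_admin": {"system.userName": "alice", "system.srcIP": "10.0.0.5",
                     "system.authType": "RADIUS", "radius.filterId": "netadmin"},
    "ad_user": {"system.userName": "bob", "system.srcIP": "10.0.0.9",
                "system.authType": "AD", "ad.memberOf": "CN=systems,OU=groups"},
    "local_user": {"system.userName": "eve", "system.srcIP": "10.0.0.1",
                   "system.authType": "local"},
}


def derive_role(event_name: str) -> Tuple[Optional[str], List[Tuple[str, str]], int]:
    """Run one sample event through fresh rule maps; also return total hit failures."""
    maps = build_rule_maps()
    role, trace = evaluate(maps, EVENTS[event_name])
    return role, trace, sum(m.hit_failures for m in maps)


if __name__ == "__main__":
    for name in EVENTS:
        role, trace, failures = derive_role(name)
        print(f"{name}: role={role!r} hit_failures={failures}")
        for step in trace:
            print("   ", *step)
```

Running the script shows the three behaviours the text describes: alice is assigned "radius-user" by the precedence-5 map, which is configured to continue, and then "netadmin" from radius.filterId by the precedence-10 map, which stops; bob has no radius.filterId, so the value-of map records a hit failure and evaluation continues until the AD group map assigns "systems"; eve matches nothing but the catch-all and receives "guest".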