User Guide
OmniAccess SafeGuard OS Administration Guide
305
Chapter 7: Establishing a Security Policy
User Policies
User policies control user access to network resources. When a user logs on to the
network, the host starts authentication: it provides the user name and password to the
authentication server, such as Microsoft AD or Kerberos.
The SafeGuard device notes the machine’s IP address and user name, and that the host is in
the process of authenticating. When the authentication server sends back its response,
SafeGuard OS intercepts that information, which includes:
■ User name
■ Password credentials
■ IP address
■ MAC address
■ Authentication state
■ User role
The system matches the IP address and notes whether the user is authenticated or
unauthenticated. Using the configured role mapping rules and the information
intercepted from the authentication server, it derives a user role. Using a hierarchical
role system, it then applies all of the policies and rules that apply to that user based
on the user role. A user role is a designation for the user, for example a job
classification such as software engineer. If the role derived by applying the rule map is
not configured in the system, the user assumes the default 'authenticated' role.
Each policy is comprised of multiple rules, which are how traffic is matched. A rule
has two parts: a filter and an action. When a filter condition is true, its action might be
to allow or deny access to a resource. For example, all software engineers might be
allowed to use instant messaging (IM) but not allowed to access any of the Human
Resources or Finance servers. Figure 10 shows the relationship between policies, roles,
and rules.
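The following Python model is an added illustration of the flow described above (role mapping rules deriving a role from the intercepted authentication data, fallback to the default 'authenticated' role when the derived role is not configured, and policy rules made of a filter plus an allow/deny action evaluated up the role hierarchy). It is not SafeGuard OS code; the rule syntax, the first-match semantics, the "deny when no rule matches" default, the role names and the sample user records are all assumptions made for the example.

```python
"""Toy model of user-role derivation and role-based policy evaluation.
Added illustration, not SafeGuard OS code; rule syntax, hierarchy model,
role names and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthRecord:
    """Fields intercepted from the authentication response (constructed sample).
    Group membership is assumed to be one of the attributes available for mapping."""
    user: str
    ip: str
    mac: str
    authenticated: bool
    groups: Tuple[str, ...] = ()


@dataclass
class RoleMapRule:
    """Maps one intercepted attribute value to a role; first matching rule wins (assumption)."""
    attribute: str
    value: str
    role: str


@dataclass
class PolicyRule:
    """A rule is a filter (every listed field must match the traffic) plus an action."""
    filter: Dict[str, str]
    action: str  # "allow" or "deny"


DEFAULT_ROLE = "authenticated"

# Configured roles and their parent in the hierarchy (None = top of the chain).
ROLES: Dict[str, Optional[str]] = {
    "authenticated": None,
    "unauthenticated": None,
    "software_engineer": "authenticated",
}

# Role mapping rules. "sales" is deliberately NOT a configured role, so the
# second rule exercises the fallback to the default 'authenticated' role.
MAP_RULES: List[RoleMapRule] = [
    RoleMapRule("groups", "Engineering", "software_engineer"),
    RoleMapRule("groups", "Sales", "sales"),
]

# Policy rules per role, mirroring the example in the text: engineers may use IM
# but may not reach the HR or Finance servers; every authenticated user may reach
# the intranet server, and IM is otherwise denied.
POLICIES: Dict[str, List[PolicyRule]] = {
    "software_engineer": [
        PolicyRule({"app": "im"}, "allow"),
        PolicyRule({"server": "hr"}, "deny"),
        PolicyRule({"server": "finance"}, "deny"),
    ],
    "authenticated": [
        PolicyRule({"server": "intranet"}, "allow"),
        PolicyRule({"app": "im"}, "deny"),
    ],
}


def derive_role(rec: AuthRecord, map_rules: List[RoleMapRule],
                configured_roles: Dict[str, Optional[str]]) -> str:
    """Derive the user's role from the intercepted attributes. A derived role that
    is not configured falls back to DEFAULT_ROLE, as the guide describes."""
    if not rec.authenticated:
        return "unauthenticated"  # assumption: no mapping for unauthenticated hosts
    for rule in map_rules:
        attr = getattr(rec, rule.attribute, None)
        hit = rule.value in attr if isinstance(attr, tuple) else attr == rule.value
        if hit:
            return rule.role if rule.role in configured_roles else DEFAULT_ROLE
    return DEFAULT_ROLE


def role_chain(role: str, hierarchy: Dict[str, Optional[str]]) -> List[str]:
    """The role followed by its ancestors, most specific first."""
    chain: List[str] = []
    current: Optional[str] = role
    while current is not None:
        chain.append(current)
        current = hierarchy.get(current)
    return chain


def evaluate(role: str, traffic: Dict[str, str], hierarchy: Dict[str, Optional[str]],
             policies: Dict[str, List[PolicyRule]]) -> str:
    """Walk the role hierarchy; the first rule whose filter matches the traffic
    decides. A more specific role's rule therefore overrides an inherited one.
    No matching rule anywhere in the chain -> deny (assumption)."""
    for r in role_chain(role, hierarchy):
        for rule in policies.get(r, []):
            if all(traffic.get(k) == v for k, v in rule.filter.items()):
                return rule.action
    return "deny"


def decide(rec: AuthRecord, traffic: Dict[str, str]) -> str:
    """Full path: intercepted record -> role -> allow/deny for one traffic flow."""
    return evaluate(derive_role(rec, MAP_RULES, ROLES), traffic, ROLES, POLICIES)


# Constructed sample users (all addresses are placeholders).
ENGINEER = AuthRecord("alice", "10.0.0.5", "aa:bb:cc:dd:ee:01", True, ("Engineering",))
SALESREP = AuthRecord("bob", "10.0.0.6", "aa:bb:cc:dd:ee:02", True, ("Sales",))
GUEST = AuthRecord("guest", "10.0.0.7", "aa:bb:cc:dd:ee:03", False)

if __name__ == "__main__":
    for rec in (ENGINEER, SALESREP, GUEST):
        for flow in ({"app": "im"}, {"server": "hr"}, {"server": "intranet"}):
            print(rec.user, derive_role(rec, MAP_RULES, ROLES), flow, decide(rec, flow))
```

Running the block prints one decision per user and flow. The points worth noticing are that `bob` maps to the unconfigured `sales` role and so lands in `authenticated`, where IM is denied, and that `alice` inherits the intranet allow from `authenticated` while her own role's IM rule takes precedence over the inherited deny.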