Home > User Interface > Configuration > Policy Configuration > Authentication Rules
|
Menu path: Configuration > Policies and Access Control > Authentication Rules.
Authentication rules are associated with most authentication sources. They dictate what actions are performed when the authentication source is triggered.
There are four major fields in the rules description:
| Field | Usage | Example |
|---|---|---|
| Name | The name of the rule. | Catchall |
| Description | The intent of the rule. | Apply to all. |
| Matches | One of All or Any. All indicates that all of the conditions must be matched in order for the authentication source to be triggered. Any means that any of the conditions can be matched. | All |
| Conditions | The conditions that need to be met. The Matches field dictates whether all or just one of the conditions needs to be met. Conditions are further described below. | |
| Actions | The actions that should be performed if the conditions are met. Actions are further described below. |
Conditions are required; at a minimum a catchall condition should be used. The Matches field dictates
whether all or any of the conditions need to be met. New Conditions are added via the
Add Condition button.
After the first condition is created, additional conditions can be defined through
the use of the 
button and an entry can be deleted through the use of the
button. Conditions can be rearranged after creation. Conditions are divided into
three fields:
In this example, the condition is SSID equals Corporate. This will be matched if the SSID of the user is Corporate.
Condition Items
The condition items along with their operators and comparison values are described in the table below. The LDAP attributes in this list are controlled on the System Configuration > Main Configuration > Advanced page.
| Condition | Comparison Operators | Comparison Values |
|---|---|---|
| SSID | starts, equals, contains, ends, matches regexp | The SSID of the user's wireless connection. |
| Current time | is before, is after | HH:MM |
| Current time period | in time period | wd {Mon-Fri} hr {9am-5pm} |
| Connection type | is, is not |
|
| Computer name | starts, equals, contains, ends, matches regexp | The name of the user's computer. |
| MAC address | starts, equals, contains, ends, matches regexp | The MAC address of the user's computer. |
| Realm | starts, equals, contains, ends, matches regexp | The realm matching the user's authentication. |
| UserPrincipalName | starts, equals, contains, ends, matches regexp, is member of | The user's principal name matching. |
| cn | starts, equals, contains, ends, matches regexp, is member of | A common name (CN) component of an AD/LDAP distinguished name (DN). For example Users in CN=Users. |
| department | starts, equals, contains, ends, matches regexp, is member of | The department component of a DN. |
| description | starts, equals, contains, ends, matches regexp, is member of | The description component of a DN. |
| displayName | starts, equals, contains, ends, matches regexp, is member of | First, middle, and last name components of a DN. |
| distinguishedName | starts, equals, contains, ends, matches regexp, is member of | The full DN from an AD/LDAP entry. |
| eduPersonPrimaryAffiliation | starts, equals, contains, ends, matches regexp, is member of | When using Eduroam authentication, the user's primary institutional affiliation |
| givenName | starts, equals, contains, ends, matches regexp, is member of | The first name of a user's DN. |
| groupMembership | starts, equals, contains, ends, matches regexp, is member of | The group membership in the user's DN. |
| starts, equals, contains, ends, matches regexp, is member of | The mail attribute of the user's DN. | |
| memberOf | starts, equals, contains, ends, matches regexp, is member of | Matches the organization attributes of a DN, including CN and OU. |
| nested group | starts, equals, contains, ends, matches regexp | Matches a security groups whose members are other security groups as opposed to users. |
| postOfficeBox | starts, equals, contains, ends, matches regexp, is member of | The postOfficeBox attribute of the user's DN. |
| sAMAccountName | starts, equals, contains, ends, matches regexp | The account name in the user's DN. |
| sAMAccountType | starts, equals, contains, ends, matches regexp | The account type in the user's DN. |
| servicePrincipalName | starts, equals, contains, ends, matches regexp, is member of | The client's service principal name. |
| sn | starts, equals, contains, ends, matches regexp, is member of | The surname in the user's DN. |
| uid | starts, equals, contains, ends, matches regexp, is member of | The uid in the user's DN. |
| userAccountControl | starts, equals, contains, ends, matches regexp | The userAccountControl settings in the user's DN. |
Comparison Operators
The comparison operators used in conditions are described in the table below.
| Operator | Used in | Usage |
|---|---|---|
| starts | These operators are used for all text comparisons. | The string starts with the comparison value. |
| equals | The string matches the comparison value. | |
| contains | The string contains the comparison value. | |
| ends | The string ends with the comparison value. | |
| matches regexp | The string is matched against a regular expression (regexp). Regexp is a powerful language for expressing string matches. An introduction to regexps can be found here. | |
| is member of | Used within DN matching. | The string matches a group within the DN. |
| is before | Current time | The current time is before a particular hour and minute expressed as HH:MM. |
| is after | Current time | The current time is after a particular hour and minute expressed as HH:MM. |
| in time period | Current time period |
The current time is within a time period expressed as described here. For example, working hours can be expressed as wd {Mon-Fri} hr {9am-5pm}. |
| is | Connection type | Matches a particular connection type. |
| is not | Connection type | Ensure that the connection is NOT a particular connection type. |
Actions
Actions dictate what is to happen if the authentication rule rule applies and all/any Conditions are met. The possible actions and their settings are described in the table below:
| Action | Options |
|---|---|
| Role | Select one of the defined Roles. For example: guest. |
| Access duration | Select one of the available durations. This is a required action. |
| Unregistration date | The date on which the user will be unregistered, expressed as yyyy-mm-dd. Access will cease on that date. |
| Time balance | Select one of the available durations. The time balance can be used over multiple sessions. |
| Bandwidth balance |
The amount of data that can be transferred. The format is:[DIRECTION][LIMIT][INTERVAL(optional)]The DIRECTION can be set to inbound (IN), outbound (OUT), or total (TOT) bandwidth. The LIMIT number can be set in units of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB), or petabytes (PB). The INTERVAL is the time window during which potential abuse will be measured; this can be set in number of days (D), weeks (W), months (M), or years (Y). For example, IN50GB1M limits incoming traffic to 50 GB per month. |
Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.