System Overview - D-Link DUA-2000 User Manual

D-Link DUA-2000 Policy Manager User Manual
4. System Overview

The Policy Manager works by authenticating clients and devices using either a username
and password combination or a MAC address. Depending on the policy type, users will
either be authenticated using their username and password (if they are a configured user on
the system), be authenticated as a guest or be authenticated as a device.
The process begins with an unauthenticated client or device supplying a username and
password or a MAC address to the Wireless Controller. This is, in turn, supplied to the Policy
Manager, which will attempt to authenticate the client using various sources and policies. If it
is not possible to authenticate the client, then the client will be denied access to the network.
The Policy Rule on the Policy Manager is the configuration entity which binds all of the
configuration elements, such as the User Group, Device Type, Location Profile and
Schedule Profile, together. It is linked with the Authentication Database, which can
authenticate against LDAP, Active Directory, POP3, RADIUS and the Policy Manager's
internal SQL database. Once authentication is complete, the Authorization Profile is
returned to the Wireless Controller, providing Layer 2 and Layer 3 network settings and
session timeout information to be applied to the client or device.
If a device MAC address is supplied to the Policy Manager as the username, the Policy
Device User Type is applied to the account and the device is authenticated using the Policy
Rule.
If a username and password are supplied to the Policy Manager, then either the Policy User
or the Policy Guest User Type is applied to the account, depending on whether the user has
been configured as a guest. If they have, then the user is authenticated using the Policy Rule.
If a username has been supplied as a Policy User, then there are several more steps
required to authenticate the user and the device they are logging in from.
The Group MAC Binding feature specifies whether any devices have been associated with
the user account. If they have, then the Property Group Usage field is used; if they have not,
then the user is authenticated using the Policy Rule.
If the device Usage is set to Single User or Multiple users then the Binding Device List on
the Account is consulted to verify that the user is logging in from an approved device. If the
device Usage is set to Public Users, then the user is authenticated using the Policy Rule.
Once it has been verified that the configured user has supplied the correct username and
password and that they're logging in from a permitted device, they are authenticated using
the Policy Rule.
Users or devices can be authenticated using either a web page, which allows them to supply
a username and password, or via software running on the directly attached switch, which
authenticates the device using the MAC address as the username.
See the diagram in Figure 5-1 for a logical system overview.
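
The decision flow described above can be traced with the following sketch, which is an added example and not code from D-Link or the Policy Manager. It records which checks each path passes through before the Policy Rule is evaluated. All names are hypothetical; `credentials_ok` stands in for the Authentication Database result, the Property Group Usage field is simplified onto the account, and a deny on an unlisted device is an assumed outcome.

```python
import re
from dataclasses import dataclass, field

# Illustrative model only: names are hypothetical, not the Policy Manager's API.
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-]?[0-9a-f]{2}){5}$", re.I)

def norm_mac(mac):
    """Lower-case a MAC address and drop separators so formats compare equal."""
    return re.sub(r"[^0-9a-f]", "", (mac or "").lower())

@dataclass
class Account:
    is_guest: bool = False
    group_mac_binding: bool = False   # are any devices associated with the account?
    usage: str = "Public Users"       # Property Group Usage, simplified onto the account
    binding_device_list: set = field(default_factory=set)  # normalised MACs

def decide(username, device_mac, credentials_ok, accounts):
    """Return (user_type, steps); the last step is 'policy_rule' or 'deny'."""
    if MAC_RE.match(username):
        # MAC supplied as the username: the device path, no password involved.
        return "Policy Device", ["mac_as_username", "policy_rule"]
    acct = accounts.get(username)
    if acct is None or not credentials_ok:
        return None, ["credentials", "deny"]
    if acct.is_guest:
        return "Policy Guest", ["credentials", "policy_rule"]
    steps = ["credentials", "group_mac_binding"]
    if acct.group_mac_binding:
        steps.append("usage")
        if acct.usage != "Public Users":   # Single User or Multiple users
            steps.append("binding_device_list")
            if norm_mac(device_mac) not in acct.binding_device_list:
                return "Policy User", steps + ["deny"]   # assumed outcome
    return "Policy User", steps + ["policy_rule"]

# Constructed sample accounts, not taken from any real deployment.
SAMPLE_ACCOUNTS = {
    "alice": Account(group_mac_binding=True, usage="Single User",
                     binding_device_list={"aabbcc001122"}),
    "bob": Account(group_mac_binding=True, usage="Public Users"),
    "carol": Account(),
    "guest1": Account(is_guest=True),
}

if __name__ == "__main__":
    for user, mac in (("alice", "AA:BB:CC:00:11:22"), ("alice", "aa:bb:cc:00:11:99")):
        print(user, mac, decide(user, mac, True, SAMPLE_ACCOUNTS))
```

Only the Single User and Multiple users paths consult the Binding Device List; every other path reaches the Policy Rule on credentials or the supplied MAC address alone.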