User Guide for Alcatel-Lucent omniaccess
Chapter 8
Configuring Firewall Roles and Policies
This chapter discusses configuring firewall roles and policies in
an Alcatel network. The firewall roles and policies form the
cornerstone of all functionality in an Alcatel Mobility Controller.
Every “user” in the system is associated with a “role” and this
role determines the privileges associated with the “user”.
Every user in an Alcatel network is associated with a user role.
The user role is defined as the set of network privileges permitted
to a user associated with that role. This concept of users and
user roles is central to the entire functioning of the Alcatel
network.
In a practical scenario, the administrator can configure firewall
policies by creating a new firewall policy and adding rules to the
policy or by editing existing pre-defined firewall policies. The
administrator can then associate a set of these firewall policies
with a user role to define the network privileges associated with a
user role.
Every user that associates to the Alcatel network is first placed in
a pre-defined initial role called the “logon” role. This role has
just enough privileges to let the user authenticate through one of
the available authentication methods and then be placed in a user
role accordingly. The role of an authenticated user can be derived
through the following mechanisms:
1. Server derivation rules: The administrator can configure these
rules to compare attributes returned by the authentication server
(such as RADIUS attributes) against configured values, using one of
several match conditions, and derive a role for the authenticated
user from the result.
As an example, consider a user abc authenticated using a RADIUS
server. The administrator can create a rule that says: if attribute x
contains the string “xyz”, the user shall derive a role called
“Authenticated-user-role1”. Refer to “Configuring AAA Servers”
on page 81 for more explanation on how to configure these rules.
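As an added illustration, not taken from the Alcatel guide itself, the following Python model shows how server derivation rules turn the attributes returned by the authentication server into a role, using the chapter's own rule (attribute x contains “xyz” gives “Authenticated-user-role1”). The set of match conditions, the first-match evaluation order and the second rule on the RADIUS Filter-Id attribute are assumptions; a user whose attributes match no rule keeps the restricted logon role.

```python
from dataclasses import dataclass

# Assumed match conditions; the chapter's example only uses "contains".
OPERATORS = {
    "equals": lambda attr, val: attr == val,
    "contains": lambda attr, val: val in attr,
    "starts-with": lambda attr, val: attr.startswith(val),
}

# Pre-defined initial role every user starts in (from the chapter text).
LOGON_ROLE = "logon"


@dataclass(frozen=True)
class DerivationRule:
    attribute: str  # name of the server-returned attribute to inspect
    operator: str   # key into OPERATORS
    value: str      # configured value to compare against
    role: str       # role derived when the rule matches


def derive_role(attributes, rules, default=LOGON_ROLE):
    """Derive a user role from the attributes the auth server returned.

    Assumption: rules are evaluated in order and the first match wins.
    If no rule matches, the user keeps the restricted default role, so a
    missing or unexpected attribute never grants more privilege."""
    for rule in rules:
        attr_value = attributes.get(rule.attribute)
        if attr_value is None:
            continue  # attribute absent from the reply; rule cannot match
        if OPERATORS[rule.operator](attr_value, rule.value):
            return rule.role
    return default


# Constructed rule set: the chapter's rule plus one assumed exact-match rule.
RULES = [
    DerivationRule("x", "contains", "xyz", "Authenticated-user-role1"),
    DerivationRule("Filter-Id", "equals", "guest", "guest-role"),
]


def demo():
    # Constructed RADIUS replies, keyed by attribute name, one per user.
    replies = {
        "abc": {"x": "xyz"},             # the chapter's example user
        "bob": {"x": "not-xyz-at-all"},  # substring still satisfies "contains"
        "eve": {"Filter-Id": "guest"},
        "dan": {"x": "abc"},             # matches nothing: stays in logon role
    }
    return {user: derive_role(attrs, RULES) for user, attrs in replies.items()}
```

The “bob” case shows why a contains-style rule should be used with care: any attribute value that merely includes the configured string matches, so an exact-match rule is the safer choice when the attribute is meant to carry one specific value.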