User Guide: AMF Security mini version 2.2.1

Providing Guest Network by the UnAuth Group

Quick Tour > Providing Guest Network by the UnAuth Group

What is the UnAuth Group
Judgment order when registering multiple UnAuth Groups
Adding the UnAuth Group
Registering AMF Members
Registering Guest Network
Registering Location
Registering Schedule
Adding the UnAuth Group

This section explains how to allow unregistered devices to temporarily use your network according to the specific security policy.
You can use the "UnAuth Group" to provide unregistered devices with the guest network service.


What is the UnAuth Group

Devices that fail normal authentication and that match specific Location and Schedule conditions are called the UnAuth Group, and are connected to a dedicated network.

Devices are regarded as unauthenticated if

To connect an UnAuth Group to the network, you can set Location and Schedule.
If you specify both Location and Schedule, the group can access the network only if the both conditions are met.

While a device is connecting to the network as a member of the UnAuth Group, the device is automatically moved to the other network prepared for the authorized devices when the device gets promoted to the authorized state (because the scheduled time has begun for example).

This section describes an example in which the security policies shown in the following table:

Table 1: A security policy for a registered device
Schedule Start Date / Time Schedule End Date / Time Network
20XX-04-01 00:00:00 20XX-09-30 23:59:59 VLAN10

Table 2: A security policy for the UnAuth Group.
Schedule Start Date / Time Schedule End Date / Time Network
None None VLAN20

When a device gets connected to a network for the first time at "20XX-04-01 10:00:00", AMF Member on the network do not have packet control flow for the device. Then the device is authenticated and assigned to the VLAN10 because it matches the security policy of the registered device (i.e. the access time is within the schedule of the policy).

But if the device gets connected before "20XX-04-01 00:00:00" (e.g. at "20XX-03-30 10:00:00"), it is put into the UnAuth Group and assigned to the VLAN20 because it does not match the security policy of the registered device (i.e. the access time is out of the schedule of the policy) but matches the policy of the UnAuth Group.

As the time goes on, the device is re-assigned to the VLAN10 at "20XX-04-01 00:00:00" because the time suddenly goes into the valid range of the security policy for the registered device.


Judgment order when registering multiple UnAuth Groups

If multiple UnAuth Groups are registered, the judgment is made in the order of the priority of the policy assigned to each UnAuth Group. Therefore, set different priorities for each policy.

Please note that if multiple UnAuth Groups are registered and some of them have no policy, the UnAuth Group is not be judged.

Also, set the priority even if you do not need to register Network, Location, and Schedule policies.

If there is only one UnAuth Group, there is no need to prioritize the policy of that UnAuth Group.

The above also applies to UnAuth Group (if the "Only detecting the device." checkbox is checked).


Adding the UnAuth Group

Here, after following the steps in the Quick Tour Manually Adding Devices > Registering AMF members, the following is an example of adding "AMF-Member_2" as an AMF Member and providing a guest network to devices connected via this AMF Member during a prescribed period.


Registering AMF Members

Register a host with the hostname "AMF-Member_2" as an AMF Member.
  1. Open the Switches > Active AMF Member List page.

  2. Before registration, Register Status column shows a string "Unregistered" and you can see the "Register" button next to it.
    To register the AMF-Member_2, click the "Register" in the row whose Register Status shows "AMF-Member_2" to open the Switches > AMF Member Add page.

  3. Enter something in Note.
    Note
    Account Group ID to which you belong must be set in advance. In this chapter, no Account Group ID is set.

    As an example, configure the settings shown in the following table:

    Table 3: Sample Configuration Data
    Item Name Value Description
    Name (Mandatory) AMF-Member_2 (Not Changed) Name of the AMF Member.
    The Name cannot be the one already used in the Switches > AMF Member List page.
    Max 255 characters. Can use alphanumeric, hyphen (-) and underscore (_).
    Account Group ID (None) Select Account Group ID to which AMF Member belongs.
    Note #1F Switch Arbitrary string (comment) for the AMF Member.
    Max 255 characters.
    Note
    Name must be the same as the host name of AMF Member. This is because AMF Member is managed by the host name of AMF Member.

  4. Click "Submit".
    Once the AMF Member is registered, the Switches > AMF Member List page reflects the newly added information.




Registering Guest Network

To separate unauthenticated devices from the production network, add a new network for guest access.

  1. Open the Policy Settings > Network List page.

    This page shows the list of networks registered in AMF Security mini's database.
    At this point, the network "Sales" (vlan123) is registered.

  2. Click the "Add Network" button at the top right corner to move to the Policy Settings > Add Network page.

    This page lets you specify a network ID (network name) and a VLAN ID for the network.
    Later you can use the network to specify which VLAN a device can belong to. AMF Security mini achieves this by telling switches to add appropriate VLAN tags to the packet originating from the allowed devices.

  3. Enter information for the network to add.

    As an example of registering the network "Guest", configure the settings shown in the following table:

    Table 4: Sample Configuration Data
    Item Name Value Description
    Network ID (Mandatory) Guest ID (Name) of the network.
    Network ID must be unique.
    Max 255 characters
    VLAN ID (Mandatory) 30 A VLAN ID for the network. You cannot specify a VLAN ID which is already assigned to another network.
    If you specify VLAN ID 0, VLAN tag is not added for the network. This is the same as the network is not specified in a policy.
    VLAN ID must be in the range of 0 to 4094.
    Note Guest Network Arbitrary string (comment) for the network.
    Max 255 characters.

  4. Click "Submit".
    Once the network is registered, the Policy Settings > Network List page reflects the newly added information.


Registering Location

Add a new location where the AMF Member are installed.
Location can be added on the Policy Settings > Add Location page.
This time, AMF Member "AMF-Member_2" is added to the new location "1F Conference Room".

  1. Open the Policy Settings > Location List page.

    This page lists registered locations in AMF Security mini. At this point, only location "1F" is registered.

  2. Click the "Add Location" button at the top right corner of the Policy Settings > Location List page to move to the Policy Settings > Add Location page.


  3. Enter information about the new location.

    As an example of registering the location "1F Conference Room", configure the settings shown in the following table:

    Table 5: Sample Configuration Data
    Item Name Value Description
    Location ID (Mandatory) 1F Conference Room ID (Name) of the location.
    Location ID must be unique.
    Max 255 characters
    Note 1F Conference Room Arbitrary string (comment) for the location.
    Max 255 characters.

  4. Click the "Select" button next to "OpenFlow Switches / AMF Members".
    The Policy Settings > OpenFlow Switches / AMF Members dialog appears and shows the AMF Member "AMF-Member_2".
    Assuming that the already registered "AMF-Member_2" is installed at the physical location "1F Conference Room", check the check box at the left end of the "AMF-Member_2" line.


  5. Click "Submit".
    In the Policy Settings > Add Location page, the selected "AMF-Member_2" is displayed in the "OpenFlow Switches / AMF members".


  6. Click "Submit".
    Once the location was added, the Policy Settings > Location List page reflects the newly added information.


Registering Schedule

Add a new schedule to define a time period when the guest network can be accessible. By adding the schedule, you can permit unauthorized devices only in that period.
  1. Open the Policy Settings > Schedule List page.

    This page shows the list of schedules.
    At this point, the schedule "March Events" is registered.

  2. Click the "Add Schedule" button at the top right corner of the Policy Settings > Schedule List page to move to the Policy Settings > Add Schedule page.

    By adding schedules, you can control when a device can connect to the network. If one of the Starting or End Date / Time is not specified in a schedule, AMF Security mini treats it as if it has no time limitation.

  3. Enter information about the new schedule.

    As an example of registering the schedule "October Event", configure the settings shown in the following table:

    Table 6: Sample Configuration Data
    Item Name Value Description
    Schedule ID (Mandatory) October Event ID (Name) of the schedule.
    Schedule ID must be unique.
    Max 255 characters
    Start Date / Time 2020-10-10 00:00:00 The beginning of the time range when a device is allowed to connect to the network.
    Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
    End Date / Time 2020-10-31 00:00:00 The end of the time range when a device is allowed to connect to the network.
    Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
    Note (empty) Arbitrary string (comment) for the schedule. Max 255 characters.

  4. Click "Submit".
    Once the schedule was added, the Policy Settings > Schedule List page reflects the newly added information.


Adding the UnAuth Group

Create the UnAuth Group using the newly added security policy elements.

  1. Open the Group > UnAuth Group List page.


  2. Click the "Add UnAuth Group" button at the top right corner to move to the Group > Add UnAuth Group page.


  3. Make sure that "Enabled" is checked.

  4. Enter a Group ID and a Note for the group.
    In this example, set the Group ID to "Event Guest" and set the Note to blank.


  5. Make sure that "Only detecting the device." checkbox is unchecked.
    If checked, MAC Addresses that match the security policy of the UnAuth Group are only detected, and no flow is created to connect to the network.

  6. Click the "Add" button next to "Policies" to open the Group > Edit Policy dialog.


  7. Now let's specify a priority for the security policy.
    In this example, set the priority to "30".

  8. Specify a network for the UnAuth Group.
    In this example, set the network to "Guest".

  9. Then specify conditions for devices to be in the UnAuth Group.
    In this example, set the location to "1F Conference Room" and set the schedule to "October Event".


  10. Click "Submit" to go back to the Group > Add UnAuth Group page.
    "Policies" section of the Group > Add UnAuth Group page shows the security policy which you have just added.


  11. Click "Submit" to go back to the Group > UnAuth Group List page.
    With those settings, devices with MAC address which are not in AMF Security mini device authentication data can access the network "Guest" (vlan30) through the AMF Member "AMF-Member_2" in the location "1F Conference Room" during the time period from 2020/10/10 to 2020/10/31 specified by the UnAuth Group "Event Guest".


  12. To view the list of devices belonging to the UnAuth Group, go to the Device > Active Device List page.
    The MAC addresses of devices connected to AMF Members managed by AMF Security mini are listed.
    You can see "Event Guest" in the Device ID column and "vlan=30 id=Guest" in the Connecting Network column. You can also see "Authorized" in the Status column.



(C) 2022 Allied Telesis, Inc. All rights reserved.

C613-04126-00 Rev A

28 Jan 2022 14:19