Quick Tour/Authentication using Tag
This section describes how to configure authentication using a Tag assigned to a Device ID (Device) registered with AMF Security.
What is authentication using Tag
AMF Security can authenticate using policies assigned to a Tag, in addition to security policies assigned to devices and the UnAuth Group. Normally, a terminal (MAC Address) is registered as an AMF Security device as follows, and a policy is associated with it.
Device ID (first) | |
---|---|
Device ID | User 1 |
Interface (MAC Address) | 00:00:00:00:00:01, 00:00:00:00:00:02 |
Policies | VLAN100 |

Device ID (second) | |
---|---|
Device ID | User 2 |
Interface (MAC Address) | 00:00:00:00:00:03, 00:00:00:00:00:04, 00:00:00:00:00:05 |
Policies | VLAN100 |
When the network each user connects to is managed by registering the user's terminals as described above, changing that network requires changing the setting (policy) of each user individually.
In such cases, authentication using tags can be used to change them all at once.
Device ID (first) | |
---|---|
Device ID | User 1 |
Interface (MAC Address) | 00:00:00:00:00:01, 00:00:00:00:00:02 |
Policies | None |

Device ID (second) | |
---|---|
Device ID | User 2 |
Interface (MAC Address) | 00:00:00:00:00:03, 00:00:00:00:00:04, 00:00:00:00:00:05 |
Policies | None |

Tag | |
---|---|
Tag | Group A |
Policies | VLAN100 |
In this case, the basic operation is the same, but by changing the policy of the separately created tag, you can change the network that all of these users connect to at once.
Locations and schedules can be set for policies set to tags. For example, if the network to be connected changes depending on the location, this can be achieved by setting the location of the policy.
Note: TQ's AMF Application Proxy does not support location and schedule items.
About the judgment order of Tag
Policies assigned to tags are judged in ascending order of priority. If multiple tags are registered, the policies assigned to those tags are judged in order of priority, so set a different priority for each policy.
Note that tags without a policy are not subject to judgment, regardless of whether one tag or multiple tags are registered. If you don't need networks, locations, or schedules, set a priority-only policy.
Configuration example using Tag
This section configures the scenario described in Quick Tour/Authentication using Tag > What is authentication using Tag as an example. The information of the terminals to be registered with AMF Security is assumed to be as follows.
- User 1 (user_1) owns two terminals (PC-1, PC-2)
- User 2 (user_2) owns 3 terminals (PC-3, PC-4, PC-5)
- Each terminal is connected to VLAN100
- The network to which the terminal connects is VLAN100
- Register user 1 (user_1) and user 2 (user_2) as devices
- Set common tags for devices
- Do not set policies on devices
- Set a policy for the tag (set network VLAN 100 to which the terminal connects)
For example, if you want to change the network that connects five terminals from VLAN100 to VLAN101, you can simply change the network to VLAN101 in the tag policy.
Device ID (first) | |
---|---|
Device ID | user_1 |
Tag | group_A |
Interfaces | |
MAC Address | 00:00:00:00:00:01 |
Name | PC-1 |
Interfaces | |
MAC Address | 00:00:00:00:00:02 |
Name | PC-2 |
Policies | None |

Device ID (second) | |
---|---|
Device ID | user_2 |
Tag | group_A |
Interfaces | |
MAC Address | 00:00:00:00:00:03 |
Name | PC-3 |
Interfaces | |
MAC Address | 00:00:00:00:00:04 |
Name | PC-4 |
Interfaces | |
MAC Address | 00:00:00:00:00:05 |
Name | PC-5 |
Policies | None |

Tag | |
---|---|
Tag | group_A |
Policies | VLAN100 |
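
The judgment rules and the configuration example above can be checked offline with the following added example, which is not AMF Security's own code or data format. The dictionary layout, the `judge()` and `lint()` names, and the rule that an empty location matches every location are assumptions made for illustration.

```python
# Added illustration of the tag judgment rules; the data layout and the
# judge()/lint() names are assumptions, not AMF Security's format or API.

# Constructed sample data mirroring the configuration example above.
DEVICES = {
    "user_1": {"tags": ["group_A"],
               "macs": ["00:00:00:00:00:01", "00:00:00:00:00:02"]},
    "user_2": {"tags": ["group_A"],
               "macs": ["00:00:00:00:00:03", "00:00:00:00:00:04",
                        "00:00:00:00:00:05"]},
}
TAGS = {"group_A": [{"priority": 10, "network": "VLAN100", "location": None}]}


def judge(mac, location, devices, tags):
    """Return the first matching tag policy for a MAC, or None."""
    owner = next((d for d in devices.values() if mac.lower() in d["macs"]), None)
    if owner is None:
        return None  # unregistered MAC address: no policy, connection denied
    # Tags without a policy contribute nothing; the remaining policies are
    # judged in ascending order of priority across all of the device's tags.
    candidates = sorted(
        (p for t in owner["tags"] for p in tags.get(t, [])),
        key=lambda p: p["priority"],
    )
    for policy in candidates:
        # Assumption: an empty location matches every location.
        if policy["location"] in (None, location):
            return policy
    return None


def lint(devices, tags):
    """Report tags that are never judged and ambiguous priorities."""
    findings = []
    for name, policies in tags.items():
        if not policies:
            findings.append(f"tag {name}: no policy, not subject to judgment")
    for dev_id, dev in devices.items():
        prios = [p["priority"] for t in dev["tags"] for p in tags.get(t, [])]
        dupes = sorted({p for p in prios if prios.count(p) > 1})
        if dupes:
            findings.append(f"device {dev_id}: duplicate priorities {dupes}")
    return findings
```

Changing `"network"` in the single `group_A` policy to `"VLAN101"` moves all five terminals at once, and `lint()` returns an empty list for this configuration.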
Flow of setting using Tag
The setting flow is shown below.
- Register networks on the Policy Settings > Network List page
- Register tags on the Group > Tag List page
- Register devices on the Device > Add Device page
Registering Network
Register the network to connect to. Networks can be registered on the Policy Settings > Network List page.
- Open the Policy Settings > Network List page.
- Click the "Add Tag" button at the top right corner to move to the Group > Add Tag page.
- Enter information for the network to add.
Configure the settings shown in the following table:
Table 6: Sample Configuration Data

Item Name | Value |
---|---|
Network ID | VLAN100 |
VLAN ID | 100 |
Note | (empty) |

- Click the "Submit" button.
Once the network is registered, the added information is displayed on the Policy Settings > Network List page.
Registering Tag
Register tags based on the set policy. Tags can be registered on the Group > Tag List page.
- Open the Group > Tag List page.
- Click the "Add Tag" button at the top right corner to move to the Group > Add Tag page.
- Enter information for the tag to add.
Configure the settings shown in the following table:
Table 7: Configurable fields

Item Name | Value |
---|---|
Tag | group_A |
Note | (empty) |

- Click the "Add" button next to "Policies" to open the Group > Edit Policy dialog.
- Enter information for the policy.
Configure the settings shown in the following table:
Table 8: Configurable fields

Item Name | Value |
---|---|
Priority | 10 |
Network | VLAN100 |
Location | (empty) |
Schedule | (empty) |

- Click the "Submit" button to return to the Group > Add Tag page.
- Click the "Submit" button.
Once the tag is registered, the added information is displayed on the Group > Tag List page.
Registering Device
Register the Device ID (Device) in AMF Security. Devices can be registered on the Device > Add Device page.
1. Open the Device > Device List page.
2. Click the "Add Device" button at the top right corner of the Device > Device List page to move to the Device > Add Device page.
On this page, register the device ID and tag of the new device.
3. Enter information about the new device.
Configure the settings shown in the following table:
Table 9: Configurable fields

Item Name | Value |
---|---|
Device ID | user_1 |
Tag | group_A |
Note | (empty) |

4. Next, you have to enter the interface MAC Address of the device. AMF Security denies all network connections from unregistered MAC Addresses.
Click the "Add" button next to "Interfaces" to open the Device > Edit Interface dialog.
5. Register the MAC Address and name of the first terminal of "User 1 (user_1)".
Configure the settings shown in the following table:
Table 10: Configurable fields

Item Name | Value |
---|---|
MAC Address | 00:00:00:00:00:01 |
Name | PC-1 |
Note | (empty) |

6. Click the "Submit" button.
The "Interfaces" section of the Device > Add Device page now shows the interface MAC Address which you just entered.
7. Register the MAC Address and name of the other terminal using the same procedure as steps 4 to 6.
Configure the settings shown in the following table:
Table 11: Configurable fields

Item Name | Value |
---|---|
MAC Address | 00:00:00:00:00:02 |
Name | PC-2 |
Note | (empty) |

8. Since no policy is set for this device "user_1", just click the "Submit" button.
Once the device is registered, the newly added information is displayed on the Device > Device List page.
9. Register the "Device ID" of "user_2" using the same procedure as steps 2 to 8.
For the tag to be registered in the "Device ID" of "user_2", register "group_A", which is common with "user_1".
Table 12: Configurable fields

Device

Item Name | Value |
---|---|
Device ID | user_2 |
Tag | group_A * Same as "user_1" |
Note | (empty) |

Interfaces

Item Name | Value |
---|---|
MAC Address | 00:00:00:00:00:03 |
Name | PC-3 |
Note | (empty) |

Interfaces

Item Name | Value |
---|---|
MAC Address | 00:00:00:00:00:04 |
Name | PC-4 |
Note | (empty) |

Interfaces

Item Name | Value |
---|---|
MAC Address | 00:00:00:00:00:05 |
Name | PC-5 |
Note | (empty) |

- Device > Add Device page
- Device > Device List page
- Device > Add Device page
19 Apr 2023 14:12