IMC User Access Manager 7.1 (E0302P15) Copyright (c) 2015 Hewlett-Packard Development Company, L.P. and its licensors.

Transcription

1 IMC User Access Manager 7.1 (E0302P15) Copyright (c) 2015 Hewlett-Packard Development Company, L.P. and its licensors. Table of Contents 1. What's New in this Release 2. Problems Fixed in this Release 3. UAM Software Distribution Contents 4. Installation Prerequisites 5. Typical Installation 6. Upgrade Installation 7. Un-Installation 8. Multi-Language Support of IMC on Windows 9. Restrictions and Cautions 10. Port Usage 11. Known Problems What's New in this Release IMC UAM 7.1 (E0302P15) can be upgraded from IMC UAM 7.1 (E0302), IMC UAM 7.1 (E0302H03), IMC UAM 7.1 (E0302P06), IMC UAM 7.1 (E0302P07), IMC UAM 7.1 (E0302P08), IMC UAM 7.1 (E0302H09), IMC UAM 7.1 (E0302P10), IMC UAM 7.1 (E0302P13), and IMC UAM 7.1 (E0302P14). The following lists all features released after IMC UAM 7.0 (E0103). Features released in IMC UAM 7.1 (E0302P15) 1. The auto-cancel accounts tasks support canceling guests in a specific guest group based on the criteria Idle Days and Account Prefix of guests. 2. The last logoff time of accounts can be exported in batch. Features modified in IMC UAM 7.1 (E0302P15) 1. The shared key of the access device supports a maximum of 128 characters. Features released in IMC UAM 7.1 (E0302P14) None. Features released in IMC UAM 7.1 (E0302P13) 1. Comments can be added to guests who are registered by scanning a QR code. 2. A query criterion was added to filter out guests who never come online.

2 3. The Description field was added to the Add MAC Address Range page for mute terminal user configuration profiles. 4. The Top10 User Groups by Online Count widget was added.the 24-Hour Online History line chart can display the number of current online users. 5. The Creator field was added as an access user query criterion. 6. After a user modifies the password, the system automatically deletes the MAC address information that is bound to the user for transparent authentication. 7. A toggle switch was added to the self-service center to enable or disable transparent authentication for MAC addresses separately. Features released in IMC UAM 7.1 (E0302P10) 1. imc TAM provides RESTful APIs. Features released in IMC UAM 7.1 (E0302H09) None. Features released in IMC UAM 7.1 (E0302P08) 1. Unified authentication URL for logging in to the touch-version self-service center. This feature is configurable under User > User Access Policy > Service Parameters > Unified Authentication. 2. User self-service menu customization based on user groups. This feature is configurable under User > User Access Policy > Customize Terminal Pages > Self-Service Page. Features modified in IMC UAM 7.1 (E0302P08) 1. Portal authentication supports the two-factor authentication method by using account password + dynamic password. This feature is configurable under User > User Access Policy > Customize Terminal Pages > Portal Page. 2. The Domain Controller OS Version parameter was deleted from the User > User Access Policy > LDAP Service > LDAP Parameters page. Features released in IMC UAM 7.1 (E0302P07) 1. Information about the visited department and receptionist was added to guest registration notifications sent through s and SMS messages. This feature is configurable under User > Deliver Message > Configuration. 2. Third party authentication policies support account registration through third party systems. This feature is configurable under User > User Access Policy > Third-Party Authentication. 3. Endpoint aging policies support aging endpoints by binding time or by idle time. This feature is configurable under User > User Access Policy > Service Parameters > System Settings > Endpoint Aging Policy. 4. The Modify Endpoint Aging Policy Type parameter with By OS and By User Group options was added. The parameter setting applies to all endpoint aging

3 policies. This feature is configurable under User > User Access Policy > Service Parameters > System Settings > Endpoint Aging Policy. 5. The Blacklist Period parameter was added, enabling auto removal of users from the blacklist after the specified time interval. This feature is configurable under User > User Access Policy > Service Parameters > System Settings > System Parameters. 6. EAP certificate authentication supports root certificate chains. This feature is configurable under User > User Access Policy > Service Parameters > Certificate. Features released in IMC UAM 7.1 (E0302P06) 1. The license agreement can be added to the customized pages for quick deployment. This feature is configurable under User > Quick Start > Service Fast Deploy. 2. Group-based admin privilege control. This feature is configurable under User > Guest Manager > Guest Manager Group. 3. CRL update through the LDAP protocol. This feature is configurable under User > User Access Policy > Service Parameters > Certificate > Root Certificate. 4. Random passwords can be generated and sent to guests through s or SMS messages during guest import. This feature is configurable under Guest Management > All Guests in Self-Service Center. 5. A system parameter was added to control whether or not UAM can reset the password that is retrieved by a guest through SMS. This feature is configurable under User > Guest Parameters. 6. Portal authentication and BYOD authentication support the two-factor authentication method of account password + dynamic password. This feature is configurable under User > User Access Policy > Customize Terminal Pages > Portal Page or User > User Access Policy > Customize Terminal Pages > BYOD Page. 7. The portal module provides RESTful APIs for registering guests and sending SMS messages. 8. The anti-crack feature is available on 64-bit Linux inode. This feature is configurable under User > User Access Policy > Service Parameters > System Settings > Client Anti-Crack. 9. LDAP servers can use different domain controllers for MS-CHAPv2 authentication. The number of supported domain controller is up to 10. This feature is configurable under User > User Access Policy > LDAP Service > LDAP Server. 10. Device users can be bound to IPv6 addresses. This feature is configurable under User > Device User > Device User. 11. inode shortcut configuration by access users or user groups. This feature is configurable under User > User Access Policy > Service Parameters > Unified Authentication > inode Client Shortcut Configuration. 12. The IMC home page and access service report provide endpoint statistics charts by endpoint type, OS, and vendor. 13. The guest information printing configuration can be customized. This feature is configurable under User > Guest Information Printing Configuration.

4 14. Device users can be imported, batch modified, and associated with sync policies. This feature is configurable under User > Device User > Device User. 15. New attribute Full Name was added to device users. This feature is configurable under User > Device User > Device User. 16. The manageable devices of a device user can be selected from a list of existing access devices. This feature is configurable under User > Device User > Device User. 17. Group-based device user management with the service type and EXEC priority configuration. This feature is configurable under User > Device User > Device User. 18. New attributes Device Name and Device Model were added to access devices. This feature is configurable under User > User Access Policy > Access Device Management > Access Device. 19. Access devices can be imported in batches. This feature is configurable under User > User Access Policy > Access Device Management > Access Device. 20. TAM provides the Enable Privilege-Increase Password option and parameters for setting password expiration dates for device users. This feature is configurable under User > Device User > All Device Users. Features modified in IMC UAM 7.1 (E0302P06) 1. Guest information can be printed from the self-service center by using a predefined template provided by UAM instead of customizing an.xml configuration file. Operators can edit the template and set a logo for the template. This feature is configurable under User > Guest Information Printing Configuration. 2. The maximum number of endpoints that can be bound to an account for transparent portal authentication was changed to 255. This feature is configurable under User > All Access Users. 3. The SSID Access Control, Hard Disk Serial Number, Access MAC Address, and Access ACL options are moved to the toolbar above the access policy list. This feature is configurable under User > User Access Policy > Access Policy. 4. The LDAP parameters were moved from the system parameter settings page to the LDAP Service menu. This feature is configurable under User > User Access Policy > LDAP Service > LDAP Parameters. 5. The Mobile Number parameter was changed to Account on the SMS message registration and authentication page for portal users. Features deleted from IMC UAM 7.1 (E0302P06) 1. Automatic backup and restoration of custom terminal pages using DBMan. Features released in IMC UAM 7.1 (E0302H03) None. Features released in IMC UAM 7.1 (E0302)

5 1. The Intelligent Security Proxy (ISP) component is changed to support only one deployment by default. If the pilot has R&D permissions to multiple deployments, deployments must be manually modified. 2. RESTful API is added for network devices. 3. New column fields are added to the guest statistics report. This feature is configurable under Report > Report Template List. 4. Restricting the inode version based on access services. This feature is configurable under User > User Access Policy > Access Policy. 5. Restricting the number of online guests. This feature is configurable under User > Guest Policy. 6. Restricting the number of online preregistered guests. This feature is configurable under User > Guest Policy. 7. The license peak value is added to the UAM license number legend on the IMC home page. This feature is configurable under Home > New Space > Edit. 8. Customizing contents. This feature is configurable under User>Deliver Message> Configuration. 9. Checking for duplicate user MAC address and IP address when an operator adds or modifies an access user. This feature is configurable under User > All Access Users. 10. Quick portal authentication for smart devices supports password changing at the first login through a Web page. 11. When an access user comes online, the system matches the endpoint MAC address to that in the last login and sends the mismatch information to the user. This feature is configurable under User>User Access Policy>Service Parameters>System Settings>System Parameters. 12. Providing a link to changing password on the IMC portal login page. 13. The Apply column is added to the user authentication failure page. This feature is configurable under User > User Access Log > Authentication Failure Log. 14. Customizing the display of UAM license usage on the home page and indicating the usage in green, yellow, orange, or red. This feature is configurable under Home > New Space > Edit. 15. UAM records the access policy being used in the user access details list and records endpoint information in authentication failure logs. This feature is configurable under User > User Access Log > Access Details. 16. Supporting batch modification of inner VLAN IDs when the user modifies account settings. This feature is configurable under User>Batch Operations. 17. Allowing MAC authentication users to hide optional settings and endpoint binding information. This feature is configurable under User > All Access Users. 18. The Validate Guest at field is added to the guest policy. Options are Specified Time and First Login. This feature is configurable under User > Guest Policy. 19. Automatically cancelling accounts based on user groups. This feature is configurable under User > User Access Policy > Service Parameters> System Settings> Auto-Cancel Accounts Tasks. 20. Endpoint aging time setting based on user groups. This feature is configurable under User > User Access Policy > Service Parameters> System Settings> User Endpoint Settings.

6 21. Control of account creation of mute terminal users by the mute terminal configuration. This feature is configurable under User > Mute Terminal User Configuration Profile. Features modified in IMC UAM 7.1 (E0302) 1. Resending packets for user online/offline notifications. This feature is configurable under User > User Access Policy > Service Parameters > System Settings > Authentication Notify Parameters. 2. Recording automatic service changes of LDAP users in log files. This feature is configurable under System > Operation Log. 3. Displaying or hiding the QR code for a successful guest preregistration. This feature is configurable under User > Guest Policy > Add Guest Policy. 4. Implementing the topology by using HTML5, instead of Applet. This feature is configurable under User > Access Topology. 5. Unified SMS gateway settings. This feature is configurable under System > SMSC Settings. 6. The default setting of the heartbeat interval for a portal port group is 0 minutes. This feature is configurable under User > User Access Policy > Portal Service > Device > Configure Port Group. Features released in IMC UAM 7.0 (E0203P09) 1. Guests can be assigned to user groups and controlled by policies. This feature is configurable under User > Guest Policy. 2. Support for TLS authentication of Android 4.3 and Android 4.4 on Samsung mobile devices. This feature is configurable under User > Endpoint Configuration Templates. Features released in IMC UAM 7.0 (E0203H08) None. Features released in IMC UAM 7.0 (E0203H06) None. Features released in IMC UAM 7.0 (E0203H05) None. Features released in IMC UAM 7.0 (E0203P04) None. Features released in IMC UAM 7.0 (E0203P03)

7 1. Password policies can be deployed to Android endpoints through quick deploy. This feature is configurable under User > Endpoint Configuration Templates > Add Password Policy Template. 2. Manual confirmation of the license agreement is required before quick deploy can be performed on Android endpoints. This feature is configurable under User > Endpoint Configuration Templates > Add General Configuration Template. 3. Pushing portal pages to a user based on the combination of AP, SSID, and endpoint OS groups that the user matches. This feature is configurable under User > User Access Policy > Portal Service > Page Push Policy > Add Page Push Policy. 4. Specifying the Max. Number of Bound Endpoints and Max. Number of Online Endpoints in the access scenario configuration. This feature is configurable under User > User Access Policy > Access Service > Add Access Service. 5. The NAS_ID of the access device is displayed in the user access details. This feature is configurable under User > User Access Log > Access Details > Access Details - All. 6. Quick creation of access user accounts on the Platform user information page. This feature is configurable under Users>Basic User Information. 7. Sending approval notifications via to the guest manager after guest preregistration. This feature is configurable under User>Guest Manager>Add Guest Manager. 8. Access to user self-service from a mobile device. Users who use this feature can access the self-service center directly from a mobile phone. 9. Quick deploye can be performed on MAC OS endpoints. This feature is configurable under User > Endpoint Configuration Templates. 10. Service quick experience supports authenticating employees through MAC authentication or 802.1X authentication. This feature is configurable under User > Quick Start. Features released in IMC UAM 7.0 (E0203) None. Features released in IMC UAM 7.0 (E0202) 1. Guest managers can print information about the guests listed for registration approval. This feature is configurable under Guest Management>All Guests. 2. Quick configuration of the guest service. This feature is configurable under User > Quick Start. 3. Administrators can manually add endpoint information to endpoint MAC address management. This feature is configurable under User > Endpoint Profiling. 4. You can set the maximum number of password notifications that can be sent to each user by SMS messages in a day. This feature is configurable under User > User Access Policy > Service Parameters > System Settings > System Parameters. 5. You can set the interval for retrieving the password for a guest through SMS messages. The value range is 0 to 86400, in seconds. The default value is 60. This feature is configurable under User>Guest Parameters.

8 6. Guest registration can be approved by scanning a QR code. This feature is configurable under User> Guest Parameters. 7. Guest accounts support fast authentication. This feature is configurable under User> Guest Parameters. 8. The guest list displays the operator group to which a guest manager belongs. This feature is configurable under Guest Management>All Guests. 9. LDAP users support domain name authentication. This feature is configurable under User > User Access Policy > LDAP Service. 10. The PAP authentication method allows LDAP users that do not have accounts in UAM to be authenticated on the LDAP server in real time. When LDAP authentication is passed, UAM automatically generates accounts for the users. This feature is configurable under User > User Access Policy > LDAP Service. 11. One account can be bound to one or multiple endpoints. After being bound to an account, an endpoint can pass login authentication only by using the bound account. This feature is configurable under User>Endpoint Management. 12. UAM supports working with third-party systems. This feature is configurable under User > User Access Policy > Third-Party Authentication. 13. QR code verification. This feature is configurable under User> Guest Parameters. 14. MC client upgrade. This feature is configurable under User>User Access Policy>Service Parameters>Smart Client Upgrade. 15. The following messages are integrated into message delivery: accounting notification, balance notification, account expiration notification, client upgrade task, periodic and one-time notification. A link to the message delivery function is added to the online user list and access user list. This feature is configurable under User > Deliver Message. Features modified in IMC UAM 7.0 (E0202) 1. The maximum validity time of a guest account is extended to 10 years. This feature is configurable under User> Guest Parameters. 2. The maximum size of the imported CRL increases from 1 MB to 10 MB. This feature is configurable under User>User Access Policy>Service Parameters>Certificate. 3. UAM identifies device vendor information preferably by MAC OUI. This feature is configurable under User > Endpoint Fingerprint. 4. UAM automatically deletes the mapping between a guest account and a MAC address from the endpoint information when the guest account expires. This feature is configurable under User>All Guests. 5. You can configure UAM to delete accounts 1 day after they expire, or set the time longer. This feature is configurable under User>User Access Policy>Service Parameters>System Settings>Auto-Cancel Accounts Settings. 6. UAM sends SMS messages to the configured phone number without counting the digits to use. This feature is configurable under User>User Access Policy>Service Parameters>System Settings>SMS Settings. Features released in IMC UAM 7.0 (E0103)

9 1. UAM can kick out users by sending CoA packets to Cisco AirWlc2106K9 devices. This feature is configurable under User>> All Online Users. 2. TTLS authentication. This feature is configurable under User>User Access Policy>Access Policy>Add Access Policy. 3. Customizing portal pages. This feature is configurable under User > User Access Policy > Customize Terminal Pages. 4. Previewing portal pages. This feature is configurable under User > User Access Policy > Customize Terminal Pages. 5. Custom attributes of pages for smart devices. This feature is configurable under User > User Access Policy > Customize Terminal Pages. 6. Custom pages for smart devices based on access scenarios. This feature is configurable under User>User Access Policy>Access Policy>Add Access Policy. 7. Custom preregistration pages. This feature is configurable under User > User Access Policy > Customize Terminal Pages. 8. Custom attributes of preregistration pages. This feature is configurable under User > User Access Policy > Customize Terminal Pages. 9. Custom the self-service center homepage. This feature is configurable under User > User Access Policy > Customize Terminal Pages. 10. Guest manager can import guest accounts in batches and configure whether to send passwords to the guests immediately or at specific time. This feature is configurable under In the self-service center. 11. Supports real-time LDAP authentication for LDAP users that do not have accounts in UAM. This feature is not available when services are synchronized by user group and user groups are synchronized by OU. 12. BYOD portal page supports https. Features modified in IMC UAM 7.0 (E0103) 1. The following feature is deleted: Modifying the DNS attribute in the DHCP ACK packets by the DHCP agent. [ Table of Contents ] Problems Fixed in this Release IMC UAM 7.1 (E0302P15) fixes the following problems, including all bugs fixed after IMC UAM 7.0 (E0103). Resolved Problems in IMC UAM 7.1 (E0302P15): 1. The self-service center might not display the left navigation tree when the following conditions exist: a. The IMC platform runs IMC PLAT 7.1 (E0301). b. The center is accessed during the restart of the jserver process. 2. LDAP users fail PEAP-MSCHAPv2 authentication when the following conditions exist:

10 a. The LDAP server restarts. b. If the upgrade is from 7.1 (E0302H03) and earlier, no configuration is needed. 3. The policy server obtains the IP address of a user that has passed authentication and updates the IP address on the online user list. However, UAM does not immediately send online notification messages to the thirdparty server based on the configuration of user online/offline notification parameters. 4. Transparent portal authentication no longer takes effect on a guest after the password of the guest exceeds the validity period set in the guest policy. 5. A user fails TLS authentication by using the computer name that is synchronized from the LDAP server to IMC. In the LDAP sync policy, the Auto Synchronization option is selected and the Filter out Computer Accounts option is cleared. 6. An LDAP user account is considered as nonexistent when the user attempts to log in to the self-service center. The account is synchronized from an LDAP server for which Add Prefix is enabled as the account format. 7. A newly added LDAP user fails the authentication when the following conditions exist: a. Sync policy A is enabled with the Synchronize Users as Needed option. b. Sync policy B is enabled with the Auto Synchronization option. c. Sync policy B includes a subset of the sub-base DN in sync policy A, and has a higher priority than sync policy A. d. Real-Time authentication is selected for LDAP On-Demand Authentication Mode. 8. The computer name on the LDAP server is synchronized to the access accounts when the following conditions exist: a. A sync policy is enabled with the Synchronize Users as Needed and Filter out Computer Accounts options. b. The computer name is used for authentication. 9. Online users fail reauthentication and are logged out when the device reauthenticates the online users. 10. LDAP users pass authentication regardless of whether or not they meet the filter criteria of an LDAP sync policy, and the services assigned to the LDAP users do not comply with the policy priority settings when the following conditions exist: a. Multiple sync policies are enabled with the Synchronize Users as Needed option. b. These policies have the same configuration except the filter criteria, applied services, and policy priority. 11. An endpoint fails authentication because the MAC address of the endpoint does not match the access scenario configuration when the following conditions exist: a. The access scenario uses the MAC address as the access criterion. b. In the access service, Do not use is selected for the default access policy. c. The access device sends the MAC address to IMC through the proprietary attribute hw_ip_host_addr(60). The standard attribute Calling-Station-ID is null. d. IMC obtains the MAC address preferentially from the standard attribute Calling-Station-ID.

11 Resolved Problems in IMC UAM 7.1 (E0302P14): 1. Some access users are automatically canceled after they are resynchronized from LDAP when the following tasks are performed: a. Add a sync policy enabled with the Synchronize Users as Needed option. LDAP users are synchronized to EIA. b. Cancel access users that are synchronized from LDAP but keep the imc users associated with these access users. c. On UAM, add an access user account for the endpoint by using the MAC address of the endpoint as the username. 2. After page resources page are modified, Chinese messages appear on the BYOD custom page for SMS message authentication, which was configured in the English language environment. 3. Follow these guidelines for successful computer name authentication after EIA grades to 7.1 (E0302P14): a. If the upgrade is from 7.1 (E0302P06) and later, you must configure the LDAP server and the sync policy. b. If the upgrade is from 7.1 (E0302H03) and earlier, no configuration is needed. 4. The EIA report function cannot operate correctly when IMC is deployed in distributed mode on servers that run SQL Server with replication and distribution functions. 5. The inode PC client fails to establish an SSL tunnel with IMC to complete the certificate configuration required by IMC when a certificate deployment tool is delivered from IMC to the inode PC client. 6. The User Endpoint menu is not displayed after IMC restarts with the HP proprietary license registration. The HP proprietary license is registered after the trial license expires. Resolved Problems in IMC UAM 7.1 (E0302P13): 1. EIA does not ignore leading or trailing spaces in query criteria. 2. The page for adding or modifying an access user automatically refreshes when access services are selected. 3. An LDAP user synchronized from an LDAP server cannot pass RSA authentication and receives an incorrect password message when RSA authentication requires both dynamic and static passwords. 4. When Synchronize Users as Needed is enabled for the sync policy, LDAP users with the account names that do not have spaces cannot be authenticated. IMC can successfully synchronize LDAP users whose account names have spaces. 5. If IMC has been running for a long time, HTTPS access to IMC might require the jserver process to be restarted. 6. An LDAP user synchronized from an OpenLDAP server fails authentication with an incorrect password error when the OpenLDAP server does not support local authentication and is bound to a sync policy with Synchronize Users as Needed enabled. 7. EIA 7.1 (E0302) fails to update to EIA 7.1 (E0302P08) if an auto-registration guest service is added, deleted, and then re-added in the EIA 7.1 (E0302) version before the upgrade.

12 Resolved Problems in IMC UAM 7.1 (E0302P10): 1. An LDAP user synchronized based on an on-demand LDAP sync policy failed to pass MSCHAPv2 authentication when the following procedure is performed: a. On UAM, enable transparent MAC authentication in system settings, and then set an access user as the default BYOD user named byodanonymous. b. b. On the user PC, initiate MSCHAPv2 authentication as an LDAP user by using the Windows built-in client. 2. A guest manager failed to add a guest in the self-service center due to a Web service error. 3. After the database service is stopped, a start failure of the portal server process causes the error logs to grow quickly and consume disk space. 4. REST APIs for import operations are added to EIA for third-party system administrators to batch operate access devices and device users in EIA. 5. A third-party user cannot pass CHAP authentication with a third-party error message in the operation log. 6. A BYOD registration and authentication page is customized and published in IE. When the page is opened in Firefox, however, the scroll bar in the text box area of the page is not displayed. 7. In UAM, the Log off Duplicate Account parameter is enabled in system settings and the Max. Concurrent Logins is set to 2 for an access user account. When a user attempts to come online successively from a PC and a cell phone by using the account, the user comes online only from the PC. 8. After a large number of LDAP users are synchronized to UAM within 15 minutes based on an on-demand LDAP sync policy, some of the LDAP users cannot pass authentication. Resolved Problems in IMC UAM 7.1 (E0302H09): 1. UAM synchronizes user information based on AD group from the LDAP server that has 1000 AD groups and users. Some users are assigned incorrect services because synchronizing users from the LDAP server timed out. 2. The operator prints information about multiple guests. Printed guest information is in incorrect layout and logos are not displayed. 3. An on-demand LDAP sync policy is configured and portal SMS authentication is enabled for an LDAP user. However, an LDAP user fails to be authenticated because the on-demand LDAP sync policy does not support authenticating the LDAP user by using portal SMS. 4. A synchronized LDAP user fails to be authenticated because the OU name in the on-demand LDAP sync policy includes a backslash (\). 5. New RESTful API functions are added to enable third-party systems to perform operations for device users. 6. An SMS sender is configured on the SMSC Settings page. In the access policy, the authentication password is set to Account Password + Dynamic Password. A user clicks Obtain next to the Verification Code field, or clicks Get Password on the portal login page. The system displays a successful delivery message for an SMS password or verification code, but the user does not receive an SMS message.

13 7. The guest information printed by a guest manager on the self-service center contains a Close button and a Print link. 8. If the certificate user name is stored in the subject alternative attribute instead of the subject CN, user authentication fails with a message that the user name and certificate user name do not match. 9. The computer user cannot pass MS-CHAPv2 authentication. Resolved Problems in IMC UAM 7.1 (E0302P08): 1. If multiple access services are assigned to the third-party authentication policy, third-party users who do not have access user accounts on UAM cannot pass third-party authentication. 2. If the Calling_Station_Id attribute includes an invalid MAC address, UAM ignores the attribute without obtaining the SSID from the attribute, and cannot authenticate users from access scenarios identified by SSID. 3. When IMC contains over 1000 user groups, it responds slowly to operations such as moving users between user groups or adding guest policies. 4. A page push policy is configured for portal users based on a user SSID group. However, it does not push a portal page to portal users attempting to access the network. 5. A REST API is used to retrieve information about an online user with a specified account name. However, the retrieved information does not contain the Deploy User Group information. 6. The system performs certificate authentication for access users. A Denial of Service attack might be launched and causes a server memory leak by exploiting security vulnerability CVE , CVE , CVE , or CVE The guest information printed by a guest manager on the self-service center contains a Close button and a Print link. 8. A REST API is used to add an access user with the expiration time in the format yyyy-mm-dd. The system cannot add the access user and displays an "invalid expiration time" message. 9. On the third-party authentication settings page, third-party authentication is enabled and the Third-Party Web Service option is selected. However, the Password Encryption Type field does not support the 3DES option. 10. IMC does not dynamically adjust the heap memory settings according to the OS bit version. It uses the 32-bit heap memory settings when running on a 64- bit OS. 11. A user in a guest manager group cannot manage guests after logging in to the touch-version self-service center as a guest manager. 12. On the access topology page, an operator clicks an option such as Query Online Users on the right-click menu of a node. The system opens the page in a new tab instead of displaying the page directly in the topology. 13. UAM receives an account-on packet from a restarted access device and clears information about online users logged in from the device without informing the third-party system. The accounting-on feature is enabled on the device by configuring the accounting-on enable command in RADIUS scheme view. 14. A user who have passed MAC authentication is bound to the byodanonymous account instead of the access user account configured for the user endpoint when the following procedure is performed:

14 a. On UAM, enable transparent MAC authentication in system settings, and then set an access user as the default BYOD user named byodanonymous. b. Connect an endpoint to the network through MAC authentication. c. On UAM, add an access user account for the endpoint by using the MAC address of the endpoint as the username. d. Connect the endpoint to the network again through MAC authentication. 15. UAM cannot log off online users who have come online from an ACG device with the access device type of H3C(General), unless the device type is changed. Resolved Problems in IMC UAM 7.1 (E0302P07): 1. Fixed the security vulnerability coded CVE Fixed the XSS security vulnerability. 3. An LDAP sync policy is executed to sync users from an LDAP server that uses a service sync type of Based On Active Directory Group. After synchronization, users in an AD group that contains more users than the value specified for MaxValRange are assigned the default service instead of the service of the AD group. 4. The Web page takes a long time to respond when a guest manager queries guest information in an IMC system that contains large numbers of access users. 5. An LDAP server uses the service sync type of Based On Active Directory Group and is assigned an on demand LDAP sync policy. After an LDAP user in the primary AD security group comes online, the service that is assigned to the user based on the AD group does not take effect. 6. Large numbers of users failed to pass portal authentication in an IMC system that has IMC EIP deployed. 7. A page push policy uses the Portal authentication method and is assigned to service group A. In Add Page Push Subpolicy window of the policy, the Login Page list does not contain the login pages assigned to service group A. 8. IMC uses the Oracle database. The operation result page displays an error when an operator adds an endpoint MAC group with the same name as that of an existing endpoint MAC group. 9. Guest manager A uses the approval notification type of Send Approval Notification via SMS. After a guest account is preregistered with the guest manger set to A, the guest manager does not receive an approval notification message. 10. An LDAP server uses the service sync type of Based On Active Directory Group. After a user is synchronized from an LDAP server, the service of the user is changed because the user has moved to a different AD group since last synchronization. However, the operation log does not record the reason for the user's change of service. 11. In an IMC system where IMC UAM is deployed on the same server with the IMC platform, the Select User page displays an error when the following procedure is performed: a. On the Add Access User page, click Select next to the User Name field. b. Query users on the Select User page.

15 12. No page push policies are configured for portal port groups in Release E0203P04. After UAM is upgraded from Release E0203P04 to Release E0203P07, it cannot push the correct portal login page to portal users. 13. An LDAP server uses the service sync type of Based On Active Directory Group and is assigned an on demand LDAP sync policy. After an LDAP user in the primary AD security group comes online, the service that is assigned to the user based on the AD group does not take effect. 14. Third-party authentication is enabled in U. Sometimes users failed to pass third-party authentication with a timeout message for calling the third-party authentication IMF interface. 15. This symptom occurs when the following procedure is performed: a. Select Enable Authentication Notify in UAM system settings. b. Configure an access policy and select a user group from the Deploy User Group list. c. Bring a user online. UAM applies the access policy to the user. The system sends a logon message to the user. 16. The LDAP user synchronization succeeds partially when the following procedure is performed: a. Configure an LDAP server and select Synchronize by OU from the User Group list. b. Assign the LDAP server to an LDAP sync policy. c. Execute the LDAP sync policy. During synchronization, the LDAP server returns incomplete distinguished names in the OU information. 17. A page push policy is configured to push a BYOD page that uses the registration and authentication type of By SMS Message to endpoint users. When a user attempts to access the BYOD page for SMS message registration and authentication, the system displays a BYOD page that contains Chinese characters. Resolved Problems in IMC UAM 7.1 (E0302P06): 1. IMC displays the default BYOD page for a user based on a page push policy. After the user provides a guest account and a password that does not take effect or has expired on the page, the user is then redirected to an authentication success page. However, the user cannot access the network and does not receive any error message. 2. An LDAP server uses the service sync type of Based On Active Directory Group. The service that is assigned to LDAP users does not take effect if the users belong to the primary security group. 3. The guest information printing settings are configured in IMC. A guest manager failed to print the guest information from the self-service center with a message that printing configuration is incorrect. 4. In HP IMC, a guest manager changes a guest's password in the self-service center, but the password notification sent to the guest does not contain the new password. 5. The default guest policy has a Max. Transparent Portal Bindings value greater than 5, but the setting is not applied to guests registered or added in the self-service center.

16 6. Forty-five days after UAM deployment and IMC UAM license registration, the BYOD page does not contain the Guest Preregister link although guest preregistration is enabled in the guest parameter settings. 7. The system periodically clears users if they have been online for more than 24 hours and access from devices that do not support accounting-update and accounting-stop packets. Resolved Problems in IMC UAM 7.1 (E0302H03): 1. An LDAP user synchronized to UAM from an SSL-enabled LDAP server cannot log in to the self-service center with the following error message: Incorrect password. If the incorrect attempts exceed the threshold, the user is added to the blacklist. 2. A user comes online through an access device that doesn't send the user IP address in accounting packets to UAM. However, the User IP Address field of the user in the online user list is not empty. 3. Some access device models do not include the user MAC addresses in accounting-start packets. They only include the addresses in user authentication packets. When UAM receives accounting update packets for a user who has come online through such an access device, it logs off the user. 4. The system does not verify the phone number entered for SMS message registration and authentication. 5. A user receives multiple SMS password messages after clicking Get Password during SMS registration and authentication. 6. After a guest in the default guest group comes online, the guest is assigned the default guest policy instead of the guest policy of the default guest group. 7. A user comes online through an access device that doesn't send the device IP address in accounting packets to UAM. The Device IP field of the user in the online user list is empty. 8. A maintainer has permissions to manage a sync policy but does not have permissions to manage the synchronized user groups. After user groups are synchronized by OU from the LDAP server, the maintainer can no longer modify the sync policy. 9. The Max. Transparent Portal Bindings parameter cannot be set to a value greater than 5 for a user to bind with endpoints for transparent portal authentication. 10. If IMC contains more than 1000 user groups and over 2000 guests, it responds slowly to a query for guests or change to the SMS notification content. 11. An operator attempts to import guests including the Max. Concurrent Logins parameter from a file through the self-service center. However, the guest import fails with an "invalid import file" error. 12. The UAM subcomponent User SelfService is deployed on a server and uses a different HTTP port number than the IMC service port specified on the master server. Guest authentication fails after the following procedure is performed: a. On the BYOD login page, an endpoint user clicks Guest Registration to register a guest account. The registration result page displays a QR code after the registration is complete. b. The guest manager approves the guest registration in the self-service center. c. The endpoint user clicks the QR code on the registration result page.

17 13. In an IMC system where TAM is deployed on a Windows server and UAM is not deployed, an operator cannot import certificates to an SSL-enabled LDAP server in TAM. 14. If a user does not receive a response from the LDAP server within 3 seconds after initiating LDAP authentication, the following error message appears: LDAP server connection timed out due to invalid server IP or port. Please retry later or contact the administrator. Resolved Problems in IMC UAM 7.1 (E0302): 1. On TAM, an OpenLDAP server and an LDAP synchronization policy are configured. The synchronization mode is on-demand synchronization, and user passwords are synchronized from the LDAP server. A user fails the authentication and the CLI prompts a login failure. 2. When a Cisco access device is used, the acct_session_id attribute sent by the device includes apostrophes (') and cannot be correctly identified by IMC. The client comes online successfully. However, the user does not appear in the online user list. 3. On IMC system parameter settings page, configure Username Prefix Conversion Mode to Change to Suffix. On the PEAP domain controller configuration page, set Domain Controller OS Version to Windows 2003 or earlier, select PEAP-MSCHAPV2 for the authentication mode, and set the account in the prefix\username format. The user cannot come online through the inode client with an incorrect password prompt. 4. User synchronization is performed based on a policy to synchronize field values from the LDAP server. The LDAP attribute value of the field does not meet IMC check rules. Foreground logs increase quickly. For example, a synchronization of users can generate log files of 1 GB. 5. Guests can be assigned to user groups and controlled by policies. This feature is configurable under User > Guest Policy. 6. Support for TLS authentication of Android 4.3 and Android 4.4 on Samsung mobile devices. This feature is configurable under User > Endpoint Configuration Templates. 7. Password policies can be deployed to Android endpoints through quick deploy. This feature is configurable under User > Endpoint Configuration Templates > Add Password Policy Template. 8. Manual confirmation of the license agreement is required before quick deploy can be performed on Android endpoints. This feature is configurable under User > Endpoint Configuration Templates > Add General Configuration Template. 9. Pushing portal pages to a user based on the combination of AP, SSID, and endpoint OS groups that the user matches. This feature is configurable under User > User Access Policy > Portal Service > Page Push Policy > Add Page Push Policy. 10. Specifying the Max. Number of Bound Endpoints and Max. Number of Online Endpoints in the access scenario configuration. This feature is configurable under User > User Access Policy > Access Service > Add Access Service. 11. The NAS_ID of the access device is displayed in the user access details. This feature is configurable under User > User Access Log > Access Details > Access Details - All.

18 12. Quick creation of access user accounts on the Platform user information page. This feature is configurable under Users>Basic User Information. 13. Sending approval notifications via to the guest manager after guest preregistration. This feature is configurable under User>Guest Manager>Add Guest Manager. 14. Access to user self-service from a mobile device. Users who use this feature can access the self-service center directly from a mobile phone. 15. Quick deployment can be performed on MAC OS endpoints. This feature is configurable under User > Endpoint Configuration Templates. 16. Service quick experience supports authenticating employees through MAC authentication or 802.1X authentication. This feature is configurable under User > Quick Start. 17. In IMC, an access device is added with the RADIUS Accounting parameter set to Partially/Not Supported and the policy server is enabled X EAP authentication in the inode client fails with an "Access time limit" error message. This feature is configurable under User > User Access Log > User Access Policy > Access Device Management>Access Device. 18. During user authentication, platform users are created based on an on-demand sync policy. If an operator manually synchronizes platform users before their registration is approved, the platform username and identity number are not updated based on the LDAP attributes. 19. In the guest service settings, a user group is specified as the default guest group and is assigned a guest policy with guest auto-registration disabled. After a guest from the user group is preregistered on the guest preregistration page, the guest is automatically registered and is assigned the default guest policy rather than the matching guest policy. 20. IMC does not identify the endpoint information when the endpoint comes online through an HP Commware OEM device. 21. The LDAP user's services are not updated with the AD group when the following procedure is performed: a. Synchronize a user from an LDAP server whose service sync type is set to Based on Active Directory Group. After the synchronization, the user is assigned the services of the AD group to which the user belongs. b. Change the services assigned to the user's AD group in the LDAP sync policy. c. Synchronize the user again. 22. When an operator attempts to add more rules to an ACL that contains 32 rules, IMC displays a message that the number of rules in the ACL already reaches the limit. This feature is configurable under User > User Access Log > User Access Policy > Access ACL. 23. After an expired access user is deleted, UAM cancels all other access users who associated with the same platform user as the expired user. 24. A sync policy is executed to synchronize parameters from the LDAP server, including the user SSIDs. However, the access user details page of each synchronized user displays an empty User SSID field. 25. The system displays a message that the client and server certificates cannot be verified when Certificate Verification is used to verify root (a certificate chain), server, and client certificates. This feature is configurable under User > User Access Log > User Access Policy > Service Parameters > Certificate.

19 Resolved Problems in IMC UAM 7.0 (E0203P09): 1. Fixed the security vulnerability coded CVE Configure a client ACL in a security policy and apply the policy to a user. When the user comes online, the online user list and access user details display the client ACL ID for the user, not the client ACL name. Resolved Problems in IMC UAM 7.0 (E0203H08): 1. A third-party client is used for network access. EAP authentication is configured on the access device. A user attempts to access the network through the client by entering a username with a space at the end. User authentication fails with a "RADIUS server no response" error. 2. The device triggers a user authentication process and sends an authentication request that includes an empty username attribute. User authentication fails and the UAM background process restarts. 3. Access the page for customizing a user authentication page of the SMS authentication type in the Customize Terminal Pages > Portal Page function of UAM. The page does not have the Save Password option. 4. IMC uses an Oracle database that stores more than entries of UAM access details. UAM is upgraded to 7.0 (E0203H02) or a later patch version. After the upgrade, the jserver process cannot start. Resolved Problems in IMC UAM 7.0 (E0203H06): 1. On the Add LDAP Server page, the General option is selected as the server type. On the Add LDAP Server page, the Add Prefix option disappears from the Account Format list. The operator cannot configure a prefix to be added to the account names that are synchronized from the LDAP server. 2. A large number of portal users come online. Due to frequent database connection errors, slow responses occur when operations require notification packets to be sent to the portal server. 3. On an AD, a user account is created with the User must change password at next logon option selected. Then the account is synchronized to IMC. When a user comes online by using the account, the system displays a dialog box requiring the user to change the password. However, the user receives an operation failure message after providing the correct old password and a new password. 4. To implement cold backup, IMC UAM primary and backup servers are deployed. In the user self-service center provided by the primary server, a user cannot query online details that are stored on the backup server. 5. To implement cold backup, UAM primary and backup servers are deployed. In the user self-service center provided by the backup server, a user can modify user information and recharge the account. Resolved Problems in IMC UAM 7.0 (E0203H05): 1. Deploy the portal configuration to a device that is managed by the platform but is not added to UAM as an access device. The deployment fails with a "deployment to the device is not supported" error.