Configuring Access Guardian Policies Configuring 802.1X
page 27-14 OmniSwitch 6800/6850/9000 Network Configuration Guide March 2008
-> 802.1x 3/1 reauthentication re-authperiod 25
In this example, automatic re-authentication is enabled, and re-authentication will take place on the port
every 25 seconds.
To manually re-authenticate a port, use the 802.1x re-authenticate command. For example:
-> 802.1x re-authenticate 3/1
This command initiates a re-authentication process for port 1 on slot 3.
Initializing an 802.1X Port
An 802.1X port may be reinitialized. This is useful if there is a problem on the port. The reinitialization
process drops connectivity with the supplicant and forces the supplicant to be re-authenticated. Connectivity
is restored with successful re-authentication. To force an initialization, use the 802.1x initialize
command with the relevant slot/port number. For example:
-> 802.1x initialize 3/1
This command drops connectivity on port 1 of slot 3. The switch sends out a Request Identity message and
restores connectivity when the port is successfully re-authenticated.
Configuring Accounting for 802.1X
To log 802.1X sessions, use the aaa accounting 802.1x command with the desired RADIUS server
names; use the keyword local to specify that the Switch Logging function in the switch should be used to
log 802.1X sessions. RADIUS servers are configured with the aaa radius-server command.
-> aaa accounting 802.1x rad1 local
In this example, the RADIUS server rad1 will be used for accounting. If rad1 becomes unavailable, the
local Switch Logging function in the switch will log 802.1X sessions. For more information about Switch
Logging, see Chapter 36, “Using Switch Logging.”
Configuring Access Guardian Policies
The Access Guardian provides functionality that allows the configuration of 802.1x device classification
policies for supplicants (802.1x clients) and non-supplicants (non-802.1x clients). See “Using Access
Guardian Policies” on page 27-9 for more information.
Configuring device classification policies is only supported on mobile, 802.1x enabled ports. In addition,
the port control status for the port must allow auto authorization. See “Setting Up Port-Based Network
Access Control” on page 27-11 for specific information about how to enable 802.1x functionality on a
port.
As described in “Using Access Guardian Policies” on page 27-9, there are several types of policies that,
when combined, create either a supplicant or a non-supplicant compound policy. Consider the
following when configuring compound policies:
• A single policy can only appear once for a pass condition and once for a failed condition in a
compound policy.
• Up to three VLAN ID policies are allowed within the same compound policy, as long as the ID number
is different for each instance specified (e.g., vlan 20 vlan 30 vlan 40).
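
The two rules above can be checked before a compound policy is entered on a switch. The following Python sketch is an added example, not part of the guide or of the switch software. It assumes the policy list is written as "pass ... fail ..." and uses group-mobility and block as sample non-VLAN policy keywords; only the vlan keyword and the two rules come from this page.

```python
from collections import Counter

MAX_VLAN_POLICIES = 3  # limit stated in the guide


def parse_compound(text):
    """Split 'pass ... fail ...' into per-condition policy lists.

    A VLAN ID policy is stored as ('vlan', id); any other keyword as (keyword, None).
    The pass/fail layout and the non-VLAN keywords are assumptions of this example.
    """
    conditions = {"pass": [], "fail": []}
    current = "pass"  # assumed: policies listed before any keyword belong to pass
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in conditions:
            current = tok
        elif tok == "vlan":
            if i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
                raise ValueError("vlan policy without a numeric ID")
            conditions[current].append(("vlan", int(tokens[i + 1])))
            i += 1  # skip the ID that was just consumed
        else:
            conditions[current].append((tok, None))
        i += 1
    return conditions


def check_compound(text):
    """Return a list of rule violations; an empty list means both rules hold."""
    conditions = parse_compound(text)
    problems = []
    # Rule 1: a single policy appears at most once per pass or fail condition.
    for name, policies in conditions.items():
        counts = Counter(kind for kind, _ in policies if kind != "vlan")
        for kind, n in counts.items():
            if n > 1:
                problems.append(f"{kind} appears {n} times in the {name} condition")
    # Rule 2: at most three VLAN ID policies per compound policy, each with its own ID.
    vlan_ids = [vid for plist in conditions.values() for kind, vid in plist if kind == "vlan"]
    if len(vlan_ids) > MAX_VLAN_POLICIES:
        problems.append(f"{len(vlan_ids)} VLAN ID policies, limit is {MAX_VLAN_POLICIES}")
    for vid, n in Counter(vlan_ids).items():
        if n > 1:
            problems.append(f"vlan {vid} is specified {n} times")
    return problems


if __name__ == "__main__":
    # Constructed sample policy strings, not taken from a real configuration.
    for sample in ("pass group-mobility vlan 20 vlan 30 fail vlan 40 block",
                   "pass vlan 20 vlan 20 fail block"):
        print(sample, "->", check_compound(sample) or "ok")
```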