Configuring 802.1X Configuring Access Guardian Policies
OmniSwitch 6800/6850/9000 Network Configuration Guide March 2008 page 27-15
• Compound policies must terminate. The last policy must result in either blocking the device or assign-
ing the device to the default VLAN. If a terminal policy is not specified, the block policy is used by
default.
• The order in which policies are configured determines the order in which the policies are applied.
The following table provides examples of policies that were incorrectly configured and a description of
the problem:
Note that if no policies are configured on an 802.1x port, non-supplicant devices are blocked on the port
and the following default classification policy is applied to supplicant devices:
1 802.1x authentication via remote RADIUS server is attempted.
2 If authentication fails or successful authentication returns a VLAN ID that does not exist, the device is
blocked.
3 If authentication is successful and returns a VLAN ID that exists in the switch configuration, suppli-
cant is assigned to that VLAN.
4 If authentication is successful but does not return a VLAN ID, Group Mobility rules are checked for
classification.
5 If Group Mobility classification fails, the supplicant is assigned to the default VLAN ID for the 802.1x
port.
Configuring Supplicant Policies
Supplicant policies are used to classify 802.1x devices connected to 802.1x-enabled switch ports when
802.1x authentication does not return a VLAN ID or authentication fails. To configure supplicant poli-
cies, use the 802.1x supplicant policy authentication command. The following keywords are available
with this command to specify one or more policies for classifying devices:
If no policy keywords are specified with this command, then supplicants are blocked if 802.1x authentica-
tion fails or does not return a VLAN ID. When multiple policies are specified, the policy is referred to as a
compound supplicant policy. Note that the order in which parameters are configured determines the order
in which they are applied.
Incorrect Policy Command Problem
802.1x 1/45 supplicant policy authentication pass
group-mobility vlan 200 group-mobility fail
block
The group-mobility policy is specified more than
once as a pass condition.
802.1x 1/24 non-supplicant policy authentication
pass vlan 20 vlan 30 vlan 40 vlan 50 fail block
More than three VLAN ID policies are specified
in the same command.
supplicant policy keywords
group mobility
vlan
default-vlan
block
pass
fail
To Next Page
Loading...
