Access Guardian Overview Configuring Access Guardian
page 34-14 OmniSwitch AOS Release 6 Network Configuration Guide September 2009
• Use Group Mobility to dynamically assign a device to a VLAN or apply a UNP. VLAN rules and UNP
mobile rules are used by Group Mobility to classify user devices.
• Perform a Host Integrity Check (HIC) to determine if the end user device is compliant with network
access requirements, for example, whether the device is running a specific version of anti-virus software.
HIC is enabled or disabled through a User Network Profile.
• Apply a list of QoS policy rules to end user device traffic. A QoS policy list is associated with a UNP
and applied to all devices that are associated with that profile.
• Do not perform any type of authentication on the device; only apply classification policies to
determine what the end user can access on the network.
• Redirect the end user device to a Web-based login page for authentication.
• Block the device from accessing the network.
Device Classification Policy Types
There are four types of Access Guardian device classification policies: 802.1X authentication
(supplicants), MAC-based authentication (non-supplicants), Captive Portal authentication (supplicant and
non-supplicant), and non-supplicant (no authentication). These policies provide the following configurable
policy options for classifying devices:
1 Captive Portal—redirects the user device to a Web-based login screen and requires the user to enter
credentials to gain network access. This option is used only with the 802.1X, MAC, or Non-supplicant
policies. The Captive Portal policy is applied after Web-based authentication is attempted, so this option is
not valid for Captive Portal policies. See “Configuring the Captive Portal Policy” on page 34-30.
2 Group Mobility—uses Group Mobility VLAN rules and User Network Profile (UNP) mobile rules to
determine the VLAN assignment for a device. UNP rules apply a profile to any device that matches the
UNP rule criteria. Note that UNP mobile rules take precedence over VLAN rules. See “What are UNP
Mobile Rules?” on page 34-18.
3 VLAN ID—assigns the device to the specified VLAN.
4 Default VLAN—assigns a device to the default VLAN for the 802.1x port.
5 User Network Profile (UNP)—applies a pre-configured profile to a user device. The profile specifies
a required VLAN ID, the optional Host Integrity Check (HIC) status, and an optional QoS policy list
name. See “User Network Profiles (Role-Based Access)” on page 34-16.
6 Block—blocks a device from accessing the 802.1x port.
It is possible to configure one or more of the above options for a single policy. The order in which the
policy options are applied to a device is determined by the order in which the options were configured. For
example, if a MAC-based authentication policy is configured to use the Group Mobility and default
VLAN options, then the policy actions are applied in the following sequence:
1 MAC-based authentication is performed.
2 If authentication was successful and provided a VLAN ID, the client is assigned to that VLAN and no
further policy options are applied.
3 If a VLAN ID was not provided or authentication failed, then Group Mobility applies VLAN rules or
UNP mobile rules.
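The following Python model is an added example, not code or CLI syntax from this guide. It walks the sequence above for a MAC-based authentication policy so the outcome of a given option order can be checked for each device. The option names, the MAC-prefix rule matching, and the fall-through from an unmatched Group Mobility option to the next configured option are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class UNP:
    name: str
    vlan: int                        # required VLAN ID
    hic: bool = False                # optional Host Integrity Check status
    qos_list: Optional[str] = None   # optional QoS policy list name

@dataclass
class Device:
    mac: str
    auth_ok: bool
    auth_vlan: Optional[int] = None  # VLAN ID returned by authentication, if any

def group_mobility(dev, unp_rules, vlan_rules):
    """Match rules by MAC prefix (assumed criterion); UNP mobile rules win."""
    for prefix, unp in unp_rules:
        if dev.mac.startswith(prefix):
            return ("unp", unp.name, unp.vlan)
    for prefix, vlan in vlan_rules:
        if dev.mac.startswith(prefix):
            return ("vlan-rule", None, vlan)
    return None

def classify(dev, options, unp_rules=(), vlan_rules=(), default_vlan=1):
    """Model a MAC-based authentication policy; returns (how, profile, vlan)."""
    # Steps 1-2: authentication succeeded and supplied a VLAN ID, so stop here.
    if dev.auth_ok and dev.auth_vlan is not None:
        return ("auth-vlan", None, dev.auth_vlan)
    # Step 3 onward: apply the policy options in the order they were configured.
    for opt in options:
        if opt == "group-mobility":
            hit = group_mobility(dev, unp_rules, vlan_rules)
            if hit:
                return hit
        elif opt == "default-vlan":
            return ("default-vlan", None, default_vlan)
        elif opt == "block":
            return ("block", None, None)
    return ("unclassified", None, None)  # model-only marker, not switch behaviour

# Constructed sample data (not from the guide).
UNP_RULES = [("00:11:22", UNP("guest", vlan=30, hic=True))]
VLAN_RULES = [("00:11", 40)]
KNOWN = Device("00:11:22:aa:bb:cc", auth_ok=False)
UNKNOWN = Device("de:ad:be:ef:00:01", auth_ok=False)

if __name__ == "__main__":
    for opts in (["group-mobility", "default-vlan"], ["group-mobility", "block"]):
        for dev in (KNOWN, UNKNOWN):
            print(opts, dev.mac, classify(dev, opts, UNP_RULES, VLAN_RULES))
```

In this model, a device that fails authentication and matches no rule is placed in the default VLAN under the first option order, and is denied when the list ends with Block instead.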