Configuring Access Guardian Setting Up Port-Based Network Access Control
OmniSwitch AOS Release 6 Network Configuration Guide September 2009 page 34-21
Setting Up Port-Based Network Access Control
For port-based network access control, 802.1X must be enabled for the switch and the switch must know
which servers to use for authenticating 802.1X supplicants and non-supplicants.
In addition, 802.1X must be enabled on each port that is connected to a n 802.1X supplicant (or device).
Optional parameters may be set for each 802.1X port.
The following sections describe these procedures in detail.
Setting 802.1X Switch Parameters
Use the aaa authentication 802.1x command to enable 802.1X for the switch and specify an authentica-
tion server (or servers) to be used for authenticating 802.1X ports. The servers must already be configured
through the aaa radius-server command. An example of specifying authentication servers for authenticat-
ing all 802.1X ports on the switch:
-> aaa authentication 802.1x rad1 rad2
In this example, the rad1 server will be used for authenticating 802.1X ports. If rad1 becomes unavail-
able, the switch will use rad2 for 802.1X authentication. When this command is used, 802.1X is automati-
cally enabled for the switch.
If the Radius servers are not reachable a default policy can be configured, all users attempting to authenti-
cate will be assigned to the configured policy as shown below:
-> 802.1x auth-server-down enable
-> 802.1x auth-server-down policy user-network-profile
For more information on configuring policies see “Configuring Access Guardian Policies” on
page 34-22 and the 802.1x auth-server-down command.
Enabling MAC Authentication
Use the aaa authentication mac command to enable MAC authentication for the switch and specify an
authentication server (or servers) to be used for authenticating non-supplicants on 802.1x ports. As with
enabling 802.1x authentication, the servers specified with this command must already be configured
through the aaa radius-server command.
The following example command specifies authentication servers for authenticating non-supplicant
devices on 802.1x ports:
-> aaa authentication mac rad1 rad2
Note that the same RADIUS servers can be used for 802.1x (supplicant) and MAC (non-supplicant)
authentication. Using different servers for each type of authentication is allowed but not required.
For more information about using MAC authentication and classifying non-supplicant devices, see
“Authentication and Classification” on page 34-13 and “Configuring Access Guardian Policies” on
page 34-22.
Enabling 802.1X on Ports
To enable 802.1X on a port, use the vlan port 802.1x command. The port must also be configured as a
mobile port.
To Next Page
Loading...
