Configuring Access Guardian Configuring Access Guardian Policies
OmniSwitch AOS Release 6 Network Configuration Guide September 2009 page 34-23
The table further below (Incorrect Policy Command / Problem) provides examples of policies that were incorrectly configured and a description of the problem.
Note that if no policies are configured on an 802.1x port, access from non-supplicant devices is blocked and the following default classification policy is applied to supplicant devices:
1. 802.1x authentication via remote RADIUS server is attempted.
2. If authentication fails or successful authentication returns a VLAN ID that does not exist, the device is blocked.
3. If authentication is successful and returns a VLAN ID that exists in the switch configuration, the supplicant is assigned to that VLAN.
4. If authentication is successful but does not return a VLAN ID, Group Mobility checks if there are any VLAN rules or User Network Profile mobile rules that will classify the supplicant.
5. If Group Mobility classification fails, the supplicant is assigned to the default VLAN ID for the 802.1x port.
Configuring Supplicant Policies
Supplicant policies are used to classify 802.1x devices connected to 802.1x-enabled switch ports when 802.1x authentication does not return a VLAN ID or authentication fails. To configure supplicant policies, use the 802.1x supplicant policy authentication command. The following parameter keywords are available with this command to specify policy options for classifying devices:
If no policy keywords are specified with this command (for example, 802.1x 1/10 supplicant policy
authentication), then supplicants are blocked if 802.1x authentication fails or does not return a VLAN ID.
Note that the order in which parameters are configured determines the order in which they are applied. For example, the following commands apply Group Mobility rules at different times during the classification process:
-> 802.1x 2/12 supplicant policy authentication pass group-mobility vlan 10 block fail vlan 10 default-vlan
Incorrect Policy Command: 802.1x 1/45 supplicant policy authentication pass group-mobility vlan 200 group-mobility fail block
Problem: The group-mobility option is specified more than once as a pass condition.

Incorrect Policy Command: 802.1x 1/24 non-supplicant policy authentication pass vlan 20 vlan 30 vlan 40 vlan 50 fail block
Problem: More than three VLAN ID options are specified in the same command.
supplicant policy keywords
group-mobility
user-network-profile
vlan
default-vlan
block
captive-portal
pass
fail
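
The two misconfigurations in the Incorrect Policy Command table can be caught before a command is pushed to a switch. The following Python lint is an added example, not code from this guide or from the switch vendor: it splits a policy command into its ordered pass and fail chains and reports the two problems described on this page. It assumes that options given before any pass/fail keyword belong to the pass chain and that user-network-profile is followed by a profile name; the function names are hypothetical.

```python
import re

# Policy option keywords listed on this page.
KEYWORDS = {"group-mobility", "user-network-profile", "vlan",
            "default-vlan", "block", "captive-portal"}
# vlan takes a VLAN ID (as on this page); a profile-name argument is an assumption.
TAKES_ARG = {"vlan", "user-network-profile"}

def parse_policy(command):
    """Return the ordered pass/fail option chains of a policy command."""
    m = re.search(r"policy authentication\b(.*)", command, re.S)
    if not m:
        raise ValueError("not an 802.1x policy authentication command")
    tokens = m.group(1).split()
    chains = {"pass": [], "fail": []}
    current = "pass"  # assumption: options before any pass/fail keyword are pass options
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in chains:
            current = tok
        elif tok in TAKES_ARG:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} is missing its argument")
            chains[current].append((tok, tokens[i + 1]))
            i += 1
        elif tok in KEYWORDS:
            chains[current].append((tok, None))
        else:
            raise ValueError(f"unknown policy keyword: {tok}")
        i += 1
    return chains

def lint_policy(command):
    """Report the two misconfigurations described in the table on this page."""
    chains = parse_policy(command)
    problems = []
    if [k for k, _ in chains["pass"]].count("group-mobility") > 1:
        problems.append("group-mobility specified more than once as a pass condition")
    vlan_ids = [a for chain in chains.values() for k, a in chain if k == "vlan"]
    if len(vlan_ids) > 3:
        problems.append("more than three VLAN ID options in the same command")
    return problems

# The valid command and the two incorrect commands shown on this page.
GOOD = "-> 802.1x 2/12 supplicant policy authentication pass group-mobility vlan 10 block fail vlan 10 default-vlan"
BAD_GM = "802.1x 1/45 supplicant policy authentication pass group-mobility vlan 200 group-mobility fail block"
BAD_VLAN = "802.1x 1/24 non-supplicant policy authentication pass vlan 20 vlan 30 vlan 40 vlan 50 fail block"
```

Because parse_policy keeps each chain in the order written, its output also shows the classification order a command will apply, which is the point of the ordering note above.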