Configuring Access Guardian Policies Configuring Access Guardian
page 34-30 OmniSwitch AOS Release 6 Network Configuration Guide September 2009
Configuring the Captive Portal Policy
The Captive Portal device classification policy is similar to supplicant and non-supplicant policies in that it
determines the VLAN assignment for devices that were not assigned a VLAN through authentication or
for devices that failed 802.1x or MAC authentication. The difference is that the Captive Portal policy is
only invoked as a result of web-based authentication; supplicant and non-supplicant policies are triggered
off of 802.1x port-based authentication.
Web-based authentication is configured by specifying Captive Portal as a pass or fail case for port-based
supplicant and non-supplicant policies (see “Configuring Supplicant Policies” on page 34-23 and
“Configuring Non-supplicant Policies” on page 34-26 for more information). When the web-based authentication
process is complete, the Captive Portal policy classifies the device into a specific VLAN based on the
results of that process.
When 802.1x is enabled for a port, a default supplicant, non-supplicant, and Captive Portal policy is
automatically configured for the port. The default Captive Portal policy assigns a device to the default VLAN
for the port if authentication was successful but did not return a VLAN ID, or blocks a device on the port if
the device failed authentication. As a result, it is only necessary to change the policy if the default pass and
fail cases are not sufficient.
To change the Captive Portal policy configuration, use the 802.1x captive-portal policy authentication
command. The following keywords are available with this command to specify one or more policies for
classifying devices.
Captive Portal keywords:
group-mobility
user-network-profile
vlan
default-vlan
block
pass
fail

Note the following when configuring Captive Portal policies:
• The captive-portal parameter is not an option with this type of policy, as it is not possible to nest
Captive Portal policies. In addition, the captive-portal parameter is used only in supplicant and
non-supplicant policies to invoke web-based authentication, not to classify a device for VLAN assignment.

Supplicant Policy Command Example | Description

802.1x 3/10 non-supplicant policy vlan 43 block
  No authentication process is performed, but the following classification still occurs:
  1 If VLAN 43 exists and is not an authenticated VLAN, then the device is assigned to VLAN 43.
  2 If VLAN 43 does not exist or is an authenticated VLAN, then the device is blocked from
    accessing the switch on port 3/10.

802.1x 1/10 non-supplicant policy user-network-profile Engineering block
  No authentication process is performed, but the following classification still occurs:
  1 The “Engineering” UNP is applied.
  2 If applying the UNP fails, the user is blocked from accessing the switch on port 1/10.
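The ordered fall-through described in the table rows and the pass/fail cases of the Captive Portal policy can be checked offline with a small model. This is an added example, not code from the guide or the switch software. It assumes a full command line with a slot/port (by analogy with the non-supplicant commands in the table), a hypothetical `SWITCH` state dictionary, that a failed UNP apply means the profile is undefined, and an "unclassified" placeholder outcome for a chain that never reaches a terminal keyword.

```python
# Added example: simplified model of policy-chain evaluation; semantics beyond the page's table are assumed.
NO_ARG = {"group-mobility", "default-vlan", "block"}
WITH_ARG = {"vlan", "user-network-profile"}

def parse_captive_portal_policy(line):
    """Return (port, {"pass": [...], "fail": [...]}) for one command line."""
    tok = line.split()
    if tok[:1] != ["802.1x"] or tok[2:5] != ["captive-portal", "policy", "authentication"]:
        raise ValueError("not a Captive Portal policy command")
    chains, case, i = {"pass": [], "fail": []}, None, 5
    while i < len(tok):
        kw = tok[i]
        if kw in chains:
            case = kw
        elif kw == "captive-portal":
            raise ValueError("captive-portal cannot be nested in this policy")
        elif case is None:
            raise ValueError("keyword before pass/fail: " + kw)
        elif kw in WITH_ARG and i + 1 < len(tok):
            chains[case].append((kw, tok[i + 1]))
            i += 1
        elif kw in NO_ARG:
            chains[case].append((kw, None))
        else:
            raise ValueError("unknown or incomplete keyword: " + kw)
        i += 1
    return tok[1], chains

def classify(chain, switch):
    """Walk one chain in order; first applicable outcome wins (group-mobility is not modelled)."""
    for kw, arg in chain:
        # vlan: the VLAN must exist and must not be an authenticated VLAN.
        if kw == "vlan" and arg in switch["vlans"] and arg not in switch["auth_vlans"]:
            return ("vlan", arg)
        # user-network-profile: a failed apply is modelled as an undefined profile.
        if kw == "user-network-profile" and arg in switch["unps"]:
            return ("unp", arg)
        if kw == "default-vlan":
            return ("vlan", switch["default_vlan"])
        if kw == "block":
            return ("block", None)
    return ("unclassified", None)

# Constructed sample state and command line (not taken from a real switch).
SWITCH = {"vlans": {"1", "43"}, "auth_vlans": {"43"}, "unps": {"Engineering"}, "default_vlan": "1"}
SAMPLE = "802.1x 3/10 captive-portal policy authentication pass vlan 43 default-vlan fail block"
if __name__ == "__main__":
    port, chains = parse_captive_portal_policy(SAMPLE)
    print(port, {c: classify(chains[c], SWITCH) for c in chains})
```

Running the same chains against a copy of the planned VLAN and UNP inventory shows, before deployment, which keyword actually decides the outcome for a passed or failed device.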