Configuring User Network Profiles Configuring Access Guardian
page 34-40 OmniSwitch AOS Release 6 Network Configuration Guide September 2009
Note that enabling the HIC feature for the switch is not allowed if the HIC server information is not
configured. Check to see if the server configuration exists before attempting to enable this feature.
Use the show aaa hic host command to see a list of host MAC addresses the switch has learned and the
HIC status for each host. The show aaa hic, show aaa hic server, and show aaa hic allowed commands
provide information about the HIC status and configuration for the switch.
For more information about HIC, see “Host Integrity Check (End-User Compliance)” on page 34-15.
Configuring User Network Profiles
User Network Profiles (UNP) are applied to host devices using Access Guardian device classification poli-
cies. However, configuring the profile name and the following associated attributes is required prior to
assigning the profile using device classification policies:
• VLAN ID. All members of the profile group are assigned to the VLAN ID specified by the profile.
• Host Integrity Check (HIC). Enables or disables device integrity verification for all members of the
profile group. See “Host Integrity Check (End-User Compliance)” on page 34-15 for more information.
• QoS policy list name. Specifies the name of an existing list of QoS policy rules. The rules within the
list are applied to all members of the profile group. Only one policy list is allowed per profile, but
multiple profiles may use the same policy list.
To configure a UNP, use the aaa user-network-profile command. For example, the following command
creates the “guest_user” profile to assign devices to VLAN 500, enable HIC, and apply the rules from the
“temp_rules” policy list:
-> aaa user-network-profile name guest_user vlan 500 hic enable policy-list-name
temp_rules
To verify the UNP configuration for the switch, use the show aaa user-network-profile command. For
more information about user profiles, see “User Network Profiles (Role-Based Access)” on page 34-16.
Configuring QoS Policy Lists
One of the attributes of a User Network Profile (UNP) specifies the name of a list of QoS policy rules.
This list is applied to a user device when the device is assigned to the user profile. Using policy lists
allows the administrator to associate a group of users to a set of QoS policy rules.
Configuring the QoS list is required prior to associating the list with a UNP. In addition, the policy rules
must exist before they are assigned to a policy list.
The policy list command is used to group a set of QoS policy rules into a list. For example, the following
commands create two policy rules and associates these rules with the “temp_rules” list:
-> policy condition c1 802.1p 5
-> policy action a1 disposition drop
-> policy rule r1 condition c1 action a1
-> policy condition c2 source ip 10.5.5.0
-> policy action a2 disposition accept
-> policy rule r2 condition c2 action a2
-> policy list temp-rules rules r1 r2 enable
-> qos apply
To Next Page
Loading...
