Configuring Access Guardian Quick Steps for Configuring Access Guardian
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-10
Quick Steps for Configuring Access Guardian
The following procedure provides a brief tutorial for setting up the OmniSwitch implementation of Access
Guardian network access control. For additional configuration tutorials, see “Access Guardian Application
Examples” on page 28-95 and “Quick Steps for Configuring Captive Portal Authentication” on
page 28-78.
1 Configure the RADIUS server to use for device authentication (802.1X, MAC, or Captive Portal). For
example, the following commands define the RADIUS server for MAC device authentication:
-> aaa radius-server rad1_mac host 10.135.60.44 hash-key secret retransmit 3 timeout 2 auth-port 1812 acct-port 1813
-> aaa device-authentication mac rad1_mac
2 Configure the RADIUS server with the IP address of the OmniSwitch and the same shared secret that
was assigned through the AAA RADIUS server configuration in Step 1.
3 Add the user name and password details in the RADIUS server.
4 Enable the MAC authentication session timer to determine the amount of time the user session remains
active after a successful login (the default time is set to 12 hours). For example:
-> aaa mac session-timeout enable
5 Configure a UNP profile to which user devices will be assigned. Profile attribute values are applied to
devices that are associated with the profile. For example, the following commands create the
“na_employee” profile and assign the QoS policy list “naEmpList” to the profile. QoS policy rules
contained in the “naEmpList” list are applied to traffic assigned to the “na_employee” profile.
-> unp profile na_employee
-> unp profile na_employee qos-policy-list naEmpList
The QoS policy list name specified in the above example must already exist in the switch
configuration. See “UNP Profile Attributes” on page 28-18 for more information about assigning a
QoS policy list and other configurable options for a UNP profile.
6 Configure an additional UNP profile that will serve as a default profile for UNP port configuration. For
example, the following command creates the “def_unp” profile that is configured as a default profile for
UNP ports configured in Step 10:
-> unp profile def_unp
7 Configure a VLAN or service mapping for the profiles created in Step 5 and Step 6. Devices that are
assigned to a profile will automatically become members of the VLAN or service that is mapped to the
profile. For example, the following commands map VLAN 100 to the “na_employee” profile and VLAN
200 to the “def_unp” profile:
-> unp profile map na_employee vlan 100
-> unp profile map def_unp vlan 200
See “UNP Profile Mapping” on page 28-17 for more information about assigning a VLAN or service
parameters to a UNP profile.
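Steps 1 through 7 create names that later commands depend on: the RADIUS server used for MAC authentication, the QoS policy list attached to a profile, and the VLAN mapping each profile needs. The following Python script is an added example, not part of the original guide or of AOS; it audits a saved list of these commands for references that were never defined. The sample configuration is constructed, and the `policy list <name>` line it treats as the QoS list definition is an assumed form that does not appear on this page.

```python
import re

# Constructed sample: the Step 1-7 commands as typed, except that the QoS
# policy list is never created and def_unp has no VLAN mapping.
SAMPLE_CONFIG = """\
-> aaa radius-server rad1_mac host 10.135.60.44 hash-key secret retransmit 3 timeout 2 auth-port 1812 acct-port 1813
-> aaa device-authentication mac rad1_mac
-> aaa mac session-timeout enable
-> unp profile na_employee
-> unp profile na_employee qos-policy-list naEmpList
-> unp profile def_unp
-> unp profile map na_employee vlan 100
"""

def audit(config):
    """Return findings for names that Steps 1-7 reference but never define."""
    servers, auth_refs = set(), []
    profiles, mapped = set(), set()
    qos_lists, qos_refs = set(), []
    for raw in config.splitlines():
        # Drop the CLI prompt and any quoting around names.
        line = re.sub(r"^\s*->\s*", "", raw).strip().replace('"', "")
        if m := re.match(r"aaa radius-server (\S+) host ", line):
            servers.add(m[1])
        elif m := re.match(r"aaa device-authentication (\S+) (.+)", line):
            auth_refs += [(m[1], s) for s in m[2].split()]
        elif m := re.match(r"unp profile map (\S+) \S+", line):
            mapped.add(m[1])            # must precede the generic profile match
        elif m := re.match(r"unp profile (\S+)(.*)", line):
            profiles.add(m[1])
            if q := re.search(r"qos-policy-list (\S+)", m[2]):
                qos_refs.append((m[1], q[1]))
        elif m := re.match(r"policy list (\S+)", line):
            qos_lists.add(m[1])         # assumed form of the list definition
    findings = []
    for kind, server in auth_refs:
        if server not in servers:
            findings.append(f"{kind} authentication uses undefined RADIUS server {server}")
    for profile, qos in qos_refs:
        if qos not in qos_lists:
            findings.append(f"profile {profile} references missing QoS policy list {qos}")
    for profile in sorted(profiles - mapped):
        findings.append(f"profile {profile} has no VLAN or service mapping")
    for profile in sorted(mapped - profiles):
        findings.append(f"mapping refers to undefined profile {profile}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```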
8 Configure UNP classification rules that will identify the device traffic to assign to a specific profile.
For example, the following command creates a MAC address range rule for profile “na_employee”. Any
user device with a source MAC address that falls within the specified range is assigned to the profile.