Alcatel-Lucent OmniSwitch 6860 Series

Configuring Access Guardian Configuring Port-Based Network Access Control
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-44
Modifying Port Templates
Modifying UNP port parameter values that are applied through an existing port template is allowed.
Consider the following guidelines when changing template parameter values:
• Changing any template parameter value automatically applies the new value to all UNP ports to which
the template is assigned. This provides a quick and efficient method for modifying port parameters
across a large number of UNP ports all at once.
• Any attempt to explicitly configure a UNP port parameter for a port that is associated with a custom
template is not allowed. For example, when the explicit command is given to enable classification on
port 1/1/12 but a custom template is already assigned to that port, an error message is displayed:
-> unp port 1/1/12 classification
ERROR: Port Template already enforced on port, please remove it for manual
config on Port
• Explicitly changing a UNP port parameter value for a port to which one of the default templates is
assigned (“bridgeDefaultPortTemplate” or “accessDefaultPortTemplate”) removes the default template
assignment for that port. All port parameter options for that port will then require explicit commands to
change any of the parameter values, until the next time a template is assigned to that port.
For more information about the commands described in this section, see the “Access Guardian
Commands” chapter in the OmniSwitch AOS Release 8 CLI Reference Guide.
Configuring 802.1X Authentication Bypass
When a device is connected to a UNP port that has both 802.1X authentication and MAC authentication
enabled, the switch first attempts to identify and authenticate the device using 802.1X EAP frames. If the
device does not respond to EAP frames sent by the switch after a configurable number of attempts, then
the device is identified as a non-supplicant and undergoes MAC authentication.
In some cases, however, the network administrator may want to apply MAC authentication first to all
devices (supplicant or non-supplicant) connected to the UNP port. In other words, the switch does not
initiate 802.1X authentication; EAP frames are not sent and any EAP frames received are ignored.
The advantage to applying MAC authentication first is that the MAC address of the device is initially
verified (for example, checked against a RADIUS black list). Based on the outcome of the MAC
authentication, the user device is then classified accordingly or can undergo subsequent 802.1X
authentication.
To enforce MAC authentication as the initial authentication method for all devices connected to a UNP
port, an 802.1X bypass operation is provided. In addition, the bypass operation provides configurable
options that are used to specify if subsequent 802.1X authentication is performed on the device based on
the results of MAC authentication.
Configuring 802.1X authentication bypass is done using the unp 802.1x-authentication bypass-8021x
and unp mac-authentication allow-eap commands. The unp 802.1x-authentication bypass-8021x
command enables or disables the bypass operation. The following unp mac-authentication allow-eap
command parameters determine if subsequent 802.1X authentication is attempted on the device after
MAC authentication:
• pass—802.1X authentication is attempted if the device passes the initial MAC authentication. If the
device fails MAC authentication, 802.1X authentication is bypassed (EAP frames are ignored) and the
device is classified as a non-supplicant.
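
The following model is an added example, not code from the guide or from the switch software. It traces the authentication order described above for a UNP port with both methods enabled, with and without the bypass, so the effect on a device whose MAC address is on the deny list can be compared. The names UnpPort and auth_steps, the attempt count of 3, and the MAC addresses are assumptions made for the illustration; only the pass option is modelled.

```python
from dataclasses import dataclass

@dataclass
class UnpPort:
    bypass_8021x: bool = False  # toggled by "unp 802.1x-authentication bypass-8021x"
    allow_eap: str = "pass"     # "unp mac-authentication allow-eap" option; only "pass" is modelled
    eap_attempts: int = 3       # assumed value for the configurable number of attempts

def auth_steps(port, mac, answers_eap, denied_macs):
    """Ordered steps for one device on a UNP port with 802.1X and MAC authentication enabled."""
    mac_result = "fail" if mac.lower() in denied_macs else "pass"
    if not port.bypass_8021x:
        # Default order: EAP first; MAC authentication is only the fallback,
        # so the MAC address of a responding supplicant is never checked here.
        if answers_eap:
            return ["send EAP", "802.1X authentication"]
        return (["send EAP (no response)"] * port.eap_attempts
                + ["identify as non-supplicant", "MAC authentication: " + mac_result])
    if port.allow_eap != "pass":
        raise NotImplementedError("only the 'pass' option is described in this section")
    # Bypass: the switch sends no EAP frames; the MAC verdict decides what follows.
    steps = ["MAC authentication: " + mac_result]
    if mac_result == "pass":
        steps.append("802.1X authentication attempted")
    else:
        steps += ["EAP frames ignored", "classify as non-supplicant"]
    return steps

# Constructed sample data: one denied MAC address standing in for the RADIUS list.
DENIED = {"00:11:22:33:44:55"}
DEVICES = [("00:11:22:33:44:55", True),   # denied MAC, runs a supplicant
           ("aa:bb:cc:dd:ee:01", True),   # allowed MAC, runs a supplicant
           ("aa:bb:cc:dd:ee:02", False)]  # allowed MAC, no supplicant

if __name__ == "__main__":
    for bypass in (False, True):
        port = UnpPort(bypass_8021x=bypass)
        for mac, answers_eap in DEVICES:
            print("bypass" if bypass else "default", mac,
                  auth_steps(port, mac, answers_eap, DENIED))
```
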
