
Alcatel-Lucent OmniSwitch 6860 Series

1078 pages
Configuring Access Guardian Configuring Port-Based Network Access Control
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-45
• fail—802.1X authentication is attempted if the device fails the initial MAC authentication. If the
  device passes MAC authentication, 802.1X authentication is bypassed (EAP frames are ignored) and
  the device is classified as a non-supplicant.
• noauth—802.1X authentication is automatically attempted if there is no MAC authentication available
  for the port.
Configuration Guidelines
Consider the following guidelines before configuring 802.1X authentication bypass:
• The 802.1X bypass operation is only supported on UNP ports with 802.1X authentication enabled. See
  “Configuring UNP Port-Based Functionality” on page 28-38 for more information about configuring
  the access control mode.
• If a port has supplicants connected and 802.1X bypass is enabled for that port, the supplicants are
  automatically logged off to undergo authentication according to the enabled bypass configuration.
• When the 802.1X bypass configuration is modified or disabled, any non-supplicant devices are
  automatically logged off the port. This frees up those devices to undergo the authentication
  specified by the new bypass configuration.
• If re-authentication is configured for the UNP port and 802.1X bypass is enabled, MAC
  authentication followed by 802.1X authentication is initially performed as configured. However, only
  802.1X authentication is performed during the re-authentication process, so there is no recheck to see if
  the MAC address of the user device is restricted.
• Enabling 802.1X bypass is not allowed on UNP ports that are configured with an 802.1X failure policy.
• When successful MAC authentication returns a UNP and the 802.1X bypass operation is configured to
  initiate 802.1X authentication when a device passes MAC authentication, the device is not moved into
  that UNP. Instead, the device is moved into the UNP returned by 802.1X authentication. If 802.1X
  authentication does not provide such information, the device is moved based on the UNP port-based
  configuration.
• When 802.1X bypass is enabled, the port remains in a waiting state after MAC authentication until
  the 802.1X authentication process completes.
• When 802.1X bypass is enabled but the allow EAP option is not configured, subsequent 802.1X
  authentication is not performed. Only the initial MAC authentication is performed and the device is
  classified as a non-supplicant.
Configuration Example: 802.1X Bypass with MAC Authentication Fail Policy
The following CLI configuration example enables 802.1X authentication bypass on port 2/1 and triggers
subsequent 802.1X authentication if the initial MAC authentication process fails:
-> unp port 2/1 802.1x-authentication bypass-802.1x
-> unp port 2/1 mac-authentication allow-eap fail
In this example, the Access Guardian authentication process for a device connected to UNP port 2/1 is as
follows:
• MAC authentication is triggered when the first frame from the new user is received, whether it is an
  EAP frame or not.
• EAP frames for this user are ignored until MAC authentication completes (RADIUS returns an
  Access-Accept or an Access-Reject response).
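
The guidelines and example above lend themselves to a configuration check. The following Python code is an added example, not part of the Alcatel-Lucent guide: it parses only the two "unp port" command forms shown in this section and reports, for each bypass-enabled port, which of the behaviours described here applies. The function names, the finding labels, and ports 2/2 through 2/4 in the sample are constructed for illustration.

```python
import re

# Recognises only the two command forms shown in this section. The optional
# "-> " prefix is the CLI prompt as printed in the guide.
CMD = re.compile(
    r"^(?:->\s*)?unp port (?P<port>\S+) "
    r"(?:(?P<bypass>802\.1x-authentication bypass-802\.1x)"
    r"|mac-authentication allow-eap (?P<mode>\S+))\s*$")

# Finding labels are hypothetical names chosen for this example.
FINDING = {
    None: "MAC_ONLY",                    # no allow-eap: only MAC auth ever runs
    "fail": "DOT1X_ONLY_ON_MAC_FAIL",    # MAC pass skips 802.1X (EAP ignored)
    "noauth": "DOT1X_WHEN_NO_MAC_AUTH",  # 802.1X if no MAC auth is available
}

def parse_unp(config_text):
    """Return {port: {"bypass": bool, "allow_eap": str or None}}."""
    ports = {}
    for raw in config_text.splitlines():
        m = CMD.match(raw.strip())
        if not m:
            continue  # line is not one of the two recognised commands
        cfg = ports.setdefault(m["port"], {"bypass": False, "allow_eap": None})
        if m["bypass"]:
            cfg["bypass"] = True
        else:
            cfg["allow_eap"] = m["mode"]
    return ports

def audit_bypass(config_text):
    """Map each bypass-enabled port to the behaviour this section describes."""
    return {
        port: FINDING.get(cfg["allow_eap"], "MODE_NOT_COVERED_HERE")
        for port, cfg in sorted(parse_unp(config_text).items())
        if cfg["bypass"]
    }

# Constructed sample: port 2/1 is the guide's example, the rest are made up.
SAMPLE = """\
-> unp port 2/1 802.1x-authentication bypass-802.1x
-> unp port 2/1 mac-authentication allow-eap fail
-> unp port 2/2 802.1x-authentication bypass-802.1x
-> unp port 2/3 802.1x-authentication bypass-802.1x
-> unp port 2/3 mac-authentication allow-eap noauth
-> unp port 2/4 mac-authentication allow-eap fail
"""
```

Ports reported as MAC_ONLY or DOT1X_ONLY_ON_MAC_FAIL are the ones where a device can be classified as a non-supplicant on the strength of MAC authentication alone, so they are the ones to review first.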
