Configuring Access Guardian Configuring Port-Based Network Access Control
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-53
• Profile location and time period policies are configurable on the switch or on the RADIUS server. If
the policies are configured on both the switch and the RADIUS server, then the switch policies take
precedence.
• Captive Portal authentication is applied as a post-authentication and/or post-classification mechanism
to devices assigned to the UNP profile. Captive Portal provides a Web-based authentication
mechanism to dynamically change the role-based access (policy list) for a user. See “Using Captive
Portal Authentication” on page 28-76 for more information.
• UNP profile redirection for BYOD is automatically made available to devices assigned to a
VLAN-mapped profile based on the status of Captive Portal authentication for the profile:
– When Captive Portal authentication is disabled (the default), BYOD redirection is automatically
triggered when the initial device authentication process returns the "Alcatel-Redirect-URL"
attribute. See “Bring Your Own Devices (BYOD) Overview” on page 28-115 for more information.
– When Captive Portal authentication is enabled, internal Captive Portal is enforced and BYOD
redirection is not available.
• To ensure proper BYOD redirection for devices classified into a UNP VLAN-mapped profile,
configure the redirection server as the preferred server through AAA commands for MAC and 802.1X
authentication. See “Setting Authentication Parameters for the Switch” on page 28-32 for more
information.
• The maximum ingress bandwidth, egress bandwidth, and depth attribute values are applied to the port
of a user device that is classified into the specified profile.
– If multiple user devices are classified into different profiles but learned on the same UNP port, the
profile bandwidth values that were applied for the last user learned are applied on the port.
Parameter values applied through previously learned users are overwritten.
– Bandwidth parameter values are not applied to UNP link aggregates that are assigned to the profile.
• UNP classification rules can be defined for a UNP profile to provide an additional method for
assigning a device into a profile. If authentication is not available or does not return a profile name,
classification rules are applied to determine the profile assignment. See “Configuring UNP
Classification Rules” on page 28-65 for more information.
• A UNP profile can be configured as a default profile for a UNP port. If authentication and
classification do not return a profile name, the device is then assigned to the default profile associated
with the UNP port on which the device was learned. See “Configuring UNP Port Parameters” on
page 28-38 for more information.
UNP profile attributes are configurable at the time a profile is created or for a profile that already exists.
For example, the following command creates a new “guest” profile with a QoS policy list and enables the
authentication flag and internal Captive Portal authentication:
-> unp profile guest qos-policy-list qlist1 authentication-flag captive-portal-authentication
The next command example modifies the “guest” profile to disable the authentication flag:
-> unp profile guest no authentication-flag
The above command only changes the authentication flag status; the QoS policy list assignment and the
internal Captive Portal status remain unchanged for the “guest” profile.
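The following Python model is an added example, not part of the guide and not switch code. It illustrates two behaviors from the bullets above: the profile assignment order (authentication result, then classification rules, then the UNP port default profile) and the overwriting of port bandwidth values by the last user learned. The MAC-prefix rule format, profile names, bandwidth values, and port numbers are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    ingress_bw: str   # constructed values such as "2M"
    egress_bw: str

def resolve_profile(auth_profile, mac, class_rules, port_default):
    """Pick a profile in the order the guide describes; returns (name, source)."""
    if auth_profile:                      # authentication returned a profile name
        return auth_profile, "authentication"
    for prefix, name in class_rules:      # assumption: rule = MAC prefix -> profile
        if mac.lower().startswith(prefix.lower()):
            return name, "classification"
    if port_default:                      # default profile of the UNP port
        return port_default, "port-default"
    return None, "unassigned"

def audit_port_bandwidth(learn_events, profiles):
    """learn_events: (port, mac, profile_name) tuples, oldest first.
    Returns {port: (effective_profile_name, [MACs whose own limits were overwritten])}."""
    users, effective = {}, {}
    for port, mac, pname in learn_events:
        users.setdefault(port, []).append((mac, pname))
        effective[port] = profiles[pname]  # last learned user overwrites the port values
    report = {}
    for port, eff in effective.items():
        limits = (eff.ingress_bw, eff.egress_bw)
        overwritten = [mac for mac, pname in users[port]
                       if (profiles[pname].ingress_bw, profiles[pname].egress_bw) != limits]
        report[port] = (eff.name, overwritten)
    return report

# Constructed sample data (not taken from a real switch).
PROFILES = {"guest": Profile("guest", "2M", "2M"),
            "employee": Profile("employee", "100M", "100M")}
RULES = [("00:11:22", "employee")]
EVENTS = [("1/1/5", "de:ad:be:ef:00:01", "guest"),
          ("1/1/5", "00:11:22:aa:bb:cc", "employee"),
          ("1/1/6", "00:11:22:dd:ee:ff", "employee")]

if __name__ == "__main__":
    print(resolve_profile(None, "00:11:22:aa:bb:cc", RULES, "guest"))
    for port, (eff, macs) in audit_port_bandwidth(EVENTS, PROFILES).items():
        print(port, "effective:", eff, "overwritten:", macs)
```

In the sample, port 1/1/5 ends up with the "employee" limits even though a "guest" device is also learned there, which is the case to look for when a restrictive profile shares a UNP port with a more permissive one.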