Configuring Access Guardian Configuring Port-Based Network Access Control
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-63
Dynamically Changing the Policy List Assignment (User Role)
The QoS policy list assigned to a UNP profile determines the initial role (network access) for a user device
classified into the profile. This role can be dynamically changed for the user through the Captive Portal
authentication mechanism, when a different policy list is returned for the user from a RADIUS, Unified
Policy Access Manager (UPAM), or ClearPass Policy Manager (CPPM) server, or when the user is placed
into a Captive Portal pre-login, unauthorized, or quarantined state.
Configuring an Explicit Policy List
When the switch assigns a user device to one of the restricted role states (unauthorized, Quarantine
Manager, or Captive Portal pre-login), a built-in policy list associated with the restricted role is applied to
the user. To override the built-in policy list with an explicitly configured policy list, use the unp
restricted-role policy-list command. For example:
-> unp restricted-role unauthorized policy-list unauth1
-> unp restricted-role qmr policy-list quarantined1
-> unp restricted-role cp-prelogin policy-list cplogin1
When an explicit policy list assignment is removed, the switch reverts to the built-in policy list
associated with that restricted role state.
Use the show unp restricted-role command to display the explicit policy list configuration for restricted
roles. For example:
-> show unp restricted-role
Role name      Qos Policy List Name
------------+------------------------
UNAUTHORIZED   qlist-bad
QMR            qlist-qmr
CP PRE-LOGIN   qlist-cp
Total Restricted Role Count: 3
Configuring a User-defined Role
A user-defined role is used to define a list of conditions that a device must match and a QoS policy list
name that is applied to devices matching the specified conditions. When the current context of a user
device matches all of the role conditions, then the policy list associated with the role is applied to the
device.
Only one user-defined role per user is allowed because only one QoS policy list per user is allowed.
However, every time the user context changes for a device, all the user-defined roles are checked to see if
there is a role that matches the current user context.
A user-defined role consists of the following components:
• A role name.
• A precedence value used to determine precedence among other user-defined roles. The valid
precedence range is 1 (lowest) through 255 (highest).
• One or more of the following conditions:
– The name of a UNP profile to which the user must belong.
– The device is not authenticated.
– The type of authentication (802.1X or MAC) the device successfully passed or failed.
– The device is in a Captive Portal post-login state.
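The two lookups described in this section, the explicit-versus-built-in policy list for a restricted role and the precedence-based match of user-defined roles against a device context, modelled as an added Python example (not code from the OmniSwitch guide or AOS itself). The built-in list names, the condition key names and the tie-break rule are assumptions.

```python
# Added example (not from the OmniSwitch guide): a model of the two lookups
# described above. Built-in list names, condition keys and tie rule are assumed.
from dataclasses import dataclass, field

# Built-in policy lists the switch applies to restricted roles; the names are
# constructed placeholders, since the real built-in names are not on this page.
BUILT_IN_LISTS = {"unauthorized": "<built-in-unauth>",
                  "qmr": "<built-in-qmr>",
                  "cp-prelogin": "<built-in-cp-prelogin>"}

def restricted_role_policy_list(state, explicit):
    """Return the list applied in a restricted state: the explicitly configured
    list ('unp restricted-role <state> policy-list ...') if present, else the
    built-in one, so deleting the explicit entry reverts to the built-in list."""
    if state not in BUILT_IN_LISTS:
        raise ValueError(f"not a restricted role state: {state}")
    return explicit.get(state, BUILT_IN_LISTS[state])

@dataclass
class UserRole:
    name: str
    precedence: int          # 1 (lowest) .. 255 (highest)
    policy_list: str
    conditions: dict = field(default_factory=dict)  # every condition must match

    def matches(self, ctx):
        # Condition keys such as 'profile', 'authenticated', 'auth_type',
        # 'auth_result', 'cp_postlogin' are assumed names for the device context.
        return all(ctx.get(k) == v for k, v in self.conditions.items())

def select_user_role(ctx, roles):
    """Check every user-defined role against the current device context and
    return the matching role with the highest precedence (assumption: ties are
    broken by role name so the result is deterministic); None if no role matches."""
    for r in roles:
        if not 1 <= r.precedence <= 255:
            raise ValueError(f"precedence out of range for role {r.name}")
    hits = [r for r in roles if r.matches(ctx)]
    return max(hits, key=lambda r: (r.precedence, r.name)) if hits else None

# Constructed sample roles for the demonstration.
ROLES = [
    UserRole("guest-mac-ok", 10, "qlist-guest",
             {"profile": "guest-unp", "auth_type": "mac", "auth_result": "pass"}),
    UserRole("guest-postlogin", 50, "qlist-cp-done",
             {"profile": "guest-unp", "cp_postlogin": True}),
    UserRole("unauth-any", 5, "qlist-unauth", {"authenticated": False}),
]
```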