Configuring Access Guardian Access Guardian Application Examples
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-107
-> qos quarantine mac-group bad-macs
Make sure the name of this group on the OmniSwitch matches the group name used by OVQM.
3 The Quarantine MAC address group is populated from the same group located on an LDAP server.
However, it is also possible to manually add MAC addresses to the MAC address group on the switch.
-> policy mac group Quarantined 00:9a:2d:00:00:10
4 Apply the QoS configuration so that the MAC group name change (Step 2) and the manual MAC address
changes (Step 3) take effect on the switch.
-> qos apply
5 Add the IP address and subnet of the remediation server to a list of allowed IP addresses using the qmr
quarantine allowed-name command. The allowed IP list specifies IP network addresses that a device is
allowed to communicate with while in a quarantined state.
-> qmr quarantine allowed-name it-helpdesk 10.1.1.0 ip-mask 255.255.255.0
6 Create the path to the remediation server using the qmr quarantine path command.
-> qmr quarantine path www.remediate.com
7 If there is no quarantine path to redirect to, use the qmr quarantine page command to direct the
switch to send a quarantine page to inform the user of the quarantined state.
-> qmr quarantine page enable
For more information about the QMR feature, see “Using Quarantine Manager and Remediation” on
page 28-93.
UNP Profile - Time Policy
A time-based policy is associated with a UNP profile to define a validity period during which the profile
applies a role (policy list) to the user. When a user classified into the UNP profile violates the validity
period, the user is moved into an Unauthorized role.
There is a built-in policy list associated with the Unauthorized role that can be replaced with a
user-defined policy list. The following OmniSwitch configuration demonstrates assigning a different role to a
user in an Unauthorized state, as well as an example of configuring time-based policies:
1 Create different validity periods as required. Different validity periods can be defined and assigned to
different UNP profiles.
-> unp policy validity-period employee-shift-time days monday tuesday wednesday thursday friday timezone PST hours 6:00 TO 18:00
-> unp policy validity-period guest-time days Monday tuesday wednesday thursday friday saturday sunday timezone PST hours 9:00 TO 18:00
2 Assign the time policies created in Step 1 to an existing UNP profile.
-> unp profile UNP-employee period-policy employee-shift-time
-> unp profile UNP-guest period-policy guest-time
3 Assign a new policy list to replace the built-in policy list for the Unauthorized role.
-> unp restricted-role unauthorized policy-list unauthorized-time
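The following added example (not from the guide and not vendor code) models Steps 1 and 2 offline: it parses the validity-period and period-policy commands and reports whether a user in a profile would keep the profile role or fall into the Unauthorized role at a given time. Assumptions: PST is a fixed UTC-8 offset, both ends of the hours range are inclusive, and the label "profile-role" is a hypothetical name for the role the profile normally applies.

```python
# Added example (not vendor code): models the validity-period commands above.
import re
from datetime import datetime, time, timedelta, timezone

# Assumption: "PST" is a fixed UTC-8 offset; daylight saving is not modelled.
ZONES = {"PST": timezone(timedelta(hours=-8), "PST")}
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
PERIOD = re.compile(r"unp policy validity-period (\S+) days (.+) timezone (\S+) "
                    r"hours (\d{1,2}):(\d{2}) TO (\d{1,2}):(\d{2})$", re.I)
BINDING = re.compile(r"unp profile (\S+) period-policy (\S+)$", re.I)

# Constructed input: the commands from Steps 1 and 2, with wrapped lines.
CONFIG = """
-> unp policy validity-period employee-shift-time days monday tuesday wednesday
thursday friday timezone PST hours 6:00 TO 18:00
-> unp policy validity-period guest-time days Monday tuesday wednesday thursday
friday saturday sunday timezone PST hours 9:00 TO 18:00
-> unp profile UNP-employee period-policy employee-shift-time
-> unp profile UNP-guest period-policy guest-time
"""

def parse(config):
    """Return (periods, bindings); commands are split on the '->' prompt."""
    periods, bindings = {}, {}
    for cmd in (" ".join(c.split()) for c in config.split("->") if c.strip()):
        if m := PERIOD.match(cmd):
            name, days, tz, h1, m1, h2, m2 = m.groups()
            day_set = set(days.lower().split())
            if day_set - set(DAYS) or tz.upper() not in ZONES:
                raise ValueError(f"unsupported day or timezone in: {cmd}")
            periods[name] = (day_set, ZONES[tz.upper()],
                             time(int(h1), int(m1)), time(int(h2), int(m2)))
        elif m := BINDING.match(cmd):
            bindings[m.group(1)] = m.group(2)
    return periods, bindings

def role_at(profile, when_utc, periods, bindings):
    """Return 'profile-role' inside the validity period, else 'Unauthorized'."""
    name = bindings.get(profile)
    if name is None:
        return "profile-role"  # no time policy bound to this profile
    days, tz, start, end = periods[name]  # KeyError flags a dangling binding
    local = when_utc.astimezone(tz)  # evaluate in the policy's own timezone
    # Assumption: both ends of the hours range are inclusive.
    inside = DAYS[local.weekday()] in days and start <= local.time() <= end
    return "profile-role" if inside else "Unauthorized"

if __name__ == "__main__":
    periods, bindings = parse(CONFIG)
    saturday_noon_pst = datetime(2017, 12, 16, 20, 0, tzinfo=timezone.utc)
    for profile in bindings:
        print(profile, role_at(profile, saturday_noon_pst, periods, bindings))
```

Running the same check against timestamps pulled from authentication logs shows which sessions the time policy would have moved to the Unauthorized role, which is useful when validating a new validity period before assigning it to a profile.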