Configuring Access Guardian Access Guardian Overview
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-13
3 Role-Based Access—Once a profile is assigned to a device through authentication or classification, 
that profile defines the role of the device in the network. The role assigned to a device determines 
which network resources the device is allowed to access. See “Role-based Access” on page 28-15 for 
more information.
4 Restrict or Block—Steps 1, 2, and 3 of the Access Guardian process may result in a restricted role or 
even blocking network access for a specific device. Re-authentication and remediation methods are 
available for such devices.
The Access Guardian feature is implemented through the following switch-based functionality:
• MAC-based and 802.1X-based authentication using a RADIUS-capable server.
• Internal Captive Portal for Web-based authentication. Provides dynamic role change for the user 
device.
• The Universal Network Profile (UNP) framework to provide network access control and Quality of 
Service (QoS) on a per-user basis.
• Switch-wide UNP classification rules to classify users based on port and device attributes (for 
example, source MAC, domain ID, IP address). No authentication required.
• Default UNP classification for traffic not classified through other methods.
• Integration with the Unified Policy Access Manager (UPAM) or the ClearPass Policy Manager 
(CPPM) as part of the OmniSwitch Bring Your Own Device (BYOD) network access solution. 
This chapter documents the functionality of the Access Guardian feature and how it is configured on the 
OmniSwitch. 
Device Authentication
Physical devices attached to a LAN port on the switch through a point-to-point LAN connection can be 
authenticated through the switch using port-based network access control. This control is available 
through the Universal Network Profile (UNP) feature implemented on the switch. 
Access Guardian uses the UNP feature to provide configurable authentication and classification 
mechanisms for both 802.1X clients (supplicants) and non-802.1X clients (non-supplicants). The 
following options for authentication are available:
• 802.1X authentication for supplicants.
Uses the Extensible Authentication Protocol (EAP) between the end device (supplicant) and the switch, 
which acts as the network access server (NAS) and relays the EAP exchange to a RADIUS server that 
authenticates the supplicant. If the RADIUS server returns a UNP name, the supplicant is assigned to 
that UNP. If a UNP name is not returned or authentication fails, then the UNP port and classification 
rule configuration provides the network access control for the supplicant.
• MAC-based authentication for non-supplicants. 
MAC-based authentication does not require any agent or special protocol on the non-supplicant device; 
the source MAC address of the device is verified through a RADIUS server. The switch sends a RADIUS 
Access-Request to the server with the source MAC address as the value of both the User-Name and 
User-Password attributes. If the server returns a UNP name, the non-supplicant is assigned to that 
profile. If a UNP name is not returned or authentication fails, then the UNP port and classification 
rule configuration provides the network access control for the non-supplicant. Note that the MAC 
address is both the identity and the credential here, so this method offers no protection against a 
device that spoofs an authorized MAC address.
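The following is an added example, not code from this guide or from the OmniSwitch software. It models the MAC-based exchange described above as a minimal RFC 2865 RADIUS Access-Request/Access-Accept conversation, with both the switch (NAS) side and the server side, and then applies the fallback order the text gives for both supplicants and non-supplicants: UNP name returned by RADIUS, else a matching classification rule, else the port's default UNP. Assumed here, because the page does not state them: the UNP name travels in the Filter-Id attribute (type 11), the MAC is sent as a colon-separated string, the classification rules are plain predicates on the MAC, and the server's allow-list is a constructed dictionary.

```python
"""Added example (not from the OmniSwitch guide): RFC 2865 RADIUS exchange for
MAC-based authentication plus the switch's UNP fallback decision.
Assumptions: UNP name carried in Filter-Id (11), MAC sent as 'aa:bb:cc:dd:ee:ff',
server allow-list is a dict {mac: unp_name_or_None}."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11   # RFC 2865 attribute types


def _attrs_encode(attrs):
    """Serialise [(type, value_bytes)] as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _attrs_decode(data):
    """Parse TLVs back into [(type, value_bytes)]; reject truncated attributes."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        t, length = data[i], data[i + 1]
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def pap_obfuscate(password, secret, req_auth):
    """RFC 2865 section 5.2 User-Password hiding: NUL-pad to a multiple of 16,
    XOR each block with MD5(secret + previous block), seeded by the Request
    Authenticator. Note this is obfuscation, not encryption of any strength."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden, secret, req_auth):
    """Inverse of pap_obfuscate (the chain is keyed on the hidden blocks)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def _packet(code, ident, authenticator, attrs):
    body = _attrs_encode(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def switch_mac_auth_request(mac, secret, ident=1, req_auth=None):
    """NAS side: Access-Request with the source MAC as both User-Name and
    User-Password. Returns (packet, request_authenticator) for later checking."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(USER_NAME, mac.encode()),
             (USER_PASSWORD, pap_obfuscate(mac.encode(), secret, req_auth))]
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(packet, secret, mac_to_unp):
    """Server side. The only checks possible are that User-Password equals
    User-Name and that the MAC is on the (constructed) allow-list; a value of
    None accepts the MAC without returning a profile name."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(_attrs_decode(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = pap_reveal(attrs.get(USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    ok = code == ACCESS_REQUEST and user == pw and user in mac_to_unp
    resp_attrs = [(FILTER_ID, mac_to_unp[user].encode())] if ok and mac_to_unp[user] else []
    body = _attrs_encode(resp_attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def switch_decide_unp(mac, response, secret, req_auth, port_unp=None, rules=()):
    """NAS side: verify the reply was produced with the shared secret, then apply
    the fallback order from the text: UNP returned by RADIUS, else the first
    matching classification rule [(predicate(mac), unp)], else the port default.
    Returns (unp_name_or_None, source)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    head, resp_auth, body = response[:4], response[4:20], response[20:length]
    expected = hashlib.md5(head + req_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: reply dropped")
    if code == ACCESS_ACCEPT:
        for t, v in _attrs_decode(body):
            if t == FILTER_ID:
                return v.decode(), "radius"
    for predicate, unp in rules:
        if predicate(mac):
            return unp, "classification-rule"
    return port_unp, "port-default"
```

A real NAS additionally matches the reply's Identifier and source address against the outstanding request; that bookkeeping is left out here. The server-side function makes the security property of MAC authentication explicit: with nothing but the MAC on both sides, the server can only confirm that the two attributes agree and that the address is on its list, which is why the text's classification rules and port default profile still matter after an Accept with no profile name, or after a Reject.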