Configuring Access Guardian Access Guardian Overview
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-14
For non-supplicant authentication, the client MAC address is sent as the username and password. The 
administrator can configure the password and username on the authentication server as the MAC 
address of the client. The calling-station-ID and accounting-session-ID are also sent for authentication. All 
of these IDs can be in uppercase or lowercase.
• Internal Captive Portal authentication. 
Internal Captive Portal authentication is a configurable option for a UNP profile that is applied after a 
user is initially assigned to that profile (after the initial 802.1X or MAC authentication or classification 
process). Captive Portal provides a secondary level of authentication that is used to apply a new role 
(QoS policy list) to the user. This type of authentication may change the profile assignment for the user 
device.
When a user is classified into a profile that has the Captive Portal option enabled, a Web page is 
presented to the user device to prompt the user to enter login credentials. The credentials are then 
authenticated through a RADIUS server. If the authentication process results in a new policy list or 
new profile, that policy list or profile is applied to the user device. If a policy list or profile is not 
assigned or authentication fails, the policy list associated with the initial profile is used to define the 
network access role for the user.
• External Captive Portal authentication.
External Captive Portal authentication is provided through the OmniSwitch Bring Your Own Device 
(BYOD) solution. Access Guardian, through the UNP port and profile framework, redirects user device 
traffic to the Unified Policy Access Manager (UPAM) server or the ClearPass Policy Manager (CPPM) 
server for Guest Access using the UPAM or CPPM Guest module. 
802.1X and MAC authentication are Layer 2 mechanisms that are configured and invoked at the port 
level. A UNP port is enabled with either 802.1X, MAC, or both types of authentication. Devices 
connected to UNP ports undergo the type of authentication configured on the port. 
Internal and external Captive Portal authentication are Layer 3 mechanisms that are invoked through the 
UNP profile configuration. Devices connected to UNP ports initially undergo Layer 2 authentication 
and/or classification at the port level to determine an initial UNP profile assignment. Then, based on the 
profile settings, the user may be redirected for Layer 3 authentication.
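The following Python model is an added example, not OmniSwitch code or configuration. It traces the internal Captive Portal outcome described above: a failed login, or one that returns nothing, leaves the user on the initial profile's policy list, so that list is effectively pre-authentication access. Profile and policy list names are constructed, and the handling of a reply that carries both a profile and a policy list is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Profile:
    name: str
    policy_list: str              # role (QoS policy list) tied to the profile
    captive_portal: bool = False  # internal Captive Portal option on the profile

@dataclass(frozen=True)
class PortalResult:
    """Outcome of the RADIUS check behind the Captive Portal login page."""
    accepted: bool
    policy_list: Optional[str] = None  # new policy list returned, if any
    profile: Optional[str] = None      # new profile returned, if any

# Constructed sample profiles; all names are hypothetical.
PROFILES = {
    "guest-onboard": Profile("guest-onboard", "pl-restricted", captive_portal=True),
    "employee": Profile("employee", "pl-corp"),
}

def resolve_role(initial: str, portal: Optional[PortalResult]) -> tuple[str, str]:
    """Return (profile, policy_list) in effect after the Layer 3 stage.

    `initial` is the profile assigned by Layer 2 authentication or
    classification at the port level.
    """
    prof = PROFILES[initial]
    # Option disabled on the profile, no login attempt, or login failed:
    # the policy list of the initial profile defines the role.
    if not prof.captive_portal or portal is None or not portal.accepted:
        return prof.name, prof.policy_list
    # A returned profile replaces the initial assignment.
    # Assumption: an unknown profile name is ignored.
    if portal.profile in PROFILES:
        prof = PROFILES[portal.profile]
    # Assumption: an explicitly returned policy list wins over the profile's own.
    return prof.name, portal.policy_list or prof.policy_list

def fallback_roles() -> dict[str, str]:
    """Policy lists users keep when portal login fails; review as pre-auth access."""
    return {p.name: p.policy_list for p in PROFILES.values() if p.captive_portal}
```

Reviewing the output of `fallback_roles()` against the intended guest restrictions shows which policy lists an unauthenticated portal user can still reach.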
The authentication functionality provided allows the administrator to assign the appropriate method of 
authentication. Multiple authentication methods for multiple users (many users or different types of users, 
such as IP phones) are supported on the same port. 
Device Classification
Successful device authentication can result in a UNP profile assignment for the user device. However, if 
authentication is not available or does not return a profile name for whatever reason, the following 
additional UNP device classification methods are available to determine the profile assignment for the 
user device:
• UNP classification rules. Switch-wide classification rules to classify users based on port and device 
attributes (for example, source MAC, domain ID, IP address). Classification rules are associated with 
profiles and are applied to traffic received on UNP-enabled ports. When any of the traffic matches one 
of the classification rules, the user device is dynamically assigned to the matching profile.
• Alternate pass UNP. A UNP associated with a UNP port to which traffic is assigned when successful 
802.1X or MAC authentication does not return a UNP name.