Role-Based Access - Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual

Configuring Access Guardian
Default UNP. A UNP associated with a UNP port to which traffic is assigned when other authentication or classification attempts fail to provide a profile name.

Trust VLAN tag. Configured on a UNP port to specify whether or not to trust the VLAN tag of the packets received on the port. If this option is enabled and the VLAN tag matches an existing VLAN in the switch configuration, the traffic is assigned to that VLAN when other authentication or classification attempts fail to provide a profile name.

Authentication server down UNP. A global UNP that provides a temporary profile for devices unable to authenticate because the RADIUS server is unreachable. This profile is associated with a timer that determines how long the device remains in the temporary profile before authentication is attempted again.

Enabling 802.1X and/or MAC authentication on UNP ports is optional; an administrator may decide to use UNP classification rules instead. When enabled, however, the authentication method takes precedence over classification methods.
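The profile-assignment order described above, modelled as an added Python example (not AOS code or CLI from this guide): authentication when it is enabled, the authentication-server-down UNP with its retry timer, then classification rules, a trusted VLAN tag and the default UNP. The class names, MAC addresses and RADIUS behaviour are constructed for the model, and it assumes that a trusted tag is honoured before the default UNP.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Outcomes of a RADIUS attempt (constructed labels for this model).
PASS, FAIL, SERVER_DOWN = "pass", "fail", "server-down"

@dataclass
class UnpPort:
    auth_enabled: bool                     # 802.1X and/or MAC authentication on the port
    rules: dict                            # UNP classification rules: {mac: profile name}
    default_unp: Optional[str] = None      # default UNP for the port
    trust_tag: bool = False                # trust the packet VLAN tag if that VLAN exists

@dataclass
class Switch:
    vlans: set                             # VLAN IDs in the switch configuration
    radius: Callable[[str], tuple]         # mac -> (outcome, profile name or None)
    server_down_unp: Optional[str] = None  # global authentication-server-down UNP
    server_down_timer: int = 60            # seconds until authentication is retried

def assign_unp(switch, port, mac, vlan_tag, now):
    """Return (mechanism, assignment, retry_at) for a device seen on a UNP port."""
    if port.auth_enabled:                  # authentication outranks classification
        outcome, profile = switch.radius(mac)
        if outcome == PASS and profile:
            return ("authentication", profile, None)
        if outcome == SERVER_DOWN and switch.server_down_unp:
            # Temporary profile; authentication is retried when the timer expires.
            return ("auth-server-down", switch.server_down_unp,
                    now + switch.server_down_timer)
        # FAIL, or no profile name returned: fall through to classification.
    profile = port.rules.get(mac)
    if profile:
        return ("classification", profile, None)
    if port.trust_tag and vlan_tag in switch.vlans:
        # Assumption: a trusted tag is honoured before the default UNP.
        # This is a VLAN assignment, not a profile name.
        return ("trust-tag", vlan_tag, None)
    if port.default_unp:
        return ("default-unp", port.default_unp, None)
    return ("no-profile", None, None)      # the page does not say what happens here

# Constructed RADIUS behaviour: a reachable server that knows two MACs, and an
# unreachable one that never answers.
RADIUS_DB = {"00:11:22:33:44:55": (PASS, "employee"),
             "aa:bb:cc:dd:ee:ff": (FAIL, None)}
def radius_up(mac):   return RADIUS_DB.get(mac, (FAIL, None))
def radius_down(mac): return (SERVER_DOWN, None)
```

Calling assign_unp with radius_down in place of radius_up shows the device parked in the server-down UNP with a retry time, while a port created with auth_enabled=False skips RADIUS entirely and goes straight to classification.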

Role-based Access

When a user is authenticated and/or classified into a UNP profile, the initial role of that user is determined by whether or not there is a QoS policy list associated with the profile.

If there is no policy list available, then the user has full access to the switch and network resources as provided through the profile VLAN or service domain to which the user was assigned.

If a policy list is available, then the QoS policy rules associated with that list are applied to the port and traffic of the user device.

Access Guardian provides the following post-authentication and post-classification mechanisms for dynamically changing the role (QoS policy list) applied to a user device.
Internal Captive Portal. User undergoes a secondary authentication process through Captive Portal Web-based authentication. Successful Captive Portal authentication applies the QoS policy list returned from the RADIUS server or specified in the Captive Portal authentication pass configuration. The newly obtained policy list overrides the policy list associated with the profile to which the device was initially assigned. The outcome of this process may also change the profile assignment for the user device. See "Using Captive Portal Authentication" on page 28-76 for more information.

Location and Time Policies. When a user classified into a UNP profile violates a location-based or time-based policy that is associated with the profile, a built-in unauthorized restricted role is applied to that user. The restricted role overrides the policy list associated with the profile.

Built-in Restricted Roles. When one of the built-in restricted roles is applied to a user device, an implicit QoS policy list associated with that role is applied to that device instead of the UNP profile policy list. A custom policy list can be associated with a restricted role to override the built-in role.

User-defined Roles. When the state of a device matches specific conditions configured for a user-defined role, an explicit QoS policy list that is associated with this type of role is applied to the device instead of the UNP profile policy list.

Built-in Restricted Roles

The following types of built-in roles are applied to the user device based on the state of the Access Guardian user:

OmniSwitch AOS Release 8 Network Configuration Guide, December 2017, Access Guardian Overview, page 28-15
