Unp Profiles - Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual

Configuring Access Guardian
Internal Captive Portal pre-login role—applied when a user is classified into a UNP profile that has
the Captive Portal flag enabled. While in this pre-login state, only DHCP, DNS, ARP, and ICMP
traffic from the user device is allowed. In addition, HTTP/HTTPS traffic is trapped and redirected to
the internal Captive Portal server.
Unauthorized role—applied when a user classified into a UNP profile violates the location or time
policies configured for that profile. Traffic from "unauthorized" users is blocked.
QMR role—applied to quarantined MAC addresses. Traffic from quarantined devices is blocked and
HTTP traffic is trapped. When the user opens a browser, HTTP/HTTPS traffic is redirected to a
remediation server, if one is configured for QMR on the switch.
Explicit QoS Policy Lists for Built-in Roles
When an Access Guardian user is placed into one of the built-in restricted roles (unauthorized, Captive
Portal pre-login, or QMR), the QoS policy list associated with that role is applied to the user. However, it
is possible to define and apply an explicit (custom) policy list to a built-in restricted role. When this is
done, the explicit policy list will determine how traffic from the user is controlled.
User-Defined Roles
A user-defined role applies an explicit QoS policy list to an Access Guardian user based on the following
conditions:
The user was classified into a specific UNP profile.
The type of authentication applied to the user device (802.1X, MAC, or none). This condition can also
be defined based on whether or not the user failed 802.1X or MAC authentication.
The user is in a Captive Portal post-login state.
The explicit policy list is not applied to a user unless all of the conditions configured for the user-defined
role are met.
In addition to these conditions, a precedence value is configured for user-defined roles. This value is used
to determine precedence among other user-defined roles. Every time the user context changes for a device,
all the user-defined roles are checked to see if there is a role that matches the current user context.
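As an added illustration of the matching rules above, not code from the manual or from AOS itself: a small Python model of user-defined role evaluation. It assumes that a condition left unset on a role does not restrict the match, that the lowest precedence value wins when several roles match, and uses constructed role, profile and policy-list names.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class UserContext:
    """State of one Access Guardian user device (constructed sample input)."""
    profile: str                    # UNP profile the device was classified into
    auth_type: str                  # "802.1X", "MAC" or "none"
    auth_failed: bool = False       # 802.1X or MAC authentication failed
    cp_post_login: bool = False     # Captive Portal post-login state

@dataclass(frozen=True)
class UserRole:
    """A user-defined role. A condition left as None is not configured
    and therefore does not restrict the match (assumption, not from the manual)."""
    name: str
    policy_list: str
    precedence: int
    profile: Optional[str] = None
    auth_type: Optional[str] = None
    auth_failed: Optional[bool] = None
    cp_post_login: Optional[bool] = None

    def matches(self, ctx: UserContext) -> bool:
        # The explicit policy list applies only when ALL configured conditions hold.
        checks = [
            (self.profile, ctx.profile),
            (self.auth_type, ctx.auth_type),
            (self.auth_failed, ctx.auth_failed),
            (self.cp_post_login, ctx.cp_post_login),
        ]
        return all(want is None or want == have for want, have in checks)

def select_policy_list(roles, ctx: UserContext) -> Optional[str]:
    """Re-check every user-defined role against the current user context and return
    the policy list of the winning role, or None when no role matches.
    Assumption: the lowest precedence value wins among several matching roles."""
    matching = [r for r in roles if r.matches(ctx)]
    if not matching:
        return None
    return min(matching, key=lambda r: r.precedence).policy_list

# Constructed sample roles; names and policy lists are not taken from the manual.
ROLES = [
    UserRole("guest-cp", "guest-list", precedence=20, profile="Guest", cp_post_login=True),
    UserRole("mac-fail", "quarantine-list", precedence=10, auth_type="MAC", auth_failed=True),
    UserRole("staff-dot1x", "staff-list", precedence=30, profile="Staff", auth_type="802.1X"),
]
```

Calling select_policy_list(ROLES, ctx) again after each context change (for example when a Guest device passes the Captive Portal login) reproduces the re-evaluation the text describes.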

UNP Profiles

Access Guardian role-based network access is achieved through the OmniSwitch Universal Network
Profile (UNP) feature. A UNP profile defines network access for one or more user devices. Each device
that is assigned to a specific profile is granted network access based on the profile criteria, instead of on an
individual MAC address, IP address, or port basis.
Assigning users to a profile provides greater flexibility and scalability across the network. Administrators
can use profiles to group users according to function. All users assigned to the same UNP become
members of that profile group. The UNP then determines what network resources are available to a group
of users, regardless of source subnet, VLAN, or other characteristics.
Dynamic assignment of devices to UNP profiles is achieved through UNP port-based functionality that
provides the ability to authenticate and classify device traffic. Device authentication verifies the device
identity and provides a UNP name. In the event authentication is not available or is unsuccessful, the
following steps are triggered to determine the profile assignment:
OmniSwitch AOS Release 8 Network Configuration Guide
December 2017
Access Guardian Overview
page 28-16
