Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual page 815

Configuring Access Guardian
5
Create the required UNP profile and map the profile to VLAN 20.
-> unp profile corporate
-> unp profile corporate map vlan 20
6
Create another UNP profile that will serve as a default profile; map the profile to VLAN 10.
-> unp profile def_unp
-> unp profile def_unp map vlan 10
7
Create an edge template to apply UNP port configuration parameters.
-> unp port-template 802.1X-template
8
Configure the template to enable 802.1X authentication and define an alternate UNP profile to use if
the RADIUS server does not return a UNP profile name upon successful authentication.
-> unp port-template 802.1x-template 802.1x-authentication
-> unp port-template 802.1x-template 802.1x-authentication pass-alternate
corporate
9
Assign the port template to a UNP port.
-> unp port 2/1/1 port-template 802.1x-template
How it Works
In this example, traffic received on the UNP port will trigger the following device authentication process
on the switch:
•
Supplicant device traffic will trigger 802.1 x authentications first.
•
If 802.1X authentication passes, the client is classified into to the "corporate" UNP profile and
assigned to VLAN 20 or classified into the UNP profile returned from RADIUS server.
•
If 802.1X authentication fails and classification is not enabled and a default profile is not assigned, the
MAC address of the user device is filtered (blocked).
•
In this example, MAC authentication and classification are not enabled on the UNP port, so neither
MAC authentication or classification will be triggered for a non-supplicant device. However, a default
UNP profile is configured for the port, so a non-supplicant device will get classified into that profile.
AAA Profile Example
In Application Example 2 (802.1X Authentication), individual CLI commands are used in Steps 1–3 to
configure AAA parameters. However, it is possible to create an AAA profile that defines the AAA server
configuration parameters and assigns these parameters to a profile name. The profile is then assigned to a
UNP port or a UNP port template.
1
Configure the AAA profile name.
-> aaa profile ag-aaa-profile
2
Configure the profile to specify the "alu-authserver" for 802.1X device authentication.
-> aaa profile ag-aaa-profile device-authentication 802.1x "alu-authserver"
OmniSwitch AOS Release 8 Network Configuration Guide
Access Guardian Application Examples
December 2017 page 28-98