Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual page 822

OmniSwitch AOS Release 8

Configuring Access Guardian
8 Map the default UNP profile to VLAN 10.
-> unp profile def_unp map vlan 10
9 Create a UNP port template to pre-define and apply configuration parameters to the UNP port.
-> unp port-template voice-template
10 Set the default profile parameter for the port template to "def_unp".
-> unp port-template voice-template default-profile def_unp
11 Set the MAC and 802.1X authentication parameters to "enable" for the port template. A pass-alternate UNP profile can also be defined for the template, to be applied when the RADIUS server does not return a UNP profile name after 802.1X or MAC authentication passes.
-> unp port-template voice-template mac-authentication
-> unp port-template voice-template 802.1x-authentication
-> unp port-template voice-template mac-authentication pass-alternate corporate
-> unp port-template voice-template 802.1x-authentication pass-alternate profile corporate
12 Assign the port template to a UNP port.
-> unp port 3/1/1-2 port-template voice-template
13 Enable LLDP IP Phone classification.
-> unp classification lldp med-endpoint ip-phone profile1 corporate-voice
14 Configure LLDP on the port.
-> lldp port 3/1/1-2 lldpdu tx-and-rx
-> lldp network-policy 1 application voice vlan 40 l2-priority 6
-> lldp port 3/1/1-2 med network-policy 1
How it Works
The expected traffic flow for this application example is as follows:
EAP frames are the first frames sent by the IP phone on link up. The EAP frames are untagged.
If the IP phone is a supplicant, 802.1X authentication is initiated. If the phone is a non-supplicant, MAC authentication is initiated.
If the RADIUS server is configured to return the correct UNP profile name for the voice device, then that profile is applied when the device passes authentication.
If the RADIUS server is not configured to return the UNP profile name, then the 802.1X or MAC authentication pass-alternate UNP profile is applied. Mobile tagging is enabled for the authentication pass-alternate UNP profile.
If 802.1X authentication fails, the device is blocked. If MAC authentication fails, the device must be enabled for LLDP IP phone classification.
The VLAN assigned after the authentication and classification pass should be the same VLAN referred to in the configuration steps for this application example: the VLAN in the LLDP Network TLV advertisement and the VLAN associated with the UNP profile assigned to the IP phone. This VLAN should also be tagged on the UNP port, so that the traffic to or from the IP phone can be tagged.
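The VLAN consistency requirement above can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the Alcatel-Lucent manual: the helper names are hypothetical, and the `corporate-voice` VLAN mapping line in the sample is an assumption, since the steps that create that profile are not shown on this page.

```python
import re

# Constructed sample in the syntax of steps 8-14. The second line is an ASSUMPTION:
# the voice profile's VLAN mapping comes from earlier steps not shown on this page.
SAMPLE = """\
-> unp profile def_unp map vlan 10
-> unp profile corporate-voice map vlan 40
-> unp classification lldp med-endpoint ip-phone profile1 corporate-voice
-> lldp network-policy 1 application voice vlan 40 l2-priority 6
-> lldp port 3/1/1-2 med network-policy 1
"""

def _find(pattern, config):
    # Match one command per line, tolerating the "-> " CLI prompt.
    return re.findall(r"^(?:->\s*)?" + pattern, config, re.M)

def audit_voice_vlan(config):
    """Return findings (hypothetical helper); an empty list means consistent."""
    profile_vlan = dict(_find(r"unp profile (\S+) map vlan (\d+)", config))
    policy_vlan = dict(_find(r"lldp network-policy (\d+) application voice vlan (\d+)", config))
    bound = set(_find(r"lldp port \S+ med network-policy (\d+)", config))
    phones = _find(r"unp classification lldp med-endpoint ip-phone profile1 (\S+)", config)

    findings = []
    if not phones:
        findings.append("no LLDP IP phone classification rule")
    for pid in sorted(bound - policy_vlan.keys()):
        findings.append(f"network-policy {pid} is bound to a port but has no voice VLAN")
    # VLANs actually advertised to phones: policies that are defined and bound to a port.
    advertised = {policy_vlan[p] for p in bound & policy_vlan.keys()}
    if not advertised:
        findings.append("no voice network-policy is advertised on any port")
    for prof in phones:
        vlan = profile_vlan.get(prof)
        if vlan is None:
            findings.append(f"profile {prof} is not mapped to a VLAN")
        elif advertised and vlan not in advertised:
            findings.append(f"profile {prof} maps to VLAN {vlan}, LLDP advertises {sorted(advertised)}")
    return findings

if __name__ == "__main__":
    for line in audit_voice_vlan(SAMPLE) or ["voice VLAN is consistent"]:
        print(line)
```

A mismatch reported here means the phone would tag traffic for one VLAN while its UNP profile places it in another, which is the condition the last paragraph above rules out.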
OmniSwitch AOS Release 8 Network Configuration Guide
Access Guardian Application Examples
December 2017
page 28-105
