Configuring Access Guardian Policies - Alcatel OmniSwitch 6600 Family Network Configuration Manual


Configuring Access Guardian Policies

Configuring 802.1X (OmniSwitch 6600 Family Network Configuration Guide, April 2006, page 22-14)

The Access Guardian provides functionality that allows the configuration of 802.1x device classification policies for supplicants (802.1x clients) and non-supplicants (non-802.1x clients). See "Using Access Guardian Policies" on page 22-8 for more information.

Configuring device classification policies is only supported on mobile, 802.1x enabled ports. In addition, the port control status for the port must allow auto authorization. See "Setting Up Port-Based Network Access Control" on page 22-10 for specific information about how to enable 802.1x functionality on a port.

As described in "Using Access Guardian Policies" on page 22-8, there are several types of policies that when combined together create either a supplicant or non-supplicant compound policy. Consider the following when configuring compound policies:

A single policy can only appear once for a pass condition and once for a failed condition in a compound policy.
Up to three VLAN ID policies are allowed within the same compound policy, as long as the ID number is different for each instance specified (e.g., vlan 20 vlan 30 vlan 40).
Compound policies must terminate. The last policy must result in either blocking the device or assigning the device to the default VLAN. If a terminal policy is not specified then the block policy is used by default.
The order in which policies are configured determines the order in which the policies are applied.

The following table provides examples of policies that were incorrectly configured and a description of the problem:

| Incorrect Policy Command | Problem |
|---|---|
| 802.1x 1/45 supplicant policy authentication pass group-mobility vlan 200 group-mobility fail block | The group-mobility policy is specified more than once as a pass condition. |
| 802.1x 1/24 non-supplicant policy authentication pass vlan 20 vlan 30 vlan 40 vlan 50 fail block | More than three VLAN ID policies are specified in the same command. |

Note that if no policies are configured on an 802.1x port, non-supplicants are blocked on the port and the following classification process is performed for supplicants by default:

1. 802.1x authentication via remote RADIUS server is attempted.
2. If authentication fails or successful authentication returns a VLAN ID that does not exist, the device is blocked.
3. If authentication is successful and returns a VLAN ID that exists in the switch configuration, supplicant is assigned to that VLAN.
4. If authentication is successful but does not return a VLAN ID, Group Mobility rules are checked for classification.
5. If Group Mobility classification fails, the supplicant is assigned to the default VLAN ID for the 802.1x port.
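
The compound policy rules and the two incorrect commands from the table can be checked mechanically before a command is pushed to a switch. The following Python linter is an added example, not code from the Alcatel manual or the switch software; the function names, the third sample command, the default-vlan keyword spelling, and the choice to count VLAN ID policies across the pass and fail branches together are assumptions.

```python
import re

TERMINAL = {"block", "default-vlan"}  # "default-vlan" keyword spelling is an assumption
SIMPLE = TERMINAL | {"group-mobility"}
CMD = re.compile(r"802\.1x \d+/\d+ (?:non-)?supplicant policy authentication\b(.*)")

def parse(cmd):
    """Return {'pass': [...], 'fail': [...]} policy lists, in configured order."""
    m = CMD.match(" ".join(cmd.split()))  # collapse runs of whitespace first
    if not m:
        raise ValueError("not an Access Guardian policy command")
    branches, current = {"pass": [], "fail": []}, None
    for tok in re.findall(r"vlan \d+|\S+", m.group(1)):
        if tok in branches:
            current = tok
        elif current and (tok in SIMPLE or tok.startswith("vlan ")):
            branches[current].append(tok)
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return branches

def check(cmd):
    """List violations of the compound-policy rules; an empty list means none found."""
    branches, problems = parse(cmd), []
    for name, policies in branches.items():
        for p in sorted(set(policies)):
            if policies.count(p) > 1:
                problems.append(f"{p} appears more than once as a {name} condition")
    # Counted across pass and fail together (assumed reading of "same compound policy").
    vlans = [p for ps in branches.values() for p in ps if p.startswith("vlan ")]
    if len(vlans) > 3:
        problems.append(f"{len(vlans)} VLAN ID policies specified; at most three are allowed")
    return problems

def effective(cmd):
    """Order of application; a branch with no terminal policy ends in an implicit block."""
    return {n: ps if ps and ps[-1] in TERMINAL else ps + ["block"]
            for n, ps in parse(cmd).items()}

SAMPLES = [  # first two are the manual's incorrect commands; the third is constructed
    "802.1x 1/45 supplicant policy authentication pass group-mobility vlan 200 group-mobility fail block",
    "802.1x 1/24 non-supplicant policy authentication pass vlan 20 vlan 30 vlan 40 vlan 50 fail block",
    "802.1x 1/10 supplicant policy authentication pass vlan 20 vlan 30 fail vlan 40",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check(s) or effective(s))
```

For the constructed third command the linter reports no violations, and effective() shows the block policy that the switch applies when neither branch names a terminal policy.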
