Alcatel-Lucent 6850-48 Network Guide

Access Guardian Overview
Configuring Access Guardian
page 34-16
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
configurable option for Access Guardian device classification policies. See 
 for more information.
In addition to configuring the UNP, the HIC feature requires the configuration of global HIC parameters to 
enable the feature for the switch, identify the HIC server, and specify a server exception list. The HIC 
exception list identifies servers, such as the Web-based agent download server or a remediation server, that 
the host device is allowed access to during the verification process. 
The InfoExpress compliance agents are used by the host device to interact with the CyberGatekeeper 
server. The desktop agent is installed on the device. If the desktop agent is not installed, then the switch 
redirects the user’s Web browser to a download server to obtain the Web-based agent.
The CyberGatekeeper server is configured with information that defines the criteria a host device must 
have installed to achieve compliance with network access requirements. The InfoExpress Policy Manager 
is used to define such criteria. Additional servers are configured to provide the Web-based agent and any 
remediation functions required to update the end user device.
Note. The HIC feature is not available unless the feature is enabled for the switch. This is true even if HIC 
servers are configured for the switch or the HIC attribute is enabled for a profile. See 
 for more information.
How it Works
The Access Guardian HIC process is triggered when a device initially connects to an 802.1X port and a 
device classification policy for that port applies a HIC-enabled UNP to the device. The host device is then 
granted limited access to the network; only DHCP, DNS, ARP, and any IP traffic between the host and 
any HIC-related servers is allowed. During this time, the host invokes the HIC compliance agent (desktop 
or Web-based) to complete the verification process.
If the HIC server determines the host is compliant, the host is then granted the appropriate access to the 
network. If the HIC server determines the host is not compliant, the host’s network access remains 
restricted to the HIC-related servers and any other remediation servers that can provide the host with the 
necessary updates to achieve compliance. 
This integrated solution to provide device integrity verification is also "always-on". The HIC agent 
continues to check the integrity of the host device as long as the device remains connected to the switch. If the 
compliance agent detects a violation of the security policies or the agent itself is disabled or terminated, 
the HIC server will notify the switch to limit the network access for that device.
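The restricted-access rule set and the state transitions just described, as an added Python model that is not Alcatel-Lucent code: the `HicEnforcer` class, the per-host record and the sample server addresses are assumptions used for illustration; on the switch this logic lives in the HIC-enabled UNP, the HIC exception list and the hardware filters.

```python
"""Switch-side HIC enforcement, modelled (illustrative assumption, not AOS code)."""
from dataclasses import dataclass, field

# Protocols a quarantined host may always use (DHCP, DNS, ARP per the guide).
RESTRICTED_PROTOS = {"DHCP", "DNS", "ARP"}


@dataclass
class Host:
    mac: str
    compliant: bool = False  # a newly classified HIC host starts restricted


@dataclass
class HicEnforcer:
    hic_server: str                                   # CyberGatekeeper address
    exception_list: set = field(default_factory=set)  # agent download / remediation servers
    hosts: dict = field(default_factory=dict)

    def connect(self, mac: str) -> Host:
        # A device classification policy applied a HIC-enabled UNP: quarantine it.
        self.hosts[mac] = Host(mac)
        return self.hosts[mac]

    def allowed(self, mac: str, proto: str, dst_ip: str) -> bool:
        """Decide whether one packet from `mac` may be forwarded."""
        host = self.hosts.get(mac)
        if host is None:
            return False                # not classified into a HIC UNP: no decision here
        if host.compliant:
            return True                 # full access according to the UNP
        if proto in RESTRICTED_PROTOS:
            return True                 # bootstrap traffic is always permitted
        # Only IP traffic to the HIC server or an exception-list server passes.
        return proto == "IP" and dst_ip in self.exception_list | {self.hic_server}

    def verdict(self, mac: str, compliant: bool) -> bool:
        # Result sent by the HIC server. A later policy violation, or the agent
        # being disabled or terminated, arrives as compliant=False and re-restricts
        # the host ("always-on" behaviour). Returns the new state.
        self.hosts[mac].compliant = compliant
        return compliant
```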
User Network Profiles (Role-Based Access)
A User Network Profile (UNP) defines network access controls for one or more user devices. Each device 
that is assigned to a specific profile is granted network access based on the profile criteria, instead of on an 
individual MAC address, IP address, or port. 
Assigning users to a profile provides greater flexibility and scalability across the network. Administrators 
can use profiles to group users according to function. All users assigned to the same UNP become 
members of that profile group. The UNP then determines what network access resources are available to a 
group of users, regardless of source subnet, VLAN or other characteristics. 
A User Network Profile consists of the following attributes: