Alcatel-Lucent 6850-48 Guida Di Rete

Pagina di 1162
Configuring Access Guardian
Setting Up Port-Based Network Access Control
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 34-21
Setting Up Port-Based Network Access Control
For port-based network access control, 802.1X must be enabled for the switch and the switch must know 
which servers to use for authenticating 802.1X supplicants and non-supplicants. 
In addition, 802.1X must be enabled on each port that is connected to a n 802.1X supplicant (or device). 
Optional parameters may be set for each 802.1X port.
The following sections describe these procedures in detail.
Setting 802.1X Switch Parameters
Use th
 command to enable 802.1X for the switch and specify an authentica-
tion server (or servers) to be used for authenticating 802.1X ports. The servers must already be configured 
through the 
 command. An example of specifying authentication servers for authenticat-
ing all 802.1X ports on the switch:
-> aaa authentication 802.1x rad1 rad2
In this example, the rad1 server will be used for authenticating 802.1X ports. If rad1 becomes unavail-
able, the switch will use rad2 for 802.1X authentication. When this command is used, 802.1X is automati-
cally enabled for the switch.
If the Radius servers are not reachable a default policy can be configured, all users attempting to authenti-
cate will be assigned to the configured policy as shown below: 
-> 802.1x auth-server-down enable
-> 802.1x auth-server-down policy user-network-profile
For more information on configuring policies see 
 and the 
 command.
Enabling MAC Authentication 
Use th
 command to enable MAC authentication for the switch and specify an 
authentication server (or servers) to be used for authenticating non-supplicants on 802.1x ports. As with 
enabling 802.1x authentication, the servers specified with this command must already be configured 
through the 
The following example command specifies authentication servers for authenticating non-supplicant 
devices on 802.1x ports:
-> aaa authentication mac rad1 rad2
Note that the same RADIUS servers can be used for 802.1x (supplicant) and MAC (non-supplicant) 
authentication. Using different servers for each type of authentication is allowed but not required.
For more information about using MAC authentication and classifying non-supplicant devices, see 
.
Enabling 802.1X on Ports
To enable 802.1X on a port, use the 
 command. The port must also be configured as a 
mobile port.