Alcatel-Lucent 6850-48 Network Guide
Configuring Access Guardian
Configuring Access Guardian Policies
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
The following table provides examples of policies that were incorrectly configured and a description of
the problem:
Note that if no policies are configured on an 802.1x port, access from non-supplicant devices is blocked
and the following default classification policy is applied to supplicant devices:
1. 802.1x authentication via remote RADIUS server is attempted.
2. If authentication fails or successful authentication returns a VLAN ID that does not exist, the device is
blocked.
3. If authentication is successful and returns a VLAN ID that exists in the switch configuration, the
supplicant is assigned to that VLAN.
4. If authentication is successful but does not return a VLAN ID, Group Mobility checks if there are any
VLAN rules or User Network Profile mobile rules that will classify the supplicant.
5. If Group Mobility classification fails, the supplicant is assigned to the default VLAN ID for the 802.1x
port.
Configuring Supplicant Policies
Supplicant policies are used to classify 802.1x devices connected to 802.1x-enabled switch ports when
802.1x authentication does not return a VLAN ID or authentication fails. To configure supplicant policies, use the
available with this command to specify policy options for classifying devices:
If no policy keywords are specified with this command (for example, 802.1x 1/10 supplicant policy
authentication), then supplicants are blocked if 802.1x authentication fails or does not return a VLAN ID.
Note that the order in which parameters are configured determines the order in which they are applied. For
example, the following commands apply Group Mobility rules at different times during the classification
process:
-> 802.1x 2/12 supplicant policy authentication pass group-mobility vlan 10 block fail vlan 10 default-vlan
| Incorrect Policy Command | Problem |
|---|---|
| 802.1x 1/45 supplicant policy authentication pass group-mobility vlan 200 group-mobility fail block | The group-mobility option is specified more than once as a pass condition. |
| 802.1x 1/24 non-supplicant policy authentication pass vlan 20 vlan 30 vlan 40 vlan 50 fail block | More than three VLAN ID options are specified in the same command. |
supplicant policy keywords:
group-mobility
user-network-profile
vlan
default-vlan
block
captive-portal
pass
fail
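
The two mistakes in the incorrect-policy table can be caught before a command reaches the switch. The following is an added example, not part of the guide or of AOS: a small Python linter that splits a policy command into its ordered pass and fail options and reports those two problems. The function names are hypothetical, and it assumes that any non-keyword token is the argument of the option before it and that options written before an explicit pass or fail keyword are pass conditions.

```python
# Added example, not from the guide: lint 802.1x policy commands.
KEYWORDS = {"group-mobility", "user-network-profile", "vlan",
            "default-vlan", "block", "captive-portal"}
MAX_VLANS = 3  # the table rejects a command with more than three VLAN IDs


def parse_policy(command):
    """Return {'pass': [...], 'fail': [...]}, options in configured order.

    Assumptions: a token that is not a keyword is the argument of the option
    before it (as in 'vlan 10'); options written before an explicit pass/fail
    keyword count as pass conditions.
    """
    tokens = command.replace("->", " ").split()
    if "authentication" not in tokens:
        raise ValueError("not a policy authentication command")
    branches = {"pass": [], "fail": []}
    current = "pass"
    for tok in tokens[tokens.index("authentication") + 1:]:
        if tok in branches:
            current = tok
        elif tok in KEYWORDS:
            branches[current].append((tok, None))
        elif branches[current] and branches[current][-1][1] is None:
            branches[current][-1] = (branches[current][-1][0], tok)
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return branches


def lint_policy(command):
    """Return the problems from the incorrect-policy table found in command."""
    branches = parse_policy(command)
    problems = []
    for name, options in branches.items():
        if [kw for kw, _ in options].count("group-mobility") > 1:
            problems.append(f"group-mobility specified more than once as a {name} condition")
    vlans = sum(kw == "vlan" for opts in branches.values() for kw, _ in opts)
    if vlans > MAX_VLANS:
        problems.append(f"{vlans} VLAN ID options in one command (limit {MAX_VLANS})")
    return problems


if __name__ == "__main__":
    # Valid example from this page: print its ordered options and findings.
    cmd = "802.1x 2/12 supplicant policy authentication pass group-mobility vlan 10 block fail vlan 10 default-vlan"
    print(parse_policy(cmd), lint_policy(cmd) or "ok")
```

Because the parsed lists keep the configured order, they also show the sequence in which the switch would apply each option on the pass and fail branches.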