Alcatel-Lucent 6850-48 Network Guide

Configuring Access Guardian Policies
Configuring Access Guardian
page 34-26
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
Configuring Non-supplicant Policies
Non-supplicant policies are used to classify non-802.1x devices connected to 802.1x-enabled switch ports. 
There are two types of non-supplicant policies. One type uses MAC authentication to verify the 
non-802.1x device. The second type does not perform any authentication and limits device assignment only to 
those VLANs that are not authenticated VLANs.
To configure a non-supplicant policy that will perform MAC authentication, use the 
 command. The following parameter keywords are available with this 
command to specify one or more policy options for classifying devices:
The order in which parameters are configured determines the order in which they are applied. 
For example, the following commands apply Group Mobility rules at different times during the classification 
process:
-> 802.1x 2/12 non-supplicant policy authentication pass group-mobility vlan 10 block fail vlan 10 default-vlan
-> 802.1x 2/12 non-supplicant policy authentication pass vlan 10 group-mobility block fail vlan 10 default-vlan
The first command in the above example checks Group Mobility rules first and then checks for VLAN 10. 
The second command checks for VLAN 10 first and then checks Group Mobility rules. 
Use the pass keyword to specify which options to apply when 802.1x authentication is successful but does 
not return a VLAN ID. Use the fail keyword to specify which options to apply when 802.1x authentication 
fails or returns a VLAN ID that does not exist. The pass keyword is implied and therefore an optional 
keyword. If the fail keyword is not used, the default action is to block the device. 
Use the pass keyword to specify which options to apply when MAC authentication is successful but does 
not return a VLAN ID. Use the fail keyword to specify which options to apply when MAC authentication 
fails. The pass keyword is implied and therefore an optional keyword. If the fail keyword is not used, the 
default action is to block the device when authentication fails. 
Note. When a policy option is configured as a fail condition, device classification is restricted to assigning 
supplicant devices to VLANs that are not authenticated VLANs.
supplicant policy keywords:
group-mobility, user-network-profile, vlan, default-vlan, block, captive-portal, pass, fail
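
The ordering and pass/fail rules described in this section, as an added Python example that is not part of the Alcatel-Lucent guide: it splits a non-supplicant policy command into its ordered pass and fail chains and lists the fail options that can still place a device after MAC authentication fails. The single-name argument after user-network-profile is an assumption; the two sample commands are the ones shown in this section.

```python
# Added example, not Alcatel-Lucent code. Keyword set taken from this page.
TAKES_ARG = {"vlan", "user-network-profile"}  # profile-name argument is an assumption
NO_ARG = {"group-mobility", "default-vlan", "block", "captive-portal"}
PREFIX = ["non-supplicant", "policy", "authentication"]

# The two commands from this section, each joined onto one line.
PAGE_COMMANDS = [
    "-> 802.1x 2/12 non-supplicant policy authentication pass group-mobility vlan 10 block fail vlan 10 default-vlan",
    "-> 802.1x 2/12 non-supplicant policy authentication pass vlan 10 group-mobility block fail vlan 10 default-vlan",
]


def parse_policy(command):
    """Return (port, pass_chain, fail_chain); chains keep the configured order."""
    tokens = command.replace("->", " ").split()
    if tokens[:1] != ["802.1x"] or tokens[2:5] != PREFIX:
        raise ValueError("not a non-supplicant authentication policy command")
    chains = {"pass": [], "fail": []}
    current, fail_used, i = "pass", False, 5  # pass is implied
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("pass", "fail"):
            current = tok
            fail_used = fail_used or tok == "fail"
        elif tok in TAKES_ARG:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} is missing its argument")
            i += 1
            chains[current].append(f"{tok} {tokens[i]}")
        elif tok in NO_ARG:
            chains[current].append(tok)
        else:
            raise ValueError(f"unknown policy keyword: {tok}")
        i += 1
    if not fail_used:
        chains["fail"] = ["block"]  # default action when fail is not configured
    return tokens[1], chains["pass"], chains["fail"]


def fail_placements(command):
    """Options that can still place a device after MAC authentication fails."""
    return [opt for opt in parse_policy(command)[2] if opt != "block"]


if __name__ == "__main__":
    for cmd in PAGE_COMMANDS:
        port, on_pass, on_fail = parse_policy(cmd)
        print(port, "pass:", on_pass, "fail:", on_fail, "review:", fail_placements(cmd))
```

An empty result from fail_placements means devices that fail MAC authentication are blocked on that port; a non-empty result lists, in evaluation order, the options worth reviewing.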