Alcatel-Lucent 6850-48 Network Guide
Configuring Access Guardian Policies
Configuring Access Guardian
page 34-30
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
Configuring the Captive Portal Policy
The Captive Portal device classification policy is similar to supplicant and non-supplicant policies in that it
determines the VLAN assignment for devices that were not assigned a VLAN through authentication or
for devices that failed 802.1x or MAC authentication. The difference is that the Captive Portal policy is
only invoked as a result of web-based authentication; supplicant and non-supplicant policies are triggered
by 802.1x port-based authentication.
Web-based authentication is configured by specifying Captive Portal as a pass or fail case for port-based
supplicant and non-supplicant policies (see
for more information). When the web-based authentication
process is complete, the Captive Portal policy classifies the device into a specific VLAN based on the
results of that process.
When 802.1x is enabled for a port, a default supplicant, non-supplicant, and Captive Portal policy is
automatically configured for the port. The default Captive Portal policy assigns a device to the default VLAN
for the port if authentication was successful but did not return a VLAN ID or blocks a device on the port if
the device failed authentication. As a result, it is only necessary to change the policy if the default pass and
fail cases are not sufficient.
To change the Captive Portal policy configuration, use the
command. The following keywords are available with this command to specify one or more policies for
classifying devices.
Note the following when configuring Captive Portal policies:
• The captive-portal parameter is not an option with this type of policy, as it is not possible to nest
Captive Portal policies. In addition, the captive-portal parameter is used only in supplicant and
non-supplicant policies to invoke web-based authentication, not to classify a device for VLAN assignment.
802.1x 3/10 non-supplicant policy vlan 43 block
No authentication process is performed, but the following classification still occurs:
1 If VLAN 43 exists and is not an authenticated VLAN, then the device is assigned to VLAN 43.
2 If VLAN 43 does not exist or is an authenticated VLAN, then the device is blocked from accessing the switch on port 3/10.
802.1x 1/10 non-supplicant policy user-network-profile Engineering block
No authentication process is performed, but the following classification still occurs:
1 The “Engineering” UNP is applied.
2 If applying the UNP fails, the user is blocked from accessing the switch on port 1/10.
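The classification order in the two command examples above, together with the default Captive Portal pass and fail cases, modelled in Python as an added example (not Alcatel-Lucent code and not part of the original guide). The names Switch, classify and captive_portal_default, the usable_unps set, and the block result for a chain that runs out without a match are assumptions made for the illustration.

```python
# Added illustration of the policy order described on this page.
# All class, function and field names here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Switch:
    vlans: set = field(default_factory=set)                # VLANs that exist
    authenticated_vlans: set = field(default_factory=set)  # VLANs marked authenticated
    # The page does not say why applying a UNP can fail, so the caller
    # lists the profiles that apply cleanly (assumption).
    usable_unps: set = field(default_factory=set)
    default_vlan: dict = field(default_factory=dict)       # port -> default VLAN


def classify(switch, port, chain):
    """Walk an ordered policy chain; return the first decision that applies."""
    for keyword, arg in chain:
        if keyword == "vlan":
            # Only an existing, non-authenticated VLAN can be assigned here.
            if arg in switch.vlans and arg not in switch.authenticated_vlans:
                return ("vlan", arg)
        elif keyword == "user-network-profile":
            if arg in switch.usable_unps:
                return ("unp", arg)
        elif keyword == "default-vlan":
            return ("vlan", switch.default_vlan[port])
        elif keyword == "block":
            return ("block", None)
        else:
            raise ValueError(f"keyword not modelled: {keyword}")
    return ("block", None)  # assumption: an exhausted chain blocks the device


def captive_portal_default(switch, port, auth_ok, returned_vlan=None):
    """Default Captive Portal policy: pass -> default VLAN, fail -> block."""
    if not auth_ok:
        return classify(switch, port, [("block", None)])
    if returned_vlan is not None:
        # Authentication supplied the VLAN, so the policy is not consulted.
        return ("vlan", returned_vlan)
    return classify(switch, port, [("default-vlan", None)])


if __name__ == "__main__":
    # Constructed switch state for the two command examples.
    sw = Switch(vlans={1, 43}, usable_unps={"Engineering"},
                default_vlan={"3/10": 1, "1/10": 1})
    print(classify(sw, "3/10", [("vlan", 43), ("block", None)]))
    print(classify(sw, "1/10", [("user-network-profile", "Engineering"),
                                ("block", None)]))
    print(captive_portal_default(sw, "3/10", auth_ok=False))
```

Running the same chain against a switch where VLAN 43 is an authenticated VLAN shows the device falling through to block, which is the case worth checking when auditing a port's policy.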
Captive Portal keywords
group-mobility
user-network-profile
vlan
default-vlan
block
pass
fail
Supplicant Policy Command Example
Description