Alcatel-Lucent 6850-48 Network Guide
Configuring Access Guardian Policies
Configuring Access Guardian
page 34-24
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
-> 802.1x 2/12 supplicant policy authentication pass vlan 10 group-mobility block fail vlan 10 default-vlan
The first command in the above example checks Group Mobility rules first and then checks for VLAN 10.
The second command checks for VLAN 10 first and then checks for Group Mobility rules.
Use the pass keyword to specify which options to apply when 802.1x authentication is successful but does not return a VLAN ID. Use the fail keyword to specify which options to apply when 802.1x authentication fails or returns a VLAN ID that does not exist. The pass keyword is implied and therefore an optional keyword. If the fail keyword is not used, the default action is to block the device.
Note. When a policy option is configured as a fail condition, device classification is restricted to assigning
supplicant devices to VLANs that are not authenticated VLANs.
Supplicant Policy Examples
The following table provides example supplicant policy commands and a description of how the resulting
policy is applied to classify supplicant devices:
Supplicant Policy Command Example:
802.1x 1/24 supplicant policy authentication pass group-mobility default-vlan fail vlan 43 block

Description:
If the 802.1x authentication process is successful but does not return a VLAN ID for the device, then the following occurs:
1 Group Mobility rules are applied.
2 If Group Mobility classification fails, then the device is assigned to the default VLAN for port 1/24.
If the device fails 802.1x authentication, then the following occurs:
1 If VLAN 43 exists and is not an authenticated VLAN, then the device is assigned to VLAN 43.
2 If VLAN 43 does not exist or is an authenticated VLAN, then the device is blocked from accessing the switch on port 1/24.

Supplicant Policy Command Example:
802.1x 1/48 supplicant policy authentication group-mobility vlan 127 default-vlan

Description:
If the 802.1x authentication process is successful but does not return a VLAN ID for the device, then the following occurs:
1 Group Mobility rules are applied.
2 If Group Mobility classification fails, then the device is assigned to VLAN 127.
3 If VLAN 127 does not exist, then the device is assigned to the default VLAN for port 1/48.
If the device fails 802.1x authentication, the device is blocked on port 1/48.
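
The classification order described in the two examples above can be checked offline with a small model. The following Python is an added example, not code from the guide or from the switch software; the names Port, parse_policy, classify, returned_vlan and gm_vlan (the VLAN a Group Mobility rule would match, or None) are hypothetical, and the VLAN sets are constructed sample data. It assumes that a valid VLAN returned by authentication is used directly and that a policy chain with no remaining options blocks the device.

```python
# Added model of the evaluation order described above; not Alcatel-Lucent code.
# All names are hypothetical; VLAN sets below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Port:
    default_vlan: int
    vlans: set                                    # VLANs that exist
    auth_vlans: set = field(default_factory=set)  # authenticated VLANs

def parse_policy(cmd):
    """Split the options after 'authentication' into pass and fail chains."""
    words = cmd.split()
    chains, branch = {"pass": [], "fail": []}, "pass"  # pass keyword is implied
    it = iter(words[words.index("authentication") + 1:])
    for w in it:
        if w in chains:
            branch = w
        elif w == "vlan":
            chains[branch].append(("vlan", int(next(it))))
        else:
            chains[branch].append((w, None))
    if not chains["fail"]:
        chains["fail"] = [("block", None)]  # no fail keyword: device is blocked
    return chains

def classify(cmd, port, auth_ok, returned_vlan=None, gm_vlan=None):
    """Return the VLAN the supplicant is assigned to, or 'block'."""
    if auth_ok and returned_vlan in port.vlans:
        return returned_vlan  # assumption: a valid returned VLAN is used as-is
    # Fail branch: authentication failed, or it returned a nonexistent VLAN.
    failing = not auth_ok or returned_vlan is not None
    for opt, arg in parse_policy(cmd)["fail" if failing else "pass"]:
        if opt == "block":
            return "block"
        vlan = {"group-mobility": gm_vlan, "vlan": arg,
                "default-vlan": port.default_vlan}[opt]
        if vlan not in port.vlans:
            continue  # no rule match or VLAN missing: try the next option
        if failing and vlan in port.auth_vlans:
            continue  # fail options never assign to an authenticated VLAN
        return vlan
    return "block"  # assumption: an exhausted chain blocks the device

CMD_1_24 = ("802.1x 1/24 supplicant policy authentication pass "
            "group-mobility default-vlan fail vlan 43 block")
CMD_1_48 = "802.1x 1/48 supplicant policy authentication group-mobility vlan 127 default-vlan"
SWITCH = Port(default_vlan=1, vlans={1, 10, 43, 127})  # constructed
```

Running classify against a Port whose auth_vlans contains 43 shows the case the Note warns about: the fail option vlan 43 is skipped and the device is blocked.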