Alcatel-Lucent 6850-48 Network Guide

Configuring Access Guardian
Access Guardian Overview
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 34-13
Authentication and Classification
Physical devices attached to a LAN port on the switch through a point-to-point LAN connection may be 
authenticated through the switch using port-based network access control. This control is available 
through the IEEE 802.1X standard implemented on the switch. 
Access Guardian uses this implementation of 802.1X to provide configurable device classification policies for authenticating both 802.1X clients (supplicants) and non-802.1X clients (non-supplicants). Such 
policies include the following options for authentication:
• 802.1X authentication for supplicants.
Uses Extensible Authentication Protocol (EAP) between end device and network device (NAS) to 
authenticate the supplicant via a RADIUS server. If authentication returns a VLAN ID, the supplicant 
is assigned to that VLAN. If a VLAN ID is not returned or authentication fails, then the device classification policy configuration for the port provides the network access control for the supplicant.
• MAC-based authentication for non-supplicants
MAC-based authentication requires no agent or special protocol on the non-supplicant device; the 
source MAC address of the device is verified via a remote RADIUS server. The switch sends RADIUS 
frames to the server with the source MAC address embedded in the username and password attributes. 
If authentication returns a VLAN ID, the non-supplicant is assigned to that VLAN. If a VLAN ID is 
not returned or authentication fails, then the device classification policy configuration for the port 
provides the network access control for the non-supplicant.
• Captive Portal Web-based authentication for supplicants and non-supplicants
Captive Portal is a configurable option for both supplicant and non-supplicant policies. When the 
Captive Portal option is invoked, a Web page is presented to the user device to prompt the user to enter 
login credentials. If authentication returns a VLAN ID, the device is assigned to that VLAN. If a 
VLAN ID is not returned or authentication fails, a separate Captive Portal policy then determines the 
network access control for the supplicant or non-supplicant.
The authentication functionality provided through device classification policies allows the administrator to 
dynamically assign the appropriate method of authentication regardless of how many users are connected 
to a port or the type of user (for example, IP phones). In other words, multiple authentication methods for 
multiple users are supported on the same port.
Device classification policies are applied to each device connected to an 802.1X port until the appropriate 
method of authentication is determined. For example, an 802.1X capable device is challenged to provide 
credentials required for 802.1X authentication. A non-802.1X device, such as a printer, is not challenged 
but identified using MAC-based authentication. A device that fails authentication is prompted to provide 
credentials using Captive Portal.
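The decision flow described above (802.1X for supplicants, MAC-based authentication for non-supplicants, optional Captive Portal, then the port's device classification policy), modelled as an added Python illustration; this is not code from the guide or from AOS. The RADIUS server is a constructed in-memory stub, and the policy fields, VLAN numbers and credentials are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the RADIUS server: (username, password) -> VLAN ID.
# A value of None means Access-Accept with no VLAN ID returned.
RADIUS_DB = {
    ("alice", "eap-ok"): 100,                          # 802.1X supplicant, VLAN returned
    ("bob", "eap-ok"): None,                           # authenticates, no VLAN returned
    ("00:11:22:33:44:55", "00:11:22:33:44:55"): 200,   # printer: MAC in username and password
    ("guest", "portal-pw"): 500,                       # Captive Portal login
}

def radius_auth(username: str, password: str) -> Tuple[bool, Optional[int]]:
    """Return (accepted, vlan_id), as the switch would read the RADIUS reply."""
    if (username, password) not in RADIUS_DB:
        return False, None
    return True, RADIUS_DB[(username, password)]

@dataclass
class PortPolicy:                        # assumed shape of the per-port configuration
    captive_portal: bool                 # policy invokes Captive Portal on failure / no VLAN
    fallback_vlan: Optional[int]         # device classification policy result for the port
    captive_portal_vlan: Optional[int]   # separate Captive Portal policy result

@dataclass
class Device:
    mac: str
    supplicant: bool                     # True = speaks 802.1X/EAP, False = e.g. a printer
    eap_creds: Optional[Tuple[str, str]] = None
    portal_creds: Optional[Tuple[str, str]] = None   # what the user typed into the Web page

def classify(dev: Device, policy: PortPolicy) -> Tuple[str, Optional[int]]:
    """Walk the Access Guardian flow and return (method that decided, VLAN ID)."""
    if dev.supplicant:                                  # 802.1X: EAP, verified via RADIUS
        method = "802.1X"
        ok, vlan = radius_auth(*(dev.eap_creds or ("", "")))
    else:                                               # MAC-based: no agent on the device,
        method = "MAC"                                  # source MAC sent as username/password
        ok, vlan = radius_auth(dev.mac, dev.mac)
    if ok and vlan is not None:
        return method, vlan                             # RADIUS returned a VLAN ID
    if policy.captive_portal:                           # prompt for credentials on a Web page
        ok, vlan = radius_auth(*(dev.portal_creds or ("", "")))
        if ok and vlan is not None:
            return "captive-portal", vlan
        return "captive-portal-policy", policy.captive_portal_vlan
    return "classification-policy", policy.fallback_vlan
```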
Using Device Classification Policies
In addition to authentication, Access Guardian device classification policies are used to determine which 
of the following actions are applied to a device if authentication does not return a VLAN ID, authentication fails, or no authentication is performed:
• Assign the user device to a specific VLAN. For example, all guest users are assigned to VLAN 500 or 
are only allowed access to the default VLAN of the 802.1X port to which the device is connected.
• Apply a User Network Profile (UNP) to the device.