Using Access Guardian Policies Configuring 802.1X
page 22-8 OmniSwitch 6600 Family Network Configuration Guide April 2006
Using Access Guardian Policies
In addition to the authentication and VLAN classification of 802.1x clients (supplicants), the Access Guardian extends this type of functionality to non-802.1x clients (non-supplicants). Access Guardian introduces configurable 802.1x device classification policies to handle both supplicant and non-supplicant access to 802.1x ports.
By default, non-supplicant devices are automatically blocked on 802.1x enabled ports. In some cases, however, it is desirable to allow non-supplicant access on these ports. For example, using device classification policies, a non-supplicant device may gain access to a pre-determined VLAN. Such a VLAN might serve as a guest VLAN for non-supplicant devices that require restricted access to the switch.
Supplicant devices are initially processed using 802.1x authentication via a remote RADIUS server. If authentication is successful and returns a VLAN ID, the supplicant is assigned to that VLAN. If not, then any configured device classification policies for the port are applied to determine VLAN assignment for the supplicant. If there are no policies, then the default port behavior for 802.1x ports is in effect (see “Supplicant Classification” on page 22-5 for more information).
Policy Types
There are two types of policies: supplicant and non-supplicant. Supplicant policies use 802.1x authentication via a remote RADIUS server and provide alternative methods for classifying supplicants if the authentication process either fails or does not return a VLAN ID.
Non-supplicant policies use MAC authentication via a remote RADIUS server or can bypass authentication and only allow strict assignment to specific VLANs. MAC authentication verifies the source MAC address of a non-supplicant device via a remote RADIUS server. Similar to 802.1x authentication, the switch sends RADIUS frames to the server with the source MAC address embedded in the username and password attributes.
One supplicant policy and one non-supplicant policy are allowed for each 802.1x port. Configuring a new supplicant or non-supplicant policy overwrites any policy of that kind that already exists for the port. The following types of device classification policies are available:
1 802.1x authentication—performs 802.1x authentication via a remote RADIUS server.
2 MAC authentication—performs MAC based authentication via a remote RADIUS server.
3 Group Mobility rules—uses Group Mobility rules to determine the VLAN assignment for a device.
4 VLAN ID—assigns the device to the specified VLAN.
5 Default VLAN—assigns a device to the default VLAN for the 802.1x port.
6 Block—blocks a device from accessing the 802.1x port.
The first policy applies only to supplicants; the second policy applies only to non-supplicants. The remaining policies apply to both supplicants and non-supplicants. Policies three through six are combined with policy one or two to provide alternative methods for classifying devices when successful authentication does not return a VLAN ID. It is also possible to configure policies three through six without also specifying policy one or two. In this case, no authentication is performed, but device classification is restricted to non-authenticated VLANs.
When multiple policies are specified in a single device classification policy, they form a compound policy. Compound policies that use 802.1x authentication are supplicant policies; all others are non-supplicant policies.
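The following Python model is an added example and is not code from the OmniSwitch guide or from Alcatel. It walks a compound policy in the order described above (authentication first, then the remaining policies three through six in turn) so that the VLAN a supplicant or non-supplicant would land in can be predicted before the policy is configured on a port. Everything in it is constructed: the RADIUS table, the Group Mobility rule, the VLAN numbers and the `Port`/`Device` types. Two points are the model's own assumptions rather than statements from the guide: a rejected MAC authentication falls through to the remaining policies the same way a rejected 802.1x authentication does for supplicants, and a device that was not successfully authenticated is kept out of authenticated VLANs even when it reaches a fallback policy.

```python
"""Model of Access Guardian device-classification policies.
Added example, not code from the OmniSwitch guide: it walks a compound policy in
the order the guide describes (authenticate first, then fall back through the
remaining policies). RADIUS entries, the Group Mobility rule and all VLAN
numbers are constructed inputs."""
from dataclasses import dataclass, field

# The six policy types, numbered as the guide lists them.
DOT1X_AUTH, MAC_AUTH, GROUP_MOBILITY, VLAN_ID, DEFAULT_VLAN, BLOCK = range(1, 7)

@dataclass
class Port:
    default_vlan: int
    supplicant_policy: list = field(default_factory=list)      # [(policy_type, arg)]
    non_supplicant_policy: list = field(default_factory=list)  # one of each per port

@dataclass
class Device:
    mac: str
    supplicant: bool
    username: str = None   # 802.1x credentials (supplicants only)
    password: str = None

def is_supplicant_policy(policy):
    """Compound policies that use 802.1x authentication are supplicant policies."""
    return any(ptype == DOT1X_AUTH for ptype, _ in policy)

def set_policy(port, policy):
    """Install a compound policy, overwriting the port's existing one of that kind."""
    if is_supplicant_policy(policy):
        port.supplicant_policy = list(policy)
    else:
        port.non_supplicant_policy = list(policy)

def radius_auth(radius, username, password):
    """Constructed stand-in for the RADIUS server: returns (accepted, vlan_or_None)."""
    entry = radius.get(username)
    if entry is None or entry[0] != password:
        return False, None
    return True, entry[1]

def classify(port, device, radius, mobility_rule, authenticated_vlans):
    """Return ("vlan", id) or ("blocked", reason) for one device on one port."""
    chain = list(port.supplicant_policy if device.supplicant else port.non_supplicant_policy)
    if not chain:  # default port behaviour: non-supplicants are blocked (supplicants: page 22-5)
        return ("blocked", "no policy") if not device.supplicant else ("default", "see page 22-5")
    authenticated = False
    if chain[0][0] in (DOT1X_AUTH, MAC_AUTH):   # authentication step comes first
        ptype, _ = chain.pop(0)
        if ptype == DOT1X_AUTH and device.supplicant:
            ok, vlan = radius_auth(radius, device.username, device.password)
        elif ptype == MAC_AUTH and not device.supplicant:
            ok, vlan = radius_auth(radius, device.mac, device.mac)  # MAC in both attributes
        else:
            ok, vlan = False, None  # 802.1x is for supplicants only, MAC auth for non-supplicants
        if ok and vlan is not None:
            return ("vlan", vlan)
        authenticated = ok
        # Rejected, or accepted without a VLAN ID: fall through to the remaining policies
        # (the guide states this for supplicants; the model assumes the same for MAC auth).
    for ptype, arg in chain:
        if ptype == GROUP_MOBILITY:
            vlan = mobility_rule(device)
            if vlan is None:
                continue  # no rule matched: try the next policy
        elif ptype == VLAN_ID:
            vlan = arg
        elif ptype == DEFAULT_VLAN:
            vlan = port.default_vlan
        else:  # BLOCK
            return ("blocked", "block policy")
        # Without a successful authentication, classification is restricted to
        # non-authenticated VLANs (model assumption: a rejected device counts here too).
        if vlan in authenticated_vlans and not authenticated:
            return ("blocked", f"vlan {vlan} requires authentication")
        return ("vlan", vlan)
    return ("blocked", "chain exhausted")  # model assumption when no policy decides

# Constructed sample data: RADIUS table and a Group Mobility rule.
RADIUS = {
    "alice": ("alice-pw", 10),                       # accept, returns VLAN 10
    "bob": ("bob-pw", None),                         # accept, no VLAN ID returned
    "00:11:22:33:44:55": ("00:11:22:33:44:55", 20),  # MAC auth accept, VLAN 20
}
AUTHENTICATED_VLANS = {10, 20}

def prefix_rule(device):
    """Constructed Group Mobility rule: MACs starting 00:aa:bb go to VLAN 40."""
    return 40 if device.mac.lower().startswith("00:aa:bb") else None

def demo():
    """Classify constructed devices on one port; returns {mac: result}."""
    port = Port(default_vlan=99)
    set_policy(port, [(DOT1X_AUTH, None), (GROUP_MOBILITY, None), (DEFAULT_VLAN, None)])
    set_policy(port, [(MAC_AUTH, None), (VLAN_ID, 30)])
    devices = [
        Device("00:01:02:03:04:05", True, "alice", "alice-pw"),  # VLAN 10 from RADIUS
        Device("00:aa:bb:00:00:01", True, "bob", "bob-pw"),      # no VLAN ID -> rule -> VLAN 40
        Device("00:01:02:03:04:06", True, "bob", "bob-pw"),      # no rule match -> default VLAN 99
        Device("00:01:02:03:04:07", True, "eve", "guess"),       # rejected -> default VLAN 99
        Device("00:11:22:33:44:55", False),                      # MAC auth -> VLAN 20
        Device("00:11:22:33:44:66", False),                      # MAC auth rejected -> VLAN 30
    ]
    return {d.mac: classify(port, d, RADIUS, prefix_rule, AUTHENTICATED_VLANS) for d in devices}
```

Running `demo()` shows the two fallback paths the text describes: the `bob` supplicants are accepted by RADIUS without a VLAN ID and so are classified by the Group Mobility rule or, failing a match, the port's default VLAN, while the unknown non-supplicant MAC ends up in the strictly assigned VLAN 30. A policy made only of types three through six lands in the non-supplicant slot, and the model refuses to place such an unauthenticated device in an authenticated VLAN, which is the restriction the guide describes for policies configured without an authentication step.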