Alcatel-Lucent 6600 Switch User Manual
page 22-14 OmniSwitch 6600 Family Network Configuration Guide April 2006
Configuring Access Guardian Policies
The Access Guardian provides functionality that allows the configuration of 802.1x device classification policies for supplicants (802.1x clients) and non-supplicants (non-802.1x clients). See “Using Access Guardian Policies” on page 22-8 for more information.

Configuring device classification policies is only supported on mobile, 802.1x enabled ports. In addition, the port control status for the port must allow auto authorization. See “Setting Up Port-Based Network Access Control” on page 22-10 for specific information about how to enable 802.1x functionality on a port.

As described in “Using Access Guardian Policies” on page 22-8, there are several types of policies that when combined together create either a supplicant or non-supplicant compound policy. Consider the following when configuring compound policies:

• A single policy can only appear once for a pass condition and once for a failed condition in a compound policy.

• Up to three VLAN ID policies are allowed within the same compound policy, as long as the ID number is different for each instance specified (e.g., vlan 20 vlan 30 vlan 40).

• Compound policies must terminate. The last policy must result in either blocking the device or assigning the device to the default VLAN. If a terminal policy is not specified, then the block policy is used by default.

• The order in which policies are configured determines the order in which the policies are applied.
The following table provides examples of policies that were incorrectly configured and a description of the problem:

Incorrect Policy Command:
    802.1x 1/45 supplicant policy authentication pass group-mobility vlan 200 group-mobility fail block
Problem:
    The group-mobility policy is specified more than once as a pass condition.

Incorrect Policy Command:
    802.1x 1/24 non-supplicant policy authentication pass vlan 20 vlan 30 vlan 40 vlan 50 fail block
Problem:
    More than three VLAN ID policies are specified in the same command.

Note that if no policies are configured on an 802.1x port, non-supplicants are blocked on the port and the following classification process is performed for supplicants by default:

1 802.1x authentication via remote RADIUS server is attempted.

2 If authentication fails or successful authentication returns a VLAN ID that does not exist, the device is blocked.

3 If authentication is successful and returns a VLAN ID that exists in the switch configuration, the supplicant is assigned to that VLAN.

4 If authentication is successful but does not return a VLAN ID, Group Mobility rules are checked for classification.

5 If Group Mobility classification fails, the supplicant is assigned to the default VLAN ID for the 802.1x port.
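As an added example (not part of the manual), the following Python script applies the compound-policy rules listed above to policy command lines written in the form shown in this section, reporting the two problems from the table and appending the default block policy where a command omits a terminal policy. It assumes that default-vlan is the CLI keyword for the default-VLAN terminal policy and that the three-VLAN limit is counted per pass/fail condition.

```python
import re

# Terminal policies end classification. The manual names the outcomes (block, default VLAN);
# "default-vlan" as the keyword for the latter is an assumption of this example.
TERMINAL = {"block", "default-vlan"}
MAX_VLAN_POLICIES = 3  # "up to three VLAN ID policies" per the manual (assumed per condition)

def parse_policy(cmd):
    """Split an '802.1x <slot/port> <supplicant|non-supplicant> policy ...' command into
    {'pass': [...], 'fail': [...]}; 'vlan <id>' becomes the tuple ('vlan', '<id>')."""
    m = re.match(r"802\.1x\s+\S+\s+(supplicant|non-supplicant)\s+policy\s+(.*)$", cmd.strip())
    if not m:
        raise ValueError("not an 802.1x device classification policy command")
    words = m.group(2).split()
    if words and words[0] == "authentication":   # authentication policy introduces pass/fail branches
        words = words[1:]
    branches, current = {}, None
    it = iter(words)
    for w in it:
        if w in ("pass", "fail"):
            current = branches.setdefault(w, [])
            continue
        if current is None:                       # form without pass/fail: one unconditional branch
            current = branches.setdefault("policy", [])
        if w == "vlan":
            vid = next(it, None)
            if vid is None or not vid.isdigit():
                raise ValueError("vlan must be followed by a VLAN ID")
            current.append(("vlan", vid))
        else:
            current.append(w)
    return branches

def check_policy(cmd):
    """Apply the compound-policy rules from the manual; return a list of problems (empty = OK)."""
    problems = []
    for cond, policies in parse_policy(cmd).items():
        vlans = [p[1] for p in policies if isinstance(p, tuple)]
        others = [p for p in policies if not isinstance(p, tuple)]
        for name in sorted(set(others)):          # a single policy may appear only once per condition
            if others.count(name) > 1:
                problems.append(f"The {name} policy is specified more than once as a {cond} condition.")
        if len(vlans) > MAX_VLAN_POLICIES:
            problems.append("More than three VLAN ID policies are specified in the same command.")
        if len(set(vlans)) != len(vlans):         # each VLAN ID instance must be different
            problems.append(f"A VLAN ID is repeated in the {cond} condition.")
    return problems

def effective_policy(cmd):
    """Return the branches with the default terminal policy (block) appended where one is missing."""
    branches = parse_policy(cmd)
    for policies in branches.values():
        if not policies or policies[-1] not in TERMINAL:
            policies.append("block")
    return branches
```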