Alcatel-Lucent 6600 Switch User Manual


 
Configuring 802.1X Configuring Access Guardian Policies
OmniSwitch 6600 Family Network Configuration Guide April 2006 page 22-15
Configuring Supplicant Policies
Supplicant policies are used to classify 802.1x devices connected to 802.1x-enabled switch ports when
802.1x authentication does not return a VLAN ID or authentication fails. To configure supplicant poli-
cies, use the 802.1x supplicant policy authentication command. The following keywords are available
with this command to specify one or more policies for classifying devices:
If no policy keywords are specified with this command, then supplicants are blocked if 802.1x authentica-
tion fails or does not return a VLAN ID. When multiple policies are specified, the policy is referred to as a
compound supplicant policy. Note that the order in which parameters are configured determines the order
in which they are applied.
To configure a compound supplicant policy, use the pass and fail keywords to specify which policies to
apply when 802.1x authentication is successful but does not return a VLAN ID and which policies to
apply when 802.1x authentication fails or returns a VLAN ID that does not exist. The pass keyword is
implied and therefore an optional keyword. If the fail keyword is not used, the default action is to block
the device.
Note. When a policy is specified as a policy to apply when authentication fails, device classification is
restricted to assigning supplicant devices to VLANs that are not authenticated VLANs.
Supplicant Policy Examples
The following table provides example supplicant policy commands and a description of how the resulting
policy is applied to classify supplicant devices:
supplicant policy keywords
group mobility
vlan
default-vlan
block
pass
fail
Supplicant Policy Command Example Description
802.1x 1/24 supplicant policy authentication pass
group-mobility default-vlan fail vlan 43 block
If the 802.1x authentication process is successful
but does not return a VLAN ID for the device, then
the following occurs:
1 Group Mobility rules are applied.
2 If Group Mobility classification fails, then the
device is assigned to the default VLAN for
port 1/24.
If the device fails 802.1x authentication, then the
following occurs:
1 If VLAN 43 exists and is not an authenticated
VLAN, then the device is assigned to
VLAN 43.
2 If VLAN 43 does not exist or is an authenti-
cated VLAN, then the device is blocked from
accessing the switch on port 1/24.