Configuring Access Guardian Policies Configuring 802.1X
page 22-16 OmniSwitch 6600 Family Network Configuration Guide April 2006
Configuring Non-supplicant Policies
Non-supplicant policies are used to classify non-802.1x devices connected to 802.1x-enabled switch ports.
There are two types of non-supplicant policies. One type uses MAC authentication to verify the non-
802.1x device. The second type does not perform any authentication and limits device assignment only to
those VLANs that are not authenticated VLANs.
To configure a non-supplicant policy that will perform MAC authentication, use the 802.1x non-supplicant
policy authentication command. The following keywords are available with this command to specify
one or more policies for classifying devices:
When multiple policies are specified, the policy is referred to as a compound non-supplicant policy. Note
that the order in which parameters are configured determines the order in which they are applied.
To configure a compound non-supplicant policy, use the pass and fail keywords to specify which policies
to apply when MAC authentication is successful but does not return a VLAN ID and which policies to
apply when MAC authentication fails. The pass keyword is implied and therefore an optional keyword. If
the fail keyword is not used, the default action is to block the device when authentication fails.
Note. When a policy is specified as a policy to apply when authentication fails, device classification is
restricted to assigning non-supplicant devices to VLANs that are not authenticated VLANs.
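The following Python sketch is an added example, not taken from the guide. It models the evaluation order described above for a port's non-supplicant policy line, which helps when auditing where a device that fails MAC authentication can end up. The Port fields, the sample command line (modelled on the guide's supplicant command syntax), and the fall-through to the next policy when a VLAN does not exist or is not permitted are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:                       # hypothetical per-port switch state
    default_vlan: int
    existing: set                 # VLANs that exist on the switch
    authenticated: set            # VLANs that are authenticated VLANs
    gm_vlan: Optional[int] = None # VLAN matched by Group Mobility rules, if any

def parse_policy(line):
    """Return (uses_mac_auth, pass_chain, fail_chain) in configured order."""
    tok = line.split()
    i = tok.index("policy") + 1
    auth = i < len(tok) and tok[i] == "authentication"
    i += auth
    chains, cur = {"pass": [], "fail": []}, "pass"   # 'pass' is implied
    while i < len(tok):
        t = tok[i]
        if t in ("pass", "fail") and auth:
            cur = t
        elif t == "vlan":
            i += 1
            chains[cur].append(("vlan", int(tok[i])))
        elif t in ("group-mobility", "default-vlan", "block"):
            chains[cur].append((t, None))
        else:
            raise ValueError(f"unexpected keyword: {t}")
        i += 1
    if auth and not chains["fail"]:
        chains["fail"] = [("block", None)]   # default when 'fail' is not used
    return auth, chains["pass"], chains["fail"]

def classify(line, port, mac_auth_ok=True):
    """Outcome when no VLAN ID is returned: a VLAN number or 'block'."""
    auth, on_pass, on_fail = parse_policy(line)
    failed = auth and not mac_auth_ok
    restricted = failed or not auth          # non-authenticated VLANs only
    for kind, arg in (on_fail if failed else on_pass):
        if kind == "block":
            return "block"
        vlan = {"group-mobility": port.gm_vlan, "vlan": arg,
                "default-vlan": port.default_vlan}[kind]
        if vlan in port.existing and not (restricted and vlan in port.authenticated):
            return vlan
    return "block"   # assumption: chain exhausted without a match

# Constructed sample, modelled on the page's supplicant command syntax.
SAMPLE = "802.1x 1/48 non-supplicant policy authentication pass group-mobility vlan 10 fail vlan 20 default-vlan"
```

With the constructed sample, a device that fails MAC authentication skips VLAN 20 when it is an authenticated VLAN and lands in the port's default VLAN, which is the kind of outcome worth reviewing on ports where the fail branch does not end in block.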
To configure a non-supplicant policy that will not perform MAC authentication, use the 802.1x non-supplicant
policy command. The following keywords are available with this command to specify one or
more policies for classifying devices:
Supplicant Policy Command Example:
802.1x 1/48 supplicant policy authentication group-mobility vlan 127 default-vlan

Description:
If the 802.1x authentication process is successful but does not return a VLAN ID for the device, then
the following occurs:
1 Group Mobility rules are applied.
2 If Group Mobility classification fails, then the device is assigned to VLAN 127.
3 If VLAN 127 does not exist, then the device is assigned to the default VLAN for port 1/48.
If the device fails 802.1x authentication, the device is blocked on port 1/48.

supplicant policy keywords (802.1x non-supplicant policy authentication command):
group-mobility
vlan
default-vlan
block
pass
fail

supplicant policy keywords (802.1x non-supplicant policy command):
group-mobility
vlan
default-vlan
block