User Guide
OmniAccess SafeGuard OS Administration Guide
Chapter 6: Configuring Authentication and Role Derivation
Configuring Layer 3 Devices for Mapping
Because SafeGuard OS assumes that all traffic with the same MAC address originates from the same host, a change in authentication status for one IP on a MAC changes the authentication status for all IPs on that MAC address. When a Layer 3 device (such as a router) is placed downstream of the SafeGuard device, all Layer 3 traffic is incorrectly mapped to a single user device.
To ensure correct mapping for Layer 3 devices, use the Global Configuration aaa session-tracking l3device command. This command instructs SafeGuard OS to use IP addresses to map to hosts, rather than the default process of mapping MAC addresses to hosts in session tracking mode.
To specify up to 32 MAC addresses as Layer 3 addresses, use the aaa session-tracking l3device description command. Traffic from these MAC addresses is not assumed to be from the same host, and authentication is processed by IP address only.
aaa session-tracking l3device mac description {description}
The following example identifies a Cisco Systems router to the mapping table:
(SafeGuardOS) # aaa session-tracking l3device 00:11:11:ea:8b:7d description "Cisco 811"
(SafeGuardOS) #
To remove a Layer 3 device from the mapping table, use the no version of the command:
Syntax Description

mac            MAC addresses may be specified in any of the following formats:
               ■ aa:bb:cc:dd:ee:ff
               ■ aabb:ccdd:eeff
               ■ aa-bb-cc-dd-ee-ff
               ■ aabb.ccdd.eeff
               ■ aabbccddeeff

description    (Optional) A string description for the MAC address. The length of
               the string can be up to 30 characters. Specify descriptions in
               double quotation marks.
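
An added example, not taken from the guide: a Python pre-check that normalizes an inventory of router MAC addresses written in the five notations listed above and enforces the 32-address and 30-character limits before emitting the commands. The function names, the sample inventory, case-insensitive hex matching and the command form without a description are assumptions.

```python
import re

MAX_L3_DEVICES = 32   # limit stated in the guide
MAX_DESC_LEN = 30     # limit stated in the guide

# The five MAC notations listed in the Syntax Description.
_MAC_FORMATS = [
    re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"),    # aa:bb:cc:dd:ee:ff
    re.compile(r"[0-9a-f]{4}(?::[0-9a-f]{4}){2}"),    # aabb:ccdd:eeff
    re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"),    # aa-bb-cc-dd-ee-ff
    re.compile(r"[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"),   # aabb.ccdd.eeff
    re.compile(r"[0-9a-f]{12}"),                      # aabbccddeeff
]

def normalize_mac(text):
    """Return aa:bb:cc:dd:ee:ff, or raise ValueError for an unlisted notation."""
    candidate = text.strip().lower()  # assumption: hex digits are case-insensitive
    if not any(p.fullmatch(candidate) for p in _MAC_FORMATS):
        raise ValueError(f"not an accepted MAC notation: {text!r}")
    digits = re.sub(r"[^0-9a-f]", "", candidate)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_l3device_commands(inventory):
    """inventory: iterable of (mac, description or None). Returns CLI lines."""
    seen = {}
    for mac, desc in inventory:
        norm = normalize_mac(mac)
        if norm in seen:  # same device listed twice, possibly in two notations
            raise ValueError(f"duplicate MAC after normalization: {mac!r}")
        if desc and len(desc) > MAX_DESC_LEN:
            raise ValueError(f"description longer than {MAX_DESC_LEN} chars: {desc!r}")
        if desc and '"' in desc:  # would break the quoted CLI argument
            raise ValueError(f"description contains a double quote: {desc!r}")
        seen[norm] = desc
    if len(seen) > MAX_L3_DEVICES:
        raise ValueError(f"{len(seen)} entries exceed the {MAX_L3_DEVICES}-address limit")
    # Assumption: the description keyword is omitted when no description is given.
    return [
        f"aaa session-tracking l3device {mac}" + (f' description "{d}"' if d else "")
        for mac, d in seen.items()
    ]

# Constructed inventory: the guide's example router plus one made-up entry.
SAMPLE = [("00:11:11:ea:8b:7d", "Cisco 811"), ("0011.11EA.8B7E", None)]

if __name__ == "__main__":
    print("\n".join(build_l3device_commands(SAMPLE)))
```

Rejecting duplicates after normalization catches a router entered twice in different notations, which would otherwise consume two of the 32 slots.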










