User Guide

OmniAccess SafeGuard OS Administration Guide
264
Chapter 6: Configuring Authentication and Role Derivation
If you plan to take advantage of the SafeGuard features, in addition to setting the
protection mode you need to control the port authorization state. You set the port’s
authorization state using the aaa dot1x port-control command, which works in either
Global Configuration mode or in Interface Configuration mode. The commands use the
following keywords:
Force Authorized
The port acts as if 802.1x is disabled. Any authorized host connected to the port does not
need to support 802.1x. The Authentication Manager does not receive the credentials for
the host but does receive the port’s traffic because the unauthenticated policy is still
applied.
Instead, the Authentication Manager derives the credentials using passive authentication
(Kerberos, RADIUS), active authentication (Captive Portal, MAC RADIUS, or a white
list), or from mapping information (DHCP, the SafeGuard processor). When the user
authenticates and a policy and role are applied, the port remains in the authenticated
state even after the user clears the credentials.
Force Unauthorized
The port is blocked and is administratively unauthorized. Traffic is prohibited in all
directions for all clients.
Auto
The port enforces 802.1x authentication for 802.1x clients and grants controlled access to
an authenticated 802.1x client. 802.1x communicates status changes of clients with the
Authentication Manager. The Authentication Manager removes the unauthenticated
policy for 802.1x clients and applies the authentication policy and role after role
derivation.
If the SafeGuard Switch is set in protect or monitor mode, you must also set the 802.1x
port control mode to auto to take advantage of the SafeGuard features and 802.1x port
access control.
Configuring IEEE 802.1x Authentication
The primary process of configuring 802.1x authentication involves preparing for
authentication, enabling 802.1x globally on the switch, specifying the port to use, and
specifying the port control.
NOTE: One 802.1x client (supplicant) is supported on a physical port.
Clients/hosts attempting to access the port are permitted while the port is
authenticated for one 802.1x client. In protect and monitor mode, the additional
hosts/clients can be authenticated with SafeGuard authentication features.
The number of hosts permitted on a port can be controlled using port (MAC)
security. Refer to chapter 5, page 156.
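
The following audit sketch is an added example, not part of the original guide or of SafeGuard OS. It checks a port inventory against the rules stated above: auto is required in protect or monitor mode, Force Authorized ports do not enforce 802.1x, and auto ports without a port (MAC) security limit admit additional hosts. The inventory layout, mode labels, finding names and port names are assumptions and are not CLI syntax or switch output.

```python
from dataclasses import dataclass
from typing import Optional

# Labels for the three keywords described above (assumed spelling, not CLI syntax).
MODES = {"auto", "force-authorized", "force-unauthorized"}

@dataclass
class Port:
    name: str
    port_control: str
    max_hosts: Optional[int] = None  # port (MAC) security host limit, None if unset

def audit(protection_mode, ports):
    """Return sorted (port, finding) pairs for settings this section warns about."""
    safeguard = protection_mode in ("protect", "monitor")
    findings = []
    for p in ports:
        if p.port_control not in MODES:
            findings.append((p.name, "UNKNOWN_PORT_CONTROL"))
            continue
        # Protect or monitor mode requires port control set to auto.
        if safeguard and p.port_control != "auto":
            findings.append((p.name, "NOT_AUTO_IN_PROTECT_OR_MONITOR"))
        if p.port_control == "force-authorized":
            # Port behaves as if 802.1x were disabled.
            findings.append((p.name, "DOT1X_NOT_ENFORCED"))
        elif p.port_control == "force-unauthorized":
            # Traffic is prohibited in all directions for all clients.
            findings.append((p.name, "ALL_TRAFFIC_BLOCKED"))
        elif p.max_hosts is None:
            # Auto port: extra hosts are permitted once one supplicant authenticates.
            findings.append((p.name, "NO_HOST_LIMIT_ON_AUTO_PORT"))
    return sorted(findings)

# Constructed sample inventory (hypothetical port names and values).
SAMPLE = [
    Port("1/1", "auto", max_hosts=1),
    Port("1/2", "auto"),
    Port("1/3", "force-authorized"),
    Port("1/4", "force-unauthorized"),
    Port("1/5", "automatic"),  # typo in the inventory, reported as unknown
]

if __name__ == "__main__":
    for port, finding in audit("protect", SAMPLE):
        print(f"{port}: {finding}")
```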