Specifications
Alcatel-Lucent Page 23
OmniSwitch 6850 Series
802.1X enhancements on the OmniSwitch 6850
(Synonymous with the feature titled
“Alcatel Access Guardian support”)
Note: The Alcatel Access Guardian is supported in
Release 6.1.2r02 and in 6.1.2r03.
In addition to the authentication and VLAN classification of 802.1x clients (supplicants), the
OmniSwitch 6850 implementation of 802.1x secure port access extends this functionality to
non-802.1x clients (non-supplicants). To this end, device classification policies are introduced to
handle both supplicant and non-supplicant access to 802.1x ports. By default, non-supplicant devices
are automatically blocked on 802.1x-enabled ports. In some cases, however, it is desirable to allow
non-supplicant access on these ports. For example, using device policies a non-supplicant may be
placed in a pre-determined VLAN. Such a VLAN might serve as a guest VLAN for devices that need only
restricted access to the network. Supplicant devices are first processed using 802.1x authentication
via a remote RADIUS server. If authentication succeeds and the server returns a VLAN ID, the
supplicant is assigned to that VLAN. If authentication fails, or succeeds without returning a VLAN ID,
the device classification policies configured for the port are applied to determine the VLAN
assignment for the supplicant. If no policies are configured, the default port behavior for 802.1x
ports is in effect.
The following types of device classification policies are available:
1. 802.1x authentication—performs 802.1x authentication via a remote RADIUS server.
2. MAC authentication—performs MAC-based authentication via a remote RADIUS server.
3. Group Mobility rules—uses Group Mobility rules to determine the VLAN assignment for a
device
4. Strict Group Mobility rules—uses Group Mobility rules to determine the VLAN
assignment for a device; does not allow assignment to authenticated VLANs.
5. VLAN ID—assigns the device to the specified VLAN.
6. Strict VLAN ID—assigns the device to the specified VLAN; does not allow assignment to
authenticated VLANs.
7. Default VLAN—assigns a device to the default VLAN for the 802.1x port.
8. Strict Default VLAN—assigns a device to the default VLAN for the 802.1x port; does not
allow assignment to authenticated VLANs.
9. Block—blocks a device from accessing the 802.1x port.
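As an added worked example (not Alcatel-Lucent code and not the switch CLI), the classification flow above can be modelled in Python: a supplicant is tried against RADIUS first, then the port's ordered policy list is walked, then the default port behaviour applies. The policy names follow the nine types listed above; the RADIUS stand-in, the Group Mobility rule table, the VLAN numbers and all function names are constructed for the example. Two points the page leaves open are modelled as assumptions: a strict policy that refuses an authenticated VLAN falls through to the next policy, and a supplicant that reaches the default port behaviour is blocked like a non-supplicant.

```python
"""Model of the 802.1x / Access Guardian device classification flow.
Added illustration, not Alcatel-Lucent code. The policy names follow the nine
policy types listed above; the RADIUS stand-in, the Group Mobility rule table,
the VLAN numbers and all function names are constructed for this example."""
from dataclasses import dataclass
from typing import Optional

BLOCK = "BLOCK"

@dataclass
class Device:
    mac: str
    supplicant: bool                  # True when the client speaks 802.1x (EAPOL)
    credentials: Optional[str] = None

@dataclass
class Port:
    default_vlan: int
    authenticated_vlans: set          # VLANs reserved for RADIUS-authenticated devices
    policies: list                    # ordered (policy_name, argument) pairs

class FakeRadius:
    """Stand-in for the remote RADIUS server (constructed data). Lookups return
    (accepted, vlan_id); vlan_id is None when the client is accepted without a VLAN."""

    def __init__(self, users, macs):
        self.users, self.macs = users, macs

    def auth_8021x(self, credentials):
        return (True, self.users[credentials]) if credentials in self.users else (False, None)

    def auth_mac(self, mac):
        return (True, self.macs[mac]) if mac in self.macs else (False, None)

def group_mobility(rules, mac):
    """Constructed Group Mobility rule table: (MAC prefix, VLAN) pairs."""
    for prefix, vlan in rules:
        if mac.lower().startswith(prefix.lower()):
            return vlan
    return None

def apply_policy(name, arg, dev, port, radius):
    """Evaluate one policy: returns a VLAN id, BLOCK, or None for 'no decision'
    (authentication failed, no rule matched, or a strict policy refused to place
    the device in an authenticated VLAN). Falling through to the next policy after
    a strict refusal is an assumption of this model."""
    strict = name.startswith("strict-")
    base = name[len("strict-"):] if strict else name

    if base == "block":
        return BLOCK
    if base == "802.1x":
        ok, vlan = radius.auth_8021x(dev.credentials) if dev.supplicant else (False, None)
        return vlan if ok else None
    if base == "mac":
        ok, vlan = radius.auth_mac(dev.mac)
        return vlan if ok else None

    if base == "group-mobility":
        vlan = group_mobility(arg, dev.mac)
    elif base == "vlan":
        vlan = arg
    elif base == "default-vlan":
        vlan = port.default_vlan
    else:
        raise ValueError(f"unknown policy {name!r}")

    if strict and vlan in port.authenticated_vlans:
        return None                   # strict: a classification rule never bypasses authentication
    return vlan

def classify(dev, port, radius):
    """Supplicants try 802.1x via RADIUS first; then the port's policies run in
    order; then the default port behaviour applies."""
    if dev.supplicant:
        ok, vlan = radius.auth_8021x(dev.credentials)
        if ok and vlan is not None:
            return vlan               # RADIUS returned a VLAN ID: assign it directly
    for name, arg in port.policies:
        result = apply_policy(name, arg, dev, port, radius)
        if result is not None:
            return result
    # Default port behaviour: the text states non-supplicants are blocked; blocking a
    # supplicant that gets this far is an assumption of the model.
    return BLOCK

# Constructed sample data
RADIUS = FakeRadius(users={"alice:secret": 10}, macs={"00:11:22:33:44:55": 20})
GM_RULES = [("00:11:22", 10)]         # rule mapping 00:11:22:* devices to VLAN 10
STRICT_PORT = Port(1, {10, 20}, [("mac", None), ("strict-group-mobility", GM_RULES), ("vlan", 99)])
LAX_PORT = Port(1, {10, 20}, [("mac", None), ("group-mobility", GM_RULES), ("vlan", 99)])
NO_POLICY_PORT = Port(1, {10, 20}, [])

if __name__ == "__main__":
    guest = Device("00:11:22:aa:bb:cc", supplicant=False)   # matches the rule, unknown to RADIUS
    print("guest on strict port:", classify(guest, STRICT_PORT, RADIUS))   # 99
    print("guest on lax port:", classify(guest, LAX_PORT, RADIUS))         # 10
```

The two ports differ only in the strict flag on the Group Mobility policy, and that is the security-relevant point: on the non-strict port a non-supplicant whose MAC merely matches a rule is dropped into VLAN 10, a VLAN that RADIUS-authenticated users share, whereas on the strict port the same device falls through to the guest VLAN 99 unless RADIUS vouches for it by MAC.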
Alcatel Access Guardian support
Alcatel Access Guardian Support entails a set of security features that provide:
o Automatic detection of 802.1x and non-802.1x devices
o Flexible per-port configuration of security policies
o 802.1x is used for user authentication; MAC-based authentication can be used
for non-802.1x clients
o Supported policies:
Group Mobility rules
Guest VLANs
Default VLAN
Block
o Centralized user/device authentication using RADIUS
o Separate security policies can be configured for supplicants and non-supplicants
Benefits:
o Allows flexible network configuration, which strengthens security
o Centralized management of users and devices reduces administration cost
All known users and devices are authenticated using RADIUS
A change in one place takes effect everywhere in the network
A mobile user authenticates the same way as a wired user
o Guest users are placed in a guest VLAN
Applications:
o Educational sector
Port Mapping
• Allows traffic segregation at L2
• User ports in the same session cannot talk
to each other
Note: this feature is part of
“Residential bridging features”
Port Mapping is a security feature that controls communication between peer user ports. Each session
comprises a session ID, a set of user ports, and/or a set of network ports. The user ports within a
session cannot communicate with each other and can only communicate via network ports. In a port
mapping session with user port set A and network port set B, the ports in set A can only communicate
with the ports in set B. If set B is empty, the ports in set A can communicate with the rest of the ports
in the system. A port mapping session can be configured in unidirectional or bi-directional mode. In
unidirectional mode, the network ports within the session can communicate with each other. In
bi-directional mode, the network ports cannot communicate with each other. Network ports of a
unidirectional port mapping session can be shared with other unidirectional sessions, but cannot be
shared with any session configured in bi-directional mode. Network ports of different sessions can
communicate with each other.
Port Mapping Specifications:
Ports Supported: Ethernet (10 Mbps) / Fast Ethernet (100 Mbps) / Gigabit Ethernet (1 Gbps)
/ 10 Gigabit Ethernet (10 Gbps).
Mapping Sessions: Eight sessions per standalone switch or stack.
Port Mapping Defaults:
Mapping session creation: No mapping sessions
Mapping status: Disabled
Port mapping direction: Bi-directional
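The Port Mapping rules above are easy to misread (a user port in one session cannot reach a network port that belongs only to another session, and two user ports in different sessions are likewise isolated once their sessions have network ports), so as an added example (not Alcatel-Lucent code) they are encoded here in Python as a reachability check plus a validator for the sharing rule and the eight-session limit. Session ids, port names and the sample sessions are constructed for the example; the defaults (bi-directional, disabled) follow the defaults listed above.

```python
"""Model of the OmniSwitch 6850 Port Mapping rules.
Added illustration, not Alcatel-Lucent code: the rules in the text are encoded
as a reachability check plus a configuration validator. Session ids, port
names and the sample sessions are constructed for this example."""
from dataclasses import dataclass
from itertools import combinations

MAX_SESSIONS = 8                      # eight sessions per standalone switch or stack

@dataclass
class Session:
    session_id: int
    user_ports: frozenset
    network_ports: frozenset = frozenset()
    bidirectional: bool = True        # default direction is bi-directional
    enabled: bool = False             # default status is disabled

def validate(sessions):
    """Return configuration errors (empty list when the session set is legal)."""
    errors = []
    if len(sessions) > MAX_SESSIONS:
        errors.append(f"{len(sessions)} sessions configured, at most {MAX_SESSIONS} supported")
    for a, b in combinations(sessions, 2):
        shared = a.network_ports & b.network_ports
        if shared and (a.bidirectional or b.bidirectional):
            errors.append(f"sessions {a.session_id} and {b.session_id} share network ports "
                          f"{sorted(shared)}; only unidirectional sessions may share them")
    return errors

def can_communicate(sessions, p, q):
    """True when frames may pass between ports p and q under every enabled session."""
    if p == q:
        return True
    for s in sessions:
        if not s.enabled:
            continue
        for user, other in ((p, q), (q, p)):
            if user in s.user_ports:
                if other in s.user_ports:
                    return False      # user ports of one session never reach each other
                if s.network_ports and other not in s.network_ports:
                    return False      # user ports only reach the session's network ports
        if s.bidirectional and p in s.network_ports and q in s.network_ports:
            return False              # bi-directional: network ports isolated from one another
    return True

def isolation_matrix(sessions, ports):
    """Map each port to the set of ports it can reach; useful for eyeballing a config."""
    return {p: {q for q in ports if q != p and can_communicate(sessions, p, q)} for p in ports}

# Constructed sample configuration (residential-style: subscribers on user ports,
# uplinks on network ports)
SESSIONS = [
    Session(1, frozenset({"1/1", "1/2", "1/3"}), frozenset({"1/22", "1/24"}), enabled=True),
    Session(2, frozenset({"1/5", "1/6"}), frozenset({"1/23"}), bidirectional=False, enabled=True),
    Session(3, frozenset({"1/7"}), frozenset({"1/23"}), bidirectional=False, enabled=True),
    Session(4, frozenset({"1/8", "1/9"}), enabled=True),   # no network ports: reach all but each other
]
# Illegal: a bi-directional session sharing network port 1/23 with sessions 2 and 3
BAD_SESSIONS = SESSIONS + [Session(5, frozenset({"1/10"}), frozenset({"1/23"}), enabled=True)]

if __name__ == "__main__":
    ports = ["1/1", "1/2", "1/5", "1/7", "1/8", "1/9", "1/22", "1/23", "1/24"]
    for p, reach in isolation_matrix(SESSIONS, ports).items():
        print(p, "->", sorted(reach))
    print(validate(BAD_SESSIONS))
```

Running the validator before enabling a session is the practical check: the page says a network port of a unidirectional session may be shared with other unidirectional sessions only, and the matrix makes it obvious when a "network" port has accidentally been left reachable from a user port it should not see.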