Access Classification
The Unified Profile Access Classification Screen displays all Access Classification Rules configured for Access Role Profiles and is used to create, edit, and delete Access Classification Rules (Access Classification Rules in AOS Devices). Access Classification Rules are defined and associated with an Access Role Profile to provide an additional method for classifying a device into an Access Role Profile. If authentication is not available or does not return a profile name for whatever reason, Access Classification rules are applied to determine the profile assignment.
Creating an Access Classification Rule
Click on the Create icon. Select a Rule Type from the drop-down menu. Configure the Rule as described below, select the Access Role Profile for which you want to configure the rule, then click on the Create button. When you are finished, click on the Apply to Devices button to assign the Rule to switches/ports on the network.
Access Classification Rules
- SSID (APs only) - Defines an SSID for the specified Access Role Profile. The specified Access Role Profile is applied if the SSID of the AP with which the client is associating matches the SSID defined in the rule.
  - Name - The rule name.
  - SSID Value - The SSID of the AP.
  - Access Role Profile - Select the Access Role Profile to use for the rule.
- IP Address Rule (AOS Devices only) - Defines an IP Address Access Classification Rule for the specified Access Role Profile. If the source IP address of the device traffic matches the IP address defined for the rule, the specified Access Role Profile is applied.
  - IP Network Address - The IPv4 network address (e.g., 10.0.0.0, 171.15.0.0, 196.190.254.0).
  - IP Mask - An IP address mask to identify the IP subnet for the interface (supports class-less masking).
  - VLAN Tag - An optional VLAN Tag. If configured, traffic must also match this VLAN Tag in addition to the source MAC address.
  - Customer Domain ID - An optional Customer Domain ID to which this rule will apply. When a customer domain ID is configured for this rule, the rule is applied only to traffic received on UNP ports that are associated with the same domain ID. All UNP ports are automatically assigned to customer domain 0 at the time the port is configured as a UNP port.
  - Access Role Profile - Select the Access Role Profile to use for the rule.
- LLDP Rule (AOS 8.x Devices only) - Defines an LLDP rule condition for the specified Access Role Profile.
  - Name - User-configured name for the LLDP Rule.
  - Endpoint Identifier - Select an endpoint identifier (IP Phone, AP).
  - Access Role Profile - Select the Access Role Profile to use for the rule.
- MAC Rule (Both AOS Devices and APs) - Defines a MAC Address Access Classification Rule for the specified Access Role Profile. If the source MAC address of the device traffic matches the MAC address defined for the rule, the specified Access Role Profile is applied. Note that when a MAC Access Classification Rule is removed or modified, all MAC addresses classified with that rule are flushed.
  - Name - User-configured name for the MAC Rule.
  - MAC Address - The MAC address to be used for the rule.
  - VLAN Tag - An optional VLAN Tag. If configured, traffic must also match this VLAN Tag in addition to the source MAC address.
  - Customer Domain ID - An optional Customer Domain ID to which this rule will apply. When a customer domain ID is configured for this rule, the rule is applied only to traffic received on UNP ports that are associated with the same domain ID. All UNP ports are automatically assigned to customer domain 0 at the time the port is configured as a UNP port.
  - Access Role Profile - Select the Access Role Profile to use for the rule.
- MAC OUI Rule (Both AOS Devices and APs) - Defines a MAC address Organizationally Unique Identifier (OUI) classification rule for the specified Access Role Profile. If the OUI of the source MAC address of the device traffic matches the OUI defined for the rule, the specified Access Role Profile is applied to the device.
  - Name - User-configured name for the MAC OUI Rule.
  - MAC Address - The MAC OUI to be used for the rule.
  - VLAN Tag - An optional VLAN Tag. If configured, traffic must also match this VLAN Tag in addition to the source MAC OUI.
- MAC Range Rule (Both AOS Devices and APs) - Defines a MAC Address Range Access Classification Rule for the specified Access Role Profile. If the source MAC address of the device traffic matches any MAC address within the range of MAC addresses, the specified profile is applied. Note that when a MAC Access Classification Rule is removed or modified, all MAC addresses classified with that rule are flushed.
  - MAC Low Address - MAC address that defines the low end of the range (e.g., 00:00:39:59:f1:00).
  - MAC High Address - MAC address that defines the high end of the range (e.g., 00:00:39:59:f1:90).
  - VLAN Tag - An optional VLAN Tag. If configured, traffic must also match this VLAN Tag in addition to the source MAC address.
  - Customer Domain ID - An optional Customer Domain ID to which this rule will apply. When a customer domain ID is configured for this rule, the rule is applied only to traffic received on UNP ports that are associated with the same domain ID. All UNP ports are automatically assigned to customer domain 0 at the time the port is configured as a UNP port.
  - Access Role Profile - Select the Access Role Profile to use for the rule.
- VLAN Tag Rule (AOS 8.x Devices only) - Defines a VLAN Tag for the specified Access Classification Rule. If the source VLAN Tag of the device traffic matches the VLAN Tag defined for the rule, the specified Access Role Profile is applied.
  - VLAN Tag - The VLAN Tag used for the rule.
  - Customer Domain ID - An optional Customer Domain ID to which this rule will apply. When a customer domain ID is configured for this rule, the rule is applied only to traffic received on UNP ports that are associated with the same domain ID. All UNP ports are automatically assigned to customer domain 0 at the time the port is configured as a UNP port.
  - Access Role Profile - Select the Access Role Profile to use for the rule.
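The matching conditions listed above for the IP, MAC, MAC OUI, MAC Range and VLAN Tag rule types can be modeled offline to review a rule set before it is applied to devices. The following is an added example, not code from the product: the rule dictionaries, field names and profile names are hypothetical, a rule with no Customer Domain ID is assumed to match any domain, and because this page does not state which rule wins when several match, the function returns every matching profile and flags disagreement.

```python
import ipaddress

def mac_int(mac):
    """Convert aa:bb:cc:dd:ee:ff (or an OUI prefix) to an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)

# Constructed sample rules; profile names are hypothetical.
RULES = [
    {"type": "ip", "network": "10.0.0.0", "mask": "255.255.255.0",
     "profile": "Employee"},
    {"type": "mac_range", "low": "00:00:39:59:f1:00",
     "high": "00:00:39:59:f1:90", "vlan": 20, "profile": "Printers"},
    {"type": "mac_oui", "oui": "00:00:39", "profile": "Guest"},
    {"type": "vlan", "vlan": 30, "domain": 5, "profile": "Voice"},
]

def rule_matches(rule, dev):
    # Optional VLAN Tag: when configured, traffic must match it as well.
    if rule.get("vlan") is not None and rule["vlan"] != dev.get("vlan"):
        return False
    # Optional Customer Domain ID: UNP ports default to domain 0.
    if rule.get("domain") is not None and rule["domain"] != dev.get("domain", 0):
        return False
    kind = rule["type"]
    if kind == "ip":
        net = ipaddress.ip_network(f"{rule['network']}/{rule['mask']}")
        return "ip" in dev and ipaddress.ip_address(dev["ip"]) in net
    if kind == "mac":
        return mac_int(rule["mac"]) == mac_int(dev["mac"])
    if kind == "mac_oui":
        return mac_int(dev["mac"]) >> 24 == mac_int(rule["oui"])
    if kind == "mac_range":
        return mac_int(rule["low"]) <= mac_int(dev["mac"]) <= mac_int(rule["high"])
    return kind == "vlan"  # VLAN Tag rule: the tag was checked above

def classify(dev, rules=RULES):
    """Return (profiles of every matching rule, True if they disagree)."""
    profiles = [r["profile"] for r in rules if rule_matches(r, dev)]
    return profiles, len(set(profiles)) > 1
```

A device for which the conflict flag is set is covered by overlapping rules that point to different Access Role Profiles, which is worth resolving in the rule set rather than leaving to device behavior.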
Editing an Access Classification Rule
Select the profile in the Classification Profile List and click on the Edit icon to bring up the Edit Access Classification Screen. Edit the fields as described above, then click on the Apply button to save the changes to the server. Note that if the Access Role Profile has been applied to any devices, you will have to re-apply the profile to those devices. You can also go to the Device Config - Access Classification Screen to edit a profile on any device.
Note: You cannot edit an Access Classification Rule Name.
Assigning an Access Classification Rule
When you click the Apply To Devices button, the Access Classification Assignments Screen appears. Select a Mapping Method, then select devices. When you are finished, click on the Apply button. Note that a VLAN must exist on a switch/wireless device to configure VLAN Mapping.
Select Mapping Methods
You can map the Access Classification Rule to a specific VLAN or service. Select a Mapping Method, then make a selection from the drop-down menu. Note that you can only use one mapping method for a profile.
- Map to VLAN - Maps the profile to a specific VLAN on network devices.
- Map to SPB - Maps the profile to an SPB Profile.
- Map to VXLAN - Maps the profile to a VXLAN Profile.
- Map to Static Service - Maps the profile to a Static Service.
Select Devices
After configuring the Mapping Method, click on the Devices ADD button and/or the AP Group ADD button to select devices. The device(s) will appear in the List of Selected Devices. If necessary, click on the Devices EDIT button and/or the AP Group EDIT button to add/remove devices from the list.
The devices presented will vary according to your Mapping Method. For example, if you selected VLAN Number 3, only those devices on which VLAN 3 is configured would be displayed. After selecting devices, click on the Apply button to assign the Access Classification Rule.
Deleting an Access Classification Rule
To delete a rule(s), select the Rule(s) in the table and click on the Delete icon, then click OK at the confirmation prompt. This removes the profile from the server. If the profile has been assigned to any devices, go to the Device Config - Access Classification Screen to remove the profile from the device(s). Select the applicable device(s) in the Devices - Classification Profile List, click on the Delete icon, then click OK at the confirmation prompt.