Device Config - Access Auth Profile
The Unified Profile Device Config Access Auth Profile Screen displays information about all devices to which an Access Auth Profile has been assigned. You can edit the Access Auth Profile on an AOS Device or AP Group, or delete the profile from an AOS Device or AP Group. To display AOS Device information, click on the Devices ADD button and select one or more devices. To display AP Group information, click on the AP Group ADD button and select one or more AP Groups. To add or remove devices/AP Groups from the display, click on the applicable EDIT button.
Important Note: Any configuration updates applied in the Device Config application are only applied to the selected devices/AP Groups. The updates will not affect the corresponding SSIDs, Unified Access Profiles/Templates.
Editing an Access Auth Profile
Select a device/AP Group in the Access Auth Profile List and click on the Edit icon to edit the field(s) as described below. When you are finished, click on the Apply button. Note that support for individual parameters varies by device type. You can select an option from the "Highlight" drop-down menu at the top of the screen to highlight the parameters supported by a specific device family (6x, 7x, 8x).
Default Settings
This section is used to configure basic settings for the profile.
- AAA Server Profile - The AAA Server Profile used to authenticate users on the port.
- Port Bounce - Enables/Disables Port Bounce. Always Enabled on wireless devices. This feature handles the case where a client is moved from one VLAN to another by a RADIUS CoA (Change of Authorization). If Port Bounce is enabled, the port is administratively brought down and back up, which triggers a DHCP renewal on the client and, if necessary, re-authentication.
- MAC Auth - Enables/Disables MAC Authentication for the port. Wireless devices do not contain this attribute in their configuration table. MAC Pass Alt attribute in the next section, No Auth/Failure/Alternate, is used for MAC Authentication on wireless devices.
- 802.1X Auth - Enables/Disables 802.1X Authentication. Wireless devices do not contain this attribute in their configuration table. 802.1X Pass Alt attribute in the next section, No Auth/Failure/Alternate, is used for 802.1X Authentication on wireless devices.
- Dynamic Service - Select a dynamic mapping method, if applicable (SPB, VXLAN).
- Customer Domain ID - Select a Customer Domain ID for the profile, if applicable.
- AP Mode - Enables/Disables the Access Point Mode for the port. When enabled (the default), the switch automatically detects, learns, and manages a Stellar AP that is connected to the port. Wireless client traffic is then forwarded from the AP to the OmniSwitch onto the wired network.
- Secure - If the AP Mode is enabled, you can check this box to secure the AP Mode. The AP Mode is not secured by default (box is not checked). When an AP device is detected on a UNP port, the trust tag function is operationally enabled to trust the AP client traffic. If the AP device fails authentication but is still learned as forwarding, the client traffic is still trusted and forwarded on the port. When the AP Mode is secured (box is checked), the trust tag function is not enabled for client traffic until after the AP device successfully authenticates.
No Auth/Failure/Alternate
This section is used to configure the actions taken if a device assigned to the profile fails authentication.
- Trust Tag - Enables/Disables trusting the VLAN ID of a tagged packet to determine how the packet is classified. Enabling the trust VLAN ID tag option provides an implicit method of VLAN tag classification that accepts tagged traffic matching any of the existing UNPs without the need to create specific classification rules for those profiles (Default = Disabled). Note that with this option enabled, a device that fails or skips authentication can place itself into any existing UNP VLAN simply by tagging its frames, so enable it only on ports where the attached devices are trusted.
- Access Classification - Enables/Disables device classification. Always Enabled on wireless devices (Default = Disabled).
- Default Access Role Profile - The Default Access Role Profile that users are assigned to after authentication. Note that for IAP devices the default Access Role Profile name must match the SSID Profile name in order for it to take effect.
- Bypass VLAN - Enter a Bypass VLAN (Range = 1 - 4094). The Bypass VLAN attribute is supported on Stellar AP 1201H/1201HL (running AWOS 4.0.2 or later) and Stellar AP 1301H/1311 (running AWOS 4.0.5 or later). The feature improves wired port forwarding performance by skipping the CPU process: when a Bypass VLAN is configured, traffic from the AP uplink port to the downlink port, or vice versa, is forwarded directly through the switch chipset without CPU intervention.
- 802.1X Pass Alt - The Pass-Alternate UNP (Access Role Profile) assigned to the user when 802.1X authentication succeeds but does not return a valid UNP for the pass branch (for example, the RADIUS server returns no profile or an unknown one).
- Bypass Status - Enables/Disables 802.1X bypass (Default = Disabled). When 802.1X bypass is enabled, the user's 802.1X authentication method is skipped and the user goes directly to MAC authentication or Access Classification, depending on the configuration of the UNP ports/link aggregates. On wireless devices, this attribute maps to the l2-auth-fail-through attribute, and it must be combined with the MAC Allow EAP attribute for l2-auth-fail-through to take effect:
- Bypass Status = Enabled combined with MAC Allow EAP = None disables 802.1X authentication altogether; l2-auth-fail-through is not enabled.
- Bypass Status = Enabled combined with MAC Allow EAP = Fail enables l2-auth-fail-through.
- Any other combination of Bypass Status and MAC Allow EAP causes l2-auth-fail-through to be ignored on wireless devices.
- Failure Policy - The authentication method used if 802.1X authentication fails.
- MAC Pass Alt - The Pass-Alternate Access Role Profile assigned to the user when MAC authentication succeeds but does not return a valid profile.
- MAC Allow EAP - Controls whether Extensible Authentication Protocol (EAP, that is, 802.1X) frames are accepted from a device depending on the result of MAC authentication. The values referenced above are None (EAP frames are not accepted) and Fail (EAP frames are accepted from a device that failed MAC authentication); on AOS switches the equivalent port-template option also accepts Pass and No Auth.
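The rules in this section are easy to get wrong on a busy screen, particularly the Bypass Status / MAC Allow EAP combinations for wireless devices and the Trust Tag and unsecured AP Mode caveats from the Default Settings section. The following is an added example, not OmniVista or AOS code: it checks a profile, represented as a plain dict whose keys mirror the screen's field names (that representation, the function names and the severities are assumptions of this example), and reports the conditions this page describes.

```python
"""Audit Access Auth Profile settings for the conditions described on this page.

Added example, not OmniVista or AOS code. The dict keys mirror the screen's
field names; the representation and function names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    field: str
    severity: str  # "high", "medium" or "low" (assumed scale)
    message: str


def wireless_fail_through(profile: dict) -> str:
    """Apply the page's Bypass Status / MAC Allow EAP rules for wireless devices.

    Returns "enabled" (l2-auth-fail-through takes effect), "802.1X-disabled"
    (802.1X is switched off outright) or "ignored".
    """
    bypass = profile.get("bypass_status") == "Enabled"
    allow_eap = profile.get("mac_allow_eap")
    if bypass and allow_eap == "None":
        return "802.1X-disabled"
    if bypass and allow_eap == "Fail":
        return "enabled"
    return "ignored"


def audit_profile(profile: dict, wireless: bool = False) -> list[Finding]:
    """Return the findings a reviewer would want to see before applying the profile."""
    findings: list[Finding] = []

    def enabled(key: str) -> bool:
        return profile.get(key) == "Enabled"

    if wireless:
        state = wireless_fail_through(profile)
        if state == "802.1X-disabled":
            findings.append(Finding("Bypass Status", "high",
                "Bypass Status=Enabled with MAC Allow EAP=None disables 802.1X on wireless devices"))
        elif state == "ignored" and enabled("bypass_status"):
            findings.append(Finding("Bypass Status", "low",
                "Bypass Status is set but l2-auth-fail-through is ignored for this MAC Allow EAP value"))
    elif enabled("bypass_status"):
        # Wired: 802.1X is skipped; what remains depends on MAC Auth.
        if enabled("mac_auth"):
            findings.append(Finding("Bypass Status", "medium",
                "802.1X is skipped; clients go straight to MAC authentication"))
        else:
            findings.append(Finding("Bypass Status", "high",
                "802.1X is skipped and MAC Auth is off; clients are admitted by Access Classification only"))

    if enabled("trust_tag"):
        findings.append(Finding("Trust Tag", "medium",
            "tagged frames are placed into any existing UNP VLAN matching their tag; "
            "a client can choose its own VLAN"))

    if enabled("ap_mode") and not profile.get("secure", False):
        findings.append(Finding("Secure", "medium",
            "AP Mode is not secured: AP client traffic is trusted before the AP authenticates"))

    vlan = profile.get("bypass_vlan")
    if vlan is not None and not 1 <= int(vlan) <= 4094:
        findings.append(Finding("Bypass VLAN", "high",
            f"Bypass VLAN {vlan} is outside the valid range 1-4094"))

    return findings


# Constructed sample: a wireless profile as it might be handed to a reviewer.
SAMPLE_WIRELESS_PROFILE = {
    "bypass_status": "Enabled",
    "mac_allow_eap": "None",
    "trust_tag": "Disabled",
    "ap_mode": "Enabled",
    "secure": False,
}

if __name__ == "__main__":
    for f in audit_profile(SAMPLE_WIRELESS_PROFILE, wireless=True):
        print(f"[{f.severity}] {f.field}: {f.message}")
```

Running the sample reports the Bypass Status combination that silently disables 802.1X and the unsecured AP Mode; the same checks run on a wired profile (wireless=False) switch to the wired interpretation of Bypass Status, where the profile falls back to MAC authentication or, if that is off too, to Access Classification alone.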
Advanced Settings
This section is used to configure advanced 802.1X authentication settings for the profile.
- 802.1X Tx Period - The interval, in seconds, at which the authenticator retransmits EAP Request/Identity frames to a supplicant that has not responded.
- 802.1X Supp Timeout - The time, in seconds, the authenticator waits for the supplicant to answer an EAP request before retransmitting it.
- 802.1X Request - The maximum number of times an EAP request is retransmitted to the supplicant before the authentication attempt is abandoned.
- Port Controlled Directions - Configures whether network access control is applied to both incoming and outgoing traffic, or only to incoming traffic.
- Client Isolation - Enables/Disables Client Isolation (Default = Disabled). When enabled, traffic between clients on the same AP in the SSID is blocked; client traffic can only go toward the default gateway. You can create a list of device MAC addresses that a client can still access when Client Isolation is enabled. This list is configured for the Access Role Profile to which a client is assigned.
Configuration Information
This section displays current port configurations, if applicable, and is used to create/edit port configurations for the profile.
- Ports - The switch port(s) configured for the profile.
- Port Type - The port type (VLAN Port, SPB Access Port, VXLAN Access Port).
- UNP VLANs - The VLANs configured for dynamically-created UNP VLANs. For 8.x devices, also select a traffic type (Tagged, Untagged).
Deleting an Access Auth Profile
Select a device(s)/AP Group(s) in the Access Auth Profile List, click on the Delete icon, then click OK at the confirmation prompt.