Access Auth Profile

The Unified Profile Access Auth Profile Screen displays all configured Access Auth Profiles and is used to create, edit, and delete Access Authentication Profiles. An Access Auth Profile enables you to assign a pre-defined UNP port configuration to a port or linkagg, or specify them individually on each port to enable UNP port status and set the parameters for the authentication process for the port. For IAP devices, an Access Auth Profile can be assigned to a WLAN identified by the SSID Profile. For wireless controller devices, an Access Auth Profile can be assigned to Virtual AP Profile, which is used to configure WLAN. The Access Auth Profile configures 802.1X and MAC authentication for both wired and wireless devices, Access Classification and the default AAA Server and/or UNP Profile to be used once a user is authenticated. The basic configuration for each configured Access Auth Profile is displayed. You can also click on a profile for a configuration view.

Creating an Access Auth Profile

Click on the Add icon. Enter a Profile Name and configure the profile as described below, then click on the Create button. When you are finished, select the checkbox next to the profile and click on the Apply to Devices button to assign the profile to switches/ports or wireless devices/virtual APs on the network.

Default Settings

This section is used to configure basic settings for the profile.

AAA Server Profile - The AAA Server Profile used to authenticate users on the port. Select a profile from the drop-down list or click on the "Add New" link to go to the AAA Server Profile Screen and create a new profile. Note that this field is not supported for AOS 6x devices. To apply a AAA Profile to an AOS 6x device, go to the Global Configuration AAA Screen (Global Configuration - AAA), create a AAA Profile, and apply it to devices.
Port Bounce - Enables/Disables Port Bounce. Always Enabled on wireless devices and AOS 6x switches. This feature is required to handle scenarios where a client is switched from one VLAN to other after COA. If port bounce is enabled, the port will be administratively shut down. This is to trigger DHCP renewal and re-authentication, if necessary.
MAC Auth - Enables/Disables MAC Authentication for the port. Wireless devices do not contain this attribute in their configuration table. MAC Pass Alt attribute in the next section, No Auth/Failure/Alternate, is used for MAC Authentication on wireless devices.
802.1X Auth - Enables/Disables 802.1X Authentication. Wireless devices do not contain this attribute in their configuration table. 802.1X Pass Alt attribute in the next section, No Auth/Failure/Alternate, is used for 802.1X Authentication on wireless devices.
Dynamic Service - Select a dynamic mapping method for the profile, if applicable (SPB, VXLAN).
Customer Domain ID - Select a Customer Domain ID for the profile, if applicable. If necessary, click on the "Add New" link to go to the Customer Domain Screen and create a Customer Domain.
AP Mode - Enables/Disables the Access Point Mode for the port. When enabled (the default), the switch automatically detects, learns, and manages a Stellar AP that is connected to the port. Wireless client traffic is then forwarded from the AP to the OmniSwitch onto the wired network.
Secure - If the AP Mode is enabled, you can check this box to secure the AP Mode. The AP Mode is not secured by default (box is not checked). When an AP device is detected on a UNP port, the trust tag function is operationally enabled to trust the AP client traffic. If the AP device fails authentication but is still learned as forwarding, the client traffic is still trusted and forwarded on the port. When the AP Mode is secured (box is checked), the trust tag function is not enabled for client traffic until after the AP device successfully authenticates.

No Auth/Failure/Alternate

This section is used to configure the actions taken if a device assigned to the profile fails authentication.

Trust Tag - Enables/Disables whether to trust the VLAN ID of a tagged packet to determine how the packet is classified. Enabling the trust VLAN ID tag option provides an implicit method of VLAN tag classification that will accept tagged traffic without the need to create specific classification rules for those profiles (Default = Disabled).
Access Classification - Enables/Disables device classification. Always Enabled on wireless devices (Default = Disabled).
Default Access Role Profile - The Default Access Role Profile that users are assigned to if authentication or classification methods fail to match traffic with any role. This is the last-resort role. Select a profile from the drop-down list or click on the "Add New" link to go to the Access Role Profile Screen and create a new profile. Note that for IAP devices the default Access Role Profile name must match the SSID Profile name in order for it to take effect.
Bypass VLAN - Enter a Bypass VLAN (Range = 1 - 4094). The Bypass VLAN attribute is supported on Stellar AP 1201H/1201HL (running AWOS 4.0.2 or later) and Stellar AP 1301H/1311 (running AWOS 4.0.5 or later). The feature improves wired port forwarding performance by skipping the CPU process. When a Bypass VLAN is configured, traffic from the AP uplink port to the downlink port, or vice versa, is forwarded directly through the switch chipset without CPU intervention. The Bypass VLAN has higher priority than Trust Tag. When a VLAN is configured as the Bypass VLAN and Trust Tag at the same time, the Bypass VLAN function is effective on that VLAN, while Trust Tag is not. Note that when Bypass VLAN is configured, Authentication/ACL/Policy etc. features cannot be applied to the traffic in the Bypass VLAN. When an Access Auth Profile is applied to an AP Group, OmniVista will pass the Bypass VLAN attribute to all APs in the AP Group. APs 1201H/1201HL and 1301H/1311 will accept it, other APs in the group will silently ignore this attribute. Bypass VLAN is recommended for the use case of HD IPTV.
802.1X Pass Alt - The user shall be assigned a Pass-Alternate UNP in case the 802.1X authentication does not result in a valid UNP for the pass branch. Select a profile from the drop-down list or click on the "Add New" link to go to the Access Role Profile Screen and create a new profile.
Bypass Status - Enables/Disables 802.1X bypass. When 802.1X bypass is enabled, the user's 802.1X authentication method is skipped. The user directly enters mac-authentication or Access Classification based on the configuration on the UNP ports/Linkaggs. On wireless devices, this attribute corresponds to another attribute named l2-auth-fail-through, and this attribute must be combined with the MAC Allow EAP attribute to make l2-auth-fail-through attribute work (Default = Disabled).
- AOS Devices
  - Bypass Status with Enabled status combined with MAC Allow EAP set to "None" will disable 802.1X authentication, and l2-auth-fail-through is not Enabled.
  - Bypass Status with Enabled status combined with l MAC Allow EAP set to "Fail" will enable l2-auth-fail-through.
  - Other configurations of Bypass Status and MAC Allow EAP cause l2-auth-fail-through to be ignored on wireless devices.
- Stellar APs
  - If Bypass Status is Enabled, MAC Allow EAP will be considered. In the AP. There are only two options: Pass or Fail. When Bypass Status is Enabled, both MAC authentication and 802.1x authentication are performed - MAC authentication is performed first, then 802.1x authentication.
  - If Bypass Status is Disabled, OmniVista will always perform 802.1x authentication and ignore MAC authentication (unless both MAC and 802.1x authentication are enabled).
Failure Policy - The authentication method used if 802.1X authentication fails. Note that MAC Authentication Failure Policy is not supported on AOS 6.x devices.
MAC Pass Alt - The Access Role Profile the user is assigned to after passing authentication.
MAC Allow EAP - MAC Allow EAP behavior can be configured on both AOS Device and certain Stellar AP Models (e.g., AP1201H).
- AOS Devices - Normally, when we enable both MAC and 802.1x authentication, 802.1x authentication status is considered first. If 802.1x authentication is disabled or it is a non-supplicant client, MAC authentication will be performed. In some cases, you may want the AOS port to perform MAC authentication first. 802.1x authentication will be performed later or not based on the result of the MAC Authentication. Select one of the following options:
  - Pass - Allows 802.1x (EAP frame) authentication if the supplicant passes MAC authentication.
  - Fail - Allows 802.1x (EAP frame) authentication if the supplicant fails MAC authentication.
  - No Auth - Allows 802.1x (EAP frame) authentication if there is no MAC authentication configured on the port.
  - None - Prevents 802.1x Authentication. Only MAC authentication is performed on any device accessing this port.
- Stellar APs - The Bypass Status setting (above) controls when the AP performs 802.1x Authentication on the downlink port. If the Bypass Status is set to Enable, select one of the following options:
  - Pass - 802.1x Authentication is only performed if MAC authentication passed.
    Fail - 802.1x Authentication is only performed if MAC authentication fails.

Advanced Settings

This section is used to configure advanced 802.1X authentication settings for the profile.

802.1X Tx Period Status - Enables/Disables 802.1X Authentication Tx Period (Default = Disabled).
802.1X Tx Period - Access Auth Profile 802.1X Tx period, in seconds.
802.1X Supp Timeout Status - Enables/Disables802.1X Supp Timeout (Default = Disabled).
802.1X Supp Timeout - 802.1X Authentication Supp Timeout, in seconds.
802.1X Request Status - Enables/Disables 802.1X Authentication Max Request (Default = Disabled).
802.1X Request - 802.1X Authentication Max Request number.
Port Controlled Directions - Configures whether network access control is applied to both incoming and outgoing traffic, or only applied to incoming traffic (In/Both, Default = Both).
Client Isolation - Enables/Disables Client Isolation (Default = Disabled). When enabled, traffic between clients on the same AP in the SSID is blocked; client traffic can only go toward the default gateway. You can create a list of device MAC addresses that a client can still access when Client Isolation is enabled. This list is configured for the Access Role Profile to which a client is assigned.

Wireless Settings

This section is used to configure a Virtual AP Profile (i.e., "wireless device" profile) and associate it with the Access Auth Profile.

Virtual AP Name - User-configured name for the Virtual AP Profile.
SSID Profile - The SSID Profile you want to associate with the Virtual AP Profile. Select a profile from the drop-down list or click on the "Add New" link to go to the SSID Profile Screen and create a new profile.
User Derivation Rules - Select a User Derivation Rules from the drop-down list to specify a user attribute profile from which the user role or VLAN is derived. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a user-derived role). You can configure rules that assign a user role to clients that match a certain set of criteria. For example, you can configure a rule to assign the role VoIP-Phone to any client that has a MAC address that starts with bytes xx:yy:zz. User-derivation rules are executed before client authentication. Note that only wireless classification rules are listed in the drop-down menu.
Virtual AP Enable - Enables/Disables the Wireless Authentication Profile.
Forward Mode - Controls whether data is tunneled to the controller using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or using a combination of both depending on the destination (e.g., corporate traffic goes to the controller, and Internet access remains local). All forwarding modes support band steering, TSPEC/TCLAS enforcement, 802.11k and station blocklisting.

Tunnel - The AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames, and EAPOL frames over a GRE tunnel to the controller for processing. The controller removes or adds the GRE headers, decrypts or encrypts 802.11 frames, and applies firewall rules to the user traffic as usual. Both remote and campus APs can be configured in tunnel mode.
Bridge - 802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP is in bridge mode, the AP (and not the controller) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.
Split Tunnel - 802.11 frames are either tunneled or bridged, depending on the destination (e.g., corporate traffic goes to the controller, and Internet access remains local).
Decrypt Tunnel - Both remote and campus APs can be configured in decrypt-tunnel mode. When an AP uses decrypt-tunnel forwarding mode, that AP decrypts and decapsulates all 802.11 frames from a client and sends the 802.3 frames through the GRE tunnel to the controller, which then applies firewall policies to the user traffic.

Allowed Band - The band(s) on which to use the Virtual AP:
- a - 802.11a band only (5 GHz)
- g - 802.11b/g band only (2.4 GHz)
- all - Both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz). (Default).
Band Steering - Enables/Disables Band Steering. Band Steering encourages dual-band capable clients to stay on the 5GHz band on dual-band APs. This frees up resources on the 2.4GHz band for single band clients like VoIP phones. The feature supports both campus APs and remote APs that have a virtual AP profile set to tunnel, split-tunnel or bridge forwarding mode. Note, however, that if a campus or remote APs have virtual AP profiles configured in bridge or split-tunnel forwarding mode but no virtual APs in tunnel mode, those APs will gather information about 5G-capable clients independently and will not exchange this information with other APs that only have bridge or split-tunnel virtual APs configured.
Steering Mode - Band steering supports the following three band steering modes.
- Force-5GHz - The AP will try to force 5Ghz-capable APs to use that radio band.
- Prefer-5GHz -The AP will try to steer the client to 5G band (if the client is 5G capable) but will let the client connect on the 2.4G band if the client persists in 2.4G association attempts. (Default)
- Band Balancing - The AP tries to balance the clients across the two radios in order to best utilize the available 2.4G bandwidth. This feature takes into account the fact that the 5Ghz band has more channels than the 2.4 GHz band, and that the 5Ghz channels operate in 40MHz while the 2.5Ghz band operates in 20MHz.
Dynamic Multicast Optimization - Enables/Disables Dynamic Multicast Optimization.
Dynamic Multicast Optimization Threshold - The maximum number of high-throughput stations in a multicast group beyond which dynamic multicast optimization stops. (Range = 2 - 255, Default = 5)
Drop All Broadcast or Multicast Traffic - If "Enabled", broadcast and multicast traffic is dropped. Do not enable this option for Virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for Virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to drop all broadcast traffic. When a Virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the controller is not able to filter out that broadcast traffic.
Convert Broadcast ARP Requests To Unicast - If "Enabled", all broadcast ARP requests are converted to unicast and sent directly to the client. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to convert ARP requests directed to the broadcast address into unicast.

Assigning an Access Auth Profile

When you click the Apply to Devices button, the Access Auth Profile Assignments Screen appears. Follow the steps below to assign the profile to a Switch and/or an AP Group.

Assigning an Access Auth Profile to a Switch

An Access Auth Profile can be assigned to AOS Devices and/or Stellar APs.

Assigning an Access Auth Profile to AOS Devices

Click on the Devices ADD/EDIT buttons and select devices. The device(s) will appear in the List of Selected Devices. Click on the "Add Port" link under a device and select ports. Click on the "Port Type" link to select the port type (VLAN Port, SPB Access Port, VXLAN Access Port). (Default = VLAN Port).

If you are finished, click on the Apply button. The configuration will be applied and the assignment status displayed. Click OK to return to the Access Auth Profile Screen.

UNP VLANs for Silent Devices

When assigning an Access Authentication Profile, you can map a UNP VLAN to a UNP Port. This configures a Tagged or Untagged VLAN Port Association between the specified UNP Bridge Port and the VLAN This feature is useful when connecting "Silent" devices (e.g., printers) to Bridge Ports. The feature is supported on 6.x Switches (running AOS 6.7.1.R02 and higher) and 8.x Switches (running AOS 8.6R1 and higher).

Click on the "Add UNP VLANs" link under the device to bring up the UNP VLANs window.

6.x Switches - Enter a VLAN and click on "+". Repeat to add additional VLANs. Click on OK.
8.x Switches - Enter a VLAN, select a traffic type (Tagged or Untagged) and click on "+". Repeat to add additional VLANs. Click on OK.

If you are finished, click on the Apply button. The configuration will be applied and the assignment status displayed. Click OK to return to the Access Auth Profile Screen.

Assigning an Access Auth Profile to Stellar APs

You can assign an Access Auth Profile to Stellar APs with downlink ports (e.g., AP1201H). Click on the AP Groups ADD/EDIT buttons and select an AP Group(s). The AP Group(s) will appear in the List of Selected Groups. Three ports (Eth1, Eth2, Eth3) are displayed under the AP Group Name. Select a port(s). OmniVista will apply the profile to the selected ports on supported APs/ports in the AP Group. OmniVista will ignore unsupported APs/ports in the AP Group.

If you are finished, click on the Apply button. The configuration will be applied and the assignment status displayed. Click OK to return to the Access Auth Profile Screen.

Common Errors Seen when Assigning an Access Auth Profile

The following common errors may be seen in the Results page when attempting to assigning an Access Auth Profile to an AOS Switch. Possible causes are provided for each.

Error Message	Possible Cause(s)
"Failed to apply Access Auth Profile to port x/x/x"	A member of Link-Agg, Port x/x/x is a Tagged Port.
"Port-Template applied to UNP Bridge Ports, cannot set L2 Profile on Bridge Ports"	L2 Profile cannot be set when template is applied to UNP Bridge Ports. UNP cannot be enabled on Tagged Port x/x/x. UNP cannot be enabled on Service Access Port x/x/x. VLAN ID xx does not exist. VLAN specified in "UNP VLANs" must exist on the switch. VLAN ID xx is not a Standard VLAN. VLAN ID specified in "UNP VLANs" should be a Standard VLAN.

Editing an Access Auth Profile

Select the profile in the Access Auth Profile Screen and click on the Edit icon to bring up the Edit Access Auth Profile Screen. Edit the fields as described above then click on the Apply button to save the changes to the server. (Note that you cannot edit the Access Auth Profile Name.) If the Access Auth Profile has been applied to any devices, you will have to re-apply the profile to those devices. You can also go to the Device Config - Access Auth Profile Screen to edit a profile on any device.

To "unassign" an Access Auth Profile from a device, go the Device Config - Access Auth Profile Screen and delete the profile from the device. To "unassign" a profile from specific device ports, go the Device Config - Access Auth Profile Screen and delete the profile from the device. Then return to the Access Auth Profile Screen, select the profile and re-assign it to the device, selecting only those ports to which you want to assign the profile.

For example, if you had assigned Access Auth Profile 1 to ports 1/1, 1/2, 1/3, and 1/4 on a device and you want to remove it from ports 1/3 and 1/4. You would go to the Device Config - Access Auth Profile Screen and delete Access Auth Profile 1 from the device. Then return to the Access Auth Profile Screen, select Access Auth Profile 1 and re-assign it to the device, selecting only ports 1/1 and 1/2 on the Device Selection Screen.

Deleting an Access Auth Profile

Select the profile in the Access Auth Profile Screen and click on the Delete icon, then click OK at the confirmation prompt. This removes the profile from the server. If the profile has been assigned to any devices, go to the Device Config - Access Auth Profile Screen to remove the profile from the device(s). Select the applicable device(s) in the Devices - Access Auth Profile Table, click on the Delete icon, then click OK at the confirmation prompt.