Premium Services Overview

The Unified Access Premium Services application includes the Alcatel-Lucent Enterprise OmniSwitch implementation of Bring Your Own Device (BYOD). BYOD leverages Access Guardian features along with ClearPass Policy Manager (CPPM) to allow a wired or wireless guest, device, or authenticated user to connect to the network through an OmniSwitch edge device using the CPPM Server for unified authentication.

Note: BYOD is only supported on Alcatel-Lucent Enterprise Switches running AOS 6.4.6.R01 and later, AOS 6.6.5.R01 and later, AOS 7.3.4.R02 and later, and AOS 8.1.1.R01 and later. OmniVista supports CPPM Manager 6.2, 6.3, and 6.4. Additional configuration of the CPPM Server, per the CPPM documentation, is required for the BYOD solution to work.

BYOD/ClearPass Overview

The Alcatel-Lucent Enterprise OmniSwitch implementation of BYOD leverages Access Guardian features along with ClearPass Policy Manager (CPPM) to allow a wired or wireless guest, device, or authenticated user to connect to the network through an OmniSwitch edge device using the CPPM Server for unified authentication. The Unified Access application in OmniVista is used to connect to and configure the CPPM Server as a RADIUS Server. Device authentication and network access policies are configured on the ClearPass Server through the ClearPass software and directed to the desired network resources using the UNP feature in the Access Guardian application. The OmniSwitch BYOD solution comprises the following main components:

The figure below provides a high-level view of a typical BYOD Network configuration. The BYOD/ClearPass setup is detailed below.

BYOD Authentication Process Overview

This section describes the basic BYOD process with respect to the OmniSwitch and its interaction with the ClearPass Server.

Authentication for Registered Devices (802.1x)

The BYOD solution provides the following authentication process for registered devices (for example, IT issued employee devices):

  1. When an 802.1x enabled port on the OmniSwitch detects the user, the authentication process is triggered to classify the user.
  2. The OmniSwitch sends an authentication request to the ClearPass Server.
  3. The ClearPass Server authenticates the user based on the user credentials, and returns the Role/UNP configured on the server to the OmniSwitch.
  4. The OmniSwitch assigns the user to the UNP obtained from the ClearPass Server.

Authentication for Network Devices (MAC Authentication)

The BYOD solution provides the following MAC authentication process for network devices such as IP phones, printers, or access points:

  1. When MAC authentication is enabled on a port and the OmniSwitch detects the device, the MAC authentication process is triggered to classify the device.
  2. The OmniSwitch sends a request to the ClearPass Server, which authenticates the device based on the device's MAC address and the profiles and policies configured on the ClearPass Server.
  3. ClearPass classifies the device to a UNP and returns the UNP information to the OmniSwitch.
  4. The OmniSwitch assigns the device to the UNP obtained from the ClearPass Server.

Authentication for Guest Devices and Employees Onboarding

The BYOD solution provides the following authentication process for guest devices and employee personal devices:

  1. When MAC authentication is enabled on a port and the OmniSwitch detects the device, the MAC authentication process is triggered to classify the device.
  2. ClearPass initially classifies the device to a temporary UNP and returns a redirection URL that allows for guest registration or employee onboarding.
  3. The OmniSwitch assigns the user to the specified UNP. Because redirection is also set, DHCP and DNS traffic is allowed, but HTTP traffic from the user is redirected to the URL returned with the UNP.
  4. The user is presented with a guest login page or an onboarding page to enter user credentials.
  5. After registration, ClearPass determines the appropriate role for the user and sends the final UNP to the OmniSwitch through a CoA request, or through a RADIUS packet in the onboarding case.
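The three flows above, as a small Python model added here (it is not OmniSwitch or ClearPass code): the server answers with a UNP, or with a temporary UNP plus a redirect URL for an unknown device, and the port applies that answer until a CoA delivers the final UNP. The user name, MAC addresses, UNP names and portal URL are constructed, and the model's assumption that traffic other than DHCP, DNS and HTTP is blocked while the redirect is in force is not stated on the page.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class RadiusReply:             # ClearPass answer: a UNP name, plus a redirect URL for the temporary UNP
    unp: str
    redirect_url: Optional[str] = None

# Constructed stand-ins for ClearPass policy data; names and URL are hypothetical.
REGISTERED_USERS = {"alice": "UNP-employee"}         # 802.1X credentials -> Role/UNP
KNOWN_DEVICES = {"00:11:22:33:44:55": "UNP-voice"}    # MAC of an IP phone -> UNP
TEMP_UNP = RadiusReply("UNP-guest-temp", "https://cppm.example.invalid/guest")

def clearpass_authenticate(identity: str, method: str) -> Optional[RadiusReply]:
    """Server side of the three flows; None models an Access-Reject."""
    if method == "802.1x":
        unp = REGISTERED_USERS.get(identity)        # registered device: credentials -> UNP
        return RadiusReply(unp) if unp else None
    if method == "mac":
        unp = KNOWN_DEVICES.get(identity)           # known network device: MAC -> UNP
        return RadiusReply(unp) if unp else TEMP_UNP  # unknown MAC: temporary UNP + redirect URL
    return None

@dataclass
class EdgePort:                # switch side: the UNP (and redirect URL, if any) applied to the port
    unp: Optional[str] = None
    redirect_url: Optional[str] = None

    def apply(self, reply: Optional[RadiusReply]) -> None:
        self.unp, self.redirect_url = (reply.unp, reply.redirect_url) if reply else (None, None)

    def handle(self, proto: str) -> str:
        """Action for one kind of traffic. In the temporary UNP DHCP/DNS pass and HTTP is
        redirected; this model assumes all other traffic is blocked until the final UNP arrives."""
        if self.unp is None:
            return "block"                          # rejected or not yet classified
        if self.redirect_url is None or proto in ("dhcp", "dns"):
            return "forward"                        # final UNP, or allowed protocol during redirect
        return f"redirect:{self.redirect_url}" if proto == "http" else "block"

    def change_of_authorization(self, final_unp: str) -> None:
        """CoA from ClearPass after registration: replace the temporary UNP with the final one."""
        self.apply(RadiusReply(final_unp))

def guest_flow(mac: str, final_unp: str) -> list:
    """Steps 1-5 for an unknown device: [temporary UNP, HTTP action before CoA, HTTP action after]."""
    port = EdgePort()
    port.apply(clearpass_authenticate(mac, "mac"))
    temp, before = port.unp, port.handle("http")
    port.change_of_authorization(final_unp)
    return [temp, before, port.handle("http")]
```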

BYOD/ClearPass Setup

As mentioned earlier, the Alcatel-Lucent Enterprise OmniSwitch implementation of BYOD leverages Access Guardian features on the OmniSwitch along with ClearPass Policy Manager (CPPM) to authenticate users onto the network. The first step in configuring BYOD is to set up the ClearPass Server. The following key points must be considered when configuring the CPPM Server and OmniSwitch for BYOD integration:

Note: ClearPass Policies are configured on the ClearPass Server using the CPPM application web interface. The CPPM web interface can be accessed by entering the CPPM Server IP address into a browser, or by configuring the CPPM Server connection in OmniVista and clicking the Launch button. The procedures below provide steps to configure OmniVista to interface with the CPPM Server and direct users to the proper UNP following ClearPass authentication. Detailed ClearPass Policy configuration instructions are included in the ClearPass online help. An overview of BYOD and sample ClearPass policy configurations are available in Chapter 43, “Configuring Access Guardian”, in the OmniSwitch Network Configuration Guide.

Quick Steps to Configure OmniVista for BYOD

Both the Unified Access application and the Access Guardian application (UNP) are used to configure OmniVista for BYOD. You first use the Unified Access (BYOD) application to configure the ClearPass Server connection to OmniVista, and to configure the ClearPass Server as a RADIUS Server. You then use the Access Guardian application to create UNP policies that give the user access to the proper network resources. The sections below provide "quick steps" to initially configure OmniVista for BYOD.

Unified Access Configuration

After setting up the ClearPass Server, follow the steps below to configure the OmniVista connection to the CPPM Server (Management and Database Sections) and to configure the ClearPass Server as a RADIUS Server. You can also configure a Redirect URL for Guest user login.

Note: Some key fields on the "Add ClearPass Server" screen are pre-filled with default values. It is recommended that you do not change the pre-filled values.

1. In the Unified Access Application, click on the ClearPass Link, then click on the Create icon to bring up the "Add ClearPass Server" screen.

2. In the Management fields, enter the IP Address, User Name, and Password of the CPPM Server. The remaining fields are pre-filled with the default values.

3. In the Database fields, enter the Database Password (the password should match the one configured when the Database Connection was set up in ClearPass). The remaining fields are pre-filled with the default values.

4. In the RADIUS Server fields, enter the CPPM Server Shared Secret (with confirmation). You can also complete the Backup IP Address/Host Name field, if applicable.

5. For web authentication, complete the Redirect Options fields to specify the Proxy Server Port and to add the Allowed Server IP address and mask.

6. When you have completed all of the fields, click the Apply button. The Server will now appear in the ClearPass list of servers.

7. Select the server and click the Apply to Devices button at the top of the screen to assign the server to specific switches.

8. Configure the fields on the Assignment Screen as described below.

9. Select the switch(es) to which you want to assign the CPPM Server, then click the Apply button.

Note: The "Available Switches" area is populated with all of the switches available on the network. However, BYOD is only supported on Alcatel-Lucent Enterprise Switches running AOS 6.4.6.R01 and later and AOS 8.1.1.R01 and later.

Access Guardian Configuration

After configuring the ClearPass Server, go to the Access Guardian application to create UNP policies to provide authenticated users access to the proper network resources.

1. On the Edge Profile Screen, create an Edge (UNP) Profile (e.g., UNP-employee). The Profile Name must match the profile name configured in the Enforcement Profile Screen in ClearPass. If required for the policy, select a Policy List from the Policy List Name drop-down field.

2. Enable Redirect Status to allow users to be redirected by CPPM while in this UNP.