
Alcatel-Lucent OmniSwitch 6860 Series User Manual

Alcatel-Lucent OmniSwitch 6860 Series
1078 pages
Configuring Access Guardian Access Guardian Application Examples
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-106
• LLDP frames are exchanged between the IP phone and the switch. This traffic will be untagged but will be accepted by the switch since these are control frames.
• Subsequent data traffic will be tagged with the right VLAN after the LLDP exchange; this traffic will be accepted because the VLAN is a tagged member of the port.
Application Example 6: Restricted Role (Policy List) Assignment
This application example demonstrates post-authentication role assignment through the QMR feature, a
location-based policy, and a time-based policy.
Quarantine Manager and Remediation (QMR)
A client MAC address is determined to be in a quarantined state when one of the following occurs:
• The OmniVista Quarantine Manager (OVQM) application receives a TRAP indicating that the MAC address has to be quarantined. The TRAP may come from a network anomaly detection application or from an intrusion detection system (IDS) running in the same subnet as the client.
• A list containing the quarantined MAC address is manually configured on OVQM.
• A list containing the quarantined MAC is manually configured on every switch in the network.
After the list of quarantined MAC addresses is known, OVQM can add these addresses to the Quarantine
MAC group and push the configuration to the switches in a logical group or to all switches. Access
Guardian then moves the users associated with the quarantined MAC addresses to a QMR restricted role.
There is a built-in policy list associated with the QMR restricted role that can be replaced with a
user-defined policy list. For example, the administrator may want to use the following explicit policy
list for QMR redirection instead of the built-in policy list:
-> policy service http80 destination tcp-port 80
-> policy service http443 destination tcp-port 443
-> policy service http8080 destination tcp-port 8080
-> policy service http8081 destination tcp-port 8081
-> policy service group alaRestrictedHttpSG http80 http443 http8080 http8081
-> policy condition qmr_traffic service group alaRestrictedHttpSG
-> policy action qmr_action redirect module qmr
-> policy rule qmr_rule condition qmr_traffic action qmr_action no default-list
-> policy list qmr_list type unp
-> policy list qmr_list rules qmr_rule
-> qos apply
With minor changes (such as changing the redirect module option to “captive-portal” or “byod”), this
example policy list may also be useful for internal Captive Portal and OmniSwitch BYOD redirection.
The following OmniSwitch configuration demonstrates assigning a different role (explicit policy list) to a
quarantine user as well as an example of configuring QMR on the switch:
1. Use the unp restricted-role policy-list command to assign a new policy list to replace the built-in QMR policy list. This is an optional command.
-> unp restricted-role qmr policy-list qmr_list
2. Configure the name of the Quarantine MAC Group. The default name of this group is “Quarantined”, so changing the name is optional. To change the name of this group, use the qos quarantine mac-group command.
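
The following offline check is an added example, not part of the manual or of any Alcatel-Lucent tooling. It parses the policy list and the unp restricted-role command shown above and reports references that do not resolve, a rule missing the "no default-list" option used in the manual's example, and policy changes not followed by "qos apply". The helper name lint_qmr_policy and the sample snippet are assumptions made for illustration; the accepted redirect modules are the three named on this page.

```python
import re
SAMPLE = """
-> policy service http80 destination tcp-port 80
-> policy service http443 destination tcp-port 443
-> policy service http8080 destination tcp-port 8080
-> policy service http8081 destination tcp-port 8081
-> policy service group alaRestrictedHttpSG http80 http443 http8080 http8081
-> policy condition qmr_traffic service group alaRestrictedHttpSG
-> policy action qmr_action redirect module qmr
-> policy rule qmr_rule condition qmr_traffic action qmr_action no default-list
-> policy list qmr_list type unp
-> policy list qmr_list rules qmr_rule
-> qos apply
-> unp restricted-role qmr policy-list qmr_list
"""  # constructed sample: this page's commands gathered into one snippet
MODULES = {"qmr", "captive-portal", "byod"}  # redirect modules named on this page

def lint_qmr_policy(text):
    """Hypothetical helper: list broken references in a redirect policy list."""
    svc, grp, cond, act, rule, lst, role, applied = {}, {}, {}, {}, {}, {}, None, False
    simple = {"service": svc, "condition": cond, "action": act}
    for line in text.splitlines():
        t = re.sub(r"^\s*->\s*", "", line).split()  # drop the CLI prompt
        if t == ["qos", "apply"]:
            applied = True
        elif t[:4] == ["unp", "restricted-role", "qmr", "policy-list"] and len(t) == 5:
            role = t[4]
        elif t[:1] == ["policy"] and len(t) >= 4:
            applied = False  # policy edits after "qos apply" are still pending
            kind, name, rest = t[1], t[2], t[3:]
            if (kind, name) == ("service", "group"):
                grp[rest[0]] = rest[1:]
            elif kind in simple:
                simple[kind][name] = rest[-1]  # port, service group or redirect module
            elif kind == "rule":
                rule[name] = dict(zip(rest[0::2], rest[1::2]))  # keyword/value pairs
            elif kind == "list":
                lst.setdefault(name, {}).setdefault(rest[0], []).extend(rest[1:])
    p = [f"group {g}: undefined service {s}" for g, m in grp.items() for s in m if s not in svc]
    p += [f"condition {c}: undefined service group {g}" for c, g in cond.items() if g not in grp]
    p += [f"action {a}: unexpected redirect module {m}" for a, m in act.items() if m not in MODULES]
    for r, o in rule.items():
        p += [f"rule {r}: undefined {k} {o.get(k)}"
              for k, known in (("condition", cond), ("action", act)) if o.get(k) not in known]
        if o.get("no") != "default-list":  # the manual's example rule sets this option
            p.append(f"rule {r}: missing 'no default-list'")
    p += [f"list {n}: undefined rule {r}" for n, d in lst.items() for r in d.get("rules", []) if r not in rule]
    if role is not None and lst.get(role, {}).get("type") != ["unp"]:
        p.append(f"restricted role qmr: {role} is not a defined unp policy list")
    return p if applied else p + ["policy changes not followed by 'qos apply'"]
```

Calling lint_qmr_policy(SAMPLE) returns an empty list; any other result names the object whose reference is broken.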
