Skip to main content
Skip table of contents

Access Authentication Profile

The Access Authentication Profile defines the authentication process for client traffic received on both wired devices (Switch devices) and wireless devices (Steller AP downlink Port). Profile parameters are used to configure 802.1X and MAC authentication, Access Classification, the AAA Server Profile to use for authentication, the Access Role Profile to assign, etc.

Use the Access Auth Profile screen to display information about all of the configured Access Authentication Profiles. This screen also allows you to create, edit, and delete profiles. To access the Access Auth Profile screen, click on Network Access > Unified Access > Access Auth Profile under the “Configure” section of the OmniVista Cirrus Menu.

Access Auth Profile - OmniVista Cirrus 10.4.3-20250110-135202.png

Creating an Access Authentication Profile

The Create Access Auth Profile screen is used to select profile settings, devices, and the downlink ports to which the profile is applied. To access this screen, click on Create Access Auth Profile.

Consider the following use cases when configuring Access Authentication Profile:

  • When a Switch device polls for Access Auth profile information and the database does not have an existing Access Auth Profile, OmniVista will automatically create an Access Auth Profile with the correct configuration and Assignment Port that polls from the Switch device.

  • When a Switch device polls for Access Auth profile information and the database already has an existing Access Auth Profile, OmniVista will only update the Network Assignment Port of the Access Auth Profile belonging to that specific Switch device, not the device configuration.

  • When a Switch device polls and there is no Access Auth profile information, but the database has an existing Access Auth Profile, OmniVista will delete the Network Assignment - Port belonging to that specific Switch device.

  • You can apply the AAA Server Profile on the Access Auth Profile page to Switch and verify that the AAA server profile has been successfully applied.

  • You can change the new AAA Server profile on the Access Auth Profile screen for Switch, and verify that the AAA server profile should be applied to Switch.

  • You can create an Access Auth profile without an AAA server profile and verify no AAA server profiles are pushed to Switch.

  • You can unlink the AAA server profile on the Access Auth Profile page. However, the AAA server profile wouldn't be deleted from Switch, only if that AAA server profile is still being used somewhere in Switch. The AAA server profile template would still be retained on the User Interface screen.

The Create Access Auth Profile screen provides the following step-by-step process for creating an Access Authentication Profile:

1. Access Auth Profile Settings

  • Basic Information - Configures the profile name and the status of MAC and 802.1X authentication.

  • No Auth/Failure/Alternate - This section is used to configure the actions taken if a device assigned to a profile fails authentication.

  • Advanced Settings - Configures the advanced 802.1X authentication settings for the Profile.

2. Device Selection

Select the specific set of devices or Group of devices from the available device list. The Access Authentication Profile is applied to those APs or Switch devices.

3. Port Assignments

  • Ports - An Access Auth Profile can be assigned to the Switch devices or Steller APs. Select the Switch Port(s) or AP downlink port(s) to which OmniVista will apply the Access Authentication Profile.

1. Access Auth Profile Settings

Complete the fields for the Basic Information and No Auth/Failure/Alternate sections on the Access Auth Profile Settings tab as described below, then click Next to go to the next tab (Step 2).

Basic Information

This section is used to configure basic settings for the profile.

  • Profile Name (required) - Specify a name to assign to the profile.

  • MAC Authentication - Enable/Disable MAC Authentication for the port.

  • 802.1X Authentication - Enable/Disable 802.1X Authentication for the port.

    • Bypass Status (802.1X authentication only) - Enable/Disable 802.1X bypass. When 802.1X Bypass is enabled, both MAC authentication and 802.1X authentication are performed - MAC authentication is performed first, then 802.1X authentication.

    • MAC Allow EAP - When 802.1X Bypass is enabled, select Pass or Fail for MAC Allow EAP.

      • Pass - 802.1X authentication is performed if MAC authentication passes.

      • Fail - 802.1X authentication is performed if MAC authentication fails.

  • AAA Server Profile - Select an existing authentication, authorization, and accounting (AAA) Server Profile from the drop-down list. An AAA Server profile identifies the authentication servers and attributes that are used in an Access Authentication Profile. This field is required only if MAC or 802.1X authentication is enabled.

    • Click on Edit to modify settings for the selected AAA Server Profile.

    • Click on Create AAA Server Profile to create a new profile (see the AAA Server Profile online help).

If you select an AAA Server Profile that uses a RadSec (TLS-enabled RADIUS) Server, then AP wired ports will silently ignore this configuration.

No Auth/Failure/Alternate

This section is used to configure alternate actions taken if MAC or 802.1X authentication was not enabled, authentication fails, or the returned role was not found.

  • Trust Tag - Enable/Disable whether the VLAN ID of a tagged packet is trusted to determine how the packet is classified. Enabling the trust VLAN ID tag option provides an implicit method of VLAN tag classification that will accept tagged traffic without the need to create specific classification rules for those profiles.

  • Access Classification - Enable/Disable device classification. When enabled, device traffic is classified based on a classification rule (see the Access Classification online help).

  • Bypass VLAN - Enter a Bypass VLAN ID (Range = 1 - 4094). The feature improves wired port forwarding performance by skipping the CPU process. When a Bypass VLAN is configured, traffic from the AP uplink port to the downlink port, or vice versa, is forwarded directly through without CPU intervention. The Bypass VLAN has higher priority than Trust Tag. Note that when Bypass VLAN is configured, Authentication/ACL/Policy etc. features cannot be applied to the traffic in the Bypass VLAN. When an Access Auth Profile is applied to an AP Group, OmniVista will pass the Bypass VLAN attribute to all APs in the AP Group. APs that support Bypass VLAN will accept it, other APs in the group will silently ignore this attribute.

  • MAC Pass Alt. Role (MAC authentication only) - Select the Access Role Profile that is applied to clients that have passed MAC authentication but did not receive an Access Role Profile from the authentication server or the Access Role Profile was not found on the AP.

    • Click on Edit to modify settings for the selected Access Role Profile.

    • Click on Create Access Role Profile to create a new profile (see the Access Role Profiles online help).

  • 802.1X Pass Alt. Role (802.1X authentication only) - Select the Access Role Profile that is applied to clients that have passed 802.1X authentication but did not receive an Access Role Profile from the authentication server or the Access Role Profile was not found on the AP.

    • Click on Edit to modify settings for the selected Access Role Profile.

    • Click on Create Access Role Profile to create a new profile (see the Access Role Profiles online help).

  • Default Access Role - Select the Default Access Role Profile that is applied to clients if authentication or classification methods fail to match traffic with any role. This is the last-resort role.

    • Click on Edit to modify settings for the selected Access Role Profile.

    • Click on Create Access Role Profile to create a new profile (see the Access Role Profiles online help).

Advanced Settings

Create Access Auth Profile-advanced settings - OmniVista Cirrus 10.4.3-20240904-171052.png

This section is used to create the advanced 802.1X authentication settings for the Profile. The Client Isolation default value is disable.

The Client Isolation advanced settings only support Access Points. It is unsupported for Switch devices.

2. Device Selection

The Device Selection tab is used to select the AP(s) or Switch devices from the available list of devices to which the Access Authentication Profile will be applied to devices within those groups. Complete the device selection as described below, then click Next to to the the next tab (Step 3).

  • Device Assignment - Select the specific set of Devices from the available list to assign the profile.

  • Group Assignment - Select the specific group of Devices from the available list to assign the profile. The Access Authentication Profile is applied to the selected group of devices from the list.

Create Access Auth Profile-device selection - OmniVista Cirrus 10.4.3-20240909-075151.png

Note: In case of failing to apply an Access Authentication Profile to devices, if you want to re-apply the profile with no change in the configuration, you needs to edit the profile (or the profile that links to it and supports device assignment) to remove the devices then edit to re-add the devices into the device assignment tab.

3. Port Assignments

The Port Assignments tab is used to select the port(s) to which OmniVista will apply the Access Authentication Profile. The profile is applied to client traffic received on the selected port(s).

Create Access Auth Profile-port assignment - OmniVista Cirrus 10.4.3-20240911-161457.png

You can make a port selection for all AP Groups or Switch devices across all Sites in the Organization, for all AP Groups or Switch devices associated with a specific Site, or for the selected devices.

Consider the following use cases while selecting the Port assignments.

  • Select different ports for different Access Authentication Profiles. No two different profiles can use the same ports.

  • If any profile is using the selected switch port, then the other profile should be removed from that port.

Not all AP models have the same number of downlink ports (for example, some may have three and some may have four). If an AP Group contains an AP that does not support the selected downlink port(s), the AP will ignore the Access Authentication Profile configuration for that port and only apply the configuration to the available ports.

The downlink ports are displayed (Eth1, Eth2, Eth3, Eth4) on the Port Selection prompt, shown below, or next to the individual AP Group based on if you selected a Bulk Edit option or the individual AP Group to assign ports to the Authentication Access Profile.

When you are done selecting the device ports, click on Create Access Auth Profile. The Access Authentication Profile is created and applied to client traffic received on the selected ports.

Editing an Authentication Access Profile

You can edit the parameter values for an existing Access Authentication Profile by accessing the Edit Access Auth Profile screen.

Access Auth Profile-edit - OmniVista Cirrus 10.4.2-20240418-074114.png

Use one of the following methods to access the Edit Access Auth Profile screen (as shown above):

  • Select the profile to edit by clicking on the checkbox next to the profile, click on Actions, then select Edit from the drop-down menu.

  • Click on the pencil icon under the “Actions” column next to the profile that you want to edit.

The following Edit Access Auth Profile screen displays. Edit the fields as described above, then click on Save.

Deleting an Access Authentication Profile

To delete an Access Authentication Profile, use one of the following methods to select the profile you want to delete:

  • Select the profile to delete by clicking on the checkbox next to the profile, click on Actions, then select Delete from the drop-down menu.

  • Click on the trash can icon under the “Actions” column next to the profile that you want to delete.

Access Auth Profile-delete - OmniVista Cirrus 10.4.2-20240418-074429.png

When you select the profile you want to delete, the following confirmation prompt appears:

Access Auth Profile delete confirm-updated - OmniVista Cirrus 10.4.3-20250106-113645.png

Click on Delete to confirm that you want to delete the Access Authentication Profile.

Display Access Authentication Profile Information

The Access Authentication Profile list displays information for the configured Access Authentication Profiles. To display detailed information about a specific profile, click on the Additional Information icon under the “Actions” column. The information displayed on this screen is defined below.

Access Auth Profile list - OmniVista Cirrus 10.4.2-20240418-074545.png

The following information is displayed for each Access Authentication Profile:

  • Profile Name - The name assigned to the Access Authentication Profile.

Basic Information

  • MAC Authentication - The status of MAC authentication (Enable/Disable). When enabled, MAC authentication is applied with the profile.

  • 802.1X Authentication - The status of 802.1X authentication (Enable/Disable). When enabled, 802.1X authentication is applied with the profile.

  • Bypass Status - The status of 802.1X bypass (Enable/Disable). Applies only when 802.1X authentication is enabled. When Bypass Status is enabled, the 802.1X authentication process is skipped and either MAC authentication or Access Classification is applied based on the profile configuration.

  • MAC Allow EAP - Whether MAC Allow EAP is set to Pass or Fail (None). Applies only when 802.1X authentication and 802.1X bypass is enabled. If MAC Allow EAP is set to Pass, 802.1X authentication is performed only if MAC authentication passed.

  • AAA Server Profile - The name of the authentication, authorization, and accounting (AAA) Server Profile assigned to the Access Authentication Profile.

No Auth/Failure/Alternate

  • Access Classification - The status of device classification (Enable/Disable). When enabled, classification rules are applied if other authentication methods are not enabled or fail.

  • Trust Tag - The Trust Tag status (Enable/Disable). When enabled, the VLAN ID of tagged traffic is trusted to determine how traffic is classified if other authentication methods are not enabled or fail.

  • Bypass VLAN - The Bypass VLAN ID specified for this profile.

  • 802.1X Pass Alt. Role - The Access Role Profile that is applied to clients that have passed 802.1X authentication but did not receive an Access Role Profile from the authentication server. Applies only when 802.1X authentication is enabled.

  • MAC Pass Alt. Role - The Access Role Profile that is applied to clients that have passed MAC authentication but did not receive an Access Role Profile from the authentication server. Applies only when MAC authentication is enabled.

  • Default Access Role - The Access Role Profile that is applied to clients if authentication or classification methods fail to match traffic with any role.

Assigned Devices

  • Site - The AP Group(s), Switches and associated Sites to which the Access Authentication Profile is applied.

Ports

  • Eth1, Eth2, Eth3, Eth4 - The Switch ports to which the Access Authentication Profile is applied via Port type VLAN_PORT.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.