Access Authentication Profile
The Access Authentication Profile defines the authentication process for client traffic received on Stellar AP downlink ports. Profile parameters are used to configure 802.1X and MAC authentication, Access Classification, the AAA Server Profile to use for authentication, the Access Role Profile to assign, etc.
Use the Access Auth Profile screen to display information about all of the configured Access Authentication Profiles. This screen also allows you to create, edit, and delete profiles. To access the Access Auth Profile screen, click on Network Access > Unified Access > Access Auth Profile under the “Configure” section of the OmniVista Cirrus Menu.
Creating an Access Authentication Profile
The Create Access Auth Profile screen is used to select profile settings, devices, and the downlink ports to which the profile is applied. To access this screen, click on Create Access Auth Profile.
The Create Access Auth Profile screen provides the following step-by-step process for creating an Access Authentication Profile:
1. Access Auth Profile Settings
Basic Information - Configures the profile name and the status of MAC and 802.1X authentication.
No Auth/Failure/Alternate - Specifies alternate methods to authenticate traffic on the port.
2. Device Selection
Select Sites and Groups - Select Access Point Groups from one or more Sites. The Access Authentication Profile is applied to the APs in the selected Sites/AP groups.
3. Port Assignments
Ports - Select the AP downlink port(s) to which OmniVista will apply the Access Authentication Profile.
1. Access Auth Profile Settings
Complete the fields for the Basic Information and No Auth/Failure/Alternate sections on the Access Auth Profile Settings tab as described below, then click Next to go to the next tab (Step 2).
Basic Information
This section is used to configure basic settings for the profile.
Profile Name (required) - Specify a name to assign to the profile.
MAC Authentication - Enable/Disable MAC Authentication for the port.
802.1X Authentication - Enable/Disable 802.1X Authentication for the port.
Bypass Status (802.1X authentication only) - Enable/Disable 802.1X bypass. When 802.1X Bypass is enabled, both MAC authentication and 802.1X authentication are performed - MAC authentication is performed first, then 802.1X authentication.
MAC Allow EAP - When 802.1X Bypass is enabled, select Pass or Fail for MAC Allow EAP.
Pass - 802.1X authentication is performed if MAC authentication passes.
Fail - 802.1X authentication is performed if MAC authentication fails.
AAA Server Profile - Select an existing authentication, authorization, and accounting (AAA) Server Profile from the drop-down list. An AAA Server profile identifies the authentication servers and attributes that are used in an Access Authentication Profile. This field is required only if MAC or 802.1X authentication is enabled.
Click on Edit to modify settings for the selected AAA Server Profile.
Click on Create AAA Server Profile to create a new profile (see the AAA Server Profile online help).
If you select an AAA Server Profile that uses a RadSec (TLS-enabled RADIUS) Server, then AP wired ports will silently ignore this configuration.
No Auth/Failure/Alternate
This section is used to configure alternate actions taken if MAC or 802.1X authentication was not enabled, authentication fails, or the returned role was not found.
Trust Tag - Enable/Disable whether the VLAN ID of a tagged packet is trusted to determine how the packet is classified. Enabling the trust VLAN ID tag option provides an implicit method of VLAN tag classification that will accept tagged traffic without the need to create specific classification rules for those profiles.
Access Classification - Enable/Disable device classification. When enabled, device traffic is classified based on a classification rule (see the Access Classification online help).
Bypass VLAN - Enter a Bypass VLAN ID (Range = 1 - 4094). This feature improves wired port forwarding performance by skipping the CPU process. When a Bypass VLAN is configured, traffic from the AP uplink port to the downlink port, or vice versa, is forwarded directly without CPU intervention. The Bypass VLAN has higher priority than Trust Tag. Note that when a Bypass VLAN is configured, features such as Authentication, ACL, and Policy cannot be applied to the traffic in the Bypass VLAN. When an Access Auth Profile is applied to an AP Group, OmniVista will pass the Bypass VLAN attribute to all APs in the AP Group. APs that support Bypass VLAN will accept it; other APs in the group will silently ignore this attribute.
MAC Pass Alt. Role (MAC authentication only) - Select the Access Role Profile that is applied to clients that have passed MAC authentication but did not receive an Access Role Profile from the authentication server or the Access Role Profile was not found on the AP.
Click on Edit to modify settings for the selected Access Role Profile.
Click on Create Access Role Profile to create a new profile (see the Access Role Profiles online help).
802.1X Pass Alt. Role (802.1X authentication only) - Select the Access Role Profile that is applied to clients that have passed 802.1X authentication but did not receive an Access Role Profile from the authentication server or the Access Role Profile was not found on the AP.
Click on Edit to modify settings for the selected Access Role Profile.
Click on Create Access Role Profile to create a new profile (see the Access Role Profiles online help).
Default Access Role - Select the Default Access Role Profile that is applied to clients if authentication or classification methods fail to match traffic with any role. This is the last-resort role.
Click on Edit to modify settings for the selected Access Role Profile.
Click on Create Access Role Profile to create a new profile (see the Access Role Profiles online help).
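The constraints described in the Basic Information and No Auth/Failure/Alternate sections can be checked before a profile is applied. The following is an added example, not OmniVista code: the dictionary keys and finding codes are hypothetical names for the fields above, and the aaa_uses_radsec flag is assumed to be known from the selected AAA Server Profile.

```python
# Added example. Keys are hypothetical names for the fields on the
# Access Auth Profile Settings tab, not OmniVista's API or export format.
DEFAULTS = {
    "name": "", "mac_auth": False, "dot1x_auth": False, "bypass_status": False,
    "aaa_server_profile": None,
    "aaa_uses_radsec": False,  # assumption: taken from the AAA Server Profile
    "trust_tag": False, "access_classification": False, "bypass_vlan": None,
}


def audit_profile(profile):
    """Return finding codes for settings that are invalid or not enforced."""
    p = {**DEFAULTS, **profile}
    findings = []
    auth_enabled = p["mac_auth"] or p["dot1x_auth"]
    if not p["name"]:
        findings.append("NAME_REQUIRED")
    if auth_enabled and not p["aaa_server_profile"]:
        findings.append("AAA_PROFILE_REQUIRED")
    if auth_enabled and p["aaa_uses_radsec"]:
        # AP wired ports silently ignore a RadSec AAA Server Profile.
        findings.append("RADSEC_IGNORED_ON_WIRED_PORTS")
    if p["bypass_status"] and not p["dot1x_auth"]:
        # Bypass Status applies to 802.1X authentication only.
        findings.append("BYPASS_WITHOUT_8021X")
    vlan = p["bypass_vlan"]
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            findings.append("BYPASS_VLAN_OUT_OF_RANGE")
        else:
            # Authentication/ACL/Policy cannot be applied to this VLAN.
            findings.append("BYPASS_VLAN_UNAUTHENTICATED")
            if p["trust_tag"]:
                # Bypass VLAN has higher priority than Trust Tag.
                findings.append("BYPASS_VLAN_OVERRIDES_TRUST_TAG")
    if not (auth_enabled or p["access_classification"] or p["trust_tag"]):
        findings.append("NO_AUTH_OR_CLASSIFICATION")
    return findings


# Constructed sample profile (not taken from a real deployment).
SAMPLE = {
    "name": "lab-downlink", "mac_auth": True, "dot1x_auth": True,
    "bypass_status": True, "aaa_server_profile": "radsec-aaa",
    "aaa_uses_radsec": True, "trust_tag": True, "bypass_vlan": 200,
}

if __name__ == "__main__":
    for code in audit_profile(SAMPLE):
        print(code)
```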
2. Device Selection
You can assign an Access Authentication Profile to Stellar APs with downlink ports. (Note that not all Stellar AP models have downlink ports.)
The Device Selection tab is used to select the AP Group(s) within one or more Sites; the Access Authentication Profile will be applied to devices within those groups. Complete the device selection as described below, then click Next to go to the next tab (Step 3).
Select Site to Filter Groups - Select the Site from which you want to select AP Group(s).
Select Access Point Groups - Select the Access Point Group(s) associated with the selected Site. The Access Authentication Profile is applied to devices in the AP Group(s) that have downlink ports.
3. Port Assignments
The Port Assignments tab is used to select the AP downlink port(s) to which OmniVista will apply the Access Authentication Profile. The profile is applied to client traffic received on the selected downlink port(s).
You can make a port selection for all AP Groups across all Sites in the Organization, for all AP Groups associated with a specific Site, or for the selected AP Group.
Not all AP models have the same number of downlink ports (for example, some may have three and some may have four). If an AP Group contains an AP that does not support the selected downlink port(s), the AP will ignore the Access Authentication Profile configuration for that port and only apply the configuration to the available ports.
The downlink ports (Eth1, Eth2, Eth3, Eth4) are displayed either on the Port Selection prompt, shown below, or next to the individual AP Group, depending on whether you selected a Bulk Edit option or an individual AP Group to assign ports to the Access Authentication Profile.
When you are done selecting the downlink ports, click on Create Access Auth Profile. The Access Authentication Profile is created and applied to client traffic received on the selected downlink ports.
Editing an Access Authentication Profile
You can edit the parameter values for an existing Access Authentication Profile by accessing the Edit Access Auth Profile screen.
Use one of the following methods to access the Edit Access Auth Profile screen (as shown above):
Select the profile to edit by clicking on the checkbox next to the profile, click on Actions, then select Edit from the drop-down menu.
Click on the pencil icon under the “Actions” column next to the profile that you want to edit.
The following Edit Access Auth Profile screen displays. Edit the fields as described above, then click on Save.
Deleting an Access Authentication Profile
To delete an Access Authentication Profile, use one of the following methods to select the profile you want to delete:
Select the profile to delete by clicking on the checkbox next to the profile, click on Actions, then select Delete from the drop-down menu.
Click on the trash can icon under the “Actions” column next to the profile that you want to delete.
When you select the profile you want to delete, the following confirmation prompt appears:
Click on Delete to confirm that you want to delete the Access Authentication Profile.
Display Access Authentication Profile Information
The Access Authentication Profile list displays information for the configured Access Authentication Profiles. To display detailed information about a specific profile, click on the Additional Information icon under the “Actions” column. The information displayed on this screen is defined below.
The following information is displayed for each Access Authentication Profile:
Profile Name - The name assigned to the Access Authentication Profile.
Basic Information
MAC Authentication - The status of MAC authentication (Enable/Disable). When enabled, MAC authentication is applied with the profile.
802.1X Authentication - The status of 802.1X authentication (Enable/Disable). When enabled, 802.1X authentication is applied with the profile.
Bypass Status - The status of 802.1X bypass (Enable/Disable). Applies only when 802.1X authentication is enabled. When Bypass Status is enabled, the 802.1X authentication process is skipped and either MAC authentication or Access Classification is applied based on the profile configuration.
MAC Allow EAP - Whether MAC Allow EAP is set to Pass or Fail (None). Applies only when 802.1X authentication and 802.1X bypass are enabled. If MAC Allow EAP is set to Pass, 802.1X authentication is performed only if MAC authentication passed. When MAC Allow EAP is set to None, 802.1X authentication is performed only if MAC authentication fails.
AAA Server Profile - The name of the authentication, authorization, and accounting (AAA) Server Profile assigned to the Access Authentication Profile.
No Auth/Failure/Alternate
Access Classification - The status of device classification (Enable/Disable). When enabled, classification rules are applied if other authentication methods are not enabled or fail.
Trust Tag - The Trust Tag status (Enable/Disable). When enabled, the VLAN ID of tagged traffic is trusted to determine how traffic is classified if other authentication methods are not enabled or fail.
Bypass VLAN - The Bypass VLAN ID specified for this profile.
802.1X Pass Alt. Role - The Access Role Profile that is applied to clients that have passed 802.1X authentication but did not receive an Access Role Profile from the authentication server. Applies only when 802.1X authentication is enabled.
MAC Pass Alt. Role - The Access Role Profile that is applied to clients that have passed MAC authentication but did not receive an Access Role Profile from the authentication server. Applies only when MAC authentication is enabled.
Default Access Role - The Access Role Profile that is applied to clients if authentication or classification methods fail to match traffic with any role.
Assigned Devices
Site - The Organization Site(s) and AP Group(s) containing the devices to which the Access Authentication Profile is applied.
Ports
Eth1, Eth2, Eth3, Eth4 - The Stellar AP downlink ports to which the Access Authentication Profile is applied.