Access Classification

Access Classification Rules are defined and associated with an Access Role Profile to provide an additional method for classifying a device into an Access Role Profile. If authentication is not available or does not return a profile name for whatever reason, Access Classification rules are applied to determine the profile assignment.

Use the Access Classification screen to display information about all Access Classification Rules configured for Access Role Profiles. This screen is also used to create, edit, and delete Access Classification Rules. To access the Access Classification screen, click on Network Access > Unified Access > Access Classification under the “Configure” section of the OmniVista Cirrus Menu.

Access Classification OV 10.5.2-20251217-152955.png

Creating an Access Classification Rule

The Create a New Access Classification screen is used to select the type of rule (SSID, IP Address or MAC, etc.) to configure and assign the rule to an Access Role Profile and network devices. To access this screen, click on Create Access Classification.

The Create a New Access Classification screen provides the following step-by-step process to create an an Access Classification Rule:

1. Classification Configuration - Specify the type of rule, a name for the rule, and the Access Role Profile to which the rule is assigned. The Access Role Profile is applied to traffic that matches the Access Classification Rule.

2. Network Assignment - Selects devices or Groups of devices from one or more Sites. The Access Classification Rule is applied to the devices in the selected Sites/Device groups.

1. Classification Configuration

Complete the fields on the Classification Configuration tab, as described below, then click Next to go to the next tab (Step 2).

create new access classification OV 10.5.2-1-20251217-171200.png

Rule Type - Click on this field and select the type of rule to configure (MAC or SSID) from the drop-down menu.
- SSID - Defines an SSID for the specified Access Role Profile. The specified Access Role Profile will be applied if the SSID of AP (which client is associating) matches with the defined SSID in the rule.
  - SSID Value - The SSID of AP.
  - Rule Name - Defines the rule name for the SSID, which will be stored as a unique identifier.
  - Access Role Profile - Select the Access Role Profile to use for the rule.
- IP Address - Defines an IP Address for the specified Access Role Profile. If the source IP address of the device traffic matches the IP address defined for the rule, the specified Access Role Profile is applied.
  - IP Network Address - The IPv4 network address (e.g., 10.0.0.0, 171.15.0.0, 196.190.254.0).
  - Rule Name - Defines the rule name for the IP Address, which will be stored as a unique identifier.
  - IP Mask - An IP address mask to identify the IP subnet for the interface(supports class-less masking).
  - VLAN Tag - An optional VLAN Tag. If configured, traffic must also match this VLAN Tag in addition to the source MAC address. VLAN tag is not supported for wireless devices. (Range= 1 to 4094).
  - Customer Domain ID - Specifies Customer Domain ID to which this rule will apply. When a customer domain ID is configured for this rule, the rule is applied only to traffic received on UNP ports that are associated with the same domain ID. All UNP ports are automatically assigned to customer domain 0 at the time the port is configured as a UNP port.
  - Customer Domain Description - Specifies the Customer Domain description.
  - Access Role Profile - Select the Access Role Profile to use for the rule.
- LLDP - Defines an LLDP rule condition for the specified Access Role Profile.
  - Rule Name - Defines the rule name for the LLDP rule, which will be stored as a unique identifier.
  - Endpoint Identifier - The endpoint identifier (IP Phone or Access Point).
  - Access Role Profile - The Access Role Profile to use for the rule.
- MAC - Defines a MAC Address Access Classification Rule for the specified Access Role Profile. If the source MAC address of the device traffic matches the MAC address defined for the rule, the specified Access Role Profile is applied. Note that when a MAC Access Classification Rule is removed or modified, all MAC addresses classified with that rule are flushed.
  - Rule Name - Defines the rule name for the MAC address rule, which will be stored as a unique identifier.
  - MAC Address - The MAC address to be used for the rule. If the source MAC address of the device traffic matches the MAC address defined for the rule, the specified Access Role Profile is applied.
  - VLAN Tag - An optional VLAN Tag. If configured, traffic must also match this VLAN Tag in addition to the source MAC address. VLAN tag is not supported for wireless devices. (Range= 1 to 4094).
  - Customer Domain ID - An optional Customer Domain ID to which this rule will apply. When a customer domain ID is configured for this rule, the rule is applied only to traffic received on UNP ports that are associated with the same domain ID. All UNP ports are automatically assigned to customer domain 0 at the time the port is configured as a UNP port.
  - Customer Domain Description - Specifies the Customer Domain description.
  - Access Role Profile - Select the Access Role Profile to use for the rule.
- MAC OUI - Defines a MAC address Organizationally Unique Identifier (OUI) classification rule for the specified Access Role Profile. If the OUI of the source MAC address of the device traffic matches the OUI defined for the rule, the specified Access Role Profile is applied to the device.
  - Rule Name - Defines the rule name for the MAC OUI Rule.
  - MAC OUI Address - The MAC OUI to be used for the rule.
  - VLAN Tag - An optional VLAN Tag. If configured, traffic must also match this VLAN Tag in addition to the source MAC OUI.
  - Access Role Profile - The Access Role Profile to use for the rule.
- MAC Range - Defines a MAC Address Range Access Classification Rule for the specified UNP Access Role Profile. If the source MAC address of the device traffic matches any of the MAC address within the range of MAC addresses, the specified profile is applied. Removing or modifying a MAC Access Classification Rule flushes all MAC addresses classified under that rule.
  - Rule Name - Defines the rule name for the MAC Range Rule.
  - MAC Low Address - MAC address that defines the low end of the range.
  - MAC High Address - MAC address that defines the high end of the range. MAC High Address must be greater than MAC Low Address.
  - VLAN Tag - An optional VLAN Tag. If configured, traffic must also match this VLAN Tag in addition to the source MAC address.
  - Customer Domain ID - An optional Customer Domain ID to which this rule will apply. When a customer domain ID is configured for this rule, the rule is applied only to traffic received on UNP ports that are associated with the same domain ID. All UNP ports are automatically assigned to customer domain 0 at the time the port is configured as a UNP port.
  - Customer Domain Description - Specifies the Customer Domain description.
  - Access Role Profile - Select the Access Role Profile to use for the rule.
- VLAN Tag - Defines a VLAN Tag for the specified Access Classification Rule. If the source VLAN Tag of the device traffic matches the VLAN Tag defined for the rule, the specified Access Role Profile is applied.
  - Rule Name - Defines the rule name for the VLAN Tag Rule.
  - VLAN Tag - The VLAN Tag used for the rule.
  - Customer Domain ID - An optional Customer Domain ID to which this rule will apply. When a customer domain ID is configured for this rule, the rule is applied only to traffic received on UNP ports that are associated with the same domain ID. All UNP ports are automatically assigned to customer domain 0 at the time the port is configured as a UNP port.
  - Customer Domain Description - Specifies the Customer Domain description.
  - Access Role Profile - Select the Access Role Profile to use for the rule.
Rule Name - Specify a name to identify the rule.
Access Role Profile - Select an existing Access Role Profile to use for the rule from the drop-down menu or click on Create Access Role Profile to open the the Create Access Role Profile screen and create a new profile. You can also click on Edit to open the Edit Access Role Profile and make changes to the selected profile.

2. Network Assignment

The Network Assignment tab is used to select the AP(s) or Switch devices from the available list of devices to which the Access Classification Rules will be applied to devices within those groups. Complete the network assignment as described below, then click Create tab.

Device Assignment - Select the specific set of Devices from the available list to assign the profile.
Group Assignment - Select the specific group of Devices from the available list to assign the profile. The Access Classification Rule is applied to the selected group of devices from the list.

access classifiction network assign OV 10.5.2-20260105-064641.png

Select Site to Filter Groups - Select the Site from which you want to select Device Group(s).
Select Device Groups - Select the Device Group(s) associated with the selected Site. The Access Classification Rule is applied to devices in the Device Group(s).

Editing an Access Classification Rule

You can edit the values for an existing Access Classification Rule by accessing the Update Access Classification screen. Use one of the following methods to access the Update Access Classification screen:

Select the rule to edit by clicking o the checkbox next to the rule, click on Actions, then select Edit from the drop-down menu.
Click on the pencil icon under the “Actions” column next to the rule that you want to edit.

Access Classification-edit - OmniVista Cirrus 10.4.2-20240420-130658.png

The following Update Access Classification screen displays. Edit the fields as described above, then click on Update Access Classification.

Deleting an Access Classification Rule

To delete an Access Classification Rule, use one of the following methods to select the rule that you want to delete:

Select the rule to edit by clicking on the checkbox next to the rule, click on Actions, then select Delete from the drop-down menu.
Click on the trash can icon under the “Actions” column next to the rule that you want to delete.

Access Classification-delete - OmniVista Cirrus 10.4.2-20240420-131221.png

When you select the Access Classification Rule that you want to delete, the following confirmation prompt appears:

Access classification rule delete OV 10.5.2-20260105-070809.png

Click on Delete to confirm that you want to delete the selected rule(s).

Display Access Classification Additional Information Detail

The Access Classification list displays information for the configured Access Classification Rules. To display detailed information about a specific rule, click on the Additional Information icon under the “Actions” column. The information displayed on this screen is defined below.

Access Classification display Ov 10.5.2-20260105-071439.png

The following information is displayed for each Access Classification Rule:

Rule Name - The name assigned to identify the classification rule.
Rule Type - The type of rule (MAC or SSID).
MAC Address - If the rule type is set to MAC, this field displays the MAC address to match for this rule.
SSID - If the rule type is SSID, this field displays the SSID to match for this rule.
Access Role Profile - The name of the Access Role Profile assigned to this rule. The profile is applied to traffic that matches the classification rule parameters.
Assigned Devices - The Organization Site(s) and device Group(s) to which the Access Classification Rule is applied to devices within the selected groups.

Display and Manage Device Configuration Details

The Access Classification list shows information for the configured Access Classification Rules. To view detailed switch configuration for a specific Profile, click the Rule Name below or select the Manage Device Configurations under the “Actions” column.

manage device config OV 10.5.2-20260105-105947.png

The following screen appears:

Access classification detailed config OV 10.5.2-20260105-110126.png

You can now view the current profile configuration for selected Switch that is assigned to an Access Classification Rule. This screen also allows you to export, search and filter the data. You can click the back icon on the top right to navigate to the Access Classification List page.

The following Device Configuration of the selected Profile is displayed.

IPv4 Address - The IPv4 address of the device.
Device Friendly Name - The name assigned to the device is derived from the Preferred Device Naming convention specified in the user preference settings. By default, the Friendly Name is set to IP Address (System Name).
Config Status - The configuration status of the device. (Successful or Failed or Pending).
- Pending - The configuration is being pushed to the device and is still not receiving a response from the device.
- Failed - The configuration failed to apply to the device. Possible reasons include a timeout while applying the configuration due to the device being unreachable or a network issue, or the configuration being invalid and rejected by the device. Check alerts to identify the specific reason.
- Successful - The configuration is pushed to the device successfully.
Rule Value - The name assigned to identify the classification rule.
Access Role Profile - The name of the Access Role Profile assigned to this rule. The profile is applied to traffic that matches the classification rule parameters.
Rule Type - The type of rule (MAC, SSID, or LLDP, etc.).