Customers that are not ready for AAA-based authentication can still take advantage of some of the automatic device access control features of AOS-CX by using "device profiles" to onboard clients to the network.
A device profile can operate on LLDP frames, CDP frames or the client MAC address.
A device profile that operates on the MAC address is also referred to as Local MAC Authentication.
By default, device profiles are active on "AAA enabled" ports; on "non-AAA enabled" ports only the CDP/LLDP device profiles are active by default.
For Local MAC Authentication to work on a non-AAA enabled port, the "block-until-profile-applied" mode must be configured on the interface.
Configure a MAC group (the OUI 00:50:56 is matched against the first three bytes of the client MAC address):
mac-group vm
    seq 10 match mac-oui 00:50:56
Define a user role:
port-access role printer
    vlan access 11
Define a device profile by linking the role and the MAC group:
port-access device-profile dp-printer
    associate role printer
    associate mac-group vm
    enable
Enable Local MAC Authentication on the interface:
interface 1/1/4
    port-access device-profile mode block-until-profile-applied
The resulting running config looks like this:
interface 1/1/4
    no shutdown
    description PC
    no routing
    vlan access 19
    apply policy asts-qos in
    aaa authentication port-access critical-role asts-critical
    aaa authentication port-access dot1x authenticator //currently 802.1x is disabled on 1/1/4 (no "enable" under the authenticator)
        eapol-timeout 30
        max-eapol-requests 1
        max-retries 1
    port-access device-profile //configuring device-profile mode to enable Local MAC Authentication
        mode block-until-profile-applied
Device Profile Fallback role:
Any device that does not match the rules of any device profile can be assigned a fallback role.
interface 1/1/4
    port-access fallback-role asts-fallback //"asts-fallback" is a port-access role that must be created first
Device Profile with AAA enabled on the ports (Onboarding Precedence)
By default, the "RADIUS server" decision has priority over the local "device profile".
In case the "RADIUS server" returns a reject, the switch continues processing the client using the "device profile" feature.
In case the "RADIUS server" is unreachable:
– AOS-CX first checks whether the client matches any device profile; if it does, that device profile is applied.
– If there is no match, the authentication "critical role" is applied, if one is configured.
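To make the fallback-role and onboarding-precedence rules above concrete, here is an added Python model of that decision logic (it is not AOS-CX code and not from the original page). The profile, port and client classes, the OUI normalisation and the assumption that an unmatched client with no fallback role stays blocked are mine; the precedence order (RADIUS accept wins, reject and unreachable fall through to the device profile, then the critical role, then the fallback role) follows the text.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the onboarding precedence described on this page; not AOS-CX code.
@dataclass
class DeviceProfile:
    name: str
    role: str
    mac_oui: Optional[str] = None   # from an associated mac-group  (seq N match mac-oui ...)
    lldp_oui: Optional[str] = None  # from an associated lldp-group (seq N match vendor-oui ...)

@dataclass
class Port:
    aaa_enabled: bool
    block_until_profile_applied: bool = False   # required for Local MAC Auth on non-AAA ports
    fallback_role: Optional[str] = None         # port-access fallback-role
    critical_role: Optional[str] = None         # aaa authentication port-access critical-role
    profiles: List[DeviceProfile] = field(default_factory=list)

@dataclass
class Client:
    mac: str
    lldp_vendor_oui: Optional[str] = None       # None when the client sends no LLDP

def _norm(oui: str) -> str:
    return oui.replace(":", "").replace("-", "").lower()

def match_profile(port: Port, client: Client) -> Optional[DeviceProfile]:
    """First profile whose group matches the client. MAC-based (Local MAC Auth) profiles
    are only consulted on AAA ports or when block-until-profile-applied is set."""
    mac_oui = _norm(client.mac)[:6]
    lma_active = port.aaa_enabled or port.block_until_profile_applied
    for p in port.profiles:
        if p.lldp_oui and client.lldp_vendor_oui and _norm(p.lldp_oui) == _norm(client.lldp_vendor_oui):
            return p
        if p.mac_oui and lma_active and _norm(p.mac_oui) == mac_oui:
            return p
    return None

def onboard(port: Port, client: Client, radius: str, radius_role: Optional[str] = None) -> Optional[str]:
    """radius is 'accept', 'reject', 'unreachable' or 'n/a' (non-AAA port).
    Returns the role applied, or None when the client is left blocked (assumption)."""
    if port.aaa_enabled and radius == "accept":
        return radius_role                      # RADIUS decision has priority over the device profile
    profile = match_profile(port, client)
    if profile:
        return profile.role                     # device profile applied after reject/unreachable or on non-AAA ports
    if port.aaa_enabled and radius == "unreachable" and port.critical_role:
        return port.critical_role               # server unreachable and no profile match: critical role
    return port.fallback_role                   # any device not matching a profile gets the fallback role
```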
Device Profile Config using LLDP information
port-access lldp-group LLDP_AP
    seq 10 match vendor-oui 000b86
port-access role AP_Role
    vlan trunk native 10
    vlan trunk allowed 10-11
port-access device-profile AP_Profile
    enable
    associate role AP_Role
    associate lldp-group LLDP_AP
Other match command syntax available in the lldp-group context:
switch(config-lldp-group)# match sys-desc <description>
switch(config-lldp-group)# match sysname <system-name>
switch(config-lldp-group)# match vendor-oui <OUI-MAC-address>
switch(config-lldp-group)# match type <OUI-sub-type-key>
switch(config-lldp-group)# match value <OUI-sub-type-number>