Enable Profiling and Create Matching Identity Groups

  1. Navigate to:
    Policy > System > Profiling > Profiling Policies > Search for Brightsign-Device
  2. Enable the setting: "Yes, create matching Identity Group"


Verify or Manually Create the Endpoint Identity Group

To view automatically profiled endpoints:
Go to: Administration > Identity Management > Groups > BrightSign-Device

To manually add a new group and MAC address:

  • Click Add to create a new Identity Group (e.g., BrightSign-Device)
  • Manually add the MAC address of the DMP device to this group

Create Allowed Protocols for DMP Devices

Navigate to:
Policy > Results > Allowed Protocols > Add

Create a new Allowed Protocols set with the following:

  • Name: DMP
  • Enable MAC Authentication Bypass (Process Host Lookup)

Create a Test Policy Set for DMP Devices

Navigate to:
Policy > Policy Sets

Create a new Policy Set:

  • Name: DMP Test
  • Condition:
    • Network Device IP EQUALS 10.21.130.201 (example test switch IP)
  • Allowed Protocols: DMP

Authentication Policy (Within Test Policy Set)

Rule Name: Wired_MAB
Condition: Wired_MAB
Use: Internal Endpoints

Rule Name: Default Deny
Use: Deny Access

Create Authorization Profiles

Navigate to:
Policy > Results > Authorization > Authorization Profiles

Create a new profile:

  • Name: DMP_VLAN_313
  • Access Type: ACCESS_ACCEPT
  • VLAN: 313

Define Authorization Policy Rules (Within Test Policy Set)

Rule Name: DMP Author
Conditions: IdentityGroup Name EQUALS Endpoint Identity Group Brightsign-Device
Profiles: DMP

Rule Name: Default Deny
Profile: Deny Access

Global Switch Configuration

aaa new-model                                        ! Required before the aaa commands below are accepted by IOS
aaa authentication dot1x default group AAA           ! Sets dot1x authentication to use the AAA server group named 'AAA'
aaa authorization network default group AAA          ! Enables network authorization via the AAA server group 'AAA'
aaa accounting dot1x default start-stop group AAA    ! Enables accounting for dot1x sessions with start and stop messages to the AAA server
dot1x system-auth-control                            ! Enables 802.1X globally on the switch
radius-server vsa send                               ! Allows the switch to send vendor-specific attributes (VSAs) to the RADIUS server

Port Config

interface GigabitEthernet x/x/x
 description DMP
 switchport mode access
 switchport access vlan XXX                ! (Optional) Assign a fallback VLAN if authentication fails or before authentication
 authentication host-mode multi-auth       ! Allows multiple devices to authenticate on the same port simultaneously (useful for multi-host ports)
 authentication order mab dot1x            ! Specifies the order of authentication: try MAB first, then 802.1X
 authentication priority mab dot1x         ! Gives priority to MAB over 802.1X (check hardware support)
 authentication port-control auto          ! Enables the port to be controlled by the 802.1X state machine automatically
 mab                                       ! Enables MAC Authentication Bypass on the port
 dot1x pae authenticator                   ! Sets the port as an 802.1X authenticator (switch will authenticate connected devices)
 dot1x timeout tx-period 10                ! Sets the timeout period (in seconds) for EAPOL transmission retries
 spanning-tree portfast                    ! Skips the STP listening/learning delay on this access port
 spanning-tree bpduguard enable            ! Err-disables the port if a BPDU is received (a switch plugged into a DMP port)
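As an added example that is not part of this guide, the Python script below audits a running-config export for the global and DMP-port commands listed above, reporting anything missing per scope. The running-config excerpt, interface names and the use of "description DMP" to find DMP ports are constructed assumptions.

```python
# Commands from the "Global Switch Configuration" section above.
REQUIRED_GLOBAL = [
    "aaa authentication dot1x default group AAA",
    "aaa authorization network default group AAA",
    "aaa accounting dot1x default start-stop group AAA",
    "dot1x system-auth-control", "radius-server vsa send",
]
# Per-port commands a DMP port needs so MAB runs first and the ISE result applies.
REQUIRED_PORT = [
    "switchport mode access", "mab", "authentication port-control auto",
    "authentication order mab dot1x", "authentication priority mab dot1x",
    "spanning-tree bpduguard enable",
]

def parse_interfaces(config):
    """Return {interface name: [commands inside that interface stanza]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())  # indented line = inside stanza
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas

def audit_config(config):
    """Return {scope: [missing commands]} for the global section and each DMP port."""
    top_level = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    result = {"global": [c for c in REQUIRED_GLOBAL if c not in top_level]}
    for name, cmds in parse_interfaces(config).items():
        if "description DMP" in cmds:  # DMP ports are identified by their description
            result[name] = [c for c in REQUIRED_PORT if c not in cmds]
    return result

# Constructed running-config excerpt: dot1x accounting is missing globally and
# the DMP port lacks MAB priority and BPDU guard; the printer port is not audited.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group AAA
aaa authorization network default group AAA
dot1x system-auth-control
radius-server vsa send
interface GigabitEthernet1/0/5
 description DMP
 switchport mode access
 authentication order mab dot1x
 authentication port-control auto
 mab
 spanning-tree portfast
interface GigabitEthernet1/0/6
 description Printer
"""
```

Feed it the output of `show running-config` saved to a file to check every DMP port on a switch in one pass.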