SecureStack/D/G/I-Series Defaults regarding Multiauth Mode: Multi or Strict

  • 0
  • 1
  • Article
  • Updated 5 years ago
  • (Edited)
Article ID: 12499

Products
SecureStack C3, C2, B3, B2, A2
G-Series
D-Series
I-Series 

Changes
With default multiauth configurations (no commands visible from a 'show config multiauth'), issued a 'show multiauth' query on multiple devices. 

Symptoms
No apparent reason why some devices default to "System mode : multi" and some default to "System mode : strict". 

Cause
When policy commands are supported - whether used or not - then multiauth mode defaults to "multi". Otherwise, it defaults to "strict". 

As a result:
  • The C3, C2, G-Series, and I-Series, which support policy with no need for licensing, always default to "multi".
  • The A2, which has no policy support, always defaults to "strict".
  • The B3, B2, and D-Series, which support policy upon application of a policy license (10833), default to "strict" when unlicensed and to "multi" when licensed.

This is demonstrated below, for the D-Series. Note that upon application of a policy license (10791), the system attempts to retain the existing multiauth mode by insertion of an explicit 'set multiauth mode strict' command in the configuration. Similarly, upon removal of a policy license, the system inserts a 'set multiauth mode multi' command. In either case, removal of that 'set multiauth mode...' command yields the described default behavior.
D2(su)->show config multiauth

#multiauth
!
end

D2(su)->show multiauth

Multiple authentication system configuration
-------------------------------------------------
Supported types : dot1x, mac
Maximum number of users : 36
Current number of users : 0
System mode : strict
Default precedence : dot1x, mac
Admin precedence
Operational precedence : dot1x, mac

D2(su)->set license D2Policy

Terms of this license may be found at

http://www.enterasys.com/support/fla.aspx

Do you accept the terms of the applicable policy license (y/n) [n]?y
License successfully enabled
D2(su)->show config multiauth

#multiauth
set multiauth mode strict
!
end

D2(su)->set multiauth mode multi
D2(su)->show config multiauth

#multiauth
!
end

D2(su)->show multiauth

Multiple authentication system configuration
-------------------------------------------------
Supported types : dot1x, pwa, mac
Maximum number of users : 36
Current number of users : 0
System mode : multi
Default precedence : dot1x, pwa, mac
Admin precedence
Operational precedence : dot1x, pwa, mac

D2(su)->

Solution
Functions as Designed (FAD). 

Be aware of the "multiauthentication mode" guidelines as described above. 
See also: 10283 and 11246.
Photo of FAQ User

FAQ User, Official Rep

  • 13,610 Points 10k badge 2x thumb

Posted 5 years ago

  • 0
  • 1

There are no replies.

This conversation is no longer open for comments or replies.