
Clarification of Multiauth Precedence on the SecureStacks

Article ID: 11246

SecureStack C3, C2, B3, B2, A2

A network administrator may use the 'set multiauth precedence...' command to specify which authentication methods may be utilized by network clients, and in which order they should override or be overridden.

Incorrect use of this command could result in authentication problems; for example, an inability of machine MAC authentication to be combined with user 802.1x authentication.

This document provides sufficient background to avoid this type of problem.

The command format is demonstrated here, though note that PWA is not supported in the absence of Policy (12499):

B2(su)->set multiauth precedence ?
dot1x   IEEE 802.1X Port-Based Network Access Control
mac     Enterasys MAC Authentication
pwa     Enterasys Port Web Authentication

In the more typical example ("dot1x mac pwa"), a user might have a laptop which first performs machine MAC authentication to obtain a basic network policy and then, once the laptop has fully booted, performs a user 802.1x authentication to obtain a more granular network policy. The 802.1x authentication traffic from this user carries the same source MAC address as the earlier machine authentication. The user authentication is therefore accepted and replaces the machine authentication. Although two authentications occurred, in terms of the number of users there was only ever one at a time, because the first was dropped as the second was accepted to override it.

This precedence setting allows this process because dot1x authentication is specified to override mac authentication from the same user, where the user is identified by MAC address.

However, if the administrator had instead specified "mac dot1x", then not only would PWA no longer be accepted, but the sequence of events described above would no longer be possible. This is because after the machine authentication there is no provision to accept an overriding 802.1x authentication from the same MAC address, and so no such authentication occurs. On the other hand, if a different user did not use machine authentication but did use 802.1x authentication, that would work fine, because each user is considered separately.

A final point is that, regardless of precedence settings, for any given user (= MAC) only one authentication is retained at any time. This means that if in the first scenario there were two devices to MAC authenticate for the same user prior to the 802.1x authentication, the first MAC authentication would have been dropped when the second MAC authentication was accepted, and the second MAC authentication would have been dropped when the 802.1x authentication was accepted.
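The precedence rules described above, modelled as an added example (not Extreme Networks code): one retained authentication per MAC, a method absent from the precedence list is refused, and a new authentication replaces the retained one only if its method has equal or higher precedence. The replacement rule for an equal-or-higher method and the sample MAC addresses are assumptions drawn from the scenarios in this article; the default "no precedence" behaviour is not modelled.

```python
# Method names as listed by 'set multiauth precedence ?'
METHODS = ("dot1x", "mac", "pwa")


class MultiauthTable:
    """Tracks the single authentication retained per MAC under a precedence list."""

    def __init__(self, precedence):
        for m in precedence:
            if m not in METHODS:
                raise ValueError(f"unknown method {m!r}")
        # Lower index = higher precedence; methods not listed are never accepted.
        self.rank = {m: i for i, m in enumerate(precedence)}
        self.sessions = {}  # MAC -> method of the one retained authentication

    def authenticate(self, mac, method):
        """Apply one successful authentication; return 'accepted', 'replaced' or 'rejected'."""
        if method not in self.rank:
            return "rejected"  # e.g. pwa under "mac dot1x"
        current = self.sessions.get(mac)
        if current is None:
            self.sessions[mac] = method
            return "accepted"
        # Assumption: equal or higher precedence overrides; lower precedence cannot.
        if self.rank[method] <= self.rank[current]:
            self.sessions[mac] = method
            return "replaced"  # the previous authentication is dropped
        return "rejected"


def run(precedence, events):
    """Replay (mac, method) events; return per-event outcomes and the final table."""
    table = MultiauthTable(precedence)
    outcomes = [table.authenticate(mac, method) for mac, method in events]
    return outcomes, dict(table.sessions)


if __name__ == "__main__":
    laptop = "00:11:22:33:44:55"  # constructed sample MAC
    # Machine MAC authentication followed by user 802.1x from the same MAC.
    print(run(["dot1x", "mac", "pwa"], [(laptop, "mac"), (laptop, "dot1x")]))
    # Same sequence under "mac dot1x": the 802.1x override is not accepted.
    print(run(["mac", "dot1x"], [(laptop, "mac"), (laptop, "dot1x"), (laptop, "pwa")]))
```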

To clear the precedence setting back to defaults (no precedence), issue the 'clear multiauth precedence' command, which records the 'set multiauth precedence 0' command within the device's config.

All of the above is Functions as Designed (FAD).

See also: 10283.
