Clarification of Multiauth Precedence on the SecureStacks

Question
How does multiauth precedence work on the SecureStack solution?
A network administrator may use the 'set multiauth precedence ...' command to specify which authentication methods network clients may use, and the order in which one method overrides another for the same client. Incorrect use of this command can cause authentication problems; for example, machine MAC authentication may no longer be able to be followed by, and replaced with, user 802.1x authentication from the same device. This document provides sufficient background to avoid this type of problem.

 
Environment
  • A-Series
  • B-Series
  • C-Series
  • SecureStack
  • All firmware versions
  • Multiauth
  • 802.1x, dot1x
  • MAC authentication
  • PWA authentication
Answer
The command format is shown here. Note that PWA is not supported in the absence of Policy (12499):
set multiauth precedence ?
 
    dot1x                    IEEE 802.1X Port-Based Network Access Control
    mac                      Enterasys MAC Authentication
    pwa                      Enterasys Port Web Authentication

In the more typical configuration ('set multiauth precedence dot1x mac pwa'), a user's laptop first performs machine MAC authentication while booting and receives a basic network policy; after the laptop has fully booted, the user performs 802.1x authentication and receives a more granular network policy. The 802.1x authentication traffic from this user carries the same source MAC address as the earlier machine authentication, so the user authentication is accepted and replaces the machine authentication. Although two authentications occurred, only one user was counted at any one time, because the first authentication was dropped as the second was accepted to override it.

This precedence setting allows the sequence because dot1x is listed before mac, so a dot1x authentication overrides a mac authentication from the same user (as identified by MAC address).

If the administrator had instead specified 'mac dot1x', then not only would PWA no longer be accepted (it is absent from the list), but the sequence described above would no longer be possible: after the machine authentication there is no provision to accept an overriding 802.1x authentication from the same MAC address, so that authentication does not occur. On the other hand, a different user who did not machine-authenticate but did use 802.1x authentication would authenticate without problem, because each user (MAC address) is considered separately.

A final point is that, regardless of the precedence setting, for any given user (= MAC address) only one authentication is retained at any time. This means that if, in the first scenario, two MAC authentications for the same MAC address had occurred before the 802.1x authentication, the first MAC authentication would have been dropped when the second was accepted, and the second would in turn have been dropped when the 802.1x authentication was accepted.
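The following is an added illustration, not Enterasys firmware code: a small Python model of the rules stated above (an earlier method in the precedence list overrides a later one for the same MAC address, a method absent from the list is rejected, a same-method re-authentication replaces the earlier session, and only one authentication is retained per MAC). The switch class, the MAC addresses and the policy names are constructed for the example and do not come from the product.

```python
"""Model of SecureStack multiauth precedence as described in this article.

Added illustration: this is not Enterasys firmware code. It models only the
rules stated in the article:
  * the precedence list ('set multiauth precedence dot1x mac pwa') ranks the
    methods, earliest first; a method earlier in the list overrides a later
    one for the same MAC address,
  * a method that is absent from the list is not accepted,
  * a second authentication by the same method for the same MAC replaces
    the first,
  * at most one authentication is retained per MAC address.
The MAC addresses and policy names below are constructed sample values.
"""
from dataclasses import dataclass, field

METHODS = ("dot1x", "mac", "pwa")


@dataclass
class Session:
    method: str
    policy: str


@dataclass
class MultiauthSwitch:
    precedence: list                               # highest precedence first
    sessions: dict = field(default_factory=dict)   # mac -> Session
    log: list = field(default_factory=list)

    def __post_init__(self):
        unknown = [m for m in self.precedence if m not in METHODS]
        if unknown:
            raise ValueError(f"unknown multiauth method(s): {unknown}")

    def rank(self, method):
        """Position in the precedence list; a lower value wins."""
        return self.precedence.index(method)

    def authenticate(self, mac, method, policy):
        """Return True if the authentication is accepted and retained."""
        if method not in self.precedence:
            self.log.append(f"{mac}: {method} rejected (not in precedence)")
            return False
        current = self.sessions.get(mac)
        if current is not None and self.rank(method) > self.rank(current.method):
            self.log.append(f"{mac}: {method} rejected, {current.method} "
                            "has precedence")
            return False
        # New session, same-method re-authentication, or a higher-precedence
        # method: the previous session (if any) is dropped and replaced.
        self.sessions[mac] = Session(method, policy)
        self.log.append(f"{mac}: {method} accepted, policy={policy}")
        return True

    def active_count(self):
        """Number of concurrently authenticated users (one per MAC)."""
        return len(self.sessions)


def laptop_scenario(precedence):
    """Machine MAC auth at boot, then user 802.1x from the same MAC address.

    Returns (retained method, number of concurrently authenticated users).
    """
    sw = MultiauthSwitch(list(precedence))
    laptop = "00:11:22:33:44:55"          # constructed sample MAC
    sw.authenticate(laptop, "mac", "basic")
    sw.authenticate(laptop, "dot1x", "granular")
    return sw.sessions[laptop].method, sw.active_count()


if __name__ == "__main__":
    for prec in (["dot1x", "mac", "pwa"], ["mac", "dot1x"]):
        print(" ".join(prec), "->", laptop_scenario(prec))
```

With 'dot1x mac pwa' the laptop ends up with the dot1x session and its granular policy; with 'mac dot1x' the 802.1x attempt is rejected and the laptop keeps the basic machine policy, while a PWA attempt is rejected outright because pwa is not in the list. In both cases the user count per MAC never exceeds one.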

To restore the default precedence setting (no precedence), issue the 'clear multiauth precedence' command; this is recorded in the device's configuration as 'set multiauth precedence 0'.

All of the above is Functions as Designed (FAD). 
