Configuration manual

Configuring Authentication
10-18 Configuring User Authentication
Setting MultiAuth Authentication Precedence
MultiAuth authentication administrative precedence globally determines which authentication
method will be selected when a user is successfully authenticated for multiple authentication
methods on a single port. When a user successfully authenticates with more than one method at the
same time, the precedence of the authentication methods will determine which RADIUS-returned
Filter-ID will be processed and result in an applied traffic policy profile.
MultiAuth authentication precedence defaults to the following order from high to low: 802.1x,
PWA, and MAC on stackable fixed switch and standalone fixed switch devices. You may change
the precedence for one or more methods by setting the authentication methods in the order of
precedence from high to low. Any methods not entered are given a lower precedence than the
methods entered and keep their pre-existing order. For instance, if you start with the default order and
only set PWA and MAC, the new precedence order will be PWA, MAC, 802.1x.
Given the default order of precedence (802.1x, PWA, MAC), if a user were to successfully
authenticate with PWA and MAC, the RADIUS Filter-ID applied would be the one returned for
PWA, because PWA has a higher position in the order. The MAC session would authenticate, but its
associated RADIUS Filter-ID would not be applied.
Procedure 10-5 describes setting the order for MultiAuth authentication precedence.
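The precedence rules above can be modelled to check which Filter-ID wins before an order is changed. This is an added example, not vendor code or part of the original manual; the function names, the input validation and the Filter-ID strings are assumptions made for illustration.

```python
# Added example: a model of the precedence rules described above, not switch code.
DEFAULT_ORDER = ["dot1x", "pwa", "mac"]  # 802.1x, PWA, MAC (high to low)


def set_precedence(current, entered):
    """Return the order after `set multiauth precedence <entered...>`.

    Entered methods take the top positions in the order given; methods not
    entered follow them, keeping their pre-existing relative order.
    """
    # Validation is an assumption of this model, not documented switch behaviour.
    unknown = [m for m in entered if m not in current]
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")
    if len(set(entered)) != len(entered):
        raise ValueError("each method may be entered only once")
    return list(entered) + [m for m in current if m not in entered]


def applied_filter_id(order, sessions):
    """Pick the session whose RADIUS Filter-ID is applied for one user.

    `sessions` maps each successfully authenticated method to the Filter-ID
    RADIUS returned for it. Returns (method, filter_id), or None when the
    user has no authenticated session.
    """
    for method in order:
        if method in sessions:
            return method, sessions[method]
    return None


def shadowed(order, sessions):
    """Methods that authenticated but whose Filter-ID is not applied."""
    winner = applied_filter_id(order, sessions)
    return [m for m in order if m in sessions and winner and m != winner[0]]


# Constructed sample: Filter-ID strings are placeholders, not real policy names.
sessions = {"pwa": "FILTER-ID-GUEST", "mac": "FILTER-ID-PRINTER"}

if __name__ == "__main__":
    print(applied_filter_id(DEFAULT_ORDER, sessions))
    new_order = set_precedence(DEFAULT_ORDER, ["pwa", "mac"])
    print(new_order)
    print(shadowed(new_order, {**sessions, "dot1x": "FILTER-ID-STAFF"}))
```

Comparing `shadowed()` before and after a planned change shows which authenticated sessions would stop contributing a traffic policy profile.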
Setting MultiAuth Authentication Port Properties
MultiAuth authentication supports the configuration of two port properties: the MultiAuth port
property and the maximum number of users per port. The MultiAuth port property can be configured as follows:
Authentication Optional – Authentication methods are active on the port based upon the
global and port authentication method. Before authentication succeeds, the current policy role
applied to the port is assigned to the ingress traffic. This is the default role if no authenticated
user or device exists on the port. After authentication succeeds, the user or device is allowed
to access the network according to the policy information returned from the authentication
server, in the form of the RADIUS Filter-ID attribute, or the static configuration on the switch.
This is the default setting.
Procedure 10-4 MultiAuth Authentication Configuration
Step  Task                                                Command(s)
1.    For a single user, single authentication 802.1x     set multiauth mode strict
      port configuration, set MultiAuth mode to strict.
2.    For multiple user 802.1x authentication or any      set multiauth mode multi
      non-802.1x authentication, set the system
      authentication mode to use multiple
      authenticators simultaneously.
3.    To clear the MultiAuth authentication mode.         clear multiauth mode
Procedure 10-5 MultiAuth Authentication Precedence Configuration
Step  Task                                                Command(s)
1.    Set a new order of precedence for the selection     set multiauth precedence {[dot1x] [mac] [pwa]}
      of the RADIUS Filter-ID that will be returned
      when multiple authentication methods are
      authenticated at the same time for a single user.
2.    Reset the order of MultiAuth authentication         clear multiauth precedence
      precedence to the default values.