Specifications

ManualsBrandsEnterasys ManualsComputer equipmentN Standalone (NSA) Series

Configuring Authentication

April 15, 2011 Page 22 of 36

switchdevices).Youmaychangetheprecedenceforoneormoremethodsbysettingthe

authenticationmethodsintheorderofprecedencefromhightolow.Anymethodsnotenteredare

givenalowerprecedencethanthemethodsenteredintheirpre‐existingorder.Forinstance,ifyou

startwiththe

defaultorderandonlysetPWAandMAC,thenewprecedenceorderwillbePWA,

MAC,802.1x,andCEP.

Giventhedefaultorderofprecedence(802.1x,PWA,MAC,andCEP),ifauserwastosuccessfully

authenticatewithPWAandMAC,theauthenticationmethodRADIUSFilter‐IDappliedwouldbe

PWA,becauseithasahigherpositionintheorder.AMACsessionwouldauthenticate,butits

associatedRADIUSFilter‐IDwouldnotbeapplied.

Procedure 8describessettingtheorderforMultiAuthauthenticationprecedence.

Setting MultiAuth Authentication Port Properties

MultiAuthauthenticationsupportstheconfigurationofMultiAuthportandmaximumnumberof

usersperportproperties.TheMultiAuthportpropertycanbeconfiguredasfollows:

• AuthenticationOptional–Authenticationmethodsareactiveontheportbaseduponthe

globalandportauthentica tionmethod.Beforeauthenticationsucceeds,thecurrentpolicyrole

applied

totheportisassignedtotheingresstraffic.Thisisthedefaultroleifnoauthenticated

userordeviceexistsontheport.Afterauthenticationsucceeds,theuserordeviceisallowed

toaccessthenetworkaccordingtothepolicyinformationreturnedfromtheauthentication

server,intheform

oftheRADIUSFilter‐IDattribute,orthestaticconfigurationontheswitch.

Thisisthedefaultsetting.

• AuthenticationRequired–Authenticationmethodsareactiveontheport,basedonthe

globalandperportauthenticationmethodconfigured.Beforeauthenticationsucceeds,no

trafficisforwardedontothenetwork.Afterauthenticationsucceeds,

theuserordevicegains

accesstothenetworkbaseduponthepolicyinfo rmationreturnedbytheauthenticationserver

intheformoftheRADIUSFilter‐IDattribute,orthestaticconfigurationontheswitch.

• ForceAuthenticated–Theportiscompletelyaccessiblebyallusersanddevicesconnectedto



theport,allauthenticationmethodsareinactiveontheport,andallframesareforwarded

ontothenetwork.

• ForceUnauthenticated–Theportiscompletelyclosedforaccessbyallusersanddevices

connectedtotheport.Allauthenticationmethodsareinactiveandallframesarediscarded.

Procedure 8 MultiAuth Authentication Precedence Configuration

Step Task Command(s)

1. Set a new order of precedence for the selection

of the RADIUS Filter-ID that will be returned

when multiple authentication methods are

authenticated at the same time for a single user.

set multiauth precedence {[dot1x] [mac]

[pwa] [cep] [radius-snooping]}

2. Reset the order MultiAuth authentication

precedence to the default values.

clear multiauth precedence