Authentication order and priority

In earlier releases, all Authentication methods were attempted in parallel: 802.1x had the highest priority, followed by MAC, Web, and Local MAC Authentication. Starting the methods in parallel can cause problems for clients that require authentication requests to be processed sequentially. Users can now specify the order and priority of the Authentication methods.

Users can assign the order of Authentication between 802.1x and MAC Authentication using the aaa port-access <port> auth-order command. The switch attempts the methods in that order. If both methods fail, the switch falls back to Local MAC Authentication, if configured.

Specifying Authentication priority is optional. Users must configure the Authentication order before configuring the priority. When both methods succeed against the Authentication server, the client is given access based on the method with the higher priority. Setting the priority is useful in deployments where clients such as wireless access points (APs), IT-compliant laptops, phones, or laptops without pre-loaded supplicant software must first download the supplicant software or firmware/OS patches before attempting 802.1x Authentication. In this case, set the Authentication order with MAC Authentication as the primary method followed by 802.1x, but set the Authentication priority with 802.1x as primary and MAC Authentication as secondary to enforce access based on 802.1x. The client (or end-access device) is initially authenticated by MAC Authentication, receives the access required to on-board and install the software or patches, and subsequently attempts 802.1x Authentication. When 802.1x Authentication succeeds, the client is given access based on 802.1x, because 802.1x is configured as the Authentication method with the higher priority.

You can configure the Local MAC Authentication as the fallback method in case both 802.1x and MAC Authentication fail.

Considerations

  • If only Authentication order is configured, Authentication priority will be the same as Authentication order.

  • If Local MAC Authentication is configured on the port without the fallback option in the Authentication order, or vice versa, Local MAC Authentication will not be triggered.

  • If the primary method in the Authentication order is MAC Authentication, EAP packets from supplicant-capable clients will not trigger MAC Authentication. Use 802.1x as the primary Authentication method and use Authentication priority to enforce the priority for MAC Authentication.

  • If critical auth (vlan or user-role) is configured and RADIUS Service is not available, the clients will be placed in critical auth (vlan or user-role), even if Local MAC authentication is enabled as the fallback method.

  • If the Authentication order or priority is configured or updated, existing clients are de-authenticated and the Authentication process is triggered again on the affected ports.

  • Configure the max-eap-retries value to a smaller number to reduce the time spent waiting for an EAP-Response from non-supplicant clients.

  • When priority is set and the highest-priority method fails, the client is given access by the lower-priority method that succeeded. The highest-priority method will not be attempted again.

  • Re-authentication or cached re-authentication happens for clients in the Authentication method that authenticated them. After the cached re-authentication expires, the client attempts the next method in the Authentication order if the RADIUS service is still unavailable.

  • If the primary method is MAC Authentication, non-supplicant-capable clients will not be placed in the critical VLAN/user-role, if configured, when the RADIUS server is not reachable.
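The following is an added, simplified model (not switch firmware or vendor code) of the order, priority, Local MAC fallback and critical-auth rules described in the paragraphs and considerations above; it can be used to check which method's access a client ends up with for a planned port configuration. Method names such as "mac-auth" and "dot1x" and the result values are assumptions made for the illustration.

```python
"""Model of auth-order / auth-priority resolution as described on this page.

Constructed illustration only: it does not talk to a switch. Given a port
configuration and per-method results, it returns whose access applies.
"""
from dataclasses import dataclass

# Constructed result values for one authentication attempt per method.
FAIL, OK, RADIUS_DOWN = "fail", "success", "radius-unavailable"


@dataclass
class PortAuthConfig:
    order: list                       # assumed names, e.g. ["mac-auth", "dot1x"]
    priority: list = None             # optional; defaults to the order
    local_mac_fallback: bool = False  # Local MAC Authentication as fallback
    critical_auth: str = None         # critical VLAN / user-role, if configured

    def __post_init__(self):
        # "If only Authentication order is configured, priority is the same as order."
        if self.priority is None:
            self.priority = list(self.order)


def resolve_access(cfg: PortAuthConfig, results: dict) -> str:
    """results maps method name -> FAIL / OK / RADIUS_DOWN (constructed input)."""
    # Critical auth applies whenever RADIUS is unreachable, even if Local MAC
    # Authentication is enabled as the fallback method.
    if cfg.critical_auth and RADIUS_DOWN in results.values():
        return f"critical-auth:{cfg.critical_auth}"

    succeeded = []
    for method in cfg.order:                # methods are attempted sequentially
        if results.get(method) == OK:
            succeeded.append(method)
            if method == cfg.priority[0]:   # highest-priority method succeeded
                break                       # no need to try the remaining method
        # a failed method is not attempted again once a later method succeeds

    if succeeded:
        # access is granted by the highest-priority method that succeeded
        return min(succeeded, key=cfg.priority.index)
    if cfg.local_mac_fallback:              # both 802.1x and MAC Authentication failed
        return "local-mac-auth"
    return "unauthenticated"
```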