Network Login Multiple Authentication Support

The client or supplicant connected to the NetLogin-enabled port(s) are authenticated by only one authentication protocol. If enabled globally and at the port, MAC-based authentication takes precedence if enabled globally and at the port. Dot1x takes precedence over MAC-based authentication if Dot1x is supported by the supplicant. In this case the MAC-based authentication information is cleared as the client gets authenticated via Dot1x. Web-based authentication happens only when the port belongs to the NetLogin VLAN (Virtual LAN). The final authentication method used with its associated actions is applied while any previous authenticated protocol information is cleared.

This feature supports multiple authentication protocols on a NetLogin-enabled port. The user must specify the authentication protocol priority or order per port which dictates the action for the client or supplicant that is getting authenticated on this port. Use the CLI to configure the authentication protocol order (configure netlogin authentication protocol-order [[dot1x [web-based | mac | cep]] | [mac [dot1x | web-based | cep]] | [web-based [dot1x | mac | cep]] | [cep [dotlx | web-based | mac]]]).

By default the protocol precedence order for a NetLogin-enabled port is:
  1. Dot1x
  2. Web-based
  3. MAC
For example, if the following is the authentication protocol order configured on a NetLogin-enabled port in which all three authentication protocols are enabled:
  1. Dot1x
  2. MAC
  3. Web-based
Note

Note

Precedence order does not work when MAC and web-based are enabled on the same port. If you want to authenticate by web-based, do not use MAC and other protocols.
When user “john” tries to authenticate with his login credentials through Dot1x-enabled supplicant or client, it sends the EAPOL packet to the ExtremeXOS switch or authenticator. Upon receipt of the EAPOL packet, the ExtremeXOS kernel FDB (forwarding database) module informs the user interface FDBMgr about the new MAC detection. The FDBMgr in turn informs the NetLogin process about the new MAC or client. The NetLogin process tries to authenticate the client/MAC through RADIUS (Remote Authentication Dial In User Service). On receiving the authentication result from AAA process, the NetLogin process checks for the protocol precedence configured by the user for that port and also finds if this client is being authenticated by any other authentication protocol. In this case, no other authentication protocol has authenticated this MAC address yet and the NetLogin process applies the action (VLAN movement, UPM security profile, etc.;) corresponding to MAC-based authentication.

The ExtremeXOS switch or authenticator then sends the credentials of user “john” to the authentication server (RADIUS) a second time for Dot1x protocol authentication, After the authentication result is received, the NetLogin process again checks the protocol precedence to find that the user “john's" host/MAC is already authenticated using MAC-based authentication. Since Dot1x is configured as the highest precedence protocol for this port the NetLogin process remove MAC-based authentication actions for this client and apply the Dot1x protocol action for “john” on this port. The MAC-based authenticated client continues to exist and performs the periodic re-authentication for the configured time. The show netlogin output shows the client‘s highest precedence protocol or action applied authentication protocol details only.

When another user “sam” tries to authenticate from the same host or MAC through web-based authentication method (provided the NetLogin-enabled port is still present in NetLogin VLAN) the user “sam” gets authenticated, but the web-based authentication protocol action is not applied, since user “john” is already authenticated from this MAC address with user-configured highest precedence Dot1x protocol on this port.
Note

Note

After changing the protocol precedence, the action for the current highest precedence protocol (if client is authenticated by this protocol) takes effect immediately.
Note

Note

After disabling the highest precedence protocol on this port, the next precedence protocol (if client is authenticated by this protocol) action takes effect immediately.