MultiAuth Authentication

Authentication mode support provides a global setting that selects either a single authentication mode, 802.1X (strict mode), or multiple modes (MultiAuth) per user or port when authenticating.

Strict mode is the appropriate mode when authenticating a single 802.1X user. All traffic on the port receives the same policy in strict mode. When authenticating PWA, CEP, or MAC, you must use MultiAuth authentication, whether authenticating a single or multiple supplicants.

MultiAuth authentication supports the simultaneous configuration of up to seven authentication methods per user on the same port, but only one method per user is actually applied. When MultiAuth authentication ports have a combination of authentication methods enabled, and a user is successfully authenticated for more than one method at the same time, the configured authentication method precedence will determine:

The number of users or devices MultiAuth authentication supports depends upon the type of device, whether the ports are fixed access or uplink, and whether increased port capacity or extra chassis user capacity MUA licenses have been applied. See the firmware customer release note that comes with your device for details on the number of users or devices supported per port.

In the figure Authenticating Multiple Users With Different Methods on a Single Port, multiple users are authenticated on a single port, each with a different authentication method (in this example only 802.1X, PWA, MAC, and CEP are enabled on the device). Each user on the port authenticates successfully with a different authentication type. The authentication method is included in the authentication credentials sent to the RADIUS server. RADIUS looks up the account for that user based upon the source MAC address (SMAC). The filter ID for that user is returned to the switch in the authentication response, and the authentication is validated for that user.

Authenticating Multiple Users With Different Methods on a Single Port

In the figure Selecting Authentication Method When Multiple Methods are Validated, full MultiAuth authentication takes place: multiple users on a single port are validated for more than one authentication method. The applied authentication and policy are based upon the authentication method precedence level. In the far-right column of the figure, the enabled authentication methods are listed from top to bottom in order of precedence. User 1 is authenticating with both the 802.1X and PWA methods, with the Credit policy. Both the 802.1X and PWA authentication methods are validated, but only the 802.1X MultiAuth session is applied, because it has the highest precedence. User 2 is authenticating with both the PWA and MAC methods, with the Sales policy. PWA, having a higher precedence than MAC, is the MultiAuth session applied for User 2. User 3 is a guest and is authenticating with the MAC method only. The MAC MultiAuth session, with the Guest policy, is applied for User 3.

Selecting Authentication Method When Multiple Methods are Validated
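The precedence selection walked through above can be modelled in a few lines of Python. This is an added example, not switch firmware or vendor code. The method labels (dot1x, pwa, mac), the Session type, the function names and the MAC addresses are assumptions made for the illustration, and the precedence order used is only the relative order the walkthrough implies.

```python
from collections import defaultdict
from typing import NamedTuple


class Session(NamedTuple):
    smac: str    # source MAC address the user is keyed on
    method: str  # authentication method that validated (hypothetical label)
    policy: str  # policy named by the filter ID in the RADIUS response


def applied_sessions(validated, precedence):
    """Return {smac: Session}: the single session applied for each user.

    precedence lists the enabled methods, highest precedence first.
    Sessions for methods missing from that list are treated as not enabled.
    """
    rank = {method: i for i, method in enumerate(precedence)}
    if len(rank) != len(precedence):
        raise ValueError("duplicate method in precedence list")
    by_user = defaultdict(list)
    for s in validated:
        if s.method in rank:
            by_user[s.smac.lower()].append(s)  # MAC case must not split a user
    return {mac: min(group, key=lambda s: rank[s.method])
            for mac, group in by_user.items()}


def unapplied_sessions(validated, precedence):
    """Sessions that validated but lost to a higher-precedence method."""
    applied = applied_sessions(validated, precedence)
    return [s for s in validated if applied.get(s.smac.lower()) is not s]


# Constructed sample data mirroring Users 1-3 in the walkthrough.
PRECEDENCE = ("dot1x", "pwa", "mac")
VALIDATED = [
    Session("00:00:5E:00:53:01", "pwa", "Credit"),    # User 1
    Session("00:00:5e:00:53:01", "dot1x", "Credit"),  # User 1
    Session("00:00:5e:00:53:02", "mac", "Sales"),     # User 2
    Session("00:00:5e:00:53:02", "pwa", "Sales"),     # User 2
    Session("00:00:5e:00:53:03", "mac", "Guest"),     # User 3
]

if __name__ == "__main__":
    for mac, s in sorted(applied_sessions(VALIDATED, PRECEDENCE).items()):
        print(f"{mac}: applied {s.method} session, policy {s.policy}")
    for s in unapplied_sessions(VALIDATED, PRECEDENCE):
        print(f"{s.smac.lower()}: {s.method} validated but not applied")
```

Listing the unapplied sessions alongside the applied ones makes it easy to review which users were validated by more than one method on a port.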

When a re-authentication attempt times out, the timeout action can be set either to terminate the session or to none, in which case the session remains authenticated and provisioned according to the prior successful RADIUS authentication response. It is recommended that you not set the re-authentication timeout action to none when using 802.1X authentication.