MultiAuth authentication administrative precedence globally determines which authentication method is selected when a user successfully authenticates with multiple authentication methods on a single port. When a user successfully authenticates with more than one method at the same time, the precedence of the authentication methods determines which RADIUS-returned filter ID is processed and results in an applied traffic policy profile.
MultiAuth authentication precedence defaults to the following order from high to low: quarantine agent, 802.1x, PWA, MAC, CEP, Radius-Snooping, auto tracking. You may change the precedence for one or more methods by setting the authentication methods in the order of precedence from high to low. Any methods you do not enter are placed below the methods you entered and keep their pre-existing order relative to one another. For instance, if you start with the default order and only set quarantine agent, PWA and MAC, the new precedence order will be quarantine agent, PWA, MAC, 802.1x, CEP, and auto-tracking.
Note
It is highly recommended that, if you are using the quarantine agent authentication method, it always have the highest precedence. It is also highly recommended that you keep the auto tracking authentication method at the lowest precedence.

Given the default order of precedence (quarantine, 802.1x, PWA, MAC, CEP, and auto-tracking), if a user were to successfully authenticate with PWA and MAC, the RADIUS Filter-ID applied would be the one returned for PWA, because PWA has a higher position in the order. A MAC session would authenticate, but its associated RADIUS Filter-ID would not be applied. If no other authentication method successfully authenticated, the auto-tracking agent would authenticate and an auto-tracking session would be initiated. The session would authenticate based upon the contents of the admin-policy, if an admin-policy exists.
MultiAuth Authentication Precedence Configuration describes setting the order for MultiAuth authentication precedence.
Step | Task | Command(s) |
---|---|---|
1 | Set a new order of precedence for the selection of the RADIUS filter ID that will be returned when multiple authentication methods are authenticated at the same time for a single user. | set multiauth precedence {[quarantine-agent] [dot1x] [pwa] [mac] [cep] [radius-snooping] [auto-tracking]} |
2 | Reset the MultiAuth authentication precedence order to the default values. | clear multiauth precedence |
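
The following Python sketch is an added illustration, not vendor code. It models the reordering rule and Filter-ID selection described above so a planned `set multiauth precedence` order can be checked before it is applied. The function names and Filter-ID values are hypothetical, and it assumes the full seven-method default order with `radius-snooping` kept in its default relative position.

```python
# Added illustration: a model of the precedence rules described on this page,
# not switch firmware. Method keywords follow the CLI command in the table.
DEFAULT_PRECEDENCE = [
    "quarantine-agent", "dot1x", "pwa", "mac",
    "cep", "radius-snooping", "auto-tracking",
]


def apply_precedence(entered, current=DEFAULT_PRECEDENCE):
    """Model `set multiauth precedence`: entered methods come first, in the
    order given; the rest follow in their pre-existing relative order."""
    unknown = [m for m in entered if m not in current]
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")
    if len(set(entered)) != len(entered):
        # Model assumption: each method appears at most once in the command.
        raise ValueError("a method may be listed only once")
    return list(entered) + [m for m in current if m not in entered]


def applied_filter_id(sessions, precedence):
    """sessions maps each successfully authenticated method to the RADIUS
    Filter-ID returned for it. Returns (method, filter_id) for the
    highest-precedence session, or None if nothing authenticated."""
    for method in precedence:
        if method in sessions:
            return method, sessions[method]
    return None


def check_recommendations(precedence):
    """Flag orders that depart from the two recommendations in the Note
    (the first applies when the quarantine agent is in use)."""
    findings = []
    if precedence[0] != "quarantine-agent":
        findings.append("quarantine-agent is not the highest precedence")
    if precedence[-1] != "auto-tracking":
        findings.append("auto-tracking is not the lowest precedence")
    return findings


if __name__ == "__main__":
    order = apply_precedence(["quarantine-agent", "pwa", "mac"])
    print("new order:", order)
    # Constructed sessions; the Filter-ID strings are placeholders.
    sessions = {"mac": "guest-profile", "pwa": "employee-profile"}
    print("applied:", applied_filter_id(sessions, order))
    print("findings:", check_recommendations(apply_precedence(["mac"])))
```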