Auto-Tracking

The auto-tracking agent is a form of authentication that authenticates those sessions that are not captured by the other supported MultiAuth authentication agents (quarantine, 802.1x, PWA, MAC, CEP, and RADIUS snooping). If auto-tracking is disabled, these sessions are never entered into the session table. Many policy-driven switch features depend on the session being in the session table for the feature to interact with the session. It is important that a network administrator have the ability to determine which station addresses on which ports are not being authenticated through traditional MultiAuth methods. Auto-tracking provides the administrator with the ability to assign these sessions a provisioning result based upon the contents of the admin-policy. Because these sessions can now be tracked, an administrator can determine whether and how to provision them in the future, allowing for increased security and control.

The auto-tracking authentication agent must be enabled globally on the switch and locally on the port to be operational on the port.

The auto-tracking authentication agent behaves the same as any other authentication agent, with the exception that it always returns an authentication result. By default, the auto-tracking agent has the lowest MultiAuth precedence. The auto-tracking agent is one of the authentication agents from which the authentication provisioning result will be chosen based upon MultiAuth precedence. Each authentication agent attempts to authenticate the user. All authentication agents that return a result are grouped. The authentication agent with the highest MultiAuth precedence is selected to authorize the user. For the default MultiAuth precedence ordering, all other authentication agents must fail to return an authentication result for auto-tracking to be selected. If auto-tracking is the selected authentication method, an auto-tracking session is created and if an admin-policy exists, the admin-policy provisions the user session.

It is recommended that you do not configure auto-tracking authentication with a higher MultiAuth precedence than its default setting of lowest. Because auto-tracking always returns a result, any authentication agent configured with a lower MultiAuth precedence than auto-tracking will never be selected, even when that agent returns a result of its own.

Auto-tracking agent accounting is supported and defaults to disabled. To use auto-tracking accounting, RADIUS accounting must be enabled using the set radius accounting command. Auto-tracking agent accounting can be enabled using the set pwa accounting command.

Auto-tracking can be configured with a RADIUS timeout profile. The RADIUS timeout profile allows you to provision a session that encounters a RADIUS timeout condition, on a per port basis, with a policy profile other than the default policy, so that a MAC address that attempted to authenticate during a RADIUS outage is dealt with in a non-default manner based upon the contents of the specified policy profile. The RADIUS timeout profile is configured using the set auto-tracking port radius-timeout-profile command.

Auto-tracking can be configured with a RADIUS access reject profile. The RADIUS access reject profile allows you to provision a session that encounters a RADIUS access reject response from the RADIUS server, on a per port basis, with a policy profile other than the default policy, so that a MAC address that was rejected by the RADIUS server is dealt with in a non-default manner based upon the contents of the specified policy profile.

Should a RADIUS timeout take place after a RADIUS access reject has already occurred for the same session, the RADIUS access reject profile takes precedence over the RADIUS timeout profile configured using the set auto-tracking port radius-timeout-profile command.

The RADIUS access reject profile is configured using the set auto-tracking port radius-reject-profile command.
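The following model, added here as an illustration and not taken from Extreme Networks' switch firmware or documentation, shows the two selection rules described above working together: the MultiAuth precedence selection from which auto-tracking is chosen only when every other agent fails to return a result (and how raising auto-tracking's precedence shadows the agents below it), and the choice between the admin-policy, the RADIUS timeout profile and the RADIUS access reject profile for an auto-tracking session. The agent names, the numeric ordering of the non-auto-tracking agents, the policy-profile names and the PortConfig structure are constructed for the example; the page states only that auto-tracking is lowest by default and that the reject profile outranks the timeout profile. How a session behaves when a reject occurred but no reject profile is configured is not specified on the page, so the fall-through to the timeout profile below is an assumption.

```python
"""Model of MultiAuth agent precedence and auto-tracking provisioning.

Illustrative example only; this is not the switch's own code. Agent
names, precedence order of the non-auto-tracking agents and policy
profile names are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Highest precedence first. Only "auto-tracking is lowest by default" comes
# from the documentation; the relative order of the others is assumed.
DEFAULT_PRECEDENCE: List[str] = [
    "quarantine", "802.1x", "pwa", "mac", "cep", "radius-snooping",
    "auto-tracking",
]


@dataclass
class PortConfig:
    """Per-port auto-tracking settings (hypothetical structure)."""
    auto_tracking_enabled: bool = True
    admin_policy: Optional[str] = None            # policy for auto-tracking sessions
    radius_timeout_profile: Optional[str] = None  # set auto-tracking port radius-timeout-profile
    radius_reject_profile: Optional[str] = None   # set auto-tracking port radius-reject-profile


def select_agent(results: Dict[str, Optional[str]],
                 precedence: List[str] = DEFAULT_PRECEDENCE,
                 auto_tracking_enabled: bool = True) -> Optional[str]:
    """Pick the agent that authorizes the session.

    `results` maps agent name -> policy it returned, or None when the agent
    produced no authentication result. Auto-tracking always returns a result
    when it is enabled, so it never needs to appear in `results`.
    Returns None when no agent answered: the session is then not entered
    into the session table.
    """
    answered = {agent for agent, policy in results.items() if policy is not None}
    if auto_tracking_enabled:
        answered.add("auto-tracking")      # always returns a result
    else:
        answered.discard("auto-tracking")
    for agent in precedence:               # highest precedence wins
        if agent in answered:
            return agent
    return None


def shadowed_agents(precedence: List[str]) -> List[str]:
    """Agents that can never be selected because auto-tracking, which
    always returns a result, has been placed above them."""
    if "auto-tracking" not in precedence:
        return []
    return precedence[precedence.index("auto-tracking") + 1:]


def auto_tracking_policy(port: PortConfig, radius_events: Set[str]) -> str:
    """Policy profile applied to an auto-tracking session on this port.

    `radius_events` is the set of RADIUS outcomes seen for the session,
    a subset of {"reject", "timeout"}. The reject profile takes precedence
    over the timeout profile when both events occurred. Falling through to
    the timeout profile when no reject profile is configured is an
    assumption of this model, not a documented behaviour.
    """
    if "reject" in radius_events and port.radius_reject_profile:
        return port.radius_reject_profile
    if "timeout" in radius_events and port.radius_timeout_profile:
        return port.radius_timeout_profile
    return port.admin_policy or "default-policy"


def provision(port: PortConfig, results: Dict[str, Optional[str]],
              radius_events: Set[str] = frozenset(),
              precedence: List[str] = DEFAULT_PRECEDENCE) -> Optional[str]:
    """Full flow: choose the agent, then the policy. None means the session
    was never created (no agent returned a result)."""
    agent = select_agent(results, precedence, port.auto_tracking_enabled)
    if agent is None:
        return None
    if agent == "auto-tracking":
        return auto_tracking_policy(port, set(radius_events))
    return results[agent]


if __name__ == "__main__":
    port = PortConfig(admin_policy="tracked-unauth",
                      radius_timeout_profile="radius-outage",
                      radius_reject_profile="radius-rejected")
    # MAC auth answered, so it wins over auto-tracking under the default order.
    print(provision(port, {"mac": "employee"}))
    # Nothing answered: auto-tracking session gets the admin-policy.
    print(provision(port, {"mac": None}))
    # A misconfigured precedence puts auto-tracking above MAC auth.
    bad = ["quarantine", "802.1x", "auto-tracking", "pwa", "mac", "cep", "radius-snooping"]
    print(shadowed_agents(bad))
```

Running the module prints the agent choice for a port under the default order, then the admin-policy result when no other agent answers, and finally the list of agents that the misordered precedence renders unreachable, which is the situation the recommendation above warns against.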