Network Login Multiple Authentication Support
A client or supplicant connected to a netlogin-enabled port is authenticated by only one authentication protocol. If MAC-based authentication is enabled both globally and on the port, it takes precedence. Dot1x takes precedence over MAC-based authentication if the supplicant supports Dot1x; in that case the MAC-based authentication information is cleared once the client is authenticated via Dot1x. Web-based authentication happens only when the port belongs to the netlogin VLAN (virtual LAN). The final authentication method used, with its associated actions, is applied, and any previously authenticated protocol information is cleared.
This feature supports multiple authentication protocols on a netlogin-enabled port. The user must specify the authentication protocol priority (order) per port; this order dictates the action taken for a client or supplicant being authenticated on that port. Use the CLI to configure the authentication protocol order. By default, the protocol precedence order for a netlogin-enabled port is:
- Dot1x
- Web-based
- MAC
For example, suppose the following authentication protocol order is configured on a netlogin-enabled port on which all three authentication protocols are enabled:
- Dot1x
- MAC
- Web-based
When user “john” tries to authenticate with his login credentials through a Dot1x-enabled supplicant or client, the supplicant sends an EAPOL packet to the ExtremeXOS switch (the authenticator). Upon receipt of the EAPOL packet, the ExtremeXOS kernel FDB (forwarding database) module informs the user interface FDBMgr about the new MAC detection. The FDBMgr in turn informs the netlogin process about the new MAC or client. The netlogin process tries to authenticate the client/MAC through RADIUS (Remote Authentication Dial In User Service). On receiving the authentication result from the AAA process, the netlogin process checks the protocol precedence configured by the user for that port and also checks whether this client is being authenticated by any other authentication protocol. In this case no other authentication protocol has authenticated this MAC yet, so the netlogin process applies the action (VLAN movement, UPM security profile, etc.) corresponding to MAC-based authentication.
The ExtremeXOS switch (authenticator) then sends the credentials of user “john” to the authentication server (RADIUS) a second time, for Dot1x protocol authentication. Once the authentication result is received, the netlogin process again checks the protocol precedence and finds that the host/MAC of user “john” is already authenticated via MAC-based authentication. Since Dot1x is configured as the highest-precedence protocol for this port, the netlogin process removes the MAC-based authentication actions for this client and applies the Dot1x protocol action for “john” on this port. The MAC-based authenticated client continues to exist and performs periodic reauthentication at the configured interval. The “show netlogin” output shows only the details of the client's highest-precedence protocol, that is, the authentication protocol whose action is applied.
When another user “sam” tries to authenticate from the same host (MAC) through the web-based authentication method (provided the netlogin-enabled port is still present in the netlogin VLAN), user “sam” is authenticated, but the web-based authentication protocol action is not applied, since user “john” is already authenticated from this MAC with Dot1x, the user-configured highest-precedence protocol on this port.
Note
After changing the protocol precedence, the action for the current highest-precedence protocol (if the client is authenticated by this protocol) takes effect immediately.
Note
After disabling the highest-precedence protocol on this port, the action for the next-precedence protocol (if the client is authenticated by this protocol) takes effect immediately.
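The precedence logic walked through above (the “john”/“sam” scenario and the two Notes), as an added Python model written for this page; it is not ExtremeXOS code, and the class and function names, the protocol labels and the sample MAC are assumptions:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Hypothetical model of the netlogin precedence logic described above; not ExtremeXOS code.
DEFAULT_ORDER = ("dot1x", "web", "mac")   # default precedence, highest first

@dataclass
class Port:
    order: Tuple[str, ...] = DEFAULT_ORDER          # configured precedence, highest first
    enabled: Set[str] = field(default_factory=lambda: {"dot1x", "web", "mac"})
    in_netlogin_vlan: bool = True                   # web-based auth needs the netlogin VLAN

@dataclass
class Client:
    mac: str
    authenticated: Dict[str, str] = field(default_factory=dict)  # protocol -> username
    applied: Optional[str] = None                   # protocol whose action is currently applied

def winning_protocol(port: Port, client: Client) -> Optional[str]:
    """Highest-precedence enabled protocol that has authenticated this MAC, or None."""
    for proto in port.order:
        if proto in port.enabled and proto in client.authenticated:
            return proto
    return None

def reevaluate(port: Port, client: Client) -> Optional[str]:
    """Apply the winner's action (VLAN move, UPM profile, ...) and remove any previous one."""
    winner = winning_protocol(port, client)
    if winner != client.applied:
        client.applied = winner
    return client.applied

def on_auth_success(port: Port, client: Client, proto: str, user: str) -> Optional[str]:
    """RADIUS accepted `user` via `proto`; lower-precedence sessions stay and keep reauthenticating."""
    if proto == "web" and not port.in_netlogin_vlan:
        return client.applied                       # web-based auth never happens off the VLAN
    client.authenticated[proto] = user
    return reevaluate(port, client)

def set_precedence(port: Port, client: Client, order) -> Optional[str]:
    port.order = tuple(order)
    return reevaluate(port, client)                 # new highest precedence applies immediately

def disable_protocol(port: Port, client: Client, proto: str) -> Optional[str]:
    port.enabled.discard(proto)
    return reevaluate(port, client)                 # next precedence protocol takes over
def show_netlogin(client: Client):
    """Like `show netlogin`: only the protocol whose action is applied is reported."""
    return None if client.applied is None else (client.applied, client.authenticated[client.applied])
```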