Network Login Multiple Authentication Support
The client or supplicant connected to the NetLogin-enabled port(s) are authenticated by only
one authentication protocol. If enabled globally and at the port, MAC-based authentication takes
precedence if enabled globally and at the port. Dot1x takes precedence over MAC-based
authentication if Dot1x is supported by the supplicant. In this case the MAC-based authentication
information is cleared as the client gets authenticated via Dot1x. Web-based authentication
happens only when the port belongs to the NetLogin VLAN (Virtual LAN). The final
authentication method used with its associated actions is applied while any previous
authenticated protocol information is cleared.
This feature supports multiple authentication protocols on a NetLogin-enabled port. The user
must specify the authentication protocol priority or order per port which dictates the action for
the client or supplicant that is getting authenticated on this port. Use the CLI to configure the
authentication protocol order (
configure netlogin authentication
protocol-order [[dot1x [web-based | mac | cep]] |
[mac [dot1x | web-based | cep]] | [web-based [dot1x | mac | cep]] |
[cep [dotlx | web-based |
mac]]]). By default the protocol precedence order for a NetLogin-enabled port is:
- Dot1x
- Web-based
- MAC
- CEP
For example, if the following is the authentication protocol order configured on a
NetLogin-enabled port in which three authentication protocols are enabled:
- Dot1x
- MAC
- Web-based
Note
Precedence order does not
work when MAC and web-based are enabled on the same port. If you want to authenticate by
web-based, do not use MAC and other protocols.
When user “john” tries to authenticate
with his login credentials through Dot1x-enabled supplicant or client, it sends the EAPOL packet
to the
ExtremeXOS
switch or authenticator. Upon receipt of the EAPOL packet, the
ExtremeXOS kernel
FDB (forwarding database) module informs the user interface FDBMgr about the new MAC detection. The FDBMgr
in turn informs the NetLogin process about the new MAC or client. The NetLogin process tries to
authenticate the client/MAC through
RADIUS (Remote Authentication Dial In User Service). On receiving the
authentication result from AAA process, the NetLogin process checks for the protocol precedence
configured by the user for that port and also finds if this client is being authenticated by any
other authentication protocol. In this case, no other authentication protocol has authenticated
this MAC address yet and the NetLogin process applies the action (VLAN movement, UPM security
profile, etc.;) corresponding to MAC-based authentication.
The ExtremeXOS
switch or authenticator then sends the credentials of user “john” to the authentication server
(RADIUS) a second time for Dot1x protocol authentication, After the authentication result is
received, the NetLogin process again checks the protocol precedence to find that the user
“john's" host/MAC is already authenticated using MAC-based authentication. Since Dot1x is
configured as the highest precedence protocol for this port the NetLogin process remove MAC-based
authentication actions for this client and apply the Dot1x protocol action for “john” on this
port. The MAC-based authenticated client continues to exist and performs the periodic
re-authentication for the configured time. The show netlogin output shows the
client‘s highest precedence protocol or action applied authentication protocol details only.
When another user “sam” tries to authenticate from the same host or MAC through
web-based authentication method (provided the NetLogin-enabled port is still present in NetLogin
VLAN) the user “sam” gets authenticated, but the web-based authentication protocol action is not
applied, since user “john” is already authenticated from this MAC address with user-configured
highest precedence Dot1x protocol on this port.
Note
After changing the protocol precedence, the
action for the current highest precedence protocol (if client is authenticated by this protocol)
takes effect immediately.
Note
After
disabling the highest precedence protocol on this port, the next precedence protocol (if client
is authenticated by this protocol) action takes effect immediately.