AOS-CX 10.6 Auth-Priority
Auth-precedence is applied according to the port-level configuration, so up to the AOS-CX 10.5 release the same client cannot be authenticated by both methods. The workaround in 10.5 is for the IT admin to change the precedence manually, which is not practical.
This challenge can be overcome using the Auth-priority feature, which is introduced from 10.6 onwards.
- Clients like wireless access points (APs), phones, or laptops without pre-loaded supplicant software can first download the required supplicant software and then attempt 802.1x Authentication.
- Set MAC Authentication as the primary authentication method followed by 802.1x for the Authentication order.
- Set the Authentication priority with primary as 802.1x and secondary as MAC Authentication to enforce the access based on 802.1x.
- Auth-precedence: mac-auth dot1x
- Auth-priority: dot1x mac-auth
- Thus the client is initially authenticated by MAC Authentication, and can then install the required supplicant software to achieve subsequent 802.1x Authentication.
- Authentication starts in the precedence order and, even after an auth-method has authenticated the client successfully, continues until the highest-priority enabled method gives a response.
Auth-Priority Required Configuration on AOS-CX 6000 switches:
(config)#
aaa authentication port-access dot1x authenticator enable
aaa authentication port-access mac-auth enable
(config-if)#
aaa authentication port-access auth-precedence mac-auth dot1x
aaa authentication port-access auth-priority dot1x mac-auth
aaa authentication port-access dot1x authenticator
    enable
aaa authentication port-access mac-auth
    enable
For more details, please refer to:
AOS-CX 10.06 Security Guide 6200, 6300, 6400 Switch Series
Good day!
------------------------------
Yash NN
------------------------------
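One way to check a saved running-config against the global and per-port settings listed in the post above, as an added example that is not part of the original post or of any Aruba tooling. It assumes the config is indented text with `interface <name>` blocks; `SAMPLE_CONFIG`, the interface numbers and the function names are constructed for illustration.

```python
import re

PFX = "aaa authentication port-access "
GLOBAL_REQUIRED = [PFX + "dot1x authenticator enable", PFX + "mac-auth enable"]
# Per-interface settings from the post; a sub-context "enable" is folded into its parent.
IF_REQUIRED = [PFX + "auth-precedence mac-auth dot1x", PFX + "auth-priority dot1x mac-auth",
               PFX + "dot1x authenticator enable", PFX + "mac-auth enable"]
# Constructed sample running-config; the interface numbers are illustrative.
SAMPLE_CONFIG = """\
aaa authentication port-access dot1x authenticator enable
aaa authentication port-access mac-auth enable
interface 1/1/1
    aaa authentication port-access auth-precedence mac-auth dot1x
    aaa authentication port-access auth-priority dot1x mac-auth
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
interface 1/1/2
    aaa authentication port-access auth-precedence mac-auth dot1x
    aaa authentication port-access mac-auth
        enable
"""

def parse(config):
    """Return (global_commands, {interface: commands}) for an indented config."""
    scopes, current, level = {}, None, 0
    for raw in filter(str.strip, config.splitlines()):
        line, indent = " ".join(raw.split()), len(raw) - len(raw.lstrip())
        m = re.fullmatch(r"interface (\S+)", line) if indent == 0 else None
        if m:  # new interface; its command indent is set by its first child line
            current, level = m.group(1), None
            continue
        if indent == 0:
            current, level = None, 0
        level = indent if level is None else level
        if indent <= level:
            scopes.setdefault(current, []).append(line)
        elif line == "enable" and scopes.get(current):
            scopes[current][-1] += " enable"  # "enable" inside a sub-context
    return scopes.pop(None, []), scopes

def audit(config):
    """Return {scope: [settings from the post that are missing]}; empty means compliant."""
    global_lines, interfaces = parse(config)
    findings = {"global": [g for g in GLOBAL_REQUIRED if g not in global_lines]}
    for name, lines in interfaces.items():
        if any(l.startswith(PFX) for l in lines):  # only ports using port-access auth
            findings[name] = [r for r in IF_REQUIRED if r not in lines]
    return {scope: missing for scope, missing in findings.items() if missing}
```

On the sample, `audit(SAMPLE_CONFIG)` reports port 1/1/2, which has the MAC-first precedence but neither the `auth-priority dot1x mac-auth` line nor 802.1x enabled.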