
AOS-CX 10.6 Auth-Priority


    Posted Apr 20, 2021 10:43 AM


    Auth-precedence triggers as per the port-level configuration; up to the AOS-CX 10.5 release, the same client can't achieve both methods of authentication. The workaround with 10.5 is that the IT admin has to change the precedence manually, which is not practical.

    This challenge can be overcome using the auth-priority feature, which is introduced from 10.6 onwards.

    • Clients like wireless access points (APs), or phones or laptops without pre-loaded supplicant software, can first download the required supplicant software and then attempt 802.1X authentication.
    • Set MAC authentication as the primary authentication method, followed by 802.1X, for the authentication order.
      • Auth-precedence: mac-auth dot1x
    • Set the authentication priority with 802.1X as primary and MAC authentication as secondary to enforce access based on 802.1X.
      • Auth-priority: dot1x mac-auth
    • Thus the client will initially get authenticated by MAC authentication, and then install the required supplicant software to achieve subsequent 802.1X authentication.
    • Authentication is started based on the precedence order, and even after successful authentication by one auth-method, authentication continues until the enabled highest-priority method gives a response.


    Auth-Priority Required Configuration on AOS-CX 6000 switches:

    aaa authentication port-access dot1x authenticator enable
    aaa authentication port-access mac-auth enable

    (config-if)#
        aaa authentication port-access auth-precedence mac-auth dot1x
        aaa authentication port-access auth-priority dot1x mac-auth
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable


    For more details, please refer to:
    AOS-CX 10.06 Security Guide 6200, 6300, 6400 Switch Series

     
    Good day!



    ------------------------------
    Yash NN
    ------------------------------
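
An added example, not part of the original post or any vendor tooling: a Python check that reads a saved configuration and reports which of the commands listed in the post are missing, globally and on each port that uses port-access authentication. The sample config, the interface names and the function names are constructed for illustration, and the parser assumes `enable` appears as an indented sub-context line as shown in the post.

```python
PFX = "aaa authentication port-access "
GLOBAL_REQ = [PFX + "dot1x authenticator enable", PFX + "mac-auth enable"]
PORT_REQ = [PFX + "auth-precedence mac-auth dot1x",
            PFX + "auth-priority dot1x mac-auth"] + GLOBAL_REQ
# Constructed sample: 1/1/1 matches the post, 1/1/2 omits auth-priority.
SAMPLE = """\
aaa authentication port-access dot1x authenticator enable
aaa authentication port-access mac-auth enable
interface 1/1/1
    aaa authentication port-access auth-precedence mac-auth dot1x
    aaa authentication port-access auth-priority dot1x mac-auth
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
interface 1/1/2
    aaa authentication port-access auth-precedence mac-auth dot1x
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
"""

def parse(config):
    """Split a config into global lines and per-interface lines."""
    glob, ports, cur = [], {}, None
    for raw in filter(str.strip, config.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():             # column 0: global line or new interface
            cur = ports.setdefault(line.split()[1], []) if line.startswith("interface ") else None
            if cur is None:
                glob.append(line)
        elif cur is not None and line == "enable" and cur:
            cur[-1] += " enable"             # fold sub-context 'enable' into its parent
        elif cur is not None:
            cur.append(line)
    return glob, ports

def audit(config):
    """Return {scope: [missing commands]}; ports without port-access are skipped."""
    glob, ports = parse(config)
    findings = {"global": [c for c in GLOBAL_REQ if c not in glob]}
    for name, lines in ports.items():
        if any(l.startswith(PFX) for l in lines):
            findings[name] = [c for c in PORT_REQ if c not in lines]
    return {scope: missing for scope, missing in findings.items() if missing}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A port flagged only for the missing `auth-priority` line is one where the precedence order is set but the 802.1X-over-MAC priority described in the post is not configured.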