Arbitrating client-specific attributes
In previous releases, client-specific authentication parameters for 802.1X Web, and MAC authentication are assigned to a port using different criteria. A RADIUS-assigned parameter is always given highest priority and overrides statically configured local passwords. 802.1X authentication parameters override Web or MAC authentication parameters.
DCA stores client-specific authentication parameters and prioritizes them according to the following hierarchy of precedence:
-
RADIUS-assigned
-
802.1X authentication
-
Web or MAC authentication
-
-
Statically (local) configured
Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
In addition, DCA supports conflict resolution for QoS (port-based CoS priority) and rate-limiting (ingress) by determining whether to configure either strict or nonstrict resolution on a switchwide basis.
-
RADIUS-assigned 802.1X authentication: Configuring Port and User-Based Access Control (802.1X)
-
RADIUS-assigned Web or MAC authentication: Web and MAC Authentication
-
RADIUS-assigned CoS, rate-limiting, and ACLs: “Configuring RADIUS Server Support for Switch Services”
-
Statically (local) configured: Configuring Username and Password Security