Precedence of client-based authentication: Dynamic Configuration Arbiter (DCA)

The Dynamic Configuration Arbiter (DCA) is implemented to determine the client-specific parameters that are assigned in an authentication session.

A client-specific authentication configuration is bound to the MAC address of a client device and may include the following parameters:

  • Untagged client VLAN ID

  • Tagged VLAN IDs

  • Per-port CoS (802.1p) priority

  • Per-port rate-limiting on inbound traffic

  • Client-based ACLs

DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed in a specified hierarchy of precedence. When multiple values for an individual configuration parameter exist, the value applied to a client session is determined in the following order (from highest to lowest priority) in which a value configured with a higher priority overrides a value configured with a lower priority:

  1. 802.1X authentication parameters (RADIUS-assigned)

  2. Web or MAC authentication parameters (RADIUS-assigned)

  3. Local, statically configured parameters

Although RADIUS-assigned settings are never applied to ports for unauthenticated clients, the DCA allows configuring and assigning client-specific port configurations to unauthenticated clients, provided that a client MAC address is known in the switch in the forwarding database. DCA arbitrates the assignment of attributes on both authenticated and unauthenticated ports.

DCA does not support the arbitration and assignment of client-specific attributes on trunk ports.