Precedence of Client-based authentication: Dynamic Configuration Arbiter
The Dynamic Configuration Arbiter (DCA) is implemented to determine the client-specific parameters that are assigned in an authentication session.
-
Untagged client VLAN ID
-
Tagged VLAN IDs
-
Per-port CoS (802.1p) priority
-
Per-port rate-limiting on inbound traffic
-
Client-based ACLs
DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed in a specified hierarchy of precedence. When multiple values for an individual configuration parameter exist, the value applied to a client session is determined in the following order (from highest to lowest priority) in which a value configured with a higher priority overrides a value configured with a lower priority:
- 802.1X authentication parameters (RADIUS-assigned)
- Web- or MAC authentication parameters (RADIUS-assigned)
- Local, statically configured parameters
Although RADIUS-assigned settings are never applied to ports for unauthenticated clients, the DCA allows configuring and assigning client-specific port configurations to unauthenticated clients, provided that a client MAC address is known in the switch in the forwarding database. DCA arbitrates the assignment of attributes on both authenticated and nonauthenticated ports.
DCA does not support the arbitration and assignment of client-specific attributes on trunk ports.