07-07-2020 10:10 PM
Hi Experts,
I am in need of some clarification about these two commands.
I have a tried and tested template that has an authentication order mab dot1x and authentication priority dot1x mab.
Now this is working well for the clients, and recently we added the configuration to some more switches in production and initially found out that these endpoints were not able to initiate a dot1x authentication and would always fall back to MAB...
But when I change the authentication order mab dot1x to dot1x mab, then those same endpoints started authenticating using dot1x... Which is strange, since when I connected an already working endpoint to the previously configured authentication order, then that was able to work, which made me think that there was an issue with the NIC or the OS.
But now this simple change of order has just put me in a different spiral of events...
So, what is the real reason for using the authentication order and priority commands?
07-07-2020 10:56 PM
Have a look at the Flexible Authentication Order, Priority, and Failed Authentication document for info on how this legacy IBNS feature works.
Pay particular attention to the footnote reference to the 'termination-action-modifier=1' attribute. This needs to be returned in the AuthZ Profile used by your 802.1x endpoints so the switch will only attempt the last auth method (802.1x) after a reauth.