Configuring Multiple Authentication Methods
About Multiple Authentication Types
When enabled, multiple authentication types allow users to authenticate using more than one
method on the same port. In order for multiple authentication to function on the device, each
possible method of authentication (MAC authentication, 802.1X, PWA) must be enabled globally
and configured appropriately on the desired ports with its corresponding command set described
in this chapter.
Multiple authentication mode must be globally enabled on the device using the set multiauth
mode command.
Configuring Multi-User Authentication (User + IP phone)
The User + IP phone multi‐user authentication feature allows a user and their IP phone to both use
a single port on the C2 but to have separate policy roles.
ʺUser + IP Phoneʺ Authentication on the SecureStack C2 is implemented by assigning an ingressed
packet received on a port to a policy role based on the VLAN the packet was assigned to, and not
the packetʹs source MAC address. Therefore, on a port configured for User + IP Phone
Authentication, there exists two different VLAN‐to‐policy role mappings.
The policy role for the IP phone is statically mapped using the VLAN‐to‐policy mapping feature
which assigns any packets received with a VLAN tag set to a specific VID (for example, Voice
VLAN) to an indicated policy role (for example, IP Phone policy role). Therefore, it is required that
IP phone is configured to send VLAN tagged packets to the "Voice" VLAN. Refer to the Usage
section for the command "set policy rule" on page 11‐10 for additional information.
The second policy role, for the user, can either be statically configured with the default policy role
on the port or dynamically assigned through authentication to the network. When the default
policy role is assigned on a port, the VLAN set as the portʹs PVID is mapped to the default policy
role. When a policy role is dynamically applied to a port as the result of a successfully
authenticated session, the "authenticated VLAN" is mapped to the policy role set in the Filter‐ID
returned from the RADIUS server. The "authenticated VLAN" may either be the PVID of the port,
if the PVID Override for the policy profile is disabled, or the VLAN specified in the PVID Override
if the PVID Override is enabled.
Commands
For information about...
show multiauth
set multiauth mode
clear multiauth mode
Note: C2 devices support up to six authenticated users per port.
Note: The only Multi-User Authentication supported on the C2 is User + IP phone. The IP phone
has to authenticate using 802.1x or MAC authentication, but the User may authenticate using
802.1x, PWA, or MAC authentication.
Configuring Multiple Authentication Methods
Refer to page...
23-34
23-35
23-35
SecureStack C2 Configuration Guide 23-33