port-access onboarding-method concurrent

Syntax

port-access onboarding-method concurrent <enable | disable>

Description

Configures all methods to start concurrently for a faster onboarding process. If authentication priority is not configured when concurrent onboarding is enabled, the priority is 802.1x followed by mac-auth and device-profile.

Default priority for concurrent onboarding is 802.1x followed by mac-auth and device-profile.

When concurrent onboarding is enabled on the port, existing clients are de-authenticated and freshly onboarded concurrently.

When concurrent onboarding is enabled, auth-precedence is ignored.

If concurrent onboarding is configured, the client stays in the pre-auth role until one authentication method succeeds or all authentication methods fail.

When the authentication method with the highest priority fails, the profile of the next successful authentication method is applied.

If all methods fail, the reject or critical role is applied based on the 802.1X authentication failure reason, and reauthentication continues with the 802.1X method.

Reauthentication is triggered for all high-priority methods, not just the final successful authentication method.

Some RADIUS servers may block the client when they receive two requests, mac-auth and 802.1X, from the same client at the same time. This is because the RADIUS server allows only one authentication request. In such cases, concurrent onboarding is not feasible. To prevent such scenarios, configure auth-precedence with auth-priority.

Command context

config-if

Parameters

enable

Enable clients to be onboarded concurrently.

disable

Disable clients to be onboarded concurrently.

Authority

Administrators or local user group members with execution rights for this command.

Examples

On the 6400 Switch Series, interface identification differs.

Enabling concurrent onboarding on a port:

switch(config)# interface 1/1/1
switch(config-if)# port-access onboarding-method concurrent enable

Disabling concurrent onboarding on a port:

switch(config)# interface 1/1/1
switch(config-if)# port-access onboarding-method concurrent disable

Sample configuration:

interface 1/1/1
    no shutdown
    no routing
    vlan access 999
    !aaa authentication port-access auth-precedence mac-auth dot1x
    port-access onboarding-method concurrent enable
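
An added example, not part of the original command reference or any vendor tooling: a Python audit of saved running-config text that lists ports with concurrent onboarding enabled, any auth-precedence line on them (ignored, per the description above), and the priority in effect. The auth-priority line syntax and the sample config are assumptions modeled on the auth-precedence line in the sample configuration.

```python
import re

# Default concurrent-onboarding priority stated on this page, as CLI keywords.
DEFAULT_PRIORITY = ["dot1x", "mac-auth", "device-profile"]

# Constructed sample config, not taken from a real switch.
SAMPLE_CONFIG = """\
interface 1/1/1
    vlan access 999
    aaa authentication port-access auth-precedence mac-auth dot1x
    port-access onboarding-method concurrent enable
interface 1/1/2
    aaa authentication port-access auth-precedence mac-auth dot1x
interface 1/1/3
    aaa authentication port-access auth-priority mac-auth dot1x
    port-access onboarding-method concurrent enable
"""

# auth-priority line syntax is assumed by analogy with auth-precedence.
AUTH_RE = re.compile(r"aaa authentication port-access auth-(precedence|priority) (.+)$")
CONC_RE = re.compile(r"port-access onboarding-method concurrent (enable|disable)$")

def audit(config):
    """Return {port: details} for ports with concurrent onboarding enabled."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or "!" comment
        if not raw[0].isspace():
            # Top-level line: opens an interface stanza or ends the current one.
            m = re.match(r"interface (\S+)$", line)
            cur = ports.setdefault(m.group(1), {"concurrent": False}) if m else None
        elif cur is not None:
            if (m := CONC_RE.match(line)):
                cur["concurrent"] = m.group(1) == "enable"  # last line wins
            elif (m := AUTH_RE.match(line)):
                cur[m.group(1)] = m.group(2).split()
    return {
        name: {
            "ignored_auth_precedence": p.get("precedence"),  # ignored per this page
            "priority": p.get("priority", DEFAULT_PRIORITY),
        }
        for name, p in ports.items()
        if p["concurrent"]
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The ports it reports are the ones to check against the RADIUS server's handling of simultaneous mac-auth and 802.1X requests.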