Chapter 6
Configuring Endpoint Admission Control
Flexible Authentication Sequence and Failover Configuration
Flexible Authentication Sequence (FAS) allows the access port to be configured for 802.1X, MAB, and
WebAuth authentication methods, specifying the fallback sequence if one or more of the authentication
methods are not available. The default failover sequence is as follows:
• 802.1X port-based Authentication
• MAC Authentication Bypass
• Web Authentication
Layer 2 authentications always occur before Layer 3 authentications. That is, 802.1X and MAB must
occur before WebAuth.
The following example specifies the authentication sequence as MAB, 802.1X, and then WebAuth.
switch(config)# interface gigabitEthernet 2/1
switch(config-if)# authentication order mab dot1x webauth
switch(config-if)# ^Z
For more detailed information on authentication method sequence configuration, see the configuration
guide for your access switch.
For additional information on FAS, see the Cisco document, Flexible Authentication Order, Priority, and
Failed Authentication at the following URL:
http://www.ciscosystems.com.pe/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html
802.1X Host Modes
Four host classification modes can be configured per port:
• Single Host—Interface-based session with one MAC address
• Multi Host—Interface-based session with multiple MAC addresses per port
• Multi Domain—MAC + Domain (VLAN) session
• Multi Auth—MAC-based session with multiple MAC addresses per port
For more detailed information on 802.1X Host Mode configurations, see the configuration guide for your
access switch.
Pre-Authentication Open Access
The Pre-Authentication Open Access feature allows clients and devices to gain network access before
port authentication is performed. This process is primarily required for the PXE boot scenario, where a
device needs to access the network before PXE times out and download a bootable image that may
contain a supplicant.
For more detailed information on Pre-authentication Open Access configuration, see the configuration
guide for your access switch.
OL-22192-01
Cisco TrustSec Configuration Guide
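Added example, not part of the Cisco guide: a Python audit of saved interface configuration text that reports each port's authentication order and host mode, and flags ports where webauth is listed ahead of 802.1X or MAB or where pre-authentication open access is enabled. The sample configuration is constructed, and the `authentication host-mode` and `authentication open` lines are assumed from Cisco IOS syntax rather than shown on this page; ports without an `authentication order` line are assumed to use the default sequence.

```python
# Constructed sample interface configuration (not taken from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet2/1
 authentication order mab dot1x webauth
 authentication host-mode multi-domain
interface GigabitEthernet2/2
 authentication order webauth dot1x
 authentication open
interface GigabitEthernet2/3
 authentication host-mode single-host
"""

DEFAULT_ORDER = ["dot1x", "mab", "webauth"]  # default failover sequence
LAYER2 = {"dot1x", "mab"}                    # must come before webauth


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces


def audit_port(commands):
    """Report one port's method order, host mode and audit findings."""
    order, host_mode, findings = list(DEFAULT_ORDER), None, []
    for words in (cmd.split() for cmd in commands):
        if words[:2] == ["authentication", "order"]:
            order = words[2:]
        elif words[:2] == ["authentication", "host-mode"]:
            host_mode = " ".join(words[2:]) or None
        elif words == ["authentication", "open"]:
            findings.append("pre-authentication open access enabled")
    if "webauth" in order:
        late = [m for m in order[order.index("webauth") + 1:] if m in LAYER2]
        if late:
            findings.append("webauth listed before " + ", ".join(late))
    return {"order": order, "host_mode": host_mode, "findings": findings}


def audit_config(config):
    """Audit every interface block in the configuration text."""
    return {n: audit_port(c) for n, c in parse_interfaces(config).items()}
```

Calling `audit_config(SAMPLE_CONFIG)` returns one entry per interface; an open-access finding is a prompt to confirm the port really serves a PXE boot scenario.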