Security Overview

Precedence of Security Options

Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.

For example, NIM may configure only rate-limiting for a specified client session, while RADIUS-assigned values may include both an untagged VLAN ID and a rate-limiting value to be applied. In this case, DCA applies the NIM- configured rate-limiting value and the RADIUS-assigned VLAN (if there are no other conflicts).

Also, you can assign NIM-configured parameters (for example, VLAN ID assignment or rate-limiting) to be activated in a client session when a threat to network security is detected. When the NIM-configured parameters are later removed, the parameter values in the client session return to the RADIUS-configured or locally configured settings, depending on which are next in the hierarchy of precedence.

In addition, DCA supports conflict resolution for QoS (port-based CoS priority) and rate-limiting (ingress) by determining whether to configure either strict or non-strict resolution on a switch-wide basis. For example, if multiple clients authenticate on a port and a rate-limiting assignment by a newly authenticating client conflicts with the rate-limiting values assigned to previous clients, by using Network Immunity you can configure the switch to apply any of the following attributes:

Apply only the latest rate-limiting value assigned to all clients.

Apply a client-specific rate-limiting configuration to the appropriate client session (overwrites any rate-limit previously configured for other client sessions on the port).

For information about how to configure RADIUS-assigned and locally configured authentication settings, refer to:

RADIUS-assigned 802.1X authentication: “Configuring Port-Based and User-Based Access Control (802.1X)” on page 10-1.

RADIUS-assigned Web or MAC authentication: “Web and MAC Authenti- cation” on page 3-1.

RADIUS-assigned CoS, and rate-limiting: “Configuring RADIUS Server Support for Switch Services” on page 7-1.

Statically (local) configured: “Configuring Username and Password Security” on page 2-1.

1-20