Information About Multiple Authentications for a Client
The Multiple Authentication feature is an extension of the Layer 2 and Layer 3 security types supported for client join.
Note: You can enable both L2 and L3 authentication for a given SSID.
Note: The Multiple Authentication feature is applicable for regular clients only.
Information About Supported Combination of Authentications for a Client
The Multiple Authentications for a Client feature supports multiple combinations of authentications for a given client configured in the WLAN profile.
The following table outlines the supported combinations of authentications:
Layer 2 | Layer 3 | Supported |
---|---|---|
MAB | CWA | Yes |
MAB | LWA | Yes |
MAB + PSK | - | Yes |
MAB + 802.1X | - | Yes |
MAB Failure | LWA | Yes |
802.1X | CWA | Yes |
802.1X | LWA | Yes |
PSK | - | Yes |
PSK | LWA | Yes |
PSK | CWA | Yes |
iPSK | - | Yes |
iPSK | CWA | Yes |
iPSK + MAB | CWA | Yes |
iPSK | LWA | No |
MAB Failure + PSK | LWA | Yes |
MAB Failure + PSK | CWA | No |
MAB Failure + OWE | LWA | Yes |
MAB Failure + SAE | LWA | Yes |
From 16.10.1 onwards, 802.1X configurations on WLAN support web authentication configurations with WPA or WPA2 configuration.
The feature also supports the following AP modes:
- Local
- FlexConnect
- Fabric
Jumbo Frame Support for RADIUS Packets
RADIUS packets will be fragmented according to the MTU of the egress interface if the following conditions are met:
- The command ip radius source-interface is configured under the relevant AAA group server radius group to point to the egress interface.
- The ip mtu NNN command is configured on the egress interface.
Note: If the MTU of the source interface is set to a value lower than 1500, additional fragmentation might occur. This fragmentation can lead to packet drops by upstream network devices, such as firewalls and load balancers, potentially causing authentication failures. It is recommended to verify these configurations during upgrades to prevent such issues.
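One way to run the verification recommended above before an upgrade, as an added example rather than Cisco tooling: the script checks each RADIUS server group in a saved running-config for the two conditions and flags an ip mtu below 1500. The group names, interface names and sample configuration are constructed, and the script assumes the interface name is written identically in both places.

```python
# Constructed running-config excerpt for illustration (not from the page).
SAMPLE_CONFIG = """\
aaa group server radius ISE-GROUP
 ip radius source-interface Vlan100
!
aaa group server radius GUEST-GROUP
 ip radius source-interface Vlan200
!
aaa group server radius LEGACY-GROUP
 server name ise-3
!
interface Vlan100
 ip mtu 1400
!
interface Vlan200
"""

def parse_blocks(config):
    """Map each top-level config line to the indented lines beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.strip() not in ("", "!"):
            current = line.strip()
            blocks[current] = []
    return blocks

def audit_radius_mtu(config):
    """Return (group, source_interface, ip_mtu, status) per RADIUS server group."""
    blocks, findings = parse_blocks(config), []
    for header, body in blocks.items():
        if not header.startswith("aaa group server radius "):
            continue
        group = header.split()[4]
        src = next((l.split()[3] for l in body
                    if l.startswith("ip radius source-interface ")), None)
        if src is None:
            findings.append((group, None, None, "no-source-interface"))
            continue
        # Assumption: the interface name is spelled identically in both places.
        mtu = next((int(l.split()[2]) for l in blocks.get("interface " + src, [])
                    if l.startswith("ip mtu ")), None)
        status = "no-ip-mtu" if mtu is None else "below-1500" if mtu < 1500 else "ok"
        findings.append((group, src, mtu, status))
    return findings

if __name__ == "__main__":
    print(*audit_radius_mtu(SAMPLE_CONFIG), sep="\n")
```

A "below-1500" result marks the case the note warns about; "no-source-interface" and "no-ip-mtu" mean one of the two listed conditions is not met for that group.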
Combination of Authentications on MAC Failure Not Supported on a Client
The following table outlines the combinations of authentications on MAC failure that are not supported on a given client:
Authentication Types | Foreign | Anchor | Supported |
---|---|---|---|
WPA3-OWE+LWA | Cisco AireOS | Cisco Catalyst 9800 Controller | No |
WPA3-SAE+LWA | Cisco AireOS | Cisco Catalyst 9800 Controller | No |