Security Overview
Precedence of Security Options
Client-specific configurations are applied on a per-parameter basis on a port. 
In a client-specific profile, if DCA detects that a parameter has configured 
values from two or more levels in the hierarchy of precedence described 
above, DCA decides which parameters to add or remove, or whether to fail 
the authentication attempt due to an inability to apply the parameters.
For example, NIM may configure only rate-limiting for a specified client 
session, while RADIUS-assigned values may include both an untagged VLAN 
ID and a rate-limiting value to be applied. In this case, DCA applies the 
NIM-configured rate-limiting value and the RADIUS-assigned VLAN (if there are no 
other conflicts). 
Also, you can assign NIM-configured parameters (for example, VLAN ID 
assignment or rate-limiting) to be activated in a client session when a threat 
to network security is detected. When the NIM-configured parameters are 
later removed, the parameter values in the client session return to the 
RADIUS-configured or locally configured settings, depending on which are 
next in the hierarchy of precedence.
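The per-parameter resolution and fallback described above can be modeled as follows. This is an added example, not code from the switch or its vendor; it assumes the order NIM-configured, then RADIUS-assigned, then locally configured (inferred from the text above), and the parameter names and values are constructed for illustration.

```python
# Illustrative model only (not switch firmware or vendor code).
# Assumed precedence, highest first, inferred from the text above:
# NIM-configured, then RADIUS-assigned, then locally configured.
PRECEDENCE = ("nim", "radius", "local")


class ClientSession:
    """Tracks per-parameter values for one authenticated client on a port."""

    def __init__(self):
        # One dict of parameter -> value per configuration source.
        self.levels = {source: {} for source in PRECEDENCE}

    def assign(self, source, **params):
        if source not in self.levels:
            raise ValueError(f"unknown source: {source}")
        self.levels[source].update(params)

    def remove(self, source, *names):
        """Remove the named parameters from a source, or all if none are named."""
        targets = names or tuple(self.levels[source])
        for name in targets:
            self.levels[source].pop(name, None)

    def effective(self):
        """Resolve each parameter independently; highest-precedence source wins."""
        resolved = {}
        for source in reversed(PRECEDENCE):  # lowest first, higher levels overwrite
            for name, value in self.levels[source].items():
                resolved[name] = (value, source)
        return resolved


def demo():
    # Constructed values: hypothetical parameter names, VLAN IDs and percentages.
    s = ClientSession()
    s.assign("local", vlan_untagged=1)
    s.assign("radius", vlan_untagged=20, rate_limit_pct=50)
    s.assign("nim", rate_limit_pct=5)   # threat response: NIM sets only the rate limit
    during = s.effective()
    s.remove("nim")                     # NIM parameters later removed
    after = s.effective()
    return during, after


if __name__ == "__main__":
    for label, state in zip(("during threat response", "after NIM removal"), demo()):
        print(label, state)
```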
In addition, DCA supports conflict resolution for QoS (port-based CoS 
priority) and rate-limiting (ingress) through either strict or non-strict 
resolution, which is configured on a switch-wide basis. For example, if 
multiple clients authenticate on a port and a rate-limiting assignment by a 
newly authenticating client conflicts with the rate-limiting values assigned to 
previous clients, by using Network Immunity you can configure the switch to 
apply any of the following behaviors:
■ Apply only the latest rate-limiting value assigned to all clients.
■ Apply a client-specific rate-limiting configuration to the appropriate client 
session (overwrites any rate-limit previously configured for other client 
sessions on the port).
For information about how to configure RADIUS-assigned and locally 
configured authentication settings, refer to:
■ RADIUS-assigned 802.1X authentication: “Configuring Port-Based and 
User-Based Access Control (802.1X)” on page 13-1.
■ RADIUS-assigned Web or MAC authentication: “Web and MAC 
Authentication” on page 4-1.
■ RADIUS-assigned CoS, rate-limiting, and ACLs: “Configuring RADIUS 
Server Support for Switch Services” on page 7-1.
■ Statically (local) configured: “Configuring Username and Password 
Security” on page 2-1.