Using 802.1X With Vlan Assignment - Cisco Catalyst 3750 Software Configuration Manual

Chapter 8
Configuring 802.1x Port-Based Authentication
Each port that you configure for a voice VLAN is associated with a PVID and a VVID. This
configuration allows voice traffic and data traffic to be separated onto different VLANs. The IP phone
uses the VVID for its voice traffic regardless of the authorized or unauthorized state of the port. This
allows the phone to work independently of 802.1x authentication.
When you enable the single-host mode, multiple IP phones are allowed on the VVID; only one 802.1x
client is allowed on the PVID. When you enable the multiple-hosts mode and when an 802.1x user is
authenticated on the primary VLAN, additional clients on the voice VLAN are unrestricted after 802.1x
authentication succeeds on the primary VLAN.
A voice VLAN port becomes active when there is link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several IP phones are connected in series, the switch recognizes only the one directly
connected to it. When 802.1x is enabled on a voice VLAN port, the switch drops packets from
unrecognized IP phones more than one hop away.
When 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
For more information about voice VLANs, see Chapter 12, "Configuring Voice VLAN."

Using 802.1x with VLAN Assignment

The switch supports 802.1x with VLAN assignment. After successful 802.1x authentication of a port,
the RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server
database maintains the username-to-VLAN mappings, which assign the VLAN based on the username
of the client connected to the switch port. You can use this feature to limit network access for certain
users.
When configured on the switch and the RADIUS server, 802.1x with VLAN assignment has these
characteristics:
- When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put
  into the configured access VLAN.
- If an 802.1x port is authenticated and put in the RADIUS server assigned VLAN, any change to the port
  access VLAN configuration does not take effect.
- The 802.1x with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with
  dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
- If no VLAN is supplied by the RADIUS server or if 802.1x authorization is disabled, the port is
  configured in its access VLAN after successful authentication.
- If 802.1x authorization is enabled but the VLAN information from the RADIUS server is not valid,
  the port returns to the unauthorized state and remains in the configured access VLAN. This prevents
  ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error.
  Configuration errors could include specifying a VLAN for a routed port, a malformed VLAN ID, a
  nonexistent or internal (routed port) VLAN ID, or an attempted assignment to a voice VLAN ID.
- If 802.1x authorization is enabled and all information from the RADIUS server is valid, the port is
  placed in the specified VLAN after authentication.
- If the multiple-hosts mode is enabled on an 802.1x port, all hosts are placed in the same VLAN
  (specified by the RADIUS server) as the first authenticated host.
- If 802.1x and port security are enabled on a port, the port is placed in the RADIUS server assigned
  VLAN.
- If 802.1x is disabled on the port, it is returned to the configured access VLAN.
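The VLAN-assignment behaviour described above (the RADIUS-supplied VLAN, and the validity checks that leave an invalid assignment unauthorized in the configured access VLAN) modelled as an added example. This is educational code written for this page, not Cisco's implementation and not text from the guide. It assumes the RFC 3580 tunnel attributes (Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=VLAN ID), which this page does not list; the PortConfig, SwitchState, Decision and PortSession names and the sample VLAN numbers are constructed.

```python
"""Model of how a switch decides a port's VLAN after 802.1x authentication.

Constructed educational example, not Cisco code. RADIUS attribute names and
values follow RFC 3580 (assumption: the page itself does not list them). The
validity rules are the ones the guide describes.
"""
from dataclasses import dataclass
from typing import Optional

TUNNEL_TYPE_VLAN = 13        # RFC 3580 Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # RFC 3580 Tunnel-Medium-Type value for 802 media


@dataclass
class PortConfig:
    access_vlan: int                    # configured port VLAN (PVID)
    voice_vlan: Optional[int] = None    # configured voice VLAN (VVID), if any
    is_routed: bool = False             # routed ports cannot take a VLAN assignment
    port_control: str = "auto"          # "auto", "force-authorized", "force-unauthorized"
    multi_host: bool = False            # multiple-hosts mode


@dataclass
class SwitchState:
    existing_vlans: set                 # VLAN IDs present in the VLAN database
    internal_vlans: set                 # VLAN IDs allocated internally to routed ports
    authorization_enabled: bool = True  # 802.1x (network) authorization on or off


@dataclass
class Decision:
    state: str    # "authorized" or "unauthorized"
    vlan: int     # VLAN the port ends up in
    reason: str


def assignment_errors(port, switch, attrs):
    """Reasons a RADIUS VLAN assignment is invalid (empty list means valid)."""
    errors = []
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        errors.append("Tunnel-Type is not VLAN")
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE802:
        errors.append("Tunnel-Medium-Type is not IEEE-802")
    group = str(attrs.get("Tunnel-Private-Group-ID", ""))
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        errors.append("malformed VLAN ID %r" % group)
        return errors                   # nothing more to check on a bad ID
    vid = int(group)
    if port.is_routed:
        errors.append("VLAN assignment to a routed port")
    if vid not in switch.existing_vlans:
        errors.append("nonexistent VLAN %d" % vid)
    if vid in switch.internal_vlans:
        errors.append("internal (routed-port) VLAN %d" % vid)
    if vid == port.voice_vlan:
        errors.append("assignment to voice VLAN %d" % vid)
    return errors


def decide_vlan(port, switch, attrs, auth_success=True):
    """Port state and VLAN after the EAP exchange, given Access-Accept attributes."""
    if port.port_control == "force-authorized":
        return Decision("authorized", port.access_vlan, "force-authorized: access VLAN")
    if port.port_control == "force-unauthorized" or not auth_success:
        return Decision("unauthorized", port.access_vlan, "not authenticated: access VLAN")
    if not switch.authorization_enabled:
        return Decision("authorized", port.access_vlan, "authorization disabled: access VLAN")
    if "Tunnel-Private-Group-ID" not in attrs:
        return Decision("authorized", port.access_vlan, "no VLAN supplied: access VLAN")
    errors = assignment_errors(port, switch, attrs)
    if errors:
        # Fail closed: stay unauthorized in the access VLAN rather than land in an
        # unintended VLAN because of a server-side configuration error.
        return Decision("unauthorized", port.access_vlan, "; ".join(errors))
    return Decision("authorized", int(attrs["Tunnel-Private-Group-ID"]), "RADIUS-assigned VLAN")


class PortSession:
    """Tracks a port across hosts; in multiple-hosts mode every later host lands in
    the VLAN chosen for the first authenticated host."""
    def __init__(self, port, switch):
        self.port, self.switch, self.vlan = port, switch, None

    def host_authenticated(self, attrs):
        if self.port.multi_host and self.vlan is not None:
            return Decision("authorized", self.vlan, "multiple-hosts: same VLAN as first host")
        d = decide_vlan(self.port, self.switch, attrs)
        self.vlan = d.vlan if d.state == "authorized" else None
        return d


# Constructed sample: VLANs 1, 10, 20, 30 exist; 1006 is an internal routed-port VLAN;
# the port is access VLAN 10 with voice VLAN 30; the server assigns VLAN 20.
SWITCH = SwitchState(existing_vlans={1, 10, 20, 30}, internal_vlans={1006})
PORT = PortConfig(access_vlan=10, voice_vlan=30)
GOOD = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "20"}

if __name__ == "__main__":
    for label, vid in [("valid", "20"), ("voice", "30"), ("missing", "999"), ("bad", "abc")]:
        print(label, decide_vlan(PORT, SWITCH, {**GOOD, "Tunnel-Private-Group-ID": vid}))
```

The point to take from the model is the fail-closed branch: a RADIUS entry that names a voice VLAN, a nonexistent VLAN or a non-numeric ID does not move the port anywhere, it leaves the port unauthorized in its configured access VLAN, so a mistake in the username-to-VLAN table on the server cannot quietly drop a client into the wrong segment.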
Catalyst 3750 Metro Switch Software Configuration Guide, page 8-7