X Multiple Authentication Mode; Mac Move - Cisco Catalyst 3750-E Software Configuration Manual

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

802.1x Multiple Authentication Mode

Multiple-authentication (multiauth) mode allows one client on the voice VLAN and multiple
authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1x-enabled
port, multiple-authentication mode provides enhanced security over multiple-hosts mode by requiring
authentication of each connected client. For non-802.1x devices, you can use MAC authentication
bypass or web authentication as the fallback method for individual host authentications to authenticate
different hosts through by different methods on a single port.
Multiple-authentication mode also supports MDA functionality on the voice VLAN by assigning
authenticated devices to either a data or voice VLAN, depending on the VSAs received from the
authentication server.
Note When a port is in multiple-authentication mode, the guest VLAN and the authentication-failed VLAN
features do not activate.
Beginning with Cisco IOS Release 12.2(55)SE, you can assign a RADIUS-server-supplied VLAN in
multi-auth mode, under these conditions:
•
•
•
•
•
•
•
•
For more information about critical authentication mode and the critical VLAN, see the
Authentication with Inaccessible Authentication Bypass" section on page
For more information see the

MAC Move

When a MAC address is authenticated on one switch port, that address is not allowed on another
authentication manager-enabled port of the switch. If the switch detects that same MAC address on
another authentication manager-enabled port, the address is not allowed.
There are situations where a MAC address might need to move from one port to another on the same
switch. For example, when there is another device (for example a hub or an IP phone) between an
authenticated host and a switch port, you might want to disconnect the host from the device and connect
it directly to another port on the same switch.
OL-9775-08
The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no
VLAN assignment, or their VLAN information matches the operational VLAN.
The first host authorized on the port has a group VLAN assignment, and subsequent hosts either
have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent
hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all
hosts are subject to the conditions specified in the VLAN list.
Only one voice VLAN assignment is supported on a multi-auth port.
After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN
information or be denied access to the port.
You cannot configure a guest VLAN or an auth-fail VLAN in multi-auth mode.
The behavior of the critical-auth VLAN is not changed for multi-auth mode. When a host tries to
authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured
VLAN.
"Configuring the Host Mode" section on page 10-44.
Understanding IEEE 802.1x Port-Based Authentication
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
"802.1x
10-23.
10-13