Table of Contents
Advertisement
Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Figure 22
Multiple Host Mode Example
Workstations
(clients)
The switch supports multidomain authentication (MDA), which allows both a data device and a voice device, such as an
IP Phone (Cisco or non-Cisco), to connect to the same switch port. For more information, see
Authentication, page
Multidomain Authentication
The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP
phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice
domain.
MDA does not enforce the order of device authentication. However, for best results, we recommend that a voice device
is authenticated before a data device on an MDA-enabled port.
Follow these guidelines for configuring MDA:
To configure a switch port for MDA, see
You must configure the voice VLAN for the IP phone when the host mode is set to multidomain. For more information,
see
Configuring VLANs, page 271
To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value (AV) pair attribute
device-traffic-class=voice
with a value of
The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled port. The switch
treats a voice device that fails authorization as a data device.
If more than one device attempts authorization on either the voice or the data domain of a port, it is error disabled.
Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are allowed into both
the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address
and acquire the voice VLAN information. After the voice device starts sending on the voice VLAN, its access to the
data VLAN is blocked.
A voice device MAC address that is binding on the data VLAN is not counted towards the port security MAC address
limit.
MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to connect to devices
that do not support 802.1x authentication. For more information, see
page
217.
When a data or a voice device is detected on a port, its MAC address is blocked until authorization succeeds. If the
authorization fails, the MAC address remains blocked for 5 minutes.
197.
Configuring the Host Mode, page
Authentication
server
(RADIUS)
. Without this value, the switch treats the voice device as a data device.
MAC Authentication Bypass Guidelines,
197
Multidomain
222.
- Quick Links:
- Configuration Overview
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
