802.1X Authentication With Voice Vlan Ports - Cisco Catalyst 2960 Software Configuration Manual

Understanding IEEE 802.1x Port-Based Authentication
802.1x Critical Voice VLAN
When an IP phone connected to a port is authenticated by the access control server (ACS), the phone is
put into the voice domain. If the ACS is not reachable, the switch cannot determine if the device is a
voice device. If the server is unavailable, the phone cannot access the voice network and therefore cannot
operate.
For data traffic, you can configure inaccessible authentication bypass, or critical authentication, to allow
traffic to pass through on the native VLAN when the server is not available. If the RADIUS
authentication server is unavailable (down) and inaccessible authentication bypass is enabled, the switch
grants the client access to the network and puts the port in the critical-authentication state in the
RADIUS-configured or the user-specified access VLAN. When the switch cannot reach the configured
RADIUS servers and new hosts cannot be authenticated, the switch connects those hosts to critical ports.
A new host trying to connect to the critical port is moved to a user-specified access VLAN, the critical
VLAN, and granted limited authentication.
With this release, you can enter the authentication event server dead action authorize voice interface
configuration command to configure the critical voice VLAN feature. When the ACS does not respond,
the port goes into critical authentication mode. When traffic coming from the host is tagged with the
voice VLAN, the connected device (the phone) is put in the configured voice VLAN for the port. The IP
phones learn the voice VLAN identification through CDP (Cisco devices) or through LLDP or DHCP.
You can configure the voice VLAN for a port by entering the switchport voice vlan vlan-id interface
configuration command.
This feature is supported in multidomain and multi-auth host modes. Although you can enter the
command when the switch is in single-host or multi-host mode, the command has no effect unless the
port changes to multidomain or multi-auth host mode.

802.1x Authentication with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:
- VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone
connected to the port.
- PVID to carry the data traffic to and from the workstation connected to the switch through the IP
phone. The PVID is the native VLAN of the port.
The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This
allows the phone to work independently of 802.1x authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode,
additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID.
When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the
VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several IP phones are connected in series, the switch recognizes only the one directly
connected to it. When 802.1x authentication is enabled on a voice VLAN port, the switch drops packets
from unrecognized IP phones more than one hop away.
When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a
voice VLAN.
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE, page 10-28
Chapter 10, Configuring IEEE 802.1x Port-Based Authentication, OL-26520-01
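As an added check that is not part of the manual, the following Python script audits a running-config excerpt against two of the constraints described above: the critical voice VLAN command only takes effect in multidomain or multi-auth host mode, and a port VLAN may not equal the voice VLAN when 802.1x is enabled. The interface names and VLAN numbers in the sample are constructed, and the script assumes single-host is the default host mode when none is configured.

```python
# Constructed sample running-config (not from the manual): Gi0/1 is correct, Gi0/2
# uses multi-host (critical voice VLAN has no effect), Gi0/3 has access VLAN == voice VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication event server dead action authorize voice
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-host
 authentication event server dead action authorize voice
!
interface GigabitEthernet0/3
 switchport access vlan 100
 switchport voice vlan 100
 authentication host-mode multi-auth
!
"""
CRITICAL_VOICE = "authentication event server dead action authorize voice"

def parse_interfaces(config):
    """Group indented lines under their 'interface <name>' stanza."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
    return ifaces

def audit(config):
    """Per interface, list the misconfigurations the manual's caveats describe."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        def last_word(prefix, default=None):
            return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)
        # Assumption: IOS default host mode is single-host when none is configured.
        host_mode = last_word("authentication host-mode", "single-host")
        access, voice = last_word("switchport access vlan"), last_word("switchport voice vlan")
        issues = []
        if CRITICAL_VOICE in lines and host_mode not in ("multi-domain", "multi-auth"):
            issues.append(f"critical voice VLAN has no effect in {host_mode} mode")
        if voice is not None and access == voice:
            issues.append("port VLAN equals voice VLAN, which 802.1x does not allow")
        findings[name] = issues
    return findings
```

Running `audit(SAMPLE_CONFIG)` returns an empty issue list for GigabitEthernet0/1 and one finding each for the other two interfaces.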
