Using Multiple Domain Authentication And Multiple Authentication - Cisco Catalyst 4500 Series Software Configuration Manual

About 802.1X Port-Based Authentication

Using Multiple Domain Authentication and Multiple Authentication

Multiple Domain Authentication (MDA) allows both a data device and a voice device, such as an IP phone (Cisco or third party
non-Cisco), to authenticate on the same switch port, which is divided into a data domain and a voice domain.
Multi Auth allows multiple data devices and a voice device. When a voice VLAN is configured on a multiple- authentication
port, the port can perform authentication in the voice domain as on an MDA port.
MDA does not enforce the order of device authentication. For best results, however, you should authenticate a voice device
before you authenticate a data device on an MDA-enabled port.
When configuring MDA, consider the following guidelines.
Note The same guidelines also apply for Multiple Authentication when voice VLAN is configured.
We recommend that you enable CoPP on an MDA-enabled port to protect against a DoS attack. Refer to
•
"Configuring Control Plane Policing and Layer 2 Control Packet QoS."
To configure a switch port for MDA or Multiple Authentication, see the
•
Multiple Authorization" section on page
You must configure the voice VLAN for the IP phone when the host mode is set to multidomain. For more information,
•
see Chapter 46, "Configuring Voice Interfaces."
To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value (AV) pair attribute with
•
a value of device-traffic-class=voice. Without this value, the switch treats the voice device as a data device.
You must configure the attribute device-traffic-class=voice on all authenticated phones. If not configured, authenticated
•
phones may not work correctly.
The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled port. The switch treats
•
a voice device that fails authorization as a data device.
If more than one device attempts authorization on either the voice or the data domain of a port, it is error-disabled.
•
Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are allowed into both the data
•
and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire
the voice VLAN information. After the voice device starts sending on the voice VLAN, its access to the data VLAN is
blocked. A security violation may occur in MDA if the voice device continues to send traffic on the data VLAN.
MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to connect to devices that do
•
not support 802.1X authentication. it is especially useful for third party phones without 802.1X supplicant. For more
information, see the "Using 802.1X with MAC Authentication Bypass" section on page
When a data or a voice device is detected on a port, its MAC address is blocked until authorization succeeds. If the
•
authorization fails, the MAC address remains blocked for 5 minutes.
If more than one device is detected on the data VLAN or more than one voice device is detected on the voice VLAN while
•
a port is unauthorized, the port is error-disabled.
When a port host mode is changed from single- or multihost to multidomain mode, an authorized data device remains
•
authorized on the port. However, a Cisco IP phone that was allowed on the port in the voice VLAN is automatically
removed and must be reauthenticated on that port.
• Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port changes from single-
or multihost mode to multidomain mode.
• Switching a port host mode from multidomain to single- or multihost mode removes all authorized devices from the port.
• If a data domain is authorized first and placed in the guest VLAN, non-802.1X-capable voice devices need to tag their
packets on the voice VLAN to trigger authentication.
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
49-22
49-34.
Chapter 49 Configuring 802.1X Port-Based Authentication
"Configuring Multiple Domain Authentication and
49-11.
Chapter 57,