Cisco Catalyst 2960-X Security Configuration Manual page 303
Cisco ios release 15.0(2)ex
Hide thumbs
Also See for Catalyst 2960-X:
- Command reference manual (135 pages) ,
- Hardware installation manual (34 pages) ,
- Getting started manual (25 pages)
Table of Contents
Advertisement
Configuring IEEE 802.1x Port-Based Authentication
• Enabling port security does not impact the RADIUS server-assigned VLAN behavior.
• If 802.1x authentication is disabled on the port, it is returned to the configured access VLAN and
configured voice VLAN.
• If an 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port
access VLAN configuration does not take effect. In the case of a multidomain host, the same applies to
voice devices when the port is fully authorized with these exceptions:
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into
the configured access VLAN.
If an 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port
access VLAN configuration does not take effect. In the case of a multidomain host, the same applies to voice
devices when the port is fully authorized with these exceptions:
• If the VLAN configuration change of one device results in matching the other device configured or
assigned VLAN, authorization of all devices on the port is terminated and multidomain host mode is
disabled until a valid configuration is restored where data and voice device configured VLANs no longer
match.
• If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice VLAN
configuration, or modifying the configuration value to dot1p or untagged results in voice device
un-authorization and the disablement of multi-domain host mode.
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into
the configured access VLAN.
The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or
with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:
• Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
• Enable 802.1x authentication. (The VLAN assignment feature is automatically enabled when you
configure 802.1x authentication on an access port).
• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these
attributes to the switch:
OL-29048-01
◦ If the VLAN configuration change of one device results in matching the other device configured
or assigned VLAN, then authorization of all devices on the port is terminated and multidomain
host mode is disabled until a valid configuration is restored where data and voice device configured
VLANs no longer match.
◦ If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice
VLAN configuration, or modifying the configuration value to dot1p or untagged results in voice
device un-authorization and the disablement of multi-domain host mode.
◦ [64] Tunnel-Type = VLAN
◦ [65] Tunnel-Medium-Type = 802
◦ [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
◦ [83] Tunnel-Preference
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
802.1x Authentication with VLAN Assignment
279
Hide quick links:
Advertisement
Table of Contents
