802.1x Multiple Authentication Mode; MAC Move - Cisco IE-4000 Software Configuration Manual

Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
If more than five devices are detected on the data VLAN or more than one voice device is detected on the voice
VLAN while a port is unauthorized, the port is error disabled.
When a port host mode changes from single- or multihost to multidomain mode, an authorized data device remains
authorized on the port. However, a Cisco IP phone on the port voice VLAN is automatically removed and must be
reauthenticated on that port.
Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port changes from
single-host or multiple-host mode to multidomain mode.
Switching a port host mode from multidomain to single-host or multiple-hosts mode removes all authorized devices
from the port.
If a data domain is authorized first and placed in the guest VLAN, non-802.1x-capable voice devices need their
packets tagged on the voice VLAN to trigger authentication. Otherwise the phone need not send tagged traffic. (The
same is true for an 802.1x-capable phone.)
We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a per-user ACL policy
might impact traffic on both the port voice and data VLANs. You can use only one device on the port to enforce
per-user ACLs.
For more information, see Configuring the Host Mode, page 222.

802.1x Multiple Authentication Mode

Multiple-authentication (multiauth) mode allows multiple authenticated clients on the data VLAN. Each host is individually
authenticated.
If a voice VLAN is configured, this mode also allows one client on the voice VLAN. (If the port detects any
additional voice clients, they are discarded from the port, but no violation errors occur.)
If a hub or access point is connected to an 802.1x-enabled port, each connected client must be authenticated.
For non-802.1x devices, you can use MAC authentication bypass or web authentication as the per-host authentication
fallback method to authenticate different hosts with different methods on a single port.
There is no limit to the number of data hosts that can authenticate on a multiauth port. However, only one voice device is
allowed if the voice VLAN is configured. Because no host limit is defined, a security violation is never triggered: if a second
voice device is seen, the switch silently discards it.
For MDA functionality on the voice VLAN, multiple-authentication mode assigns authenticated devices to either a data
or a voice VLAN, depending on the VSAs received from the authentication server.
Note:
When a port is in multiple-authentication mode, the guest VLAN and the authentication-failed VLAN features do
not activate.
For more information about critical authentication mode and the critical VLAN, see 802.1x Authentication with
Inaccessible Authentication Bypass, page 207.
For more information about configuring multiauth mode on a port, see Configuring the Host Mode, page 222.
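The following interface configuration is an added example and is not taken from this manual or from Cisco's own sample configurations; it shows one IE-4000 access port in multiauth host mode with a voice VLAN, 802.1x with MAB fallback for non-802.1x hosts, and a critical VLAN (which does activate in multiauth mode, unlike the guest and auth-fail VLANs). The interface name, VLAN IDs, RADIUS server address and shared secret are assumptions for illustration; the exact command set depends on the IOS release on the switch.

```ios
! Added example, not from the manual. Names, VLANs and addresses are assumed.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
dot1x system-auth-control
!
interface GigabitEthernet1/5
 description multiauth port: one phone plus any number of data hosts
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! multiauth: every data host is authenticated individually; one voice domain
 authentication host-mode multi-auth
 ! try 802.1x first, fall back to MAC authentication bypass for non-802.1x hosts
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! critical authentication (server dead) still works in multiauth mode
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 ! do NOT rely on a guest VLAN here: "authentication event no-response action
 ! authorize vlan <id>" never activates while the port is in multiauth mode
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
!
end
! Verify: each session lists its Domain (DATA or VOICE), its method and its status
show authentication sessions interface GigabitEthernet1/5
```

Per-user ACLs are deliberately absent from this example, since the manual advises against them on an MDA-enabled port; a downloadable ACL applied to one session could affect traffic on both the data and voice VLANs.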

MAC Move

When a MAC address is authenticated on one switch port, that address is not allowed on another authentication
manager-enabled port of the switch. If the switch detects the same MAC address on another authentication
manager-enabled port, that port does not authorize the address.
There are situations where a MAC address might need to move from one port to another on the same switch. For
example, when there is another device (for example a hub or an IP phone) between an authenticated host and a switch
port, you might want to disconnect the host from the device and connect it directly to another port on the same switch.
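As an added example (not from the manual), the global setting that permits such a move, with the default shown beside it. The command and its behaviour are as documented for the IOS authentication manager; the interface names in the verification step are assumptions. With MAC move permitted, the switch tears down the session on the original port and runs a fresh authentication on the new port, so the host is still checked rather than silently carried over.

```ios
! Added example, not from the manual. Interface names are assumed.
! Default: a MAC already authenticated on Gi1/5 is denied on any other
! authentication-manager port (this is the implicit setting, shown for contrast)
configure terminal
 authentication mac-move deny
end
!
! Permit moves: the old session is removed and the host re-authenticates on the new port
configure terminal
 authentication mac-move permit
end
!
! Verify the setting and watch the session move after re-cabling the host
show running-config | include mac-move
show authentication sessions interface GigabitEthernet1/5
show authentication sessions interface GigabitEthernet1/6
```

Leave the default deny in place unless hosts genuinely need to roam between ports; permitting MAC move makes it easier for a device that spoofs an authenticated MAC address to obtain a session on another port, although it must still pass the configured authentication method there.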
