802.1X Multiple Authentication Mode; 802.1X Accounting - Cisco IE-3000-8TC Software Configuration Manual

Software configuration guide

Cisco IE 3000 Switch Software Configuration Guide, OL-13018-03, page 12-12
Chapter 12: Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication

- If a data domain is authorized first and placed in the guest VLAN, non-802.1x-capable voice devices
  need their packets tagged on the voice VLAN to trigger authentication.
- We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a
  per-user ACL policy might impact traffic on both the voice and data VLANs of the port. You can use
  only one device on the port to enforce per-user ACLs.

For more information, see the "Configuring the Host Mode" section on page 12-35.

802.1x Multiple Authentication Mode

Multiple-authentication (multiauth) mode allows one client on the voice VLAN and multiple
authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1x-enabled
port, multiple-authentication mode provides enhanced security over multiple-hosts mode by requiring
authentication of each connected client. For non-802.1x devices, you can use MAC authentication
bypass or web authentication as the fallback method for individual host authentications, so that
different hosts can be authenticated through different methods on a single port.

Note: Multiple-authentication mode is limited to eight authentications (hosts) per port.

Multiple-authentication mode also supports MDA functionality on the voice VLAN by assigning
authenticated devices to either a data or voice VLAN, depending on the VSAs received from the
authentication server.

Note: When a port is in multiple-authentication mode, all the VLAN assignment features, including the
RADIUS server supplied VLAN assignment, the Guest VLAN, the Inaccessible Authentication Bypass,
and the Authentication Failed VLAN, do not activate.

For more information, see the "Configuring the Host Mode" section on page 12-35.

802.1x Accounting

The 802.1x standard defines how users are authorized and authenticated for network access but does not
keep track of network usage. 802.1x accounting is disabled by default. You can enable 802.1x accounting
to monitor this activity on 802.1x-enabled ports:

- User successfully authenticates.
- User logs off.
- Link-down occurs.
- Re-authentication successfully occurs.
- Re-authentication fails.

The switch does not log 802.1x accounting information. Instead, it sends this information to the
RADIUS server, which must be configured to log accounting messages.
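
An added example, not taken from the Cisco guide: because accounting records exist only on the RADIUS server, a server-side audit can count open sessions per switch port and flag ports that have reached the eight-host multiauth limit. It assumes the server writes FreeRADIUS-style "detail" records and that a session opens on Acct-Status-Type Start and closes on Stop; the sample log, addresses, port names and function names are constructed for illustration.

```python
from collections import defaultdict

MULTIAUTH_LIMIT = 8  # per-port host limit stated in the guide

# Constructed sample in the assumed "detail" layout: a timestamp line,
# tab-indented "Attribute = value" lines, and a blank line between records.
def make_record(status, mac, port, sid):
    return (
        "Mon Jan  6 09:00:00 2025\n"
        f'\tAcct-Status-Type = {status}\n'
        f'\tAcct-Session-Id = "{sid}"\n'
        f'\tCalling-Station-Id = "{mac}"\n'
        "\tNAS-IP-Address = 192.0.2.10\n"
        f'\tNAS-Port-Id = "{port}"\n'
    )

SAMPLE_LOG = "\n".join(
    [make_record("Start", f"00-00-5E-00-53-{i:02X}", "FastEthernet1/1", f"S{i}") for i in range(8)]
    + [make_record("Start", "00-00-5E-00-53-AA", "FastEthernet1/2", "S100"),
       make_record("Stop", "00-00-5E-00-53-AA", "FastEthernet1/2", "S100"),
       make_record("Stop", "00-00-5E-00-53-BB", "FastEthernet1/3", "S999")]  # Stop with no Start
)

def parse_records(text):
    """Yield one dict of attributes per accounting record."""
    for block in text.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("\t") and " = " in line:
                key, value = line.strip().split(" = ", 1)
                attrs[key] = value.strip('"')
        if "Acct-Status-Type" in attrs:
            yield attrs

def audit(text):
    """Return (open sessions per port, ports at the limit, orphan Stop session ids)."""
    active = defaultdict(dict)  # (NAS address, port) -> {session id: client MAC}
    orphans = []
    for rec in parse_records(text):
        sessions = active[(rec.get("NAS-IP-Address"), rec.get("NAS-Port-Id"))]
        sid = rec.get("Acct-Session-Id")
        if rec["Acct-Status-Type"] == "Start":
            sessions[sid] = rec.get("Calling-Station-Id", "unknown")
        elif rec["Acct-Status-Type"] == "Stop" and sessions.pop(sid, None) is None:
            orphans.append(sid)  # Stop without a logged Start: a gap in the accounting trail
    at_limit = sorted(k for k, s in active.items() if len(s) >= MULTIAUTH_LIMIT)
    return {k: len(s) for k, s in active.items()}, at_limit, orphans
```

An orphan Stop usually means the server was not logging when the session began, which is worth checking given that the switch keeps no accounting log of its own.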
