Using IEEE 802.1x Authentication with Voice VLAN Ports - Cisco 3750G - Catalyst Integrated Wireless LAN Controller Configuration Manual

Software configuration guide

Catalyst 3750 Switch Software Configuration Guide, OL-8550-02, page 10-16
Chapter 10: Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

- Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers are unavailable, the switch puts the critical port in the critical-authentication state in the restricted VLAN.
- IEEE 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
- Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port. The access VLAN must be a secondary private VLAN.
- Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.
- Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.

In a switch stack, the stack master checks the status of the RADIUS servers by sending keepalive packets. When the status of a RADIUS server changes, the stack master sends the information to the stack members. The stack members can then check the status of RADIUS servers when re-authenticating critical ports.

If the new stack master is elected, the link between the switch stack and RADIUS server might change, and the new stack immediately sends keepalive packets to update the status of the RADIUS servers. If the server status changes from dead to alive, the switch re-authenticates all switch ports in the critical-authentication state.

When a member is added to the stack, the stack master sends the member the server status.

Using IEEE 802.1x Authentication with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:
- VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
- PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.

Before Cisco IOS Release 12.1(14)EA1, a switch in single-host mode accepted traffic from a single host, and voice traffic was not allowed. In multiple-hosts mode, the switch did not accept voice traffic until the client was authenticated on the primary VLAN, thus making the IP phone inoperable until the user logged in.

With Cisco IOS Release 12.1(14)EA1 and later, the IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone to work independently of IEEE 802.1x authentication.

In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.

A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.

When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
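
The voice VLAN rules stated above (the port VLAN cannot equal the voice VLAN on an IEEE 802.1x port, and multiple-hosts mode lets additional clients use the voice VLAN once one supplicant is authenticated) can be checked offline against a saved configuration. The Python audit below is an added example, not part of the Cisco guide; the sample configuration is constructed, and the parser assumes interface blocks that use the commands switchport access vlan, switchport voice vlan, dot1x port-control auto and dot1x host-mode multi-host.

```python
import re
# Constructed sample configuration for this example (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 20
 dot1x port-control auto
interface GigabitEthernet1/0/2
 switchport access vlan 30
 switchport voice vlan 30
 dot1x port-control auto
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport voice vlan 20
 dot1x port-control auto
 dot1x host-mode multi-host
interface GigabitEthernet1/0/4
 switchport access vlan 40
 switchport voice vlan 40
"""

def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return ports

def vlan_of(cmds, kind):
    """VLAN ID from 'switchport <kind> vlan N', or None if absent."""
    m = re.search(rf"^switchport {kind} vlan (\d+)$", "\n".join(cmds), re.M)
    return int(m.group(1)) if m else None

def audit(config):
    """Return sorted (interface, finding) pairs for 802.1x voice VLAN ports."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        pvid, vvid = vlan_of(cmds, "access"), vlan_of(cmds, "voice")
        if "dot1x port-control auto" not in cmds or vvid is None:
            continue  # the rules apply only to 802.1x-enabled voice VLAN ports
        if pvid == vvid:
            findings.append((name, "PVID equals VVID"))
        if "dot1x host-mode multi-host" in cmds:
            findings.append((name, "multi-host: voice VLAN open to additional clients"))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` reports port 1/0/2 for the VLAN collision and port 1/0/3 for multiple-hosts mode; port 1/0/4 is skipped because 802.1x is not enabled on it.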
