9-14
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
OL-12247-04
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Multiple-authentication mode also supports MDA functionality on the voice VLAN by assigning
authenticated devices to either a data or voice VLAN, depending on the VSAs received from the
authentication server.
Note
When a port is in multiple-authentication mode, the RADIUS-server-supplied VLAN assignment, guest
VLAN, and the authentication-failed VLAN features do not activate.
For more information about critical authentication mode and the critical VLAN, see the
Authentication with Inaccessible Authentication Bypass” section on page 9-22
.
For more information see the
“Configuring the Host Mode” section on page 9-42.
MAC Move
When a MAC address is authenticated on one switch port, that address is not allowed on another 802.1x
port of the switch. If the switch detects that same MAC address on another 802.1x port, the address is
not allowed.
There are situations where a MAC address might need to move from one port to another on the same
switch. For example, when there is another device (for example a hub or an IP phone) between an
authenticated host and a switch port, you might want to disconnect the host from the device and connect
it directly to another port on the same switch.
You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves
to a second port, the session on the first port is deleted, and the host is reauthenticated on the new port.
MAC move is supported on all host modes. (The authenticated host can move to any port on the switch,
no matter which host mode is enabled on the that port.)
Note
MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured
on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs.
For more information see the
“Enabling MAC Move” section on page 9-47.
802.1x Accounting
The 802.1x standard defines how users are authorized and authenticated for network access but does not
keep track of network usage. 802.1x accounting is disabled by default. You can enable 802.1x accounting
to monitor this activity on 802.1x-enabled ports:
•
User successfully authenticates.
•
User logs off.
•
Link-down occurs.
•
Re-authentication successfully occurs.
•
Re-authentication fails.
The switch does not log 802.1x accounting information. Instead, it sends this information to the
RADIUS server, which must be configured to log accounting messages.