12-12
Cisco IE 3000 Switch Software Configuration Guide
OL-13018-03
Chapter 12 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
•
If a data domain is authorized first and placed in the guest VLAN, non-802.1x-capable voice devices
need their packets tagged on the voice VLAN to trigger authentication.
•
We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a
per-user ACL policy might impact traffic on both the port voice and data VLANs. You can use only
one device on the port to enforce per-user ACLs.
For more information, see the
“Configuring the Host Mode” section on page 12-35
.
802.1x Multiple Authentication Mode
Multiple-authentication (multiauth) mode allows one client on the voice VLAN and multiple
authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1x-enabled
port, multiple-authentication mode provides enhanced security over multiple-hosts mode by requiring
authentication of each connected client. For non-802.1x devices, you can use MAC authentication
bypass or web authentication as the fallback method for individual host authentications to authenticate
different hosts through by different methods on a single port.
Note
Multiple-authentication mode is limited to eight authentications (hosts) per port.
Multiple-authentication mode also supports MDA functionality on the voice VLAN by assigning
authenticated devices to either a data or voice VLAN, depending on the VSAs received from the
authentication server.
Note
When a port is in multiple-authentication mode, all the VLAN assignment features, including the
RADIUS server supplied VLAN assignment, the Guest VLAN, the Inaccessible Authentication Bypass,
and the Authentication Failed VLAN do not activate.
For more information see the
“Configuring the Host Mode” section on page 12-35.
802.1x Accounting
The 802.1x standard defines how users are authorized and authenticated for network access but does not
keep track of network usage. 802.1x accounting is disabled by default. You can enable 802.1x accounting
to monitor this activity on 802.1x-enabled ports:
•
User successfully authenticates.
•
User logs off.
•
Link-down occurs.
•
Re-authentication successfully occurs.
•
Re-authentication fails.
The switch does not log 802.1x accounting information. Instead, it sends this information to the
RADIUS server, which must be configured to log accounting messages.