Cisco IE 4000, Software Configuration Manual

Page: 206 / 1066

202
Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication

If an 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port access VLAN
configuration does not take effect. In the case of a multidomain host, the same applies to voice devices when the
port is fully authorized with these exceptions:
— If the VLAN configuration change of one device results in matching the other device configured or assigned
VLAN, then authorization of all devices on the port is terminated and multidomain host mode is disabled until a
valid configuration is restored where data and voice device configured VLANs no longer match.
— If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice VLAN
configuration, or modifying the configuration value to
dot1p or untagged results in voice device un-authorization
and the disablement of multi-domain host mode.
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into the configured
access VLAN.
The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with
dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:

Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.

Enable 802.1x authentication. (The VLAN assignment feature is automatically enabled when you configure 802.1x
authentication on an access port.)

Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the
switch:
— [64] Tunnel-Type = VLAN
— [65] Tunnel-Medium-Type = 802
— [81] Tunnel-Private-Group-ID = VLAN name, VLAN ID, or VLAN-Group
— [83] Tunnel-Preference
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute
[81] specifies the VLAN name or VLAN ID assigned to the 802.1x-authenticated user.
For examples of tunnel attributes, see Configuring Vendor-Specific RADIUS Attributes: Examples, page 185 .
Voice Aware 802.1x Security
You use the voice aware 802.1x security feature on the switch to disable only the VLAN on which a security violation
occurs, whether it is a data or voice VLAN. You can use this feature in IP phone deployments where a PC is connected
to the IP phone. A security violation found on the data VLAN results in the shutdown of only the data VLAN. The traffic
on the voice VLAN flows through the switch without interruption.
Follow these guidelines to configure voice aware 802.1x voice security on the switch:

You enable voice aware 802.1x security by entering the errdisable detect cause security-violation shutdown vlan
global configuration command. You disable voice aware 802.1x security by entering the no version of this command.
This command applies to all 802.1x-configured ports in the switch.
Note: If you do not include the shutdown vlan keywords, the entire port is shut down when it enters the error-disabled
state.

If you use the errdisable recovery cause security-violation global configuration command to configure
error-disabled recovery, the port is automatically reenabled. If error-disabled recovery is not configured for the port,
you reenable it by using the
shutdown and no-shutdown interface configuration commands.