802.1x Critical Voice VLAN
When an IP phone connected to a port is authenticated by the access control server (ACS), the phone is put
into the voice domain. If the ACS is not reachable, the switch cannot determine if the device is a voice device.
If the server is unavailable, the phone cannot access the voice network and therefore cannot operate.
For data traffic, you can configure inaccessible authentication bypass, or critical authentication, to allow traffic
to pass through on the native VLAN when the server is not available. If the RADIUS authentication server
is unavailable (down) and inaccessible authentication bypass is enabled, the switch grants the client access
to the network and puts the port in the critical-authentication state in the RADIUS-configured or the
user-specified access VLAN. When the switch cannot reach the configured RADIUS servers and new hosts
cannot be authenticated, the switch connects those hosts to critical ports. A new host trying to connect to the
critical port is moved to a user-specified access VLAN, the critical VLAN, and granted limited authentication.
You can enter the
authentication event server dead action authorize voice
interface configuration command
to configure the critical voice VLAN feature. When the ACS does not respond, the port goes into critical
authentication mode. When traffic coming from the host is tagged with the voice VLAN, the connected device
(the phone) is put in the configured voice VLAN for the port. The IP phones learn the voice VLAN identification
through CDP (Cisco devices) or through LLDP or DHCP.
You can configure the voice VLAN for a port by entering the
switchport voice vlan vlan-id
interface
configuration command.
This feature is supported in multidomain and multi-auth host modes. Although you can enter the command
when the switch in single-host or multi-host mode, the command has no effect unless the device changes to
multidomain or multi-auth host mode.
802.1x User Distribution
You can configure 802.1x user distribution to load-balance users with the same group name across multiple
different VLANs.
The VLANs are either supplied by the RADIUS server or configured through the switch CLI under a VLAN
group name.
•
Configure the RADIUS server to send more than one VLAN name for a user. The multiple VLAN names
can be sent as part of the response to the user. The 802.1x user distribution tracks all the users in a
particular VLAN and achieves load balancing by moving the authorized user to the least populated
VLAN.
•
Configure the RADIUS server to send a VLAN group name for a user. The VLAN group name can be
sent as part of the response to the user. You can search for the selected VLAN group name among the
VLAN group names that you configured by using the switch CLI. If the VLAN group name is found,
the corresponding VLANs under this VLAN group name are searched to find the least populated VLAN.
Load balancing is achieved by moving the corresponding authorized user to that VLAN.
The RADIUS server can send the VLAN information in any combination of VLAN-IDs,
VLAN names, or VLAN groups.
Note
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1343
Information About 802.1x Port-Based Authentication
Содержание Catalyst 2960 Series
Страница 78: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches lxxviii Contents ...
Страница 96: ......
Страница 184: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 102 Additional References ...
Страница 195: ...P A R T II IP Multicast Routing Configuring IGMP Snooping and Multicast VLAN Registration page 115 ...
Страница 196: ......
Страница 250: ......
Страница 292: ......
Страница 488: ......
Страница 589: ...P A R T VI Cisco Flexible NetFlow Configuring NetFlow Lite page 509 ...
Страница 590: ......
Страница 619: ...P A R T VII QoS Configuring QoS page 539 Configuring Auto QoS page 645 ...
Страница 620: ......
Страница 749: ...P A R T VIII Routing Configuring IP Unicast Routing page 669 Configuring IPv6 First Hop Security page 677 ...
Страница 750: ......
Страница 796: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 714 Additional References ...
Страница 856: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 774 Additional References ...
Страница 1400: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1318 Additional References ...
Страница 1546: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1464 Auto Identity ...
Страница 1596: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1514 Additional References ...
Страница 1604: ......
Страница 1740: ......
Страница 1764: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1682 Additional References ...
Страница 1942: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1860 cli_write ...
Страница 1950: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1868 context_save ...
Страница 2058: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1976 event_register_wdsysmon ...
Страница 2076: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1994 smtp_subst ...
Страница 2090: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2008 sys_reqinfo_syslog_history ...
Страница 2104: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2022 unregister_counter ...
Страница 2105: ...P A R T XII Configuring Cisco IOS IP SLAs Configuring Cisco IP SLAs page 2025 ...
Страница 2106: ......
Страница 2118: ......
Страница 2164: ......