10-19
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
802.1x Authentication with VLAN Assignment
The RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server
database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of
the client connected to the switch port. You can use this feature to limit network access for certain users.
Voice device authentication is supported with multidomain host mode in Cisco IOS Release 12.2(37)SE.
In Cisco IOS Release 12.2(40)SE and later, when a voice device is authorized and the RADIUS server
returned an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on
the assigned voice VLAN. Voice VLAN assignment behaves the same as data VLAN assignment on
multidomain authentication (MDA)-enabled ports. For more information, see the “Multidomain
Authentication” section on page 10-13.
When configured on the switch and the RADIUS server, 802.1x authentication with VLAN assignment
has these characteristics:
If no VLAN is supplied by the RADIUS server or if 802.1x authent ication is disabled, the port is
configured in its access VLAN after successful authentication. Recall that an access VLAN is a
VLAN assigned to an access port. All packets sent from or received on this port belong to this
VLAN.
If 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid,
authorization fails and configured VLAN remains in use. This prevents ports from appearing
unexpectedly in an inappropriate VLAN because of a configuration error.
Configuration errors could include specifying a malformed VL AN ID, a nonexistent VLAN ID, an
RSPAN VLAN, a shut down or suspended VLAN. In the case of a mutlidomain host port ,
configuration errors can also be due to an attempted assignment o f a data VLAN that matches the
configured or assigned voice VLAN ID (or the reverse).
If 802.1x authentication is enabled and all information from the RADIUS ser ver is valid, the
authorized device is placed in the specified VLAN after authentication.
If the multiple-hosts mode is enabled on an 802.1x port, all hosts are placed in the same VLAN
(specified by the RADIUS server) as the first authenticated host.
Enabling port security does not impact the RADIUS server-assigned VLAN behavior.
If 802.1x authentication is disabled on the port, it is returned to the configured access VLAN and
configured voice VLAN.
If an 802.1x port is authenticated and put in the RADI US server-assigned VLAN, any change to the
port access VLAN configuration does not take effect. In the case of a multidomain host, the same
applies to voice devices when the port is fully authorized with these exceptions:
If the VLAN configuration change of one device results in matching the other device configured
or assigned VLAN, then authorization of all devices on the port is terminated and multidomain
host mode is disabled until a valid configuration is restored where data and voice device
configured VLANs no longer match.
If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice
VLAN configuration, or modifying the configuration value to dot1p or untagg ed results in voice
device un-authorization and the disablement of multi-domain host mode.
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown stat e, it is put
into the configured access VLAN.
The 802.1x authentication with VLAN assignment featu re is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).