11-12
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
802.1x Host Mode
You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode (see
Figure 12-1 on page 12-2), only one client can be connected to the 802.1x-enabled switch port. The
switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If
a client leaves or is replaced with another client, the switch changes the port link state to down, and the
port returns to the unauthorized state.
In multiple-hosts mode, you can attach multiple hosts to a single 802.1x-enabled port. Figure 11-5 on
page 11-12 shows 802.1x port-based authentication in a wireless LAN. In this mode, only one of the
attached clients must be authorized for all clients to be granted network access. If the port becomes
unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies
network access to all of the attached clients. In this topology, the wireless access point is responsible for
authenticating the clients attached to it, and it also acts as a client to the switch.
With the multiple-hosts mode enabled, you can use 802.1x authentication to authenticate the port and
port security to manage network access for all MAC addresses, including that of the client.
Figure 11-5 Multiple Host Mode Example
802.1x Multiple Authentication Mode
Multiple-authentication (multiauth) mode allows one client on the voice VLAN and multiple
authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1x-enabled
port, multiple-authentication mode provides enhanced security over multiple-hosts mode by requiring
authentication of each connected client. For non-802.1x devices, you can use MAC authentication
bypass or web authentication as the fallback method for individual host authentications to authenticate
different hosts through by different methods on a single port.
Multiple-authentication mode also supports MDA functionality on the voice VLAN by assigning
authenticated devices to either a data or voice VLAN, depending on the VSAs received from the
authentication server.
Note When a port is in multiple-authentication mode, the RADIUS-server-supplied VLAN assignment, guest
VLAN, and the authentication-failed VLAN features do not activate.
For more information about critical authentication mode and the critical VLAN, see the “802.1x
Authentication with Inaccessible Authentication Bypass” section on page 11-20.
For more information see the “Configuring the Host Mode” section on page 11-44.
101227
Wireless clients
Access point
Authentication
server
(RADIUS)