Cisco Systems 3560-X, 3750-X Flexible Authentication Ordering, Open1x Authentication, Multidomain Authentication

11-27

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 11 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication

Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based

authentication except that you must configure a posture token on the RADIUS server. For information

about configuring NAC Layer 2 IEEE 802.1x validation, see the “Configuring NAC Layer 2 IEEE 802.1x

Validation” section on page 11-58 and the “Configuring Periodic Re-Authentication” section on

page 11-45.

For more information about NAC, see the Network Admission Control Software Configuration Guide.

For more configuration information, see the “Authentication Manager” section on page 11-8.

Flexible Authentication Ordering

You can use flexible authentication ordering to configure the order of methods that a port uses to

authenticate a new host. MAC authentication bypass and 802.1x can be the primary or secondary

authentication methods, and web authentication can be the fallback method if either or both of those

authentication attempts fail. For more information see the “Configuring Flexible Authentication

Ordering” section on page 11-64.

Open1x Authentication

Open1x authentication allows a device access to a port before that device is authenticated. When open

authentication is configured, a new host on the port can only send traffic to the switch. After the host is

authenticated, the policies configured on the RADIUS server are applied to that host.

You can configure open authentication with these scenarios:

• Single-host mode with open authentication–Only one user is allowed network access before and

after authentication.

• MDA mode with open authentication–Only one user in the voice domain and one user in the data

domain are allowed.

• Multiple-hosts mode with open authentication–Any host can access the network.

• Multiple-authentication mode with open authentication–Similar to MDA, except multiple hosts can

be authenticated.

For more information see the “Configuring the Host Mode” section on page 11-44.

Multidomain Authentication

The switch supports multidomain authentication (MDA), which allows both a data device and voice

device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is

divided into a data domain and a voice domain.

MDA does not enforce the order of device authentication. However, for best results, we recommend that

a voice device is authenticated before a data device on an MDA-enabled port.

Follow these guidelines for configuring MDA:

• To configure a switch port for MDA, see the “Configuring the Host Mode” section on page 11-44.

• You must configure the voice VLAN for the IP phone when the host mode is set to multidomain. For

more information, see Chapter 17, “Configuring Voice VLAN.”

• Voice VLAN assignment on an MDA-enabled port is supported.