11-33
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
MACsec, MKA and 802.1x Host Modes
You can use MACsec and the MKA Protocol with 802.1x single-host mode, multiple-host mode, or Multi
Domain Authentication (MDA) mode. Multiple authentication mode is not supported.
Note: Although the software supports MDA mode, there are no IP phones that support MACsec and MKA.

Single-Host Mode

Figure 11-7 shows how a single EAP authenticated session is secured by MACsec by using MKA.
Figure 11-7 MACsec in Single-Host Mode with a Secured Data Session
The same switch port hosts an unsecured phone session using CDP bypass. Because CDP bypass mode
bypasses authentication and grants access based only on device type, the switch does not attempt to enter
into an MKA exchange with the phone. If a voice VLAN is configured, CDP packets bypass MACsec.
For secure voice access, you should use MDA mode.

Multiple-Host Mode

In standard (not 802.1x REV) 802.1x multiple-host mode, a port is open or closed based on a single
authentication. If one user, the primary secured client host, is authenticated, the same level of
network access is provided to any host connected to the same port. If a secondary host is a
MACsec supplicant, it cannot be authenticated and its traffic does not flow. A secondary host that is a
non-MACsec host can send traffic to the network without authentication because the port is in
multiple-host mode. See Figure 11-8.
Figure 11-8 MACsec in Standard Multiple-Host Mode - Unsecured
[Figure 11-7 callouts: AAA access-control system; switch with MACsec configured; "Unsecured", "IP", "Host"]
[Figure 11-8 callouts: AAA access-control system; switch with MACsec configured; primary host; two secondary hosts]
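As an added example (not configuration taken from this guide), the interface configuration that gives the secure-voice arrangement the text recommends, MDA host mode with MACsec enforced, next to the multiple-host configuration Figure 11-8 describes. The interface names, VLAN numbers and the MKA policy name are constructed assumptions.

```cisco
! Added example, not from the original guide. Interface names, VLAN
! numbers and the policy name "mka-replay" are constructed assumptions.
!
! Global MKA policy: bound the replay-protection window.
mka policy mka-replay
 replay-protection window-size 300
!
! Recommended for secure voice: MDA, one data domain and one voice domain,
! each authenticated on its own rather than riding on a single authentication.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Enable MACsec and refuse to authorize a session that cannot negotiate it.
 macsec
 authentication linksec policy must-secure
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation protect
 mka policy mka-replay
 dot1x pae authenticator
 spanning-tree portfast
!
! For comparison, the mode of Figure 11-8: one authentication opens the
! port for every host behind it, a non-MACsec secondary host passes traffic
! unauthenticated, and a secondary MACsec supplicant cannot be authenticated.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 macsec
 authentication host-mode multi-host
 authentication port-control auto
 mka policy mka-replay
 dot1x pae authenticator
!
! Verification after a host connects:
!   show mka sessions
!   show macsec interface GigabitEthernet1/0/1
!   show authentication sessions interface GigabitEthernet1/0/1
```

On the MDA port, `show authentication sessions` should list the data host and the voice device as separate sessions, and `show mka sessions` should show a secured MKA session only for the MACsec-capable host.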