Cisco Systems IE3010 Multidomain Authentication

10-12

Cisco IE 3010 Switch Software Configuration Guide

OL-23145-01

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

The switch supports multidomain authentication (MDA), which allows both a data device and a voice

device, such as an IP Phone (Cisco or non-Cisco), to connect to the same switch port. For more

information, see the “Multidomain Authentication” section on page 10-12.

Multidomain Authentication

The switch supports multidomain authentication (MDA), which allows both a data device and voice

device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is

divided into a data domain and a voice domain.

MDA does not enforce the order of device authentication. However, for best results, we recommend that

a voice device is authenticated before a data device on an MDA-enabled port.

Follow these guidelines for configuring MDA:

• To configure a switch port for MDA, see the “Configuring the Host Mode” section on page 10-43.

• You must configure the voice VLAN for the IP phone when the host mode is set to multidomain.

For more information, see Chapter 14, “Configuring VLANs.”

• To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value

(AV) pair attribute with a value of device-traffic-class=voice. Without this value, the switch

treats the voice device as a data device.

• The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled

port. The switch treats a voice device that fails authorization as a data device.

• If more than one device attempts authorization on either the voice or the data domain of a port, it is

error disabled.

• Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are

allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a

DHCP server to obtain an IP address and acquire the voice VLAN information. After the voice

device starts sending on the voice VLAN, its access to the data VLAN i s blocked.

• A voice device MAC address that is binding on the data VLAN is not counted t owards the port

security MAC address limit.

• MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to

connect to devices that do not support 802.1x authentication. For more information, see the “MAC

Authentication Bypass” section on page 10-37.

• When a data or a voice device is detected on a port, its MAC address is blocked until authorization

succeeds. If the authorization fails, the MAC address remains blocked for 5 minutes.

• If more than five devices are detected on the data VLAN or more than one voice device is detected

on the voice VLAN while a port is unauthorized, the port is error disabled.

• When a port host mode changes from single- or multihost to multidomain mode, an authorized data

device remains authorized on the port. However, a Cisco IP phone on the port voice VLAN is

automatically removed and must be reauthenticated on that port.

• Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a

port changes from single-host or multiple-host mode to multidom ain mode.

• Switching a port host mode from multidomain to single-host or multiple-hosts mode removes all

authorized devices from the port.

• If a data domain is authorized first and placed in the guest VLAN, non-802.1x-capable voice devices

need their packets tagged on the voice VLAN to trigger authentication. The phone need not need to

send tagged traffic. (The same is true for an 802.1x-capable phone.)