Cisco Systems IE3010 802.1x Multiple Authentication Mode, MAC Move

10-13

Cisco IE 3010 Switch Software Configuration Guide

OL-23145-01

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

• We do not recommend per-user ACLs with an MDA-enabled port. An authorized device wi th a

per-user ACL policy might impact traffic on both the port voice and data VLANs. You can use only

one device on the port to enforce per-user ACLs.

For more information, see the “Configuring the Host Mode” section on page 10-43.

802.1x Multiple Authentication Mode

Multiple-authentication (multiauth) mode allows multiple authenticated clients on the data VLAN. Each

host is individually authenticated. If a voice VLAN is configured, this mode also allows one client on

the VLAN. (If the port detects any additional voice clients, they are discarded from the port, but no

violation errors occur.)

If a hub or access point is connected to an 802.1x-enabled port, each connected client must be

authenticated.

For non-802.1x devices, you can use MAC authentication bypass or web authentication as the per-host

authentication fallback method to authenticate different hosts with different methods on a single port.

There is no limit to the number of data hosts can authenticate on a multiauthport. However, only one

voice device is allowed if the voice VLAN is configured. Since there is no host limit defined violation

will not be trigger, if a second voice is seen we silently discard it but do not trigger violation.

For MDA functionality on the voice VLAN, multiple-authentication mode assigns authenticated devices

to either a data or a voice VLAN, depending on the VSAs received from the authentication server.

Note When a port is in multiple-authentication mode, the guest VLAN and the authentication-failed VLAN

features do not activate.

For more information about critical authentication mode and the critical VLAN, see the “802.1x

Authentication with Inaccessible Authentication Bypass” section on page 10-23.

For more information about configuring multiauth mode on a port, see the “Configuring the Host Mode”

section on page 10-43.

MAC Move

When a MAC address is authenticated on one switch port, that address is not allowed on another

authentication manager-enabled port of the switch. If the switch detects that same MAC address on

another authentication manager-enabled port, the address is not allowed.

There are situations where a MAC address might need to move from one port to another o n the same

switch. For example, when there is another device (for example a hub or an IP phone) between an

authenticated host and a switch port, you might want to disconnect the host from the device and connect

it directly to another port on the same switch.

You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves

to a second port, the session on the first port is deleted, and the host is reauthenticated on the new port.

MAC move is supported on all host modes. (The authenticated host can move to any port o n the switch,

no matter which host mode is enabled on the that port.)

Beginning with Cisco IOS Release 12.2(55)SE, MAC move can be configured in all host modes, along

with port security.