Cisco Systems IE3010 802.1x Authentication with Voice VLAN Ports

10-24

Cisco IE 3010 Switch Software Configuration Guide

OL-23145-01

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

You can configure the critical port to reinitialize hosts and move them out of the critical VLAN when

the RADIUS server is again available. When this is configured, all critical ports in the

critical-authentication state are automatically re-authenticated. For more information, see the command

reference for this release and the “Configuring the Inaccessible Aut hentication Bypass Feature” section

on page 10-54.

Feature Interactions

Inaccessible authentication bypass interacts with these features:

• Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest

VLAN is enabled on 8021.x port, the features interact as follows:

–

If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when

the switch does not receive a response to its EAP request/identity frame or when EAPOL

packets are not sent by the client.

–

If all the RADIUS servers are not available and the client is connected to a critical port, the

switch authenticates the client and puts the critical port in the critical-authentication state in the

RADIUS-configured or user-specified access VLAN.

–

If all the RADIUS servers are not available and the client is not connected to a critical port, the

switch might not assign clients to the guest VLAN if one is configured.

–

If all the RADIUS servers are not available and if a client is connected to a critical port and was

previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.

• Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers

are unavailable, the switch puts the critical port in the critical-authentication state in the restricted

VLAN.

• 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.

• Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port.

The access VLAN must be a secondary private VLAN.

• Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the

RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.

• Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the

RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.

802.1x Authentication with Voice VLAN Ports

A voice VLAN port is a special access port associated with two VLAN identifiers:

• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone

connected to the port.

• PVID to carry the data traffic to and from the workstation connected to the switch through the IP

phone. The PVID is the native VLAN of the port.

The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This

allows the phone to work independently of 802.1x authentication.

In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode,

additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID.

When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the

VVID.