Cisco Systems OL-8550-09 MAC Move

10-15

Catalyst 3750 SwitchSoftware Configuration Guide

OL-8550-09

Chapter10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

If a hub or access point is connected to an 802.1x-enabled port, each connected client must be

authenticated.

For non-802.1x devices, you can use MAC authentication bypass or web authentication as the per-host

authentication fallback method to authenticate different hosts with different methods on a single port.

There is no limit to the number of data hosts can authenticate on a multiauthport. However, only one

voice device is allowed if the voice VLAN is configured. Since there is no host limit defined violation

will not be trigger, if a second voice is seen we silently discard it but do not trigger violation.

For MDA functionality on the voice VLAN, multiple-authentication mode assigns authenticated devices

to either a data or a voice VLAN, depending on the VSAs received from the authentication server.

Note When a port is in multiple-authentication mode, the guest VLAN and the authentication-failed VLAN

features do not activate.

For more information about critical authentication mode and the critical VLAN, see the “802.1x

Authentication with Inaccessible Authentication Bypass” section on page 10-25.

For more information about configuring multiauth mode on a port, see the “Configuring the Host Mode”

section on page 10-46.

Beginning with Cisco IOS Release 12.2(55)SE, you can assign a RADIUS-server-supplied VLAN in

multi-auth mode, under these conditions:

•The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.

•Subsequent hosts are authorized with a VLAN that matches the operational VLAN.

•A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no

VLAN assignment, or their VLAN information matches the operational VLAN.

•The first host authorized on the port has a group VLAN assignment, and subsequent hosts either

have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent

hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all

hosts are subject to the conditions specified in the VLAN list.

•Only one voice VLAN assignment is supported on a multi-auth port.

•After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN

information or be denied access to the port.

•You cannot configure a guest VLAN or an auth-fail VLAN in multi-auth mode.

•The behavior of the critical-auth VLAN is not changed for multi-auth mode. When a host tries to

authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured

VLAN.

MAC Move

When a MAC address is authenticated on one switch port, that address is not allowed on another

authentication manager-enabled port of the switch. If the switch detects that same MAC address on

another authentication manager-enabled port, the address is not allowed.

There are situations where a MAC address might need to move from one port to another on the same

switch. For example, when there is another device (for example a hub or an IP phone) between an

authenticated host and a switch port, you might want to disconnect the host from the device and connect

it directly to another port on the same switch.