9-8
Catalyst 2960 Switch Software Configuration Guide
78-16881-01
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries
are removed from the secure host table.
Port security and a voice VLAN can be configured simultaneously on an IEEE 802.1x port that is in
either single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier
(VVID) and the port VLAN identifier (PVID).
For more information about enabling port security on your switch, see the “Configuring Port Security”
section on page 21-7.
Using IEEE 802.1x with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This
allows the phone to work independently of IEEE 802.1x authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode,
additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID.
When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the
VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several IP phones are connected in series, the switch recognizes only the one directly
connected to it. When IEEE 802.1x is enabled on a voice VLAN port, the switch drops packets from
unrecognized IP phones more than one hop away.
When IEEE 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice
VLAN.
Note If you enable IEEE 802.1x on an access port on which a voice VLAN is configured and to which a Cisco
IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
For more information about voice VLANs, see Chapter 14, “Configuring Voice VLAN.”
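As an added example, not taken from the guide itself, the interface configuration below contrasts a port whose PVID equals its VVID (rejected once IEEE 802.1x is enabled) with a valid voice VLAN port in single-host mode and one in multiple-hosts mode bounded by port security. VLAN numbers, interface names and the port-security maximum are assumed values, the global AAA/RADIUS and dot1x setup is assumed to exist already, and command syntax should be checked against the command reference for the running software version.

```cisco
! Assumed global prerequisites (already configured, not shown in full):
!   aaa new-model / radius-server host ... / aaa authentication dot1x default group radius
!   dot1x system-auth-control
!
! Rejected: with 802.1x enabled, the port VLAN (PVID) may not equal the voice VLAN (VVID).
! interface FastEthernet0/1
!  switchport access vlan 20
!  switchport voice vlan 20
!  dot1x port-control auto
!
! Valid, single-host mode (the default): only the IP phone is allowed on the VVID,
! and a single supplicant is authenticated on the PVID. Assumed VLANs: data 10, voice 20.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x port-control auto
 spanning-tree portfast
!
! Valid, multiple-hosts mode: once one supplicant authenticates on the PVID, additional
! clients may also send on the VVID, so port security (which covers both VVID and PVID)
! caps how many MAC addresses that authentication can admit. Maximum of 3 is an assumed value
! (phone, workstation, one spare); "restrict" drops extra addresses and counts violations.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x port-control auto
 dot1x host-mode multi-host
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 spanning-tree portfast
```

Administratively shutting down either port clears the dynamic entries from the secure host table, as described earlier in this section.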
Using IEEE 802.1x with VLAN Assignment
The RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server
database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of
the client connected to the switch port. You can use this feature to limit network access for certain users.