6-8
Cisco Systems IntelligentGigabit Ethernet Switch Modules for the IBMBladeCenter, Software Configuration Guide
24R9746
Chapter6 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
When an IEEE 802.1x client address is manually removed from the port security table, we
recommend that you re-authenticate the client by entering the dot1x re-authenticate privileged
EXEC command.
For more information about enabling port security on your switch, see the “Configuring Port Security”
section on page 15-4.
Using IEEE 802.1x with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone
connected to the port.
PVID to carry the data traffic to and from the workstation connected to the switch through the IP
phone. The PVID is the native VLAN of the port.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode,
additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID.
When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the
VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly
connected to it. When IEEE 802.1x is enabled on a voice VLAN port, the switch drops packets from
unrecognized Cisco IP phones more than one hop away.
When IEEE 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice
VLAN.
Using IEEE 802.1x with VLAN Assignment
You can limit network access for certain users by using VLAN assignment. After successful IEEE
802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch
port. The RADIUS server database maintains the username-to-VLAN mappings, which assigns the
VLAN based on the username of the client connected to the switch port.
When configured on the switch and the RADIUS server, IEEE 802.1x with VLAN assignmen t has these
characteristics:
If no VLAN is supplied by the RADIUS server or if IEEE 802.1x authorization is disabled, the port
is configured in its access VLAN after successful authentication.
If IEEE 802.1x authorization is enabled but the VLAN information from the RADIUS server is not
valid, the port returns to the unauthorized state and remains in the configured access VLAN. This
prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration
error.
Configuration errors could include specifying a malformed VLAN ID, a nonexiste nt VLAN ID, or
attempted assignment to a voice VLAN ID.
If IEEE 802.1x authorization is enabled and all information from the RADIUS server is valid, the
port is placed in the specified VLAN after authentication.
If the multiple-hosts mode is enabled on an IEEE 802.1x port, all hosts are placed in the same VLAN
(specified by the RADIUS server) as the first authenticated host.