Cisco Systems 3560 Manual De Usuario
10-11
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
The switch supports Multi-Domain Authentication (MDA), which allows both a data device and a voice
device, such as an IP Phone (Cisco or non-Cisco), to connect to the same switch port. For more
information, see the
device, such as an IP Phone (Cisco or non-Cisco), to connect to the same switch port. For more
information, see the
.
Multidomain Authentication
The switch supports multidomain authentication (MDA), which allows both a data device and voice
device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is
divided into a data domain and a voice domain.
device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is
divided into a data domain and a voice domain.
MDA does not enforce the order of device authentication. However, for best results, we recommend that
a voice device is authenticated before a data device on an MDA-enabled port.
a voice device is authenticated before a data device on an MDA-enabled port.
Follow these guidelines for configuring MDA:
•
To configure a switch port for MDA, see the
•
You must configure the voice VLAN for the IP phone when the host mode is set to multidomain. For
more information, see
more information, see
•
Voice VLAN assignment on an MDA-enabled port is supported in Cisco IOS Release 12.2(40)SE
and later.
and later.
Note
If you use a dynamic VLAN to assign a voice VLAN on an MDA-enabled switch port on a switch
running Cisco IOS Release 12.2(37)SE, the voice device fails authorization.
running Cisco IOS Release 12.2(37)SE, the voice device fails authorization.
•
To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value
(AV) pair attribute with a value of
(AV) pair attribute with a value of
device-traffic-class=voice
. Without this value, the switch
treats the voice device as a data device.
•
The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled
port. The switch treats a voice device that fails authorization as a data device.
port. The switch treats a voice device that fails authorization as a data device.
•
If more than one device attempts authorization on either the voice or the data domain of a port, it is
error disabled.
error disabled.
•
Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are
allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a
DHCP server to obtain an IP address and acquire the voice VLAN information. After the voice
device starts sending on the voice VLAN, its access to the data VLAN is blocked.
allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a
DHCP server to obtain an IP address and acquire the voice VLAN information. After the voice
device starts sending on the voice VLAN, its access to the data VLAN is blocked.
•
A voice device MAC address that is binding on the data VLAN is not counted towards the port
security MAC address limit.
security MAC address limit.
•
You can use dynamic VLAN assignment from a RADIUS server only for data devices.
•
MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to
connect to devices that do not support 802.1x authentication. For more information, see the
connect to devices that do not support 802.1x authentication. For more information, see the
•
When a data or a voice device is detected on a port, its MAC address is blocked until authorization
succeeds. If the authorization fails, the MAC address remains blocked for 5 minutes.
succeeds. If the authorization fails, the MAC address remains blocked for 5 minutes.
•
If more than five devices are detected on the data VLAN or more than one voice device is detected
on the voice VLAN while a port is unauthorized, the port is error disabled.
on the voice VLAN while a port is unauthorized, the port is error disabled.
•
When a port host mode changes from single- or multihost to multidomain mode, an authorized data
device remains authorized on the port. However, a Cisco IP phone on the port voice VLAN is
automatically removed and must be reauthenticated on that port.
device remains authorized on the port. However, a Cisco IP phone on the port voice VLAN is
automatically removed and must be reauthenticated on that port.