802.1x Multiple Authentication Mode
Multiple-authentication (multiauth) mode allows multiple authenticated clients on the data VLAN. Each host
is individually authenticated. If a voice VLAN is configured, this mode also allows one client on the VLAN.
(If the port detects any additional voice clients, they are discarded from the port, but no violation errors occur.)
If a hub or access point is connected to an 802.1x-enabled port, each connected client must be authenticated.
For non-802.1x devices, you can use MAC authentication bypass or web authentication as the per-host
authentication fallback method to authenticate different hosts with different methods on a single port.
There is no limit to the number of data hosts can authenticate on a multiauthport. However, only one voice
device is allowed if the voice VLAN is configured. Since there is no host limit defined violation will not be
trigger, if a second voice is seen we silently discard it but do not trigger violation. For MDA functionality on
the voice VLAN, multiple-authentication mode assigns authenticated devices to either a data or a voice VLAN,
depending on the VSAs received from the authentication server.
When a port is in multiple-authentication mode, the guest VLAN and the authentication-failed VLAN
features do not activate.
Note
You can assign a RADIUS-server-supplied VLAN in multi-auth mode, under the following conditions:
•
The host is the first host authorized on the port, and the RADIUS server supplies VLAN information
•
Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
•
A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN
assignment, or their VLAN information matches the operational VLAN.
•
The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have
no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts
must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are
subject to the conditions specified in the VLAN list.
•
Only one voice VLAN assignment is supported on a multi-auth port.
•
After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information
or be denied access to the port.
•
You cannot configure a guest VLAN or an auth-fail VLAN in multi-auth mode.
•
The behavior of the critical-auth VLAN is not changed for multi-auth mode. When a host tries to
authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
Multi-auth Per User VLAN assignment
This feature is supported only on Catalyst 2960X switches running the LAN base imageNote
The Multi-auth Per User VLAN assignment feature allows you to create multiple operational access VLANs
based on VLANs assigned to the clients on the port that has a single configured access VLAN. The port
configured as an access port where the traffic for all the VLANs associated with data domain is not dot1q
tagged, and these VLANs are treated as native VLANs.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 273
Configuring IEEE 802.1x Port-Based Authentication
802.1x Multiple Authentication Mode
To Next Page
Loading...
Need help?
General