In a switch stack:
•
The stack master checks the status of the RADIUS servers by sending keepalive packets. When the
status of a RADIUS server changes, the stack master sends the information to the stack members. The
stack members can then check the status of RADIUS servers when re-authenticating critical ports.
•
If the new stack master is elected, the link between the switch stack and RADIUS server might change,
and the new stack immediately sends keepalive packets to update the status of the RADIUS servers. If
the server status changes from dead to alive, the switch re-authenticates all switch ports in the
critical-authentication state.
When a member is added to the stack, the stack master sends the member the server status.
Switch stacks are supported only on Catalyst 2960-S switches running the LAN base image.Note
802.1x Critical Voice VLAN
When an IP phone connected to a port is authenticated by the access control server (ACS), the phone is put
into the voice domain. If the ACS is not reachable, the switch cannot determine if the device is a voice device.
If the server is unavailable, the phone cannot access the voice network and therefore cannot operate.
For data traffic, you can configure inaccessible authentication bypass, or critical authentication, to allow traffic
to pass through on the native VLAN when the server is not available. If the RADIUS authentication server
is unavailable (down) and inaccessible authentication bypass is enabled, the switch grants the client access
to the network and puts the port in the critical-authentication state in the RADIUS-configured or the
user-specified access VLAN. When the switch cannot reach the configured RADIUS servers and new hosts
cannot be authenticated, the switch connects those hosts to critical ports. A new host trying to connect to the
critical port is moved to a user-specified access VLAN, the critical VLAN, and granted limited authentication.
You can enter the authentication event server dead action authorize voice interface configuration command
to configure the critical voice VLAN feature. When the ACS does not respond, the port goes into critical
authentication mode. When traffic coming from the host is tagged with the voice VLAN, the connected device
(the phone) is put in the configured voice VLAN for the port. The IP phones learn the voice VLAN identification
through CDP (Cisco devices) or through LLDP or DHCP.
You can configure the voice VLAN for a port by entering the switchport voice vlan vlan-id interface
configuration command.
This feature is supported in multidomain and multi-auth host modes. Although you can enter the command
when the switch in single-host or multi-host mode, the command has no effect unless the device changes to
multidomain or multi-auth host mode.
802.1x User Distribution
You can configure 802.1x user distribution to load-balance users with the same group name across multiple
different VLANs.
The VLANs are either supplied by the RADIUS server or configured through the switch CLI under a VLAN
group name.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 287
Configuring IEEE 802.1x Port-Based Authentication
802.1x Critical Voice VLAN
To Next Page
Loading...
Need help?
General
Weight and Dimensions
