1-13
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Note When a port is in multiple-authentication mode, the guest VLAN and authentication-failed VLAN
features do not activate.
Beginning with Cisco IOS Release 12.2(55)SE, you can assign a RADIUS-server-supplied VLAN in
multi-auth mode, under these conditions:
• The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
• Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
• A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no
VLAN assignment, or their VLAN information matches the operational VLAN.
• The first host authorized on the port has a group VLAN assignment, and subsequent hosts either
have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent
hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all
hosts are subject to the conditions specified in the VLAN list.
• Only one voice VLAN assignment is supported on a multi-auth port.
• After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN
information or be denied access to the port.
• You cannot configure a guest VLAN or an auth-fail VLAN in multi-auth mode.
• The behavior of the critical-auth VLAN is not changed for multi-auth mode. When a host tries to
authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured
VLAN.
For more information about critical authentication mode and the critical VLAN, see the “802.1x
Authentication with Inaccessible Authentication Bypass” section on page 1-23.
For more information see the “Configuring the Host Mode” section on page 1-47.
MAC Move
When a MAC address is authenticated on one switch port, that address is not allowed on another
authentication manager-enabled port of the switch. If the switch detects that same MAC address on
another authentication manager-enabled port, the address is not allowed.
There are situations where a MAC address might need to move from one port to another on the same
switch. For example, when there is another device (for example a hub or an IP phone) between an
authenticated host and a switch port, you might want to disconnect the host from the device and connect
it directly to another port on the same switch.
You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves
to a second port, the session on the first port is deleted, and the host is reauthenticated on the new port.
MAC move is supported on all host modes. (The authenticated host can move to any port on the switch,
no matter which host mode is enabled on the that port.)
When a MAC address moves from one port to another, the switch terminates the authenticated session
on the original port and initiates a new authentication sequence on the new port.
The MAC move feature applies to both voice and data hosts.
Note In open authentication mode, a MAC address is immediately moved from the original port to the new
port, with no requirement for authorization on the new port.
To Next Page
Loading...
Need help?
General
