9-21
Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide
OL-12247-01
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
•
If more than one device attempts authorization on either the voice or the data domain of a port, it is
error disabled.
•
Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are
allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a
DHCP server to obtain an IP address and acquire the voice VLAN information. After the voice
device starts sending on the voice VLAN, its access to the data VLAN is blocked.
•
A voice device MAC address that is binding on the data VLAN is not counted towards the port
security MAC address limit.
•
You can use dynamic VLAN assignment from a RADIUS server only for data devices.
•
MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to
connect to devices that do not support IEEE 802.1x authentication. For more information, see the
“MAC Authentication Bypass” section on page 9-26
.
•
When a data or a voice device is detected on a port, its MAC address is blocked until authorization
succeeds. If the authorization fails, the MAC address remains blocked for 5 minutes.
•
If more than five devices are detected on the data VLAN or more than one voice device is detected
on the voice VLAN while a port is unauthorized, the port is error disabled.
•
When a port host mode is changed from single- or multihost to multidomain mode, an authorized
data device remains authorized on the port. However, a Cisco IP phone that has been allowed on the
port voice VLAN is automatically removed and must be reauthenticated on that port.
•
Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a
port changes from single- or multihost mode to multidomain mode.
•
Switching a port host mode from multidomain to single- or multihost mode removes all authorized
devices from the port.
•
If a data domain is authorized first and placed in the guest VLAN, non-IEEE 802.1x-capable voice
devices need to tag their packets on the voice VLAN to trigger authentication.
•
We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a
per-user ACL policy might impact traffic on both the voice and data VLANs of the port. If used,
only one device on the port should enforce per-user ACLs.
Using Web Authentication
You can use a web browser to authenticate a client that does not support IEEE 802.1x functionality. This
feature can authenticate up to eight users on the same shared port and apply the appropriate policies for
each end host on a shared port.
You can configure a port to use only web authentication. You can also configure the port to first try and
use IEEE 802.1x authentication and then to use web authorization if the client does not support
IEEE 802.1x authentication.
Web authentication requires two Cisco Attribute-Value (AV) pair attributes:
•
The first attribute,
priv-lvl=15
, must always be set to 15. This sets the privilege level of the user
who is logging into the switch.
•
The second attribute is an access list to be applied for web authenticated hosts. The syntax is similar
to IEEE 802.1X per-user ACLs. However, instead of
ip:inacl
, this attribute must begin with
proxyacl
, and the
source
field in each entry must be
any
. (After authentication, the client IP
address replaces the
any
field when the ACL is applied.)