User's Manual
13-11
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
  • A voice device MAC address that is binding on the data VLAN is not counted towards the port 
security MAC address limit.
  • MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to 
connect to devices that do not support 802.1x authentication. For more information, see the 
“MAC Authentication Bypass Guidelines” section on page 13-33.
  • When a data or a voice device is detected on a port, its MAC address is blocked until authorization 
succeeds. If the authorization fails, the MAC address remains blocked for 5 minutes. 
  • If more than five devices are detected on the data VLAN or more than one voice device is detected 
on the voice VLAN while a port is unauthorized, the port is error disabled. 
  • When a port host mode changes from single- or multihost to multidomain mode, an authorized data 
device remains authorized on the port. However, a Cisco IP phone on the port voice VLAN is 
automatically removed and must be reauthenticated on that port. 
  • Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a 
port changes from single-host or multiple-host mode to multidomain mode.
  • Switching a port host mode from multidomain to single-host or multiple-hosts mode removes all 
authorized devices from the port.
  • If a data domain is authorized first and placed in the guest VLAN, non-802.1x-capable voice devices 
need their packets tagged on the voice VLAN to trigger authentication. The phone need not send 
tagged traffic. (The same is true for an 802.1x-capable phone.) 
  • We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a 
per-user ACL policy might impact traffic on both the port voice and data VLANs. You can use only 
one device on the port to enforce per-user ACLs.
For more information, see the “Configuring the Host Mode” section on page 13-38.
802.1x Multiple Authentication Mode
Multiple-authentication (multiauth) mode allows multiple authenticated clients on the data VLAN. Each 
host is individually authenticated. If a voice VLAN is configured, this mode also allows one client on 
the VLAN. (If the port detects any additional voice clients, they are discarded from the port, but no 
violation errors occur.)
If a hub or access point is connected to an 802.1x-enabled port, each connected client must be 
authenticated.
For non-802.1x devices, you can use MAC authentication bypass or web authentication as the per-host 
authentication fallback method to authenticate different hosts with different methods on a single port.
There is no limit to the number of data hosts that can authenticate on a multiauth port. However, only one 
voice device is allowed if the voice VLAN is configured. Because no host limit is defined, a violation is 
not triggered: if a second voice device is seen, it is silently discarded and no violation occurs.
For MDA functionality on the voice VLAN, multiple-authentication mode assigns authenticated devices 
to either a data or a voice VLAN, depending on the VSAs received from the authentication server.
Note When a port is in multiple-authentication mode, the guest VLAN and the authentication-failed VLAN 
features do not activate.
For more information about critical authentication mode and the critical VLAN, see the “802.1x 
Authentication with Inaccessible Authentication Bypass” section on page 13-22.
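To make the multidomain and multiple-authentication host modes described above concrete, the following is an added IOS configuration example (not taken from this guide): one port in multidomain mode with MAC authentication bypass fallback plus guest and restricted VLANs, and one port in multiauth mode for a hub or access point. The interface names, VLAN numbers, RADIUS server address and shared secret are assumptions.

```cisco
! Global AAA and 802.1x setup (RADIUS address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
!
! Access port serving one PC on the data VLAN and one IP phone on the voice VLAN
! (multidomain mode: exactly one authorized device per domain)
interface FastEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 ! Try 802.1x first; fall back to MAC authentication bypass for hosts
 ! that have no supplicant (printers, older phones)
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 ! Fallback VLANs: restricted VLAN on failed credentials, guest VLAN when
 ! the host never answers EAP. Both stay configured if the host mode is
 ! later changed from single-host or multiple-host to multidomain.
 authentication event fail action authorize vlan 30
 authentication event no-response action authorize vlan 40
 spanning-tree portfast
!
! Variant for a port behind a hub or access point: every data host is
! authenticated individually, one voice device is still allowed, and a
! second voice device is silently dropped without a violation. The guest
! and authentication-failed VLANs do not activate in this mode, so the
! two "authentication event" lines above are omitted here.
interface FastEthernet1/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

Verify the result with `show authentication sessions interface FastEthernet1/1`, which lists each authorized MAC address together with its domain (DATA or VOICE) and the method that authorized it.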