Specifications

8-7
Catalyst 2970 Switch Software Configuration Guide
78-15462-03
Chapter 8 Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
Before Cisco IOS Release 12.1(14)EA1, a switch in single-host mode accepted traffic from a single host,
and voice traffic was not allowed. In multiple-hosts mode, the switch did not accept voice traffic until
the client was authenticated on the primary VLAN, thus making the IP phone inoperable until the user
logged in.
With Cisco IOS Release 12.1(14)EA1 and later, the IP phone uses the VVID for its voice traffic
regardless of the authorized or unauthorized state of the port. This allows the phone to work
independently of 802.1X authentication.
When you enable the single-host mode, multiple IP phones are allowed on the VVID, but only one 802.1X
client is allowed on the PVID. When you enable the multiple-hosts mode, additional clients on the voice
VLAN are unrestricted once an 802.1X user has been authenticated on the primary VLAN.
A voice VLAN port becomes active when there is link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several IP phones are connected in series, the switch recognizes only the one directly
connected to it. When 802.1X is enabled on a voice VLAN port, the switch drops packets from
unrecognized IP phones more than one hop away.
When 802.1X is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
For more information about voice VLANs, see Chapter 13, “Configuring Voice VLAN.”
Using 802.1X with VLAN Assignment
Before Cisco IOS Release 12.1(14)EA1, when an 802.1X port was authenticated, it was authorized to be
in the access VLAN configured on the port even if the RADIUS server returned an authorized VLAN
from its database. Recall that an access VLAN is a VLAN assigned to an access port. All packets sent
from or received on this port belong to this VLAN.
However, with Cisco IOS Release 12.1(14)EA1 and later, the switch supports 802.1X with VLAN
assignment. After successful 802.1X authentication of a port, the RADIUS server sends the VLAN
assignment to configure the switch port. The RADIUS server database maintains the
username-to-VLAN mappings, which assign the VLAN based on the username of the client connected
to the switch port. You can use this feature to limit network access for certain users.
When configured on the switch and the RADIUS server, 802.1X with VLAN assignment has these
characteristics:
• If no VLAN is supplied by the RADIUS server or if 802.1X authorization is disabled, the port is
configured in its access VLAN after successful authentication.
• If 802.1X authorization is enabled but the VLAN information from the RADIUS server is not valid,
the port returns to the unauthorized state and remains in the configured access VLAN. This prevents
ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error.
Configuration errors could include specifying a malformed VLAN ID, a nonexistent VLAN ID, or
an attempted assignment to a voice VLAN ID.
• If 802.1X authorization is enabled and all information from the RADIUS server is valid, the port is
placed in the specified VLAN after authentication.
• If the multiple-hosts mode is enabled on an 802.1X port, all hosts are placed in the same VLAN
(specified by the RADIUS server) as the first authenticated host.
• If 802.1X and port security are enabled on a port, the port is placed in the RADIUS-server-assigned
VLAN.
• If 802.1X is disabled on the port, it is returned to the configured access VLAN.
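The following is an added example, not Cisco code or text from this guide. It models the switch-side decision described in the list above so that the three failure cases (malformed VLAN ID, nonexistent VLAN, assignment to the voice VLAN) can be exercised against constructed RADIUS Access-Accept attributes. The attribute names and values (Tunnel-Type = 13 for VLAN, Tunnel-Medium-Type = 6 for IEEE 802, Tunnel-Private-Group-ID carrying the VLAN) come from RFC 3580 and are not spelled out in this guide, so that mapping is an assumption; the port and VLAN numbers are constructed sample data.

```python
"""Model of the 802.1X VLAN-assignment outcomes described in the guide.

Added example, not Cisco code. Assumption: the RADIUS server returns the
RFC 3580 tunnel attributes (Tunnel-Type=13, Tunnel-Medium-Type=6,
Tunnel-Private-Group-ID=<VLAN ID>); the guide does not name the attributes.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 3580: Tunnel-Medium-Type value for IEEE 802


@dataclass
class PortConfig:
    access_vlan: int            # VLAN configured on the access port
    voice_vlan: Optional[int]   # VVID, if any; RADIUS may not assign it
    existing_vlans: Set[int]    # VLANs present in the switch VLAN database
    authorization_enabled: bool # whether 802.1X (AAA network) authorization is on


@dataclass
class PortState:
    authorized: bool
    vlan: int
    reason: str


def tunnel_vlan(attrs: Dict[str, object]) -> Optional[str]:
    """Return the raw Tunnel-Private-Group-ID if the reply is a VLAN tunnel, else None."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE_802:
        return None
    raw = attrs.get("Tunnel-Private-Group-ID")
    return raw if isinstance(raw, str) else None


def validate_vlan(raw: str, cfg: PortConfig) -> Optional[int]:
    """Apply the three checks the guide lists; None means the assignment is invalid."""
    if not raw.isdigit() or not 1 <= int(raw) <= 4094:
        return None                      # malformed VLAN ID
    vlan = int(raw)
    if vlan not in cfg.existing_vlans:
        return None                      # nonexistent VLAN ID
    if cfg.voice_vlan is not None and vlan == cfg.voice_vlan:
        return None                      # attempted assignment to the voice VLAN
    return vlan


def authorize_port(attrs: Dict[str, object], cfg: PortConfig) -> PortState:
    """Port state after a successful 802.1X authentication with the given reply attributes."""
    raw = tunnel_vlan(attrs)
    if raw is None or not cfg.authorization_enabled:
        # No VLAN supplied, or authorization disabled: authorized in the access VLAN.
        return PortState(True, cfg.access_vlan, "no assignment; access VLAN")
    vlan = validate_vlan(raw, cfg)
    if vlan is None:
        # Invalid assignment: port stays unauthorized in the configured access VLAN.
        return PortState(False, cfg.access_vlan, f"invalid VLAN {raw!r}; unauthorized")
    return PortState(True, vlan, "RADIUS-assigned VLAN")


# Constructed sample switch configuration: data VLAN 10, voice VLAN 200.
SAMPLE_CFG = PortConfig(access_vlan=10, voice_vlan=200,
                        existing_vlans={1, 10, 20, 200}, authorization_enabled=True)


def reply(group_id: Optional[str]) -> Dict[str, object]:
    """Build a constructed Access-Accept attribute set; None means no VLAN attributes."""
    if group_id is None:
        return {}
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-ID": group_id}


if __name__ == "__main__":
    for gid in ("20", "200", "999", "eng", None):
        st = authorize_port(reply(gid), SAMPLE_CFG)
        print(f"assigned={gid!r:>6} -> authorized={st.authorized} vlan={st.vlan} ({st.reason})")
```

The practical consequence for operators is the second branch: a RADIUS-side typo (a VLAN that exists on the server's side but not on this switch, or the voice VLAN ID) produces a successful authentication followed by a port that stays unauthorized in the access VLAN, so "authentication succeeded but port unauthorized" is the symptom to look for when a user reports no connectivity after a VLAN mapping change.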