When a port is in multiple-authentication mode, the guest VLAN and the authentication-failed VLAN
features do not activate.
Note
You can assign a RADIUS-server-supplied VLAN in multi-auth mode, under the following conditions:
•
The host is the first host authorized on the port, and the RADIUS server supplies VLAN information
•
Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
•
A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN
assignment, or their VLAN information matches the operational VLAN.
•
The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have
no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts
must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are
subject to the conditions specified in the VLAN list.
•
Only one voice VLAN assignment is supported on a multi-auth port.
•
After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information
or be denied access to the port.
•
You cannot configure a guest VLAN or an auth-fail VLAN in multi-auth mode.
•
The behavior of the critical-auth VLAN is not changed for multi-auth mode. When a host tries to
authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
Multi-auth Per User VLAN assignment
This feature is supported only on Catalyst 2960X switches running the LAN base imageNote
The Multi-auth Per User VLAN assignment feature allows you to create multiple operational access VLANs
based on VLANs assigned to the clients on the port that has a single configured access VLAN. The port
configured as an access port where the traffic for all the VLANs associated with data domain is not dot1q
tagged, and these VLANs are treated as native VLANs.
The number of hosts per multi-auth port is 8, however there can be more hosts.
The Multi-auth Per User VLAN assignment feature is not supported for Voice domain. All clients in Voice
domain on a port must use the same VLAN.
Note
The following scenarios are associated with the multi-auth Per User VLAN assignments:
Scenario one
When a hub is connected to an access port, and the port is configured with an access VLAN (V0).
The host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to
V1. This behaviour is similar on a single-host or multi-domain-auth port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1329
Information About 802.1x Port-Based Authentication
To Next Page
Loading...
Need help?
General
