46-25
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 46 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
• When a port host mode is changed from single- or multihost to multidomain mode, an authorized
data device remains authorized on the port. However, a Cisco IP phone that was allowed on the port
in the voice VLAN is automatically removed and must be reauthenticated on that port.
• Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a
port changes from single- or multihost mode to multidomain mode.
• Switching a port host mode from multidomain to single- or multihost mode removes all authorized
devices from the port.
• If a data domain is authorized first and placed in the guest VLAN, non-802.1X-capable voice
devices need to tag their packets on the voice VLAN to trigger authentication.
• We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a
per-user ACL policy might impact traffic on both the voice and data VLANs of the port. If used,
only one device on the port should enforce per-user ACLs.
Multi-Authentication Per User VLAN Authentication
The Multi-auth Per User VLAN assignment feature allows you to create multiple operational access
VLANs based on VLANs assigned to the clients on the port that has a single configured access VLAN.
The port configured as an access port where the traffic for all the VLANs associated with data domain
is not dot1q tagged, and these VLANs are treated as native VLANs.
The number of hosts per multi-auth port is 8, however there can be more hosts.
Note The Multi-auth Per User VLAN assignment feature is not supported for Voice domain. All clients in
Voice domain on a port must use the same VLAN.
The following scenarios are associated with the multi-auth Per User VLAN assignments:
Scenario One
When a hub is connected to an access port, and the port is configured with an access VLAN (V0).
The host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed
to V1. This behavior is similar on a single-host or multi-domain-auth port.
When a second host (H2) is connected and gets assigned to VLAN ( V2), the port will have two
operational VLANs (V1 and V2). If H1 and H2 sends untagged ingress traffic, H1 traffic is mapped to
VLAN (V1) and H2 traffic to VLAN (V2), all egress traffic going out of the port on VLAN (V1) and
VLAN (V2) are untagged.
If both the hosts, H1 and H2 are logged out or the sessions are removed due to some reason then VLAN
(V1) and VLAN (V2) are removed from the port, and the configured VLAN (V0) is restored on the port.
Scenario Two
When a hub is connected to an access port, and the port is configured with an access VLAN (V0). The
host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to
V1.
When a second host (H2) is connected and gets authorized without explicit vlan policy, H2 is expected
to use the configured VLAN (V0) that is restored on the port. All egress traffic going out of two
operational VLANs, VLAN (V0) and VLAN (V1) are untagged.
If host (H2) is logged out or the session is removed due to some reason then the configured VLAN (V0)
is removed from the port, and VLAN (V1) becomes the only operational VLAN on the port.