209
Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is
the native VLAN of the port.
The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone
to work independently of 802.1x authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send
traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the
supplicant authentication affects both the PVID and the VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message
from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are
connected in series, the switch recognizes only the one directly connected to it. When 802.1x authentication is enabled
on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.
When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
Note: If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco
IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
For more information about voice VLANs, see Configuring Voice VLAN, page 309
802.1x Authentication with Port Security
In general, Cisco does not recommend enabling port security when IEEE 802.1x is enabled. Since IEEE 802.1x enforces
a single MAC address per port (or per VLAN when MDA is configured for IP telephony), port security is redundant and
in some cases may interfere with expected IEEE 802.1x operations.
802.1x Authentication with Wake-on-LAN
The 802.1x authentication with the wake-on-LAN (WoL) feature allows dormant PCs to be powered when the switch
receives a specific Ethernet frame, known as the magic packet. You can use this feature in environments where
administrators need to connect to systems that have been powered down.
When a host that uses WoL is attached through an 802.1x port and the host powers off, the 802.1x port becomes
unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets cannot reach the host. When
the PC is powered off, it is not authorized, and the switch port is not opened.
When the switch uses 802.1x authentication with WoL, the switch forwards traffic to unauthorized 802.1x ports, including
magic packets. While the port is unauthorized, the switch continues to block ingress traffic other than EAPOL packets.
The host can receive packets but cannot send packets to other devices in the network.
Note: If PortFast is not enabled on the port, the port is forced to the bidirectional state.
When you configure a port as unidirectional by using the authentication control-direction in interface configuration
command, the port changes to the spanning-tree forwarding state. The port can send packets to the host but cannot
receive packets from the host.
When you configure a port as bidirectional by using the authentication control-direction both interface configuration
command, the port is access-controlled in both directions. The port does not receive packets from or send packets to
the host.
To Next Page
Loading...
Need help?
General