10-7
Catalyst 3750 Switch Software Configuration Guide
78-16180-02
Chapter 10 Configuring 802.1x Port-Based Authentication
Understanding 802.1x Port-Based Authentication
Using 802.1x with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
Each port that you configure for a voice VLAN is associated with a PVID and a VVID. This configuration allows voice traffic and data traffic to be separated onto different VLANs.
Before Cisco IOS Release 12.1(14)EA1, a switch in single-host mode accepted traffic from a single host, and voice traffic was not allowed. In multiple-hosts mode, the switch did not accept voice traffic until the client was authenticated on the primary VLAN, thus making the IP phone inoperable until the user logged in.
With Cisco IOS Release 12.1(14)EA1 and later, the IP phone uses the VVID for its voice traffic regardless of the authorized or unauthorized state of the port. This allows the phone to work independently of 802.1x authentication.
When you enable the single-host mode, multiple IP phones are allowed on the VVID; only one 802.1x client is allowed on the PVID. When you enable the multiple-hosts mode, additional clients on the voice VLAN are unrestricted once an 802.1x user has been authenticated on the primary VLAN.
A voice VLAN port becomes active when there is link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When 802.1x is enabled on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.
When 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
Note: If you enable 802.1x on an access port on which a voice VLAN is configured and to which a Cisco IP phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
For more information about voice VLANs, see Chapter 16, “Configuring Voice VLAN.”
Using 802.1x with VLAN Assignment
Before Cisco IOS Release 12.1(14)EA1, when an 802.1x port was authenticated, it was authorized to be in the access VLAN configured on the port even if the RADIUS server returned an authorized VLAN from its database. Recall that an access VLAN is a VLAN assigned to an access port. All packets sent from or received on this port belong to this VLAN.
However, with Cisco IOS Release 12.1(14)EA1 and later releases, the switch supports 802.1x with VLAN assignment. After successful 802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users.
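The following is an added example, not code from this guide or from Cisco IOS: it models the switch-side decision for a voice VLAN port (PVID and VVID, as described above) once the RADIUS server returns a VLAN assignment, using the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) with RFC 2868 tag handling. Treating an assigned VLAN that equals the voice VLAN as unusable is this example's assumption, drawn from the guide's rule that a port VLAN may not equal the voice VLAN; the `tunnel_avps` builder constructs sample Access-Accept attributes for offline use.

```python
# Added example (not from the Catalyst guide): which data VLAN an 802.1x
# voice VLAN port is authorized into, given the RADIUS Access-Accept
# attributes of RFC 3580 / RFC 2868. Refusing an assigned VLAN that equals
# the voice VLAN is this example's assumption drawn from the guide's rule.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6  # RFC 3580 values

def parse_avps(raw):
    """Yield (type, tag, value). Tunnel-Type/Medium-Type always carry a tag
    octet; Tunnel-Private-Group-ID only when its first octet is <= 0x1F."""
    i = 0
    while i < len(raw):
        t, ln = raw[i], raw[i + 1]
        if ln < 2 or i + ln > len(raw):
            raise ValueError("malformed RADIUS attribute")
        val, tag = raw[i + 2:i + ln], 0
        if t in TUNNEL_ATTRS[:2] or (t == TUNNEL_ATTRS[2] and val and val[0] <= 0x1F):
            tag, val = val[0], val[1:]
        yield t, tag, val
        i += ln

def assigned_vlan(raw):
    """Numeric VLAN from a complete tunnel triple (one tag, type VLAN, medium 802), else None."""
    by_tag = {}
    for t, tag, val in parse_avps(raw):
        if t in TUNNEL_ATTRS:
            by_tag.setdefault(tag, {})[t] = val
    for a in by_tag.values():
        if (all(k in a for k in TUNNEL_ATTRS)
                and int.from_bytes(a[TUNNEL_TYPE], "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(a[TUNNEL_MEDIUM_TYPE], "big") == TUNNEL_MEDIUM_802
                and a[TUNNEL_PRIVATE_GROUP_ID].isdigit()):
            return int(a[TUNNEL_PRIVATE_GROUP_ID])
    return None

def authorize(pvid, vvid, access_accept):
    """(decision, data VLAN): no assignment -> configured PVID; a VLAN outside 1..4094 or equal to the VVID (assumption) is refused."""
    vlan = assigned_vlan(access_accept)
    if vlan is None:
        return "authorized-configured-vlan", pvid
    if not 1 <= vlan <= 4094 or vlan == vvid:
        return "rejected-unusable-vlan", pvid
    return "authorized-assigned-vlan", vlan

def tunnel_avps(vlan, tag=0):
    """Constructed Access-Accept attributes as a RADIUS server would send."""
    avp = lambda t, v: bytes([t, len(v) + 2]) + v
    return (avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))
```

The phone's VVID is unaffected by this decision, matching the 12.1(14)EA1 behaviour described above; only the data VLAN of the workstation behind the phone changes.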