Cisco Catalyst 2960 Software Configuration Manual page 294
Understanding IEEE 802.1x Port-Based Authentication

Multi-Host Mode Port Behavior

On a multi-host mode switch port, the Inaccessible Authentication Bypass feature operates as described in "Overview of Authentication Results" for the first host authenticated or authentication attempt on the switch port. As expected in multi-host mode, subsequent hosts are granted access to whatever VLAN the port is currently authorized in: either the previously assigned VLAN from a successful authorization or the Critical VLAN if the port was authenticated using the Inaccessible Authentication Bypass feature.

Multi-Domain Mode Port Behavior

On a multi-domain mode (MDA) switch port, the Inaccessible Authentication Bypass feature operates as described in "Overview of Authentication Results" for a single host in the data domain. As expected on a multi-domain port, if another device attempts to authenticate in the data domain, the port enters an err-disable state due to a security violation. The introduction of a voice domain device can have unintuitive consequences for an MDA mode port with Inaccessible Authentication Bypass enabled.

Assuming the RADIUS servers are unavailable:

• If both the data domain and voice domain are already authenticated and authorized in their respective VLANs, each domain retains its authorized VLAN during its next reauthentication attempt. The switch places the port into critical-authentication state, suspends the reauthentication timer, and begins ignoring EAPOL-Start messages in the domain that is reauthenticating.

• If the voice domain is authenticated and the data domain is not, a reauthentication attempt in the voice domain causes the port to move into critical-authentication state, suspends the reauthentication timer in the voice domain, and causes the voice domain to begin ignoring EAPOL-Start messages. The voice domain continues to operate, retaining its authorized Voice VLAN.

• If the voice domain is authenticated and the data domain is not, an authentication attempt in the data domain causes the port to move into critical-authentication state and causes the data domain to authorize in the configured Critical VLAN. The voice domain continues to operate, retaining its authorized Voice VLAN.

• If the data domain is authenticated and the voice domain is not, a reauthentication attempt in the data domain causes the port to move into a critical-authentication state, suspends the reauthentication timer in the data domain, and causes the data domain to begin ignoring EAPOL-Start messages. The data domain continues to operate, retaining its authorized Data VLAN.

• If the data domain is authenticated and the voice domain is not, and a voice device attempts to authenticate, the switch is unable to classify the device as a voice domain device (normally accomplished with the device-traffic-class = voice RADIUS attribute) and attempts to authenticate the device in the data domain. This action immediately results in a security violation because more than one device is detected in the data domain, and the port enters an err-disable state.

• If neither domain is authenticated, the first authentication attempt by any device causes the port to move into a critical-authentication state and authorizes the data domain in the Critical VLAN. If the device is a phone, it may not work properly in the Critical VLAN. Any other device attempting to authenticate is subsequently assigned to the data domain and immediately triggers a security violation, which places the port in an err-disable state.

Support on Multiple-Authentication Ports

To enable Inaccessible Authentication Bypass on ports configured with host mode multi-auth, you must use the authentication event server dead action reinitialize vlan vlan-id command.
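The configuration below is an added example and not text from the Cisco guide. It shows an MDA port and a multi-auth port on the same switch, each with Inaccessible Authentication Bypass tied to a Critical VLAN, with the multi-auth port using the reinitialize vlan form of the dead action that the text requires. The interface names, VLAN numbers, RADIUS server address, dead-criteria values and the shared-secret placeholder are all assumed.

```cisco
! Global AAA and 802.1x setup (assumed values, not from the guide)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! RADIUS server and dead-server detection: the server is marked dead
! after 3 unanswered tries within 20 seconds and stays dead for 10 minutes
radius-server host 192.0.2.10 key RADIUS_SHARED_SECRET_PLACEHOLDER
radius-server dead-criteria time 20 tries 3
radius-server deadtime 10
!
! MDA port: one data device plus one IP phone. While RADIUS is dead the
! data domain is authorized in Critical VLAN 99; the voice domain keeps
! its Voice VLAN only if it was already authorized, as described above.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 authentication host-mode multi-domain
 authentication port-control auto
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
 dot1x pae authenticator
!
! Multi-auth port: Inaccessible Authentication Bypass needs the
! "reinitialize vlan" form of the dead action in this host mode.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
 authentication host-mode multi-auth
 authentication port-control auto
 authentication event server dead action reinitialize vlan 99
 authentication event server alive action reinitialize
 dot1x pae authenticator
```

While the RADIUS servers are unreachable, show authentication sessions interface GigabitEthernet0/1 shows which domain is in critical authorization and in which VLAN, so the err-disable cases listed above can be spotted before a phone is plugged into a port whose data domain is already in the Critical VLAN.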
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
10-26
OL-26520-01