Information About 802.1x Port-Based Authentication
To avoid loss of connectivity to the RADIUS server, you should ensure that there is a redundant connection
to it. For example, you can have a redundant connection to the stack master and another to a stack member,
and if the stack master fails, the switch stack still has connectivity to the RADIUS server.
802.1x Host Mode
You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode, only one
client can be connected to the 802.1x-enabled switch port. The switch detects the client by sending an EAPOL
frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the
switch changes the port link state to down, and the port returns to the unauthorized state.
In multiple-hosts mode, you can attach multiple hosts to a single 802.1x-enabled port. In this mode, only one
of the attached clients must be authorized for all clients to be granted network access. If the port becomes
unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network
access to all of the attached clients. In this topology, the wireless access point is responsible for authenticating
the clients attached to it, and it also acts as a client to the switch.
Figure 94: Multiple Host Mode Example
Note: For all host modes, the line protocol stays up before authorization when port-based authentication is
configured.
The switch supports multidomain authentication (MDA), which allows both a data device and a voice device,
such as an IP Phone (Cisco or non-Cisco), to connect to the same switch port.
802.1x Multiple Authentication Mode
Multiple-authentication (multiauth) mode allows multiple authenticated clients on the data VLAN. Each host
is individually authenticated. If a voice VLAN is configured, this mode also allows one client on the VLAN.
(If the port detects any additional voice clients, they are discarded from the port, but no violation errors occur.)
If a hub or access point is connected to an 802.1x-enabled port, each connected client must be authenticated.
For non-802.1x devices, you can use MAC authentication bypass or web authentication as the per-host
authentication fallback method to authenticate different hosts with different methods on a single port.
There is no limit to the number of data hosts that can authenticate on a multiauth port. However, only one voice
device is allowed if the voice VLAN is configured. Because no host limit is defined, no violation is triggered: if a
second voice device is seen, the switch silently discards it and does not trigger a violation. For MDA functionality
on the voice VLAN, multiple-authentication mode assigns authenticated devices to either a data or a voice VLAN,
depending on the VSAs received from the authentication server.
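The following configuration is an added illustration of the host modes described in the two sections above; it is not taken from the guide. It puts one access port in multiauth mode with a data VLAN and a voice VLAN, uses MAC authentication bypass as the per-host fallback for devices that cannot speak 802.1x, and enables network authorization so that VLAN assignment from RADIUS VSAs is honored. The interface name, VLAN IDs, RADIUS server name and address, and the shared-secret placeholder are all assumptions.

```cisco
! Added example, not from the guide. Interface, VLAN IDs, RADIUS name/address
! and the shared secret placeholder are assumed values.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Authentication server; replace the placeholder secret before use
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
!
! Multiauth port: every data host is authenticated individually,
! and at most one voice device is admitted on the voice VLAN
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
!
! The other host modes use the same port configuration with a different
! host-mode line:
!   authentication host-mode single-host   (one client per port)
!   authentication host-mode multi-host    (one authentication opens the port for all hosts)
!   authentication host-mode multi-domain  (MDA: one data device plus one voice device)
```

After applying the configuration, show authentication sessions interface GigabitEthernet1/0/1 lists each authenticated host with the method (dot1x or mab) and the domain (DATA or VOICE) it was placed in, which is the quickest way to confirm that a second voice device was discarded rather than admitted.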
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1328