Cisco WS-C2960-24TC-S Software Guide - Page 190
network, con d VLANs no longer match.
View all Cisco WS-C2960-24TC-S manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 190 highlights
Understanding IEEE 802.1x Port-Based Authentication Chapter 9 Configuring IEEE 802.1x Port-Based Authentication When configured on the switch and the RADIUS server, IEEE 802.1x authentication with VLAN assignment has these characteristics: • If no VLAN is supplied by the RADIUS server or if IEEE 802.1x authentication is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN assigned to an access port. All packets sent from or received on this port belong to this VLAN. • If IEEE 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid, authorization fails and configured VLAN remains in use. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error. Configuration errors could include specifying a VLAN for a routed port, a malformed VLAN ID, a nonexistent or internal (routed port) VLAN ID, an RSPAN VLAN, a shut down or suspended VLAN. In the case of a mutlidomain host port, configuration errors can also be due to an attempted assignment of a data VLAN that matches the configured or assigned voice VLAN ID (or the reverse). • If IEEE 802.1x authentication is enabled and all information from the RADIUS server is valid, the authorized device is placed in the specified VLAN after authentication. • If the multiple-hosts mode is enabled on an IEEE 802.1x port, all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host. • Enabling port security does not impact the RADIUS server-assigned VLAN behavior. • If IEEE 802.1x authentication is disabled on the port, it is returned to the configured access VLAN and configured voice VLAN. • If an IEEE 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port access VLAN configuration does not take effect. In the case of a multidomain host, the same applies to voice devices when the port is fully authorized with these exceptions: - If the VLAN configuration change of one device results in matching the other device configured or assigned VLAN, then authorization of all devices on the port is terminated and multidomain host mode is disabled until a valid configuration is restored where data and voice device configured VLANs no longer match. - If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice VLAN configuration, or modifying the configuration value to dot1p or untagged results in voice device un-authorization and the disablement of multi-domain host mode. When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into the configured access VLAN. The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS). To configure VLAN assignment you need to perform these tasks: • Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server. • Enable IEEE 802.1x authentication. (The VLAN assignment feature is automatically enabled when you configure IEEE 802.1x authentication on an access port). 9-10 Catalyst 2960 Switch Software Configuration Guide OL-8603-04