Cisco Catalyst 4500 Series Configuration Manual page 991

Chapter 44 Configuring 802.1X Port-Based Authentication
MDA does not enforce the order of device authentication. For best results, however, you should
authenticate a voice device before you authenticate a data device on an MDA-enabled port.
When configuring MDA, consider the following guidelines.
The same guidelines also apply for Multiple Authentication when voice VLAN is configured.
Note
We recommend that you enable CoPP on an MDA-enabled port to protect against a DoS attack.
•
Refer to
• To configure a switch port for MDA or Multiple Authentication, see the
Domain Authentication and Multiple Authorization" section on page
• You must configure the voice VLAN for the IP phone when the host mode is set to multidomain. For
more information, see
• To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value
(AV) pair attribute with a value of device-traffic-class=voice. Without this value, the switch treats
the voice device as a data device.
The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled
•
port. The switch treats a voice device that fails authorization as a data device.
If more than one device attempts authorization on either the voice or the data domain of a port, it is
•
error-disabled.
Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are
•
allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a
DHCP server to obtain an IP address and acquire the voice VLAN information. After the voice
device starts sending on the voice VLAN, its access to the data VLAN is blocked. A security
violation may occur in MDA if the voice device continues to send traffic on the data VLAN.
• MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to
connect to devices that do not support 802.1X authentication. it is especially useful for third party
phones without 802.1X supplicant. For more information, see the
Authentication Bypass" section on page
When a data or a voice device is detected on a port, its MAC address is blocked until authorization
•
succeeds. If the authorization fails, the MAC address remains blocked for 5 minutes.
• If more than one device is detected on the data VLAN or more than one voice device is detected on
the voice VLAN while a port is unauthorized, the port is error-disabled.
• When a port host mode is changed from single- or multihost to multidomain mode, an authorized
data device remains authorized on the port. However, a Cisco IP phone that was allowed on the port
in the voice VLAN is automatically removed and must be reauthenticated on that port.
• Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a
port changes from single- or multihost mode to multidomain mode.
Switching a port host mode from multidomain to single- or multihost mode removes all authorized
•
devices from the port.
If a data domain is authorized first and placed in the guest VLAN, non-802.1X-capable voice
•
devices need to tag their packets on the voice VLAN to trigger authentication.
We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a
•
per-user ACL policy might impact traffic on both the voice and data VLANs of the port. If used,
only one device on the port should enforce per-user ACLs.
OL-25340-01
Chapter 48, "Configuring Control Plane Policing and Layer 2 Control Packet QoS."
Chapter 41, "Configuring Voice Interfaces."
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
About 802.1X Port-Based Authentication
"Using 802.1X with MAC
44-12.
"Configuring Multiple
44-34.
44-23