Cisco Systems 2940 Switch User Manual

8-5
Catalyst 2940 Switch Software Configuration Guide
78-15507-02
Chapter 8 Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
In a point-to-point configuration (see Figure 8-1 on page 8-2), only one client can be connected to the
802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state.
If a client leaves or is replaced with another client, the switch changes the port link state to down, and
the port returns to the unauthorized state.
Figure 8-3 shows 802.1X port-based authentication in a wireless LAN. The 802.1X port is configured
as a multiple-hosts port that becomes authorized as soon as one client is authenticated. When the port is
authorized, all other hosts indirectly attached to the port are granted access to the network. If the port
becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch
denies access to the network to all of the attached clients. In this topology, the wireless access point is
responsible for authenticating the clients attached to it, and the wireless access point acts as a client to
the switch.
Figure 8-3 Wireless LAN Example
Using 802.1X with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone
connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP
phone. The PVID is the native VLAN of the port.
Each port that you configure for a voice VLAN is associated with a PVID and a VVID. This
configuration allows voice traffic and data traffic to be separated onto different VLANs.
When you enable the single-host mode, only one 802.1X client is allowed on the primary VLAN; other
workstations are blocked. When you enable the multiple-hosts mode, once an 802.1X client has been
authenticated on the primary VLAN, additional clients on the voice VLAN are unrestricted.
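As an added illustration (not Cisco code and not a description of the switch's implementation), the following Python model captures the port behaviour described in the point-to-point and wireless examples above and the single-host versus multiple-hosts rule: once one host authenticates a multiple-hosts port, every host behind it is forwarded, and a logoff or re-authentication failure cuts all of them off. The class name and MAC labels are constructed.

```python
SINGLE_HOST = "single-host"
MULTI_HOST = "multiple-hosts"


class Dot1xPort:
    """Simplified 802.1X port (constructed model): tracks link state, authorized state
    and which MACs passed EAP authentication."""

    def __init__(self, host_mode=SINGLE_HOST):
        self.host_mode = host_mode
        self.link_up = False
        self.authorized = False
        self.authenticated = set()  # MACs whose EAP exchange succeeded

    def link_change(self, up):
        # Link down (client leaves or is replaced) returns the port to unauthorized.
        self.link_up = up
        if not up:
            self._unauthorize()

    def _unauthorize(self):
        self.authorized = False
        self.authenticated.clear()

    def eap_success(self, mac):
        """Supplicant `mac` passed authentication. Returns True if it is now allowed."""
        if not self.link_up:
            return False
        # Single-host mode: only one 802.1X client per port; other workstations are blocked.
        if self.host_mode == SINGLE_HOST and self.authenticated and mac not in self.authenticated:
            return False
        self.authenticated.add(mac)
        self.authorized = True
        return True

    def eapol_logoff(self, mac):
        # A logoff, or a failed re-authentication, unauthorizes the whole port,
        # so every host behind it loses access, not just `mac`.
        if mac in self.authenticated:
            self._unauthorize()

    reauth_failed = eapol_logoff

    def forwards(self, mac):
        """Would the switch forward traffic from `mac` right now?"""
        if not self.authorized:
            return False
        if self.host_mode == MULTI_HOST:
            return True  # any host behind the port rides on the first authentication
        return mac in self.authenticated
```

In the wireless topology, the access point is the supplicant; a laptop behind it is never authenticated individually, which is exactly what `forwards()` shows for the multiple-hosts case.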
A voice VLAN port becomes active when there is link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly
connected to it. When 802.1X is enabled on a voice VLAN port, the switch drops packets from
unrecognized Cisco IP phones more than one hop away.
When 802.1X is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
For more information about voice VLANs, see Chapter 15, “Configuring Voice VLAN.”
[Figure 8-3 components: wireless clients, access point, Catalyst 2940 switch, authentication server (RADIUS)]