Support User Manuals

Cisco Systems IE 2000 Switch User Manual

Open as PDF

of 924

13-16

Cisco IE 2000 Switch Software Configuration Guide

OL-25866-01

Chapter 13 Configuring IEEE 802.1x Port-Based Authentication

Information About Configuring IEEE 802.1x Port-Based Authentication

To configure VLAN assignment you need to perform these tasks:

• Enable AAA authorization by using the network keyword to allow interface configuration from the

RADIUS server.

• Enable 802.1x authentication. (The VLAN assignment feature is automatically enabled when you

configure 802.1x authentication on an access port.)

• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return

these attributes to the switch:

–

[64] Tunnel-Type = VLAN

–

[65] Tunnel-Medium-Type = 802

–

[81] Tunnel-Private-Group-ID = VLAN name, VLAN ID, or VLAN-Group

–

[83] Tunnel-Preference

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802

(type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the

802.1x-authenticated

user.

For examples of tunnel attributes, see the “Configuring Vendor-Specific RADIUS Attributes: Examples”

section on page 12-46.

Voice Aware 802.1x Security

You use the voice aware 802.1x security feature on the switch to disable only the VLAN on which a

security violation occurs, whether it is a data or voice VLAN. You can use this feature in IP phone

deployments where a PC is connected to the IP phone. A security violation found on the data VLAN

results in the shutdown of only the data VLAN. The traffic on the voice VLAN flows through the switch

without interruption.

Follow these guidelines to configure voice aware 802.1x voice security on the switch:

• You enable voice aware 802.1x security by entering the errdisable detect cause security-violation

shutdown vlan global configuration command. You disable voice aware 802.1x security by entering

the no version of this command. This command applies to all 802.1x-configured ports in the switch.

Note If you do not include the shutdown vlan keywords, the entire port is shut down when it enters the

error-disabled state.

• If you use the errdisable recovery cause security-violation global configuration command to

configure error-disabled recovery, the port is automatically reenabled. If error-disabled recovery is

not configured for the port, you reenable it by using the shutdown and no-shutdown interface

configuration commands.

• You can reenable individual VLANs by using the clear errdisable interface interface-id vlan

[vlan-list] privileged EXEC command. If you do not specify a range, all VLANs on the port are

enabled.

previous next