9-20
Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Software Configuration Guide
OL-12189-01
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks the antivirus condition or posture of endpoint systems or clients before granting the devices network access. With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
• Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]) from the authentication server.
• Set the number of seconds between re-authentication attempts as the value of the Session-Timeout RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS server.
• Set the action to be taken when the switch tries to re-authenticate the client by using the Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the session ends. If the value is RADIUS-Request, the re-authentication process starts.
• View the NAC posture token, which shows the posture of the client, by using the show dot1x privileged EXEC command.
• Configure secondary private VLANs as guest VLANs.
Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based authentication except that you must configure a posture token on the RADIUS server. For information about configuring NAC Layer 2 IEEE 802.1x validation, see the “Configuring NAC Layer 2 IEEE 802.1x Validation” section on page 9-41 and the “Configuring Periodic Re-Authentication” section on page 9-30.
For more information about NAC, see the Network Admission Control Software Configuration Guide.
Using Multidomain Authentication
The switch supports multidomain authentication (MDA), which allows both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
MDA does not enforce the order of device authentication. However, for best results, we recommend that a voice device is authenticated before a data device on an MDA-enabled port.
Follow these guidelines for configuring MDA:
• To configure a switch port for MDA, see the “Configuring the Host Mode” section on page 9-29.
• You must configure the voice VLAN for the IP phone when the host mode is set to multidomain. For more information, see Chapter 14, “Configuring Voice VLAN.”
• Voice VLAN assignment on an MDA-enabled port is supported.
Note If you use a dynamic VLAN to assign a voice VLAN on an MDA-enabled switch port, the voice device fails authorization.
• To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value (AV) pair attribute with a value of device-traffic-class=voice. Without this value, the switch treats the voice device as a data device.
• The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled port. The switch treats a voice device that fails authorization as a data device.
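The two RADIUS attributes used by NAC Layer 2 IEEE 802.1x validation (Session-Timeout, Termination-Action) and the Cisco AV pair used by MDA all arrive in the Access-Accept attribute list. The following Python is an added example, not part of this guide or of Cisco IOS: it decodes such a list and derives the switch behaviour described above (re-authentication interval, action on expiry, voice or data domain). It assumes the RFC 2865 Type-Length-Value attribute format, Cisco's IANA enterprise number 9 and the cisco-avpair vendor type 1; the sample payload is constructed, not captured from a real server.

```python
import struct

SESSION_TIMEOUT = 27     # RFC 2865 Attribute[27]: seconds between re-authentication attempts
TERMINATION_ACTION = 29  # RFC 2865 Attribute[29]: 0 = Default (session ends), 1 = RADIUS-Request
VENDOR_SPECIFIC = 26     # RFC 2865 Attribute[26]: carries vendor attributes such as cisco-avpair
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # Cisco IANA enterprise number; cisco-avpair vendor type

def attr(atype, value):
    # One Type-Length-Value attribute; the length byte covers the two header bytes
    return bytes([atype, len(value) + 2]) + value

def tlv(buf, i):
    # Validate the Type-Length-Value triplet at offset i and return (type, length, value)
    if len(buf) - i < 2 or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
        raise ValueError("malformed attribute at offset %d" % i)
    return buf[i], buf[i + 1], buf[i + 2:i + buf[i + 1]]

def parse_attributes(blob):
    # Walk the attribute list; Cisco AV pairs are returned as ("cisco-avpair", str)
    attrs, i = [], 0
    while i < len(blob):
        atype, alen, value = tlv(blob, i)
        if atype == VENDOR_SPECIFIC and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            j = 4  # sub-attributes follow the 4-byte Vendor-Id
            while j < len(value):
                vtype, vlen, vvalue = tlv(value, j)
                if vtype == CISCO_AVPAIR:
                    attrs.append(("cisco-avpair", vvalue.decode("ascii")))
                j += vlen
        else:
            attrs.append((atype, value))
        i += alen
    return attrs

def interpret(blob):
    # Derive the switch behaviour described in the guide from an Access-Accept attribute list
    result = {"reauth_seconds": None, "on_expiry": "session ends", "domain": "data"}
    for atype, value in parse_attributes(blob):
        if atype == SESSION_TIMEOUT and len(value) == 4:
            result["reauth_seconds"] = struct.unpack("!I", value)[0]
        elif atype == TERMINATION_ACTION and value == struct.pack("!I", 1):
            result["on_expiry"] = "re-authenticate"  # RADIUS-Request; Default or absent ends the session
        elif atype == "cisco-avpair" and value.strip() == "device-traffic-class=voice":
            result["domain"] = "voice"  # any other device is treated as a data device
    return result

# Constructed sample Access-Accept payload (not a real capture): hourly re-authentication,
# RADIUS-Request on expiry, and a Cisco VSA carrying the AV pair that selects the voice domain
SAMPLE = (attr(SESSION_TIMEOUT, struct.pack("!I", 3600)) + attr(TERMINATION_ACTION, struct.pack("!I", 1))
          + attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, b"device-traffic-class=voice")))
```

Running interpret(SAMPLE) yields re-authentication every 3600 seconds, a RADIUS-Request re-authentication on expiry and placement in the voice domain; dropping the AV pair leaves the same device in the data domain, which is the behaviour the MDA guidelines warn about.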