Multidomain authentication (MDA) allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for IEEE 802.1X Multidomain Authentication
IEEE 802.1X Port-Based Network Access Control
You should understand the concepts of port-based network access control and have an understanding of how to configure port-based network access control on your Cisco platform. For more information, see the
Configuring IEEE 802.1X Port-Based Authentication module.
The switch must be connected to a Cisco secure Access Control System (ACS) and RADIUS authentication, authorization, and accounting (AAA) must be configured for Web authentication. If appropriate, you must enable ACL download.
If the authentication order includes the 802.1X port authentication method, you must enable IEEE 802.1X authentication on the switch.
If the authentication order includes web authentication, configure a fallback profile that enables web authentication on the switch and the interface.
Note
The web authentication method is not supported on Cisco integrated services routers (ISRs) or Integrated Services Routers Generation 2 (ISR G2s) in Cisco IOS Release 15.2(2)T.
You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs). For more information, see the documentation for your Cisco platform and the
Cisco IOS Security Configuration Guide: Securing User Services.
The switch must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). For more information, see the
Configuration Guide for CISCO Secure ACS.
Restrictions for IEEE 802.1X Multidomain Authentication
In multidomain authentication mode, only multicast EAPOL packets are accepted by the port.
Inactivity aging is not supported on Cisco integrated services routers (ISRs) or Integrated Services Routers Generation 2 (ISR-G2s) in multidomain authentication mode.
In multidomain authentication mode, the CDP 2nd port disconnect feature is supported.
This feature does not support standard ACLs on the switch port.
Configuring the same VLAN ID for both access and voice traffic (using the
switchport access vlanvlan-idand the
switchport voice vlanvlan-id commands) will fail if authentication has already been configured on the port.
Configuring authentication on a port on which you have already configured
switchport access vlanvlan-id and
switchport voice vlanvlan-id will fail if the access VLAN and voice VLAN have been configured with the same VLAN ID.
Information About IEEE 802.1X Multidomain Authentication
Guidelines for Configuring IEEE 802.1X Multidomain Authentication
MDA allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
MDA does not enforce the order of device authentication. However, for best results, we recommend that a voice device is authenticated before a data device on an MDA-enabled port.
Note
Any traffic destined to an unauthenticated client will be dropped. Traffic originating from an unauthenticated device will not be dropped.
Follow these guidelines for configuring MDA:
To configure a switch port for MDA, see the "Configuring the Host Mode" section of the "Configuring IEEE 802.1X Port-Based Authentication" chapter.
You must configure the voice VLAN for the IP phone when the host mode is set to multi-domain. For more information, see the "Configuring VLANS" chapter of the
Catalyst 3750 Switch Software Configuration Guide, Release 12.2(58)SE.
To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value (AV) pair attribute with a value of device-traffic-class=voice. Without this value, the switch treats the voice device as a data device.
The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled port. The switch treats a voice device that fails authorization as a data device.
If more than one device attempts authorization on either the voice or the data domain of a port, it is error disabled.
Non-Cisco IP phones or voice devices are allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VLAN information. After the voice device starts sending on the voice VLAN, its access to the data VLAN is blocked.
A voice device MAC address that is binding on the data VLAN is not counted towards the port security MAC address limit.
MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to connect to devices that do not support 802.1X authentication.
When a data or a voice device is detected on a port, its MAC address is blocked until authorization succeeds. If the authorization fails, the MAC address remains blocked for five minutes.
If more than five devices are detected on the data VLAN or more than one voice device is detected on the voice VLAN while a port is unauthorized, the port is error disabled.
When a port host mode changes from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone on the port voice VLAN is automatically removed and must be reauthenticated on that port.
Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port changes from single-host or multihost mode to multidomain mode.
Switching a port host mode from multidomain to single-host or multiple-hosts mode removes all authorized devices from the port.
If a data domain is authorized first and placed in the guest VLAN, non-802.1X-capable voice devices need their packets tagged on the voice VLAN to trigger authentication. The phone need not need to send tagged traffic. (The same is true for an 802.1X-capable phone.)
It is not recommended to use per-user ACLs with an MDA-enabled port. An authorized device with a per-user ACL policy might impact traffic on both the port voice and data VLANs. You can use only one device on the port to enforce per-user ACLs.
How to Configure IEEE 802.1X Multidomain Authentication
Allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), to be authenticated on an 802.1X-authorized port.
Note
You must configure the voice VLAN for the IP phone when the host mode is set to multi-domain. See the "Configuring Voice VLAN" chapter of the
Catalyst 3750 Switch Software Configuration Guide, Release 12.2(58)SE for more information.
Make sure that the
authenticationport-control interface configuration command is set to
auto for the specified interface.
Step 5
exit
Example:
Switch(config)# exit
Returns to privileged EXEC mode.
Configuring Critical Voice VLAN Support in Multidomain Authentication Mode
Perform this task on a port to configure critical voice VLAN support in multidomain authentication (MDA) mode.
Note
To configure MDA mode, see the "Configuring the Host Mode" section of the "Configuring IEEE 802.1X Port-Based Authentication" chapter.
Switch(config-if)# authentication event server dead action authorize vlan 40
Configures a critical data VLAN.
Note
This step is only required if the
authenticationeventserverdeadactionauthorizevlanvlan-id command is not configured on the port.
Step 5
authenticationeventserverdeadactionauthorizevoice
Example:
Switch(config-if)# authentication event server dead action authorize voice
Enables the Critical Voice VLAN feature, which puts phone traffic into the configured voice VLAN of a port if the authentication server becomes unreachable.
Configuration Examples for IEEE 802.1X Multidomain Authentication
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for IEEE 802.1X Multidomain Authentication
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1
Feature Information for IEEE 802.1X Multidomain Authentication
Feature Name
Releases
Feature Information
IEEE 802.1X Multidomain Authentication
15.2(2)T
Multi-domain authentication (MDA) allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.