MDA does not enforce the order-of-device authentication. However, for best results, we recommend that a voice device is authenticated before a data device on an MDA-enabled
When you connect IP phones to an 802.1X-secured port, we recommend that you use MDA instead of Cisco Discovery Protocol (CDP) bypass.
To configure a switch port for MDA, see the “Configuring the Host Mode” section of the “Configuring IEEE 802.1X Port-Based Authentication” chapter.
configure the voice VLAN for the IP phone when the host mode is set to multi-domain. For more information, see the “Configuring VLANs” chapter of the Switch Software Configuration Guide, Release 12.2(58)SE.
To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value (AV) pair attribute with a value of device-traffic-class=voice. Without this value, the switch treats the voice device as a data device.
The guest VLAN and restricted VLAN features apply only to the data devices on an MDA-enabled port. The switch treats a voice device that fails authorization as a data device.
If more than one device attempts authorization on either the voice or the data domain of a port, the port is error disabled.
phones or voice devices are allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VLAN information. After the voice device starts sending on the voice VLAN, its access to the data VLAN is blocked.
A voice device MAC address that is bound to the data VLAN is not counted towards the port security MAC address limit.
MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to connect to devices that do not support 802.1X authentication.
When a data or a voice device is detected on a port, its MAC address is blocked until authorization succeeds. If the authorization fails, the MAC address remains blocked for five minutes.
If more than five devices are detected on the data VLAN or more than one voice device is detected on the voice VLAN while a port is unauthorized, the port is error disabled.
When a port host mode changes from single-host or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone on the port voice VLAN is automatically removed and must be reauthenticated on that port.
mechanisms such as guest VLAN and restricted VLAN remain configured after a port changes from single-host or multihost mode to multidomain mode.
Switching a port host mode from multidomain to single-host or multiple-hosts mode removes all authorized devices from the port.
If a data domain is authorized first and placed in the guest VLAN, non-802.1X-capable voice devices need their packets tagged on the voice VLAN to trigger authentication. The phone need not send tagged traffic. (The same is true for an
We do not recommend per-user ACLs on an MDA-enabled port. An authorized device with a per-user ACL policy might affect traffic on both the port voice and data VLANs. Only one device on the port can be used to enforce per-user ACLs.