11645 Views · 5 Helpful · 4 Replies

802.1x Multi-Domain - Multiple Workstation

s.kho (Level 1)

Hi,

I have successfully configured my switch for 802.1x with multi-domain. The IP Phone and workstation get assigned to their respective VLANs. My issue is when I connect a separate hub to a switch port with multiple workstations connected to the hub. I can only get one MAC address to gain access to the network. Subsequent devices are restricted from gaining connection.

Is there a configuration that I can apply to change the default behavior of allowing only a single MAC address per domain on the switch port?

Thanks


4 Replies

Tiago Antunes (Cisco Employee)

Hi,

Multidomain allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain. Only one device is allowed per domain.

If you want to allow more than one device on a dot1x port, you need to use multi-host mode. In multiple-hosts mode, you can attach multiple hosts to a single 802.1x-enabled port.

In this mode, only one of the attached clients must be authorized for all clients to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Thanks Tiago,

So does this mean that I am unable to have multiple devices connected to a single switch port if I want to use a generic IP Phone switch port configuration?

Is the port-security maximum command applicable?

Thanks

Accepted Solution

Well, you can use multiple-authentication mode.

Multiple-authentication (multiauth) mode allows one client on the voice VLAN and multiple authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1x-enabled port, multiple-authentication mode provides enhanced security over multiple-hosts mode by requiring authentication of each connected client. For non-802.1x devices, you can use MAC authentication bypass or web authentication as the fallback method for individual host authentications to authenticate different hosts by different methods on a single port.

Multiple-authentication mode is limited to eight authentications (hosts) per port.

Multiple-authentication mode also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN, depending on the VSAs received from the authentication server.

VERY IMPORTANT: When a port is in multiple-authentication mode, all the VLAN assignment features, including the RADIUS server supplied VLAN assignment, the Guest VLAN, the Inaccessible Authentication Bypass, and the Authentication Failed VLAN do not activate.

These are the configuration commands:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1271507

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
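As an added illustration of the two replies above (this is editor-written example configuration, not part of the thread and not copied from the linked Cisco guide), here is a Catalyst 3560 port using multi-auth for the phone-plus-hub case next to the original multi-domain port, in the IOS 12.2(50)SE `authentication host-mode` syntax the linked guide covers. Interface names, VLAN numbers, the RADIUS server address and its key are assumed placeholder values. In both modes the phone only lands in the voice domain if the RADIUS server returns the Cisco VSA `device-traffic-class=voice` for the phone's session (the VSA-dependent assignment the accepted answer refers to); a PC behind the phone gets the data VLAN. Note the accepted answer's caveat that on this release dynamic (RADIUS-assigned) data VLANs, Guest VLAN and Auth-Fail VLAN do not apply on a multi-auth port, so the data VLAN is set statically.

```cisco
! Added example, not from the thread or the Cisco guide. Placeholder values throughout.
! Global AAA and 802.1X: authenticate and authorize via RADIUS.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! 192.0.2.10 and the key are placeholders; use your NPS/ACS address and shared secret.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
! Port with an IP phone and a hub (several PCs) behind it: multi-auth.
! Each MAC on the data VLAN is authenticated on its own (dot1x first, MAB as fallback),
! up to the eight-host limit the accepted answer mentions.
interface GigabitEthernet0/1
 description Phone + hub - multi-auth, one voice client, up to 8 data clients
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 spanning-tree portfast
!
! For comparison, the original multi-domain port: exactly one MAC in the data domain
! and one in the voice domain, which is why a second PC on a hub is rejected here.
interface GigabitEthernet0/2
 description Phone + single PC - multi-domain, one MAC per domain
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 spanning-tree portfast
```

To confirm which hosts were admitted and by which method, `show authentication sessions interface GigabitEthernet0/1` lists each MAC with its domain (DATA or VOICE), method (dot1x or mab) and status; a PC that shows up as Unauthorized with no fallback method indicates it is neither a supplicant nor in the MAB database, not a host-mode problem. Keeping MAB as a fallback rather than switching to multi-host preserves per-device accountability: with multi-host a single authorized client opens the port for every MAC on the hub, which the first reply calls out.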

Hi

I have a similar issue in that I have PCs running VM instances that require separate authentication from the host PC. The host is connected via a Nortel phone connected to a c2960. The ports are authenticated on a Microsoft NPS server instead of a Cisco ACS.

Multi-domain seems to fail with this setup and I am experiencing some issues with multi-auth (the phone is placed in the data vlan) that should be the correct config. Would this be due to the fact that I am using a MS NPS server instead of a Cisco ACS and do not have the ability to setup av-pairs in MS?

Regards

Kobus