Quick Reference Guide

PowerConnect B-Series TI24X Configuration Guide
53-1002269-02
Using multi-device port authentication and 802.1X security on the same port
NOTE
This example assumes that the IP phone initially transmits untagged packets (for example, CDP or
DHCP packets), which trigger the authentication process on the Dell device and client lookup on the
RADIUS server. If the phone sends only tagged packets and the port (e 3) is not a member of that
VLAN, authentication would not occur. In this case, port e 3 must be added to that VLAN prior to
authentication.
FIGURE 126 Multi-device port authentication and 802.1X authentication on the same port
When the devices attempt to connect to the network, they are first subject to multi-device port
authentication.
When the MAC address of the IP phone is authenticated, the Access-Accept message from the
RADIUS server specifies that the IP phone port be placed into the VLAN named “IP-Phone-VLAN”,
which is VLAN 7. The Foundry-802_1x-enable attribute is set to 0, meaning that 802.1X
authentication is skipped for this MAC address. Port 3 is placed in VLAN 7 as a tagged port. No
further authentication is performed.
When the PC MAC address is authenticated, the Access-Accept message from the RADIUS server
specifies that the PVID for the PC port be changed to the VLAN named “Login-VLAN”, which is VLAN
1024. The Foundry-802_1x-enable attribute is set to 1, meaning that 802.1X authentication is
required for this MAC address. The PVID of port 3 is temporarily changed to VLAN 1024,
pending 802.1X authentication.
Figure 126 labels: RADIUS Server; Switch; Port e 3 (Dual Mode); Hub; Tagged; Untagged;
IP Phone (MAC: 0050.048e.86ac); PC (MAC: 0002.3f7f.2e0a); User 1.

RADIUS server profiles shown in Figure 126:

User 0050.048e.86ac (IP Phone) Profile:
    Foundry-802_1x-enable = 0
    Tunnel-Private-Group-ID = T:IP-Phone-VLAN

User 0002.3f7f.2e0a (PC) Profile:
    Foundry-802_1x-enable = 1
    Tunnel-Private-Group-ID = U:Login-VLAN

User 1 Profile:
    Tunnel-Private-Group-ID = U:IP-User-VLAN
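
The sequence described above can be traced with a small model of port e 3. This is an added example, not code from the guide or from the device firmware; the function names, the port-state dictionary and the starting PVID of 1 are assumptions made for illustration, and only the two VLANs whose IDs the text gives are modelled.

```python
# Illustrative model only (not Dell/Foundry firmware): how the Access-Accept
# attributes described above translate into the state of port e 3.
VLAN_IDS = {"IP-Phone-VLAN": 7, "Login-VLAN": 1024}  # name -> ID, from the text

# Constructed RADIUS profiles mirroring Figure 126 (the MAC is the user name).
PROFILES = {
    "0050.048e.86ac": {"Foundry-802_1x-enable": "0",
                       "Tunnel-Private-Group-ID": "T:IP-Phone-VLAN"},
    "0002.3f7f.2e0a": {"Foundry-802_1x-enable": "1",
                       "Tunnel-Private-Group-ID": "U:Login-VLAN"},
}

def parse_vlan(value):
    """Split 'T:name' / 'U:name' into (tagged?, VLAN ID)."""
    prefix, sep, name = value.partition(":")
    if sep != ":" or prefix not in ("T", "U"):
        raise ValueError(f"expected T:<vlan> or U:<vlan>, got {value!r}")
    if name not in VLAN_IDS:
        raise ValueError(f"VLAN name {name!r} is not defined in this model")
    return prefix == "T", VLAN_IDS[name]

def apply_access_accept(port, mac, attrs):
    """Update the modelled port state for one MAC-authenticated device."""
    tagged, vlan = parse_vlan(attrs["Tunnel-Private-Group-ID"])
    # The page does not state a default for a missing attribute, so it is required.
    needs_dot1x = attrs["Foundry-802_1x-enable"] == "1"
    if tagged:
        port["tagged_vlans"].add(vlan)   # port joins the VLAN as a tagged member
    else:
        port["pvid"] = vlan              # untagged assignment changes the PVID
    port["pending_dot1x"][mac] = needs_dot1x
    return port

def mac_auth_triggered(port, frame_vlan):
    """Per the NOTE: untagged frames (frame_vlan None) start authentication;
    tagged frames do so only if the port is already a member of that VLAN."""
    return frame_vlan is None or frame_vlan in port["tagged_vlans"]

def simulate():
    """Authenticate the IP phone, then the PC, and return the port state."""
    port = {"pvid": 1, "tagged_vlans": set(), "pending_dot1x": {}}  # PVID 1 assumed
    for mac, attrs in PROFILES.items():
        apply_access_accept(port, mac, attrs)
    return port

if __name__ == "__main__":
    print(simulate())
```
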