PowerConnect B-Series TI24X Configuration Guide 971
53-1002269-02
Using multi-device port authentication and 802.1X security on the same port
Figure 127 shows a configuration where multi-device port authentication is performed for an IP
phone, and 802.1X authentication is performed for a user PC. There is a profile on the RADIUS
server for the IP phone MAC address, but not for the PC MAC address.
FIGURE 127 802.1X authentication is performed when a device fails multi-device port authentication
Multi-device port authentication is initially performed for both devices. The IP phone MAC address
has a profile on the RADIUS server. This profile indicates that 802.1X authentication should be
skipped for this device, and that the device port be placed into the VLAN named “IP-Phone-VLAN”.
Since there is no profile for the PC MAC address on the RADIUS server, multi-device port
authentication for this MAC address fails. Ordinarily, this would mean that the PVID for the port
would be changed to that of the restricted VLAN, or traffic from this MAC would be blocked in
hardware.
NOTE
This example assumes that the IP phone initially transmits untagged packets (for example, CDP or
DHCP packets), which trigger the authentication process on the Dell device and client lookup on the
RADIUS server. If the phone sends only tagged packets and the port (e 4) is not a member of that
VLAN, authentication would not occur. In this case, port e 4 must be added to that VLAN prior to
authentication.
To configure the Dell device to perform 802.1X authentication when a device fails multi-device port
authentication, enter the following command.
PowerConnect(config)# mac-authentication auth-fail-dot1x-override
Syntax: [no] mac-authentication auth-fail-dot1x-override
[Figure 127 diagram: a PC (MAC: 0002.3f7f.2e0a, User 1) and an IP phone (MAC: 0050.048e.86ac) attach through a hub to switch port e 4, which is in dual mode with the mac-authentication auth-fail-dot1x-override CLI command configured. Links in the diagram are labeled Untagged and Tagged. The RADIUS server holds the following profiles.]
User 0050.048e.86ac (IP Phone) Profile:
Foundry-802_1x-enable = 0
Tunnel-Private-Group-ID = T:IP-Phone-VLAN
No Profile for MAC 0002.3f7f.2e0a (PC)
User 1 Profile:
Tunnel-Private-Group-ID = U:IP-User-VLAN
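
The decision flow described in this section, modeled in Python over the Figure 127 profiles as an added example; it is not Dell's code or the device's firmware logic. The function names, the reading of the T:/U: prefix as tagged/untagged, the rule that 802.1X is skipped only when Foundry-802_1x-enable is 0, and the stand-in 802.1X check (success means a user profile exists) are assumptions.

```python
# Added illustration of the authentication flow; all names are hypothetical.

# Constructed RADIUS data, taken from the Figure 127 labels.
MAC_PROFILES = {
    "0050.048e.86ac": {"Foundry-802_1x-enable": "0",
                       "Tunnel-Private-Group-ID": "T:IP-Phone-VLAN"},
}
USER_PROFILES = {"User 1": {"Tunnel-Private-Group-ID": "U:IP-User-VLAN"}}


def parse_vlan(value):
    """Split 'T:name' / 'U:name' into (tagging, vlan_name)."""
    prefix, sep, name = value.partition(":")
    if sep and prefix in ("T", "U") and name:
        return ("tagged" if prefix == "T" else "untagged", name)
    raise ValueError(f"unrecognized Tunnel-Private-Group-ID: {value!r}")


def dot1x(user):
    """Stand-in for the 802.1X exchange: succeeds if the user has a profile."""
    profile = USER_PROFILES.get(user)
    if profile is None:
        return {"result": "dot1x-failed"}
    tagging, vlan = parse_vlan(profile["Tunnel-Private-Group-ID"])
    return {"result": "dot1x-authenticated", "tagging": tagging, "vlan": vlan}


def authenticate(mac, dot1x_user=None, auth_fail_dot1x_override=False):
    """Return the outcome for one MAC address seen on the port."""
    profile = MAC_PROFILES.get(mac)
    if profile is None:
        # MAC authentication failed: no profile on the RADIUS server.
        if auth_fail_dot1x_override:
            return dot1x(dot1x_user)
        # Default behaviour per the text: restricted VLAN or hardware block.
        return {"result": "restricted-or-blocked"}
    tagging, vlan = parse_vlan(profile["Tunnel-Private-Group-ID"])
    outcome = {"result": "mac-authenticated", "tagging": tagging, "vlan": vlan}
    # Assumption: 802.1X is skipped only when the attribute is exactly 0.
    if profile.get("Foundry-802_1x-enable") != "0":
        outcome["then"] = dot1x(dot1x_user)
    return outcome
```

With the override enabled, an unknown MAC address is no longer confined to the restricted VLAN on MAC authentication failure; its access then depends entirely on the 802.1X result.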