Concept Guide

ManualsBrandsDell ManualsAccess PlatformsC9010 Modular Chassis Switch

111

112

113

114

115

116

117

118

119

120

feature is dierent from multi-host authentication in which multiple devices connected to a single authenticator port can access the

network after only the one device is authenticated, and all hosts are placed in the same VLAN as the authenticated device.

Multi-supplicant authentication is needed, for example, in the case of a workstation at which a VoIP phone and PC are connected to a

single authenticator port. Multi-host authentication could authenticate the rst device to respond, and then both devices could access the

network. However, if you wanted to place them in dierent VLANs — a VoIP VLAN and a data VLAN — you would need to authenticate

the devices separately so that the RADIUS server can send each device’s VLAN assignment during that devices authentication process.

During the authentication process, the switch is able to learn the MAC address of the device though the EAPoL frames, and the VLAN

assignment from the RADIUS server. With this information it creates an authorized-MAC-to-VLAN mapping table per port. Then, the

system can tag all incoming untagged frames with the appropriate VLAN-ID based on the table entries.

Conguring Multi-Supplicant Authentication

To enable multi-supplicant authentication on a port, enter the dot1x host-mode multi-auth command in Interface mode. To return

to the default single-host authentication mode, enter the no dot1x host-mode command. To verify the currently congured

authentication mode, enter the

show dot1x interface command.

Dell(conf-if-te-1/3)# dot1x host-mode multi-auth

Dell(conf-if-te-1/3)# do show dot1x interface tengigabitethernet 0103

802.1x information on Te 0/0:

-----------------------------

Dot1x Status: Enable

Port Control: AUTO

Re-Authentication: Disable

Guest VLAN: Disable

Guest VLAN id: NONE

Auth-Fail VLAN: Disable

Auth-Fail VLAN id: NONE

Auth-Fail Max-Attempts: NONE

Critical VLAN: Disable

Critical VLAN id: NONE

Mac-Auth-Bypass: Disable

Mac-Auth-Bypass Only: Disable

Static-MAB: Disable

Static-MAB Profile: NONE

Tx Period: 30 seconds

Quiet Period: 60 seconds

ReAuth Max: 2

Supplicant Timeout: 30 seconds

Server Timeout: 30 seconds

Re-Auth Interval: 3600 seconds

Max-EAP-Req: 2

Host Mode: MULTI_AUTH

Max-Supplicants: 128

Port status and State info for Supplicant: 7a:d9:d9:7d:00:00

Port Auth Status: AUTHORIZED

Untagged VLAN id: 400

Auth PAE State: Authenticated

Backend State: Idle

Port status and State info for Supplicant: 7a:d9:d9:7d:00:01

Port Auth Status: AUTHORIZED

Untagged VLAN id: 400

Auth PAE State: Authenticated

Backend State: Idle

802.1X

111