Users Guide

Authentication, Authorization, and Accounting 353

The port security feature can be utilized if it is desired to limit access on auto

mode configured ports. To limit access to a phone and laptop configuration

using Voice VLAN, the port security limit should be set to 3 as many IP

phones also utilize the data VLAN during power up. For more information

on port security, see "Port and System Security" on page 695.

What are Authentication Host Modes

Authentication host modes configure the allowed authentication modes on a

port. The authentication modes restrict the number of simultaneously

authenticated clients and VLAN assignments.

Single-Host Mode

In a single-host mode, only one data or one voice client can be authenticated

and granted access to the port. Access is allowed only for this client and no

other. Only when this client is unauthenticated can another client get

authenticated and authorized on the port. A single voice VLAN device is

supported in single-host mode if no other device has authenticated.

Multi-Host Mode

In multi-host mode, only one data client can be authenticated on a port.

However, once authentication succeeds, access is granted to all hosts

connected to the port. A typical use case is a wireless access point which is

connected to an access-controlled port of a NAS. Once the access point is

authenticated by the NAS, the port is authorized for traffic from, not just the

access point, but also from all the wireless clients connected to the access

point.

Multi-Domain Mode

In multi-domain mode, only one data client and one voice client can be

authenticated on a port. A typical use case is an IP phone connected to a NAS

port and a laptop connected to the hub port of the IP phone. Both the devices

need to be authenticated to access the network. The voice and data domains

NOTE: Only Auto mode uses 802.1X and RADIUS to authenticate. Force-

authorized and Force-unauthorized modes are manual overrides.