Users Guide

264 Authentication, Authorization, and Accounting
MAB is not supported for Multi-Domain-Multi-Host mode. The switch does
not enforce this restriction.
Multi-Domain Mode
Multi-Domain mode supports authentication of a single data host and a
single voice device. Each host that successfully authenticates is allowed
network access. Once the host limit is reached, additional host
authentications are rejected.
A typical use case is an IP phone connected to a NAS port and a laptop
connected to the hub port of the IP phone. Both devices need to be
authenticated to access the network services behind the NAS. The voice and
data domains are segregated by VLAN.
MAB is supported in Multi-Domain mode.
Voice VLAN access is supported in Multi-Domain mode.
Multi-Domain mode supports RADIUS VLAN assignment.
Configuration Example—802.1X and MAB
In this scenario, the authentication manager selects the first authentication
method, 802.1X. If authentication using 802.1X is successful, then the client
is allowed network access. If authentication using 802.1X errors out, then the
authentication manager selects the next authentication method: MAB. If
authentication using MAB returns an error, then the port is unauthorized.
The authentication manager will start a timer to re-authenticate the host. At
the expiry of the timer, the authentication manager restarts authentication by
selecting the 802.1X method.
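The method fallback and the Multi-Domain host limit described above, modeled as an added example (not code from the guide or the switch firmware). The class and function names, the "success"/"error" outcome strings, the caller-supplied domain and the MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

METHOD_ORDER = ("802.1X", "MAB")  # order used in the scenario above

def run_methods(results):
    """Try each method in order; `results` maps method -> "success" or "error"
    (constructed outcomes standing in for the RADIUS exchange)."""
    tried = []
    for method in METHOD_ORDER:
        tried.append(method)
        if results[method] == "success":
            return True, tried
    return False, tried  # every method errored out

@dataclass
class MultiDomainPort:
    """Hypothetical model: one authorized host per domain (data, voice)."""
    hosts: dict = field(default_factory=dict)         # domain -> authorized MAC
    reauth_pending: set = field(default_factory=set)  # MACs waiting on the timer

    def authenticate(self, mac, domain, results):
        if self.hosts.get(domain, mac) != mac:
            return "rejected: host limit reached"  # domain already has its host
        ok, tried = run_methods(results)
        if ok:
            self.hosts[domain] = mac
            self.reauth_pending.discard(mac)
            return "authorized via " + tried[-1]
        self.hosts.pop(domain, None)   # no access while unauthorized
        self.reauth_pending.add(mac)   # re-authentication timer started
        return "unauthorized"

    def reauth_timer_expired(self, mac, domain, results):
        """Timer expiry restarts the sequence from the first method, 802.1X."""
        if mac not in self.reauth_pending:
            return "no timer running"
        return self.authenticate(mac, domain, results)

def demo():
    port = MultiDomainPort()
    phone, laptop, extra = "00:00:5E:00:53:01", "00:00:5E:00:53:02", "00:00:5E:00:53:03"
    return [
        port.authenticate(phone, "voice", {"802.1X": "error", "MAB": "success"}),
        port.authenticate(laptop, "data", {"802.1X": "error", "MAB": "error"}),
        port.reauth_timer_expired(laptop, "data", {"802.1X": "success"}),
        port.authenticate(extra, "data", {"802.1X": "success"}),
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```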
1 Enter global configuration mode and define the RADIUS server.
console#configure
console(config)#aaa new-model
console(config)#dot1x system-auth-control
console(config)#radius server auth 10.10.10.10
console(config-auth-radius)#name BigRadius
console(config-auth-radius)#primary
console(config-auth-radius)#usage 802.1x
console(config-auth-radius)#exit
2 Define the global RADIUS server key.
console(config)#radius server key thatsyoursecret-keepit-keepit