Users Guide

266 Authentication, Authorization, and Accounting
console(config-auth-radius)#usage 802.1x
console(config-auth-radius)#exit
2. Create the VLANs. VLAN 2 is the secure data VLAN; VLAN 202 is the critical data VLAN; VLAN 10 is the voice VLAN.
console(config)#vlan 2,202,10
console(config-vlan2,202,10)#exit
3. Enable authentication and globally enable 802.1x client authentication via RADIUS. Globally enable Voice VLAN.
console(config)#authentication enable
console(config)#aaa authentication dot1x default radius
console(config)#dot1x system-auth-control
console(config)#switchport voice vlan
4. On the interface, set the port to access mode, assign a PVID, enable Multi-Domain mode and set the order of authentication to 802.1X. Configure the voice VLAN on the interface. Also enable periodic re-authentication and configure the critical voice VLAN and the critical data VLAN.
console(config)#interface gi1/0/4
console(config-if-Gi1/0/4)#switchport mode access
console(config-if-Gi1/0/4)#switchport access vlan 2
console(config-if-Gi1/0/4)#authentication host-mode multi-domain
console(config-if-Gi1/0/4)#dot1x pae authenticator
console(config-if-Gi1/0/4)#authentication order dot1x
console(config-if-Gi1/0/4)#authentication periodic
console(config-if-Gi1/0/4)#voice vlan 202
console(config-if-Gi1/0/4)#authentication event server dead action authorize voice
console(config-if-Gi1/0/4)#authentication event server dead action authorize vlan 11
console(config-if-Gi1/0/4)#exit
Some host devices may require access to network resources before they authenticate. Examples include IP phones that must connect to a call manager to obtain firmware updates and configuration information. To let hosts access network resources prior to authentication, the following configuration can be used in conjunction with the above example.
console(config-if-Gi1/0/4)#authentication open
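
A review check for a configuration of this form, added here as an example and not part of the guide: it reports VLAN IDs that an interface references but that were never created in the VLAN database, and lists the ports where `authentication open` lets hosts reach the network before they authenticate. The function names `expand` and `audit` are this example's own, and the sample text is constructed from the commands on this page.

```python
import re

# Constructed sample: the commands from this page with the prompts removed and
# "authentication open" placed inside the interface block.
SAMPLE = """\
vlan 2,202,10
exit
authentication enable
aaa authentication dot1x default radius
dot1x system-auth-control
switchport voice vlan
interface gi1/0/4
switchport mode access
switchport access vlan 2
authentication host-mode multi-domain
dot1x pae authenticator
authentication order dot1x
authentication periodic
voice vlan 202
authentication event server dead action authorize voice
authentication event server dead action authorize vlan 11
authentication open
exit
"""

def expand(spec):  # '2,202,10' or '2-4,10' -> set of VLAN IDs
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(config):
    """Return ({interface: [VLAN IDs not in the VLAN database]}, [open ports])."""
    defined, refs, open_ports, iface = set(), {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"vlan ([\d,\-]+)", line):
            defined |= expand(m.group(1))        # global VLAN creation
        elif m := re.fullmatch(r"interface (\S+)|exit", line):
            iface = m.group(1)                   # None after "exit"
        elif iface and line == "authentication open":
            open_ports.append(iface)             # pre-authentication access
        elif iface and (m := re.search(r"\bvlan (\d+)$", line)):
            refs.setdefault(iface, set()).add(int(m.group(1)))
    undefined = {i: sorted(v - defined) for i, v in refs.items() if v - defined}
    return undefined, open_ports

if __name__ == "__main__":
    print(audit(SAMPLE))
```
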