Users Guide

Table Of Contents
314 Authentication, Authorization, and Accounting
The port security feature can be utilized if it is desired to limit access on auto
mode configured ports. To limit access to a phone and laptop configuration
using Voice VLAN, the port security limit should be set to 3 as many IP
phones also utilize the data VLAN during power up. For more information
on port security, see "Port and System Security" on page 655.
What are Authentication Host Modes
Authentication host modes configure the allowed authentication modes on a
port. The authentication modes restrict the number of simultaneously
authenticated clients and VLAN assignments.
Single-Host Mode
In a single-host mode, only one data or one voice client can be authenticated
and granted access to the port. Access is allowed only for this client and no
other. Only when this client is unauthenticated can another client get
authenticated and authorized on the port. A single voice VLAN device is
supported in single-host mode if no other device has authenticated.
Multi-Host Mode
In multi-host mode, only one data client can be authenticated on a port.
However, once authentication succeeds, access is granted to all hosts
connected to the port. A typical use case is a wireless access point which is
connected to an access-controlled port of a NAS. Once the access point is
authenticated by the NAS, the port is authorized for traffic from, not just the
access point, but also from all the wireless clients connected to the access
point.
Multi-Domain Mode
In multi-domain mode, only one data client and one voice client can be
authenticated on a port. A typical use case is an IP phone connected to a NAS
port and a laptop connected to the hub port of the IP phone. Both the devices
need to be authenticated to access the network. The voice and data domains
NOTE: Only Auto mode uses 802.1X and RADIUS to authenticate. Force-
authorized and Force-unauthorized modes are manual overrides.