Multidomain authentication
Multidomain authentication allows a combination of voice and data clients to be authenticated on a port. By default, only one voice client and one data client are allowed to authenticate. You can configure a maximum of five data clients for authentication. You enable the multidomain authentication mode with the aaa authentication port-access auth-mode command. Only the number of data clients is configurable, with the aaa authentication port-access client-limit multi-domain command.
Multidomain authentication requirements
Following are the requirements for multidomain authentication:
- You must configure the multidomain authentication mode in one of the following ways:
  - In the CLI with the aaa authentication port-access auth-mode command at the interface level
  - By configuring the Aruba-Port-Auth-Mode and Aruba-Device-Traffic-Class VSAs on the RADIUS server
  - In the CLI with the auth-mode command at the port access role level (config-pa-role context)
- If the multidomain mode is not enabled on the port in the CLI and the Aruba-Port-Auth-Mode VSA is not configured, the switch operates in client mode on that port, even if the Aruba-Device-Traffic-Class VSA is configured.
- To identify the client as a voice client, you must configure either the device-traffic-class parameter in the role or the Aruba-Device-Traffic-Class VSA (value=1) on the RADIUS server.
  - If both are configured, the device-traffic-class configuration overrides the VSA attribute configuration.
  - If neither is configured, the switch considers the client a data client only.
- The role critical-voice-role is applied when an authenticated client fails to reauthenticate because the RADIUS server is unreachable. This role is not applied when the multidomain authentication mode is not enabled and the client fails to reauthenticate because the RADIUS server is unreachable.
  The voice client must first be authenticated successfully with the RADIUS server for the critical-voice-role to be applied. If the client has never been authenticated, this role is not applied.
Scenarios with Aruba-Port-Auth-Mode and Aruba-Device-Traffic-Class VSAs
The following table lists the various scenarios when you configure the Aruba-Port-Auth-Mode and Aruba-Device-Traffic-Class VSAs, and the output in multidomain authentication.
| Aruba VSA Configured | Output when Multidomain mode is disabled on port | Output when Multidomain mode is enabled on port |
|---|---|---|
| Only | | |
| Only | | |
| | | |
| | | |
| Only | Port will be in client or device mode based on | |
Scenarios with device-traffic-class configuration in role
Following are some of the scenarios of configuring device-traffic-class in the role and the output in multidomain authentication.
- Scenario 1: Multidomain mode is enabled on the port and auth-mode is not configured in the role.
  - The port will be in multi-domain mode.
  - If device-traffic-class is configured in the role, the client is authenticated as a voice client; otherwise it is authenticated as a data client.
- Scenario 2: Multidomain mode is enabled on the port and auth-mode is configured as client or device mode in the role.
  - The port will be in client or device mode based on the auth-mode configuration in the role.
  - If device-traffic-class is configured in the role, the client is authenticated as a voice client; otherwise it is authenticated as a data client.
- Scenario 3: Multidomain mode is not enabled on the port and auth-mode is configured as multidomain mode in the role.
  - The port will be in multi-domain mode.
  - If device-traffic-class is configured in the role, the client is authenticated as a voice client; otherwise it is authenticated as a data client.
- Scenario 4: Multidomain mode is not enabled on the port and auth-mode is not configured in the role.
  - The port will be in client mode.
  - If device-traffic-class is configured in the role, the client is authenticated as a voice client; otherwise it is authenticated as a data client.
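The requirements list and the four scenarios above describe one decision procedure: which auth-mode the port ends up in, whether a client is classed as voice or data, and when critical-voice-role can apply. The following Python model, an added example that is not part of the original documentation or of AOS-CX itself, encodes exactly those rules so that a configuration can be checked before it is rolled out. The type and function names (AuthInputs, effective_port_mode, client_class, critical_voice_role_applies, evaluate) and the sample scenario inputs are this example's own constructions; the model covers only the precedence rules the page states (role auth-mode wins over the interface setting, role device-traffic-class wins over the Aruba-Device-Traffic-Class VSA, neither source of multidomain mode means client mode) and does not attempt to model any other AOS-CX behaviour.

```python
"""Model of the multidomain authentication decision rules described on this page.
Added example; the rules are paraphrased from the page, the names are this example's own."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class PortMode(str, Enum):
    CLIENT = "client"
    DEVICE = "device"
    MULTI_DOMAIN = "multi-domain"


class ClientClass(str, Enum):
    VOICE = "voice"
    DATA = "data"


@dataclass(frozen=True)
class AuthInputs:
    """Everything the switch consults for one authenticating client (constructed model)."""
    # True if 'aaa authentication port-access auth-mode' enables multidomain on the interface
    port_multidomain_cli: bool = False
    # 'auth-mode' configured inside the port-access role, or None if absent
    role_auth_mode: Optional[PortMode] = None
    # Aruba-Port-Auth-Mode VSA returned by RADIUS, or None if not sent
    vsa_port_auth_mode: Optional[PortMode] = None
    # 'device-traffic-class' configured in the role ("voice"), or None if absent
    role_device_traffic_class: Optional[str] = None
    # Aruba-Device-Traffic-Class VSA returned by RADIUS (1 = voice), or None if not sent
    vsa_device_traffic_class: Optional[int] = None


def effective_port_mode(i: AuthInputs) -> PortMode:
    """Port mode after the client authenticates (scenarios 1 to 4 above)."""
    # An auth-mode in the role wins over the interface setting (scenarios 2 and 3).
    if i.role_auth_mode is not None:
        return i.role_auth_mode
    # Otherwise multidomain is enabled via the interface CLI or the Aruba-Port-Auth-Mode VSA.
    if i.port_multidomain_cli or i.vsa_port_auth_mode == PortMode.MULTI_DOMAIN:
        return PortMode.MULTI_DOMAIN
    # Neither source configured: client mode, whatever the traffic-class VSA says.
    return PortMode.CLIENT


def client_class(i: AuthInputs) -> ClientClass:
    """Voice or data classification; role device-traffic-class overrides the VSA."""
    if i.role_device_traffic_class is not None:
        return ClientClass.VOICE if i.role_device_traffic_class == "voice" else ClientClass.DATA
    if i.vsa_device_traffic_class == 1:
        return ClientClass.VOICE
    return ClientClass.DATA


def critical_voice_role_applies(i: AuthInputs, previously_authenticated: bool,
                                radius_reachable: bool) -> bool:
    """critical-voice-role applies only to a voice client that once authenticated
    successfully, on a port in multidomain mode, when RADIUS is now unreachable."""
    return (effective_port_mode(i) == PortMode.MULTI_DOMAIN
            and client_class(i) == ClientClass.VOICE
            and previously_authenticated
            and not radius_reachable)


# Constructed inputs matching the four scenarios in the text.
SCENARIOS: Dict[str, AuthInputs] = {
    "scenario 1": AuthInputs(port_multidomain_cli=True, role_device_traffic_class="voice"),
    "scenario 2": AuthInputs(port_multidomain_cli=True, role_auth_mode=PortMode.DEVICE),
    "scenario 3": AuthInputs(role_auth_mode=PortMode.MULTI_DOMAIN, vsa_device_traffic_class=1),
    "scenario 4": AuthInputs(role_device_traffic_class="voice"),
}


def evaluate(inputs: Dict[str, AuthInputs]) -> Dict[str, Tuple[str, str]]:
    """Return (port mode, client class) for each named input set."""
    return {name: (effective_port_mode(i).value, client_class(i).value)
            for name, i in inputs.items()}


if __name__ == "__main__":
    for name, (mode, cls) in evaluate(SCENARIOS).items():
        print(f"{name}: port {mode}, client authenticated as {cls}")
```

Running the block prints one line per scenario; the useful part for a reviewer is that each rule lives in one function, so a proposed role or interface change can be expressed as an AuthInputs value and checked against the page's expectations rather than discovered on a live port.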