Multidomain authentication

Multidomain authentication allows a combination of voice and data clients to be authenticated on a port. By default, only one voice client and one data client are allowed for authentication. You can configure a maximum of five data clients for authentication. You can enable the multidomain authentication mode with the aaa authentication port-access auth-mode command. You can configure only the number of data clients supported, with the aaa authentication port-access client-limit multi-domain command.

Multidomain authentication requirements

Following are the requirements for multidomain authentication:

  • You must configure the multidomain authentication mode by one of the following ways:
    • In the CLI with the aaa authentication port-access auth-mode command at the interface level
    • Configure Aruba-Port-Auth-Mode and Aruba-Device-Traffic-Class VSAs on the RADIUS server
    • In the CLI with the auth-mode command at the port access role level (config-pa-role context)
  • If the multidomain mode is not enabled on the port in the CLI and the Aruba-Port-Auth-Mode VSA is not configured, then the switch operates in client mode on that port, even if the Aruba-Device-Traffic-Class VSA is configured.
  • To identify the client as a voice client, you must configure either the device-traffic-class parameter in the role or the Aruba-Device-Traffic-Class VSA (value=1) in the RADIUS server.
    • If both are configured, then the device-traffic-class configuration overrides the VSA attribute configuration.
    • If both are not configured, then the switch considers the client as a data client only.
  • The critical-voice-role role is applied when an authenticated voice client fails to reauthenticate because the RADIUS server is unreachable.

    This role is not applied when the multidomain authentication mode is not enabled and the client fails to reauthenticate because the RADIUS server is unreachable.

    The voice client must first be authenticated successfully with the RADIUS server for the critical-voice-role to be applied. If the client is never authenticated, then this role is not applied.

Scenarios with Aruba-Port-Auth-Mode and Aruba-Device-Traffic-Class VSAs

The following table lists the various scenarios when you configure the Aruba-Port-Auth-Mode and Aruba-Device-Traffic-Class VSAs, and the resulting port mode and client type in multidomain authentication.

Table 1: Scenarios configuring authentication mode and traffic class VSAs

Aruba VSA configured: Only Aruba-Device-Traffic-Class VSA is configured
  Output when multidomain mode is disabled on port:
    • Port will be in client mode
    • Client will be authenticated as data or voice client based on Aruba-Device-Traffic-Class VSA
  Output when multidomain mode is enabled on port:
    • Port will be in multidomain mode
    • Client will be authenticated as data or voice client based on Aruba-Device-Traffic-Class VSA

Aruba VSA configured: Only Aruba-Port-Auth-Mode VSA configured with multidomain mode
  Output (multidomain mode enabled or disabled on port):
    • Port will be in multidomain mode
    • Client will be authenticated as data client only

Aruba VSA configured: Aruba-Port-Auth-Mode VSA configured with multidomain mode, and Aruba-Device-Traffic-Class VSA is configured
  Output (multidomain mode enabled or disabled on port):
    • Port will be in multidomain mode
    • Client will be authenticated as data or voice client based on Aruba-Device-Traffic-Class VSA

Aruba VSA configured: Aruba-Port-Auth-Mode VSA configured with client or device mode, and Aruba-Device-Traffic-Class VSA is configured
  Output (multidomain mode enabled or disabled on port):
    • Port will be in client or device mode based on Aruba-Port-Auth-Mode VSA
    • Client will be authenticated as data or voice client based on Aruba-Device-Traffic-Class VSA

Aruba VSA configured: Only Aruba-Port-Auth-Mode VSA configured with client or device mode
  Output (multidomain mode enabled or disabled on port):
    • Port will be in client or device mode based on Aruba-Port-Auth-Mode VSA

Scenarios with device-traffic-class configuration in role

Following are some scenarios for configuring device-traffic-class in the role, and the resulting port mode and client type in multidomain authentication.

  • Scenario 1: When multidomain mode is enabled on port and the auth-mode is not configured in the role.
    • Port will be in multi-domain mode.
    • If device-traffic-class is configured in role, then the client will be authenticated as voice, else will be authenticated as data client.
  • Scenario 2: When multidomain mode is enabled on port and the auth-mode is configured as client or device mode.
    • Port will be in client or device mode based on auth-mode configuration in role.
    • If device-traffic-class is configured in role, then the client will be authenticated as voice, else will be authenticated as data client.
  • Scenario 3: When multidomain mode is not enabled on port and auth-mode is configured with multidomain mode in role.
    • Port will be in multi-domain mode.
    • If device-traffic-class is configured in role, then the client will be authenticated as voice, else will be authenticated as data client.
  • Scenario 4: When multidomain mode is not enabled on port and auth-mode is not configured in role.
    • Port will be in client mode.
    • If device-traffic-class is configured in role, then the client will be authenticated as voice, else will be authenticated as data client.
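The precedence rules from Table 1 and the four scenarios above, written as a small decision model so an operator can check what port mode and client type a given mix of CLI, RADIUS VSA and role settings will produce. This is an added example, not Aruba code; the string values used for Aruba-Port-Auth-Mode ("client", "device", "multi-domain") and the assumption that a role auth-mode takes precedence over the VSA are not taken from the page, only the voice value (1) of Aruba-Device-Traffic-Class is.

```python
# Added example (not from the Aruba documentation): a model of the documented
# precedence rules for multidomain authentication. The Aruba-Port-Auth-Mode
# string values below are assumptions; only TRAFFIC_CLASS_VOICE = 1 comes
# from the page.
from dataclasses import dataclass
from typing import Optional, Tuple

MULTI_DOMAIN, CLIENT, DEVICE = "multi-domain", "client", "device"
VOICE, DATA = "voice", "data"
TRAFFIC_CLASS_VOICE = 1  # Aruba-Device-Traffic-Class VSA value for a voice client


@dataclass
class AuthInputs:
    # aaa authentication port-access auth-mode on the interface (default: client)
    port_cli_mode: str = CLIENT
    # Aruba-Port-Auth-Mode VSA returned by the RADIUS server, if any
    port_auth_mode_vsa: Optional[str] = None
    # Aruba-Device-Traffic-Class VSA returned by the RADIUS server, if any
    traffic_class_vsa: Optional[int] = None
    # auth-mode configured in the port-access role (config-pa-role), if any
    role_auth_mode: Optional[str] = None
    # device-traffic-class configured in the port-access role, if any
    role_traffic_class: Optional[str] = None


def resolve_port_mode(i: AuthInputs) -> str:
    # Assumption: a role auth-mode wins over the VSA; the page only states
    # that each of them overrides the interface-level CLI setting.
    if i.role_auth_mode:
        return i.role_auth_mode
    if i.port_auth_mode_vsa:
        return i.port_auth_mode_vsa
    # Without multidomain in the CLI or in the Port-Auth-Mode VSA the port stays
    # in its CLI mode (client by default), even if a traffic-class VSA is present.
    return i.port_cli_mode


def resolve_client_class(i: AuthInputs) -> str:
    # device-traffic-class in the role overrides the Aruba-Device-Traffic-Class VSA.
    if i.role_traffic_class == VOICE:
        return VOICE
    if i.traffic_class_vsa == TRAFFIC_CLASS_VOICE:
        return VOICE
    # Neither configured: the switch treats the client as a data client only.
    return DATA


def resolve(i: AuthInputs) -> Tuple[str, str]:
    """Return (port mode, client type) for one authentication attempt."""
    return resolve_port_mode(i), resolve_client_class(i)
```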