Pre-authentication role

The pre-authentication (pre-auth) role allows a device, such as an IP phone, to have network access before the device is authenticated. The pre-auth role is triggered when a MAC-based client is connected to a switch before being authenticated by the RADIUS server. A device must be assigned a VLAN to have network connectivity. Two new VLANs are created for pre-auth role functionality, one for voice traffic and one for data traffic. Pre-auth role VLANs can be configured on the switch individually or within a user-role.

Devices that can be connected to the switch without authentication are divided into two categories:
  • Devices that send voice traffic.

  • Devices that send data traffic.


A port can be configured with either pre-auth role VLANs (voice, data, or both) or a pre-auth role. A pre-auth VLAN and a pre-auth role cannot both be configured on the same interface. Initial traffic on the port is restricted only by the Access Control Lists (ACLs) configured for the port or for the VLANs, or by the ACLs in the role.
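
Because unauthenticated traffic is limited only by those ACLs, it is worth auditing which ports grant pre-auth access without one. The following is an added example, not vendor code: it checks a hypothetical port inventory for the two conditions described above. The data model, field names, and sample values are assumptions, as is the reading that a port ACL or role ACL covers the whole port while a VLAN ACL covers only its own VLAN.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical inventory model; field names are assumptions, not switch CLI keywords.
@dataclass
class Role:
    name: str
    acl: Optional[str] = None
    vlans: tuple = ()                  # pre-auth VLANs configured within the role

@dataclass
class Port:
    name: str
    port_acl: Optional[str] = None
    voice_vlan: Optional[int] = None   # pre-auth voice VLAN set directly on the port
    data_vlan: Optional[int] = None    # pre-auth data VLAN set directly on the port
    role: Optional[Role] = None        # pre-auth role set on the port

def audit_port(port, vlan_acls):
    """Return findings for one port; vlan_acls maps VLAN id -> ACL name."""
    findings = []
    direct = [v for v in (port.voice_vlan, port.data_vlan) if v is not None]
    if direct and port.role:
        findings.append("conflict: pre-auth VLAN and pre-auth role on same interface")
    if not direct and not port.role:
        return findings                # no pre-auth access on this port
    vlans = direct + (list(port.role.vlans) if port.role else [])
    covered = bool(port.port_acl) or bool(port.role and port.role.acl)
    open_vlans = [v for v in vlans if not vlan_acls.get(v)]
    if not covered and (open_vlans or not vlans):
        findings.append(f"unrestricted: no ACL on port or role; VLANs without ACL: {open_vlans}")
    return findings

def audit(ports, vlan_acls):
    report = {}
    for port in ports:
        findings = audit_port(port, vlan_acls)
        if findings:
            report[port.name] = findings   # clean ports are omitted
    return report

# Constructed sample data (not taken from a real switch).
VLAN_ACLS = {100: "voice-only"}        # VLAN 200 has no ACL
PORTS = [
    Port("1/1", voice_vlan=100, data_vlan=200),
    Port("1/2", voice_vlan=100, role=Role("phones", acl="preauth-limit")),
    Port("1/3", role=Role("phones", acl="preauth-limit")),
    Port("1/4"),
]
```

Calling `audit(PORTS, VLAN_ACLS)` on the sample reports port 1/1 as unrestricted on VLAN 200 and port 1/2 as a VLAN/role conflict; ports 1/3 and 1/4 produce no findings.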