Filter
Top Products
29-11
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
article at the URL:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0703.asp,
and set the SupplicantMode registry to 3 and the AuthMode registry to 1.
The client uses EAP to authenticate itself with the RADIUS server. The switch relays EAP packets
between the client and the RADIUS server.
After the client is authenticated, the switch sends accounting-request packets to the RADIUS server,
which responds with accounting-response packets to acknowledge the receipt of the request.
A RADIUS accounting-request packet contains one or more Attribute-Value pairs to report various
events and related information to the RADIUS server. The following events are tracked:
• User successfully authenticates
• User logs-off
• Link-down occurs on a 802.1X port
• Reauthentication succeeds
• Reauthentication fails
When the port state transitions between authorized and unauthorized, the RADIUS messages are
transmitted to the RADIUS server.
The switch does not log any accounting information. Instead, it sends such information to the RADIUS
server, which must be configured to log accounting messages.
The 802.1X authentication, authorization and accounting process is as follows:
Step 1 A user connects to a port on the switch.
Step 2 Authentication is performed, for example, using the username/password method.
Step 3 VLAN assignment is enabled, as appropriate, per RADIUS server configuration.
Step 4 The switch sends a start message to an accounting server.
Step 5 Reauthentication is performed, as necessary.
Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of
reauthentication.
Step 7 The user disconnects from the port.
Step 8 The switch sends a stop message to the accounting server.
To configure 802.1X accounting, you need to do the following tasks:
• Enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server’s
Network Configuration tab.
• Enable “Logging>CVS RADIUS Accounting” in your RADIUS server System Configuration tab.
• Enable 802.1X accounting on your switch.
• Enable AAA accounting by using the aaa system accounting command. Refer to the “Enabling
802.1X Accounting” section on page 29-19.
Enabling AAA system accounting along with 802.1X accounting allows system reload events to be sent
to the accounting RADIUS server for logging. By doing this, the accounting RADIUS server can infer
that all active 802.1X sessions are appropriately closed.