RackSwitch G8000 Application Guide

Supported RADIUS attributes

The G8000 802.1X Authenticator relies on external RADIUS servers for authentication with EAP. Table 2 lists the RADIUS attributes that are supported as part of RADIUS-EAP authentication based on the guidelines specified in Annex D of the 802.1X standard and RFC 3580.

Table 2 Support for RADIUS Attributes

| # | Attribute | Attribute Value | A-R | A-A | A-C | A-R |
|---|-----------|-----------------|-----|-----|-----|-----|
| 1 | User-Name | The value of the Type-Data field from the supplicant's EAP-Response/Identity message. If the Identity is unknown (i.e. Type-Data field is zero bytes in length), this attribute will have the same value as the Calling-Station-Id. | 1 | 0-1 | 0 | 0 |
| 4 | NAS-IP-Address | IP address of the authenticator used for RADIUS communication. | 1 | 0 | 0 | 0 |
| 5 | NAS-Port | Port number of the authenticator port to which the supplicant is attached. | 1 | 0 | 0 | 0 |
| 24 | State | Server-specific value. This is sent unmodified back to the server in an Access-Request that is in response to an Access-Challenge. | 0-1 | 0-1 | 0-1 | 0 |
| 30 | Called-Station-ID | The MAC address of the authenticator encoded as an ASCII string in canonical format, e.g. 000D5622E39F. | 1 | 0 | 0 | 0 |
| 31 | Calling-Station-ID | The MAC address of the supplicant encoded as an ASCII string in canonical format, e.g. 00034B436206. | 1 | 0 | 0 | 0 |
| 79 | EAP-Message | Encapsulated EAP packets from the supplicant to the authentication server (RADIUS) and vice-versa. The authenticator relays the decoded packet to both devices. | 1+ | 1+ | 1+ | 1+ |
| 80 | Message-Authenticator | Always present whenever an EAP-Message attribute is also included. Used to integrity-protect a packet. | 1 | 1 | 1 | 1 |
| 87 | NAS-Port-ID | Name assigned to the authenticator port, e.g. Server1_Port3 | 1 | 0 | 0 | 0 |

Legend:

RADIUS Packet Types: A-R (Access-Request), A-A (Access-Accept), A-C (Access-Challenge), A-R (Access-Reject)

RADIUS Attribute Support:

0 This attribute MUST NOT be present in a packet.

0+ Zero or more instances of this attribute MAY be present in a packet.

0-1 Zero or one instance of this attribute MAY be present in a packet.

1 Exactly one instance of this attribute MUST be present in a packet.

1+ One or more of these attributes MUST be present.
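The following Python sketch is an added example, not code from the manual or from the switch firmware. It checks an Access-Request against the Access-Request column of Table 2 and verifies attribute 80 as HMAC-MD5 over the packet with the attribute value zeroed (the RFC 3579 computation). The function names, shared secret, user name, NAS address and port number are constructed assumptions, and rejecting a packet whose Length field differs from its size is a choice made for this example.

```python
import hashlib
import hmac
import struct

# Table 2, first A-R (Access-Request) column: type -> (min, max); None = no limit.
ACCESS_REQUEST_RULES = {1: (1, 1), 4: (1, 1), 5: (1, 1), 24: (0, 1), 30: (1, 1),
                        31: (1, 1), 79: (1, None), 80: (1, 1), 87: (1, 1)}

def build_access_request(ident, req_auth, attrs, secret):
    """Build an Access-Request (code 1) and fill in Message-Authenticator (80)."""
    tlvs = attrs + [(80, bytes(16))]  # type 80 is zeroed while the HMAC is computed
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in tlvs)
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def parse_attrs(packet):
    """Return [(type, value, value_offset)] for each attribute in the packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    out, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((packet[pos], packet[pos + 2:pos + alen], pos + 2))
        pos += alen
    return out

def check_access_request(packet, secret):
    """Return violations of the Table 2 counts and of the type 80 integrity check."""
    attrs, problems = parse_attrs(packet), []
    for t, (lo, hi) in ACCESS_REQUEST_RULES.items():
        n = sum(1 for a in attrs if a[0] == t)
        if n < lo or (hi is not None and n > hi):
            problems.append("attribute %d appears %d times" % (t, n))
    for t, value, off in attrs:
        if t == 80:  # a value of the wrong length also fails the comparison
            zeroed = packet[:off] + bytes(len(value)) + packet[off + len(value):]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(expected, value):
                problems.append("Message-Authenticator mismatch")
    return problems

# Constructed sample; only the two MAC strings and the port name come from Table 2.
SECRET = b"constructed-secret"
SAMPLE = build_access_request(7, bytes(range(16)), [
    (1, b"alice"), (4, bytes([192, 0, 2, 10])), (5, struct.pack("!I", 3)),
    (30, b"000D5622E39F"), (31, b"00034B436206"), (87, b"Server1_Port3"),
    (79, bytes([2, 1, 0, 10, 1]) + b"alice")], SECRET)
```

`check_access_request(SAMPLE, SECRET)` returns an empty list; changing any byte after the packet was built, or checking with a different secret, yields a Message-Authenticator mismatch.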

44 - Chapter 2: Port-based Network Access Control

BMD00041, November 2008
