Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

IEEE 802.1x Accounting

The IEEE 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1x accounting is disabled by default. You can enable IEEE 802.1x accounting to monitor this activity on IEEE 802.1x-enabled ports:

• User successfully authenticates.
• User logs off.
• Link-down occurs.
• Re-authentication successfully occurs.
• Re-authentication fails.

The switch does not log IEEE 802.1x accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.

IEEE 802.1x Accounting Attribute-Value Pairs

The information sent to the RADIUS server is represented in the form of Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)

AV pairs are automatically sent by a switch that is configured for IEEE 802.1x accounting. Three types of RADIUS accounting packets are sent by a switch:

• START: sent when a new user session starts
• INTERIM: sent during an existing session for updates
• STOP: sent when a session terminates

Table 10-1 lists the AV pairs and when they are sent by the switch:

Table 10-1 Accounting AV Pairs

Attribute Number   AV Pair Name         START    INTERIM      STOP
----------------   ------------------   ------   ----------   ----------
Attribute[1]       User-Name            Always   Always       Always
Attribute[4]       NAS-IP-Address       Always   Always       Always
Attribute[5]       NAS-Port             Always   Always       Always
Attribute[8]       Framed-IP-Address    Never    Sometimes¹   Sometimes¹
Attribute[25]      Class                Always   Always       Always
Attribute[30]      Called-Station-ID    Always   Always       Always
Attribute[31]      Calling-Station-ID   Always   Always       Always
Attribute[40]      Acct-Status-Type     Always   Always       Always
Attribute[41]      Acct-Delay-Time      Always   Always       Always
Attribute[42]      Acct-Input-Octets    Never    Never        Always
Attribute[43]      Acct-Output-Octets   Never    Never        Always
Attribute[44]      Acct-Session-ID      Always   Always       Always
Attribute[45]      Acct-Authentic       Always   Always       Always
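
The following Python code is an added example, not code from the Cisco guide: it parses a RADIUS Accounting-Request as the RADIUS server would receive it and reports attributes that deviate from Table 10-1 for the packet's Acct-Status-Type. The packet layout and the Acct-Status-Type values (1 Start, 2 Stop, 3 Interim-Update) are taken from RFC 2865, RFC 2866 and RFC 2869; the function names and sample values are constructed for illustration, and the Request Authenticator is not verified.

```python
import struct
# Table 10-1 rows: (number, name, flags for START/INTERIM/STOP); A=Always, N=Never, S=Sometimes
TABLE_10_1 = [
    (1, "User-Name", "AAA"), (4, "NAS-IP-Address", "AAA"),
    (5, "NAS-Port", "AAA"), (8, "Framed-IP-Address", "NSS"),
    (25, "Class", "AAA"), (30, "Called-Station-ID", "AAA"),
    (31, "Calling-Station-ID", "AAA"), (40, "Acct-Status-Type", "AAA"),
    (41, "Acct-Delay-Time", "AAA"), (42, "Acct-Input-Octets", "NNA"),
    (43, "Acct-Output-Octets", "NNA"), (44, "Acct-Session-ID", "AAA"),
    (45, "Acct-Authentic", "AAA")]
STATUS_COLUMN = {1: 0, 3: 1, 2: 2}  # Acct-Status-Type Start, Interim-Update, Stop -> flag index

def build_request(attrs):
    """Encode {number: bytes} as an Accounting-Request (code 4, zeroed authenticator)."""
    body = b"".join(bytes([n, len(v) + 2]) + v for n, v in attrs.items())
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return {number: raw value} from an Accounting-Request; ValueError if malformed."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if packet[:1] != b"\x04" or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20  # attributes follow the 20-byte header as type/length/value
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def check_against_table(packet):
    """List where a packet deviates from Table 10-1 for its Acct-Status-Type."""
    attrs = parse_attributes(packet)
    raw = attrs.get(40, b"")
    if len(raw) != 4 or int.from_bytes(raw, "big") not in STATUS_COLUMN:
        raise ValueError("Acct-Status-Type missing or not Start/Interim-Update/Stop")
    col, problems = STATUS_COLUMN[int.from_bytes(raw, "big")], []
    for number, name, flags in TABLE_10_1:
        if flags[col] == "A" and number not in attrs:
            problems.append("missing " + name)
        elif flags[col] == "N" and number in attrs:
            problems.append("unexpected " + name)
    return problems

def sample_attrs(status):  # constructed values for the attributes sent in every packet type
    u32 = lambda n: n.to_bytes(4, "big")
    return {1: b"alice", 4: bytes([192, 0, 2, 1]), 5: u32(50101), 25: b"grp",
            30: b"00-00-5E-00-53-01", 31: b"00-00-5E-00-53-02", 40: u32(status),
            41: u32(0), 44: b"00000001", 45: u32(1)}
```

Attributes marked Sometimes (Framed-IP-Address) are accepted whether present or absent.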


Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02