Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

Table 10-1    Accounting AV Pairs (continued)

Attribute Number   AV Pair Name           START    INTERIM   STOP
Attribute[46]      Acct-Session-Time      Never    Never     Always
Attribute[49]      Acct-Terminate-Cause   Never    Never     Always
Attribute[61]      NAS-Port-Type          Always   Always    Always

1. The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Configuration Protocol (DHCP) binding exists for the host in the DHCP snooping binding table.

You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a00800872ce.html

For more information about AV pairs, see RFC 3580, “IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.”
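The following is an added example, not code from the configuration guide or from Cisco IOS. It builds the Accounting-Request records a switch would send at session START, INTERIM and STOP with the attributes from Table 10-1, then checks a received record against that table and against the RFC 2866 Request Authenticator, which is what a collector should verify before trusting an accounting record. The shared secret, session identifier, NAS values and the function names (avp, build_accounting_request, check_record) are constructed for the demonstration.

```python
"""RADIUS Accounting-Request records for an 802.1x session.

Added example, not code from the Catalyst configuration guide. Framing and
authenticator follow RFC 2866; attribute numbers follow RFC 2865/2866.
The secret, session id and NAS values used in the demo are constructed.
"""
import hashlib
import struct

ACCOUNTING_REQUEST = 4          # RADIUS Code for Accounting-Request

# Attribute numbers used here.
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46
ACCT_TERMINATE_CAUSE = 49
NAS_PORT_TYPE = 61

START, STOP, INTERIM = 1, 2, 3  # Acct-Status-Type values (RFC 2866)
NAS_PORT_TYPE_ETHERNET = 15     # NAS-Port-Type value for a switch port
TERMINATE_USER_REQUEST = 1      # Acct-Terminate-Cause value (RFC 2866)

# Presence rules from Table 10-1: Acct-Session-Time and Acct-Terminate-Cause
# only in STOP, NAS-Port-Type in every record.
REQUIRED = {
    START: {NAS_PORT_TYPE},
    INTERIM: {NAS_PORT_TYPE},
    STOP: {NAS_PORT_TYPE, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE},
}
STOP_ONLY = {ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE}


def avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; ints become 4-byte big-endian."""
    data = struct.pack(">I", value) if isinstance(value, int) else value
    return bytes((attr_type, 2 + len(data))) + data


def build_accounting_request(ident, secret, status, session_id,
                             session_time=None, cause=None):
    """Build an Accounting-Request. Request Authenticator =
    MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)."""
    attrs = (avp(ACCT_STATUS_TYPE, status)
             + avp(ACCT_SESSION_ID, session_id)
             + avp(NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET))
    if status == STOP:
        if session_time is None or cause is None:
            raise ValueError("STOP needs Acct-Session-Time and Acct-Terminate-Cause")
        attrs += avp(ACCT_SESSION_TIME, session_time) + avp(ACCT_TERMINATE_CAUSE, cause)
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(packet):
    """Decode the attribute list into {type: raw value}; rejects bad lengths."""
    _code, _ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def verify_authenticator(packet, secret):
    """Recompute the Request Authenticator; a mismatch means the record was
    forged, altered in transit, or sent with the wrong shared secret."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return packet[4:20] == expected


def check_record(packet, secret):
    """Return (status, problems). problems lists authenticator failure and any
    attribute-presence violation against Table 10-1."""
    problems = []
    if not verify_authenticator(packet, secret):
        problems.append("bad Request Authenticator")
    attrs = parse_attributes(packet)
    status = struct.unpack(">I", attrs[ACCT_STATUS_TYPE])[0]
    present = set(attrs)
    for missing in sorted(REQUIRED[status] - present):
        problems.append("missing attribute %d" % missing)
    if status != STOP:
        for extra in sorted(STOP_ONLY & present):
            problems.append("attribute %d not expected in non-STOP record" % extra)
    return status, problems


if __name__ == "__main__":
    secret = b"constructed-secret"          # constructed for the demo
    start = build_accounting_request(5, secret, START, b"0000001A")
    stop = build_accounting_request(7, secret, STOP, b"0000001A",
                                    session_time=3600, cause=TERMINATE_USER_REQUEST)
    print(check_record(start, secret), check_record(stop, secret))
```

The attribute bytes that `debug radius accounting` prints on the switch can be compared against what `check_record` expects for each record type. The authenticator check matters because accounting records carry no other integrity protection: without it, anything that can reach UDP/1813 on the server can inject STOP records and close sessions in the accounting log.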

Using IEEE 802.1x Authentication with VLAN Assignment

The switch supports IEEE 802.1x authentication with VLAN assignment. After successful IEEE 802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users.

When configured on the switch and the RADIUS server, IEEE 802.1x authentication with VLAN assignment has these characteristics:

If no VLAN is supplied by the RADIUS server or if IEEE 802.1x authentication is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN assigned to an access port. All packets sent from or received on this port belong to this VLAN.

If IEEE 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid, the port returns to the unauthorized state and remains in the configured access VLAN. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error.

Configuration errors could include specifying a VLAN for a routed port, a malformed VLAN ID, a nonexistent or internal (routed port) VLAN ID, or an attempted assignment to a voice VLAN ID.

If IEEE 802.1x authentication is enabled and all information from the RADIUS server is valid, the port is placed in the specified VLAN after authentication.

If the multiple-hosts mode is enabled on an IEEE 802.1x port, all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host.

If IEEE 802.1x authentication and port security are enabled on a port, the port is placed in the RADIUS server-assigned VLAN.

If IEEE 802.1x authentication is disabled on the port, it is returned to the configured access VLAN.

When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into the configured access VLAN.
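The decision described above, as an added example that is not code from the configuration guide or from Cisco IOS: it decodes the VLAN assignment from the RFC 3580 tunnel attributes in an Access-Accept (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=VLAN ID, tagged per RFC 2868) and applies the rules listed here, rejecting a malformed, nonexistent, internal or voice VLAN ID and any assignment to a routed port, falling back to the access VLAN when no VLAN is supplied, and keeping later hosts on a multiple-hosts port in the first host's VLAN. The Switch and Port classes, the sample VLAN database and the function names are constructed for the demonstration; the model only handles a numeric VLAN ID, not a VLAN name.

```python
"""Model of the 802.1x VLAN-assignment decision described in this section.

Added example, not code from the configuration guide or from Cisco IOS.
Attribute numbers and values are from RFC 2868 and RFC 3580 section 3.31;
the Switch/Port classes and the sample VLAN database are constructed.
"""
from dataclasses import dataclass

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


@dataclass
class Switch:
    vlans: set            # VLAN IDs present in the VLAN database
    internal_vlans: set   # VLAN IDs allocated internally to routed ports


@dataclass
class Port:
    access_vlan: int
    routed: bool = False
    voice_vlan: int = None
    multi_host: bool = False
    authorized: bool = False   # set after the first successful authentication
    current_vlan: int = None


def vlan_attributes(vlan_id, tag=1):
    """The three attributes a RADIUS server sends to assign a VLAN (RFC 3580)."""
    return [
        (TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")),
    ]


def vlan_from_attributes(attrs):
    """attrs: list of (type, raw value) from an Access-Accept.
    Returns None if no VLAN was supplied, the VLAN ID otherwise; raises
    ValueError when the assignment is malformed."""
    groups = {}  # RFC 2868 tag -> {attribute type: decoded value}
    for atype, raw in attrs:
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet of 0x00..0x1F is a tag; otherwise it is data.
            tag, body = (raw[0], raw[1:]) if raw and raw[0] <= 0x1F else (0, raw)
            groups.setdefault(tag, {})[atype] = body
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(raw) != 4:
                raise ValueError("tunnel attribute %d must be 4 octets" % atype)
            groups.setdefault(raw[0], {})[atype] = int.from_bytes(raw[1:], "big")
    if not any(TUNNEL_PRIVATE_GROUP_ID in g for g in groups.values()):
        return None
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            text = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
            if not text.isdigit() or not 1 <= int(text) <= 4094:
                raise ValueError("Tunnel-Private-Group-ID %r is not a VLAN ID" % text)
            return int(text)
    raise ValueError("Tunnel-Private-Group-ID without matching VLAN Tunnel-Type/Medium-Type")


def authorize(switch, port, attrs):
    """Decide the port's VLAN after a successful 802.1x exchange.
    Returns (authorized, vlan). An invalid assignment leaves the port
    unauthorized in its configured access VLAN."""
    if port.multi_host and port.authorized:
        # Multiple-hosts mode: later hosts share the first host's VLAN.
        return True, port.current_vlan
    try:
        vlan = vlan_from_attributes(attrs)
        if vlan is not None:
            if port.routed:
                raise ValueError("VLAN assignment on a routed port")
            if vlan not in switch.vlans or vlan in switch.internal_vlans:
                raise ValueError("VLAN %d does not exist or is internal" % vlan)
            if vlan == port.voice_vlan:
                raise ValueError("VLAN %d is the port's voice VLAN" % vlan)
    except ValueError:
        port.authorized, port.current_vlan = False, port.access_vlan
        return False, port.access_vlan
    port.authorized = True
    port.current_vlan = port.access_vlan if vlan is None else vlan
    return True, port.current_vlan


if __name__ == "__main__":
    sw = Switch(vlans={1, 10, 20, 99, 1006}, internal_vlans={1006})  # constructed
    print(authorize(sw, Port(access_vlan=10, voice_vlan=99), vlan_attributes(20)))
    print(authorize(sw, Port(access_vlan=10, voice_vlan=99), vlan_attributes(99)))
```

The fall-through behaviour is the security-relevant part: a server misconfiguration (or a tampered reply) naming a VLAN that does not exist on this switch leaves the client unauthorized rather than landing it in VLAN 1 or some other default, which is why the text stresses that the port "remains in the configured access VLAN" in the unauthorized state.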

 

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

10-10

OL-9775-02
