29-10
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
Note The supplicant on the port detects that its session has been terminated and attempts to initiate a new
session. Unless the authentication server treats this new session differently, the client may see only a
brief interruption in network connectivity as the switch sets up a new session.
If the switch is configured to use the RADIUS-supplied timeout, but the Access-Accept message does
not include a Session-Timeout attribute, the switch never reauthenticates the supplicant. This behavior
is consistent with Cisco's wireless access points.
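The check below is an added example, not code from this guide or from Cisco. It parses a RADIUS Access-Accept packet (RFC 2865 layout) and reports whether it carries a Session-Timeout attribute, which is the case the paragraph above describes as leading to no reauthentication. The function names and the sample packets are constructed for illustration, and the sample packets use a zeroed authenticator field.

```python
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code for Access-Accept (RFC 2865)
USER_NAME = 1          # attribute type, used only in the constructed samples
SESSION_TIMEOUT = 27   # attribute type, 4-byte unsigned integer of seconds
HEADER_LEN = 20        # code(1) + identifier(1) + length(2) + authenticator(16)

def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError on malformed input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def reauth_interval(packet):
    """Seconds from Session-Timeout, or None when the Access-Accept omits it."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    for a_type, value in attrs:
        if a_type == SESSION_TIMEOUT:
            if len(value) != 4:
                raise ValueError("Session-Timeout must be 4 bytes")
            return struct.unpack("!I", value)[0]
    return None  # RADIUS-supplied timeout configured, but none was supplied

def build_accept(attrs):
    """Build a constructed sample Access-Accept (zeroed authenticator, not valid on the wire)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, 1, HEADER_LEN + len(body))
    return header + bytes(16) + body

# Constructed samples: one reply with a 3600-second Session-Timeout, one without.
WITH_TIMEOUT = build_accept([(USER_NAME, b"alice"),
                             (SESSION_TIMEOUT, struct.pack("!I", 3600))])
WITHOUT_TIMEOUT = build_accept([(USER_NAME, b"alice")])

if __name__ == "__main__":
    for name, pkt in (("with", WITH_TIMEOUT), ("without", WITHOUT_TIMEOUT)):
        print(name, "Session-Timeout ->", reauth_interval(pkt))
```

A result of `None` for a port configured to use the server-supplied timeout identifies the replies that leave a supplicant authorized without periodic reauthentication.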
Using 802.1X with RADIUS Accounting
802.1X RADIUS accounting relays important events to the RADIUS server (such as the client’s
connection session). This session is defined as the time between when the client is authorized to
use the port and when the client stops using the port.
Figure 29-3 shows the 802.1X device roles.
Figure 29-3 RADIUS Accounting
[Figure: message sequence among the Client Workstation (Supplicant), the Catalyst 4500 Network Access Switch (Authenticator), and the RADIUS Authentication server. Port states shown: Port Unauthorized, Port Authorized. Supplicant-to-authenticator messages: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/OTP, EAP-Response/OTP, EAP-Success, EAPOL-Logoff. Authenticator-to-server messages: RADIUS Access-Request, RADIUS Access-Challenge, RADIUS Access-Request, RADIUS Access-Accept, RADIUS Account-Request (start), RADIUS Account-Response, RADIUS Account-Request (stop), RADIUS Account-Response.]
Note You must configure the 802.1X client to send an EAP-logoff (Stop) message to the switch when the user
logs off. If you do not configure the 802.1X client, an EAP-logoff message is not sent to the switch and
the accompanying accounting Stop message will not be sent to the authentication server. Refer to the
Microsoft Knowledge Base article at the URL: http://support.microsoft.com. Also refer to the Microsoft