10-10
Catalyst 3750 Switch Software Configuration Guide
OL-8550-02
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Table 10-1 lists the AV pairs and when they are sent are sent by the switch:
You can view the AV pairs that are being sent by the switch by entering the debug radius accounting
privileged EXEC command. For more information about this command, see the Cisco IOS Debug
Command Reference, Release 12.2 at this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a008
00872ce.html
For more information about AV pairs, see RFC 3580, “IEEE 802.1X Remote Authentication Dial In User
Service (RADIUS) Usage Guidelines.”
Using IEEE 802.1x Authentication with VLAN Assignment
Before Cisco IOS Release 12.1(14)EA1, when an IEEE 802.1x port was authenticated, it was authorized
to be in the access VLAN configured on the port even if the RADIUS server returned an authorized
VLAN from its database. Recall that an access VLAN is a VLAN assigned to an access port. All packets
sent from or received on this port belong to this VLAN.
However, with Cisco IOS Release 12.1(14)EA1 and later releases, the switch supports IEEE 802.1x
authentication with VLAN assignment. After successful IEEE 802.1x authentication of a port, the
RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database
maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client
connected to the switch port. You can use this feature to limit network access for certain users.
Table 10-1 Accounting AV Pairs
Attribute Number AV Pair Name START INTERIM STOP
Attribute[1] User-Name Always Always Always
Attribute[4] NAS-IP-Address Always Always Always
Attribute[5] NAS-Port Always Always Always
Attribute[8] Framed-IP-Address Never Sometimes
1
1. The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Control Protocol (DHCP) binding
exists for the host in the DHCP snooping bindings table.
Sometimes
1
Attribute[25] Class Always Always Always
Attribute[30] Called-Station-ID Always Always Always
Attribute[31] Calling-Station-ID Always Always Always
Attribute[40] Acct-Status-Type Always Always Always
Attribute[41] Acct-Delay-Time Always Always Always
Attribute[42] Acct-Input-Octets Never Never Always
Attribute[43] Acct-Output-Octets Never Never Always
Attribute[44] Acct-Session-ID Always Always Always
Attribute[45] Acct-Authentic Always Always Always
Attribute[46] Acct-Session-Time Never Never Always
Attribute[49] Acct-Terminate-Cause Never Never Always
Attribute[61] NAS-Port-Type Always Always Always
To Next Page
Loading...
Need help?
General
