Cisco Systems 3560X Manual De Usuario
11-14
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
You can view the AV pairs that are being sent by the switch by entering the debug radius accounting
privileged EXEC command. For more information about this command, see the Cisco IOS Debug
Command Reference, Release 12.2
privileged EXEC command. For more information about this command, see the Cisco IOS Debug
Command Reference, Release 12.2
at this URL:
For more information about AV pairs, see RFC 3580, “IEEE 802.1x Remote Authentication Dial In User
Service (RADIUS) Usage Guidelines.”
Service (RADIUS) Usage Guidelines.”
802.1x Readiness Check
The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information
about the devices connected to the ports that support 802.1x. You can use this feature to determine if the
devices connected to the switch ports are 802.1x-capable. You use an alternate authentication such as
MAC authentication bypass or web authentication for the devices that do not support 802.1x
functionality.
about the devices connected to the ports that support 802.1x. You can use this feature to determine if the
devices connected to the switch ports are 802.1x-capable. You use an alternate authentication such as
MAC authentication bypass or web authentication for the devices that do not support 802.1x
functionality.
This feature only works if the supplicant on the client supports a query with the NOTIFY EAP
notification packet. The client must respond within the 802.1x timeout value.
notification packet. The client must respond within the 802.1x timeout value.
For information on configuring the switch for the 802.1x readiness check, see the
Table 11-3
Accounting AV Pairs
Attribute Number
AV Pair Name
START
INTERIM
STOP
Attribute[1]
User-Name
Always
Always
Always
Attribute[4]
NAS-IP-Address
Always
Always
Always
Attribute[5]
NAS-Port
Always
Always
Always
Attribute[8]
Framed-IP-Address
Never
Sometimes
1
1. The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Control Protocol (DHCP) binding
exists for the host in the DHCP snooping bindings table.
Sometimes
1
Attribute[25]
Class
Always
Always
Always
Attribute[30]
Called-Station-ID
Always
Always
Always
Attribute[31]
Calling-Station-ID
Always
Always
Always
Attribute[40]
Acct-Status-Type
Always
Always
Always
Attribute[41]
Acct-Delay-Time
Always
Always
Always
Attribute[42]
Acct-Input-Octets
Never
Always
Always
Attribute[43]
Acct-Output-Octets
Never
Always
Always
Attribute[44]
Acct-Session-ID
Always
Always
Always
Attribute[45]
Acct-Authentic
Always
Always
Always
Attribute[46]
Acct-Session-Time
Never
Always
Always
Attribute[49]
Acct-Terminate-Cause
Never
Never
Always
Attribute[61]
NAS-Port-Type
Always
Always
Always