IBM 12.1(22)EA6 User's Manual

Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide
24R9746
Chapter 6      Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
For more information about AV pairs, see RFC 3580, “IEEE 802.1X Remote Authentication Dial In User 
Service (RADIUS) Usage Guidelines.”
IEEE 802.1x Host Mode
You can configure an IEEE 802.1x port for single-host or for multiple-hosts mode. In single-host mode 
(see 
), only one client can be connected to the IEEE 802.1x-enabled switch port. 
The switch detects the client by sending an EAPOL frame when the port link state changes to the up 
state. If a client leaves or is replaced with another client, the switch changes the port link state to down, 
and the port returns to the unauthorized state.
In multiple-hosts mode, you can attach multiple hosts to a single IEEE 802.1x-enabled port. 
 shows IEEE 802.1x port-based authentication in a wireless LAN. In this mode, only one of 
the attached clients must be authorized for all clients to be granted network access. If the port becomes 
unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies 
network access to all of the attached clients. In this topology, the wireless access point is responsible for 
authenticating the clients attached to it, and it also acts as a client to the switch.
With the multiple-hosts mode enabled, you can use IEEE 802.1x to authenticate the port and port 
security to manage network access for all MAC addresses, including that of the client.
Table 6-1  Accounting AV Pairs

Attribute Number  AV Pair Name          START   INTERIM        STOP
Attribute[1]      User-Name             Always  Always         Always
Attribute[4]      NAS-IP-Address        Always  Always         Always
Attribute[5]      NAS-Port              Always  Always         Always
Attribute[8]      Framed-IP-Address     Never   Sometimes (1)  Sometimes (1)
Attribute[25]     Class                 Always  Always         Always
Attribute[30]     Called-Station-ID     Always  Always         Always
Attribute[31]     Calling-Station-ID    Always  Always         Always
Attribute[40]     Acct-Status-Type      Always  Always         Always
Attribute[41]     Acct-Delay-Time       Always  Always         Always
Attribute[42]     Acct-Input-Octets     Never   Never          Always
Attribute[43]     Acct-Output-Octets    Never   Never          Always
Attribute[44]     Acct-Session-ID       Always  Always         Always
Attribute[45]     Acct-Authentic        Always  Always         Always
Attribute[46]     Acct-Session-Time     Never   Never          Always
Attribute[49]     Acct-Terminate-Cause  Never   Never          Always
Attribute[61]     NAS-Port-Type         Always  Always         Always

(1) The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Configuration Protocol (DHCP) binding exists for the host in the DHCP snooping bindings table.
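
The following Python is an added example, not part of the Cisco guide: it parses a RADIUS Accounting-Request and reports where its attributes deviate from Table 6-1, a check that can be run over captured accounting traffic from the switch. The packet layout (RFC 2865) and the Acct-Status-Type values 1 = Start, 2 = Stop, 3 = Interim-Update (RFC 2866) come from the RFCs rather than this page; the function names and the sample-packet builder are constructed for illustration.

```python
import struct

# Added example. Table 6-1 transcribed: attribute number -> AV pair name.
NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
         8: "Framed-IP-Address", 25: "Class", 30: "Called-Station-ID",
         31: "Calling-Station-ID", 40: "Acct-Status-Type",
         41: "Acct-Delay-Time", 42: "Acct-Input-Octets",
         43: "Acct-Output-Octets", 44: "Acct-Session-ID",
         45: "Acct-Authentic", 46: "Acct-Session-Time",
         49: "Acct-Terminate-Cause", 61: "NAS-Port-Type"}
STOP_ONLY = {42, 43, 46, 49}   # Never in START/INTERIM, Always in STOP
DHCP_BOUND = {8}               # Never in START, Sometimes otherwise (footnote 1)
STATUS = {1: "START", 3: "INTERIM", 2: "STOP"}  # Acct-Status-Type, RFC 2866

def parse_attributes(packet):
    """Parse an Accounting-Request (code 4) into {attribute number: value}."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def check_against_table(packet):
    """Return (record type, deviations from Table 6-1) for one packet."""
    attrs = parse_attributes(packet)
    kind = STATUS.get(int.from_bytes(attrs.get(40, b""), "big"))
    if kind is None:
        raise ValueError("missing or unknown Acct-Status-Type")
    findings = []
    for num, name in sorted(NAMES.items()):
        if num in DHCP_BOUND and kind != "START":
            continue  # "Sometimes": depends on a DHCP snooping binding
        must = num not in DHCP_BOUND and (num not in STOP_ONLY or kind == "STOP")
        if must != (num in attrs):
            findings.append(("missing " if must else "unexpected ") + name)
    return kind, findings

def build_request(attrs):
    """Build a constructed sample packet (zeroed authenticator, not validated)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs.items())
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body
```

A STOP record that lacks the octet counters or Acct-Terminate-Cause, or a START record that already carries Framed-IP-Address, shows up as a deviation worth investigating on the switch or the RADIUS server.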