Using 802.1x readiness check – Dell POWEREDGE M1000E User Manual


10-14

Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide

OL-13270-03

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

You can view the AV pairs that are being sent by the switch by entering the debug radius accounting
privileged EXEC command. For more information about this command, see the Cisco IOS Debug
Command Reference, Release 12.2, at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a00800872ce.html

For more information about AV pairs, see RFC 3580, “IEEE 802.1X Remote Authentication Dial In User
Service (RADIUS) Usage Guidelines.”

Using 802.1x Readiness Check

The 802.1x readiness check monitors IEEE 802.1x activity on all the switch ports and displays
information about the devices connected to the ports that support IEEE 802.1x. You can use this feature
to determine whether the devices connected to the switch ports are IEEE 802.1x-capable. For devices
that do not support IEEE 802.1x, use an alternate authentication method such as MAC authentication
bypass or web authentication.

This feature only works if the supplicant on the client supports a query with the NOTIFY EAP
notification packet. The client must respond within the IEEE 802.1x timeout value.

For information on configuring the switch for the 802.1x readiness check, see the “Configuring IEEE
802.1x Authentication” section on page 10-36.

Using IEEE 802.1x Authentication with VLAN Assignment

The switch supports IEEE 802.1x authentication with VLAN assignment. After successful IEEE 802.1x
authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch port.
The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based
on the username of the client connected to the switch port. You can use this feature to limit network
access for certain users.

Voice device authentication is supported. When a voice device is authorized and the RADIUS server
returns an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on
the assigned voice VLAN. Voice VLAN assignment behaves the same as data VLAN assignment on
multidomain authentication (MDA)-enabled ports. For more information, see the “Using Multidomain
Authentication” section on page 10-26.

Table 10-3 Accounting AV Pairs (continued)

Attribute Number   AV Pair Name           START    INTERIM   STOP
Attribute[46]      Acct-Session-Time      Never    Never     Always
Attribute[49]      Acct-Terminate-Cause   Never    Never     Always
Attribute[61]      NAS-Port-Type          Always   Always    Always

1. The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Configuration Protocol (DHCP)
binding exists for the host in the DHCP snooping bindings table.
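The following Python example is added here and is not part of the Cisco guide. It parses a RADIUS Accounting-Request and reports any deviation from the three rows of Table 10-3 shown on this page, which is a useful sanity check when reviewing accounting records collected from the switch. The packet layout and Acct-Status-Type values are taken from RFC 2865 and RFC 2866; the function names are hypothetical and the sample packets are constructed.

```python
import struct

# The three rows of Table 10-3 shown on this page: number -> (name, rule per record type)
TABLE_10_3 = {
    46: ("Acct-Session-Time", {"START": "Never", "INTERIM": "Never", "STOP": "Always"}),
    49: ("Acct-Terminate-Cause", {"START": "Never", "INTERIM": "Never", "STOP": "Always"}),
    61: ("NAS-Port-Type", {"START": "Always", "INTERIM": "Always", "STOP": "Always"}),
}
STATUS = {1: "START", 2: "STOP", 3: "INTERIM"}  # Acct-Status-Type (attribute 40), RFC 2866

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute number: value} from an Accounting-Request (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20  # the 16-byte authenticator is skipped, not verified
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def check_record(packet: bytes) -> list:
    """List deviations from Table 10-3 for one accounting record."""
    attrs = parse_attributes(packet)
    kind = STATUS.get(int.from_bytes(attrs.get(40, b""), "big"))
    if kind is None:
        raise ValueError("missing or unsupported Acct-Status-Type")
    findings = []
    for num, (name, rule) in TABLE_10_3.items():
        if rule[kind] == "Always" and num not in attrs:
            findings.append(f"{kind}: missing {name}")
        elif rule[kind] == "Never" and num in attrs:
            findings.append(f"{kind}: unexpected {name}")
    return findings

def build_sample(status: int, extra: dict) -> bytes:
    """Constructed sample packet (hypothetical helper); authenticator is zeroed."""
    fields = {40: status.to_bytes(4, "big"), **extra}
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in fields.items())
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body

u32 = lambda n: n.to_bytes(4, "big")
# Constructed samples: NAS-Port-Type 15 is Ethernet, Acct-Terminate-Cause 1 is User Request
GOOD_STOP = build_sample(2, {46: u32(120), 49: u32(1), 61: u32(15)})
BAD_START = build_sample(1, {46: u32(5)})  # session time in START, no NAS-Port-Type
```

Calling check_record on a STOP record that carries all three attributes returns an empty list, while a START record that carries Acct-Session-Time and omits NAS-Port-Type returns two findings.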
