802.1X Radius Accounting - Cisco 4500M Software Manual

Chapter 31
Understanding and Configuring 802.1X Port-Based Authentication
These examples describe the interaction between 802.1X and port security on the switch:

• When a client is authenticated and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.

• When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).

• A security violation occurs if an additional host is learned on the port. The action taken depends on which feature (802.1X or port security) detects the security violation:
  – If 802.1X detects the violation, the action is to err-disable the port.
  – If port security detects the violation, the action is to shut down or restrict the port (the action is configurable).

• The following describes when port security and 802.1X security violations occur:
  – In single host mode, after the port is authorized, any MAC address received other than the client's will cause an 802.1X security violation.
  – In single host mode, if installation of an 802.1X client's MAC address fails because port security has already reached its limit (due to configured secure MAC addresses), a port security violation is triggered.
  – In multi host mode, once the port is authorized, any additional MAC addresses that cannot be installed because port security has reached its limit will trigger a port security violation.

• When an 802.1X client logs off, the port transitions back to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then ensues.

• If you administratively shut down the port, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.

• Only 802.1X can remove the client's MAC address from the port security table. Note that in multi host mode, with the exception of the client's MAC address, all MAC addresses that are learned by port security can be deleted using the port security CLIs.

• Whenever port security ages out an 802.1X client's MAC address, 802.1X attempts to reauthenticate the client. Only if the reauthentication succeeds will the client's MAC address be retained in the port security table.

• All of the 802.1X client's MAC addresses are tagged with (dot1x) when you display the port security table by using the CLI.

802.1X RADIUS Accounting

802.1X RADIUS accounting relays important events to the RADIUS server (such as the client's connection session). This session is defined as the difference in time from when the client is authorized to use the port and when the client stops using the port.

Figure 31-3 shows the 802.1X device roles.

Understanding 802.1X Port-Based Authentication
Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
31-7
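The single host and multi host violation rules listed above, as an added example in Python (not Cisco's code and not the switch's implementation): a small model of the secure host table that reports which feature detects a violation and the resulting action. Host modes, limits and MAC addresses are constructed values.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    """One switch port: a constructed model of the 802.1X / port security interaction."""
    host_mode: str                                       # "single" or "multi"
    max_secure: int                                      # port security limit (maximum secure hosts)
    static_macs: Set[str] = field(default_factory=set)   # manually configured secure hosts
    dynamic_macs: Set[str] = field(default_factory=set)  # dynamically learned entries
    client: Optional[str] = None                         # authorized 802.1X client, None if unauthenticated

    def secure_count(self) -> int:
        return len(self.static_macs | self.dynamic_macs)

    def authenticate(self, mac: str) -> str:
        """802.1X authenticates the client and tries to install it in the secure host table."""
        if mac in self.static_macs:              # manually configured: entry is guaranteed
            self.client = mac
            return "authorized"
        if self.secure_count() >= self.max_secure:
            return "port-security violation"     # table already full: port security detects it
        self.dynamic_macs.add(mac)               # this entry is the one shown tagged (dot1x)
        self.client = mac
        return "authorized"

    def learn(self, mac: str) -> str:
        """A further MAC address is seen on the port after authorization."""
        if self.client is None:
            return "port unauthenticated"        # only the post-authorization rules are modelled
        if mac == self.client:
            return "ok"
        if self.host_mode == "single":           # any MAC other than the client's
            return "802.1X violation: err-disable"
        if mac in self.static_macs | self.dynamic_macs:
            return "ok"                          # multi host: already a secure host
        if self.secure_count() >= self.max_secure:
            return "port-security violation: shutdown/restrict"
        self.dynamic_macs.add(mac)
        return "ok"

    def logoff(self) -> None:
        """Client logoff or administrative shutdown: port unauthenticated, dynamic entries cleared."""
        self.client = None
        self.dynamic_macs.clear()
```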