Cisco 4500M Software Manual page 436

Understanding 802.1X Port-Based Authentication
Figure 31-3 Radius Accounting
Client
Workstation
Supplicant
You must configure the 802.1X client to send an EAP-logoff (Stop) message to the switch when the user
Note
logs off. If you do not configure the 802.1X client, an EAP-logoff message is not sent to the switch and
the accompanying accounting Stop message will not be sent to the authentication server. Refer to the
Microsoft Knowledge Base article at the URL: http://support.microsoft.com. Also refer to the Microsoft
article at the URL:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0703.asp,
and set the SupplicantMode registry to 3 and the AuthMode registry to 1.
The client uses EAP to authenticate itself with the RADIUS server. The switch relays EAP packets
between the client and the RADIUS server.
After the client is authenticated, the switch sends accounting-request packets to the RADIUS server,
which responds with accounting-response packets to acknowledge the receipt of the request.
A RADIUS accounting-request packet contains one or more Attribute-Value pairs to report various
events and related information to the RADIUS server. The following events are tracked:
User successfully authenticates
•
User logs-off
•
Link-down occurs on a 802.1X port
•
Reauthentication succeeds
•
• Reauthentication fails
Software Configuration Guide—Release 12.2(25)EW
31-8
Catalyst 4500 Network
Access Switch
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity
EAP-Request/OTP
EAP-Response/OTP
EAP-Success
Port Authorized
EAPOL-Logoff
Port Unauthorized
Authenticator
Chapter 31 Understanding and Configuring 802.1X Port-Based Authentication
RADIUS Access-Request
RADIUS Access-Challenge
RADIUS Access-Request
RADIUS Access-Accept
RADIUS Account-Request (start)
RADIUS Account-Response
RADIUS Account-Request (stop)
RADIUS Account-Response
Authentication
RADIUS
server
OL-6696-01