802.1X Accounting; 802.1X Accounting Attribute-Value Pairs - Cisco Catalyst 2960 Software Configuration Manual

Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE (OL-26520-01)
Chapter 10: Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

Note: This feature does not apply to ports in multi-auth mode, because violations are not triggered in that mode. It does not apply to ports in multiple host mode, because in that mode, only the first host requires authentication.

If you configure the authentication violation interface configuration command with the replace keyword, the authentication process on a port in multi-domain mode is:
- A new MAC address is received on a port with an existing authenticated MAC address.
- The authentication manager replaces the MAC address of the current data host on the port with the new MAC address.
- The authentication manager initiates the authentication process for the new MAC address.
- If the authentication manager determines that the new host is a voice host, the original voice host is removed.

If a port is in open authentication mode, any new MAC address is immediately added to the MAC address table.

For more information see the "Enabling MAC Replace" section on page 10-52.

802.1x Accounting

The 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. 802.1x accounting is disabled by default. You can enable 802.1x accounting to monitor this activity on 802.1x-enabled ports:
- User successfully authenticates.
- User logs off.
- Link-down occurs.
- Re-authentication successfully occurs.
- Re-authentication fails.

The switch does not log 802.1x accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.

802.1x Accounting Attribute-Value Pairs

The information sent to the RADIUS server is represented in the form of Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)

AV pairs are automatically sent by a switch that is configured for 802.1x accounting. Three types of RADIUS accounting packets are sent by a switch:
- START – sent when a new user session starts
- INTERIM – sent during an existing session for updates
- STOP – sent when a session terminates
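As an added example, not taken from the Cisco guide: the receiving side of the accounting exchange described above, in Python. It verifies the Accounting-Request authenticator and decodes the AV pairs into a loggable record; the attribute numbers and authenticator formula come from RFC 2865/2866, and the shared secret, user name and session ID are constructed sample values.

```python
import hashlib
import hmac
import struct

# Attribute numbers from RFC 2865/2866 (not listed on the page itself).
ATTRS = {1: "User-Name", 40: "Acct-Status-Type", 42: "Acct-Input-Octets",
         43: "Acct-Output-Octets", 44: "Acct-Session-Id"}
INTEGER_ATTRS = {40, 42, 43}
STATUS = {1: "START", 2: "STOP", 3: "INTERIM"}  # Acct-Status-Type values
ACCOUNTING_REQUEST = 4

def authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident, avps, secret):
    """Build a constructed Accounting-Request to feed the parser."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(header, attrs, secret) + attrs

def parse_request(packet, secret):
    """Check the Request Authenticator, then decode the AV pairs into a dict."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]
    if not hmac.compare_digest(authenticator(packet[:4], attrs, secret), packet[4:20]):
        raise ValueError("bad authenticator: wrong secret or altered packet")
    record, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("malformed attribute")
        atype, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
        if atype in INTEGER_ATTRS:
            if len(value) != 4:
                raise ValueError("integer attribute must be 4 octets")
            value = int.from_bytes(value, "big")
        else:
            value = value.decode("utf-8", "replace")
        record[ATTRS.get(atype, f"Attr-{atype}")] = value
    record["Acct-Status-Type"] = STATUS.get(record.get("Acct-Status-Type"), "UNKNOWN")
    return record

SECRET = b"constructed-shared-secret"  # constructed sample values below
SAMPLE = build_request(7, [(1, b"alice"), (40, struct.pack("!I", 2)), (44, b"0000002A"),
                           (42, struct.pack("!I", 1200)), (43, struct.pack("!I", 3400))], SECRET)
```

Calling `parse_request(SAMPLE, SECRET)` returns the STOP record for the sample session. A packet that fails the authenticator check is rejected rather than logged, so an altered octet count never reaches a billing or audit record.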
