6.1.1 Support function
This section lists the functionality supported by the Switch.
(1) Authentication operation mode
The Switch takes the role of the authenticator in the IEEE 802.1X model. You cannot configure the Switch to act as a supplicant.
(2) Authentication method
The Switch supports authentication using a RADIUS server. In this method, EAPOL packets received from the terminal are encapsulated into EAP over RADIUS packets and forwarded to the RADIUS server for authentication. The RADIUS server must support EAP.
Table 6-2: Attribute names used for authentication (part 1: Access-Request) through Table 6-5: Attribute names used for authentication (part 4: Access-Reject) list the RADIUS attributes the Switch uses, grouped by the packet type that carries them.
Table 6-2: Attribute names used for authentication (part 1: Access-Request)

| Attribute name | Type value | Description |
|---|---|---|
| User-Name | 1 | The name of the user to be authenticated. |
| NAS-IP-Address | 4 | The IP address of the authenticator (the Switch) that is requesting authentication of the user. This attribute contains the local address of the Switch, or the IP address of the transmission interface if no local address is set. |
| NAS-Port | 5 | The IfIndex of the interface that is authenticating the supplicant. |
| Service-Type | 6 | The type of service to be provided. Fixed as Framed(2). |
| Framed-MTU | 12 | The largest frame size between the supplicant and the authenticator. Fixed at 1466. |
| State | 24 | Allows state information to be maintained between the authenticator and the RADIUS server. |
| Called-Station-Id | 30 | The MAC address of the bridge or access point, in this case the MAC address of the Switch (as a hyphen-punctuated ASCII string). |
| Calling-Station-Id | 31 | The MAC address of the supplicant (as a hyphen-punctuated ASCII string). |
| NAS-Identifier | 32 | A string identifying the authenticator (by host name). |
| NAS-Port-Type | 61 | The type of physical port the authenticator is using to authenticate the user. Fixed as Ethernet(15). |
| Connect-Info | 77 | A string characterizing the connection with the supplicant. Port-based authentication, physical port: "CONNECT Ethernet"; port-based authentication, channel group (CH) port: "CONNECT Port-Channel"; VLAN-based authentication (static): "CONNECT VLAN"; VLAN-based authentication (dynamic): "CONNECT DVLAN". |
| EAP-Message | 79 | Encapsulates EAP packets. |
| Message-Authenticator | 80 | Provides protection for RADIUS/EAP packets. |
| NAS-Port-Id | 87 | A string identifying the port of the authenticator that is authenticating the supplicant. Port-based authentication: "Port x/y" or "ChGr x"; VLAN-based authentication (static): "VLAN x"; VLAN-based authentication (dynamic): "DVLAN x" (x and y are numerical values). |
| NAS-IPv6-Address | 95 | The IPv6 address of the authenticator (in this case the Switch) that is requesting authentication of the user. This attribute contains the local address of the Switch, or the IPv6 address of the transmission interface if no local address is set. Note that when communication uses IPv6 link-local addresses, this attribute contains the link-local address of the transmission interface regardless of whether a local address is set. |
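As an added example (not part of the manual and not the Switch's code), the following Python builds an Access-Request carrying the Table 6-2 attributes as RADIUS type-length-value triples and computes and verifies the Message-Authenticator (type 80). This is what "provides protection for RADIUS/EAP packets" means in practice: per RFC 3579, an HMAC-MD5 keyed with the RADIUS shared secret over the whole packet with the attribute's own 16 value octets set to zero, which a server must check before trusting the EAP-Message it carries. The shared secret, Request Authenticator, addresses, user name and port identifiers are constructed sample values; State (24) is omitted because a first request has no server state to echo.

```python
"""Encode the Table 6-2 attributes into a RADIUS Access-Request and protect it
with Message-Authenticator (attribute 80).

Added example, not the Switch's code. Attribute type values and fixed values
come from Table 6-2; the packet layout follows RFC 2865 and the
Message-Authenticator computation follows RFC 3579: HMAC-MD5 keyed with the
shared secret over the entire packet with the attribute's 16 value octets
set to zero. All addresses, names, the secret and the Request Authenticator
are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1  # RADIUS Code (RFC 2865)

# Type values as listed in Table 6-2.
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FRAMED_MTU = 1, 4, 5, 6, 12
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
NAS_PORT_TYPE, CONNECT_INFO, EAP_MESSAGE = 61, 77, 79
MESSAGE_AUTHENTICATOR, NAS_PORT_ID = 80, 87


def tlv(attr_type, value):
    """One attribute: Type (1 octet), Length (1 octet, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def u32(n):
    return struct.pack("!I", n)


def ipv4(text):
    return bytes(int(octet) for octet in text.split("."))


def build_access_request(identifier, request_authenticator, secret,
                         eap_payload, supplicant_mac):
    """Return a complete Access-Request for a port-based authentication."""
    attrs = b"".join([
        tlv(USER_NAME, b"alice"),                        # constructed
        tlv(NAS_IP_ADDRESS, ipv4("192.0.2.10")),         # Switch address (constructed)
        tlv(NAS_PORT, u32(1)),                           # IfIndex of the port (constructed)
        tlv(SERVICE_TYPE, u32(2)),                       # Framed(2), fixed
        tlv(FRAMED_MTU, u32(1466)),                      # fixed at 1466
        tlv(CALLED_STATION_ID, b"00-00-5E-00-53-01"),    # Switch MAC, hyphen-punctuated (constructed)
        tlv(CALLING_STATION_ID, supplicant_mac.encode("ascii")),
        tlv(NAS_IDENTIFIER, b"switch01"),                # host name (constructed)
        tlv(NAS_PORT_TYPE, u32(15)),                     # Ethernet(15), fixed
        tlv(CONNECT_INFO, b"CONNECT Ethernet"),          # port-based, physical port
        tlv(EAP_MESSAGE, eap_payload),
        tlv(NAS_PORT_ID, b"Port 1/1"),                   # "Port x/y" format
        tlv(MESSAGE_AUTHENTICATOR, bytes(16)),           # zero placeholder, filled below
    ])
    length = 20 + len(attrs)                             # fixed header is 20 octets
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length)
    packet = header + request_authenticator + attrs
    digest = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + digest                         # placeholder is the last 16 octets


def parse_attributes(packet):
    """Return [(type, value), ...] from the attribute region; raise on bad lengths."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def verify_message_authenticator(packet, secret):
    """True only if attribute 80 is present and matches the recomputed HMAC.

    A packet carrying EAP-Message without a valid Message-Authenticator must be
    silently discarded (RFC 3579), so a missing attribute also returns False.
    """
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR:
            if length != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    eap_identity = b"\x02\x01\x00\x0a\x01alice"        # EAP-Response/Identity "alice"
    pkt = build_access_request(7, bytes(range(16)), secret, eap_identity, "00-00-5E-00-53-AA")
    print(len(pkt), "octets, authenticator valid:", verify_message_authenticator(pkt, secret))
```

The verifier recomputes the HMAC over the packet with the attribute zeroed in place rather than trusting the Length field, so a packet that was truncated or had an attribute altered after signing fails the check, and an EAP-bearing request that simply omits attribute 80 is rejected rather than accepted.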
Table 6-3: Attribute names used for authentication (part 2: Access-Challenge)

| Attribute name | Type value | Description |
|---|---|---|
| Reply-Message | 18 | A message that may be displayed to a user. |
| State | 24 | Allows state information to be maintained between the authenticator and the RADIUS server. |
| Session-Timeout | 27 | The length of time to wait for a supplicant to respond to an EAP-Request. |
| EAP-Message | 79 | Encapsulates EAP packets. |
| Message-Authenticator | 80 | Provides protection for RADIUS/EAP packets. |
Table 6-4: Attribute names used for authentication (part 3: Access-Accept)

| Attribute name | Type value | Description |
|---|---|---|
| Service-Type | 6 | The type of service to be provided. Fixed as Framed(2). |
| Filter-Id | 11 | The name of the filter list to be applied to the supplicant's session. This attribute is meaningful only for VLAN-based authentication (static) or for port-based authentication in terminal authentication mode. The authentication IPv4 access list, the only applicable filter, takes effect when Filter-Id is non-zero. |
| Reply-Message | 18 | A message that may be displayed to a user. |
| Session-Timeout | 27 | The time between supplicant re-authentication attempts. # |
| Termination-Action | 29 | Indicates what action the Switch should take when the re-authentication timer expires. # |
| Tunnel-Type | 64 | Indicates the tunneling protocol used. Meaningful only for VLAN-based authentication (dynamic). Fixed as VLAN(13). |
| Tunnel-Medium-Type | 65 | Indicates the protocol to use to create a tunnel. Meaningful only for VLAN-based authentication (dynamic). Fixed as IEEE 802(6). |
| EAP-Message | 79 | Encapsulates EAP packets. |
| Message-Authenticator | 80 | Provides protection for RADIUS/EAP packets. |
| Tunnel-Private-Group-ID | 81 | A string identifying a VLAN. In an Access-Accept packet, this attribute indicates the VLAN to be assigned to the authenticated supplicant. Meaningful only for VLAN-based authentication (dynamic). The string can take one of three formats: (1) a VLAN ID; (2) the word "VLAN" followed by a VLAN ID; (3) a VLAN name as specified by the name configuration command. The string cannot contain spaces; if it does, VLAN assignment fails. Examples for VLAN 10: format (1) "10", format (2) "VLAN10", format (3) "business-office". |
| Acct-Interim-Interval | 85 | The number of seconds between interim accounting packets. Interim packets are sent if this attribute has a value of 60 or greater, but not for values less than 60. When using this attribute, we recommend a value of 600 or greater; values below 600 increase network traffic and call for caution. |
#: If the RADIUS server returns the value Radius-Request(1) for the Termination-Action attribute in an Access-Accept packet, the Switch performs re-authentication after the number of seconds given by the Session-Timeout attribute carried in the same packet has elapsed. The Switch behaves as follows depending on the Session-Timeout value:
- 0: Re-authentication is disabled.
- 1 to 60: The re-authentication timer is set to 60 seconds.
- 61 to 65535: The specified value is used.
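The Access-Accept handling described in the table above and its footnote, as an added Python example (not part of the manual and not the Switch's code): resolving a Tunnel-Private-Group-ID string in the three formats, rejecting strings that contain spaces, requiring Tunnel-Type VLAN(13) and Tunnel-Medium-Type IEEE 802(6) before assigning a VLAN, and deriving the re-authentication interval from Termination-Action and Session-Timeout with the 0 / 1 to 60 / 61 to 65535 rules. The VLAN name table and sample attribute values are constructed; stripping the RFC 2868 tag octet and checking the 1 to 4094 VLAN ID range are assumptions the page does not state.

```python
"""Interpret the VLAN and re-authentication attributes of an Access-Accept.

Added example, not the Switch's code. It implements the Tunnel-Private-Group-ID
string formats and the Session-Timeout / Termination-Action rules as the
Access-Accept table and its footnote describe them. The VLAN name table and
sample values are constructed. Stripping an RFC 2868 tag octet and checking
the 1 to 4094 VLAN ID range are assumptions; the page does not state them.
"""

TUNNEL_TYPE_VLAN = 13           # Tunnel-Type, fixed as VLAN(13)
TUNNEL_MEDIUM_IEEE_802 = 6      # Tunnel-Medium-Type, fixed as IEEE 802(6)
TERMINATION_RADIUS_REQUEST = 1  # Termination-Action value Radius-Request(1)


def resolve_vlan(group_id, vlan_names):
    """Map a Tunnel-Private-Group-ID value (bytes) to a VLAN ID, or None on failure.

    vlan_names: dict of VLAN name (from the name configuration command) -> VLAN ID.
    """
    # Assumption (RFC 2868): a leading octet of 0x00..0x1F is a tag, not string data.
    if group_id and group_id[0] <= 0x1F:
        group_id = group_id[1:]
    try:
        text = group_id.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or " " in text:                            # spaces make assignment fail
        return None
    if text.isdigit():                                     # format (1): "10"
        vid = int(text)
    elif text.startswith("VLAN") and text[4:].isdigit():   # format (2): "VLAN10"
        vid = int(text[4:])
    else:                                                  # format (3): "business-office"
        vid = vlan_names.get(text)
        if vid is None:
            return None
    return vid if 1 <= vid <= 4094 else None               # assumption: 802.1Q range


def dynamic_vlan(accept_attrs, vlan_names):
    """VLAN to assign for VLAN-based authentication (dynamic), or None.

    accept_attrs: dict of attribute name -> decoded value from the Access-Accept.
    All three Tunnel attributes must be present and consistent.
    """
    if accept_attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if accept_attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE_802:
        return None
    group_id = accept_attrs.get("Tunnel-Private-Group-ID")
    return resolve_vlan(group_id, vlan_names) if group_id is not None else None


def reauth_interval(accept_attrs):
    """Re-authentication timer in seconds per the footnote, or None when disabled.

    The Access-Accept drives re-authentication only when Termination-Action is
    Radius-Request(1); Session-Timeout is then read as 0 -> disabled,
    1..60 -> 60 seconds, 61..65535 -> the value as given.
    """
    if accept_attrs.get("Termination-Action") != TERMINATION_RADIUS_REQUEST:
        return None
    timeout = accept_attrs.get("Session-Timeout")
    if timeout is None or timeout == 0:
        return None
    if 1 <= timeout <= 60:
        return 60
    if 61 <= timeout <= 65535:
        return timeout
    return None   # outside the documented range; treated as not set (assumption)


if __name__ == "__main__":
    names = {"business-office": 10}   # constructed VLAN name table
    accept = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
              "Tunnel-Private-Group-ID": b"business-office",
              "Termination-Action": 1, "Session-Timeout": 30}
    print("VLAN:", dynamic_vlan(accept, names), "reauth:", reauth_interval(accept))
```

Requiring all three Tunnel attributes to agree before acting on the group ID keeps a stray or mis-typed attribute from moving a supplicant onto a VLAN the server did not intend, and treating every unrecognised string as a failed assignment matches the page's rule that a malformed name fails rather than falling through to some default.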
Table 6-5: Attribute names used for authentication (part 4: Access-Reject)

| Attribute name | Type value | Description |
|---|---|---|
| Reply-Message | 18 | A message that may be displayed to a user. |
| EAP-Message | 79 | Encapsulates EAP packets. |
| Message-Authenticator | 80 | Provides protection for RADIUS/EAP packets. |
(3) Authentication algorithm
The following table describes the supported authentication algorithms.
| Authentication algorithm | Overview |
|---|---|
| EAP-MD5-Challenge | Uses a challenge value to test the validity of user passwords. |
| EAP-TLS | Performs authentication based on a certificate authentication mechanism. |
| EAP-PEAP | Performs authentication using a separate EAP authentication algorithm encapsulated within an EAP-TLS tunnel. The following two authentication methods are supported. |
| EAP-TTLS | Performs authentication using an authentication algorithm of an existing protocol (such as EAP, PAP, or CHAP) encapsulated within an EAP-TLS tunnel. |
(4) RADIUS Accounting function
The Switch supports RADIUS accounting. This functionality generates user accounting information whenever service delivery to an IEEE 802.1X-authenticated terminal starts or finishes. An administrator can use this information to track network usage. You can set up separate servers for RADIUS authentication and accounting services to distribute the RADIUS workload.
The following table describes the information that the RADIUS accounting functionality sends to the RADIUS server.
| Attribute name | Type value | Description | Start | Stop | Interim-Update |
|---|---|---|---|---|---|
| User-Name | 1 | The name of the user to be authenticated. | OK | OK | OK |
| NAS-IP-Address | 4 | The IP address of the authenticator (the Switch) that is requesting authentication of the user. This attribute contains the local address of the Switch, or the IP address of the transmission interface if no local address is set. | OK | OK | OK |
| NAS-Port | 5 | The IfIndex of the interface that is authenticating the supplicant. | OK | OK | OK |
| Service-Type | 6 | The type of service to be provided. Fixed as Framed(2). | OK | OK | OK |
| Calling-Station-Id | 31 | The MAC address of the supplicant (as a hyphen-punctuated ASCII string). | OK | OK | OK |
| NAS-Identifier | 32 | A string identifying the authenticator (by host name). | OK | OK | OK |
| Acct-Status-Type | 40 | Accounting request type: Start (1), Stop (2), or Interim-Update (3). | OK | OK | OK |
| Acct-Delay-Time | 41 | The delay (in seconds) between the event occurring and transmission to the server. | OK | OK | OK |
| Acct-Input-Octets | 42 | Accounting information (number of octets received). Fixed at 0. | - | OK | OK |
| Acct-Output-Octets | 43 | Accounting information (number of octets sent). Fixed at 0. | - | OK | OK |
| Acct-Session-Id | 44 | ID identifying the accounting session (the same value is used from successful authentication through deauthorization). | OK | OK | OK |
| Acct-Authentic | 45 | Indicates how the user was authenticated: RADIUS (1), Local (2), or Remote (3). | OK | OK | OK |
| Acct-Session-Time | 46 | Accounting information (session length). | - | OK | OK |
| Acct-Input-Packets | 47 | Accounting information (number of packets received). Fixed at 0. | - | OK | OK |
| Acct-Output-Packets | 48 | Accounting information (number of packets sent). Fixed at 0. | - | OK | OK |
| Acct-Terminate-Cause | 49 | Accounting information (reason for session termination): User Request (1), Lost Carrier (2), Admin Reset (6), Reauthentication Failure (20), or Port Reinitialized (21). For details, see Table 6-8: Disconnection factor in Acct-Terminate-Cause. | - | OK | - |
| NAS-Port-Type | 61 | The type of physical port the authenticator is using to authenticate the user. Fixed as Ethernet(15). | OK | OK | OK |
| NAS-Port-Id | 87 | A string identifying the port of the authenticator that is authenticating the supplicant. NAS-Port-Id differs from NAS-Port in that it is a variable-length string, whereas NAS-Port is a 4-octet integer. Port-based authentication: "Port x/y" or "ChGr x"; VLAN-based authentication (static): "VLAN x"; VLAN-based authentication (dynamic): "DVLAN x" (x and y are numerical values). | OK | OK | OK |
| NAS-IPv6-Address | 95 | The IPv6 address of the authenticator (in this case the Switch) that is requesting authentication of the user. This attribute contains the local address of the Switch, or the IPv6 address of the transmission interface if no local address is set. Note that when communication uses IPv6 link-local addresses, this attribute contains the link-local address of the transmission interface regardless of whether a local address is set. | OK | OK | OK |

(Legend) OK: Sent; -: Not sent. The Start, Stop and Interim-Update columns give the accounting request types in which each attribute is transmitted.
Table 6-8: Disconnection factor in Acct-Terminate-Cause

| Termination cause | Code | Description |
|---|---|---|
| User Request | 1 | The session was terminated at the request of the supplicant. |
| Lost Carrier | 2 | The modem dropped the carrier signal. |
| Admin Reset | 6 | Action by the administrator caused the session to terminate. |
| Reauthentication Failure | 20 | Re-authentication failed. |
| Port Reinitialized | 21 | The port's MAC address has been reinitialized. |
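An added Python example (not part of the manual and not the Switch's code) showing how the accounting records described above can be correlated on the receiving side, which is where the "track network usage" value of this function is realised: it groups Start, Interim-Update and Stop records by Acct-Session-Id (which the accounting table says stays the same from authentication to deauthorization), takes the session length from the latest Acct-Session-Time, maps Acct-Terminate-Cause through the Table 6-8 codes, and flags sessions that have a Stop without a Start, a Start without a Stop, or an administrative or failure termination cause. The records are constructed sample data in dictionary form; a real accounting server's log format will differ.

```python
"""Correlate RADIUS accounting records for IEEE 802.1X sessions.

Added example, not the Switch's code. It relies only on attributes the
accounting table says the Switch sends (Acct-Status-Type, Acct-Session-Id,
Acct-Session-Time, Acct-Terminate-Cause, User-Name, Calling-Station-Id,
NAS-Port-Id) and on the Table 6-8 codes. SAMPLE_RECORDS is constructed data
in a simplified dictionary form; a real accounting server logs differently.
"""

START, STOP, INTERIM_UPDATE = 1, 2, 3   # Acct-Status-Type values

TERMINATE_CAUSE = {                      # Table 6-8
    1: "User Request", 2: "Lost Carrier", 6: "Admin Reset",
    20: "Reauthentication Failure", 21: "Port Reinitialized",
}
REVIEW_CAUSES = {6, 20, 21}              # administrative or failure terminations worth a look

SAMPLE_RECORDS = [  # constructed
    {"Acct-Status-Type": START, "Acct-Session-Id": "0001", "User-Name": "alice",
     "Calling-Station-Id": "00-00-5E-00-53-AA", "NAS-Port-Id": "Port 1/1"},
    {"Acct-Status-Type": INTERIM_UPDATE, "Acct-Session-Id": "0001", "User-Name": "alice",
     "Acct-Session-Time": 600},
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "0001", "User-Name": "alice",
     "Acct-Session-Time": 1250, "Acct-Terminate-Cause": 1},
    {"Acct-Status-Type": START, "Acct-Session-Id": "0002", "User-Name": "bob",
     "Calling-Station-Id": "00-00-5E-00-53-BB", "NAS-Port-Id": "Port 1/2"},
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "0002", "User-Name": "bob",
     "Acct-Session-Time": 30, "Acct-Terminate-Cause": 20},
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "0003", "User-Name": "carol",
     "Acct-Session-Time": 10, "Acct-Terminate-Cause": 21},    # Stop without a Start
    {"Acct-Status-Type": START, "Acct-Session-Id": "0004", "User-Name": "dave",
     "Calling-Station-Id": "00-00-5E-00-53-DD", "NAS-Port-Id": "ChGr 1"},  # still open
]


def correlate(records):
    """Group records by Acct-Session-Id and summarize each session.

    Returns {session_id: {"user", "mac", "port", "duration", "cause", "flags"}}.
    flags lists "review-cause", "missing-start" and/or "missing-stop".
    """
    sessions = {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        s = sessions.setdefault(sid, {
            "user": rec.get("User-Name"), "mac": None, "port": None,
            "duration": None, "cause": None, "flags": [],
            "_start": False, "_stop": False,
        })
        kind = rec["Acct-Status-Type"]
        if kind == START:
            s["_start"] = True
            s["mac"] = rec.get("Calling-Station-Id")
            s["port"] = rec.get("NAS-Port-Id")
        elif kind == INTERIM_UPDATE:
            s["duration"] = rec.get("Acct-Session-Time")    # running total so far
        elif kind == STOP:
            s["_stop"] = True
            s["duration"] = rec.get("Acct-Session-Time")
            code = rec.get("Acct-Terminate-Cause")
            s["cause"] = TERMINATE_CAUSE.get(code, "Unknown (%s)" % code)
            if code in REVIEW_CAUSES:
                s["flags"].append("review-cause")
    for s in sessions.values():
        if not s.pop("_start"):
            s["flags"].append("missing-start")
        if not s.pop("_stop"):
            s["flags"].append("missing-stop")
    return sessions


if __name__ == "__main__":
    for sid, s in correlate(SAMPLE_RECORDS).items():
        print(sid, s["user"], s["port"], s["duration"], s["cause"], s["flags"])
```

A Stop with no matching Start usually means records were lost on the way to the server (for instance while an accounting server was unreachable), while a Start that never closes is either a session still in progress or a Stop that was dropped; both are worth surfacing before the usage figures are trusted. Note that Acct-Input/Output-Octets and -Packets are fixed at 0 on the Switch, so Acct-Session-Time is the only usage measure these records carry.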
(5) Logging Operations to syslog Servers
You can output the internal logs for the IEEE 802.1X functionality to a syslog server. In this case, the items that are output to the server are the same as those that appear in the internal log. The following figure shows the format of log output to the syslog server.
(Figure: format of log output to the syslog server)
You can use the dot1x logging enable and logging event-kind configuration commands to start and stop the logging of IEEE 802.1X authentication sessions.