Handbook
N8406-023 1Gb Intelligent L3 Switch Application Guide 41
802.1x port states
The state of the port determines whether the client is granted access to the network, as follows:
Unauthorized—While in this state, the port discards all ingress and egress traffic except EAP packets.
Authorized—When the client is authenticated successfully, the port transitions to the authorized state allowing
all traffic to and from the client to flow normally.
Force Unauthorized—You can configure this state that denies all access to the port.
Force Authorized—You can configure this state that allows full access to the port.
Use the 802.1x Global Configuration Menu (/cfg/l2/8021x/global) to configure 802.1x authentication for all
ports in the switch. Use the 802.1x Port Menu (/cfg/l2/8021x/port x) to configure a single port.
Supported RADIUS attributes
The switch 802.1x Authenticator relies on external RADIUS servers for authentication with EAP. The following table
lists the RADIUS attributes that are supported as part of RADIUS-EAP authentication based on the guidelines
specified in Annex D of the 802.1x standard and RFC 3580.
Table 9 EAP support for RADIUS attributes
#
Attribute
Attribute Value
A-R
A-A
A-C
A-R
1
User-Name
The value of the Type-Data field from the
supplicant‘s EAP-Response/Identity
message. If the Identity is unknown (i.e.
Type-Data field is zero bytes in length),
this attribute will have the same value as
the Calling-Station-Id.
1
0-1
0
0
4
NAS-IP-Address
IP address of the authenticator used for
RADIUS communication.
1
0
0
0
5
NAS-Port
Port number of the authenticator port to
which the supplicant is attached.
1
0
0
0
24
State
Server-specific value. This is sent
unmodified back to the server in an
Access-Request that is in response to an
Access-Challenge.
0-1
0-1
0-1
0
30
Called-Station-ID
The MAC address of the authenticator
encoded as an ASCII string in canonical
format, e.g. 0017EF22E39F.
1
0
0
0
31
Calling-Station-ID
The MAC address of the supplicant
encoded as an ASCII string in canonical
format, e.g. 003013436206.
1
0
0
0
79
EAP-Message
Encapsulated EAP packets from the
supplicant to the authentication server
(Radius) and vice-versa. The
authenticator relays the decoded packet
to both devices.
1+
1+
1+
1+
80
Message-
Authenticator
Always present whenever an EAP-
Message attribute is also included. Used
to integrity-protect a packet.
1
1
1
1
87
NAS-Port-ID
Name assigned to the authenticator port,
e.g. Server1_Port3
1
0
0
0