Handbook

NOTE: When an 802.1x-enabled client connects to a port that is not 802.1x-controlled, the client
initiates the authentication process by sending an EAPOL-Start frame. When no response is
received, the client retransmits the request a fixed number of times. If there is still no response,
the client assumes the port is in the authorized state and begins sending frames, even if the port is
unauthorized.
802.1x port states
The state of the port determines whether the client is granted access to the network, as follows:
Unauthorized: While in this state, the port discards all ingress and egress traffic except EAP packets.
Authorized: When the client is authenticated successfully, the port transitions to the authorized state,
allowing all traffic to and from the client to flow normally.
Force Unauthorized: You can configure this state to deny all access to the port.
Force Authorized: You can configure this state to allow full access to the port.
Use the 802.1x Global Configuration Menu (/cfg/l2/8021x/global) to configure 802.1x authentication
for all ports in the switch. Use the 802.1x Port Menu (/cfg/l2/8021x/port x) to configure a single port.
Supported RADIUS attributes
The switch 802.1x Authenticator relies on external RADIUS servers for authentication with EAP. The
following table lists the RADIUS attributes that are supported as part of RADIUS-EAP authentication based
on the guidelines specified in Annex D of the 802.1x standard and RFC 3580.
Table 9 EAP support for RADIUS attributes
#    Attribute               A-R    A-A    A-C    A-R
1    User-Name               1      0-1    0      0
4    NAS-IP-Address          1      0      0      0
5    NAS-Port                1      0      0      0
24   State                   0-1    0-1    0-1    0
30   Called-Station-ID       1      0      0      0
31   Calling-Station-ID      1      0      0      0
79   EAP-Message             1+     1+     1+     1+
80   Message-Authenticator   1      1      1      1
87   NAS-Port-ID             1      0      0      0
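
The following Python sketch is an added example, not part of the handbook or the switch software: it parses a raw RADIUS packet and reports every row of Table 9 whose attribute count the packet violates, which is a useful check when reviewing captures between the switch and the RADIUS server. It assumes the four count columns are Access-Request, Access-Accept, Access-Challenge and Access-Reject in that order, and that 0, 0-1, 1 and 1+ give the number of instances allowed; the function names and sample packet are constructed for illustration, and only attribute counts are checked, not the Message-Authenticator value itself.

```python
# Assumptions: count columns are Access-Request, -Accept, -Challenge, -Reject
# (RADIUS codes 1, 2, 11, 3); 0 / 0-1 / 1 / 1+ = instances allowed per packet.
COLUMN = {1: 0, 2: 1, 11: 2, 3: 3}
BOUNDS = {"0": (0, 0), "1": (1, 1), "0-1": (0, 1), "1+": (1, float("inf"))}
TABLE_9 = {  # attribute type -> (name, allowed count per column)
    1:  ("User-Name",             ("1", "0-1", "0", "0")),
    4:  ("NAS-IP-Address",        ("1", "0", "0", "0")),
    5:  ("NAS-Port",              ("1", "0", "0", "0")),
    24: ("State",                 ("0-1", "0-1", "0-1", "0")),
    30: ("Called-Station-ID",     ("1", "0", "0", "0")),
    31: ("Calling-Station-ID",    ("1", "0", "0", "0")),
    79: ("EAP-Message",           ("1+", "1+", "1+", "1+")),
    80: ("Message-Authenticator", ("1", "1", "1", "1")),
    87: ("NAS-Port-ID",           ("1", "0", "0", "0")),
}

def parse_attributes(packet):
    """Return (code, [(type, value), ...]) from a raw RADIUS packet."""
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        raise ValueError("bad or truncated RADIUS header")
    attrs, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return packet[0], attrs

def check_table_9(packet):
    """Return one message per Table 9 row that the packet violates."""
    code, attrs = parse_attributes(packet)
    if code not in COLUMN:
        raise ValueError(f"RADIUS code {code} is not an Access-* packet")
    types, problems = [t for t, _ in attrs], []
    for a_type, (name, spec) in TABLE_9.items():
        n, allowed = types.count(a_type), spec[COLUMN[code]]
        if not BOUNDS[allowed][0] <= n <= BOUNDS[allowed][1]:
            problems.append(f"{name}: {n} present, table allows {allowed}")
    return problems

def build_packet(code, attrs):
    """Constructed-sample helper: pack (type, value) pairs, zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([code, 1]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body

# Constructed sample: Access-Accept carrying NAS-Port, no Message-Authenticator.
SAMPLE = build_packet(2, [(1, b"alice"), (5, bytes(4)), (79, b"\x03\x01\x00\x04")])
```

Calling `check_table_9(SAMPLE)` flags the stray NAS-Port and the missing Message-Authenticator; an empty list means the packet's attribute counts match the table.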