Handbook
Error! Use the Home tab to apply 見出し 1 to the text that you want to appear here. 43
Table 9 EAP support for RADIUS attributes
#
Attribute
Attribute Value
A-R
A-A
A-C
A-R
Legend:
RADIUS Packet Types: A-R (Access-Request), A-A (Access-Accept), A-C (Access-Challenge), A-R (Access-Reject)
RADIUS Attribute Support:
0 This attribute MUST NOT be present in a packet.
0+ Zero or more instances of this attribute MAY be present in a packet.
0-1 Zero or one instance of this attribute MAY be present in a packet.
1 Exactly one instance of this attribute MUST be present in a packet.
1+ One or more of these attributes MUST be present.
EAPoL configuration guidelines
When configuring EAPoL, consider the following guidelines:
The 802.1x port-based authentication is currently supported only in point-to-point configurations, that
is, with a single supplicant connected to an 802.1x-enabled switch port.
When 802.1x is enabled, a port has to be in the authorized state before any other Layer 2 feature
can be operationally enabled. For example, the STG state of a port is operationally disabled while
the port is in the unauthorized state.
The 802.1x supplicant capability is not supported. Therefore, none of its ports can connect suc-
cessfully to an 802.1x-enabled port of another device, such as another switch, which acts as an
authenticator, unless access control on the remote port is disabled or is configured in forced-
authorized mode. For example, if a switch is connected to another switch, and if 802.1x is enabled
on both switches, the two connected ports must be configured in force-authorized mode.
The 802.1x standard has optional provisions for supporting dynamic virtual LAN assignment via
RADIUS tunneling attributes, for example, Tunnel-Type (=VLAN), Tunnel-Medium-Type (=802), and
Tunnel-Private-Group-ID (=VLAN id). These attributes are not supported and might affect 802.1x
operations. Other unsupported attributes include Service-Type, Session-Timeout, and Termination-
Action.
RADIUS accounting service for 802.1x-authenticated devices or users is not supported.
Configuration changes performed using SNMP and the standard 802.1x MIB take effect immediately.
Port-based traffic control
Port-based traffic control prevents the switch ports from being disrupted by LAN storms. A LAN storm
occurs when data packets flood the LAN, which can cause the network to become congested and slow
down. Errors in the protocol-stack implementation or in the network configuration can cause a LAN storm.
You can enable port-based traffic control separately for each of the following traffic types:
Broadcast—packets with destination MAC address ff:ff:ff:ff:ff:ff
Multicast—packets that have MAC addresses with the least significant bit of their first octet set to
one
Destination Lookup Failed (DLF)—packets with unknown destination MAC address, that are treated
like broadcast packets
With Port-based Traffic Control enabled, the port monitors incoming traffic of each type noted above. If
the traffic exceeds a configured threshold, the port blocks traffic that exceeds the threshold until the
traffic flow falls back within the threshold.
The switch supports separate traffic-control thresholds for broadcast, multicast, and DLF traffic. The traffic
threshold is measured in number of frames per second.
NOTE: All ports that belong to a trunk must have the same traffic-control settings.