IEEE 802.1X RADIUS Accounting
The IEEE 802.1X RADIUS Accounting feature is used to relay important events to the RADIUS server (such as the supplicant's connection session). The information in these events is used for security and billing purposes.
- Finding Feature Information
- Prerequisites for Configuring IEEE 802.1X RADIUS Accounting
- Restrictions for IEEE 802.1X with RADIUS Accounting
- Information About IEEE 802.1X with RADIUS Accounting
- How to Use IEEE 802.1X RADIUS Accounting
- Configuration Example for IEEE 802.1X RADIUS Accounting
- Additional References for IEEE 802.1X Port-Based Authentication
- Feature Information for IEEE 802.1X RADIUS Accounting
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring IEEE 802.1X RADIUS Accounting
The following tasks must be completed before implementing the IEEE 802.1X RADIUS Accounting feature:
- IEEE 802.1X must be enabled on the device port.
- The device must have a RADIUS configuration and be connected to the Cisco Secure Access Control Server (ACS). You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs).
- EAP support must be enabled on the RADIUS server.
- You must configure the IEEE 802.1X supplicant to send an EAP-logoff (Stop) message to the switch when the user logs off. If you do not configure the IEEE 802.1X supplicant, an EAP-logoff message is not sent to the switch, and the accompanying accounting Stop message is not sent to the authentication server. See the Microsoft Knowledge Base article at http://support.microsoft.com and set the SupplicantMode registry value to 3 and the AuthMode registry value to 1.
- Authentication, authorization, and accounting (AAA) must be configured on the port for all network-related service requests. The authentication method list must be enabled and specified. A method list describes the sequence of authentication methods to be queried to authenticate a user. See the IEEE 802.1X Authenticator feature module for information.
- The port must be successfully authenticated.
- If you plan to implement system-wide accounting, you should also configure IEEE 802.1X accounting. You also need to inform the accounting server of the system reload event when the system is reloaded, so that the accounting server knows that all outstanding IEEE 802.1X sessions on this system are closed.
- The RADIUS Accounting feature is available only on Cisco 89x and 88x series Integrated Services Routers (ISRs) that support switch ports.
The following ISR-G2 routers are supported:
The following cards or modules support switch ports:
Enhanced High-speed WAN interface cards (EHWICs) with ACL support:
High-speed WAN interface cards (HWICs) without ACL support:
Note | Not all Cisco ISR routers support all the components listed. For information about module compatibility with a specific router platform, see Cisco EtherSwitch Modules Comparison. |
To determine whether your router has switch ports that can be configured with the IEEE 802.1X port-based authentication feature, use the show interfaces switchport command.
Restrictions for IEEE 802.1X with RADIUS Accounting
Information About IEEE 802.1X with RADIUS Accounting
Relaying of IEEE 802.1X RADIUS Accounting Events
IEEE 802.1X RADIUS accounting relays important events to the RADIUS server (such as the supplicant’s connection session). This session is defined as the interval beginning when the supplicant is authorized to use the port and ending when the supplicant stops using the port.
After the supplicant is authenticated, the switch sends accounting-request packets to the RADIUS server, which responds with accounting-response packets to acknowledge the receipt of the request.
A RADIUS accounting-request packet contains one or more Attribute-Value (AV) pairs to report various events and related information to the RADIUS server. The following events are tracked:
- User successfully authenticates.
- User logs off.
- Link-down occurs on an IEEE 802.1X port.
- Reauthentication succeeds.
- Reauthentication fails.
When the port state transitions between authorized and unauthorized, the RADIUS messages are transmitted to the RADIUS server.
The switch does not log any accounting information. Instead, it sends such information to the RADIUS server, which must be configured to log accounting messages.
The IEEE 802.1X RADIUS accounting process is as follows:
1. A user connects to a port on the router.
2. Authentication is performed.
3. VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
4. The router sends a start message to an accounting server.
5. Reauthentication is performed, as necessary.
6. The port sends an interim accounting update to the accounting server that is based on the result of reauthentication.
7. The user disconnects from the port.
8. The router sends a stop message to the accounting server.
The switch port does not log IEEE 802.1X accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.
Note | See the "Enabling 802.1X RADIUS Accounting" section for more specific configuration information. |
To configure IEEE 802.1X accounting:
- Enable accounting in your RADIUS server.
- Enable IEEE 802.1X accounting on your switch.
- Enable AAA accounting.
Enabling AAA system accounting along with IEEE 802.1X accounting allows system reload events to be sent to the accounting RADIUS server for logging. When the accounting RADIUS server receives notice of a system reload event, the server can infer that all active IEEE 802.1X sessions are appropriately closed.
Because RADIUS uses the unreliable transport protocol UDP, accounting messages may be lost due to poor network conditions. If the switch does not receive the accounting response message from the RADIUS server after a configurable number of retransmissions of an accounting request, the following system message appears:
Accounting message %s for session %s failed to receive Accounting Response.
When the stop message is not transmitted successfully, a message like the following appears:
00:09:55: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 172.20.50.145 sam 11/06/03 07:01:16 11000002 failed to receive Accounting Response.
Note | Use the debug radius command or the debug radius accounting command to enable the %RADIUS-3-NOACCOUNTINGRESPONSE message. |
Use the show radius statistics command to display the number of RADIUS messages that do not receive the accounting response message.
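A lost Stop record matters more than the counter in show radius statistics suggests: the accounting server keeps treating that session as open, which skews both billing and any session-based security reporting. The following is an added example, not part of this Cisco document, that extracts the message type and Acct-Session-ID from syslog lines in the %RADIUS-3-NOACCOUNTINGRESPONSE format shown above; the log excerpt is constructed, and the assumption that the session field reads "ip user date time session-id" is taken from the single sample line on the page.

```python
import re

# Constructed log excerpt in the format shown above: one Start and two Stop records that
# never received an Accounting-Response, plus an unrelated line that must be ignored.
SAMPLE_LOG = """\
00:09:55: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 172.20.50.145 sam 11/06/03 07:01:16 11000002 failed to receive Accounting Response.
00:10:20: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Stop for session 172.20.50.145 sam 11/06/03 07:01:16 11000002 failed to receive Accounting Response.
00:12:03: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Stop for session 172.20.50.146 joe 11/06/03 07:03:40 11000003 failed to receive Accounting Response.
00:13:00: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to down
"""

PATTERN = re.compile(
    r"%RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message (?P<kind>\w+) "
    r"for session (?P<session>.+?) failed to receive Accounting Response"
)


def lost_accounting_events(log_text: str) -> list:
    """Return (kind, username, session_id) for each accounting message the server never acknowledged.

    Assumption: the session field is printed as "<ip> <user> <date> <time> <Acct-Session-ID>",
    as in the sample line on the page, so the last token is the Acct-Session-ID the
    accounting server keyed the session on.
    """
    events = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        fields = m.group("session").split()
        events.append((m.group("kind"), fields[1], fields[-1]))
    return events


def sessions_missing_stop(log_text: str) -> set:
    """Sessions whose Stop was lost: the accounting server still believes they are open."""
    return {sid for kind, _user, sid in lost_accounting_events(log_text) if kind == "Stop"}
```

Feed the output of sessions_missing_stop to whatever reconciles the accounting server's open-session list, so that sessions the switch already closed are not left open on the server side.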
IEEE 802.1X Accounting Attribute-Value Pairs
The information sent to the RADIUS server is represented in the form of AV pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)
AV pairs are automatically sent by a router that is configured for IEEE 802.1X accounting. Three types of RADIUS accounting packets are sent by a router:
- START: sent when a new user session starts
- INTERIM: sent during an existing session for updates
- STOP: sent when a session terminates
The following table lists the AV pairs and when they are sent by the router.
Note | The Framed-IP-Address AV pair (Attribute 8) is sent only if a valid Dynamic Host Configuration Protocol (DHCP) binding exists for the host in the DHCP snooping binding table. |
Note | With CSCtz66183, the Service-Type AV pair (Attribute 6) is not displayed in the Accounting-Request records. |
| Attribute Number | AV Pair Name | START | INTERIM | STOP |
|---|---|---|---|---|
| Attribute [1] | User-Name | Always | Always | Always |
| Attribute [4] | NAS-IP-Address | Always | Always | Always |
| Attribute [5] | NAS-Port | Always | Always | Always |
| Attribute [6] | Service-Type | Always | Always | Always |
| Attribute [8] | Framed-IP-Address | Never | Sometimes | Sometimes (see the Framed-IP-Address note above) |
| Attribute [25] | Class | Always | Always | Always |
| Attribute [30] | Called-Station-ID | Always | Always | Always |
| Attribute [31] | Calling-Station-ID | Always | Always | Always |
| Attribute [40] | Acct-Status-Type | Always | Always | Always |
| Attribute [41] | Acct-Delay-Time | Always | Always | Always |
| Attribute [42] | Acct-Input-Octets | Never | Always | Always |
| Attribute [43] | Acct-Output-Octets | Never | Always | Always |
| Attribute [44] | Acct-Session-ID | Always | Always | Always |
| Attribute [45] | Acct-Authentic | Always | Always | Always |
| Attribute [46] | Acct-Session-Time | Never | Never | Always |
| Attribute [47] | Acct-Input-Packets | Never | Always | Always |
| Attribute [48] | Acct-Output-Packets | Never | Always | Always |
| Attribute [49] | Acct-Terminate-Cause | Never | Never | Always |
| Attribute [61] | NAS-Port-Type | Always | Always | Always |
You can configure the device to send Cisco vendor-specific attributes (VSAs) to the RADIUS server. The following table lists the available Cisco AV pairs.
Note | Before VSAs can be sent in the accounting records you must configure the radius-server vsa send accounting command. |
| Attribute Number | AV Pair Name | START | INTERIM | STOP |
|---|---|---|---|---|
| Attribute [26,9,1] | Cisco-Avpair: connect-progress | Always | Always | Always |
| Attribute [26,9,2] | cisco-nas-port | Always | Always | Always |
| Attribute [26,9,1] | Cisco-Avpair: disc-cause | Never | Never | Always |
You can display the AV pairs that are being sent by the router by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference. For more information about AV pairs, see RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.
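To make the tables concrete, the following added example (not Cisco code and not part of this document) builds a START Accounting-Request carrying a subset of the attributes listed above, including a Cisco-AVPair VSA in the Attribute [26,9,1] form, and shows the check an accounting server performs on receipt: recomputing the RFC 2866 Request Authenticator with the shared secret so that a record from a device with the wrong key, or a record altered in transit, is rejected rather than logged. All attribute values are constructed; only the key rad123 and the session ID 11000002 are taken from elsewhere on the page.

```python
import hashlib
import struct
ACCT_REQUEST = 4      # RADIUS code for Accounting-Request (RFC 2866)
CISCO_VENDOR_ID = 9   # vendor ID in Attribute [26,9,x] above

def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type-Length-Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value
def cisco_avpair(text: str) -> bytes:
    """Cisco VSA: attribute 26, vendor 9, vendor-type 1 (Cisco-AVPair)."""
    sub = struct.pack("!BB", 1, 2 + len(text)) + text.encode()
    return avp(26, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_acct_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request; Request Authenticator = MD5(header | 16 zero octets | attrs | secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def verify_acct_request(pkt: bytes, secret: bytes) -> bool:
    """Recompute the authenticator; False means a wrong shared secret or a modified packet."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    return hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest() == pkt[4:20]

def parse_attrs(pkt: bytes) -> dict:
    """Walk the TLVs after the 20-byte header; Cisco VSAs are keyed as (26, 9, vendor_type)."""
    out, i, data = {}, 0, pkt[20:]
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        value = data[i + 2:i + length]
        if t == 26 and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            out[(26, vendor, vtype)] = value[6:4 + vlen]
        else:
            out[t] = value
        i += length
    return out
# Constructed START record: the attribute set follows the table above; the key rad123 and
# session ID 11000002 come from elsewhere on the page, and every other value is made up.
SECRET = b"rad123"
START_ATTRS = b"".join([
    avp(1, b"sam"),                       # User-Name
    avp(4, bytes([192, 0, 2, 10])),       # NAS-IP-Address (documentation address)
    avp(40, struct.pack("!I", 1)),        # Acct-Status-Type = Start(1)
    avp(44, b"11000002"),                 # Acct-Session-ID
    cisco_avpair("connect-progress=Call Up"),
])
START_PACKET = build_acct_request(0x2A, START_ATTRS, SECRET)
```

Because the authenticator is an MD5 over the shared secret rather than a per-packet signature, a server that accepts records without this check (or with a weak, widely shared secret) will log whatever a host on the management network sends it; the verify_acct_request call is the minimum a collector should do before trusting a record.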
How to Use IEEE 802.1X RADIUS Accounting
Enabling 802.1X RADIUS Accounting
1. enable
2. configure terminal
3. aaa new-model
4. radius-server host {hostname | ip-address} auth-port port-number acct-port port-number
5. aaa accounting dot1x default start-stop group radius
6. aaa accounting system default start-stop group radius
7. end
DETAILED STEPS
Configuration Example for IEEE 802.1X RADIUS Accounting
Example: Enabling IEEE 802.1X RADIUS Accounting
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server. The first command configures the RADIUS server, specifying port 1812 as the authorization port, 1813 as the UDP port for accounting, and rad123 as the encryption key:
Note | You must configure the RADIUS server to perform accounting tasks. |
Device# configure terminal
Device(config)# aaa new-model
Device(config)# radius-server host 172.20.39.46 auth-port 1812 acct-port 1813 key rad123
Device(config)# aaa accounting dot1x default start-stop group radius
Device(config)# aaa accounting system default start-stop group radius
Device(config)# end
Device#
Additional References for IEEE 802.1X Port-Based Authentication
Related Documents
| Related Topic | Document Title |
|---|---|
| Cisco IOS commands | |
| Security commands | |
Standards and RFCs
| Standard/RFC | Title |
|---|---|
| IEEE 802.1X | Port Based Network Access Control |
| RFC 3580 | IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines |
MIBs
| MIB | MIBs Link |
|---|---|
| | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
| Description | Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
Feature Information for IEEE 802.1X RADIUS Accounting
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Feature Name | Releases | Feature Information |
|---|---|---|
| IEEE 802.1X RADIUS Accounting | Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE, Cisco IOS XE Release 3.6E | This feature is used to relay important events to the RADIUS server (such as the supplicant's connection session). The information in these events is used for security and billing purposes. In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches. |