Cisco 4500M Software Manual page 437

Chapter 31
Understanding and Configuring 802.1X Port-Based Authentication
When the port state transitions between authorized and unauthorized, the RADIUS messages are
transmitted to the RADIUS server.
The switch does not log any accounting information. Instead, it sends such information to the RADIUS
server, which must be configured to log accounting messages.
The 802.1X authentication, authorization and accounting process is as follows:
Step 1  A user connects to a port on the switch.
Step 2  Authentication is performed, for example, using the username/password method.
Step 3  VLAN assignment is enabled, as appropriate, per RADIUS server configuration.
Step 4  The switch sends a start message to an accounting server.
Step 5  Reauthentication is performed, as necessary.
Step 6  The switch sends an interim accounting update to the accounting server that is based on the result of reauthentication.
Step 7  The user disconnects from the port.
Step 8  The switch sends a stop message to the accounting server.
To configure 802.1X accounting, you need to do the following tasks:
- Enable logging of "Update/Watchdog packets from this AAA client" in your RADIUS server's Network Configuration tab.
- Enable "Logging>CSV RADIUS Accounting" in your RADIUS server System Configuration tab.
- Enable 802.1X accounting on your switch.
- Enable AAA accounting by using the aaa system accounting command. Refer to the "Enabling 802.1X Accounting" section on page 31-16.
Enabling AAA system accounting along with 802.1X accounting allows system reload events to be sent
to the accounting RADIUS server for logging. By doing this, the accounting RADIUS server can infer
that all active 802.1X sessions are appropriately closed.
Because RADIUS uses the unreliable transport protocol UDP, accounting messages may be lost due to
poor network conditions. If the switch does not receive the accounting response message from the
RADIUS server after a configurable number of retransmissions of an accounting request, the following
system message appears:
Accounting message %s for session %s failed to receive Accounting Response.
When the stop message is not transmitted successfully, the following message appears:
00:09:55: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session
172.20.50.145 sam 11/06/03 07:01:16 11000002 failed to receive Accounting Response.
Use the show radius statistics command to display the number of RADIUS messages that do not receive
the accounting response message.
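
The following is an added example, not code from the Cisco guide: a small parser that pulls %RADIUS-3-NOACCOUNTINGRESPONSE records out of collected switch syslog and lists the sessions whose accounting trail on the RADIUS server is incomplete. The function names, the uptime-stamp format and every sample line other than the message quoted above are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Built from the message template on this page:
#   Accounting message %s for session %s failed to receive Accounting Response.
NOACCT = re.compile(
    r"^(?P<uptime>\S+): %RADIUS-3-NOACCOUNTINGRESPONSE: "
    r"Accounting message (?P<kind>\S+) for session (?P<session>.+?) "
    r"failed to receive Accounting Response\.$"
)

def unwrap(lines):
    """Rejoin records that were wrapped onto a second line.
    Assumption: every record starts with an uptime stamp such as '00:09:55: %'."""
    record = ""
    for line in lines:
        if record and re.match(r"\d+:\d+:\d+: %", line):
            yield record
            record = ""
        record = (record + " " + line.strip()).strip()
    if record:
        yield record

def lost_accounting(lines):
    """Map each session string (kept opaque) to the accounting message kinds lost."""
    lost = defaultdict(list)
    for record in unwrap(lines):
        m = NOACCT.match(record)
        if m:
            lost[m.group("session")].append(m.group("kind"))
    return dict(lost)

def unacknowledged_stops(lost):
    """Sessions whose stop message the RADIUS server never acknowledged."""
    return sorted(s for s, kinds in lost.items() if "Stop" in kinds)

# First record is the one quoted on this page; the rest are constructed samples.
SAMPLE = [
    "00:09:55: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session",
    "172.20.50.145 sam 11/06/03 07:01:16 11000002 failed to receive Accounting Response.",
    "00:41:02: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Stop for session",
    "172.20.50.146 alice 11/06/03 07:32:40 11000003 failed to receive Accounting Response.",
    "00:41:10: %LINK-3-UPDOWN: Interface GigabitEthernet2/1, changed state to down",
]

if __name__ == "__main__":
    for session, kinds in lost_accounting(SAMPLE).items():
        print(session, "->", ", ".join(kinds))
```

Sessions returned by unacknowledged_stops() are the ones to reconcile by hand against the RADIUS server's accounting log, since the server has no stop record for them.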
Understanding 802.1X Port-Based Authentication
Software Configuration Guide—Release 12.2(25)EW, OL-6696-01, page 31-9