Configuring IEEE 802.1x Port-Based Authentication

Attribute Number   AV Pair Name           START    INTERIM   STOP
Attribute[45]      Acct-Authentic         Always   Always    Always
Attribute[46]      Acct-Session-Time      Never    Always    Always
Attribute[49]      Acct-Terminate-Cause   Never    Never     Always
Attribute[61]      NAS-Port-Type          Always   Always    Always

7 The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Configuration Protocol (DHCP) binding exists for the host in the DHCP snooping bindings table.

802.1x Readiness Check

The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information about the devices connected to the ports that support 802.1x. You can use this feature to determine whether the devices connected to the switch ports are 802.1x-capable. For devices that do not support 802.1x functionality, use an alternate authentication method such as MAC authentication bypass or web authentication.

This feature only works if the supplicant on the client supports a query with the NOTIFY EAP notification packet. The client must respond within the 802.1x timeout value.

The 802.1x readiness check is allowed on all ports that can be configured for 802.1x. The readiness check is not available on a port that is configured as dot1x force-unauthorized.

Follow these guidelines to enable the readiness check on the switch:
• The readiness check is typically used before 802.1x is enabled on the switch.
• If you use the dot1x test eapol-capable privileged EXEC command without specifying an interface, all the ports on the switch stack are tested.
• When you configure the dot1x test eapol-capable command on an 802.1x-enabled port, and the link comes up, the port queries the connected client about its 802.1x capability. When the client responds with a notification packet, it is 802.1x-capable. A syslog message is generated if the client responds within the timeout period. If the client does not respond to the query, the client is not 802.1x-capable. No syslog message is generated.
• The readiness check can be sent on a port that handles multiple hosts (for example, a PC that is connected to an IP phone). A syslog message is generated for each of the clients that respond to the readiness check within the timer period.

Related Topics
Configuring 802.1x Readiness Check, on page 247

Switch-to-RADIUS-Server Communication

RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a

Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29434-01
Page 226
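
The readiness check section on this page states that a syslog message is generated for each client that responds and none for a client that stays silent. The Python below is an added example, not part of the Cisco guide, that turns collected syslog lines into a per-port inventory before 802.1x is enabled. The message form (%DOT1X-6-INFO_EAPOL_PING_RESPONSE), the short interface names, and the sample log lines and MAC addresses are assumptions constructed for illustration.

```python
import re

# Assumed form of the readiness-check response message; this page does not show it.
PING_RESPONSE = re.compile(
    r"%DOT1X-6-INFO_EAPOL_PING_RESPONSE: The interface (?P<port>\S+) has an "
    r"802\.1x capable client with MAC "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[-:.]?[0-9A-Fa-f]{2}){5})"
)

# Constructed sample: Gi1/0/2 is a multi-host port (PC behind an IP phone),
# Gi1/0/3 only logs a link event, Gi1/0/4 logs nothing at all.
SAMPLE_LOG = [
    "Mar  1 00:10:01: %DOT1X-6-INFO_EAPOL_PING_RESPONSE: The interface Gi1/0/1 "
    "has an 802.1x capable client with MAC 02-00-00-aa-00-01",
    "Mar  1 00:10:01: %DOT1X-6-INFO_EAPOL_PING_RESPONSE: The interface Gi1/0/2 "
    "has an 802.1x capable client with MAC 02-00-00-aa-00-02",
    "Mar  1 00:10:02: %DOT1X-6-INFO_EAPOL_PING_RESPONSE: The interface Gi1/0/2 "
    "has an 802.1x capable client with MAC 0200.00aa.0003",
    "Mar  1 00:10:03: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up",
]
TESTED_PORTS = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/4"]

def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated octets, whatever the separators."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify_ports(tested_ports, syslog_lines):
    """Map responding ports to their client MACs and list the silent ports."""
    # A silent port is only a candidate for MAC authentication bypass or web
    # authentication: an empty port or a late supplicant also logs nothing.
    capable = {}
    for line in syslog_lines:
        match = PING_RESPONSE.search(line)
        if match:
            mac = normalize_mac(match.group("mac"))
            capable.setdefault(match.group("port"), set()).add(mac)
    silent = [port for port in tested_ports if port not in capable]
    return capable, silent

if __name__ == "__main__":
    capable, silent = classify_ports(TESTED_PORTS, SAMPLE_LOG)
    for port, macs in capable.items():
        print(f"{port}: 802.1x-capable clients {sorted(macs)}")
    print("no response (review for MAB or web authentication):", silent)
```

Because a missing message is the only signal for a non-capable client, the list of tested ports has to come from the switch inventory rather than from the log itself.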