1-35
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Common Session ID
Authentication manager uses a single session ID (referred to as a common session ID) for a client no
matter which authentication method is used. This ID is used for all reporting purposes, such as the show
commands and MIBs. The session ID appears with all per-session syslog messages.
The session ID includes:
• The IP address of the Network Access Device (NAD)
• A monotonically increasing unique 32 bit integer
• The session start time stamp (a 32 bit integer)
This example shows how the session ID appears in the output of the show authentication command. The
session ID in this example is 160000050000000B288508E5:
Switch# show authentication sessions
Interface MAC Address Method Domain Status Session ID
Fa4/0/4 0000.0000.0203 mab DATA Authz Success 160000050000000B288508E5
This is an example of how the session ID appears in the syslog output. The session ID in this example
is also160000050000000B288508E5:
1w0d: %AUTHMGR-5-START: Starting 'mab' for client (0000.0000.0203) on Interface Fa4/0/4
AuditSessionID 160000050000000B288508E5
1w0d: %MAB-5-SUCCESS: Authentication successful for client (0000.0000.0203) on Interface
Fa4/0/4 AuditSessionID 160000050000000B288508E5
1w0d: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client
(0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5
The session ID is used by the NAD, the AAA server, and other report-analyzing applications to identify
the client. The ID appears automatically. No configuration is required.
Device Sensor
Device Sensor uses protocols such as Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol
(LLDP), and DHCP to obtain endpoint information from network devices and make this information
available to its clients. Device Sensor has internal clients, such as the embedded Device Classifier (local
analyzer), Auto Smartports (ASP), MediaNet Service Interface (MSI)-Proxy, and EnergyWise. Device
Sensor also has an external client, Identity Services Engine (ISE), which uses RADIUS accounting to
receive and analyze endpoint data. When integrated with ISE, Device Sensor provides central policy
management and device-profiling capabilities.
Device profiling capability consists of two parts:
• Collector--Gathers endpoint data from network devices.
• Analyzer--Processes the data and determines the type of device.
For more information about device profiling, see the “Configuring Endpoint Profiling Policies” chapter
in the Cisco Identity Services Engine User Guide at this URL:
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_prof_pol.html
Device Sensor represents the embedded collector functionality. Figure 1-7shows Device Sensor in the
context of its internal clients and the ISE.
To Next Page
Loading...
Need help?
General
