61-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 61 Configuring Identity Policies
802.1x on Cisco IOS Routers
Topologies Supported by 802.1x, page 61-3
Defining 802.1x Policies, page 61-4
Understanding 802.1x Device Roles
802.1x port-based authentication uses the following device roles:
Client—The workstation requesting access to the network. It must be running 802.1x-compliant client
software (a supplicant), such as that offered with the Microsoft Windows XP operating system.
Authentication server—Authenticates clients. The authentication server validates the client’s
identity and notifies the router whether the client is authorized to access the network. The Remote
Authentication Dial-In User Service (RADIUS) security system with EAP extensions is the only
supported authentication server. In Security Manager, a AAA (authentication, authorization, and
accounting) server, as defined in a AAA server object, is the authentication server for 802.1x
policies.
Router (edge router or wireless access point)—Controls physical access to the network based on the
authentication status of the client. The router is an intermediary (proxy) between the client and the
authentication server: it requests identity information from the client, verifies that information
with the authentication server, and relays the response to the client. In Security Manager, the router
on which you configure an 802.1x policy fills the role that a switch plays in a LAN deployment (the
802.1x authenticator).
Related Topics
802.1x Interface Authorization States, page 61-2
Topologies Supported by 802.1x, page 61-3
Defining 802.1x Policies, page 61-4
802.1x on Cisco IOS Routers, page 61-1
802.1x Interface Authorization States
When you use 802.1x, the interface state determines whether to grant the client network access. By
default, the interface starts in the unauthorized state. While in this state, the interface disallows all traffic
in both directions, except for EAPOL packets. After a client is authenticated, the interface transitions to
the authorized state, enabling all client traffic to flow normally.
If a client that does not support 802.1x is connected to an unauthorized 802.1x interface, the router
requests the client’s identity. The client does not respond to the request, so the interface remains in
the unauthorized state and the client is not granted access to the network. In contrast, when an
802.1x-enabled client connects to an interface that is not running the 802.1x protocol, the client
initiates the authentication process by sending an EAPOL-Start frame. If no response is received, the
client retransmits the request a fixed number of times and then, still having received no response,
begins sending frames as if the interface were in the authorized state. Whether that traffic is
forwarded is decided by the interface, which in this case is not enforcing 802.1x; the client’s fallback
does not by itself grant access.
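The device roles above and the two unauthorized-interface cases just described, as an added example that is not code from the Cisco guide, from Security Manager or from IOS. It models the client (supplicant), the router interface (authenticator) and a stand-in for the RADIUS server, filters non-EAPOL frames while the interface is unauthorized, proxies the credential check to the server, and exercises four cases: a client the server accepts, a client it rejects, a client without 802.1x software on an Auto interface, and an 802.1x client on an interface not running 802.1x. The class and function names, the credential table, the MAC addresses, the simplified "EAP-Request/Method" exchange standing in for a real EAP method, and the retry count of 3 are assumptions for this example; the EAPOL EtherType 0x888E is the real value.

```python
"""Added example, not code from the Cisco guide or from IOS: a minimal model of the
802.1x roles and interface states the text describes. Credentials, MAC addresses,
the frame layout and the EAPOL-Start retry count are constructed assumptions."""
from collections import namedtuple
from enum import Enum
from typing import Dict, Optional

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X (EAP over LAN) EtherType
IPV4_ETHERTYPE = 0x0800
EAPOL_START_RETRIES = 3    # "a fixed number of times" in the text; 3 is assumed
Frame = namedtuple("Frame", "src_mac ethertype payload")


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"   # only EAPOL passes
    AUTHORIZED = "authorized"       # all client traffic passes


class AuthServer:
    """Constructed stand-in for the RADIUS server with EAP extensions."""
    def __init__(self, users: Dict[str, str]):
        self._users = users   # identity -> secret (sample data)

    def check(self, identity: str, secret: str) -> bool:
        return self._users.get(identity) == secret


class AuthenticatorPort:
    """One router interface; dot1x_enabled=True models the 'Auto' option."""
    def __init__(self, server: AuthServer, dot1x_enabled: bool = True):
        self.server, self.dot1x_enabled = server, dot1x_enabled
        self.sessions: Dict[str, PortState] = {}   # keyed by client MAC
        self.identities: Dict[str, str] = {}
        self.forwarded: list = []                  # data that reached the network

    def state(self, mac: str) -> PortState:
        if not self.dot1x_enabled:
            return PortState.AUTHORIZED            # nothing is enforced
        return self.sessions.get(mac, PortState.UNAUTHORIZED)

    def link_up(self, mac: str) -> Optional[Frame]:
        """Link down->up starts authentication: the router asks for the identity."""
        if not self.dot1x_enabled:
            return None
        self.sessions[mac] = PortState.UNAUTHORIZED
        return Frame("router", EAPOL_ETHERTYPE, "EAP-Request/Identity")

    def receive(self, frame: Frame) -> Optional[Frame]:
        """Filter by state, relay EAP to the server, return the reply (if any)."""
        if frame.ethertype != EAPOL_ETHERTYPE:
            if self.state(frame.src_mac) is PortState.AUTHORIZED:
                self.forwarded.append(frame)
            return None                            # unauthorized: dropped silently
        if not self.dot1x_enabled:
            return None                            # EAPOL-Start goes unanswered
        kind, _, value = frame.payload.partition(":")
        if kind == "EAPOL-Start":
            return Frame("router", EAPOL_ETHERTYPE, "EAP-Request/Identity")
        if kind == "EAP-Response/Identity":
            self.identities[frame.src_mac] = value
            return Frame("router", EAPOL_ETHERTYPE, "EAP-Request/Method")
        if kind == "EAP-Response/Method":       # proxy the decision to the AAA server
            ok = self.server.check(self.identities.get(frame.src_mac, ""), value)
            self.sessions[frame.src_mac] = PortState.AUTHORIZED if ok else PortState.UNAUTHORIZED
            return Frame("router", EAPOL_ETHERTYPE, "EAP-Success" if ok else "EAP-Failure")
        return None


class Supplicant:
    """The client; dot1x=False models a workstation without 802.1x software."""
    def __init__(self, mac: str, identity: str = "", secret: str = "", dot1x: bool = True):
        self.mac, self.identity, self.secret, self.dot1x = mac, identity, secret, dot1x
        self.starts_sent = 0

    def connect(self, port: AuthenticatorPort) -> bool:
        """Attach, authenticate if able, send one data frame; True if it got through."""
        reply = port.link_up(self.mac)
        if self.dot1x:
            while reply is None and self.starts_sent < EAPOL_START_RETRIES:
                self.starts_sent += 1              # retry, then give up and talk anyway
                reply = port.receive(Frame(self.mac, EAPOL_ETHERTYPE, "EAPOL-Start"))
            if reply and reply.payload == "EAP-Request/Identity":
                reply = port.receive(Frame(self.mac, EAPOL_ETHERTYPE, "EAP-Response/Identity:" + self.identity))
            if reply and reply.payload == "EAP-Request/Method":
                port.receive(Frame(self.mac, EAPOL_ETHERTYPE, "EAP-Response/Method:" + self.secret))
        data = Frame(self.mac, IPV4_ETHERTYPE, "IPv4 data")   # non-802.1x clients skip straight here
        port.receive(data)
        return data in port.forwarded


def run_scenarios() -> Dict[str, bool]:
    """Each case from the text -> whether the client's data frame was forwarded."""
    server = AuthServer({"alice": "s3cret"})
    cases = {   # name: (client, interface running 802.1x?)
        "valid_client": (Supplicant("00:11:22:33:44:01", "alice", "s3cret"), True),
        "rejected_client": (Supplicant("00:11:22:33:44:02", "alice", "wrong"), True),
        "client_without_dot1x": (Supplicant("00:11:22:33:44:03", dot1x=False), True),
        "port_without_dot1x": (Supplicant("00:11:22:33:44:04", "alice", "s3cret"), False),
    }
    return {name: c.connect(AuthenticatorPort(server, dot1x_enabled=on)) for name, (c, on) in cases.items()}
```

Running `run_scenarios()` returns `valid_client` and `port_without_dot1x` as forwarded and the other two as blocked. The last case is the one to notice when auditing a deployment: the client's fallback to sending normally is harmless only because the interface it is attached to is not enforcing 802.1x at all, so the control lives entirely on the authenticator side, keyed by client MAC.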
You can control the interface authorization state by selecting one of the following options:
Auto—Enables 802.1x authentication, which causes the interface to start in the unauthorized state.
Only EAPOL frames are sent and received through the interface. Authentication begins when the
link state of the interface transitions from down to up or when an EAPOL-Start frame is received.
The router requests the client’s identity and begins relaying authentication messages between the
client and the authentication server. The router uses the MAC address of each client trying to access
the network as that client’s unique identifier.