Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 61 Configuring Identity Policies
802.1x on Cisco IOS Routers
Related Topics
Understanding 802.1x Device Roles, page 61-2
802.1x Interface Authorization States, page 61-2
Defining 802.1x Policies, page 61-4
802.1x on Cisco IOS Routers, page 61-1
Defining 802.1x Policies
You configure an 802.1x policy by defining:
- The AAA server group containing the AAA server that authenticates hosts that are trying to connect to the network.
- The virtual interface that carries unauthenticated traffic and the physical interface that carries authenticated traffic.
- (Optional) Properties of the physical interface, including the control type, automatic reauthentication, and several timeout values.
If the router on which you are defining the 802.1x policy is not part of a VPN (for example, if it is directly
connected to the corporate network to which you want to restrict access), you must manually define an
access list. You can do this by defining an access rules policy (see Chapter 16, “Managing Firewall
Access Rules”).
Before You Begin
- Configure the selected router with a DHCP policy that contains two IP address pools, one for authenticated clients and one for unauthenticated clients. See Defining DHCP Policies, page 60-90.
- Make sure the router can route packets to the configured AAA (RADIUS) server. You can verify this by pinging the server from the router.
Related Topics
Understanding 802.1x Device Roles, page 61-2
802.1x Interface Authorization States, page 61-2
Topologies Supported by 802.1x, page 61-3
802.1x on Cisco IOS Routers, page 61-1
Step 1 Do one of the following:
- (Device view) Select Platform > Identity > 802.1x from the Policy selector.
- (Policy view) Select Router Platform > Identity > 802.1x from the Policy Type selector. Select an existing policy or create a new one.
The 802.1x page is displayed. See Table 61-1 on page 61-6 for a description of the fields on this page.
Step 2 Enter the name of the AAA server group containing the AAA server to use for authenticating clients using 802.1x, or click Select to select a server group from a list or to create a new one. The selected AAA server must use RADIUS with EAP extensions.
Note: Each AAA server in the selected group must be configured to communicate with an interface that exists on the router; otherwise, validation fails.