Chapter 61: Configuring Identity Policies

User Guide for Cisco Security Manager 4.4, OL-28826-01 (page 61-1)
This chapter contains the following topics:
802.1x on Cisco IOS Routers, page 61-1
802.1x Policy Page, page 61-5
Network Admission Control on Cisco IOS Routers, page 61-8
Network Admission Control Policy Page, page 61-14

802.1x on Cisco IOS Routers

The IEEE 802.1x standard defines 802.1x port-based authentication as a client-server based access
control and authentication protocol that restricts unauthorized clients from connecting to a LAN through
public ports. The authentication server validates each client connected to an interface before making
available any services offered by the router or the LAN.
Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol
over LAN (EAPOL) traffic through the interface to which the client is connected. If authentication is
successful, normal traffic can pass through the interface.
802.1x authentication provides VPN access control, enabling unauthenticated traffic to access the
Internet while preventing it from accessing the VPN tunnel. This solution is especially useful for
enterprises whose workers access the corporate VPN through a home access router that other family
members use to access the Internet. When you use 802.1x, you create a virtual interface to carry
unauthenticated traffic while authenticated traffic continues to pass through the physical interface.
802.1x requires that you use DHCP to provide IP addresses to the clients that request authentication. We
recommend that you use two IP address pools, one for authenticated traffic and the other for
unauthenticated traffic. If you use two pools, the DNS server in the corporate DHCP pool should point
to the corporate DNS server. The DNS server for the noncorporate DHCP pool should use the DNS
server provided by the ISP on the public interface. You configure DHCP by selecting a DHCP policy.
See DHCP on Cisco IOS Routers, page 60-87 for more information.
Note: 802.1x is supported on the following platforms: Cisco 800, 1700, 1800, 1900, 2600, 2800, 2900, 3600,
3700, 3800, 3900 Series Routers.
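The access-control rule described above (only EAPOL passes until the client is authenticated, after which normal traffic flows and the client is served from the corporate rather than the noncorporate DHCP pool) can be modelled in a few lines. The following is an added example written for this page, not code from the Cisco Security Manager guide or from Cisco IOS: it is a toy simulation in Python, with a stub authentication server, constructed credentials, constructed DHCP pools using documentation address ranges, and a hypothetical interface name; the only real constant is the IEEE 802.1X EtherType 0x888E used for EAPOL frames.

```python
"""Toy model of 802.1x port-based access control on a router interface.

Added example, not part of the Cisco Security Manager guide. Frames are plain
dicts with an 'ethertype' key; the authentication server is a stub backed by a
constructed credential table.
"""
from dataclasses import dataclass, field
from enum import Enum

EAPOL_ETHERTYPE = 0x888E  # IEEE 802.1X EAP over LAN frames (real value)
IPV4_ETHERTYPE = 0x0800   # ordinary client traffic


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


# Constructed DHCP pools following the two-pool recommendation: the corporate
# pool hands out the corporate DNS server, the noncorporate pool hands out the
# ISP's DNS server. All addresses are private or documentation ranges.
CORPORATE_POOL = {"name": "corporate", "subnet": "10.10.0.0/24", "dns": "10.10.0.53"}
NONCORPORATE_POOL = {"name": "noncorporate", "subnet": "192.168.1.0/24", "dns": "203.0.113.53"}

# Constructed credential table standing in for the authentication server.
_AUTH_SERVER_DB = {"alice": "correct-horse"}  # hypothetical test user


@dataclass
class Dot1xPort:
    """One client-facing interface with 802.1x port control enabled."""
    name: str
    state: PortState = PortState.UNAUTHORIZED
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def authenticate(self, username: str, password: str) -> PortState:
        """Simulate the outcome of the EAP exchange as reported by the server."""
        ok = _AUTH_SERVER_DB.get(username) == password
        self.state = PortState.AUTHORIZED if ok else PortState.UNAUTHORIZED
        return self.state

    def accept(self, frame: dict) -> bool:
        """EAPOL always passes; anything else passes only once authorized."""
        if frame["ethertype"] == EAPOL_ETHERTYPE or self.state is PortState.AUTHORIZED:
            self.forwarded.append(frame)
            return True
        self.dropped.append(frame)
        return False

    def dhcp_pool(self) -> dict:
        """Corporate pool after authentication, ISP-facing pool before it."""
        return CORPORATE_POOL if self.state is PortState.AUTHORIZED else NONCORPORATE_POOL


def run_scenario(username: str, password: str) -> dict:
    """Drive one client through the port: traffic before and after authentication."""
    port = Dot1xPort("FastEthernet0")  # hypothetical interface name
    eapol = {"ethertype": EAPOL_ETHERTYPE, "payload": "EAPOL-Start"}
    ipv4 = {"ethertype": IPV4_ETHERTYPE, "payload": "DNS query"}

    before = {"eapol": port.accept(eapol), "ipv4": port.accept(ipv4),
              "dns": port.dhcp_pool()["dns"]}
    port.authenticate(username, password)
    after = {"eapol": port.accept(eapol), "ipv4": port.accept(ipv4),
             "dns": port.dhcp_pool()["dns"], "state": port.state.value}
    return {"before": before, "after": after,
            "dropped": len(port.dropped), "forwarded": len(port.forwarded)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_scenario("alice", "correct-horse"), indent=2))
    print(json.dumps(run_scenario("alice", "wrong-password"), indent=2))
```

Running the module shows the two outcomes side by side: with a valid credential the port moves to the authorized state, the IPv4 frame that was dropped earlier is now forwarded and the DNS server switches to the corporate one; with a bad credential the port stays unauthorized, EAPOL continues to pass (so the client can retry) and all other traffic is still dropped.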
For more information about 802.1x, see:
Understanding 802.1x Device Roles, page 61-2
802.1x Interface Authorization States, page 61-2