Cisco Systems ISA550 Configuring Port-Based (802.1x) Access Control

Networking

Managing Ports

Cisco ISA500 Series Integrated Security Appliances Administration Guide 120

STEP 1 Click On to enable port mirroring, or click Off to disable this feature.

STEP 2 If you enable port mirroring, enter the following information:

•TX Destination: Choose the port that monitors the transmitted traffic for

other ports.

•TX Monitored Ports: Check the ports that are monitored. The port that you

set as a TX Destination port cannot be selected as a monitored port.

•RX Destination: Choose the port that monitors the received traffic for other

ports.

•RX Monitored Ports: Check the ports that are monitored. The port that you

set as a RX Destination port cannot be selected as a monitored port.

STEP 3 Click Save to apply your settings.

Configuring Port-Based (802.1x) Access Control

Use the Networking > Ports > Port-Based Access Control page to configure IEEE

802.1x port-based authentication, which prevents unauthorized devices

(802.1x-capable clients) from gaining access to the network.

The IEEE 802.1x standard defines a client-server-based access control and

authentication protocol that restricts unauthorized devices from connecting to a

VLAN through publicly accessible ports. The authentication server authenticates

each client (supplicant in Windows 2000, XP, Vista, Windows 7, and Mac OS)

connected to a port before making available any service offered by the security

appliance or the VLAN.

Until the client is authenticated, 802.1x access control allows only Extensible

Authentication Protocol over LAN (EAPOL) traffic through the port to which the

client is connected. After authentication is successful, normal traffic can pass

through the port.

This feature simplifies the security management by allowing you to control access

from a master database in a single server (although you can use up to three

RADIUS servers to provide backups in case access to the primary server fails). It

also means that user can enter the same authorized RADIUS username and

password pair for authentication, regardless of which switch is the access point

into the VLAN.