Networking
Managing Ports
Cisco ISA500 Series Integrated Security Appliances Administration Guide
STEP 1 In the RADIUS Settings area, specify the RADIUS servers for authentication.
The security appliance predefines three RADIUS groups. Choose a predefined
RADIUS group from the RADIUS Index drop-down list to authenticate users on
802.1x-capable clients. The RADIUS server settings of the selected group are
displayed. You can edit the RADIUS server settings here, but the settings that you
specify will replace the default settings of the selected group. For information on
configuring RADIUS servers, see Configuring RADIUS Servers, page 401.
STEP 2 In the Port-Based Access Control Settings area, perform the following actions:
• Access Control: Check this box to enable the 802.1x access control feature,
  or uncheck this box to disable it. This feature is not available for trunk ports.
• Guest Authentication: After you enable the 802.1x access control feature,
  check this box to enable the Guest Authentication feature, or uncheck this
  box to disable it.
• Authorization Mode: Specify the authorization mode for each physical port
  by clicking one of the following icons:
  - Forced Authorized: Disable the 802.1x access control feature and cause
    the port to transition to the authorized state without any authentication
    exchange required. The port transmits and receives normal traffic
    without 802.1x-based authentication of the client.
  - Forced Unauthorized: Cause the port to remain in the unauthorized
    state, ignoring all attempts by the client to authenticate. The security
    appliance cannot provide authentication services to the client through
    the port.
  - Auto: Enable the 802.1x access control feature and cause the port to
    begin in the unauthorized state, allowing only EAPOL frames to be sent
    and received through the port. The authentication process begins when
    the link state of the port transitions from down to up, or when an
    EAPOL-start frame is received. The security appliance requests the
    identity of the client and begins relaying authentication messages
    between the client and the authentication server. Each client attempting
    to access the network is uniquely identified by the security appliance by
    using the client's MAC address.
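The three authorization modes described above, modelled as a small Python sketch. This is an added example, not Cisco's code or the appliance's implementation. The `Port` class, its method names, `make_frame` and the sample frames are assumptions made for illustration; guest authentication and authenticated VLANs are not modelled.

```python
import struct

ETH_P_EAPOL = 0x888E   # EtherType of EAPOL frames (IEEE 802.1X)
EAPOL_START = 1        # EAPOL packet type "EAPOL-Start"
MODES = ("forced-authorized", "forced-unauthorized", "auto")

class Port:
    """Illustrative model of one physical port (hypothetical names)."""
    def __init__(self, mode):
        if mode not in MODES:
            raise ValueError(f"unknown authorization mode: {mode}")
        self.mode = mode
        self.authorized = set()  # client MACs that authenticated (auto mode)
        self.sent = []           # messages the authenticator would send

    def link_up(self):
        # Auto: a down-to-up link transition restarts authentication.
        if self.mode == "auto":
            self.authorized.clear()
            self.sent.append("EAP-Request/Identity")

    def auth_result(self, mac, success):
        # Verdict relayed back from the authentication (RADIUS) server.
        if self.mode == "auto" and success:
            self.authorized.add(mac)
        else:
            self.authorized.discard(mac)

    def receive(self, frame):
        """Classify an inbound Ethernet frame: 'forward', 'eapol' or 'drop'."""
        if self.mode == "forced-authorized":
            return "forward"     # no authentication exchange required
        if self.mode == "forced-unauthorized" or len(frame) < 14:
            return "drop"        # authentication attempts are ignored too
        src = frame[6:12]
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETH_P_EAPOL:
            # EAPOL header: version (1 byte), type (1 byte), length (2 bytes)
            if len(frame) >= 16 and frame[15] == EAPOL_START:
                self.sent.append("EAP-Request/Identity")
            return "eapol"       # handed to the authenticator, never bridged
        return "forward" if src in self.authorized else "drop"

def make_frame(src, ethertype, payload=b""):
    """Build a constructed sample frame (destination MAC is a placeholder)."""
    return b"\x02\x00\x00\x00\x00\xfe" + src + struct.pack("!H", ethertype) + payload
```

In Auto mode, an ordinary data frame from a client is dropped until `auth_result` records a success for that client's MAC address, while EAPOL frames are accepted for the authentication exchange from the start.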
STEP 3 To specify the authenticated VLANs on a physical port, click the Edit (pencil) icon.
STEP 4 Enter the following information in the Port-Base Access Control - Edit page:
• Access Control: Check this box to enable the 802.1x access control feature.