
Cisco IOS Software Releases 12.3 Special and Early Deployments

VPN Access Control Using 802.1X Authentication

Table Of Contents

VPN Access Control Using 802.1X Authentication

Contents

Prerequisites for VPN Access Control Using 802.1X Authentication

Restrictions for VPN Access Control Using 802.1X Authentication

Information About VPN Access Control Using 802.1X Authentication

How VPN Control Using 802.1X Authentication Works

802.1X Authentication Sample Topology and Configuration

Converged 802.1X Authenticator Support

802.1X Supplicant Support

Converged 802.1X Supplicant Support

Authentication Using Passwords and MD5

How to Configure VPN Access Control Using 802.1X Authentication

Configuring an AAA RADIUS Server

Configuring a Router

Enabling 802.1X Authentication

Configuring Router and RADIUS Communication

Configuring 802.1X Parameters (Retransmissions and Timeouts)

Configuring the Identity Profile

Configuring the Virtual Template and DHCP

Configuring the Necessary Access Control Policies

Configuring a Router As a Supplicant

Configuring a PC

Configuring a PC for VPN Access Control Using 802.1X Authentication

Enabling 802.1X Authentication on a Windows 2000/XP PC

Enabling 802.1X Authentication on a Windows 2000 PC

Enabling 802.1X Authentication on a Windows XP PC

Enabling 802.1X Authentication on Windows 2000 and Windows XP PCs

Monitoring VPN Access Control Using 802.1X Authentication

Verifying VPN Access Control Using 802.1X Authentication

Configuration Examples for VPN Access Control Using 802.1X Authentication

Typical VPN Access Control Using 802.1X Configuration: Example

Access Control Policies: Example

Router Acting As a Supplicant: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

aaa authentication dot1x

clear dot1x

clear eap

debug dot1x

debug eap

description (dot1x credentials)

description (identity profile)

device (identity profile)

dot1x control-direction

dot1x credentials

dot1x default

dot1x guest-vlan

dot1x host-mode

dot1x initialize

dot1x max-reauth-req

dot1x max-req

dot1x max-start

dot1x multiple-hosts

dot1x pae

dot1x port-control

dot1x re-authenticate (privileged EXEC)

dot1x reauthentication

dot1x system-auth-control

dot1x timeout

eap

identity profile

macro global

macro name

password (dot1x credentials)

show dot1x

show eap registrations

show eap sessions

show ip igmp snooping

template (identity profile)

username (dot1x credentials)

Glossary

Feature Information for VPN Access Control Using 802.1X Authentication


VPN Access Control Using 802.1X Authentication


First Published: August 11, 2003
Last Updated: June 2, 2006

The home access router provides connectivity to the corporate network via a Virtual Private Network (VPN) tunnel through the Internet. In the home LAN, apart from the employee, other members of the household may also be using the same access router. The VPN Access Control Using 802.1X Authentication feature allows enterprise employees to access their enterprise networks from home while allowing other household members to access only the Internet. The feature uses the IEEE 802.1X protocol framework to achieve the VPN access control. The authenticated employee has access to the VPN tunnel and others (unauthenticated users on the same LAN) have access only to the Internet.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for VPN Access Control Using 802.1X Authentication" section.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for VPN Access Control Using 802.1X Authentication

Restrictions for VPN Access Control Using 802.1X Authentication

Information About VPN Access Control Using 802.1X Authentication

How to Configure VPN Access Control Using 802.1X Authentication

Configuration Examples for VPN Access Control Using 802.1X Authentication

Additional References

Command Reference

Feature Information for VPN Access Control Using 802.1X Authentication

Prerequisites for VPN Access Control Using 802.1X Authentication

The PCs connecting behind the router should have 802.1X clients running on them.

You should know how to configure authentication, authorization, and accounting (AAA) and RADIUS.

You should be familiar with IP Security (IPSec).

You should be familiar with Dynamic Host Configuration Protocol (DHCP).

You should know how to configure user lists on a Cisco access control server (ACS).

Restrictions for VPN Access Control Using 802.1X Authentication

Easy VPN is not supported.

VLAN interfaces are currently not supported.

If there is a switch located between the router and the supplicant (client PC), the Extensible Authentication Protocol over LAN (EAPOL) frames will not reach the router because the switch discards them.

Information About VPN Access Control Using 802.1X Authentication

To configure the VPN Access Control Using 802.1X Authentication feature, you should understand the following concepts:

How VPN Control Using 802.1X Authentication Works

802.1X Supplicant Support

Authentication Using Passwords and MD5

How VPN Control Using 802.1X Authentication Works

The home access router provides connectivity to the corporate network via a VPN tunnel through the Internet. In the home LAN, both authenticated (employee) and unauthenticated (other household member) users exist. Without this feature, both have access to the corporate VPN tunnel, because nothing on the router distinguishes one LAN host from another.

To distinguish between the users, the VPN Access Control Using 802.1X Authentication feature uses the IEEE 802.1X protocol, which allows end hosts to send user credentials at Layer 2, before they have an IP address. Traffic from unauthenticated users is allowed to pass to the Internet but is blocked from the corporate VPN tunnel. The feature expands the scope of the 802.1X standard to authenticate devices rather than ports, meaning that multiple devices on the same port can be independently authenticated. It separates traffic from authenticated and unauthenticated users so that separate access policies can be applied to each.

When an 802.1X-capable host starts up, it will initiate the authentication phase by sending the EAPOL-Start 802.1X protocol data unit (PDU) to the reserved IEEE multicast MAC address (01-80-C2-00-00-03) with the Ethernet type or length set to 0x888E.

All 802.1X PDUs will be identified as such by the Ethernet driver and will be enqueued to be handled by an 802.1X process. On some platforms, Ethernet drivers have to program the interface address filter so that EAPOL packets can be accepted.

On the router, receipt of the EAPOL-Start message causes the source MAC address to be "remembered," and an EAP-Request/Identity PDU to be sent to the host. The router sends all host-addressed PDUs to the individual MAC address of the host rather than to the multicast address.
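The exchange described above, as an added example that is not part of the Cisco document: a small Python model of the EAPOL-Start frame a host sends and of the router's handling of it (remember the source MAC, answer with a unicast EAP-Request/Identity). The group MAC address and EtherType are the ones the text gives; the router MAC and the frame contents are constructed here and nothing is sent on the wire. The host MAC reuses the address from the identity-profile example in this document.

```python
"""Added example (not from the Cisco document): build and parse the first two
frames of the 802.1X exchange.  The host sends an EAPOL-Start to the reserved
group MAC 01-80-C2-00-00-03 with EtherType 0x888E; the router records the
source MAC and answers with a unicast EAP-Request/Identity.  All frames are
constructed in memory."""
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # IEEE 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1                                # 802.1X-2001 framing

# EAPOL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET = 0
EAPOL_START = 1
EAPOL_LOGOFF = 2

# EAP codes and types (RFC 3748)
EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eapol_frame(dst, src, pkt_type, body=b""):
    """Ethernet II header + EAPOL header (version, type, body length) + body."""
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, pkt_type, len(body))
    return dst + src + hdr + body


def eap_packet(code, identifier, eap_type, data=b""):
    """EAP header: code, identifier, length (whole packet), type, then data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def parse_eapol(frame):
    """Return (dst, src, eapol_type, body); raise ValueError for non-EAPOL input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    ethertype, _version, pkt_type, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame (EtherType 0x%04x)" % ethertype)
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPOL body")
    return dst, src, pkt_type, body


def supplicant_start(host_mac):
    """EAPOL-Start as an 802.1X-capable host sends it at startup: group MAC, empty body."""
    return eapol_frame(PAE_GROUP_MAC, host_mac, EAPOL_START)


def authenticator_on_frame(frame, router_mac, remembered, identifier=1):
    """Authenticator side.  On an EAPOL-Start addressed to the group MAC, remember
    the source MAC and reply with EAP-Request/Identity sent to that MAC only.
    Returns the reply frame, or None when the frame needs no reply here."""
    dst, src, pkt_type, _ = parse_eapol(frame)
    if dst != PAE_GROUP_MAC or pkt_type != EAPOL_START:
        return None
    remembered.add(src)                       # the "remembered" source MAC
    eap = eap_packet(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY)
    return eapol_frame(src, router_mac, EAPOL_EAP_PACKET, eap)


if __name__ == "__main__":
    host = bytes.fromhex("0001024bb4e7")      # MAC from the identity-profile example
    router = bytes.fromhex("000000000001")    # constructed router MAC
    seen = set()
    reply = authenticator_on_frame(supplicant_start(host), router, seen)
    print("remembered:", [m.hex() for m in seen])
    print("reply:", reply.hex())
```

The parser rejects anything that is not EAPOL, which is exactly what a switch between host and router does to the EAPOL-Start (it never forwards frames sent to the 01-80-C2-00-00-0x group range), so a supplicant behind such a switch never gets past this first frame.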

802.1X Authentication Sample Topology and Configuration

Figure 1 illustrates a typical scenario in which VPN access control using 802.1X authentication is in place.

Figure 1 Typical 802.1X Authentication Setup

In Figure 1, all the PCs are 802.1X capable hosts, and the Cisco 831 router is an authenticator. All the PCs are connected to the built-in hub or to an external hub. If a PC does not support 802.1X authentication, MAC-based authentication is supported on the Cisco 831 router.


Note You can have any kind of connectivity or network beyond the Cisco 831 WAN.

If there is a switch located between the router and the supplicant (client PC), the EAPOL frames will not reach the router because the switch discards them.

A supplicant is an entity at one end of a point-to-point LAN segment that is being authenticated by an authenticator that is attached to the other end of that link.


Converged 802.1X Authenticator Support

The Cisco IOS commands in Cisco IOS Release 12.4(6)T for 802.1X authenticators have been standardized to work the same way on various Cisco IOS platforms.

802.1X Supplicant Support

There are deployment scenarios in which a network device (a router acting as an 802.1X authenticator) is placed in an unsecured location and cannot be trusted as an authenticator. This scenario requires that a network device be able to authenticate itself against another network device. The 802.1X supplicant support functionality provides the following solutions for this requirement:

An Extensible Authentication Protocol (EAP) framework has been included so that the supplicant has the ability to "understand" and "respond" to EAP requests. EAP-Message Digest 5 (EAP-MD5) is currently supported.

Two network devices that are connected through an Ethernet link can act as a supplicant and as an authenticator simultaneously, thus providing mutual authentication capability.

A network device that is acting as a supplicant can authenticate itself with more than one authenticator (that is, a single port on a supplicant can be connected to multiple authenticators).

The following illustration is an example of 802.1X supplicant support. The illustration shows that a single supplicant port has been connected to multiple authenticators. Router A is acting as an authenticator to devices that are sitting behind it on the LAN while those devices are acting as supplicants. At the same time, Router B is an authenticator to Router A (which is acting as a supplicant). The RADIUS server is located in the enterprise network.

When Router A tries to authenticate devices on the LAN, it needs to "talk" to the RADIUS server, but before it can allow access to any of the devices that are sitting behind it, it has to prove its identity to Router B. Router B checks the credential of Router A and gives access.

Figure 2 Multiple Instances of Supplicant Support

Converged 802.1X Supplicant Support

The Cisco IOS commands in Cisco IOS Release 12.4(6)T for 802.1X supplicants have been standardized to work the same way on various Cisco IOS platforms.

Authentication Using Passwords and MD5

For information about using passwords and Message Digest 5 (MD5), see the following document on Cisco.com:

Improving Security on Cisco Routers
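The EAP-MD5 method named under "802.1X Supplicant Support" and the password/MD5 authentication this section refers to, as an added example that is not part of the Cisco document. It models both sides of the EAP-Request/MD5-Challenge exchange (RFC 3748 section 5.4, the same computation as CHAP) in Python: the supplicant computes MD5(identifier || password || challenge), and the authenticator, standing in here for the RADIUS server that holds the password, recomputes and compares it. The username and password reuse the router1/secret credentials from the supplicant procedure later in this document; the challenge bytes and the password table are constructed. The last function shows the property a practitioner should weigh before choosing EAP-MD5: the challenge and response are sent in the clear on the LAN, so anyone who captures them can test password guesses offline.

```python
"""Added example (not from the Cisco document): EAP-MD5 challenge/response
between a supplicant and an authenticator, both modelled in memory."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4


def md5_challenge_request(identifier, challenge, name=b""):
    """EAP-Request/MD5-Challenge: type 4, value-size, value (challenge), optional name."""
    data = bytes([len(challenge)]) + challenge + name
    return struct.pack("!BBHB", EAP_REQUEST, identifier, 5 + len(data), EAP_TYPE_MD5) + data


def md5_response_value(identifier, password, challenge):
    """RFC 3748 5.4 / RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def supplicant_answer(request, password, username):
    """Supplicant side: parse the Request, hash with the local password, build the Response."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", request[:5])
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5 or length != len(request):
        raise ValueError("not a well-formed EAP-Request/MD5-Challenge")
    value_size = request[5]
    challenge = request[6:6 + value_size]
    if len(challenge) != value_size:
        raise ValueError("truncated challenge")
    value = md5_response_value(identifier, password, challenge)
    data = bytes([len(value)]) + value + username        # Name field carries the username
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_MD5) + data


def authenticator_verify(response, identifier, challenge, password_db):
    """Authenticator/RADIUS side: recompute from the stored password for the Name in
    the Response and compare in constant time.  A Response whose identifier does not
    match the outstanding Request (a replayed old answer) fails as well."""
    code, resp_id, length, eap_type = struct.unpack("!BBHB", response[:5])
    if (code != EAP_RESPONSE or eap_type != EAP_TYPE_MD5
            or length != len(response) or resp_id != identifier):
        return EAP_FAILURE
    value_size = response[5]
    value = response[6:6 + value_size]
    name = response[6 + value_size:]
    password = password_db.get(name)
    if password is None or value_size != 16:
        return EAP_FAILURE
    expected = md5_response_value(identifier, password, challenge)
    return EAP_SUCCESS if hmac.compare_digest(value, expected) else EAP_FAILURE


def offline_guess(identifier, challenge, response_value, wordlist):
    """The weakness of EAP-MD5: with a captured challenge and response, guesses are
    checked offline with no further traffic.  Returns the matching word or None."""
    for word in wordlist:
        if md5_response_value(identifier, word, challenge) == response_value:
            return word
    return None


def run_exchange(username, password, password_db, identifier=7, challenge=None):
    """Whole exchange; returns (result code, challenge used, response hash)."""
    challenge = challenge if challenge is not None else os.urandom(16)
    request = md5_challenge_request(identifier, challenge)
    response = supplicant_answer(request, password, username)
    result = authenticator_verify(response, identifier, challenge, password_db)
    return result, challenge, response[6:22]


if __name__ == "__main__":
    db = {b"router1": b"secret"}                     # constructed password table
    result, challenge, value = run_exchange(b"router1", b"secret", db)
    print("result:", {EAP_SUCCESS: "EAP-Success", EAP_FAILURE: "EAP-Failure"}[result])
    print("offline guess from capture:", offline_guess(7, challenge, value, [b"password", b"secret"]))
```

EAP-MD5 authenticates the supplicant only; it does not authenticate the authenticator and derives no key, which is why the mutual authentication the text describes between two routers is achieved by running the exchange in both directions, not by the method itself.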

How to Configure VPN Access Control Using 802.1X Authentication

This section includes the following procedures:

Configuring an AAA RADIUS Server

Configuring a Router

Configuring a PC

Monitoring VPN Access Control Using 802.1X Authentication

Verifying VPN Access Control Using 802.1X Authentication

Configuring an AAA RADIUS Server

To configure an AAA RADIUS server, perform the following steps.


Step 1 Configure entries for the network access server and associated shared secrets.

Note The AAA server can be FreeRADIUS or Cisco Secure ACS or any other similar product with 802.1X support.

Step 2 Add the username and configure the password of the user.

Step 3 Configure a global or per-user authentication scheme.


Configuring a Router

This section contains the following procedures:

Enabling 802.1X Authentication (required)

Configuring Router and RADIUS Communication (required)

Configuring 802.1X Parameters (Retransmissions and Timeouts) (optional)

Configuring the Identity Profile (required)

Configuring the Virtual Template and DHCP (required)

Configuring the Necessary Access Control Policies (optional)

Configuring a Router As a Supplicant (optional)

Enabling 802.1X Authentication

To enable 802.1X port-based authentication, you should configure the router so that it can communicate with the AAA server, enable 802.1X globally, and enable 802.1X on the interface. To enable 802.1X port-based authentication, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa authentication dot1x default group radius

5. dot1x system-auth-control

6. identity profile default

7. interface type slot/port

8. dot1x port-control auto

DETAILED STEPS

 
Command
Description

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

aaa new-model

Example:

Router (config)# aaa new-model

Enables AAA.

Step 4 

aaa authentication dot1x default group radius

Example:

Router (config)# aaa authentication dot1x default group radius

Creates an 802.1X port-based authentication method list.

Step 5 

dot1x system-auth-control

Example:

Router (config)# dot1x system-auth-control

Globally enables 802.1X port-based authentication.

Step 6 

identity profile default

Example:

Router (config)# identity profile default

Creates an identity profile and enters dot1x profile configuration mode.

Step 7 

interface type slot/port

Example:

Router (config)# interface fastethernet 5/1

Enters interface configuration mode and specifies the interface to be enabled for 802.1X port-based authentication.

Step 8 

dot1x port-control auto

Example:

Router (config-if)# dot1x port-control auto

Enables 802.1X port-based authentication on the interface.

Example

This section provides the following examples:

802.1X Configuration

Verifying 802.1X Authentication

802.1X Configuration

The following example shows that 802.1X authentication has been configured on a router:

Router# configure terminal
Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius
Router(config)# dot1x system-auth-control
Router(config)# interface fastethernet 5/1
Router(config-if)# dot1x port-control auto

Verifying 802.1X Authentication

The following show dot1x command sample output shows that 802.1X authentication has been configured on a router:

Router# show dot1x all

PortControl       = AUTO
ReAuthentication  = Disabled
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds
SuppTimeout       = 30 Seconds
QuietWhile        = 120 Seconds
MaxReq            = 2

Configuring Router and RADIUS Communication

To configure RADIUS server parameters, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip radius source-interface interface-name

4. radius-server host {hostname | ip-address}

5. radius-server key string

DETAILED STEPS

 
Command
Description

Step 1 

enable
Example:
Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip radius source-interface interface-name

Example:

Router (config)# ip radius source-interface ethernet1

Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.

Step 4 

radius-server host {hostname | ip-address}

Example:

Router (config)# radius-server host 172.16.39.46

Specifies the host name or IP address of the RADIUS server that the router sends authentication requests to.

To use multiple RADIUS servers, reenter this command for each server.

Step 5 

radius-server key string

Example:

Router (config)# radius-server key radiuskey

Configures the authentication and encryption key (the shared secret) used between the router and the RADIUS daemon running on the RADIUS server.

The key is a text string that must match the encryption key used on the RADIUS server.

Example

The following example shows that RADIUS server parameters have been configured on the router:

Router# configure terminal
Router(config)# ip radius source-interface ethernet1
Router(config)# radius-server host 172.16.39.46
Router(config)# radius-server key radiuskey

Configuring 802.1X Parameters (Retransmissions and Timeouts)

Various 802.1X retransmission and timeout parameters can be configured. Because all of these parameters have default values, configuring them is optional. To configure the retransmission and timeout parameters, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type slot/port

4. dot1x max-req number-of-retries

5. dot1x port-control [auto | force-authorized | force-unauthorized]

6. dot1x control-direction {both | in}

7. dot1x reauthentication

8. dot1x timeout tx-period seconds

9. dot1x timeout server-timeout seconds

10. dot1x timeout reauth-period seconds

11. dot1x timeout quiet-period seconds

12. dot1x timeout ratelimit-period seconds

DETAILED STEPS

 
Command
Description

Step 1 

enable
Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type slot/port

Example:

Router (config)# interface ethernet 0/1

Enters interface configuration mode and specifies the interface to be enabled for 802.1X port-based authentication.

Step 4 

dot1x max-req number-of-retries

Example:

Router (config-if)# dot1x max-req 3

Sets the maximum number of times that the router sends an EAP request/identity frame (assuming that no response is received) to the supplicant before concluding that the supplicant does not support 802.1X.

Step 5 

dot1x port-control [auto | force-authorized | force-unauthorized]

Example:

Router (config-if)# dot1x port-control auto

Sets the port control value.

auto (optional)—Authentication status of the supplicant will be determined by the authentication process.

force-authorized (optional)—All the supplicants on the interface will be authorized without authentication. The force-authorized keyword is the default, so an interface on which dot1x port-control auto has not been configured does not enforce 802.1X even when 802.1X is enabled globally.

force-unauthorized (optional)—All the supplicants on the interface will be unauthorized.

Step 6 

dot1x control-direction {both | in}

Example:

Router (config-if)# dot1x control-direction both

Changes the port control to unidirectional or bidirectional.

Step 7 

dot1x reauthentication

Example:

Router (config-if)# dot1x reauthentication

Enables periodic reauthentication of the supplicants on the interface.

The reauthentication period can be set using the dot1x timeout command.

Step 8 

dot1x timeout tx-period seconds

Example:

Router (config-if)# dot1x timeout tx-period 60

Sets the timeout for supplicant retries.

If an 802.1X packet is sent to the supplicant and the supplicant does not send a response, the packet will be sent again after the time that was set using the seconds argument.

The value is 1 through 65535 seconds. The default is 30 seconds.

Step 9 

dot1x timeout server-timeout seconds

Example:

Router (config-if)# dot1x timeout server-timeout 60

Sets the timeout for RADIUS retries.

If an 802.1X packet is sent to the server, and the server does not send a response, the packet will be sent again after the time that was set using the seconds argument.

The value is from 1 to 65535 seconds. The default is 30 seconds.

Step 10 

dot1x timeout reauth-period seconds

Example:

Router (config-if)# dot1x timeout reauth-period 1800

Sets the time after which an automatic reauthentication should be initiated.

The value is from 1 to 65535 seconds. The default is 3600 seconds.

Step 11 

dot1x timeout quiet-period seconds

Example:

Router (config-if)# dot1x timeout quiet-period 600

The time after which authentication is restarted after the authentication has failed.

The value is from 1 to 65535 seconds. The default is 120 seconds.

Step 12 

dot1x timeout ratelimit-period seconds

Example:

Router (config-if)# dot1x timeout ratelimit-period 60

The rate limit period throttles the EAPOL-Start packets from misbehaving supplicants: a new EAPOL-Start from the same supplicant within this period is ignored rather than restarting authentication.

The value is from 1 to 65535 seconds.

Example

The following configuration example shows that various retransmission and timeout parameters have been configured:

Router# configure terminal

Router(config)# interface ethernet 0

Router(config-if)# dot1x port-control auto

Router(config-if)# dot1x reauthentication

Router(config-if)# dot1x timeout reauth-period 1800

Router(config-if)# dot1x timeout quiet-period 600

Router(config-if)# dot1x timeout supp-timeout 60

Router(config-if)# dot1x timeout server-timeout 60

Configuring the Identity Profile

The identity profile default command allows you to configure the static MAC addresses of clients that do not support 802.1X and to authorize or unauthorize them statically. The VPN Access Control Using 802.1X Authentication feature allows authenticated and unauthenticated users to be mapped to different interfaces. In identity profile configuration mode, you can specify the virtual template interface that is used to create the virtual access interface to which unauthenticated supplicants are mapped. Note that a statically authorized MAC address is not a credential: any host on the LAN can set its MAC address to an authorized one, so static MAC authorization should be limited to devices that cannot run an 802.1X client. To specify which virtual template interface should be used to create the virtual access interface, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. identity profile default

4. description text line-of-description

5. template virtual-template

6. device [authorize | not-authorize] mac-address mac-address

7. device authorize type device-type

DETAILED STEPS

 
Command
Description

Step 1 

enable
Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

identity profile default

Example:

Router (config)# identity profile default

Creates an identity profile and enters identity profile configuration mode.

Step 4 

description line-of-description

Example:

Router (config-identity-prof)# description description 1

Associates descriptive text with the profile.

Step 5 

template virtual-template

Example:

Router (config-identity-prof)# template virtual-template 1

Specifies the virtual template interface that will serve as the configuration clone source for the virtual access interface that is dynamically created for unauthenticated users.

Step 6 

device [authorize | not-authorize] mac-address mac-address

Example:

Router (config-identity-prof)# device authorize mac-address 0001.024B.B4E7

Statically authorizes or unauthorizes a supplicant (by giving its MAC address) if the supplicant does not "understand" 802.1X.

Step 7 

device authorize type device-type

Example:

Router (config-identity-prof)# device authorize type cisco ip phone

Statically authorizes or unauthorizes a device type.

Example

The following example shows that Cisco IP phones and a specific MAC address have been statically authorized:

Router# configure terminal

Router (config)# identity profile default

Router(config-1x-prof)# description put the description here

Router(config-1x-prof)# template virtual-template1

Router(config-1x-prof)# device authorize type cisco ip phone

Router(config-1x-prof)# device authorize mac-address 0001.024B.B4E7

Configuring the Virtual Template and DHCP

The VPN Access Control Using 802.1X Authentication feature can be configured with one DHCP pool or two. If there are two pools, the unauthenticated and authenticated devices will get their addresses from separate DHCP pools. For example, the public pool can have an address block that has only local significance, and the private pool can have an address that is routable over the VPN tunnel. To configure your router for a private pool and for a public pool, perform the following steps.

SUMMARY STEPS

Configuring the Identity Profile

1. enable

2. configure terminal

3. identity profile default

4. description description-string

5. template virtual-template

6. exit

Configuring the DHCP Private Pool

1. ip dhcp pool name

2. network network-number [mask]

3. default-router address

Configuring the DHCP Public Pool

1. ip dhcp pool name

2. network network-number [mask]

3. default-router address

4. exit

Configuring the Interface

1. configure terminal

2. interface type slot/port

3. ip address ip-address mask [secondary]

4. interface virtual-template number

5. ip address ip-address mask [secondary]

6. exit

Configuring an Interface Without Assigning an Explicit IP Address to the Interface

1. enable

2. configure terminal

3. interface type slot/port

4. ip unnumbered type number

DETAILED STEPS

Configuring the Identity Profile

 
Command
Description

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

identity profile default

Example:

Router (config)# identity profile default

Creates an identity profile and enters identity profile configuration mode.

Step 4 

description description-string

Example:

Router (config-identity-prof)# description description_string_goes_here

Associates descriptive text with the identity profile.

Step 5 

template virtual-template

Example:

Router (config-identity-prof)# template virtualtemplate1

Specifies the virtual template interface that will serve as the configuration clone source for the virtual access interface that is dynamically created for unauthenticated users.

Step 6 

exit

Example:

Router (config-identity-prof)# exit

Exits identity profile configuration mode.

Configuring the DHCP Private Pool

 
Command
Description

Step 1 

ip dhcp pool name

Example:

Router (config)# ip dhcp pool private

Configures a DHCP private address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.

Step 2 

network network-number [mask]

Example:

Router (config-dhcp)# network 10.0.0.1 255.0.0.0

Configures the subnet number and mask for a DHCP private address pool on a Cisco IOS DHCP server.

Step 3 

default-router address

Example:

Router (config-dhcp)# default-router 10.2.2.2

Specifies the default router list for a DHCP client.

Configuring the DHCP Public Pool

 
Command
Description

Step 1 

ip dhcp pool name

Example:

Router (config)# ip dhcp pool public

Configures the DHCP public address pool on a Cisco IOS DHCP server.

Step 2 

network network-number [mask]

Example:

Router (config-dhcp)# network 10.4.4.4 255.0.0.0

Configures the subnet number and mask for a DHCP public address pool on a Cisco IOS DHCP server.

Step 3 

default-router address

Example:

Router (config-dhcp)# default-router 10.12.12.12

Specifies the default router list for a DHCP client.

Step 4 

exit

Example:

Router (config-dhcp)# exit

Exits DHCP pool configuration mode.

Configuring the Interface

 
Command
Description

Step 1 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 2 

interface type slot/port

Example:

Router (config)# interface loopback 0

Enters interface configuration mode and specifies the interface to be enabled.

Step 3 

ip address ip-address mask [secondary]

Example:

Router (config-if)# ip address 10.5.5.5 255.255.255.0

Sets the private IP address for the interface.

Step 4 

interface virtual-template number

Example:

Router (config-if)# interface virtual-template 1

Creates a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces.

Step 5 

ip address ip-address mask [secondary]

Example:

Router (config-if)# ip address 10.6.6.6 255.255.255.0

Sets the public IP address for the interface.

Step 6 

exit

Example:

Router (config-if)# exit

Exits interface configuration mode.

Configuring an Interface Without Assigning an Explicit IP Address to the Interface

 
Command
Description

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type slot/port

Example:

Router (config)# interface virtual-template 1

Enters interface configuration mode and specifies the interface to be enabled.

Step 4 

ip unnumbered type number

Example:

Router (config-if)# ip unnumbered loopback 0

Enables IP processing on an interface without assigning an explicit IP address to the interface.

Example

The following example shows that the identity profile associates virtual-template1 with unauthenticated supplicants. Virtual-template1 gets its IP address from interface loopback 0, and unauthenticated supplicants are associated with a public pool. Authenticated users are associated with a private pool.

Router(config)# identity profile default
Router(config-1x-prof)# description put the description here
Router(config-1x-prof)# template virtual-template1
Router(config-1x-prof)# exit

Router(config)# ip dhcp pool private
Router(config-dhcp)# network 10.0.0.1 255.0.0.0
Router(config-dhcp)# default-router 10.2.2.2
Router(config-dhcp)# exit

Router(config)#ip dhcp pool public
Router(config-dhcp)# network 10.4.4.4 255.0.0.0
Router(config-dhcp)# default-router 10.12.12.12
Router(config-dhcp)# exit

Router(config)# interface loopback0
Router(config-if)# ip address 10.5.5.5 255.255.255.0
Router(config-if)# interface ethernet0
Router(config-if)# ip address 10.6.6.6 255.255.255.0
Router(config-if)# exit

Router(config)# interface virtual-template1
Router(config-if)# ip unnumbered loopback 0

Configuring the Necessary Access Control Policies

802.1X authentication separates traffic from authenticated and unauthenticated devices. Traffic from authenticated devices transits the physical interface, and traffic from unauthenticated devices transits the virtual access interface cloned from Virtual-Template1, so different policies can be applied to each interface. The configuration also depends on whether one or two DHCP pools are used. If a single DHCP pool is used, an access control list applied to Virtual-Template1 can block traffic from unauthenticated devices to the networks they should not reach: the corporate subnetworks behind the VPN, or those reached through generic routing encapsulation (GRE) tunnels. Access control can also restrict traffic between authenticated and unauthenticated devices on the same LAN.

If two pools are configured, traffic from the untrusted (public) pool is routed to the Internet using Network Address Translation (NAT), whereas traffic from the trusted (private) pool is forwarded through the VPN tunnel. The split is achieved by writing the ACLs used by NAT and by the VPN so that each matches only its own pool's address block; an address block that appears in both would let unauthenticated hosts reach the tunnel.

For an example of an access control policy configuration, see the "Access Control Policies: Example" section.

Configuring a Router As a Supplicant

To configure a router to act as a supplicant, you have to first configure the identity profile that the supplicant will use to obtain its EAP credentials. Then you have to configure the interface as a supplicant Port Access Entity (PAE) type. To configure a router as a supplicant, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. dot1x credentials name

4. username name

5. password [0 | 7] password

6. description text

7. exit

8. interface type number

9. dot1x pae supplicant

10. exit

11. exit

DETAILED STEPS

 
Command
Description

Step 1 

enable
Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

dot1x credentials name

Example:

Router (config)# dot1x credentials basic-user

Specifies which 802.1X credential profile to use when configuring a supplicant and enters dot1x credentials configuration mode.

Step 4 

username name

Example:

Router (config-dot1x-creden)# username router1

Specifies the username for an 802.1X credentials profile.

Step 5 

password [0 | 7] password

Example:

Router (config-dot1x-creden)# password secret

Specifies the password for an 802.1X credentials profile.

Step 6 

description text

Example:

Router (config-dot1x-creden)# description This credentials profile should be used for most configured ports

Specifies a description for an 802.1X profile.

Step 7 

exit

Example:

Router (config-dot1x-creden)# exit

Exits dot1x credentials configuration mode.

Step 8 

interface type number

Example:

Router (config)# interface Ethernet1

Configures an interface type and enters interface configuration mode.

Step 9 

dot1x pae supplicant

Example:

Router (config-if)# dot1x pae supplicant

Sets the PAE type.

The supplicant keyword specifies that the interface will be acting only as a supplicant and will not respond to messages that are meant for an authenticator.

Step 10 

exit

Example:

Router (config-if)# exit

Exits interface configuration mode.

Step 11 

exit

Example:

Router (config)# exit

Exits global configuration mode.

Configuring a PC

This section includes the following procedures.

Configuring a PC for VPN Access Control Using 802.1X Authentication

Enabling 802.1X Authentication on a Windows 2000/XP PC

Enabling 802.1X Authentication on a Windows 2000 PC

Enabling 802.1X Authentication on a Windows XP PC

Enabling 802.1X Authentication on Windows 2000 and Windows XP PCs

Configuring a PC for VPN Access Control Using 802.1X Authentication

To configure your PC for VPN Access Control Using 802.1X Authentication, perform the following steps.


Step 1 Enable 802.1X for MD5.

Step 2 Enable DHCP.


Enabling 802.1X Authentication on a Windows 2000/XP PC

The 802.1X implementation on a Windows 2000/XP PC is unstable. A more stable 802.1X client, AEGIS (beta) for Microsoft Windows, is available at the Meetinghouse Data Communications website at www.mtghouse.com.

Enabling 802.1X Authentication on a Windows 2000 PC

To enable 802.1X authentication on your Windows 2000 PC, perform the following steps.


Step 1 Make sure that the PC has at least Service Pack 3.

Go to the page "Microsoft 802.1x Authentication Client" on the Microsoft Windows 2000 website at the following URL:

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp.

At the above site, download and install 802.1X client for Windows 2000.

If the above site is unavailable, search for the "Q313664: Recommended Update" page on the Microsoft Windows 2000 website at the following URL: http://www.microsoft.com/windows2000/downloads/recommended/q313664/default.asp

Step 2 Reboot your PC after installing the client.

Step 3 Go to the Microsoft Windows registry and add or install the following entry:

"HKLM\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode REG_DWORD 3"

(The "SupplicantMode" key entry is not present by default under the Global option in the registry, so add a new entry named "SupplicantMode" of type REG_DWORD and set its value to 3.)

Step 4 Reboot your PC.


Enabling 802.1X Authentication on a Windows XP PC

To enable 802.1X authentication on a Windows XP PC, perform the following steps.


Step 1 Go to the Microsoft Windows registry and install the following entry there:

"HKLM\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode REG_DWORD 3"

Step 2 Reboot your PC.


Enabling 802.1X Authentication on Windows 2000 and Windows XP PCs

To enable 802.1X authentication on Windows 2000 and Windows XP PCs, that is, if you are operating both at the same time, perform the following steps.


Step 1 Open the Network and Dial-up Connections window on your computer.

Step 2 Right-click the Ethernet interface (Local Area Connection) to open the properties window. It should have a tab called "Authentication."

Click the Authentication tab. Select the check box titled "Enable network access control using IEEE 802.1X."

In a short period of time you should see a dialog box (for Windows 2000) or a floating window asking you to select it. Select it, and when the next window appears, enter the username and password in this dialog box. See Figure 3.


Figure 3 Local Area Connection Properties Window

Monitoring VPN Access Control Using 802.1X Authentication

To monitor VPN Access Control Using 802.1X Authentication, perform the following steps. The commands shown in the steps may be used one at a time and in no particular order.

SUMMARY STEPS

1. enable

2. clear dot1x

3. clear eap [sessions [credentials