VPN Access Control Using 802 .1X Authentication

Last Updated: January 17, 2012

The home access router provides connectivity to the corporate network through a Virtual Private Network (VPN) tunnel through the Internet. In the home LAN, apart from the employee, other members of the household may also be using the same access router. The VPN Access Control Using 802 .1X Authentication feature allows enterprise employees to access their enterprise networks from home while allowing other household members to access only the Internet. The feature uses the IEEE 802 .1X protocol framework to achieve the VPN access control. The authenticated employee has access to the VPN tunnel and others (unauthenticated users on the same LAN) have access only to the Internet.

An authentication manager has been added to allow more flexible authentication between different authentication methods like, dot1x, MAC address bypass, and web authentication. See the 802 .1X Flexible Authentication feature for more information.

find Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

use Cisco Feature Navigator to find information about platform support and Cisco software image support . To access Cisco Feature Navigator , go to
www.cisco.com/go/cfn . An account on Cisco.com is not require .

Prerequisites for VPN Access Control Using 802 .1X Authentication

• The PCs connecting behind the router should have 802 .1X clients running on them.
• You is know should know how to configure authentication , authorization , and accounting ( AAA ) and RADIUS .
• You is be should be familiar with IP Security ( ipsec ) .
• You should be familiar with Dynamic Host Configuration Protocol (DHCP).
• You should know how to configure user lists on a Cisco access control server (ACS).

Restrictions for VPN Access Control Using 802 .1X Authentication

• Easy VPN is not support .
• VLAN interface are currently not support .
• If there is a switch located between the router and the supplicant (client PC), the Extensible Authentication Protocol over LAN (EAPOL) frames will not reach the router because the switch discards them.

Information About VPN Access Control Using 802 .1X Authentication

How VPN Control Using 802 .1X Authentication Works

The home access router provides connectivity to the corporate network through a VPN tunnel through the Internet. In the home LAN, both authenticated (employee) and unauthenticated (other household members) users exist, and both have access to the corporate VPN tunnel. Currently there is no existing mechanism to prevent the unauthenticated user from accessing the VPN tunnel.

To distinguish between the users, the VPN Access Control Using 802 .1X Authentication feature uses the IEEE 802 .1X protocol that allows end hosts to send user credential on Layer 2 of the network operating system. Unauthenticated traffic users will be allowed to pass through the Internet but will be blocked from accessing the corporate VPN tunnel. The VPN Access Control Using 802 .1X feature expands the scope of the 802 .1X standard to authenticate devices rather than ports, meaning that multiple devices can be independently authenticated for any given port. This feature separates traffic from authenticated and unauthenticated users so that separate access policies can be applied.

When an 802 .1X – capable host start up , it is initiate will initiate the authentication phase by send the EAPOL – Start 802 .1X protocol datum unit ( PDU ) to the reserved IEEE multicast MAC address ( 01 – 80 – c2 – 00 – 00 – 03 ) with the ethernet type or length set to 0x888E.

All 802 .1X pdu will be identify as such by the Ethernet driver and will be enqueue to be handle by an 802 .1X process . On some platform , ethernet drivers is have have to program the interface address filter so that EAPOL packet can be accept .

On the router, the receipt of the EAPOL-Start message will result in the source MAC address being “remembered,” and an EAPOL-request or identity PDU being sent to the host. The router will send all host-addressed PDUs to the individual MAC address of the host rather than to the multicast address.

802 .1X Authentication Sample Topology and Configuration

The figure below illustrates a typical scenario in which VPN access control using 802 .1X authentication is in place.

In the figure above, all the PCs are 802 .1X capable hosts, and the Cisco router is an authenticator. All the PCs are connected to the built-in hub or to an external hub. If a PC does not support 802 .1X authentication, MAC-based authentication is supported on the Cisco router. You can have any kind of connectivity or network beyond the Cisco router WAN.

• A supplicant is an entity at one end of a point-to-point LAN segment that is being authenticated by an authenticator that is attached to the other end of that link.

Converged 802 .1X Authenticator Support

The Cisco IOS commands in Cisco IOS Release 12 .4(6)T for 802 .1X authenticators have been standardized to work the same way on various Cisco IOS platforms.

802 .1X Supplicant Support

There are deployment scenarios in which a network device (a router
acting as an 802 .1X authenticator) is placed in an unsecured location and
cannot be trusted as an authenticator. This scenario requires that a network
device be able to authenticate itself against another network device. The
802 .1X supplicant support functionality provides the following solutions for
this requirement:

• An extensible
  Authentication Protocol ( EAP ) framework has been include so that the
  supplicant has the ability to ” understand ” and ” respond ” to EAP request .
  EAP – message Digest 5 ( EAP – MD5 ) is currently support .
• Two network devices that
  are connected through an Ethernet link can act as a supplicant and as an
  authenticator simultaneously, thus providing mutual authentication capability.
• A network device that is
  acting as a supplicant can authenticate itself with more than one authenticator
  (that is, a single port on a supplicant can be connected to multiple
  authenticators).

The follow illustration is an example of 802 .1X supplicant support.
The illustration shows that a single supplicant port has been connected to
multiple authenticators. Router A is acting as an authenticator to devices that
are sitting behind it on the LAN while those devices are acting as supplicants.
At the same time, Router B is an authenticator to Router A (which is acting as
a supplicant). The RADIUS server is located in the enterprise network.

When Router A tries to authenticate devices on the LAN, it needs to
“talk” to the RADIUS server, but before it can allow access to any of the
devices that are sitting behind it, it has to prove its identity to Router B.
Router B checks the credential of Router A and gives access.

converge 802 .1X Supplicant Support

The Cisco IOS commands in Cisco IOS Release 12 .4(6)T for 802 .1X supplicants have been standardized to work the same way on various Cisco IOS platforms. See the Configuring a Router As an 802 .1X Supplicant module.

authentication Using Passwords and MD5

For information about using passwords and Message Digest 5 (MD5), see the following document on Cisco.com:

• Improving Security on Cisco Routers

How to Configure VPN Access Control Using 802 .1X Authentication

configure a AAA radius Server

To configure an AAA RADIUS server, perform the following steps.

summary step

1 .   
configure entry for the network access server and associate shared secret .

2 .   
add the username and configure the password of the user .

3 .   
configure a global or per – user authentication scheme .

detailed step

Configuring a Router

Enabling 802 .1X Authentication

To enable 802 .1X port-based authentication, you should configure the router so that it can communicate with the AAA server, enable 802 .1X globally, and enable 802 .1X on the interface. To enable 802 .1X port-based authentication, perform the following steps.

summary step

1 .   

enable

2 .   

configure
terminal

3 .   

aaa
new – model

4 .   

aaa
authentication
dot1x
{default |
listname}
method1 [method2 …]

5 .   

dot1x
system-auth-control

6 .   

identity
profile
default

7 .   

interface


type
slot


/


port

8 .   

dot1x
port – control
auto

detailed step

Examples

The follow example shows that 802 .1X authentication has been configured on a router:

 Router #configure terminal
 router(config ) #aaa new - model
 router(config ) #aaa authentication dot1x default group radius group radius
 router(config ) #dot1x system-auth-control
 router(config ) # interface fastethernet 1
 router(config - if ) #dot1x port - control auto

The follow
show
dot1x command is shows sample output show that 802 .1X authentication has been configure on a router :

 Router #show dot1x all
Sysauthcontrol              Enabled
Dot1x Protocol Version            2
Dot1x Info for FastEthernet1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both 
HostMode                  = MULTI_HOST
ReAuthentication          = Enabled
QuietPeriod               = 600
ServerTimeout             = 60
SuppTimeout               = 30
ReAuthPeriod              = 1800 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 3
TxPeriod                  = 60
RateLimitPeriod           = 60

Configuring Router and RADIUS Communication

To configure radius server parameter , perform the following step .

summary step

1 .   

enable

2 .   

configure
terminal

3 .   

ip
radius
source – interface


interface – name

4 .   

radius-server
host
{hostname |
ip – address}

5 .   

radius-server
key


string

detailed step

Example

The follow example shows that RADIUS server parameters have been configured on the router:

 Router #configure terminal
 router(config ) #ip radius source - interface ethernet1
 router(config ) #radius-server host 192 .0.2 .1
 router(config ) # radius-server key radiuskey

Configuring 802 .1X Parameters Retransmissions and Timeouts

Various 802 .1X retransmission and timeout parameters can be configured. Because all of these parameters have default values, configuring them is optional. To configure the retransmission and timeout parameters, perform the following steps.

summary step

1 .   

enable

2 .   

configure
terminal

3 .   

interface


type
slot


/


port

4 .   

dot1x
max-req


number – of – retrie

5 .   

dot1x
port – control
[auto|
force – authorize|
force – unauthorized]

6 .   

dot1x
control – direction
{both |
in}

7 .   

dot1x
reauthentication

8 .   

dot1x
timeout
tx – period


second

9 .   

dot1x
timeout
server – timeout


second

10.   

dot1x
timeout
reauth – period






second

11 .   

dot1x
timeout
quiet – period


second

12 .   

dot1x
timeout
ratelimit-period


second

detailed step

Examples

The follow configuration example shows that various retransmission and timeout parameters have been configured:

 Router #configure terminal

 router(config ) #interface FastEthernet1

 router(config - if ) #dot1x port - control auto

 router(config - if ) # dot1x reauthentication

 router(config - if ) #dot1x timeout reauth - period 1800

 router(config - if ) #dot1x timeout quiet - period 600

 router(config - if ) #dot1x timeout supp-timeout 60

 router(config - if ) #dot1x timeout server - timeout 60

configure the Identity Profile

The
identity
profile
default
command allows you to configure the static MAC addresses of the client that do not support 802 .1X and to authorize or unauthorize them statically. The VPN Access Control Using 802 .1X Authentication feature allows authenticated and unauthenticated users to be mapped to different interfaces. Under the
dot1x
profile configuration mode, you can specify the virtual template interface that should be used to create the virtual-access interface to which unauthenticated supplicants will be mapped. To specify which virtual template interface should be used to create the virtual access interface, perform the following steps.

summary step

1 .   

enable

2 .   

configure
terminal

3 .   

identity
profile
default

4 .   

description






line-of-description

5 .   

template






virtual – template

6 .   

device
[authorize |
not – authorize]
mac – address
mac – address

7 .   

device
authorize
type


device-type

detailed step

Examples

The follow example shows that Cisco IP phones and a specific MAC address have been statically authorized:

 Router #configure terminal

 Router ( config ) # identity profile default

 router(config-1x - prof ) #description put the description here

 router(config-1x - prof ) #template virtual - template1

Router(config-1x-prof)# device authorize type cisco ip phone

 router(config-1x - prof ) #device authorize mac - address 0001 .024B.B4E7

configure the Identity Profile

summary step

1 .   

enable

2 .   

configure
terminal

3 .   

identity
profile
default

4 .   

description






description – string

5 .   

template






virtual – template

6 .   

exit

detailed step

Configuring the DHCP Private Pool

The VPN Access Control Using 802 .1X Authentication feature can be
configured with one DHCP pool or two. If there are two pools, the
unauthenticated and authenticated devices will get their addresses from
separate DHCP pools. For example, the public pool can have an address block
that has only local significance, and the private pool can have an address that
is routable over the VPN tunnel.

summary step

1 .   

ip
dhcp
pool




name

2 .   

network


network – number

[mask]

3 .   

default – router


address

detailed step

Configuring the DHCP Public Pool

The VPN Access Control Using 802 .1X Authentication feature can be
configured with one DHCP pool or two. If there are two pools, the
unauthenticated and authenticated devices will get their addresses from
separate DHCP pools. For example, the public pool can have an address block
that has only local significance, and the private pool can have an address that
is routable over the VPN tunnel.

summary step

1 .   

ip
dhcp
pool


name

2 .   

network


network – number


[mask]

3 .   

default – router


address

4 .   

exit

detailed step

Configuring the Interface

summary step

1 .   

configure
terminal

2 .   

interface


type
slot


/


port

3 .   

ip
address






ip – address
mask
[secondary]

4 .   

interface
virtual – template






number

5 .   

ip
address


ip – address
mask
[secondary]

6 .   

exit

detailed step

Configuring an Interface Without Assigning an Explicit IP Address to the Interface

summary step

1 .   

enable

2 .   

configure
terminal

3 .   

interface




type
slot


/


port

4 .   

ip
unnumbered


type
number

detailed step

Example

The follow example shows that the identity profile associates virtual – template1 with unauthenticated supplicants. Virtual-template1 gets its IP address from interface loopback 0, and unauthenticated supplicants are associated with a public pool. Authenticated users are associated with a private pool.

 router(config ) #identity profile default
Router(config-identity-prof)#  description is put put the description here
Router(config-identity-prof)# template virtual - template1
Router(config-identity-prof)# exit
 router(config ) #ip dhcp pool private
Router(dhcp-config)# default - router 192 .0.2 .0
 Router(dhcp - config ) #exit
 router(config ) #ip dhcp pool public
 Router(dhcp - config ) #default - router 192 .0.2 .1
 Router(dhcp - config ) #exit
 router(config ) #interface
 Router(dhcp - config ) #network 209 .165 .200.225 255 .255 .255 .224
 Router(dhcp - config ) #default - router 192 .0.2 .1
 Router(dhcp - config ) #exit
 router(config ) #interface loopback0
 router(config - if ) #interface ethernet0
 router(config - if ) #ip address 209 .165 .200.226 255 .255 .255 .224
 router(config - if ) #exit
 router(config ) #interface virtual - template1
 router(config - if ) #ip unnumbered loopback 0

Configuring the Necessary Access Control Policies

802 .1X authentication separates traffic from authenticated and unauthenticated devices. Traffic from authenticated devices transit through the physical interface, and unauthenticated traffic transits through the Virtual-Template1 . Therefore, different policies can be applied on each interface. The configuration will also depend on whether two DHCP pools or a single DHCP pool is being used. If a single DHCP pool is being used, access control can be configured on Virtual-Template1, which will block any traffic from going to the networks to which unauthenticated devices should not have access. These networks (to which unauthenticated devices should not have access) could be the corporate subnetworks protected by the VPN or encapsulated by generic routing encapsulation (GRE). There can also be access control that restricts the access between authenticated and unauthenticated devices.

If two pool are configure , the traffic from a non – trusted pool is route to the internet using Network Address Translation ( NAT ) , whereas trusted pool traffic is forward through a VPN tunnel . The routing can be achieve by configure ACLs used by NAT and VPN accordingly .

For an example of an access control policy configuration , see the Access Control Policies Example section .

Configuring a PC As an 802 .1X Supplicant

Configuring a PC for VPN Access Control Using 802 .1X Authentication

To configure your PC for VPN Access Control Using 802 .1X Authentication, perform the following steps.

summary step

1 .   
Enable 802 .1X for MD5 .

2 .   
Enable DHCP.

detailed step

Enabling 802 .1X Authentication on a Windows 2000 XP PC

802 .1X implementation on a Windows 2000/XP PC is unstable. A more stable 802 .1X client, AEGIS (beta) for Microsoft Windows, is available at the Meetinghouse Data Communications website at www.mtghouse.com.

Enabling 802 .1X Authentication on a Windows 2000 PC

To enable 802 .1X authentication on your Windows 2000 PC, perform the following steps.

summary step

1 .   
Make sure that the PC has at least Service Pack 3 .

2 .   
Reboot your PC after installing the client.

3 .   
Go to the Microsoft Windows registry and add or install the following entry:

4 .   
reboot your pc .

detailed step

Enabling 802 .1X Authentication on a Windows XP PC

To enable 802 .1X authentication on a Windows XP PC, perform the following steps.

summary step

1 .   
Go to the Microsoft Windows registry and install the following entry there:

2 .   
reboot your pc .

detailed step

Enabling 802 .1X Authentication on Windows 2000 and Windows XP PCs

To enable 802 .1X authentication on Windows 2000 and Windows XP PCs, that is, if you are operating both at the same time, perform the following steps.

summary step

1 .    Open the Network and Dial-up Connections window on your computer.

2 .    Right-click the Ethernet interface (Local Area Connection) to open the properties window. It should have a tab called “Authentication.”

detailed step

What to Do Next

Configuring a Router As an 802 .1X Supplicant

To configure a router as an 802 .1X supplicant, perform the following steps.

summary step

1 .   

enable

2 .   

configure


terminal

3 .   

aaa
authentication
dot1x
{default |
listname}
method1 [method2 …]

4 .   

dot1x
credential


name

5 .   

username


name

6 .   

password
[0 |
7]
password

7 .   

exit

8 .   

interface


type


number

9 .   

dot1x
pae


supplicant

10.   

dot1x
credential


name

11 .   

end

detailed step

Troubleshooting Tips

Use the debug commands in the Monitoring VPN Access Control Using 802 .1X Authentication section to debug the supplicant.

Monitoring VPN Access Control Using 802 .1X Authentication

To monitor VPN Access Control Using 802 .1X Authentication, perform the following steps. The commands shown in the steps may be used one at a time and in no particular order.

summary step

1 .   

enable

2 .   

clear
dot1x
{all |
interface}

3 .   

clear
eap
session
[credential
credential-name |
interface
interface – name |
method
method-name |
transporttransport – name]]

4 .   

debug
dot1x




[


all




|


error




|


event




|


feature




|


packet




|


redundancy




|


registry




|


state – machine




]

5 .   

debug
eap
[all |
method] [authenticator |
peer] {all |
error |
event |
packet |
sm}

6 .   

dot1x
initialize
[interface
interface – name]

7 .   

dot1x
re – authenticate


interface – type




interface-number

detailed step

Verifying VPN Access Control Using 802 .1X Authentication

To verify VPN Access Control Using 802 .1X Authentication, perform the following steps.

summary step

1 .   

enable

2 .   

show
dot1x




[interface
interface – name[detail]]

3 .   

show
eap
registrations
[method |
transport]

4 .   

show
eap
session
[credential
credential-name |
interfaceinterface – name |
method

method-name |
transport

transport – name]

detailed step

Configuration Examples for VPN Access Control Using 802 .1X Authentication

Typical VPN Access Control Using 802 .1X Configuration Example

The following sample output shows that VPN access control using 802 .1X authentication has been configured. Output is shown for the router and for the gateway.

Router

 Router #show run - config
Building configuration...
Current configuration : 2457 bytes
!
version 12 .4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 871-1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new - model
!
!
aaa authentication dot1x default group radius group radius
!
!
aaa session-id common
!         
!
dot11 syslog
ip source-route
!
ip dhcp pool private
   network 209 .165 .200.225 255 .255 .255 .224
   default - router 192 .0.2 .18 
!
ip dhcp pool public
   network 209 .165 .200.226 255 .255 .255 .224
   default - router 192 .0.2 .17 
!
ip dhcp pool name
   default - router 192 .0.2 .16 
!
!
ip cef
no ip domain lookup
ip host sjc-tftp02 192 .0.2 .15
ip host sjc-tftp01 192 .0.2 .14
ip host dirt 192 .0.2 .13
!
!         
!
template virtualtemplate1
!
dot1x system-auth-control
dot1x credential basic-user
 description This credential profile should be used for most configured ports
 username router1
 password 0 secret
!
identity profile default
 description description 1
 device authorize mac - address 0001 .024b.b4e7 
 device authorize mac - address 0001 .0001 .0001 
 device authorize type cisco ip phone 
 template Virtual-Template1
!
!
! 
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback0
 ip address 209 .165 .200.227 255 .255 .255 .224
!
interface FastEthernet0
!
interface FastEthernet1
 dot1x pae authenticator
 dot1x port - control auto
 dot1x timeout quiet - period 600
 dot1x timeout server - timeout 60
 dot1x timeout reauth - period 1800
 dot1x timeout tx - period 60
 dot1x timeout ratelimit-period 60
 dot1x max-req 3
 dot1x reauthentication
!
interface FastEthernet2
!         
interface FastEthernet3
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1 .0 basic-2 .0 basic-5 .5 6 .0 9 .0 basic-11 .0 12 .0 18 .0 24 .0 36 .0 48 .0
 station-role root
 no cdp enable
!
interface Vlan1
 ip address 209 .165 .200.228 255 .255 .255 .224
!
ip default-gateway 192 .0.2 .10
ip default-network 192 .0.2 .11
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192 .0.2 .11
ip route 209 .165 .200.229 255 .255 .255 .224 192 .0.2 .12
no ip http server
no ip http secure-server
!
!
ip radius source - interface FastEthernet1 
!
!
!
radius-server host 192 .0.2 .9 auth-port 1645 acct-port 1646
radius-server key radiuskey
!
control-plane
!
!
line con 0
 exec-timeout 30 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password lab
!
scheduler max-task-time 5000
end

Peer Router As Gateway

Router# show run - config
Building configuration...
Current configuration: 1828 bytes
!
version 12 .3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c3725
!
!
no aaa new - model
ip subnet-zero
!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual - template 1
!
mpls ldp logging neighbor-changes
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key 0 test address 192 .0.2 .8
!
!
crypto ipsec transform-set t1 ah-md5-hmac esp-des
crypto mib ipsec flowmib history tunnel size 2
crypto mib ipsec flowmib history failure size 2
!
crypto map test 1 ipsec-isakmp
 set peer 192 .0.2 .7
 set transform-set t1
 match address 101
!
no voice hpi capture buffer
no voice hpi capture destination
!
interface Loopback0
 description corporate
 ip address 209 .165 .200.230 255 .255 .255 .224
!
interface Loopback1
 description internet
 ip address 209 .165 .200.231 255 .255 .255 .224
!
interface FastEthernet0/0
 ip address 209 .165 .200.232 255 .255 .255 .224
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 speed auto
 half-duplex
 pppoe enable
!
interface ATM1/0
 ip address 209 .165 .200.233 255 .255 .255 .224
 no atm ilmi-keepalive
 pvc 1/43
  protocol ip 192 .0.2 .6 broadcast
  encapsulation aal5snap
!
!
interface FastEthernet2/0
 no ip address
 speed auto
 full-duplex
!
interface FastEthernet2/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip address 209 .165 .200.234 255 .255 .255 .224
 ip mtu 1492
 crypto map test
!
!
router rip
 network 192 .0.2 .5
 network 192 .0.2 .4
 network 192 .0.2 .3
 network 192 .0.2 .2
 network 192 .0.2 .1
!
ip http server
no ip http secure-server
ip classless
!
access-list 101 permit ip 10.5 .0.0 0.0.0.255 10.0.0.1 0.0.0.255
no cdp log mismatch duplex
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
!
end

Access Control Policies Example

The following output example shows that access control policies have been configured.

Single DHCP pool

ip dhcp pool private
 network 209 .165 .200.236 255 .255 .255 .224
 default - router 20.0.0.1
 exit
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp key test address address
 crypto ipsec transform-set t1 esp-3des esp-sha-hmac
 mode tunnel
 crypto map test 1 ipsec-isakmp
 set peer address
 set transform-set t1
 match address 101
 access-list 101 permit ip 10.0.0.0 0.0.0.255 50.0.0.0 0.0.0.255
 access-list 102 deny ip 10.0.0.0 0.0.0.255 50.0.0.0 0.0.0.255
 access-list 102 permit  ip any any
!
interface Ethernet0
! inside interface
! dot1x configs
!
interface Virtual-Template1
! Deny traffic from going to VPN
 ip access-group 102 in
!
Interface Ethernet1
! outside interface
 crypto map test

Two DHCP Pools

ip dhcp pool private
 network 209 .165 .200.237 255 .255 .255 .224
 default - router 192 .0.2 .1
 exit
!
ip dhcp pool public
 network 209 .165 .200.238 255 .255 .255 .224
 default - router 192 .0.2 .0
 exit
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp key test address address
 crypto ipsec transform-set t1 esp-3des esp-sha-hmac
 mode tunnel
 crypto map test 1 ipsec-isakmp
 set peer address
 set transform-set t1
 match address 101
 access-list 101 permit ip 10.0.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 access-list 102 permit ip 10.0.0.1 0.0.0.255 any
!
interface Ethernet0
!inside interface
! dot1x configs
!
interface Loopback0
 ip address 209 .165 .200.239 255 .255 .255 .224
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip nat inside
!
Interface Ethernet1
! outside interface
 crypto map test
 ip nat outside
!
ip nat inside source list 102 interface Ethernet1 overload

Additional References

Related Documents

standard

MIBs

rfc

Technical Assistance

Feature Information for VPN Access Control Using 802 .1X Authentication

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

use Cisco Feature Navigator to find information about platform support and Cisco software image support . To access Cisco Feature Navigator , go to
www.cisco.com/go/cfn . An account on Cisco.com is not require .

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.