Cisco Switch Dot1x Config:
Configuring Global AAA Parameters:
conf t
username admin privilege 15 secret Cisco123
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server Our-ISE
address ipv4 192.168.1.105 auth-port 1812 acct-port 1813
key Cisco123
automate-tester username testuser
exit
aaa group server radius Our-Group
server name Our-ISE
exit
radius-server dead-criteria time 3 tries 3
radius-server deadtime 15
aaa server radius dynamic-author
client 192.168.1.222
server-key Cisco123
exit
ip radius source-interface gig 0/1
radius-server vsa send authentication
radius-server vsa send accounting
dot1x system-auth-control
ip adevice tracking
end
wr
Switch Port Configuration:
conf t
vlan 10,20,30,80,999
int range fa 0/1-8
switchport host
switchport access vlan 999
authentication priority dot1x mab
authentication order dot1x mab
authentication event fail action next-method
authentication event server dead action authorise vlan 10
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
authentication port-control auto
end
wr
Verification and Troubleshooting:
show int status (to check vlans the interfaces are)
show vlan brief (to see if the vlan now exists and an authenticated port it assigned to it)
show authentication sessions
show authentication sessions int fa 0/1 (MAC/IP/user/status/DACL/success/failure)
ISE:
Operations>RADIUS>Live Logs>Magnifying glass (detail) (shows the matching 5200 successful policy set/Authentication policy/Authorization policy)(Shows Switch/NAS IP and the switch port number)
Network and Security Specialist 