aaa new-model
! RADIUS servers and server group
radius server ISEHRD01
 address ipv4 10.x.x.1 auth-port 1812 acct-port 1813
 key xxxxx
!
radius server ISEHRD02
 address ipv4 10.x.x.2 auth-port 1812 acct-port 1813
 key xxxx
!
aaa group server radius ISE_HRD_RADIUS
 server name ISEHRD01
 server name ISEHRD02
!
! Default method lists: 802.1X authentication, network authorization, accounting
aaa authentication dot1x default group ISE_HRD_RADIUS
aaa authorization network default group ISE_HRD_RADIUS
aaa authorization auth-proxy default group ISE_HRD_RADIUS
aaa accounting update newinfo periodic 2880
aaa accounting auth-proxy default start-stop group ISE_HRD_RADIUS
aaa accounting dot1x default start-stop group ISE_HRD_RADIUS
aaa accounting network default start-stop group ISE_HRD_RADIUS
aaa accounting system default start-stop group ISE_HRD_RADIUS
!
! Enable 802.1X globally
dot1x system-auth-control
dot1x critical eapol
!
! RADIUS Change of Authorization (CoA) clients
aaa server radius dynamic-author
 client 10.x.x.1 server-key xxxx
 client 10.x.x.2 server-key xxxx
ip radius source-interface vlan 20
!
ip device tracking
ip device tracking probe delay 10
!
no ip domain-lookup
ip domain-name xxx.com.sa
!
! Pre-authentication ACL: DHCP, DNS, ICMP and TFTP only
ip access-list extended PRE-AUTHEN-ACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
 deny ip any any
! Redirect ACL: deny entries bypass redirection, permit entries are redirected
ip access-list extended POSTURE-REDIRECT-ACL
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny ip any host 10.x.x.1
 deny ip any host 10.x.x.2
 permit ip any any
! RADIUS attributes sent to the server and dead-server detection
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
radius-server vsa send authentication
radius-server vsa send accounting
!
! Remote syslog
logging host 10.x.x.x transport udp port 20514
logging host 10.x.x.x transport udp port 20514
!
! Access port: MAB is tried first, 802.1X takes priority, multi-auth host mode
interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 9
 auto qos voip cisco-phone
 authentication event fail action next-method
 authentication event server dead action authorize vlan 20
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 snmp trap mac-notification change added
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast
 spanning-tree bpduguard enable