topic Re: Wired 802.1X with custom authentication list - no &quot;default&quot; in Network Access Control https://community.cisco.com/t5/network-access-control/wired-802-1x-with-custom-authentication-list-no-quot-default/m-p/3907734#M24732 <P>This is only possible when using IBNS 2.0. Here is snippet, but suggest going through <A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self">wired guide</A>.</P> <P><FONT face="courier new,courier">policy-map type control subscriber PORT-AUTH-POLICY-I</FONT><BR /><FONT face="courier new,courier">event session-started match-all</FONT><BR /><FONT face="courier new,courier">10 class always do-all</FONT><BR /><FONT face="courier new,courier">10 authenticate using dot1x aaa authc-list <I><SPAN><STRONG>auth-dot1x</STRONG></SPAN></I> authz-list <I><SPAN><STRONG>autho-dot1x</STRONG></SPAN></I> priority 10</FONT><BR /><FONT face="courier new,courier">20 authenticate using mab aaa authc-list <I><SPAN><STRONG>auth-dot1x</STRONG></SPAN></I> authz-list <I><SPAN><STRONG>autho-dot1x</STRONG></SPAN></I> priority 20</FONT></P> <P>Accounting still needs to use 'default' even with IBNS 2.0.</P> Tue, 13 Aug 2019 22:05:11 GMT howon 2019-08-13T22:05:11Z Wired 802.1X with custom authentication list - no "default" https://community.cisco.com/t5/network-access-control/wired-802-1x-with-custom-authentication-list-no-quot-default/m-p/3907071#M24729 <P>Hi,</P><P>&nbsp;</P><P>I do not want to use, authentication list named "default" for 802.1x authentication. I want to use my own custom list.</P><P>&nbsp;</P><P>For example for ssh login I use -&nbsp;</P><P>&nbsp;</P><P>aaa new-model</P><P>&nbsp;</P><P>radius server nps01<BR />&nbsp; &nbsp;address ipv4 172.16.245.11 auth-port 1812 acct-port 1813<BR />&nbsp; &nbsp;key test123</P><P>&nbsp;</P><P>aaa group server radius nps-servers<BR />&nbsp; &nbsp; server name nps01</P><P>&nbsp;</P><P>aaa authentication login <STRONG>my-ssh-login</STRONG> group nps-servers local<BR />aaa authorization exec <STRONG>my-ssh-autho</STRONG> group nps-servers local<BR /><BR /></P><P>line vty 0 4<BR />&nbsp; authorization exec <STRONG>my-ssh-autho</STRONG><BR />&nbsp; login authentication <STRONG>my-ssh-login</STRONG><BR />&nbsp; transport input ssh</P><P>&nbsp;</P><P>But for 802.1x -</P><P>&nbsp;</P><P>I must write&nbsp;</P><P>&nbsp;</P><P><I><SPAN>aaa authentication dot1x <STRONG>default</STRONG> group nps-servers</SPAN></I></P><P><I><SPAN>aaa authorization network <STRONG>default</STRONG> group nps-servers</SPAN></I></P><P>&nbsp;</P><P>But I do not want to use this default list, I want to use my own custom named list like SSH, for example -</P><P>&nbsp;</P><P><I><SPAN>aaa authentication dot1x <STRONG>auth-dot1x</STRONG> group nps-servers<BR />aaa authorization network <STRONG>autho-dot1x</STRONG> group nps-servers</SPAN></I></P><P>&nbsp;</P><P>But it does not work, as expected. I need to bind these list with 802.1x process. And I do not know if it is possible or what are the commands. As in for SSH access, I have bind them under vty lines.</P><P>&nbsp;</P><P>All the Cisco's documentation refers to this default list. For 802.1x, is it possible to use a custom list?</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 12 Aug 2019 20:13:25 GMT https://community.cisco.com/t5/network-access-control/wired-802-1x-with-custom-authentication-list-no-quot-default/m-p/3907071#M24729 ssajiby2k 2019-08-12T20:13:25Z Re: Wired 802.1X with custom authentication list - no "default" https://community.cisco.com/t5/network-access-control/wired-802-1x-with-custom-authentication-list-no-quot-default/m-p/3907734#M24732 <P>This is only possible when using IBNS 2.0. Here is snippet, but suggest going through <A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self">wired guide</A>.</P> <P><FONT face="courier new,courier">policy-map type control subscriber PORT-AUTH-POLICY-I</FONT><BR /><FONT face="courier new,courier">event session-started match-all</FONT><BR /><FONT face="courier new,courier">10 class always do-all</FONT><BR /><FONT face="courier new,courier">10 authenticate using dot1x aaa authc-list <I><SPAN><STRONG>auth-dot1x</STRONG></SPAN></I> authz-list <I><SPAN><STRONG>autho-dot1x</STRONG></SPAN></I> priority 10</FONT><BR /><FONT face="courier new,courier">20 authenticate using mab aaa authc-list <I><SPAN><STRONG>auth-dot1x</STRONG></SPAN></I> authz-list <I><SPAN><STRONG>autho-dot1x</STRONG></SPAN></I> priority 20</FONT></P> <P>Accounting still needs to use 'default' even with IBNS 2.0.</P> Tue, 13 Aug 2019 22:05:11 GMT https://community.cisco.com/t5/network-access-control/wired-802-1x-with-custom-authentication-list-no-quot-default/m-p/3907734#M24732 howon 2019-08-13T22:05:11Z