Wired 802.1x

Amit Kulshrestha — Fri, 23 Aug 2019 09:02:58 GMT

Hi All,

I have recently done wired 802.1x implementation and its seem very thing is working fine, but still i would request you kindly suggest what more best can be done in below mentioned script.

ISE :-2.3 patch 2,3,5

L2 SW:- 2960 series

IOS Ver :- 15.2

===================================================================

L2 Switch Global level 802.1x commands:-

aaa group server radius ISE
server name ISE-ISE
ip radius source-interface vlan 5
!
aaa authentication login default local enable
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
!
aaa server radius dynamic-author
client 10.10.10.71 server-key 7 090D40031B
server-key 7 0152080E59
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server deadtime 30
!
ip radius source-interface Vlan5
!
radius server ISE-ISE
address ipv4 10.10.10.71 auth-port 1812 acct-port 1813
key 7 086042440B

===============================================================================

L2 Switch USERS INTERFACE LEVEL 802.1x commands:-

switchport mode access
authentication open
authentication event fail action next-method
authentication control-direction in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast

================================================================

Regards

Amit

Re: Wired 802.1x

Mike.Cifelli — Fri, 23 Aug 2019 12:52:28 GMT

At some point you will want to replace authentication open with authentication closed. In doing so you will want to create some sort of Base ACL for your interface config that then later gets overridden by something like a dacl upon successful authc/authz. Something else to consider is to determine whether or not you want to configure dot1x max-reauth-req to statically configure how many times it re-sends request-identity frames. One quick last thing to consider is to maybe configure an auth fail vlan via the authentication event fail action authorize vlan ## and move hosts into a restricted area upon failure. This all depends on your requirements. Good luck & HTH!

topic Re: Wired 802.1x in Network Access Control

Wired 802.1x

Re: Wired 802.1x