Switch config for ISE

networker4424 — Sun, 09 Oct 2022 01:49:30 GMT

Hi All,

I'm trying to configure cisco 3560 for basic 802.1x with ISE 2.6. I have a single PC attached to gigabitEthernet 0/1 but I dont see any pop up on PC to enter username and password. Not sure dot1x is supported on this switch but all the commands are there.

Here is the show output:

205cisco#show authentication interface gigabitEthernet 0/1

Client list: empty

Available methods list: empty

Runnable methods list: empty

Version:

205cisco#show version
Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(2)SE11, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Sat 19-Aug-17 09:04 by prod_rel_team

ROM: Bootstrap program is C3560E boot loader
BOOTLDR: C3560E Boot Loader (C3560E-HBOOT-M) Version 12.2(44r)SE5, RELEASE SOFTWARE (fc3)

205cisco uptime is 17 minutes
System returned to ROM by power-on
System image file is "flash:c3560e-universalk9-mz.150-2.SE11.bin"

Switch config:

205cisco#show running-config
Building configuration...

Current configuration : 10074 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 205cisco
!
boot-start-marker
boot-end-marker
!
enable password test
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!!
!
!
aaa session-id common
system mtu routing 1500
ip routing
no ip dhcp relay information check
ip dhcp excluded-address 100.100.100.1 100.100.100.200
ip dhcp excluded-address 192.168.20.32
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 20.1.1.1
ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 30.1.1.1
ip dhcp excluded-address 40.1.1.1
ip dhcp excluded-address 50.1.1.1
!
ip dhcp pool testk
network 192.168.1.0 255.255.255.0
lease 0 0 3
!

ip dhcp pool mike.kou
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
lease 0 0 1
!
ip dhcp pool tong
network 20.1.1.0 255.255.255.0
!
ip dhcp pool kevin
network 192.100.1.0 255.255.255.0
!
ip dhcp pool test1
network 10.1.1.0 255.255.255.0
!
ip dhcp pool test2
network 30.1.1.0 255.255.255.0
!
ip dhcp pool test3
network 40.1.1.0 255.255.255.0
!
ip dhcp pool test4
network 50.1.1.0 255.255.255.0
!

ip dhcp pool test5
network 60.1.1.0 255.255.255.0
!
ip dhcp pool test6
network 70.1.1.0 255.255.255.0
!
ip dhcp pool test10
network 100.1.1.0 255.255.255.0
!
ip dhcp pool test11
network 110.1.1.0 255.255.255.0
!
!
ip dhcp snooping vlan 123
no ip dhcp snooping information option
ip dhcp snooping
ip multicast-routing distributed
ipv6 icmp error-interval 1
ipv6 unicast-routing
ipv6 dhcp pool ipv6-1
address prefix 10:1:1::/64
!
ipv6 dhcp pool ipv6-2

address prefix 20:1:1::/64 lifetime 60 30
!
ipv6 dhcp pool ipv6-3
address prefix 30:1:1::/64
!
ipv6 dhcp pool ipv6-4
address prefix 40:1:1::/64
!
ipv6 dhcp pool ipv6-5
address prefix 50:1:1::/64
!
ipv6 dhcp pool ipv6-6
address prefix 60:1:1::/64
!
ipv6 dhcp pool ipv6-7
address prefix 70:1:1::/64
!
ipv6 dhcp pool ipv6-10
address prefix 100:1:1::/64
!
ipv6 dhcp pool ipv6-11
address prefix 120:1:1::/64
address prefix 110:1:1::/64

!
vtp domain kk
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-3197563520
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3197563520
revocation-check none
rsakeypair TP-self-signed-3197563520
!
!
crypto pki certificate chain TP-self-signed-3197563520
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33313937 35363335 3230301E 170D3131 30333330 30313238
35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31393735
36333532 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100EE3B 3962DC20 998C25EB 1C015C98 37024542 18BF3287 9EB685A9 1BDABDB4
93C534E9 7F84EA0D BB1999FB 9E0A9C55 204617A8 51F28A98 3BEA5D97 8A8D212C
902EC7C1 A16FF735 8BC504CD 98629F51 3EE48C03 434EF273 E2519E1B 8AAC1A36

quit
dot1x system-auth-control
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 123,400-401,528-600,990,1001,1412,4000
lacp system-priority 100
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
vlan 10,20,100
!
vlan 123
private-vlan primary
private-vlan association 1231-1232
!
vlan 200-201,300,400
!
vlan 500
private-vlan primary
private-vlan association 501-502
!
vlan 501
private-vlan isolated
!
vlan 502
private-vlan community
!
vlan 600,800,999-1001,1111

!
vlan 1231
private-vlan isolated
!
vlan 1232
private-vlan community
!
vlan 2000-2001,3000,4000
!
lldp run
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 205.205.205.205 255.255.255.255
ipv6 dhcp relay source-interface Loopback0
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2000
switchport trunk allowed vlan 2000,2001
switchport mode trunk
!
interface Port-channel3
no switchport
ip address 192.168.3.1 255.255.255.0
!
interface Port-channel10
no switchport
no ip address
!
interface FastEthernet0
ip address 10.10.51.205 255.255.255.0
no ip route-cache
!
interface GigabitEthernet0/1
switchport mode access
authentication port-control auto
!
interface GigabitEthernet0/2
switchport access vlan 501
switchport private-vlan host-association 500 501
switchport mode private-vlan host
!
interface GigabitEthernet0/3
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 123,1231,1232
switchport mode trunk
ip dhcp snooping trust
!
interface GigabitEthernet0/4
switchport access vlan 500
!
interface GigabitEthernet0/5
switchport access vlan 100
switchport private-vlan host-association 123 1232
switchport mode private-vlan host
!
interface GigabitEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,200,300
switchport mode trunk
!
interface GigabitEthernet0/7
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/8
no switchport
ip address 100.100.100.1 255.255.255.0
ip pim sparse-mode
!
interface GigabitEthernet0/9
switchport access vlan 1111
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1111
switchport mode trunk
!
interface GigabitEthernet0/10
no switchport
no ip address
ipv6 address 90:1:1::205/64
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server ipv6-2
ipv6 ospf 1 area 0
no cdp enable
!
interface GigabitEthernet0/11
switchport access vlan 4000
switchport trunk encapsulation dot1q
switchport trunk native vlan 4000
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 1000
!
interface GigabitEthernet0/13
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1412
switchport mode trunk
!
interface GigabitEthernet0/14
switchport access vlan 199
switchport mode access
!
interface GigabitEthernet0/15

switchport access vlan 600
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,300,400
switchport mode trunk
!
interface GigabitEthernet0/18
switchport trunk encapsulation dot1q
switchport trunk native vlan 2000
switchport trunk allowed vlan 2000,2001
switchport mode trunk
!
interface GigabitEthernet0/19
switchport access vlan 500
switchport trunk native vlan 2000
switchport trunk allowed vlan 2000,2001
switchport private-vlan mapping 500 501-502
switchport mode private-vlan promiscuous
shutdown
!
interface GigabitEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 2000
switchport trunk allowed vlan 2000,2001
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet0/21
switchport trunk encapsulation dot1q
switchport trunk native vlan 2000
switchport trunk allowed vlan 2000,2001
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet0/22
no switchport
no ip address
!
interface GigabitEthernet0/23
no switchport
no ip address
channel-group 3 mode active
!
interface GigabitEthernet0/24
no switchport
no ip address
channel-group 3 mode active
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface TenGigabitEthernet0/1
!
interface TenGigabitEthernet0/2
!
interface Vlan1
no ip address
!
interface Vlan10
no ip address
ip pim passive
!
interface Vlan20
ip address 22.22.22.2 255.255.255.0
ipv6 address 2002::2/64
ipv6 enable
!
interface Vlan100
no ip address
ip pim passive
!
interface Vlan200
ip address 192.168.2.2 255.255.255.0
!
interface Vlan300
no ip address
!
interface Vlan500
ip address 50.50.50.1 255.255.255.0
!
interface Vlan600
ip address 192.168.60.46 255.255.255.0
!
interface Vlan800
no ip address
!
interface Vlan999
no ip address
ipv6 address autoconfig
ipv6 enable
!
interface Vlan1000
ip address 192.168.10.46 255.255.255.0
!
interface Vlan1001
no ip address
ipv6 address 2003::1/64
ipv6 enable
!
interface Vlan1412
ip address 148.132.64.194 255.255.255.0
standby 1 ip 148.132.64.193
!
interface Vlan2000
no ip address
!
interface Vlan4000

ip address 192.168.40.1 255.255.255.0
!
router ospf 1
router-id 2.2.2.2
network 90.1.1.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 1
network 192.168.60.0 0.0.0.255 area 0
!
ip http server
ip http secure-server
!
ip pim rp-address 1.1.1.1
ip route 0.0.0.0 0.0.0.0 10.10.51.1
ip route 1.1.1.1 255.255.255.255 192.168.2.4
ip route 3.3.3.3 255.255.255.255 192.168.3.2
ip route 4.4.4.4 255.255.255.255 192.168.3.2
ip route 21.1.0.0 255.255.0.0 192.168.3.2
ip route 21.21.21.0 255.255.255.0 22.22.22.1
ip route 147.1.0.0 255.255.255.0 205.147.0.147
ip route 192.168.1.0 255.255.255.0 20.1.1.2
ip route 192.168.20.0 255.255.255.0 20.1.1.2
!
cdp timer 6
cdp holdtime 12
arp 10.10.10.1 2222.2222.2211 ARPA
ipv6 route 130:147::/64 147:205::147
ipv6 route 2001::/64 2002::1
ipv6 route 2010:AB8:0:1::/64 147:205::147
ipv6 router ospf 1
router-id 2.2.2.2
!
!
!
radius-server host 10.10.50.65 auth-port 1812 key test
radius-server vsa send authentication
!
!
vstack
!
line con 0
exec-timeout 0 0
line vty 0 4
exec-timeout 0 0
password test
line vty 5 15
!
end

Re: Switch config for ISE

Rob Ingram — Sun, 09 Oct 2022 07:56:06 GMT

@networker4424 that switch does support 802.1X, you just appear not to have any 802.1X configuration on the interfaces (Gi0/1), so 802.1X will never run.

To setup wired 802.1X and ISE, refer to this guide to configured wired dot1x or this Cisco guide https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-1018207729 though this guide is more for newer hardware.

Re: Switch config for ISE

networker4424 — Mon, 10 Oct 2022 03:08:37 GMT

Thank you so much Rob, that first one worked out very well, though some commands syntax was a little different but worked pretty well in the end. Thanks again.

topic Re: Switch config for ISE in Network Access Control

Switch config for ISE

Re: Switch config for ISE

Re: Switch config for ISE