topic Switch AAA config for forescout in Network Access Control

Switch AAA config for forescout

Danfurqan — Sat, 16 Nov 2024 19:33:01 GMT

Dear experts,

We are moving from ISE to forescout, I need the Cisco switch AAA configuration (global & interface) to allow the scenario of

1. Limited access of endpoint while it's authenticating

2. If host authentication is successful and Futher compliance check by forescout is passed, the host would receive a CoA from radius server to full access ACL.

If compliance check fails, the host remains in the limited ACL to remediate.

Re: Switch AAA config for forescout

Torbjørn — Sat, 16 Nov 2024 22:48:25 GMT

Your switch config will most likely stay the same, assuming that you have the same functionality configured today. You will however have to define new radius server groups. See the following documentation for this: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-12/configuration_guide/sec/b_1712_sec_9200_cg/configuring_radius.html

If you post your the output of "show run aaa" here we will be able to help you further(remember to remove any sensitive data!).

Re: Switch AAA config for forescout

Danfurqan — Sun, 17 Nov 2024 11:57:29 GMT

aaa authentication login AUTHENXX group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group loc1FO
aaa authentication username-prompt Local_Username:
aaa authentication password-prompt Local_Password:
aaa authentication attempts login 5
aaa authorization exec default group tacacs+ local
aaa authorization exec console local
aaa authorization exec AUTHOR-XX group tacacs+ local if-authenticated
aaa authorization network default group loc1FO
aaa authorization commands 0 console none
aaa authorization commands 0 AUTHOR-XX group tacacs+ local if-authenticated
aaa authorization commands 15 console none
aaa authorization commands 15 AUTHOR-XX group tacacs+ local if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting dot1x default start-stop group loc1FO
aaa accounting delay-start all
aaa accounting update newinfo periodic 1440

aaa server radius dynamic-author
client rad1 server-key xxx
client rad2 server-key xxx
client rad3 server-key xxx
!
!
radius server loc1
address ipv4 rad1 auth-port 1812 acct-port 1813

!
radius server loc2
address ipv4 rad2 auth-port 1812 acct-port 1813

!
radius server loc1DR
address ipv4 rad3 auth-port 1812 acct-port 1813

!
radius-server dead-criteria time 30 tries 3

!
aaa group server radius loc1FO
server name loc1
server name loc2
server name loc1DR
!
!
!
aaa new-model
aaa session-id common
!
!

interface GigabitEthernet1/0/2
description ### Data & Voice ###
switchport access vlan 403
switchport mode access
switchport voice vlan 455
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-req 3
dot1x max-reauth-req 3
spanning-tree portfast