https://community.cisco.com/t5/network-access-control/ise-integration-queries-with-catalyst-switch/m-p/5333379#M598317 <P>Hi,</P><P>I've below queries regarding ISE integration with Catalyst Switch (9300 etc.) for AAA and 802.1x</P><P>&nbsp;</P><P>1- is it true that we can use Catalyst dedicated OOB management port for AAA/TACACS only</P><P>2- but we cannot use catalyst dedicated OOB Management interface for 802.1x as its required in-band SVI to communicate with ISE due to port authentication required to check default VRF. (Please correct me)</P> Thu, 25 Sep 2025 07:35:33 GMT hashimwajid1 2025-09-25T07:35:33Z https://community.cisco.com/t5/network-access-control/ise-integration-queries-with-catalyst-switch/m-p/5333379#M598317 <P>Hi,</P><P>I've below queries regarding ISE integration with Catalyst Switch (9300 etc.) for AAA and 802.1x</P><P>&nbsp;</P><P>1- is it true that we can use Catalyst dedicated OOB management port for AAA/TACACS only</P><P>2- but we cannot use catalyst dedicated OOB Management interface for 802.1x as its required in-band SVI to communicate with ISE due to port authentication required to check default VRF. (Please correct me)</P> Thu, 25 Sep 2025 07:35:33 GMT https://community.cisco.com/t5/network-access-control/ise-integration-queries-with-catalyst-switch/m-p/5333379#M598317 hashimwajid1 2025-09-25T07:35:33Z https://community.cisco.com/t5/network-access-control/ise-integration-queries-with-catalyst-switch/m-p/5333380#M598318 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/263732">@hashimwajid1</a>&nbsp; you can use the mgmt port for AAA communication (RADIUS and TACACS), as long as routing is setup to allow the communication. The user ports configured with 802.1X don't need to be in the same VRF as the RADIUS source interface, as it's the switches source interface that communicates with RADIUS for authentication.</P> <P><A href="https://community.cisco.com/t5/network-access-control/radius-over-vrf/td-p/4106242" target="_blank">https://community.cisco.com/t5/network-access-control/radius-over-vrf/td-p/4106242</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 25 Sep 2025 07:42:29 GMT https://community.cisco.com/t5/network-access-control/ise-integration-queries-with-catalyst-switch/m-p/5333380#M598318 Rob Ingram 2025-09-25T07:42:29Z https://community.cisco.com/t5/network-access-control/ise-integration-queries-with-catalyst-switch/m-p/5333386#M598319 <P>Thanks for Answer,</P><P>its mean even if I just assign IP to OOB Mgmt. Interface, that will be more then enough to handle 802.1x/MAB and Device admin traffic? no in-band SVI</P> Thu, 25 Sep 2025 08:05:53 GMT https://community.cisco.com/t5/network-access-control/ise-integration-queries-with-catalyst-switch/m-p/5333386#M598319 hashimwajid1 2025-09-25T08:05:53Z https://community.cisco.com/t5/network-access-control/ise-integration-queries-with-catalyst-switch/m-p/5333390#M598321 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/263732">@hashimwajid1</a>&nbsp;Yes, the mgmt interface is enough to do the RADIUS/TACACS authentications. You do need to do more than just assign IP address to the mgmt interface though, you need the routing and connectivity in place etc.</P> Thu, 25 Sep 2025 08:25:44 GMT https://community.cisco.com/t5/network-access-control/ise-integration-queries-with-catalyst-switch/m-p/5333390#M598321 Rob Ingram 2025-09-25T08:25:44Z https://community.cisco.com/t5/network-access-control/ise-integration-queries-with-catalyst-switch/m-p/5333668#M598333 <P>Apart from all the usual routing stuff you need, when involving a VRF in management processes such as RADIUS, TACACS, NTP, DNS, etc. requires careful configuration to always quote the VRF in all of these cases. One case that always catches me out is the RADIUS CoA on Catalysts - e.g.</P> <LI-CODE lang="markup">aaa server radius dynamic-author client 172.16.0.100 vrf Mgmt-vrf server-key ..... </LI-CODE> <P>and</P> <LI-CODE lang="markup">aaa group server radius dnac-client-radius-group server name dnac-radius_172.16.0.100 ip radius source-interface Vlan6 ip vrf forwarding Mgmt-vrf </LI-CODE> <P>&nbsp;</P> Fri, 26 Sep 2025 06:13:36 GMT https://community.cisco.com/t5/network-access-control/ise-integration-queries-with-catalyst-switch/m-p/5333668#M598333 Arne Bier 2025-09-26T06:13:36Z