802.1x Configuration on Wired LAN

Translator
Community Manager

We use the 802.1X authentication feature on the wired LAN of Catalyst 9K/1K/2960 switches. The authentication server is Cisco ISE.

The switch has the following settings, and the 802.1X feature is working, but I am not sure whether these settings are appropriate. I would like to know, for example, whether it is better to remove a setting, better to add a setting, or that the recommended value for parameter xxx is such-and-such.

aaa group server radius ISE-Group
 server name ISE-1
 server name ISE-2
 server name ISE-3
 deadtime 5
 load-balance method least-outstanding
!
aaa authentication dot1x default group ISE-Group
aaa authorization network default group ISE-Group
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE-Group
!
aaa server radius dynamic-author
 client 10.0.0.1 server-key 7 xxxxxxxxxxxxx
 client 10.0.0.2 server-key 7 xxxxxxxxxxxxx
 client 10.0.0.3 server-key 7 xxxxxxxxxxxxx
!
dot1x system-auth-control
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 60 tries 5
radius-server deadtime 30
radius-server vsa send cisco-nas-port
!
radius server ISE-1
 address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxxxx
!
radius server ISE-2
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxxxx
!
radius server ISE-3
 address ipv4 10.0.0.3 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxxxx
!

3 Replies

Enes Simnica
Level 5

I'm not sure if this post is appropriate to respond to, but I'll give it a try anyway...

The config is solid and aligns with standard 802.1X + Cisco ISE deployments. Using aaa group server radius with load-balance least-outstanding and deadtime 5 is good for efficiency and failover. However, the global radius-server deadtime 30 may conflict; stick with just the group-level deadtime 5 for clarity.

Key settings like attribute 6 on-for-login-auth and attribute 31 mac format ietf upper-case are correct for ISE integration. The 48-hour accounting interval is fine unless tight session tracking is needed. As for CoA, it is properly configured for ISE-triggered VLAN changes or session termination; just ensure CoA is enabled in ISE policies. Overall, the config works well, but the only suggestion I have is to remove the duplicate deadtime setting to avoid confusion. Let me know if you need help fine-tuning timers or CoA behavior...

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215525-use-radius-for-device-administration-wit.html

hope it helps...


-Enes

more Cisco?!
more Gym?!



If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

@cja56910tf in addition to what has already been mentioned, you should consider configuring device sensor for profiling - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-Configure-Device-Sensor-for-ISE-Profilin.html

You can also refer to the Cisco Wired Prescriptive Guide for detailed information on the required settings - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

If security is a concern, consider using RADIUS over DTLS to protect the RADIUS communication. https://community.cisco.com/t5/networking-knowledge-base/configuring-radius-over-dtls-with-cat9k-and-ise-3-0/ta-p/4438427

Don't use Type 7 passwords, as they are insecure; use Type 6-9. https://community.cisco.com/t5/networking-knowledge-base/configuring-type-6-passwords-in-ios-xe/ta-p/4438495


This is a sample config.
Notice the dead criteria and the automate tester.
The dead time here is 3, but I have seen other Cisco Live sessions recommend 10.
I am in favor of using the longer time, 10.
MHM

[Attachment: Screenshot (295).png - sample config]
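As an added example (not code from Cisco, from ISE, or from any poster in this thread), the Python script below lints a config in the style of the one posted in the question for the points raised across the three replies: the global-versus-group deadtime overlap Enes flagged, the type 7 shared secrets the second reply warns about, ISE nodes that are RADIUS servers but are missing from the dynamic-author (CoA) client list, and servers with no automate-tester probe, which is what MHM's screenshot refers to. The sample config is constructed, modelled on the question's config with dummy secrets and with ISE-3 deliberately left out of the CoA client list; the finding messages, the Finding class and the TOP_LEVEL keyword set are mine, not IOS-XE terminology. The parser handles both properly indented configs and flat ones that lost their indentation when pasted.

```python
"""Lint a Cisco IOS-XE RADIUS + 802.1X config for the issues raised in the thread.

Added example for this thread; not Cisco's or any poster's code.
Checks: type 7 secrets, global vs. group deadtime overlap, ISE nodes missing
from the dynamic-author client list, and servers without automate-tester.
"""
import re
from dataclasses import dataclass

# First token of commands that always start a new top-level block. Sub-commands
# (server name, deadtime, address, key, client, automate-tester) never begin with
# these, so a flat config that lost its indentation still parses correctly.
TOP_LEVEL = {"aaa", "radius-server", "radius", "dot1x", "interface", "ip", "hostname", "end"}

# `key 7 ...` or `server-key 7 ...`: type 7 is a reversible encoding, not encryption.
TYPE7_RE = re.compile(r"\b(?:server-)?key\s+7\s+\S+")

# Constructed sample, modelled on the config in the question; secrets are dummies.
SAMPLE_CONFIG = """\
aaa group server radius ISE-Group
 server name ISE-1
 server name ISE-2
 deadtime 5
 load-balance method least-outstanding
!
aaa authentication dot1x default group ISE-Group
aaa authorization network default group ISE-Group
!
aaa server radius dynamic-author
 client 10.0.0.1 server-key 7 0123456789ABCDEF
 client 10.0.0.2 server-key 7 0123456789ABCDEF
!
dot1x system-auth-control
!
radius-server dead-criteria time 60 tries 5
radius-server deadtime 30
!
radius server ISE-1
 address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
 key 7 0123456789ABCDEF
!
radius server ISE-2
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key 6 DUMMYTYPE6BLOB
 automate-tester username probe-user probe-on
!
radius server ISE-3
 address ipv4 10.0.0.3 auth-port 1812 acct-port 1813
 key 7 0123456789ABCDEF
!
"""


@dataclass
class Finding:
    severity: str
    line_no: int
    message: str


def parse_blocks(text):
    """Return [(line_no, parent_command, [(line_no, sub_command), ...]), ...]."""
    blocks, current = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None  # '!' or a blank line closes the current block
            continue
        is_child = current is not None and (raw[0].isspace() or stripped.split()[0] not in TOP_LEVEL)
        if is_child:
            current[2].append((no, stripped))
        else:
            current = (no, stripped, [])
            blocks.append(current)
    return blocks


def lint(text):
    """Return the Findings for one config text, ordered by line number."""
    findings, global_deadtime, dead_criteria = [], None, "defaults"
    group_deadtimes, servers, coa_clients = {}, {}, set()  # name -> (line, minutes) / (line, ip, tester)

    for no, parent, children in parse_blocks(text):
        for cno, cmd in [(no, parent)] + children:
            if TYPE7_RE.search(cmd):  # report the command, never echo the encoded secret
                findings.append(Finding("high", cno, f"type 7 shared secret in '{cmd.split()[0]} ...'; "
                                        "reversible, re-enter as type 6 (AES) as the thread recommends"))
        if parent.startswith("radius-server deadtime "):
            global_deadtime = (no, int(parent.split()[-1]))
        elif parent.startswith("radius-server dead-criteria"):
            dead_criteria = parent
        elif parent.startswith("aaa group server radius "):
            for cno, cmd in children:
                if cmd.startswith("deadtime "):
                    group_deadtimes[parent.split()[-1]] = (cno, int(cmd.split()[1]))
        elif parent.startswith("radius server "):
            ip, tester = None, False
            for cno, cmd in children:
                m = re.match(r"address ipv4 (\S+)", cmd)
                ip = m.group(1) if m else ip
                tester = tester or cmd.startswith("automate-tester ")
            servers[parent.split()[-1]] = (no, ip, tester)
        elif parent == "aaa server radius dynamic-author":
            for cno, cmd in children:
                m = re.match(r"client (\S+)", cmd)
                if m:
                    coa_clients.add(m.group(1))

    if global_deadtime:  # the group value overrides the global one for that group's servers
        for group, (cno, minutes) in group_deadtimes.items():
            findings.append(Finding("low", cno, f"deadtime {minutes} in group {group} is also set globally "
                                    f"({global_deadtime[1]}, line {global_deadtime[0]}); keep one to avoid confusion"))
    for name, (sno, ip, tester) in servers.items():
        if ip and ip not in coa_clients:
            findings.append(Finding("medium", sno, f"radius server {name} ({ip}) is not a dynamic-author client; "
                                    "CoA from that ISE node would be refused"))
        if not tester:
            findings.append(Finding("medium", sno, f"radius server {name} has no automate-tester; "
                                    f"liveness relies only on '{dead_criteria}'"))
    return sorted(findings, key=lambda f: f.line_no)


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] line {f.line_no:3}: {f.message}")
```

Run it against a `show running-config` capture instead of SAMPLE_CONFIG to get the same four classes of findings; the script never prints the encoded secret, so its output is safe to paste into a ticket.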