2662 Views, 5 Helpful, 1 Reply

Access Switch Ports configuration for dot1x authentication with ISE

SaintEvn
Level 1

Hi,

I'm concerned about my switch configuration for 802.1x authentication with ISE especially the switch port configuration.
We want to use 802.1x authentication in low impact mode for the users, and we will use MAB if dot1x fails.

Below is the config I've configured for my switchports that connect to the end users. And that's very much! Is my configuration normal?

 

interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 115
 ! pre-authentication ACL applied to the port (low impact mode)
 ip access-group IPV4_PRE_AUTH_ACL in
 authentication event fail action next-method
 ! fallback when the RADIUS server is unreachable: critical VLAN 10 for data, voice VLAN for phones
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 ! open mode: traffic is forwarded before authentication, limited by the ACL above
 authentication open
 ! MAB is attempted first; if both succeed, the dot1x result takes priority
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 ! reauthentication interval is taken from the RADIUS server (Session-Timeout)
 authentication timer reauthenticate server
 authentication timer restart 3600
 authentication timer inactivity 180
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast edge


>>> Do I need to configure all the access switch ports with the same config in order to work with dot1x? What if the ports are not configured like above? Will the user get all the access?

Can you please help me with a sample working switch configuration for dot1x?

Thank you so much all!!

Accepted Solutions

Arne Bier
VIP

Hello @SaintEvn 

 

It depends on your software version - and whether or not you want to perhaps do things differently (new syntax, using IBNS 2.0) - your config contains the 'classic' style 802.1X/MAB where each interface has to contain all these many commands. Over time it becomes error prone (add a command, lose a command ... inconsistencies). It might be better to create a port template and then apply the port template to your interfaces. Port templates cannot include ALL the commands - but they can include most of them.

Then there is IBNS 2.0 - a new way to do NAC on switches - new command syntax, and a different philosophy of how the events are handled. It's more powerful than the classic method - but it comes at a price - complexity.

I would recommend you read the excellent Prescriptive Guide - it guides you all the way to success.

To answer your question: whether or not your config is correct depends on what you want to achieve - I think the ip access list is not required for open mode. And the rest of the config is also important (e.g. the aaa commands) - check the prescriptive guide!

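The question "what if some ports are not configured like above?" is easy to answer with an audit: a port that never received `authentication port-control auto` stays in its default force-authorized state and forwards traffic without any 802.1X or MAB check, so the inconsistencies Arne mentions are worth hunting for. The following is an added example, not code from the forum post or from Cisco: a small Python script that parses running-config text (a constructed sample is embedded) and reports every access port missing one of the dot1x/MAB commands. The list of required commands is an assumption chosen for this illustration.

```python
# Constructed sample of "show running-config" output (not from the forum post).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication open
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

# Assumed minimum set for an authenticated access port (dot1x with MAB fallback).
# Without "authentication port-control auto" the port keeps its default
# force-authorized state and forwards traffic with no authentication at all.
REQUIRED = (
    "authentication port-control auto",
    "dot1x pae authenticator",
    "mab",
)

def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from IOS running-config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        elif raw.startswith("!"):
            current = None  # "!" ends the interface block
    return interfaces

def audit_access_ports(config, required=REQUIRED):
    """Return {interface: [missing commands]} for access ports (trunks skipped)."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue
        missing = [cmd for cmd in required if cmd not in cmds]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    for port, missing in audit_access_ports(SAMPLE_CONFIG).items():
        print(f"{port}: missing {', '.join(missing)}")
```

Feed it the output of `show running-config` from a real switch and any port listed in the result is one where users bypass ISE entirely.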