10-18-2019 10:48 AM - edited 10-18-2019 11:41 AM
Hello
I'm running ISE 2.4 and I'm trying to get NAC via dot1x/RADIUS working. I have an NX-OS 9K switch in my network devices with the correct RADIUS key. I also have a default policy set to accept dot1x wired users and allow them to do anything. On the switch I have AAA set up to use ISE as a RADIUS server and I've confirmed reachability. I've also enabled dot1x on a test port I have a laptop connected to. When I connect I get 'authorization pending' and see nothing else in show dot1x all or show radius. I see nothing in ISE's RADIUS logs so I assume I'm not even talking to it. What else can I check? I followed directions below:
Switch configs:
feature dot1x
radius-server host 1.3.5.7 key 7 "x" authentication accounting timeout 5 retransmit 3
radius-server host 2.4.6.8 key 7 "x" authentication accounting timeout 5 retransmit 3
aaa group server radius MuhISE
  server 1.3.5.7
  server 2.4.6.8
  source-interface mgmt0
!
dot1x radius-accounting
dot1x radius-accounting
dot1x system-auth-control
!
ip access-list ALLOW-ALL
  10 permit ip any any
!
aaa authentication dot1x default group MuhISE
aaa accounting dot1x default group MuhISE
aaa authentication login error-enable
!
interface Ethernet1/1
  ip access-group ALLOW-ALL in
  switchport
  dot1x pae authenticator
  dot1x port-control auto
  dot1x re-authentication
  dot1x timeout tx-period 10
  switchport access vlan 666
  spanning-tree port type edge
  spanning-tree bpduguard enable
  mtu 9216
  no shutdown
ISE Configs:
network devices - nexus switch above added using mgmt0 interface in vrf
policy (radius = 802.1x)
authentication (wired mab and default both look in all stores)
authorization (wired mab and default both allow all)