11-10-2020 11:19 AM
Hi,
We plan to add Cisco ISE to our infra. We will use 802.1x authentication for wired and wireless users.
We already have an existing AD and all the computers are joined to the same domain.
What I would like to know is, after I've added Cisco ISE to the infra and enabled 802.1x authentication on user switch ports, will a user who has already joined AD still need to do 802.1x on his computer?
Is there anything I can do on the AD side?
Can I get sample switch port configuration for dot1x and MAB configuration that is used in normal implementation?
Thanks a lot for the help!
11-10-2020 12:37 PM
Hello @SaintEvn
Long answer - you will need to do two things
1) Prepare the user's devices - for wired 802.1X you need to push Microsoft Group Policy to enable the Wired Service to enable 802.1X on Ethernet interfaces. Then go through the laborious steps of configuring the supplicant (correctly) - this involves many steps and stages - it's not obvious to most, but it might be sufficient to just configure the supplicant to use Machine authentication - this means that when a machine boots up, it will do 802.1X - as long as the machine is kept running (user logs in/out etc) all is well. For wireless you need to create a WLAN profile and push it to devices.
2) Put policies in ISE - the wireless 802.1X config is pretty simple because we don't have to deal with the decisions of what the user might do on the WLAN - it's 802.1X or nothing. The wired 802.1X/MAB config on switches is the trickier part - for that I would recommend the Wired Prescriptive Guide. It's not easy to answer your question off the bat, because you need to tell us what IOS/IOS-XE you have and whether you would be happy with IBNS 2.0 style of config.
I can share my recent experience on a Cisco 9300 running IOS-XE 16.12.x where I documented the steps to deploy this. The intention was to have two options - 802.1X first then MAB, and MAB first then 802.1X - I wanted to port templates that I could apply as required. And it uses IBNS 2.0 - not for the faint-hearted. But this is what is typically required. I have scattered my comments throughout the code snippet below. I have included ALL the other stuff like device tracking and device sensor:
IBNS 1.0 to IBNS 2.0 Steps to Success - CLOSED MODE configuration
Start off with a config that is in legacy mode
Step 1) Create a NAC Port config in the old (legacy style)
e.g. on a spare interface gig 1/0/1
device-tracking policy CCC_IPDT
 security-level glean
 no protocol ndp
 tracking enable reachable-lifetime 10
no device-tracking logging theft
device-tracking tracking auto-source override
device-tracking tracking retry-interval 60
!
default int gig 1/0/1
int gig 1/0/1
 switchport mode access
 switchport access vlan 666
 spanning-tree portfast
 spanning-tree bpduguard enable
 device-tracking attach-policy CCC_IPDT
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 mab
 authentication host-mode single-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
2) Then create a few more bits and pieces that are not going to trigger IBNS 2.0 auto conversion
ip access-list extended ACL_WEBAUTH_REDIRECT
 10 permit tcp any any eq www
 20 permit tcp any any eq 443
ip access-list extended BLOCKHOLE
 10 permit tcp any any eq www
 20 permit tcp any any eq 443
ip access-list extended CRITICAL_AUTH_ACL
 10 remark ISE down permit all access
 10 permit ip any any
ip access-list extended IPV4_PRE_AUTH_ACL
 10 permit udp any eq bootpc any eq bootps
 20 permit udp any any eq domain
 30 deny ip any any
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 2
!
radius server RADIUS-SERVER-1
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 automate-tester username NAD-Tester ignore-acct-port probe-on
 key 0 mysecretgoeshere
radius server RADIUS-SERVER-2
 address ipv4 10.1.1.2 auth-port 1812 acct-port 1813
 automate-tester username NAD-Tester ignore-acct-port probe-on
 key 0 mysecretgoeshere
aaa group server radius RADIUS-SERVER-GROUP
 server name RADIUS-SERVER-1
 server name RADIUS-SERVER-2
 ip radius source-interface Vlan33
aaa session-id common
aaa authentication dot1x default group RADIUS-SERVER-GROUP
aaa authorization network default group RADIUS-SERVER-GROUP
aaa authorization network auth-list group RADIUS-SERVER-GROUP
aaa authorization auth-proxy default group RADIUS-SERVER-GROUP
aaa accounting update newinfo periodic 2880
!
aaa server radius dynamic-author
 client 10.1.1.1 server-key 0 mysecretgoeshere
 client 10.1.1.2 server-key 0 mysecretgoeshere
dot1x system-auth-control
dot1x critical eapol
device-sensor filter-list dhcp list dhcp-list
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-list lldp list lldp-list
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
device-sensor filter-list cdp list cdp-list
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
device-sensor filter-spec dhcp include list dhcp-list
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
device-sensor notify all-changes
!
!
!
authentication critical recovery delay 1000
3) Stop here and do the conversion. The reason is that any further commands that you issue will potentially get you into trouble - so do it consciously with the following command:
In Priv Exec mode:
CCC-SW-113#authentication display new-style
Please note that while you can revert to legacy style
configuration at any time unless you have explicitly
entered new-style configuration, the following caveats
should be carefully read and understood.
(1) If you save the config in this mode, it will be written
to NVRAM in NEW-style config, and if you subsequently
reload the router without reverting to legacy config and
saving that, you will no longer be able to revert.
(2) In this and legacy mode, Webauth is not IPv6-capable. It
will only become IPv6-capable once you have entered new-
style config manually, or have reloaded with config saved
in 'authentication display new' mode.
(3) 'Default' and 'rollback' commands should not be used in this
display mode. Either remain in legacy display mode or switch
to new-style configuration mode before use.
!! You will see that the interface config now has a template associated - that means SUCCESS!!
CCC-SW-113#show run int gig 1/0/1
Building configuration...
Current configuration : 486 bytes
!
interface GigabitEthernet1/0/1
 switchport access vlan 666
 switchport mode access
 device-tracking attach-policy CCC_IPDT
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode single-host
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber POLICY_Gi1/0/1 <-------
end
!! This is only the beginning. IOS has created policy maps, class maps and templates. IBNS 2.0 stuff :)
!! e.g.
! class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
! class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
! class-map type control subscriber match-all DOT1X
! class-map type control subscriber match-all DOT1X_FAILED
! class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
! class-map type control subscriber match-all DOT1X_NO_RESP
! class-map type control subscriber match-all DOT1X_TIMEOUT
! class-map type control subscriber match-all MAB
! class-map type control subscriber match-all MAB_FAILED
! Check the mode
CCC-SW-113#authentication display config-mode
Current configuration mode is new-style
!! Now you can configure the rest - see below
access-session attributes filter-list list DS_LIST
 vlan-id
 cdp
 lldp
 dhcp
 http
access-session authentication attributes filter-spec include list DS_LIST
access-session accounting attributes filter-spec include list DS_LIST
access-session monitor
access-session mac-move deny
access-session acl default passthrough
aaa accounting identity default start-stop group RADIUS-SERVER-GROUP
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH
policy-map type control subscriber MABFIRST_AUTH_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 20
  15 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
 event violation match-all
  10 class always do-until-failure
   10 replace
!
policy-map type control subscriber DOT1XFIRST_AUTH_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  15 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
 event violation match-all
  10 class always do-until-failure
   10 replace
!
template CCC-MABFIRST-AUTH-01
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 storm-control broadcast level 10.00
 storm-control multicast level 20.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport access vlan 666
 switchport mode access
 mab
 access-session host-mode single-host
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber MABFIRST_AUTH_POLICY
! Now apply all this on a spare port and leave gig 1/0/1 intact for comparison
default int gig 1/0/2
interface GigabitEthernet1/0/2
 description Test Port
 switchport priority extend trust
 device-tracking attach-policy CCC_IPDT
 source template CCC-MABFIRST-AUTH-01
 spanning-tree portfast
Example:
CCC-SW-113#show run int gi1/0/2
!
interface GigabitEthernet1/0/2
 description Test Port
 switchport priority extend trust
 device-tracking attach-policy CCC_IPDT
 source template CCC-MABFIRST-AUTH-01
 spanning-tree portfast
end
CCC-SW-113#show derived-config in gi 1/0/2
!
interface GigabitEthernet1/0/2
 description Test Port
 switchport access vlan 666
 switchport mode access
 switchport priority extend trust
 device-tracking attach-policy CCC_IPDT
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode single-host
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 storm-control broadcast level 10.00
 storm-control multicast level 20.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber MABFIRST_AUTH_POLICY
end
copy running startup
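Added example, not part of the original answer: a small Python audit for a saved running-config that resolves `source template` the way `show derived-config` does, then flags access ports missing `access-session port-control auto`, a control policy, or both `access-session closed` and an inbound pre-auth ACL, and lists RADIUS secrets stored as type 0. The sample config is constructed from names in the post; GigabitEthernet1/0/3, the function names and the finding labels are assumptions made for the illustration.

```python
import re

# Constructed sample in `show running-config` layout; names follow the post,
# GigabitEthernet1/0/3 is invented to show an unprotected port.
SAMPLE_CONFIG = """\
radius server RADIUS-SERVER-1
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 key 0 mysecretgoeshere
aaa server radius dynamic-author
 client 10.1.1.1 server-key 0 mysecretgoeshere
template CCC-MABFIRST-AUTH-01
 dot1x pae authenticator
 switchport mode access
 mab
 access-session port-control auto
 service-policy type control subscriber MABFIRST_AUTH_POLICY
interface GigabitEthernet1/0/1
 switchport mode access
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber POLICY_Gi1/0/1
interface GigabitEthernet1/0/2
 description Test Port
 source template CCC-MABFIRST-AUTH-01
interface GigabitEthernet1/0/3
 switchport mode access
"""

def parse_sections(config):
    """Map each top-level line to the list of its indented child lines."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def derived_config(sections, interface):
    """Interface lines plus the lines of any template the interface sources."""
    lines = list(sections.get("interface " + interface, []))
    for line in list(lines):
        match = re.fullmatch(r"source template (\S+)", line)
        if match:
            lines += sections.get("template " + match.group(1), [])
    return lines

def audit_interface(sections, interface):
    """Return finding labels (hypothetical names) for one access port."""
    lines = derived_config(sections, interface)
    if "switchport mode access" not in lines:
        return []  # only access ports are in scope
    findings = []
    enforced = "access-session port-control auto" in lines
    if not enforced:
        findings.append("no-port-control")
    if not any(l.startswith("service-policy type control subscriber ") for l in lines):
        findings.append("no-control-policy")
    closed = "access-session closed" in lines
    preauth_acl = any(re.fullmatch(r"ip access-group \S+ in", l) for l in lines)
    if enforced and not closed and not preauth_acl:
        # Without `access-session closed` the port passes traffic before authentication.
        findings.append("open-mode-no-preauth-acl")
    return findings

def plaintext_secrets(config):
    """List lines holding a type 0 (cleartext) RADIUS key, with the secret redacted."""
    pattern = r"\b((?:server-)?key 0) \S+"
    return [re.sub(pattern, r"\1 <redacted>", l.strip())
            for l in config.splitlines() if re.search(pattern, l)]
```

On the sample, the templated port GigabitEthernet1/0/2 is reported because the template carries no `access-session closed` line, while the converted GigabitEthernet1/0/1 passes.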
11-10-2020 09:22 PM
Thank you so much. It was a great help!!