Cisco ISE with existing AD user

SaintEvn
Level 1

Hi,

We planned to add Cisco ISE to our infra. We will use 802.1X authentication for wired and wireless users.
We already have an existing AD and all the computers are joined to the same domain.

What I would like to know is, after I've added Cisco ISE to the infra and enabled 802.1X authentication on user switch ports, will the user who has already joined AD still need to do 802.1X on his computer?

Is there anything I can do on the AD side?

Can I get a sample switch port configuration for dot1x and MAB that is used in a normal implementation?

Thanks a lot for the help!

Accepted Solution

Arne Bier
VIP

Hello @SaintEvn

Long answer - you will need to do two things:

1) Prepare the user's devices - for wired 802.1X you need to push Microsoft Group Policy to enable the Wired service to enable 802.1X on Ethernet interfaces. Then go through the laborious steps of configuring the supplicant (correctly) - this involves many steps and stages - it's not obvious to most, but it might be sufficient to just configure the supplicant to use Machine authentication - this means that when a machine boots up, it will do 802.1X - as long as the machine is kept running (user logs in/out etc.) all is well. For wireless you need to create a WLAN profile and push it to devices.

2) Put policies in ISE - the wireless 802.1X config is pretty simple because we don't have to deal with the decisions of what the user might do on the WLAN - it's 802.1X or nothing. The wired 802.1X/MAB config on switches is the trickier part - for that I would recommend the Wired Prescriptive Guide. It's not easy to answer your question off the bat, because you need to tell us what IOS/IOS-XE you have and whether you would be happy with the IBNS 2.0 style of config.

I can share my recent experience on a Cisco 9300 running IOS-XE 16.12.x where I documented the steps to deploy this. The intention was to have two options - 802.1X first then MAB, and MAB first then 802.1X - I wanted two port templates that I could apply as required. And it uses IBNS 2.0 - not for the faint-hearted. But this is what is typically required. I have scattered my comments throughout the code snippet below. I have included ALL the other stuff like device tracking and device sensor:

IBNS 1.0 to IBNS 2.0 Steps to Success - CLOSED MODE configuration

Start off with a config that is in legacy mode.

Step 1) Create a NAC port config in the old (legacy) style,
e.g. on a spare interface gig 1/0/1:


device-tracking policy CCC_IPDT
 security-level glean
 no protocol ndp
 tracking enable reachable-lifetime 10
no device-tracking logging theft
device-tracking tracking auto-source override
device-tracking tracking retry-interval 60
!
default int gig 1/0/1
int gig 1/0/1
 switchport mode access
 switchport access vlan 666
 spanning-tree portfast
 spanning-tree bpduguard enable
 device-tracking attach-policy CCC_IPDT
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 mab
 authentication host-mode single-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server

Step 2) Then create a few more bits and pieces that are not going to trigger the IBNS 2.0 auto-conversion:

ip access-list extended ACL_WEBAUTH_REDIRECT
 10 permit tcp any any eq www
 20 permit tcp any any eq 443
ip access-list extended BLOCKHOLE
 10 permit tcp any any eq www
 20 permit tcp any any eq 443
ip access-list extended CRITICAL_AUTH_ACL
 10 remark ISE down permit all access
 10 permit ip any any
ip access-list extended IPV4_PRE_AUTH_ACL
 10 permit udp any eq bootpc any eq bootps
 20 permit udp any any eq domain
 30 deny   ip any any


radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 2
!
radius server RADIUS-SERVER-1
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 automate-tester username NAD-Tester ignore-acct-port probe-on
 key 0 mysecretgoeshere
 
radius server RADIUS-SERVER-2
 address ipv4 10.1.1.2 auth-port 1812 acct-port 1813
 automate-tester username NAD-Tester ignore-acct-port probe-on
 key 0 mysecretgoeshere
 
 

aaa group server radius RADIUS-SERVER-GROUP
 server name RADIUS-SERVER-1
 server name RADIUS-SERVER-2
 ip radius source-interface Vlan33

aaa session-id common
aaa authentication dot1x default group RADIUS-SERVER-GROUP
aaa authorization network default group RADIUS-SERVER-GROUP
aaa authorization network auth-list group RADIUS-SERVER-GROUP
aaa authorization auth-proxy default group RADIUS-SERVER-GROUP
aaa accounting update newinfo periodic 2880

!
aaa server radius dynamic-author
 client 10.1.1.1 server-key 0 mysecretgoeshere
 client 10.1.1.2 server-key 0 mysecretgoeshere



dot1x system-auth-control
dot1x critical eapol

 
 
device-sensor filter-list dhcp list dhcp-list
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-list lldp list lldp-list
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
device-sensor filter-list cdp list cdp-list
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
device-sensor filter-spec dhcp include list dhcp-list
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
device-sensor notify all-changes
!
!
!
authentication critical recovery delay 1000



Step 3) Stop here and do the conversion. The reason is that any further commands you issue
could potentially get you into trouble - so do it consciously with the following command,
in privileged EXEC mode:

CCC-SW-113#authentication display new-style

Please note that while you can revert to legacy style
configuration at any time unless you have explicitly
entered new-style configuration, the following caveats
should be carefully read and understood.

(1) If you save the config in this mode, it will be written
    to NVRAM in NEW-style config, and if you subsequently
    reload the router without reverting to legacy config and
    saving that, you will no longer be able to revert.

(2) In this and legacy mode, Webauth is not IPv6-capable. It
    will only become IPv6-capable once you have entered new-
    style config manually, or have reloaded with config saved
    in 'authentication display new' mode.

(3) 'Default' and 'rollback' commands should not be used in this
    display mode. Either remain in legacy display mode or switch
    to new-style configuration mode before use.

!! You will see that the interface config now has a template associated - that means SUCCESS!!

CCC-SW-113#show run int gig 1/0/1
Building configuration...

Current configuration : 486 bytes
!
interface GigabitEthernet1/0/1
 switchport access vlan 666
 switchport mode access
 device-tracking attach-policy CCC_IPDT
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode single-host
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber POLICY_Gi1/0/1   <-------
end

!! This is only the beginning. IOS has created policy maps, class maps and templates. IBNS 2.0 stuff :)
!! e.g.
! class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
! class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
! class-map type control subscriber match-all DOT1X
! class-map type control subscriber match-all DOT1X_FAILED
! class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
! class-map type control subscriber match-all DOT1X_NO_RESP
! class-map type control subscriber match-all DOT1X_TIMEOUT
! class-map type control subscriber match-all MAB
! class-map type control subscriber match-all MAB_FAILED

! Check the mode
CCC-SW-113#authentication display config-mode
Current configuration mode is new-style

!! Now you can configure the rest - see below

access-session attributes filter-list list DS_LIST
 vlan-id
 cdp
 lldp
 dhcp
 http
access-session authentication attributes filter-spec include list DS_LIST
access-session accounting attributes filter-spec include list DS_LIST
access-session monitor
access-session mac-move deny
access-session acl default passthrough

aaa accounting identity default start-stop group RADIUS-SERVER-GROUP

class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH


policy-map type control subscriber MABFIRST_AUTH_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 20
  15 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
 event violation match-all
  10 class always do-until-failure
   10 replace
!

policy-map type control subscriber DOT1XFIRST_AUTH_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  15 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
 event violation match-all
  10 class always do-until-failure
   10 replace
!



template CCC-MABFIRST-AUTH-01
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 storm-control broadcast level 10.00
 storm-control multicast level 20.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport access vlan 666
 switchport mode access
 mab
 access-session host-mode single-host
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber MABFIRST_AUTH_POLICY


! Now apply all this on a spare port and leave gig 1/0/1 intact for comparison
default int gig 1/0/2
interface GigabitEthernet1/0/2
 description Test Port
 switchport priority extend trust
 device-tracking attach-policy CCC_IPDT
 source template CCC-MABFIRST-AUTH-01
 spanning-tree portfast
 

Example:
CCC-SW-113#show run int gi1/0/2
!
interface GigabitEthernet1/0/2
 description Test Port
 switchport priority extend trust
 device-tracking attach-policy CCC_IPDT
 source template CCC-MABFIRST-AUTH-01
 spanning-tree portfast
end



CCC-SW-113#show derived-config in gi 1/0/2
!
interface GigabitEthernet1/0/2
 description Test Port
 switchport access vlan 666
 switchport mode access
 switchport priority extend trust
 device-tracking attach-policy CCC_IPDT
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode single-host
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 storm-control broadcast level 10.00
 storm-control multicast level 20.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber MABFIRST_AUTH_POLICY
end

 
copy running startup
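
The two control policies above decide what happens when MAB or 802.1X fails and when ISE is unreachable (the AAA_SVR_DOWN_* classes and the CRITICAL_AUTH service-template). The following Python is an added example, not from the post or from Cisco: it parses a subscriber policy-map as pasted from `show running-config` and checks that the fail-over and critical-auth paths are present, using a trimmed copy of the MAB-first policy as constructed input. The function names and finding strings are my own.

```python
"""Audit an IBNS 2.0 subscriber control policy for the MAB/802.1X fail-over and critical-auth paths."""
import re

EVENT_RE = re.compile(r"^\s*event\s+(\S+)\s+match-\S+\s*$")
CLASS_RE = re.compile(r"^\s*\d+\s+class\s+(\S+)\s+\S+\s*$")
ACTION_RE = re.compile(r"^\s*\d+\s+(.+?)\s*$")

# Constructed sample input: the post's MAB-first policy, trimmed to the events audited.
MABFIRST_POLICY = """\
policy-map type control subscriber MABFIRST_AUTH_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 20
  15 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
"""


def parse_policy(text):
    """Return {event: [(class_name, [action, ...]), ...]} in configured order."""
    events, classes, actions = {}, None, None
    for line in text.splitlines():
        if m := EVENT_RE.match(line):
            classes, actions = events.setdefault(m.group(1), []), None
        elif (m := CLASS_RE.match(line)) and classes is not None:
            actions = []
            classes.append((m.group(1), actions))
        elif (m := ACTION_RE.match(line)) and actions is not None:
            actions.append(m.group(1))
    return events


def audit_policy(events):
    """Return findings (empty list == all checks passed) for a parsed policy."""
    get = lambda ev, cls: next((a for n, a in events.get(ev, []) if n == cls), None)
    has = lambda acts, prefix: acts is not None and any(a.startswith(prefix) for a in acts)
    fail = "authentication-failure"
    start = get("session-started", "always")
    if not has(start, "authenticate using"):
        return ["session-started starts no authentication method"]
    first = "mab" if has(start, "authenticate using mab") else "dot1x"
    other, failed_cls = ("dot1x", "MAB_FAILED") if first == "mab" else ("mab", "DOT1X_FAILED")
    checks = [  # (condition that must hold, finding reported when it does not)
        (has(get(fail, failed_cls), "authenticate using " + other),
         f"{failed_cls} does not fall back to {other}"),
        (has(get(fail, "DOT1X_NO_RESP"), "authenticate using mab"),
         "silent hosts (DOT1X_NO_RESP) do not fall back to mab"),
        (has(get(fail, "AAA_SVR_DOWN_UNAUTHD_HOST"), "activate service-template")
         and has(get(fail, "AAA_SVR_DOWN_UNAUTHD_HOST"), "authorize"),
         "no critical-auth (service-template + authorize) while RADIUS is dead"),
        (has(get(fail, "AAA_SVR_DOWN_AUTHD_HOST"), "pause reauthentication"),
         "authenticated hosts are not kept up while RADIUS is dead"),
        (has(get("aaa-available", "IN_CRITICAL_AUTH"), "clear-session"),
         "critical-auth sessions are not cleared when RADIUS returns"),
        ([n for n, _ in events.get(fail, [])][-1:] == ["always"],
         "authentication-failure lacks a final catch-all 'always' class"),
    ]
    return [finding for ok, finding in checks if not ok]


if __name__ == "__main__":
    print("post's policy:", audit_policy(parse_policy(MABFIRST_POLICY)))
    print("without critical auth:", audit_policy(parse_policy(  # constructed weak variant
        MABFIRST_POLICY.replace("activate service-template CRITICAL_AUTH", "authentication-restart 60"))))
```

The same checks apply unchanged to the DOT1XFIRST policy, because the method that ran first is derived from the session-started action.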

 

 

Thank you so much. It was a great help!!
