
Cisco switch authentication problem with ISE

keith-mk-li
Level 1

Dear All,

  

I have an issue with the following switches. Switch 1 can authenticate with ISE, whereas switch 2 cannot. When I run "sh authentication session", switch 1 shows traffic and switch 2 shows no sessions at all, and when I run the aaa test command to verify connectivity, switch 1 shows success whereas switch 2 doesn't. Can anyone take a look for any issue on switch 2 compared with switch 1? The configuration was done by a former colleague, and I believe switch 1 is using IBNS 2 whereas switch 1 did not. Any help would be appreciated.

 

 

Switch 1  


Building configuration...

Current configuration : 119811 bytes
!
! Last configuration change at 15:01:38 HKG Fri Sep 20 2024 by adm_kli
! NVRAM config last updated at 10:57:09 HKG Mon Sep 16 2024 by adm_klam
!
version 17.9
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service call-home
platform punt-keepalive disable-kernel-core
!
hostname SW
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 40960
aaa new-model
!
!
aaa group server radius ISE
server name ISE1
server name ISE2
deadtime 300
!
aaa authentication login default local
aaa authentication dot1x default group ISE
aaa authorization exec default local
aaa authorization network default group ISE
aaa accounting delay-start all
aaa accounting update newinfo
aaa accounting identity default start-stop group ISE
aaa accounting network default start-stop group ISE
!
!
aaa server radius dynamic-author
client 10.121.102.215 server-key 7 062XXXXXXXXXXXXXXX
client 10.121.102.216 server-key 7 12XXXXXXXXXXXXXX
!
aaa session-id common
!
!
!
clock timezone HKG 8 0
switch 1 provision c9200-48p
switch 2 provision c9200-48p
switch 3 provision c9200-48p
switch 4 provision c9200-48p
switch 5 provision c9200-48p
!
!
!
!
!
ip domain name ABC.Com
!
!
!
login on-success log
vtp mode transparent
vtp version 1
!
!
!
!
!
!
flow exporter 10.12.101.76
destination 10.12.101.76
transport udp 6007
!
access-session mac-move deny
device-tracking tracking
!
device-tracking policy IPDT_POLICY
no protocol udp
tracking enable
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
crypto pki trustpoint TP-self-signed-6xxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-6xxxxxx
revocation-check none
rsakeypair TP-self-signed-6XXXXXXXXXXX
!
crypto pki trustpoint sdn-network-infra-iwan
enrollment url http://10.12.101.76:80/ejbca/publicweb/apply/scep/sdnscep
fqdn SW.ABC.Com
subject-name CN=C9200-48P_JAD23220QV9_sdn-network-infra-iwan
revocation-check crl
source interface Vlan505
rsakeypair sdn-network-infra-iwan
auto-enroll 80 regenerate
!
crypto pki trustpoint DNAC-CA
enrollment mode ra
enrollment terminal
usage ssl-client
revocation-check crl none
source interface Vlan505
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain TP-self-signed-6XXXXXXXXX
certificate self-signed 01
quit
crypto pki certificate chain sdn-network-infra-iwan
certificate 2XXXXXXXXXXXXXXX
quit
certificate ca 3XXXXXXXXXXXXXXXXX
quit
crypto pki certificate chain DNAC-CA
certificate ca 00C56CXXXXXXXXXXXXXXXXXXXXXXXXXX
quit
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
license boot level network-essentials addon dna-essentials
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
service-template webauth-global-inactive
inactivity-timer 3600
dot1x system-auth-control
memory free low-watermark processor 22699
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
enable secret 9 $9$mqcNJ9t3Bxxxxxxxxxxxxxxxxxx.5XvM1DvLp7c
!
username adm secret 9 $9$wWqmmTnA9tBuB.$1n1q/rtzUFxxxxxxxxxxxxxxxxxxxxxxx
username adm_ secret 9 $9$Fv4qQI8k613/RE$I//BU/Uxxxxxxxxxxxxxxxxxxxxxxxx
username cis_login privilege 15 secret 9 $9$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username adm_secret 9 $9$ZbQw6QCoqLACqE$exxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
mode sso
crypto engine compliance shield disable
!
!
!
!
!
transceiver type all
monitoring
!
!
vlan 3
name Adyen
!
vlan 55
name Door
!
vlan 100
name Voice
!
vlan 2
name WiFi
!
vlan 505
name Device
!
vlan 10
name User
!
vlan 535
name AccessPoint
!
vlan 29
name Guest
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
match result-type aaa-timeout
match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
match method dot1x
match result-type method dot1x method-timeout
!
class-map type control subscriber match-all MAB
match method mab
!
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
!
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
!
policy-map type control subscriber ISE_POLICY
event session-started match-all
10 class always do-until-failure
10 authenticate using mab priority 20
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authentication-restart 60
10 class MAB_FAILED do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
20 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authentication-restart 60
40 class always do-until-failure
10 terminate mab
20 terminate dot1x
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
event violation match-all
10 class always do-until-failure
10 restrict
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
description *** PortChannel to 9500 ***
switchport mode trunk
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
!
interface GigabitEthernet1/0/1
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/2
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/3
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/4
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/5
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/6
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/7
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/8
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/9
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/10
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/11
description *** User ***
switchport access vlan 510
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/12
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/13
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/14
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/15
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/16
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/17
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/18
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/19
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/20
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/21
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/22
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/23
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/24
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/25
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/26
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/27
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/28
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/29
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/30
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/31
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/32
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/33
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/34
description *** User ***
switchport access vlan 510
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/35
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/36
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/37
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/38
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/39
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/40
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/41
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/42
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/43
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/44
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/45
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/46
description *** User ***
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/47
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/0/48
description *** User ***
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication periodic
authentication timer reauthenticate server
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber ISE_POLICY
!
interface GigabitEthernet1/1/1
device-tracking attach-policy IPDT_POLICY
shutdown
!
interface GigabitEthernet1/1/2
device-tracking attach-policy IPDT_POLICY
shutdown
!
interface GigabitEthernet1/1/3
device-tracking attach-policy IPDT_POLICY
shutdown
!
interface GigabitEthernet1/1/4
device-tracking attach-policy IPDT_POLICY
shutdown
!
interface TenGigabitEthernet1/1/1
description *** UpLink_to_9500 ***
switchport mode trunk
channel-group 1 mode active
!
interface TenGigabitEthernet1/1/2
description *** UpLink_to_9500 ***
switchport mode trunk
channel-group 1 mode active
!
interface TenGigabitEthernet1/1/3
device-tracking attach-policy IPDT_POLICY
shutdown
!
interface TenGigabitEthernet1/1/4
device-tracking attach-policy IPDT_POLICY
shutdown
!

!
interface Vlan1
no ip address
!
interface Vlan5
description Door vlan
no ip address
!
interface Vlan100
description Voice vlan
ip address 10.121.1.230 255.255.255.0
!
interface Vlan2
description WiFi Vlan
no ip address
!
interface Vlan505
description Device Vlan
ip address 10.121.102.230 255.255.255.0
!
interface Vlan10
description User Vlan
ip address 10.121.100.250 255.255.255.0
!
interface Vlan35
no ip address
!
interface Vlan29
description Guest
no ip address
!
ip default-gateway 10.121.102.252
no ip http server
no ip http secure-server
ip http client source-interface Vlan505
ip forward-protocol nd
ip ssh time-out 60
ip ssh source-interface Vlan505
ip ssh version 2
!
!
logging source-interface Vlan505
logging host 10.121.101.76
ip access-list standard 99
10 permit 10.12.100.211
20 permit 10.12.121.0 0.0.0.255
30 deny any
!
snmp-server community 84F6xxxxxxxxx RO 99
snmp-server community R4xxxxxxxxx RW 99
snmp-server trap-source Vlan505
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flowmon
snmp-server enable traps entity-perf throughput-notif
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps bfd
snmp-server enable traps license
snmp-server enable traps smart-license
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps rep
snmp-server enable traps memory bufferpeak
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps energywise
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps flash insertion removal lowspace
snmp-server enable traps power-ethernet group 1 threshold 80
snmp-server enable traps power-ethernet group 2 threshold 80
snmp-server enable traps power-ethernet group 3 threshold 80
snmp-server enable traps power-ethernet group 4 threshold 80
snmp-server enable traps power-ethernet group 5 threshold 80
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server enable traps udld link-fail-rpt
snmp-server enable traps udld status-change
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps envmon
snmp-server enable traps stackwise
snmp-server enable traps dhcp
snmp-server enable traps event-manager
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps ipmulticast
snmp-server enable traps pimstdmib neighbor-loss invalid-register invalid-join-prune rp-mapping-change interface-election
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps errdisable
snmp-server enable traps vlan-membership
snmp-server enable traps transceiver all
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server enable traps rf
snmp-server host 10.12.101.76 version 2c 84F6t{_=n@SJ
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
!
radius server ISE1
address ipv4 10.121.102.215 auth-port 1812 acct-port 1813
timeout 10
key 7 080xxxxxxxxxxxxxxxxx
!
radius server ISE2
address ipv4 10.121.102.216 auth-port 1812 acct-port 1813
timeout 10
key 7 00xxxxxxxxxxxxxxxxxxxx
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
password 7 00xxxxxxxxxxxxxx
logging synchronous
stopbits 1
line aux 0
line vty 0 4
logging synchronous
transport input ssh
line vty 5 15
logging synchronous
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-s@cisco.com
profile "Cisco-1"
active
destination transport-method http
ntp logging
ntp server 10.12.101.19
!
!
!
!
!
!
telemetry ietf subscription 500
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_port_detail
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 501
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_module
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 502
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_stack
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 503
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_switch
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 504
encoding encode-tdl
filter nested-uri /services;serviceName=ios_oper/platform_component;cname=0?platform_properties
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 30000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 550
encoding encode-tdl
filter tdl-uri /services;serviceName=smevent/sessionevent
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 551
encoding encode-tdl
filter tdl-uri /services;serviceName=sessmgr_oper/session_context_data
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 552
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/sisf_mac_oper_state
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 553
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/sisf_db_wired_mac
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 554
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/cdp_neighbor_detail
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 555
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/cdp_neighbor_detail
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 600
encoding encode-tdl
filter tdl-uri /services;serviceName=sessmgr_oper/tbl_aaa_servers_stat
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 601
encoding encode-tdl
filter tdl-uri /services;serviceName=sessmgr_oper/tbl_aaa_servers_stat
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 602
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_emul_oper/lisp_routers;top_id=0/sessions
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 603
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/lisp_tcp_session_state
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 604
encoding encode-tdl
filter nested-uri /services;serviceName=ios_emul_oper/lisp_routers;top_id=0/instances;iid=0/af;iaftype=LISP_TDL_IAF_IPV4/lisp_publisher
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 605
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/lisp_pubsub_session_state
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 606
encoding encode-tdl
filter nested-uri /services;serviceName=ios_emul_oper/lisp_routers;top_id=0/remote_locator_sets;name=default-etr-locator-set-ipv4/rem_loc_set_rlocs_si
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 607
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/lisp_etr_si_type
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 608
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_emul_oper/cts_env_data
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 750
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_emul_oper/environment_sensor
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 30000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 751
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/platform_component
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 30000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 1020
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/install_status
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 8882
encoding encode-tdl
filter tdl-transform trustSecCounterDelta
receiver-type protocol
source-address 10.121.102.230
stream native
update-policy periodic 90000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry receiver protocol DNAC_ASSURANCE_RECEIVER
host ip-address 10.121.101.76 25103
protocol tls-native profile sdn-network-infra-iwan
telemetry transform trustSecCounterDelta
input table cts_rolebased_policy
field dst_sgt
field src_sgt
field sgacl_name
field monitor_mode
field num_of_sgacl
field policy_life_time
field total_deny_count
field last_updated_time
field total_permit_count
join-key cts_role_based_policy_key
logical-op and
type mandatory
uri /services;serviceName=ios_emul_oper/cts_rolebased_policy
operation 1
output-field 1
field cts_rolebased_policy.src_sgt
output-field 2
field cts_rolebased_policy.dst_sgt
output-field 3
field cts_rolebased_policy.total_permit_count
output-op type delta
output-field 4
field cts_rolebased_policy.total_deny_count
output-op type delta
output-field 5
field cts_rolebased_policy.sgacl_name
output-field 6
field cts_rolebased_policy.monitor_mode
output-field 7
field cts_rolebased_policy.num_of_sgacl
output-field 8
field cts_rolebased_policy.policy_life_time
output-field 9
field cts_rolebased_policy.last_updated_time
specified
netconf-yang
netconf-yang feature candidate-datastore
end

SW#  exit

======================================================================================

SWITCH 2 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.09.21 16:40:22 =~=~=~=~=~=~=~=~=~=~=~=
login as: adm
Using keyboard-interactive authentication.
Password:

SW2>en
Password:
SW2#sh run
Building configuration...

Current configuration : 37022 bytes
!
! Last configuration change at 17:07:29 HKG Fri Sep 20 2024 by adm
! NVRAM config last updated at 11:08:23 HKG Fri Sep 20 2024 by adm
!
version 17.9
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service call-home
no platform punt-keepalive disable-kernel-core
!
hostname SW
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 40960
aaa new-model
!
!
aaa group server radius ISE
server name ISE1
server name ISE2
deadtime 300
!
aaa group server radius HHK-ISE
server name HKRAD01
deadtime 5
!
aaa authentication login default local
aaa authentication login NO_AUTH none
aaa authentication login SSH-LOGIN local
aaa authentication dot1x default group ISE
aaa authorization exec default local
aaa authorization network default group ISE
aaa accounting delay-start all
aaa accounting update newinfo
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting network default start-stop group ISE
!
!
aaa server radius dynamic-author
client 10.12.101.59 server-key 7 1XXXXXXXX
client 10.121.102.215 server-key 7 1XXXXXXXXX
client 10.121.102.216 server-key 7 0XXXXXXXXXXX
!
aaa session-id common
!
!
!
clock timezone HKG 8 0
boot system switch all flash:packages.conf
software auto-upgrade enable
!
switch 1 provision c9200-24p
!
!
!
!
!
ip domain name abc.com
!
!
!
login on-success log
vtp version 1
!
!
!
!
!
!
flow exporter 10.12.101.76
destination 10.12.101.76
transport udp 6007
!
device-tracking tracking
!
device-tracking policy IPDT_POLICY
no protocol udp
tracking enable
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
crypto pki trustpoint TP-self-signed-36XXXXXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-36XXXXXXXX
revocation-check none
rsakeypair TP-self-signed-362XXXXXXXXX
!
crypto pki trustpoint sdn-network-infra-iwan
enrollment url http://10.12.101.76:80/ejbca/publicweb/apply/scep/sdnscep
fqdn SW2.ABC.com
subject-name CN=C9200-24P_JAD23200XH1_sdn-network-infra-iwan
revocation-check crl
source interface Vlan1
rsakeypair sdn-network-infra-iwan
auto-enroll 80 regenerate
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain TP-self-signed-36XXXXXXXXXX
certificate self-signed 01
quit
crypto pki certificate chain sdn-network-infra-iwan
certificate 02XXXXXXXXXXX
quit
certificate ca 37XXXXXXXXXXXXXX
quit
!
license boot level network-essentials addon dna-essentials
dot1x system-auth-control
memory free low-watermark processor 87534
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
enable secret 8 $8$.NgW/4EhgJxrVXXXXXXXXXXXXXXXXXXXXXX.a2agw
!
username adm secret 9 $9$PBHsSrVgqXXXXXXXXXXXXXXXXXXXXXXXXX
username adm_asecret 9 $9$0ANq/alg9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username cisc_login privilege 15 secret 8 $8$KdXWjGrunYPRWk$IOXJOe5XXXXXXXXXXXXXXXXXXXXXXXXXXX
username adm_WW secret 9 $9$Ifzf8rEX2Wls7.$Vyt36JXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
mode sso
crypto engine compliance shield disable
!
!
!
!
!
transceiver type all
monitoring
!
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
description *** Synology DS215+ NAS ***
switchport mode access
switchport nonegotiate
!
interface Port-channel2
description *** Synology DS214+ NAS ***
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
!
interface GigabitEthernet1/0/1
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/3
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/4
description Terminal
switchport access vlan 3
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication host-mode multi-host
authentication order mab
mab
dot1x pae authenticator
spanning-tree portfast
!
interface GigabitEthernet1/0/5
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/6
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/7
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/8
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/9
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/10
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/11
description *** Printer ***
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/12
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/13
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/14
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/15
description User data port
switchport mode access
device-tracking attach-policy IPDT_POLICY
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface GigabitEthernet1/0/16
description *** Synology DS214+ NAS ***
switchport mode access
switchport nonegotiate
channel-group 2 mode active
spanning-tree portfast
!
interface GigabitEthernet1/0/17
description *** Synology DS214+ NAS ***
switchport mode access
switchport nonegotiate
channel-group 2 mode active
spanning-tree portfast
!
interface GigabitEthernet1/0/18
description *** Synology DS215+ NAS ***
switchport mode access
switchport nonegotiate
channel-group 1 mode active
spanning-tree portfast
!
interface GigabitEthernet1/0/19
description *** Synology DS215+ NAS ***
switchport mode access
switchport nonegotiate
channel-group 1 mode active
spanning-tree portfast
!
interface GigabitEthernet1/0/20
description Wireless
switchport trunk native vlan 2
switchport mode trunk
!
interface GigabitEthernet1/0/21
description Wireless
switchport trunk native vlan 2
switchport mode trunk
!
interface GigabitEthernet1/0/22
description Backup-Router-WiFi
switchport access vlan 2
switchport mode access
device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/0/23
description Backup-Router-Data
switchport mode access
device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/0/24
description To-Primary_Router
switchport mode trunk
!
interface GigabitEthernet1/1/1
device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/1/2
device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/1/3
device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/1/4
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/1
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/2
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/3
device-tracking attach-policy IPDT_POLICY
!
interface TenGigabitEthernet1/1/4
device-tracking attach-policy IPDT_POLICY
!
interface Vlan1
description Data Subnet 10.12.118.0/24
ip address 10.12.118.230 255.255.255.0
!
interface Vlan4
description Adyen Subnet 10.141.68.0/24
no ip address
!
interface Vlan2
description Wifi Subnet 10.12.168.0/24
ip address 10.12.168.230 255.255.255.0
!
ip default-gateway 10.12.118.245
no ip http server
no ip http secure-server
ip http client source-interface Vlan1
ip forward-protocol nd
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Vlan1
ip ssh logging events
ip ssh version 2
!
!
ip radius source-interface Vlan1
logging source-interface Vlan1
logging host 10.12.101.76
ip access-list standard 99
10 permit 10.12.100.211
20 permit 10.121.101.0 0.0.0.255
30 deny any
!
snmp-server community $AzXXXXX RO
snmp-server community nXXXXXXX RW
snmp-server community 84XXXXXX RO 99
snmp-server community RXXXXXXX RW 99
snmp-server community 2C:3F:0B:C9:D4:70 RW
snmp-server trap-source Vlan1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flowmon
snmp-server enable traps entity-perf throughput-notif
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps bfd
snmp-server enable traps license
snmp-server enable traps smart-license
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps rep
snmp-server enable traps memory bufferpeak
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps energywise
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps flash insertion removal lowspace
snmp-server enable traps power-ethernet group 1 threshold 80
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server enable traps udld link-fail-rpt
snmp-server enable traps udld status-change
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps port-security
snmp-server enable traps envmon
snmp-server enable traps stackwise
snmp-server enable traps dhcp
snmp-server enable traps event-manager
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps ipmulticast
snmp-server enable traps pimstdmib neighbor-loss invalid-register invalid-join-prune rp-mapping-change interface-election
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps errdisable
snmp-server enable traps vlan-membership
snmp-server enable traps transceiver all
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server enable traps rf
snmp-server host 10.12.101.76 version 2c 2C:3F:0B:C9:D4:70
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
!
radius server ISE1
address ipv4 10.121.102.215 auth-port 1812 acct-port 1813
timeout 10
key 7 121A0C041104
!
radius server ISE2
address ipv4 10.121.102.216 auth-port 1812 acct-port 1813
timeout 10
key 7 045802150C2E
!
radius server HKHHKLPSVCRAD01
address ipv4 10.12.101.59 auth-port 1812 acct-port 1813
timeout 10
key 7 01100F175804
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
password 7 000A4312100B0F0716
logging synchronous
login authentication NO_AUTH
stopbits 1
line aux 0
line vty 0 4
password 7 030A0B1F125F254D57
logging synchronous
login authentication SSH-LOGIN
transport input ssh
line vty 5 15
password 7 030A0B1F125F254D57
logging synchronous
login authentication SSH-LOGIN
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-@cisco.com
profile "Cisco"
active
destination transport-method http
ntp logging
ntp source Vlan1
ntp server 10.12.101.10
!
!
!
!
!
!
netconf-yang
netconf-yang feature candidate-datastore
telemetry ietf subscription 500
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_port_detail
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 501
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_module
receiver-type protocol
source-address 10.141.118.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 502
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_stack
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 503
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_switch
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 504
encoding encode-tdl
filter nested-uri /services;serviceName=ios_oper/platform_component;cname=0?platform_properties
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 30000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 550
encoding encode-tdl
filter tdl-uri /services;serviceName=smevent/sessionevent
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 551
encoding encode-tdl
filter tdl-uri /services;serviceName=sessmgr_oper/session_context_data
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 552
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/sisf_mac_oper_state
receiver-type protocol
source-address 10.141.118.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 553
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/sisf_db_wired_mac
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 554
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/cdp_neighbor_detail
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 555
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/cdp_neighbor_detail
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 600
encoding encode-tdl
filter tdl-uri /services;serviceName=sessmgr_oper/tbl_aaa_servers_stat
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 601
encoding encode-tdl
filter tdl-uri /services;serviceName=sessmgr_oper/tbl_aaa_servers_stat
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 602
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_emul_oper/lisp_routers;top_id=0/sessions
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 603
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/lisp_tcp_session_state
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 604
encoding encode-tdl
filter nested-uri /services;serviceName=ios_emul_oper/lisp_routers;top_id=0/instances;iid=0/af;iaftype=LISP_TDL_IAF_IPV4/lisp_publisher
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 605
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/lisp_pubsub_session_state
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 606
encoding encode-tdl
filter nested-uri /services;serviceName=ios_emul_oper/lisp_routers;top_id=0/remote_locator_sets;name=default-etr-locator-set-ipv4/rem_loc_set_rlocs_si
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 360000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 607
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/lisp_etr_si_type
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 608
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_emul_oper/cts_env_data
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 60000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 750
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_emul_oper/environment_sensor
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 30000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 751
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/platform_component
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 30000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 1020
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/install_status
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy on-change
receiver name DNAC_ASSURANCE_RECEIVER
telemetry ietf subscription 8882
encoding encode-tdl
filter tdl-transform trustSecCounterDelta
receiver-type protocol
source-address 10.12.118.230
stream native
update-policy periodic 90000
receiver name DNAC_ASSURANCE_RECEIVER
telemetry receiver protocol DNAC_ASSURANCE_RECEIVER
host ip-address 10.12.101.76 25103
protocol tls-native profile sdn-network-infra-iwan
telemetry transform trustSecCounterDelta
input table cts_rolebased_policy
field dst_sgt
field src_sgt
field sgacl_name
field monitor_mode
field num_of_sgacl
field policy_life_time
field total_deny_count
field last_updated_time
field total_permit_count
join-key cts_role_based_policy_key
logical-op and
type mandatory
uri /services;serviceName=ios_emul_oper/cts_rolebased_policy
operation 1
output-field 1
field cts_rolebased_policy.src_sgt
output-field 2
field cts_rolebased_policy.dst_sgt
output-field 3
field cts_rolebased_policy.total_permit_count
output-op type delta
output-field 4
field cts_rolebased_policy.total_deny_count
output-op type delta
output-field 5
field cts_rolebased_policy.sgacl_name
output-field 6
field cts_rolebased_policy.monitor_mode
output-field 7
field cts_rolebased_policy.num_of_sgacl
output-field 8
field cts_rolebased_policy.policy_life_time
output-field 9
field cts_rolebased_policy.last_updated_time
specified
end

 

PIAA 

 

 

 

 

 

8 Replies

One uses specific ports 1812/1813, the other not?

Maybe this is the issue here

MHM

keith-mk-li
Level 1

I see that both switches are using port 1812/1813; did you see one that is not?

ammahend
VIP Alumni

Your auth is set to use the local account for both switches; set it to use the ISE group and try "aaa authentication login default local"

-hope this helps-

keith-mk-li
Level 1

But why can switch 1 authenticate and switch 2 cannot, as both switches use the local account for auth? Do I need to change to the below?

 

Switch 1
aaa authentication login default local   <-->    aaa authentication login default ISE 
aaa authentication dot1x default group ISE
aaa authorization exec default local
aaa authorization network default group ISE
aaa accounting delay-start all
aaa accounting update newinfo
aaa accounting identity default start-stop group ISE
aaa accounting network default start-stop group ISE

 


Switch 2
aaa authentication login default local   <-->    aaa authentication login default ISE 
aaa authentication login NO_AUTH none
aaa authentication login SSH-LOGIN local
aaa authentication dot1x default group ISE
aaa authorization exec default local
aaa authorization network default group ISE
aaa accounting delay-start all
aaa accounting update newinfo
aaa accounting auth-proxy default start-stop group ISE

 

 

Do you use ISE for admin or for network access?

Share the output of "show aaa servers"

MHM
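
An added example (not part of any post in this thread, and not Cisco code): a small Python parser for "show aaa servers" output that pulls the per-server authentication counters and applies a few heuristic checks. The sample text is abridged from the outputs posted in this thread; the finding names and the 0.5 timeout threshold are assumptions of this example.

```python
import re

# Constructed sample: lines abridged from the "show aaa servers" outputs posted
# in this thread (one pager prompt is kept to show that it is tolerated).
SW1 = """\
RADIUS: id 1, priority 1, host 10.121.102.215, auth-port 1812, acct-port 1813, hostname ISE1
State: current UP, duration 4294967s, previous duration 0s
Authen: request 145239, timeouts 1573, failover 48, retransmission 1409
Response: accept 14616, reject 13513, challenge 115535
--More--   Transaction: success 143666, failure 176
Throttled: transaction 0, timeout 0, failure 0
Bad authenticators: 0
Dot1x transactions:
Transaction: total 8140, success 7919, failure 221
MAC auth transactions:
Transaction: total 20151, success 6692, failure 13459
RADIUS: id 2, priority 2, host 10.151.102.216, auth-port 1812, acct-port 1813, hostname ISE2
State: current UP, duration 4294967s, previous duration 0s
Authen: request 681, timeouts 529, failover 135, retransmission 378
Response: accept 6, reject 41, challenge 106
Dot1x transactions:
Transaction: total 136, success 2, failure 134
MAC auth transactions:
Transaction: total 65, success 4, failure 61
"""
SW2 = """\
RADIUS: id 1, priority 1, host 10.121.102.215, auth-port 1812, acct-port 1813, hostname ISE1
State: current UP, duration 190599s, previous duration 0s
Authen: request 8, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 8, challenge 0
Bad authenticators: 0
Dot1x transactions:
Transaction: total 0, success 0, failure 0
MAC auth transactions:
Transaction: total 0, success 0, failure 0
"""

HEADERS = {"Authen": "authen", "Author": "author", "Account": "account"}
SUBHEADERS = {"Dot1x transactions:": "dot1x",
              "MAC auth transactions:": "mab",
              "MAC author transactions:": "mab_author"}
PAIR = re.compile(r"([a-z]+) (\d+)")   # "request 8", "reject 8", ...
TIMEOUT_RATIO = 0.5                    # assumed threshold, not a Cisco value


def parse_aaa_servers(text):
    """Return one dict per RADIUS server with its counters grouped by section."""
    servers, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.replace("--More--", "").strip()   # drop pager residue
        if line.startswith("RADIUS: id"):
            m = re.search(r"host ([^,\s]+).*hostname (\S+)", line)
            cur = {"host": m.group(1), "name": m.group(2)}
            servers.append(cur)
            section = None
        elif cur is None:
            continue
        elif line.startswith("State: current"):
            cur["state"] = line.split()[2].rstrip(",")
        elif line in SUBHEADERS:
            section = SUBHEADERS[line]
            cur.setdefault(section, {})
        elif line.split(":", 1)[0] in HEADERS:
            name, rest = line.split(":", 1)
            section = HEADERS[name]
            cur.setdefault(section, {}).update(
                (k, int(v)) for k, v in PAIR.findall(rest))
        elif section and line.startswith(("Response:", "Transaction:")):
            # "Throttled:" lines are skipped on purpose: they reuse the word
            # "failure" and would overwrite the Transaction counter.
            cur[section].update((k, int(v)) for k, v in PAIR.findall(line))
        elif section and line.startswith("Bad authenticators:"):
            cur[section]["bad_authenticators"] = int(line.rsplit(None, 1)[1])
    return servers


def triage(server):
    """Heuristic findings for one server (labels are this example's own)."""
    a = server.get("authen", {})
    req = a.get("request", 0)
    answered = a.get("accept", 0) + a.get("reject", 0) + a.get("challenge", 0)
    port_auth = (server.get("dot1x", {}).get("total", 0)
                 + server.get("mab", {}).get("total", 0))
    findings = set()
    if answered:
        findings.add("SERVER_ANSWERS")     # the server replied to at least one request
        if a.get("reject", 0) == answered:
            findings.add("ONLY_REJECTS")   # every reply was an Access-Reject
        if port_auth == 0:
            findings.add("NO_PORT_AUTH")   # no 802.1X or MAB transaction was counted
    if req and a.get("timeouts", 0) / req > TIMEOUT_RATIO:
        findings.add("MOSTLY_TIMEOUTS")    # most requests went unanswered
    return findings


if __name__ == "__main__":
    for label, text in (("SW", SW1), ("SW2", SW2)):
        for srv in parse_aaa_servers(text):
            print(label, srv["name"], srv["host"], sorted(triage(srv)))
```

On the sample, the SW2 block comes back with SERVER_ANSWERS, ONLY_REJECTS and NO_PORT_AUTH: the server replied to all 8 requests, but none were counted as 802.1X or MAB transactions.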

keith-mk-li
Level 1

There you go

SW#sh aaa servers

RADIUS: id 1, priority 1, host 10.121.102.215, auth-port 1812, acct-port 1813, hostname ISE1
State: current UP, duration 4294967s, previous duration 0s
Dead: total time 0s, count 5
Platform State from SMD: current UP, duration 4294967s, previous duration 40s
SMD Platform Dead: total time 121143s, count 156
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
WNCD Platform Dead: total time 0s, count 0UP
Quarantined: No
Authen: request 145239, timeouts 1573, failover 48, retransmission 1409
Response: accept 14616, reject 13513, challenge 115535
Response: unexpected 0, server error 0, incorrect 0, time 306783502ms
Transaction: success 143666, failure 176
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Dot1x transactions:
Response: total responses: 123525, avg response time: 112ms
Transaction: timeouts 150, failover 28
Transaction: total 8140, success 7919, failure 221
MAC auth transactions:
Response: total responses: 20125, avg response time: 208ms
Transaction: timeouts 26, failover 20
Transaction: total 20151, success 6692, failure 13459
Author: request 4, timeouts 0, failover 0, retransmission 0
Response: accept 4, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 130ms
Transaction: success 4, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
MAC author transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Account: request 57868, timeouts 1045, failover 25, retransmission 1011
Request: start 11931, interim 33023, stop 11901
Response: start 11930, interim 33004, stop 11887
Response: unexpected 29, server error 0, incorrect 0, time 110ms
Transaction: success 56823, failure 34
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Elapsed time since counters last cleared: 14w2d11h44m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 144
SMD Platform : max 83, current 0 total 144
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Consecutive Timeouts: total 1386
SMD Platform : max 335, current 0 total 1386
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Requests per minute past 24 hours:
high - 1 hours, 58 minutes ago: 1
low - 11 hours, 43 minutes ago: 0
average: 0

RADIUS: id 2, priority 2, host 10.151.102.216, auth-port 1812, acct-port 1813, hostname ISE2
State: current UP, duration 4294967s, previous duration 0s
Dead: total time 0s, count 5
Platform State from SMD: current UP, duration 4294967s, previous duration 18000s
SMD Platform Dead: total time 224725s, count 36
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
WNCD Platform Dead: total time 0s, count 0UP
Quarantined: No
Authen: request 681, timeouts 529, failover 135, retransmission 378
Response: accept 6, reject 41, challenge 106
Response: unexpected 0, server error 0, incorrect 0, time 123ms
Transaction: success 153, failure 154
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Dot1x transactions:
Response: total responses: 112, avg response time: 115ms
Transaction: timeouts 130, failover 113
Transaction: total 136, success 2, failure 134
MAC auth transactions:
Response: total responses: 41, avg response time: 145ms
Transaction: timeouts 24, failover 22
Transaction: total 65, success 4, failure 61
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
MAC author transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Account: request 185, timeouts 128, failover 32, retransmission 94
Request: start 3, interim 51, stop 37
Response: start 3, interim 35, stop 19
Response: unexpected 0, server error 0, incorrect 0, time 114ms
Transaction: success 57, failure 34
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Elapsed time since counters last cleared: 14w2d11h43m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 164
SMD Platform : max 84, current 30 total 164
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Consecutive Timeouts: total 579
SMD Platform : max 336, current 86 total 579
WNCD Platform: max 0, current 0 total 0
--More--   IOSD Platform : max 0, current 0 total 0
Requests per minute past 24 hours:
high - 11 hours, 43 minutes ago: 0
low - 11 hours, 43 minutes ago: 0
average: 0

 

 

 

====================================================================

 

SW2#sh aaa servers

RADIUS: id 1, priority 1, host 10.121.102.215, auth-port 1812, acct-port 1813, hostname ISE1
State: current UP, duration 190599s, previous duration 0s
Dead: total time 0s, count 8
Platform State from SMD: current UP, duration 4294967s, previous duration 0s
SMD Platform Dead: total time 18000s, count 3
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
WNCD Platform Dead: total time 0s, count 0UP
Quarantined: No
Authen: request 8, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 8, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 118ms
Transaction: success 8, failure 0
--More--   Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Dot1x transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
MAC auth transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
MAC author transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
--More--   Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Elapsed time since counters last cleared: 2d4h56m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Consecutive Timeouts: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Requests per minute past 24 hours:
high - 1 hours, 50 minutes ago: 7
--More--   low - 4 hours, 56 minutes ago: 0
average: 0

RADIUS: id 2, priority 2, host 10.151.102.216, auth-port 1812, acct-port 1813, hostname ISE2
State: current UP, duration 190702s, previous duration 0s
Dead: total time 0s, count 5
Platform State from SMD: current UP, duration 4294967s, previous duration 39641s
SMD Platform Dead: total time 18000s, count 2
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
WNCD Platform Dead: total time 0s, count 0UP
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
--More--   Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Dot1x transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
MAC auth transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
MAC author transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
--More--   Transaction: total 0, success 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Elapsed time since counters last cleared: 2d4h58m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Consecutive Timeouts: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
--More--   Requests per minute past 24 hours:
high - 4 hours, 58 minutes ago: 0
low - 4 hours, 58 minutes ago: 0
average: 0

RADIUS: id 3, priority 3, host 10.12.101.59, auth-port 1812, acct-port 1813, hostname HKHHKLPSVCRAD01
State: current UP, duration 190597s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 4294967s, previous duration 0s
SMD Platform Dead: total time 0s, count 0
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP
Platform State from WNCD (6) : current UP
Platform State from WNCD (7) : current UP
Platform State from WNCD (8) : current UP, duration 0s, previous duration 0s
WNCD Platform Dead: total time 0s, count 0UP
Quarantined: No
--More--   Authen: request 1, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 1, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 92ms
Transaction: success 1, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Dot1x transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
MAC auth transactions:
Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
MAC author transactions:
--More--   Response: total responses: 0, avg response time: 0ms
Transaction: timeouts 0, failover 0
Transaction: total 0, success 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Malformed responses: 0
Bad authenticators: 0
Elapsed time since counters last cleared: 2d4h56m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Consecutive Response Failures: total 0
SMD Platform : max 0, current 0 total 0
WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Consecutive Timeouts: total 0
SMD Platform : max 0, current 0 total 0
--More--   WNCD Platform: max 0, current 0 total 0
IOSD Platform : max 0, current 0 total 0
Requests per minute past 24 hours:
high - 4 hours, 56 minutes ago: 0
low - 4 hours, 56 minutes ago: 0
average: 0

Piaa 

I think, for the issue with SW2, you can see that SW2 sends to ISE1 and all requests are rejected, so the issue is with ISE, not with the SW.

Authen: request 8, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 8, challenge 0
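
The counter reading in the reply above can be scripted. This is an added example, not part of the original thread: a Python parser for `show aaa servers` text that strips `--More--` pager residue and classifies each server's Authen counters. The hostnames and addresses in the sample are constructed placeholders, the counter values are copied from the output pasted in this thread, and the triage labels and thresholds are assumptions.

```python
import re

# Constructed sample: counters copied from the thread, hosts are placeholders.
SAMPLE = """\
RADIUS: id 1, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813, hostname EXAMPLE-A
Authen: request 681, timeouts 529, failover 135, retransmission 378
--More--   Response: accept 6, reject 41, challenge 106
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
RADIUS: id 2, priority 2, host 192.0.2.11, auth-port 1812, acct-port 1813, hostname EXAMPLE-B
Authen: request 8, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 8, challenge 0
--More--   Account: request 0, timeouts 0, failover 0, retransmission 0
"""

PAGER = re.compile(r"^\s*--More--\s*")

def parse_aaa_servers(text):
    """Return {hostname: Authen counters} from 'show aaa servers' output."""
    servers, cur, section = {}, None, None
    for raw in text.splitlines():
        line = PAGER.sub("", raw).strip()          # drop pager residue
        m = re.match(r"RADIUS: id \d+.*hostname (\S+)", line)
        if m:
            cur, section = servers.setdefault(m.group(1), {}), None
            continue
        if cur is None:
            continue
        head = line.split(":", 1)[0]
        if head in ("Authen", "Author", "Account"):
            section = head                          # track which block we are in
        if section != "Authen":
            continue                                # ignore Author/Account counters
        if head == "Authen" or line.startswith("Response: accept"):
            for key, val in re.findall(r"(\w+) (\d+)", line.split(":", 1)[1]):
                cur[key] = int(val)
    return servers

def triage(c):
    """Classify one server's Authen counters (labels are this example's own)."""
    req, timeouts = c.get("request", 0), c.get("timeouts", 0)
    if req == 0:
        return "no-requests"
    if timeouts * 2 > req:
        return "mostly-timeouts"   # switch is not getting answers back
    if c.get("reject", 0) and not (c.get("accept", 0) or c.get("challenge", 0)):
        return "all-rejects"       # server answers but refuses: read ISE Live Logs
    return "mixed"

if __name__ == "__main__":
    for name, counters in parse_aaa_servers(SAMPLE).items():
        print(name, triage(counters), counters)
```
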

Arne Bier
VIP

@keith-mk-li  - just a few suggestions when providing show run output from devices. Your output is very long and hard to read because of the paging breaks. It's helpful to always issue this command when there is more than one page/screen of output involved

terminal length 0

Next, you can restrict the output just for your RADIUS config, by using the command

show run | section radius
show run | in aaa

That narrows it down a lot. But in fairness showing us the interface and additional lines of config is useful.

From your output I can see that on switch 2 you didn't explicitly set an access VLAN on any of your interfaces. In a non-NAC configuration, the IOS would default to VLAN 1. Please set an access vlan (unless it's VLAN 1, which would be the implied default)

Is the L3 address of Vlan1 (10.12.118.230) the correct source interface to be used for RADIUS, and is this also the IP address configured in ISE for SW2?  It's messy - you are using that for users and for network management?

From the "show aaa servers" you can see a bunch of rejects from ISE. What is ISE reporting in the Live Logs details?

RADIUS shared secret in switch2 and ISE match?