hoaithanhdo
Beginner

dot1X authentication switch c2960s with aruba clearpass as a radius

Hello bros,

My manager planned to use dot1x port-based authentication on the C2960S switch with Aruba ClearPass as the RADIUS server. While we wait for the Aruba ClearPass server to be set up, I have configured the switch as below. Could you take a look and give me your opinion?

 

aaa new-model
aaa session-id common
aaa group server radius ClearPass-RADIUS
 server-private 10.92.a.b auth-port 1812 acct-port 1813 key abc@123

aaa authentication dot1x default group ClearPass-RADIUS
aaa authorization network default group ClearPass-RADIUS
aaa accounting dot1x default start-stop group ClearPass-RADIUS

dot1x system-auth-control

aaa server radius dynamic-author
 port 3799
 auth-type all
 client 10.92.a.b server-key abc@123

radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 11 default direction in

interface range GigabitEthernet 1/0/1
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x supplicant tx-period 15
 dot1x max-reauth-req 1

Accepted Solution
Rob Ingram
VIP Expert

@hoaithanhdo 

You probably want to enable periodic updates globally.

aaa accounting update newinfo periodic 2880

The timers configured under the interface are a bit long; Cisco recommends the following:

c9300-Sw(config-if)#dot1x timeout tx-period 7
c9300-Sw(config-if)#dot1x max-reauth-req 3

Enable the following timer settings under the interfaces:

c9300-Sw(config-if)# authentication periodic
c9300-Sw(config-if)# authentication timer inactivity server dynamic

You can find more Cisco best practice information at the link below (obviously ignore the ISE configuration, but in the main the switch configuration should apply).

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515


5 Replies

Hello,

I am using the switch C2960S. Are your commands still OK?

Sincerely!

Thanks!

 

@hoaithanhdo I don't have a 2960s to test, but I don't see why not. Those commands aren't new.

balaji.bandi
VIP Guru

At a high level it seems to be good, but to use priority:

 

authentication priority dot1x mab

 

But again, the config needs to be tested against the server when it is live. It may work as expected, but for any issue you need to capture debug logs.

 

BB

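The points raised in the two replies above (interim accounting updates, the dot1x tx-period and max-reauth-req values, periodic reauthentication, the server-driven inactivity timer, and an explicit dot1x/mab priority) are the kind of thing worth checking mechanically before a port is moved to production. The script below is an added example, not code from Cisco, Aruba or any poster in this thread: it parses an IOS-style config into global and per-interface lines and reports which of those settings are missing or deviate from the values quoted in the thread. The sample config is constructed from the original post (10.92.a.b and abc@123 are the poster's own placeholders); the IOS default timer values, the recommended values, and the fallback-time formula are stated as assumptions in the comments.

```python
"""Audit a Cisco IOS 802.1X/MAB port configuration for the points raised in
this thread.  Added example, not Cisco, Aruba or a poster's code.  The config
text is constructed from the original post; 10.92.a.b and abc@123 are the
poster's own placeholders, not real values."""

import re

# Recommended values as quoted in the thread (tx-period 7, max-reauth-req 3).
RECOMMENDED_TX_PERIOD = 7
RECOMMENDED_MAX_REAUTH_REQ = 3
IOS_DEFAULT_TX_PERIOD = 30        # assumed IOS default when the command is absent
IOS_DEFAULT_MAX_REAUTH_REQ = 2    # assumed IOS default when the command is absent

# Constructed sample, modelled on the original post.
SAMPLE_CONFIG = """\
aaa new-model
aaa session-id common
aaa group server radius ClearPass-RADIUS
 server-private 10.92.a.b auth-port 1812 acct-port 1813 key abc@123
aaa authentication dot1x default group ClearPass-RADIUS
aaa authorization network default group ClearPass-RADIUS
aaa accounting dot1x default start-stop group ClearPass-RADIUS
dot1x system-auth-control
aaa server radius dynamic-author
 client 10.92.a.b server-key abc@123
 port 3799
 auth-type all
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
"""

# The same config with the thread's recommendations applied.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "dot1x system-auth-control\n",
    "dot1x system-auth-control\naaa accounting update newinfo periodic 2880\n",
).replace(
    " dot1x timeout tx-period 10\n dot1x max-reauth-req 1\n",
    " dot1x timeout tx-period 7\n dot1x max-reauth-req 3\n"
    " authentication periodic\n"
    " authentication timer inactivity server dynamic\n"
    " authentication priority dot1x mab\n",
)


def parse_ios(text):
    """Split an IOS config into global lines and per-interface sub-commands.
    Indented lines under non-interface blocks (aaa group, dynamic-author)
    stay in the global list so global checks can still see them."""
    global_lines, interfaces = [], {}
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level command
            m = re.match(r"interface\s+(.+)$", line)
            current_if = m.group(1) if m else None
            if current_if is not None:
                interfaces[current_if] = []
                continue
        if current_if is not None:
            interfaces[current_if].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def first_match(lines, pattern):
    """Return the re.Match of the first line matching pattern, else None."""
    rx = re.compile(pattern)
    for line in lines:
        m = rx.match(line)
        if m:
            return m
    return None


def dot1x_fallback_seconds(tx_period, max_reauth_req):
    """Approximate wait before a port with no supplicant falls to the next
    method (MAB): (max-reauth-req + 1) * tx-period.  Assumed formula,
    ignoring supp-timeout."""
    return (max_reauth_req + 1) * tx_period


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    g, ifs = parse_ios(text)
    findings = []
    if not first_match(g, r"aaa new-model$"):
        findings.append("global: 'aaa new-model' missing")
    if not first_match(g, r"dot1x system-auth-control$"):
        findings.append("global: 'dot1x system-auth-control' missing, 802.1X is off")
    if not first_match(g, r"aaa accounting update newinfo periodic \d+$"):
        findings.append("global: no 'aaa accounting update newinfo periodic', "
                        "the RADIUS server gets no interim session updates")
    if not first_match(g, r"aaa server radius dynamic-author$"):
        findings.append("global: no dynamic-author client, CoA from the server cannot work")
    for name, sub in ifs.items():
        if not first_match(sub, r"authentication port-control auto$"):
            continue  # not an access-controlled port, nothing to check
        m = first_match(sub, r"dot1x timeout tx-period (\d+)$")
        tx = int(m.group(1)) if m else IOS_DEFAULT_TX_PERIOD
        m = first_match(sub, r"dot1x max-reauth-req (\d+)$")
        reauth = int(m.group(1)) if m else IOS_DEFAULT_MAX_REAUTH_REQ
        if (tx, reauth) != (RECOMMENDED_TX_PERIOD, RECOMMENDED_MAX_REAUTH_REQ):
            findings.append(f"{name}: tx-period {tx}/max-reauth-req {reauth} "
                            f"(MAB fallback ~{dot1x_fallback_seconds(tx, reauth)}s); "
                            f"recommended {RECOMMENDED_TX_PERIOD}/{RECOMMENDED_MAX_REAUTH_REQ}")
        for cmd, why in (
            ("authentication periodic", "no periodic reauthentication"),
            ("authentication timer inactivity server dynamic", "inactivity timer not taken from the server"),
            ("authentication priority dot1x mab", "dot1x/mab priority not set explicitly"),
            ("mab", "MAB not enabled"),
            ("dot1x pae authenticator", "port is not a dot1x authenticator"),
        ):
            if not first_match(sub, re.escape(cmd) + "$"):
                findings.append(f"{name}: '{cmd}' missing ({why})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"== {label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it against a `show running-config` capture pasted into `SAMPLE_CONFIG` to get the same report for a real switch; the original config yields five findings and the hardened copy none. The checks are deliberately string-level, so a command that IOS stores in a different form (for example a default that is not shown in the running-config) would need its pattern adjusted.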

Thanks bros.
