341 Views | 2 Helpful | 1 Replies

How to set port-based dot1x authentication list

Greetings,

I have several different radius providers for the same campus (one new and one legacy) and need to choose which one to interrogate depending on the port used. For this case I am using a C9300 catalyst switch.

I have found out how to define multiple server groups, as well as how to attach these groups to a specific authentication method list:

! Note: IOS-XE needs the address-family keyword (ipv4/ipv6) on the address line
radius server External1
 address ipv4 [IP1]
 key [password]
radius server External2
 address ipv4 [IP2]
 key [password]
radius server Internal1
 address ipv4 [IP3]
 key [password]
radius server Internal2
 address ipv4 [IP4]
 key [password]
!
aaa group server radius Internal-group
 server name Internal1
 server name Internal2
aaa group server radius External-group
 server name External1
 server name External2
!
aaa authentication dot1x Internal group Internal-group
aaa authentication dot1x External group External-group

However, I cannot find how to attach the method list to a specific group.

The documentation on the topic mentions the following:

> To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the method that is to be used in default situations. The default method list is automatically applied to all ports. 

That seems to mean it is possible to set up a different method list on a port, but there is no "dot1x authentication list" or similar command in the interface CLI.

Best regards,

Tancrede

Accepted Solution

@maintenanceciscoitni you can configure differentiated authentication based on the port using IBNS 2.0 syntax; this will allow you to authenticate endpoints to different AAA servers based on the interface configuration.

Refer to this Cisco ISE Wired prescriptive guide - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--409339797
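The following is an added example of the IBNS 2.0 approach described in the answer; it is not configuration from the original poster, the answerer or the linked guide. It reuses the question's server groups (Internal-group, External-group) and method lists (Internal, External); the IP addresses, shared keys, interface numbers and policy-map names are placeholders. The per-port selection is done by the `service-policy type control subscriber` applied on each interface, whose `authenticate using dot1x aaa authc-list` action names the method list, and therefore the RADIUS group, that port's supplicants are sent to.

```ios
! Added example (not from the original post or answer). Assumes the
! question's groups and lists; IPs, keys and interface names are placeholders.
aaa new-model
dot1x system-auth-control
!
radius server Internal1
 address ipv4 [IP3] auth-port 1812 acct-port 1813
 key [password]
radius server External1
 address ipv4 [IP1] auth-port 1812 acct-port 1813
 key [password]
!
aaa group server radius Internal-group
 server name Internal1
aaa group server radius External-group
 server name External1
!
! One named dot1x authentication list per server group.
aaa authentication dot1x Internal group Internal-group
aaa authentication dot1x External group External-group
!
! Mark an unreachable server dead quickly so a failing legacy server
! does not stall authentications on the ports that use it.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! Switch the CLI to IBNS 2.0 (new-style) syntax; the policy-map and
! access-session commands below are only accepted afterwards. The
! conversion is one-way, so save a copy of the running config first.
authentication convert-to new-style
!
! Control policy for ports served by the new RADIUS servers.
policy-map type control subscriber POLICY-INTERNAL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list Internal priority 10
!
! Same structure, but this one sends supplicants to the legacy servers.
policy-map type control subscriber POLICY-EXTERNAL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list External priority 10
!
! Per-port selection: the service-policy chooses the method list.
interface GigabitEthernet1/0/1
 description Port authenticated against Internal-group
 switchport mode access
 access-session port-control auto
 access-session host-mode multi-auth
 dot1x pae authenticator
 service-policy type control subscriber POLICY-INTERNAL
!
interface GigabitEthernet1/0/2
 description Port authenticated against External-group
 switchport mode access
 access-session port-control auto
 access-session host-mode multi-auth
 dot1x pae authenticator
 service-policy type control subscriber POLICY-EXTERNAL
```

To confirm which policy and server group a port is actually using, `show access-session interface GigabitEthernet1/0/1 details` shows the applied control policy and the method state per session, and `show aaa servers` shows per-server request counters and dead/alive state, so a port that is silently hitting the wrong group or a dead server is visible without packet capture.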
