ISE Authenticator MAB config - Cisco 2906X

r1127hyduk
Level 4

Hello team,

Does anyone have a basic script or lessons learned guide to share regarding configuration of MAB for an ISE server and authenticator switch? The request includes policy set, authentication / authorization variables for the ISE server and detail for the authenticator switch - (aaa commands, are there any concerns configuring tacacs device variables and a radius for aaa commands for a 2960 switch)?

 

sample

aaa authentication login default local group tacacs+
aaa authorization exec default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

 

and then have the following for radius?

 

ip radius source-interface vlan520
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
aaa group server radius ISE
 server name ISE-AAA
 ip radius source-interface vlan520
!
aaa authentication login default local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE

Question - what impact if any will there be for aaa authentication based on these variables?

What would a sample interface look like?

switchport access vlan 520
switchport mode access
device-tracking attach-policy DT
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10

More questions to follow … thanks in advance for replies.

 


3 Replies

Greg Gibbs
Cisco Employee

The command structure you referenced is based on the legacy IBNS framework which has severe caveats and limitations. The Cat 2960X supports the IBNS 2.0 framework, so you should strongly consider using that structure as per the ISE Secure Wired Access Prescriptive Deployment Guide.

The guide is nice; however, do you have examples of switch configs?

That guide is full of both legacy IBNS and IBNS 2.0 switch configuration examples. There are also switch configuration examples in the ISE Admin Guide, but the ones in the Prescriptive Deployment Guide are more recently updated based upon best practice.
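
The original post asks what happens when both `aaa authentication login default` lines are entered. As an added example (not from the thread or from Cisco), this Python check flags AAA method lists that are defined more than once, since IOS keeps only the last definition of a given list, and `server name` references with no matching `radius server` block in the pasted text. The function names and the lowercased sample are constructed for illustration; the sample reuses the AAA lines from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the AAA lines from the post above, lowercased, in posted order.
SAMPLE_CONFIG = """\
aaa authentication login default local group tacacs+
aaa authorization exec default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa group server radius ISE
 server name ISE-AAA
 ip radius source-interface vlan520
aaa authentication login default local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
"""

# aaa <function> <service> [<privilege level>] <list name> <methods ...>
AAA_LIST = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+) (.+)$",
    re.IGNORECASE)

def parse_method_lists(config):
    """Map (function, service, level, list name) to every definition, in order."""
    lists = defaultdict(list)
    for line in config.splitlines():
        m = AAA_LIST.match(line.strip())
        if m:
            func, service, level, name, methods = m.groups()
            key = (func.lower(), service.lower(), level, name)
            lists[key].append(methods.split())
    return lists

def find_overrides(config):
    """Method lists entered more than once; IOS keeps only the last definition."""
    findings = []
    for key, defs in parse_method_lists(config).items():
        if any(d != defs[-1] for d in defs[:-1]):
            findings.append({"list": " ".join(k for k in key if k),
                             "effective": defs[-1], "replaced": defs[:-1]})
    return findings

def undefined_radius_servers(config):
    """'server name X' references with no 'radius server X' block in this text."""
    used = set(re.findall(r"^\s*server name (\S+)", config, re.I | re.M))
    defined = set(re.findall(r"^radius server (\S+)", config, re.I | re.M))
    return sorted(used - defined)

if __name__ == "__main__":
    print(find_overrides(SAMPLE_CONFIG), undefined_radius_servers(SAMPLE_CONFIG))
```

On the sample, the login default list ends up as `local` only, so the TACACS+ method from the first line is no longer consulted for device logins; the `ISE-AAA` finding only means the `radius server` block was not part of the pasted text.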