4145 Views | 25 Helpful | 7 Replies

ISE C3PL Switch Configuration

lilianamartinez
Level 1

Hi everyone, 

I have new-style switches and we are deploying DOT1X auth with Cisco AnyConnect. I'm using the following script, but users have internet access even when they are not authenticating; in legacy mode it works correctly. I would like to know if something is missing.


!
aaa new-model
!
!
aaa group server radius ISE
server name ISE1
server name ISE2
deadtime 15
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE
!
aaa server radius dynamic-author
client 10.x.x.x1 server-key xxxxxxxxxx
client 10.x.x.x2 server-key xxxxxxxxxx
server-key xxxxxxxxxx
!
aaa session-id common
!
login on-success log
access-session mac-move deny
epm logging
no device-tracking logging theft
device-tracking tracking
!
dot1x system-auth-control
dot1x critical eapol
!
policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event agent-found match-all
10 class always do-all
10 authenticate using dot1x
!
service-policy type control subscriber DOT1X-DEFAULT
!
ip http server
no ip http port 8080
ip http authentication local
ip http secure-server
ip http active-session-modules none
ip http client source-interface Vlan15
!
ip access-list extended ISE-REDIRECT
10 deny ip any host 10.x.x.x1
20 deny ip any host 10.x.x.x2
30 deny udp any any eq domain
40 permit tcp any any eq www
50 permit tcp any any eq 443
!
ip radius source-interface Vlan45
logging origin-id ip
logging source-interface Vlan45
logging host 10.x.x.x1 transport udp port 20514
logging host 10.x.x.x2 transport udp port 20514
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 30
radius-server load-balance method least-outstanding
!
radius server ISE1
address ipv4 10.x.x.x1 auth-port 1812 acct-port 1813
timeout 2
retransmit 1
key xxxxxxxxxx
!
radius server ISE2
address ipv4 10.x.x.x2 auth-port 1812 acct-port 1813
timeout 2
retransmit 1
key xxxxxxxxxxx
!