ISE Integration queries with Catalyst Switch

hashimwajid1
Level 3

Hi,

I have the queries below regarding ISE integration with a Catalyst switch (9300 etc.) for AAA and 802.1X.

1- Is it true that we can use the Catalyst dedicated OOB management port for AAA/TACACS only?

2- But we cannot use the Catalyst dedicated OOB management interface for 802.1X, as it requires an in-band SVI to communicate with ISE because port authentication needs to check the default VRF. (Please correct me.)

Accepted Solution

@hashimwajid1 you can use the mgmt port for AAA communication (RADIUS and TACACS), as long as routing is set up to allow the communication. The user ports configured with 802.1X don't need to be in the same VRF as the RADIUS source interface, as it's the switch's source interface that communicates with RADIUS for authentication.

https://community.cisco.com/t5/network-access-control/radius-over-vrf/td-p/4106242


4 Replies


Thanks for the answer.

Does that mean that even if I just assign an IP to the OOB Mgmt. interface, that will be more than enough to handle 802.1X/MAB and device admin traffic? No in-band SVI?

@hashimwajid1 Yes, the mgmt interface is enough to do the RADIUS/TACACS authentications. You do need to do more than just assign an IP address to the mgmt interface though; you need the routing and connectivity in place etc.

Apart from all the usual routing stuff you need, involving a VRF in management processes such as RADIUS, TACACS, NTP, DNS, etc. requires careful configuration to always quote the VRF in all of these cases. One case that always catches me out is the RADIUS CoA on Catalysts - e.g.

aaa server radius dynamic-author
 client 172.16.0.100 vrf Mgmt-vrf server-key .....

and

aaa group server radius dnac-client-radius-group
 server name dnac-radius_172.16.0.100
 ip radius source-interface Vlan6
 ip vrf forwarding Mgmt-vrf
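Pulling the pieces from this thread together, here is an added, complete example config (not posted by anyone in the thread) of RADIUS, accounting and CoA sourced from the 9300 OOB port in Mgmt-vrf, with the user-facing access port left in the default VRF. Assumed values: ISE at 172.16.0.100 as quoted in the thread, the mgmt port GigabitEthernet0/0 with a constructed address, placeholder gateway and shared secret in angle brackets, and classic authentication-manager syntax on the access port.

```ios
! Added example config (not from the thread); placeholders in <angle brackets>.
! OOB management port: on a Catalyst 9300 it sits in Mgmt-vrf by default.
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 172.16.0.10 255.255.255.0
 no shutdown
! Routing inside Mgmt-vrf so the switch itself can reach ISE (placeholder gateway).
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 <mgmt-gateway>
!
aaa new-model
! ISE PSN; address taken from the thread.
radius server ISE-PSN1
 address ipv4 172.16.0.100 auth-port 1812 acct-port 1813
 key <shared-secret>
! Server group: the VRF and the source interface must BOTH be set here,
! otherwise RADIUS is sourced from the global table and never reaches ISE.
aaa group server radius ISE-GROUP
 server name ISE-PSN1
 ip vrf forwarding Mgmt-vrf
 ip radius source-interface GigabitEthernet0/0
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
! CoA listener: the VRF has to be quoted per client, the pitfall noted above.
aaa server radius dynamic-author
 client 172.16.0.100 vrf Mgmt-vrf server-key <shared-secret>
 auth-type any
!
dot1x system-auth-control
! User-facing port stays in the global (default) VRF; only the switch's
! RADIUS source interface lives in Mgmt-vrf.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

Check reachability from inside the VRF before enabling the access port: `ping vrf Mgmt-vrf 172.16.0.100`, then `test aaa group ISE-GROUP <user> <password> new-code` to confirm the switch can actually authenticate against ISE over that path.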