Wired 802.1x

Hi All,

I have recently done a wired 802.1x implementation and it seems everything is working fine, but I would still request that you kindly suggest what more can be done in the below-mentioned script.

ISE :-2.3 patch 2,3,5

L2 SW:- 2960 series

IOS Ver :- 15.2

 

===================================================================

L2 Switch Global level 802.1x commands:-

 

aaa group server radius ISE
server name ISE-ISE
ip radius source-interface vlan 5
!
aaa authentication login default local enable
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
!
aaa server radius dynamic-author
client 10.10.10.71 server-key 7 090D40031B
server-key 7 0152080E59
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server deadtime 30
!
ip radius source-interface Vlan5
!
radius server ISE-ISE
address ipv4 10.10.10.71 auth-port 1812 acct-port 1813
key 7 086042440B

 

===============================================================================

L2 Switch USERS INTERFACE LEVEL 802.1x commands:-

switchport mode access
authentication open
authentication event fail action next-method
authentication control-direction in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast

================================================================

 

Regards

Amit

Accepted Solution

Mike.Cifelli
VIP Alumni
At some point you will want to replace authentication open with authentication closed. In doing so you will want to create some sort of Base ACL for your interface config that then later gets overridden by something like a dacl upon successful authc/authz. Something else to consider is to determine whether or not you want to configure dot1x max-reauth-req to statically configure how many times it re-sends request-identity frames. One quick last thing to consider is to maybe configure an auth fail vlan via the authentication event fail action authorize vlan ## and move hosts into a restricted area upon failure. This all depends on your requirements. Good luck & HTH!

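For reference, here is what the accepted answer's suggestions look like applied to the original interface config. This is an added example, not configuration from the original post or from Cisco; the ACL name, interface, VLAN numbers and addresses are assumptions. Closed mode on classic IOS means simply omitting the "authentication open" line; "authentication event fail action authorize vlan" replaces the "next-method" fail action, because both are alternatives of the same command. The pre-auth ACL only admits DHCP, DNS and ICMP until ISE returns a dACL that overrides it.

```cisco
! Added example (not the original poster's config). Names/VLANs/addresses are assumed.
!
! --- Global: prerequisites for 802.1x and for dACL override on a 2960 ---
dot1x system-auth-control
ip device tracking
radius-server vsa send authentication
radius-server vsa send accounting
!
! Pre-authentication ACL: what an unauthenticated host may do.
! ISE replaces it with a dACL on successful authc/authz.
ip access-list extended PRE-AUTH
 remark Assumed minimal pre-auth policy: DHCP, DNS, ICMP only
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 deny ip any any
!
! --- User access port in closed mode (no "authentication open") ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 ! On dot1x failure, send the host to a restricted VLAN (999 is assumed)
 authentication event fail action authorize vlan 999
 authentication control-direction in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 ! Cap how many times EAP Request-Identity is re-sent before giving up
 dot1x max-reauth-req 2
 spanning-tree portfast
```

Check the result with "show authentication sessions interface GigabitEthernet1/0/1 details": an authorized session should list the dACL name returned by ISE instead of PRE-AUTH, and a failed session should show VLAN 999. Note that the posted global config keeps RADIUS keys as type 7, which is reversible obfuscation rather than encryption, so the running config should be treated as sensitive.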
