Authenticate my switch using ISE server

schadracpierre
Level 1

Hello everyone,

I am trying to configure my switch so everyone who has an account on my AD can log in using the ISE authentication server. I use DMVPN between my spokes and the Hub. All my spoke routers and hub devices are well configured and can use my ISE to log in, except my switches behind my spoke routers. Here is the configuration of one switch:

SPOKE-3-CORE#sh run
Building configuration...

Current configuration : 3139 bytes
!
! Last configuration change at 13:58:14 UTC Tue Sep 19 2023 by test
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SPOKE-3-CORE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$f7H2$UCn.F1lPhqTRgQeH8wJts.
!
username test privilege 15 secret 5 $1$P1pM$xKL/W5qLN.ZWbtOqFZsCC1
aaa new-model
!
!
aaa group server radius ISE
server 10.10.10.12
ip radius source-interface Loopback10
!
aaa authentication login default local group ISE
aaa authentication dot1x default group ISE
aaa authorization console
aaa authorization exec default local group ISE
aaa authorization network default group ISE
aaa accounting update newinfo
aaa accounting dot1x default start-stop group ISE
aaa accounting exec default start-stop group ISE
!
aaa server radius dynamic-author
client 10.10.10.12 server-key C!sc0
!
aaa session-id common
!
ip dhcp excluded-address 10.10.13.9 10.10.13.12
ip dhcp excluded-address 10.10.13.17 10.10.13.20
ip dhcp excluded-address 10.10.13.25 10.10.13.28
!
ip dhcp pool DATA
network 10.10.13.8 255.255.255.248
default-router 10.10.13.9
domain-name techplus.edu.org
dns-server 10.10.10.10 8.8.8.8
option 150 ip 10.10.13.9
lease 0 8
!
ip dhcp pool VoIP
network 10.10.13.16 255.255.255.248
default-router 10.10.13.17
domain-name techplus.edu.org
dns-server 10.10.10.10 8.8.8.8
option 150 ip 10.10.13.17
lease 0 8
!
ip dhcp pool IT
network 10.10.13.24 255.255.255.248
default-router 10.10.13.25
domain-name techplus.edu.org
dns-server 10.10.10.10 8.8.8.8
option 150 ip 10.10.13.25
lease 0 8
!
!
no ip domain-lookup
ip domain-name techplus.edu.org
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface Loopback10
ip address 10.3.255.9 255.255.255.255
!
interface Ethernet0/0
description "Interface towards the router"
no switchport
ip address 10.10.13.2 255.255.255.252
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
!
interface Ethernet0/2
switchport access vlan 20
switchport mode access
!
interface Ethernet0/3
switchport access vlan 30
switchport mode access
!
interface Vlan10
ip address 10.10.13.9 255.255.255.248
!
interface Vlan20
ip address 10.10.13.17 255.255.255.248
!
interface Vlan30
ip address 10.10.13.25 255.255.255.248
!
!
router eigrp 10
network 10.0.0.0 255.255.0.0
network 192.168.1.0 255.255.255.0
!
ip forward-protocol nd
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 10.10.13.1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
ip radius source-interface Loopback10
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
!
radius server ISE
address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
key C!sc0
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
monitor session 1 source interface Et0/0
!
!
end


Please provide any thoughts you think might help.

 

TIA


Hello


@schadracpierre wrote:

*Sep 20 23:24:07.693: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.10.12:1812,1813 is not responding.
*Sep 20 23:24:07.693: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.10.12:1812,1813 is being marked alive.
% Authentication failed

But I used to have that on other equipment I used to log in to as well. Just to let you know.


Got to ask, is the ISE then compatible with this make of switch?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
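A small detector for the RADIUS_DEAD / RADIUS_ALIVE messages quoted above, added here as an example and not part of the thread: it parses IOS syslog lines of that shape and reports a server that is marked dead and alive again within a short window, which is the flapping the log shows before the tunnel fix. The sample lines are constructed from the thread's messages, and the year (2023) is assumed because IOS timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the IOS syslog lines quoted in the thread:
# the first three lines are the thread's own, the last two are made up to show a
# slow recovery that should not count as a flap.
SAMPLE_LOG = """\
*Sep 20 23:24:07.693: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.10.12:1812,1813 is not responding.
*Sep 20 23:24:07.693: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.10.12:1812,1813 is being marked alive.
% Authentication failed
*Sep 20 23:25:10.001: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.10.12:1812,1813 is not responding.
*Sep 20 23:26:55.120: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.10.12:1812,1813 is being marked alive.
"""

# IOS timestamps carry no year and pad single-digit days with a second space.
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%RADIUS-4-RADIUS_(?P<state>DEAD|ALIVE): RADIUS server "
    r"(?P<server>\d{1,3}(?:\.\d{1,3}){3}):\d+,\d+"
)


def parse_radius_events(text, year=2023):
    """Return (timestamp, server, state) for each RADIUS_DEAD/ALIVE line.
    The year is assumed (syslog gives none); 2023 matches the thread."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # e.g. "% Authentication failed" is not a server-state line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append((ts, m["server"], m["state"]))
    return events


def find_flaps(events, window_seconds=60):
    """Pair each DEAD with the next ALIVE of the same server; return the pairs
    that resolve within window_seconds as (server, dead_ts, alive_ts, secs).
    A pair only seconds apart means the switch keeps giving up on the server
    and retrying, so logins fail intermittently even though ISE itself is up."""
    down_since, flaps = {}, []
    # stable sort on timestamp only, so same-millisecond DEAD/ALIVE keep log order
    for ts, server, state in sorted(events, key=lambda e: e[0]):
        if state == "DEAD":
            down_since.setdefault(server, ts)  # keep the first DEAD of a run
        elif server in down_since:
            dead_ts = down_since.pop(server)
            secs = (ts - dead_ts).total_seconds()
            if secs <= window_seconds:
                flaps.append((server, dead_ts, ts, secs))
    return flaps
```

Run it against `show logging` output from the switch; a server that flaps every few seconds is a reachability or MTU/bandwidth problem toward ISE, not an ISE policy problem.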

is the ISE then compatible with this make of switch?

For that, I don't know. I am using a Cisco IOL virtual switch.

schadracpierre
Level 1

I found the error and fixed it. The issue was the bandwidth on the tunnel.

I changed the source interface to Ethernet 0/0, and under the tunnel interface I changed the bandwidth to 85k:

interface tunnel 10
bandwidth 85000