You want to demonstrate not only wireless 802.1X but also wired 802.1X with a single router that has a built-in AP and switchport(s). This guide will show you how to update the configuration to do 802.1X on one or more of the router switchports.
This guide assumes you have Identity Services Engine (ISE) running in your lab or dCloud.
This guide was created using a Cisco 819HWD running IOS 15.4(3)M1 and ISE 2.2.
Note that the 819HWD, and the 8xx series routers in general, are only capable of VLAN-based enforcement on the FastEthernet switchports; they cannot apply downloadable ACLs (dACLs) from ISE.
Step 1: Find the IP address used for ISE.
If using ISE in dCloud, this should be in the topology diagram or in the demo documentation:
Step 2: Record the ISE IP address for use in the router's RADIUS configuration.
Step 1: From the router's console, find and verify the router interface and IP address that can reach ISE:
Step 2: Record the router's source IP address (10.64.10.1 in the example above) for use in the RADIUS client configuration for ISE.
Step 1: Get into your router's configuration mode:
Step 2: Copy and paste the global RADIUS client configuration below into your dCloud router after replacing
Step 3: Copy and paste the following 802.1X+MAB configuration into the dCloud router switchport(s) on which you want to enable edge authentication:
Step 1: In ISE, navigate to Administration > Network Resources > Network Devices
Step 2: Add the dCloud router with the following settings:
| Setting | Value |
|---|---|
| RADIUS Authentication Settings | ✓ (enabled) |
| SNMP Settings | ✓ (enabled) |
| SNMP RO Community | C1sco12345 |
Step 3: Submit the changes.
Create a user identity in ISE if you haven't already. This will be used for the test authentication.
Step 1: In ISE, navigate to Administration > Identity Management > Users
Step 2: Click on +Add to add a new network user
Step 3: Fill in the form with the following settings:
Network Access User:

| Setting | Value |
|---|---|
| Password Type | Internal Users |
Step 4: Click on Submit
You can use the router CLI to perform a RADIUS test authorization from the router to ensure you have RADIUS connectivity to ISE.
Step 1: Open the dCloud Router console
Step 2: Run the test aaa command against ISE, which has the format:
Example output using the user identity above:
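What the router's `test aaa` exercises on the wire is a RADIUS Access-Request/Access-Accept exchange protected by the shared secret. The following Python is an added example, not the guide's own material and not Cisco or ISE code: it plays both the router (NAS) side and the ISE (server) side in one process, hides the PAP password the way RFC 2865 requires, adds and checks the RFC 3579 Message-Authenticator, and verifies the Response Authenticator on the reply. The shared secret, the NAS address and the user table are constructed placeholders; the user and password match the identity created above.

```python
"""RADIUS PAP round trip as performed by the router's `test aaa` (RFC 2865, RFC 3579).

Added example: the NAS (router) and the server (ISE) side both run in this one
process, offline. The shared secret, NAS address and user table are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

# Constructed placeholders: in the lab these come from the ISE network-device entry.
LAB_SECRET = b"radius-shared-secret-placeholder"
LAB_USERS = {"test": "C1sco12345"}          # the internal ISE user created above


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        typ, length = struct.unpack("!BB", data[:2])
        attrs.append((typ, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = authenticator, b""
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the chaining value is the previous ciphertext block."""
    prev, out = authenticator, b""
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident, req_auth, username, password, nas_ip, secret):
    """NAS side: hidden PAP password plus an HMAC-MD5 Message-Authenticator that is
    computed over the packet with the attribute itself zeroed."""
    attrs = [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (MESSAGE_AUTHENTICATOR, b"\x00" * 16),
    ]
    mac = hmac.new(secret, _packet(ACCESS_REQUEST, ident, req_auth, attrs), hashlib.md5).digest()
    attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(packet, secret, users):
    """Server side: check the Message-Authenticator first, then the password, and reply
    with a Response Authenticator bound to the request and the shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attr_list = decode_attrs(packet[20:length])
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attr_list]
    expected = hmac.new(secret, _packet(code, ident, req_auth, zeroed), hashlib.md5).digest()
    attrs = dict(attr_list)
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    ok = (
        code == ACCESS_REQUEST
        and hmac.compare_digest(expected, attrs.get(MESSAGE_AUTHENTICATOR, b""))
        and name in users and USER_PASSWORD in attrs
        and hmac.compare_digest(users[name].encode(),
                                reveal_password(attrs[USER_PASSWORD], secret, req_auth))
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify_response(response, req_auth, secret):
    """NAS side: trust the reply only if its Response Authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def radius_test_aaa(username, password, nas_secret=LAB_SECRET, server_secret=None, users=LAB_USERS):
    """In-process equivalent of `test aaa`: 2 = Accept, 3 = Reject, None = reply could
    not be verified (the symptom of a shared-secret mismatch between router and ISE)."""
    req_auth = os.urandom(16)                     # Request Authenticator: fresh per request
    request = build_access_request(7, req_auth, username, password, "10.64.10.1", nas_secret)
    response = server_handle(request, server_secret or nas_secret, users)
    return client_verify_response(response, req_auth, nas_secret)


if __name__ == "__main__":
    print("good credentials ->", radius_test_aaa("test", "C1sco12345"))
    print("wrong password   ->", radius_test_aaa("test", "wrong"))
    print("secret mismatch  ->", radius_test_aaa("test", "C1sco12345", server_secret=b"other"))
```

The mismatch case reproduces the failure you would see in the lab when the key in the router's RADIUS configuration differs from the one in the ISE network-device entry: the server cannot validate the Message-Authenticator and rejects, and the router cannot validate the reply either, so `test aaa` never reports success. Check the shared secret before anything else when that happens.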
Step 1: Connect an endpoint (Windows, MacOS, Linux) to the dCloud router's switchport interface configured for 802.1X.
Step 2: On the router console, you should immediately see events for
Step 3: On your endpoint, if 802.1X is enabled for the wired interface, you should be prompted to enter your user identity credentials (test:C1sco12345). Enter the credentials and submit them.
Step 4: Your identity should immediately be authenticated and your endpoint authorized onto the network.
Step 5: On the router console, view the authentication and authorization events:
Step 6: View the authentication session information for the router interface
Step 7: In ISE, navigate to Operations > RADIUS > Livelogs to view the authentication for user test in ISE
indicates that there was a successful authentication for the user test@20:C9:D0:29:A3:FB
indicates that there is an active RADIUS session for this device
If for some reason you miss the 802.1X authentication challenges and it times out, your endpoint should still be successfully authenticated with MAC Authentication Bypass (MAB).
After approximately 30 seconds (3 x 10-second timeouts) you will see 802.1X fail because the endpoint never responded:
The switchport will then begin to failover from 802.1X authentication into MAB authentication:
And this should be successful:
You can see how the authentication session information shows a successful MAB authentication for the MAC address (not the username) into the DATA VLAN:
Step 7: In ISE, navigate to Operations > RADIUS > Livelogs to view the MAB authentication for the endpoint MAC address:
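The 802.1X-to-MAB fallback shown above is worth detecting rather than just tolerating, because MAB authorizes on the MAC address alone. The following Python is an added example, not part of the guide: it reads router syslog output and flags sessions in which 802.1X failed and MAB then succeeded, reporting how long the 802.1X phase waited before giving up. The log lines are constructed for this example in the general shape of IOS AUTHMGR, DOT1X and MAB messages; exact wording varies by release, so adjust the regular expressions to your own `show logging` output.

```python
"""Flag 802.1X -> MAB fallback in Cisco IOS authentication-manager syslog output.

Added defender-side example. SAMPLE_LOG is constructed: it follows the general
shape of IOS AUTHMGR/DOT1X/MAB messages, but the exact text on a given release
may differ, so treat the regexes as a starting point.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<fac>\w+)-(?P<sev>\d)-(?P<mn>\w+): (?P<msg>.*)$"
)
CLIENT_RE = re.compile(
    r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) on Interface (?P<intf>\S+)"
)
METHOD_RE = re.compile(r"'(?P<method>\w+)'")

# Constructed sample: Fa0 falls back to MAB after 30 s of 802.1X silence,
# Fa1 completes 802.1X normally and must not be flagged.
SAMPLE_LOG = """\
*Mar  1 00:10:01.123: %AUTHMGR-5-START: Starting 'dot1x' for client (20c9.d029.a3fb) on Interface Fa0
*Mar  1 00:10:31.123: %DOT1X-5-FAIL: Authentication failed for client (20c9.d029.a3fb) on Interface Fa0
*Mar  1 00:10:31.124: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (20c9.d029.a3fb) on Interface Fa0
*Mar  1 00:10:31.125: %AUTHMGR-5-START: Starting 'mab' for client (20c9.d029.a3fb) on Interface Fa0
*Mar  1 00:10:31.300: %MAB-5-SUCCESS: Authentication successful for client (20c9.d029.a3fb) on Interface Fa0
*Mar  1 00:10:31.301: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (20c9.d029.a3fb) on Interface Fa0
*Mar  1 00:12:00.000: %AUTHMGR-5-START: Starting 'dot1x' for client (0011.2233.4455) on Interface Fa1
*Mar  1 00:12:00.800: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Fa1
*Mar  1 00:12:00.801: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Fa1
"""


def parse_line(line):
    """Return a dict for one syslog line, or None if it is not an auth-manager message."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client = CLIENT_RE.search(m["msg"])
    method = METHOD_RE.search(m["msg"])
    return {
        # No year in the timestamp; only deltas between lines are used below.
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"),
        "facility": m["fac"],
        "mnemonic": m["mn"],
        "mac": client["mac"] if client else None,
        "intf": client["intf"] if client else None,
        "method": method["method"] if method else None,
    }


def find_mab_fallbacks(log_text):
    """Track each (interface, MAC) session; report when MAB succeeds after a DOT1X FAIL."""
    state = {}      # (intf, mac) -> timestamps seen so far in the current attempt
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["mac"]:
            continue
        key = (ev["intf"], ev["mac"])
        s = state.setdefault(key, {})
        if ev["facility"] == "AUTHMGR" and ev["mnemonic"] == "START" and ev["method"] == "dot1x":
            s.clear()                       # a new attempt resets the session's history
            s["dot1x_start"] = ev["ts"]
        elif ev["facility"] == "DOT1X" and ev["mnemonic"] == "FAIL":
            s["dot1x_fail"] = ev["ts"]
        elif ev["facility"] == "MAB" and ev["mnemonic"] == "SUCCESS" and "dot1x_fail" in s:
            wait = (s["dot1x_fail"] - s["dot1x_start"]).total_seconds() if "dot1x_start" in s else None
            alerts.append({"interface": ev["intf"], "mac": ev["mac"], "dot1x_wait_s": wait,
                           "note": "authorized by MAC address only after 802.1X failure"})
            s.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_mab_fallbacks(SAMPLE_LOG):
        print(alert)
```

Feed it the output of `show logging` (or the syslog collector's copy) and compare the flagged MACs against the endpoints you expect to do 802.1X; a supplicant-capable host that repeatedly lands in MAB usually means a broken supplicant rather than a benign printer, and a wait close to 30 seconds matches the three 10-second timeouts described above.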