09-12-2023 08:23 AM
After configuring the switch and switch port, our laptop is connecting to the network but there are no logs confirming the successful authentication in our NAC. Is there something wrong with the configuration? We would like to configure a range of ports to allow either 802.1x or MAC devices to authenticate.
aaa new-model
!
aaa group server radius XXXXXX
 server name Radius_Cloud
 server name Radius_Local
!
aaa authentication dot1x default group XXXXXX
aaa authorization network default group XXXXXX
aaa accounting update newinfo periodic 120
aaa accounting dot1x default start-stop group XXXXXX
!
aaa server radius dynamic-author
 client 52.232.122.157 server-key 0 xxxxx
 client 192.168.254.213 server-key 0 xxxxx
!
dot1x system-auth-control
dot1x critical eapol block
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
!
radius server Radius_Cloud
 address ipv4 XXX auth-port XXX acct-port XXX
 key 0 xxxxx
!
radius server Radius_Local
 address ipv4 XXX auth-port XXX acct-port XXX
 key 0 xxxxx
!
ip device tracking
device-tracking policy POLICY
 tracking enable
!
interface range Gig1/0/1 - 15
 switchport mode access
 device-tracking attach-policy POLICY
 no logging event link-status
 no logging event power-inline-status
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 1
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
 spanning-tree guard root
 service-policy output output-q
Thanks.
09-12-2023 08:33 AM
What NAC are you using? Is the device able to get an IP allocated and able to access resources, and you are only not able to view logs?
Below is my test config, which works as expected using ISE:
Port config
Vlan 2*** and 3*** correspond to the local VLANs on that switch
switchport access vlan 2***
switchport mode access
switchport voice vlan 3***
no logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 2***
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3
no mdix auto
spanning-tree portfast
Have a look at this detailed guide:
09-12-2023 09:07 AM
Hello,
Check the command: show auth session int gig1/0/X for details regarding your issue.
Also check that you have everything open on the firewall between the switch and the RADIUS server.
BR
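Both port configurations in this thread include `authentication open`, which puts the port in open (monitor) mode: the host is given network access before, and regardless of, the RADIUS result, so "the laptop connects" is not evidence that 802.1X or MAB succeeded. The following audit script is an added example and not code from the thread or from Cisco; it parses one IOS interface block (the sample input is constructed from the original question), reports which of the commands the thread relies on are missing, and flags settings such as `authentication open` that change what a successful connection means. The required-command list is an assumption based on the configs posted above, not an official checklist.

```python
"""Audit an IOS 802.1X/MAB access-port block for missing and caveat commands."""
import re

# Commands the port configs in this thread rely on (assumed checklist).
REQUIRED = {
    "port-control": r"^authentication port-control auto$",
    "order": r"^authentication order mab dot1x$",
    "priority": r"^authentication priority dot1x mab$",
    "mab": r"^mab$",
    "dot1x-pae": r"^dot1x pae authenticator$",
    "host-mode": r"^authentication host-mode (multi-auth|multi-domain|multi-host|single-host)$",
}

# Settings that do not break authentication but change what it proves.
CAVEATS = {
    r"^authentication open$":
        "monitor mode: host gets access whether or not RADIUS accepts it, "
        "so connectivity proves nothing; check the NAC/accounting logs",
    r"^authentication event fail action next-method$":
        "dot1x failure falls through to MAB; confirm which method "
        "actually authorized the session",
}


def config_lines(block: str) -> list:
    """Strip indentation, blank lines and '!' separators from a config block."""
    stripped = (ln.strip() for ln in block.splitlines())
    return [ln for ln in stripped if ln and not ln.startswith("!")]


def audit_port_config(block: str) -> dict:
    """Return {'missing': [...], 'caveats': [...]} for one interface block."""
    lines = config_lines(block)
    missing = [name for name, pat in REQUIRED.items()
               if not any(re.match(pat, ln) for ln in lines)]
    caveats = [msg for pat, msg in CAVEATS.items()
               if any(re.match(pat, ln) for ln in lines)]
    return {"missing": missing, "caveats": caveats}


# Constructed sample: the interface block from the original question.
SAMPLE = """
interface range Gig1/0/1 - 15
 switchport mode access
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
"""

if __name__ == "__main__":
    print(audit_port_config(SAMPLE))
```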