Hello Katherine,

Thank you once again for helping point out something I overlooked... I did not have ip dhcp snooping trust on the uplink interface of my test switch. It appears that systems behind the switch can receive one DHCP allocation for the term of the lease even without trust enabled. What a mind-bender, I assure you. At this point, my 7-node ISE deployment appears to be authenticating via MAB, as I haven't set up 802.1X yet. I'm going to post a redacted running config below that cherry-picks your code and http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf, in the event it is useful for anyone. I want to once again give you a big shout out, because you've provided something very valuable that hasn't been documented in 4 or 5 years.

version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ISETEST
!
boot-start-marker
boot-end-marker
!
logging buffered 128000
logging monitor informational
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
username admin privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXX
aaa new-model
!
aaa group server radius ise-group
 server name isepolicy01
 server name isepolicy02
 server name isepolicy03
!
aaa authentication login allports group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group ise-group
aaa authorization exec default group tacacs+ local none
aaa authorization network default group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa server radius dynamic-author
 client 10.4.1.204 server-key 7 XXXXXXXXXXXXXXXXXXXX
 client 10.4.5.185 server-key 7 XXXXXXXXXXXXXXXXXXXX
 client 10.4.5.186 server-key 7 XXXXXXXXXXXXXXXXXXXX
 server-key 7 XXXXXXXXXXXXXXXXXXXXXX
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
system mtu routing 1500
device-sensor accounting
device-sensor notify all-changes
no ip source-route
ip routing
!
ip dhcp snooping vlan 213,436
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip domain-name XXXXXXXXXXX
ip device tracking probe auto-source override
vtp mode transparent
!
authentication mac-move permit
epm logging
!
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
auto qos srnd4
errdisable recovery cause bpduguard
errdisable recovery cause loopback
errdisable recovery interval 30
!
vlan internal allocation policy ascending
!
vlan 213,436
!
lldp run
!
interface range FastEthernet0/1-8
 switchport access vlan 436
 switchport mode access
 switchport voice vlan 213
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 436
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan1
 ip address 10.254.1.97 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.254.1.253
ip ssh version 2
!
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 10.4.1.203 transport udp port 20514
***access lists redacted***
snmp-server community XXXXXXXXXXX RO 25
snmp-server community XXXXXXXXXXX RW 25
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.4.1.204 version 2c XXXXXXXXXXX mac-notification
snmp-server host 10.4.5.185 version 2c XXXXXXXXXXX mac-notification
snmp-server host 10.4.5.186 version 2c XXXXXXXXXXX mac-notification
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 3
radius-server deadtime 30
!
radius server isepolicy01
 address ipv4 10.4.1.204 auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXXXXXXXX
!
radius server isepolicy02
 address ipv4 10.4.5.185 auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXXXXXXXX
!
radius server isepolicy03
 address ipv4 10.4.5.186 auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXXXXXXXX
!
line con 0
line vty 0 4
line vty 5 15
mac address-table notification change interval 0
mac address-table notification change
mac address-table notification mac-move
!
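The two things this thread turns on, a missing `ip dhcp snooping trust` on the uplink and the `authentication open` / critical-VLAN behaviour of the access ports, are both visible in the running config, so they can be checked mechanically before a switch goes into service. The following audit script is an added example, not code from the post or from Cisco: it parses an IOS-style config into global lines and per-interface blocks (expanding `interface range`), then flags (a) DHCP snooping enabled with no trusted interface, (b) open-mode ports, and (c) a critical-auth VLAN that is the same as the port's access VLAN. The sample config is a constructed excerpt modelled on the one above; the uplink name `GigabitEthernet0/1` and the finding identifiers are assumptions, since the post does not show the uplink.

```python
"""Audit an IOS-style running config for the 802.1X/MAB/DHCP-snooping settings
discussed in the thread.  Added example; sample config is a constructed excerpt."""
import re
from dataclasses import dataclass, field

_RANGE_RE = re.compile(r"^(\S+?)(\d+)-(\d+)$")  # e.g. FastEthernet0/1-8


@dataclass
class IosConfig:
    global_lines: list = field(default_factory=list)
    interfaces: dict = field(default_factory=dict)  # name -> list of sub-commands


def expand_interface(spec: str) -> list:
    """'range FastEthernet0/1-8' -> ['FastEthernet0/1', ..., 'FastEthernet0/8']."""
    spec = spec.replace("range ", "", 1).strip()
    m = _RANGE_RE.match(spec)
    if not m:
        return [spec]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{i}" for i in range(lo, hi + 1)]


def parse_ios(text: str) -> IosConfig:
    """Split a config into global commands and indented interface sub-commands."""
    cfg = IosConfig()
    current = None  # interface names of the block currently open, if any
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None  # '!' closes an interface block
            continue
        if raw.startswith(" ") and current is not None:
            for name in current:
                cfg.interfaces[name].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        if line.startswith("interface "):
            current = expand_interface(line[len("interface "):])
            for name in current:
                cfg.interfaces.setdefault(name, [])
        else:
            cfg.global_lines.append(line)
    return cfg


def audit(cfg: IosConfig) -> list:
    """Return (finding_id, scope, description) tuples."""
    findings = []
    trusted = [n for n, sub in cfg.interfaces.items() if "ip dhcp snooping trust" in sub]
    if "ip dhcp snooping" in cfg.global_lines and not trusted:
        findings.append(("dhcp-snooping-no-trusted-uplink", "global",
                         "ip dhcp snooping is enabled but no interface has "
                         "'ip dhcp snooping trust'; DHCP server replies arriving on the "
                         "uplink are dropped by the switch"))
    for name, sub in cfg.interfaces.items():
        if "authentication open" in sub:
            findings.append(("dot1x-open-mode", name,
                             "'authentication open' forwards traffic before and regardless "
                             "of the dot1x/MAB result unless a port ACL or ISE dACL "
                             "restricts it (the port fails open)"))
        access_vlan = next((s.split()[-1] for s in sub
                            if s.startswith("switchport access vlan ")), None)
        for s in sub:
            m = re.match(r"authentication event server dead action reinitialize vlan (\d+)", s)
            if m and m.group(1) == access_vlan:
                findings.append(("critical-vlan-is-access-vlan", name,
                                 f"critical-auth VLAN {m.group(1)} equals the access VLAN, "
                                 "so hosts land in the production VLAN when all RADIUS "
                                 "servers are dead"))
    return findings


def audit_text(text: str) -> list:
    return audit(parse_ios(text))


# Constructed excerpt modelled on the thread's config; the uplink name is an assumption.
SAMPLE_CONFIG = """
ip dhcp snooping vlan 213,436
no ip dhcp snooping information option
ip dhcp snooping
!
interface range FastEthernet0/1-8
 switchport access vlan 436
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 436
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

# Same excerpt with the fix the thread arrived at: trust the uplink.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "interface GigabitEthernet0/1\n",
    "interface GigabitEthernet0/1\n ip dhcp snooping trust\n")

if __name__ == "__main__":
    for fid, scope, text in audit_text(SAMPLE_CONFIG):
        print(f"[{fid}] {scope}: {text}")
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file's contents. The open-mode and critical-VLAN findings are informational rather than errors: open mode is a deliberate monitor-mode choice, but it is the reason a port may keep passing traffic after dot1x and MAB both fail unless ISE pushes a restrictive dACL.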
Thank you for offering this configuration; it seems like configuration examples such as these are hard to come by. Does this configuration "fail open", so to speak, in that if dot1x or MAB fails the user can still access the network, or is that completely a function of ISE policies? Today I had a perfectly good configuration that had been working for days suddenly stop working and block the wired hosts behind the switch, with no anomalies reported in ISE. TAC referred me to this post. Thanks again for your hard work.

Regards,
CJ