Cisco – dot1x port configuration

Radius connection

aaa new-model
!
aaa group server radius ISE-RADIUS
 server name ISE-KEY
!
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
!
ip device tracking
!
dot1x system-auth-control
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ISE-KEY
 address ipv4 10.10.2.20 auth-port 1812 acct-port 1813
 key radius-key

Monitor Mode:

interface GigabitEthernet0/1
 description Interface
 switchport access vlan 9
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

Closed Mode:

interface GigabitEthernet0/1
 description Interface
 switchport access vlan 9
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

MAB Mode:

interface GigabitEthernet0/1
 description Interface
 switchport access vlan 9
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

Low Impact Mode:

interface GigabitEthernet0/1
 description Employee-PC
 switchport access vlan 9
 switchport mode access
 ip access-group Basic-ACL in
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
ip access-list extended Basic-ACL
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.10.3.20 eq www
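
The port configurations above differ in only a few lines: "authentication open", an ingress "ip access-group", and "mab". The Python script below is an added example (not part of the original post) that audits a saved running-config and reports which mode each port is in, so ports left open in monitor mode are easy to spot; it assumes "show running-config" layout with indented sub-commands, and the sample stanzas and the label "unauthenticated" are constructed for illustration.

```python
import re

# Constructed sample in "show running-config" layout (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 authentication open
 authentication port-control auto
!
interface GigabitEthernet0/2
 ip access-group Basic-ACL in
 authentication open
 authentication port-control auto
!
interface GigabitEthernet0/3
 authentication port-control auto
 mab
!
interface GigabitEthernet0/4
 switchport mode access
"""

def classify(cmds):
    """Map one interface's sub-commands to (mode, mab_enabled)."""
    if "authentication port-control auto" not in cmds:
        mode = "unauthenticated"   # no port-based access control at all
    elif "authentication open" not in cmds:
        mode = "closed"            # no data traffic until authentication succeeds
    elif any(re.fullmatch(r"ip access-group \S+ in", c) for c in cmds):
        mode = "low-impact"        # open, but limited by the ingress ACL
    else:
        mode = "monitor"           # open with no ACL: nothing is enforced
    return mode, "mab" in cmds

def classify_ports(config):
    """Return {interface: (mode, mab_enabled)} for every interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(" ".join(line.split()))   # normalise whitespace
        else:
            current = None         # "!" or a global command ends the stanza
    return {name: classify(cmds) for name, cmds in stanzas.items()}

if __name__ == "__main__":
    for port, (mode, mab) in classify_ports(SAMPLE_CONFIG).items():
        print(f"{port}: {mode}{' +mab' if mab else ''}")
```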
