Introduction

Configuring a network switch for 802.1X and MAC Authentication Bypass (MAB) is a key step in securing your network, because it controls which users and devices can reach your resources. When integrated with Cisco Identity Services Engine (ISE), these technologies allow dynamic access control based on the identity of users and devices. 802.1X provides strong authentication for devices capable of it, while MAB serves as a fallback for non-802.1X devices, such as printers or IoT devices, so they can still be identified and managed securely. In this blog, we will walk through the configuration of a network switch to enable 802.1X and MAB for seamless integration with Cisco ISE, providing a balanced approach to network security and access control.

Global Switch Configuration for MAB and 802.1x

We will start by enabling AAA and configuring the AAA method lists on the switch.

aaa new-model
aaa session-id common
aaa authentication dot1x default group ISE-SERVERS
aaa authorization network default group ISE-SERVERS
aaa accounting dot1x default start-stop group ISE-SERVERS
aaa accounting network default start-stop group ISE-SERVERS
aaa accounting update newinfo periodic 2880

Configure the RADIUS server and the server group.

radius server server-name
address ipv4 ise-ip-address auth-port 1812 acct-port 1813
key shared-secret
aaa group server radius ISE-SERVERS
server name server-name
deadtime 15

(Optional) You may wish to add an automated tester to verify connectivity to the RADIUS server.

username radius-test-username secret password
radius server server-name
automated-tester username radius-test-username

Configure the RADIUS dead criteria.

radius-server dead-criteria time 5 tries 3

Configure RADIUS Change of Authorization (CoA).

aaa server radius dynamic-author
client ise-ip-address
server-key shared-secret

Enable the switch to send RADIUS Vendor-Specific Attributes (VSAs).

radius-server vsa send authentication
radius-server vsa send accounting

Configure the RADIUS attributes the switch includes in its requests.

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only

Configure the source interface for RADIUS. This should be the interface with the IP address configured for the NAD in ISE.

ip radius source-interface interface-name

Enable 802.1x globally on the switch.

dot1x system-auth-control
dot1x critical eapol
authentication mac-move permit
epm access-control open

Generate crypto keys.

crypto key generate rsa general-keys modulus 2048

If you plan on doing HTTP redirect, the following commands are necessary.

ip http server
ip http active-session-modules none
ip http secure-active-session-modules none
ip http max-connections 40

IOS 12.x to 15.x: enable IP device tracking on the switch.

ip device tracking
ip device tracking probe auto-source
ip device tracking probe delay 10

IOS-XE 16.x and later: enable IP device tracking on the switch with a device-tracking policy attached to the access interfaces.

device-tracking policy policy-name
tracking enable
device-tracking tracking auto-source
interface range access-interfaces
device-tracking attach-policy policy-name

Create local access control lists.

ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark ICMP
permit icmp any any
remark PXE/TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
ip access-list extended WEBAUTH-REDIRECT
remark Deny DNS from being redirected to ISE
deny udp any any eq 53
remark redirect all applicable traffic to ISE
permit tcp any any eq 80
permit tcp any any eq 443
remark All other traffic will be denied from redirection
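To see what the two ACLs above actually enforce, here is an added example (written for this page, not part of the original post) that implements a small subset of Cisco extended-ACL semantics in Python: first match wins, `any` and `host` address forms, `eq` port matches, and the implicit deny at the end. It evaluates sample flows from an unauthenticated host against ACL-DEFAULT (the pre-auth port ACL) and against WEBAUTH-REDIRECT, where a `permit` means "redirect this flow". The flows and the IP addresses in them are constructed for the example.

```python
"""Evaluate ACL-DEFAULT and WEBAUTH-REDIRECT against sample flows.

Added example, not from the original post. Only the ACL features used on the
page are implemented: permit/deny, protocol ip/udp/tcp/icmp, 'any'/'host'
addresses, 'eq' port matches, a trailing 'log' keyword, and the implicit
'deny ip any any' at the end of every Cisco ACL.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports exactly as IOS renders them in the ACLs on the page.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69}

ACL_DEFAULT = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
deny ip any any log
"""

WEBAUTH_REDIRECT = """\
deny udp any any eq 53
permit tcp any any eq 80
permit tcp any any eq 443
"""


@dataclass
class Ace:
    action: str                          # permit | deny
    proto: str                           # ip | udp | tcp | icmp
    src: Tuple[str, Optional[str]]       # ("any", None) or ("host", ip)
    src_port: Optional[int]
    dst: Tuple[str, Optional[str]]
    dst_port: Optional[int]


@dataclass
class Flow:
    proto: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_ip: str = "10.1.1.50"   # constructed: endpoint on the access VLAN
    dst_ip: str = "10.1.1.1"    # constructed: gateway / server side


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(tok: List[str], i: int):
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "host":
        return ("host", tok[i + 1]), i + 2
    raise ValueError("only 'any' and 'host' address forms are supported here")


def parse_acl(text: str) -> List[Ace]:
    """Parse the ACE lines of an extended ACL; remarks are skipped."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto, i = tok[0], tok[1], 2
        src, i = _parse_addr(tok, i)
        sport = None
        if i < len(tok) and tok[i] == "eq":
            sport, i = _port(tok[i + 1]), i + 2
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport, i = _port(tok[i + 1]), i + 2
        aces.append(Ace(action, proto, src, sport, dst, dport))  # 'log' ignored
    return aces


def _addr_match(spec, ip: str) -> bool:
    kind, val = spec
    return kind == "any" or (kind == "host" and val == ip)


def evaluate(aces: List[Ace], flow: Flow) -> str:
    """First-match evaluation; unmatched flows hit the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not (_addr_match(ace.src, flow.src_ip) and _addr_match(ace.dst, flow.dst_ip)):
            continue
        if ace.src_port is not None and ace.src_port != flow.src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != flow.dst_port:
            continue
        return ace.action
    return "deny"


PRE_AUTH = parse_acl(ACL_DEFAULT)
REDIRECT = parse_acl(WEBAUTH_REDIRECT)


def pre_auth_result(flow: Flow) -> str:
    """What the pre-auth port ACL does with the flow before authentication."""
    return evaluate(PRE_AUTH, flow)


def is_redirected(flow: Flow) -> bool:
    """In a redirect ACL, a 'permit' match means the flow is sent to the ISE portal."""
    return evaluate(REDIRECT, flow) == "permit"


if __name__ == "__main__":
    samples = {
        "DHCP discover (68->67)": Flow("udp", 68, 67),
        "DNS query (->53)": Flow("udp", 40000, 53),
        "HTTP (->80)": Flow("tcp", 40001, 80),
        "SMB (->445)": Flow("tcp", 40002, 445),
        "ping": Flow("icmp"),
    }
    for name, flow in samples.items():
        print(f"{name:24} pre-auth={pre_auth_result(flow):6} redirected={is_redirected(flow)}")
```

Two details worth noticing in the output: a DHCP packet is only permitted when its source port is 68, because the first ACE matches on both ports, and DNS is explicitly denied in WEBAUTH-REDIRECT so that name resolution keeps working while only HTTP and HTTPS are redirected to the portal.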

Interface Configuration for 802.1x and MAB

Configure the interfaces as layer 2 host interfaces.

interface range FirstInterface-LastInterface
switchport
switchport host

Configure FlexAuth on the ports.

authentication priority dot1x mab
authentication order dot1x mab
authentication event fail action next-method

Configure the port behavior if RADIUS is unavailable.

authentication event server dead action authorize vlan vlan-id
authentication event server dead action authorize voice
authentication event server alive action reinitialize

Configure host mode on the switch ports.

authentication host-mode multi-auth
authentication violation restrict

Configure authentication settings on the ports.

authentication open
mab
dot1x pae authenticator

Configure the authentication timer on the ports.

dot1x timeout tx-period 10

Apply the pre-auth ACL.

ip access-group ACL-DEFAULT in

Enable authentication.

authentication port-control auto
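Because `authentication open` lets the port forward traffic before a device is authenticated, an access port that carries `authentication open` and `mab` but is missing `authentication port-control auto` or the pre-auth ACL is effectively unauthenticated and unrestricted. The following is an added example (written for this page, not part of the original post) in Python that audits a constructed `show running-config` excerpt against the global and per-port commands listed above and reports what is missing. The required-line lists are this checker's assumptions taken from the page; defaults the switch may not display in the running configuration (such as the dot1x-before-mab priority) are deliberately left out.

```python
"""Audit a running-config excerpt for the 802.1X/MAB commands on this page.

Added example, not from the original post. SAMPLE_RUNNING_CONFIG is a
constructed excerpt: Gi1/0/1 is compliant, Gi1/0/2 is a drifted port, and
Gi1/0/24 is a trunk uplink that is out of scope for port authentication.
"""
from typing import Dict, List, Tuple

REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group ISE-SERVERS",
    "aaa authorization network default group ISE-SERVERS",
    "radius-server dead-criteria time 5 tries 3",
    "dot1x system-auth-control",
    "authentication mac-move permit",
]

# A trailing '*' marks a prefix match (the critical VLAN id varies per site).
REQUIRED_ACCESS_PORT = [
    "authentication order dot1x mab",
    "authentication event fail action next-method",
    "authentication event server dead action authorize vlan *",
    "authentication event server alive action reinitialize",
    "authentication host-mode multi-auth",
    "authentication violation restrict",
    "authentication open",
    "mab",
    "dot1x pae authenticator",
    "dot1x timeout tx-period 10",
    "ip access-group ACL-DEFAULT in",
    "authentication port-control auto",
]

SAMPLE_RUNNING_CONFIG = """\
aaa new-model
aaa authentication dot1x default group ISE-SERVERS
aaa authorization network default group ISE-SERVERS
dot1x system-auth-control
authentication mac-move permit
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 ip access-group ACL-DEFAULT in
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication open
 authentication order dot1x mab
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description uplink
 switchport mode trunk
!
"""


def parse_running_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface stanzas."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # '!' terminates a stanza
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:                                # any other top-level line
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def _missing(lines: List[str], required: List[str]) -> List[str]:
    missing = []
    for req in required:
        present = (any(l.startswith(req[:-1]) for l in lines)
                   if req.endswith("*") else req in lines)
        if not present:
            missing.append(req)
    return missing


def audit(text: str) -> Dict[str, List[str]]:
    """Return {'global': [...missing...], '<interface>': [...missing...]} for access ports."""
    glob, ifaces = parse_running_config(text)
    report = {"global": _missing(glob, REQUIRED_GLOBAL)}
    for name, lines in ifaces.items():
        if "switchport mode access" not in lines:
            continue                         # trunks/uplinks are out of scope
        report[name] = _missing(lines, REQUIRED_ACCESS_PORT)
    return report


def unauthenticated_ports(report: Dict[str, List[str]]) -> List[str]:
    """Access ports that forward traffic with no authentication enforced at all."""
    return sorted(p for p, miss in report.items()
                  if p != "global" and "authentication port-control auto" in miss)


if __name__ == "__main__":
    result = audit(SAMPLE_RUNNING_CONFIG)
    for scope, miss in result.items():
        print(f"{scope}: {'OK' if not miss else 'missing ' + ', '.join(miss)}")
    print("ports with no authentication enforced:", unauthenticated_ports(result))
```

Run against a real export, the same `audit()` call turns the per-port checklist above into something you can diff after every change window; the `unauthenticated_ports()` view is the one to alert on, since those ports behave like plain access ports regardless of what ISE is configured to return.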

Profiling Configuration on the Switch

CDP and LLDP

Configure CDP and LLDP, if not already enabled.

cdp run
lldp run
interface range StartInterface-EndInterface
cdp enable
lldp receive
lldp transmit

DHCP

Enable the DHCP Helper address on an SVI or Layer 3 interface.

interface SVI-or-Layer3-Interface
ip helper-address ise-ip-address

IOS Device Sensor

First, configure DHCP snooping so that the IOS Device Sensor can see the DHCP packets.

interface uplink-port
ip dhcp snooping trust
exit
ip dhcp snooping
ip dhcp snooping vlan StartVLAN-EndVLAN

Next, configure the filter lists to send only the necessary fields with the RADIUS packets.

device-sensor filter-list dhcp list dhcp_list_name
option name host-name
option name class-identifier
option name client-identifier
option name parameter-request-list
device-sensor filter-list cdp list cdp_list_name
tlv name device-name
tlv name platform-type
tlv name version-type
tlv name capabilities-type
device-sensor filter-list lldp list lldp_list_name
tlv name port-id
tlv name system-name
tlv name system-description
device-sensor filter-spec dhcp include list dhcp_list_name
device-sensor filter-spec cdp include list cdp_list_name
device-sensor filter-spec lldp include list lldp_list_name

Finally, enable the device sensor.

device-sensor accounting
device-sensor notify all-changes

SNMP

SNMP probing is configured on older Cisco switches; if you are using the IOS Device Sensor, you do not need it. If the SNMP probe is to be used, configure the source interface globally on the switch to match the IP address that ISE has configured for the NAD.

snmp-server trap-source interface-name
snmp-server source-interface informs interface-name

Configure the SNMP probes on the switch.

interface range StartInterface-EndInterface
snmp trap mac-notification change added
snmp trap mac-notification change removed
exit
mac address-table notification change
mac address-table notification mac-move
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host ise-ip-address version 2c community-string
snmp-server community community-string RO

Bonus: If you want more switch NAD configuration templates, check out my friend Brad Johnson’s page.