Networking, Security & Cloud Knowledge

Friday, June 7, 2024

IEEE 802.1x (Dot1x) authentication and device-sensor configuration template for Cisco 3650

Configure dot1x

// Enable AAA //

!  
aaa new-model

!

// Create a local username and password for admin authentication (admin1 is a placeholder; use a strong secret) //

!

username admin privilege 15 secret admin1

enable secret admin1

// Keep management access on the local database: login and exec authorization stay local, only dot1x is sent to ISE //
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local

!

// Define the RADIUS server (ISE PSN at 10.10.10.10); the shared key must match the one ISE holds for this network device //

!

radius server ise-psn01
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 key Cisco123

!


// Create the ISE server group //

aaa group server radius ISE
 server name ise-psn01


// AAA method lists for dot1x: authentication, network authorization (required for VLAN and dACL results from ISE to be applied) and accounting //
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE

// Source RADIUS traffic from the SVI whose address is registered in ISE as this network device //
ip radius source-interface Vlan10

// Enable dot1x globally //
dot1x system-auth-control

// Accept Change of Authorization (CoA) messages from the RADIUS server; the server-key must match the one configured in ISE //
aaa server radius dynamic-author
 client 10.10.10.10 server-key Cisco123



// Interface configuration //
interface GigabitEthernet1/0/1
 switchport access vlan 88
 switchport mode access
 switchport voice vlan 118
// Port security is kept here as in the original template, but Cisco advises against combining it with 802.1X: the authenticator already limits which MACs may pass, and "maximum 2" would err-disable the port on a third MAC even if ISE had authorized it //
 switchport port-security maximum 2
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable

 authentication host-mode multi-auth
 dot1x pae authenticator
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 authentication event fail action next-method
// 2 s is aggressive: the switch sends EAP-Request/Identity (max-reauth-req + 1) times, tx-period apart, before falling back to MAB, so a slow-booting supplicant can land in MAB; 10 s is the value commonly used //
 dot1x timeout tx-period 2
 end

PAE = Port Access Entity. "dot1x pae authenticator" makes the switch port the authenticator side of the 802.1X exchange: the endpoint is the supplicant and ISE is the authentication server.





#############################################################
Configure Device Sensor

// Device sensor collects DHCP, CDP and LLDP attributes from the endpoint; "accounting" sends them to ISE in RADIUS accounting (used for profiling) and "notify all-changes" triggers an update whenever a collected TLV changes //
device-sensor accounting
device-sensor notify all-changes

// Required so the collected attributes are carried as vendor-specific attributes in the accounting messages //
radius-server vsa send accounting


// Creates a TLV list and enters DHCP-LIST sensor configuration mode, where you can configure individual TLVs. //

device-sensor filter-list dhcp list dhcp-list
 option name host-name
 option name domain-name
 option number 50

Note: DHCP option 50 (Requested IP Address) lets a client ask for a specific address.

// Creates a TLV list and enters CDP sensor configuration mode, where you can configure individual TLVs.//

device-sensor filter-list cdp list cdp-list
 tlv name device-name
 tlv name address-type
 tlv number 34

// Creates a TLV list and enters LLDP sensor configuration mode, where you can configure individual TLVs.//

device-sensor filter-list lldp list lldp-list
 tlv name chassis-id
 tlv name management-address
 tlv number 28

Note: a filter-list is only a definition; it takes effect once it is bound with device-sensor filter-spec <protocol> include list <list-name> (for example device-sensor filter-spec dhcp include list dhcp-list, and likewise for cdp and lldp). Without the filter-spec the list is defined but not applied.


Commands to verify
Switch# sh device-sensor details
Switch# sh device-sensor cache all
Switch# sh device-sensor cache interface g1/0/1
Switch# sh device-sensor cache mac <mac-address>
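As an added example (not part of the original post), the following Python script audits an IOS-style configuration for the settings in both sections above: it resolves the dot1x method list through the server group to the radius server definitions, checks that every RADIUS server is also a CoA client under "aaa server radius dynamic-author", flags an authenticator port that mixes port security with 802.1X or uses a very short tx-period, and reports device-sensor filter lists that are defined but never bound with a filter-spec. The embedded sample configuration is constructed from the page's template (with the filter lists left unbound so that check fires); the 10-second tx-period floor and the wording of the findings are the script's own assumptions, not Cisco defaults.

```python
# Added example, not code from the original post: audits an IOS-style configuration for
# the 802.1X/MAB and device-sensor settings shown above; the tx-period floor is assumed.
import re
from collections import defaultdict
TX_PERIOD_FLOOR = 10  # assumed: ISE deployment guides commonly use tx-period 10
# Constructed sample from the page's template; the device-sensor lists are left unbound.
SAMPLE_CONFIG = """\
aaa new-model
radius server ise-psn01
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 key Cisco123
aaa group server radius ISE
 server name ise-psn01
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
dot1x system-auth-control
aaa server radius dynamic-author
 client 10.10.10.10 server-key Cisco123
device-sensor filter-list dhcp list dhcp-list
 option name host-name
device-sensor filter-list cdp list cdp-list
 tlv name device-name
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security maximum 2
 dot1x pae authenticator
 authentication port-control auto
 mab
 dot1x timeout tx-period 2
"""

def first_match(pattern, lines):
    return next((m for m in (re.match(pattern, l) for l in lines) if m), None)

def parse_config(text):
    """Column-0 lines are top-level commands, indented lines their children; '!' ends a block."""
    top, blocks, parent = [], defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            parent = None
        elif not raw.startswith(" "):
            parent = raw.strip()
            top.append(parent)
        elif parent is not None:
            blocks[parent].append(raw.strip())
    return top, blocks

def audit_global(top, blocks):
    out = [f"missing: {c}" for c in ("aaa new-model", "dot1x system-auth-control") if c not in top]
    servers, groups = {}, {}  # radius server -> IPv4 address; aaa group -> member names
    for cmd in top:
        if m := re.match(r"radius server (\S+)", cmd):
            a = first_match(r"address ipv4 (\S+)", blocks[cmd])
            servers[m.group(1)] = a.group(1) if a else None
        elif m := re.match(r"aaa group server radius (\S+)", cmd):
            groups[m.group(1)] = [c.split()[-1] for c in blocks[cmd] if c.startswith("server name ")]
    m = first_match(r"aaa authentication dot1x default group (\S+)", top)
    if not m:
        out.append("no 'aaa authentication dot1x default group <group>' method list")
    elif m.group(1) not in groups:
        out.append(f"dot1x method list references undefined group {m.group(1)}")
    if not first_match(r"aaa authorization network default group", top):
        out.append("no 'aaa authorization network default': VLAN/dACL results from ISE are ignored")
    # Every RADIUS server that may push CoA must also be a dynamic-author client.
    coa = {c.split()[1] for c in blocks["aaa server radius dynamic-author"] if c.startswith("client ")}
    out += [f"radius server {n} ({a}) is not a CoA client" for n, a in servers.items() if a and a not in coa]
    return out

def audit_interface(name, lines):
    """Checks for ports configured as 802.1X authenticators; other ports are skipped."""
    if "dot1x pae authenticator" not in lines:
        return []
    out = []
    if "authentication port-control auto" not in lines:
        out.append("no 'authentication port-control auto': port stays force-authorized (open)")
    if any(l.startswith("switchport port-security") for l in lines):
        out.append("port security with 802.1X: Cisco advises against it; the authenticator already limits MACs")
    tx = first_match(r"dot1x timeout tx-period (\d+)", lines)
    if tx and int(tx.group(1)) < TX_PERIOD_FLOOR:
        out.append(f"tx-period {tx.group(1)}s is below {TX_PERIOD_FLOOR}s; slow supplicants may fall through to MAB")
    return [f"{name}: {msg}" for msg in out]

def audit_device_sensor(top):
    """A filter-list does nothing until bound with 'device-sensor filter-spec'."""
    lists = {m.groups() for c in top if (m := re.match(r"device-sensor filter-list (\S+) list (\S+)", c))}
    bound = {m.groups() for c in top if (m := re.match(r"device-sensor filter-spec (\S+) include list (\S+)", c))}
    return [f"{p} list {n} is never bound: add 'device-sensor filter-spec {p} include list {n}'"
            for p, n in sorted(lists - bound)]

def audit(text):
    top, blocks = parse_config(text)
    report = {"global": audit_global(top, blocks), "device-sensor": audit_device_sensor(top)}
    for cmd in top:
        if cmd.startswith("interface "):
            report[cmd.split(None, 1)[1]] = audit_interface(cmd.split(None, 1)[1], blocks[cmd])
    return report

if __name__ == "__main__":
    for section, findings in audit(SAMPLE_CONFIG).items():
        for f in findings:
            print(f"[{section}] {f}")
```

Run it as-is to audit the embedded sample, or pass the saved output of "show running-config" to audit(); the parser only relies on IOS indentation, so it works on the full config of a 3650, not just the template above.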