Networking, Security & Cloud Knowledge

Friday, June 7, 2024

IEEE 802.1x (Dot1x) authentication and device-sensor configuration template for Cisco 3650

Configure dot1x

// Enable aaa//

!  
aaa new-model

!

// Create local username password for admin authentication //

!

username admin privilege 15 secret admin1

enable secret admin1

aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local

!

// Define radius server, ISE server ip = 10.10.10.10//

!

radius server ise-psn01
 address ipv4 10.10.10.10 auth-port  1812 acct-port 1813
 key Cisco123

!


// Create ISE group//

aaa group server radius ISE
 server name  ise-psn01


// AAA configuration for dot1x authentication //
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE

ip radius source-interface Vlan10

//Enable dot1x globally //
dot1x system-auth-control

// for Change of Authorization (CoA)" messages from the RADIUS server.//
aaa server radius dynamic-author
 client 10.10.10.10 server-key  Cisco123



// Interface configuration //
interface GigabitEthernet1/0/1
 switchport access vlan 88
 switchport mode access
 switchport voice vlan 118
 switchport port-security maximum 2
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable

 authentication host-mode multi-auth
 dot1x pae authenticator
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 authentication event fail action next-method
 dot1x timeout tx-period 2
 end

PAE = port access entity 





#############################################################
Configure Device Sensor

device-sensor accounting
device-sensor notify all-changes

radius-server vsa send accounting


// Creates a TLV list and enters DHCP-LIST sensor configuration mode, where you can configure individual TLVs. //

device-sensor filter-list dhcp list dhcp-list
 option name host-name
 option name domain-name
 option number 50

Note:  DHCP option 50 is used to let clients request a specific IP address ;

// Creates a TLV list and enters CDP sensor configuration mode, where you can configure individual TLVs.//

device-sensor filter-list cdp list cdp-list
 tlv name device-name
 tlv name address-type
 tlv number 34

// Creates a TLV list and enters LLDP sensor configuration mode, where you can configure individual TLVs.//

device-sensor filter-list lldp list lldp-list
 tlv name chassis-id
 tlv name management-address
 tlv number 28


Command to verify 
Switch # sh device-sensor details
Switch #sh device-sensor cache all
Switch # sh device-sensor cache int g1/0/1
Switch # sh device-sensor cache mac <mac-address>

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.