Configure dot1x
// Enable AAA //
!
aaa new-model
!
// Create a local username and password for admin authentication //
!
username admin privilege 15 secret admin1
enable secret admin1
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
// Define the RADIUS server; the ISE server IP is 10.10.10.10 //
!
radius server ise-psn01
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 key Cisco123
!
// Create the ISE server group //
aaa group server radius ISE
 server name ise-psn01
// AAA configuration for dot1x authentication //
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
ip radius source-interface Vlan10
// Enable dot1x globally //
dot1x system-auth-control
// Accept Change of Authorization (CoA) messages from the RADIUS server //
aaa server radius dynamic-author
 client 10.10.10.10 server-key Cisco123
// Interface configuration //
interface GigabitEthernet1/0/1
 switchport access vlan 88
 switchport mode access
 switchport voice vlan 118
 switchport port-security maximum 2
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
 authentication host-mode multi-auth
 dot1x pae authenticator
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 authentication event fail action next-method
 dot1x timeout tx-period 2
end
PAE = port access entity
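An added example, not part of the original post: a Python check that reads "show running-config" output and flags access ports missing the per-port commands above, plus a dot1x method list that names an undefined RADIUS group. It assumes sub-mode lines are indented the way the switch prints them; the function names and the sample config are constructed for illustration.

```python
GLOBAL_REQUIRED = ("aaa new-model", "dot1x system-auth-control")
PORT_REQUIRED = ("authentication port-control auto", "dot1x pae authenticator", "mab")
METHOD_PREFIX = "aaa authentication dot1x default group "

def parse_sections(config):
    """Map each top-level line to its indented sub-mode lines."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            continue
        if raw[0].isspace() and current:
            sections[current].append(line)
        else:
            current, sections[line] = line, []
    return sections

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in sections]
    # The dot1x method list must name a RADIUS group that exists and has a server.
    groups = [s.split()[5] for s in sections if s.startswith(METHOD_PREFIX)]
    if not groups:
        findings.append("global: no dot1x method list using a RADIUS group")
    for g in groups:
        if not sections.get(f"aaa group server radius {g}"):
            findings.append(f"global: RADIUS group '{g}' undefined or empty")
    # Every access port must carry the per-port 802.1X and MAB commands.
    for name, body in sections.items():
        if name.startswith("interface ") and "switchport mode access" in body:
            findings += [f"{name}: missing '{c}'" for c in PORT_REQUIRED if c not in body]
    return findings

# Constructed sample: Gi1/0/2 is an access port with no 802.1X commands at all.
SAMPLE = """\
aaa new-model
aaa group server radius ISE
 server name ise-psn01
aaa authentication dot1x default group ISE
dot1x system-auth-control
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mab
interface GigabitEthernet1/0/2
 switchport mode access
"""
print("\n".join(audit(SAMPLE)))
```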
#############################################################
Configure Device Sensor
device-sensor accounting
device-sensor notify all-changes
radius-server vsa send accounting
// Creates a TLV list and enters DHCP-LIST sensor configuration mode, where you can configure individual TLVs. //
device-sensor filter-list dhcp list dhcp-list
 option name host-name
 option name domain-name
 option number 50
Note: DHCP option 50 lets a client request a specific IP address.
// Creates a TLV list and enters CDP sensor configuration mode, where you can configure individual TLVs. //
device-sensor filter-list cdp list cdp-list
 tlv name device-name
 tlv name address-type
 tlv number 34
// Creates a TLV list and enters LLDP sensor configuration mode, where you can configure individual TLVs. //
device-sensor filter-list lldp list lldp-list
 tlv name chassis-id
 tlv name management-address
 tlv number 28
Commands to verify
Switch# sh device-sensor details
Switch# sh device-sensor cache all
Switch# sh device-sensor cache int g1/0/1
Switch# sh device-sensor cache mac <mac-address>