Mukesh Chanderia

ISE

Step 1 : Create Network Device Group


Go to Administration --> Network Device Groups --> All Locations --> Add New


Step 2 : Create Network Devices


Go to Administration --> Network Devices --> Add Device --> enter the switch name & IP --> add the device to the Device Group created in the step above


Step 3 : Add Password to Radius Server


Go to Administration --> Network Devices --> Add Password for Radius Server


Step 4 : Add User


Go to Administration --> Identity Management --> Identities --> Add user


Step 5 :


SW1(config)# aaa new-model


SW1(config)# aaa authentication login default enable --> default login authentication method list using the enable password


SW1(config)# radius server ISE

SW1(config-radius-server)# address ipv4 192.168.1.117 auth-port 1812 acct-port 1813


SW1(config-radius-server)# key Welcome123


SW1(config)# aaa group server radius ISE-group

SW1(config-sg-radius)# server name ISE


SW1(config)# radius-server vsa send authentication

SW1(config)# radius-server vsa send accounting --> vsa = vendor specific attributes


SW1(config)# ip device tracking --> The main IPDT task is to keep track of connected hosts (association of MAC and IP address)


SW1# test aaa group ISE-group bob Welcome123 new-code


Use ISE server for dot1x authentication


SW1(config)# aaa authentication dot1x default group radius


Use ISE server for network authorization


SW1(config)# aaa authorization network default group radius


Send accounting records to ISE


SW1(config)# aaa accounting dot1x default start-stop group radius


Include the endpoint IP in the authentication request


SW1(config)# radius-server attribute 8 include-in-access-req


Enable dot1x


SW1(config)# dot1x system-auth-control


SW1(config)# int Gig0/7

SW1(config-if)# switchport host --> puts the port in access mode & enables portfast


SW1(config-if)# authentication host-mode multi-auth


SW1(config-if)# authentication open


SW1(config-if)# authentication periodic --> enable periodic re-authentication, default 3600 sec


SW1(config-if)# authentication timer reauthenticate server


SW1(config-if)# dot1x pae authenticator --> set port as authenticator


SW1(config-if)# dot1x timeout tx-period 10 --> supplicant retry timeout


SW1(config-if)# authentication port-control auto --> enable 802.1x control of port


SW1# show dot1x all
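
To check the switch side after entering the commands above, the following Python script (an added example, not part of the original post) audits a saved running-config for the 802.1X commands used here and flags access ports that are missing them or still have `authentication open` set. The sample config and the Gi0/8 port are constructed for illustration, and `parse_sections` and `audit` are hypothetical helper names.

```python
# Constructed sample running-config (not from a real switch); Gi0/8 is a hypothetical unconfigured port.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface GigabitEthernet0/7
 switchport mode access
 authentication open
 dot1x pae authenticator
 authentication port-control auto
interface GigabitEthernet0/8
 switchport mode access
"""

GLOBAL_REQUIRED = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "dot1x system-auth-control",
]
PORT_REQUIRED = ["dot1x pae authenticator", "authentication port-control auto"]

def parse_sections(config):
    """Return (global lines, {section header: [indented sub-commands]})."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and current:
            sections[current].append(line)
        else:
            global_lines.append(line)
            current = line
            sections[current] = []
    return global_lines, sections

def audit(config):
    """List 802.1X gaps: missing global commands and unenforced access ports."""
    global_lines, sections = parse_sections(config)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in global_lines]
    for header, body in sections.items():
        if not header.startswith("interface ") or "switchport mode access" not in body:
            continue
        findings += [f"{header}: missing '{c}'" for c in PORT_REQUIRED if c not in body]
        if "authentication open" in body:
            findings.append(f"{header}: 'authentication open' passes traffic without authentication")
    return findings
```

On the sample, `audit(SAMPLE_CONFIG)` returns three findings: `authentication open` on Gi0/7 and the two missing port commands on Gi0/8.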


Go to services.msc --> Wired AutoConfig --> The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces.


Now go to the network adapter and enable IEEE 802.1X authentication.


Leave the method as Microsoft PEAP, go to Settings, and there you can enable "Validate server certificate".


Secured password (EAP-MSCHAP v2) --> Configure to automatically use my domain user and password.


Now click Additional Settings.


Now select user or computer authentication.


Choose user credentials, then save the credentials.























