Step 1 : Create Network Device Group
Go to Administration --> Network Device Groups --> All Locations --> Add New
Step 2 : Create Network Devices
Go to Administration --> Network Devices --> Add Device --> enter the switch name & IP --> add the device to the Device Group created in the step above
Step 3 : Add Password to RADIUS Server
Go to Administration --> Network Devices --> Add Password for RADIUS Server
Step 4 : Add User
Go to Administration --> Identity Management --> Identities --> Add user
Step 5 :
SW1(config)# aaa new-model
SW1(config)# aaa authentication login default enable --> the default login authentication method list uses the enable password
SW1(config)# radius server ISE
SW1(config-radius-server)# address ipv4 192.168.1.117 auth-port 1812 acct-port 1813
SW1(config-radius-server)# key Welcome123
SW1(config)# aaa group server radius ISE-group
SW1(config-sg-radius)# server name ISE
SW1(config)# radius-server vsa send authentication
SW1(config)# radius-server vsa send accounting --> VSA = vendor-specific attributes
SW1(config)# ip device tracking --> the main IPDT task is to keep track of connected hosts (association of MAC and IP address)
SW1# test aaa group ISE-group bob Welcome123 new-code
Use ISE server for dot1x authentication
SW1(config)# aaa authentication dot1x default group radius
Use ISE server for network authorization
SW1(config)# aaa authorization network default group radius
Send accounting records to ISE
SW1(config)# aaa accounting dot1x default start-stop group radius
Include the endpoint IP in the authentication request
SW1(config)# radius-server attribute 8 include-in-access-req
Enable dot1x globally
SW1(config)# dot1x system-auth-control
SW1(config)# int Gig0/7
SW1(config-if)# switchport host --> puts the port in access mode & enables portfast
SW1(config-if)# authentication host-mode multi-auth
SW1(config-if)# authentication open --> open access: traffic is permitted on the port before authentication completes
SW1(config-if)# authentication periodic --> enable periodic reauthentication (default 3600 sec)
SW1(config-if)# authentication timer reauthenticate server --> take the reauthentication interval from the RADIUS server
SW1(config-if)# dot1x pae authenticator --> set port as authenticator
SW1(config-if)# dot1x timeout tx-period 10 --> supplicant retry timeout
SW1(config-if)# authentication port-control auto --> enable 802.1x control of port
SW1# show dot1x all
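An added example, not part of the original guide: a Python check that reads a saved running-config and reports which of the 802.1X commands configured above are missing, and which access ports still have "authentication open" set. The config excerpt is constructed for illustration, the names audit and SAMPLE_CONFIG are hypothetical, and it assumes "switchport host" shows up in the running-config as "switchport mode access".

```python
import re

# Constructed running-config excerpt for illustration (not captured from a real switch).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface GigabitEthernet0/7
 switchport mode access
 authentication open
 authentication port-control auto
 dot1x pae authenticator
interface GigabitEthernet0/8
 switchport mode access
"""

GLOBAL_REQUIRED = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "dot1x system-auth-control",
]
PORT_REQUIRED = ["authentication port-control auto", "dot1x pae authenticator"]

def audit(config):
    """Return findings for the 802.1X commands this guide configures."""
    lines = config.splitlines()
    top_level = {l.strip() for l in lines if not l.startswith(" ")}
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in top_level]
    ports, current = {}, None
    for line in lines:  # group indented sub-commands under their interface header
        header = re.match(r"interface (\S+)", line)
        if header:
            current = ports.setdefault(header.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None
    for name, cmds in ports.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and routed ports are out of scope here
        findings += [f"{name}: missing '{c}'" for c in PORT_REQUIRED if c not in cmds]
        if "authentication open" in cmds:
            findings.append(f"{name}: 'authentication open' permits traffic before authentication")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```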
On the Windows client, go to services.msc --> Wired AutoConfig. The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces.
Now go to the network adapter and enable IEEE 802.1X authentication.
Leave the method as Microsoft PEAP, then go to Settings, where you can enable "Validate server certificate". Validation is what lets the client confirm the RADIUS server's identity before it sends credentials.
Secured password (EAP-MSCHAP v2) --> Configure it to automatically use my domain user and password.
Now click Additional Settings.
Now select user or computer authentication.
Choose user credentials, then save the credentials.