Ethernet 802.1X configuration – Cisco (most models)

In this topic, you will learn how to configure Cisco switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

General configuration (IOS/NX-OS)

This is a general configuration template for Cisco switches with the IOS or NX-OS operating system.

Warning: We tested this configuration on several models and several versions of Cisco operating systems (IOS and NX-OS) but we cannot guarantee that it will cover every Cisco model. Also, the configuration is general and may not fit every single environment. Therefore, to get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by Cisco on these topics for your particular device model and OS version.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your individual RADIUS server addresses, ports, and keys, as well as device interfaces by replacing the values presented as underlined italics.
  1. Enable AAA services on the device. 
    aaa new-model
  2. Create a new RADIUS server group. 
    aaa group server radius PORTNOX

    In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.

    1. Add a group member to represent the US RADIUS server. 
      server name PORTNOX-CLOUD-US
    2. Add a group member to represent the Europe RADIUS server. 
      server name PORTNOX-CLOUD-EMEA
    3. Exit group member configuration. 
      exit
  3. Configure the switch to use the RADIUS server group for authentication. 
    aaa authentication dot1x default group PORTNOX
  4. Configure the switch to use the RADIUS server group for authorization. 
    aaa authorization network default group PORTNOX
  5. Send new accounting information to the RADIUS server group. 
    aaa accounting update newinfo
  6. Send all session start and stop events to the RADIUS server group.
    Warning: If your switch responds with the following warning, type No and proceed to the next step:

    This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding. Do you wish to continue?.

    Do not answer Yes, or you may irreversibly change your configuration; to fix it, you will have to reset your switch to factory settings.

    aaa accounting identity default start-stop group PORTNOX
  7. Send all session stop events to the RADIUS server group even if there is no start event. 
    aaa accounting send stop-record always
  8. Enable 802.1X port-based authentication on the device. 
    dot1x system-auth-control
  9. Optional: Enable critical EAP over LAN (EAPOL) frames, allowing them to be processed with higher priority in the authentication process. 
    dot1x critical eapol
  10. Optional: Specify the time interval during which critical EAP over LAN (EAPOL) frames must be received for successful recovery in case of interruption. 
    dot1x critical recovery delay 2000
  11. Optional: Specify that the switch considers the RADIUS server as dead if no response is received within 30 seconds for four consecutive attempts. 
    radius-server dead-criteria time 30 tries 4
  12. Optional: Set the amount of time during which a RADIUS server is considered unreachable or dead after a specified number of consecutive failed attempts. 
    radius-server deadtime 30
  13. Add your individual Portnox Cloud RADIUS server IPs and ports to the switch configuration:
    Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
    1. Add the US Cloud RADIUS server: 
      radius server PORTNOX-CLOUD-US
      address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
      key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
      exit
    2. Add the Europe Cloud RADIUS server: 
      radius server PORTNOX-CLOUD-EMEA
      address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
      key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
      exit
  14. Configure 802.1X authentication on interface 0/1: 
    interface gigabitethernet 0/1
    Note: This is an example interface. Adjust the interface in the configuration to your specific interface.
    1. Enable auto port control for authentication, allowing the switch port to dynamically determine whether to permit or restrict traffic based on the authentication status of the connected device. 
      authentication port-control auto
      Note: On some switch models, notably Cisco 9300, you may have to first run the following command: 
      switchport mode access
    2. Configure the 802.1X Port Access Entity (PAE) on a switch port to operate in authenticator mode, enabling the port to control access based on the authentication status of connected devices. 
      dot1x pae authenticator
    3. Enable the single-host mode for authentication, allowing only one MAC address per port to be authenticated, preventing multiple devices from connecting through a single port. 
      authentication host-mode single-host
    4. Optional: Enable MAC address bypass authentication on the interface. 
      mab
    5. Configure the order in which authentication methods are attempted on a port, specifying that the switch should first attempt 802.1X authentication and then fall back to MAC Authentication Bypass (MAB) if 802.1X authentication is not successful. 
      authentication order dot1x mab
  15. Configure a critical auth VLAN
    Note: If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.
    Note: This function may be unsupported on some switches. Consult Cisco documentation for more information about its availability for your specific model and software version.
    1. Define the VLAN that will be used for critical authentication: 
      vlan 10

      In this example, we are using VLAN 10, but you can use a different configuration.

    2. Assign an IP Address to the VLAN: 
      interface vlan 10 ip address 10.0.10.0 255.255.255.0

      In this example, we are using the network 10.0.10.0/24 but you can use a different configuration.

    3. Configure the g0/1 interface to use the critical auth VLAN: 
      interface gigabitethernet g0/1
      authentication event server dead action authorize vlan 10

      If you’re using a different VLAN, change the vlan 10 parameter.

  16. Verify the 802.1X configuration. 
    show dot1x all

    Expected output:

    Sysauthcontrol Enabled
Dot1x Protocol Version 2
Dot1x Info for GigabitEthernet0/1
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
Critical Auth VLAN = 10
Server Dead Action = Authorize VLAN 10
  17. Optional: Debug the 802.1X configuration, if necessary. 
    debug mab all
    debug dot1x all
    debug radius
    debug aaa authentication
    debug aaa authorization

Here is the entire example configuration for your convenience:

aaa new-model
!
aaa group server radius PORTNOX
  server name PORTNOX-CLOUD-US
  server name PORTNOX-CLOUD-EMEA
  exit
!
aaa authentication dot1x default group PORTNOX
aaa authorization network default group PORTNOX
aaa accounting update newinfo
aaa accounting identity default start-stop group PORTNOX
aaa accounting send stop-record always
!
dot1x system-auth-control
!
dot1x critical eapol
dot1x critical recovery delay 2000
!
radius-server dead-criteria time 30 tries 4
radius-server deadtime 30
!
radius server PORTNOX-CLOUD-US
  address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
  key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  exit
!
radius server PORTNOX-CLOUD-EMEA
  address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
  key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  exit
!
interface gigabitethernet 0/1
  authentication port-control auto
  dot1x pae authenticator
  authentication host-mode single-host 
  mab
  authentication order dot1x mab
!
vlan 10
interface vlan 10 ip address 10.0.10.0 255.255.255.0
!
interface gigabitethernet 0/1
authentication event server dead action authorize vlan 10

IBNS 2.0 (multi-domain)

This is a multi-domain configuration template for Cisco switches with IBNS 2.0.

  1. Enable AAA services on the device. 
    aaa new-model
  2. Add your individual Portnox Cloud RADIUS server IPs and ports to the switch configuration:
    Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
    1. Add the US Cloud RADIUS server: 
      radius server PORTNOX-CLOUD-US
      address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
      key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
      exit
    2. Add the Europe Cloud RADIUS server: 
      radius server PORTNOX-CLOUD-EMEA
      address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
      key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
      exit
  3. Create a new RADIUS server group. 
    aaa group server radius PORTNOX

    In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.

    1. Add a group member to represent the US RADIUS server. 
      server name PORTNOX-CLOUD-US
    2. Add a group member to represent the Europe RADIUS server. 
      server name PORTNOX-CLOUD-EMEA
    3. Exit group member configuration. 
      exit
  4. Configure the switch to use the RADIUS server group for authentication. 
    aaa authentication dot1x default group PORTNOX
  5. Configure the switch to use the RADIUS server group for authorization. 
    aaa authorization network default group PORTNOX
  6. Enable 802.1X port-based authentication on the device. 
    dot1x system-auth-control
  7. Verify or configure the needed class-map types that will be used in the interface policy-map supporting 802.1X. 
    class-map type control subscriber match-all DOT1X
      match method dot1x
    class-map type control subscriber match-all DOT1X_FAILED
      match method dot1x
      match result-type method dot1x authoritative
    class-map type control subscriber match-all DOT1X_NO_RESP
      match method dot1x
      match result-type method dot1x agent-not-found
    class-map type control subscriber match-all MAB
      match method mab
    class-map type control subscriber match-all MAB_FAILED
      match method mab
      match result-type method mab authoritative
  8. Configure the subscriber policy-map that will be used to control 802.1X authentication. 
    policy-map type control subscriber DOT1X_MAB_MULTIDOMAIN
      event session-started match-all
        10 class always do-until-failure
          10 authenticate using dot1x priority 10
          20 authenticate using mab priority 20
      event authentication-failure match-first
        10 class DOT1X_FAILED do-until-failure
          10 terminate dot1x
        20 class MAB_FAILED do-until-failure
          10 terminate mab
          20 authenticate using dot1x priority 10
        30 class DOT1X_NO_RESP do-until-failure
          10 terminate dot1x
          20 authentication-restart 60
        40 class always do-until-failure
          10 terminate mab
          20 terminate dot1x
          30 authentication-restart 60
      event agent-found match-all
        10 class always do-until-failure
          10 terminate mab
          20 authenticate using dot1x priority 10
  9. Configure appropriate interfaces to use 802.1X authentication. 
    interface GigabitEthernet1/0/1
      switchport access vlan 613
      switchport mode access
      switchport voice vlan 612
      access-session closed
      access-session host-mode multi-domain
      access-session port-control auto
      mab
      dot1x pae authenticator
      spanning-tree portfast
      service-policy type control subscriber DOT1X_MAB_MULTIDOMAIN
  10. Optional: Debug the 802.1X configuration, if necessary. 
    debug mab all
    debug dot1x all
    debug radius
    debug pre all
    Note: Optionally, for debug pre, you can use only event and/or rule to limit the output to the information relevant to IBNS 2.0.
    debug aaa authentication
    debug aaa authorization

Here is the entire example configuration for your convenience:

aaa new-model
!
radius server PORTNOX-CLOUD-US
  address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
  key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  exit
radius server PORTNOX-CLOUD-EMEA
  address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
  key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  exit
aaa group server radius PORTNOX
  server name PORTNOX-CLOUD-US
  server name PORTNOX-CLOUD-EMEA
  exit
aaa authentication dot1x default group PORTNOX
aaa authorization network default group PORTNOX
!
dot1x system-auth-control
!
class-map type control subscriber match-all DOT1X
match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all MAB
match method mab
!
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
!
policy-map type control subscriber DOT1X_MAB_MULTIDOMAIN
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
      20 authenticate using mab priority 20
  event authentication-failure match-first
    10 class DOT1X_FAILED do-until-failure
      10 terminate dot1x
    20 class MAB_FAILED do-until-failure
      10 terminate mab
      20 authenticate using dot1x priority 10
    30 class DOT1X_NO_RESP do-until-failure
      10 terminate dot1x
      20 authentication-restart 60
    40 class always do-until-failure
      10 terminate mab
      20 terminate dot1x
      30 authentication-restart 60
  event agent-found match-all
    10 class always do-until-failure
      10 terminate mab
      20 authenticate using dot1x priority 10
!
interface GigabitEthernet1/0/1
  switchport access vlan 613
  switchport mode access
  switchport voice vlan 612
  access-session closed
  access-session host-mode multi-domain
  access-session port-control auto
  mab
  dot1x pae authenticator
  spanning-tree portfast
  service-policy type control subscriber DOT1X_MAB_MULTIDOMAIN
Note: The following is an alternative policy map segment of the configuration. We recommend this setup if the above configuration causes the NAS device to attempt MAB authentication even for 802.1X devices, resulting in excess alerts.
!
policy-map type control subscriber DOT1X_MAB_MULTIDOMAIN
event session-started match-all
  10 class always do-until-failure
    10 authenticate using dot1x priority 10
event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
    10 terminate dot1x
    20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
    10 terminate dot1x
    20 authentication-restart 60
  30 class DOT1X_FAILED do-until-failure
    10 terminate dot1x
    20 authenticate using mab priority 20   
  40 class always do-until-failure
    10 terminate dot1x
    20 terminate mab
    30 authentication-restart 60
event agent-found match-all
  10 class always do-until-failure
    10 terminate mab
    20 authenticate using dot1x priority 10
!