Ethernet 802.1X configuration – Cisco (most models)

In this topic, you will learn how to configure Cisco switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.

Important:

This guide provides general instructions for integrating Portnox Cloud with specific third-party devices. While we aim to provide helpful examples for commonly used models, configurations may vary across manufacturers, models, and environments. As a result, we cannot guarantee that these steps will work in every scenario. For questions or issues related to RADIUS setup – which is an industry standard and not specific to Portnox – or device-specific settings and troubleshooting, we recommend consulting the device manufacturer’s documentation and contacting their support team. While Portnox Support is happy to assist where possible, please note that detailed configuration of third-party devices is typically best handled by the manufacturer.

Important:

All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.

General configuration (IOS/NX-OS)

This is a general configuration template for Cisco switches with the IOS or NX-OS operating system.

Warning:

We tested this configuration on several models and several versions of Cisco operating systems (IOS and NX-OS) but we cannot guarantee that it will cover every Cisco model. Also, the configuration is general and may not fit every single environment. Therefore, to get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by Cisco on these topics for your particular device model and OS version.

Enable AAA services on the device.
```
aaa new-model
```
Create a new RADIUS server group.
```
aaa group server radius PORTNOX
```
In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.
1. Add a group member to represent the US RADIUS server.
```
server name PORTNOX-CLOUD-US
```
2. Add a group member to represent the Europe RADIUS server.
```
server name PORTNOX-CLOUD-EMEA
```
3. Exit group member configuration.
```
exit
```
Configure the switch to use the RADIUS server group for authentication.
```
aaa authentication dot1x default group PORTNOX
```
Configure the switch to use the RADIUS server group for authorization.
```
aaa authorization network default group PORTNOX
```
Send new accounting information to the RADIUS server group.
```
aaa accounting update newinfo
```
Send all session start and stop events to the RADIUS server group.
Warning:
If your switch responds with the following warning, type No and proceed to the next step:
This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding. Do you wish to continue?.
Do not answer Yes, or you may irreversibly change your configuration; to fix it, you will have to reset your switch to factory settings.
```
aaa accounting identity default start-stop group PORTNOX
```
Send all session stop events to the RADIUS server group even if there is no start event.
```
aaa accounting send stop-record always
```
Enable 802.1X port-based authentication on the device.
```
dot1x system-auth-control
```
Optional: Enable critical EAP over LAN (EAPOL) frames, allowing them to be processed with higher priority in the authentication process.
```
dot1x critical eapol
```
Optional: Specify the time interval during which critical EAP over LAN (EAPOL) frames must be received for successful recovery in case of interruption.
```
dot1x critical recovery delay 2000
```
Optional: Specify that the switch considers the RADIUS server as dead if no response is received within 30 seconds for four consecutive attempts.
```
radius-server dead-criteria time 30 tries 4
```
Optional: Set the amount of time (in minutes) during which a RADIUS server is considered unreachable or dead after a specified number of consecutive failed attempts.
```
radius-server deadtime 3
```
Add your individual Portnox Cloud RADIUS server IPs and ports to the switch configuration:
Important:
The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
1. Add the US Cloud RADIUS server:
```
radius server PORTNOX-CLOUD-US
```
```
address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
```
```
key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
```
```
exit
```
2. Add the Europe Cloud RADIUS server:
```
radius server PORTNOX-CLOUD-EMEA
```
```
address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
```
```
key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
```
```
exit
```
Configure 802.1X authentication on interface 0/1:
```
interface gigabitethernet 0/1
```
Note:
This is an example interface. Adjust the interface in the configuration to your specific interface.
1. Enable auto port control for authentication, allowing the switch port to dynamically determine whether to permit or restrict traffic based on the authentication status of the connected device.
```
authentication port-control auto
```
  Note:
  On some switch models, notably Cisco 9300, you may have to first run the following command:
  switchport mode access
2. Configure the 802.1X Port Access Entity (PAE) on a switch port to operate in authenticator mode, enabling the port to control access based on the authentication status of connected devices.
```
dot1x pae authenticator
```
3. Enable the single-host mode for authentication, allowing only one MAC address per port to be authenticated, preventing multiple devices from connecting through a single port.
```
authentication host-mode single-host
```
4. Optional: Enable MAC address bypass authentication on the interface.
```
mab
```
5. Configure the order in which authentication methods are attempted on a port, specifying that the switch should first attempt 802.1X authentication and then fall back to MAC Authentication Bypass (MAB) if 802.1X authentication is not successful.
```
authentication order dot1x mab
```
Configure a critical auth VLAN

Note:
If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.

Note:
This function may be unsupported on some switches. Consult Cisco documentation for more information about its availability for your specific model and software version.
1. Define the VLAN that will be used for critical authentication:
```
vlan 10
```
  In this example, we are using VLAN 10, but you can use a different configuration.
2. Assign an IP Address to the VLAN:
```
interface vlan 10 ip address 10.0.10.0 255.255.255.0
```
  In this example, we are using the network 10.0.10.0/24 but you can use a different configuration.
3. Configure the g0/1 interface to use the critical auth VLAN:
```
interface gigabitethernet g0/1
```
```
authentication event server dead action authorize vlan 10
```
  If you’re using a different VLAN, change the vlan 10 parameter.

Verify the 802.1X configuration.

show dot1x all

Expected output:

Sysauthcontrol Enabled
Dot1x Protocol Version 2
Dot1x Info for GigabitEthernet0/1
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
Critical Auth VLAN = 10
Server Dead Action = Authorize VLAN 10

Optional: Debug the 802.1X configuration, if necessary.

debug mab all

debug dot1x all

debug radius

debug aaa authentication

debug aaa authorization

Here is the entire example configuration for your convenience:

aaa new-model
!
aaa group server radius PORTNOX
  server name PORTNOX-CLOUD-US
  server name PORTNOX-CLOUD-EMEA
  exit
!
aaa authentication dot1x default group PORTNOX
aaa authorization network default group PORTNOX
aaa accounting update newinfo
aaa accounting identity default start-stop group PORTNOX
aaa accounting send stop-record always
!
dot1x system-auth-control
!
dot1x critical eapol
dot1x critical recovery delay 2000
!
radius-server dead-criteria time 30 tries 4
radius-server deadtime 30
!
radius server PORTNOX-CLOUD-US
  address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
  key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  exit
!
radius server PORTNOX-CLOUD-EMEA
  address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
  key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  exit
!
interface gigabitethernet 0/1
  authentication port-control auto
  dot1x pae authenticator
  authentication host-mode single-host 
  mab
  authentication order dot1x mab
!
vlan 10
interface vlan 10 ip address 10.0.10.0 255.255.255.0
!
interface gigabitethernet 0/1
authentication event server dead action authorize vlan 10

IBNS 2.0 (multi-domain)

This is a multi-domain configuration template for Cisco switches with IBNS 2.0.

Enable AAA services on the device.
```
aaa new-model
```
Add your individual Portnox Cloud RADIUS server IPs and ports to the switch configuration:
Important:
The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
1. Add the US Cloud RADIUS server:
```
radius server PORTNOX-CLOUD-US
```
```
address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
```
```
key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
```
```
exit
```
2. Add the Europe Cloud RADIUS server:
```
radius server PORTNOX-CLOUD-EMEA
```
```
address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
```
```
key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
```
```
exit
```
Create a new RADIUS server group.
```
aaa group server radius PORTNOX
```
In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.
1. Add a group member to represent the US RADIUS server.
```
server name PORTNOX-CLOUD-US
```
2. Add a group member to represent the Europe RADIUS server.
```
server name PORTNOX-CLOUD-EMEA
```
3. Exit group member configuration.
```
exit
```
Configure the switch to use the RADIUS server group for authentication.
```
aaa authentication dot1x default group PORTNOX
```
Configure the switch to use the RADIUS server group for authorization.
```
aaa authorization network default group PORTNOX
```
Enable 802.1X port-based authentication on the device.
```
dot1x system-auth-control
```

Verify or configure the needed class-map types that will be used in the interface policy-map supporting 802.1X.

class-map type control subscriber match-all DOT1X

  match method dot1x

class-map type control subscriber match-all DOT1X_FAILED

  match method dot1x

  match result-type method dot1x authoritative

class-map type control subscriber match-all DOT1X_NO_RESP

  match method dot1x

  match result-type method dot1x agent-not-found

class-map type control subscriber match-all MAB

  match method mab

class-map type control subscriber match-all MAB_FAILED

  match method mab

  match result-type method mab authoritative

Configure the subscriber policy-map that will be used to control 802.1X authentication.

policy-map type control subscriber DOT1X_MAB_MULTIDOMAIN

  event session-started match-all

    10 class always do-until-failure

      10 authenticate using dot1x priority 10

      20 authenticate using mab priority 20

  event authentication-failure match-first

    10 class DOT1X_FAILED do-until-failure

      10 terminate dot1x

    20 class MAB_FAILED do-until-failure

      10 terminate mab

      20 authenticate using dot1x priority 10

    30 class DOT1X_NO_RESP do-until-failure

      10 terminate dot1x

      20 authentication-restart 60

    40 class always do-until-failure

      10 terminate mab

      20 terminate dot1x

      30 authentication-restart 60

  event agent-found match-all

    10 class always do-until-failure

      10 terminate mab

      20 authenticate using dot1x priority 10

Configure appropriate interfaces to use 802.1X authentication.

interface GigabitEthernet1/0/1

  switchport access vlan 613

  switchport mode access

  switchport voice vlan 612

  access-session closed

  access-session host-mode multi-domain

  access-session port-control auto

mab

  dot1x pae authenticator

  spanning-tree portfast

  service-policy type control subscriber DOT1X_MAB_MULTIDOMAIN

Optional: Debug the 802.1X configuration, if necessary.
```
debug mab all
```
```
debug dot1x all
```
```
debug radius
```
```
debug pre all
```
Note:
Optionally, for debug pre, you can use only event and/or rule to limit the output to the information relevant to IBNS 2.0.
```
debug aaa authentication
```
```
debug aaa authorization
```

Here is the entire example configuration for your convenience:

aaa new-model
!
radius server PORTNOX-CLOUD-US
  address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
  key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  exit
radius server PORTNOX-CLOUD-EMEA
  address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
  key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  exit
aaa group server radius PORTNOX
  server name PORTNOX-CLOUD-US
  server name PORTNOX-CLOUD-EMEA
  exit
aaa authentication dot1x default group PORTNOX
aaa authorization network default group PORTNOX
!
dot1x system-auth-control
!
class-map type control subscriber match-all DOT1X
match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all MAB
match method mab
!
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
!
policy-map type control subscriber DOT1X_MAB_MULTIDOMAIN
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
      20 authenticate using mab priority 20
  event authentication-failure match-first
    10 class DOT1X_FAILED do-until-failure
      10 terminate dot1x
    20 class MAB_FAILED do-until-failure
      10 terminate mab
      20 authenticate using dot1x priority 10
    30 class DOT1X_NO_RESP do-until-failure
      10 terminate dot1x
      20 authentication-restart 60
    40 class always do-until-failure
      10 terminate mab
      20 terminate dot1x
      30 authentication-restart 60
  event agent-found match-all
    10 class always do-until-failure
      10 terminate mab
      20 authenticate using dot1x priority 10
!
interface GigabitEthernet1/0/1
  switchport access vlan 613
  switchport mode access
  switchport voice vlan 612
  access-session closed
  access-session host-mode multi-domain
  access-session port-control auto
  mab
  dot1x pae authenticator
  spanning-tree portfast
  service-policy type control subscriber DOT1X_MAB_MULTIDOMAIN

Note:

The following is an alternative policy map segment of the configuration. We recommend this setup if the above configuration causes the NAS device to attempt MAB authentication even for 802.1X devices, resulting in excess alerts.

!
policy-map type control subscriber DOT1X_MAB_MULTIDOMAIN
event session-started match-all
  10 class always do-until-failure
    10 authenticate using dot1x priority 10
event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
    10 terminate dot1x
    20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
    10 terminate dot1x
    20 authentication-restart 60
  30 class DOT1X_FAILED do-until-failure
    10 terminate dot1x
    20 authenticate using mab priority 20   
  40 class always do-until-failure
    10 terminate dot1x
    20 terminate mab
    30 authentication-restart 60
event agent-found match-all
  10 class always do-until-failure
    10 terminate mab
    20 authenticate using dot1x priority 10
!

Cisco 9200/9300 RadSec

This section contains an example configuration for the Cisco Catalyst 9200/9300 Ethernet switches and Portnox Cloud RADIUS servers using secure RADIUS (RadSec) connections.

Turn on RadSec connections for your Cloud RADIUS server(s).
1. Open your Portnox Cloud tenant in a web browser.
2. Go to Settings > Services > CLOUD RADIUS SERVICE > Cloud RADIUS instance and select the Cloud RADIUS server that you want to connect to using RadSec. Then, click on the ⋮ > Edit link.
3. Activate the Enable RADIUS over TLS (RadSec) checkbox.
4. Click on the Download root certificate link to download the root CA certificate, which you will need later on in the configuration process.
5. Copy the following information and store it, for example, in a text file. You will need this information later on in the configuration process:
  - Cloud RADIUS IP
  - Authentication port
  - Accounting port
  - Shared Secret (click on the ⧉ icon)
6. Click on the Save button to save your changes.
Import the Portnox root CA certificate using one of the following methods:
- Connect to your Cisco Catalyst switch console and import the root CA certificate:
```
crypto pki trustpool import url https://cacerts.digicert.com/DigiCertTrustedRootG4.crt
```
- Alternatively, use the Cisco web user interface as described below:
1. Alternatively, open your Cisco 9200/9300 web user interface and navigate to Configuration > Security > PKI Management. Then, click on the Trustpool tab.
2. Click on the Import button, and import the root CA certificate that you downloaded earlier from Portnox Cloud.

In the console, configure the interface that you want to use as the source for RadSec connections.

For example:

interface GigabitEthernet1/0/2
switchport mode access
access-session host-mode single-host
access-session port-control auto
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 60
service-policy type control subscriber DOT1X

Add an authentication RADIUS server.

Important:

The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.

For example:

radius server PORTNOX-CLOUD-US-AUTH
address ipv4 20.119.69.248                          
key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
tls port 10322
tls idletimeout 75
tls watchdoginterval 10
tls connectiontimeout 10
tls retries 15
tls ip radius source-interface GigabitEthernet1/0/2
tls match-server-identity hostname clear-rad.portnox.com

Add an accounting RADIUS server.

For example:

radius server PORTNOX-CLOUD-US-ACCT
address ipv4 20.119.69.248                          
key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
tls port 10323
tls idletimeout 75
tls watchdoginterval 10
tls connectiontimeout 10
tls retries 15
tls ip radius source-interface GigabitEthernet1/0/2
tls match-server-identity hostname clear-rad.portnox.com

Optional: Repeat the two above steps for the second Cloud RADIUS server, if necessary.

For example, you can create servers PORTNOX-CLOUD-EMEA-AUTH and PORTNOX-CLOUD-EMEA-ACCT.

Create a group for RadSec servers.

aaa server group radius PortnoxRadSec                            
server 20.119.69.248 auth port 10322 acct port 10323
server 52.232.122.157 auth port 10476 acct port 10477

Note:

Use the second server command only if you also configured the second Cloud RADIUS server earlier.

Update your AAA commands to use the RadSec server group.

aaa authentication dot1x default group PortnoxRadSec
aaa authorization network default group PortnoxRadSec
aaa accounting dot1x default start-stop group PortnoxRadSec