3.4 802.1X Deployment for SD-Access
3.4.1 Authentication Deployment Modes
Phased Deployment Approach
┌─────────────────────────────────────────────────────────────────────────────────┐
│ 802.1X PHASED DEPLOYMENT APPROACH │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ PHASE 1: MONITOR MODE (Weeks 1-4) │
│ ───────────────────────────────── │
│ • Authentication enabled, authorization bypassed │
│ • All traffic permitted regardless of auth result │
│ • Collect data on endpoints, authentication methods │
│ • Identify non-802.1X devices for MAB whitelist │
│ • No user impact │
│ │
│ PHASE 2: LOW-IMPACT MODE (Weeks 5-8) │
│ ──────────────────────────────────── │
│ • Pre-auth ACL allows critical traffic (DHCP, DNS, AD) │
│ • Failed auth gets limited access (not full deny) │
│ • Successful auth gets full access │
│ • Minimal user impact │
│ │
│ PHASE 3: CLOSED MODE (Weeks 9-10) │
│ ───────────────────────────────── │
│ • Full enforcement - no access without authentication │
│ • Critical VLAN for ISE-unreachable scenarios │
│ • Failed auth denied or quarantined │
│ • Full security enforcement │
│ │
│ PHASE 4: PRODUCTION (Ongoing) │
│ ──────────────────────────────── │
│ • Continuous monitoring and tuning │
│ • Exception handling process │
│ • Periodic compliance audits │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
3.4.2 Global AAA Configuration
AAA Commands for Fabric Edge
! ============================================================
! AAA GLOBAL CONFIGURATION - ALL FABRIC EDGE NODES
! ============================================================
! Enable AAA
aaa new-model
! Authentication Methods
aaa authentication dot1x default group radius
aaa authentication login default local
aaa authentication login CONSOLE none
! Authorization Methods
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa authorization configuration default group radius
! Accounting Methods
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group radius
! Enable 802.1X globally
dot1x system-auth-control
dot1x critical eapol
! RADIUS Server Configuration
radius server ISE-PSN-1
address ipv4 10.252.31.11 auth-port 1812 acct-port 1813
timeout 5
retransmit 2
key 7 <encrypted-key>
radius server ISE-PSN-2
address ipv4 10.252.31.12 auth-port 1812 acct-port 1813
timeout 5
retransmit 2
key 7 <encrypted-key>
! RADIUS Server Group
aaa group server radius ISE-SERVERS
server name ISE-PSN-1
server name ISE-PSN-2
ip radius source-interface Loopback0
load-balance method least-outstanding
! RADIUS Attributes
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 3
radius-server vsa send authentication
radius-server vsa send accounting
! CoA (Change of Authorization)
aaa server radius dynamic-author
client 10.252.31.11 server-key <coa-key>
client 10.252.31.12 server-key <coa-key>
port 1700
auth-type any
3.4.3 Device Tracking Configuration
IP Device Tracking (IPDT)
! ============================================================
! DEVICE TRACKING CONFIGURATION
! ============================================================
! Upgrade to new-style device tracking
device-tracking upgrade-cli force
! Device Tracking Policy
device-tracking policy IPDT-POLICY
tracking enable
limit address-count 10
security-level glean
no protocol udp
no protocol ndp
! Device Tracking for DHCP Snooping
ip dhcp snooping
ip dhcp snooping vlan 100-199
no ip dhcp snooping information option
! Apply to interfaces
interface range GigabitEthernet1/0/1-48
device-tracking attach-policy IPDT-POLICY
ip dhcp snooping limit rate 100
3.4.4 Phase 1: Monitor Mode Configuration
Monitor Mode Interface Template
! ============================================================
! PHASE 1: MONITOR MODE - LEARNING PHASE
! ============================================================
! Purpose: Log all authentication attempts, permit all traffic
! Duration: 4 weeks minimum
! Impact: None - all traffic permitted
interface GigabitEthernet1/0/1
description USER-PORT-MONITOR-MODE
switchport mode access
switchport access vlan 100
! Device Tracking
device-tracking attach-policy IPDT-POLICY
! Authentication Configuration
authentication event fail action authorize vlan 100
authentication event server dead action authorize vlan 100
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication event no-response action authorize vlan 100
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 3600
authentication violation restrict
! MAB Configuration
mab
! 802.1X Configuration
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
dot1x max-reauth-req 2
! Device Sensor for Profiling
snmp trap mac-notification change added
snmp trap mac-notification change removed
! Spanning Tree
spanning-tree portfast edge
spanning-tree bpduguard enable
Monitor Mode Validation
! Verify authentication attempts
show authentication sessions
! Check authentication method used
show authentication sessions interface Gi1/0/1 details
! Review failed authentications
show authentication sessions | include Failed
! Check RADIUS statistics
show aaa servers
! Analyze for profiling
show device-tracking database
3.4.5 Phase 2: Low-Impact Mode Configuration
Pre-Authentication ACL
! ============================================================
! PRE-AUTHENTICATION ACL FOR LOW-IMPACT MODE
! ============================================================
! ACL applied before authentication completes
ip access-list extended ACL-PRE-AUTH
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark Allow TFTP for IP phones
permit udp any any eq tftp
remark Allow ping
permit icmp any any
remark Allow AD Authentication
permit tcp any host 10.252.1.50 eq 88
permit tcp any host 10.252.1.51 eq 88
permit udp any host 10.252.1.50 eq 88
permit udp any host 10.252.1.51 eq 88
permit tcp any host 10.252.1.50 eq 389
permit tcp any host 10.252.1.51 eq 389
remark Deny all other
deny ip any any
! Default ACL for authenticated users (if no dACL from ISE)
ip access-list extended ACL-DEFAULT-PERMIT
permit ip any any
Low-Impact Mode Interface Template
! ============================================================
! PHASE 2: LOW-IMPACT MODE
! ============================================================
! Purpose: Pre-auth ACL permits critical traffic
! Duration: 4 weeks
! Impact: Minimal - failed auth gets limited access
interface GigabitEthernet1/0/1
description USER-PORT-LOW-IMPACT-MODE
switchport mode access
switchport access vlan 100
! Device Tracking
device-tracking attach-policy IPDT-POLICY
! Pre-Authentication ACL (Low-Impact)
ip access-group ACL-PRE-AUTH in
! Authentication Configuration
authentication event fail action authorize vlan 100
authentication event server dead action authorize vlan 999
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication event no-response action authorize vlan 100
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
! MAB Fallback
mab
! 802.1X
dot1x pae authenticator
dot1x timeout tx-period 10
! Spanning Tree
spanning-tree portfast edge
spanning-tree bpduguard enable
3.4.6 Phase 3: Closed Mode Configuration
Closed Mode Interface Template
! ============================================================
! PHASE 3: CLOSED MODE - FULL ENFORCEMENT
! ============================================================
! Purpose: No access without successful authentication
! Duration: Ongoing production
! Impact: Full - failed auth denied
interface GigabitEthernet1/0/1
description USER-PORT-CLOSED-MODE
switchport mode access
switchport access vlan 100
! Device Tracking
device-tracking attach-policy IPDT-POLICY
! NO Pre-Auth ACL (Closed Mode)
no ip access-group ACL-PRE-AUTH in
! Authentication Configuration - CLOSED
authentication event fail action authorize vlan 999
authentication event server dead action authorize vlan 999
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication event no-response action authorize vlan 999
authentication host-mode multi-auth
no authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
! MAB Fallback
mab
! 802.1X
dot1x pae authenticator
dot1x timeout tx-period 10
! Spanning Tree
spanning-tree portfast edge
spanning-tree bpduguard enable
Critical VLAN Configuration
! ============================================================
! CRITICAL VLAN (ISE Unreachable Scenario)
! ============================================================
! VLAN Definition
vlan 999
name CRITICAL-AUTH
! SVI for Critical VLAN
interface Vlan999
description CRITICAL-AUTH-VLAN
ip address 10.199.0.1 255.255.255.0
ip helper-address 10.252.1.40
no shutdown
! Critical Authentication ACL
ip access-list extended ACL-CRITICAL
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark Allow ISE for re-auth when available
permit ip any host 10.252.31.11
permit ip any host 10.252.31.12
remark Deny all other
deny ip any any log
3.4.7 Multi-Domain Authentication (Voice + Data)
Voice VLAN Configuration
! ============================================================
! MULTI-DOMAIN AUTHENTICATION (MDA) FOR VOICE + DATA
! ============================================================
interface GigabitEthernet1/0/1
description USER-PORT-WITH-PHONE
switchport mode access
switchport access vlan 100
switchport voice vlan 200
! Device Tracking
device-tracking attach-policy IPDT-POLICY
! Multi-Domain Host Mode
authentication host-mode multi-domain
! Authentication Order and Priority
authentication order dot1x mab
authentication priority dot1x mab
! Authentication Control
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
! Event Actions
authentication event fail action authorize vlan 999
authentication event server dead action authorize vlan 999
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication event no-response action authorize vlan 999
! Domain Control
authentication violation restrict
! MAB for phones that don't support 802.1X
mab
! 802.1X
dot1x pae authenticator
dot1x timeout tx-period 10
! Spanning Tree
spanning-tree portfast edge
spanning-tree bpduguard enable
! Voice VLAN
vlan 200
name VOICE
interface Vlan200
description VOICE-VLAN
ip address 10.200.0.1 255.255.255.0
ip helper-address 10.252.1.40
3.4.8 Multi-Auth Mode (Multiple Devices per Port)
Multi-Auth Configuration
! ============================================================
! MULTI-AUTH MODE (IP Phones, Hubs, Multiple Devices)
! ============================================================
interface GigabitEthernet1/0/1
description USER-PORT-MULTI-AUTH
switchport mode access
switchport access vlan 100
switchport voice vlan 200
! Multi-Auth Host Mode (multiple data + one voice)
authentication host-mode multi-auth
! Authentication Settings
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
! Events
authentication event fail action authorize vlan 999
authentication event server dead action authorize vlan 999
authentication event server dead action authorize voice
authentication event server alive action reinitialize
! Violation handling
authentication violation restrict
! MAB
mab
! 802.1X
dot1x pae authenticator
dot1x timeout tx-period 10
3.4.9 IBNS 2.0 / C3PL Configuration (Modern Approach)
Service Template Configuration
! ============================================================
! IBNS 2.0 / C3PL (Cisco Common Classification Policy Language)
! Modern approach using service templates and policy maps
! ============================================================
! Class Maps for Matching
class-map type control subscriber match-all AAA-DOWN
match result-type aaa-timeout
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
class-map type control subscriber match-all MAB-FAILED
match method mab
match result-type method mab authoritative
class-map type control subscriber match-all DOT1X-SUCCESS
match method dot1x
match result-type method dot1x success
class-map type control subscriber match-all MAB-SUCCESS
match method mab
match result-type method mab success
class-map type control subscriber match-all IN-CRITICAL-VLAN
match current-method-priority gt 0
! Policy Map for Authentication
policy-map type control subscriber DOT1X-MAB-POLICY
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
event authentication-failure match-first
10 class DOT1X-FAILED do-until-failure
10 authenticate using mab priority 20
20 class MAB-FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
30 class AAA-DOWN do-until-failure
10 activate service-template CRITICAL-AUTH
20 authorize
30 pause reauthentication
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT-ACCESS
event aaa-available match-all
10 class IN-CRITICAL-VLAN do-until-failure
10 clear-session
event agent-found match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
! Service Templates
service-template CRITICAL-AUTH
vlan 999
access-group ACL-CRITICAL
service-template DEFAULT-ACCESS
access-group ACL-DEFAULT-PERMIT
! Apply to Interface
interface GigabitEthernet1/0/1
description USER-PORT-IBNS2
switchport mode access
switchport access vlan 100
switchport voice vlan 200
device-tracking attach-policy IPDT-POLICY
access-session port-control auto
access-session closed
access-session host-mode multi-auth
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
service-policy type control subscriber DOT1X-MAB-POLICY
spanning-tree portfast edge
3.4.10 DNAC Interface Templates
Template for SD-Access Fabric Edge
# DNAC Template: SDA-DOT1X-CLOSED-MODE
# Apply via: Provision > Fabric > Host Onboarding > Port Assignment
Template_Name: SDA-DOT1X-CLOSED-MODE
Description: Closed mode 802.1X for SD-Access fabric edge ports
Device_Type: Fabric Edge
Configuration:
Authentication_Mode: Closed Mode
Host_Mode: Multi-Auth
Pre_Auth_ACL: None
Order: DOT1X, MAB
Priority: DOT1X, MAB
Events:
Auth_Fail: VLAN 999
Server_Dead: VLAN 999
No_Response: VLAN 999
Timers:
Tx_Period: 10
Reauth: Server
Inactivity: 3600
Device_Tracking: Enabled
Port_Fast: Enabled
BPDU_Guard: Enabled
Template Variables
# Template Variables for DNAC
Variables:
DATA_VLAN: "{{ pool_vlan }}"
VOICE_VLAN: "{{ voice_vlan }}"
CRITICAL_VLAN: 999
ISE_PSN_1: 10.252.31.11
ISE_PSN_2: 10.252.31.12
RADIUS_KEY: "{{ radius_secret }}"
3.4.11 Special Port Configurations
AP Port Configuration
! ============================================================
! ACCESS POINT PORT (Trunk with MAB)
! ============================================================
interface GigabitEthernet1/0/48
description AP-PORT
switchport mode trunk
switchport trunk native vlan 150
switchport trunk allowed vlan 150,100-110,200
! Device Tracking
device-tracking attach-policy IPDT-POLICY
! Authentication for AP
authentication host-mode multi-domain
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
! MAB only (APs typically don't do 802.1X)
mab
! Spanning Tree
spanning-tree portfast trunk
Printer/IoT Port Configuration
! ============================================================
! PRINTER/IOT PORT (MAB Only)
! ============================================================
interface GigabitEthernet1/0/47
description PRINTER-PORT-MAB-ONLY
switchport mode access
switchport access vlan 100
! Device Tracking
device-tracking attach-policy IPDT-POLICY
! MAB Only - No 802.1X
authentication host-mode single-host
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication event fail action authorize vlan 999
authentication event server dead action authorize vlan 999
! MAB
mab
! NO 802.1X for printers
no dot1x pae authenticator
! Spanning Tree
spanning-tree portfast edge
spanning-tree bpduguard enable
3.4.12 CoA (Change of Authorization) Configuration
CoA Handling
! ============================================================
! CHANGE OF AUTHORIZATION (CoA) CONFIGURATION
! ============================================================
! CoA Server Configuration (already in AAA section)
aaa server radius dynamic-author
client 10.252.31.11 server-key <coa-key>
client 10.252.31.12 server-key <coa-key>
port 1700
auth-type any
! CoA Types Supported:
! - Session Terminate (disconnect user)
! - Session Reauthenticate (re-run authentication)
! - Port Bounce (shut/no shut interface)
! - Push ACL (apply new dACL)
! Verify CoA Statistics
show aaa servers | section Dynamic
3.4.13 Troubleshooting Commands
Authentication Troubleshooting
! Show all authentication sessions
show authentication sessions
! Show specific interface details
show authentication sessions interface Gi1/0/1 details
! Show authentication method details
show authentication sessions method dot1x
! Show MAB sessions
show authentication sessions method mab
! Check failed authentications
show authentication sessions | include Failed|Unauth
! RADIUS server status
show aaa servers
! RADIUS statistics
show radius statistics
! Debug authentication (use with caution)
debug dot1x all
debug radius authentication
debug radius accounting
! Clear authentication session
clear authentication sessions interface Gi1/0/1
3.4.14 Deployment Checklist
| Phase |
Task |
Status |
Date |
| Pre-Deployment |
|
|
|
|
AAA global config applied |
☐ |
|
|
RADIUS servers configured |
☐ |
|
|
Device tracking enabled |
☐ |
|
|
Critical VLAN created |
☐ |
|
| Phase 1: Monitor |
|
|
|
|
Monitor mode template applied |
☐ |
|
|
Authentication logging verified |
☐ |
|
|
Endpoint inventory collected |
☐ |
|
|
Non-802.1X devices identified |
☐ |
|
| Phase 2: Low-Impact |
|
|
|
|
Pre-auth ACL configured |
☐ |
|
|
Low-impact mode applied |
☐ |
|
|
Critical services tested |
☐ |
|
|
MAB whitelist populated |
☐ |
|
| Phase 3: Closed |
|
|
|
|
Closed mode applied |
☐ |
|
|
Authentication enforcement verified |
☐ |
|
|
Exception process documented |
☐ |
|
|
User communication complete |
☐ |
|
| Production |
|
|
|
|
Monitoring dashboards configured |
☐ |
|
|
Alerting enabled |
☐ |
|
|
Runbook documented |
☐ |
|