KB ID 0001077
Problem
Back in Part Two we configured the specific 802.1x policies in Cisco ISE. Remember with 802.1x it is a three tier system there is a supplicant, (a machine that wants to authenticate), the Authenticator, (the device the supplicant connect to, in our case a switch), and finally an Authentication server (Cisco ISE).
Below I will add our switch into ISE, as a RADIUS device and create some groups, and locations for good housekeeping.
Solution
1. From within ISE > Authentication > Network Resources > Network Devices > Network Devices > Add.
2. Specify a name and description for the device > Set its IP address > Set the device type and location (we will change these in a minute) > Under authentication settings select RADIUS and enter a shared secret, (you can set these up globally if you prefer).
3. Create a Device Type: Administration > Network Devices > Network Device Groups > Groups > All Device Types > Add.
Note: You can have as many of these as you like to make managing your network easier, I’m just going to set one up for Cisco Switches.
4. Give the group a name and description > Submit.
5. Create a Location: On the same page > All Locations > Add.
6. Give the location a name and description > Submit.
7. You can now go back to the network device you created earlier, and set the location and group accordingly.
8. Now you can configure the Cisco switch for RADIUS Authentication.
Note: 192.168.100.12 is the IP address of the ISE server, and 666999 is the shared secret we setup in step 2.
[box]
Petes-3750(config)#aaa new-model Petes-3750(config)#aaa group server radius ISE Petes-3750(config-sg-radius)#server-private 192.168.200.12 key 666999 Petes-3750(config-sg-radius)#exit Petes-3750(config)#aaa authentication dot1x default group ISE Petes-3750(config)#aaa authorization network default group ISE Petes-3750(config)#dot1x system-auth-control Petes-3750(config)#do write Building configuration... [OK] Petes-3750(config)#
[/box]
9. To configure the port that our supplicant is going to connect to;
Note: I’m setting the host-mode to multi-host because my clients are all in VMware ESXi and are coming from a VMware vSwitch into the Cisco switch.
[box]
Petes-3750(config)#interface fastEthernet 1/0/4 Petes-3750(config-if)#authentication host-mode multi-host Petes-3750(config-if)# authentication port-control auto Petes-3750(config-if)# dot1x pae authenticator Petes-3750(config-if)#exit Petes-3750(config)#exit Petes-3750#write mem Building configuration... [OK] Petes-3750#
[/box]
10. Once a supplicant has been authenticated you can check like so;
[box]
Petes-3750#show dot1x all summary
Interface PAE Client Status
--------------------------------------------------------
Fa1/0/4 AUTH 0050.56b1.5f5c AUTHORIZED
Petes-3750#
[/box]
Related Articles, References, Credits, or External Links
Cisco ISE – Basic 802.1x With Windows – Part Four – Configuring The Windows Clients (Supplicants)