802.1X Switch Configuration Templates

Overview

Templates for deploying 802.1X authentication on Cisco Catalyst switches with:

  • EAP-TLS certificate-based authentication

  • MAB fallback for non-supplicant devices

  • ISE integration (RADIUS, CoA)

  • TrustSec SGT assignment

Base Access Switch Template

access-switch-dot1x.j2
! ============================================
! 802.1X Base Configuration - {{ hostname }}
! Generated: {{ ansible_date_time.iso8601 | default(now()) }}
! ============================================

aaa new-model
aaa authentication dot1x default group {{ radius_group | default('ISE-SERVERS') }}
aaa authorization network default group {{ radius_group | default('ISE-SERVERS') }}
aaa accounting dot1x default start-stop group {{ radius_group | default('ISE-SERVERS') }}

dot1x system-auth-control
dot1x critical eapol

! RADIUS Server Configuration
{% for server in radius_servers %}
radius server {{ server.name }}
 address ipv4 {{ server.ip }} auth-port 1812 acct-port 1813
 key {{ server.key }}
{% endfor %}

aaa group server radius {{ radius_group | default('ISE-SERVERS') }}
{% for server in radius_servers %}
 server name {{ server.name }}
{% endfor %}
 deadtime 5

! Global 802.1X Settings
authentication mac-move permit
authentication logging verbose

Interface Template

interface-dot1x.j2
! Interface {{ interface }} - 802.1X Enabled
interface {{ interface }}
 description {{ description | default('802.1X Access Port') }}
 switchport mode access
 switchport access vlan {{ access_vlan }}
 authentication host-mode {{ host_mode | default('multi-auth') }}
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

Variables (YAML)

# host_vars/access-sw-01.yaml
hostname: access-sw-01
radius_group: ISE-SERVERS
radius_servers:
  - name: ise-01
    ip: 10.1.100.10
    key: "{{ vault_radius_key }}"
  - name: ise-02
    ip: 10.1.100.11
    key: "{{ vault_radius_key }}"

interfaces:
  - interface: GigabitEthernet1/0/1
    description: "Workstation Port"
    access_vlan: 50
    host_mode: single-host
  - interface: GigabitEthernet1/0/2
    description: "Conference Room"
    access_vlan: 50
    host_mode: multi-auth
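Before (dry-run) and after a deploy, it is worth checking that every access port in the rendered config still carries the 802.1X commands the interface template emits, so a hand edit or template drift that leaves a port open is caught. The audit below is an added example, not part of these templates; the sample config is constructed from the interface template above and adds a hypothetical port GigabitEthernet1/0/3 that was switched to force-authorized.

```python
import re
# Constructed sample: GigabitEthernet1/0/1 as interface-dot1x.j2 renders it, plus
# a port that was hand-edited to force-authorized with no MAB (the defect to catch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Workstation Port
 switchport mode access
 switchport access vlan 50
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 50
 authentication port-control force-authorized
"""

# Every access port must carry these: without port-control auto the port passes
# traffic unauthenticated, and without mab non-supplicant devices have no fallback.
REQUIRED = ("authentication port-control auto", "authentication order dot1x mab",
            "authentication priority dot1x mab", "mab", "dot1x pae authenticator")

def parse_interfaces(config):
    """Map interface name -> set of its stripped sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^interface (\S+)", line):
            current = stanzas.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def audit_config(config):
    """Return {interface: [missing commands]} for non-compliant access ports only."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        missing = [c for c in REQUIRED if c not in cmds]
        if "switchport mode access" in cmds and missing:  # trunks/uplinks out of scope
            report[name] = missing
    return report
```

Run it over the output of `show running-config` (or the rendered template) and fail the deploy when the report is non-empty.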

Integration Points

  • ISE Operations (ise-ops) - Policy and SGT assignment

  • Linux EAP-TLS (ise-linux) - Supplicant configuration

  • Windows EAP-TLS (ise-windows) - GPO deployment

Deployment

# Generate configs
nornir run --task generate_dot1x --filter site=datacenter

# Deploy with verification
nornir run --task deploy_config --filter site=datacenter --dry-run
nornir run --task deploy_config --filter site=datacenter