Deploy 802.1x to Cisco 9300

Overview

This runbook covers deploying the Day0 base configuration and the DayN 802.1x/IBNS2 (Identity-Based Networking Services 2.0) configuration to a Cisco Catalyst 9300 switch using Jinja2 templates rendered with j2cli and pushed with netapi.

Prerequisites

Switch Requirements

  • Cisco Catalyst 9300 with IOS-XE 17.x

  • RESTCONF enabled (or SSH access)

  • Management IP reachable from workstation

Workstation Requirements

  • j2cli installed: pip install 'j2cli[yaml]' (quote the extra so the shell does not glob the brackets)

  • netapi available: uv run netapi --help

  • dsec configured with switch credentials

Enable RESTCONF on Switch (if not already)

ip http secure-server
restconf

Procedure

Step 1: Load Secrets

dsource d000 dev/network

Verify credentials are available:

echo $SWITCH_9300_IP
echo $SWITCH_9300_USER

Step 2: Verify Connectivity

ping -c 3 $SWITCH_9300_IP
uv run netapi ios info

Step 3: Backup Current Config

uv run netapi ios exec "show running-config" > backup-$(date +%Y%m%d-%H%M).txt

Step 4: Render Day0 Base Template

cd ~/atelier/_bibliotheca/domus-automation-ops
j2 templates/cisco-ios/day0-base.j2 vars/domus-home.yml > /tmp/day0-config.txt

Review the output:

cat /tmp/day0-config.txt

Step 5: Apply Day0 Configuration

uv run netapi ios config --file /tmp/day0-config.txt

Alternative: SSH

ssh $SWITCH_9300_USER@$SWITCH_9300_IP < /tmp/day0-config.txt

Step 6: Render DayN 802.1x Template

j2 templates/cisco-ios/dayn-802.1x-ibns2.j2 vars/domus-home.yml \
  -e access_port_range="GigabitEthernet1/0/1-24" \
  > /tmp/dayn-802.1x-config.txt

Review the output:

cat /tmp/dayn-802.1x-config.txt

Step 7: Apply 802.1x Configuration

uv run netapi ios config --file /tmp/dayn-802.1x-config.txt

Step 8: Verify Deployment

Check AAA configuration:

uv run netapi ios exec "show aaa servers"

Check 802.1x status:

uv run netapi ios exec "show dot1x all"

Check RADIUS connectivity:

uv run netapi ios exec "test aaa group ISE-RADIUS ise_probe <ise_probe-password> legacy"

(The IOS-XE test aaa group command takes a username and a password before the legacy keyword; replace the placeholder with the probe account's password.)

Check interface template application:

uv run netapi ios exec "show derived-config interface GigabitEthernet1/0/1"

Step 9: Save Configuration

uv run netapi ios exec "write memory"

Variables Reference

The templates use variables from vars/domus-home.yml:

Variable              Description                          Example
ise.psn_nodes         List of ISE Policy Service Nodes     [{ip: 10.50.1.21}, {ip: 10.50.1.20}]
source_interface      RADIUS/TACACS source interface       Vlan100
vlans.auth_fail.id    Critical auth VLAN                   999
dot1x.policy_set      Policy map name                      Wired_802.1X_Closed
access_port_range     Interfaces to configure (runtime)    GigabitEthernet1/0/1-24

Secrets

Secrets are referenced but not embedded in templates:

Secret                        Source
vault_radius_key_encrypted    dsec: d000/dev/network/RADIUS_KEY
vault_tacacs_key_encrypted    dsec: d000/dev/network/TACACS_KEY
vault_coa_key_encrypted       dsec: d000/dev/network/COA_KEY

To inject secrets at render time:

j2 templates/cisco-ios/dayn-802.1x-ibns2.j2 vars/domus-home.yml \
  -e vault_radius_key_encrypted="$RADIUS_KEY_TYPE7" \
  -e access_port_range="GigabitEthernet1/0/1-24" \
  > /tmp/dayn-802.1x-config.txt
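A pre-flight gate to run on the rendered file before Step 7 applies it, catching the two ways this render can go wrong silently: a variable j2 was never given (Jinja2 syntax left in the output) and a secret injected as an empty string (a bare "key 7" line). This is an added example, not part of the runbook, netapi or j2cli; the sample config and the Type 7 string are constructed, and the exact IOS lines the template emits (radius server names, source template line) are assumptions.

```python
import re
import sys
from ipaddress import ip_address

# Constructed sample of a rendered /tmp/dayn-802.1x-config.txt, not the
# project's real template output; names follow vars/domus-home.yml.
# It deliberately shows both failure modes: an unresolved variable and an
# empty 'key 7' line left behind when -e vault_radius_key_encrypted is omitted.
SAMPLE_CONFIG = """\
radius server ISE-PSN-1
 address ipv4 10.50.1.21 auth-port 1812 acct-port 1813
 key 7 {{ vault_radius_key_encrypted }}
radius server ISE-PSN-2
 address ipv4 10.50.1.20 auth-port 1812 acct-port 1813
 key 7
ip radius source-interface Vlan100
interface range GigabitEthernet1/0/1-24
 source template Wired_802_1X_Closed_Template
"""


def preflight(config: str, psn_ips, source_interface: str) -> list:
    """Return the list of problems found; an empty list means safe to apply."""
    problems = []
    # 1. Leftover Jinja2 syntax means a variable was never supplied to j2.
    for m in re.finditer(r"\{\{.*?\}\}|\{%.*?%\}", config):
        problems.append("unresolved template expression: " + m.group(0))
    # 2. 'key 7' with nothing after it: the secret rendered as an empty string.
    for line in config.splitlines():
        if re.match(r"\s*key 7\s*$", line):
            problems.append("empty RADIUS key: secret not injected at render time")
    # 3. Every node in ise.psn_nodes must appear as a radius server address.
    found = set(re.findall(r"address ipv4 (\S+)", config))
    for ip in psn_ips:
        ip_address(ip)  # raises ValueError on a malformed address in the vars file
        if ip not in found:
            problems.append("PSN " + ip + " missing from rendered radius servers")
    # 4. The source interface must match vars so ISE sees the expected NAS address.
    if ("ip radius source-interface " + source_interface) not in config:
        problems.append("source-interface " + source_interface + " not set")
    return problems


if __name__ == "__main__":
    # Usage: python preflight.py /tmp/dayn-802.1x-config.txt ; non-zero exit blocks Step 7.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    issues = preflight(text, ["10.50.1.21", "10.50.1.20"], "Vlan100")
    for issue in issues:
        print("PREFLIGHT:", issue)
    sys.exit(1 if issues else 0)
```

Run it against the real render (and with the PSN list and source interface taken from vars/domus-home.yml) before the config push; a non-zero exit means re-render with the missing -e values rather than applying.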

Rollback

If issues occur, restore from backup:

uv run netapi ios config --file backup-YYYYMMDD-HHMM.txt

Or remove 802.1x from specific ports:

uv run netapi ios exec "configure terminal"
uv run netapi ios exec "interface range GigabitEthernet1/0/1-24"
uv run netapi ios exec "no source template Wired_802_1X_Closed_Template"
uv run netapi ios exec "end"

Troubleshooting

RADIUS Server Unreachable

uv run netapi ios exec "show aaa servers"
uv run netapi ios exec "debug radius authentication"

Check ISE is reachable:

uv run netapi ise mnt health

Client Not Authenticating

uv run netapi ios exec "show access-session interface Gi1/0/1 details"
uv run netapi ios exec "show authentication sessions"

Check ISE live logs:

uv run netapi ise mnt sessions --mac AA:BB:CC:DD:EE:FF

Template Not Applied to Port

uv run netapi ios exec "show running-config interface Gi1/0/1"
uv run netapi ios exec "show derived-config interface Gi1/0/1"

Related

  • ISE Authorization Policy (ise-linux)

  • ISE Operations (ise-ops)

  • Infrastructure Operations (infra-ops)