802.1X
Port-based network access control with EAP-TLS, PEAP, and MAB fallback on Cisco switches.
AAA Foundation
Enable AAA — required foundation, must be configured before any 802.1X commands
aaa new-model
802.1X authentication method — use RADIUS server group for EAP authentication
aaa authentication dot1x default group radius
Network authorization — allows RADIUS to push VLAN, dACL, SGT to the switch port
aaa authorization network default group radius
RADIUS accounting — logs session start/stop with duration, bytes, identity to MnT
aaa accounting dot1x default start-stop group radius
Global 802.1X enable — turns on the authenticator role on the switch, without this nothing works
dot1x system-auth-control
RADIUS Server Config
Define RADIUS server — specify ISE PSN with authentication and accounting ports
radius server ISE-PSN-1
address ipv4 10.50.1.20 auth-port 1812 acct-port 1813
RADIUS shared secret — must match exactly between switch and ISE network device definition
key 0 <shared-secret>
RADIUS server group — group multiple PSNs for failover; to use it, replace `group radius` in the aaa method lists above with `group ISE-SERVERS` (bare `group radius` means every RADIUS server defined on the switch)
aaa group server radius ISE-SERVERS
server name ISE-PSN-1
Port Configuration
Enable port authentication — auto requires successful auth before traffic flows
interface GigabitEthernet1/0/1
authentication port-control auto
Open mode — allow traffic before auth completes, apply restrictive dACL, useful for staged deployment
authentication open
Device tracking — required for dACLs (the switch substitutes the learned client IP for the source "any" in the downloaded ACL) and for URL-redirect/CoA; tracks IP-to-MAC-to-port bindings. Legacy command: IOS XE 16.x and later use `device-tracking policy` attached per interface instead
ip device tracking
Authentication Modes
Authentication order — try 802.1X first, fall back to MAB if no supplicant responds
authentication order dot1x mab
Authentication priority — if MAB succeeds first, still preempt with dot1x when supplicant appears
authentication priority dot1x mab
MAC Authentication Bypass — authenticate devices without supplicant by MAC address (printers, IoT)
mab
Multi-auth mode — every MAC on the port authenticates independently (one voice device plus any number of data hosts); use multi-domain when exactly one phone plus one PC should be allowed
authentication host-mode multi-auth
Violation mode — what happens when more MACs appear than the host mode allows: restrict drops the new MAC's traffic and logs, replace tears down the old session in favour of the new MAC, shutdown err-disables the port
authentication violation restrict
Auth-fail VLAN — place failed authentications in quarantine VLAN for remediation
authentication event fail action authorize vlan 999
Critical auth VLAN — if all RADIUS servers are unreachable, authorize new sessions into the data VLAN; sessions already authorized stay up unchanged
authentication event server dead action authorize vlan 10
Critical voice — maintain voice VLAN access during RADIUS outage, phones keep working
authentication event server dead action authorize voice
Timers & Resilience
Dead server detection — mark a RADIUS server dead once it has gone unanswered for at least 10 seconds and 3 consecutive requests have timed out (both conditions must hold)
radius-server dead-criteria time 10 tries 3
Dead server holddown — skip dead servers for 15 minutes before retrying
radius-server deadtime 15
Reauth timer from RADIUS — ISE controls the reauth interval via the Session-Timeout attribute (with Termination-Action RADIUS-Request); has no effect unless `authentication periodic` is also configured on the port
authentication timer reauthenticate server
EAP request timeout — seconds to wait for supplicant response before retrying or falling back to MAB
dot1x timeout tx-period 10
Max reauth requests — EAP-Request/Identity retries before declaring no supplicant; the port falls back to MAB after tx-period x (max-reauth-req + 1), i.e. 10 x 3 = 30 seconds with the values shown here
dot1x max-reauth-req 2
Server alive action — when RADIUS recovers, force re-authentication of critical-auth sessions
authentication event server alive action reinitialize
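Putting the Port Configuration, Authentication Modes and Timers & Resilience sections together, the following is a complete closed-mode access-port template. It is an added example, not configuration from the original cheat sheet. The PSN address, server group name, VLANs 10 and 999 and all timer values are the page's own; the CoA listener (`aaa server radius dynamic-author`), the `radius-server attribute` and `vsa send` lines, `authentication periodic`, `dot1x pae authenticator`, `spanning-tree portfast` and voice VLAN 20 are additions and assumptions not shown above.

```cisco
! Added example (not from the original page): full 802.1X -> MAB access-port template.
! Assumed: voice VLAN 20; ISE CoA and attribute settings below are additions to the page.
aaa new-model
aaa authentication dot1x default group ISE-SERVERS
aaa authorization network default group ISE-SERVERS
aaa accounting dot1x default start-stop group ISE-SERVERS
!
! CoA listener (added): lets ISE push reauth / dACL / VLAN changes mid-session.
! Without it, policy changes only apply at the next reauthentication.
aaa server radius dynamic-author
 client 10.50.1.20 server-key 0 <shared-secret>
 auth-type any
!
radius server ISE-PSN-1
 address ipv4 10.50.1.20 auth-port 1812 acct-port 1813
 key 0 <shared-secret>
!
aaa group server radius ISE-SERVERS
 server name ISE-PSN-1
!
! Attributes ISE expects (added): Service-Type (6), Framed-IP-Address (8), Class (25),
! plus Cisco VSAs so dACL/SGT/URL-redirect results can be carried.
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
! Dead: 10 s unanswered AND 3 consecutive timeouts; skip a dead PSN for 15 min
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
dot1x system-auth-control
! Legacy device tracking; IOS XE 16.x+ uses "device-tracking policy" attached per interface
ip device tracking
!
interface GigabitEthernet1/0/1
 description Employee access port (802.1X, MAB fallback)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Failure handling: 802.1X failure -> quarantine VLAN 999;
 ! all PSNs dead -> data VLAN 10 + voice VLAN; PSN back -> reinitialize critical sessions
 authentication event fail action authorize vlan 999
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! periodic is required or "timer reauthenticate server" never fires
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! MAB fallback after tx-period x (max-reauth-req + 1) = 10 x 3 = 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! Staged rollout: add "authentication open" under the interface so traffic flows before
! auth completes, watch "show authentication sessions", then remove it to go closed.
```

Apply `authentication open` only during monitor mode; in closed mode the restrict violation action plus the auth-fail VLAN is what keeps an unauthenticated host off VLAN 10.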
Verification & Debug
Detailed port auth status — shows method, identity, VLAN, dACL, SGT, session state
show authentication sessions interface Gi1/0/1 details
All authenticated sessions — overview of every port’s auth status across the switch
show authentication sessions | include Gi
802.1X global and per-port config — verify system-auth-control, tx-period, max-reauth
show dot1x all
Debug 802.1X — verbose EAP exchange and RADIUS transaction logging, disable after troubleshooting
debug dot1x all
debug radius authentication
Test RADIUS connectivity — sends a PAP Access-Request with the given credentials to the group; the ISE policy must allow PAP/ASCII for that identity, and the password is typed in clear text, so use a throwaway test account
test aaa group ISE-SERVERS evan Cisco123 new-code