Access Switch/Port Configuration For ISE

Today when I was going through my harddisk folders, I found a txt file which I prepared for an ISE project. The file which contain Access switch/port configurations commands and explanation for each command.I thought of sharing it here which may help someone.


aaa new-model >>>Creates an 802.1X port-based authentication method list


radius server ISE1

address ipv4 <<ISE IP>> auth-port 1812 acct-port 1813

key <<KEY>> >>>This is the shared key that we configured on ISE when we added this NAD


aaa group server radius dot1x_auth

server name ISE1 >>>We configure this a few lines back. If you have multiple ISE nodes, you’d add them all to this RADIUS group


aaa authentication dot1x default group dot1x_auth >>>Required for VLAN/ACL assignment

aaa authorization network default group dot1x_auth >>>Authentication & authorization for webauth transactions

aaa accounting update newinfo >>>Enables periodic interim accounting records to be sent to the accounting server.

aaa accounting dot1x default start-stop group dot1x_auth >>>Enables accounting for 802.1X and MAB authentications


aaa server radius dynamic-author

client <<ISE IP >> server-key <<KEY>>

Enables ISE to act as a AAA server when interacting with the client at IP address


dot1x system-auth-control >>>This command line turns 802.1X authentication on for switch ports, globally.

dot1x critical eapol >>>To support supplicant authentication requests over the LAN, enable EAP for critical authentications (Inaccessible Authentication Bypass).


ip access-list extended PREAUTH >>> Default Port Acl Befor Authenticating

permit udp any eq bootpc any eq bootps

permit udp any any eq domain

permit icmp any any

permit udp any any eq tftp

permit ip any host <<ISE IP>>

permit ip any host <<DC>>

deny ip any any


ip access-list extended redirectacl >>> REdirect ACl for Cleint Provisioning

deny udp any eq bootpc any eq bootps

deny udp any any eq domain

deny ip any host <<ISE IP>>

permit ip any any 


ip device tracking probe delay 10 >>>This command does not allow a switch to send a probe for 10 seconds when it detects a link UP/flap, which minimizes the possibility to
have the probe sent while the host on the other side of the link checks for duplicate IP addresses.

mab request format attribute 32 vlan access-vlan >>>To enable VLAN ID-based MAC authentication on a switch


radius-server attribute 6 on-for-login-auth >>>Used to identify the Service-Type this RADIUS request is used for

radius-server attribute 6 support-multiple >>>Supports multiple Service-Type values for each RADIUS profile

radius-server attribute 8 include-in-access-req >>>Include RADIUS attribute 8 in every Access-Request

radius-server attribute 25 access-request include >>>Include RADIUS attribute 25 in every Access-Request

radius-server attribute 31 mac format ietf upper-case >>>This is to specify the MAC address in the Calling Station ID. I recommend using IETF on this one

radius-server attribute 31 send nas-port-detail >>>This includes all NAS port details in the Calling Station ID

radius-server dead-criteria tries 2 >>>wiat 2 x default seconds before marking RADIUS server as dead

radius-server key <<KEY>>

radius-server vsa send authentication >>>Tells the switch to send authentication vendor-specific attributes

radius-server vsa send accounting >>>Tells the switch to send authentication vendor-specific attributes


ip radius source-interface vl 20 >>>Radius Communication source interface




switchport mode access

switchport access vlan 91

switchport voice vlan 55

ip access-group PREAUTH in

Under the port configuration, the following set of commands enables re-authentication via RADIUS Session-Timeout:

authentication event fail action next-method

authentication event server dead action reinitialize vlan 50

authentication event server dead action authorize voice

authentication timer reauthenticate server

authentication timer inactivity server

authentication host-mode multi-domain >>>The following command allows voice and multiple endpoints on the same physical access port:

These commands are here to specify that IOS Flex-Auth authentication should perform 802.1X first and then MAB:

authentication order dot1x mab

authentication priority dot1x mab

These commands enable port-based authentication on the interface:

authentication port-control auto

authentication violation restrict

This command enables re-authentication on the interface:

authentication periodic

authentication timer reauthenticate server

mab >>>This command enables MAC Authentication Bypass (MAB) on the interface:

dot1x pae authenticator >>This command enables 802.1x authentication in the interface:

dot1x timeout tx-period 3 >>>This command sets the retransmit period to 10 seconds:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s