Sunday, April 12, 2020

802.1X with Cisco ISE on 2960 switches: am I understanding the configuration right?

Hi Guys!

I was assigned to a team that has to configure dot1x on a company's switches. My main domain is routing and switching only, but I have done some research about the command usage.

Here's the template I got from the PM (port only):

-----------------
interface range fastEthernet 0/1-24
 switchport access vlan X (Data)
 switchport mode access
 switchport voice vlan Y (Voice)
 authentication event fail action next-method
 authentication event server dead action authorize vlan X (Data) (Same VLAN X as in the switchport access vlan X command)
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
-----------------

Let me explain the commands with my understanding first.

The commands:

-----------------
 authentication host-mode multi-domain
 authentication event fail action next-method
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port-control auto
-----------------

This is a port that has a computer with an IP phone attached to it. The order of authentication is dot1x, MAC address, webauth, and the last line enables dot1x on the port.

Now these are the commands that I think I don't fully understand; it would be great if you could help me clarify them:

The commands:

-----------------
 authentication event server dead action authorize vlan X (Data)
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
-----------------

When the RADIUS servers are dead, the voice device will be placed in the voice VLAN from the interface configuration, and the computer will be placed in the data VLAN from the switchport access command. Users start authenticating to the RADIUS server again once the servers are back up.

What do the mab and dot1x pae authenticator commands do?

In this configuration, I don't see the commands that let the PC and IP phone authenticate to the RADIUS server or talk with ISE when the servers are up, but when I use the config, everything works fine. Am I missing something?

I hope you guys can help me.

Many thanks!
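For reference, the per-port template above only works because of global AAA, RADIUS and dot1x settings that live outside the interface stanza. The following is an added example of that global configuration, not part of the PM's template; it uses IOS 15.x syntax and constructed server names, addresses and a placeholder shared secret, and should be checked against the switch's actual running-config.

```cisco
! --- Global configuration the port template depends on (added example) ---
! Enable AAA and point 802.1X/MAB authentication, network authorization
! (VLAN/dACL assignment from ISE) and accounting at the RADIUS server group.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! RADIUS server definition (constructed name/address; key is a placeholder).
! Ports 1812/1813 are the standard RADIUS authentication/accounting ports.
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Send vendor-specific attributes so ISE can return VLAN/dACL results.
radius-server vsa send authentication
radius-server vsa send accounting
!
! Dead-server detection: a server is marked dead after 3 unanswered tries
! within 5 seconds and kept dead for 10 minutes. These timers are what
! trigger the "authentication event server dead/alive" actions on the ports.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! Turn on the 802.1X authenticator function globally. Without this line the
! per-port "dot1x pae authenticator" command has no effect.
dot1x system-auth-control
!
! --- The two per-port lines asked about, with what they do ---
interface range fastEthernet 0/1-24
 ! "mab" enables MAC Authentication Bypass on the port: the switch sends the
 ! endpoint's MAC address as username/password to RADIUS. It is the second
 ! method in "authentication order dot1x mab webauth", so it runs when
 ! dot1x times out (no supplicant) or fails with "fail action next-method".
 mab
 ! "dot1x pae authenticator" makes the port act as the 802.1X Port Access
 ! Entity in the authenticator role: it sends EAP-Request/Identity frames to
 ! the attached PC and phone and relays their EAP responses to RADIUS.
 dot1x pae authenticator
```

Checking `show authentication sessions interface fastEthernet 0/1` on a live port shows which method (dot1x, mab) each attached device was authorized with and which domain (DATA or VOICE) it landed in.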


