3850 Switch Wired C3PL Configuration for Cisco Identity Services Engine
Secure Access How-To Guides Series
Author: Hosuk Won
Date: August 2012
Cisco Systems © 2015

Table of Contents

3850 Switch Wired C3PL Configuration ... 3
    Overall Design ... 3
    3850 Switch C3PL Configuration Steps ... 4
    Configure the HTTP Server on the Switch ... 4
    Configure the Global AAA Commands ... 5
    Configure the Global RADIUS Commands ... 6
    Configure Local Access Control Lists and Local Service Templates ... 8
    Configure the Global 802.1X Commands ... 9
    Configure Control Class ... 9
    Configure Control Policy ... 10
ISE Configuration ... 15


3850 Switch Wired C3PL Configuration

This configuration example shows how to configure Cisco 3850 switches with the new C3PL syntax for wired access layer authentication.

The Cisco Catalyst 3850 is the first stackable access switching platform that enables wired plus wireless services on a single Cisco IOS XE Software-based platform. It provides a host of rich capabilities such as high availability based on stateful switchover (SSO) on stacking, granular QoS, security, and Flexible NetFlow (FNF) across wired and wireless in a seamless fashion. Also, the wired plus wireless features are bundled into a single Cisco IOS Software image, which reduces the number of software images that users have to qualify/certify before enabling them in their network. The single console port for command-line interface (CLI) management reduces the number of touch points to manage for wired plus wireless services, thereby reducing network complexity, simplifying network operations, and lowering the TCO of managing the infrastructure.

Although the 3850 with IOS-XE accepts the legacy auth manager syntax, the example provided in this document focuses primarily on the new syntax. Also, this document covers only the wired aspect of the configuration.

There are many benefits to the new syntax. Most notably, 802.1X and MAB can run simultaneously instead of being sequenced as two distinct authentication processes, where 802.1X authentication had to fail before MAB could start. Secondly, service templates can be used to control which pre-configured ACL is applied on the interface in the event that RADIUS is not available. With the legacy platforms, sequencing of 802.1X and MAB resulted in certain MAB endpoints not being able to get an IP address in a timely manner. By processing 802.1X and MAB simultaneously, the endpoint can get a DHCP-assigned IP address in a timely manner.
Also, with legacy platforms, when a static ACL was applied on the interfaces to restrict network access for devices in the pre-authentication stage, the same ACL was applied to devices connecting while the RADIUS server was unavailable, resulting in a denial of service until the RADIUS server became reachable again. With the introduction of service templates, a different ACL that provides network access can be applied to the interface when a certain condition matches, such as the RADIUS server being unreachable.

Overall Design

The following diagram shows the overall layout of the components. There are two types of users, Employee users and Contractor users. Employee users authenticate via Active Directory and Contractor users authenticate locally via the ISE internal database. Also, Contractor users are assigned VLAN 40 using the service template feature on the 3850 switch. Although we will not go into the details of different Bring Your Own Device (BYOD) policies or posture policies within Cisco Identity Services Engine (ISE), this setup provides a baseline for such operations. This document covers only the baseline configuration on 3850 switches for wired access using C3PL syntax; for deploying the 3850 on a wireless network or for other ISE configurations, please refer to the respective ISE How-To documents.

Figure 1. 3850 Switch Wired C3PL Configuration Components
    Cisco ISE 1.2.0.899
    Cisco 3850 running IOS-XE version 03.02.02.SE
    Microsoft Windows 2008 as AD/DNS/DHCP server

3850 Switch C3PL Configuration Steps

This configuration example shows how to integrate Cisco 3850 switches for authentication with ISE to provide the basis for advanced identity functionality such as BYOD and posture assessment. The example provided in this document focuses primarily on the C3PL command line interface on the 3850 for wired access configuration.
Enable Class-Based Policy Language (C3PL)

Session Aware Networking introduces new Cisco IOS commands that replace many of the previously supported authentication and policy commands. These new commands are available only after enabling the Cisco common classification policy language (C3PL) display mode that supports Session Aware Networking.

Note: If there are existing auth manager commands in place, they will be converted to C3PL format. If this is not desired, make sure there are no auth manager commands in place before starting this procedure.

Step 1 Configure the new-style display option. Run the following command to view authentication commands in the new style:

    3850#authentication display new-style

Sample output:

    3850#authentication display new-style
    Please note that while you can revert to legacy style
    configuration at any time unless you have explicitly
    entered new-style configuration, the following caveats
    should be carefully read and understood.
    (1) If you save the config in this mode, it will be written
        to NVRAM in NEW-style config, and if you subsequently
        reload the router without reverting to legacy config and
        saving that, you will no longer be able to revert.
    (2) In this and legacy mode, Webauth is not IPv6-capable. It
        will only become IPv6-capable once you have entered
        new-style config manually, or have reloaded with config
        saved in 'authentication display new' mode.
    3850#

Note: Simply put, once we start entering C3PL-based commands, we will no longer be able to revert to the legacy-style configuration mode. A warning will appear when C3PL commands are entered. To go back to legacy mode, enter 'authentication display legacy'.

Configure the HTTP Server on the Switch

Step 1 Set the DNS domain name on the switch. Cisco IOS® Software does not allow certificates, or even self-generated keys, to be created and installed without first defining a DNS domain name on the device.
Enter the following:

    3850(config)#ip domain-name example.com

Step 2 Generate the keys to be used for HTTPS by entering the following:

    3850(config)#crypto key generate rsa general-keys modulus 2048

Note: To avoid possible certificate mismatch errors during web redirection, we recommend that you use a certificate issued by your trusted certificate authority instead of a local certificate. This topic is beyond the scope of this document.

Step 3 Enable the HTTP servers on the switch. The HTTP server must be enabled on the switch to perform the HTTP/HTTPS capture and redirection. Enter the following:

    3850(config)#ip http server
    3850(config)#ip http secure-server

Note: Do not run the ip http secure-server command prior to generating the keys in step 2. If you perform the commands out of order, the switch will automatically generate a certificate with a smaller key size. This certificate can cause undesirable behaviour when redirecting HTTPS traffic. Unlike the WLC with AireOS, the 3850 Series wireless supports redirection of HTTPS requests; however, endpoints will be prompted to trust the switch's self-signed certificate during the redirection.

Step 4 Disable HTTP and HTTPS for other switch management functions (optional):

    3850(config)#ip http active-session-modules none
    3850(config)#ip http secure-active-session-modules none

Note: This will disable management access to the 3850 wireless configuration as well as configuration from NCS Prime Infrastructure.

Configure the Global AAA Commands

Step 1 Enable authentication, authorization, and accounting (AAA) on the access switches. By default, the AAA "subsystem" of the Cisco switch is disabled. Prior to enabling the AAA subsystem, none of the required commands will be available in the configuration.
Enter the following:

    3850(config)#aaa new-model
    3850(config)#aaa session-id common

Note: This command enables all of the services that the AAA network security services provide, for example local login authentication and authorization, defining and applying method lists, and so on. For further details, please refer to the Cisco IOS Security Configuration Guide.

Step 2 Create an authentication method for 802.1X. An authentication method is required to instruct the switch on which group of RADIUS servers to use for 802.1X authentication requests:

    3850(config)#aaa authentication dot1x default group radius

Step 3 Create an authorization method for 802.1X. The method created in step 2 enables the user/device identity (username/password or certificate) to be validated by the RADIUS server. However, simply having valid credentials is not enough; there must be an authorization as well. The authorization is what defines whether the user or device is actually allowed to access the network, and what level of access is actually permitted.

    3850(config)#aaa authorization network default group radius

Step 4 Create an accounting method for 802.1X. RADIUS accounting packets are extremely useful and are required for many ISE functions. These packets help ensure that the RADIUS server (Cisco ISE) knows the exact state of the interface and endpoint. Without the accounting packets, Cisco ISE would have knowledge only of the authentication and authorization communication. Accounting packets provide information on the length of the authorized session, as well as the bandwidth usage of the client.

    3850(config)#aaa accounting dot1x default start-stop group radius

Step 5 Configure periodic RADIUS accounting updates. Periodic RADIUS accounting packets allow Cisco ISE to track which sessions are still active on the network. This command sends periodic updates every 15 minutes.
    3850(config)#aaa accounting update periodic 15

Configure the Global RADIUS Commands

We configure a proactive method to check the availability of the RADIUS server. With this practice, the switch sends periodic test authentication messages to the RADIUS server (Cisco ISE). It is looking for a RADIUS response from the server. A success message is not necessary; a failed authentication will suffice, because it shows that the server is alive.

Best Practice: ISE 1.2 has a feature to suppress authentications that match certain conditions. We will use that feature to suppress the RADIUS keepalive messages. See the end of this document for instructions.

Step 1 Add the Cisco ISE servers to the RADIUS group. In this step we will add each Cisco ISE Policy Services Node (PSN) to the switch configuration, using the radius-test account. Repeat for each PSN.

    3850(config)#radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cisco123

Note: The server will be proactively checked for responses once every 5 minutes, in addition to any authentications or authorizations occurring through normal processes. This value may be too aggressive for non-ISE 1.2 deployments, because older versions of ISE lack the log suppression feature; in that case increase this value to 60 minutes or higher.

Step 2 Set the dead criteria. The switch has been configured to proactively check the Cisco ISE server for RADIUS responses. Now configure the counters on the switch that determine whether the server is alive or dead. Our settings are to wait 10 seconds for a response from the RADIUS server and to attempt the test 3 times before marking the server dead. If a Cisco ISE server does not give a valid response within 30 seconds, it will be marked as dead. The deadtime defines how long the switch keeps the server marked dead, which we are setting to 15 minutes.
    3850(config)#radius-server dead-criteria time 10 tries 3
    3850(config)#radius-server deadtime 15

Note: We will discuss high availability in more detail in the deployment mode sections.

Step 3 Enable change of authorization (CoA). Previously we defined the IP address of a RADIUS server to which the switch sends RADIUS messages. However, the servers that are allowed to perform change of authorization (RFC 3576) operations are defined in a different listing, also within global configuration mode, as follows:

    3850(config)#aaa server radius dynamic-author
    3850(config-locsvr-da-radius)#client 192.168.201.88 server-key cisco123
    3850(config-locsvr-da-radius)#auth-type any

Step 4 Next, enable the vendor-specific attributes (VSAs).

    3850(config)#radius-server attribute 6 on-for-login-auth
    3850(config)#radius-server attribute 8 include-in-access-req
    3850(config)#radius-server attribute 25 access-request include
    3850(config)#radius-server attribute 31 mac format ietf upper-case
    3850(config)#radius-server attribute 31 send nas-port-detail mac-only

Step 5 Ensure the switch always sends RADIUS requests from the correct interface. Switches often have multiple IP addresses associated with them. Therefore, it is a best practice to always force management communications to occur through a specific interface. This interface IP address must match the IP address defined in the Cisco ISE Network Device object.

Cisco Best Practice: As a network management best practice, use a loopback adapter for all management communications, and advertise that loopback interface into the internal routing protocol.

    3850(config)#ip radius source-interface vlan 201

Configure Local Access Control Lists and Local Service Templates

Certain functions on the switch require the use of locally configured access control lists (ACLs), such as URL redirection.
Some of these ACLs will be used immediately, and some may not be used until a much later phase of your deployment. The goal of this section is to prepare the switches for all possible deployment models at one time, and to limit the operational expense of repeated switch configuration.

Service templates are new to 3850 switches. A service template is similar to an ISE Authorization Profile, but can be present locally on the switch. It is a collection of VLAN, named ACL, timer, and URL redirect string that can be applied based on a C3PL event. Here, we create one locally to apply when none of the configured RADIUS servers is reachable to process an 802.1X or MAB request.

Step 1 Add the following ACL to be used for URL redirection with web authentication:

    3850(config)#ip access-list extended REDIRECT-ACL
    3850(config-ext-nacl)#deny udp any host 192.168.201.72 eq 53
    3850(config-ext-nacl)#deny udp any eq bootpc any eq bootps
    3850(config-ext-nacl)#deny ip any host 192.168.201.88
    3850(config-ext-nacl)#permit ip any any

Step 2 Add the following ACL to be used as the initial ACL on the interface prior to authentication:

    3850(config)#ip access-list extended DEFAULT-ACL
    3850(config-ext-nacl)#permit udp any host 192.168.201.72 eq 53
    3850(config-ext-nacl)#permit udp any eq bootpc any eq bootps
    3850(config-ext-nacl)#deny ip any any

Step 3 Add the following ACL to be used when none of the RADIUS servers is reachable:

    3850(config)#ip access-list extended PERMIT-ANY
    3850(config-ext-nacl)#permit ip any any

Step 4 Add the following service template called 'CRITICAL' to be used when none of the RADIUS servers is reachable:

    3850(config)#service-template CRITICAL
    3850(config-service-template)#description Apply When none of the RADIUS servers are reachable
    3850(config-service-template)#access-group PERMIT-ANY

Note: Just like a Downloadable ACL (DACL), a service template can be centrally located on ISE and be downloaded during authorization,
however, the purpose of the above template is to be used while none of the ISE nodes is available, which means there is no way to download the service template; therefore we create a local service template.

Configure the Global 802.1X Commands

Step 1 Enable 802.1X globally on the switch. Enabling 802.1X globally on the switch does not actually enable authentication on any of the WLANs or interfaces.

    3850(config)#dot1x system-auth-control

Step 2 Enable Downloadable ACLs to function. Downloadable access control lists (dACLs) are a very common enforcement mechanism in a Cisco ISE deployment. In order for dACLs to function properly on a switch, IP device tracking must be enabled globally, as follows:

    3850(config)#ip device tracking

Note: There are some uncommon cases with Windows 7 and devices that do not respond to ARPs where it may be required to use the command 'ip device tracking use SVI'.

Configure Control Class

A control class defines the conditions under which the actions of a control policy are executed. You define whether all, any, or none of the conditions must evaluate true to execute the actions of the control policy. Control classes are evaluated based on the event specified in the control policy.

Note: If this is the first time C3PL commands are being used on this switch, the switch will present a warning that it cannot revert to legacy mode unless the switch configuration is cleared.

Step 1 Configure a control class for when none of the RADIUS servers is available.

    3850(config)#class-map type control subscriber match-any AAA-DOWN
    3850(config-filter-control-classmap)#match result-type aaa-timeout

Step 2 Configure a control class for when 802.1X authentication has failed for the session.
    3850(config)#class-map type control subscriber match-all DOT1X-FAILED
    3850(config-filter-control-classmap)#match method dot1x
    3850(config-filter-control-classmap)#match result-type method dot1x authoritative

Configure Control Policy

Control policies determine the actions that the system takes in response to specified events and conditions. A control policy contains one or more control policy rules that associate a control class with one or more actions. The actions that you can configure in a policy rule depend on the type of event that you specify. Control policies typically control the authentication of subscriber identity and the activation of services on sessions, and are applied to an interface. The diagram below shows the relationships among events, classes, and actions within the control policy.

Figure 2. Control Policy

Here, the control policy is created with the control classes created in the previous section and finally applied to a range of interfaces.

Step 3 Configure the control policy that will be applied to all 802.1X/MAB-enabled interfaces.

    3850(config)#policy-map type control subscriber DOT1X-DEFAULT

Step 4 Configure the actions for when a session starts. The following configuration allows 802.1X and MAB to run simultaneously.

    3850(config-event-control-policymap)#event session-started match-all
    3850(config-class-control-policymap)#10 class always do-all
    3850(config-action-control-policymap)#10 authenticate using dot1x priority 10
    3850(config-action-control-policymap)#20 authenticate using mab priority 20

Step 5 Configure the actions for when a policy violation occurs. In case of a violation, the following configuration leaves the existing session intact and logs the violation event.
    3850(config-action-control-policymap)#event violation match-all
    3850(config-class-control-policymap)#10 class always do-all
    3850(config-action-control-policymap)#10 restrict

Step 6 When a supplicant is detected on the endpoint, the switch attempts to authenticate the endpoint using 802.1X.

    3850(config-action-control-policymap)#event agent-found match-all
    3850(config-class-control-policymap)#10 class always do-all
    3850(config-action-control-policymap)#10 authenticate using dot1x

Step 7 Configure the actions for when 802.1X authentication fails, either because no RADIUS server is available or because the authentication itself failed. This is broken into two parts. The first failure is when no RADIUS server is available to process the authentication request. In this case, the policy activates the local service template called 'CRITICAL', which applies the permit-all ACL and a specific VLAN if necessary. The second failure is when 802.1X authentication fails, in which case MAB is performed.

    3850(config-action-control-policymap)#event authentication-failure match-all
    3850(config-class-control-policymap)#10 class AAA-DOWN do-all
    3850(config-action-control-policymap)#10 authorize
    3850(config-action-control-policymap)#20 activate service-template CRITICAL
    3850(config-action-control-policymap)#30 terminate dot1x
    3850(config-action-control-policymap)#40 terminate mab
    3850(config-class-control-policymap)#20 class DOT1X-FAILED do-all
    3850(config-action-control-policymap)#10 authenticate using mab

Note: Since we will be using Central WebAuth, which sends an ACCESS-ACCEPT even for an unknown MAC address, there is no failure for MAB; thus a failure event for MAB is not defined in the above configuration.
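To make the event/class/action relationships concrete, here is an added Python model (not Cisco code and not part of this guide) that parses the class maps and policy map above and reports which actions the policy would run for a constructed authentication-failure event when RADIUS has timed out versus when 802.1X was authoritatively rejected. The session dictionaries and the C3PL semantics it relies on are assumptions stated in its docstring.

```python
"""Simplified model of how the DOT1X-DEFAULT control policy picks actions.

Added example, not Cisco code. It parses the class-map and policy-map text
from this guide and evaluates a session event against it, assuming:
'event ... match-all' evaluates every class of the event (match-first stops
at the first hit), a 'match-any' class needs one condition true and a
'match-all' class needs all of them, and 'do-all' runs every action in
sequence order. Outcomes of individual actions are not simulated, so
'do-until-failure'/'do-until-success' behave like 'do-all' here.
"""

C3PL_CONFIG = """\
class-map type control subscriber match-any AAA-DOWN
 match result-type aaa-timeout
class-map type control subscriber match-all DOT1X-FAILED
 match method dot1x
 match result-type method dot1x authoritative
policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event violation match-all
  10 class always do-all
   10 restrict
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
 event authentication-failure match-all
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
"""

def parse_c3pl(text):
    """Return (class_maps, policy_maps) parsed from indented IOS config text."""
    class_maps, policy_maps = {}, {}
    cur_class = cur_policy = cur_event = cur_rule = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:4] == ["class-map", "type", "control", "subscriber"]:
            cur_class = {"mode": tok[4], "conds": []}
            class_maps[tok[5]] = cur_class
        elif tok[0] == "match":                     # condition inside a class-map
            cur_class["conds"].append(tok[1:])
        elif tok[:4] == ["policy-map", "type", "control", "subscriber"]:
            cur_policy = policy_maps.setdefault(tok[4], {})
        elif tok[0] == "event":                     # event <name> <match-mode>
            cur_event = {"mode": tok[2], "rules": []}
            cur_policy[tok[1]] = cur_event
        elif len(tok) == 4 and tok[1] == "class":   # <seq> class <name> <do-mode>
            cur_rule = {"seq": int(tok[0]), "class": tok[2], "mode": tok[3], "actions": []}
            cur_event["rules"].append(cur_rule)
        elif tok[0].isdigit():                      # <seq> <action ...>
            cur_rule["actions"].append((int(tok[0]), " ".join(tok[1:])))
    return class_maps, policy_maps

def condition_holds(cond, session):
    """Evaluate one 'match ...' condition against a constructed session event."""
    if cond[0] == "method":                         # match method dot1x
        return session["method"] == cond[1]
    if cond[:2] == ["result-type", "method"]:       # match result-type method dot1x authoritative
        return session["method_results"].get(cond[2]) == " ".join(cond[3:])
    if cond[0] == "result-type":                    # match result-type aaa-timeout
        return session["result"] == " ".join(cond[1:])
    raise ValueError("unsupported condition: " + " ".join(cond))

def class_matches(name, class_maps, session):
    if name == "always":
        return True
    cmap = class_maps[name]
    hits = [condition_holds(c, session) for c in cmap["conds"]]
    if cmap["mode"] == "match-all":
        return all(hits)
    if cmap["mode"] == "match-any":
        return any(hits)
    return not any(hits)                            # match-none

def actions_for(event, session, class_maps, policy_maps, policy="DOT1X-DEFAULT"):
    """Actions the policy would run for this event, in execution order."""
    ev = policy_maps[policy].get(event)
    if ev is None:
        return []
    actions = []
    for rule in sorted(ev["rules"], key=lambda r: r["seq"]):
        if not class_matches(rule["class"], class_maps, session):
            continue
        actions += [a for _, a in sorted(rule["actions"])]
        if ev["mode"] == "match-first":
            break
    return actions

# Constructed session events: every RADIUS server timed out vs. an authoritative reject.
RADIUS_DOWN = {"method": "dot1x", "result": "aaa-timeout",
               "method_results": {"dot1x": "aaa-timeout"}}
DOT1X_REJECT = {"method": "dot1x", "result": "authoritative",
                "method_results": {"dot1x": "authoritative"}}

if __name__ == "__main__":
    cmaps, pmaps = parse_c3pl(C3PL_CONFIG)
    for label, sess in (("RADIUS down", RADIUS_DOWN), ("802.1X rejected", DOT1X_REJECT)):
        print(label, "->", actions_for("authentication-failure", sess, cmaps, pmaps))
```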
Apply the Control Policy to the Interfaces

Step 1 Apply the control policy to the interface range.

    3850(config)#interface range gigabitEthernet 1/0/1 - 48
    3850(config-if-range)#description DOT1X Enabled Ports
    3850(config-if-range)#switchport mode access
    3850(config-if-range)#service-policy type control subscriber DOT1X-DEFAULT

Step 2 Apply the rest of the interface-specific 802.1X configuration. Although many parts of the 802.1X configuration have been folded into the C3PL format, there are a few commands that are still in legacy format and need to be entered individually.

    3850(config-if-range)#spanning-tree portfast
    3850(config-if-range)#authentication periodic
    3850(config-if-range)#authentication timer reauthenticate server
    3850(config-if-range)#mab
    3850(config-if-range)#ip access-group DEFAULT-ACL in
    3850(config-if-range)#access-session host-mode multi-auth
    3850(config-if-range)#no access-session closed
    3850(config-if-range)#dot1x timeout tx-period 10
    3850(config-if-range)#access-session port-control auto
    3850(config-if-range)#no shutdown

3850 Example Configuration

    hostname 3850
    !
    aaa new-model
    aaa session-id common
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 15
    !
    aaa server radius dynamic-author
     client 192.168.201.88 server-key cisco123
     auth-type any
    !
    vlan 10
     name USER
    vlan 11
     name VOICE
    !
    interface vlan 10
     ip address 192.168.10.1
     ip helper-address 192.168.201.72
     ip helper-address 192.168.201.88
     no shutdown
    interface vlan 11
     ip address 192.168.11.1
     ip helper-address 192.168.201.72
     ip helper-address 192.168.201.88
     no shutdown
    !
    ip device tracking
    !
    ip domain-name example.com
    !
    crypto key generate rsa general-keys modulus 2048
    !
    dot1x system-auth-control
    !
    ip http server
    ip http secure-server
    ip http secure-active-session-modules none
    ip http active-session-modules none
    !
    ip access-list extended DEFAULT-ACL
     permit udp any host 192.168.201.72 eq domain
     permit udp any eq bootpc any eq bootps
     deny ip any any
    ip access-list extended PERMIT-ANY
     permit ip any any
    ip access-list extended REDIRECT-ACL
     deny udp any host 192.168.201.72 eq domain
     deny udp any eq bootpc any eq bootps
     deny ip any host 192.168.201.88
     permit ip any any
    !
    service-template CRITICAL
     description Apply When none of the RADIUS servers are reachable
     access-group PERMIT-ANY
    !
    class-map type control subscriber match-any AAA-DOWN
     match result-type aaa-timeout
    !
    class-map type control subscriber match-all DOT1X-FAILED
     match method dot1x
     match result-type method dot1x authoritative
    !
    policy-map type control subscriber DOT1X-DEFAULT
     event session-started match-all
      10 class always do-all
       10 authenticate using dot1x priority 10
       20 authenticate using mab priority 20
     event violation match-all
      10 class always do-all
       10 restrict
     event agent-found match-all
      10 class always do-all
       10 authenticate using dot1x
     event authentication-failure match-all
      10 class AAA-DOWN do-all
       10 authorize
       20 activate service-template CRITICAL
       30 terminate dot1x
       40 terminate mab
      20 class DOT1X-FAILED do-all
       10 authenticate using mab
    !
    ip radius source-interface Vlan201
    snmp-server community cisco123 RO
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail mac-only
    radius-server dead-criteria time 10 tries 3
    radius-server host 192.168.201.88 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cisco123
    radius-server deadtime 15
    !
    interface GigabitEthernet x/y/z
     description DOT1X Enabled Ports
     switchport access vlan 30
     switchport mode access
     ip access-group DEFAULT-ACL in
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     service-policy type control subscriber DOT1X-DEFAULT
     access-session port-control auto
     no shutdown
    !

ISE Configuration

With ISE 1.2, a service template can be configured on ISE and applied during authorization on the 3850 switches. Service templates are collections of authorizations such as VLANs, ACLs, URL-redirect ACLs, etc. that can be applied as part of authorization once an endpoint is authenticated via 802.1X, MAB, WebAuth, or CoA. A service template can be configured locally on the switch as well as on ISE. When ISE applies a service template as part of authorization and the service template does not exist on the switch, the switch retrieves the service template from ISE. This operation is similar to how dACLs work between IOS platforms and ISE.

Other than service templates, there is no specific configuration for ISE to integrate with 3850 switches. While this document covers policies related to BYOD, please refer to the BYOD how-to guide for configuring the underlying services to enable BYOD. This includes configuration of the CA server, external identity sources, and the supplicant provisioning policy.

Create Identity Sequence

We will create an identity sequence to process authentication requests from the switch. This sequence authenticates endpoints via certificate, AD, or the internal user database.

Step 1 Log in to the ISE primary admin node.
Step 2 Navigate to Administration > Identity Management > Identity Source Sequences.
Step 3 Click Add.
Step 4 Create a sequence with the following name: CAP_AD_Internal.

Figure 3. Create Identity Sequence

Step 5 Click Save.
Create User Group and Assign User

In this example contractor users authenticate via the ISE internal database, while employee users authenticate via certificate or AD user account. An ISE user group will be created for contractor users.

Step 1 Navigate to Administration > Identity Management > Groups > User Identity Groups.
Step 2 Click Add.
Step 3 Enter Contractor as the group name and click Submit.
Step 4 Navigate to Administration > Identity Management > Identities > Users.
Step 5 Click Add.
Step 6 Enter 'contractor1' as the user name and enter a password.
Step 7 Select 'Contractor' as User Groups and click 'Submit'.

Enable Policy Set

The policy set feature within ISE 1.2 allows the administrator to create complex identity policies. In this document we will create two policy sets that map to each of the WLANs and create the underlying policies within each policy set. This provides clarity on how policies apply to each use case within the ISE policy structure.

Step 1 To enable the policy set feature, navigate to Administration > System > Settings > Policy Sets.
Step 2 Select 'Enabled' and click 'Save'.

Note: Once the policy set feature is enabled, the policy will need to be recreated if one wants to go back to classic mode. However, the initial policy is copied to the default policy set when the feature is enabled.

Configure Authorization Profile

Here, we will be creating two authorization profiles. The first one is a regular authorization profile where, upon successful authentication, a dACL permitting full access is pushed to the switch for that interface. The second authorization profile is used for the contractor user, where a service template that includes a set of authorization attributes is pushed. The actual template resides on ISE, so the switch sends another request after the initial user authentication to download the template content. See the following diagram, which describes the service template operation:

Figure 4. Service Template Operation

Step 3 Navigate to Policy > Policy Elements > Authorization > Authorization Profiles.
Step 4 Click Add to create the Permit_ACL authorization profile with the following parameters.

Table 1. Authorization Profile Parameters
    Name                    Permit_ACL
    Common Tasks            DACL Name
    DACL Name               PERMIT_ALL_TRAFFIC

Step 5 Click 'Save'.
Step 6 Click Add to create the Internet_VLAN_Template profile with the following parameters.

Table 2. Internet VLAN Parameters
    Name                    Internet_VLAN_Template
    Service Template        Checked
    Common Tasks            VLAN
    VLAN                    40
    RADIUS:SessionTimeout   7200

Step 7 Click Save.

Configure Policy

Step 1 Navigate to Policy > Policy Set.
Step 2 Click on the + sign on the left pane and click Create Above.

Figure 5. Configure Policy

Step 3 Define the policy set with 'DOT1X' as the name and the following parameters.

Figure 6. Define Policy

Step 4 Click Submit.

Configure ISE to Suppress RADIUS Test Messages

You can configure collection filters to suppress syslog messages being sent to the monitoring and external servers. The suppression can be performed at the Policy Services Node level based on different attribute types. You can disable the suppression as well. You can define multiple filters with a specific attribute type and corresponding value.

Note: It is recommended to limit the number of collection filters to 20.

Step 1 Log in to the ISE primary admin node.
Step 2 Navigate to Administration > System > Logging.
Step 3 Click Collection Filters on the left pane.
Step 4 Click Add at the top of the right pane.

Figure 7. Add Collection Filters

Step 5 Select 'User Name' from the Attribute pull-down menu.
Step 6 Enter 'radius-test' for Value.
Step 7 Select 'Filter All' from the Filter Type pull-down menu.
Step 8 Click Save.
Validation

Authenticate Employee Device

When a Windows PC that is part of the AD domain connects, ISE authenticates and authorizes the device on the interface. The 'show access-session interface' command can be used to validate the authentication and authorization information on the interface.

    3850#show access-session interface GigabitEthernet 1/0/1 detail
    Interface: GigabitEthernet1/0/1
    IIF-ID: 0x106E04000000085
    MAC Address: 0016.d42e.e8ba
    IPv6 Address: Unknown
    IPv4 Address: 192.168.30.100
    User-Name: host/winxp.example.com
    Status: Authorized
    Domain: DATA
    Oper host mode: multi-auth
    Oper control dir: in
    Session timeout: N/A
    Common Session ID: C0A8C9FE00000FB30B2FC0AA
    Acct Session ID: 0x00000FAA
    Handle: 0x23000003
    Current Policy: DOT1X-DEFAULT

    Server Policies:

    Method status list:
      Method    State
      dot1x     Authc Success
      mab       Authc Failed
    3850#

Authenticate Contractor Device

When a device with a contractor account connects, ISE authenticates and authorizes the device on the interface using the service template.

    3850#show access-session interface GigabitEthernet 1/0/1 detail
    Interface: GigabitEthernet1/0/1
    IIF-ID: 0x108F9C000000089
    MAC Address: 0016.d42e.e8ba
    IPv6 Address: Unknown
    IPv4 Address: 192.168.40.100
    User-Name: contractor1
    Status: Authorized
    Domain: DATA
    Oper host mode: multi-auth
    Oper control dir: in
    Session timeout: 7200s (server), Remaining: 7150s
    Timeout action: Reauthenticate
    Common Session ID: C0A8C9FE00000FB80B3C89C0
    Acct Session ID: 0x00000FB0
    Handle: 0x92000007
    Current Policy: DOT1X-DEFAULT

    Server Policies:
      Template: Internet_VLAN_Template (priority 100)
        Vlan Group: Vlan: 40

    Method status list:
      Method    State
      dot1x     Authc Success
      mab       Authc Failed
    3850#

Also, notice that there is an event in ISE that shows a username of 'Internet_VLAN_Template'; this is when the 3850 requested the template content from ISE.

Figure 8. Template

Authenticate While ISE Is Unavailable

When a device connects while ISE is unavailable, due to a network outage or the ISE node being down, the local template called 'CRITICAL' is applied. This template includes an ACL that allows all network access, which replaces the static ACL already applied on the interface.

    3850#show access-session interface GigabitEthernet 1/0/1 detail
    Interface: GigabitEthernet1/0/1
    IIF-ID: 0x108C30000000092
    MAC Address: 0016.d42e.e8ba
    IPv6 Address: Unknown
    IPv4 Address: 192.168.30.107
    User-Name: 0016d42ee8ba
    Status: Authorized
    Domain: UNKNOWN
    Oper host mode: multi-auth
    Oper control dir: in
    Session timeout: N/A
    Common Session ID: C0A8C9FE00000FC30F981C6E
    Acct Session ID: 0x00000FC9
    Handle: 0x43000010
    Current Policy: DOT1X-DEFAULT

    Local Policies:
      Template: CRITICAL (priority 150)
        Filter-ID: PERMIT-ANY

    Method status list:
      Method    State
      dot1x     Stopped
      mab       Stopped
    3850#
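As an added example that is not part of this guide, the following Python script parses this kind of 'show access-session ... detail' output and flags sessions that were admitted through the local CRITICAL template, so that ports opened while ISE was unreachable can be reviewed once ISE is back. The one-field-per-line layout of the samples and the labels it assigns are assumptions of the example.

```python
"""Audit 'show access-session ... detail' output for fail-open sessions.

Added example, not Cisco or ISE code. The two samples are abbreviated from
the outputs shown in this guide, laid out as one 'Field: value' per line
(an assumption about the text the switch prints). The labels are this
example's own: a session authorized by the local CRITICAL template was
admitted while no RADIUS server answered, so it deserves a second look
once ISE is reachable again.
"""
import re

CONTRACTOR = """\
Interface: GigabitEthernet1/0/1
MAC Address: 0016.d42e.e8ba
IPv4 Address: 192.168.40.100
User-Name: contractor1
Status: Authorized
Domain: DATA
Session timeout: 7200s (server), Remaining: 7150s
Current Policy: DOT1X-DEFAULT
Server Policies:
Template: Internet_VLAN_Template (priority 100)
Vlan Group: Vlan: 40
Method status list:
Method State
dot1x Authc Success
mab Authc Failed
"""

CRITICAL = """\
Interface: GigabitEthernet1/0/1
MAC Address: 0016.d42e.e8ba
IPv4 Address: 192.168.30.107
User-Name: 0016d42ee8ba
Status: Authorized
Domain: UNKNOWN
Session timeout: N/A
Current Policy: DOT1X-DEFAULT
Local Policies:
Template: CRITICAL (priority 150)
Filter-ID: PERMIT-ANY
Method status list:
Method State
dot1x Stopped
mab Stopped
"""

def parse_session(text):
    """Turn one session block into a dict; templates and method states are kept apart."""
    sess = {"scope": None, "templates": [], "methods": {}}
    in_methods = False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line == "Method status list:":
            in_methods = True
        elif in_methods:
            if not line.startswith("Method "):          # skip the column header row
                method, state = line.split(None, 1)
                sess["methods"][method] = state
        elif line in ("Server Policies:", "Local Policies:"):
            sess["scope"] = line.split()[0]             # who supplied the authorization
        elif line.startswith("Template:"):
            name = re.sub(r"\s*\(.*\)$", "", line[len("Template:"):])
            sess["templates"].append(name.strip())
        elif ":" in line:
            key, value = line.split(":", 1)
            sess[key.strip()] = value.strip()
    return sess

def classify(sess):
    """Label how the session obtained network access."""
    if sess.get("Status") != "Authorized":
        return "not-authorized"
    if sess["scope"] == "Local" and "CRITICAL" in sess["templates"]:
        return "critical-auth"      # fail-open: admitted while RADIUS was unreachable
    for method in ("dot1x", "mab"):
        if sess["methods"].get(method) == "Authc Success":
            return method
    return "unknown"

def audit(outputs):
    """Return (interface, user, label, templates) per session, critical-auth first."""
    rows = []
    for text in outputs:
        s = parse_session(text)
        rows.append((s["Interface"], s["User-Name"], classify(s), tuple(s["templates"])))
    return sorted(rows, key=lambda r: r[2] != "critical-auth")

if __name__ == "__main__":
    for row in audit([CONTRACTOR, CRITICAL]):
        print(row)
```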