802.1X Bootstrap configuration

Before we begin the 802.1X bootstrap configuration, we must first grasp two other terms. 

If an end-user and the services that run on that end-user workstation/laptop are referred to as supplicant, you can execute the EAPoL massages and then enter the username and password for the user. Dot1x authentication refers to this type of thinking.

802.1X Bootstrap configuration

Note: – The end-user where the wired auto services are running that end user is going to call as a supplicant.

So, whenever you see 802.1X authentication means 100% a supplicant is running with username and password.

When an end-user isn’t running any services, which implies he isn’t a supplicant, his identity will be used as the MAC Address, and this kind of authentication is referred to as MAB.

802.1X Bootstrap configuration

Now the configuration of NAD BOX802.1X Bootstrap configuration

We’ll break down the NAD Configuration into ten simple steps.

But first, let’s look at the image below using this example, and then we’ll go through all 10 steps with configuration commands.

802.1X Bootstrap configuration

We will take an example of the above image IPs, VLANs, etc in the below commands.

Step – 1

Define the VLAN

#Vlan 8

#Desc data

#Vlan 1

#Desc MGMT

Step – 2

Creating the SVI

#Int vlan 1

#Ip address

#No Sh

#Interface Vlan 8

#IP add

#No sh

Step – 3

Enable AAA on the BOX

#AAA new-model

Step – 4

Define the AAA Server with the protocol.

#Radius server ISE-P

#Address IPv6 auth-port 1812 act-port 1813

#Key Cisco

Ip want to add secondary or tertiary ISE server

#Radius server ISE-S

#Add IPv4 auth-port 1812 act-port 1813

#Key Cisco

And—->>For Device admin

#Tacacs server ISE-P

#Address IPv4

#Key Cisco

Step – 5

Group the AAA Server

#AAA group server radius ISE

#Server ISE-P

#Server ISE-S

#Server ISE-T

Step – 6

Point out the AAA against this group

#AAA authentication dot1X default group ISE

Note: -In single mode deployment no need for “Group” (Group name) instead of Group use “RADIUS” after Group.
#aaa authorization network default group ISE
#aaa accounting update newinfo ……
Note: – Any current information on accounting send it to ISE

#AAA accounting Dot1X default start-Stop group ISE

Step – 7

RADIUS attribute, what RADIUS attribute need to define?

#Radius-server attribute 6 on-for-login auth

#Radius-server attribute 8 include-in-access-req

#Radius-server attribute 31 mac format ietf upper-case

#Radius-server attribute 31 send nas-port-detail

#Radius-server vsa send authentication

#Radius-server vsa send accounting

Note: –By default attribute number 1, 2, 4, 6 are enabled.

Username: -Attribute -1

Password: -Attribute -2

IP address of NAS: -Attribute -4

Service-Type: -Attribute -6

Step – 8

Define the three commands (Global commands)

#Ip routing

#Ip device tracking

#dot1X system-auth-control

Step -9

Define the source VLAN

# IP radius source-interface VLAN 1

Note: – Radius has two types of ports 1645/1646, these are the legacy ports numbers (Old port numbers)

ISE Can listen to both legacy as well as new port numbers (1812, 1813)

Step – 10

Configuration of the port

#Int gig 1/0/10

#Switch mode access

#Switch access VLAN 8

#Switch voice VLAN 100

Note: – Do we need to define VLAN?

VLAN 8 will be push by ISE, this is called authorization.

#Authentication host mode multi domain

#Authentication port-control auth


#Authentication auto

#Authentication force-authorized

#Authentication force-unauthorized

To know more about force-authorized, unauthorized, and auto, read this blog Host Mode.

We here at Zindagi Technologies, have a team of certified Subject Matter Experts who specializes in SD-Access solutions, SD-WAN, ACI, and multiple technologies If you are looking for Planning / Designing / Implementation / PoC services for SD-Access and other technologies reach us at Zindagi Technologies Pvt. Ltd. Or drop us a WhatsApp on +91-9773973971.

Ravi Kumar Singh
Consultant – Network Security

Leave a comment