Cisco Identity Services Engine 1.1 Brochure

! Enable authenticator switch to authenticate the supplicant switch.
dot1x system-auth-control
! Enable CISP framework.
cisp enable
! Configure uplink port as access and dot1x authentication.
interface FastEthernet0/6
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
CISP is enabled globally, and the interconnecting port is configured in authenticator and access mode.
Supplicant Switch Configuration
Accurate supplicant configuration is crucial for the entire setup to work as expected. This example
configuration contains a typical AAA and dot1x configuration.
This is the basic AAA configuration:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.48.66.107 auth-port 1812 acct-port 1813 key cisco
! Enable supplicant switch to authenticate devices connected
dot1x system-auth-control
! Forces the switch to send only multicast EAPOL packets when it receives either
! unicast or multicast packets, which allows NEAT to work on the supplicant
! switch in all host modes.
dot1x supplicant force-multicast
! Enable CISP framework operation.
cisp enable
The supplicant should have configured credentials and should supply an Extensible Authentication Protocol
(EAP) method to be used.
The supplicant can use EAP-Message Digest 5 (MD5) and EAP-Flexible Authentication via Secure Protocol
(FAST) (among other EAP types) for authentication in case of CISP. In order to keep the ISE configuration to
a minimum, this example uses EAP-MD5 for authentication of the supplicant to the authenticator. (The
default would force use of EAP-FAST, which requires Protected Access Credential [PAC] provisioning; this
document does not cover that scenario.)
! Configure EAP mode used by supplicant switch to authenticate itself to
! authenticator switch.
eap profile EAP_PRO
 method md5
! Configure credentials used by supplicant switch during that authentication.
dot1x credentials CRED_PRO
 username bsnsswitch
 password 0 C1sco123
The connection of the supplicant to the authenticator is already configured to be a trunk port (in contrast to
access port configuration on the authenticator). At this stage, this is expected; configuration will dynamically
change when the ISE returns the correct attribute.
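An added example, not part of the original Cisco document: a Python check that audits a supplicant switch configuration for the global commands this section relies on and for the settings it stores in cleartext. The function name, severity labels and SAMPLE text (constructed from the values shown on this page) are assumptions of this example.

```python
import re

# Global commands the supplicant switch configuration on this page relies on.
REQUIRED = ("cisp enable", "dot1x system-auth-control",
            "dot1x supplicant force-multicast")

# Constructed sample: the supplicant settings shown on this page.
SAMPLE = """\
aaa new-model
radius-server host 10.48.66.107 auth-port 1812 acct-port 1813 key cisco
dot1x system-auth-control
dot1x supplicant force-multicast
cisp enable
eap profile EAP_PRO
 method md5
dot1x credentials CRED_PRO
 username bsnsswitch
 password 0 C1sco123
"""

def audit_supplicant(config: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a NEAT supplicant config."""
    # Copies taken from PDFs often carry U+2212 instead of '-'; normalise first.
    text = config.replace("\u2212", "-")
    cmds = [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("!")]
    findings = [("missing", c) for c in REQUIRED if c not in cmds]
    for block in ("eap profile ", "dot1x credentials "):
        if not any(c.startswith(block) for c in cmds):
            findings.append(("missing", block.strip()))
    for c in cmds:
        if c == "method md5":
            # EAP-MD5 authenticates the supplicant only, not the peer.
            findings.append(("weak", "EAP-MD5 gives no mutual authentication"))
        elif c.startswith("password 0 "):
            findings.append(("cleartext", "supplicant password stored as type 0"))
        elif c.startswith("radius-server host ") and re.search(r" key (?!7 )\S", c):
            # Heuristic: anything other than a type 7 key is readable as-is.
            findings.append(("cleartext", "RADIUS shared secret stored unencrypted"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_supplicant(SAMPLE):
        print(f"{severity:9} {message}")
```
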