Step 1: Enable authentication, authorization, and accounting (AAA) on the access switches. By default, the AAA "subsystem" of the Cisco switch is disabled. Prior to enabling the AAA subsystem, none of the required commands will be available in the configuration. Enter the following:
Step 2: Create an authentication method for 802.1X. An authentication method is required to instruct the switch on which group of RADIUS servers to use for 802.1X authentication requests:
Step 3: Create an authorization method for 802.1X. The method created in step 2 will enable the user/device identity (username/password or certificate) to be validated by the RADIUS server. However, simply having valid credentials is not enough. There must be an authorization as well. The authorization is what defines that the user or device is actually allowed to access the network, and what level of access is actually permitted.
Step 4: Create an accounting method for 802.1X. RADIUS accounting packets are extremely useful and are required for many ISE functions. These types of packets will help ensure that the RADIUS server (Cisco ISE) knows the exact state of the switchport and endpoint. Without the accounting packets, Cisco ISE would have knowledge only of the authentication and authorization communication. Accounting packets provide information on length of the authorized session, as well as local decisions made by the switch (such as AuthFail VLAN assignment, and so on).
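The four steps above as one global-configuration sequence, added here as an example and not taken from the original page. It assumes the `default` method lists and the built-in `radius` server group; a deployment may instead reference a named group of ISE nodes.

```cisco
! Added example; assumes the default method lists and the built-in "radius" server group.
!
! Step 1: enable the AAA subsystem so the remaining aaa commands are accepted
aaa new-model
!
! Step 2: authentication method list for 802.1X requests
aaa authentication dot1x default group radius
!
! Step 3: authorization method list for network access, so the RADIUS
! server's authorization result (not just valid credentials) decides access
aaa authorization network default group radius
!
! Step 4: accounting method list for 802.1X, sending start and stop records
! so the RADIUS server can track session state and duration
aaa accounting dot1x default start-stop group radius
```

The method lists only point at a server group; the RADIUS servers in that group are defined in separate configuration.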