Procedure 6 - Configure The Global 802.1X Commands

Step 1
Enable 802.1X globally on the switch.

Enabling 802.1X globally on the switch does not actually enable authentication on any of the switchports.

Authentication will be configured, but not enabled until we configure Monitor Mode.

  • C3750X(config)#dot1x system-auth-control
Step 2
Enable Downloadable ACLs to function.

Downloadable access control lists (dACLs) are a very common enforcement mechanism in a Cisco TrustSec deployment. In order for dACLs to function properly on a switch, IP device tracking must be enabled globally, as follows:

  • C3750X(config)#ip device tracking
Step 3
Enable syslog on the switch.

Cisco IOS® Software generates syslog messages for many events. Some of these messages can be sent to Cisco ISE and used there for troubleshooting. To help ensure that Cisco ISE receives the appropriate syslog messages from the switch, use the following commands. In the commands below, <interface> and <ISE_IP> are placeholders: replace them with the interface whose address the switch should use as the syslog source and with the IP address of the Cisco ISE node, respectively.

  • C3750X(config)#logging monitor informational
  • C3750X(config)#logging origin-id ip
  • C3750X(config)#logging source-interface <interface>
  • C3750X(config)#logging host <ISE_IP> transport udp port 20514
These commands set up standard logging on the switch to support troubleshooting and record-keeping for Cisco ISE functions. The Enforcement Policy Module (EPM) is the part of Cisco IOS Software responsible for features such as web authentication and downloadable ACLs. Enabling EPM logging generates syslog messages related to downloadable ACL authorization; when those messages are sent to Cisco ISE, parts of them can be correlated there.

  • C3750X(config)#epm logging
Only the following NAD (network access device) syslog messages are actually collected and used by Cisco ISE:

  • AP-6-AUTH_PROXY_AUDIT_START
  • AP-6-AUTH_PROXY_AUDIT_STOP
  • AP-1-AUTH_PROXY_DOS_ATTACK
  • AP-1-AUTH_PROXY_RETRIES_EXCEEDED
  • AP-1-AUTH_PROXY_FALLBACK_REQ
  • AP-1-AUTH_PROXY_AAA_DOWN
  • AUTHMGR-5-MACMOVE
  • AUTHMGR-5-MACREPLACE
  • MKA-5-SESSION_START
  • MKA-5-SESSION_STOP
  • MKA-5-SESSION_REAUTH
  • MKA-5-SESSION_UNSECURED
  • MKA-5-SESSION_SECURED
  • MKA-5-KEEPALIVE_TIMEOUT
  • DOT1X-5-SUCCESS / FAIL
  • MAB-5-SUCCESS / FAIL
  • AUTHMGR-5-START / SUCCESS / FAIL
  • AUTHMGR-SP-5-VLANASSIGN / VLANASSIGNERR
  • EPM-6-POLICY_REQ
  • EPM-6-POLICY_APP_SUCCESS / FAILURE
  • EPM-6-IPEVENT
  • DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND
  • RADIUS-4-RADIUS_DEAD
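The list above is the filter Cisco ISE effectively applies to what the switch sends it, so a useful sanity check when validating the Step 3 logging configuration is to run the switch's syslog output through the same filter and confirm that the expected DOT1X, MAB, AUTHMGR, EPM and RADIUS messages survive. The following is an added example, not code from the guide or from Cisco: it parses IOS-style syslog lines (the %FACILITY-SEVERITY-MNEMONIC header, plus the originating IP that `logging origin-id ip` prepends), keeps only the message IDs the guide lists, and reports the least-verbose severity threshold that still admits all of them. The sample syslog lines, the 10.1.100.1 switch address, the MAC addresses and the session IDs are constructed for illustration; the exact header layout varies by IOS release, which is why the origin IP is matched loosely rather than by fixed position.

```python
"""Filter Cisco IOS syslog lines down to the messages Cisco ISE collects.

Added example (not part of the original guide). The message IDs below are
the ones the guide lists; the sample syslog lines and all addresses,
MACs and session IDs in them are constructed for illustration.
"""
import re

# Message IDs the guide lists as collected by ISE. Entries the guide
# abbreviates as "X / Y" are written out in full here.
ISE_COLLECTED = frozenset({
    "AP-6-AUTH_PROXY_AUDIT_START", "AP-6-AUTH_PROXY_AUDIT_STOP",
    "AP-1-AUTH_PROXY_DOS_ATTACK", "AP-1-AUTH_PROXY_RETRIES_EXCEEDED",
    "AP-1-AUTH_PROXY_FALLBACK_REQ", "AP-1-AUTH_PROXY_AAA_DOWN",
    "AUTHMGR-5-MACMOVE", "AUTHMGR-5-MACREPLACE",
    "MKA-5-SESSION_START", "MKA-5-SESSION_STOP", "MKA-5-SESSION_REAUTH",
    "MKA-5-SESSION_UNSECURED", "MKA-5-SESSION_SECURED", "MKA-5-KEEPALIVE_TIMEOUT",
    "DOT1X-5-SUCCESS", "DOT1X-5-FAIL",
    "MAB-5-SUCCESS", "MAB-5-FAIL",
    "AUTHMGR-5-START", "AUTHMGR-5-SUCCESS", "AUTHMGR-5-FAIL",
    "AUTHMGR-SP-5-VLANASSIGN", "AUTHMGR-SP-5-VLANASSIGNERR",
    "EPM-6-POLICY_REQ", "EPM-6-POLICY_APP_SUCCESS", "EPM-6-POLICY_APP_FAILURE",
    "EPM-6-IPEVENT", "DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND",
    "RADIUS-4-RADIUS_DEAD",
})

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: text. The facility may
# carry a hyphenated suffix (AUTHMGR-SP), hence the optional group.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z]+)?)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# With "logging origin-id ip" the switch's IP appears ahead of the message;
# it is searched for only in the part of the line before the % header.
ORIGIN_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):")


def parse_syslog(line):
    """Return a dict describing the IOS message in `line`, or None if there is none."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    origin = ORIGIN_RE.search(line[:m.start()])
    msg_id = f"{m['facility']}-{m['severity']}-{m['mnemonic']}"
    return {
        "origin": origin.group(1) if origin else None,
        "msg_id": msg_id,
        "severity": int(m["severity"]),
        "text": m["text"].strip(),
        "ise_collected": msg_id in ISE_COLLECTED,
    }


def filter_for_ise(lines):
    """Keep only the parsed messages that Cisco ISE actually collects."""
    parsed = (parse_syslog(line) for line in lines)
    return [p for p in parsed if p is not None and p["ise_collected"]]


def min_trap_severity():
    """Least-verbose severity number that still admits every collected message.

    Syslog severities count downward (0 = emergencies ... 7 = debugging), so
    any logging threshold must be at least this number for all to pass.
    """
    return max(int(re.search(r"-([0-7])-", m).group(1)) for m in ISE_COLLECTED)


# Constructed sample output, in the shape a switch produces after
# "logging origin-id ip": priority, sequence number, origin IP, timestamp, message.
SAMPLE_LINES = [
    "<189>101: 10.1.100.1: Jan 10 12:00:01.123: %DOT1X-5-SUCCESS: Authentication successful "
    "for client (0050.5684.a1b2) on Interface Gi1/0/10 AuditSessionID 0A01640100000005001A2B3C",
    "<190>102: 10.1.100.1: Jan 10 12:00:01.456: %EPM-6-POLICY_REQ: IP 10.1.50.23| "
    "MAC 0050.5684.a1b2| AuditSessionID 0A01640100000005001A2B3C| EVENT DOWNLOAD-REQUEST",
    "<187>103: 10.1.100.1: Jan 10 12:00:02.001: %LINK-3-UPDOWN: Interface "
    "GigabitEthernet1/0/10, changed state to up",
    "<188>104: 10.1.100.1: Jan 10 12:00:05.777: %RADIUS-4-RADIUS_DEAD: RADIUS server "
    "10.1.200.5:1812,1813 is not responding.",
    "<189>105: 10.1.100.1: Jan 10 12:00:06.000: %DOT1X-5-FAIL: Authentication failed "
    "for client (0011.2233.4455) on Interface Gi1/0/11 AuditSessionID 0A01640100000006001A2B3D",
    "not a syslog line at all",
]

if __name__ == "__main__":
    print(f"threshold needed: severity {min_trap_severity()} (informational)")
    for msg in filter_for_ise(SAMPLE_LINES):
        print(msg["origin"], msg["msg_id"], msg["text"][:60])
```

Run against a capture of real switch output, the script shows at a glance whether the messages ISE depends on are leaving the switch at all; an empty result for a port where a client just authenticated points at the logging configuration rather than at ISE. The LINK-3-UPDOWN line in the sample is deliberately included as a message the switch emits but ISE ignores.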