Step 1. Enable 802.1X globally on the switch.

Enabling 802.1X globally on the switch does not actually enable authentication on any of the switchports. Authentication will be configured, but not enabled, until we configure Monitor Mode.

- C3750X(config)#dot1x system-auth-control
Step 2. Enable downloadable ACLs to function.

Downloadable access control lists (dACLs) are a very common enforcement mechanism in a Cisco TrustSec deployment. In order for dACLs to function properly on a switch, IP device tracking must be enabled globally, as follows:

- C3750X(config)#ip device tracking
Step 3. Enable syslog on the switch.

Syslog messages are generated by Cisco IOS® Software for many events. Some of these messages can be sent to Cisco ISE to be used for troubleshooting. To help ensure that Cisco ISE is able to compile the appropriate syslog messages from the switch, use the following commands:

- C3750X(config)#logging monitor informational
- C3750X(config)#logging origin-id ip
- C3750X(config)#logging source-interface
- C3750X(config)#logging host transport udp port 20514

These commands set up standard logging functions on the switch to support troubleshooting and recording for Cisco ISE functions. The Enforcement Policy Module (EPM) is the part of Cisco IOS Software responsible for features such as web authentication and downloadable ACLs. Enabling EPM logging generates syslog messages related to downloadable ACL authorization, and part of each log can be correlated inside Cisco ISE when such logs are sent to Cisco ISE.

- C3750X(config)#epm logging

Only the following NAD syslog messages are actually collected and used by Cisco ISE:

- AP-6-AUTH_PROXY_AUDIT_START
- AP-6-AUTH_PROXY_AUDIT_STOP
- AP-1-AUTH_PROXY_DOS_ATTACK
- AP-1-AUTH_PROXY_RETRIES_EXCEEDED
- AP-1-AUTH_PROXY_FALLBACK_REQ
- AP-1-AUTH_PROXY_AAA_DOWN
- AUTHMGR-5-MACMOVE
- AUTHMGR-5-MACREPLACE
- MKA-5-SESSION_START
- MKA-5-SESSION_STOP
- MKA-5-SESSION_REAUTH
- MKA-5-SESSION_UNSECURED
- MKA-5-SESSION_SECURED
- MKA-5-KEEPALIVE_TIMEOUT
- DOT1X-5-SUCCESS / FAIL
- MAB-5-SUCCESS / FAIL
- AUTHMGR-5-START / SUCCESS / FAIL
- AUTHMGR-SP-5-VLANASSIGN / VLANASSIGNERR
- EPM-6-POLICY_REQ
- EPM-6-POLICY_APP_SUCCESS / FAILURE
- EPM-6-IPEVENT
- DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND
- RADIUS-4-RADIUS_DEAD
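Because only the mnemonics listed above are consumed by Cisco ISE, it is useful to check what the switch is actually sending on UDP 20514 before opening a case: which messages ISE will use, which it will silently drop, and whether the events carry the audit session ID that ISE correlates on. The parser below is an added example, not code from the page or from Cisco; it assumes the general Cisco IOS syslog shape `%FACILITY-SEVERITY-MNEMONIC: text`, with the switch IP prepended as `logging origin-id ip` does, and the sample lines are constructed for illustration (the exact prefix layout on a real switch depends on the logging configuration).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Mnemonics that Step 3 above lists as collected by Cisco ISE. Entries the
# page writes as "X / Y" are expanded into their individual mnemonics.
ISE_COLLECTED_MNEMONICS = frozenset({
    "AP-6-AUTH_PROXY_AUDIT_START", "AP-6-AUTH_PROXY_AUDIT_STOP",
    "AP-1-AUTH_PROXY_DOS_ATTACK", "AP-1-AUTH_PROXY_RETRIES_EXCEEDED",
    "AP-1-AUTH_PROXY_FALLBACK_REQ", "AP-1-AUTH_PROXY_AAA_DOWN",
    "AUTHMGR-5-MACMOVE", "AUTHMGR-5-MACREPLACE",
    "MKA-5-SESSION_START", "MKA-5-SESSION_STOP", "MKA-5-SESSION_REAUTH",
    "MKA-5-SESSION_UNSECURED", "MKA-5-SESSION_SECURED", "MKA-5-KEEPALIVE_TIMEOUT",
    "DOT1X-5-SUCCESS", "DOT1X-5-FAIL",
    "MAB-5-SUCCESS", "MAB-5-FAIL",
    "AUTHMGR-5-START", "AUTHMGR-5-SUCCESS", "AUTHMGR-5-FAIL",
    "AUTHMGR-SP-5-VLANASSIGN", "AUTHMGR-SP-5-VLANASSIGNERR",
    "EPM-6-POLICY_REQ", "EPM-6-POLICY_APP_SUCCESS", "EPM-6-POLICY_APP_FAILURE",
    "EPM-6-IPEVENT",
    "DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND",
    "RADIUS-4-RADIUS_DEAD",
})

# IOS message body: %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text
# Facility tokens start with a letter, so the lone digit after the last
# hyphen-separated facility token is the severity (0-7).
MSG_RE = re.compile(
    r"%(?P<mnemonic>(?:[A-Z][A-Z0-9_]*-)+(?P<sev>[0-7])-[A-Z0-9_]+):\s*(?P<text>.*)"
)
# With "logging origin-id ip" the switch prepends its own IP to each message;
# we take the dotted quad found in the prefix before the % body.
ORIGIN_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):")
# Audit session identifier carried by 802.1X/MAB/EPM messages (where present);
# ISE uses it to tie a switch event to its own session record.
AUDIT_RE = re.compile(r"AuditSessionID\s+([0-9A-Fa-f]+)")

# Constructed sample feed: four ISE-relevant events, two that ISE ignores,
# and one line that is not syslog at all.
SAMPLE_LINES = [
    "<189>57: 10.1.1.2: *Mar  1 00:05:12.345: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0101020000000B00A1B2C3",
    "<189>58: 10.1.1.2: *Mar  1 00:05:12.401: %AUTHMGR-5-START: Starting 'dot1x' for client (0011.2233.4455) on Interface Gi1/0/1 AuditSessionID 0A0101020000000B00A1B2C3",
    "<190>59: 10.1.1.2: *Mar  1 00:05:13.010: %EPM-6-POLICY_REQ: IP 10.1.1.50| MAC 0011.2233.4455| AuditSessionID 0A0101020000000B00A1B2C3| AUTHTYPE DOT1X| EVENT APPLY",
    "<187>60: 10.1.1.2: *Mar  1 00:06:00.000: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.1.10:1812,1813 is not responding.",
    "<189>61: 10.1.1.2: *Mar  1 00:06:05.000: %LINK-5-CHANGED: Interface GigabitEthernet1/0/2, changed state to administratively down",
    "<189>62: 10.1.1.2: *Mar  1 00:06:07.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.99)",
    "garbage line that is not syslog",
]


@dataclass(frozen=True)
class SyslogEvent:
    origin: Optional[str]
    mnemonic: str
    severity: int
    text: str
    audit_session_id: Optional[str]


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Parse one raw syslog line from the switch; None if it is not IOS-shaped."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    origin = ORIGIN_RE.search(line[: m.start()])
    audit = AUDIT_RE.search(m.group("text"))
    return SyslogEvent(
        origin=origin.group(1) if origin else None,
        mnemonic=m.group("mnemonic"),
        severity=int(m.group("sev")),
        text=m.group("text").strip(),
        audit_session_id=audit.group(1) if audit else None,
    )


def ise_relevant(lines):
    """Events whose mnemonic is in the set ISE actually consumes, in feed order."""
    events = (parse_line(l) for l in lines)
    return [e for e in events if e is not None and e.mnemonic in ISE_COLLECTED_MNEMONICS]


def dropped(lines):
    """Count of well-formed messages ISE will ignore; handy for sizing the feed."""
    events = (parse_line(l) for l in lines)
    return Counter(e.mnemonic for e in events
                   if e is not None and e.mnemonic not in ISE_COLLECTED_MNEMONICS)


def sessions(lines):
    """Group ISE-relevant mnemonics by audit session ID, the key ISE correlates on."""
    by_session = {}
    for e in ise_relevant(lines):
        if e.audit_session_id:
            by_session.setdefault(e.audit_session_id, []).append(e.mnemonic)
    return by_session


if __name__ == "__main__":
    for e in ise_relevant(SAMPLE_LINES):
        print(f"{e.origin} sev={e.severity} {e.mnemonic} session={e.audit_session_id}")
    print("ignored by ISE:", dict(dropped(SAMPLE_LINES)))
```

Run against a capture of what the collector receives (for example, a file produced by a syslog listener on port 20514), `sessions()` shows at a glance whether the DOT1X, AUTHMGR and EPM events for one endpoint share a session ID; if they do not, ISE cannot stitch them together and the switch-side logging configuration is the first thing to revisit.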