Cisco ISE NAC MAB

Since this is only a lab exercise, disable Suppress Repeated Failed Clients first, so that the MAC address does not get locked out during testing and skew the results.

Administration -> System -> Settings -> Protocols -> RADIUS

Next, join the domain.

Administration -> Identity Management -> External Identity Sources -> Active Directory -> Add

Enter the AD domain.

You should then see Completed.

Then add the corresponding network devices (the switches).

Administration -> Network Resources -> Network Devices -> Add

Modify the Default policy a bit.

Policy -> Policy Sets -> Default -> click the > on the right

Disable Basic_Authenticated_Access. I have not thought of a use for it yet, but it causes endpoints that should not pass to be allowed, so disable it and click Save.

Now configure the switch.

! Enable AAA and point 802.1X/MAB authentication, authorization and accounting at the RADIUS group
aaa new-model

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

! Allow ISE (xxx.xxx.xxx.15) to send Change of Authorization (CoA) to this switch
aaa server radius dynamic-author
 client xxx.xxx.xxx.15 server-key cisco123

! Required so the switch can learn the endpoint's IP address for session tracking
ip device tracking

! Globally enable 802.1X/MAB on the switch
dot1x system-auth-control

! RADIUS server settings: include NAS-Port (attribute 6), detect a dead server, send Cisco VSAs
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
radius-server host xxx.xxx.xxx.15 auth-port 1645 acct-port 1646 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication

! Access port with MAB as the only authentication method
interface GigabitEthernet0/1
 switchport access vlan 172
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 172
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
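Once `mab` is enabled on the port, the switch sends ISE a RADIUS Access-Request in which the MAC address is both the User-Name and the User-Password (Service-Type = Call-Check marks it as MAB). The following Python block is an added example, not code from the original post: it builds such a request and decodes it again, using the shared secret cisco123 from the config above and a constructed MAC address; it shows why MAB offers no more assurance than the MAC address itself.

```python
import hashlib, os, struct

# RADIUS attribute types carried by a MAB Access-Request (RFC 2865 / RFC 3580)
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
SERVICE_TYPE_CALL_CHECK = 10   # tells ISE "this is MAB, not a real user login"
NAS_PORT_TYPE_ETHERNET = 15

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password; trailing NUL padding is stripped (MAC hex has no NULs)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value   # Type, Length, Value

def build_mab_request(mac: str, secret: bytes, ident: int = 1, authenticator: bytes = None) -> bytes:
    """Access-Request (Code 1) as a Cisco switch sends it for MAB: MAC is user and password."""
    mac_hex = mac.replace(":", "").replace("-", "").lower()
    authenticator = authenticator or os.urandom(16)      # 16-byte Request Authenticator
    calling = "-".join(mac_hex[i:i + 2] for i in range(0, 12, 2)).upper().encode()
    attrs = (attr(USER_NAME, mac_hex.encode())
             + attr(USER_PASSWORD, hide_password(mac_hex.encode(), secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attr(CALLING_STATION_ID, calling)
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(pkt: bytes) -> dict:
    """Return {attribute type: raw value} plus the code and authenticator of a RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    out, pos = {"code": code, "authenticator": pkt[4:20]}, 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        out[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return out
```

Anyone holding the shared secret and a capture of the request can recover the "password" with `unhide_password`, and the password is simply the MAC, which is why the AllowedMAB group should contain only the specific endpoints that need it.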

Wait a moment; the test fails and the switch port LED turns amber, because this MAC address has not been permitted yet.

Operations -> RADIUS -> Live Logs

Now add an AllowedMAB group and put in the MAC addresses that need to be allowed; the policy will use this group later.

Administration -> Identity Management -> Groups -> Endpoint Identity Groups -> Add

Select the MAC addresses to allow.

Add another policy set named AllowedMAB: set its Conditions first, click Save, then click > to configure the detailed policy.

Policy -> Policy Sets

Here we make this policy apply only to devices that use the Cisco profile.

Back on the Policy Sets page, click the > to the right of AllowedMAB to enter this policy's settings.

The Authentication Policy and Authorization Policy here can both be configured as shown below; this is where the AllowedMAB group created earlier is used.

Use the PermitAccess authorization profile for the AllowedMAB policy.

Operations -> RADIUS -> Live Logs
