ZBISE06 – Cisco ISE 2.3 Adding Network Access Devices (NADs) – Cisco Switch

Hey Ziglets, its ISE ISE Baby time!! Today we are continuing with our Cisco ISE 2.3 Blog Series by adding our NADs, or Network Access Devices, into our ISE Cluster. We are going to add our Lab Cisco 3750e switch into our ISE Cluster! This is our last blog post for 2017 so lets jump right into it!

Network and Server Diagram:

Here is our reference diagram that we will be using throughout this blog series.

Related Posts:

If you haven’t seen these posts yet, you should check them out

The Steps!!

We are going to add our lab Cisco 3750e switch ( as a Network Access Device, or NAD, into ISE.  There are a number of configurations that will need to be added to both the 3750 and the ISE Cluster.

1. The Global Switch configuration:

Launch your favorite SSH / Telnet client and log into your network switch.  For our lab this is our Cisco 3750e and we will utilize the Loopback 0 address of to ssh to it.

Now that we are logged into our switch, we are going to apply the following configurations.

NOTE: These configurations may not be the same on your IOS Version or Model of device.  The commands may just not be available or they may have a different syntax altogether.  Also, we are not enabling the Device sensor configurations because they are not supported on the IOS version we are running on this Cisco 3750e.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius  
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 2880
aaa server radius dynamic-author
 client server-key ZBISE_INSTALL
 client server-key ZBISE_INSTALL
aaa session-id common

In this first section of configurations we enable Authentication, Authorization, and Accounting (AAA) and configure a number of settings to support it.  The “aaa server radius dynamic-author” portion is specifically important here because it enables Change of Authorization (CoA) for this Network Access Device.

Below is a screenshot of what we did in our lab.

dot1x system-auth-control
dot1x critical eapol
epm logging
lldp run
ip device tracking
ip device tracking probe count 30
ip device tracking probe delay 10

In this section, we enable Dot1x, LLDP, and Device tracking on the switch. Dot1x is of course for authentication while Device Tracking is to find out the IP Addresses for the devices being connected to our NAD.

Here is what we did in the lab.

ip radius source-interface Loopback0
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server host auth-port 1812 acct-port 1813 key ZBISE_INSTALL
radius-server host auth-port 1812 acct-port 1813 key ZBISE_INSTALL
radius-server retry method reorder
radius-server retransmit 1
radius-server timeout 3
radius-server vsa send accounting
radius-server vsa send authentication

This section is the Radius configuration section.  For your radius servers, you should only need to add the PSNs in your deployment.  You will see that I have ISE03 and ISE04 in this configuration only.  You will also notice that I am sourcing all radius traffic from my loopback 0 address.  I highly recommend doing this for all protocols as possible.  If you do not have a loopback address then I would use a Layer 3 interface / SVI.

Here is our lab screenshot

authentication critical recovery delay 1000
logging origin-id ip
logging source-interface Loopback0
ip access-list standard ISE-SNMP
 deny any
snmp-server community ZBISE_INSTALL RO ISE-SNMP
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server enable traps
snmp-server enable traps snmp linkdown linkup

This is the Logging and SNMP section of the configuration, which for the most part should be self-explanatory.  You will notice a standard ACL that is being used to restrict our SNMP community string.  I personally like to do this so that I can limit what devices in my deployment can use a community string.  In this case, the community string is read-only but you could make one that is read-write.

Here is our lab screenshot for these as well

mac-notification change move threshold
mac address-table notification change interval 0
mac address-table notification change
mac address-table notification mac-move

This final section helps ISE receive mac address information to assist with profiling of devices.

2. The Switch Interface Configuration:

Now that we have the Global configurations completed on the Switch, we would normally configure a few test ports for ISE.  Before configuring any port, I usually like to show the current configuration incase I need to revert the configuration in the future for any reason.

switchport access vlan 2000
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 2000
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

Above is the ISE Specific switchport configuration that we apply to enable ISE Authentication on a port.  When we have applied this configuration, sometimes with a few modifications, we state that we have “ISED” the port/device.

Here is how this looks on our lab switch.

NOTE: In our Lab we are only really applying these configurations to one port, but in a real world deployment you would be applying these to a ton of ports.  I highly recommend the use of the “default interface” and “interface range” commands to help you speed up this process, just make sure you check to see if there is any POE (show power inline) or CDP (show cdp n) device that may not have been identified before hand or you might just break a device’s connectivity when you ISE the port.

Here is a sample Default Interface and Interface range configuration and how it looks.

default interface range g1/0/1-48
default interface range g2/0/1-48
interface range g1/0/1-48
! insert port config here
no shut 
interface range g2/0/1-48
! insert port config here
no shut

4. The ISE Cluster Configuration

Now that we have the switch configured for ISE, we need to configure the ISE Cluster for the switch.  Launch a browser, browse to your ISE Cluster, and log into it.  As usual my browser of choice is Chrome.

Once logged into your ISE Cluster, we are going to create a Network Device Group called Switches.  To do this travel too Administration -> Network Resources -> Network Device Groups. As usual, here is a screenshot showing you this menu path as well.

On this next screen, the Network Device groups window, click the Add button to create a new group.

NOTE: You can really do a lot with different Network Device Groups.  I traditionally will try to make an organization plan before I start which will reflect my specific use cases I am looking to implement.  For example, you can create a number of Device Groups based on device type and then you can create a number of Device Groups based on the actual location of the device.

In this next little popup window, we are going to name our Group “Switches” and select All Device Types as the Parent Group.  This allows us to create nested groups that we can use later on if we want.  Once you have your information filled out appropriately, select Save.

Now lets actually add our switch.  Navigate to Administration -> Network Resources -> Network Devices.

On the next window, find the Add button on the right pane and click it.

On this next window is where you are going to enter all of your switch’s specific information from IP Address, name, radius settings, snmp settings, and any other functionality you want to run between ISE and your switch. In our lab we are going to run Radius and SNMP so you will see our we configured it below.

Name, IP Address, and Device Group Selection for our Switch.

The Radius settings for our switch.

And finally, the SNMP settings for our switch.

Once you have filled in all of the settings for your device, click the save button.

You should now see a list of the devices you have configured, in our screenshot we only have the one 3750e configured currently.

Thats it, we now have our 3750e switch and ISE configured to work together.

Related Resources:

Cisco ISE Community

How To: Universal IOS Switch Config for ISE

Ask questions and give feedback

Engage with Zigbits further:

Engage with me further:


This post may contain affiliate links to products or services were I may receive a level of compensation from your actions by following those links. This is seamless to you and does not add any additional cost to the products or services in question. In addition, I do not let any affiliate relationship cloud my judgement or my recommendation of a product or service. My recommendations will always be above reproach.  This is my commitment to you Ziglets!

Michael “Zig” Zsiga II, CCDE™ 2016::32, CCIE™ #44883 has been in the networking industry a little over 15 years. He is currently a Lead Technical Architect at ePlus in the New England region of the United States. Zig holds an active CCDE and two CCIE certifications, one in Routing and Switching and the second in Service Provider. Zig also holds a Bachelor’s of Science in Computer Science from Park University. Zig is a father, a husband, a United States Marine, a gamer, a nerd, a geek and a big soccer fan. Zig loves all technology and can usually be found in the lab learning and teaching others. Zig is a co-organizer of The Boston Network Operators Group (www.bosnog.org), runs multiple CCIE Study groups, and is a newly published author. Zig lives in New Hampshire, USA with his wife, Julie and their son Gunnar.

Leave a Reply

Your email address will not be published. Required fields are marked *