
Cisco ISE & 802.1X: Wired Authentication, Policy Design, and Troubleshooting

March 13, 2026 · 12 min read

Overview

802.1X with Cisco ISE is the industry standard for controlling which devices and users get network access. Without it, any device plugged into a switch port joins the network automatically. With ISE, every connection triggers a RADIUS authentication exchange: the switch (authenticator) forwards the credentials to ISE (authentication server), which checks Active Directory, returns a VLAN assignment, and optionally pushes a downloadable ACL (dACL) that limits what the device can reach.


Authentication Flow

[Diagram: 802.1X authentication flow, EAP over RADIUS]

Endpoint (Supplicant) --EAPOL--> Access Switch (Authenticator / NAS) --RADIUS--> Cisco ISE (RADIUS Auth Server) --LDAP--> Active Directory

Authorization result returned to the switch:
  ✓ VLAN Assignment, e.g. VLAN 10 (Corp)
  ✓ dACL Push, e.g. permit tcp any any eq 443
  ✓ SGT Tag, e.g. SGT 10 = Employee
  MAB fallback: MAC bypass for devices without a supplicant
  CoA (Change of Authorization): ISE can dynamically update policy without re-auth

Part 1: Switch Port Configuration

AAA and RADIUS Setup

```cisco
! Global AAA configuration
aaa new-model
aaa authentication dot1x default group ISE-SERVERS
aaa authorization network default group ISE-SERVERS
aaa accounting dot1x default start-stop group ISE-SERVERS

! RADIUS server group pointing to ISE PSN nodes
radius server ISE-PSN-01
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key Str0ngRADIUSk3y!
 timeout 5
 retransmit 2
radius server ISE-PSN-02
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key Str0ngRADIUSk3y!
 timeout 5
 retransmit 2

aaa group server radius ISE-SERVERS
 server name ISE-PSN-01
 server name ISE-PSN-02
 load-balance method least-outstanding

! Enable CoA: required for ISE to push policy changes dynamically
aaa server radius dynamic-author
 client 192.0.2.10 server-key Str0ngRADIUSk3y!
 client 192.0.2.11 server-key Str0ngRADIUSk3y!
 port 1700

! Global dot1x settings
dot1x system-auth-control
dot1x critical eapol
```

Access Port Configuration

```cisco
interface GigabitEthernet1/0/1
 description CORP-WORKSTATION
 switchport mode access
 switchport access vlan 999
 ! VLAN 999 = restricted/pre-auth VLAN, ISE will assign the real VLAN
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate 3600
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Note: multi-auth allows one 802.1X device plus unlimited MAB devices on the same port, which is ideal for IP phones with a PC connected behind them.

VLAN and dACL Return from ISE

ISE sends VLAN and ACL via RADIUS Access-Accept attributes:

```cisco
! ISE sends these RADIUS attributes in the Access-Accept:
! Tunnel-Type = VLAN (13)
! Tunnel-Medium-Type = 802 (6)
! Tunnel-Private-Group-ID = "10"   <- VLAN number as a string
! Cisco-AVPair = "ip:inacl#1=permit tcp any any eq 443"
! Cisco-AVPair = "ip:inacl#2=permit udp any any eq 53"
! Cisco-AVPair = "ip:inacl#3=deny ip any any"
```

Cisco ISE 3.3 › Policy › Policy Sets › Corporate-Wired-8021X

Authentication Policy: Corporate-Wired-8021X

| Rule name | If (Conditions) | Then Use | Identity Store | Hits |
|---|---|---|---|---|
| Corp-Machine-EAP-TLS | Wired_802.1X AND AD:ExternalGroups ⊃ Domain Computers | EAP-TLS | AD1 (corp.local) | 5,214 |
| Corp-User-PEAP | Wired_802.1X AND AD:ExternalGroups ⊃ Domain Users | PEAP-MSCHAPv2 | AD1 (corp.local) | 3,881 |
| MAB-Cisco-IPPhone | Wired_MAB AND Endpoint-Profile ⊃ Cisco-IP-Phone | MAB (Lookup) | Internal Endpoints | 248 |
| MAB-Printers-IoT | Wired_MAB AND Endpoint-Profile ⊃ Printer | MAB (Lookup) | Internal Endpoints | 97 |
| Default | (no match) | DenyAccess | (none) | 31 |

AuthZ results sent in the Access-Accept: VLAN 10 (Tunnel-Private-Group-ID) + dACL-Corp (Cisco-AVPair) + SGT 10 for TrustSec. The Hits counter resets daily at 00:00 UTC.

Part 2: ISE Policy Set Design

Policy Set Structure

ISE evaluates policies top-down in this order:

```text
Policy Sets  →  Authentication Policy  →  Authorization Policy
     |                   |                        |
 Match on:          Which store?             What to give?
 NAS-IP             AD / LDAP                VLAN + dACL + SGT
 Protocol           Local DB                 Session timeout
 Location           Certificate              Posture required
```

Recommended Policy Set Layout

| Policy Set | Condition | Auth Policy | Result |
|---|---|---|---|
| Corporate Wired | Wired_802.1X AND NAS-IP in Corp-Switches | AD domain check + machine cert | VLAN 10, dACL-Corp, SGT 10 |
| Guest Wired | Wired_MAB AND NAS-IP in Corp-Switches | MAC OUI lookup | VLAN 50 (Guest), dACL-Guest |
| Printers / IoT | Wired_MAB AND Endpoint-Profile = Printer | Profiling-based | VLAN 60 (IoT), dACL-PrinterOnly |
| BYOD | Wired_802.1X AND cert CN contains @byod | Internal CA cert | VLAN 70 (BYOD), dACL-Internet-Only |

Part 3: MAB Fallback for Non-802.1X Devices

Devices like printers, IP cameras, and VoIP phones cannot run an 802.1X supplicant. MAB (MAC Authentication Bypass) lets ISE authenticate them by their MAC address.

```cisco
! On the switch: authentication order tries dot1x first, MAB second
authentication order dot1x mab
authentication priority dot1x mab
! MAB timeout: how long to wait for dot1x before falling back
dot1x timeout tx-period 10
! After 3 retries (30 seconds total), the switch falls back to MAB
```

On ISE, create an endpoint group for known MAC addresses:

```text
ISE → Work Centers → Network Access → Identities → Endpoints → Create endpoint:
    MAC = 00:1A:2B:3C:4D:5E → Assign to group: Printers
```

Then in the Authorization Policy, match Endpoint-Profile = Printers and return the printer VLAN.


Real-World Scenario

The situation: After deploying ISE 802.1X on a floor of 80 access ports, 15 workstations authenticate correctly, but 3 HP laser printers and 2 IP cameras get stuck in the restricted VLAN. The network team assumes MAB is broken.

Symptoms observed:

  • show authentication sessions interface Gi1/0/5 shows Status: Unauthorized, Method: mab, State: Authc Failed
  • ISE Live Logs show Authentication failed: 15023 - Endpoint abandoned EAP session and started new
  • Printers can ping 192.0.2.1 (the default gateway) but can't reach the print server at 10.10.10.50

Root cause: The printers were not in ISE's Endpoint database. MAB reached ISE but the MAC address matched no endpoint group, so the default authorization rule returned DenyAccess.

Fix: add the MACs to ISE and create an authorization rule:

```text
ISE → Administration → Identity Management → Identities → Endpoints
    → Import CSV with MAC addresses → Assign group: Printers

ISE → Policy → Policy Sets → Corporate Wired → Authorization Policy → Add rule above Default:
    Condition: Network-Access-Authentication-Passed AND AD-Groups = n/a AND Endpoint-Profile = Printers
    Result: PermitAccess, VLAN=60, dACL=Printer-ACL
```

Verification:

```cisco
SW-01# show authentication sessions interface GigabitEthernet1/0/5 detail
! Look for: Status = Authorized, VLAN = 60, Method = mab
SW-01# show ip access-lists Auth-Default-ACL-OPEN
! Verify the dACL was applied
```

Cisco ISE 3.3 › Operations › RADIUS › Live Logs (last 20 RADIUS events, PSN: ise-psn-01.corp.local, 192.0.2.10)

| Time | Result | Username | Endpoint MAC | NAS / Port | Protocol | AuthZ Policy | VLAN / dACL |
|---|---|---|---|---|---|---|---|
| 08:42:11 | Pass | jsmith | A4:C3:F0:12:34:56 | 192.0.2.25 / Gi1/0/4 | EAP-TLS | Corp-Machine-EAP-TLS | VLAN 10 + dACL-Corp |
| 08:42:03 | Pass | 00:11:22:33:44:55 | 00:11:22:33:44:55 | 192.0.2.25 / Gi1/0/12 | MAB Lookup | MAB-Cisco-IPPhone | VLAN 20 (Voice) |
| 08:41:47 | Fail | testuser | B8:27:EB:FF:10:23 | 192.0.2.26 / Gi1/0/8 | PEAP-MSCHAPv2 | (none) | VLAN 999 |
| 08:41:30 | Pass | E4:5F:01:AA:BB:CC | E4:5F:01:AA:BB:CC | 192.0.2.25 / Gi1/0/6 | MAB Lookup | MAB-Printers-IoT | VLAN 60 + dACL-PrinterOnly |

Failure detail for the 08:41:47 event: 24408, user authentication against Active Directory failed (AD account locked out). Check AD on dc01.corp.local. NAS IP: 192.0.2.26, Port: Gi1/0/8.

Expanding a row shows the full RADIUS attribute detail: returned AVPairs, CoA history, session duration, and the endpoint profiling match. ISE-PSN-02 (192.0.2.11) is standby and takes load when PSN-01 exceeds its threshold.

Troubleshooting

dot1x supplicant not sending EAPOL

Symptom: show authentication sessions interface Gi1/0/1 shows no sessions. Client connected but nothing happening.

Cause: The Windows supplicant's wired 802.1X service is disabled, or EAPOL frames are being dropped by a hub between the switch and the PC.

Fix:

```powershell
# Windows: enable the Wired AutoConfig service (sc.exe, not the PowerShell alias sc)
sc.exe config dot3svc start= auto
net start dot3svc
# Or via Group Policy: Computer Configuration → Windows Settings → Security Settings → System Services → Wired AutoConfig
```

RADIUS timeout: switch falls into the critical VLAN

Symptom: show authentication sessions shows Auth SM State: CRITICAL. All new authentications go to the critical VLAN.

Cause: The ISE PSN nodes are unreachable: a firewall is blocking UDP 1812/1813, or the ISE application service is down.

Fix:

```cisco
! Check RADIUS reachability from the switch (syntax: test aaa group <group> <user> <password> new-code)
SW-01# test aaa group ISE-SERVERS testuser testpass new-code
! On timeout: check firewall rules for UDP 1812/1813 and the ISE service status
! On ISE: Administration → System → Deployment → check node health
```

CoA not working: policy change doesn't take effect

Symptom: Changed authorization policy in ISE but active sessions still have old VLAN/ACL.

Cause: Either aaa server radius dynamic-author is not configured, or an ACL on the switch is blocking UDP 1700 from ISE.

Fix:

```cisco
SW-01# show running-config | section dynamic-author
! Verify the dynamic-author clients list the ISE PSN IPs (and that the server-key matches the RADIUS key)
SW-01# show aaa servers
! RADIUS server state and counters for each PSN
! Verify UDP 1700 from the PSN IPs is permitted by any ACL on the management interface
SW-01# debug aaa coa
! Look for CoA-Request / Disconnect-Request packets arriving from ISE on port 1700
```

Machine authentication succeeds but user VLAN not assigned

Symptom: Endpoint gets machine-auth VLAN at boot, but after user logs in, VLAN doesn't change to user VLAN.

Cause: ISE isn't receiving a user authentication request after the machine authentication, because the Windows supplicant isn't configured to re-authenticate as the user at login.

Fix:

```text
Windows GPO: Computer Configuration → Policies → Windows Settings → Security Settings
    → Wired Network (IEEE 802.3) Policies
    → Authentication tab → Enable IEEE 802.1X authentication
    → Authentication Mode: User or Computer authentication
```

ISE 802.1X Deployment Checklist

  • RADIUS shared secret is identical on ISE and all network devices; a mismatch causes silent authentication failures
  • NTP synchronized between ISE, switches, and AD; time drift of more than 5 minutes breaks Kerberos and certificate validation
  • dot1x system-auth-control is enabled globally before any port is configured
  • spanning-tree portfast enabled on all access ports; without it, 802.1X times out before STP converges
  • CoA client configured with the correct ISE PSN IPs and a matching shared secret on UDP 1700
  • Critical VLAN configured with server dead action reinitialize vlan X so access keeps working during an ISE outage
  • authentication host-mode multi-auth on ports that have IP phones with PCs; single-host breaks voice
  • MAB endpoint groups created in ISE for all non-supplicant devices before go-live
  • ISE authorization policies tested with a known-good and a known-bad endpoint before the production cutover
  • Live Logs open in ISE Operations during rollout; every authentication attempt appears there in real time
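A way to check most of the switch-side items on this list against a running-config before cutover, as an added Python example that is not part of the original post or of any Cisco tool: it splits an IOS configuration into sections and reports missing global commands, CoA clients whose server-key differs from the RADIUS key for the same PSN, and per-port gaps (portfast, MAB, critical VLAN, host-mode) on every port that has authentication port-control auto. The config excerpt is constructed for the example (one compliant port, one non-compliant port, one mistyped CoA secret); the check names and messages are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt: one port done right, one port missing most of the checklist,
# and a dynamic-author client whose server-key does not match its RADIUS server definition.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group ISE-SERVERS
aaa authorization network default group ISE-SERVERS
radius server ISE-PSN-01
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key Str0ngRADIUSk3y!
radius server ISE-PSN-02
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key Str0ngRADIUSk3y!
aaa server radius dynamic-author
 client 192.0.2.10 server-key Str0ngRADIUSk3y!
 client 192.0.2.11 server-key Typ0edSecret
 port 1700
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication event server dead action reinitialize vlan 10
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
"""

Section = Tuple[str, List[str]]


def parse_sections(config: str) -> List[Section]:
    """Split an IOS config into (top-level command, indented sub-commands); a leading space marks a child."""
    sections: List[Section] = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(text)
        else:
            sections.append((text, []))
    return sections


def audit(config: str) -> List[str]:
    """Return checklist findings; an empty list means every check passed."""
    sections = parse_sections(config)
    top_level = {header for header, _ in sections}
    findings: List[str] = []
    for required in ("aaa new-model", "dot1x system-auth-control"):
        if required not in top_level:
            findings.append(f"GLOBAL: '{required}' is missing")

    radius_keys: Dict[str, str] = {}  # RADIUS server IP -> key
    coa_keys: Dict[str, str] = {}     # dynamic-author client IP -> server-key
    for header, body in sections:
        if header.startswith("radius server "):
            ip = key = None
            for line in body:
                if (m := re.match(r"address ipv4 (\S+)", line)):
                    ip = m.group(1)
                elif (m := re.match(r"key (.+)", line)):
                    key = m.group(1)
            if ip and key:
                radius_keys[ip] = key
        elif header == "aaa server radius dynamic-author":
            for line in body:
                if (m := re.match(r"client (\S+) server-key (.+)", line)):
                    coa_keys[m.group(1)] = m.group(2)
    if not coa_keys:
        findings.append("COA: no 'aaa server radius dynamic-author' clients, ISE cannot push CoA")
    for ip, key in radius_keys.items():
        if ip not in coa_keys:
            findings.append(f"COA: RADIUS server {ip} has no dynamic-author client entry")
        elif coa_keys[ip] != key:
            findings.append(f"COA: server-key for {ip} differs from its RADIUS key, CoA will be dropped")

    for header, body in sections:
        if not header.startswith("interface ") or "authentication port-control auto" not in body:
            continue  # only ports that actually enforce 802.1X are audited
        port = header.split(" ", 1)[1]
        if "spanning-tree portfast" not in body:
            findings.append(f"{port}: no portfast, 802.1X can time out before STP converges")
        if "mab" not in body:
            findings.append(f"{port}: no 'mab', non-supplicant devices have no fallback")
        if not any(line.startswith("authentication event server dead action reinitialize vlan") for line in body):
            findings.append(f"{port}: no critical VLAN, port goes dark during an ISE outage")
        if not any(line in ("authentication host-mode multi-auth", "authentication host-mode multi-domain") for line in body):
            findings.append(f"{port}: host-mode is single-host, a phone with a PC behind it will fail")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The secret comparison only covers one device; the first checklist item (the same secret on ISE and every switch) still needs the ISE side checked, which this script cannot see.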