Configuring Cisco 2620 for Guest Wired Authentication

policy-map type control subscriber POLICY_Gi1/0/24
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  10 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 20
  20 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  40 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authentication-restart 60
 event agent-found match-all
  10 class DOT1X_MEDIUM_PRIO do-until-failure
   10 authenticate using dot1x priority 20
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

Configuring Interface

switchport mode access
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session port-control auto
no snmp trap link-status
dot1x pae authenticator
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/24
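
The policy-map above references control classes (DOT1X_FAILED, MAB_FAILED, DOT1X_NO_RESP, DOT1X_MEDIUM_PRIO) whose class-map definitions are not shown on this page. The Python check below is an added example, not part of the original guide: it scans a saved running-config for control classes and control policies that are referenced but never defined. The sample config is constructed and the function name audit is hypothetical.

```python
import re

# Definitions and references in IBNS 2.0 style configuration text.
CLASS_DEF = re.compile(r"^class-map type control subscriber match-\S+ (\S+)", re.M)
POLICY_DEF = re.compile(r"^policy-map type control subscriber (\S+)", re.M)
CLASS_REF = re.compile(r"^[ \t]+\d+ class (\S+) ", re.M)
POLICY_REF = re.compile(r"^[ \t]+service-policy type control subscriber (\S+)", re.M)

def audit(config):
    """Return control classes and policies that are referenced but not defined."""
    classes = set(CLASS_DEF.findall(config)) | {"always"}  # 'always' is built in
    policies = set(POLICY_DEF.findall(config))
    return {
        "missing_class_maps": sorted(set(CLASS_REF.findall(config)) - classes),
        "missing_policy_maps": sorted(set(POLICY_REF.findall(config)) - policies),
    }

# Constructed sample (not from a real device): a shortened copy of the page's
# policy-map with only two of its four named classes defined.
SAMPLE = """\
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
class-map type control subscriber match-all MAB_FAILED
 match method mab
policy-map type control subscriber POLICY_Gi1/0/24
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
  10 class MAB_FAILED do-until-failure
   10 terminate mab
  20 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
  40 class always do-until-failure
   10 terminate mab
 event agent-found match-all
  10 class DOT1X_MEDIUM_PRIO do-until-failure
   10 authenticate using dot1x priority 20
interface GigabitEthernet1/0/24
 service-policy type control subscriber POLICY_Gi1/0/24
"""

if __name__ == "__main__":
    for kind, names in audit(SAMPLE).items():
        print(kind, names)
```
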

Configuring ACLs

Configure the same ACL (as-redirect) on Ivanti Policy Secure in the RADIUS return attributes. The host in the deny entry is the Ivanti Policy Secure IP.

C2960X(config)#ip access-list extended as-redirect
C2960X(config-ext-nacl)#deny ip any host 10.xxx.xx.xxx
C2960X(config-ext-nacl)#permit ip any any
C2960X(config-ext-nacl)#do wr mem

Configuring RADIUS CoA

Under aaa server radius dynamic-author, add the client entry and save:

client 10.xxx.xx.xxx server-key xxx

radius server test
 address ipv4 10.xxx.xx.xxx auth-port 1645 acct-port 1646
 key r

C2960X(config)#aaa group server radius dsad-IPV6
C2960X(config-sg-radius)#server name test

Go to the interface, enter mab, and save:

C2960X(config)#interface GigabitEthernet 1/0/14
C2960X(config-if)#mab