Appendix

Configuration of the Cisco Catalyst 2960-X switch (IOS 15.2) used in this work, as printed by `show configuration`. Note that `show configuration` displays the startup configuration stored in NVRAM; `show running-config` shows the active configuration, which may differ if changes were not saved. Passwords, SNMP community strings and RADIUS shared secrets appear in clear text below and should be treated as compromised once published.

#show configuration

version 15.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

! NOTE(review): password-encryption is off, so "enable password" below is
! stored and displayed in clear text. Turning it on would only apply the
! reversible type-7 obfuscation; the real fix is "enable secret" (see below).
no service password-encryption

hostname myswitch

boot-start-marker

boot-end-marker

! SECURITY: clear-text privileged-exec password, and it is the well-known
! value "Cisco". "aaa authentication enable default enable" (below) makes this
! the password that grants privilege 15. Replace with
! "enable secret <strong-value>" and remove this line; treat "Cisco" as
! compromised, since it is published in this appendix.
enable password Cisco

! Local privilege-15 admin with a type-5 (MD5-crypt) hash. Use a type-8/9
! hash ("algorithm-type sha256|scrypt") if the running image supports it; in
! any case rotate this password, because the hash itself is disclosed here.
username admin privilege 15 secret 5 $1$mUVx$5lNk8ibYzrj4fyRtVPhb91

! AAA: management logins use the local user database; 802.1X/MAB
! authentication, network authorization and accounting go to the RADIUS
! group "radiusgroup" (a single server, "radiusserver", defined near the end).
aaa new-model

aaa group server radius radiusgroup

server name radiusserver

! Applies to every line (console and vty) unless a line sets its own list:
! device administration is local-only and therefore not centrally logged.
aaa authentication login default local

! Privilege escalation uses the clear-text "enable password Cisco" above.
aaa authentication enable default enable

aaa authentication dot1x default group radiusgroup

aaa authorization network default group radiusgroup

aaa authorization auth-proxy default group radiusgroup

aaa accounting send stop-record authentication failure

aaa accounting update newinfo

aaa accounting identity default start-stop broadcast group radiusgroup

aaa accounting network default start-stop group radiusgroup

! RADIUS Change-of-Authorization (CoA) listener on UDP 3799.
aaa server radius dynamic-author

! SECURITY: the CoA shared key is a five-digit number. Also, this client
! address (10.209.126.152) is not the RADIUS server address configured later
! (10.209.226.152); one of the two is probably a transcription error - verify,
! otherwise CoA from the real server is rejected, or is accepted from a host
! that is not the RADIUS server.
client 10.209.126.152 server-key 12345

port 3799

! Strictest CoA session matching: all supplied session attributes must match.
auth-type all

! SECURITY: the two "ignore" lines tell the switch to ignore the session key
! and the shared server key when handling incoming CoA requests, i.e. a CoA
! is no longer authenticated by the secret. Anyone who can source packets
! from 10.209.126.152 (spoofed or compromised) could then disconnect sessions
! or push new authorization. Remove both unless there is a documented
! interoperability reason.
ignore session-key

ignore server-key

! One session-id shared by authentication and accounting records so the
! server can correlate them.
aaa session-id common

! No "ntp server" appears anywhere in this configuration: log and accounting
! timestamps rely on the local clock, which resets on reload. Add NTP if the
! timestamps are meant to be correlated with RADIUS/SIEM logs.
clock timezone IST 5 30

switch 1 provision ws-c2960x-24pd-l

! DHCP snooping is enabled globally, but no "ip dhcp snooping vlan <n>" line
! follows, so snooping is not active on any VLAN, and no uplink is marked
! "ip dhcp snooping trust". As written it protects nothing; the binding
! table that IP Source Guard / Dynamic ARP Inspection would need is also not
! built (neither feature is configured here).
ip dhcp snooping

! Needed (together with the RSA key pair) for the SSH server the vty lines use.
ip domain-name pps.local

! Self-signed certificate, as generated by IOS for "ip http secure-server"
! (and the web-auth portal, if that is used). Browsers cannot validate it,
! so users learn to click through warnings; "revocation-check none" is
! expected for a self-signed trustpoint. A certificate issued by the
! organisation's CA is preferable if anyone other than the admin will see
! the HTTPS page.
crypto pki trustpoint TP-self-signed-3051400704

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3051400704

revocation-check none

rsakeypair TP-self-signed-3051400704

crypto pki certificate chain TP-self-signed-3051400704

! Certificate body lives in NVRAM; it is not reproduced in this listing.
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

! Global 802.1X enable - required for the per-port "dot1x pae authenticator"
! settings below to take effect.
dot1x system-auth-control

! Timeout for the "dot1x test eapol-capable" diagnostic only.
dot1x test timeout 30

! Service templates. The DEFAULT_* ones look like the IOS-generated defaults.
! Both control policies below activate DEFAULT_LINKSEC_POLICY_SHOULD_SECURE on
! success, which (as its name says) only prefers MACsec; no MACsec/MKA is
! configured on any port here, so there is no link-layer encryption.
! webauth-global-inactive (1 h idle timer) and the MUST_SECURE and
! CRITICAL_VOICE templates are not referenced by any policy in this
! configuration.
service-template webauth-global-inactive

inactivity-timer 3600

service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE

service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

service-template DEFAULT_CRITICAL_VOICE_TEMPLATE

voice vlan

! Per-VLAN STP. No BPDU guard anywhere ("spanning-tree portfast bpduguard
! default" or per-port "spanning-tree bpduguard enable") and no root guard on
! uplinks, so a device on an access port can take part in STP and, e.g.,
! claim the root role. Add BPDU guard on every edge port (Gi1/0/2-4 here).
spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

! Session whose AAA request timed out (RADIUS unreachable) while it was
! already authorized. Defined but not referenced by either policy-map below.
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST

match result-type aaa-timeout

match authorization-status authorized

! Session whose AAA request timed out while still unauthorized. Defined but
! not referenced by either policy-map below, so RADIUS outages get no
! special (critical-auth) handling in this configuration.
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST

match result-type aaa-timeout

match authorization-status unauthorized

! Any event produced by the 802.1X method. Not referenced by the policies below.
class-map type control subscriber match-all DOT1X

match method dot1x

! 802.1X returned an authoritative failure (an explicit reject from the
! server, as opposed to a timeout or no supplicant).
class-map type control subscriber match-all DOT1X_FAILED

match method dot1x

match result-type method dot1x authoritative

! Session currently authorized by a method with priority value above 20,
! i.e. lower priority than MAB (20) and 802.1X (10) as used below. Not
! referenced by either policy-map.
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO

match authorizing-method-priority gt 20

! No 802.1X supplicant answered the EAP Request/Identity retries.
class-map type control subscriber match-all DOT1X_NO_RESP

match method dot1x

match result-type method dot1x agent-not-found

! The 802.1X method itself timed out. Not referenced by either policy-map
! below; such sessions fall into the "class always" failure branch.
class-map type control subscriber match-all DOT1X_TIMEOUT

match method dot1x

match result-type method dot1x method-timeout

! Any event produced by the MAB method. Not referenced by the policies below.
class-map type control subscriber match-all MAB

match method mab

! MAB returned an authoritative failure (the MAC was rejected by the server).
class-map type control subscriber match-all MAB_FAILED

match method mab

match result-type method mab authoritative

! Control policy for the guest port (Gi1/0/2): try 802.1X first; on an
! explicit reject or no supplicant fall back to MAB; on MAB failure or any
! other failure stay unauthorized and retry after 60 s. Line for line the
! same as POLICY_Gi1/0/3 - one shared policy would be easier to keep
! consistent.
policy-map type control subscriber POLICY_Gi1/0/2

event session-started match-all

10 class always do-until-failure

! 802.1X at priority 10 (a lower number wins over MAB's 20).
10 authenticate using dot1x priority 10

event authentication-failure match-first

! NOTE(review): an explicit 802.1X reject (bad credentials) still falls back
! to MAB, so a host whose MAC is whitelisted on the RADIUS server is admitted
! regardless. MAB can be satisfied by spoofing a known MAC; on a guest port a
! restricted guest VLAN or web-auth (a webauth template exists above but is
! unused) is a safer fallback.
5 class DOT1X_FAILED do-until-failure

10 terminate dot1x

20 authenticate using mab priority 20

! No supplicant answered within the tx-period retries: fall back to MAB.
10 class DOT1X_NO_RESP do-until-failure

10 terminate dot1x

20 authenticate using mab priority 20

! MAB rejected: the port stays unauthorized and retries in 60 s. No guest or
! restricted VLAN is assigned on failure.
20 class MAB_FAILED do-until-failure

10 terminate mab

20 authentication-restart 60

! Everything else, including a RADIUS timeout: tear down and retry in 60 s.
! The AAA_SVR_DOWN_* class-maps are never referenced, so there is no
! critical-auth behaviour when the single RADIUS server is unreachable -
! ports simply stay closed and retry. Make that choice explicit.
40 class always do-until-failure

10 terminate dot1x

20 terminate mab

30 authentication-restart 60

! A supplicant appeared on a MAB-authorised session: drop MAB, run 802.1X.
event agent-found match-all

10 class always do-until-failure

10 terminate mab

20 authenticate using dot1x priority 10

! On success only the link-security template is applied; no VLAN or ACL is
! assigned locally, so any restriction must come from RADIUS attributes,
! which this listing cannot show.
event authentication-success match-all

10 class always do-until-failure

10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

! Control policy for the 802.1X port (Gi1/0/3). Identical to POLICY_Gi1/0/2:
! 802.1X first, MAB on reject or missing supplicant, 60 s retry otherwise.
! Consider collapsing the two into one policy so they cannot drift apart.
policy-map type control subscriber POLICY_Gi1/0/3

event session-started match-all

10 class always do-until-failure

! Start with 802.1X (priority 10 beats MAB's 20).
10 authenticate using dot1x priority 10

event authentication-failure match-first

! An authoritative 802.1X reject is followed by a MAB attempt, so a rejected
! user on a device with a known MAC still gets network access at the MAB
! level. If the intent of this port is "802.1X required", this branch should
! not fall back to MAB (restart instead, as the MAB_FAILED branch does).
5 class DOT1X_FAILED do-until-failure

10 terminate dot1x

20 authenticate using mab priority 20

! No supplicant present: MAB fallback (e.g. printers/phones without 802.1X).
10 class DOT1X_NO_RESP do-until-failure

10 terminate dot1x

20 authenticate using mab priority 20

! MAC rejected: remain unauthorized, retry after 60 s.
20 class MAB_FAILED do-until-failure

10 terminate mab

20 authentication-restart 60

! Catch-all (method timeouts, AAA timeouts): clear both methods and retry in
! 60 s. No critical-auth handling exists for a dead RADIUS server.
40 class always do-until-failure

10 terminate dot1x

20 terminate mab

30 authentication-restart 60

! Supplicant detected after MAB authorised the session: switch to 802.1X.
event agent-found match-all

10 class always do-until-failure

10 terminate mab

20 authenticate using dot1x priority 10

! Success applies the SHOULD_SECURE link-sec template only; VLAN/ACL
! enforcement, if any, comes from the RADIUS reply.
event authentication-success match-all

10 class always do-until-failure

10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

! Management Ethernet port (out-of-band on the 2960-X), no IP configured -
! effectively unused; "shutdown" it if it will not be used.
interface FastEthernet0

no ip address

! Unconfigured port: no 802.1X, no port-security, VLAN 1 (the management
! VLAN, see interface Vlan1), and Catalyst defaults typically leave DTP
! enabled ("switchport mode dynamic auto"), so a connected device can
! negotiate a trunk and reach every VLAN. Unused ports should be "shutdown";
! at minimum "switchport mode access", "switchport nonegotiate" and an
! unused parking VLAN.
interface GigabitEthernet1/0/1

interface GigabitEthernet1/0/2

! Guest port: 802.1X with MAB fallback (POLICY_Gi1/0/2), one host per port.
! No "switchport access vlan": an authenticated guest lands in VLAN 1 - the
! management VLAN (interface Vlan1) - unless RADIUS assigns a VLAN. Give
! guests a dedicated VLAN rather than relying on the server to move them.
description ################GUEST_ACCESS##############

switchport mode access

! Port-security at IOS defaults (max 1 MAC, violation shutdown): a second MAC
! err-disables the port. No "errdisable recovery cause ..." is configured,
! so recovery is a manual shut/no shut.
switchport port-security

! Re-authentication enabled without "authentication timer reauthenticate",
! so the IOS default interval (3600 s) applies unless the server sends
! Session-Timeout.
authentication periodic

access-session host-mode single-host

access-session port-control auto

! MAB is the fallback; it authenticates only the source MAC, which is
! trivially spoofable by an attacker who has observed a permitted device.
mab

dot1x pae authenticator

! EAP Request/Identity retransmit every 10 s (default 30 s); after the
! default two retries (~30 s) DOT1X_NO_RESP fires and MAB starts.
dot1x timeout tx-period 10

service-policy type control subscriber POLICY_Gi1/0/2
! No "spanning-tree portfast" / "spanning-tree bpduguard enable" here
! (Gi1/0/4 has portfast): an edge port should carry both.

interface GigabitEthernet1/0/3

! Corporate 802.1X port (POLICY_Gi1/0/3), single host. As on Gi1/0/2 there
! is no "switchport access vlan", so an authenticated host is placed in
! VLAN 1 (the management VLAN) unless RADIUS assigns one.
description #############802.1x############

switchport mode access

! Port-security defaults (1 MAC, violation shutdown); no errdisable recovery
! is configured, so a violation requires manual shut/no shut.
switchport port-security

authentication periodic

! Re-authenticate every 12 h (43200 s), overriding any server-supplied value.
authentication timer reauthenticate 43200

access-session host-mode single-host

access-session port-control auto

! MAB fallback is enabled on this port too (see the DOT1X_FAILED branch of
! the policy): a rejected 802.1X user can still get in via a known MAC.
mab

dot1x pae authenticator

! 10 s EAP retransmit (default 30 s) to reach MAB fallback faster.
dot1x timeout tx-period 10

service-policy type control subscriber POLICY_Gi1/0/3
! Missing for an edge port: "spanning-tree portfast" and
! "spanning-tree bpduguard enable".

interface GigabitEthernet1/0/4

! 802.1X-only port in VLAN 60: no MAB, no port-security, and - unlike
! Gi1/0/2-3 - no "service-policy type control subscriber". The other ports
! use the new-style (access-session) model, where the attached policy-map
! drives authentication; verify with "show access-session interface
! Gi1/0/4" that 802.1X is actually triggered here, and attach the same
! policy if this port is meant to be protected.
switchport access vlan 60

switchport mode access

authentication periodic

! Re-auth interval taken from the RADIUS Session-Timeout attribute.
authentication timer reauthenticate server

access-session port-control auto

dot1x pae authenticator

! portfast without BPDU guard - add "spanning-tree bpduguard enable".
spanning-tree portfast

! Unconfigured port, same exposure as Gi1/0/1: no authentication, VLAN 1,
! DTP negotiation at platform defaults. "shutdown" if unused, otherwise
! "switchport mode access" + "switchport nonegotiate".
interface GigabitEthernet1/0/5

! Management SVI on VLAN 1, the default VLAN that every access port without
! a "switchport access vlan" belongs to (Gi1/0/1, 1/0/2, 1/0/3, 1/0/5 here):
! the management plane shares a broadcast domain with unauthenticated and
! unused ports. Move management to a dedicated VLAN. Note 10.209.216.96/24
! is not in the same subnet as "ip default-gateway 10.209.126.254" or
! either RADIUS address (10.209.126.152 / 10.209.226.152), so as written the
! switch cannot reach its gateway - likely a transcription error in one of
! these addresses.
interface Vlan1

ip address 10.209.216.96 255.255.255.0

! Gateway is outside Vlan1's 10.209.216.0/24 - see the note on interface Vlan1.
ip default-gateway 10.209.126.254

! SECURITY: clear-text HTTP management is enabled alongside HTTPS. If it is
! only there for web authentication, confirm that is actually required
! (no policy here uses the webauth template); otherwise "no ip http server".
! Either way add "ip http authentication aaa" and restrict management
! sources with "ip http access-class <acl>" - nothing limits who can reach
! the web server now.
ip http server

ip http secure-server

! Permits everything. Not applied to any interface in this configuration;
! presumably named in a RADIUS Filter-Id as the post-authentication ACL. It
! adds nothing over having no ACL at all.
ip access-list extended PERMIT-ALL

permit ip any any

! "Restricted" ACL: blocks DNS and traffic to 10.209.126.152 (the CoA client
! address; the RADIUS server itself is configured at 10.209.226.152), then
! permits everything else - including the management VLAN and every other
! internal network. Not applied to any interface here; presumably pushed via
! RADIUS Filter-Id for some authorization state. As a quarantine ACL it is
! far too permissive: it should permit only the needed remediation
! destinations and end in an explicit "deny ip any any".
ip access-list extended RESTRICT-ALL

deny udp any any eq domain

deny ip any host 10.209.126.152

permit ip any any

! RADIUS traffic is sourced from Vlan1 (10.209.216.96); the server's NAS/client
! entry must be registered with that address and the matching secret.
ip radius source-interface Vlan1

!

! SECURITY: default community strings over SNMPv1/v2c (clear text, no
! authentication), and "private" grants READ-WRITE - anyone who can reach the
! switch can read and rewrite its configuration, which undoes every 802.1X
! control in this file. Remove both lines. If SNMP is needed, use SNMPv3
! with authPriv users/groups and bind them to an access-list of the
! monitoring hosts.
snmp-server community public RO

snmp-server community private RW

!

! NAS-Port-Type (6) sent for login authentication, Framed-IP-Address (8)
! included in Access-Requests, Class (25) echoed back in Access-Requests.
radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

! Server marked dead after 30 s without a response and 3 tries. No
! "radius-server deadtime" is set, so check on this release how long the
! dead state is held. With the only server dead, 802.1X/MAB fails and, as no
! critical-auth handling is configured, ports stay closed until it returns.
radius-server dead-criteria time 30 tries 3

!

! The only RADIUS server (no redundancy). SECURITY: the shared secret
! "12345" is trivially guessable; the secret is all that authenticates
! RADIUS replies, so a weak one lets an on-path attacker forge Access-Accept
! (and, given the CoA settings above, CoA) messages. Use a long random
! secret. Note the address differs from the CoA client entry
! (10.209.126.152) - verify which one is correct.
radius server radiusserver

address ipv4 10.209.226.152 auth-port 1812 acct-port 1813

key 12345

! Smart Install client disabled - good; it is an unauthenticated protocol
! that has been widely abused to read and replace switch configurations.
no vstack

! Console and vty lines inherit "aaa authentication login default local"
! (the local admin account). No "exec-timeout" is set on any line (IOS
! default 10 min) and no "access-class" restricts SSH source addresses -
! add both.
line con 0

! SSH only, Telnet disabled - good. No "ip ssh version 2" appears in the
! configuration; confirm with "show ip ssh" that SSHv1 is not offered.
line vty 0 4

transport input ssh

line vty 5 15

transport input ssh

end