How to configure Wired 802.1x on ISE 1.3…
1. Add an external identity source e.g. AD
If you have multiple identity sources, create an identity source sequence
Add ISE(s) as join points to AD
Add AD OUs as groups
To enable machine authentication; go to Administration, external ID sources, Advance settings – Tick the check boxes for Password change, Machine authentication and Machine access restriction
Under System, make sure you see all the ISE nodes their roles and services status
2. Add network resources.
Simply add the dot1x switches
3. Create authentication policy
From Policy -> Result -> Authentication, create an authentication allowed protocol e.g. “PEAP-TLS”
Now create an authentication policy by duplicating the default wired condition. Rename the authentication policy and allow the protocol “PEAP-TLS” created in (3). Replace “Internal end points” with the authentication sequence you created in (1b).
4. Create authorization profile
Duplicate wired 802.1x authorization profile; rename it for example, “Wired-802.1x-users” save
Now create Condition and result for this rule.
Duplicate Wired 802.1x Condition and rename it for example, “Wired-dot1x-users”. With the AND operator add Domain user group to Frames and Ethernet.
Duplicate an existing result name it “Allowed-WD –Access” under authorisation profile, Create DACL and select the appropriate Data Vlan and Tag. Save configuration.
5. Create Authorization policy
Duplicate 802.1x authorization policy; rename it… e.g. (Wired-Auth-Policy)
Using the Condition and the authorization profile result you created earlier, update the authorization policy you just created.
Note: There are two options in matching policy rules. 1. First match and 2. Multi-Match. User the dropdown at the top to select between both as it suites you environment.