Cisco ISE NAD Configuration Templates

I’m going to use this page for links to the configuration templates I use when deploying Cisco ISE. These templates are provided as-is with no guarantee. Yes, even I sometimes have a fat-finger error. I will be updating them on the share if/when I find better configurations.

Be sure to check the Network Component Compatibility list for your version of Cisco ISE as well as the feature list for your NAD OS release before trying to apply any configuration settings. Otherwise, you may just receive a lot of errors.

Switch Templates for Cisco ISE Authentication

Note: The C3PL templates are based on IBNS 2.0 but do not have most of the features you want with IBNS 2.0. It was just shorter by a couple of characters to name them C3PL (what will I do with the time saved?). These are more for reference.

The following four C3PL configurations will authenticate Dot1x and MAB at the same time. They will work for most deployments but can cause duplicate records to show up in the Live Logs (one for MAB, one for Dot1x). Be sure to test whether this works for your deployment. Note that running Dot1x and MAB concurrently is not fully supported by Cisco. To change this behavior, replace the policy map in these templates with the policy map found in the Cisco ISE IBNS 2.0 Switch Config template below.

Cisco ISE C3PL Switch Config Template
Cisco ISE C3PL Switch Denali Config Template

Cisco ISE C3PL & TrustSec Config Template
Cisco ISE C3PL & TrustSec Denali Config Template

Preferred IBNS 2.0 template

The following C3PL configuration is fully IBNS 2.0 compliant. Dot1x and MAB run separately (MAB after Dot1x failure).

Cisco ISE IBNS 2.0 Switch Config Template for IOS 15.2 and up

In the IBNS 2.0 compliant template, there is one section to edit in order to change the behavior so that Dot1x and MAB run simultaneously. I want to state again that running Dot1x and MAB concurrently is not yet fully supported by Cisco. If you want to utilize that functionality, change this:

policy-map type control subscriber Dot1x-Default
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  5 class Dot1x_Failed do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20

to this:

policy-map type control subscriber Dot1x-Default
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20

Making that change causes the switch to send an authentication/authorization attempt using both dot1x and MAB. MAB will always match something (the switch always has the endpoint's MAC address), but dot1x will only be attempted if the switch receives an EAPoL packet from the endpoint. If a dot1x response is received from ISE by the switch, the dot1x result takes priority over the MAB result.
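Because the concurrent variant is not fully supported and produces duplicate Live Log entries, it is useful to be able to check which variant a switch is actually running. The following is an added example (not part of the original templates) that parses the `policy-map type control subscriber` section shown above out of a running-config and classifies it as sequential or concurrent; the two sample configs are constructed from the snippets on this page, and the function names are my own.

```python
import re

# Constructed sample: the sequential policy map from the IBNS 2.0 template
# (dot1x first, MAB only after a dot1x failure).
SEQUENTIAL_CFG = """\
policy-map type control subscriber Dot1x-Default
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  5 class Dot1x_Failed do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
"""

# Constructed sample: the edited policy map that runs dot1x and MAB concurrently.
CONCURRENT_CFG = """\
policy-map type control subscriber Dot1x-Default
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
"""

def parse_policy_map(text):
    """Return {event: [(class_name, mode, [actions])]} for one subscriber policy map.
    Sequence numbers are stripped from action lines so they can be compared easily."""
    events, current_event, current_actions = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("policy-map"):
            continue
        m = re.match(r"event (\S+)", line)
        if m:                                   # new event block, e.g. session-started
            current_event, current_actions = m.group(1), None
            events.setdefault(current_event, [])
            continue
        m = re.match(r"\d+ class (\S+) (do-all|do-until-failure|do-until-success)", line)
        if m and current_event:                 # class line under the current event
            current_actions = []
            events[current_event].append((m.group(1), m.group(2), current_actions))
            continue
        if current_actions is not None:         # action line under the current class
            current_actions.append(re.sub(r"^\d+\s+", "", line))
    return events

def auth_mode(text):
    """'concurrent' if dot1x and mab both run at session-started under do-all,
    'sequential' if mab only runs after authentication-failure, else 'unknown'."""
    events = parse_policy_map(text)
    for _cls, mode, actions in events.get("session-started", []):
        methods = {a.split()[2] for a in actions if a.startswith("authenticate using")}
        if mode == "do-all" and {"dot1x", "mab"} <= methods:
            return "concurrent"
    for _cls, _mode, actions in events.get("authentication-failure", []):
        if any(a.startswith("authenticate using mab") for a in actions):
            return "sequential"
    return "unknown"
```

Feed it the output of `show running-config | section policy-map type control subscriber` from each switch to find the ones still running the concurrent variant.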

IBNS 1.0 compliant templates

These templates are for switches that do not support IBNS 2.0.

Cisco ISE non-C3PL with Device Sensors Config Template
Cisco ISE non-C3PL without Device Sensors Config Template

TACACS configuration templates

IOS/IOS-XE

Cisco ISE IOS/IOS-XE TACACS+ Auth Template

Adaptive Security Appliance (ASA) Templates for Cisco ISE Authentication

Cisco ISE ASA TACACS+ Authentication Template