Security

  • 1.  AAA on Cisco 9300

    Posted Jan 14, 2026 08:24 AM

    Hi,

    I don't know if this is the correct community, but I would like to see a port configuration on a Cisco 9300 switch for 802.1x/MAB.

    There is also some ClearPass configuration I would like to see, just basic stuff.

    /Flemming



    -------------------------------------------


  • 2.  RE: AAA on Cisco 9300
    Best Answer

    Posted Jan 15, 2026 05:45 AM

    Not sure what OS the 9300 runs, but the Wired Policy Enforcement (Solution Guide) may provide the needed configuration snippets.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: AAA on Cisco 9300

    Posted Jan 15, 2026 06:21 AM

    Hi Herman,

    Thank you for replying to my post.

    I have seen the Wired Policy Enforcement Guide, but this is based on old Cisco 2960 switches.
    It is possible that I can use some of it, and I will give it a try.

    Regards

    Flemming

    -------------------------------------------



  • 4.  RE: AAA on Cisco 9300

    Posted Jan 15, 2026 11:17 AM

    We are running Cisco IOS-XE version 17.12 on our 9300 switches. The IOS commands for 802.1x/MAB are the same as what you will find in the link Herman provided. You can also find lots of information on Cisco's support site.

    -------------------------------------------



  • 5.  RE: AAA on Cisco 9300

    Posted Jan 16, 2026 09:52 AM

    This is a great resource: https://www.ise-support.com/cisco-ise-nad-configuration-templates/

    The templates here can easily be adapted for use with ClearPass or any other RADIUS server.

    -------------------------------------------



  • 6.  RE: AAA on Cisco 9300

    Posted Jan 16, 2026 10:11 AM

    From the Networking Support Portal you can get the Wired Enforcement tech note, https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us

    In this document you will find both the switch configuration for different switches and also ClearPass configuration guidance. 



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: AAA on Cisco 9300

    Posted Jan 16, 2026 10:17 AM

    Hi Jonas, 

    Thank you, I know about this tech note and I guess it will lead me in the right direction.

    /Flemming

    -------------------------------------------



  • 8.  RE: AAA on Cisco 9300

    Posted Jan 16, 2026 10:30 AM

    The tech note is very detailed. If the syntax is different in some ways between the different versions of the Cisco switches, I think you will be able to find a way to translate with Cisco-specific guides for your switch model. 802.1x and MAB are more or less the same regardless of vendor, just with a little bit of different syntax.

    The general steps in the switch are:

    1. Configure one or more RADIUS servers
    2. Add the servers to a group (optional)
    3. Configure dynamic authorization (CoA)
    4. Enable authentication on global level in the switch
    5. Enable authentication on ports

    In ClearPass it's the same configuration regardless of switch vendor, until the Enforcement profile is sent. If you stay with IETF standard RADIUS all (most) vendors will understand the attributes.

    To be able to send VSA (Vendor Specific Attributes) you have to enable the vendor attributes in ClearPass and specify the vendor in the Network Device configuration.

    If you have multiple vendors, i.e. both Cisco and Aruba, you can either create one service for each vendor and place the Network Devices in different Network Device Groups and use the Network Device Group in the Service filter to get the requests to be handled by the correct service.

    Or, have one service for both vendors and in the role mapping or enforcement policy select the correct profile to send in each case.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
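    The five general steps above, written out as one Cisco IOS-XE configuration. This is an added example and not configuration from the thread, the tech note or HPE; the server names, the 192.0.2.10/192.0.2.11 addresses, the GigabitEthernet1/0/1 interface and the `<shared-secret>` placeholder are constructed and must be replaced with your own ClearPass node IPs, key and port.

```cisco
! Step 1: define the RADIUS servers (the ClearPass nodes).
! Addresses and key are constructed placeholders.
aaa new-model
radius server CPPM-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
radius server CPPM-2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Step 2: put the servers in a group so the AAA method lists
! reference a single name and fail over between nodes.
aaa group server radius CPPM
 server name CPPM-1
 server name CPPM-2
!
! Step 3: dynamic authorization, so ClearPass can send CoA and
! Disconnect messages. Client IPs and key must match what ClearPass
! uses as its source address and shared secret.
aaa server radius dynamic-author
 client 192.0.2.10 server-key <shared-secret>
 client 192.0.2.11 server-key <shared-secret>
 auth-type any
!
! Step 4: enable authentication, authorization and accounting globally.
aaa authentication dot1x default group CPPM
aaa authorization network default group CPPM
aaa accounting dot1x default start-stop group CPPM
dot1x system-auth-control
! Send and accept vendor-specific attributes; only needed once the
! ClearPass enforcement profile returns Cisco VSAs instead of IETF
! attributes.
radius-server vsa send authentication
radius-server vsa send accounting
! Include Framed-IP-Address in Access-Requests once the switch has
! learned it, which makes ClearPass session tracking more useful.
radius-server attribute 8 include-in-access-req
!
! Step 5: enable authentication on the access ports. Timers and
! host-mode are left at defaults here; the port example later in the
! thread shows a fuller set.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication order mab dot1x
 authentication priority mab dot1x
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

    A quick check after applying it: `show authentication sessions interface GigabitEthernet1/0/1 details` should show the session method and the server that authorized it, and `show aaa servers` should show the ClearPass nodes as UP with non-zero request counts once a client connects. If CoA from ClearPass is rejected, the `aaa server radius dynamic-author` client list and key are the first thing to compare against the ClearPass Network Device entry.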



  • 9.  RE: AAA on Cisco 9300

    Posted Jan 16, 2026 10:53 AM
    Edited by RVTO Jan 16, 2026 10:53 AM

    I'll give you what I have for port config on a 9300 that is working for MAC auth. I won't claim that I'm an expert, or that this is the best possible way to go about it, or that the timeouts are ideal, because I wouldn't want to claim this as expert advice. It does, however, work for me.

     ! Access port; 802.1X/MAB is not run on trunk ports
     switchport mode access
     ! Each MAC address on the port is authenticated as its own session
     authentication host-mode multi-auth
     ! Try MAB first, then 802.1X; MAB takes precedence over 802.1X
     authentication order mab dot1x
     authentication priority mab dot1x
     ! Port stays unauthorized until a session is authorized by RADIUS
     authentication port-control auto
     ! Re-authenticate periodically, interval taken from the RADIUS
     ! Session-Timeout attribute rather than a local timer
     authentication periodic
     authentication timer reauthenticate server
     ! Enable MAB and the 802.1X authenticator role on the port
     mab
     dot1x pae authenticator
     ! EAP timers (seconds) and retry counts
     dot1x timeout server-timeout 30
     dot1x timeout tx-period 10
     dot1x timeout supp-timeout 15
     dot1x max-req 3
     dot1x max-reauth-req 1
     ! Edge port: skip STP listening/learning so clients get link quickly
     spanning-tree portfast

    There are only a couple of changes that I need to make when we do dot1x auth, which is more common in our org. You also have to have the switch globally set up properly to do authentication, and of course the proper service settings in ClearPass.

    -------------------------------------------