© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
To define the Cisco Catalyst 3850, on the ISE screen, navigate to Administration > Network Resources >
Network Devices, as shown in Figure 2.
Figure 2. Device Definition in ISE
802.1X (dot1x) must be enabled globally on the switch for wired and wireless clients.
dot1x system-auth-control
!
802.1X Configuration for Wired Users
802.1X for wired users is configured per port. Here is the port configuration:
interface GigabitEthernet1/0/13
 switchport access vlan 12
 switchport mode access
 access-session port-control auto
 access-session host-mode single-host
 dot1x pae authenticator
 service-policy type control subscriber DOT1X
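As an added example (not part of the original Cisco document), the following Python script checks a saved switch configuration for the global and per-port 802.1X commands shown above and reports access ports that lack them. The sample configuration is constructed, and limiting the check to ports configured with "switchport mode access" is an assumption made for this example.

```python
# Commands from the page; SAMPLE_CONFIG is constructed (Gi1/0/14 lacks 802.1X).
GLOBAL_LINE = "dot1x system-auth-control"
REQUIRED_PORT_LINES = ("access-session port-control auto", "dot1x pae authenticator")
POLICY_PREFIX = "service-policy type control subscriber "
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface GigabitEthernet1/0/13
 switchport mode access
 access-session port-control auto
 access-session host-mode single-host
 dot1x pae authenticator
 service-policy type control subscriber DOT1X
!
interface GigabitEthernet1/0/14
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

def parse(config):
    """Split IOS-style text into (global lines, {interface: stanza lines})."""
    global_lines, stanzas, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None  # "!" or a blank line closes the stanza
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, stanzas

def audit(config):
    """Return (location, missing command) pairs for the 802.1X lines above."""
    global_lines, stanzas = parse(config)
    findings = [] if GLOBAL_LINE in global_lines else [("global", GLOBAL_LINE)]
    for name, lines in stanzas.items():
        if "switchport mode access" not in lines:
            continue  # assumption: only static access ports are in scope
        findings += [(name, req) for req in REQUIRED_PORT_LINES if req not in lines]
        if not any(l.startswith(POLICY_PREFIX) for l in lines):
            findings.append((name, POLICY_PREFIX + "<policy>"))
    return findings

if __name__ == "__main__":
    print(*(f"{w}: missing '{m}'" for w, m in audit(SAMPLE_CONFIG)), sep="\n")
```

The parser closes an interface stanza at "!" rather than relying on indentation, so it also accepts configuration text whose leading spaces were lost in copy and paste.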
The Cisco Catalyst 3850 also introduces session-aware networking (SaNet), which replaces the Auth
Manager that is present in current Cisco IOS® Software platforms.
The objective of SaNet is to remove any dependency between the features applied to a session and the
authentication method. Thus, with appropriate AAA interactions, any authentication method should be able to
derive authorization data for any feature to be activated on a session. This can be accomplished by using a policy
model similar to Modular Policy Framework (MPF), which is used in routing protocols, firewall rules, quality of
service (QoS), and so on. For more details, see the SaNet documentation at
http://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-overview.html.
The following policy is an example for SaNet: