© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 6 of 70
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
!
policy-map type control subscriber DOT1X
event session-started match-all
1 class always do-until-failure
2 authenticate using dot1x retries 3 retry-time 60
event authentication-success match-all
event authentication-failure match-all
5 class DOT1X_NO_RESP do-until-failure
1 authentication-restart 60
!
802.1X Configuration for Wireless Users
For wireless clients, 802.1x is configured under WLAN configuration mode. The AAA authentication method is
similar to wired clients.
wlan Predator 1 Predator
security dot1x authentication-list CLIENT_AUTH
When a user provides credentials, the ISE server authenticates and authorizes the user. Upon successful
authorization, the user is assigned a specific VLAN, which provides policies based on groups or device types in
ISE. It also provides other policies such as QoS, downloadable access control list (dACL), and so on.
The client session is maintained on the Cisco Catalyst 3850 after authorization, until the session is terminated. The
client states are controlled by the wireless control manager (WCM) process.
Any end station (wired or wireless) authenticating using dot1X is termed as a “client,” and all the policies such as
dACL and QoS that are specific to this client are installed on the client entity in hardware, unlike ports in the
existing 3K switches. This is one way that consistency between wired and wireless clients is achieved.
To look at the overall wired and wireless devices connected on the switch, the following command can be used:
Switch#sh access-session
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 0024.7eda.6440 dot1x DATA Auth 0A0101010000109927B3B90C
Ca1 b065.bdbf.77a3 dot1x DATA Auth 0a01010150f57a300000002e
Ca1 b065.bdb0.a1ad dot1x DATA Auth 0a01010150f57ac20000002f
Session count = 3
Key to Session Events Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress