Below is a sample from my Cisco switch configuration in eve-ng that works to connect a Cisco switch to an ISE server. My config doesn’t include the ASA router that assigns an IP dynamically based on the OU group e1/0 and e1/1 have Windows PCs that log with a student of staff, based on that configures if the IP address is .20 or .30.
Current configuration : 5186 bytes
!
! Last configuration change at 23:34:51 UTC Thu Feb 6 2025 by admin
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
username cisco password 0 admin
username admin password 0 cisco
aaa new-model
!
!
!
!
aaa group server radius ISE-GROUP
server name ISE
ip radius source-interface Vlan10
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa authorization network cts-list group ISE-GROUP
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE-GROUP
!
!
!
!
!
aaa server radius dynamic-author
client 10.1.1.200 server-key eve1
!
aaa session-id common
!
!
!
ip domain-name eve
ip cef
no ipv6 cef
!
!
cts authorization list cts-list
cts role-based sgt-map 10.1.1.100 sgt 2
cts role-based sgt-map 10.1.1.200 sgt 2
cts role-based sgt-map 10.1.1.201 sgt 2
cts role-based sgt-map 10.1.1.253 sgt 2
cts role-based sgt-map 10.1.1.254 sgt 2
cts sxp enable
cts sxp default source-ip 10.1.1.252
cts sxp default password eve1
cts sxp connection peer 10.1.1.200 source 10.1.1.252 password default mode local speaker hold-time 0
dot1x system-auth-control
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
interface GigabitEthernet0/1
description mgmt node
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet0/2
description ise node
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet0/3
description ise node
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet1/0
description win10 node
switchport access vlan 100
switchport mode access
negotiation auto
authentication host-mode multi-auth
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
!
interface GigabitEthernet1/1
description win10 node
switchport access vlan 100
switchport mode access
negotiation auto
authentication host-mode multi-auth
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
!
interface GigabitEthernet1/2
negotiation auto
!
interface GigabitEthernet1/3
negotiation auto
!
interface Vlan10
ip address 10.1.1.253 255.255.255.0
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
snmp-server community eve1 RO
snmp-server enable traps snmp linkdown linkup
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server timeout 2
!
radius server ISE
address ipv4 10.1.1.200 auth-port 1812 acct-port 1813
pac key eve1
!
!
control-plane
username admin password cisco
# not included in show running-config
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
line vty 5 15
transport input ssh
!
!
cts credentials id SW02 password eve1
# not included in show running-config
end
