This post provides configuration template for a Cisco switch interacting with Clearpass NAC for AAA/802.1x setup. This has been tested out in a Cisco C9300/9500 switch running 16.12.x code version in a multi-vrf environment.
#Enable AAA:
aaa new-model
#Define Radius Server:
radius server CLEARPASS-DC-1
address ipv4 10.10.10.10 auth-port 1645 acct-port 1646
key <KEY HERE>
#Create Radius Server Group:
aaa group server radius CLEARPASS
server name CLEARPASS-DC-1
ip vrf forwarding NETWORK_VRF
ip radius source-interface Loopback0
#Load balancing:
radius-server load-balance method least-outstanding
#Change of Authorization:
aaa server radius dynamic-author
client 10.10.10.10 server-key <KEY HERE>
#AAA Radius Configuration:
aaa authentication dot1x default group CLEARPASS
aaa authorization network default group CLEARPASS
aaa accounting dot1x default start-stop group CLEARPASS
aaa accounting update newinfo
#Radius Attributes:
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
radius-server vsa send authentication
radius-server vsa send accounting
#Enable 802.1x:
dot1x system-auth-control
authentication mac-move permit
Reference: https://www.ciscozine.com/dot1x-global-configuration-deployment-guide/