Cisco AAA/802.1x Configuration Template

This post provides configuration template for a Cisco switch interacting with Clearpass NAC for AAA/802.1x setup. This has been tested out in a Cisco C9300/9500 switch running 16.12.x code version in a multi-vrf environment.

#Enable AAA:
aaa new-model

#Define Radius Server:
radius server CLEARPASS-DC-1
 address ipv4 auth-port 1645 acct-port 1646
 key <KEY HERE>

#Create Radius Server Group:
aaa group server radius CLEARPASS
 server name CLEARPASS-DC-1
 ip vrf forwarding NETWORK_VRF
 ip radius source-interface Loopback0

#Load balancing:
radius-server load-balance method least-outstanding

#Change of Authorization:
aaa server radius dynamic-author
 client server-key <KEY HERE>

#AAA Radius Configuration:
aaa authentication dot1x default group CLEARPASS
aaa authorization network default group CLEARPASS
aaa accounting dot1x default start-stop group CLEARPASS
aaa accounting update newinfo

#Radius Attributes:
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
radius-server vsa send authentication
radius-server vsa send accounting

#Enable 802.1x:
dot1x system-auth-control
authentication mac-move permit