Change of Authorization (CoA) in 802.1X: How It Works and How to Configure It
RADIUS CoA lets ISE push policy updates to the switch mid-session, no re-auth required. Here is the IOS XE and ISE config, plus the posture remediation use case.
Web authentication adds a captive portal as an 802.1X fallback for guests, contractors, and unmanaged endpoints. Here is the Cisco IOS XE and ISE config.
Multi-domain authentication lets an IP phone and a PC share one 802.1X port with separate voice and data VLANs. Here is the Cisco IOS XE config and verification.
dACLs move ACL definitions off the switch and into ISE, delivered per session via RADIUS. Here is how the download mechanism works and how to configure both sides.
Guest VLAN, Auth-Fail VLAN, and Critical VLAN cover the three 802.1X failure paths: no supplicant, wrong credentials, and RADIUS down. Here is when and how to use each.
Dynamic VLAN assignment returns the target VLAN in RADIUS Tunnel attributes, so identity (not cabling) decides the network segment. Here is the ISE and IOS XE config.
Single-host, multi-host, multi-domain, and multi-auth control how many MACs can use an 802.1X port. Pick the wrong mode and you get silent failures or open ports.
show authentication sessions is your first 802.1X diagnostic. Here is how to read the output, when to escalate to debug dot1x and debug radius, and how to stay sane.
dACL not applying usually means ISE sent the wrong AVPair name, the switch cannot download it, or the ACL content parsed badly. Here is the full troubleshooting path.
Dynamic VLAN not working breaks down to four causes: ISE not sending Tunnel attributes, wrong values, switch not processing them, or VLAN not in the database. Here is how to isolate.
When a switch marks ISE DEAD, every 802.1X port is affected. Here is how to confirm the outage fast, check shared secret and routing, and restore service.
A client stuck in Unauthorized covers five different failures: no EAPOL, supplicant timeout, dot1x missing, Access-Reject, or post-auth policy failure. Here is how to tell them apart.