A complete 802.1X deployment on a Cisco Catalyst 9300 involves configuration at three levels: global (enabling the framework and defining RADIUS servers), interface (enabling authentication and selecting policy behavior), and VLAN (ensuring fallback VLANs exist and are correctly assigned). Skipping any layer produces non-obvious failures.
This article uses IOS XE 17.9.x syntax. The switch management IP is 10.0.99.1, and ISE runs at 10.0.0.10. For the authentication flow those commands produce, see [Article 7: 802.1X Authentication Flow Step by Step: From EAPOL Start to RADIUS Accept]. For ISE-side configuration that pairs with this switch config, see [Article 9: Configuring Cisco ISE as a RADIUS Server for 802.1X].
Global Configuration
AAA and RADIUS Framework
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE
address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
key ISEsecret123
timeout 5
retransmit 3
automate-tester username radiustest probe-on
!
aaa group server radius RADIUS_GROUP
server name ISE
deadtime 15
!
aaa authentication dot1x default group RADIUS_GROUP
aaa authorization network default group RADIUS_GROUP
aaa accounting dot1x default start-stop group RADIUS_GROUP
!
dot1x system-auth-control
dot1x logging verbose
Line-by-line explanation:
aaa new-model — activates the AAA framework. Without this, no AAA commands function. This is a global prerequisite for all 802.1X work.
aaa authentication dot1x default group radius — tells the switch to use RADIUS for 802.1X authentication. The default method list is applied globally; interface-level method list overrides are possible but rarely needed in single-ISE deployments. Note that the three default method lists appear twice in the block above: first against the generic group radius (every configured RADIUS server), then, once the named group exists, against group RADIUS_GROUP. IOS keeps only the most recent definition of a given method list, so the second set supersedes the first and is the one the switch actually uses.
aaa authorization network default group radius — enables authorization, which is what carries dynamic VLAN and dACL attributes back from ISE. Without authorization, the switch performs authentication only and ignores VSAs in the Access-Accept.
aaa accounting dot1x default start-stop group radius — sends RADIUS accounting Start records when a session is authorized and Stop records when it ends. ISE uses these for session visibility in the Endpoint context and for CoA operations. Required for ISE's Change of Authorization (CoA) to function correctly. See [Article 19: Change of Authorization (CoA) in 802.1X] for CoA configuration.
radius server ISE — defines a named RADIUS server. Named servers (introduced in IOS XE) replace the older radius-server host syntax and are required for server-group configurations.
address ipv4 10.0.0.10 auth-port 1812 acct-port 1813 — specifies ISE's IP and the standard RADIUS ports.
key ISEsecret123 — the shared secret. Must match exactly what is configured on ISE under Administration > Network Resources > Network Devices. Case-sensitive.
timeout 5 — seconds the switch waits for a RADIUS response before retransmitting. The default of 5 seconds is appropriate for most LAN deployments. Increase to 10 for WAN-connected ISE nodes.
retransmit 3 — number of times the switch retransmits before marking the server dead.
automate-tester username radiustest probe-on — sends periodic test authentication requests to detect when a dead RADIUS server comes back online. Requires a test user account on ISE (or the acceptance of Access-Reject responses as proof of reachability). This is the standard mechanism for RADIUS dead server recovery. See [Article 28: RADIUS Redundancy and Failover in 802.1X Deployments] for the full redundancy design.
aaa group server radius RADIUS_GROUP — groups named RADIUS servers. Using a server group is required when you want to apply deadtime per group or reference multiple ISE nodes.
deadtime 15 — marks a non-responsive server as dead and skips it for 15 minutes, preventing per-packet timeout delays during an ISE outage. After 15 minutes (or when the automate-tester detects recovery), the server is tried again.
dot1x system-auth-control — enables 802.1X globally. Without this command, dot1x pae authenticator on individual interfaces has no effect. Ports do not authenticate.
dot1x logging verbose — logs detailed 802.1X state machine events to the syslog buffer. Essential for troubleshooting without running debug commands.
VLAN Prerequisites
All VLANs referenced in authentication policy must exist on the switch before 802.1X is configured on the ports. Missing VLANs cause dynamic VLAN assignment to fail silently.
vlan 10
name Data
vlan 20
name Voice
vlan 30
name Guest
vlan 40
name Auth-Fail
vlan 50
name Critical
vlan 99
name Management
Interface Configuration — Standard Access Port
This is the baseline configuration for a campus access port connecting a Windows 10/11 endpoint. Apply this to any port on the Catalyst 9300 that will authenticate wired endpoints.
interface GigabitEthernet1/0/1
description User Access Port - 802.1X
switchport mode access
switchport access vlan 10
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 15
storm-control broadcast level 20.00
storm-control action shutdown
!
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication event fail action authorize vlan 40
authentication event no-response action authorize vlan 30
authentication event server dead action authorize vlan 50
authentication event server dead action authorize voice
authentication event server alive action reinitialize
!
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x timeout supp-timeout 15
dot1x max-reauth-req 3
!
mab
!
ip access-group ACL_PREAUTH in
no shutdown
Line-by-line explanation:
switchport mode access — hard-sets the port to access mode. Never use switchport mode dynamic desirable or dynamic auto on 802.1X ports. DTP negotiation can interfere with authentication state.
switchport access vlan 10 — sets the default access VLAN. This is the VLAN the port falls into if static assignment is used. Dynamic VLAN assignment from ISE overrides this value at runtime but this serves as the fallback if AAA authorization is not configured.
switchport nonegotiate — disables DTP. Combined with switchport mode access, this locks the port to access mode with no negotiation.
spanning-tree portfast — skips the STP Listening and Learning states, allowing the port to pass traffic immediately after link-up. Critical for 802.1X: without PortFast, the supplicant's EAPOL-Start may be sent and time out before the port transitions out of Blocking state. The EAP identity request is lost and authentication fails.
spanning-tree bpduguard enable — if a BPDU is received on this PortFast port, it shuts down immediately. Prevents loop formation if a switch is connected to an access port.
authentication host-mode multi-auth — allows multiple authenticated endpoints per port, each in its own authentication session. Required for ports that may have a soft phone, a docking station, or a second device. See [Article 13: 802.1X Authentication Host Modes: Single-Host, Multi-Host, Multi-Domain, Multi-Auth] for a full comparison of all modes.
authentication order dot1x mab — tries 802.1X first. If the endpoint does not respond to EAP-Request/Identity (after tx-period * max-reauth-req seconds), the switch falls back to MAB. For endpoints that always have a supplicant, put dot1x first. For ports that mix supplicant and non-supplicant devices, the order and priority settings together control the fallback behavior. See [Article 12: MAC Authentication Bypass (MAB) Configuration on Cisco IOS XE and ISE] for MAB-specific configuration.
authentication priority dot1x mab — if MAB is already running and an EAPOL frame arrives (supplicant starts late), dot1x takes priority and overrides the MAB session. This is the correct setting for most environments — you want a proper 802.1X authentication to replace a MAB session whenever the supplicant is available.
authentication port-control auto — the standard mode. The port starts unauthorized, performs authentication, and transitions to authorized on success. force-authorized disables authentication (used for uplinks). force-unauthorized permanently blocks the port.
authentication periodic — enables periodic reauthentication. Without this, a session is authenticated once and never re-evaluated by ISE. ISE posture and CoA rely on session state being refreshable.
authentication timer reauthenticate server — the reauthentication interval is set by ISE's Session-Timeout attribute in the Access-Accept, rather than a hardcoded value on the switch. This allows ISE to control session lifetime per endpoint type or policy.
authentication event fail action authorize vlan 40 — if authentication fails (ISE returns Access-Reject), the port moves to Auth-Fail VLAN 40. Use this for endpoints where you want restricted access rather than complete denial. For example, a corporate laptop with an expired password goes to VLAN 40, which may allow a password reset portal but nothing else.
authentication event no-response action authorize vlan 30 — if no EAPOL response is received (the endpoint has no supplicant), the port moves to Guest VLAN 30 after timeout. Appropriate for conference room ports or shared spaces. For production environments, consider whether Guest VLAN is appropriate or if MAB should handle non-supplicant devices instead.
authentication event server dead action authorize vlan 50 — if ISE is unreachable (RADIUS timeout), the port moves to Critical VLAN 50. This allows pre-authorized endpoints to maintain network access during an ISE outage. See [Article 15: Guest VLAN, Auth-Fail VLAN, and Critical VLAN in 802.1X] for design guidance on Critical VLAN.
authentication event server dead action authorize voice — when ISE is unreachable, IP phones in multi-domain mode are authorized on the Voice VLAN without authentication. Prevents a phone outage during an ISE failure.
authentication event server alive action reinitialize — when a previously dead RADIUS server comes back online, all sessions on this port are re-authenticated immediately. This ensures endpoints that authenticated against the Critical VLAN are properly evaluated by ISE once it recovers.
dot1x pae authenticator — enables 802.1X on the interface, making the switch act as the authenticator (PAE = Port Access Entity). Without this, the interface does not send EAP-Request/Identity frames.
dot1x timeout tx-period 10 — reduces the default 30-second retransmit timer to 10 seconds. A supplicant that doesn't respond within 10 seconds triggers a retransmit. With max-reauth-req 3, the total wait before MAB fallback is approximately 30 seconds. Tune this based on your supplicant's typical response time.
dot1x timeout supp-timeout 15 — how long the switch waits for a supplicant response to an EAP-Request before retransmitting at the EAP level. 15 seconds is appropriate for most environments.
dot1x max-reauth-req 3 — maximum EAP retransmissions before the switch considers the supplicant non-responsive and attempts MAB.
mab — enables MAC Authentication Bypass as a fallback. When dot1x times out with no supplicant response, the switch sends the endpoint's MAC address to ISE as the username and password in a RADIUS Access-Request. ISE evaluates the MAC against its endpoint database.
ip access-group ACL_PREAUTH in — applies a pre-authentication ACL to the port. This ACL restricts traffic before authentication completes, allowing only DHCP and RADIUS-related traffic (the ACL as defined below contains no DNS entry; add one if endpoints need name resolution before authorization). Define this ACL globally before applying it. Unauthenticated endpoints should not be able to reach production resources.
Pre-Authentication ACL
ip access-list extended ACL_PREAUTH
10 permit udp any any eq 67
20 permit udp any any eq 68
30 permit udp any host 10.0.0.10 eq 1812
40 deny ip any any log
This ACL allows DHCP (ports 67/68) and RADIUS authentication traffic but blocks all other IP traffic until authentication completes. After authentication, ISE either assigns a dACL via RADIUS attributes or the pre-auth ACL is removed.
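To see exactly what this ACL admits before authorization completes, here is an added Python example (not part of the original article) that parses the ACL above in its IOS extended-ACL syntax and evaluates a few constructed packets against it, first match wins with an implicit deny at the end, as the switch does. The parser covers only the subset of syntax used on this page (any / host addresses, eq ports, optional sequence numbers, trailing log). The sample packets, and every address other than the ISE node 10.0.0.10, are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The article's pre-authentication ACL, verbatim, in IOS extended-ACL syntax.
PREAUTH_ACL = """\
ip access-list extended ACL_PREAUTH
 10 permit udp any any eq 67
 20 permit udp any any eq 68
 30 permit udp any host 10.0.0.10 eq 1812
 40 deny ip any any log
"""

# Constructed sample packets from a not-yet-authenticated endpoint:
# (label, protocol, src_ip, src_port, dst_ip, dst_port). Only 10.0.0.10 is
# taken from the article; the other addresses are made up for this example.
SAMPLE_PACKETS = [
    ("DHCP Discover", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    ("DNS query", "udp", "10.0.10.105", 53444, "10.0.0.53", 53),
    ("HTTP to file server", "tcp", "10.0.10.105", 51000, "10.0.20.5", 80),
    ("UDP/1812 to ISE", "udp", "10.0.10.105", 40000, "10.0.0.10", 1812),
]


@dataclass
class Ace:
    """One access control entry. None for an address or port means 'any'."""
    seq: int
    action: str
    proto: str
    src: Optional[str]
    src_port: Optional[int]
    dst: Optional[str]
    dst_port: Optional[int]


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[Optional[str], Optional[int], int]:
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq N'; return (addr, port, next index)."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form: {tokens[i]!r}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return addr, port, i


def parse_acl(text: str) -> List[Ace]:
    """Parse the subset of extended-ACL syntax used on this page (any/host, eq, optional seq, log)."""
    aces: List[Ace] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":  # blank line or the 'ip access-list extended' header
            continue
        i = 0
        seq = (len(aces) + 1) * 10  # IOS auto-numbers unnumbered entries in steps of 10
        if tokens[i].isdigit():
            seq, i = int(tokens[i]), i + 1
        action, proto, i = tokens[i], tokens[i + 1], i + 2
        src, src_port, i = _parse_endpoint(tokens, i)
        dst, dst_port, i = _parse_endpoint(tokens, i)
        aces.append(Ace(seq, action, proto, src, src_port, dst, dst_port))  # trailing 'log' ignored
    return aces


def evaluate(aces, proto, src, src_port, dst, dst_port) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; traffic matching nothing hits the implicit deny (seq None)."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.src is not None and ace.src != src:
            continue
        if ace.dst is not None and ace.dst != dst:
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.seq
    return "deny", None


def report(aces: List[Ace]) -> List[Tuple[str, str, Optional[int]]]:
    """Evaluate every sample packet: (label, action, matching sequence number)."""
    return [(label, *evaluate(aces, *pkt)) for label, *pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for label, action, seq in report(parse_acl(PREAUTH_ACL)):
        print(f"{label:<22} {action:<6} seq {seq}")
```

Only the DHCP exchange passes; the DNS query hits sequence 40, so anything that relies on name resolution before authorization (a remediation or guest portal reached by hostname, for example) needs its own permit entry. Sequence 30 is reachable from the endpoint, but in 802.1X the switch, not the endpoint, is the RADIUS client, so ordinary endpoint traffic never exercises it.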
Interface Configuration — Uplink / Trunk Ports
Uplink ports connecting to distribution switches, routers, or ISE itself must never have 802.1X enabled. Use authentication port-control force-authorized or simply omit all authentication commands.
interface TenGigabitEthernet1/1/1
description Uplink to Distribution Switch
switchport mode trunk
switchport trunk allowed vlan 10,20,30,40,50,99
spanning-tree guard root
no dot1x pae authenticator
authentication port-control force-authorized
force-authorized ensures the port is always in the authorized state regardless of AAA configuration. Even if dot1x system-auth-control is enabled globally, this port passes traffic unconditionally.
Using Interface Templates (Recommended for Scale)
On the Catalyst 9300, applying 802.1X configuration via Interface Templates is preferred over configuring each port individually. Templates ensure consistency and simplify compliance audits.
template DOT1X_ACCESS
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication event fail action authorize vlan 40
authentication event no-response action authorize vlan 30
authentication event server dead action authorize vlan 50
authentication event server dead action authorize voice
authentication event server alive action reinitialize
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
mab
ip access-group ACL_PREAUTH in
Apply the template to an interface or a range:
interface range GigabitEthernet1/0/1 - 48
source template DOT1X_ACCESS
switchport access vlan 10
description User Access Port
The source template command applies all commands from the template while still allowing interface-specific overrides (like VLAN assignment or description).
Verifying the Configuration
Global 802.1X Status
C9300# show dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 3
Dot1x Info for GigabitEthernet1/0/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_AUTH
ReAuthentication = Enabled
ReAuthPeriod = 0 (Locally configured)
ReAuthAction = Reauthenticate
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 15
MaxReq = 3
TxPeriod = 10
RateLimitPeriod = 0
Session Summary
C9300# show authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/1 a4b1.e9f0.3c22 dot1x DATA Auth 0A006301000001B4
Gi1/0/2 0050.56a1.b234 mab DATA Auth 0A006301000001B5
Gi1/0/3 001a.2b3c.4d5e dot1x VOICE Auth 0A006301000001B6
Gi1/0/4 0000.0000.0000 dot1x DATA Unauth 0A006301000001B7
This table shows four ports: one authenticated via 802.1X, one via MAB (a printer or similar non-supplicant device), one voice domain session, and one unauthorized port actively attempting authentication.
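The same table can be triaged programmatically. The following Python example is added here and is not from the article: it parses constructed show authentication sessions output shaped like the table above and flags the rows an operator looks at first, ports that are still Unauth and DATA-domain sessions authorized by MAB alone (a MAC address is not a credential, so a MAB-authorized device should correspond to an approved endpoint group in ISE). Column handling assumes the default IOS XE layout with a possibly blank Fg column; the MAC addresses and session IDs are the constructed values from the table.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample output, shaped like the 'show authentication sessions' table above.
SAMPLE_SESSIONS = """\
Interface    MAC Address     Method  Domain  Status  Fg  Session ID
Gi1/0/1      a4b1.e9f0.3c22  dot1x   DATA    Auth        0A006301000001B4
Gi1/0/2      0050.56a1.b234  mab     DATA    Auth        0A006301000001B5
Gi1/0/3      001a.2b3c.4d5e  dot1x   VOICE   Auth        0A006301000001B6
Gi1/0/4      0000.0000.0000  dot1x   DATA    Unauth      0A006301000001B7
"""


@dataclass
class Session:
    interface: str
    mac: str
    method: str
    domain: str
    status: str
    session_id: str


# One session row: interface, dotted MAC, method, domain, status, optional Fg flag, hex session ID.
ROW = re.compile(
    r"^(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s+"
    r"(?:[A-Za-z]+\s+)?([0-9A-F]+)\s*$"
)


def parse_sessions(text: str) -> List[Session]:
    """Return one Session per data row; the header line does not match ROW and is skipped."""
    return [Session(*m.groups()) for m in (ROW.match(line) for line in text.splitlines()) if m]


def summarize(sessions: List[Session]) -> Dict[Tuple[str, str], int]:
    """Count sessions per (method, status) pair, e.g. ('dot1x', 'Auth')."""
    return dict(Counter((s.method, s.status) for s in sessions))


def review_findings(sessions: List[Session]) -> List[str]:
    """Rows worth a second look: anything not Auth, and DATA sessions authorized by MAB alone."""
    findings: List[str] = []
    for s in sessions:
        if s.status != "Auth":
            findings.append(
                f"{s.interface}: {s.method} session is {s.status} for {s.mac} "
                f"(check supplicant and ISE live logs for session {s.session_id})"
            )
        elif s.method == "mab" and s.domain == "DATA":
            findings.append(
                f"{s.interface}: MAB-only authorization for {s.mac}; "
                f"confirm the MAC is in an approved endpoint group in ISE"
            )
    return findings


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    for (method, status), count in sorted(summarize(sessions).items()):
        print(f"{method:<6} {status:<7} {count}")
    for finding in review_findings(sessions):
        print(finding)
```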
Per-Interface Detail
C9300# show authentication sessions interface GigabitEthernet1/0/1 details
Interface: GigabitEthernet1/0/1
IIF-ID: 0x1D4A6B2C
MAC Address: a4b1.e9f0.3c22
IPv6 Address: Unknown
IPv4 Address: 10.0.10.105
User-Name: CORP\jsmith
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 36000s (server), Remaining: 35821s
Common Session ID: 0A006301000001B4E2D34F10
Acct Session ID: 0x00000012
Handle: 0xC5000013
Current Policy: POLICY_Gi1/0/1
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Vlan: 10
ACS ACL: xACSACLx-IP-PERMIT_CORP_ACCESS-5f3a2b1c
Method status list:
Method State
dot1x Authc Success
Key verification points:
Status: Authorized — port is authenticated and passing traffic
Domain: DATA — session is in the DATA domain (not VOICE or UNKNOWN)
Session timeout: 36000s (server) — ISE returned a 10-hour session timeout via the Session-Timeout attribute
Vlan Group: Vlan: 10 — dynamic VLAN from ISE is active
ACS ACL — ISE returned a downloadable ACL (dACL) and it is applied. See [Article 16: Downloadable ACLs (dACLs) with Cisco ISE and 802.1X]
Method: dot1x / Authc Success — 802.1X succeeded, MAB fallback was not needed
Troubleshooting
Symptom: All ports remain unauthorized after global configuration; show dot1x all shows PAE is not set to AUTHENTICATOR on any interface.
Cause: dot1x pae authenticator was not configured on the interfaces, or the Interface Template was not applied.
Fix: Verify with show run interface GigabitEthernet1/0/1 that the template is applied (source template DOT1X_ACCESS) or that dot1x pae authenticator appears directly. If using templates, confirm the template name is correct with show template DOT1X_ACCESS.
Symptom: Endpoints authenticate successfully but receive the wrong VLAN; switch stays on the static access VLAN instead of the ISE-assigned VLAN.
Cause: aaa authorization network default group RADIUS_GROUP is missing from the global config. Without this, the switch does not process RADIUS VSAs (VLAN attributes) from the Access-Accept.
Fix: Add aaa authorization network default group RADIUS_GROUP and verify with show running-config | include aaa authorization. After adding, trigger reauthentication with authentication reinitialize interface GigabitEthernet1/0/1 and recheck the session details.
Symptom: EAPOL-Start is sent by the supplicant but authentication never completes; the port eventually falls to Guest VLAN.
Cause: RADIUS packets are not reaching ISE. Common causes: the radius server ISE key does not match ISE's Network Device shared secret, or the switch is sourcing RADIUS from an interface ISE does not expect.
Fix: Add ip radius source-interface Vlan99 to force RADIUS sourcing from the management interface (10.0.99.1). Verify the shared secret on ISE under Administration > Network Resources > Network Devices > [Switch entry] > Authentication Settings. Use debug radius to confirm Access-Requests are transmitted and whether responses arrive.
Symptom: Dynamic VLAN assignment works but authentication event server dead action authorize vlan 50 does not trigger during an ISE outage; ports go unauthorized instead.
Cause: The RADIUS server must be definitively declared dead (deadtime triggered) before the dead-server action fires. If deadtime is not configured on the AAA server group, the switch may keep retrying indefinitely.
Fix: Confirm deadtime 15 is configured under aaa group server radius RADIUS_GROUP. Also verify the Critical VLAN (50) exists on the switch with show vlan brief.
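Several of the symptoms above share one root cause: a required element on one of the three configuration layers is absent. The following Python example (added here; it is not the article's own tooling) audits a running-config text for exactly those elements: aaa new-model and dot1x system-auth-control, the three default AAA method lists, deadtime on every RADIUS server group, authentication port-control auto on every interface running the authenticator or MAB, no authenticator on trunk ports, and every VLAN referenced by an access or fallback action actually being defined. The sample configuration is constructed from this article's commands with faults introduced deliberately: the authorization line is omitted, VLAN 50 is never created, and GigabitEthernet1/0/2 is left without port-control auto.

```python
import re
from typing import List, Set, Tuple

# Constructed sample running-config built from the article's commands, with three
# deliberate faults: no 'aaa authorization network' line, VLAN 50 never created,
# and GigabitEthernet1/0/2 missing 'authentication port-control auto'.
SAMPLE_RUNNING_CONFIG = """\
aaa new-model
aaa authentication dot1x default group RADIUS_GROUP
aaa accounting dot1x default start-stop group RADIUS_GROUP
!
radius server ISE
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ISEsecret123
aaa group server radius RADIUS_GROUP
 server name ISE
 deadtime 15
dot1x system-auth-control
!
vlan 10
 name Data
vlan 30
 name Guest
vlan 40
 name Auth-Fail
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication event fail action authorize vlan 40
 authentication event no-response action authorize vlan 30
 authentication event server dead action authorize vlan 50
 dot1x pae authenticator
 mab
interface GigabitEthernet1/0/2
 switchport mode access
 dot1x pae authenticator
interface TenGigabitEthernet1/1/1
 switchport mode trunk
 authentication port-control force-authorized
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (header, child lines): an unindented line opens a block,
    indented lines belong to the block above it, '!' separators are dropped."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def vlan_ids(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,30-32' into {10, 30, 31, 32}."""
    ids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit_dot1x_config(config: str) -> List[str]:
    """One finding per missing or inconsistent 802.1X element across the three layers."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings: List[str] = []

    # Layer 1: global framework. Each default method list must exist for some server group.
    for required in ("aaa new-model", "dot1x system-auth-control"):
        if required not in headers:
            findings.append(f"global: missing '{required}'")
    for prefix, consequence in (
        ("aaa authentication dot1x default group ", "ports cannot authenticate"),
        ("aaa authorization network default group ", "dynamic VLAN and dACL attributes are ignored"),
        ("aaa accounting dot1x default start-stop group ", "ISE loses session visibility and CoA"),
    ):
        if not any(h.startswith(prefix) for h in headers):
            findings.append(f"global: missing '{prefix}...' ({consequence})")
    for header, body in blocks:
        if header.startswith("aaa group server radius ") and not any(
            line.startswith("deadtime ") for line in body
        ):
            findings.append(f"global: server group {header.split()[-1]} has no deadtime (server-dead actions may never fire)")

    # Layer 3: VLANs actually defined on the switch.
    defined: Set[int] = set()
    for header, _ in blocks:
        m = re.fullmatch(r"vlan ([\d,\-]+)", header)
        if m:
            defined |= vlan_ids(m.group(1))

    # Layer 2: every interface running the authenticator or MAB.
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        authenticator = "dot1x pae authenticator" in body
        if "switchport mode trunk" in body and authenticator:
            findings.append(f"{name}: trunk port has 'dot1x pae authenticator'")
        if not (authenticator or "mab" in body):
            continue
        if "authentication port-control auto" not in body:
            findings.append(f"{name}: authenticator enabled without 'authentication port-control auto'")
        for line in body:
            m = re.search(r"(?:authorize|access) vlan (\d+)$", line)
            if m and int(m.group(1)) not in defined:
                findings.append(f"{name}: references VLAN {m.group(1)}, which is not defined on the switch")
    return findings


if __name__ == "__main__":
    for finding in audit_dot1x_config(SAMPLE_RUNNING_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of show running-config (or a config archive) rather than a live session; the checks are purely textual and the same three findings come back for the sample above. The Critical VLAN check is the one that matters most operationally, because, as noted under VLAN Prerequisites, a fallback VLAN that does not exist fails silently rather than with an error at configuration time.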
What's Next: [Article 9: Configuring Cisco ISE as a RADIUS Server for 802.1X] — the ISE-side configuration to pair with this switch setup, including Network Device definition, Authentication Policy, Authorization Policy, and Authorization Profile creation for dynamic VLAN assignment.