Deploying wired 802.1x with Cisco ISE is one of those tasks that looks straightforward on paper and bites you in the lab the first time you try it. The pieces are simple individually - a switch, a RADIUS server, a supplicant - but the sequence of clicks in ISE, the correct AAA method lists on the switch, and the order of authentication methods at the interface level all have to line up. This guide walks you through a complete, working Cisco ISE 802.1x wired configuration end to end, from building the Policy Set in ISE to typing the final dot1x pae authenticator on the access port, with the verification commands you will actually run when something breaks.
What This Guide Covers
This is a wired 802.1x deployment guide. The authenticator is a Cisco Catalyst switch running IOS-XE, the authentication server is Cisco ISE acting as a RADIUS server, and the supplicant is a domain-joined Windows or macOS endpoint (or Linux with wpa_supplicant in wired mode). Wireless 802.1x, dot1x on trunk ports, and pure MAB-only deployments are out of scope - MAB appears here only as a fallback after 802.1x times out, which is how most real enterprises actually run the configuration.
You will finish this guide with a lab-validated configuration that authenticates a supplicant via PEAP or EAP-TLS, matches an Authorization Policy in ISE, returns a VLAN or downloadable ACL, and transitions the port to the authorized state. For deeper coverage of specific related topics, see the companion articles on MAB configuration and Guest VLAN, Auth-Fail VLAN, and Critical VLAN behavior.
Prerequisites
Before you start clicking or typing, confirm that your versions and licensing line up with the table below. Mixing IOS-XE trains or running an unlicensed ISE deployment will cause the switch to accept the configuration but not behave as expected.
| Component | Minimum Version | Notes |
|---|---|---|
| Cisco ISE | 3.1 Patch 6 (or 3.2/3.3) | Earlier 2.x releases work but the Policy Set UI differs and some screens referenced here will look different. |
| Catalyst Switch | 9200/9300/9400/9500 with IOS-XE 17.6+ | 3650/3850 on IOS-XE 16.12 also work with identical CLI. IOS classic switches use older legacy dot1x syntax - not covered here. |
| ISE License | Essentials (formerly Base) | Essentials covers 802.1x, MAB, and basic authorization. Advantage is only needed for profiling, posture, or TrustSec. |
| Switch License | Network Advantage | Network Essentials supports dot1x, but Advantage is what most enterprises run. |
| Supplicant | Windows Wired AutoConfig service or macOS native supplicant | The Windows "Wired AutoConfig" service is disabled by default - enable it via services.msc or GPO. |
Your topology assumption is simple: the Catalyst switch has IP reachability to the ISE Policy Service Node (PSN) on UDP/1812 (auth), UDP/1813 (accounting), and UDP/1700 (Change of Authorization). NTP must be synchronized between the switch, ISE, and any certificate authorities, otherwise EAP-TLS will fail silently on expired or not-yet-valid timestamps. DNS should resolve ISE's FQDN - you will use the FQDN, not the IP, when generating the EAP certificate.
ISE Configuration
ISE configuration breaks into five ordered steps: add the switch as a Network Device, build or reuse an Identity Source, create an Authorization Profile, assemble the Policy Set, and confirm certificate trust. Do them in this order - skipping ahead means you will hit "RADIUS request rejected" errors before you have anything meaningful to debug.
Step 1: Add the switch as a Network Device
Navigate to Administration > Network Resources > Network Devices and click Add. Fill in the name (use the switch hostname for sanity when reading Live Logs later), the management IP (this must be the source IP the switch uses when sending RADIUS packets - usually the SVI of the management VLAN), and set the device profile to Cisco.
Expand RADIUS Authentication Settings and enter a shared secret (this must match the shared secret configured on the switch exactly - copy-paste, do not retype). Tick the CoA Port box and leave it at the default of 1700, because without CoA enabled you will not be able to push Change of Authorization from ISE, which breaks posture remediation and dynamic re-auth.
Step 2: Configure the Identity Source
For most enterprises, the identity source is Active Directory. Navigate to Administration > Identity Management > External Identity Sources > Active Directory, join ISE to the domain, and verify the join status turns green on every PSN (not just the PAN). Create an Identity Source Sequence under Administration > Identity Management > Identity Source Sequences - order matters here, with AD first and the internal ISE user store as a fallback for service accounts or break-glass users.
Step 3: Create the Authorization Profile
The Authorization Profile is the set of RADIUS attributes ISE returns when an endpoint matches your policy. Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles and click Add. The table below shows the attributes that matter for a typical wired corporate deployment.
| Attribute | Value | Why it matters |
|---|---|---|
| Access Type | ACCESS_ACCEPT | Without this the switch gets a reject even if the rest of the profile is correct. |
| VLAN | Tag ID = 20, Name = CORP_DATA | Drives dynamic VLAN assignment via Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID. |
| DACL Name | PERMIT_ALL_TRAFFIC (or your own) | Downloadable ACL applied to the session; required if you want per-user ACLs without pre-staging them on every switch. |
| Reauthentication Timer | 3600 seconds | Forces fresh authentication hourly, catching credential changes or revoked certificates without waiting for CoA. |
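The profile in the table is just a set of RADIUS attributes, and the shared secret from Step 1 is what lets the switch trust the Access-Accept that carries them. The following is an added worked example, not ISE or IOS-XE code: it encodes the VLAN triplet (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), the DACL as a Cisco AV pair, and Session-Timeout the way ISE sends them, then does what the switch does first on receipt, which is recompute the Response Authenticator with its own copy of the secret. The secret, the Request Authenticator and the hash suffix on the DACL name are constructed values; the AV-pair name format is the one ISE uses for downloadable ACLs.

```python
"""Added example (not ISE or IOS-XE code): what the CORP_VLAN_20_PERMIT_ALL profile
above becomes on the wire, and why the Step 1 shared secret must match byte for byte.
The secret, Request Authenticator and DACL hash suffix are constructed values."""
import hashlib
import os
import struct

# RFC 2865 / RFC 2868 codes and attribute numbers, plus the Cisco VSA layout
ACCESS_ACCEPT = 2
ATTR_VSA, ATTR_SESSION_TIMEOUT = 26, 27
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PGID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6
CISCO_VENDOR, CISCO_AVPAIR = 9, 1


def avp(attr_type, value):
    """One attribute: Type(1) Length(1) Value(<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged(tag, payload):
    """RFC 2868 tag byte (0x01-0x1F) in front of a tunnel attribute payload."""
    return bytes([tag]) + payload


def cisco_avpair(text):
    """Vendor-Specific(26) -> Vendor-Id 9 -> cisco-avpair(1)."""
    return avp(ATTR_VSA, struct.pack("!I", CISCO_VENDOR) + avp(CISCO_AVPAIR, text.encode()))


def authz_profile_attrs(vlan, dacl_name, reauth_seconds):
    """Attributes the Authorization Profile table maps to. The VLAN travels as a
    string inside Tunnel-Private-Group-ID; the -5f4dcc3b suffix mirrors the sample
    show output on this page and stands in for the hash ISE appends to DACL names."""
    return b"".join([
        avp(ATTR_TUNNEL_TYPE, tagged(1, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))),
        avp(ATTR_TUNNEL_MEDIUM, tagged(1, MEDIUM_IEEE_802.to_bytes(3, "big"))),
        avp(ATTR_TUNNEL_PGID, tagged(1, str(vlan).encode())),
        cisco_avpair(f"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-{dacl_name}-5f4dcc3b"),
        avp(ATTR_SESSION_TIMEOUT, struct.pack("!I", reauth_seconds)),
    ])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, attrs, secret):
    """Access-Accept as ISE would emit it for the Access-Request carrying request_auth."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret) + attrs


def switch_accepts(packet, request_auth, secret):
    """First thing the NAD does with a reply: recompute the Response Authenticator
    with *its* copy of the secret. A mismatch is silently discarded, which is why a
    mistyped secret looks like an ISE timeout on the switch rather than a reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, request_auth, packet[20:length], secret)
    return packet[4:20] == expected


def parse_attrs(attrs):
    """Split a TLV run into (type, value) pairs."""
    out, i = [], 0
    while i < len(attrs):
        t, length = attrs[i], attrs[i + 1]
        out.append((t, attrs[i + 2:i + length]))
        i += length
    return out


def split_tag(value):
    """RFC 2868: a first byte above 0x1F is data, not a tag."""
    return (value[0], value[1:]) if value[0] <= 0x1F else (0, value)


def assigned_vlan(packet):
    """VLAN the switch derives from the Tunnel-* triplet, or None if the triplet is
    incomplete, mis-typed or inconsistently tagged (port authorizes, VLAN stays static)."""
    found = {}
    for t, v in parse_attrs(packet[20:]):
        if t in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PGID):
            found[t] = split_tag(v)
    if len(found) != 3 or len({tag for tag, _ in found.values()}) != 1:
        return None
    if int.from_bytes(found[ATTR_TUNNEL_TYPE][1], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(found[ATTR_TUNNEL_MEDIUM][1], "big") != MEDIUM_IEEE_802:
        return None
    return found[ATTR_TUNNEL_PGID][1].decode()


def dacl_name(packet):
    """DACL name the switch will fetch with a follow-up Access-Request, or None."""
    for t, v in parse_attrs(packet[20:]):
        if t == ATTR_VSA and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR:
            for sub_t, sub_v in parse_attrs(v[4:]):
                if sub_t == CISCO_AVPAIR and sub_v.startswith(b"ACS:CiscoSecure-Defined-ACL="):
                    return sub_v.split(b"=", 1)[1].decode()
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed; the real one lives in ISE and the switch
    req_auth = os.urandom(16)                     # Request Authenticator the switch sent
    pkt = build_access_accept(0x42, req_auth,
                              authz_profile_attrs(20, "PERMIT_ALL_TRAFFIC", 3600), secret)
    print("same secret on both sides :", switch_accepts(pkt, req_auth, secret))
    print("secret retyped with a typo:", switch_accepts(pkt, req_auth, b"constructed-shared-secert"))
    print("VLAN", assigned_vlan(pkt), "DACL", dacl_name(pkt))
```

Two things the example makes visible that the GUI hides: the VLAN is carried as a tagged string, so all three tunnel attributes have to be present and share the same tag or the switch leaves the port in its static VLAN, and a secret mismatch is a silent discard on the switch side, which is why it presents as a dead server rather than as a reject in Live Logs.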
Step 4: Build the Policy Set
Navigate to Policy > Policy Sets and create a new Policy Set named Wired_Dot1X. The Policy Set condition is what stops the rules inside from matching wireless or guest traffic. Because the MAB fallback rule below lives in the same Policy Set, the condition must admit both request types: Wired_802.1X OR Wired_MAB. These are built-in compound conditions that check NAS-Port-Type = Ethernet together with Service-Type = Framed (802.1X) or Service-Type = Call Check (MAB). A Policy Set conditioned on Wired_802.1X alone never receives the MAB Access-Request, so a MAB_Fallback rule inside it can never match.
Inside the Policy Set, configure two sub-sections. The Authentication Policy decides which identity store to query based on the EAP method. A minimal working policy is shown below.
| Rule Name | Condition | Allowed Protocols | Identity Source |
|---|---|---|---|
| Dot1X_EAP_TLS | Network Access:EapAuthentication EQUALS EAP-TLS | Default Network Access | Certificate Authentication Profile (CAP) > Active Directory |
| Dot1X_PEAP | Network Access:EapAuthentication EQUALS EAP-MSCHAPv2 | Default Network Access | AD_Sequence (your identity source sequence) |
| MAB_Fallback | Wired_MAB | Default Network Access | Internal Endpoints |
The Authorization Policy is where you map authenticated identities to the Authorization Profile created earlier. A working minimum looks like the rules below, matched top-down.
| Rule Name | Condition | Profile |
|---|---|---|
| Corporate_Users | AD:ExternalGroups EQUALS Domain Users | CORP_VLAN_20_PERMIT_ALL |
| Corporate_Computers | AD:ExternalGroups EQUALS Domain Computers | CORP_VLAN_20_PERMIT_ALL |
| MAB_Printers | IdentityGroup:Name EQUALS Printers | PRINTER_VLAN_30 |
| Default | (catch-all) | DenyAccess |
Step 5: Verify certificate trust
For PEAP, ISE presents its EAP certificate to the supplicant. For the supplicant to trust it, the issuing CA must be in the supplicant's Trusted Root Certification Authorities store. For EAP-TLS, the reverse also matters - ISE must trust the CA that issued the client certificate, so import that root/intermediate into Administration > System > Certificates > Trusted Certificates with the Trust for client authentication checkbox enabled. Skipping this causes the infuriating "EAP-TLS failed SSL/TLS handshake" error that looks like a client issue but is actually ISE not trusting the client cert.
Cisco Switch Configuration
The switch side is where most of the nuance lives, because IOS-XE supports two authentication frameworks: the legacy authentication-style commands (IBNS 1.0) and the newer policy-map-based service-policy style (IBNS 2.0). Cisco recommends IBNS 2.0 on all new deployments - it is more flexible, supports event-driven logic, and is what TAC assumes you are running on 17.x code. The configuration below uses IBNS 2.0.
Global AAA and RADIUS
Start with aaa new-model, then define the RADIUS servers as named servers (not the older radius-server host syntax, which is deprecated). The aaa authentication dot1x list and the aaa authorization network list must reference the same server group: authorization network is what lets the switch apply the VLAN and DACL carried in the Access-Accept, so if it is missing or points at a different group the session authenticates but those attributes are silently ignored.
aaa new-model
radius server ISE-PSN-01
address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
automate-tester username probe-user ignore-acct-port probe-on
key 7 0822455D0A16544541
!
radius server ISE-PSN-02
address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
automate-tester username probe-user ignore-acct-port probe-on
key 7 0822455D0A16544541
!
aaa group server radius ISE_RADIUS
server name ISE-PSN-01
server name ISE-PSN-02
deadtime 15
ip radius source-interface Vlan100
!
aaa authentication dot1x default group ISE_RADIUS
aaa authorization network default group ISE_RADIUS
aaa accounting dot1x default start-stop group ISE_RADIUS
aaa accounting update newinfo periodic 2880
!
aaa server radius dynamic-author
client 10.10.10.11 server-key 7 0822455D0A16544541
client 10.10.10.12 server-key 7 0822455D0A16544541
auth-type any
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
radius-server vsa send authentication
radius-server vsa send accounting
!
dot1x system-auth-control
dot1x critical eapol
authentication critical recovery delay 2000
A few of those lines are easy to skip past but directly cause pain if you omit them. radius-server dead-criteria is what marks a PSN dead; automate-tester is what probes it so it is returned to service cleanly (and, with probe-on, keeps probing while the server is marked alive, so you learn about a failure before a real client does). The probe account does not need to exist in ISE: an Access-Reject counts as a live response. ip radius source-interface must match the IP address you configured in ISE under Network Devices. If it does not, ISE cannot find the NAD, logs 11007 "Could not locate Network Device or AAA Client" in Live Logs and sends no reply, so the switch sees a RADIUS timeout rather than a reject. radius-server attribute 25 access-request include tells the switch to echo the Class attribute from the original Access-Accept in later Access-Requests (reauthentication, DACL download), which ISE needs to tie them to the existing session.
IBNS 2.0 Policy Map and Interface Configuration
IBNS 2.0 uses a policy-map of type control subscriber that reacts to events (session-started, authentication-failure, aaa-available, agent-found) and executes actions (authenticate using a method, authorize, terminate, activate a service-template). The block below runs dot1x first, falls back to MAB when dot1x is rejected or times out because no supplicant answered, restarts the session after a MAB failure, and applies the Critical VLAN through the CRITICAL_AUTH_ACCESS service-template when both PSNs are dead. Auth-Fail and Guest VLAN handling is deliberately left to the companion article. Two things need to be in place first: the switch must be in new-style mode for these commands to be accepted (authentication display new-style), and ACL-CRITICAL-AUTH must already exist as an IP access-list on the switch, because the service-template only references it.
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all MAB
 match method mab
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match authorization-status authorized
 match result-type aaa-timeout
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match authorization-status unauthorized
 match result-type aaa-timeout
!
class-map type control subscriber match-all IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
!
policy-map type control subscriber DOT1X_MAB_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  30 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_ACCESS
   20 authorize
   30 pause reauthentication
  40 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
!
service-template CRITICAL_AUTH_ACCESS
 vlan 999
 access-group ACL-CRITICAL-AUTH
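The part of IBNS 2.0 that trips people up is not the syntax but the evaluation order: one event fires, the classes under it are tested in sequence order against the session's current result, match-first stops at the first hit while match-all runs every hit, and each class's numbered actions run in order. The following is an added model of those semantics, not Cisco code: POLICY encodes the policy-map without a DOT1X_NO_RESP (agent-not-found) class, and with_no_resp_class() adds the one Cisco's template uses, which shows why a printer with no supplicant never reaches MAB without it. The result-type names follow the match result-type keywords; everything else (the Session fields, the action side effects) is a simplification chosen for this model.

```python
"""Added example (not Cisco code): a small model of how IOS-XE evaluates the
policy-map above - one event at a time, classes in sequence order, match-first vs
match-all, and each class's action list. POLICY models the policy without a
DOT1X_NO_RESP class; with_no_resp_class() adds the class Cisco's template uses for
'agent-not-found'. Result-type names follow the match result-type keywords; the
session state and action side effects are simplified for the model."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Session:
    method: str | None = None      # method currently running: "dot1x", "mab" or None
    result: str | None = None      # "authoritative", "agent-not-found", "aaa-timeout" or None
    authorized: bool = False
    templates: set = field(default_factory=set)


# One predicate per class-map; match-all in the class-map means every line must hold.
def dot1x_failed(s):     return s.method == "dot1x" and s.result == "authoritative"
def dot1x_no_resp(s):    return s.method == "dot1x" and s.result == "agent-not-found"
def mab_failed(s):       return s.method == "mab" and s.result == "authoritative"
def svr_down_unauthd(s): return s.result == "aaa-timeout" and not s.authorized
def svr_down_authd(s):   return s.result == "aaa-timeout" and s.authorized
def in_critical(s):      return "CRITICAL_AUTH_ACCESS" in s.templates
def not_in_critical(s):  return not in_critical(s)
def always(s):           return True


POLICY = {
    "session-started": ("match-all", [
        (10, always, ["authenticate using dot1x"])]),
    "authentication-failure": ("match-first", [
        (5,  dot1x_failed,     ["terminate dot1x", "authenticate using mab"]),
        (10, mab_failed,       ["terminate mab", "authentication-restart 60"]),
        (20, svr_down_unauthd, ["activate service-template CRITICAL_AUTH_ACCESS",
                                "authorize", "pause reauthentication"]),
        (30, svr_down_authd,   ["pause reauthentication", "authorize"])]),
    "aaa-available": ("match-all", [
        (10, in_critical,     ["clear-session"]),
        (20, not_in_critical, ["resume reauthentication"])]),
    "agent-found": ("match-all", [
        (10, always, ["terminate mab", "authenticate using dot1x"])]),
}


def with_no_resp_class(policy):
    """Same policy plus 'class DOT1X_NO_RESP' (match result-type method dot1x agent-not-found)."""
    mode, classes = policy["authentication-failure"]
    extra = (7, dot1x_no_resp, ["terminate dot1x", "authenticate using mab"])
    fixed = dict(policy)
    fixed["authentication-failure"] = (mode, sorted(classes + [extra], key=lambda c: c[0]))
    return fixed


def apply(s, action):
    """Side effects of the actions used above (just enough state for the predicates)."""
    if action.startswith("authenticate using "):
        s.method, s.result = action.split()[-1], None
    elif action.startswith("terminate "):
        s.method, s.result = None, None
    elif action.startswith("activate service-template "):
        s.templates.add(action.split()[-1])
    elif action == "authorize":
        s.authorized = True
    elif action == "clear-session":
        s.method, s.result, s.authorized = None, None, False
        s.templates.clear()


def evaluate(policy, event, s):
    """Fire one event. Classes are tested against the session as it was when the event
    arrived; match-first runs only the first matching class, match-all runs each one."""
    mode, classes = policy[event]
    matched = [actions for _seq, pred, actions in classes if pred(s)]
    if mode == "match-first":
        matched = matched[:1]
    fired = []
    for actions in matched:          # do-until-failure: every modelled action succeeds
        for a in actions:
            apply(s, a)
            fired.append(a)
    return fired


def printer_scenario(policy):
    """Endpoint with no supplicant: dot1x times out after tx-period x (max-reauth-req + 1),
    then MAB is rejected because the MAC is not in Internal Endpoints."""
    s = Session()
    evaluate(policy, "session-started", s)
    s.result = "agent-not-found"
    on_timeout = evaluate(policy, "authentication-failure", s)
    on_mab_reject = []
    if s.method == "mab":
        s.result = "authoritative"
        on_mab_reject = evaluate(policy, "authentication-failure", s)
    return on_timeout, on_mab_reject


def server_down_scenario(policy, authorized_before):
    """Both PSNs marked dead mid-session, then one comes back (aaa-available)."""
    s = Session(method="dot1x", result="aaa-timeout", authorized=authorized_before)
    while_down = evaluate(policy, "authentication-failure", s)
    s.result = None
    when_back = evaluate(policy, "aaa-available", s)
    return while_down, when_back


if __name__ == "__main__":
    print("printer, no NO_RESP class:", printer_scenario(POLICY))
    print("printer, with NO_RESP    :", printer_scenario(with_no_resp_class(POLICY)))
    print("ISE down, unauthorized   :", server_down_scenario(POLICY, False))
    print("ISE down, authorized     :", server_down_scenario(POLICY, True))
```

Run it and the first line comes back empty twice: without a class that matches agent-not-found, the dot1x timeout fires authentication-failure but nothing under it matches, so the session never starts MAB. The two server-down scenarios show why there are separate AUTHD and UNAUTHD classes: an already-authorized host keeps its existing authorization and only pauses reauth, while an unauthorized one is parked in the critical template and cleared (forced to re-authenticate properly) when a PSN returns.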
With the policy built, the access port configuration becomes short and predictable. Every 802.1x access port uses the same block below - this is what makes IBNS 2.0 worth the up-front complexity: you never touch the interface again when you change policy, because policy changes happen in the policy-map.
interface GigabitEthernet1/0/1
description 802.1X Access Port
switchport mode access
switchport access vlan 10
switchport voice vlan 110
access-session host-mode multi-auth
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 2
spanning-tree portfast
spanning-tree bpduguard enable
service-policy type control subscriber DOT1X_MAB_POLICY
access-session closed means the port starts in closed mode - no traffic passes until authentication succeeds. For a phased rollout you would use access-session closed only in the final phase, running access-session monitor during early phases so failures are logged but traffic is not blocked. The authentication timer reauthenticate server line tells the switch to use the reauthentication timer ISE sends in the Session-Timeout attribute, which lets you change reauth cadence centrally from ISE without touching switches.
Testing and Verification
Plug a configured supplicant into Gi1/0/1, give it 10 seconds, and then run the commands below. If any of them show unexpected state, skip ahead to the failure scenarios section - do not re-enter configuration blindly.
show dot1x all
This is the global dot1x sanity check. You should see Sysauthcontrol: Enabled and the interface listed with PortControl: Auto. If Sysauthcontrol shows Disabled, you missed dot1x system-auth-control in global config.
switch# show dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 3
Dot1x Info for GigabitEthernet1/0/1
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 7
show authentication sessions
This is the command you will live in. On IBNS 2.0 code its new-style name is show access-session; show authentication sessions still works and prints the same output. It shows every active session on the switch with its identity, method, VLAN, ACL, and state. Use details on a specific interface to see the full attribute list that ISE pushed.
switch# show authentication sessions interface Gi1/0/1 details
Interface: GigabitEthernet1/0/1
IIF-ID: 0x1055802000000A7
MAC Address: 0050.5683.8a5c
IPv4 Address: 10.20.20.55
User-Name: CORP\alice
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s (server), Remaining: 3582s
Common Session ID: 0A141001000000B96A7C3E14
Acct Session ID: 0x000000C4
Handle: 0xA4000089
Current Policy: DOT1X_MAB_POLICY
Server Policies:
Vlan Group: Vlan: 20
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-5f4dcc3b
Method status list:
Method State
dot1x Authc Success
The two lines that tell you it worked are Status: Authorized and Method: dot1x, State: Authc Success. A status of Running means dot1x is still in progress (wait 30 seconds), Unauthorized means it failed, and no session at all means the supplicant never sent EAPOL-Start.
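Once you are checking more than a handful of ports, you want those same checks applied mechanically to the details output. The following is an added example, not Cisco tooling: it parses the output above into a dict (SAMPLE_OK is the page's output embedded as text; SAMPLE_PRINTER is a constructed MAB session that ended up in the data VLAN) and applies the checks this section describes against what the ISE Authorization Profile is supposed to return. The field names are the ones in the sample; real output pads them with whitespace, which the regexes tolerate.

```python
"""Added example (not Cisco tooling): parse 'show authentication sessions interface ...
details' output into a dict and run the per-port checks described above. SAMPLE_OK is
the page's output embedded as text; SAMPLE_PRINTER is a constructed MAB session that
landed in the wrong VLAN. Expected values come from the ISE Authorization Profile."""
import re

SAMPLE_OK = r"""
Interface: GigabitEthernet1/0/1
IIF-ID: 0x1055802000000A7
MAC Address: 0050.5683.8a5c
IPv4 Address: 10.20.20.55
User-Name: CORP\alice
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s (server), Remaining: 3582s
Common Session ID: 0A141001000000B96A7C3E14
Acct Session ID: 0x000000C4
Handle: 0xA4000089
Current Policy: DOT1X_MAB_POLICY
Server Policies:
Vlan Group: Vlan: 20
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-5f4dcc3b
Method status list:
Method State
dot1x Authc Success
"""

# Constructed: a printer that fell back to MAB and was authorized into VLAN 20, not 30.
SAMPLE_PRINTER = r"""
Interface: GigabitEthernet1/0/2
MAC Address: 0050.5683.aa01
IPv4 Address: 10.20.20.77
User-Name: 00-50-56-83-aa-01
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s (server), Remaining: 3599s
Current Policy: DOT1X_MAB_POLICY
Server Policies:
Vlan Group: Vlan: 20
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""

KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?):\s+(\S.*?)\s*$")
METHOD = re.compile(r"^\s*(dot1x|mab|webauth)\s+(\S.*?)\s*$")


def parse_session(text):
    """Flatten the output into {field: value} plus derived vlan/dacl/reauth/methods."""
    s = {"methods": {}}
    for line in text.splitlines():
        m = METHOD.match(line)
        if m:
            s["methods"][m.group(1)] = m.group(2)
            continue
        m = KV.match(line)
        if m:
            s[m.group(1)] = m.group(2)
    m = re.search(r"Vlan:\s*(\d+)", s.get("Vlan Group", ""))
    s["vlan"] = int(m.group(1)) if m else None
    m = re.match(r"xACSACLx-IP-(.+)-[0-9a-f]+$", s.get("ACS ACL", ""))
    s["dacl"] = m.group(1) if m else None
    m = re.match(r"(\d+)s \((server|local)\)", s.get("Session timeout", ""))
    s["reauth"] = (int(m.group(1)), m.group(2)) if m else None
    return s


def check_session(s, expect_vlan, expect_dacl, expect_method, policy="DOT1X_MAB_POLICY"):
    """Return a list of findings; an empty list is the state the text calls 'it worked'."""
    findings = []
    status = s.get("Status")
    if status == "Running":
        findings.append("status Running: exchange not finished, re-check in 30s")
    elif status != "Authorized":
        findings.append(f"status {status!r}: read the failure reason in ISE Live Logs")
    state = s["methods"].get(expect_method)
    if state != "Authc Success":
        findings.append(f"{expect_method} state {state!r}, expected 'Authc Success'")
    if s.get("Current Policy") != policy:
        findings.append(f"policy {s.get('Current Policy')!r}: service-policy missing on the port")
    if s["vlan"] != expect_vlan:
        findings.append(f"VLAN {s['vlan']} assigned, expected {expect_vlan}: wrong "
                        "authorization rule matched or VLAN not defined on the switch")
    if expect_dacl is not None and s["dacl"] != expect_dacl:
        findings.append(f"DACL {s['dacl']!r}, expected {expect_dacl!r}: not returned or not downloaded")
    if s["reauth"] is None or s["reauth"][1] != "server":
        findings.append("reauth timer not server-supplied: check 'authentication timer reauthenticate server'")
    return findings


if __name__ == "__main__":
    print(check_session(parse_session(SAMPLE_OK), 20, "PERMIT_ALL_TRAFFIC", "dot1x"))
    print(check_session(parse_session(SAMPLE_PRINTER), 30, None, "mab"))
```

The printer case is the one worth noticing: Status is Authorized and mab reports Authc Success, so a quick eyeball says it worked, but the VLAN check catches that the MAB_Printers rule did not match and the endpoint was authorized by a rule meant for corporate devices.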
debug dot1x and debug radius
When a session fails silently, turn on targeted debugs. Be careful with debug radius authentication on production - it is verbose. Always pair it with debug condition interface Gi1/0/1 to limit output to a single port.
switch# debug condition interface GigabitEthernet1/0/1
switch# debug dot1x events
switch# debug dot1x errors
switch# debug radius authentication
switch# terminal monitor
Run your test, then undebug all immediately. In the debug output you are looking for RADIUS: Received from id ... Access-Accept (success) or Access-Reject (check ISE Live Logs for the reason), and for dot1x you want to see EAP-Request/Identity and EAP-Response/Identity in both directions.
ISE Live Logs
On the ISE side, navigate to Operations > RADIUS > Live Logs. Every authentication attempt, successful or failed, shows up here within 5 seconds. Click the magnifying glass on any row to see the full attribute dump, the Authentication Policy that matched, the Authorization Profile that was selected, and the reason for failure if it failed. Live Logs are the single most useful troubleshooting surface in ISE - most problems reveal themselves as an obvious "Identity not found" or "Authentication method not allowed" entry in the failure reason field.
Common Failure Scenarios and Fixes
The table below is the short list of failure modes you will hit, in descending order of frequency. Work it top-down - most "802.1x is broken" tickets are one of the first three.
| Symptom | Likely Cause | Fix |
|---|---|---|
| No session appears on the switch at all | Supplicant not sending EAPOL-Start, or Windows Wired AutoConfig service not running | On the client: Get-Service dot3svc - should be Running. Start it via GPO or manually. |
| show aaa servers shows state DEAD | Switch cannot reach ISE on 1812/1813, or shared secret mismatch, or NAD IP mismatch | Verify IP reachability, then confirm shared secret character-by-character, then confirm the switch's source IP matches the IP configured in ISE Network Devices. |
| ISE Live Logs show 5440 Endpoint abandoned EAP session | Supplicant dropped mid-handshake, usually certificate trust issue | On the client, install the ISE EAP certificate's issuing CA into Trusted Root. For EAP-TLS, verify the client cert has Client Authentication EKU. |
| ISE Live Logs show 22056 Subject not found in the applicable identity store | Username not in AD, or Identity Source Sequence pointed at the wrong store, or AD join is unhealthy | Confirm the username exists in AD with net user /domain, check ISE AD join status, verify the Authentication Policy's identity source selection. |
| Port authorizes but ends up in the wrong VLAN | Authorization Profile VLAN attribute is a name that does not exist on the switch, or a different policy is matching first | Use show authentication sessions ... details to see which Authorization Profile was returned. If it is wrong, fix the policy order in ISE. If it is right but the VLAN is wrong, ensure switchport access vlan matches what ISE returns (or create the VLAN on the switch). |
| EAP-TLS fails with 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain, or 12520 EAP-TLS failed SSL/TLS handshake after a client alert | 12514: ISE does not trust the client certificate's issuing CA. 12520: the client aborted the handshake, usually because it does not trust ISE's EAP certificate. In either case the Certificate Authentication Profile may also be matching on a field the client cert does not carry | Import the client CA (root and intermediates) into ISE's Trusted Certificates with Trust for client authentication enabled; push the CA that issued ISE's EAP certificate to the client's Trusted Root store. Verify the Certificate Authentication Profile matches on the field the client cert actually carries (SAN, CN, or identity). |
| Port stuck in Running state for 30+ seconds | Supplicant configured for an EAP method that ISE is not offering, or a certificate issue stalls the TLS tunnel | Match the Allowed Protocols in ISE's Authentication Policy to the supplicant's configured EAP method. On a Windows client, netsh lan show interfaces shows the wired 802.1X state of each adapter and netsh lan show profiles shows which EAP method the wired profile is configured for. |
| MAB fallback takes 90+ seconds | Default dot1x timeout tx-period is 30 seconds, and the policy retries 3 times before failing to MAB | Set dot1x timeout tx-period 7 and dot1x max-reauth-req 2 at the interface. 802.1x will now fail over to MAB in about 21 seconds total. |
Key Takeaways
A working Cisco ISE 802.1x wired configuration is the intersection of three independently-correct pieces: a supplicant that sends EAPOL, a switch with matching AAA method lists and an IBNS 2.0 policy-map, and an ISE Policy Set that authenticates against a reachable identity store and returns a valid Authorization Profile. If any of the three is wrong, the other two will appear to be working.
Use IBNS 2.0 (policy-map type control subscriber) on every new deployment - the legacy authentication commands still work but Cisco has deprecated them and TAC will push you to IBNS 2.0 on any case you open. Always enable automate-tester on your RADIUS servers so dead-server detection works cleanly, and always configure CoA (aaa server radius dynamic-author) because you will need it the moment you try to add posture, profiling, or any runtime policy change.
When you deploy this for real, ramp in phases. Start with access-session monitor so failures log without blocking traffic, let ISE Live Logs tell you which endpoints are not ready, fix or exempt them, then flip to access-session closed. Combine this guide with the companion articles on MAB fallback, Guest, Auth-Fail, and Critical VLANs, and show authentication sessions troubleshooting for the edge cases this guide intentionally leaves to dedicated references.