RADIUS in the 802.1X Architecture
In an 802.1X deployment, RADIUS sits between the authenticator (Cisco Catalyst 9300) and the authentication server (Cisco ISE 3.2). The switch is the RADIUS client; ISE is the RADIUS server. The RADIUS exchange carries the EAP authentication conversation — relayed from the EAPOL segment — and returns the access decision along with policy attributes.
RADIUS is defined in RFC 2865 (authentication and authorization) and RFC 2866 (accounting); the EAP carriage used by 802.1X is specified in RFC 3579. It operates over UDP: port 1812 for authentication and authorization, port 1813 for accounting (ISE also listens on the legacy 1645/1646 pair, so a switch configured with the old ports still works, but mixing the two conventions is a common source of confusion in firewall rules). The UDP choice has implications: RADIUS handles its own retransmission logic at the application layer, every packet must be individually authenticated because there is no connection to bind it to, and there is no TCP connection state to maintain between exchanges.
Understanding RADIUS is critical for 802.1X operations because most authentication failures manifest in the RADIUS exchange. EAPOL issues are local to the port; RADIUS issues cross the network to ISE. These require different troubleshooting approaches.
RADIUS Packet Types
RADIUS uses a simple set of packet types (the Code field in the RADIUS header):
Access-Request (Code 1): Sent by the switch to ISE. Contains the supplicant's identity and EAP payload. For 802.1X, the switch strips the EAPOL header from the frame received from the endpoint and carries the EAP packet inside it in one or more RADIUS EAP-Message attributes.
Access-Challenge (Code 11): Sent by ISE to the switch when more information is needed — specifically, when the EAP exchange requires multiple round trips (which it always does for PEAP and EAP-TLS). ISE sends an Access-Challenge containing the next EAP message (server's TLS record, MSCHAPv2 challenge, etc.). The switch unwraps it, sends it to the endpoint as EAPOL, receives the response, and sends a new Access-Request back to ISE.
Access-Accept (Code 2): Sent by ISE when authentication succeeds. Contains the access decision and policy attributes — VLAN, dACL, SGT, session timeout. The switch reads these attributes and applies them to the port.
Access-Reject (Code 3): Sent by ISE when authentication fails — wrong credentials, invalid certificate, policy denial. The switch receives this and sends EAPOL-Failure to the endpoint. The port stays unauthorized (or transitions to Auth-Fail VLAN if configured).
Accounting-Request (Code 4): Sent by the switch to ISE's accounting port (1813). Reports session start, interim updates, and session stop events. Interim and Stop records carry session statistics: bytes and packets transferred, session duration, and (on Stop) the disconnect reason.
Accounting-Response (Code 5): Sent by ISE to acknowledge an Accounting-Request.
For a standard PEAP authentication, the exchange is: multiple Access-Request / Access-Challenge pairs (one per EAP round trip), followed by a final Access-Accept or Access-Reject.
RADIUS Packet Structure
Every RADIUS packet has the same header structure:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                    Authenticator (16 bytes)                   |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code: Packet type (1=Access-Request, 2=Access-Accept, etc.)
Identifier: Matches requests to responses. ISE echoes the Identifier from the Access-Request in its response.
Length: Total length of the RADIUS packet in bytes, header included (minimum 20, maximum 4096). A receiver silently discards a packet whose Length does not match what arrived.
Authenticator: 16-byte field. In an Access-Request it is a random value (the Request Authenticator), which must be unpredictable and unique per request. In Access-Accept, Access-Reject and Access-Challenge it is the Response Authenticator: MD5 over Code, Identifier, Length, the Request Authenticator of the request being answered, the response attributes, and the shared secret. That lets the switch check that a response came from a holder of the secret and answers the request it actually sent. It is not encryption: the packet travels in the clear, and the only field RADIUS obscures is User-Password (each 16-byte block XORed with MD5 of shared secret + Request Authenticator, chained through the previous ciphertext block). User-Password does not appear in an 802.1X exchange at all; the EAP payload is as private as the EAP method makes it (PEAP and EAP-TLS wrap the inner conversation in TLS), and per-packet integrity of the Access-Request itself comes from the Message-Authenticator attribute described below, not from the Authenticator field.
The Authenticator construction is also why the RADIUS shared secret is security-critical: anyone who knows it can forge responses, and anyone who can capture traffic can attempt to brute-force a weak secret offline from a single request/response pair. The construction is MD5-based and shows its age; the 2024 Blast-RADIUS attack (CVE-2024-3596) turns an Access-Reject into an Access-Accept using an MD5 chosen-prefix collision when the Access-Request carries no Message-Authenticator. Current practice is therefore to require Message-Authenticator on every packet and to keep RADIUS off untrusted paths: a dedicated management network, IPsec, or RADIUS/TLS (RadSec, RFC 6614).
Attributes: The remainder of the packet is a list of Type-Length-Value (TLV) encoded attributes.
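To make the header, the two Authenticator rules and the Message-Authenticator check concrete, here is an added Python example (not code from the article, and not how ISE or IOS XE implement it internally). It builds an Access-Request the way the switch does for an EAP Response/Identity, verifies it the way ISE does, then builds and verifies the matching Access-Accept. The identity "alice", the EAP packets and the Request Authenticator are constructed for the example; 10.0.99.1 is the NAS IP and ISEsecret123 the shared secret the article uses. A real Access-Accept carrying EAP-Message also carries a Message-Authenticator (computed over the Request Authenticator); that part is omitted here.

```python
import hashlib
import hmac
import os
import struct

# Added example, not code from the article. Sample values are constructed;
# ISEsecret123 is the lab secret the article names (any bytes work as the secret).
SECRET = b"ISEsecret123"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 4, 79, 80


def attr(atype, value):
    """One TLV: Type(1) Length(1) Value. Length counts its own 2 header bytes, so value <= 253."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes; split it like EAP-Message")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_message_attrs(eap_packet):
    """Chunk an EAP packet into consecutive EAP-Message (79) attributes (RFC 3579)."""
    return b"".join(attr(EAP_MESSAGE, eap_packet[i:i + 253]) for i in range(0, len(eap_packet), 253))


def tlvs(data):
    """Walk the attribute list, rejecting a Length that runs past the end of the packet."""
    i = 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, data[i + 2:i + alen]
        i += alen


def header(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password, request_auth, secret):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block),
    the first 'previous block' being the Request Authenticator. Not used by 802.1X/EAP."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def build_access_request(ident, request_auth, attrs, secret):
    """Append Message-Authenticator (80): HMAC-MD5 keyed with the secret over the whole
    packet, computed with the attribute's own 16 bytes set to zero (RFC 3579 3.2)."""
    zeroed = header(ACCESS_REQUEST, ident, request_auth, attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header(ACCESS_REQUEST, ident, request_auth, attrs + attr(MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(pkt, secret):
    """The server-side check: recompute with the field zeroed, compare in constant time.
    Wrong secret, tampering, or a missing attribute all mean 'discard without replying'."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        return False
    attrs = list(tlvs(pkt[20:]))
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    zeroed = b"".join(attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, pkt[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received[0])


def build_response(code, request_pkt, attrs, secret):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", code, request_pkt[1], 20 + len(attrs))
    return head + hashlib.md5(head + request_pkt[4:20] + attrs + secret).digest() + attrs


def verify_response(response_pkt, request_pkt, secret):
    """Client-side check on Accept/Reject/Challenge: same Identifier, and the Response
    Authenticator must chain to the Request Authenticator this client sent."""
    if response_pkt[1] != request_pkt[1]:
        return False
    expected = hashlib.md5(response_pkt[:4] + request_pkt[4:20] + response_pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, response_pkt[4:20])


def sample_exchange(secret=SECRET):
    """Constructed EAP Response/Identity 'alice' as the switch would relay it, plus the
    Access-Accept carrying EAP-Success that ISE would return at the end of the conversation."""
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"alice"   # Code=Response Id=1 Len=10 Type=Identity
    request = build_access_request(
        7, os.urandom(16),
        attr(USER_NAME, b"alice") + attr(NAS_IP_ADDRESS, bytes([10, 0, 99, 1])) + eap_message_attrs(eap_identity),
        secret)
    eap_success = bytes([3, 1, 0, 4])                      # Code=Success Id=1 Len=4
    return request, build_response(ACCESS_ACCEPT, request, eap_message_attrs(eap_success), secret)
```

Feed `sample_exchange()` through `verify_message_authenticator` with the right and a wrong secret to see the discard rule from the switch's perspective: with the wrong secret nothing is wrong with the packet bytes, the check simply fails, which is exactly why a mismatched secret looks like an unreachable server.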
RADIUS Attributes in 802.1X
RADIUS attributes carry all meaningful data — the username, the EAP payload, the returned policy. Each attribute is encoded as:
- Type (1 byte): Attribute number (1-255; 26 is Vendor-Specific, whose value starts with a 4-byte Vendor-Id followed by the vendor's own type/length/value)
- Length (1 byte): Total length of this TLV including the Type and Length bytes themselves, so a single value is at most 253 bytes
- Value: Attribute-specific data (text, a 32-bit integer, an IPv4 address, or opaque bytes, depending on the attribute)
Key Attributes in Access-Request (Switch → ISE)
Attribute 1 — User-Name: The outer identity from the EAPOL-Response/Identity. For PEAP this is whatever the supplicant sends in the clear: the real username by default, or an anonymous outer identity if the supplicant is configured for identity privacy, in which case the real identity is sent inside the TLS tunnel and ISE reports it separately. For MAB, this is the MAC address.
Attribute 4 — NAS-IP-Address: The switch's IP address as a RADIUS client. This is typically the management interface IP — 10.0.99.1 in this lab. ISE uses this to identify which network device is sending the request and apply the correct network device policy.
Attribute 5 — NAS-Port: The physical port number. ISE can use this in policy conditions, though NAS-Port-Id (Attribute 87) is more human-readable.
Attribute 6 — Service-Type: For 802.1X, this is typically Framed (2). For MAB, it's Call-Check (10); ISE uses this together with a User-Name equal to the Calling-Station-Id to recognise a request as MAB rather than 802.1X.
Attribute 61 — NAS-Port-Type: Ethernet (15) for wired 802.1X.
Attribute 79 — EAP-Message: Contains the EAP payload from the EAPOL exchange, chunked into 253-byte segments if needed. Multiple EAP-Message attributes in a single RADIUS packet are concatenated in order.
Attribute 80 — Message-Authenticator: HMAC-MD5 over the entire RADIUS packet, keyed with the shared secret and computed with this attribute's own 16-byte value set to zero (RFC 3579). Required in every RADIUS packet that contains EAP-Message. If it is missing or does not verify, ISE discards the packet without responding. A Message-Authenticator that fails to verify, most often because of a shared secret mismatch, is a common cause of RADIUS request drops.
Attribute 87 — NAS-Port-Id: Human-readable port identifier, e.g., GigabitEthernet1/0/1. ISE uses this in Live Logs for easy identification of the source port.
Key Attributes in Access-Accept (ISE → Switch)
Attribute 79 — EAP-Message: The final EAP-Success message, confirming to the switch that it should send EAPOL-Success to the endpoint.
Attribute 80 — Message-Authenticator: Same integrity-protection as in Access-Request. Required in Access-Accept.
VLAN Assignment — Three attributes together:
Attribute 64 — Tunnel-Type: VLAN (13)
Attribute 65 — Tunnel-Medium-Type: 802 (6)
Attribute 81 — Tunnel-Private-Group-ID: "10". The value is always a string: either the VLAN ID or a VLAN name that exists on the switch. All three tunnel attributes may carry an optional leading Tag byte (RFC 2868, values 0x01-0x1F); when present it must be the same on all three, otherwise the switch does not treat them as one set.
These three attributes, when present together in an Access-Accept, instruct the switch to assign the port to VLAN 10 (Data VLAN in this lab). The switch reads these and issues the VLAN assignment without bouncing the port. VLAN assignment configuration and troubleshooting are covered in Article 14: Dynamic VLAN Assignment with 802.1X and Cisco ISE and Article 23: Dynamic VLAN Assignment Not Working in 802.1X: Troubleshooting Guide.
Downloadable ACL — Cisco VSA:
Attribute 26 (Vendor-Specific) — Vendor ID 9 (Cisco), vendor type 1 (cisco-av-pair)
Cisco-AVPair: ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<dACL name>-<hash>
This is a reference, not the ACL itself. When the switch sees it, it sends a second Access-Request whose User-Name is the #ACSACL# string, and ISE answers with the ACL contents as one cisco-av-pair per entry:
Cisco-AVPair: ip:inacl#1=permit ip any any
The same ip:inacl#N= av-pair form can also be returned directly in the first Access-Accept (a per-user ACL); the switch then applies the entries without the second download step.
Or, ISE returns a named ACL reference:
Attribute 11 — Filter-Id: "PERMIT_DATA_VLAN_ONLY.in"
The Filter-Id reference requires the ACL to be pre-defined on the switch (the .in suffix selects the inbound direction). The dACL approach keeps the ACL contents in ISE and downloads them dynamically, so the switch needs no local ACL definition. dACL configuration and troubleshooting are in Article 16: Downloadable ACLs (dACLs) with Cisco ISE and 802.1X and Article 24: dACL Not Applying Correctly in 802.1X.
Session Timeout:
Attribute 27 — Session-Timeout: 3600
Attribute 29 — Termination-Action: RADIUS-Request (1)
These instruct the switch to re-authenticate the session after 3600 seconds (1 hour) and send a new Access-Request to ISE at that point, rather than tearing the session down, which is what Termination-Action Default (0) would do. The re-authentication is transparent to the user as long as the supplicant can still present valid credentials.
Class Attribute:
Attribute 25 — Class: [ISE session identifier string]
ISE includes this to correlate the authentication event with subsequent accounting records. The switch echoes the Class attribute in Accounting-Requests.
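The policy attributes above are easy to read in ISE's UI but take some care to interpret on the wire, particularly the tag byte on the tunnel triple and the Cisco VSA wrapping. The following is an added Python example, not code from the article, ISE or IOS XE: it decodes an Access-Accept attribute list into the policy a switch would apply, insisting that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID share a tag before accepting a VLAN, and separating a dACL reference from inline ACL entries. The sample attribute list is constructed (the #ACSACL# hash suffix and the Class value are made up); attribute numbers are those from RFC 2865/2868.

```python
import struct

# Added example, not code from the article. Attribute numbers: RFC 2865 / RFC 2868.
FILTER_ID, CLASS, VENDOR_SPECIFIC, SESSION_TIMEOUT, TERMINATION_ACTION = 11, 25, 26, 27, 29
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
VLAN, IEEE_802 = 13, 6          # Tunnel-Type and Tunnel-Medium-Type values the switch expects


def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text):
    """Vendor-Specific (26): 4-byte Vendor-Id, then a vendor TLV with type 1 = cisco-av-pair."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text))


def tlvs(data):
    i = 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, data[i + 2:i + alen]
        i += alen


def untag(value):
    """RFC 2868: a leading byte in 0x00-0x1F is a Tag grouping tunnel attributes;
    anything higher is data, so the string "10" (0x31 0x30) is untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def decode_policy(attrs):
    """Turn an Access-Accept attribute list into the policy the switch would apply."""
    policy = {"avpairs": [], "tunnels": {}}
    for atype, value in tlvs(attrs):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = untag(value)
            group = policy["tunnels"].setdefault(tag, {})
            if atype == TUNNEL_PRIVATE_GROUP_ID:
                group["vlan"] = body.decode("ascii")          # VLAN ID or name, always a string
            else:
                group[atype] = int.from_bytes(body, "big")    # 3-byte integer after the tag
        elif atype == VENDOR_SPECIFIC and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            policy["avpairs"] += [v.decode("ascii") for t, v in tlvs(value[4:]) if t == CISCO_AVPAIR]
        elif atype == FILTER_ID:
            policy["filter_id"] = value.decode("ascii")
        elif atype == SESSION_TIMEOUT:
            policy["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == TERMINATION_ACTION:
            policy["termination_action"] = struct.unpack("!I", value)[0]
        elif atype == CLASS:
            policy["class"] = value                           # opaque; echoed in Accounting-Requests
    # A VLAN is assigned only when all three tunnel attributes share a tag and say VLAN over 802.
    for group in policy["tunnels"].values():
        if group.get(TUNNEL_TYPE) == VLAN and group.get(TUNNEL_MEDIUM_TYPE) == IEEE_802 and "vlan" in group:
            policy["vlan"] = group["vlan"]
    # A dACL arrives as a reference the switch must download; per-user ACEs arrive inline.
    policy["dacl_ref"] = next((p.split("=", 1)[1] for p in policy["avpairs"]
                               if p.startswith("ACS:CiscoSecure-Defined-ACL=")), None)
    policy["inline_aces"] = [p.split("=", 1)[1] for p in policy["avpairs"] if p.startswith("ip:inacl#")]
    return policy


# Constructed sample: roughly what ISE returns for the lab's Data VLAN policy (hash suffix made up).
SAMPLE_ACCEPT_ATTRS = (
    attr(TUNNEL_TYPE, b"\x01" + VLAN.to_bytes(3, "big"))
    + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + IEEE_802.to_bytes(3, "big"))
    + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10")
    + cisco_avpair(b"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_DATA_VLAN_ONLY-5f1e2d3c")
    + attr(SESSION_TIMEOUT, struct.pack("!I", 3600))
    + attr(TERMINATION_ACTION, struct.pack("!I", 1))
    + attr(CLASS, b"CACS:constructed-session-id")
)
```

`decode_policy(SAMPLE_ACCEPT_ATTRS)` yields VLAN "10", the dACL reference, a 3600-second Session-Timeout and Termination-Action 1; feed it a triple whose tags disagree and the "vlan" key simply never appears, which is the wire-level version of the "VLAN not assigned" symptom the troubleshooting articles cover.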
The RADIUS Shared Secret
The shared secret authenticates RADIUS exchanges (Response Authenticator and Message-Authenticator) and protects the User-Password attribute. In this lab: ISEsecret123. In production, the shared secret must be:
- At least 22 characters
- Randomly generated (not dictionary words), since a weak secret can be brute-forced offline from one captured request/response pair
- Different for each network device or device group, so a compromised switch does not expose the secret used by every other device
- Stored in ISE's Network Device definition and the switch's radius server configuration
A shared secret mismatch produces no authentication: the Message-Authenticator on the Access-Request fails to verify, ISE drops the request without replying (ISE does record the drop in Live Logs, typically as 11036 The Message-Authenticator RADIUS attribute is invalid), and the switch only sees timeouts. From the switch's perspective, the RADIUS server is unreachable. This is one of the most common initial configuration errors. RADIUS unreachability diagnosis is covered in Article 22: RADIUS Server Unreachable in 802.1X: Causes and Fixes.
Configuring the RADIUS Server on the Catalyst 9300
On IOS XE 17.9.x, RADIUS server configuration for 802.1X uses the named RADIUS server model:
! AAA must be enabled before any server group can be defined
aaa new-model
!
! Define the ISE server
radius server ISE-PRIMARY
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ISEsecret123
 timeout 5
 retransmit 3
!
! Associate the server with a RADIUS server group and pin the source interface
aaa group server radius ISE-GROUP
 server name ISE-PRIMARY
 ip radius source-interface Vlan99
!
! Mark the server dead after 5 seconds x 3 tries without a response; keep it dead 10 minutes
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! Configure AAA for 802.1X
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
Key elements:
- radius server ISE-PRIMARY — Named server definition. Named servers are the preferred approach in IOS XE, replacing the older radius-server host syntax.
- address ipv4 10.0.0.10 auth-port 1812 acct-port 1813 — ISE's IP and ports.
- key ISEsecret123 — Shared secret. Must match exactly in ISE's network device definition.
- timeout 5 — Wait 5 seconds for a RADIUS response before retransmitting. Tune based on network latency to ISE; over a WAN, you may need 10-15 seconds.
- retransmit 3 — Resend an unanswered request up to 3 times (4 attempts in total) before giving up on it. Retransmit alone does not mark the server dead; that is decided by radius-server dead-criteria (time and tries), and the server stays dead for radius-server deadtime before being retried.
- ip radius source-interface Vlan99 — Forces RADIUS packets to use the management VLAN interface. ISE must have this IP (10.0.99.1) defined as the network device's IP. Without this, RADIUS packets may use a different source IP, causing ISE to reject them as unauthorized clients.
Verifying RADIUS Communication
SW1# show aaa servers
RADIUS: id 1, priority 1, host 10.0.0.10, auth-port 1812, acct-port 1813
State: current UP, duration 86400s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 86400s, previous duration 0s
Platform State from WNCD: current UP, duration 86400s, previous duration 0s
Quarantined: No
Authen: request 247, timeouts 2, failover 0, retransmission 3
Response: accept 198, reject 12, challenge 856
Response: unexpected 0, server-error 0, incorrect 0, time 18ms
Transaction: success 210, failure 14
Throttled: transaction 0, timeout 0, failures 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Account: request 892, timeouts 8, failover 0, retransmission 0
Request: start 410, interim 72, stop 410
Response: start 410, interim 72, stop 410
This output shows:
- State: current UP — ISE is reachable and responding
- Authen: request 247 — 247 authentication requests sent to ISE
- Authen: timeouts 2, retransmission 3 — a handful is normal; a climbing timeout count while the server is still UP points at packet loss on the path or an ISE that is slow to answer
- Response: accept 198, reject 12, challenge 856 — 198 successes, 12 rejections, 856 challenge responses (challenges are the intermediate PEAP/EAP-TLS round trips; high challenge counts are expected and normal)
- Response: time 18ms — Average response time. Spikes above 100ms in a LAN environment warrant investigation.
- Account: request 892 — Accounting messages sent; the start/interim/stop counts should be balanced, and the Request and Response lines should match each other
RADIUS Accounting in 802.1X
Accounting provides the audit trail and enables ISE features that depend on session awareness (CoA, posture, profiling). The switch sends:
Accounting-Start: When a session transitions to authorized. Contains NAS-IP-Address, NAS-Port-Id, User-Name, Calling-Station-Id (endpoint MAC), Acct-Session-Id, and the Class attribute echoed from the Access-Accept.
Accounting-Interim-Update: Periodic updates during the session. The interval is set with aaa accounting update newinfo periodic <minutes>. The default is disabled; 15-30 minutes is typical in production. Interim updates allow ISE to refresh session data (byte counts, IP address learned after the session started) without waiting for session end.
Accounting-Stop: When a session ends — port link down, administrative clear, re-authentication, or CoA terminate. Contains byte counts, session duration, and Acct-Terminate-Cause (reason for session end).
ISE displays this data at Operations > RADIUS > Live Sessions (active) and Operations > RADIUS > Live Logs (historical, with filtering by MAC, username, NAS IP, etc.).
RADIUS CoA: Changing Policy After Authentication
RFC 5176 defines RADIUS Dynamic Authorization — the mechanism ISE uses to push changes to already-authenticated sessions. This is commonly called CoA (Change of Authorization).
ISE initiates CoA by sending a RADIUS Disconnect-Request (Code 40) or CoA-Request (Code 43) to the switch; the switch answers with an ACK (41 or 44) or a NAK (42 or 45, with an Error-Cause attribute). The switch must be configured to accept these:
aaa server radius dynamic-author
 client 10.0.0.10 server-key ISEsecret123
 port 3799
 auth-type any
The client statement authorizes ISE (10.0.0.10) to send CoA to this switch; requests from any other source are dropped. The shared secret must match, since the Request Authenticator on a CoA packet is an MD5 hash keyed on it rather than a random value. Port 3799 is the standard CoA port (RFC 5176). auth-type any lets the switch match the target session on any of the identifying attributes ISE includes (Acct-Session-Id, Calling-Station-Id, and so on) rather than requiring a specific combination.
CoA allows ISE to:
- Push a new VLAN assignment (re-authorize)
- Apply a new dACL (re-authorize)
- Terminate the session entirely (Disconnect-Request)
CoA is used heavily in posture workflows (grant limited access initially, upgrade to full access after posture completes) and in security response scenarios (terminate session of a compromised endpoint). Full CoA configuration is in Article 19: Change of Authorization (CoA) in 802.1X: How It Works and How to Configure It.
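Because CoA packets flow in the opposite direction to everything else on this page (ISE is the client, the switch is the server), their Authenticator rule is different from the Access-Request rule and is worth seeing in code. The following is an added Python example, not code from the article, ISE or IOS XE: it builds a Disconnect-Request and a Cisco reauthentication CoA-Request with the RFC 5176 Request Authenticator, and models what the switch does under aaa server radius dynamic-author: drop on a wrong server-key, NAK with Error-Cause 503 (Session Context Not Found) for an unknown session, ACK otherwise. The session IDs and MAC are constructed; ISEsecret123 is the lab server-key. The optional Message-Authenticator attribute is omitted here.

```python
import hashlib
import hmac
import struct

# Added example, not code from the article or from Cisco/ISE. Session values are constructed.
SERVER_KEY = b"ISEsecret123"
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
VENDOR_SPECIFIC, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 26, 31, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503                    # RFC 5176 Error-Cause value
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text))


def tlvs(data):
    i = 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, data[i + 2:i + alen]
        i += alen


def build_request(code, ident, attrs, key):
    """RFC 5176 2.3: the Request Authenticator of a CoA/Disconnect-Request is
    MD5(Code | ID | Length | 16 zero octets | Attributes | server-key), not a random value."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + b"\x00" * 16 + attrs + key).digest() + attrs


def verify_request(pkt, key):
    """What the switch does for a client listed under 'aaa server radius dynamic-author'."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + key).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def build_response(code, request_pkt, attrs, key):
    """ACK/NAK authenticator chains to the request: MD5(Code|ID|Length|RequestAuth|Attrs|key)."""
    head = struct.pack("!BBH", code, request_pkt[1], 20 + len(attrs))
    return head + hashlib.md5(head + request_pkt[4:20] + attrs + key).digest() + attrs


def verify_response(response_pkt, request_pkt, key):
    """ISE's check on the ACK/NAK: same Identifier and an authenticator tied to its own request."""
    if response_pkt[1] != request_pkt[1]:
        return False
    expected = hashlib.md5(response_pkt[:4] + request_pkt[4:20] + response_pkt[20:] + key).digest()
    return hmac.compare_digest(expected, response_pkt[4:20])


def disconnect_request(ident, acct_session_id, mac, key=SERVER_KEY):
    """Terminate a session, identified the way ISE does it: Acct-Session-Id plus endpoint MAC."""
    return build_request(DISCONNECT_REQUEST, ident,
                         attr(ACCT_SESSION_ID, acct_session_id) + attr(CALLING_STATION_ID, mac), key)


def reauthenticate_request(ident, acct_session_id, key=SERVER_KEY):
    """Cisco-specific CoA: re-run authentication for the session without dropping it."""
    return build_request(COA_REQUEST, ident,
                         attr(ACCT_SESSION_ID, acct_session_id)
                         + cisco_avpair(b"subscriber:command=reauthenticate")
                         + cisco_avpair(b"subscriber:reauthenticate-type=last"), key)


def switch_handle(pkt, known_sessions, key=SERVER_KEY):
    """Model of the NAS side: wrong server-key -> silently dropped (None); unknown session ->
    NAK with Error-Cause 503; otherwise ACK. Returns the response packet or None."""
    if not verify_request(pkt, key):
        return None
    ack, nak = (DISCONNECT_ACK, DISCONNECT_NAK) if pkt[0] == DISCONNECT_REQUEST else (COA_ACK, COA_NAK)
    session = next((v for t, v in tlvs(pkt[20:]) if t == ACCT_SESSION_ID), None)
    if session not in known_sessions:
        return build_response(nak, pkt, attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND)), key)
    return build_response(ack, pkt, b"", key)
```

The silent-drop branch is the one to remember when "CoA does nothing": a server-key typo under dynamic-author produces no NAK for ISE to log, only a timeout, while a session-identification problem produces a NAK with Error-Cause 503 that ISE does show.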
RADIUS Troubleshooting on the Switch
Symptom: show aaa servers shows State: DEAD
Cause: Switch cannot reach ISE on UDP 1812 — routing issue, firewall blocking UDP, ISE interface down, or shared secret mismatch causing ISE to discard requests silently
Fix: Verify IP reachability with ping 10.0.0.10 source Vlan99. Check that ip radius source-interface Vlan99 is configured. Verify the shared secret in both the switch config and ISE Network Device definition; test aaa group ISE-GROUP <user> <password> new-code sends a real Access-Request and tells you whether ISE answered at all, which separates a reachability or secret problem from a credential problem. Check ISE process status. Full diagnosis in Article 22: RADIUS Server Unreachable in 802.1X: Causes and Fixes.
Symptom: RADIUS requests sent but Access-Reject received; ISE Live Logs show authentication failure
Cause: Identity issue (wrong credentials, expired password, account locked), certificate issue (EAP-TLS), or authorization policy doesn't match (ISE allows authentication but no authorization rule matches)
Fix: Check ISE Live Logs at Operations > RADIUS > Live Logs for the failure reason. ISE provides a specific failure reason code (e.g., "22056 Object was not found in the applicable identity store") that pinpoints the cause. Authentication failure codes are distinct from authorization failure codes.
Symptom: RADIUS accounting-stop not received by ISE; sessions stay in live view indefinitely
Cause: Accounting not configured (aaa accounting dot1x default start-stop group ISE-GROUP missing), switch sending accounting to wrong server group, or UDP accounting packets dropped
Fix: Verify aaa accounting configuration. Check show aaa servers for accounting request counts. Verify ISE RADIUS accounting port (1813) is reachable from the switch management interface.
RADIUS vs. TACACS+
Both RADIUS and TACACS+ are AAA protocols, and Cisco uses both. The distinction matters:
RADIUS — Used for network access authentication (802.1X, VPN, wireless). Combines authentication and authorization in a single exchange. UDP-based. Policy attributes (VLAN, ACL) returned in Access-Accept. Only User-Password is obscured; everything else is visible on the wire.
TACACS+ — Used for device administration (SSH login to the switch, privilege level control, command authorization). TCP-based (port 49). Separates authentication, authorization, and accounting into distinct exchanges, and encrypts the entire packet body with the shared secret, which is one reason it is preferred for per-command authorization.
In this lab, ISE handles both: RADIUS for endpoint 802.1X authentication, and TACACS+ for switch administrative access. These are completely independent configurations on both the switch and ISE. Do not confuse TACACS+ configuration with RADIUS configuration — they use different ports, different AAA method lists, and different ISE policy sets.
What's Next: Article 6: Introduction to Cisco ISE: What It Is and Why It Matters for 802.1X — an overview of ISE 3.2 architecture, the components that matter for 802.1X, and how ISE's Policy Sets, identity stores, and profiling engine work together as the brain of the NAC deployment.