Switch Configuration for ISE Integration – Part 1 – AAA Functions

Introduction and Documentation Path

There is quite a bit that needs to be configured on a switch in order for the device to integrate with the Identity Service Engine (ISE) correctly. In this series of posts, we will break down the different areas of the full configuration and ensure that we know what each command in each of the major sections does. Remember, we never want to be inserting commands on exam day from rote memory, without a solid grasp on what the command is actually doing.


By the way, should you get rattled on exam day and forget a grouping of commands, or think you may have forgotten a single command – there is an excellent reference of the required commands available to you here in your exam:

Documentation Shortcut on Candidate PC > Products > Security > Access Control and Policy > Cisco Identity Services Engine > End User Guides > Release 1.1.X > Reference > Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Keep in mind that the above reference document covers much more than is typically required in the exam, and will cost you time as you wait for each section of the navigation path above to be fetched from Cisco. The commands really are not that bad once you have gone through my blog posts many times and practiced.

AAA Function Commands

Now let us take a look at those commands that would most likely be required in a typical lab environment. Remember to read the requirements VERY carefully in the event that additional (optional) commands are required:

  • aaa new-model – enables the AAA system on the device
  • aaa authentication dot1x default group radius – configures the default authentication method list for 802.1X to use the RADIUS server; this server is of course the ISE; we will cover the configuration commands required for the RADIUS server in our next post in this series
  • aaa authorization network default group radius – this command is required in order to allow the ISE to do VLAN and ACL assignments
  • aaa accounting dot1x default start-stop group radius – this command enables accounting for the 802.1X sessions
  • aaa server radius dynamic-author
    client <ISE-IP> server-key 0 cisco123  – ensures the switch is able to appropriately handle RADIUS Change of Authorization behavior supporting posture functions from Cisco ISE

In the next post in this series, we will ensure we master the command grouping for proper configuration of the RADIUS server related commands. Thanks for reading! 

8 thoughts on “Switch Configuration for ISE Integration – Part 1 – AAA Functions

  1. My CCNP-DC is on hold. I have cleared DCUCI and DCUFI, but now I need to focus on clearing the CCIE Security.

    Thanks for visiting my blog and commenting!

  2. what will happen if we leave off the “local” argument from this string?

    aaa authentication dot1x default group ISE local

    i am on a 1941 with an older iOS version that does not have the ending “local” option, so what happens if ISE goes down?

Leave a Reply

Your email address will not be published. Required fields are marked *