Cisco Catalyst setup guide

IOS / IOS-XE

Applies to: Catalyst 9200/9300/9500 on IOS-XE 17.x. Legacy 2960/3650/3850 on 15.x and 16.x use the same command set with minor differences.

Wired — RADIUS server, 802.1X and MAB

Global AAA and RADIUS server group. Note the use of automate-tester for active dead-server detection.

! --- AAA core ---
aaa new-model
aaa session-id common

! --- Two Edge appliances ---
radius server EDGE1
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 automate-tester username arbiter-probe ignore-acct-port probe-on
 key ARBITER_PSK
!
radius server EDGE2
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 automate-tester username arbiter-probe ignore-acct-port probe-on
 key ARBITER_PSK
!
aaa group server radius ARBITER
 server name EDGE1
 server name EDGE2
 deadtime 5
!
! --- Bind AAA to ARBITER group ---
aaa authentication dot1x default group ARBITER
aaa authorization network default group ARBITER
aaa accounting dot1x default start-stop group ARBITER
aaa accounting update newinfo periodic 5
aaa server radius dynamic-author
 client 10.10.10.10 server-key ARBITER_PSK
 client 10.10.10.11 server-key ARBITER_PSK
 auth-type any
!
! --- 802.1X + MAB on an access port ---
dot1x system-auth-control
!
interface range GigabitEthernet1/0/1-48
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast

Wireless — 802.1X SSID

Catalyst 9800 WLC. Note the CoA port of 1700/udp (the 9800 default, not the RFC 5176 port 3799), the named method lists that the WLAN commands reference, and the radius-server attribute 6 on-for-login-auth setting commonly needed for MAB.

radius server EDGE1-9800
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 key ARBITER_PSK
!
radius server EDGE2-9800
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 key ARBITER_PSK
!
aaa group server radius ARBITER-WLC
 server name EDGE1-9800
 server name EDGE2-9800
 deadtime 5
!
! --- Named method lists; the WLAN commands reference these, not the server group directly ---
aaa authentication dot1x ARBITER-WLC group ARBITER-WLC
aaa authorization network ARBITER-WLC group ARBITER-WLC
!
! --- Include Service-Type in MAB requests ---
radius-server attribute 6 on-for-login-auth
!
! --- CoA listener; "port" is its own sub-command, not a client option ---
aaa server radius dynamic-author
 client 10.10.10.10 server-key ARBITER_PSK
 client 10.10.10.11 server-key ARBITER_PSK
 port 1700
!
wlan corp-1x 1 corp-1x
 security wpa wpa2 ciphers aes
 security dot1x authentication-list ARBITER-WLC
 no shutdown
!
! --- On the 9800, aaa-override is set in the policy profile (bound to the WLAN by your policy tag) ---
wireless profile policy corp-1x
 aaa-override
 no shutdown

Guest SSID — open with captive portal redirect

Open SSID with MAB-driven URL redirect. Arbiter returns the redirect URL via the cisco-av-pair attribute together with the name of the redirect ACL, which is defined locally on the controller and referenced by name in the same Access-Accept.

! Redirect-ACL semantics: permit = intercept and redirect, deny = let through untouched
ip access-list extended ARBITER-GUEST-REDIRECT
 deny   udp any any eq domain
 deny   udp any any eq bootpc
 deny   udp any any eq bootps
 deny   tcp any host 10.10.10.10 eq www
 deny   tcp any host 10.10.10.11 eq www
 permit tcp any any eq www
 permit tcp any any eq 443
!
wlan guest 2 guest
 no security wpa
 mac-filtering ARBITER-WLC
 no shutdown
!
! --- aaa-override in the policy profile, bound to the guest WLAN by your policy tag ---
wireless profile policy guest
 aaa-override
 no shutdown

! Arbiter returns these AVPs on the open-SSID MAB Access-Accept:
!   cisco-av-pair = url-redirect-acl=ARBITER-GUEST-REDIRECT
!   cisco-av-pair = url-redirect=https://acme-7f3-guest.arbiter.ie/
! After T&C acceptance, Arbiter issues CoA-Reauth -> re-MAB -> production VLAN.
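The permit/deny meaning in a url-redirect-acl is the reverse of a filtering ACL, which is the usual source of broken portals. The added example below (not Arbiter or Cisco code) evaluates constructed guest flows against a transcription of the ARBITER-GUEST-REDIRECT ACL above with first-match redirect semantics; the client and destination addresses are made up.

```python
from ipaddress import ip_address, ip_network

# Constructed transcription of the ARBITER-GUEST-REDIRECT ACL from the page.
# Named ports resolved: domain=53, bootps=67, bootpc=68, www=80.
# Tuple layout: (action, protocol, source, destination, destination port)
ARBITER_GUEST_REDIRECT = [
    ("deny",   "udp", "any", "any",            53),
    ("deny",   "udp", "any", "any",            68),
    ("deny",   "udp", "any", "any",            67),
    ("deny",   "tcp", "any", "10.10.10.10/32", 80),
    ("deny",   "tcp", "any", "10.10.10.11/32", 80),
    ("permit", "tcp", "any", "any",            80),
    ("permit", "tcp", "any", "any",            443),
]

def _addr_matches(ace_field, addr):
    """'any' matches everything; otherwise test prefix membership."""
    return ace_field == "any" or ip_address(addr) in ip_network(ace_field)

def redirect_decision(acl, proto, src, dst, dport):
    """First-match evaluation with url-redirect-acl semantics.

    Returns (verdict, ace_index): 'redirect' when a permit ACE matches,
    'pass' when a deny ACE matches or when nothing matches (implicit deny,
    which for a redirect ACL means the flow is simply not intercepted).
    """
    for idx, (action, ace_proto, ace_src, ace_dst, ace_port) in enumerate(acl):
        if (ace_proto == proto and ace_port == dport
                and _addr_matches(ace_src, src)
                and _addr_matches(ace_dst, dst)):
            return ("redirect" if action == "permit" else "pass", idx)
    return ("pass", None)

if __name__ == "__main__":
    # Constructed sample flows from a guest client 10.0.20.50
    flows = [
        ("udp", "10.0.20.50", "10.0.0.5",     53),   # DNS lookup
        ("tcp", "10.0.20.50", "10.10.10.10",  80),   # HTTP to Edge portal
        ("tcp", "10.0.20.50", "198.51.100.7", 80),   # arbitrary HTTP
        ("tcp", "10.0.20.50", "198.51.100.7", 443),  # arbitrary HTTPS
        ("tcp", "10.0.20.50", "198.51.100.7", 22),   # SSH, no ACE matches
    ]
    for flow in flows:
        print(flow, "->", redirect_decision(ARBITER_GUEST_REDIRECT, *flow))
```

Because the last ACE redirects all port 443, HTTPS to the portal host itself is also intercepted unless a deny for 443 to the Edge addresses is added above it; redirected HTTPS also produces certificate warnings on the client, which is why the page exempts only DNS, DHCP and HTTP to the portal.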

DHCP relay to Edge

Set ip helper-address on the SVI for each user VLAN. The switch relays a unicast copy of every DHCP broadcast to each helper address, so list your real DHCP server and both Edges. Order does not matter, but the real DHCP server must always be present or clients will not get leases.

interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ! real DHCP server
 ip helper-address 10.0.0.5
 ! Edge #1
 ip helper-address 10.10.10.10
 ! Edge #2
 ip helper-address 10.10.10.11

AAA dead-server detection

Optional but recommended. Tells the switch to declare a RADIUS server dead if it does not reply within 30 seconds across four consecutive attempts, then holds the dead flag for 3 minutes before retrying. This keeps failover predictable and, in most cases, faster than the supplicant's own timeout. Pair it with the automate-tester probe so the dead-server flip happens against the probe rather than the next real user. Note that a deadtime configured under aaa group server radius (deadtime 5 in the Wired section) overrides the global radius-server deadtime for that group.

! 1. Declare the server dead after 30s with no reply across 4 attempts
radius-server dead-criteria time 30 tries 4

! 2. Hold the dead flag for 3 minutes before trying again
radius-server deadtime 3

! On each server entry (shown in Wired section above):
!   automate-tester username arbiter-probe

CoA listener

Catalyst 9800 wireless controllers listen on UDP/1700 by default. Catalyst switches use UDP/3799. Register the correct port per NAS in the Arbiter portal.

aaa server radius dynamic-author
 client 10.10.10.10 server-key ARBITER_PSK
 client 10.10.10.11 server-key ARBITER_PSK
 auth-type any
 ! Listener is 3799 by default on switches; add "port <n>" here only if Arbiter is registered to another port