TEST_SWITCH#sh run
Building configuration...
Current configuration : 9917 bytes
!
! Last configuration change at 07:36:42 UTC Thu Dec 19 2019 by cisco
! NVRAM config last updated at 06:47:36 UTC Thu Dec 19 2019 by cisco
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TEST_SWITCH
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
username admin password 0 cisco123456
username cisco privilege 15 password 0 cisco
aaa new-model
!
!
aaa group server radius CPPM
 server name CPPM
 ip radius source-interface Vlan98
!
aaa authentication login default group tacacs+ line none
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ none
aaa authorization network default group radius group tacacs+ if-authenticated
aaa authorization auth-proxy default group radius
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+ group radius
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+ group radius
aaa accounting system default start-stop group tacacs+ group radius
!
!
!
!
!
aaa server radius dynamic-author
 client 192.168.1.242 server-key test123
 port 3799
 auth-type all
!
aaa session-id common
system mtu routing 1500
!
!
!
!
!
device-sensor filter-list cdp list cdp-list
 tlv name version-type
 tlv name platform-type
!
device-sensor filter-list lldp list lldp-list
 tlv name system-description
!
device-sensor filter-list dhcp list dhcp-list
 option name host-name
 option name parameter-request-list
 option name class-identifier
device-sensor filter-spec dhcp include list dhcp-list
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
device-sensor notify all-changes
!
!
ip dhcp snooping
no ip domain-lookup
ip name-server 192.168.1.240
ip device tracking probe delay 10
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3329035008
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3329035008
 revocation-check none
 rsakeypair TP-self-signed-3329035008
!
!
crypto pki certificate chain TP-self-signed-3329035008
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333239 30333530 3038301E 170D3139 31313234 31383430
  34325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33323930
  33353030 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BFA1 B6C652F2 C1F5317A 864F9037 E32CB75F 654E4175 577CF0CC F86B6379
  C6382691 D393B0E1 BD16D003 E5BD6336 7DE79BFB 46BE829D BA011587 F6196A2F
  CEAB8601 0C5EF62C 2B57166E 778B7858 47EE1E10 DB1FCDD0 1348DE14 5EB58839
  979DE1F4 98698B94 492C4FEA 036DC9C7 1E25A369 A065EBC7 4C631606 D17768ED
  AB5D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14809A7A CF420560 9C83FA52 8231F07B ADFD5AB9 D1301D06
  03551D0E 04160414 809A7ACF 4205609C 83FA5282 31F07BAD FD5AB9D1 300D0609
  2A864886 F70D0101 05050003 81810072 B0BD7439 C34AAC6F F8392503 9C5A3C2D
  90276CB0 8EA00975 5EF46D58 4A523C3E 985C73E7 0CDA29AB A35E92C3 827A6865
  71483B65 528AA68B 33909DB5 48773ED3 E390BD60 7B9FBD18 4363A6FC 964FF1CA
  72416DFC D7E345D8 B9FF0C6C B679C947 79584075 E8589047 C96AD149 BC3A927E
  B0B8407B AF865A10 E5236AD8 67A556
  quit
dot1x system-auth-control
identity profile default
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
class-map type control subscriber match-all ALL_FAILED
 no-match result-type method dot1x none
 no-match result-type method dot1x success
 no-match result-type method mab none
 no-match result-type method mab success
 no-match result-type method webauth none
 no-match result-type method webauth success
!
class-map type control subscriber match-any DOT1X
 match method dot1x
 match session-type wired
!
class-map type control subscriber match-all MAB
 match method mab
!
!
!
policy-map type control subscriber CONCURRENT_DOT1X_MAB_WEBAUTH
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
   30 authenticate using webauth parameter-map WEBAUTH_DEFAULT priority 30
 event authentication-failure match-first
  10 class ALL_FAILED do-until-failure
   10 authentication-restart 60
 event authentication-success match-all
  10 class DOT1X do-until-failure
   10 terminate mab
   20 terminate webauth
  20 class MAB do-until-failure
   10 terminate webauth
 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
!
policy-map type control subscriber dot1x_TEST
 event session-started match-all
  1 class DOT1X do-all
   1 authenticate using dot1x
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
 switchport access vlan 98
 switchport mode access
 ip access-group 2000 in
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-host
 access-session control-direction in
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast edge
 service-policy type control subscriber CONCURRENT_DOT1X_MAB_WEBAUTH
!
interface GigabitEthernet0/2
 switchport access vlan 98
 switchport mode access
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-host
 access-session control-direction in
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast edge
 service-policy type control subscriber CONCURRENT_DOT1X_MAB_WEBAUTH
!
interface GigabitEthernet0/3
 switchport access vlan 97
 switchport mode access
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-host
 access-session control-direction in
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast edge
 service-policy type control subscriber CONCURRENT_DOT1X_MAB_WEBAUTH
!
interface GigabitEthernet0/4
 switchport access vlan 97
 switchport mode access
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-host
 access-session control-direction in
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast edge
 service-policy type control subscriber CONCURRENT_DOT1X_MAB_WEBAUTH
!
interface GigabitEthernet0/5
 switchport mode access
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-host
 access-session control-direction in
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast edge
 service-policy type control subscriber CONCURRENT_DOT1X_MAB_WEBAUTH
!
interface GigabitEthernet0/6
 switchport mode access
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-host
 access-session control-direction in
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast edge
 service-policy type control subscriber CONCURRENT_DOT1X_MAB_WEBAUTH
!
interface GigabitEthernet0/7
 switchport mode access
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-host
 access-session control-direction in
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast edge
 service-policy type control subscriber CONCURRENT_DOT1X_MAB_WEBAUTH
!
interface GigabitEthernet0/8
 spanning-tree portfast edge
 service-policy type control subscriber CONCURRENT_DOT1X_MAB_WEBAUTH
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
 switchport mode trunk
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface Vlan1
 ip address dhcp
!
interface Vlan97
 ip address 192.168.97.2 255.255.255.0
 ip helper-address 192.168.1.242
 ip helper-address 192.168.97.1
!
interface Vlan98
 ip address 192.168.98.2 255.255.255.0
 ip helper-address 192.168.1.242
 ip helper-address 192.168.98.1
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
ip http secure-server
ip http secure-active-session-modules disable_webmgmt
ip http session-module-list disable_webmgmt NONE
ip http active-session-modules disable_webmgmt
!
!
ip access-list extended Web-Redirect
 deny   udp host 0.0.0.0 host 255.255.255.255 eq bootps
 deny   udp any any eq domain
 deny   tcp any host 192.168.1.242
 permit tcp any any
!
ip radius source-interface Vlan1
access-list 2000 permit ip any any
!
!
radius-server attribute 4 192.168.1.11
!
radius server CPPM
 address ipv4 192.168.1.242 auth-port 1645 acct-port 1646
 key test123
!
no vstack
!
line con 0
line vty 5 15
!
mac address-table notification change
mac address-table notification threshold
end