Cisco Catalyst
IOS / IOS-XE
Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.
For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.
Wired: RADIUS server, 802.1X and MAB
Global AAA and RADIUS server group.
! --- AAA core ---
aaa new-model
aaa session-id common
! --- Two Edge appliances ---
radius server EDGE1
address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
key ARBITER_PSK
!
radius server EDGE2
address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
key ARBITER_PSK
!
aaa group server radius ARBITER
server name EDGE1
server name EDGE2
deadtime 1
!
! --- Bind AAA to ARBITER group ---
aaa authentication dot1x default group ARBITER
aaa authorization network default group ARBITER
aaa accounting dot1x default start-stop group ARBITER
aaa accounting update newinfo periodic 5
aaa server radius dynamic-author
client 10.10.10.10 server-key ARBITER_PSK
client 10.10.10.11 server-key ARBITER_PSK
auth-type any
!
! --- 802.1X + MAB on an access port ---
dot1x system-auth-control
!
interface range GigabitEthernet1/0/1-48
switchport mode access
switchport access vlan 10
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 7
spanning-tree portfast

Wireless: 802.1X SSID
Catalyst 9800 WLC. Note the non-default CoA port (1700/udp) and the radius-server attribute 6 on-for-login-auth setting commonly needed for MAB.
radius server EDGE1-9800
address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
key ARBITER_PSK
!
radius server EDGE2-9800
address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
key ARBITER_PSK
!
aaa group server radius ARBITER-WLC
server name EDGE1-9800
server name EDGE2-9800
deadtime 1
!
! --- Method lists referenced by the WLAN (authentication-list / mac-filtering) ---
aaa authentication dot1x ARBITER-WLC group ARBITER-WLC
aaa authorization network ARBITER-WLC group ARBITER-WLC
! --- Send NAS-Port-Type (attribute 6) in MAB/login requests ---
radius-server attribute 6 on-for-login-auth
!
! --- CoA listener on 1700/udp; the port applies to the whole dynamic-author block ---
aaa server radius dynamic-author
client 10.10.10.10 server-key ARBITER_PSK
client 10.10.10.11 server-key ARBITER_PSK
port 1700
auth-type any
!
wlan corp-1x 1 corp-1x
security wpa wpa2 ciphers aes
security dot1x authentication-list ARBITER-WLC
no shutdown
!
! --- On the 9800, aaa-override and CoA handling (nac) belong to the policy profile, not the WLAN ---
wireless profile policy corp-1x
! VLAN 10 as in the wired example; aaa-override lets Arbiter replace it per session
vlan 10
aaa-override
nac
no shutdown
!
wireless tag policy ARBITER-TAG
wlan corp-1x policy corp-1x

Guest SSID: open with captive portal redirect
Open SSID with MAB-driven URL redirect. Arbiter returns the redirect URL via the cisco-av-pair attribute and an associated downloadable ACL.
ip access-list extended ARBITER-GUEST-REDIRECT
deny udp any any eq domain
deny udp any any eq bootpc
deny udp any any eq bootps
deny tcp any host 10.10.10.10 eq www
deny tcp any host 10.10.10.11 eq www
permit tcp any any eq www
permit tcp any any eq 443
!
wlan guest 2 guest
no security wpa
mac-filtering ARBITER-WLC
no shutdown
!
! --- aaa-override (redirect ACL / VLAN from Arbiter) and CoA handling (nac) sit on the policy profile ---
wireless profile policy guest
! GUEST_VLAN_ID is a placeholder; substitute your pre-acceptance guest VLAN
vlan GUEST_VLAN_ID
aaa-override
nac
no shutdown
!
wireless tag policy ARBITER-TAG
wlan guest policy guest
!
! Arbiter returns these AVPs on the open-SSID MAB Access-Accept:
! cisco-av-pair = url-redirect-acl=ARBITER-GUEST-REDIRECT
! cisco-av-pair = url-redirect=https://acme-7f3-guest.arbiter.ie/
! After T&C acceptance, Arbiter issues CoA-Reauth -> re-MAB -> production VLAN.

DHCP relay to Edge
Set ip helper-address on the SVI for each user VLAN. Include your real DHCP server and both Edges. Order does not matter, but the real DHCP server should always be present.
interface Vlan10
ip address 10.0.10.1 255.255.255.0
! real DHCP server
ip helper-address 10.0.0.5
! Edge #1
ip helper-address 10.10.10.10
! Edge #2
ip helper-address 10.10.10.11

AAA dead-server detection
Optional but recommended. The switch only ever talks to a local Edge appliance on your LAN, so round-trips are sub-millisecond and there is no slow cloud hop to wait out. Use standard tight values: declare a server dead after about 5 seconds across 3 attempts, then hold the dead flag briefly before retrying. The Edge handles its own cloud failover and serves cached and locally-terminated authentications when the WAN is down, so the only job left to the switch is to fail over quickly between the two on-LAN Edges.
! 1. Declare the server dead after ~5s with no reply across 3 attempts
radius-server dead-criteria time 5 tries 3
! 2. Hold the dead flag for 1 minute before trying again
radius-server deadtime 1

CoA listener
Catalyst 9800 wireless controllers listen on UDP/1700 by default. Catalyst switches use UDP/3799. Register the correct port per NAS in the Arbiter portal.
aaa server radius dynamic-author
! Switches listen on 3799 by default, so no port command is needed here
client 10.10.10.10 server-key ARBITER_PSK
client 10.10.10.11 server-key ARBITER_PSK
auth-type any

Notes
- Use 'authentication host-mode multi-auth' on user-access ports so phones (voice VLAN) and PCs (data VLAN) can both authenticate independently.
- If you run Cisco IP phones, Arbiter returns cisco-av-pair = device-traffic-class=voice for the phone. No separate voice-VLAN AVP is needed.
- On IOS-XE 17.6+, the newer 'policy-map type control subscriber' framework can replace the legacy 'authentication' commands. Both work; legacy syntax is shown for breadth of compatibility.
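A pre-flight check of a switch's running configuration against the intent of the sections above (DHCP relay to both Edges, the dead-server timers, and CoA client entries for both Edges). This is an added example, not part of the Arbiter onboarding kit or Cisco tooling. It assumes the page's Edge addresses and the DHCP server 10.0.0.5 from the DHCP relay snippet, and runs over a constructed config sample in which one SVI and the dynamic-author block are each missing an Edge; because the snippets on this page are unindented, the parser keys on IOS mode-opening keywords rather than on leading whitespace.

```python
"""Pre-flight lint for the Catalyst configuration sections on this page.
Added example, not part of the Arbiter onboarding kit."""
import re
from typing import Dict, List

# Addresses from the page's worked example; DHCP_SERVER is the value used in
# the DHCP relay snippet. Substitute your own.
EDGES = ("10.10.10.10", "10.10.10.11")
DHCP_SERVER = "10.0.0.5"

# Lines that open an IOS sub-mode. Every following line, up to a "!" or the
# next opener, is treated as part of that block.
OPENERS = ("interface ", "radius server ", "aaa group server radius ",
           "aaa server radius dynamic-author", "ip access-list ")
# Global commands that also end a block (for configs that omit "!" separators).
GLOBAL_PREFIXES = ("aaa ", "radius-server ", "dot1x system-auth-control")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group config text into {block header: [lines]}; global lines go under ''."""
    blocks: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = ""                      # "!" closes the current block
            continue
        if line.startswith(OPENERS):
            current = line
            blocks.setdefault(current, [])
            continue
        if line.startswith(GLOBAL_PREFIXES):
            current = ""
        blocks.setdefault(current, []).append(line)
    return blocks


def lint(config: str) -> List[str]:
    """Return findings; an empty list means the config matches the page's intent."""
    blocks = parse_blocks(config)
    findings: List[str] = []
    globals_ = blocks[""]

    # 1. DHCP relay: every routed user-VLAN SVI relays to the real DHCP server
    #    and to both Edges (order does not matter).
    for header, body in blocks.items():
        if not re.match(r"interface Vlan\d+$", header):
            continue
        if not any(l.startswith("ip address ") for l in body):
            continue                          # not a routed SVI, nothing to relay
        helpers = {l.split()[2] for l in body if l.startswith("ip helper-address ")}
        for required in (DHCP_SERVER, *EDGES):
            if required not in helpers:
                findings.append(f"{header}: missing ip helper-address {required}")

    # 2. Dead-server detection: ~5 s across 3 tries, then a 1 minute hold-down.
    if "radius-server dead-criteria time 5 tries 3" not in globals_:
        findings.append("global: radius-server dead-criteria time 5 tries 3 not set")
    if "radius-server deadtime 1" not in globals_:
        findings.append("global: radius-server deadtime 1 not set")

    # 3. CoA: both Edges must be dynamic-author clients with a shared key.
    coa = blocks.get("aaa server radius dynamic-author", [])
    coa_clients = {l.split()[1] for l in coa if l.startswith("client ") and "server-key" in l}
    for edge in EDGES:
        if edge not in coa_clients:
            findings.append(f"dynamic-author: no CoA client entry for {edge}")

    # 4. Every 'radius server' entry points at an Edge and carries a key.
    for header, body in blocks.items():
        if header.startswith("radius server "):
            addr = next((l.split()[2] for l in body if l.startswith("address ipv4 ")), None)
            if addr not in EDGES:
                findings.append(f"{header}: address {addr} is not an Edge appliance")
            if not any(l.startswith("key ") for l in body):
                findings.append(f"{header}: no shared key configured")
    return findings


# Constructed sample: Vlan20 lacks Edge #2 and the CoA block lacks Edge #2.
SAMPLE_CONFIG = """\
radius server EDGE1
address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
key ARBITER_PSK
!
radius server EDGE2
address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
key ARBITER_PSK
!
aaa server radius dynamic-author
client 10.10.10.10 server-key ARBITER_PSK
auth-type any
!
radius-server dead-criteria time 5 tries 3
radius-server deadtime 1
!
interface Vlan10
ip address 10.0.10.1 255.255.255.0
ip helper-address 10.0.0.5
ip helper-address 10.10.10.10
ip helper-address 10.10.10.11
!
interface Vlan20
ip address 10.0.20.1 255.255.255.0
ip helper-address 10.0.0.5
ip helper-address 10.10.10.10
!
"""

# The same sample with both omissions corrected.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "client 10.10.10.10 server-key ARBITER_PSK\n",
    "client 10.10.10.10 server-key ARBITER_PSK\nclient 10.10.10.11 server-key ARBITER_PSK\n",
).replace(
    "ip helper-address 10.10.10.10\n!\n",
    "ip helper-address 10.10.10.10\nip helper-address 10.10.10.11\n!\n",
)

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of 'show running-config' saved to a file; a clean result is a reachability and intent check only, and the policy outcome still has to be confirmed in the Arbiter portal.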
Verify the integration
Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.
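Validating the policy outcome means looking at what the Edge actually returns in the Access-Accept, not just whether it answers. The following is an added example, not Arbiter's or Cisco's code: it decodes Cisco vendor-specific attributes (RFC 2865 attribute 26, vendor ID 9, cisco-av-pair sub-type 1) from a constructed attribute list modelled on the guest-SSID MAB Access-Accept shown above, then checks that the returned redirect ACL name is one the NAS has defined and that the redirect URL is the tenant portal over HTTPS. The attribute bytes, the Session-Timeout value and the set of configured ACL names are constructed for the example.

```python
"""Decode the cisco-av-pair AVPs in a RADIUS Access-Accept and check the guest
redirect outcome. Added example, not Arbiter's or Cisco's code."""
import struct
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

ATTR_SESSION_TIMEOUT = 27
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1               # cisco-av-pair vendor sub-attribute


def encode_cisco_avpair(avpair: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a single cisco-av-pair."""
    value = avpair.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the type/length/value attribute list; refuse malformed lengths."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def cisco_avpairs(blob: bytes) -> List[str]:
    """Extract every cisco-av-pair string, in wire order."""
    pairs: List[str] = []
    for attr_type, value in decode_attributes(blob):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue                            # some other vendor's VSA
        j = 4
        while j + 2 <= len(value):              # a VSA may carry several sub-attributes
            sub_type, sub_len = value[j], value[j + 1]
            if sub_len < 2 or j + sub_len > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if sub_type == CISCO_AVPAIR:
                pairs.append(value[j + 2:j + sub_len].decode(errors="replace"))
            j += sub_len
    return pairs


def check_guest_redirect(blob: bytes, configured_acls: Set[str], portal_host: str) -> List[str]:
    """Compare the returned redirect AVPs with what the NAS and tenant expect.
    If an AVP name repeats, the last occurrence wins, as the NAS would apply it."""
    avps: Dict[str, str] = dict(p.split("=", 1) for p in cisco_avpairs(blob) if "=" in p)
    problems: List[str] = []
    acl = avps.get("url-redirect-acl")
    if acl is None:
        problems.append("no url-redirect-acl returned; client will not be redirected")
    elif acl not in configured_acls:
        problems.append(f"url-redirect-acl {acl} is not configured on the NAS")
    url = avps.get("url-redirect")
    if url is None:
        problems.append("no url-redirect returned")
    else:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"redirect is not https: {url}")
        if parsed.hostname != portal_host:
            problems.append(f"redirect host {parsed.hostname} is not the tenant portal {portal_host}")
    return problems


# Constructed Access-Accept attribute list: a Session-Timeout plus the two AVPs
# the page says Arbiter returns on the open-SSID MAB Access-Accept.
SAMPLE_ACCEPT = (
    struct.pack("!BBI", ATTR_SESSION_TIMEOUT, 6, 3600)
    + encode_cisco_avpair("url-redirect-acl=ARBITER-GUEST-REDIRECT")
    + encode_cisco_avpair("url-redirect=https://acme-7f3-guest.arbiter.ie/")
)
PORTAL_HOST = "acme-7f3-guest.arbiter.ie"          # from the page's guest portal URL
CONFIGURED_ACLS = {"ARBITER-GUEST-REDIRECT"}        # ACL names present on the NAS

if __name__ == "__main__":
    print(cisco_avpairs(SAMPLE_ACCEPT))
    print(check_guest_redirect(SAMPLE_ACCEPT, CONFIGURED_ACLS, PORTAL_HOST) or "redirect outcome OK")
```

To use it on a live exchange, feed it the attribute bytes of an Access-Accept captured on the switch-to-Edge path (everything after the 20-byte RADIUS header) and the ACL names from 'show ip access-lists'; a mismatch between the returned ACL name and what the NAS has is the usual reason a guest is accepted but never redirected.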
Need help?
Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.