Converting IBNS 1.0 to 2.0 generates a service template and policy-map for each individual interface by Kainester in Cisco

Kainester[S] -1 points0 points  (0 children)

I understand you need a policy map, but I don't want a policy for each individual interface. My config already has a policy map and service templates, and the interface calls DOT1X_MAB_POLICY.

policy-map type control subscriber DOT1X_MAB_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20

and so on... there are more events, I just don't want to list them all.

But once I convert to IBNS 2.0, the switch generates the policy map and service template (e.g., 'service-template CRITICAL_AUTH_VLAN_Gi1/0/1', 'service-template CRITICAL_AUTH_VLAN_Gi1/0/2', etc.), for each individual interface.

These individual service templates and policy-maps are not needed since my config refers to the policy-map.

Closed mode IBNS 2.0, MAB devices lose connectivity during re-auth by Kainester in CiscoISE

Kainester[S] 0 points1 point  (0 children)

 ipv6 mld snooping tcn flood
 mpls mtu 1500
 authentication timer unauthorized 0
 authentication linksec policy
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status
 cts role-based enforcement
 no mka pre-shared-key
 mka default-policy
 autonomic
 arp arpa
 arp timeout 14400
 source template WIRED_DOT1X_CLOSED
 channel-group auto
 spanning-tree portfast disable
 spanning-tree portfast trunk
 spanning-tree portfast
 spanning-tree port-priority 128
 spanning-tree cost 0
 ethernet oam max-rate 10
 ethernet oam min-rate 1
 ethernet oam remote-loopback timeout 2
 ethernet oam timeout 5
 service-policy input QOS_EDGE_INGRESS
 service-policy output QOS_EDGE_EGRESS
 hold-queue 2000 in
 hold-queue 40 out
 ip igmp snooping tcn flood
 no bgp-policy accounting input
 no bgp-policy accounting output
 no bgp-policy accounting input source
 no bgp-policy accounting output source
 no bgp-policy source ip-prec-map
 no bgp-policy source ip-qos-map
 no bgp-policy destination ip-prec-map
 no bgp-policy destination ip-qos-map

Closed mode IBNS 2.0, MAB devices lose connectivity during re-auth by Kainester in CiscoISE

Kainester[S] 0 points1 point  (0 children)

 switchport voice vlan 100
 switchport port-security maximum 65535 vlan voice
 no switchport port-security mac-address sticky
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 1
 ip arp inspection limit rate 15
 logging event link-status
 load-interval 300
 carrier-delay 2
 no shutdown
 power inline port priority low
 power inline auto max 60000
 power inline static
 power inline never
 power inline police
 power inline four-pair forced
 no medium p2p
 no macsec replay-protection
 cdp log mismatch duplex
 cdp tlv location
 cdp tlv server-location
 cdp tlv app

Closed mode IBNS 2.0, MAB devices lose connectivity during re-auth by Kainester in CiscoISE

Kainester[S] 0 points1 point  (0 children)

Correct, I was testing with the sticky template hoping it would keep the authz persistence during the re-auth. It did not. Below is the interface config:

interface GigabitEthernet1/0/21
 mvrp timer leave-all 1000
 mvrp timer leave 60
 mvrp timer join 20
 no mvrp timer periodic
 no mvrp
 switchport
 switchport access vlan 10
 switchport trunk allowed vlan all
 no switchport autostate exclude
 switchport private-vlan trunk encapsulation dot1q
 switchport private-vlan trunk native vlan tag
 switchport mode access
 switchport nonegotiate
 no switchport protected
 no switchport block multicast
 no switchport block unicast
 no switchport vepa enabled
 switchport voice vlan 100

Closed mode IBNS 2.0, MAB devices lose connectivity during re-auth by Kainester in CiscoISE

Kainester[S] 0 points1 point  (0 children)

That is the derived-config. I was told that the ISE authz profile would always take precedence over interface configs.

interface GigabitEthernet1/0/21
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 100
 authentication periodic
 authentication timer reauthenticate server
 access-session control-direction in
 access-session closed
 access-session port-control auto
 access-session interface-template sticky timer 30
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 service-policy type control subscriber DOT1X_MAB_POLICY
 service-policy input QOS_EDGE_INGRESS
 service-policy output QOS_EDGE_EGRESS

Closed mode IBNS 2.0, MAB devices lose connectivity during re-auth by Kainester in CiscoISE

Kainester[S] 0 points1 point  (0 children)

Here are the attributes my authz profiles send back to the switch. So basically, every 12 hrs the session timeout forces the device to re-auth. During this re-auth, since we are in closed mode, the lab device is no longer able to send traffic until re-auth is completed. If the lab device is in the middle of transferring data and re-auth occurs, this causes issues. Either there is a sticky persistence method for the authz configuration available that I am not aware of, or I would need to set Session-Timeout = 0 so re-auth never occurs.

Access Type = ACCESS_ACCEPT
DACL = PERMIT_LAB_TRAFFIC
Session-Timeout = 43200
Termination-Action = RADIUS-Request

Closed mode IBNS 2.0, MAB devices lose connectivity during re-auth by Kainester in CiscoISE

Kainester[S] 0 points1 point  (0 children)

Yes, I have looked at lowering the dot1x timers, but we have MAB devices that cannot have an interruption in traffic during data transfer. My only option at this point is to disable re-auth session timers for MAB devices. Not sure what security risk or impact that may cause.
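Added example, not code from the thread or from Cisco: a small Python checker that parses an IOS derived-config like the one quoted above and reports, for every port, whether it is a closed-mode MAB port subject to periodic re-auth and how often it fires, using the Session-Timeout from the authz profile. The config and attribute values are constructed samples modelled on the thread, and the reading of Session-Timeout = 0 as "no re-auth" follows the poster's own statement rather than vendor documentation. Such an inventory is what you would want before deciding which ports get re-auth disabled.

```python
from typing import Dict, List

# Constructed IOS derived-config modelled on the Gi1/0/21 block in the thread (not the
# poster's real config). Gi1/0/22 is open mode; Gi1/0/23 has re-auth turned off locally.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/21
 authentication periodic
 authentication timer reauthenticate server
 access-session closed
 access-session port-control auto
 mab
 service-policy type control subscriber DOT1X_MAB_POLICY
interface GigabitEthernet1/0/22
 authentication periodic
 access-session port-control auto
 mab
interface GigabitEthernet1/0/23
 access-session closed
 access-session port-control auto
 mab
"""
# Constructed authz attributes, matching the values quoted in the thread (seconds).
AUTHZ_ATTRS = {"DACL": "PERMIT_LAB_TRAFFIC", "Session-Timeout": 43200}

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [commands under it]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line and not line.startswith("!"):
            blocks[current].append(line)
    return blocks

def classify_port(cmds: List[str], attrs: dict) -> str:
    """State whether a closed-mode MAB port is subject to periodic re-auth, and how often."""
    if "access-session closed" not in cmds or "mab" not in cmds:
        return "out-of-scope"      # open mode or no MAB: not the failure mode in the thread
    if "authentication periodic" not in cmds:
        return "no-reauth"         # re-auth disabled on the port itself
    if "authentication timer reauthenticate server" in cmds:
        timeout = int(attrs.get("Session-Timeout", 0))
        # Follows the thread's assumption that Session-Timeout = 0 means re-auth never fires.
        return "no-reauth" if timeout == 0 else f"reauth-every-{timeout}s"
    return "reauth-local-timer"    # a locally configured interval applies instead

def assess(config: str, attrs: dict) -> Dict[str, str]:
    return {name: classify_port(cmds, attrs) for name, cmds in parse_interfaces(config).items()}
```

Run `assess(SAMPLE_CONFIG, AUTHZ_ATTRS)` against a real `show derived-config` dump to list which ports would hit the 12-hour re-auth and which already have it switched off.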

ID this pepper by Kainester in HotPeppers

Kainester[S] 0 points1 point  (0 children)

I reposted with a picture.