! ***************************************************************
! * IBNS 2.0 visibility config template based on IOS-XE 16.12.05b *
! ***************************************************************
!
! Values in angle brackets (<...>) are placeholders: the secrets were
! stripped from the template and must be supplied at deployment time.
!
! The AAA commands below require the new-model AAA framework
!
aaa new-model
!
! Define a test username used by the RADIUS liveness probe (automate-tester)
!
username radtest secret <probe-password>
!
! Convert the config to IBNS 2.0 (new-style). This is an exec-mode command;
! accept the prompt by typing yes
!
authentication convert-to new-style
!
! Define ISE PSNs and add them to a server group.
! Note: "key 7" is Cisco type-7 obfuscation, which is reversible in a few
! lines of code, so it protects nothing once this file leaves the switch.
! Enter the shared secret in clear (key 0 <secret>) on the device itself
! rather than pasting a type-7 string into a shared template.
!
radius server PSN1
 address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
 automate-tester username radtest probe-on
 key <shared-secret>
!
radius server PSN2
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 automate-tester username radtest probe-on
 key 7 <type-7 string>
!
aaa group server radius ISE-RADIUS
 server name PSN1
 server name PSN2
 deadtime 15
!
! Define additional RADIUS attributes to send
!
radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
!
! Enable the PSNs as CoA (Change of Authorization) clients.
! Only these two addresses may send CoA; the server-key must match the
! shared secret configured for the NAD in ISE.
!
aaa server radius dynamic-author
 client 10.0.0.1 server-key <shared-secret>
 client 10.0.0.2 server-key <shared-secret>
!
! Enable AAA method lists
!
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE-RADIUS
aaa accounting network default start-stop group ISE-RADIUS
!
! Configure device-sensor protocol filters.
! Additional lists (for example cdp) can be added here as needed; follow
! the ISE profiling design guide for the attributes each probe expects.
!
device-sensor filter-list lldp list lldp_list
 tlv name port-id
 tlv name system-name
 tlv name system-description
!
device-sensor filter-list dhcp list dhcp_list
 option name host-name
 option name interface-mtu
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-spec dhcp include list dhcp_list
device-sensor filter-spec lldp include list lldp_list
!
! Send device-sensor data to ISE via RADIUS accounting, on every change
!
device-sensor accounting
device-sensor notify all-changes
!
! Configure device-tracking (IPDT)
!
device-tracking tracking auto-source
!
! IPDT policies: one for the upstream trunk (trusted, no tracking of the
! switch-facing port) and one for downstream access ports
!
device-tracking policy Disable_DT_Trunk
 trusted-port
 device-role switch
!
device-tracking policy IP-Tracking
 limit address-count 10
 security-level glean
 tracking enable
!
! Build the access-session attribute list from the device-sensor protocols
! above and include it in RADIUS authentication requests.
! "access-session monitor" puts the switch in monitor mode: sessions are
! created and reported to ISE, but no enforcement is applied to the port.
!
access-session attributes filter-list list sensor_list
 lldp
 dhcp
!
access-session authentication attributes filter-spec include list sensor_list
access-session monitor
access-session acl default passthrough
!
! Enable dot1x globally
!
dot1x system-auth-control
dot1x critical eapol
!
! Configure the visibility policy: every new session is simply authorized,
! so endpoints are seen (and profiled via accounting) without being gated
!
policy-map type control subscriber ISE_VISIBILITY
 event session-started match-all
  10 class always do-until-failure
   10 authorize
!
! Keep the HTTP and HTTPS listeners (needed for ISE URL redirection) but
! disable every web application on them, so no management UI is exposed
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http max-connections 40
ip http active-session-modules none
!
! Monitor Mode ACLs. Both are permit-any by design in monitor mode; these
! are the ACLs to tighten when moving to low-impact or closed mode.
!
ip access-list extended AAA-Down
 permit ip any any
ip access-list extended ACL_Default
 permit ip any any
!
! Define the RADIUS source interface (must match the NAD IP configured in ISE)
!
ip radius source-interface Loopback123
!
! Enable syslog to the PSNs if desired (ISE listens on UDP 20514)
!
logging host 10.0.0.1 transport udp port 20514
logging host 10.0.0.2 transport udp port 20514
epm logging
!
! Enable mac-move SNMP notifications
!
mac address-table notification change
mac address-table notification mac-move
!
! Apply visibility on user ports (replace x/y/z-zz with the real range).
! Attach Disable_DT_Trunk to the upstream trunk interface(s) separately;
! that attachment is not shown in this template.
!
interface range GigabitEthernetx/y/z-zz
 service-policy type control subscriber ISE_VISIBILITY
 device-tracking attach-policy IP-Tracking
!
! Verify:
! show access-session
! show device-sensor cache all
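The template carries its RADIUS shared secrets as bare "key", "server-key" and "secret" keywords, and one of them as a "key 7" value. Before a rendered copy of such a template goes into a repository or an automation pipeline, two things are worth checking mechanically: that no secret is still blank or a placeholder, and that nobody has relied on type-7 obfuscation for protection. The following Python is an added example, not part of the original template or of any Cisco tooling; it decodes a type-7 string (Cisco's fixed XOR key, public for decades) and audits a constructed sample config whose secret-bearing lines mirror the template's. The sample type-7 string is constructed to decode to "cisco".

```python
"""Audit the RADIUS shared secrets in an IOS-XE config rendered from the
template above: flag blank or placeholder secrets and show that a 'key 7'
value protects nothing, because Cisco type 7 is a fixed-key XOR.
Added example; not part of the original template. The sample config below is
constructed for the demo (its type-7 string decodes to 'cisco')."""

# Cisco's static type-7 XOR key; it has been public for decades.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
# Encryption-type prefixes IOS uses in front of a secret value.
ENC_TYPES = ("0", "5", "6", "7", "8", "9")


def decode_type7(encoded: str) -> str:
    """Decode a type-7 string: two-digit seed, then hex bytes XORed with TYPE7_KEY."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type-7 string: %r" % encoded)
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def parse_secret_line(line: str):
    """Return (enc_type, value) for a secret-carrying line, else None.
    Handles 'key ...' under 'radius server', 'client X server-key ...' under
    'aaa server radius dynamic-author', and 'username X secret ...'."""
    toks = line.split()
    if not toks:
        return None
    if toks[0] == "username" and len(toks) >= 3 and toks[2] == "secret":
        rest = toks[3:]
    elif toks[0] == "client" and len(toks) >= 3 and toks[2] == "server-key":
        rest = toks[3:]
    elif toks[0] in ("key", "server-key") and toks[1:2] != ["chain"]:
        rest = toks[1:]
    else:
        return None
    if rest and rest[0] in ENC_TYPES:            # explicit encryption type given
        return rest[0], (rest[1] if len(rest) > 1 else None)
    return None, (rest[0] if rest else None)      # no type: cleartext or blank


def audit_secrets(config_text: str) -> list:
    """Return [(line_no, severity, message)] for every weak or unfilled secret."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        parsed = parse_secret_line(line)
        if parsed is None:
            continue
        enc_type, value = parsed
        if value is None:
            findings.append((n, "HIGH", "secret is blank"))
        elif value.startswith("<") and value.endswith(">"):
            findings.append((n, "HIGH", "placeholder not filled in: " + value))
        elif enc_type == "7":
            findings.append((n, "MEDIUM",
                             "type-7 secret is reversible, decodes to " + decode_type7(value)))
        elif enc_type in (None, "0"):
            findings.append((n, "INFO", "cleartext secret stored in the file"))
    return findings


# Constructed sample mirroring the template's secret-bearing lines.
SAMPLE_CONFIG = """\
username radtest secret
radius server PSN1
 address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
 key <shared-secret>
radius server PSN2
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key 7 060506324F41
aaa server radius dynamic-author
 client 10.0.0.1 server-key
 client 10.0.0.2 server-key 0 S3cr3t-PSN2
"""

if __name__ == "__main__":
    for line_no, severity, message in audit_secrets(SAMPLE_CONFIG):
        print("line %d [%s] %s" % (line_no, severity, message))
```

Run it against the output of "show running-config" or a rendered template file; anything rated HIGH means the switch would be deployed without a usable RADIUS secret (the PSN would reject every request and CoA would fail silently), and a MEDIUM finding means the file is effectively carrying the cleartext secret.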