topic ISE w/ FlexConnect APs in Network Access Control

ISE w/ FlexConnect APs

Razmeth — Thu, 24 May 2018 13:27:01 GMT

I am looking to find how to connect a FlexConnect AP to a port and have it authenticate, but all users connecting wirelessly through it not be prompted for authentication from the switch. I've seen a few solutions using interface templates, but they each require the port to be configured with multi-host, which would require configuring a port special for each AP, as the rest of the environment ports are configured as multi-auth.

The client I am creating this for specifically does not want a port with multi-host in which a user could disconnect an AP, connect something like a phone which authenticates, then connect their laptop to the phone and have full access. Is there a way, with interface templates or otherwise, to use the below interface configuration, and configure a port for a FlexConnect or Autonomous AP?

interface GigabitEthernet 1/0/1

ip access-group ACL-DEFAULT in

authentication event fail action next-method

authentication event server dead action authorize voice

authentication event server dead action authorize vlan 123

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation restrict

dot1x timeout tx-period 10

dot1x timeout held-period 300

dot1x timeout quiet-period 300

dot1x timeout ratelimit-period 300

mab

dot1x pae authenticator

Re: ISE w/ FlexConnect APs

paul — Thu, 24 May 2018 15:47:50 GMT

If they are using FlexConnect most likely those ports will turn into trunk ports some day. i would just plan to use AutoSmart ports to remove the ISE configuration when the AP is plugged in. When the AP is unplugged it goes back to a standard access port.

The result in ISE for your Access points tells the switch to run the smart port macro.

! show macro auto interface

! Note: older IOS version use -eq instead of == in the if statements

no macro auto global control device

no macro auto global control detection

no macro auto global control trigger

macro auto global processing

shell trigger ISE-AP-CONFIG Cisco Access Points

macro auto execute ISE-AP-CONFIG {

if [[ $LINKUP == YES ]]; then

conf t

default interface $INTERFACE

interface $INTERFACE

description Access Point

macro description $TRIGGER

switchport mode trunk

switchport trunk native vlan 123

switchport trunk allowed vlan 123

spanning-tree portfast trunk

exit

if [[ $LINKUP == NO ]]; then

conf t

default interface $INTERFACE

interface $INTERFACE

ip access-group ACL-DEFAULT in

authentication event fail action next-method

authentication event server dead action authorize voice

authentication event server dead action authorize vlan 123

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation restrict

dot1x timeout tx-period 10

dot1x timeout held-period 300

dot1x timeout quiet-period 300

dot1x timeout ratelimit-period 300

mab

dot1x pae authenticator

exit

}

Re: ISE w/ FlexConnect APs

Razmeth — Thu, 24 May 2018 16:27:00 GMT

I've sen some mention in certain posts of issues where if the macro had been run, with an AP plugged in, then the switch lost power, the macro configuration would be permanent and not reset. Do you know if this is still a concern?

Re: ISE w/ FlexConnect APs

paul — Thu, 24 May 2018 16:35:39 GMT

I haven’t tested that. I would almost consider that is a bug. If the AP comes up after the reboot and the port is in the Up condition then the macro should be there. When the AP is unplugged I would expect the Down condition to run.