topic parameter AutoSmartPort, dynamic dead action vlan in Network Access Control

parameter AutoSmartPort, dynamic dead action vlan

ChristianBur — Thu, 24 Aug 2017 13:00:39 GMT

Hello,

we plan to use dynamic vlan with cisco switches (IOS Version 15.2.x) and cisco ISE (2.1.0), this works so far.

For the error case, I would like to set the dead action vlan dynamically.

The only possibility I know is the AutoSmartPort feature on the cisco switches.

macro auto execute CRITICAL_AUTH_VLAN CAVLAN=7 {

if [[ $LINKUP == YES ]]

then conf t

interface $INTERFACE

macro description $TRIGGER

description CAVLAN_7

if [[ $AUTH_ENABLED -eq YES ]]

then authentication event server dead action reinitialize vlan $CAVLAN

end

if [[ $LINKUP == NO ]]

then conf t

interface $INTERFACE

no macro description

no description CAVLAN_44

if [[ $AUTH_ENABLED -eq YES ]]

then authentication event server dead action reinitialize vlan 44

end

}

macro auto global processing

On the ISE i use this in the Authorization Profile

cisco-av-pair = auto-smart-port=CRITICAL_AUTH_VLAN

Question: is it possible to change the $CAVLAN value withe the "cisco-av-pair = auto-smart-port" Parameter?

for example: cisco-av-pair = auto-smart-port=CRITICAL_AUTH_VLAN CAVLAN=55

The background of the question is, the crit vlan should always have the value of the last successful logon (with dynamic vlan). There are about 10-15 dynamic vlans, if i could set the parameter CAVLAN on the ISE, i need only one macro on the switch, otherwise it would copy the macro 10-15 and only the vlan id would differ.

Re: parameter AutoSmartPort, dynamic dead action vlan

Craig Hyps — Fri, 25 Aug 2017 08:43:33 GMT

No, you cannot specify variables in the A/V pair. ASP is generally tricky on switchports with RADIUS authorization since they write to switch config, not just temporary config elements in mem for given session. Have you looked at session-aware command logic that would allow policy template to set the desired behavior? ISE also supports the retrieval of service and interface templates via RADIUS.

/Craig

Re: parameter AutoSmartPort, dynamic dead action vlan

ChristianBur — Fri, 25 Aug 2017 09:47:53 GMT

Exactly this is the tick, the command (authentication event server dead action reinitialize vlan) should NOT be session-aware.

When the radius servers are not reachable or down and e.g. the radius session expires, the clients should use the vlan of the last successful logon. If the commando is session-aware, the setting disappears after the radius session expires.

Do I now have to create a single macro for each access vlan?

Re: parameter AutoSmartPort, dynamic dead action vlan

Craig Hyps — Sat, 26 Aug 2017 17:37:54 GMT

This is a unique use case, so cannot say I have had similar request. Others reviewing thread may be able to comment on their experience, but question is more specific to switching team and options to achieve desired goal are limited to ASP feature, or if able to leverage IBNS 2.0 policy to achieve. May even be able to achieve via EMM, but always a balance between complexity and utility.

As I recall, the critical VLAN initiates on reauth or connection state change such that existing sessions not impacted. It appears that you are trying to permit existing host access to same VLAN after AAA down. Of course this would allow any endpoint that connects to port to get the privs of previous host. Critical VLAN is often used to provide a minimum common denominator access when AAA down.

/Craig

Re: parameter AutoSmartPort, dynamic dead action vlan

Lukasz Luczak — Fri, 15 Mar 2024 08:10:40 GMT

very good question and idea that I also faced.
but there is no answer in this thread as to whether anyone has solved this problem to automatically send the vlan number for authentication event server dead action reinitialize vlan

/Lukasz