topic Auto Smartports Feature in Network Access Control

Auto Smartports Feature

umahar — Wed, 17 May 2017 17:57:52 GMT

Has anyone implemented macros via auto-smart port AVP ?

I am able to make the macro work when the endpoint authenticates but anti-macro does not seem to work when the endpoint unplugs.

My macro looks something like this

macro auto execute changeofvlan {

if [[ $LINKUP -eq YES ]]; then

configure terminal

interface $INTERFACE

description Guest

switchport access vlan 20

shut

no shut

exit

if [[ $LINKUP -eq NO ]] ; then

configure terminal

interface $INTERFACE

switchport access vlan 10

exit

}

Re: Auto Smartports Feature

paul — Wed, 17 May 2017 18:02:34 GMT

It has been 3 years since I have done this but you are missing the "macro description $TRIGGER" statement in your YES setup. This is what I did for FlexConnect APs using Smart Ports:

if [[ $LINKUP == YES ]]; then

conf t

default interface $INTERFACE

interface $INTERFACE

description Access Point Port Configured by ISE Macro

macro description $TRIGGER

switchport mode trunk

switchport trunk native vlan 582

switchport trunk allowed vlan 582

spanning-tree portfast trunk

exit

if [[ $LINKUP == NO ]]; then

conf t

default interface $INTERFACE

interface $INTERFACE

description **DOT1X Auth**

switchport access vlan 582

switchport mode access

authentication event server dead action reinitialize vlan 582

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication violation restrict

authentication event fail action next-method

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

mab

dot1x pae authenticator

dot1x timeout tx-period 7

dot1x max-req 1

spanning-tree portfast

authentication control-direction in

exit

}

Re: Auto Smartports Feature

umahar — Wed, 17 May 2017 18:45:05 GMT

Hi Paul,

Thanks a lot for your response.

1. What does this command do ? When I added this command the first part of the macro is also not working. When I removed I am able to get the first part ($LINK==YES) work.

2. In your case if you removed the AP I am assuming all the commands under anti-macro got reapplied. Is that correct ?

In my case too I want to reapply the commands (which were over ridden by macro) when the endpoint is disconnected.

Re: Auto Smartports Feature

paul — Wed, 17 May 2017 18:53:13 GMT

Again it has been years since I worked on this (5 years now that I look back at my notes). The issue I was trying to solve is FlexConnect APs run on trunk ports so ISE can’t be applied there, but customer was concerned that someone could unplug the AP and attempt to access the network. I demonstrated how they could use AutoSmart ports to mitigate this. I showed them two ways to use AutoSmart ports. The first was using CDP detection and second using ISE assigned smart port macro. The port was a normal ISE controlled port, when an AP was attached either CDP or ISE would apply the smart port macro and completely rebuild the interface. See how I defaulted the interface in both the UP and DOWN condition. Then when the AP was unplugged the interface was rebuilt back to the ISE controlled setup. The trigger statement was needed to allow the switch to know what macro to use when the port went down.

Here are my testing notes from back then (I wasn’t doing a trunk at the time, but was just testing to see it worked):

CDP Detection

Standard 802.1X Port

ISE-Test#show run int gig 1/0/23

interface GigabitEthernet1/0/23

description Dot1X Enabled Port

switchport access vlan 13

switchport mode access

switchport voice vlan 949

authentication event fail action next-method

authentication event server dead action reinitialize vlan 13

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 7

dot1x max-req 1

spanning-tree portfast

AP is Connected and Recognized by Auto SmartPorts via CDP

Dec 12 22:21:28.813 UTC: %AUTOSMARTPORT-5-INSERT: Device LightWeight Access Point detected on interface GigabitEthernet1/0/23, executed CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT

Port is Reconfigured (not trunking for now, but the concept worked)

ISE-Test#show run int gig 1/0/23

Building configuration...

Current configuration : 197 bytes

interface GigabitEthernet1/0/23

description Access Point

switchport access vlan 555

switchport mode access

macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT

spanning-tree portfast

end

AP is Disconnected and Event is Recognized by Auto SmartPorts

Dec 12 22:22:14.598 UTC: %AUTOSMARTPORT-5-REMOVE: Device removed on interface GigabitEthernet1/0/23, executed CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT to remove the configuration

Port is Back to 802.1x Port

ISE-Test#show run int gig 1/0/23

Building configuration...

Current configuration : 750 bytes

interface GigabitEthernet1/0/23

description Dot1X Enabled Port

switchport access vlan 13

switchport mode access

switchport voice vlan 949

authentication event fail action next-method

authentication event server dead action reinitialize vlan 13

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 7

dot1x max-req 1

spanning-tree portfast

end

ISE AV Pair Push

Configure ISE AV Pair in Result

You can see in the attached script I created a trigger and macro called ISE-AP-CONFIG. Here is where I call it up in the result:

Create an Authorization Rule to Use Result

Plug in AP and Watch for the Magic

Dec 13 14:13:12.223 UTC: %AUTOSMARTPORT-5-INSERT: MAB device detected on interface GigabitEthernet1/0/32, executed ISE-AP-CONFIG

See Port Changed

ISE-Test#show run int gi 1/0/32

Building configuration...

Current configuration : 175 bytes

interface GigabitEthernet1/0/32

description Access Point

switchport access vlan 555

switchport mode access

macro description ISE-AP-CONFIG

spanning-tree portfast

end

Unplug AP and Watch for the Magic

Dec 13 14:17:32.489 UTC: %AUTOSMARTPORT-5-REMOVE: Device removed on interface GigabitEthernet1/0/32, executed ISE-AP-CONFIG to remove the configuration

See Port Changed Back

ISE-Test#show run int gi 1/0/32

Building configuration...

Current configuration : 750 bytes

interface GigabitEthernet1/0/32

description Dot1X Enabled Port

switchport access vlan 13

switchport mode access

switchport voice vlan 949

authentication event fail action next-method

authentication event server dead action reinitialize vlan 13

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication timer inactivity server

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 7

dot1x max-req 1

spanning-tree portfast

end

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: Auto Smartports Feature

umahar — Wed, 17 May 2017 20:12:27 GMT

Thanks a lot Paul.

That explains how we are binding the macro to the interface for the switch to run the anti-macro portion of it when the endpoint unplugs.

Re: Auto Smartports Feature

umahar — Wed, 07 Jun 2017 13:28:43 GMT

Paul,

What is the global command needed to enable macro functionality ?

I used 'macro auto global processing' command to make the custom macro work but it seems it is also enabling all the inbuilt macros . The ports connected to APs and Cisco IP phones are also getting built in macro applied to the interface which we do not require.

Do you remember how we can disable builtin macros and only enable custom macros ?

Re: Auto Smartports Feature

Jason Kunst — Wed, 07 Jun 2017 15:12:32 GMT

I would also recommend reaching out to switching team

Re: Auto Smartports Feature

paul — Wed, 07 Jun 2017 19:28:15 GMT

Utkarsh,

I had to laugh a bit when I read this as here is what I have in my notes:

! Turn on device control only for lightweight APs

macro auto global control device lightweight-ap

! Turn off the default trigger, forgetting this could shoot yourself in the foot

no macro auto global control trigger

macro auto global processing

See you shot yourself in the foot. ☺ Play with the “macro auto global control device” command to enable only what you want and shut off everything else with “no macro auto global control trigger”

In my case when I was testing it ran the smart macro on my switch uplink because it detected a Cisco switch and ran the built in macro for that. I lost my connection and had to go console in and fix it.

Try that and let me know.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: Auto Smartports Feature

umahar — Wed, 07 Jun 2017 19:32:13 GMT

Thanks Paul,

You are a life saver.