IBNS 2.0 Monitor Mode Only

mstraessle — Wed, 11 May 2016 21:22:20 GMT

I maybe have a stupid question, but I did not find any useful way for my problem.

My customer ist using 3850 access switches. He want to enable monitor mode in first phase to do the inventory of all connected endpoints. Second phase he wants to move to low impact mode. However, I simply started with IBNS 1.0 open mode, which worked fine so far. Then I used one switch and upgraded tp 3.6.4 and changed to "new style". Unfortunatly the monitor configuration seams not to be converted.

This is my initial configuration:

interface GigabitEthernet1/0/13

...

switchport access vlan 10

switchport mode access

switchport voice vlan 20

ip access-group ACL-ALLOW in

authentication event fail action next-method

authentication event server dead action authorize vlan 10

authentication event server dead action authorize voice

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

mab

no snmp trap link-status

dot1x pae authenticator

dot1x timeout tx-period 10

no cdp enable

spanning-tree portfast

After the convertion I had the following config:

service-template CRITICAL_AUTH_VLAN_105

vlan 105

policy-map type control subscriber DEFAULT_POLICY

event session-started match-all

10 class always do-until-failure

10 authenticate using dot1x retries 2 retry-time 0 priority 10

event authentication-failure match-first

5 class DOT1X_FAILED do-until-failure

10 terminate dot1x

20 authenticate using mab priority 20

10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure

10 activate service-template CRITICAL_AUTH_VLAN_10

20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE

30 authorize

40 pause reauthentication

20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure

10 pause reauthentication

20 authorize

30 class DOT1X_NO_RESP do-until-failure

10 terminate dot1x

20 authenticate using mab priority 20

40 class MAB_FAILED do-until-failure

10 terminate mab

20 authentication-restart 60

60 class always do-until-failure

10 terminate dot1x

20 terminate mab

30 authentication-restart 60

event agent-found match-all

10 class always do-until-failure

10 terminate mab

20 authenticate using dot1x retries 2 retry-time 0 priority 10

event authentication-success match-all

10 class always do-until-failure

10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

interface GigabitEthernet1/0/13

service-policy type control subscriber DEFAULT_POLICY

Is it true, that the "authentication open" command does not get converted?

Or is the monitor mode simply not supported with IBNS 2.0? Even when I trie to add the commands to the "old style" interface again, it did not work at all. Any hints are highly welcome.

Thanks, Marco

Re: IBNS 2.0 Monitor Mode Only

howon — Wed, 11 May 2016 21:36:11 GMT

Marco, with IBNS 2.0, the open mode is the default whereas with IBNS 1.0, closed mode was the default setting. So what you are seeing is expected. Even though you are not seeing the command, the interface will operate in open mode. You can run 'show run all' to see the command.

IBNS 2.0:

Open mode (Default): no access-session closed

Closed mode: access-session closed

IBNS 1.0

Open mode: authentication open

Closed mode (Default): no authentication open

Hosuk

Re: IBNS 2.0 Monitor Mode Only

mstraessle — Wed, 11 May 2016 21:47:45 GMT

Hi Hosuk

Thanks for this clarification. In this case I have to check the software Version. Since even when I go back to old-style, the switch did not work as expected (to be honest I not checked before change to "new style"!)

Do you have any experience with 3850 IOS XE 3.6.4?

Next week I will check another IOS Version, maybe 3.7.3 or any other suggestion?

Thanks, Marco

Re: IBNS 2.0 Monitor Mode Only

Timothy Abbott — Thu, 12 May 2016 13:40:08 GMT

Marco,

Currently, we recommend IOS-XE 3.6.3 with 3.6.4 most likely to be the new recommended version once ISE 2.1 is available. I'm pretty sure 3.7.3 would work as well since it contains a lot of identity related fixes that are in 3.6.3 and 3.6.4.

Regards,

-Tim

topic Re: IBNS 2.0 Monitor Mode Only in Network Access Control

IBNS 2.0 Monitor Mode Only

Re: IBNS 2.0 Monitor Mode Only

Re: IBNS 2.0 Monitor Mode Only

Re: IBNS 2.0 Monitor Mode Only