topic Re: IBNS 2.0: 2960X, ISE2.4, Interface Template Unbinding in Network Access Control

IBNS 2.0: 2960X, ISE2.4, Interface Template Unbinding

Dan — Mon, 11 Mar 2019 08:53:50 GMT

I'm attemping to automatically configure an interface using a template. The template is already on the switch, ISE is pushing the template name with the Authz. Standard IBNS 2.0 stuff.

Config here:

template APAutoConfig
switchport trunk native vlan 120
switchport mode trunk
access-session host-mode multi-host
access-session interface-template sticky timer 10

template Dot1x-Port
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
switchport access vlan 120
switchport mode access
switchport voice vlan 170
mab
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber DOT1X_AND_MAB
description - Dot1x -

interface GigabitEthernet1/0/22
no logging event link-status
access-session closed
no snmp trap link-status
snmp ifindex persist
source template Dot1x-Port
spanning-tree portfast edge

I'm on Version 15.2(4)E7. The APAutoConfig template gets applied, then seconds later gets unapplied and it goes through this constantly, every 3-20 seconds.

TEMPLATE EVENT: Gi1/0/22: Unbinding template APAutoConfig
TEMPLATE EVENT: APAutoConfig :ccb_bound(FALSE), visible(TRUE), pref_count(0)
TEMPLATE EVENT: Gi1/0/22: Binding template APAutoConfig

What's going on here? I've taken each line out of the base Dot1x-Port to see if it's causing a problem but it's made no change. Changing the sticky timer made no difference. I'm sure this worked on an older IOS version because I tested it before putting it on this switch config. I had to update for another reason - I've tried 2 different IOS versions - and it's simply not working. Is this a bug or am I missing something here?

Thanks

Re: IBNS 2.0: 2960X, ISE2.4, Interface Template Unbinding

Andrii Oliinyk — Thu, 18 Apr 2019 02:04:03 GMT

Hi Dan

hopefully u've already resolved the problem. If u didnt just dont change host-mode within dynamic server template. Just stay with single host-mode multi-auth.

Re: IBNS 2.0: 2960X, ISE2.4, Interface Template Unbinding

Dan — Thu, 18 Apr 2019 09:07:49 GMT

Unfortunately that wouldn't work, for the access point to work you need 'host-mode multi-host' to work, but we don't want the same on an access port connected to a PC.

We did figure it out though - for whatever reason, in certain versions, Cisco have broken the template assignment. We were trying the newer, recommended IOS versions and they were all giving us problems. Luckily, the version that came with all ~330 of our 2960Xs works most of the time with a few configuration tweaks. Certain things in this version can't be applied on an interface-template, that could be in the newer versions.

Re: IBNS 2.0: 2960X, ISE2.4, Interface Template Unbinding

joeswain1 — Fri, 20 Jan 2023 10:40:14 GMT

Hello all,

Has there been any resolution to this at all please? I am coming across the same problem using 9300 switches and this is the only thing on the Internet I can find about it. The testing we have done on a switch using code 16.12.02 worked fine, however moving to 17.6.1r[FC2] the scripts try to apply but then give the same log messages as Dan has displayed. Our script only applies native VLAN, trunk mode and allowed VLANs on the trunk.

Thanks,
Joe

Re: IBNS 2.0: 2960X, ISE2.4, Interface Template Unbinding

Andrii Oliinyk — Sat, 21 Jan 2023 19:07:31 GMT

more clarification on the workaround with "host-mode multi-auth". it's still possible with "open" authentication. but pre-authen acl is needed to allow AP to authenticate with AuthZ result built with template (port trunk + native VLAN) & DACL allowing traffic for clients.

Drawback is obvious: switch will perform configured on the port aaa sequence for wireless clients (ISE will be full of fails) but with authen open & proper authZ profile it wont block users.

Re: IBNS 2.0: 2960X, ISE2.4, Interface Template Unbinding

Andrii Oliinyk — Sat, 21 Jan 2023 19:24:45 GMT

as u might understood from above u have 2 choices:
1) configure host mode multi-host on flex-AP port & dont try to change it. it's something u cant change dynamically

2) configure host mode multi-auth with mentioned above precautions. if u want to be unified across all the access ports it will change model of your deployment from close to low-impact