<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic IBNS 2.0 Config Check in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ibns-2-0-config-check/m-p/3413171#M547990</link>
    <description>&lt;P&gt;Hi&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am testing changing our switch config over from the old style to the new IBNS 2.0. I have it working, but I was hoping someone could check it for me, see if I'm on the right track, and help me with a couple of things:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;service policy:&lt;/P&gt;
&lt;PRE&gt;policy-map type control subscriber DOT1X_AND_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X-FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class DOT1X-NO-RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  30 class MAB-FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
  50 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 pause reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 resume reauthentication
 event violation match-all
  10 class always do-until-failure
   10 restrict&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST
match result-type aaa-timeout
match authorization-status authorized


class-map type control subscriber match-all MAB-FAILED
match method mab
match result-type method mab authoritative

class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative

class-map type control subscriber match-all DOT1X-NO-RESP
match method dot1x
match result-type method dot1x agent-not-found


&lt;/PRE&gt;
&lt;P&gt;interface config:&lt;/P&gt;
&lt;P&gt;template Dot1x-Port&lt;/P&gt;
&lt;PRE&gt; dot1x pae authenticator
 switchport access vlan 1xx
 switchport mode access
 switchport voice vlan 1xx
 mab
 access-session closed
 access-session port-control auto
 access-session host-mode multi-auth
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber DOT1X_AND_MAB
 description - Dot1x -
&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This works OK, but I'm having trouble figuring out how to authorize the voice VLAN if the AAA server goes down. I DON'T want to authorize anything else or enable the critical VLAN with an ACL (we are working in closed mode); I still need the 'critical' voice VLAN to be the same as it is now. I can see there is this config:&lt;/P&gt;
&lt;PRE&gt;10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;But will this authorize all the ports and any devices on any other VLAN as well?&lt;/P&gt;</description>
    <pubDate>Fri, 21 Feb 2020 19:00:37 GMT</pubDate>
    <dc:creator>Dan</dc:creator>
    <dc:date>2020-02-21T19:00:37Z</dc:date>
    <item>
      <title>IBNS 2.0 Config Check</title>
      <link>https://community.cisco.com/t5/network-access-control/ibns-2-0-config-check/m-p/3413171#M547990</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am testing changing our switch config over from the old style to the new IBNS 2.0. I have it working, but I was hoping someone could check it for me, see if I'm on the right track, and help me with a couple of things:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;service policy:&lt;/P&gt;
&lt;PRE&gt;policy-map type control subscriber DOT1X_AND_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X-FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class DOT1X-NO-RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  30 class MAB-FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
  50 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 pause reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 resume reauthentication
 event violation match-all
  10 class always do-until-failure
   10 restrict&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST
match result-type aaa-timeout
match authorization-status authorized


class-map type control subscriber match-all MAB-FAILED
match method mab
match result-type method mab authoritative

class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative

class-map type control subscriber match-all DOT1X-NO-RESP
match method dot1x
match result-type method dot1x agent-not-found


&lt;/PRE&gt;
&lt;P&gt;interface config:&lt;/P&gt;
&lt;P&gt;template Dot1x-Port&lt;/P&gt;
&lt;PRE&gt; dot1x pae authenticator
 switchport access vlan 1xx
 switchport mode access
 switchport voice vlan 1xx
 mab
 access-session closed
 access-session port-control auto
 access-session host-mode multi-auth
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber DOT1X_AND_MAB
 description - Dot1x -
&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This works OK, but I'm having trouble figuring out how to authorize the voice VLAN if the AAA server goes down. I DON'T want to authorize anything else or enable the critical VLAN with an ACL (we are working in closed mode); I still need the 'critical' voice VLAN to be the same as it is now. I can see there is this config:&lt;/P&gt;
&lt;PRE&gt;10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;But will this authorize all the ports and any devices on any other VLAN as well?&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 19:00:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ibns-2-0-config-check/m-p/3413171#M547990</guid>
      <dc:creator>Dan</dc:creator>
      <dc:date>2020-02-21T19:00:37Z</dc:date>
    </item>
  </channel>
</rss>