https://community.cisco.com/t5/network-access-control/authenticating-trunk-ports-vlan-list/m-p/3346868#M55968 <P>Hi John,</P> <P>&nbsp;</P> <P>Even if you change the switchport mode to trunk, I'm not sure you'll be able to pass client's traffic because each MAC will have to be authenticated from switch perspective.(you'll need most likely a multi-host mode, so that one MAC - AP - would grant access to all MACs.</P> <P>Stil, multi-auth would usually place all other MACs into the same VLAN of the first authenticated host. You have to double check.</P> <P>&nbsp;</P> <P>Still, the good news is that you can use a service-template (I don't have ISE interface available now to check - this is how I remeber it's called - it's one of the first options in the authz profile settings) and send to the switch a specific string. When that string is received, the switch can apply a macro to your interface doing what you don't want to do manually <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Just a quick hint:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/automacr.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/automacr.pdf</A></P> <P>&nbsp;</P> <P>I don't have anything more specific now, but I think that will do.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Octavian</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 12 Mar 2018 15:56:33 GMT Octavian Szolga 2018-03-12T15:56:33Z https://community.cisco.com/t5/network-access-control/authenticating-trunk-ports-vlan-list/m-p/2666560#M55966 <P>I have a requirement to authenticate trunk ports to wireless access-points on our Cisco switch, By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using Cisco-av-pair attribute in ACS (cisco-av-pair = deivce-traffic-class=switch)</P><P>My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). ideally we would not want to statically assign the VLAN's on each port as an AP could be on any port and may wish to authenticate other trunk ports using different VLAN's in the future.&nbsp;Below is the configuration used on the ports.</P><P>cisp enable<BR />!<BR />interface FastEthernet0/2<BR />&nbsp;description *** Client Device ***<BR />&nbsp;switchport access vlan 2<BR />&nbsp;switchport mode access<BR />&nbsp;no logging event link-status<BR />&nbsp;authentication event fail action next-method<BR />&nbsp;authentication event server dead action reinitialize vlan 3<BR />&nbsp;authentication event server alive action reinitialize<BR />&nbsp;authentication order mab dot1x webauth<BR />&nbsp;authentication priority mab dot1x webauth<BR />&nbsp;authentication port-control auto<BR />&nbsp;authentication fallback GUEST_FALLBACK<BR />&nbsp;mab eap<BR />&nbsp;dot1x pae authenticator<BR />&nbsp;dot1x timeout tx-period 3<BR />&nbsp;dot1x timeout supp-timeout 10<BR />&nbsp;dot1x max-reauth-req 1<BR />&nbsp;dot1x timeout auth-period 600<BR />&nbsp;no cdp enable<BR />&nbsp;spanning-tree portfast</P><P>Any help will be greatly appreciated.&nbsp;</P><P>Thanks<BR />John</P> Mon, 11 Mar 2019 05:39:04 GMT https://community.cisco.com/t5/network-access-control/authenticating-trunk-ports-vlan-list/m-p/2666560#M55966 John Quick 2019-03-11T05:39:04Z https://community.cisco.com/t5/network-access-control/authenticating-trunk-ports-vlan-list/m-p/3345682#M55967 <P>I am looking at doing something similar to this for some flexconnect APs that I want to deploy.&nbsp; I would imagine that adding a switchport trunk allowed vlans x,y,z to the initial port config would suffice and that the access vlan would become the native vlan for the trunk.</P> <P>&nbsp;</P> <P>Is this what you did or did you accomplish this some other way?</P> Fri, 09 Mar 2018 16:41:39 GMT https://community.cisco.com/t5/network-access-control/authenticating-trunk-ports-vlan-list/m-p/3345682#M55967 dmurech0488 2018-03-09T16:41:39Z https://community.cisco.com/t5/network-access-control/authenticating-trunk-ports-vlan-list/m-p/3346868#M55968 <P>Hi John,</P> <P>&nbsp;</P> <P>Even if you change the switchport mode to trunk, I'm not sure you'll be able to pass client's traffic because each MAC will have to be authenticated from switch perspective.(you'll need most likely a multi-host mode, so that one MAC - AP - would grant access to all MACs.</P> <P>Stil, multi-auth would usually place all other MACs into the same VLAN of the first authenticated host. You have to double check.</P> <P>&nbsp;</P> <P>Still, the good news is that you can use a service-template (I don't have ISE interface available now to check - this is how I remeber it's called - it's one of the first options in the authz profile settings) and send to the switch a specific string. When that string is received, the switch can apply a macro to your interface doing what you don't want to do manually <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Just a quick hint:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/automacr.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/automacr.pdf</A></P> <P>&nbsp;</P> <P>I don't have anything more specific now, but I think that will do.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Octavian</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 12 Mar 2018 15:56:33 GMT https://community.cisco.com/t5/network-access-control/authenticating-trunk-ports-vlan-list/m-p/3346868#M55968 Octavian Szolga 2018-03-12T15:56:33Z