topic Re: C3PL Templet For 802.1X wired in Network Access Control

C3PL Templet For 802.1X wired

ezzaariyouness — Thu, 24 Mar 2022 11:18:52 GMT

Hello everyone ;

actually, I'm using C3PL Templet For 802.1X wired, I'm using first-order dot1.X and MAB.

my new use case is That I'm planning to use that to apply only DOT.1X as authentication, so I believe that I need to create a new temple and assign it to specific port that I went to apply only DOT.1X.

my question is which parameter should I remove from the temple to allow only DOR.1X

below is the template that I'm using.

class-map type control subscriber match-any AAA-DOWN
match result-type aaa-timeout
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative

policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event violation match-all
10 class always do-all
10 restrict
event agent-found match-all
10 class always do-all
10 authenticate using dot1x
event authentication-failure match-all
10 class AAA-DOWN do-all
10 authorize
20 activate service-template CRITICAL
30 terminate dot1x
40 terminate mab
20 class DOT1X-FAILED do-all
10 authenticate using mab

---------------------------------

thank's in advance.

Re: C3PL Templet For 802.1X wired

duckjoser227 — Thu, 24 Mar 2022 12:00:51 GMT

C3PL Templet is originally designed to help cisco switch. C3PL Templet is a secure 802.1X solution. It is a great security solution that helps you to control VLAN and high user security with one policy. But the problem is C3PL Templet doesn't work on all the switches. So, to resolve the problem we need to configure 802.1X on a Cisco switch. Here is the complete guide for that

Re: C3PL Templet For 802.1X wired

Mike.Cifelli — Thu, 24 Mar 2022 12:08:57 GMT

my question is which parameter should I remove from the temple to allow only DOR.1X

-FYSA for testing purposes and actually best practice from Cisco, you should configure a single port using IBNS1.0 with your specific/desired commands, test the one port, and transition to IBNS2.0 via #authentication display new-style once you are satisfied with the configuration. This should help achieve the most accurate IBNS2.0 config to meet your needs. To determine what mode you are running: #authentication display config-mode. A quick peek at the above config you would want to remove any mab references. However, you would want to make sure that you have some sort of reauth timer and/or some event for auth failure which it looks like you are attempting to accomplish too so that is good. Lastly, your 2.0 config can/should be derived from 1.0 migration tool 🙂

Re: C3PL Templet For 802.1X wired

ezzaariyouness — Thu, 24 Mar 2022 13:20:21 GMT

Hi Mike ;

I'm confused about your reply. how can I perform dot1.X without MAB using C3PL Templet .

note that is not possible to configure DOT1.X directly on the port.

Best regards

Younes

Re: C3PL Templet For 802.1X wired

Janne K. — Fri, 25 Mar 2022 12:48:39 GMT

If your goal is to only do DOT1X you would have to remove these two lines:

20 authenticate using mab priority 20

40 terminate mab

Re: C3PL Templet For 802.1X wired

thomas — Mon, 11 Apr 2022 18:25:07 GMT

The has sections explaining the IBNS 2.0 commands:

Re: C3PL Templet For 802.1X wired

ezzaariyouness — Tue, 12 Apr 2022 01:59:53 GMT

Hi Thomas ;

thank you for your response.

that's helped me with my issue.