Wired 802.1x Switchport Best Practice Configuration For Cisco Wireless Access Point

Alex Pfeil
Level 7

We were wondering what the best practice is for plugging in a Cisco wireless access point to a Cisco switch configured with 802.1x authentication with ISE as the Radius server?  Would the best practice be the same for FlexConnect wireless access points?  It seems to me like it should be different, but we would want the best practice for both. 

Thanks in advance!

Accepted Solution

paul
Level 10

Leverage AutoSmart Ports.  It works well.  On the switch side you would have something like this:

**** ISE Triggered auto smart port ****
!
! Turn off auto device control, forgetting this could shoot yourself in the foot
!
no macro auto global control device
!
! Turn off the default trigger, forgetting this could shoot yourself in the foot
!
no macro auto global control trigger
macro auto global processing
!
shell trigger ISE-AP-CONFIG Cisco Access Points
macro auto execute ISE-AP-CONFIG {
if [[ $LINKUP == YES ]]; then
conf t
default interface $INTERFACE
interface $INTERFACE
description Access Point Port Configured by ISE Macro
macro description $TRIGGER
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30
spanning-tree portfast trunk
exit
fi

if [[ $LINKUP == NO ]]; then
conf t
default interface $INTERFACE
interface $INTERFACE
description **DOT1X Auth**
switchport access vlan 10
switchport voice vlan 100
switchport mode access
authentication event server dead action reinitialize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication violation restrict
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-req 1
spanning-tree portfast
authentication control-direction in
exit
fi
}

Then in ISE on your Access Point authorization profile you invoke the Auto Smartport macro.  So the sequence is:

  1. AP connects to standard access port with ISE configured.
  2. The AP is profiled as an AP and hits the AP rule that invokes the Smartport macro.
  3. The macro runs with the link up condition and the port is reconfigured as a trunk port and ISE is removed.
  4. When the AP is unplugged the down condition of the macro is invoked and the port goes back to a standard access port with ISE configured.
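As an added check, not from paul's post or from any Cisco tool: a small Python audit that pairs a running-config excerpt with per-port link state and lists the ports the LINKUP==YES branch turned into trunks that are now link-down, i.e. ports where the LINKUP==NO branch should have restored 802.1X but did not. The interface names, the sample config and the link states are constructed.

```python
# Added audit, not from the thread: after LINKUP==YES the macro leaves a port as
# an open trunk and relies on LINKUP==NO to restore 802.1X. This pairs a config
# excerpt with link state to find trunks left open with no AP on them (constructed).

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Access Point Port Configured by ISE Macro
 macro description ISE-AP-CONFIG
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 description Access Point Port Configured by ISE Macro
 macro description ISE-AP-CONFIG
 switchport mode trunk
!
"""
# Link state per port, as 'show interfaces status' reports it (constructed).
SAMPLE_STATUS = {"GigabitEthernet1/0/1": "connected",
                 "GigabitEthernet1/0/2": "connected",
                 "GigabitEthernet1/0/3": "notconnect"}

def parse_interfaces(config):
    """Map each interface name to its list of stripped config lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            sections[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.startswith(" "):
            sections[current].append(line.strip())
    return sections

def stale_macro_trunks(config, status, trigger="ISE-AP-CONFIG"):
    """Ports the macro converted to trunks that are now link-down: no 802.1X
    is enforced there, so the LINKUP==NO branch evidently never ran."""
    stale = []
    for name, lines in parse_interfaces(config).items():
        macro_trunk = (f"macro description {trigger}" in lines
                       and "switchport mode trunk" in lines
                       and "authentication port-control auto" not in lines)
        if macro_trunk and status.get(name, "notconnect") != "connected":
            stale.append(name)
    return stale
```

Run it against the real `show running-config` and `show interfaces status` output on a schedule; any port it returns is a trunk with no authentication on it.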


2 Replies

This would be the best solution since an AP could be unplugged and plugged into another port. This obviously would not happen very often, but it could happen. Thank you!!!