05-17-2017 10:57 AM
Has anyone implemented macros via the Auto SmartPort AVP?
I am able to make the macro work when the endpoint authenticates, but the anti-macro does not seem to work when the endpoint unplugs.
My macro looks something like this:
macro auto execute changeofvlan {
if [[ $LINKUP -eq YES ]]; then
configure terminal
interface $INTERFACE
description Guest
switchport access vlan 20
shut
no shut
exit
exit
fi
if [[ $LINKUP -eq NO ]] ; then
configure terminal
interface $INTERFACE
switchport access vlan 10
exit
exit
fi
}
05-17-2017 11:02 AM
It has been 3 years since I have done this, but you are missing the "macro description $TRIGGER" statement in your YES setup. This is what I did for FlexConnect APs using Smart Ports:
if [[ $LINKUP == YES ]]; then
conf t
default interface $INTERFACE
interface $INTERFACE
description Access Point Port Configured by ISE Macro
macro description $TRIGGER
switchport mode trunk
switchport trunk native vlan 582
switchport trunk allowed vlan 582
spanning-tree portfast trunk
exit
fi
if [[ $LINKUP == NO ]]; then
conf t
default interface $INTERFACE
interface $INTERFACE
description **DOT1X Auth**
switchport access vlan 582
switchport mode access
authentication event server dead action reinitialize vlan 582
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication violation restrict
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-req 1
spanning-tree portfast
authentication control-direction in
exit
fi
}
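An added check for the point made in the answer above (example code written for this page, not code from the thread or from Cisco): it splits a user-defined Auto SmartPorts macro into its LINKUP YES and NO branches and reports when the YES branch never runs "macro description $TRIGGER" (so the switch has no binding to act on at link-down) or when the NO branch neither clears that binding nor defaults the interface. The sample input UNBOUND_MACRO is a copy of the macro from the question; BOUND_MACRO is my own corrected variant of it, not text posted in the thread. Both the "-eq" and "==" comparison forms that appear in this thread are accepted.

```python
from __future__ import annotations
import re

# Constructed copy of the macro from the question: the shape whose link-down branch never fires.
UNBOUND_MACRO = """\
macro auto execute changeofvlan {
if [[ $LINKUP -eq YES ]]; then
configure terminal
interface $INTERFACE
description Guest
switchport access vlan 20
shut
no shut
exit
exit
fi
if [[ $LINKUP -eq NO ]] ; then
configure terminal
interface $INTERFACE
switchport access vlan 10
exit
exit
fi
}
"""

# My corrected variant (assumption: this is the fix the thread describes, applied to the OP's macro):
# bind the trigger on link-up, clear the binding on link-down.
BOUND_MACRO = UNBOUND_MACRO.replace(
    "description Guest\n", "description Guest\nmacro description $TRIGGER\n"
).replace(
    "switchport access vlan 10\n", "no macro description\nswitchport access vlan 10\n"
)

# Matches both "if [[ $LINKUP -eq YES ]]; then" and "if [[ $LINKUP == NO ]] ; then".
BRANCH_RE = re.compile(r"if\s+\[\[\s*\$LINKUP\s*(?:-eq|==)\s*(YES|NO)\s*\]\]\s*;\s*then")


def split_branches(macro: str) -> dict[str, list[str]]:
    """Return the commands inside the LINKUP YES and LINKUP NO branches of a macro body."""
    branches: dict[str, list[str]] = {}
    current = None
    for raw in macro.splitlines():
        line = raw.strip()
        m = BRANCH_RE.fullmatch(line)
        if m:
            current = m.group(1)
            branches[current] = []
        elif line == "fi":
            current = None
        elif current is not None and line:
            branches[current].append(line)
    return branches


def lint_macro(macro: str) -> list[str]:
    """Findings that explain why the link-down (anti-macro) branch would not do its job."""
    branches = split_branches(macro)
    yes, no = branches.get("YES", []), branches.get("NO", [])
    findings: list[str] = []
    if not yes:
        findings.append("no LINKUP YES branch found")
    elif "macro description $TRIGGER" not in yes:
        findings.append("YES branch never runs 'macro description $TRIGGER', so the switch "
                        "cannot tell which macro to execute when the port goes down")
    if not no:
        findings.append("no LINKUP NO branch found")
    elif not any(c == "no macro description" or c.startswith("default interface ") for c in no):
        findings.append("NO branch neither runs 'no macro description' nor 'default interface'; "
                        "the binding should be cleared when the port is reverted")
    return findings


if __name__ == "__main__":
    for name, text in (("question's macro", UNBOUND_MACRO), ("corrected macro", BOUND_MACRO)):
        print(name, "->", lint_macro(text) or "OK")
```

The check is purely textual; it does not validate that the commands themselves are accepted by the switch, only that the macro has the two hooks the revert depends on.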
05-17-2017 11:45 AM
Hi Paul,
Thanks a lot for your response.
1. What does this command do? When I added this command, the first part of the macro also did not work. When I removed it, I was able to get the first part ($LINKUP == YES) to work.
2. In your case, if you removed the AP, I am assuming all the commands under the anti-macro got reapplied. Is that correct?
In my case too, I want to reapply the commands (which were overridden by the macro) when the endpoint is disconnected.
05-17-2017 11:53 AM
Again, it has been years since I worked on this (5 years now that I look back at my notes). The issue I was trying to solve is that FlexConnect APs run on trunk ports, so ISE can't be applied there, but the customer was concerned that someone could unplug the AP and attempt to access the network. I demonstrated how they could use Auto SmartPorts to mitigate this. I showed them two ways to use Auto SmartPorts: the first was using CDP detection and the second was using an ISE-assigned Smart Port macro. The port was a normal ISE-controlled port; when an AP was attached, either CDP or ISE would apply the Smart Port macro and completely rebuild the interface. See how I defaulted the interface in both the UP and DOWN conditions. Then, when the AP was unplugged, the interface was rebuilt back to the ISE-controlled setup. The trigger statement was needed to allow the switch to know what macro to use when the port went down.
Here are my testing notes from back then (I wasn't doing a trunk at the time, but was just testing to see that it worked):
CDP Detection
Standard 802.1X Port
ISE-Test#show run int gig 1/0/23
interface GigabitEthernet1/0/23
description Dot1X Enabled Port
switchport access vlan 13
switchport mode access
switchport voice vlan 949
authentication event fail action next-method
authentication event server dead action reinitialize vlan 13
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-req 1
spanning-tree portfast
AP is Connected and Recognized by Auto SmartPorts via CDP
Dec 12 22:21:28.813 UTC: %AUTOSMARTPORT-5-INSERT: Device LightWeight Access Point detected on interface GigabitEthernet1/0/23, executed CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
Port is Reconfigured (not trunking for now, but the concept worked)
ISE-Test#show run int gig 1/0/23
Building configuration...
Current configuration : 197 bytes
!
interface GigabitEthernet1/0/23
description Access Point
switchport access vlan 555
switchport mode access
macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
spanning-tree portfast
end
AP is Disconnected and Event is Recognized by Auto SmartPorts
Dec 12 22:22:14.598 UTC: %AUTOSMARTPORT-5-REMOVE: Device removed on interface GigabitEthernet1/0/23, executed CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT to remove the configuration
Port is Back to 802.1x Port
ISE-Test#show run int gig 1/0/23
Building configuration...
Current configuration : 750 bytes
!
interface GigabitEthernet1/0/23
description Dot1X Enabled Port
switchport access vlan 13
switchport mode access
switchport voice vlan 949
authentication event fail action next-method
authentication event server dead action reinitialize vlan 13
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-req 1
spanning-tree portfast
end
ISE AV Pair Push
Configure ISE AV Pair in Result
You can see in the attached script I created a trigger and macro called ISE-AP-CONFIG. Here is where I call it up in the result:
Create an Authorization Rule to Use Result
Plug in AP and Watch for the Magic
Dec 13 14:13:12.223 UTC: %AUTOSMARTPORT-5-INSERT: MAB device detected on interface GigabitEthernet1/0/32, executed ISE-AP-CONFIG
See Port Changed
ISE-Test#show run int gi 1/0/32
Building configuration...
Current configuration : 175 bytes
!
interface GigabitEthernet1/0/32
description Access Point
switchport access vlan 555
switchport mode access
macro description ISE-AP-CONFIG
spanning-tree portfast
end
Unplug AP and Watch for the Magic
Dec 13 14:17:32.489 UTC: %AUTOSMARTPORT-5-REMOVE: Device removed on interface GigabitEthernet1/0/32, executed ISE-AP-CONFIG to remove the configuration
See Port Changed Back
ISE-Test#show run int gi 1/0/32
Building configuration...
Current configuration : 750 bytes
!
interface GigabitEthernet1/0/32
description Dot1X Enabled Port
switchport access vlan 13
switchport mode access
switchport voice vlan 949
authentication event fail action next-method
authentication event server dead action reinitialize vlan 13
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-req 1
spanning-tree portfast
end
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
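The check a practitioner would want after reading the notes above, as an added example written for this page (not code from the thread, from Cisco or from ISE): it replays %AUTOSMARTPORT INSERT/REMOVE syslog messages into a per-interface "macro currently applied" state, parses "show running-config" interface blocks, and flags three conditions that matter for the unplug scenario: a port with neither 802.1X nor a macro description (nothing will ever revert it), a port whose syslog shows the macro removed but whose config still carries the macro description (the anti-macro did not rebuild it), and a port under an applied macro with no macro description bound (link-down will not trigger the anti-macro). The syslog lines and config excerpt below are constructed, modelled on the messages in the notes; the script assumes the syslog covers the whole history since the last reload, so a rotated log would produce false "removed" findings.

```python
from __future__ import annotations
import re

# Constructed syslog sample modelled on the %AUTOSMARTPORT lines above; not a capture from a real switch.
SAMPLE_SYSLOG = """\
Dec 13 14:13:12.223 UTC: %AUTOSMARTPORT-5-INSERT: MAB device detected on interface GigabitEthernet1/0/32, executed ISE-AP-CONFIG
Dec 13 14:17:32.489 UTC: %AUTOSMARTPORT-5-REMOVE: Device removed on interface GigabitEthernet1/0/32, executed ISE-AP-CONFIG to remove the configuration
Dec 13 14:20:01.000 UTC: %AUTOSMARTPORT-5-INSERT: Device LightWeight Access Point detected on interface GigabitEthernet1/0/23, executed CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
Dec 13 14:25:40.000 UTC: %AUTOSMARTPORT-5-INSERT: MAB device detected on interface GigabitEthernet1/0/30, executed ISE-AP-CONFIG
Dec 13 14:31:05.000 UTC: %AUTOSMARTPORT-5-REMOVE: Device removed on interface GigabitEthernet1/0/30, executed ISE-AP-CONFIG to remove the configuration
"""

# Constructed running-config excerpt for the same ports (not the switch from the thread).
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/23
 description Access Point
 switchport trunk native vlan 582
 switchport trunk allowed vlan 582
 switchport mode trunk
 macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/24
 description Guest
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/30
 description Access Point
 switchport access vlan 555
 switchport mode access
 macro description ISE-AP-CONFIG
 spanning-tree portfast
!
interface GigabitEthernet1/0/32
 description Dot1X Enabled Port
 switchport access vlan 13
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

EVENT_RE = re.compile(
    r"%AUTOSMARTPORT-5-(?P<kind>INSERT|REMOVE): .*?on interface (?P<intf>\S+?), executed (?P<macro>\S+)"
)


def active_macros(syslog: str) -> dict[str, str]:
    """Replay INSERT/REMOVE events in order; return {interface: macro} for ports still under a macro."""
    state: dict[str, str] = {}
    for line in syslog.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        if m["kind"] == "INSERT":
            state[m["intf"]] = m["macro"]
        else:
            state.pop(m["intf"], None)
    return state


def parse_interfaces(running_config: str) -> dict[str, list[str]]:
    """Split a running-config excerpt into {interface name: [sub-commands]}."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in running_config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:  # "!" or "end" terminates the block
            current = None
    return blocks


def audit(running_config: str, syslog: str) -> dict[str, list[str]]:
    """Flag ports an unplugged device would leave open, or whose revert did not happen."""
    findings: dict[str, list[str]] = {}
    macros = active_macros(syslog)
    for intf, cmds in parse_interfaces(running_config).items():
        problems: list[str] = []
        has_dot1x = "authentication port-control auto" in cmds
        macro_desc = next((c.split(None, 2)[2] for c in cmds if c.startswith("macro description ")), None)
        if not has_dot1x and macro_desc is None:
            problems.append("open port with no 802.1X and no macro description: nothing will revert it on link-down")
        if macro_desc is not None and intf not in macros:
            problems.append(f"still carries 'macro description {macro_desc}' but syslog shows the macro removed: "
                            "the anti-macro did not rebuild the port")
        if intf in macros and macro_desc is None:
            problems.append(f"syslog shows {macros[intf]} applied but no macro description is bound: "
                            "link-down will not trigger the anti-macro")
        if problems:
            findings[intf] = problems
    return findings


if __name__ == "__main__":
    for intf, problems in sorted(audit(SAMPLE_RUNNING_CONFIG, SAMPLE_SYSLOG).items()):
        for p in problems:
            print(f"{intf}: {p}")
```

On the constructed input, GigabitEthernet1/0/24 (the guest-VLAN shape from the question) and GigabitEthernet1/0/30 (macro removed per syslog, binding still in config) are reported; the trunk port under an active AP macro and the plain 802.1X port are not.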
05-17-2017 01:12 PM
Thanks a lot Paul.
That explains how we are binding the macro to the interface for the switch to run the anti-macro portion of it when the endpoint unplugs.
06-07-2017 06:28 AM
Paul,
What is the global command needed to enable macro functionality?
I used the 'macro auto global processing' command to make the custom macro work, but it seems it is also enabling all the built-in macros. The ports connected to APs and Cisco IP phones are also getting the built-in macro applied to the interface, which we do not require.
Do you remember how we can disable the built-in macros and only enable custom macros?
06-07-2017 08:12 AM
I would also recommend reaching out to the switching team.
06-07-2017 12:28 PM
Utkarsh,
I had to laugh a bit when I read this as here is what I have in my notes:
!
! Turn on device control only for lightweight APs
!
macro auto global control device lightweight-ap
!
! Turn off the default trigger, forgetting this could shoot yourself in the foot
!
no macro auto global control trigger
macro auto global processing
See, you shot yourself in the foot. ☺ Play with the "macro auto global control device" command to enable only what you want, and shut off everything else with "no macro auto global control trigger".
In my case, when I was testing it, it ran the Smart Port macro on my switch uplink because it detected a Cisco switch and ran the built-in macro for that. I lost my connection and had to go console in and fix it.
Try that and let me know.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
06-07-2017 12:32 PM
Thanks Paul,
You are a life saver.