Auto Smartports Feature

umahar
Cisco Employee

Has anyone implemented macros via auto-smart port AVP?

I am able to make the macro work when the endpoint authenticates but anti-macro does not seem to work when the endpoint unplugs.

My macro looks something like this:

macro auto execute changeofvlan {
 if [[ $LINKUP -eq YES ]]; then
  configure terminal
   interface $INTERFACE
    description Guest
    switchport access vlan 20
    shut
    no shut
   exit
  exit
 fi
 if [[ $LINKUP -eq NO ]]; then
  configure terminal
   interface $INTERFACE
    switchport access vlan 10
   exit
  exit
 fi
}

Accepted Solution

paul
Level 10

It has been 3 years since I have done this but you are missing the "macro description $TRIGGER" statement in your YES setup.  This is what I did for FlexConnect APs using Smart Ports:

 if [[ $LINKUP == YES ]]; then
  conf t
   default interface $INTERFACE
   interface $INTERFACE
    description Access Point Port Configured by ISE Macro
    macro description $TRIGGER
    switchport mode trunk
    switchport trunk native vlan 582
    switchport trunk allowed vlan 582
    spanning-tree portfast trunk
   exit
 fi
 if [[ $LINKUP == NO ]]; then
  conf t
   default interface $INTERFACE
   interface $INTERFACE
    description **DOT1X Auth**
    switchport access vlan 582
    switchport mode access
    authentication event server dead action reinitialize vlan 582
    authentication event server dead action authorize voice
    authentication event server alive action reinitialize
    authentication violation restrict
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 7
    dot1x max-req 1
    spanning-tree portfast
    authentication control-direction in
   exit
 fi
}


8 Replies


umahar
Cisco Employee

Hi Paul,

Thanks a lot for your response.

1. What does this command do? When I added this command the first part of the macro is also not working. When I removed it I am able to get the first part ($LINK==YES) to work.

2. In your case, if you removed the AP I am assuming all the commands under anti-macro got reapplied. Is that correct?

In my case too I want to reapply the commands (which were overridden by the macro) when the endpoint is disconnected.

paul
Level 10

Again it has been years since I worked on this (5 years now that I look back at my notes). The issue I was trying to solve is FlexConnect APs run on trunk ports so ISE can’t be applied there, but customer was concerned that someone could unplug the AP and attempt to access the network. I demonstrated how they could use AutoSmart ports to mitigate this. I showed them two ways to use AutoSmart ports. The first was using CDP detection and second using ISE assigned smart port macro. The port was a normal ISE controlled port, when an AP was attached either CDP or ISE would apply the smart port macro and completely rebuild the interface. See how I defaulted the interface in both the UP and DOWN condition. Then when the AP was unplugged the interface was rebuilt back to the ISE controlled setup. The trigger statement was needed to allow the switch to know what macro to use when the port went down.

Here are my testing notes from back then (I wasn’t doing a trunk at the time, but was just testing to see it worked):

CDP Detection

Standard 802.1X Port

ISE-Test#show run int gig 1/0/23
interface GigabitEthernet1/0/23
 description Dot1X Enabled Port
 switchport access vlan 13
 switchport mode access
 switchport voice vlan 949
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 13
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-req 1
 spanning-tree portfast

AP is Connected and Recognized by Auto SmartPorts via CDP

Dec 12 22:21:28.813 UTC: %AUTOSMARTPORT-5-INSERT: Device LightWeight Access Point detected on interface GigabitEthernet1/0/23, executed CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT

Port is Reconfigured (not trunking for now, but the concept worked)

ISE-Test#show run int gig 1/0/23
Building configuration...

Current configuration : 197 bytes
!
interface GigabitEthernet1/0/23
 description Access Point
 switchport access vlan 555
 switchport mode access
 macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
 spanning-tree portfast
end

AP is Disconnected and Event is Recognized by Auto SmartPorts

Dec 12 22:22:14.598 UTC: %AUTOSMARTPORT-5-REMOVE: Device removed on interface GigabitEthernet1/0/23, executed CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT to remove the configuration

Port is Back to 802.1x Port

ISE-Test#show run int gig 1/0/23
Building configuration...

Current configuration : 750 bytes
!
interface GigabitEthernet1/0/23
 description Dot1X Enabled Port
 switchport access vlan 13
 switchport mode access
 switchport voice vlan 949
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 13
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-req 1
 spanning-tree portfast
end

ISE AV Pair Push

Configure ISE AV Pair in Result

You can see in the attached script I created a trigger and macro called ISE-AP-CONFIG. Here is where I call it up in the result:

Create an Authorization Rule to Use Result

Plug in AP and Watch for the Magic

Dec 13 14:13:12.223 UTC: %AUTOSMARTPORT-5-INSERT: MAB device detected on interface GigabitEthernet1/0/32, executed ISE-AP-CONFIG

See Port Changed

ISE-Test#show run int gi 1/0/32
Building configuration...

Current configuration : 175 bytes
!
interface GigabitEthernet1/0/32
 description Access Point
 switchport access vlan 555
 switchport mode access
 macro description ISE-AP-CONFIG
 spanning-tree portfast
end

Unplug AP and Watch for the Magic

Dec 13 14:17:32.489 UTC: %AUTOSMARTPORT-5-REMOVE: Device removed on interface GigabitEthernet1/0/32, executed ISE-AP-CONFIG to remove the configuration

See Port Changed Back

ISE-Test#show run int gi 1/0/32
Building configuration...

Current configuration : 750 bytes
!
interface GigabitEthernet1/0/32
 description Dot1X Enabled Port
 switchport access vlan 13
 switchport mode access
 switchport voice vlan 949
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 13
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-req 1
 spanning-tree portfast
end

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
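The testing notes above show the evidence a defender wants after an AP is unplugged: a %AUTOSMARTPORT-5-REMOVE syslog line followed by a show run that carries the full 802.1X baseline again. The following Python audit is an added example, not code from this thread or from Cisco. It parses syslog lines in the format quoted above and show run interface output, and reports, per port, whether the last Smartports event is consistent with the running config (a REMOVE must leave the port back on the dot1x baseline with no leftover macro description). The BASELINE commands are taken from the restored port config quoted above; the port GigabitEthernet1/0/24 and its stale config are constructed to show the check firing on the original poster's symptom, and the syslog regex assumes the message shape seen in the thread.

```python
"""Audit Auto Smartports events against an 802.1X port baseline (added example)."""
import re

# Assumes the syslog shape quoted in the thread: "... on interface <intf>, executed <macro>"
SYSLOG_RE = re.compile(
    r"%AUTOSMARTPORT-5-(?P<event>INSERT|REMOVE):.*?"
    r"on interface (?P<intf>[^,\s]+),\s+executed (?P<macro>\S+)"
)

# Commands a restored port must carry; taken from the dot1x baseline config in the thread.
BASELINE = (
    "switchport mode access",
    "authentication port-control auto",
    "authentication order dot1x mab",
    "mab",
    "dot1x pae authenticator",
)


def parse_events(log_lines):
    """Return (interface, event, macro) tuples in log order; non-matching lines are skipped."""
    events = []
    for line in log_lines:
        m = SYSLOG_RE.search(line)
        if m:
            events.append((m["intf"], m["event"], m["macro"]))
    return events


def parse_interfaces(show_run):
    """Map each 'interface X' stanza of show run output to the set of commands under it."""
    configs, current = {}, None
    for raw in show_run.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            configs[current] = set()
        elif current and line and not line.startswith("!") and line != "end":
            configs[current].add(line)
    return configs


def audit(log_lines, show_run):
    """Per interface, check that the running config matches its last Smartports event."""
    last = {}
    for intf, event, macro in parse_events(log_lines):
        last[intf] = (event, macro)          # the most recent event wins
    configs = parse_interfaces(show_run)
    report = {}
    for intf, (event, macro) in last.items():
        cfg = configs.get(intf)
        if cfg is None:
            report[intf] = "no config captured"
        elif event == "INSERT":
            report[intf] = f"macro {macro} active"   # dot1x baseline absent by design
        else:
            problems = []
            if any(c.startswith("macro description") for c in cfg):
                problems.append("macro description still present")
            problems += [f"missing '{c}'" for c in BASELINE if c not in cfg]
            report[intf] = (
                "NOT restored: " + ", ".join(problems) if problems
                else "restored to 802.1X baseline"
            )
    return report


# Constructed sample input: three lines copied from the thread, one made up (Gi1/0/24).
SAMPLE_LOG = [
    "Dec 12 22:21:28.813 UTC: %AUTOSMARTPORT-5-INSERT: Device LightWeight Access Point "
    "detected on interface GigabitEthernet1/0/23, executed CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT",
    "Dec 12 22:22:14.598 UTC: %AUTOSMARTPORT-5-REMOVE: Device removed on interface "
    "GigabitEthernet1/0/23, executed CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT to remove the configuration",
    "Dec 13 14:13:12.223 UTC: %AUTOSMARTPORT-5-INSERT: MAB device detected on interface "
    "GigabitEthernet1/0/32, executed ISE-AP-CONFIG",
    # Constructed: a REMOVE was logged but the anti-macro never rebuilt the port.
    "Dec 13 15:09:10.555 UTC: %AUTOSMARTPORT-5-REMOVE: Device removed on interface "
    "GigabitEthernet1/0/24, executed changeofvlan to remove the configuration",
]

# Constructed show run: Gi1/0/23 restored (abridged), Gi1/0/32 macro active, Gi1/0/24 stale.
SAMPLE_SHOW_RUN = """\
interface GigabitEthernet1/0/23
 description Dot1X Enabled Port
 switchport access vlan 13
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/32
 description Access Point
 switchport access vlan 555
 switchport mode access
 macro description ISE-AP-CONFIG
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description Guest
 switchport access vlan 20
 switchport mode access
 macro description changeofvlan
 spanning-tree portfast
end
"""

if __name__ == "__main__":
    for intf, status in sorted(audit(SAMPLE_LOG, SAMPLE_SHOW_RUN).items()):
        print(f"{intf}: {status}")
```

Feed it a syslog export and the output of show run for the ports in question; a port that reports "NOT restored" after a REMOVE is exactly the condition the original poster hit, and a port still showing a macro description with no matching INSERT in the log is worth a look too.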

umahar
Cisco Employee

Thanks a lot Paul.

That explains how we are binding the macro to the interface for the switch to run the anti-macro portion of it when the endpoint unplugs.

umahar
Cisco Employee

Paul,

What is the global command needed to enable macro functionality?

I used the 'macro auto global processing' command to make the custom macro work but it seems it is also enabling all the built-in macros. The ports connected to APs and Cisco IP phones are also getting the built-in macro applied to the interface, which we do not require.

Do you remember how we can disable built-in macros and only enable custom macros?

I would also recommend reaching out to the switching team.

paul
Level 10

Utkarsh,

I had to laugh a bit when I read this as here is what I have in my notes:

!
! Turn on device control only for lightweight APs
!
macro auto global control device lightweight-ap
!
! Turn off the default trigger, forgetting this could shoot yourself in the foot
!
no macro auto global control trigger
macro auto global processing

See, you shot yourself in the foot. ☺ Play with the “macro auto global control device” command to enable only what you want and shut off everything else with “no macro auto global control trigger”.

In my case when I was testing it ran the smart macro on my switch uplink because it detected a Cisco switch and ran the built in macro for that. I lost my connection and had to go console in and fix it.

Try that and let me know.


umahar
Cisco Employee

Thanks Paul,

You are a life saver.