Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
796
Views
1
Helpful
6
Replies

Autosmart port and IOS Shell scripting

Go to solution
Vivek Ganapathi
Level 4
Level 4

‎03-16-2023 12:15 AM

Hello everyone, 

I had a requirement to trigger a script on a switch using Cisco ISE upon successful authorization of an endpoint. For this, i used the Cisco Autosmart port feature and the script looks like below. The requirement was that by default all the switchports on the switch will be configured for VLAN 106 (access) and VLAN 107 (voice). But depending upon the type of endpoint being connected, there would be a change in the switchport configuration. This requirement perfectly works when we have a single switch but in a dual stack switch environment we would have VLAN 108 and VLAN 109 on the secondary switch. Just wondering if there is a way in IOS shell scripting i can leverage to add an additional condition to the same script check the interface number before applying the configuration. For example: Switch1 in a stack will have Gi1/0/x while the Switch 2 in a stack will have Gi2/0/x.. 

Any insights will be highly appreciated.

macro auto execute ISE_AP_CONFIG {
if [[ $LINKUP == YES ]]; then
conf t
default interface $INTERFACE
interface $INTERFACE
macro description $TRIGGER
description Wireless
switchport trunk native vlan 112
switchport mode trunk
device-tracking attach-policy IPDT_POLICY
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 112
authentication host-mode multi-host
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
authentication timer inactivity 180
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree bpduguard enable
exit

fi

if [[ $LINKUP == NO ]]; then

conf t
default interface $INTERFACE
interface $INTERFACE
no macro description
description User_Segment_1
switchport access vlan 106
switchport mode access
switchport voice vlan 107
device-tracking attach-policy IPDT_POLICY
ip access-group ACL-DEFAULT in
load-interval 30
authentication event fail action next-method
authentication event server dead action authorize vlan 206
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
authentication timer inactivity 180
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 1.00
no mdix auto
spanning-tree portfast
spanning-tree bpduguard enable
end

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Octavian Szolga
Level 4
Level 4

‎03-21-2023 12:01 AM

Hi,

If my understanding is correct, ISE actually triggers the switch to apply the locally defined macro.

If that's the case, you can simply use in ISE two authorization rules, something like if request is for x y z (your existing conditions) AND nas-port-id starts with GigabitEthernet1/0/ apply this authorization profile (macro1), if request is for x y z AND nas-port-id starts with GigabitEthernet2/0/ apply this authorization profile (macro2).

Each macro would have its own VLAN so everybody's happy

BR,

Octavian

View solution in original post

6 Replies 6

Go to solution
Arne Bier
VIP
VIP

‎03-16-2023 03:14 PM

How does your script get the value for $INTERFACE ?

I have not done EEM in a while, but I thought you could write a trigger that would trigger on parsing the local syslog events using regular expressions.

0 Helpful

Go to solution
Vivek Ganapathi
Level 4
Level 4
In response to Arne Bier

‎03-16-2023 08:23 PM

Thank you for your reply. I believe $INTERFACE, $LINKUP, $TRIGGER are all a system defined variables. I just took them from the Built-in Macros and modified according to my need. I didn't find any documentations listing the system defined variables. So not very sure how the value is feed into $INTERFACE. 

0 Helpful

Go to solution
Octavian Szolga
Level 4
Level 4

‎03-21-2023 12:01 AM

Hi,

If my understanding is correct, ISE actually triggers the switch to apply the locally defined macro.

If that's the case, you can simply use in ISE two authorization rules, something like if request is for x y z (your existing conditions) AND nas-port-id starts with GigabitEthernet1/0/ apply this authorization profile (macro1), if request is for x y z AND nas-port-id starts with GigabitEthernet2/0/ apply this authorization profile (macro2).

Each macro would have its own VLAN so everybody's happy

BR,

Octavian

Go to solution
Vivek Ganapathi
Level 4
Level 4
In response to Octavian Szolga

‎03-21-2023 08:43 AM

Hi Octavian,

This is the perfect solution! For some reason i couldn't think about this! I have tested this and working perfectly.

Regards

Vivek

0 Helpful

Go to solution
Vivek Ganapathi
Level 4
Level 4
In response to Vivek Ganapathi

‎03-21-2023 08:45 AM

Thank you very much Octavian!

0 Helpful

Go to solution
Octavian Szolga
Level 4
Level 4
In response to Vivek Ganapathi

‎03-21-2023 01:36 PM

Glad to be of help!

 

BR,

Octavian

0 Helpful
Customers Also Viewed These Support Documents