03-16-2023 12:15 AM
Hello everyone,
I had a requirement to trigger a script on a switch using Cisco ISE upon successful authorization of an endpoint. For this, I used the Cisco Auto Smartport feature and the script looks like below. The requirement was that by default all the switchports on the switch will be configured for VLAN 106 (access) and VLAN 107 (voice), but depending upon the type of endpoint being connected there would be a change in the switchport configuration. This requirement works perfectly when we have a single switch, but in a dual-stack switch environment we would have VLAN 108 and VLAN 109 on the secondary switch. Just wondering if there is a way in IOS shell scripting I can leverage to add an additional condition to the same script to check the interface number before applying the configuration. For example: Switch 1 in a stack will have Gi1/0/x while Switch 2 in a stack will have Gi2/0/x.
Any insights will be highly appreciated.
macro auto execute ISE_AP_CONFIG {
if [[ $LINKUP == YES ]]; then
conf t
default interface $INTERFACE
interface $INTERFACE
macro description $TRIGGER
description Wireless
switchport trunk native vlan 112
switchport mode trunk
device-tracking attach-policy IPDT_POLICY
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action authorize vlan 112
authentication host-mode multi-host
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
authentication timer inactivity 180
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree bpduguard enable
exit
fi
if [[ $LINKUP == NO ]]; then
conf t
default interface $INTERFACE
interface $INTERFACE
no macro description
description User_Segment_1
switchport access vlan 106
switchport mode access
switchport voice vlan 107
device-tracking attach-policy IPDT_POLICY
ip access-group ACL-DEFAULT in
load-interval 30
authentication event fail action next-method
authentication event server dead action authorize vlan 206
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
authentication timer inactivity 180
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 1.00
no mdix auto
spanning-tree portfast
spanning-tree bpduguard enable
end
fi
}
03-21-2023 12:01 AM
Hi,
If my understanding is correct, ISE actually triggers the switch to apply the locally defined macro.
If that's the case, you can simply use two authorization rules in ISE, something like: if the request is for x y z (your existing conditions) AND nas-port-id starts with GigabitEthernet1/0/, apply this authorization profile (macro1); if the request is for x y z AND nas-port-id starts with GigabitEthernet2/0/, apply this authorization profile (macro2).
Each macro would have its own VLAN, so everybody's happy.
BR,
Octavian
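The rule split Octavian describes, modelled as an added example (not code from this thread, from Cisco ISE or from IOS): an ordered first-match evaluation of hypothetical authorization rules keyed on the RADIUS NAS-Port-Id prefix, plus a generalisation that derives the stack member number from the port name so any number of stack members can be mapped to their VLAN pair. The rule names, the EndpointType attribute, the profile names and the VLAN table are constructed for the example.

```python
import re

# Constructed VLAN plan taken from the question: member 1 -> 106/107, member 2 -> 108/109.
VLANS_BY_MEMBER = {1: (106, 107), 2: (108, 109)}

# Stacked front-panel ports are named <type><member>/<module>/<port>; long and short forms.
_PORT_RE = re.compile(r"^(?:GigabitEthernet|Gi|TenGigabitEthernet|Te)(\d+)/\d+/\d+$")


def stack_member(nas_port_id):
    """Return the stack member number from a RADIUS NAS-Port-Id, or None when
    the value is not a stacked front-panel port (e.g. a Port-channel)."""
    m = _PORT_RE.match(nas_port_id or "")
    return int(m.group(1)) if m else None


def authorize(request, rules):
    """Evaluate ordered (name, conditions, profile) rules; the first match wins,
    as in an ISE policy set. conditions maps attribute -> expected value; the
    special key 'nas_port_prefix' is a startswith test on NAS-Port-Id."""
    for name, conditions, profile in rules:
        ok = True
        for key, expected in conditions.items():
            if key == "nas_port_prefix":
                ok = request.get("NAS-Port-Id", "").startswith(expected)
            else:
                ok = request.get(key) == expected
            if not ok:
                break
        if ok:
            return name, profile
    return "Default", None  # no rule matched: falls through to the default rule


# Hypothetical rules mirroring the accepted answer: the same base condition
# (here one EndpointType attribute) split by NAS-Port-Id prefix per stack member.
RULES = [
    ("Users-Stack1", {"EndpointType": "user", "nas_port_prefix": "GigabitEthernet1/0/"}, "PROFILE_USER_SW1"),
    ("Users-Stack2", {"EndpointType": "user", "nas_port_prefix": "GigabitEthernet2/0/"}, "PROFILE_USER_SW2"),
]


def vlans_for(request):
    """Generalised lookup: (access, voice) VLANs for the member the port sits on."""
    return VLANS_BY_MEMBER.get(stack_member(request.get("NAS-Port-Id")))
```

A request from a member with no matching rule (GigabitEthernet3/0/x here) gets no profile, which is the case to watch when a stack grows.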
03-16-2023 03:14 PM
How does your script get the value for $INTERFACE?
I have not done EEM in a while, but I thought you could write a trigger that would trigger on parsing the local syslog events using regular expressions.
03-16-2023 08:23 PM
Thank you for your reply. I believe $INTERFACE, $LINKUP and $TRIGGER are all system-defined variables. I just took them from the built-in macros and modified them according to my needs. I didn't find any documentation listing the system-defined variables, so I am not very sure how the value is fed into $INTERFACE.
03-21-2023 08:43 AM
Hi Octavian,
This is the perfect solution! For some reason I couldn't think of this! I have tested this and it is working perfectly.
Regards
Vivek
03-21-2023 08:45 AM
Thank you very much Octavian!
03-21-2023 01:36 PM
Glad to be of help!
BR,
Octavian