02-25-2020 07:32 AM
I'm looking for some guidance on creating a policy-map that will perform in the same way the following two old-style interface commands would work:
authentication order mab dot1x
authentication priority dot1x mab
The reason is that we have one particular model of Avaya phone that simply will not boot unless MAB is the first method attempted.
We upgraded our 3850s from 3.7.4 to 16.3.7, and that upgrade didn't cause any problems, but now going to 16.6.6, C3PL seems to have kicked in and auto-generated a number of class-maps and policy-maps which don't seem to help.
I do have this, but my C3PL-fu is not strong.
policy-map type control subscriber MAB-DOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 20
  40 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authentication-restart 60
 event agent-found match-all
  10 class DOT1X_MEDIUM_PRIO do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 20
 event aaa-available match-all
  10 class IN_CRITICAL_VLAN do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_VLAN do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
I just need to know that dot1x-based auths are not held up by MAB-based processing. What I think the above code does is it defaults to MAB first, and then reverts to dot1x only AFTER any MAB processing fails.
What I think I want for the port is slightly different: first try to authenticate via MAB, but if dot1x is sensed, immediately kill the MAB processing and start dot1x processing.
02-25-2020 02:45 PM
The old FlexAuth configuration you reference would be provided by the Concurrent Auth model in IBNS 2.0. See the following example:
Configure IBNS 2.0 for Single-Host and Multi-Domain Scenarios
You should also be aware, however, that some environments may exhibit issues with using Concurrent Auth as ISE doesn't officially understand it. See the following post: