C3PL equivalent to old style

fitzie
Level 1

I'm looking for some guidance on creating a policy-map that will perform in the same way the following two old-style interface commands would work:

 authentication order mab dot1x
 authentication priority dot1x mab

The reason is that we have one particular model of Avaya phone that simply will not boot unless MAB is the first method attempted.

We upgraded our 3850s from 3.7.4 to 16.3.7, and that upgrade didn't cause any problems, but now going to 16.6.6, C3PL seems to have kicked in and auto-generated a number of class-maps and policy-maps which don't seem to help.

I do have this, but my C3PL-fu is not strong.

policy-map type control subscriber MAB-DOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 20
  40 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authentication-restart 60
 event agent-found match-all
  10 class DOT1X_MEDIUM_PRIO do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 20
 event aaa-available match-all
  10 class IN_CRITICAL_VLAN do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_VLAN do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all

I just need to know that dot1x-based auths are not held up by MAB-based processing. What I think the above code does is default to MAB first, and then revert to dot1x only AFTER any MAB processing fails.

What I think I want for the port is slightly different: to first try to authenticate via MAB, but if dot1x is sensed, immediately kill the MAB processing and start dot1x processing.

1 Reply

Greg Gibbs
Cisco Employee

The old FlexAuth configuration you reference would be provided by the Concurrent Auth model in IBNS 2.0. See the following example:

Configure IBNS 2.0 for Single-Host and Multi-Domain Scenarios 

You should also be aware, however, that some environments may exhibit issues with using Concurrent Auth as ISE doesn't officially understand it. See the following post:

CPL Template MAB/Dot1x Simultaneously
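As an added illustration of the Concurrent Auth model the reply points to (this is not the questioner's configuration, not Greg's, and not copied from the linked Cisco document), the policy below starts MAB and dot1x together at session-started and uses the `priority` keyword to rank them. In IBNS 2.0 a lower priority number wins, so `dot1x priority 10` outranks `mab priority 20`: the phone still gets an immediate MAB attempt, but a dot1x result is never held behind MAB, and the `agent-found` event terminates MAB as soon as a supplicant is detected, which is the behaviour asked for in the question. The policy-map name, the interface and the VLAN number are assumptions; `DOT1X_FAILED`, `MAB_FAILED`, `AAA_SVR_DOWN_*`, `DOT1X_NO_RESP`, `IN_CRITICAL_VLAN` and `NOT_IN_CRITICAL_VLAN` are the class-maps IOS-XE auto-generates when it converts legacy authentication commands (they appear in the questioner's own policy), and `DEFAULT_CRITICAL_VOICE_TEMPLATE` / `DEFAULT_LINKSEC_POLICY_SHOULD_SECURE` are built-in service templates.

```cisco
! Added example, not from the thread: IBNS 2.0 concurrent MAB + dot1x.
! Both methods start at the same time; "priority" (lower number = higher
! priority) decides which method's authorization result owns the session.
! CONCURRENT_MAB_DOT1X, the interface and VLAN 200 are assumed names/values.

policy-map type control subscriber CONCURRENT_MAB_DOT1X
 event session-started match-all
  10 class always do-until-failure
   ! MAB is listed first so the phone gets its MAB attempt immediately,
   ! but dot1x runs concurrently and carries the better priority value.
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  20 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   20 authorize
   30 pause reauthentication
  30 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  40 class MAB_FAILED do-until-failure
   ! Unlike the sequential policy, a MAB failure does not start dot1x
   ! here: dot1x has been running since session-started.
   10 terminate mab
   20 authentication-restart 60
  50 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   ! A supplicant answered: drop MAB and let dot1x own the session.
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_VLAN do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_VLAN do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

! Phone-facing access port (interface name and voice VLAN are assumptions)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 200
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber CONCURRENT_MAB_DOT1X
```

Two things to check after applying it: `show access-session interface GigabitEthernet1/0/1 details` should list both methods for a new session with dot1x ranked above MAB, and on the RADIUS side each link-up now produces a MAB request and a dot1x request in parallel rather than one after the other, which is the ISE behaviour the reply's second link warns about.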