
Cisco Catalyst 2960X: is it IBNS 2.0 compatible?

vivarock12
Level 1

I'm having problems creating a class-map and a policy-map, and I'm getting, for example:

Command deprecated (authentication event fail action next-method ) - use cpl config

So is there something special that I don't know, or is it impossible to use IBNS 2.0 with this sw and I need to do a fabric-reset to it to continue doing 802.1X?

 

HAME_N03C01_ACC04#show version
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(7)E3, RELEASE SOFTWARE (fc3)

ROM: Bootstrap program is C2960X boot loader
BOOTLDR: C2960X Boot Loader (C2960X-HBOOT-M) Version 15.2(6r)E, RELEASE SOFTWARE (fc1)

System image file is "flash:c2960x-universalk9-mz.152-7.E3.bin"

cisco WS-C2960X-48TS-LL
Switch Ports Model              SW Version  SW Image
------ ----- -----              ----------  ----------
*    1 50    WS-C2960X-48TS-LL  15.2(7)E3   C2960X-UNIVERSALK9-M

Configuration register is 0xF

HAME_N03C01_ACC04#

 

This is my interface configuration:

HAME_N03C01_ACC04#show run int gi0/38
Building configuration...

Current configuration : 325 bytes
!
interface GigabitEthernet0/38
 description ** test ISE **
 switchport access vlan 60
 switchport mode access
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast edge
end


@vivarock12 if you've converted to the new style configuration then the command authentication event fail action next-method is defined under the class map, so you don't define it under the interface.

The recommended approach is to configure the switch using IBNS 1.0 configuration and then convert to the new style, which will convert the configuration from IBNS 1.0 to 2.0 and change the relevant commands.

Read the section Configuring and Understanding the IBNS 2.0 Policy for more information - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 

Thanks for the response, but I have a problem: I can't use a class-map. I can't create a class-map on the switch at the moment and I don't know why I'm not able to do it. Any idea why this might be?

Reading the recommendation right now.

 

You are not able to do so currently because new-style config is not enabled. In order to activate C3PL configuration on a switch, I would recommend clearing the ISE port configurations and issuing the following global exec command: authentication display new-style. As MHM Cisco World mentioned, it is an irreversible change, so make sure you understand IBNS config well before moving to new style config.

Note: If you do not clear the ports prior to this, it will convert all your existing ISE port configurations to individual C3PL policies and if you plan on creating a single consistent policy on a switch, you don't want it to automatically create a policy per port.

authentication display config

When I run this command it says that it is running NEW-STYLE. I think they issued the command without deleting the ports. What can be done in this case? And after validating that, I should be able to use policy-maps and class-maps, right? Because at the moment I'm not able to create any.

Thanks for the help, by the way.

Disable new-style command—This command switches to C3PL display mode.

NOTE: this conversion is not reversible; be sure before changing to the new style of dot1x.

hslai
Cisco Employee

@vivarock12 I hope you are following some specific guide for IOS 15E, such as Identity-Based Networking Services Configuration Guide, Cisco IOS Release 15E / Configuring Identity Control Policies

Then, please show the error(s) or warning(s) when you attempt C3PL configuration.
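
For readers comparing the two configuration styles discussed in this thread, the following is an added example, not part of any post above and not Cisco code. It reads `show running-config` text and reports, per interface, whether the 802.1X lines are legacy (`authentication ...`) or new-style (`access-session ...`), and which control policy, if any, is bound with `service-policy type control subscriber`. The Gi0/39 to Gi0/41 stanzas and the policy name EXAMPLE-POLICY are constructed.

```python
POLICY_CMD = "service-policy type control subscriber "

# Constructed input: Gi0/38 repeats the 802.1X lines posted in the thread;
# Gi0/39 to Gi0/41 and the name EXAMPLE-POLICY are made up for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/38
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/39
 authentication host-mode multi-domain
 authentication port-control auto
 authentication event fail action next-method
 mab
!
interface GigabitEthernet0/40
 access-session port-control auto
 service-policy type control subscriber EXAMPLE-POLICY
!
interface GigabitEthernet0/41
 switchport mode access
end
"""

def audit_ports(config_text):
    """Map each 802.1X port to (style, bound control policy or None)."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"legacy": 0, "new": 0, "policy": None}
        elif line in ("!", "end") or current is None:
            current = None          # stanza ended, or a global-config line
        elif line.startswith("authentication "):
            ports[current]["legacy"] += 1
        elif line.startswith("access-session "):
            ports[current]["new"] += 1
        elif line.startswith(POLICY_CMD):
            ports[current]["policy"] = line[len(POLICY_CMD):]
    result = {}
    for name, p in ports.items():
        new = p["new"] or p["policy"]
        if p["legacy"] or new:
            style = "mixed" if p["legacy"] and new else "legacy" if p["legacy"] else "new-style"
            result[name] = (style, p["policy"])
    return result

if __name__ == "__main__":
    for port, (style, policy) in audit_ports(SAMPLE_CONFIG).items():
        print(f"{port}: {style}, control policy: {policy or 'none bound'}")
```

Run against the constructed sample, it lists Gi0/38 as new-style with no control policy bound, Gi0/39 as legacy, and Gi0/40 as new-style with EXAMPLE-POLICY.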