cisco catalyst 2960x is it IBNS 2.0 compatible?

vivarock12 · ‎06-15-2023

im having problems creating classs-map, policy-map and im getting fo example:

Command deprecated (authentication event fail action next-method ) - use cpl config

so is ther something special that i dont know or is imposible to use IBNS 2.0 with this sw and i need to do a fabric-reset to it to continue doing 802.1x?

HAME_N03C01_ACC04#show version
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(7)E3, RELEASE SOFTWARE (fc3)

ROM: Bootstrap program is C2960X boot loader
BOOTLDR: C2960X Boot Loader (C2960X-HBOOT-M) Version 15.2(6r)E, RELEASE SOFTWARE (fc1)System image file is "flash:c2960x-universalk9-mz.152-7.E3.bin"

cisco WS-C2960X-48TS-LL
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 50 WS-C2960X-48TS-LL 15.2(7)E3 C2960X-UNIVERSALK9-M

Configuration register is 0xF

HAME_N03C01_ACC04#

this is my interface configuration:

HAME_N03C01_ACC04#show run int gi0/38
Building configuration...

Current configuration : 325 bytes
!
interface GigabitEthernet0/38
description ** test ISE **
switchport access vlan 60
switchport mode access
access-session host-mode multi-domain
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast edge
end

Rob Ingram · ‎06-15-2023

@vivarock12 if you've converted to the new style configuration then the command authentication event fail action next-method is defined under the class map, so therefore you don't define under the interface.

The recommended approach is configure the switch using IBNS 1.0 configuration and then covert to the new style, which will convert the configuration from IBNS 1.0 to 2.0 and change the relevant commands.

Read the section Configuring and Understanding the IBNS 2.0 Policy for more information - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

vivarock12 · ‎06-15-2023

thanks for the response but i have a problem the thing is that i cant use a class-map, i cant create a class-map on the switch in at the moment i dont know why im not able to doit any idea why this migth be?

reading the recomendation rigth now.

poongarg · ‎06-15-2023

You are not able to do currently because new-style config is not enabled. In order to activate C3PL configuration on a switch, I would recommend clearing the ISE port configurations and issue the following global exec command: authentication display new-style. As MHM Cisco World mentioned that it is a irreversible change, so make sure you understand IBNS config well before moving to new style config.

Note: If you do not clear the ports prior to this, it will convert all your existing ISE port configurations to individual C3PL policies and if you plan on creating a single consistent policy on a switch, you don't want it to automatically create a policy per port.

vivarock12 · ‎06-16-2023

authentication display config

wheni run this command its saids that is running, NEW-STYLE,i think they issue the command without deleting the ports, what can be donde in this case and after validating that i should be able to use policy-maps and class-maps rigth? cause at the moment im not able to create any.

thanks for the help by the way.

MHM Cisco World · ‎06-15-2023

Disable new-style command—This command switches to C3PL display mode.

NOTE:- this convert not reversible' be sure before change to new style of dot1x

hslai · ‎06-23-2023

@vivarock12 I hope you are following some specific guide for IOS 15E, such as Identity-Based Networking Services Configuration Guide, Cisco IOS Release 15E / Configuring Identity Control Policies

Then, please show the error(s) or warning(s) when you attempt C3PL configuration.