cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
584
Views
10
Helpful
3
Replies

CPL Updates for IBNS 2.0 Document

paul
Advocate
Advocate

Is IBNS 2.0 supposed to be the most current reference on how to do CPL configuration for ISE deployments?  If so there needs to be some updates.  Currently the document uses this syntax to capture MAB and Dot1x failures:

class-map type control subscriber match-all MAB_FAILED

match method mab

match result-type method mab authoritative

!

class-map type control subscriber match-all DOT1X_FAILED

match method dot1x

match result-type method dot1x authoritative

The Dot1x only works if ISE rejects the Dot1x authentication.  If the client rejects the ISE certificate and goes quite that is a Dot1x timeout that the above doesn't catch.  Also in the client simply sends out an EAPol start to kick the switch to Dot1x and sends nothing else the above won't catch that failure either. 

The correct coding for this should be:

class-map type control subscriber match-all MAB_FAILED

match method mab

no-match result-type method dot1x success

!

class-map type control subscriber match-all DOT1X_FAILED

match method dot1x

no-match result-type method dot1x success

That should cover any failure scenarios for MAB or Dot1x. 

Not sure who maintains that document or it should be referenced any more, but I think that is the most current document out there detailing CPL.

3 Replies 3

howon
Cisco Employee
Cisco Employee

Hi, Paul. Please check out the new guide: Cisco ISE Wired Access Deployment Guide

Also, where are seeing the out dated information?

Even that has similar class maps that have a whole in them:

class-map type control subscriber match-all DOT1X_FAILED

match method dot1x

match result-type method dot1x authoritative

!

class-map type control subscriber match-all DOT1X_NO_RESP

match method dot1x

match result-type method dot1x agent-not-found

!

class-map type control subscriber match-all DOT1X_TIMEOUT

match method dot1x

match result-type method dot1x method-timeout

You could replace all 3 of those with:

class-map type control subscriber match-all DOT1X_FAILED

match method dot1x

no-match result-type method dot1x success

And it covers all failure scenarios. The above 3 would not handle a device sending out an EAPol start and nothing else. That is a unique failure. I ran into this at a hospital that has radiology equipment running on XP SP1 and 2 that has wired authentication enabled by default but just enough to kick the switch out of MAB to Dot1x. The switch would never fail back to MAB using the IBNS 2.0 class maps or the ones in the new guide. I was able to simulate this failure scenario by using Wireshark to capture an EAPol start from my test laptop and then using PlayCap to replay just that frame onto the wire. The switch would kick over to Dot1x and never fail back to MAB. In closed mode that means no access. In open mode with no preauth ACL (which we never use) that means you defeated the authentication scheme. Switching to:

class-map type control subscriber match-all DOT1X_FAILED

match method dot1x

no-match result-type method dot1x success

Fixes all that and basically tells the switch I don’t care what the Dot1x failure was just switch back to MAB.

Hi Paul,

Thanks for your note. After validation, we'll get the document updated.

- Krish

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: