06-04-2025 08:33 AM
Hello,
With IBNS 2.0, I'm looking for a way to apply different service template(s) per RADIUS attribute (specifically a custom cisco-av-pair) given by the server. Is there any configuration example anyone can show for better understanding?
Thank you in advance!
06-04-2025 02:59 PM
Not sure what problem you're trying to solve with service-templates, but my understanding of them is that the service-template is referenced inside the IBNS 2.0 Policy by a literal name (e.g. activate Service-Template CRITICAL) - and the service-template CRITICAL can either exist on the switch (static config) or, if not on the switch, it can be downloaded from ISE as an Authorization Profile with the "Service Template" checkbox ticked. In either case, the contents of the Service-Template are a fixed set of parameters.
Not sure what you want to parameterise exactly - perhaps your use case can be solved using another mechanism? Please give more details of your use case and how you want it to work.
06-04-2025 03:12 PM
Arne, Thank you for your reply.
What I'm hoping to do is to run (activate) a different service template against the interface depending on which device profile the endpoint belongs to. Is it possible to use a service template name from ISE that matches one on the switch?
Or is there any attribute ISE can provide about the device so the switch can use it to determine which template to activate?
06-04-2025 03:57 PM
As far as I know, there is no dynamic manipulation of the IBNS 2.0 Policy constructs via any means. The session can be dynamically manipulated via interface templates - which serve a different purpose - interface templates allow certain on-the-fly changes to the configuration of the interface on which the session was created. You can, for example, turn an access mode to trunk mode, and certain things like that.
But remember that service-templates are constructs that belong in the IBNS 2.0 Policy - they have to be explicitly called by name per event that you want to handle.
Can you draw out some kind of pseudo-code (as IBNS 2.0 Policy or whatever) that shows what behaviours you want to create?
06-04-2025 04:55 PM
There is a default interface template that contains most of the basic configuration for dot1x to work correctly, so all interfaces will have minimal lines of config, which is static.
I would like to use the following event under the policy map to activate a different service template depending on which device profile/attributes (cisco-av-pair)/template-name ISE provides. Can I possibly define the matching criteria within a class-map?
< Under Policy-map >
 event authentication-success match-first
  10 class MATCH_SERVER do-until-failure
   1 activate service-template SERVER_TEMPLATE
  20 class MATCH_PHONE do-until-failure
   1 activate service-template PHONE_TEMPLATE
  30 class MATCH_PC do-until-failure
   1 activate service-template PC_TEMPLATE
 .....
06-04-2025 05:38 PM
Nope. The best you can do is to create multiple IBNS 2.0 Policy-Maps (one for each scenario you need) and then create the same number of interface-templates that refer to these Policy-Maps. In ISE Authorization Profile you can authorize the session to use whichever Interface-Template you need. It's a lot of work, but it would cater for your requirement - albeit you need to plan out every possible IBNS config you may need.
What is driving this requirement?
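A sketch of the layout the reply above describes, added here as an example and not posted by anyone in the thread: one policy-map per scenario, one interface template per policy-map, and ISE naming the interface template in the authorization result. SERVER_TEMPLATE and PHONE_TEMPLATE are the names from the question; the policy-map names, interface-template names, VLAN numbers and port are hypothetical, and whether a policy swapped in this way takes effect for the session that triggered it should be confirmed on the target platform.

```cisco
! Added example: constructed names and values, not from the thread.
! Service templates with fixed contents, one per device type.
service-template SERVER_TEMPLATE
 vlan 100
service-template PHONE_TEMPLATE
 voice vlan
!
! One IBNS 2.0 policy-map per scenario. Each one calls its
! service-template by literal name, as service-templates require.
policy-map type control subscriber POLICY_SERVER
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template SERVER_TEMPLATE
!
policy-map type control subscriber POLICY_PHONE
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template PHONE_TEMPLATE
!
! One interface template per policy-map (hypothetical names).
template IF_SERVER
 service-policy type control subscriber POLICY_SERVER
template IF_PHONE
 service-policy type control subscriber POLICY_PHONE
!
! The port keeps only its static default interface template
! (DEFAULT_DOT1X is a hypothetical name for the one mentioned above).
interface GigabitEthernet1/0/1
 source template DEFAULT_DOT1X
!
! ISE side: the Authorization Profile matched by the endpoint profile
! returns the interface template to apply, for example:
!   cisco-av-pair = interface-template-name=IF_SERVER
!   cisco-av-pair = interface-template-name=IF_PHONE
```

After a test authentication, `show access-session interface GigabitEthernet1/0/1 details` shows which templates the session ended up with.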