Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1613
Views
3
Helpful
6
Replies

Flexconnect AP Native vlan

OdenseKommune
Level 1
Level 1

‎03-30-2017 05:25 AM

Hi

I new to ISE and so is my colleague, and we are still learning a lot.

We have run into a problem regarding getting a native vlan, on a port that we connect a Cisco 3602I Access Point to.

The 802.1x works like a charm.

The AP Native VLAN is 666

And our switch port config is below.

My question is how we get a native vlan of 666 on the port?

Default port config:

switchport access vlan 5

switchport mode access

switchport nonegotiate

ip arp inspection trust

authentication event server dead action authorize vlan 40

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

ip dhcp snooping trust

Regards,

Brian Møller

0 Helpful
6 Replies 6

Dustin Anderson
VIP
VIP

‎03-30-2017 10:35 AM

Are you looking to just set the port to 666?

switchport access vlan 666


Or are you looking to have ISE change the vlan?

This should be able to be done by the result of the rule.

Capture.JPG

I have not tried this via wired, so there may be some other config needed.

0 Helpful

OdenseKommune
Level 1
Level 1
In response to Dustin Anderson

‎03-30-2017 02:20 PM

Hi Dustin

Sorry i forgot a few ekstra informations in my first post.

We want the AP-port to have this ekstra config, or something simelar that works:

switchport mode trunk

switchport trunk native vlan 666

Regards,

Brian

0 Helpful

Dustin Anderson
VIP
VIP

‎03-30-2017 02:29 PM

OK, I think what you may want is to set an interface template.

Identity-Based Networking Services Configuration Guide, Cisco IOS Release 15E - Interface Templates [Cisco IOS 15.2E] …

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/xe-3e/ibns-xe-3e-book/ibns-int-temp.pdf

Granted it looks like it's dependent on ios version on the switch.

You could then call the template in the result on ISE.

hslai
Cisco Employee
Cisco Employee

‎04-02-2017 12:56 AM

You might want to take a look at this -- Configure to Secure a Flexconnect AP Switchport with Dot1x

hariholla
Cisco Employee
Cisco Employee
In response to hslai

‎04-04-2017 09:28 AM

Use interface-templates.

Screen Shot 2017-04-04 at 9.26.10 AM.png

run "show derived-config <interface>" to see the actual config applied on the port. The running-config won't change.

OdenseKommune
Level 1
Level 1

‎04-04-2017 06:11 AM

Hi Dustin and hslai

Thnx for the answers.

My Colleague and i will look at them and see what we can do.

Thnx

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents