Hi
I am testing changing our switch config over from old style to new IBNS 2.0. I have it working but was hoping someone could check it for me and see if I'm on the right track and help me with a couple of things:
service policy:
policy-map type control subscriber DOT1X_AND_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X-FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class DOT1X-NO-RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  30 class MAB-FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
  50 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 pause reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 resume reauthentication
 event violation match-all
  10 class always do-until-failure
   10 restrict

class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST
 match result-type aaa-timeout
 match authorization-status authorized
class-map type control subscriber match-all MAB-FAILED
 match method mab
 match result-type method mab authoritative
class-map type control subscriber match-all DOT1X-FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X-NO-RESP
 match method dot1x
 match result-type method dot1x agent-not-found
interface config:
template Dot1x-Port
 dot1x pae authenticator
 switchport access vlan 1xx
 switchport mode access
 switchport voice vlan 1xx
 mab
 access-session closed
 access-session port-control auto
 access-session host-mode multi-auth
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber DOT1X_AND_MAB
 description - Dot1x -
This works OK, but I'm having trouble figuring out how to authorize the voice VLAN if the AAA server goes down. I DON'T want to authorize anything else or enable the critical VLAN with an ACL (we are working in closed mode); I still need the 'critical' voice VLAN to be the same as it is now. I can see there is this config:
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
But will this authorize all the ports and any devices on any other VLAN as well?
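For reference, here is an added example of the critical-authentication pattern that Cisco's `authentication convert-to new-style` generates for `authentication event server dead action authorize voice`, merged into the policy-map posted above. It is not the original poster's config and not a verified answer to the question asked; it reuses the poster's class-map names (DOT1X-FAILED, DOT1X-NO-RESP, MAB-FAILED, AAA-SVR-DOWN-AUTHD-HOST) and Cisco's default names for the new ones (AAA_SVR_DOWN_UNAUTHD_HOST, IN_CRITICAL_AUTH, NOT_IN_CRITICAL_AUTH, DEFAULT_CRITICAL_VOICE_TEMPLATE). The RADIUS server name, address and key are placeholders.

```cisco
! Added example, not the poster's config. Assumes the class-maps DOT1X-FAILED,
! DOT1X-NO-RESP, MAB-FAILED and AAA-SVR-DOWN-AUTHD-HOST from the post above.
!
! 1. aaa-timeout is only raised once every server in the group is marked DEAD,
!    so dead-criteria/deadtime are required or the AAA_SVR_DOWN classes never
!    match. Server name, address and key below are placeholders.
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-KEY-PLACEHOLDER
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! 2. Server-down classes. AAA_SVR_DOWN_UNAUTHD_HOST matches any session that
!    was still unauthorized when the timeout hit; nothing in it distinguishes
!    a phone from a PC, which is the point to confirm in the lab.
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
class-map type control subscriber match-all IN_CRITICAL_AUTH
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
! 3. authentication-failure is match-first, so order decides: both
!    AAA_SVR_DOWN classes must sit before the catch-all "class always"
!    or they are unreachable.
policy-map type control subscriber DOT1X_AND_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X-FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   20 authorize
   30 pause reauthentication
  20 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X-NO-RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB-FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event violation match-all
  10 class always do-until-failure
   10 restrict
```

Two things worth checking on a lab port before relying on this: `show aaa servers` should report the server as DEAD (not UP) while the RADIUS path is down, otherwise the aaa-timeout result never occurs; and `show access-session interface <if> details` lists each session's domain (DATA/VOICE) and any activated service template, which is the direct way to see whether a data device on the same multi-auth port also ended up authorized under DEFAULT_CRITICAL_VOICE_TEMPLATE. The `clear-session` on aaa-available forces those critical sessions to re-authenticate properly once the server returns.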