IBNS 2.0 Config Check

Dan
Level 1

Hi

I am testing changing our switch config over from the old style to the new IBNS 2.0. I have it working, but I was hoping someone could check it for me, see if I'm on the right track, and help me with a couple of things:

service policy:

policy-map type control subscriber DOT1X_AND_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X-FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class DOT1X-NO-RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
! In a match-first event the AAA-server-down class has to sit before
! "class always"; placed after it, the catch-all fires first and this
! class is never evaluated.
  20 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 pause reauthentication
  30 class MAB-FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class AAA-SVR-DOWN-AUTHD-HOST do-until-failure
   10 resume reauthentication
 event violation match-all
  10 class always do-until-failure
   10 restrict

 

class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST
 match result-type aaa-timeout
 match authorization-status authorized

class-map type control subscriber match-all MAB-FAILED
 match method mab
 match result-type method mab authoritative

class-map type control subscriber match-all DOT1X-FAILED
 match method dot1x
 match result-type method dot1x authoritative

class-map type control subscriber match-all DOT1X-NO-RESP
 match method dot1x
 match result-type method dot1x agent-not-found


interface config:

template Dot1x-Port
 description - Dot1x -
 switchport mode access
 switchport access vlan 1xx
 switchport voice vlan 1xx
 dot1x pae authenticator
 mab
 access-session closed
 access-session port-control auto
 access-session host-mode multi-auth
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber DOT1X_AND_MAB
 

 

This works OK, but I'm having trouble figuring out how to authorize the voice VLAN if the AAA server goes down, when I DON'T want to authorize anything else or enable the critical VLAN with an ACL (we are working in closed mode); I still need the 'critical' voice VLAN to be the same as it is now. I can see there is this config:

10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize

 

But will this authorize all the ports and any devices on any other VLAN as well?

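Editor's added example, not part of the post above: the critical-authentication pieces that the `AAA_SVR_DOWN_UNAUTHD_HOST` snippet in the post relies on, written out as a complete policy map that reuses the poster's DOT1X-FAILED, DOT1X-NO-RESP and MAB-FAILED class maps. This is the convention used in IBNS 2.0 deployments for closed mode, not the poster's config or Cisco's verbatim output; the CRITICAL_DATA template name and VLAN 999 are placeholders. The AAA-down class maps match only on result type and authorization status, not on the kind of device, so `authorize` in that class applies to any host that hit the RADIUS timeout, which is why the convention pairs an explicit data template with DEFAULT_CRITICAL_VOICE_TEMPLATE instead of relying on the voice template alone. Whether the data side can be left unauthorized in closed mode while voice still comes up is the poster's open question and is not settled by this example.

```cisco
! Added example: critical-authentication handling for a closed-mode IBNS 2.0 port.
! DEFAULT_CRITICAL_VOICE_TEMPLATE is built in (its body is "voice vlan").
!
! Assumed data-side template; the name and VLAN 999 are placeholders.
service-template CRITICAL_DATA
 vlan 999
!
! Host that was still unauthorized when the RADIUS servers stopped answering.
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
! Host that was already authorized and whose re-authentication timed out.
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
! Sessions running on a critical template, so they can be cleared once AAA returns.
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_DATA
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_DATA
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
policy-map type control subscriber DOT1X_AND_MAB_CRITICAL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X-FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
! The two AAA-down classes must come before "class always" in a match-first
! event; otherwise the catch-all terminates the session and they never run.
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_DATA
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X-NO-RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB-FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
! When RADIUS comes back, tear down sessions that were granted critical access
! so they re-authenticate properly; everything else just resumes its timer.
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event violation match-all
  10 class always do-until-failure
   10 restrict
```

To try it, point the port template at this policy with `service-policy type control subscriber DOT1X_AND_MAB_CRITICAL` in place of the existing name, then pull the RADIUS servers and confirm with `show access-session interface <port> details` that the critical templates show up on a session only while the servers are unreachable and disappear once `aaa-available` has cleared it.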