IBNS 2.0 / Dynamic Interface Template not applied correctly unless sticky cmd used

Jozef Cmorej
Level 1

Hello Cisco community,

I am struggling a bit with the combination of IBNS 2.0 and interface/service templates.

My environment looks as follows:
- ISE 2.3, patch 4
- IBNS 2.0 / 802.1X and MAB simultaneously
- Authenticator / Catalyst 3850, SW 16.9.1
- Supplicants / Cisco FlexConnect AP2800 and NEAT Switch 3560cx

There are 3 interface templates configured on the switches. The template called DEFAULT_ACCESSPORT is the default one attached to all user ports. Then we have two additional templates, one for the FlexAPs called DEFAULT_WLAN_AP_PORT and second for the NEAT Supplicant Switches called NEAT_AUTHZ. The reason for using additional templates is that we need to change the mode of switch ports from access to trunk for all FlexAPs and NEAT Supplicant switches.

If we send "only" dVLAN and/or dACL as part of the authorization rules from the ISE to the switches, it works properly as there is no dynamic interface template assignment. Once the ISE also sends the name of the interface/service template that is configured locally on the switches to change the mode of the switch port, it does not work correctly unless we configure the command access-session interface-template sticky under the template DEFAULT_ACCESSPORT.

Cisco says about this command: The access-session interface-template sticky command is mandatory to apply an inbuilt template that contains access-session commands on an interface.

But using this command breaks the concept of dynamic configuration, as the switch port configuration remains active even when the port is shut down or the device is disconnected.

Is there any other way to make it work in combination with IBNS 2.0 and dynamic interface/service templates? Because in my opinion, this sticky command breaks the whole concept of dynamic templates.


We would like to avoid using macros if possible as they affect all switchports.

The Interface Templates:
---------------------

template DEFAULT_ACCESSPORT
 dot1x pae authenticator
 spanning-tree bpduguard enable
 switchport access vlan 3
 switchport mode access
 switchport voice vlan 2
 mab
 access-session host-mode multi-domain
 access-session control-direction in
 access-session port-control auto
 access-session interface-template sticky
 service-policy type control subscriber DOT1X_DEFAULT_POLICY
!
template DEFAULT_WLAN_AP_PORT
 dot1x pae authenticator
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
 mab
 access-session host-mode multi-host
 access-session control-direction in
 access-session port-control auto
!
template NEAT_AUTHZ
 spanning-tree portfast trunk
 spanning-tree bpduguard disable
 switchport trunk native vlan 3
 switchport mode trunk
 access-session host-mode multi-host


Thank you.
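As an added example (not part of the original post), the following shows how the base template from the list above is bound to a port and which show commands reveal what the switch actually derived for that port, so the persisting trunk lines described in the post can be observed directly. The interface name GigabitEthernet1/0/1 and the description text are assumptions; the template names are the ones defined above.

```cisco
! Added example, not from the original post. Interface name is an assumption.
! Bind the default template to a user port; DEFAULT_ACCESSPORT is the template
! listed above, including its "access-session interface-template sticky" line.
interface GigabitEthernet1/0/1
 description user port (assumed) - base template via source template
 source template DEFAULT_ACCESSPORT
!
! 1. Confirm the port sources the expected template and what the merged
!    (derived) configuration of the port looks like before any session exists.
show template interface source user DEFAULT_ACCESSPORT
show derived-config interface GigabitEthernet1/0/1
!
! 2. ISE returns the locally defined template name in the authorization result
!    (Cisco AV pair interface-template-name=DEFAULT_WLAN_AP_PORT, assumed here;
!    check the authorization profile on ISE). The active session and the
!    template it applied are visible in the session details.
show access-session interface GigabitEthernet1/0/1 details
!
! 3. Take a second snapshot of the derived config while the AP session is up;
!    the trunk lines from DEFAULT_WLAN_AP_PORT should now be present.
show derived-config interface GigabitEthernet1/0/1
!
! 4. End the session and compare again. With the sticky command in the base
!    template, the post reports that the dynamically applied lines stay in the
!    derived config after the device disconnects, which is what to look for.
clear access-session interface GigabitEthernet1/0/1
show derived-config interface GigabitEthernet1/0/1
```

Comparing the three derived-config snapshots (before, during and after the session) is the quickest way to tell whether a port was left in trunk mode by a previous session, which matters because the base template then no longer describes what an unauthenticated port actually looks like.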

17 Replies


@Andrii Oliinyk wrote:
one short notice about your config: as you don't change the host-mode within the dynamic template you don't need the interface-template sticky statement. In my understanding "interface-template sticky" is the only way to make the port transit into the desired host-mode (quite unobvious though :0)

I found I had to add it, otherwise the trunk parts of the dynamic config were not removed and it had issues reverting back, including with STP. As I mentioned though, I had the sticky command in the base interface stanza, not in the interface template, so not sure if that makes a big difference too.

Simon Parlsjo
Level 1

Hi,

I know this thread is starting to become quite old, but I was wondering if someone has found any solution to this or has had any updates from Cisco.

My use case for the dynamic template assignment is for FlexConnect APs, i.e. turning the port from multi-auth to multi-host.

Anyone got any news?

Don't manipulate the host mode dynamically. As soon as you know a port has a FlexAP attached, stay with multi-host hardcoded on that port. For the rest you can take the templates from @franklinb's posts.