09-03-2015 03:46 AM - edited 03-10-2019 11:01 PM
Hi, all.
I have been testing the new IBNS2.0 features for some days now, testing equipment is this:
Model number : WS-C3750X-48PF-S

Switch Ports Model              SW Version   SW Image
------ ----- -----              ----------   ----------
*    1 54    WS-C3750X-48P      15.2(3)E2    C3750E-UNIVERSALK9-M
What I am trying to do is the following:
Having a static access-port config (using a "standard-port-config" interface template), I try to overwrite/overlay this standard template with another one (that is configured locally on the switch) by sending down the template name using the radius server (in this case: ISE 1.4 Patch 3) after authentication of an access point (in FlexConnect mode).
Here are the templates:
template TEMPLATE_INTERFACE_standard_dot1x_mod_0_1_2
 dot1x pae authenticator
 spanning-tree portfast trunk
 spanning-tree bpdufilter disable
 spanning-tree bpduguard enable
 spanning-tree guard loop
 switchport access vlan x
 switchport mode access
 switchport nonegotiate
 switchport voice vlan y
 storm-control broadcast level 5.00
 storm-control action shutdown
 mab
 access-session host-mode multi-domain
 access-session port-control auto
 authentication periodic
 ip dhcp snooping limit rate 10
 load-interval 60
This is the template that is sent down by the radius:
template TEMPLATE_INTERFACE_access_points
 spanning-tree portfast trunk
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
 switchport trunk encapsulation dot1q
 switchport trunk native vlan x
 switchport trunk allowed vlan x,y,z
 switchport mode trunk
 storm-control broadcast level 5.00
 storm-control action shutdown
 ip dhcp snooping limit rate 20
 ip dhcp snooping trust
 load-interval 60
When the access point is connected, it gets authenticated (via mab) and authorized; the authorization profile contains the template name:
cisco-av-pair=interface-template-name=TEMPLATE_INTERFACE_access_points
The template gets applied to the port and everything looks good, but:
When the template is applied, the access port is turned into a trunk (.1q) port, and allowed vlans are specified in the template, but even if the vlans are allowed, no traffic is going over the port.
After troubleshooting I have found the reason why:
sh interfa trunk:

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/5     on               802.1q         trunking      x

Port        Vlans allowed on trunk
Gi1/0/5     none

Port        Vlans allowed and active in management domain
Gi1/0/5     none

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/5     none
Although the trunk has an allowed vlan range applied to the config, no vlans are allowed !!!!
The port config looks like this:
sh deriv int gig1/0/5
interface GigabitEthernet1/0/5
 description [Land]/[Stadt]/[Standortkennziffer]/[Gebaeude]/[Verteilerraum]/[Schrank]
 switchport access vlan x
 switchport trunk encapsulation dot1q
 switchport trunk native vlan y
 switchport trunk allowed vlan x,y,z
 switchport mode trunk
 switchport nonegotiate
 switchport voice vlan 409
 no logging event link-status
 load-interval 60
 authentication periodic
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 no snmp trap link-status
 dot1x pae authenticator
 storm-control broadcast level 5.00
 storm-control action shutdown
 spanning-tree portfast trunk
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
 spanning-tree guard loop
 service-policy type control subscriber POLICYMAP_standard_dot1x_port
 ip dhcp snooping limit rate 20
 ip dhcp snooping trust
Is this working as designed??? Maybe I missed something??
Or could this be a bug???
Any ideas?
Rgs
Frank
12-14-2015 08:32 AM
"access-session host-mode multi-domain" is still active even after applying the AP template. In the template, overwrite this with "access-session host-mode multi-host".
This host-mode will allow multiple hosts on an 802.1X-authorized port after a single host (the AP itself) has been authenticated.
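Applying the suggestion from the reply, here is the access-point template from the original post with the host-mode override added, followed by the show commands used to verify the result after the AP re-authenticates. This is an added example, not configuration from the original poster or from Cisco; the VLAN ids x,y,z and the interface Gi1/0/5 are the placeholders used in the thread.

```cisco
! Added example (not from the original post): AP template with the host-mode override
template TEMPLATE_INTERFACE_access_points
 spanning-tree portfast trunk
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
 switchport trunk encapsulation dot1q
 switchport trunk native vlan x
 switchport trunk allowed vlan x,y,z
 switchport mode trunk
 ! Override the multi-domain host-mode inherited from the standard template.
 ! multi-host admits every MAC behind the AP once the AP itself has authenticated.
 access-session host-mode multi-host
 storm-control broadcast level 5.00
 storm-control action shutdown
 ip dhcp snooping limit rate 20
 ip dhcp snooping trust
 load-interval 60
!
! Verification from enable mode after the template change:
! clear access-session interface GigabitEthernet1/0/5   (forces the AP to re-authenticate)
! show derived-config interface GigabitEthernet1/0/5    (host-mode should now read multi-host)
! show access-session interface GigabitEthernet1/0/5 details
! show interfaces GigabitEthernet1/0/5 trunk            (allowed VLANs should list x,y,z)
```

If the reply's diagnosis holds, the "Vlans allowed on trunk" line of the last command changes from "none" to x,y,z. Note that multi-host authorizes all later MAC addresses on the port on the strength of the first authenticated host, so the port relies on the storm-control and DHCP-snooping limits already in the template rather than on per-client authentication.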