Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2641
Views
6
Helpful
3
Replies

IBNS 2.0 Monitor Mode Only

Go to solution
mstraessle
Level 4
Level 4

‎05-11-2016 02:22 PM

I maybe have a stupid question, but I did not find any useful way for my problem.

My customer ist using 3850 access switches. He want to enable monitor mode in first phase to do the inventory of all connected endpoints. Second phase he wants to move to low impact mode. However, I simply started with IBNS 1.0 open mode, which worked fine so far. Then I used one switch and upgraded tp 3.6.4 and changed to "new style". Unfortunatly the monitor configuration seams not to be converted.

This is my initial configuration:

interface GigabitEthernet1/0/13

...

switchport access vlan 10

switchport mode access

switchport voice vlan 20

ip access-group ACL-ALLOW in

authentication event fail action next-method

authentication event server dead action authorize vlan 10

authentication event server dead action authorize voice

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

mab

no snmp trap link-status

dot1x pae authenticator

dot1x timeout tx-period 10

no cdp enable

spanning-tree portfast

After the convertion I had the following config:

service-template CRITICAL_AUTH_VLAN_105

vlan 105

policy-map type control subscriber DEFAULT_POLICY

event session-started match-all

  10 class always do-until-failure

   10 authenticate using dot1x retries 2 retry-time 0 priority 10

event authentication-failure match-first

  5 class DOT1X_FAILED do-until-failure

   10 terminate dot1x

   20 authenticate using mab priority 20

  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure

   10 activate service-template CRITICAL_AUTH_VLAN_10

   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE

   30 authorize

   40 pause reauthentication

  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure

   10 pause reauthentication

   20 authorize

  30 class DOT1X_NO_RESP do-until-failure

   10 terminate dot1x

   20 authenticate using mab priority 20

  40 class MAB_FAILED do-until-failure

   10 terminate mab

   20 authentication-restart 60

  60 class always do-until-failure

   10 terminate dot1x

   20 terminate mab

   30 authentication-restart 60

event agent-found match-all

  10 class always do-until-failure

   10 terminate mab

   20 authenticate using dot1x retries 2 retry-time 0 priority 10

event authentication-success match-all

  10 class always do-until-failure

   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

interface GigabitEthernet1/0/13

service-policy type control subscriber DEFAULT_POLICY

Is it true, that the "authentication open" command does not get converted?

Or is the monitor mode simply not supported with IBNS 2.0? Even when I trie to add the commands to the "old style" interface again, it did not work at all. Any hints are highly welcome.

Thanks, Marco

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎05-11-2016 02:36 PM

Marco, with IBNS 2.0, the open mode is the default whereas with IBNS 1.0, closed mode was the default setting. So what you are seeing is expected. Even though you are not seeing the command, the interface will operate in open mode. You can run 'show run all' to see the command.

IBNS 2.0:

Open mode (Default): no access-session closed

Closed mode: access-session closed

IBNS 1.0

Open mode: authentication open

Closed mode (Default): no authentication open

Hosuk

View solution in original post

3 Replies 3

Go to solution
howon
Cisco Employee
Cisco Employee

‎05-11-2016 02:36 PM

Marco, with IBNS 2.0, the open mode is the default whereas with IBNS 1.0, closed mode was the default setting. So what you are seeing is expected. Even though you are not seeing the command, the interface will operate in open mode. You can run 'show run all' to see the command.

IBNS 2.0:

Open mode (Default): no access-session closed

Closed mode: access-session closed

IBNS 1.0

Open mode: authentication open

Closed mode (Default): no authentication open

Hosuk

Go to solution
mstraessle
Level 4
Level 4
In response to howon

‎05-11-2016 02:47 PM

Hi Hosuk

Thanks for this clarification. In this case I have to check the software Version. Since even when I go back to old-style, the switch did not work as expected (to be honest I not checked before change to "new style"!)

Do you have any experience with 3850 IOS XE 3.6.4?

Next week I will check another IOS Version, maybe 3.7.3 or any other suggestion?

Thanks, Marco

0 Helpful

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to mstraessle

‎05-12-2016 06:40 AM

Marco,

Currently, we recommend IOS-XE 3.6.3 with 3.6.4 most likely to be the new recommended version once ISE 2.1 is available.  I'm pretty sure 3.7.3 would work as well since it contains a lot of identity related fixes that are in 3.6.3 and 3.6.4.

Regards,

-Tim

Customers Also Viewed These Support Documents