IBNS 2.0 Monitor Mode Only

I may have a stupid question, but I did not find any useful solution for my problem.

My customer is using 3850 access switches. He wants to enable monitor mode in the first phase to do an inventory of all connected endpoints. In the second phase he wants to move to low-impact mode. However, I simply started with IBNS 1.0 open mode, which worked fine so far. Then I took one switch, upgraded it to 3.6.4 and changed to "new style". Unfortunately, the monitor-mode configuration seems not to be converted.

This is my initial configuration:

interface GigabitEthernet1/0/13
 ...
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 no cdp enable
 spanning-tree portfast

After the conversion I had the following config:

service-template CRITICAL_AUTH_VLAN_105
 vlan 105

policy-map type control subscriber DEFAULT_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN_10
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

interface GigabitEthernet1/0/13
 service-policy type control subscriber DEFAULT_POLICY

Is it true that the "authentication open" command does not get converted?

Or is monitor mode simply not supported with IBNS 2.0? Even when I try to add the commands to the "old style" interface again, it did not work at all. Any hints are highly welcome.

Thanks, Marco

ACCEPTED SOLUTION

Cisco Employee

Marco, with IBNS 2.0, open mode is the default, whereas with IBNS 1.0, closed mode was the default setting. So what you are seeing is expected. Even though you are not seeing the command, the interface will operate in open mode. You can run 'show run all' to see the command.

IBNS 2.0:

Open mode (Default): no access-session closed

Closed mode: access-session closed

IBNS 1.0

Open mode: authentication open

Closed mode (Default): no authentication open

Hosuk

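Because IBNS 2.0 suppresses its default ('no access-session closed') from 'show run', a configuration audit that only looks for 'authentication open' will report every converted port as closed, which is the opposite of what the switch is doing. The script below is an added example written for this page, not code from the thread or from Cisco. It parses a constructed 'show run' excerpt (the interface names and commands are sample data, not the poster's switch), decides per port whether it is old-style or new-style, and applies the default Hosuk describes for each style to classify the port as open (monitor or low-impact) or closed. It also flags ports without 'port-control auto', which do not authenticate at all because the port-control default is force-authorized.

```python
"""Audit a Cisco IOS / IOS-XE running-config for 802.1X port authorization mode.

Added example, not from the thread. The default differs between the two IBNS
styles, so a 'show run' that omits the mode must be read per style:
  IBNS 1.0: closed by default, open only if 'authentication open' is present
  IBNS 2.0: open by default, closed only if 'access-session closed' is present
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample 'show run' excerpt (hypothetical interfaces, not the
# poster's switch). Defaults are suppressed, as 'show run' without 'all' does.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/13
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/14
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/15
 access-session host-mode multi-auth
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber DEFAULT_POLICY
!
interface GigabitEthernet1/0/16
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber DEFAULT_POLICY
!
interface GigabitEthernet1/0/17
 access-session host-mode multi-auth
 mab
 dot1x pae authenticator
 service-policy type control subscriber DEFAULT_POLICY
!
"""


@dataclass(frozen=True)
class PortAuthMode:
    interface: str
    style: str       # "ibns1", "ibns2" or "none" (no 802.1X/MAB config on the port)
    mode: str        # "open", "closed" or "n/a"
    enforcing: bool  # True only with 'port-control auto'; the default is force-authorized


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split running-config text into {interface name: [sub-commands]}."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def classify(interface: str, lines: list[str]) -> PortAuthMode:
    """Apply the per-style default to decide whether a port is open or closed."""
    cmds = set(lines)
    new_style = any(c.startswith(("access-session ",
                                  "service-policy type control subscriber ")) for c in lines)
    old_style = any(c.startswith(("authentication ", "dot1x pae authenticator")) for c in lines)
    if new_style:
        # IBNS 2.0: absence means open; 'show run all' would print 'no access-session closed'
        return PortAuthMode(interface, "ibns2",
                            "closed" if "access-session closed" in cmds else "open",
                            "access-session port-control auto" in cmds)
    if old_style:
        # IBNS 1.0: absence means closed; open mode needs an explicit 'authentication open'
        return PortAuthMode(interface, "ibns1",
                            "open" if "authentication open" in cmds else "closed",
                            "authentication port-control auto" in cmds)
    return PortAuthMode(interface, "none", "n/a", False)


def audit(config: str) -> dict[str, PortAuthMode]:
    """Classify every interface in the config, keyed by interface name."""
    return {name: classify(name, lines) for name, lines in parse_interfaces(config).items()}


def open_ports(config: str) -> list[str]:
    """Enforcing ports that still forward unauthenticated traffic (monitor / low-impact mode)."""
    return [p.interface for p in audit(config).values() if p.mode == "open" and p.enforcing]


if __name__ == "__main__":
    for port in audit(SAMPLE_RUNNING_CONFIG).values():
        print(f"{port.interface:24} {port.style:6} {port.mode:7} enforcing={port.enforcing}")
```

Feed it the output of 'show run' from a real switch and compare against 'show run all' on one port to confirm the defaults hold for your release; the script deliberately treats a new-style port with nothing said about closed mode as open, which is exactly the case Marco ran into.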

3 REPLIES

Hi Hosuk

Thanks for this clarification. In this case I have to check the software version, since even when I go back to old style, the switch did not work as expected (to be honest, I did not check before changing to "new style"!).

Do you have any experience with 3850 IOS XE 3.6.4?

Next week I will check another IOS version, maybe 3.7.3, or any other suggestion?

Thanks, Marco


Marco,

Currently, we recommend IOS-XE 3.6.3, with 3.6.4 most likely to be the new recommended version once ISE 2.1 is available. I'm pretty sure 3.7.3 would work as well, since it contains a lot of identity-related fixes that are in 3.6.3 and 3.6.4.

Regards,

-Tim
