ISE and Auto Smartports

gnijs · ‎03-13-2012

I am testing ISE and Auto Smartports and i got the execution of the macro via ISE working.

However, it seems i MUST enable globally "macro auto global processing " before it the macro is really executed.

I would like to avoid this, as enabling this globally, it will automatically run all standard cisco macros for phones, AP, etc.

To prevent this, i need to configure "no macro auto processing" on each and every interface...

Isn't there another way to enable macros but not run the default macros on all ports. Only run -custom- macros when triggered by ISE ?

regards,

Geert

Alfonso Lopez · ‎09-19-2016

Would you like to share the document that you followed to get Auto Smarports to work with a response from the ISE?

I can´t find anything where it is well explained.

networkguy13111 · ‎08-02-2017

In the ISE authorization profile, along with "permit" access there are many options. There is one named as "auto-smart-port".

If you write the trigger string in the profile and configure a script with this trigger string on the switch, when the EP interface is authorised with your profile, ISE will send a radius attribute calling the switch to run the script on this EP interface.

It was well documented in Cisco TrustSec solution white papers in my memory.

-- Best Regards

networkguy13111 · ‎08-02-2017

With ISE normally the deployment is switch wide, so to enable it globally can simplify the port configuration.

When dot1x is enabled on an interface, the Cisco auto macro will not run until ISE tells the switch so. It is a bit inconvenient but acceptable.

-- Best Regards