10-26-2016 07:55 AM - edited 03-11-2019 12:11 AM
Is anyone doing IBNS 2.0, or is everyone sticking w/ the legacy "authentication" commands that have been available like forever?
We're looking into IBNS 2.0 to take advantage of its critical ACL feature that's not available in the legacy auth-manager style.
When I did a conversion from the existing, legacy style to the new IBNS 2.0 style on a 3850, I can't tell which line is the equivalent of the "authentication open" command.
Can someone please point it out to me?
How do we do "authentication open" in the new IBNS 2.0 style?
This is important to our MONITOR & LOW-IMPACT ISE rollout phases.
===============
New style:
policy-map type control subscriber POLICY_Gi1/0/21
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN_Gi1/0/21
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   25 activate service-template CRITICAL-ACCESS
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 40
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 40
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-until-failure
   10 restrict
================
Old style:
interface GigabitEthernet1/0/21
 description ISE-TEST
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer restart 40
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
10-26-2016 09:30 AM
From the IBNS 2.0 GUIDE :
"Two key changes to notice after moving on to the new-style configurations are (1) the ‘authentication’ commands will be replaced with commands starting with ‘access-session’ keyword"
So I guess this would now be an "access-session" command on the interface.
10-26-2016 09:40 AM
Thanks but I don't see anything that would imply the "authentication open" command in the new interface config:
Switch#sh derived-config interface gi1/0/21
Building configuration...
Derived configuration : 481 bytes
!
interface GigabitEthernet1/0/21
 description ISE-TEST
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 25
 ip access-group ACL-DEFAULT in
 no logging event link-status
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber POLICY_Gi1/0/21
 service-policy input QOS-INPUT
 service-policy output QOS-OUTPUT
10-26-2016 09:58 AM
It looks like "authentication open" is now default, and as such not shown in the new style config.
access-session closed
 Example: Device(config-if)# access-session closed
 Prevents preauthentication access on this port.
http://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-cntrl-pol.html
10-26-2016 10:02 AM
Thank you!
02-26-2024 08:44 AM - edited 02-26-2024 08:44 AM
Yes, I realize this topic is old, but it was most relevant to what I'm seeing right now.
So here's a (potentially stupid) question that I can't seem to find the answer to. If both access-session closed and a preauth ACL are configured on the port, what's the result?
I have this situation in a couple of places in my environment and it *seems* as if the preauth ACL supersedes access-session closed, but I can't confirm that for 100% certain.
02-27-2024 06:21 AM
For anyone looking at this in 2024, according to TAC: access-session closed overrides a preauth ACL and only allows EAPOL traffic. If, like me, you're trying to run in enforcement mode but you have a lot of MAB clients and don't want the unfettered preauth access, you need to remove AC closed and implement a more restrictive preauth ACL. It doesn't work like IBNS 1.0 where you remove 'authentication open' and apply your preauth ACL.
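The two answers above (open being the unshown default in new-style config, and "access-session closed" taking precedence over a pre-auth ACL) are easy to get wrong when auditing a large number of ports. The following is an added example, not code from the thread or from Cisco: a small Python audit script that walks interface blocks in "show derived-config" style text and reports the effective pre-authentication posture of each port, using only the rules stated in this thread. The sample configuration, the interface names and the rule labels are constructed for the example.

```python
"""Audit the pre-authentication posture of IBNS 2.0 (new-style) access ports.

Added example, not from the thread. Rules encoded, as stated in the thread:
  * "access-session closed" is the explicit opposite of the old
    "authentication open"; open is the default and is not displayed.
  * Per the TAC answer, "access-session closed" overrides a pre-auth ACL,
    so only EAPOL is admitted before authorization.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of "show derived-config" (not real devices).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/21
 description ISE-TEST
 ip access-group ACL-DEFAULT in
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber POLICY_Gi1/0/21
!
interface GigabitEthernet1/0/22
 description ISE-ENFORCE
 ip access-group ACL-DEFAULT in
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber POLICY_Gi1/0/22
!
interface GigabitEthernet1/0/23
 description NO-AUTH
 switchport mode access
!
"""


@dataclass
class PortPosture:
    name: str
    closed: bool = False                 # "access-session closed" present
    preauth_acl: Optional[str] = None    # ACL from "ip access-group <name> in"
    auth_enabled: bool = False           # "access-session port-control auto"
    lines: List[str] = field(default_factory=list)

    @property
    def preauth_access(self) -> str:
        """What can pass before authorization, applying the thread's rules."""
        if not self.auth_enabled:
            return "no-auth"          # port is not under access-session control
        if self.closed:
            return "eapol-only"       # closed wins over the ACL (TAC answer)
        if self.preauth_acl:
            return "acl:" + self.preauth_acl
        return "open"                 # default open mode, not shown in config


def parse_interfaces(config: str) -> Dict[str, PortPosture]:
    """Split config text into interface blocks and extract the relevant lines."""
    ports: Dict[str, PortPosture] = {}
    current: Optional[PortPosture] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = PortPosture(m.group(1))
            ports[current.name] = current
            continue
        if current is None or not line.startswith(" "):
            current = None            # "!" or another top-level command ends the block
            continue
        cmd = line.strip()
        current.lines.append(cmd)
        if cmd == "access-session closed":
            current.closed = True
        elif cmd == "access-session port-control auto":
            current.auth_enabled = True
        else:
            acl = re.match(r"^ip access-group (\S+) in$", cmd)
            if acl:
                current.preauth_acl = acl.group(1)
    return ports


def audit(ports: Dict[str, PortPosture]) -> List[Tuple[str, str, str]]:
    """Return (port, finding-id, message) for postures worth a second look."""
    findings = []
    for p in ports.values():
        mode = p.preauth_access
        if mode == "eapol-only" and p.preauth_acl:
            findings.append((p.name, "closed-overrides-acl",
                             "access-session closed overrides pre-auth ACL %s; "
                             "only EAPOL passes before authorization" % p.preauth_acl))
        elif mode == "open":
            findings.append((p.name, "open-without-acl",
                             "default open mode with no pre-auth ACL"))
    return findings


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for port in parsed.values():
        print("%-24s %s" % (port.name, port.preauth_access))
    for name, fid, msg in audit(parsed):
        print("FINDING %s [%s]: %s" % (name, fid, msg))
```

Run it against saved "show derived-config" output instead of SAMPLE_CONFIG to see, per port, whether hosts are admitted openly, through the named ACL, or not at all before authorization; the "closed-overrides-acl" finding is exactly the situation the 2024 posts describe, where the ACL looks restrictive but is not what governs pre-auth traffic.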