08-24-2017 06:00 AM
Hello,
We plan to use dynamic VLANs with Cisco switches (IOS version 15.2.x) and Cisco ISE (2.1.0); this works so far.
For the error case, I would like to set the dead-action VLAN dynamically.
The only possibility I know of is the AutoSmartPort feature on the Cisco switches:
macro auto execute CRITICAL_AUTH_VLAN CAVLAN=7 {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
macro description $TRIGGER
description CAVLAN_7
if [[ $AUTH_ENABLED -eq YES ]]
then authentication event server dead action reinitialize vlan $CAVLAN
fi
end
fi
if [[ $LINKUP == NO ]]
then conf t
interface $INTERFACE
no macro description
no description CAVLAN_44
if [[ $AUTH_ENABLED -eq YES ]]
then authentication event server dead action reinitialize vlan 44
fi
end
fi
}
macro auto global processing
On the ISE I use this in the Authorization Profile:
cisco-av-pair = auto-smart-port=CRITICAL_AUTH_VLAN
Question: is it possible to change the $CAVLAN value with the "cisco-av-pair = auto-smart-port" parameter?
For example: cisco-av-pair = auto-smart-port=CRITICAL_AUTH_VLAN CAVLAN=55
The background of the question is that the critical VLAN should always have the value of the last successful logon (with dynamic VLAN). There are about 10-15 dynamic VLANs; if I could set the CAVLAN parameter on the ISE, I would need only one macro on the switch, otherwise I would have to copy the macro 10-15 times with only the VLAN ID differing.
08-26-2017 10:37 AM
This is a unique use case, so I cannot say I have had a similar request. Others reviewing the thread may be able to comment on their experience, but the question is more specific to the switching team, and the options to achieve the desired goal are limited to the ASP feature, or to leveraging IBNS 2.0 policy if able. It may even be achievable via EMM, but it is always a balance between complexity and utility.
As I recall, the critical VLAN initiates on reauth or a connection state change, such that existing sessions are not impacted. It appears that you are trying to permit the existing host access to the same VLAN after AAA is down. Of course this would allow any endpoint that connects to the port to get the privileges of the previous host. The critical VLAN is often used to provide a minimum common denominator of access when AAA is down.
/Craig
08-25-2017 01:43 AM
No, you cannot specify variables in the A/V pair. ASP is generally tricky on switchports with RADIUS authorization since it writes to the switch config, not just temporary config elements in memory for a given session. Have you looked at session-aware command logic that would allow a policy template to set the desired behavior? ISE also supports the retrieval of service and interface templates via RADIUS.
/Craig
08-25-2017 02:47 AM
Exactly, this is the trick: the command (authentication event server dead action reinitialize vlan) should NOT be session-aware.
When the RADIUS servers are not reachable or down and e.g. the RADIUS session expires, the clients should use the VLAN of the last successful logon. If the command is session-aware, the setting disappears after the RADIUS session expires.
Do I now have to create a single macro for each access VLAN?
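Since the reply above states that the A/V pair cannot carry a variable, the fallback the original poster describes is one macro per access VLAN. The following script, an added example that is not code from the thread or from Cisco, renders those per-VLAN macros and the matching ISE auto-smart-port values from a template that mirrors the macro posted above. The macro naming scheme (CRITICAL_AUTH_VLAN_<id>), the fallback VLAN 44 on link down, and the list of VLAN ids are assumptions.

```python
"""Render one Auto Smart Port macro per access VLAN (added example, not from the thread).

The macro body follows the pattern posted in the original question, with the
VLAN id substituted directly instead of through a $CAVLAN variable.
"""
from typing import Dict, Iterable, List

# Assumption: VLAN applied on link down, taken from the posted macro's fallback value.
DEFAULT_FALLBACK_VLAN = 44


def _check_vlan(vlan_id: int) -> None:
    """Reject ids outside the IEEE 802.1Q usable range before they reach the config."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id out of range 1..4094: {vlan_id}")


def macro_name(vlan_id: int) -> str:
    """Per-VLAN macro name; the CRITICAL_AUTH_VLAN_<id> scheme is an assumption."""
    _check_vlan(vlan_id)
    return f"CRITICAL_AUTH_VLAN_{vlan_id}"


def render_macro(vlan_id: int, fallback_vlan: int = DEFAULT_FALLBACK_VLAN) -> str:
    """Switch-side macro for one access VLAN.

    On link up the port's critical (server-dead) VLAN becomes vlan_id; on link
    down it reverts to fallback_vlan.  Note the trade-off raised in the thread:
    while AAA is down, whatever plugs into that port inherits the previous
    host's VLAN until the link drops.
    """
    _check_vlan(vlan_id)
    _check_vlan(fallback_vlan)
    name = macro_name(vlan_id)
    lines: List[str] = [
        f"macro auto execute {name} {{",
        "if [[ $LINKUP == YES ]]",
        "then conf t",
        "interface $INTERFACE",
        "macro description $TRIGGER",
        f"description CAVLAN_{vlan_id}",
        "if [[ $AUTH_ENABLED -eq YES ]]",
        f"then authentication event server dead action reinitialize vlan {vlan_id}",
        "fi",
        "end",
        "fi",
        "if [[ $LINKUP == NO ]]",
        "then conf t",
        "interface $INTERFACE",
        "no macro description",
        "no description",
        "if [[ $AUTH_ENABLED -eq YES ]]",
        f"then authentication event server dead action reinitialize vlan {fallback_vlan}",
        "fi",
        "end",
        "fi",
        "}",
    ]
    return "\n".join(lines)


def render_all(vlan_ids: Iterable[int], fallback_vlan: int = DEFAULT_FALLBACK_VLAN) -> str:
    """Full switch snippet: one macro per distinct VLAN, then global processing enabled."""
    blocks = [render_macro(v, fallback_vlan) for v in sorted(set(vlan_ids))]
    blocks.append("macro auto global processing")
    return "\n".join(blocks)


def ise_av_pair(vlan_id: int) -> str:
    """Value to place in the ISE Authorization Profile for this VLAN."""
    return f"cisco-av-pair = auto-smart-port={macro_name(vlan_id)}"


def ise_av_pairs(vlan_ids: Iterable[int]) -> Dict[int, str]:
    """Map each VLAN id to its Authorization Profile attribute."""
    return {v: ise_av_pair(v) for v in sorted(set(vlan_ids))}


if __name__ == "__main__":
    # Constructed sample: a handful of dynamic access VLANs.
    sample_vlans = [7, 10, 20, 30]
    print(render_all(sample_vlans))
    for vid, pair in ise_av_pairs(sample_vlans).items():
        print(f"VLAN {vid}: {pair}")
```

Paste the rendered block into the switch configuration and set the corresponding av-pair in each ISE Authorization Profile; the macro count equals the number of distinct VLAN ids, which is the 10-15 copies the question anticipates.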
03-15-2024 01:10 AM
Very good question and idea that I also faced.
But there is no answer in this thread as to whether anyone has solved this problem of automatically sending the VLAN number for authentication event server dead action reinitialize vlan.
/Lukasz