parameter AutoSmartPort, dynamic dead action vlan

ChristianBur
Level 1

Hello,

We plan to use dynamic VLANs with Cisco switches (IOS version 15.2.x) and Cisco ISE (2.1.0); this works so far.

For the error case, I would like to set the dead action VLAN dynamically.

The only possibility I know is the AutoSmartPort feature on the Cisco switches:


macro auto execute CRITICAL_AUTH_VLAN CAVLAN=7 {
if [[ $LINKUP == YES ]]
  then conf t
  interface $INTERFACE
    macro description $TRIGGER
    description CAVLAN_7
    if [[ $AUTH_ENABLED -eq YES ]]
      then authentication event server dead action reinitialize vlan $CAVLAN
    fi
  end
fi
if [[ $LINKUP == NO ]]
  then conf t
  interface $INTERFACE
    no macro description
    no description CAVLAN_44
    if [[ $AUTH_ENABLED -eq YES ]]
      then authentication event server dead action reinitialize vlan 44
    fi
  end
fi
}

macro auto global processing

On the ISE I use this in the Authorization Profile:

cisco-av-pair = auto-smart-port=CRITICAL_AUTH_VLAN

Question: is it possible to change the $CAVLAN value with the "cisco-av-pair = auto-smart-port" parameter?

For example: cisco-av-pair = auto-smart-port=CRITICAL_AUTH_VLAN CAVLAN=55

The background of the question is that the critical VLAN should always have the value of the last successful logon (with dynamic VLAN). There are about 10-15 dynamic VLANs; if I could set the parameter CAVLAN on the ISE, I would need only one macro on the switch, otherwise I would have to copy the macro 10-15 times and only the VLAN ID would differ.


4 Replies

Craig Hyps
Level 10

No, you cannot specify variables in the A/V pair. ASP is generally tricky on switchports with RADIUS authorization, since they write to the switch config, not just temporary config elements in memory for a given session. Have you looked at session-aware command logic that would allow a policy template to set the desired behavior? ISE also supports the retrieval of service and interface templates via RADIUS.

/Craig

Exactly, this is the trick: the command (authentication event server dead action reinitialize vlan) should NOT be session-aware.

When the RADIUS servers are not reachable or down and, e.g., the RADIUS session expires, the clients should use the VLAN of the last successful logon. If the command is session-aware, the setting disappears after the RADIUS session expires.

Do I now have to create a single macro for each access VLAN?
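Since the A/V pair can only name a macro and cannot pass a CAVLAN value to it, the practical answer is one macro per critical VLAN. The following generator renders the thread's macro template once per VLAN ID and emits the matching ISE av-pair value, so the 10-15 copies are generated rather than hand-edited. This is an added example, not code from the thread or from Cisco; the macro naming scheme, the link-down default VLAN and the VLAN list are assumptions.

```python
# Added example: one AutoSmartPort macro per critical VLAN, each with the VLAN id
# hardcoded, because the ISE cisco-av-pair cannot set a macro parameter.
MACRO_TEMPLATE = """\
macro auto execute {name} {{
if [[ $LINKUP == YES ]]
  then conf t
  interface $INTERFACE
    macro description $TRIGGER
    description CAVLAN_{vlan}
    if [[ $AUTH_ENABLED -eq YES ]]
      then authentication event server dead action reinitialize vlan {vlan}
    fi
  end
fi
if [[ $LINKUP == NO ]]
  then conf t
  interface $INTERFACE
    no macro description
    no description
    if [[ $AUTH_ENABLED -eq YES ]]
      then authentication event server dead action reinitialize vlan {default}
    fi
  end
fi
}}
"""
DEFAULT_VLAN = 44  # assumption: fallback critical VLAN restored when the link goes down

def valid_vlan(vlan: int) -> bool:
    # 1-4094, excluding the ids IOS reserves (1002-1005)
    return 1 <= vlan <= 4094 and not 1002 <= vlan <= 1005

def macro_name(vlan: int) -> str:
    return f"CRITICAL_AUTH_VLAN_{vlan}"  # assumed naming scheme

def ise_av_pair(vlan: int) -> str:
    """Value to place in the ISE Authorization Profile for this access VLAN."""
    return f"cisco-av-pair=auto-smart-port={macro_name(vlan)}"

def render_macro(vlan: int, default_vlan: int = DEFAULT_VLAN) -> str:
    if not (valid_vlan(vlan) and valid_vlan(default_vlan)):
        raise ValueError(f"invalid VLAN id: {vlan} / {default_vlan}")
    return MACRO_TEMPLATE.format(name=macro_name(vlan), vlan=vlan, default=default_vlan)

def render_all(vlans, default_vlan: int = DEFAULT_VLAN) -> str:
    """Full switch snippet: one macro per distinct VLAN, then global processing."""
    body = "\n".join(render_macro(v, default_vlan) for v in sorted(set(vlans)))
    return body + "\nmacro auto global processing\n"
```

Calling `render_all([7, 55, 120])` yields the switch-side snippet, and `ise_av_pair(55)` the value to put in the Authorization Profile that selects the VLAN 55 macro.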

This is a unique use case, so I cannot say I have had a similar request. Others reviewing the thread may be able to comment on their experience, but the question is more specific to the switching team, and the options to achieve the desired goal are limited to the ASP feature, or to leveraging an IBNS 2.0 policy if able. It may even be achievable via EMM, but there is always a balance between complexity and utility.

As I recall, the critical VLAN initiates on reauth or a connection state change, such that existing sessions are not impacted. It appears that you are trying to permit existing host access to the same VLAN after AAA is down. Of course, this would allow any endpoint that connects to the port to get the privileges of the previous host. The critical VLAN is often used to provide minimum common-denominator access when AAA is down.

/Craig

Lukasz Luczak
Level 1

Very good question and idea, which I also faced.
But there is no answer in this thread as to whether anyone has solved this problem of automatically sending the VLAN number for authentication event server dead action reinitialize vlan.

/Lukasz