Using Ansible to remove authentication open for ISE enforcement

waqas gondal (Level 1)

Hi

I am working on putting ISE into enforcement mode on production switches for 802.1x wired auth.

Currently the access interfaces all have authentication open which needs to be removed.

I have Ansible installed and ready to configure switches.

Is there any way I could configure a playbook to find interfaces that have 'authentication open' and remove it?

This type of config would also help switch to c3pl down the road.

Thanks!

Waqas

3 Replies

Arne Bier (VIP)

If you are using port profiles on the switch, then you can no longer rely on the show run-config command, since the interface statements won't contain all the commands, but will contain port profiles instead.

Perform a show derived-config and then filter out the interfaces that contain the statement authentication open - I am no Ansible expert, but perhaps they have such logic/tools?

One other approach. If you cycle through every interface and apply the command below, it will effectively remove "authentication open" if it exists, or do nothing at all.

no authentication open

Hi Arne
Thanks for the reply!
The show run interface command does work to display 'authentication open' under the interface.
The issue is more about being able to revert if enforcement doesn't go as planned. In this case it would be a bit more effort to put authentication open back on only the access ports and exclude the wireless access points. Doing that for many switch stacks is pretty time consuming.
Ansible playbooks do have tasks which can follow a sequence of conditions.
I should probably be asking the Ansible forum about this.
Thanks again!
Waqas

It's definitely an interesting DevOps type of discussion and others might find themselves in the same boat. There is still the "Neanderthal approach", which involves saving the config before the changes (save the running config to flash and name the file appropriately) - and if you need to revert, then copy flash:/emergency-file.cfg run-config
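The two halves of this thread, filtering the interfaces that carry 'authentication open' out of show derived-config output (Arne's suggestion) and keeping a revert that touches only the access ports and skips the access-point ports (Waqas's concern), can be done in a small script that sits in front of the Ansible config task. The following is an added example written for this thread, not code from either poster or from Cisco. Everything in it is an assumption: the sample config is constructed; the config text is expected to have been captured beforehand (for example by an Ansible command task) and passed in as a string; access ports are recognised by `switchport mode access`; and ports feeding wireless access points are recognised by the word "AP" in their description.

```python
"""Filter Cisco IOS interface stanzas for 'authentication open' and build the
enforcement change plus a matching revert.

Added example for this thread, not code from the original posts. Assumptions
(none of these come from the thread): the config text below is constructed;
real input would be `show derived-config` / `show run` output captured
beforehand and passed in as a string; access ports are recognised by
`switchport mode access`; access-point ports are recognised by "AP" in
their description.
"""
import re

# Constructed sample of `show derived-config` output (not from the thread).
SAMPLE_CONFIG = """\
hostname access-sw1
!
interface GigabitEthernet1/0/1
 description User desk 1
 switchport mode access
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description AP floor 2
 switchport mode access
 authentication open
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 description Printer
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/24
 description Uplink to core
 switchport mode trunk
!
"""

# Assumed convention for spotting access-point ports; adjust to your naming.
AP_PATTERN = re.compile(r"\bAP\b", re.IGNORECASE)


def parse_interfaces(config_text):
    """Return {interface name: [stripped config lines]} for each stanza.

    IOS indents stanza members with one space and ends a stanza with '!',
    so any unindented line closes the current interface.
    """
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def select_open_ports(stanzas, exclude=AP_PATTERN):
    """Access interfaces that still carry 'authentication open', minus the
    ones whose description matches `exclude` (the AP ports here)."""
    selected = []
    for name, lines in stanzas.items():
        if "authentication open" not in lines:
            continue
        if "switchport mode access" not in lines:
            continue
        description = next(
            (l.split(None, 1)[1] for l in lines if l.startswith("description ")), "")
        if exclude is not None and exclude.search(description):
            continue
        selected.append(name)
    return selected


def build_change(ports, enforce=True):
    """IOS config lines for the selected ports: remove 'authentication open'
    to enforce, or put it back to revert. Generating both from the same port
    list means a rollback touches exactly the ports that were changed."""
    cmd = "no authentication open" if enforce else "authentication open"
    lines = []
    for port in ports:
        lines.append(f"interface {port}")
        lines.append(f" {cmd}")
    return lines


def plan(config_text):
    """Everything a change ticket needs: the ports, the change and the revert."""
    ports = select_open_ports(parse_interfaces(config_text))
    return {
        "ports": ports,
        "enforce": build_change(ports, enforce=True),
        "revert": build_change(ports, enforce=False),
    }


if __name__ == "__main__":
    result = plan(SAMPLE_CONFIG)
    print("Ports to change:", ", ".join(result["ports"]))
    print("\n".join(result["enforce"]))
```

On the constructed sample, only GigabitEthernet1/0/1 is selected: the AP port is excluded by its description, the printer port never had authentication open, and the trunk is not an access port. The `enforce` list is what you hand to the config task; the `revert` list is the per-switch rollback Waqas was after, and it is worth saving alongside the flash copy Arne describes so that backing out a single stack does not mean restoring the whole config.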