02-20-2019 12:00 PM - edited 03-08-2019 07:12 PM
We were wondering what the best practice is for plugging a Cisco wireless access point into a Cisco switch configured with 802.1X authentication with ISE as the RADIUS server. Would the best practice be the same for FlexConnect wireless access points? It seems to me like it should be different, but we would want the best practice for both.
Thanks in advance!
02-20-2019 05:50 PM
Leverage AutoSmart Ports. It works well. On the switch side you would have something like this:
! **** ISE Triggered auto smart port ****
!
! Turn off auto device control, forgetting this could shoot yourself in the foot
!
no macro auto global control device
!
! Turn off the default trigger, forgetting this could shoot yourself in the foot
!
no macro auto global control trigger
macro auto global processing
!
shell trigger ISE-AP-CONFIG Cisco Access Points
macro auto execute ISE-AP-CONFIG {
  if [[ $LINKUP == YES ]]; then
    conf t
    default interface $INTERFACE
    interface $INTERFACE
      description Access Point Port Configured by ISE Macro
      macro description $TRIGGER
      switchport mode trunk
      switchport trunk native vlan 999
      switchport trunk allowed vlan 10,20,30
      spanning-tree portfast trunk
    exit
  fi
  if [[ $LINKUP == NO ]]; then
    conf t
    default interface $INTERFACE
    interface $INTERFACE
      description **DOT1X Auth**
      switchport access vlan 10
      switchport voice vlan 100
      switchport mode access
      authentication event server dead action reinitialize vlan 10
      authentication event server dead action authorize voice
      authentication event server alive action reinitialize
      authentication violation restrict
      authentication event fail action next-method
      authentication host-mode multi-auth
      authentication order dot1x mab
      authentication priority dot1x mab
      authentication port-control auto
      authentication periodic
      authentication timer reauthenticate server
      mab
      dot1x pae authenticator
      dot1x timeout tx-period 7
      dot1x max-req 1
      spanning-tree portfast
      authentication control-direction in
    exit
  fi
}
Then in ISE on your Access Point authorization profile you invoke the Auto Smartport macro. So the sequence is:
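The design above has one property worth verifying after the fact: on an access switch every trunk should have been applied by the ISE-triggered macro (so it carries a `macro description`), with a native VLAN that is not also one of the data VLANs, and every other edge port should still carry the 802.1X/MAB commands that the link-down branch restores. The following Python audit is an added example, not code from the thread or from Cisco; the running-config it checks is constructed inline, and the rules it applies (trunk must carry `macro description`, allowed VLAN list must be explicit and exclude the native VLAN, non-trunk ports must have `authentication port-control auto`, `mab` and `dot1x pae authenticator`) are assumptions drawn from the macro above, not a Cisco-published standard.

```python
"""Audit an IOS running-config for the ISE auto smart port AP design (added example)."""
from collections import OrderedDict

# Constructed sample running-config (not from a real switch): one port applied by
# the ISE-triggered macro, one dot1x access port, and one hand-configured trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Access Point Port Configured by ISE Macro
 macro description ISE-AP-CONFIG
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 description **DOT1X Auth**
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description hand-configured trunk
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1-20
!
"""

# Assumed minimum set of commands every non-trunk edge port must keep.
REQUIRED_DOT1X = ("authentication port-control auto", "mab", "dot1x pae authenticator")


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each 'interface' block."""
    blocks = OrderedDict()
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None  # '!' terminates the block in IOS output
        elif current is not None:
            blocks[current].append(line)
    return blocks


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20,30' or '1-20,100' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def _last_word(lines, prefix, default=None):
    """Value of the first line starting with prefix, e.g. the VLAN after 'native vlan'."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)


def audit_port(name, lines):
    """Return a list of findings for one interface block (empty list means clean)."""
    findings = []
    cfg = set(lines)
    if "switchport mode trunk" in cfg:
        if not any(l.startswith("macro description") for l in lines):
            findings.append("trunk was not applied by the ISE auto smart port macro")
        native = _last_word(lines, "switchport trunk native vlan", "1")  # IOS default is VLAN 1
        allowed = _last_word(lines, "switchport trunk allowed vlan")
        if allowed is None or allowed.lower() == "all":
            findings.append("trunk carries all VLANs (no explicit 'switchport trunk allowed vlan' list)")
        elif int(native) in expand_vlans(allowed):
            findings.append(f"native VLAN {native} is also carried as a data VLAN on the trunk")
    else:
        for cmd in REQUIRED_DOT1X:
            if cmd not in cfg:
                findings.append(f"edge port missing '{cmd}'")
    return findings


def audit_config(config):
    """Audit every interface block; returns {interface name: [findings]}."""
    return {name: audit_port(name, lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

Run against a saved `show running-config`, the macro-built port (Gi1/0/1) and the dot1x port (Gi1/0/2) come back clean, while the hand-built trunk (Gi1/0/3) is flagged twice: nothing ties it to the ISE macro, and its native VLAN 10 is also inside the allowed range 1-20. The `allowed vlan add/remove/except` forms are not parsed here; treat any trunk using them as needing manual review.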
02-21-2019 03:26 AM