01-01-2019 12:53 AM - edited 01-01-2019 12:57 AM
My goal is to build out an applet to assign a dynamic description to any interface with an authenticated host, whether it be dot1x or MAB. I think this sounds like a great use case for event identity interface regexp Ethernet.*, but I can't even get a syslog msg or puts to display a message.
Here is what I've tried...
event manager applet int_desc
event identity interface regexp Ethernet.*
action 00.00 syslog msg " ## Auth event on: $_identity_interface"
action 00.01 cli command "enable"
action 00.02 cli command "conf t"
action 00.03 cli command "int $_identity_interface"
action 00.04 cli command "desc AUTH"
action 00.05 exit
I have tried this on a C3850-12X48U-S and a C3650-48FQM-S, both running IOS-XE 16.3.6. Here is the output from show event man version (same from both switches).
#show eve man ver
Embedded Event Manager Version 4.00
Component Versions:
eem: (dev10)1.1.5
eem-gold: (rel1)1.0.2
eem-call-home: (rel2)1.0.5
Event Detectors:
Name                Version  Node     Type
application         01.00    node0/0  RP
rf                  01.00    node0/0  RP
identity            01.00    node0/0  RP
mat                 01.00    node0/0  RP
neighbor-discovery  01.00    node0/0  RP
generic-xed         01.00    node0/0  RP
syslog              01.00    node0/0  RP
generic             01.00    node0/0  RP
routing             03.00    node0/0  RP
rpc                 01.00    node0/0  RP
cli                 01.00    node0/0  RP
counter             01.00    node0/0  RP
interface           01.00    node0/0  RP
ioswdsysmon         01.00    node0/0  RP
none                01.00    node0/0  RP
oir                 01.00    node0/0  RP
snmp                01.00    node0/0  RP
snmp-object         01.00    node0/0  RP
snmp-notification   01.00    node0/0  RP
timer               01.00    node0/0  RP
test                01.00    node0/0  RP
config              01.00    node0/0  RP
env                 01.00    node0/0  RP
ds                  01.00    node0/0  RP
crash               01.00    node0/0  RP
gold                01.00    node0/0  RP
01-02-2019 10:00 AM
I haven't tried this ED, and I do recall some issues with it in the past. You should enable debug event manager detector for identity and see if you get any event messages. Is there a dot1x syslog you can use instead?
01-02-2019 12:01 PM - edited 01-02-2019 02:46 PM
This ED, has ED? 🤣 Sorry inappropriate way to start my 2019 posting history.
I did try to debug event manager detector identity, but nothing shows up when an interface auth's a connected device. The only time messages show up is when I type show run or edit the config of an applet with an identity trigger while that debug is enabled.
I want to avoid spamming the switch syslog with dot1x/mab auth messages; we're using ISE and getting all of the logging/accounting we need there.
My current workaround is to use %LINEPROTO-5-UPDOWN.*changed state to up$ as follows;
$vlan and the last four digits of the MAC address as $macaddr
...({{vl.egm.id}} is from my J2 switch template)...
$ipaddr and sets $newdesc as [EGM]$ipaddr/$macaddr, example [EGM].91/abcd.
$olddesc, only updates if $newdesc is different.
event manager applet int_desc
!-- `event identity interface regexp Ethernet.* authz-complete`
event syslog occurs 1 pattern "%LINEPROTO-5-UPDOWN.*changed state to up$" maxrun 60
action 00.00 cli command "enable"
action 00.01 regexp "([^\ ][A-Za-z]+)([/0-9]+), changed state to up$" "$_syslog_msg" match type int
action 00.02 while 1 eq 1
action 00.03 wait 2
action 00.04 cli command "show mac addr int $type$int | inc $int\ *$"
action 00.05 regexp "^\ *([0-9]+)\ *[a-f0-9]+\.[a-f0-9]+\.([a-f0-9]+)" "$_cli_result" match vlan macaddr
action 00.06 if $_regexp_result eq "1" goto 01.00
action 00.07 end
!-- Use actions 01.xx - 98.xx for different VLAN/client types.
action 01.00 if $vlan eq "{{vlan.egm.id}}"
action 01.01 while 1 eq 1
action 01.02 wait 2
action 01.03 cli command "show auth sess int $type$int det | i IPv4"
action 01.04 regexp "IPv4 Address:\ *[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)" "$_cli_result" match ipaddr
action 01.05 if $_regexp_result eq "1"
action 01.06 set newdesc "[EGM]$ipaddr/$macaddr"
action 01.07 break
action 01.08 end
action 01.09 end
action 01.10 end
!-- Check current interface description, only update if $newdesc is different.
action 99.00 if $newdesc ne ""
action 99.01 cli command "show int $type$int | i ^[\ ]*[Dd]escription"
action 99.02 set output "$_cli_result"
action 99.03 regexp "^\ *[Dd]escription" "$output"
action 99.04 if $_regexp_result ne "1"
action 99.05 set olddesc "<none>"
action 99.06 else
action 99.07 set i "0"
action 99.08 foreach line "$output" "\n"
action 99.09 increment i
action 99.10 if $i eq "1"
action 99.11 string trim "$line"
action 99.12 set line "$_string_result"
action 99.13 regexp "^\ *[Dd]escription:\ *(.*)" "$line" match olddesc
action 99.14 end
action 99.15 end
action 99.16 end
action 99.17 if $newdesc eq $olddesc
action 99.18 syslog msg " ## Authed client on $type$int ($newdesc), description does not require updating."
action 99.19 else
action 99.20 syslog msg " ## Authed client on $type$int ($newdesc), updating description (was: $olddesc)."
action 99.21 cli command "conf t"
action 99.22 cli command "int $type$int"
action 99.23 cli command "desc $newdesc"
action 99.24 cli command "end"
action 99.25 cli command "write mem" pattern "confirm|#"
action 99.26 cli command ""
action 99.27 end
action 99.28 end
This all works, but I have a separate applet for CDP neighbors, triggered by event neighbor-discovery interface regexp Ethernet.* cdp add as well, and they both trigger simultaneously. I looked into tagging and correlating the events but wasn't successful; I'm pretty new to all of this.
Anyways, my preference/goal would be for the int_desc applet to trigger only if the cdp_desc applet does not trigger.
Here is my cdp_desc applet for reference...
event manager applet cdp_desc
event neighbor-discovery interface regexp Ethernet.* cdp add
action 00.00 cli command "enable"
action 00.01 string range "$_nd_local_intf_name" 0 1
action 00.02 set type "$_string_result"
action 00.03 regexp "[/0-9]+$" "$_nd_local_intf_name" int
action 00.04 regexp "[/0-9]+$" "$_nd_port_id" neiint
action 00.05 regexp "AIR|Phone|ATA" "$_nd_cdp_platform" neiplat
action 00.06 if $_regexp_result ne "1"
action 00.07 regexp "^[^\.\(]+" "$_nd_cdp_entry_name" nei
action 00.08 set newdesc "$nei:$neiint"
action 00.09 else
action 00.10 if $neiplat eq "AIR"
action 00.11 set capwap_vl "{{vlan.mgmt_ap.id}}"
action 00.12 regexp "AIR-AP([A-Z0-9]+)" "$_nd_cdp_platform" match model
action 00.13 cli command "show mac addr int $type$int | i ^\ *$capwap_vl"
action 00.14 regexp "^\ *[0-9]+\ *[a-f0-9]+\.[a-f0-9]+\.([a-f0-9]+)" "$_cli_result" match macaddr
action 00.15 set newdesc "[AP]$model/$macaddr"
action 00.20 elseif $neiplat eq Phone
action 00.21 regexp "[0-9]+$" "$_nd_cdp_platform" model
action 00.22 regexp "....$" "$_nd_cdp_entry_name" macaddr
action 00.23 set newdesc "[SEP]$model/$macaddr"
action 00.30 elseif $neiplat eq ATA
action 00.31 regexp "[0-9]+$" "$_nd_cdp_platform" model
action 00.32 regexp "....$" "$_nd_cdp_entry_name" macaddr
action 00.33 set newdesc "[ATA]$model/$macaddr"
action 00.98 end
action 00.99 end
action 01.00 cli command "show int $_nd_local_intf_name | i ^\ *[Dd]escription"
action 01.01 set output "$_cli_result"
action 01.02 regexp "^\ *[Dd]escription" "$output"
action 01.03 if $_regexp_result ne "1"
action 01.04 set olddesc "<none>"
action 01.05 else
action 01.06 set i "0"
action 01.07 foreach line "$output" "\n"
action 01.08 increment i
action 01.09 if $i eq "1"
action 01.10 string trim "$line"
action 01.11 set line "$_string_result"
action 01.12 regexp "^\ *[Dd]escription:\ *(.*)" "$line" match olddesc
action 01.13 end
action 01.14 end
action 01.15 end
action 02.00 if $newdesc eq "$olddesc"
action 02.01 syslog msg " ## New CDP neighbor on $type$int ($newdesc), description does not require updating."
action 02.02 else
action 02.03 syslog msg " ## New CDP neighbor on $type$int ($newdesc), updating description (was: $olddesc)."
action 02.04 cli command "conf t"
action 02.05 cli command "int $_nd_local_intf_name"
action 02.06 cli command "desc $newdesc"
action 02.07 cli command "end"
action 02.08 cli command "write mem" pattern "confirm|#"
action 02.09 cli command ""
action 02.10 end
01-03-2019 07:08 AM
Yeah, seems like you may be hitting a bug, then. TAC would be able to help identify why the identity ED is not working if you'd like to pursue that over your workaround. The MAT ED may also be something to try rather than scanning the MAC address table for a new MAC.
01-03-2019 11:10 AM - edited 01-03-2019 11:11 AM
Thanks Joe - any thoughts on defining two different events/triggers to run a separate set of actions? The cdp_desc applet works well but I'd also like to be able to apply descriptions for other interfaces where CDP (or LLDP) info is not available.
All interfaces are going to auth, so I can work through how I want to build the description text; my issue is that if the cdp_desc applet triggers then I don't want the other event or actions (int_desc applet) to run their course.
01-04-2019 06:55 AM
The link change will happen before CDP, so you could have that applet install a nested third applet that counts down for 75 seconds or so. When that applet runs, it checks to see if the description has been set via CDP and if not, it sets it based on MAC.
07-17-2019 07:34 AM
Thanks. I was also struggling with the non-working identity detector. In fact, your applet has become the base for mine, which checks for dynamically assigned VLANs and configures them as the static access VLAN for the critical authorization case, when the RADIUS servers are not reachable after a power outage and cached re-authentication is not working.
Attached is my applet, perhaps it is of help for somebody.
event manager applet AUTOMATION-CRITICAL-AUTHZ authorization bypass
event syslog severity-notification pattern "MGR-5-SUCCESS" maxrun 60
action 00.00 cli command "enable"
action 00.01 regexp "Authorization succeeded for client.*on Interface ([A-Za-z]+)([\/0-9]+)" "$_syslog_msg" match type int
action 00.02 while 1 eq 1
action 00.03 wait 2
action 00.04 cli command "show interface $type$int switchport | inc Access Mode VLAN"
action 00.05 regexp "Access Mode VLAN:\ ([0-9]+)" "$_cli_result" match assignedvlan
action 00.06 if $_regexp_result eq "1" goto 01.00
action 00.07 end
action 01.00 while 1 eq 1
action 01.01 wait 2
action 01.02 cli command "show run interface $type$int | i switchport access vlan"
action 01.03 regexp "switchport access vlan\ +([0-9]+)" "$_cli_result" match configuredvlan
action 01.04 if $_regexp_result eq "1" goto 02.00
action 01.05 end
action 02.00 while 1 eq 1
action 02.01 wait 2
action 02.02 cli command "show vlan group group-name highsecure"
action 02.03 regexp "vlan group highsecure \:([0-9]+)" "$_cli_result" match highsecurevlan
action 02.04 if $_regexp_result eq "1" goto 99.00
action 02.05 end
action 99.00 if $assignedvlan ne "$highsecurevlan"
action 99.01 if $assignedvlan ne "$configuredvlan"
action 99.02 syslog priority warnings msg "Configured access vlan of interface $type$int updated from $configuredvlan to $assignedvlan"
action 99.03 cli command "enable"
action 99.04 cli command "configure terminal"
action 99.05 cli command "int $type$int"
action 99.06 cli command "switchport access vlan $assignedvlan"
action 99.07 cli command "end"
action 99.08 cli command "write memory"
action 99.09 end
action 99.10 end
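The int_desc applet above and the AUTOMATION-CRITICAL-AUTHZ applet share one pattern: match a syslog line, scrape a few show commands with regexp, and only push config when the parsed state differs. As an added example (not code from either poster), here is that decision logic in Python over constructed sample CLI output, so the regexes and the two guards (EGM VLAN only; never pin the highsecure VLAN as the static fallback) can be checked offline before they go into an applet. The sample lines, the egm_vlan value standing in for {{vlan.egm.id}}, and the highsecure group number are all constructed.

```python
import re

# Constructed sample CLI output shaped like the commands the applets run (not real captures).
LINEPROTO = "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to up"
MAC_TABLE = "  10    0050.56ab.cdef    STATIC      Gi1/0/7"
AUTH_SESS = "            IPv4 Address:  10.20.30.91"
SHOW_INT = "  Description: [EGM].88/0000"
AUTHZ_LOG = "%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0050.56ab.cdef) on Interface Gi1/0/5"
SWITCHPORT = "Access Mode VLAN: 20 (VLAN0020)"
RUN_INT = " switchport access vlan 10"
VLAN_GROUP = "vlan group highsecure :900"   # constructed; stands in for the poster's group

def grab(pattern, text):
    """First match's capture groups, like EEM 'regexp ... match'; None when nothing matched."""
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None

def int_desc(syslog, mac_table, auth_sess, egm_vlan="10"):
    """int_desc applet: (interface, '[EGM]<last IP octet>/<last 4 MAC digits>' or None)."""
    type_, int_ = grab(r"Interface ([A-Za-z]+)([/0-9]+), changed state to up$", syslog)
    vlan, mac4 = grab(r"^\s*(\d+)\s+[a-f0-9]+\.[a-f0-9]+\.([a-f0-9]{4})", mac_table)
    if vlan != egm_vlan:  # actions 01.xx only handle the EGM VLAN
        return type_ + int_, None
    ip_last = grab(r"IPv4 Address:\s*\d+\.\d+\.\d+(\.\d+)", auth_sess)[0]
    return type_ + int_, f"[EGM]{ip_last}/{mac4}"

def current_desc(show_int):
    """Existing description from 'show int X | i Description'; '<none>' when unset."""
    m = grab(r"^\s*[Dd]escription:\s*(.*)", show_int)
    return m[0].strip() if m else "<none>"

def needs_update(newdesc, olddesc):
    """Only touch the config when there is a new description and it differs."""
    return newdesc is not None and newdesc != olddesc

def critical_authz_vlan(syslog, switchport, run_int, vlan_group):
    """AUTOMATION-CRITICAL-AUTHZ applet: (interface, VLAN to pin as static access VLAN or None)."""
    type_, int_ = grab(r"Authorization succeeded for client.*on Interface ([A-Za-z]+)([/0-9]+)", syslog)
    assigned = (grab(r"Access Mode VLAN:\s*(\d+)", switchport) or (None,))[0]
    configured = (grab(r"switchport access vlan\s+(\d+)", run_int) or (None,))[0]
    highsecure = (grab(r"vlan group highsecure\s*:\s*(\d+)", vlan_group) or (None,))[0]
    # Never persist the high-security VLAN as the no-RADIUS fallback, and skip no-op rewrites.
    if assigned is None or assigned == highsecure or assigned == configured:
        return type_ + int_, None
    return type_ + int_, assigned

if __name__ == "__main__":
    intf, new = int_desc(LINEPROTO, MAC_TABLE, AUTH_SESS)
    print(intf, new, needs_update(new, current_desc(SHOW_INT)))  # GigabitEthernet1/0/7 [EGM].91/cdef True
    print(critical_authz_vlan(AUTHZ_LOG, SWITCHPORT, RUN_INT, VLAN_GROUP))  # ('Gi1/0/5', '20')
```

Unlike the applet's while loops, a missing match here returns None instead of retrying until maxrun expires, which is the case to watch for when a port has no static access VLAN configured.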
09-16-2021 01:05 PM
The same on C9300-48UXM 17.03.04.
What a shame for Cisco to make such dummy decoys.