Showing results for 
Search instead for 
Did you mean: 

Event Detector Identity, does it actually work?

My goal is to build out an applet to assign a dynamic description to any interface with an authenticated host, whether it be dot1x or MAB. I think this sounds like a great use case for event identity interface regexp Ethernet.*, but I can't even get a syslog msg or puts to display a message.

Here is what I've tried...

event manager applet int_desc
 event identity interface regexp Ethernet.*
 action 00.00 syslog msg "  ## Auth event on: $_identity_interface
 action 00.01 cli command "enable"
 action 00.02 cli command "conf t"
 action 00.03 cli command "int $_identity_interface"
 action 00.03 cli command "desc AUTH"
 action 00.04 exit

I have tried this on a C3850-12X48U-S and a C3650-48FQM-S, both running IOS-XE 16.3.6, here is the output from show event man version (same from both switches).

#show eve man ver
Embedded Event Manager Version 4.00
Component Versions:
eem: (dev10)1.1.5
eem-gold: (rel1)1.0.2
eem-call-home: (rel2)1.0.5
Event Detectors:
Name                Version   Node        Type    
application         01.00     node0/0     RP      
rf                  01.00     node0/0     RP      
identity            01.00     node0/0     RP      
mat                 01.00     node0/0     RP      
neighbor-discovery  01.00     node0/0     RP      
generic-xed         01.00     node0/0     RP      
syslog              01.00     node0/0     RP      
generic             01.00     node0/0     RP      
routing             03.00     node0/0     RP      
rpc                 01.00     node0/0     RP      
cli                 01.00     node0/0     RP      
counter             01.00     node0/0     RP      
interface           01.00     node0/0     RP      
ioswdsysmon         01.00     node0/0     RP      
none                01.00     node0/0     RP      
oir                 01.00     node0/0     RP      
snmp                01.00     node0/0     RP      
snmp-object         01.00     node0/0     RP      
snmp-notification   01.00     node0/0     RP      
timer               01.00     node0/0     RP      
test                01.00     node0/0     RP      
config              01.00     node0/0     RP      
env                 01.00     node0/0     RP      
ds                  01.00     node0/0     RP      
crash               01.00     node0/0     RP      
gold                01.00     node0/0     RP      


Joe Clarke
Hall of Fame Cisco Employee

I haven't tried this ED, and I do recall some issues with it in the past.  You should enable debug event manager detector for identity and see if you get any event messages.  If there a dot1x syslog you can use instead?

This ED, has ED? 🤣 Sorry inappropriate way to start my 2019 posting history.

I did try to debug event manager detector identity, but nothing shows up when an interface auth's a connected device. The only time messages show up is when I type show run or edit the config of an applet with an identity trigger while that debug is enabled.

I want to avoid spamming the switch syslog with dot1x/mab auth messages, we're using ISE and getting all of the logging/accounting we need there.

My current workaround is to use %LINEPROTO-5-UPDOWN.*changed state to up$ as follows;

  • Triggered by syslog...
  • [00.00 - 00.07] Checks the MAC address table of the interface every 2 seconds until a MAC is present, stores the vlan as $vlan and the last four digits of the MAC address as $macaddr...
  • [01.00 - 01.10] If the MAC address is in a certain VLAN (Note: {{}} is from my J2 switch template)...
    • Checks the auth session on the interface every 2 seconds until a valid IP address is present, grabs the last octet as $ipaddr and sets $newdesc as [EGM]$ipaddr/$macaddr, example [EGM].91/abcd.
  • [02.xx - 98.xx] Reserved for other VLANs to prepend the description accordingly.
  • [99.00 - 99.28] Checks the current interface description as $olddesc, only updates if $newdesc is different.
event manager applet int_desc
 !-- `event identity interface regexp Ethernet.* authz-complete`
 event syslog occurs 1 pattern "%LINEPROTO-5-UPDOWN.*changed state to up$" maxrun 60
 action 00.00 cli command "enable"
 action 00.01 regexp "([^\ ][A-Za-z]+)([/0-9]+), changed state to up$" "$_syslog_msg" match type int
 action 00.02 while 1 eq 1
 action 00.03  wait 2
 action 00.04  cli command "show mac addr int $type$int | inc $int\ *$"
 action 00.05  regexp "^\ *([0-9]+)\ *[a-f0-9]+\.[a-f0-9]+\.([a-f0-9]+)" "$_cli_result" match vlan macaddr
 action 00.06  if $_regexp_result eq "1" goto 01.00
 action 00.07 end
 !-- Use actions 01.xx - 98.xx for different VLAN/client types.
 action 01.00 if $vlan eq "{{}}"
 action 01.01  while 1 eq 1
 action 01.02   wait 2
 action 01.03   cli command "show auth sess int $type$int det | i IPv4"
 action 01.04   regexp "IPv4 Address:\ *[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)" "$_cli_result" match ipaddr
 action 01.05   if $_regexp_result eq "1"
 action 01.06    set newdesc "[EGM]$ipaddr/$macaddr"
 action 01.07    break
 action 01.08   end
 action 01.09  end
 action 01.10 end
 !-- Check current interface description, only update if $newdesc is different.
 action 99.00 if $newdesc ne ""
 action 99.01  cli command "show int $type$int | i ^[\ ]*[Dd]escription"
 action 99.02  set output "$_cli_result"
 action 99.03  regexp "^\ *[Dd]escription" "$output"
 action 99.04  if $_regexp_result ne "1"
 action 99.05   set olddesc "<none>"
 action 99.06  else
 action 99.07   set i "0"
 action 99.08   foreach line "$output" "\n"
 action 99.09   increment i
 action 99.10    if $i eq "1"
 action 99.11     string trim "$line"
 action 99.12     set line "$_string_result"
 action 99.13     regexp "^\ *[Dd]escription:\ *(.*)" "$line" match olddesc
 action 99.14    end
 action 99.15   end
 action 99.16  end
 action 99.17  if $newdesc eq $olddesc
 action 99.18   syslog msg "  ## Authed client on $type$int ($newdesc), description does not require updating."
 action 99.19  else
 action 99.20   syslog msg "  ## Authed client on $type$int ($newdesc), updating description (was: $olddesc)." 
 action 99.21   cli command "conf t"
 action 99.22   cli command  "int $type$int"
 action 99.23   cli command  "desc $newdesc"
 action 99.24   cli command  "end"
 action 99.25   cli command "write mem" pattern "confirm|#"
 action 99.26   cli command ""
 action 99.27  end
 action 99.28 end

This all works, but I have a separate applet for CDP neighbors, triggered by event neighbor-discovery interface regexp Ethernet.* cdp add as well and they both trigger simultaneously. I looked into tagging and correlating the events but wasn't successful, I'm pretty new to all of this.

Anyways, my preference/goal would be for the int_desc applet trigger only if the cdp_desc applet does not trigger.

Expand spoiler for my cdp_desc applet for reference...

event manager applet cdp_desc
 event neighbor-discovery interface regexp Ethernet.* cdp add
 action 00.00 cli command "enable"
 action 00.01 string range "$_nd_local_intf_name" 0 1
 action 00.02 set type "$_string_result"
 action 00.03 regexp "[/0-9]+$" "$_nd_local_intf_name" int
 action 00.04 regexp "[/0-9]+$" "$_nd_port_id" neiint
 action 00.05 regexp "AIR|Phone|ATA" "$_nd_cdp_platform" neiplat
 action 00.06 if $_regexp_result ne "1"
 action 00.07  regexp "^[^\.\(]+" "$_nd_cdp_entry_name" nei
 action 00.08  set newdesc "$nei:$neiint"
 action 00.09 else
 action 00.10  if $neiplat eq "AIR"
 action 00.11   set capwap_vl "{{}}"
 action 00.12   regexp "AIR-AP([A-Z0-9]+)" "$_nd_cdp_platform" match model
 action 00.13   cli command "show mac addr int $type$int | i ^\ *$capwap_vl"
 action 00.14   regexp "^\ *[0-9]+\ *[a-f0-9]+\.[a-f0-9]+\.([a-f0-9]+)" "$_cli_result" match macaddr
 action 00.15   set newdesc "[AP]$model/$macaddr"
 action 00.20  elseif $neiplat eq Phone
 action 00.21   regexp "[0-9]+$" "$_nd_cdp_platform" model
 action 00.22   regexp "....$" "$_nd_cdp_entry_name" macaddr
 action 00.23   set newdesc "[SEP]$model/$macaddr"
 action 00.30  elseif $neiplat eq ATA
 action 00.31   regexp "[0-9]+$" "$_nd_cdp_platform" model
 action 00.32   regexp "....$" "$_nd_cdp_entry_name" macaddr
 action 00.33   set newdesc "[ATA]$model/$macaddr"
 action 00.98  end
 action 00.99 end
 action 01.00 cli command "show int $_nd_local_intf_name | i ^\ *[Dd]escription"
 action 01.01 set output "$_cli_result"
 action 01.02 regexp "^\ *[Dd]escription" "$output"
 action 01.03 if $_regexp_result ne "1"
 action 01.04  set olddesc "<none>"
 action 01.05 else
 action 01.06  set i "0"
 action 01.07  foreach line "$output" "\n"
 action 01.08   increment i
 action 01.09   if $i eq "1"
 action 01.10    string trim "$line"
 action 01.11    set line "$_string_result"
 action 01.12    regexp "^\ *[Dd]escription:\ *(.*)" "$line" match olddesc
 action 01.13   end
 action 01.14  end
 action 01.15 end
 action 02.00 if $newdesc eq "$olddesc"
 action 02.01  syslog msg "  ## New CDP neighbor on $type$int ($newdesc), description does not require updating."
 action 02.02 else
 action 02.03  syslog msg "  ## New CDP neighbor on $type$int ($newdesc), updating description (was: $olddesc)."
 action 02.04  cli command "conf t"
 action 02.05  cli command "int $_nd_local_intf_name"
 action 02.06  cli command "desc $newdesc"
 action 02.07  cli command "end"
 action 02.08  cli command "write mem" pattern "confirm|#"
 action 02.09  cli command ""
 action 02.10 end


Joe Clarke
Hall of Fame Cisco Employee

Yeah, seems like you may be hitting a bug, then.  TAC would be able to help identify why the identity ED is not working if you'd like to pursue that over your workaround.  The MAT ED may also be something to try rather than scanning the MAC address table for a new MAC.

Thanks Joe - any thoughts on defining two different events/triggers to run a separate set of actions? The cdp_desc applet works well but I'd also like to be able to apply descriptions for other interfaces where CDP (or LLDP) info is not available.

All interfaces are going to auth so I can work through how I want to build the description text, my issue is that if the cdp_desc applet triggers then I don't want the other event or actions (int_desc applet) to run their course.

Joe Clarke
Hall of Fame Cisco Employee

The link change will happen before CDP, so you could have that applet install a nested third applet that counts down for 75 seconds or so.  When that applet runs, it checks to see if the description has been set via CDP and if not, it sets it based on MAC.

Thanks. I was also struggling with the not working identity detector. In fact, your applet has become the base for mine that checks for dynamically assigned VLANs and configures it as static access vlan for the critical authorization case when the RADIUS servers are not reachable after suffering from a power outage, where cached re-authentication is not working.

Attached is my applet, perhaps it is of help for somebody.

event manager applet AUTOMATION-CRITICAL-AUTHZ authorization bypass
event syslog severity-notification pattern "MGR-5-SUCCESS" maxrun 60
action 00.00 cli command "enable"
action 00.01 regexp "Authorization succeeded for client.*on Interface ([A-Za-z]+)([\/0-9]+)" "$_syslog_msg" match type int
action 00.02 while 1 eq 1
action 00.03 wait 2
action 00.04 cli command "show interface $type$int switchport | inc Access Mode VLAN"
action 00.05 regexp "Access Mode VLAN:\ ([0-9]+)" "$_cli_result" match assignedvlan
action 00.06 if $_regexp_result eq "1" goto 01.00
action 00.07 end
action 01.00 while 1 eq 1
action 01.01 wait 2
action 01.02 cli command "show run interface $type$int | i switchport access vlan"
action 01.03 regexp "switchport access vlan\ +([0-9]+)" "$_cli_result" match configuredvlan
action 01.04 if $_regexp_result eq "1" goto 02.00
action 01.05 end
action 02.00 while 1 eq 1
action 02.01 wait 2
action 02.02 cli command "show vlan group group-name highsecure"
action 02.03 regexp "vlan group highsecure \:([0-9]+)" "$_cli_result" match highsecurevlan
action 02.04 if $_regexp_result eq "1" goto 99.00
action 02.05 end
action 99.00 if $assignedvlan ne "$highsecurevlan"
action 99.01 if $assignedvlan ne "$configuredvlan"
action 99.02 syslog priority warnings msg "Configured access vlan of interface $type$int updated from $configuredvlan to $assignedvlan"
action 99.03 cli command "enable"
action 99.04 cli command "configure terminal"
action 99.05 cli command "int $type$int"
action 99.06 cli command "switchport access vlan $assignedvlan"
action 99.07 cli command "end"
action 99.08 cli command "write memory"
action 99.09 end
action 99.10 end 


the same on C9300-48UXM 17.03.04 .

what a shame for Cisco to make such a dummy decoys