Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
542
Views
0
Helpful
0
Replies

IBNS2.0 Cannot nest class-map

rlienard
Level 1
Level 1

‎09-03-2021 09:51 AM - edited ‎09-03-2021 11:17 AM

Hi all,

I'm trying to do the following :

 

service-template IOT_DEVICES_TEMPLATE
   sgt 3
   vlan 100
!

class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_IOT_DEVICES
   match result-type aaa-timeout
   match authorization-status unauthorized
   match --->>> I would like to match a list of MAC OUI here but I can't since the "match-all" condition is set and I need it
!
class-map type control subscriber match-any IN_LOCAL_AUTH_MODE
   match activated-service-template IOT_DEVICES_TEMPLATE
!
policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

....
    event authentication-failure match-first
       6 class AAA_SVR_DOWN_UNAUTHD_IOT_DEVICES do-until-failure
          10 activate service-template IOT_DEVICES_TEMPLATE
          30 authorize
          40 pause reauthentication
    event aaa-available match-all
       30 class IN_LOCAL_AUTH_MODE do-until-failure
          10 clear-session
!

Basically I need to nest a class-map with a match-any condition inside a class-map with a match-all condition..

This seems not be supported so do someone has a good alternative to this ?

 

I would like to avoid creating one class-map per OUI family

 

Best regards,

Raphael

Raphael Lienard | CCIE #63267
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card