cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
619
Views
0
Helpful
2
Replies
Dan Beginner
Beginner

IBNS 2.0: 2960X, ISE2.4, Interface Template Unbinding

Hi

 

I'm attemping to automatically configure an interface using a template. The template is already on the switch, ISE is pushing the template name with the Authz. Standard IBNS 2.0 stuff.

 

Config here:

template APAutoConfig
switchport trunk native vlan 120
switchport mode trunk
access-session host-mode multi-host

access-session interface-template sticky timer 10

 

template Dot1x-Port
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
switchport access vlan 120
switchport mode access
switchport voice vlan 170
mab
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber DOT1X_AND_MAB
description - Dot1x -

 

interface GigabitEthernet1/0/22
no logging event link-status
access-session closed
no snmp trap link-status
snmp ifindex persist
source template Dot1x-Port
spanning-tree portfast edge

I'm on Version 15.2(4)E7. The APAutoConfig template gets applied, then seconds later gets unapplied and it goes through this constantly, every 3-20 seconds.

TEMPLATE EVENT: Gi1/0/22: Unbinding template APAutoConfig
TEMPLATE EVENT: APAutoConfig :ccb_bound(FALSE), visible(TRUE), pref_count(0)
TEMPLATE EVENT: Gi1/0/22: Binding template APAutoConfig

What's going on here? I've taken each line out of the base Dot1x-Port to see if it's causing a problem but it's made no change. Changing the sticky timer made no difference. I'm sure this worked on an older IOS version because I tested it before putting it on this switch config. I had to update for another reason - I've tried 2 different IOS versions - and it's simply not working. Is this a bug or am I missing something here?

 

Thanks

2 REPLIES 2
Highlighted
Beginner

Re: IBNS 2.0: 2960X, ISE2.4, Interface Template Unbinding

Hi Dan

hopefully u've already resolved the problem. If u didnt just dont change host-mode within dynamic server template. Just stay with single host-mode multi-auth. 

Dan Beginner
Beginner

Re: IBNS 2.0: 2960X, ISE2.4, Interface Template Unbinding

Hi

 

Unfortunately that wouldn't work, for the access point to work you need 'host-mode multi-host' to work, but we don't want the same on an access port connected to a PC. 

 

We did figure it out though - for whatever reason, in certain versions, Cisco have broken the template assignment. We were trying the newer, recommended IOS versions and they were all giving us problems. Luckily, the version that came with all ~330 of our 2960Xs works most of the time with a few configuration tweaks. Certain things in this version can't be applied on an interface-template, that could be in the newer versions.