04-08-2019 12:44 PM
Hi Gurus
I'm looking for the ultimate solution for replacing auto-macros with the IBNS 2.0 approach, with ISE acting as the dynamic authorization source. I was thinking about downloadable interface templates, but I lack good documentation. Can somebody help on the subject?
04-08-2019 03:41 PM
04-09-2019 05:16 AM
There is a lot of stuff out there, but this document here is excellent - it's an end-to-end story for wired 802.1X and covers the IBNS 1.0 to 2.0 stuff really well. I did a deployment recently and it was pretty much exactly as in the guide.
04-09-2019 05:20 AM
Hi Arne
I can't see what source you are referencing exactly...
04-09-2019 06:30 AM
04-09-2019 09:31 AM
From what I've learnt recently, replacing Auto Smart Port is almost useless, as the switch fails to apply the authorization accept sent by ISE if the locally configured interface template changes the host mode. Most requirements are not only to change the switchport from access to trunk etc., but also to change the .1X host mode.
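For readers who have not seen the IBNS 2.0 pieces side by side, here is an added example (not from this thread or from Cisco's guide) of a static port template that carries the host mode locally, plus the show commands a practitioner uses to check what the port actually ended up with after ISE's RADIUS Access-Accept was applied. The template name, VLAN number and policy-map name are assumptions for illustration; the `service-policy type control subscriber` policy referenced in the template is assumed to exist on the switch.

```cisco
! --- Added example: IBNS 2.0 interface template applied locally ---
! The host mode lives inside the template. If an ISE authorization
! result needs a different host mode, the two are in conflict, which
! is the behaviour the post above describes.
template WIRED_ACCESS_TEMPLATE
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 mab
 access-session host-mode multi-auth
 access-session port-control auto
 service-policy type control subscriber POLICY_DOT1X_MAB
!
interface GigabitEthernet1/0/1
 source template WIRED_ACCESS_TEMPLATE
!
! --- Verification after an endpoint authenticates ---
! Running-config only shows the 'source template' line; derived-config
! shows the commands the template actually expanded to on the port.
show derived-config interface GigabitEthernet1/0/1
!
! Per-session view: method used, authorization status, VLAN/ACL
! attributes received from ISE, and the effective host mode.
show access-session interface GigabitEthernet1/0/1 details
!
! Which templates exist and where they came from (user vs built-in).
show template interface source user
```

Compare the host mode shown under `show access-session ... details` with the one in the derived config: when they differ, the locally bound template is what the switch is honouring, and the attribute ISE sent has not taken effect on that port.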
04-09-2019 01:43 PM
Thanks @Jason Kunst - I forgot the paste command - had it all ready to go. That's the one. My customer deployed 9300 and 9400 switches and it would be a shame not to use IBNS 2.0 - especially on the 9400, because there are lots of ports on that chassis. Config looks tidier with 2.0. And we also used the auth-fail stuff. I didn't get as far as using user role assignment. This is like persistence if ISE should fail. It will cache the role of a MAC and then apply it in the event ISE doesn't respond. It's like auth-fail VLAN/ACL on steroids.
04-09-2019 11:46 PM
Hi Arne,
Tons of thanks for the valuable input. BTW, do you know if Cat9Ks with Fuji 16.9.2 support multiple VLAN authorization on an access port? The docs I've read so far state that only limited platforms support it (as BRKSEC-2691 states, for example):
Per MAC VLAN Assignment
- Before Cat3850 / Cat3650: One port, one VLAN per access port (1:1)
- Exception: Voice (one Data Device untagged, one Voice Device tagged w/ VVLAN)
- Later: Allowing VLAN assignment on multi-authentication ports, but first device 'rules' the port.
- Now with Catalyst 2960X, 3850 & 3650: Each session can have individual VLAN assigned
  - 2960X 15.2(2)E
  - C3850 03.03.00SE
  - C3650 03.03.00SE
04-10-2019 08:15 AM
10-24-2021 01:33 AM
Right now I have a C9K deployment on 17.3.4 with 2 endpoints connected to a single switch port, and they got authorized in different VLANs. Effectively, traffic passes only for one of them (the one whose VLAN is shown as the operational access VLAN in `show interface X switchport`).