Beginner

IBNS 2.0 / auto macros replacement

Hi Gurus

I'm looking for the ultimate solution for replacing auto-macros with the IBNS 2.0 approach, with ISE acting as the dynamic authorization source. I was thinking about downloadable interface templates, but I lack good documentation. Can somebody help on the subject?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: IBNS 2.0 / auto macros replacement

Would recommend asking the switch team, as this is not specific to ISE.
VIP Engager

Re: IBNS 2.0 / auto macros replacement

There is a lot of stuff out there, but this document here is excellent - it's an end-to-end story for wired 802.1X and covers the IBNS 1.0 to 2.0 stuff really well. I did a deployment recently and it was pretty much exactly as in the guide.

Beginner

Re: IBNS 2.0 / auto macros replacement

Hi Arne

I can't see what source you are referencing exactly...

Cisco Employee

Re: IBNS 2.0 / auto macros replacement

Beginner

Re: IBNS 2.0 / auto macros replacement

From stuff I've learnt recently, replacement of the Auto Smart Port is almost useless, as switches fail to apply the authorization accept sent by ISE if a locally configured interface template changes the host mode, because most requirements are not only to change switchport access to trunk etc. but also to change the .1X host mode.

VIP Engager

Re: IBNS 2.0 / auto macros replacement

Thanks @Jason Kunst - I forgot the paste command - had it all ready to go. That’s the one. My customer deployed 9300 and 9400 switches and it would be a shame not to use IBNS 2.0 - esp. on the 9400, because there are lots of ports on that chassis. Config looks tidier with 2.0. And we also used the auth fail stuff. I didn’t get as far as using user role assignment. This is like persistence if ISE should fail. It will cache the role of a MAC and then apply it in the event ISE doesn’t respond. It’s like auth fail VLAN/ACL on steroids.

 

Beginner

Re: IBNS 2.0 / auto macros replacement

Hi Arne,

Tons of thanks for the valuable input. BTW, do you know if Cat9Ks with Fuji 16.9.2 support multiple VLAN authorization on an access port? The docs I've read so far stated that only limited platforms support it (as BRKSEC-2691 states, for example):

Per MAC VLAN Assignment
• Before Cat3850 / Cat3650: One port, one VLAN per access port (1:1)
• Exception: Voice (one Data Device untagged, one Voice Device tagged w/ VVLAN)
• Later: Allowing VLAN assignment on multi-authentication ports, but first device ‘rules’ the port.
• Now with Catalyst 2960X, 3850 & 3650: Each session can have individual VLAN assigned
  • 2960X 15.2(2)E
  • C3850 03.03.00SE
  • C3650 03.03.00SE

Cisco Employee

Re: IBNS 2.0 / auto macros replacement

Please ask switching questions in the switching community on a new thread.