I'm looking for the ultimate solution for replacing auto-macros with the IBNS 2.0 approach, with ISE acting as the dynamic authorization source. I was thinking about downloadable interface templates, but I lack good documentation. Can somebody help on the subject?
There is a lot of stuff out there, but this document here is excellent: it's an end-to-end story for wired 802.1X and covers the IBNS 1.0 to 2.0 stuff really well. I did a deployment recently and it was pretty much exactly as in the guide.
From what I've learnt recently, replacing Auto Smart Port this way is almost useless, as the switch fails to apply the authorization accept sent by ISE if the locally configured interface template changes the host mode. In most cases the requirement is not only to change the switchport from access to trunk etc. but also to change the .1X host mode.
Thanks @Jason Kunst - I forgot the paste command; had it all ready to go. That's the one. My customer deployed 9300 and 9400 switches and it would be a shame not to use IBNS 2.0, especially on the 9400 because there are lots of ports on that chassis. Config looks tidier with 2.0. We also used the auth-fail stuff. I didn't get as far as using user role assignment. This is like persistence if ISE should fail: it will cache the role of a MAC and then apply it in the event ISE doesn't respond. It's like auth-fail VLAN/ACL on steroids.
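For anyone landing here looking for the config side of the above: here is a sketch of an IBNS 2.0 access-port template, the control policy it references (including the AAA-server-down "critical auth" handling mentioned above), and a second template that ISE could push by name. This is an added example, not config from any of the posters or from the linked Cisco guide; all template, class-map, policy and VLAN names are assumptions, and it assumes AAA/RADIUS towards ISE is already configured and that the ISE authorization profile returns the template name in the cisco-av-pair `interface-template-name=TRUNK_AP` (assumption). Note that TRUNK_AP changes the host mode, which is exactly the case the reply above reports as problematic.

```ios
! Added example (assumed names); not from the thread or the linked guide.
authentication display new-style
!
! Fallback VLAN used while ISE is unreachable (critical auth)
service-template CRITICAL_DATA
 vlan 999
!
! Template ISE is assumed to push via cisco-av-pair
! "interface-template-name=TRUNK_AP"; it must exist locally on the switch.
! It changes host mode, which the reply above reports as the failing case.
template TRUNK_AP
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 access-session host-mode multi-host
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
policy-map type control subscriber POLICY_DOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  ! ISE down, host not yet authorized: park it in the critical VLAN
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_DATA
   20 authorize
   30 pause reauthentication
  ! ISE down, host already authorized: keep the existing authorization
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  ! 802.1X rejected: fall back to MAB
  30 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class always do-until-failure
   10 resume reauthentication
!
! Default access-port template applied to the user-facing ports
template ACCESS_DOT1X
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x pae authenticator
 mab
 access-session host-mode multi-auth
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber POLICY_DOT1X
!
interface range GigabitEthernet1/0/1 - 48
 source template ACCESS_DOT1X
```

`show access-session interface <x> details` shows which template and service template are active on a session, and `show template interface source user` lists the locally defined interface templates; both are useful when checking whether an ISE-pushed template name actually got applied.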
Tons of thanks for the valuable input. BTW, do you know if Cat9Ks with Fuji 16.9.2 support multiple VLAN authorization on an access port? The docs I've read so far state that only limited platforms support it (as BRKSEC-2691 states, for example):
Per MAC VLAN Assignment
• Before Cat3850 / Cat3650: One port, one VLAN per access port (1:1)
• Exception: Voice (one Data Device untagged, one Voice Device tagged w/ VVLAN)
• Later: Allowing VLAN assignment on multi-authentication ports, but first device 'rules' the port.
• Now with Catalyst 2960X, 3850 & 3650: Each session can have individual VLAN assigned