09-15-2019 07:44 PM - edited 02-21-2020 11:09 AM
Hello
Is there a best practice around handling Cisco FlexConnect APs and their switchport configuration when doing profiling? Flex APs require commands relating to trunking and native VLAN etc. - which is different to the usual port template that I apply when I am authenticating access port devices.
I want all my Cat 9300 ports to have the same config to start off with - e.g. - and only if I AuthZ a FlexAP, I want ISE to send the necessary result to apply a different Port Template
interface FiveGigabitEthernet2/0/48
 device-tracking attach-policy IPDT_POLICY
 source template PORT-AUTH-TEMPLATE
 spanning-tree portfast
On the Cat 9300 switch (IOS-XE 16.9.4) I have created two port templates - one for access ports, and one for FlexAPs - they both share the same subscriber service policy (802.1X first, then MAB, etc. - IBNS 2.0)
template APFLEX-PORT-TEMPLATE
 spanning-tree portfast trunk
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 switchport trunk native vlan 99
 switchport mode trunk
 mab
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PORT-AUTH-POLICY
 description ** DOT1X FlexAP Trunk **
template PORT-AUTH-TEMPLATE
 spanning-tree portfast
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 15
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PORT-AUTH-POLICY
 description ** DOT1X Enabled Port **
When ISE profiles a Cisco AP, it returns an AuthZ result as follows:
It works but is this the correct approach? I noticed that even after the port is shut down, the config remains. It's not dynamic.
And the mixture of access and trunk settings looks messy.
We start off like this:

S1#show run int fiveGigabitEthernet 2/0/48
interface FiveGigabitEthernet2/0/48
 device-tracking attach-policy IPDT_POLICY
 source template PORT-AUTH-TEMPLATE
 spanning-tree portfast

When you successfully auth an AP on that port, then through the magic of IBNS the config changes slightly (port template sent via ISE):

S1#show run int fi 2/0/48
interface FiveGigabitEthernet2/0/48
 device-tracking attach-policy IPDT_POLICY
 source template PORT-AUTH-TEMPLATE
 spanning-tree portfast trunk
end

which currently 'expands' to a derived config of:

S1#show derived-config int fi 2/0/48
interface FiveGigabitEthernet2/0/48
 description ** DOT1X FlexAP Trunk **
 switchport access vlan 10
 switchport trunk native vlan 99
 switchport mode trunk
 switchport voice vlan 15
 device-tracking attach-policy IPDT_POLICY
 authentication periodic
 authentication timer reauthenticate server
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast trunk
 service-policy type control subscriber PORT-AUTH-POLICY
end

And for a sanity check, the AP is in trunk mode:

S1#show int fi 2/0/48 switchport
Name: Fi2/0/48
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 99 (VLAN099)
Administrative Native VLAN tagging: disabled
Voice VLAN: 15 (VLAN0015)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Vepa Enabled: false
Appliance trust: none
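One practical check for the concern raised in the post (access-mode settings lingering on a port that the FlexAP template has turned into a trunk), as an added example that is not from the original poster or from Cisco: a small Python audit over `show derived-config` text. The sample config is constructed from the derived config quoted above; the finding categories and function names are this example's own.

```python
from typing import Dict, List

# Constructed sample, based on the derived config quoted in the post: the
# FlexAP trunk template layered on top of the access-port template.
SAMPLE_DERIVED_CONFIG = """\
interface FiveGigabitEthernet2/0/48
 description ** DOT1X FlexAP Trunk **
 switchport access vlan 10
 switchport trunk native vlan 99
 switchport mode trunk
 switchport voice vlan 15
 access-session closed
 dot1x pae authenticator
 spanning-tree portfast trunk
end
"""

def parse_interfaces(text: str) -> Dict[str, List[str]]:
    """Split IOS-XE 'show derived-config' text into {interface: [config lines]}."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("end", "!"):
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces

def audit_port(lines: List[str]) -> List[str]:
    """Findings for one port: access leftovers on a trunk, trunk without a
    native VLAN, or a port that is not in closed-mode 802.1X."""
    findings = []
    mode = next((ln.split()[-1] for ln in lines if ln.startswith("switchport mode ")), None)
    access_left = any(ln.startswith(("switchport access vlan", "switchport voice vlan")) for ln in lines)
    has_native = any(ln.startswith("switchport trunk native vlan") for ln in lines)
    if mode == "trunk" and access_left:
        findings.append("trunk port still carries access/voice VLAN settings")
    if mode == "trunk" and not has_native:
        findings.append("trunk port has no native VLAN set")
    if "access-session closed" not in lines or "dot1x pae authenticator" not in lines:
        findings.append("port is not in closed-mode 802.1X")
    return findings

def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit every interface block in the given config text."""
    return {name: audit_port(lines) for name, lines in parse_interfaces(text).items()}
```

Feed `audit_config` the captured output of `show derived-config` (all interfaces at once) to list every port whose effective config mixes access and trunk settings or has lost its closed-mode authentication.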