Auto smartport ISE-triggered / access to trunk issue

Antho_Balitrand
Level 1

Hello all,

I'm trying to configure auto-smartport macros triggered via ISE (no CDP), to dynamically configure my access ports for FlexConnect access-point connections.

I created a macro, which is the following:

macro auto execute CISCO_FLEX_AP {
 if [[ $LINKUP == YES ]]
  then conf t
  interface $INTERFACE
  macro description $TRIGGER
  switchport trunk allowed vlan 200,2700-2799
  switchport trunk native vlan 200
  switchport mode trunk
  authentication host-mode multi-host
  spanning-tree portfast trunk
  exit
 fi
 if [[ $LINKUP == NO ]]
  then conf t
  interface $INTERFACE
  no macro description $TRIGGER
  no switchport trunk allowed vlan
  no switchport trunk native vlan
  authentication host-mode multi-auth
  switchport mode access
  no spanning-tree portfast trunk
  exit
 fi
}

The macro is correctly triggered by the ISE when my AP is authenticated (via MAB, for now).

Unfortunately, even though the port is converted to trunk mode with native VLAN 200, my access-point MAC address remains in the base access VLAN (1905):

Access#sh mac add int gI1/0/28
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1905    ecbd.1da3.xxxx    STATIC      Gi1/0/28 
Total Mac Addresses for this criterion: 1

I also tried to combine this macro with the "NEAT" parameter on ISE (thus removing the "switchport mode trunk" from the macro and returning both the macro name and the NEAT attribute from ISE), but the result is the same...

The switchport config is the following:

interface GigabitEthernet1/0/28
 switchport access vlan 1905
 switchport mode access
 switchport voice vlan 300
 switchport port-security maximum 5
 switchport port-security
 ip device tracking maximum 0
 authentication control-direction in
 authentication event fail retry 1 action next-method
 authentication event server dead action authorize vlan 1905
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout server-timeout 18
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 5
 dot1x timeout ratelimit-period 60
 dot1x max-req 1
 dot1x max-reauth-req 1
 storm-control broadcast level 0.15
 storm-control action trap
 no keepalive
 no cdp enable
end

Can you help me?

(IOS : 15.2(2)E5 on WS-C2960X-48LPS-L)

Thanks!
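As an added check (not code from the post or from Cisco), the following Python script parses the "show mac address-table interface" output quoted above together with an interface running-config excerpt, and flags any MAC learned in a VLAN other than the one the port's mode implies (the access VLAN on an access port, the native VLAN on a trunk). The MAC table text is the one from the post; the pre-macro config is an excerpt of the port config above; the post-macro config is constructed to match what the LINKUP==YES branch of the macro applies, assuming IOS keeps the old "switchport access vlan" line in the running config while the port is in trunk mode.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# "show mac address-table interface" output as quoted in the post above
# (the MAC is redacted on the page as ecbd.1da3.xxxx and kept as-is).
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1905    ecbd.1da3.xxxx    STATIC      Gi1/0/28
Total Mac Addresses for this criterion: 1
"""

# Excerpt of the pre-macro access config from the post.
PRE_MACRO_CONFIG = """\
interface GigabitEthernet1/0/28
 switchport access vlan 1905
 switchport mode access
 switchport voice vlan 300
 authentication host-mode multi-auth
end
"""

# Constructed excerpt of the port after the LINKUP==YES branch of the macro ran
# (assumption: IOS keeps the old access-vlan line in the config while trunking).
POST_MACRO_CONFIG = """\
interface GigabitEthernet1/0/28
 switchport access vlan 1905
 switchport trunk allowed vlan 200,2700-2799
 switchport trunk native vlan 200
 switchport mode trunk
 authentication host-mode multi-host
 spanning-tree portfast trunk
end
"""


@dataclass
class PortState:
    mode: str          # "access" or "trunk"
    access_vlan: int   # IOS default access VLAN is 1
    native_vlan: int   # IOS default native VLAN on a trunk is 1

    def expected_vlan(self) -> int:
        """VLAN in which untagged frames from the endpoint (the AP's own traffic) are learned."""
        return self.native_vlan if self.mode == "trunk" else self.access_vlan


def parse_interface_config(text: str) -> PortState:
    """Pick the switchport lines that decide the untagged VLAN out of a running-config excerpt."""
    mode, access_vlan, native_vlan = "access", 1, 1
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"switchport mode (access|trunk)", line):
            mode = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            access_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            native_vlan = int(m.group(1))
    return PortState(mode, access_vlan, native_vlan)


# One data row of the MAC table: VLAN, dotted-hex MAC ("x" allowed for the redacted sample), type, port.
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fx]{4}\.[0-9a-fx]{4}\.[0-9a-fx]{4})\s+(\S+)\s+(\S+)", re.I)


def parse_mac_table(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (vlan, mac, type, port) for every data row, skipping headers and the total line."""
    return [(int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4))
            for line in text.splitlines() if (m := MAC_ROW.match(line))]


def check_port(config_text: str, mac_table_text: str) -> List[str]:
    """One finding per MAC learned in a VLAN other than the one the port's current mode implies."""
    state = parse_interface_config(config_text)
    expected = state.expected_vlan()
    return [f"{mac} on {port} learned in VLAN {vlan}, but the port is {state.mode} "
            f"with untagged VLAN {expected}"
            for vlan, mac, _typ, port in parse_mac_table(mac_table_text)
            if vlan != expected]


if __name__ == "__main__":
    print("before macro:", check_port(PRE_MACRO_CONFIG, MAC_TABLE_OUTPUT) or "consistent")
    print("after macro: ", check_port(POST_MACRO_CONFIG, MAC_TABLE_OUTPUT) or "consistent")
```

Run against the pre-macro config the table is consistent (MAC in 1905, port access 1905); run against the post-macro config it reports the mismatch the post describes (MAC still in 1905 on a trunk whose native VLAN is 200), which is the condition to check for after each ISE-triggered macro before trusting that the AP landed in the intended VLAN.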

3 Replies

Antho_Balitrand
Level 1
Can anyone help me? :)

Try adding a

shut
no shut

to the list of commands to execute. Because your device is doing MAB, it doesn't know a VLAN change happened, so it won't request a new IP; but if you bounce the port after changing the VLAN, the AP will get an IP in the correct network.

safanawaheed
Level 1

Did you try adding "no switchport mode access" to the macro?
