04-26-2016 01:07 AM - edited 03-08-2019 05:29 AM
Hi all,
I'm having a strange issue when it comes to the auto smartport feature. Whenever I connect an AP I want to reconfigure the port via the locally configured macro. My setup looks like the following:
1. AP gets connected to a dot1x enabled switchport
2. AP authenticates and the switch gets the macro trigger delivered via ACS parameter
3. The locally configured macro gets triggered and reconfigures the port
So far so good. Until now everything works. The configuration is changed and the AP works in the desired mode. The problem is that when I disconnect the port it does not revert the configuration. I think this is because the macro is not triggered again.
My configuration looks like the following:
macro auto global processing
no macro auto global control device
no macro auto global control detection
shell trigger RADIUS_DOT1X_EVENT Radius Accept Triggers Port Configuration
macro auto execute RADIUS_DOT1X_EVENT {
if [ $LINKUP -eq YES ] ;
then conf t
default interface $INTERFACE
interface $INTERFACE
shut
description Access Point
switchport trunk native vlan 502
switchport mode trunk
switchport nonegotiate
no snmp trap link-status
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
no shut
end
fi
if [ $LINKUP -eq NO ]; then
conf t
default interface $INTERFACE
interface $INTERFACE
desc User Port
switchport access vlan 551
switchport mode access
switchport nonegotiate
switchport voice vlan 941
ip access-group PRE-AUTH-PERMIT-ANY in
no logging event link-status
no logging event power-inline-status
authentication event fail retry 3 action next-method
authentication event server dead action authorize vlan 502
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust dscp
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
end
fi
}
Any ideas how I can make this work?
Thanks, Chris
05-11-2016 04:21 AM
Hello Chris
Are you still having issues?
Can you send me the switch model and the image used?
Best regards
Isaac
05-24-2016 01:05 AM
Hi,
the issue persists. The TAC engineer has been working on it for two weeks but couldn't find a solution to it.
WS-C2960-24PC-L 12.2(55)SE6 C2960-LANBASEK9-M
Thanks & Regards,
Chris
05-24-2016 01:38 AM
Hello Chris
We have a setup very close to yours and it is working fine. The difference is that we are not using an ACS server as RADIUS, but that shouldn't be the issue for you.
Here is a copy of the configuration we have on the autosmart-port. Our RADIUS server configures the VLAN and the only thing that AS does is add the description to the interface.
shell trigger BUF_AP BUF_AP
macro auto execute BUF_AP {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
macro description $TRIGGER
desc m-net
exit
end
fi
if [[ $LINKUP == NO ]]
then conf t
interface $INTERFACE
no macro description
no desc m-net
exit
end
fi
}
macro auto global processing
In order to make AS work properly I had to try several IOS versions. Do you think an upgrade / downgrade could be a possibility for you?
Best regards
Isaac
05-30-2016 06:21 AM
Hi, thank you very much for your information.
It seems it's pretty much the same. Is it on purpose that you do not have an if-clause statement in the macro?
Also, have you tested that the configuration is in fact cleared after removal of the device connected to that port?
How is the macro triggered on your side?
Thanks & Regards,
Chris
07-09-2016 12:34 AM
Hello Chris
I am sorry I never answered back. Did you find a solution, or do you want me to get back to you next week?
Best
Isaac
07-13-2016 01:41 AM
Hi,
I have opened a TAC case and the outcome was that it is not possible to change the port configuration via radius event AND revert the configuration as soon as the device is disconnected.
Cisco has no other feature or option to accomplish what I want to do.
Regards,
Christopher
07-13-2016 01:54 AM
Hello Chris
The outcome of the TAC case doesn't seem correct to me - unless I have misunderstood the whole question.
The only difference between your setup and mine is the switch version you are using. And the RADIUS server - I am using Win2012 as RADIUS, but I have also used ISE 2.0 and it worked as well.
I don't have any WS-C2960-24PC-L but I have some 2960S that we could use. If this still is something you would like to do I think we can make that work.
The link down is managed by the local autosmart port so there should be no problem in doing a "no" as soon as the link is down.
Could you upgrade the switch to a newer version?
09-13-2016 05:05 PM
What I get from the first lines of your macro is that after the event "LINKUP == yes" you first of all do a shutdown... Which triggers the event "LINKUP == no" and everything starts anew.
Not sure if this helps, but at a customer site I have the actual macro defined as a text file and stored on the switch flash. I am using ISE with a policy that uses the auto smartport feature (on other servers you will most likely need the AV pair for auto smartport). This just calls the trigger on the switch for that one client and executes from flash. The config is similar to this (switch is a 2960X running 15.2(2)E4):
##### ON SWITCH #####
##### macro.txt #####
So my macro should, after successfully authenticating a device, remove the dot1x and mab config on that port to prevent clients from authenticating behind that device (it is a 3rd party AP that bridges clients directly onto the network). After the original device disconnects, the config is restored, and so far this works perfectly.
Regards
10-06-2017 07:26 AM - edited 10-06-2017 07:32 AM
Hello!
Agree with previous answer.
Try using the symbol "==" instead of "-eq". It worked for me. And check the log; I found the solution from it.
My working config:
vlan 300
name GUEST-VLAN
interface FastEthernet0/1
description test-stop
switchport access vlan 300
switchport mode access
shutdown
end
macro auto execute CISCO_PHONE_EVENT {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
macro description $TRIGGER
description test-start
switchport block unicast
switchport mode access
switchport access vlan 2
switchport voice vlan 4
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security
load-interval 30
auto qos voip cisco-phone
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 20
authentication event fail action next-method
authentication event server dead action reinitialize vlan 2
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
exit
fi
if [[ $LINKUP == NO ]]
then conf t
interface $INTERFACE
no macro description $TRIGGER
description test-stop
no switchport port-security
no switchport port-security maximum 2
no switchport port-security maximum 1 vlan access
no switchport port-security violation restrict
no switchport port-security aging time 1
no switchport port-security aging type inactivity
no load-interval
no auto qos voip cisco-phone
no storm-control broadcast level
no storm-control multicast level
no storm-control action trap
no spanning-tree portfast
no spanning-tree bpduguard enable
no ip dhcp snooping limit rate
no switchport block unicast
no switchport voice vlan 4
no authentication event fail action next-method
no authentication event server dead action reinitialize vlan
no authentication event no-response action authorize vlan
no authentication event server alive action reinitialize
no authentication host-mode multi-domain
no authentication order dot1x mab
no authentication priority dot1x mab
no authentication port-control auto
no authentication violation restrict
no mab
snmp trap link-status
no dot1x pae authenticator
no dot1x timeout tx-period 10
switchport access vlan 300
exit
fi
}
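The two pitfalls raised in this thread (the `-eq` numeric test applied to the string values YES/NO, and a `shut` inside the LINKUP==YES branch that takes the link down and re-triggers the LINKUP==NO branch) are easy to miss by eye in a long macro. The following Python lint is an added example, not code from this thread or from Cisco; it scans macro text stored as a file (as in the macro.txt approach above) and reports both patterns before the macro is loaded. The two sample macros are constructed for the example and condensed from the structure of the configs in this thread; the regexes assume the `if [ ... ]` / `if [[ ... ]]` / `fi` syntax shown in these posts.

```python
import re
from typing import List, Tuple

# Constructed sample: condensed macro that has both pitfalls discussed in the thread.
BROKEN_MACRO = """\
macro auto execute RADIUS_DOT1X_EVENT {
if [ $LINKUP -eq YES ] ;
then conf t
interface $INTERFACE
shut
description Access Point
switchport mode trunk
no shut
end
fi
if [ $LINKUP -eq NO ]; then
conf t
interface $INTERFACE
switchport mode access
end
fi
}
"""

# Constructed sample: same intent with string comparison and no shut in the link-up branch.
FIXED_MACRO = """\
macro auto execute RADIUS_DOT1X_EVENT {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
description Access Point
switchport mode trunk
end
fi
if [[ $LINKUP == NO ]]
then conf t
interface $INTERFACE
switchport mode access
end
fi
}
"""

# Matches "if [ $VAR op VALUE ]" or "if [[ $VAR op VALUE ]]" and captures the three parts.
COND_RE = re.compile(r'^\s*if\s+\[\[?\s*(\S+)\s+(-eq|-ne|==|!=)\s+(\S+)\s*\]\]?')
# A bare "shut" / "shutdown" line; "no shut" is deliberately not matched.
SHUT_RE = re.compile(r'^\s*shut(down)?\s*$')
NUM_RE = re.compile(r'^-?\d+$')


def lint_macro(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) findings for the two pitfalls.

    1. -eq / -ne is a numeric test; comparing against a word such as YES or NO
       never matches, so neither branch of the macro runs.
    2. 'shut' inside the LINKUP==YES branch drops the link, which fires the
       link-down trigger and runs the LINKUP==NO branch on the same port.
    """
    findings: List[Tuple[int, str]] = []
    branch = None  # value $LINKUP is compared against in the active if-block
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        m = COND_RE.match(line)
        if m:
            lhs, op, rhs = m.groups()
            literal = rhs.strip('"')
            if op in ('-eq', '-ne') and not NUM_RE.match(literal):
                findings.append((lineno,
                    f"{op} is a numeric test; compare {lhs} with {literal!r} using == or !="))
            if lhs == '$LINKUP':
                branch = literal.upper()
            continue
        if line == 'fi':
            branch = None
            continue
        if branch == 'YES' and SHUT_RE.match(line):
            findings.append((lineno,
                "'shut' inside the LINKUP==YES branch drops the link and re-triggers the LINKUP==NO branch"))
    return findings


if __name__ == '__main__':
    for name, macro in (('BROKEN_MACRO', BROKEN_MACRO), ('FIXED_MACRO', FIXED_MACRO)):
        print(name)
        for lineno, msg in lint_macro(macro) or [(0, 'no findings')]:
            print(f"  line {lineno}: {msg}")
```

Running it on the broken sample reports lines 2, 5 and 11; the fixed sample reports nothing. The lint is deliberately conservative: it only flags a literal word on the right-hand side of `-eq`/`-ne` and only a bare `shut` between a LINKUP==YES test and its `fi`, so a `no shut` that reopens the port is not reported.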
04-12-2018 02:46 AM
Hey chaps. Quick question. What if the UP LINK macro is applied, and then someone saves the running-config and reboots the switch. What happens to ports where 'trunk' mode is applied - will they return to standard 'access' mode with 802.1x enabled?
I haven't tried this solution yet, but I tried Classic NEAT with FlexConnect AP (that is effectively a basic macro that converts the port into trunk mode) and Interface-Template NEAT (the RADIUS server returns the Interface-Template-Name attribute). The first one changes the running config and, if saved, ruins future authentication of devices behind these ports. The second method doesn't change the running-config and so far works as I expect in my lab environment. However, I am hitting a bug where dot1x stops working if I reboot or shut/no shut one of the ports with modified config via interface-template.
So the question is... how does the macro approach behave if the config is saved post-authentication and the switch is rebooted? Regards
04-12-2018 03:15 AM
Config applied by the macro will be saved to the startup-config, so it will be present on the interface after reload.
04-12-2018 04:26 AM
Thanks Halyna. So, it's not solving NEAT's problems then.
I will concentrate my efforts on Interface-Templates in this case.
Regards