cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6184
Views
5
Helpful
12
Replies

Auto Smartport Macro execution via Cisco ACS

Chris
Level 1
Level 1

Hi all,

I'm having a strange issue when it comes to the auto smartport feature. Whenever I connect an AP I want to reconfigure the port via the locally configured macro. My setup looks the following:

1. AP gets connected to a dot1x enabled switchport

2. AP authenticates and the switch gets the macro trigger delivered via ACS parameter

3. The locally configured macro gets triggered and reconfigures the port

So far so good. Until now everything works. The configuration is changed and the AP works in the desired mode. The problem is that when I disconnect the port it does not revert the configuration. I think because the macro is not triggered again.

My configuration looks the following:

macro auto execute RADIUS_DOT1X_EVENT {
macro auto global processing
no macro auto global control device
no macro auto global control detection
shell trigger RADIUS_DOT1X_EVENT Radius Accept Triggers Port Configuration
macro auto execute RADIUS_DOT1X_EVENT {
if [ $LINKUP -eq YES ] ;
then conf t
default interface $INTERFACE
interface $INTERFACE
shut
description Access Point
switchport trunk native vlan 502
switchport mode trunk
switchport nonegotiate
no snmp trap link-status
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
no shut
end
fi
if [ $LINKUP -eq NO ]; then
conf t
default interface $INTERFACE
interface $INTERFACE
desc User Port
switchport access vlan 551
switchport mode access
switchport nonegotiate
switchport voice vlan 941
ip access-group PRE-AUTH-PERMIT-ANY in
no logging event link-status
no logging event power-inline-status
authentication event fail retry 3 action next-method
authentication event server dead action authorize vlan 502
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust dscp
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
end
fi
}

Any ideas I can make this work?

Thanks, Chris

12 Replies 12

isaacalves27
Level 1
Level 1

Hello Chris

Are you still having issues?

Can you send me the switch model and the image used? 

Best regards

Isaac

Hi,

the issue persists. The TAC enginner is working on it since two weeks but couldn't find a solution to it.

WS-C2960-24PC-L    12.2(55)SE6      C2960-LANBASEK9-M

Thanks & Regards,

Chris

Hello Chris

We have a setup very close to yours and it is working fine. The difference is that we are not using ACS server som radius men that shouldn't be the issue for you.

Here a copy of the configuration we have on the autosmart-port. Our radius server configures the vlan and the only thing that AS does is to add the description to the interface.

shell trigger BUF_AP BUF_AP
macro auto execute BUF_AP  {
 if [[ $LINKUP == YES ]]
  then conf t
  interface  $INTERFACE
  macro description $TRIGGER
  desc m-net
  exit
  end
 fi      
 if [[ $LINKUP == NO ]]
  then  conf t
  interface  $INTERFACE
  no macro description
  no desc m-net
  exit
  end
 fi
}
macro auto global processing

In order to make AS working properly I had to try several IOS versions. Do you think an upgrade / downgrade could be a possiblity for you?

Best regards

Isaac

Hi, thank you very much for your information. 

It seems it's pretty much the same. Is it on purpose that you do not have an If clause statement in the macro?

Also, have you tested that the configuration is in fact cleared after removal of the device connected to that port?

How is the macro triggered on your side?

Thanks & Regards,

Chris

Hello Chris

I am sorry I never answered back. Did you found a solution or do you want me to get back to you on the next week?

Best

Isaac

Hi,

I have opened a TAC case and the outcome was that it is not possible to change the port configuration via radius event AND revert the configuration as soon as the device is disconnected.

Cisco has no other feature or option to accomplish what I want to do.

Regards,

Christopher

Hello Chris

The outcome of the TAC doesn't seem correct to me - unless I have misunderstood the all question.

The only difference between your setup and mine is the switch version you are using. And the radius server - I am using Win2012 as radius but I have also used ISE 2.0 and worked as well.

I don't have any WS-C2960-24PC-L but I have some 2960S that we could use. If this still is something you would like to do I think we can make that work.

The link down is managed by the local autosmart port so there should be no problem in doing a "no" as soon as the link is down.

Could you upgrade the switch to a newer version?

What I get from the first lines of your macro is that after the event "LINKUP == yes" you first of all do a shutdown... Which triggers the event "LINKUP == no" and everything starts anew.

Not sure if this helps but at a customer site I have the actual macro defined as a text file and stored on the switch flash. I am using ISE with a policy that uses the auto smartport feature (on other servers you will most likely need the av pair for auto smart port). this just calls the trigger on the switch for that one client and executes from flash. The config is similar to this (switch is a 2960X running 15.2(2)E4):

##### ON SWITCH #####

! Enable auto smartport processing
macro auto global processing
! Define shell trigger and description
shell trigger TRIGGER TRIGGER-DESCRIPTION
! Copy macro text file to local flash
copy tftp://$TFTPSERVER/macro.txt flash:
! map trigger event to execute the macro text file
macro auto execute MAB_TEST remote flash:macro.txt

##### macro.txt #####

if [[ $LINKUP == YES ]]; then
 conf t
  interface $INTERFACE
   no ip access-group
   macro description $TRIGGER
   no dot1x pae authenticator
   no mab
   authentication open
  exit
 end
fi
if [[ $LINKUP == NO ]]; then
 conf t
  interface $INTERFACE
   no macro description $TRIGGER
   dot1x pae authenticator
   mab
   no authentication open
  exit
 end
fi

So my macro should, after successfully authenticating a device, remove the dot1x and mab config on that port to avoid clients from authenticating behind that device (it is a 3rd party AP that bridges clients directly onto the network). After the original device disconnects, config is restored and so far this works perfectly.

Regards

Halyna
Level 1
Level 1

Hello!

 

Agree with previous answer.

 

Try to use this symbol "==" instead of "-eq". It worked for me. And check the log. I discovered the decision from it.

 

My working config:

 

vlan 300
 name GUEST-VLAN

 

interface FastEthernet0/1
 description test-stop
 switchport access vlan 300
 switchport mode access
 shutdown
end

 

macro auto execute CISCO_PHONE_EVENT  {
 if [[ $LINKUP == YES ]]
  then conf t
  interface $INTERFACE
  macro description $TRIGGER
  description test-start
  switchport block unicast
  switchport mode access
  switchport access vlan 2
  switchport voice vlan 4
  switchport port-security maximum 2
  switchport port-security maximum 1 vlan access
  switchport port-security violation restrict
  switchport port-security aging time 1
  switchport port-security aging type inactivity
  switchport port-security
  load-interval 30
  auto qos voip cisco-phone
  storm-control broadcast level pps 1k
  storm-control multicast level pps 2k
  storm-control action trap
  spanning-tree portfast
  spanning-tree bpduguard enable
  ip dhcp snooping limit rate 20
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 2
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication violation restrict
  mab
  no snmp trap link-status
  dot1x pae authenticator
  dot1x timeout tx-period 10
  exit
 fi
 if [[ $LINKUP == NO ]]
  then conf t
  interface $INTERFACE
  no macro description $TRIGGER
  description test-stop
  no switchport port-security
  no switchport port-security maximum 2
  no switchport port-security maximum 1 vlan access
  no switchport port-security violation restrict
  no switchport port-security aging time 1
  no switchport port-security aging type inactivity
  no load-interval
  no auto qos voip cisco-phone
  no storm-control broadcast level
  no storm-control multicast level
  no storm-control action trap
  no spanning-tree portfast
  no spanning-tree bpduguard enable
  no ip dhcp snooping limit rate
  no switchport block unicast
  no switchport voice vlan 4
  no authentication event fail action next-method
  no authentication event server dead action reinitialize vlan
  no authentication event no-response action authorize vlan
  no authentication event server alive action reinitialize
  no authentication host-mode multi-domain
  no authentication order dot1x mab
  no authentication priority dot1x mab
  no authentication port-control auto
  no authentication violation restrict
  no mab
  snmp trap link-status
  no dot1x pae authenticator
  no dot1x timeout tx-period 10
  switchport access vlan 300
  exit
 fi
}

 

 

 

Hey chaps. Quick question. What if UP LINK macro is applied, and then someone saves the running-config and reboots the switch. What happens to ports where 'trunk' mode is applied - will they return to standard 'access' mode with 802.1x enabled?

 

I haven't tried this solution yet, but I tried Classic NEAT with FlexConnect AP (that is effectively a basic macros that converts port into trunk mode) and Interface-Template NEAT (Radius server return Interface-Template-Name attribute). First one changes running config and if saved ruins future authentication of devices behind these ports. Second method doesn't change running-config and is so far works as I expect in my lab environment. However, I am hitting a bug where dot1x stops working if I reboot or sh/unshut one of the ports with modified config via interface-template.

 

So the question is... how macros approach behaves if config is saved post-authentication and switch is rebooted. Regards

Applied by macro config will be saved to startup-config so will be present after reload on the interface.

Thanks Halyna. So, it's not solving NEAT's problems then.

I will concentrate my efforts on Interface-Templates in this case.

 

Regards

Review Cisco Networking for a $25 gift card