Cisco2960X IBNS 2.0 and 802.1x/MAB Authentication NOT working

MaErre21325
Level 1

Hello,

I was successfully deploying NAC configuration on all my switches when I encountered a problem with the new authentication display config-mode on a WS-C2960X-48LPS-L 15.2(7)E4:

SwitchplanA#authentication display config-mode
Current configuration mode is new-style

All the following commands are rejected and I'm not able to deploy the NAC configuration:

SwitchplanA(config)#device-sensor accounting
^
% Invalid input detected at '^' marker.

SwitchplanA(config)#access-session template monitor
^
% Invalid input detected at '^' marker.

SwitchplanA(config-if)# authentication control-direction in
%Command deprecated ( authentication control-direction in) - use access-session instead

SwitchplanA(config-if)# authentication event fail action next-method
Command deprecated ( authentication event fail action next-method) - use cpl config

SwitchplanA(config-if)#authentication event server dead action authorize vlan 200
Command deprecated ( authentication event server dead action authorize vlan 200) - use cpl config

SwitchplanA(config-if)#authentication event server dead action authorize voice
Command deprecated ( authentication event server dead action authorize voice) - use cpl config

SwitchplanA(config-if)#authentication event server alive action reinitialize
Command deprecated ( authentication event server alive action reinitialize) - use cpl config

SwitchplanA(config-if)# authentication host-mode multi-domain
%Command deprecated ( authentication host-mode multi-domain) - use access-session instead

SwitchplanA(config-if)# authentication order dot1x mab
Command deprecated ( authentication order dot1x mab) - use cpl config

SwitchplanA(config-if)# authentication priority dot1x mab
Command deprecated ( authentication priority dot1x mab) - use cpl config

SwitchplanA(config-if)# authentication port-control auto
%Command deprecated ( authentication port-control auto) - use access-session instead

How can I fix these errors and how can I convert them?
And why does only this switch have this new authentication mode?

thank you

regards

12 Replies

Reza Sharifi
Hall of Fame

Hi,

Check the license and make sure this switch does not have a different license level. "Show version" should show you the license level you have for each switch.

HTH

Hello @Reza Sharifi ,

The license is lanbase and is the same as on the other switches; they're all WS-C2960X-48LPS-L running 15.2(7)E4 with a lanbase license.

Unfortunately, new style does not accept the same commands that were used before; it uses auth session .... commands.

Sorry, you need to learn how to use the new commands.

MHM

I feared this answer... is it possible to revert to the old style?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/15-e/ibns-15-e-book/ibns-cntrl-pol.html

If you don't use the convert command and you only use display, then you can go back to using the old style.

Good luck

MHM

Check link 

@MaErre21325 the switch is running new-style mode, yet you are configuring the legacy commands, which won't work.

You need to create the class maps, policy maps and templates etc to use IBNS 2.0.

Refer to the ISE wired prescriptive guide - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--657806293

 

Hi @Rob Ingram @MHM Cisco World ,

I read your links but I can't understand how to convert my commands to the new style. I've only found the conversion for "device-sensor accounting", but didn't find anything useful about all the other commands.
The documentation states I need to create templates etc. etc. .... but nothing about which new command exactly replaces the old one....

I'm a lil' bit confused and stuck on this

@MaErre21325 as per the guide, normally you'd configure the legacy configuration on an interface and then change to new-style, this would automatically convert the configuration. If you didn't do that, here are some IBNS 2.0 templates you can use. Else revert to legacy, configure IBNS 1.0 and then change to new style.

https://www.ise-support.com/cisco-ise-nad-configuration-templates/

https://www.wiresandwi.fi/blog/solid-config-cisco-ibns-2-0-802-1x-mab-switch-configuration-ios
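
A sketch of how the legacy interface commands quoted in the question map onto IBNS 2.0 objects, added here as an example and not taken from any reply or from the linked templates. The template, class, policy and interface names are hypothetical, and the syntax is general IBNS 2.0 usage that has not been validated on this 2960X image, so check each line with `?` before relying on it:

```cisco
! Added example: CRITICAL_*_TMPL, AAA_DOWN_UNAUTHD, DOT1X_MAB_POLICY, Gi1/0/1 are hypothetical
service-template CRITICAL_DATA_TMPL
 vlan 200
service-template CRITICAL_VOICE_TMPL
 voice vlan
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
class-map type control subscriber match-all AAA_DOWN_UNAUTHD
 match result-type aaa-timeout
 match authorization-status unauthorized
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_DATA_TMPL
 match activated-service-template CRITICAL_VOICE_TMPL
!
policy-map type control subscriber DOT1X_MAB_POLICY
 ! was: authentication order dot1x mab / authentication priority dot1x mab
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  ! was: authentication event server dead action authorize vlan 200 / voice
  10 class AAA_DOWN_UNAUTHD do-until-failure
   10 activate service-template CRITICAL_DATA_TMPL
   20 activate service-template CRITICAL_VOICE_TMPL
   30 authorize
   40 pause reauthentication
  ! was: authentication event fail action next-method
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
 ! was: authentication event server alive action reinitialize
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
!
interface GigabitEthernet1/0/1
 access-session control-direction in
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 service-policy type control subscriber DOT1X_MAB_POLICY
```

`access-session closed` is included because new-style ports allow pre-authentication traffic unless it is set, whereas the legacy commands in the question (no `authentication open`) kept the port closed. The `device-sensor accounting` and `access-session template monitor` lines from the question are not covered by this sketch.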

 

I'd like to revert to legacy mode, but the only thing I can type is "authentication display config-mode", telling me I'm in new-style mode. I think reverting is not allowed, and I'm more and more confused about using templates or converting the commands.

@MaErre21325 depends on your IOS/IOS-XE version

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/xe-3se/3850/ibns-xe-3se-3850-book/san-cntrl-pol.html

"Enter the authentication display new-style command—This command switches to C3PL display mode, temporarily converting your legacy configuration to a Identity-Based Networking Services configuration so you can see how it looks before you make the conversion permanent. You can switch back to legacy mode by using the authentication display legacy command. "

On newer IOS/IOS-XE versions I believe you cannot revert, you'd have to wipe the switch and start again, this will revert to legacy mode.

No, I'm unable to revert.... I'll try to convert the commands or open a case or pass this task on, because the Cisco documentation is not useful at all for me....

thank you however for all your tips

authentication display legac

With this you can revert back to the old style.

If this command is not accepted then you cannot revert any more, unless something is changed in RAM (I don't know how).

MHM
