Does IBNS 2.0 Auto Identity (AI) exist for IOS-XE?

Arne Bier
VIP

Hello

I posted this question on the Security Blogs forum, but I didn't get any replies - perhaps this is more specific to switching - but it does fall between Security (NAC) and Switching. Maybe you guys can help me ...

I somehow stumbled upon Cisco's IBNS 2.0 Auto Identity (AI) templates in my CML/VIRL IOSv layer2 image (IOS 15.2(6)).

I find these templates great, because these are the best practices that we tend to hard-code manually - e.g. there are templates for Monitor Mode, Closed Mode etc. - it's great. IBNS configuration is a commonly asked topic on these forums and I don't blame anyone for getting it wrong - we end up creating text file snippets that we use over and over. But with AI there is no need for this - you cannot get it wrong and there is nothing to remember.

You start off with the switch in legacy display mode and then perform the IBNS 1.0 to IBNS 2.0 conversion. When I do this on an IOS-XE 9300 device I don't get any AI templates.

I have been looking for this feature in IOS-XE. Does anyone know if it exists in IOS XE 16.12.x?

I found this obscure Cisco Live presentation, but not much else on the official Cisco web.

SW1#show ver
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20190423)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to  V152_6_0_81_E
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Tue 23-Apr-19 04:48 by mmen

ROM: Bootstrap program is IOSv

Below is more detail about these built-in templates. The good thing is that the commands don't appear in the show-run - less config clutter. You simply use them.

Does this look familiar?

Switch#show template brief

Interface Templates
===================

Template-Name                                    Source            Bound-to-Interface
-------------                                    ------            ------------------
AI_CLOSED_MODE                                   Built-in          No
AI_LOW_IMPACT_MODE                               Built-in          No
AI_MONITOR_MODE                                  Built-in          No
AI_VISIBILITY_MODE                               Built-in          No

Service Templates
=================

Template-Name                                    Source            Bound-To-Session
-------------                                    ------            ----------------
webauth-global-inactive                          Built-in          No
webauth-global-absolute                          Built-in          No
DEFAULT_LINKSEC_POLICY_MUST_SECURE               Built-in          No
DEFAULT_LINKSEC_POLICY_SHOULD_SECURE             Built-in          No
DEFAULT_CRITICAL_VOICE_TEMPLATE                  Built-in          No
AI_INACTIVE_TIMER                                Built-in          No
AI_CRITICAL_ACL                                  Built-in          No

And even the global stuff no longer needs to be memorised (or asked about on these forums!!) - you use this one in your global config with the command source template AI_GLOBAL_CONFIG_TEMPLATE.

Switch#show template global source built-in all
Building configuration...

Global Template Name       : AI_GLOBAL_CONFIG_TEMPLATE
Modified                   : No
Global Template Definition : global
 dot1x system-auth-control
 aaa new-model
 aaa authentication dot1x default group radius
 aaa authorization network default group radius
 aaa authorization auth-proxy default group radius
 aaa accounting identity default start-stop group radius
 aaa accounting system default start-stop group radius
 radius-server attribute 6 on-for-login-auth
 radius-server attribute 6 support-multiple
 radius-server attribute 6 voice 1
 radius-server attribute 8 include-in-access-req
 radius-server attribute 25 access-request include
!
end

And even more stuff we all use ... Service and Interface Templates:

Switch#show template interface source built-in all
Building configuration...

Template Name       : AI_CLOSED_MODE
Modified            : No
Template Definition :
 dot1x pae authenticator
 switchport mode access
 mab
 access-session closed
 access-session port-control auto
 service-policy type control subscriber AI_DOT1X_MAB_POLICIES
!
Template Name       : AI_LOW_IMPACT_MODE
Modified            : No
Template Definition :
 dot1x pae authenticator
 switchport mode access
 mab
 access-session port-control auto
 service-policy type control subscriber AI_DOT1X_MAB_POLICIES
 ip access-group AI_PORT_ACL in
!
Template Name       : AI_MONITOR_MODE
Modified            : No
Template Definition :
 dot1x pae authenticator
 switchport mode access
 mab
 access-session port-control auto
 service-policy type control subscriber AI_DOT1X_MAB_POLICIES
!
Template Name       : AI_VISIBILITY_MODE
Modified            : No
Template Definition :
 switchport mode access
 access-session port-control auto
 service-policy type control subscriber AI_VISIBILITY_POLICY
!
end

Switch#show template service source built-in all
Building configuration...

Built-In Service-Template
=========================

Service-Template : webauth-global-inactive
Template Definition:
 idle-timeout 3600
!
Service-Template : webauth-global-absolute
Template Definition:
!
Service-Template : DEFAULT_LINKSEC_POLICY_MUST_SECURE
Template Definition:
 linksec-policy Must-secure
!
Service-Template : DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
Template Definition:
 linksec-policy Should-secure
!
Service-Template : DEFAULT_CRITICAL_VOICE_TEMPLATE
Template Definition:
 voice vlan
!
Service-Template : AI_INACTIVE_TIMER
Template Definition:
 idle-timeout 3600
!
Service-Template : AI_CRITICAL_ACL
Template Definition:
 access-group AI_PORT_ACL
!
end
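
One way a defender can use the output above, added here as an example that is not part of the post and not Cisco's own code: parse the "show template interface source built-in all" text, classify each interface template into the IBNS deployment mode it actually implements (closed enforces before authorization; low-impact and monitor leave the port open, which is the point that gets mixed up when snippets are hand-copied), and report baseline commands a template is missing. The sample input is the post's own output; the MY_LOW_IMPACT_NO_MAB template, its policy-map and ACL names are constructed for the example.

```python
import re
from typing import Dict, List

# Sample input copied from the post's "show template interface source built-in all"
# output (IOSv 15.2(6)). Parser and classifier below are an added example, not Cisco's code.
SHOW_TEMPLATE_INTERFACE = """\
Template Name       : AI_CLOSED_MODE
Modified            : No
Template Definition :
 dot1x pae authenticator
 switchport mode access
 mab
 access-session closed
 access-session port-control auto
 service-policy type control subscriber AI_DOT1X_MAB_POLICIES
!
Template Name       : AI_MONITOR_MODE
Modified            : No
Template Definition :
 dot1x pae authenticator
 switchport mode access
 mab
 access-session port-control auto
 service-policy type control subscriber AI_DOT1X_MAB_POLICIES
!
Template Name       : AI_VISIBILITY_MODE
Modified            : No
Template Definition :
 switchport mode access
 access-session port-control auto
 service-policy type control subscriber AI_VISIBILITY_POLICY
!
end
"""

# Constructed: a hand-written low-impact template that forgot MAB (name, policy and ACL are made up).
HAND_WRITTEN_TEMPLATE = """\
Template Name       : MY_LOW_IMPACT_NO_MAB
Modified            : Yes
Template Definition :
 dot1x pae authenticator
 switchport mode access
 access-session port-control auto
 service-policy type control subscriber MY_POLICY
 ip access-group MY_PORT_ACL in
!
end
"""

BASELINE = ("switchport mode access", "access-session port-control auto")
AUTHENTICATORS = ("dot1x pae authenticator", "mab")


def parse_interface_templates(text: str) -> Dict[str, List[str]]:
    """Return {template name: [definition commands]} from 'show template interface' output."""
    templates: Dict[str, List[str]] = {}
    current, in_definition = None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Template Name\s*:\s*(\S+)", line)
        if m:
            current, in_definition = m.group(1), False
            templates[current] = []
        elif line.startswith("Template Definition"):
            in_definition = True
        elif line in ("!", "end", ""):      # end of a template body
            in_definition = False
        elif in_definition and current is not None:
            templates[current].append(line)
    return templates


def classify_mode(commands: List[str]) -> str:
    """Map a template's commands onto the IBNS deployment mode it implements."""
    cmds = set(commands)
    if not any(a in cmds for a in AUTHENTICATORS):
        return "visibility"   # no 802.1X/MAB authenticator: observe endpoints only
    if "access-session closed" in cmds:
        return "closed"       # no traffic until the session is authorized
    if any(c.startswith("ip access-group ") and c.endswith(" in") for c in cmds):
        return "low-impact"   # open port, pre-auth traffic limited by a port ACL
    return "monitor"          # open port, authentication logged but not enforced


def audit_templates(text: str) -> Dict[str, dict]:
    """Classify each template and list the baseline commands it is missing."""
    report = {}
    for name, commands in parse_interface_templates(text).items():
        mode = classify_mode(commands)
        cmds = set(commands)
        required = list(BASELINE) + (list(AUTHENTICATORS) if mode != "visibility" else [])
        missing = [c for c in required if c not in cmds]
        if not any(c.startswith("service-policy type control subscriber ") for c in cmds):
            missing.append("service-policy type control subscriber <policy-map>")
        report[name] = {"mode": mode, "missing": missing}
    return report
```

Run audit_templates() over the saved output of "show template interface source built-in all" (or over "show template interface source user all" for hand-written templates, which is where the missing-command report earns its keep); the built-in AI templates come back clean, while the constructed MY_LOW_IMPACT_NO_MAB is classified as low-impact with "mab" reported missing.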