IBNS 2.0, Auto Smartport Macro - holy grail config?

I have been messing around with IBNS 2.0 and Auto smartport macro configs for a few months now trying to get a 'holy grail' config and I just can't get there.

I'm working with some older C3750X/C3560X and current C3560CX switches.  I'm happy manually configuring (or Jinja2 scripting) base configs of AAA, L3 uplinks, routing etc, however the perfect access port config is eluding me.  I can get everything working on its own, but combining things is proving tricky.

My 'intent' is for the generic access ports to all have the same base config that by default allows no access.  It should see the access port going up and then detect the device (i.e. IP phone, AP or other 'device') and apply the config and/or do 802.1x for the device if it supports it.

For example a port goes up, the switch detects it's a Cisco IP phone and applies a base config of QoS, switchport voice vlan, 802.1x for the piggy-back PC etc.  If it detects a CAPWAP AP then apply the base config for an AP (QoS, switch access vlan etc).  If it's a PC then attempt to authenticate it with 802.1x.

I can get everything working individually, but it generally requires unique configurations on each access port type.  My latest test config has nothing on the ports where APs are connected as the DC and macros sort this out, however for phones with PCs attached it requires a base config on the interface.  For ports where only PCs are attached it requires a different base config.  The fallback 'CISCO_LAST_RESORT_AUTO_SMARTPORT' seems to take ages to apply so doesn't work well.

I have RADIUS available for authenticating PCs via 802.1x as well as MAB for phones and I can set VLANs, ACLs & Voice Domains etc via Cisco-AV-Pairs - I have full control over the RADIUS (MS NPS) server so can change whatever I need.

What I want is the same config applied to all access ports that allows any device to connect and the appropriate config to be applied based on the detection.  I know it will require 802.1x & MAB, however it also requires DC to detect devices that should 'bypass' authentication.  I've had a bit more success with Cisco IP Phones, however we have a lot of customers that use Mitel IP Phones.  I can get some sort of bypass working with mac-access-groups for the Mitel OUIs (08000F & 00085D), but it's not perfect and requires RADIUS to supply 'Cisco-AV-Pair=device-traffic-class=voice' to get it to work.

I have access to a DNA 2.x LAB and have been scanning the pushed configs to the access switches for authentication and I'm still struggling to get what I want.

Anyone been through this pain and come up with an access port Holy Grail config?  Basically plug your device in and the switch dynamically applies the configuration based on the device, but requires authentication for PCs or unknown devices?

Cheers

Andy

2 Replies

Leo Laohoo
Hall of Fame

I know we have this sort of setup with 802.1x.  

The switches have a macro (hidden command) and templates. 

The macro is applied to the switch manually.  The macro is a "generic" set of interface-level commands.  The switch polls ISE and then ISE sends back what VLANs the machine goes into.  

If the device is an unknown, it goes into the "hell" VLAN (locally significant dummy VLAN and not trunked).

As I said I have managed to get the majority of things working individually and some together, however I can't get a base config that fits everything.  I don't really want to authenticate IP Phones or APs or printers etc.  With Cisco devices this works to some degree, however the built-in macros/templates aren't ideal (QoS).  If I enable DC and Auto Smartports and then tweak the access & voice VLANs for the macros I can have an unconfigured access port get reconfigured dynamically when a Cisco AP or Cisco IP Phone is connected.  When the device is removed all the configuration is removed and the access port is back at default config.

I managed to find a Lab guide online (LTRSEC-2017: Simplified IBNS 2.0 (Advanced 802.1X) Lab with Auto-Identity) that has a small section at the end called 'Bypassing Authentication for Cisco / Third Party IP Phones'.  This looks promising and partially works.  It invokes the built-in 'AI_NEXTGEN_AUTHBYPASS' IBNS 2.0 policy.  However it isn't complete.  It also only works with Cisco IP Phones.

I can authenticate Cisco & Mitel IP phones with MAB easily enough, however I'd rather just bypass authentication for these devices.  However I still want to authenticate PCs with 802.1x.

The 'CISCO_LAST_RESORT_AUTO_SMARTPORT' sort of works, but takes ages to get invoked.

Andy