Interface template bug on IOS XE 16.12.4?

Skjoedt
Level 1

--- UPDATE 2! ---
Might be hitting this bug: https://bst.cloudapps.cisco.com/bugsearch/bug/cscvw45158
--- UPDATE 2! ---
--- UPDATE! ---
If I select both the NEAT VSA and the Interface Template VSA at the same time in my AuthZ Profile in ISE, then the feature is working as intended and my AP can get an IP from DHCP.
- See the new attached picture.

However, when I shut down/disconnect the switchport, the switchport is only partially returned to the previous configuration.
The command "switchport trunk native vlan 201" from the interface template somehow gets changed to "switchport access vlan 201" and left behind in the interface configuration, even though the command was not present in the interface configuration before authentication.
--- UPDATE! ---
Hello

I am currently studying for the CCIE Wireless, and in my studies I am currently doing labs on 802.1x switchport authentication with APs.

The issue I am seeing, and what I suspect is a bug on the switch, is that when I connect an AP to the switchport, the AP is authenticated and allowed to pass traffic. I can also see with the "show interface trunk" command that the AP is connected on a trunk, that the Native VLAN is 201, and that all VLANs are in the forwarding state and not pruned.
However, the AP does not get an IP from DHCP and when debugging on the switch, I can see that the switch never receives any DHCP Discovery from the AP.

The gotcha comes when I introduce the command "switchport access vlan 201" on the switchport before authentication.
Now when the AP authenticates, everything looks the same in the "Show Interface Trunk" command and everywhere else, but this time the AP does get an IP from DHCP and I can see the switch getting a DHCP Discovery etc.

This means that before, without the command "switchport access vlan 201" on the switchport, the switch actually places untagged traffic in VLAN1, even though the "Show Interface Trunk" command states that the Native VLAN is 201.
Essentially working like normal NEAT without interface templates, where you will have to pre-configure the Native VLAN on the trunk as the Access VLAN before authentication, in order for the switch to assign the correct Native VLAN.

I have a 3650 switch running 16.12.4 (because the CCIE Lab will run 16.12 code) in my lab, and the APs are on AireOS 8.10.130.0 (again because the CCIE Lab will run 8.10 code).

Below is the config used to configure 802.1x switchport authentication in my lab.

!
aaa new-model
aaa session-id common
cisp enable
dot1x system-auth-control
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa server radius dynamic-author
 client 172.21.0.50 server-key *****
!
radius server CCIE-ISE-Radius
 address ipv4 172.21.0.50 auth-port 1812 acct-port 1813
 key *****
!
ip dhcp snooping glean
!
vlan configuration 1,10,20,30,40,50,100,200-202,210,220,250
 device-tracking
!
template FlexConnect-NEAT
 spanning-tree portfast trunk
 switchport trunk native vlan 201
 switchport mode trunk
!
interface GigabitEthernet1/0/14
 description dot1x/MAB Port
 switchport mode access
 authentication host-mode multi-host
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!

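The leftover "switchport access vlan 201" described in the update is a configuration-drift problem: a dynamically applied interface template should leave no trace once the session ends. The following is an added example (not from the post or from Cisco) of how to check that from the CLI side: it parses `show running-config interface` style snapshots taken before authentication and after the port is shut down, and reports any command that was added to or removed from the interface stanza. The two snapshots are constructed here from the interface configuration in the post; in practice they would be captured from the switch.

```python
"""Config-drift check for a switchport after a dynamic-template session.

Added example, not from the original post. The two snapshots below are
constructed from the interface configuration shown in the post; in
practice they would come from `show running-config interface <name>`
captured before authentication and again after the port is shut down or
the session is cleared.
"""
from typing import Dict, List, Tuple

# Constructed snapshot: the port before the AP authenticates.
BEFORE = """\
interface GigabitEthernet1/0/14
 description dot1x/MAB Port
 switchport mode access
 authentication host-mode multi-host
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
"""

# Constructed snapshot: the same port after the AP is disconnected.
# The line the post reports as left behind is included here.
AFTER = """\
interface GigabitEthernet1/0/14
 description dot1x/MAB Port
 switchport access vlan 201
 switchport mode access
 authentication host-mode multi-host
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each `interface X` stanza to its (stripped) child commands.

    IOS marks hierarchy with leading spaces; a line that is not indented
    (or a bare `!`) closes the current stanza.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            stanzas[current] = []
    return stanzas


def interface_drift(before: str, after: str, name: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) commands for one interface between two snapshots."""
    b = parse_interfaces(before).get(name, [])
    a = parse_interfaces(after).get(name, [])
    added = [c for c in a if c not in b]
    removed = [c for c in b if c not in a]
    return added, removed


def report(before: str, after: str, name: str) -> str:
    """Human-readable summary; a clean result means the baseline was restored."""
    added, removed = interface_drift(before, after, name)
    if not added and not removed:
        return f"{name}: configuration restored to baseline"
    lines = [f"{name}: configuration did NOT return to baseline"]
    lines += [f"  + {c}" for c in added]
    lines += [f"  - {c}" for c in removed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE, AFTER, "GigabitEthernet1/0/14"))
```

Run against the constructed snapshots it flags "+ switchport access vlan 201" as residue on GigabitEthernet1/0/14; run against two identical snapshots it reports the baseline as restored. Comparing stanzas as sets of commands rather than as raw text keeps the check independent of the order in which IOS emits lines.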