Hi I'm looking at implementing a TrustSec SGT policy using ibns 2.0 on some 3650 switches. The policy is intended to apply a "pre-authentication" SGT to clients until they have been authenticated successfully by ISE and has been assigned an SGT by ISE. I setup the following on switches running 03.07.05E.   1 When a session starts, the ibns 2.0 control policy applies a "pre-authentication" SGT tag to the clients traffic. This was done with a locally configured service-template on the switch. Once the client had successfully authenticated, the service-template was deactivated and the client was assigned an SGT from ISE (2.3 patch 5)   policy-map type control subscriber TEST_POLICY event session-started match-all 10 class always do-until-failure 5 activate service-template PRE-AUTH 10 authenticate using mab priority 10 ... event authentication-success match-all 10 class always do-until-failure 10 deactivate service-template PRE-AUTH 20 authorize   2 As the above worked well, I looked at moving the pre-authentication service-template onto ISE as a downloadable service-template. The ISE authorization profile ISE-PRE-AUTH was configured as a service-template with Access-Reject along with the attributes required to assign an SGT. This also worked as expected   policy-map type control subscriber TEST_POLICY event session-started match-all 10 class always do-until-failure 5 activate service-template ISE-PRE-AUTH aaa-server ISE 10 authenticate using mab priority 10 ... event authentication-success match-all 10 class always do-until-failure 10 deactivate service-template ISE-PRE-AUTH 20 authorize   3 The problem started when I tried to migrate this setup onto 16.x - I've tried this with 16.3.7 and 16.6.4a On 16.x, applying the "pre-authentication" SGT with locally configured service-templates works as expected. The problem occurs when I move to downloadable service-templates: The downloadable service template works as expected by applying the pre-authentication SGT However, once the client has been authenticated successfully the switch shows the client as unauthorized with no SGT tag - the client is not tagged with either the pre-authentication SGT nor the SGT assigned by ISE on successful authentication. A debug shows the message %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client Has anyone come across this issue with ISE downloadable service-templates on 16.x? Thanks Andy ... View more

  Hi I'm working on a ISE/Trustsec deployment for wired devices using ibns 2.0. The dev environment is working well:   Clients authenticate successfully and are dynamically assigned SGTs from ISE Switches download CTS environment data from ISE (SGTs and SGACLs) and ISE policy is enforced correctly.   I'm now looking at how to handle a critical authentication event where ISE becomes unavailable:   Unauthenticated clients are authorised ok by the switch's ibns 2.0 identity control policy. SGTs are applied statically though VLAN membership CTS environment data (SGTs and SGACLs) learned from ISE eventually times out (ISE default for this timeout is 24 hours). Clients that authenticated successfully (before RADIUS became unavailable) remain authorised with their dynamically assigned SGT. Periodic authentication isn't enabled so clients remain authorised until the session ends. The problem I'm seeing is that if ISE is unavailable for long enough and the switch's CTS environmental data times out, then the switch loses the SGACLs/SGTs required to enforce policy for the ISE authenticated devices with their dynamically assigned SGTs.   I thought the old legacy 802.1x command "authentication event server dead action reinitialize vlan X" might help reinitialize authenticated clients when a critical authentication event occurs but the bug CSCul89568 (and my testing) shows that this is only possible if periodic authentication is enabled.   I created a simple EEM script below which clears all authenticated sessions when RADIUS becomes unavailable. Clients are then authorised by the switch with statically assigned SGTs (enforcement is done through static SGACLs).   event manager applet CRITICAL-CLEAR-SESSIONS event syslog pattern "RADIUS-4-RADIUS_DEAD" maxrun 5 action 1.0 cli command "enable" action 1.1 cli command "clear access-session"   Can anyone suggest a better way of dealing with this kind of event? I could increase the cts environmental data timeout or enable periodic authentication.   Thanks Andy ... View more