
Looking for a flexible IBNS 2.0 switch port design that will work with dynamic service templates downloaded from ISE

John Palmason
Level 4

Hello ISE experts, I am trying to solve an issue I have come across in my DOT1X design.  I am looking to build a switching configuration that I can replicate across my company.  I have been working in a lab designing different ideas and testing them, which leads me to my reason for posting here.  I have come to the end of my understanding of IBNS 2 and I am currently stuck with a choice. I will try and explain; it's complex and has many moving parts.

 

I am looking to have a switch configuration that will allow interface templates to be called/downloaded/applied by ISE using Authorization Profiles.  I currently have this working: the interface templates are sourced locally on the switch and called from ISE by the policy sets and Authorization Policy profiles.  This part is working great, and for most companies this would be enough.

 

For my company we maintain a small IT footprint on ocean-going vessels (Router/ASA/Switches/ESXi HA hosts/Endpoints etc.).   This leads to periods of convergence and loss of upstream connectivity, which is where IBNS 2.0 shines: it will hold the auth session on the ports during these up/downs very well.  I have tested it and it works as designed. I couldn't be happier with this result, as I thought I was going to need a local ISE node on every vessel (I manage 37 vessels) to keep the sessions active ($$$$$).  So, we have ISE working nicely doing its part and IBNS 2.0 caching/holding sessions for periods when ISE can't be reached (AAA DOWN situations). (See attached screenshot of my IBNS policy)

 

Now the final situation that most people won't consider is that I need a way to auth the endpoints in a situation where AAA is down and the power on the switch has been cycled (refit/maintenance work on the vessel in a shipyard, for example).  Again IBNS 2.0 comes to the rescue here, but with one problem.

 

With my current understanding you can statically assign a source template to the interface config, which can call a service-template, interface-template or policy.  I need one that would encompass many different VLANs for cameras/phones/workstations/vendor hardware.  I have been able to get around this obstacle by creating an interface template per endpoint type and calling the VLAN in the service templates. This makes the port's configuration static, based off the template assigned (keeping in mind that the AAA server is not reachable in this failure scenario), and this breaks the dynamic nature of service templates downloaded from ISE.   Any port that has been moved accidentally or on purpose gets the static config and not the dynamic one from ISE.

 

Let me explain:

This works if nobody ever moves cables on the switch physically or access to our AAA server is available. In our case we often have non-IT staff supporting the vessel when it's at sea, acting as IT support while it's not possible to attend the vessel until it docks.  Cables get put back in the wrong ports and then this breaks its function.

 

So with all that said, does anybody know of a way I could create a generic IBNS template that would accommodate different VLANs and allow the traffic to flow until the AAA server could be marked alive and re-auth the ports?

4 Replies

Francesco Molino
VIP Alumni

Hi

Just to make sure I understand: you want to keep the switch working when ISE isn't reachable and when people move cables around? And what VLAN would you expect to be on each port?

 

You can have some dot1x authentication locally, but it's not going to be real dot1x authentication (MSCHAPv2 or TLS); it will be limited:

aaa authentication dot1x default local

 

What switch model are you using? Maybe a local RADIUS in guestshell, like FreeRADIUS?

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you for your reply Francesco. We are running 3850/3650 with 16.9.6 IOS-XE code; I should have mentioned this in my original post.  The problem is that using a CRITICAL VLAN config for AAA down allows a single VLAN to be applied, which does work, and I have tested it. But the limitation is that it works only for a single VLAN, and I would require a max of 5 VLANs to work in the AAA down situation.

 

With some time to reflect on this issue, I am asking for too much; the switch can't be dynamic and static at the same time.  We do have the Microsoft NPS service running on some of the vessels, and they are actually doing TLS for the wireless connections onboard.

 

So I think for the time being I will just use the interface templates statically assigned to the switch ports; this seems to cover off most of my requirements.

 

John 

aqdasmuneer
Level 1

Hi,

Regarding the requirement for multi-VLAN support during critical auth, have you tried leaving the VLAN out of the service-template for the data VLAN? We were running into a similar issue and there was no real solution; I tried this on a hunch and it worked out for us. When in critical auth, all ports maintain their VLAN membership.

 

service-template CRITICAL_AUTH_ACCESS

service-template CRITICAL_VOICE_ACCESS
voice vlan

Thanks,

Aqdas
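To put the original post's setup and Aqdas's suggestion side by side, here is a complete IBNS 2.0 access-port configuration for IOS-XE 16.x. This is an added example, not configuration posted by anyone in the thread; the names, VLAN IDs, IP address and shared secret are placeholders chosen for illustration. It wires together dot1x with MAB fallback, critical authorization on RADIUS dead-server detection (with the data service-template carrying no VLAN, as Aqdas describes), clear-and-reauth once a server is marked alive, and a locally defined interface template applied with "source template" that ISE can also select per session.

```cisco
! Added example, not from the thread. Placeholders: ISE-PSN-1, 192.0.2.10,
! <shared-secret>, VLANs 10/20, template and policy names.
!
! --- AAA / RADIUS: dead-criteria and deadtime are what produce the
! "aaa-timeout" result the policy below reacts to ---
aaa new-model
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
 automate-tester username radius-probe ignore-acct-port idle-time 3
aaa group server radius ISE
 server name ISE-PSN-1
 deadtime 15
radius-server dead-criteria time 10 tries 3
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
dot1x system-auth-control
dot1x critical eapol
authentication critical recovery delay 2000
!
! --- Critical-auth service templates: the data template deliberately
! carries no "vlan" line, so the port keeps the access VLAN it already has
! (per Aqdas's observation); the voice template still grants the voice VLAN ---
service-template CRITICAL_AUTH_ACCESS
service-template CRITICAL_VOICE_ACCESS
 voice vlan
!
! --- Classes the control policy matches on ---
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template CRITICAL_VOICE_ACCESS
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template CRITICAL_VOICE_ACCESS
!
! --- Control policy: dot1x first, MAB fallback, critical auth on AAA
! timeout, sessions cleared for re-auth when a RADIUS server comes back ---
policy-map type control subscriber PMAP_DOT1X_MAB_CRITICAL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_ACCESS
   20 activate service-template CRITICAL_VOICE_ACCESS
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
!
! --- Locally defined interface template, applied statically with
! "source template". ISE can select a different local template per session
! by returning the RADIUS attribute cisco-av-pair "interface-template-name=<name>"
! (what the Interface Template option of an ISE authorization profile sends) ---
template ACCESS_DEFAULT
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x pae authenticator
 mab
 access-session port-control auto
 access-session host-mode multi-domain
 service-policy type control subscriber PMAP_DOT1X_MAB_CRITICAL
!
interface GigabitEthernet1/0/1
 source template ACCESS_DEFAULT
```

To check the failure path in a lab, mark the server dead (block UDP/1812 to it, or shut the uplink), bounce a port and confirm with "show access-session interface GigabitEthernet1/0/1 details" that CRITICAL_AUTH_ACCESS is the activated template and the VLAN shown is still the one from the interface template; then restore reachability and confirm the session is cleared and re-authenticated against ISE.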

Aqdas, I have not tried this. I will give this a go in my lab and see how it works; it would be great to have this working to allow us the dynamic nature of the service templates.  I will post any results once I have the findings.

 

Thank you for the suggestion.

 

John