04-17-2015 07:13 AM - edited 03-10-2019 10:39 PM
I have a requirement to authenticate trunk ports to wireless access-points on our Cisco switch. By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using the Cisco-av-pair attribute in ACS (cisco-av-pair = device-traffic-class=switch).
My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). Ideally we would not want to statically assign the VLANs on each port, as an AP could be on any port and we may wish to authenticate other trunk ports using different VLANs in the future. Below is the configuration used on the ports.
cisp enable
!
interface FastEthernet0/2
description *** Client Device ***
switchport access vlan 2
switchport mode access
no logging event link-status
authentication event fail action next-method
authentication event server dead action reinitialize vlan 3
authentication event server alive action reinitialize
authentication order mab dot1x webauth
authentication priority mab dot1x webauth
authentication port-control auto
authentication fallback GUEST_FALLBACK
mab eap
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 10
dot1x max-reauth-req 1
dot1x timeout auth-period 600
no cdp enable
spanning-tree portfast
Any help will be greatly appreciated.
Thanks
John
03-09-2018 08:41 AM
I am looking at doing something similar to this for some flexconnect APs that I want to deploy. I would imagine that adding a switchport trunk allowed vlans x,y,z to the initial port config would suffice and that the access vlan would become the native vlan for the trunk.
Is this what you did or did you accomplish this some other way?
03-12-2018 08:54 AM - edited 03-12-2018 08:56 AM
Hi John,
Even if you change the switchport mode to trunk, I'm not sure you'll be able to pass clients' traffic, because each MAC will have to be authenticated from the switch's perspective (you'll most likely need multi-host mode, so that one MAC - the AP - would grant access to all MACs).
Still, multi-auth would usually place all other MACs into the same VLAN as the first authenticated host. You have to double check.
Still, the good news is that you can use a service-template (I don't have the ISE interface available now to check - this is how I remember it's called - it's one of the first options in the authz profile settings) and send the switch a specific string. When that string is received, the switch can apply a macro to your interface doing what you don't want to do manually :)
Just a quick hint:
I don't have anything more specific now, but I think that will do.
Thanks,
Octavian
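As an added example (not configuration posted by anyone in this thread), this is one way to carry out the approach described above on IOS / IOS-XE that supports interface templates: the port keeps the generic MAB/dot1x config, and the RADIUS server returns a template name so the trunk and its allowed-VLAN list are applied only after the AP authenticates. The template name AP_TRUNK and the VLAN numbers 2,10,20 are assumptions.

```cisco
! Added example, not from the original thread. Assumes IOS with interface
! template support; template name and VLAN numbers are made up for illustration.
!
! 1) Switch side: define the trunk settings once, in an interface template.
!    Keep the allowed list to the VLANs the APs actually need, since a MAB
!    match is all that stands between a spoofed AP MAC and these VLANs.
template AP_TRUNK
 description Applied when RADIUS identifies an authenticated access point
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,10,20
 authentication host-mode multi-host
!
! 2) RADIUS side (ISE "Interface Template" option, or a manual AV pair in ACS):
!    return the template name to the switch in the authorization result, e.g.
!    cisco-av-pair = interface-template-name=AP_TRUNK
!
! 3) The access port stays generic; nothing AP-specific is configured here,
!    so an AP can be plugged into any port.
interface FastEthernet0/2
 description *** Client Device ***
 switchport access vlan 2
 switchport mode access
 authentication order mab dot1x webauth
 authentication priority mab dot1x webauth
 authentication port-control auto
 mab eap
 dot1x pae authenticator
!
! 4) Checks after an AP authenticates: the session should show the template,
!    and the running config derived for the port should show the trunk.
! show authentication sessions interface FastEthernet0/2 details
! show derived-config interface FastEthernet0/2
! show interfaces FastEthernet0/2 switchport
```

When the AP's session ends, the switch removes the template-derived configuration and the port reverts to the access configuration shown above, so a different device on the same port does not inherit the trunk.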