Authenticating Trunk Ports - VLAN list

John Quick
Level 1

I have a requirement to authenticate trunk ports to wireless access points on our Cisco switch. By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using the Cisco-av-pair attribute in ACS (cisco-av-pair = device-traffic-class=switch).

My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). Ideally we would not want to statically assign the VLANs on each port, as an AP could be on any port, and we may wish to authenticate other trunk ports using different VLANs in the future. Below is the configuration used on the ports.

cisp enable
!
interface FastEthernet0/2
 description *** Client Device ***
 switchport access vlan 2
 switchport mode access
 no logging event link-status
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 3
 authentication event server alive action reinitialize
 authentication order mab dot1x webauth
 authentication priority mab dot1x webauth
 authentication port-control auto
 authentication fallback GUEST_FALLBACK
 mab eap
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-reauth-req 1
 dot1x timeout auth-period 600
 no cdp enable
 spanning-tree portfast

Any help will be greatly appreciated. 

Thanks
John

2 Replies

dmurech0488
Level 1

I am looking at doing something similar to this for some FlexConnect APs that I want to deploy. I would imagine that adding a switchport trunk allowed vlan x,y,z to the initial port config would suffice and that the access vlan would become the native vlan for the trunk.


Is this what you did or did you accomplish this some other way?

Octavian Szolga
Level 4

Hi John,


Even if you change the switchport mode to trunk, I'm not sure you'll be able to pass the clients' traffic, because each MAC will have to be authenticated from the switch's perspective (you'll most likely need multi-host mode, so that one MAC, the AP, would grant access to all MACs).

Still, multi-auth would usually place all other MACs into the same VLAN as the first authenticated host. You have to double-check.


Still, the good news is that you can use a service-template (I don't have the ISE interface available now to check; this is how I remember it's called, it's one of the first options in the authz profile settings) and send a specific string to the switch. When that string is received, the switch can apply a macro to your interface, doing what you don't want to do manually :)


Just a quick hint:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/automacr.pdf


I don't have anything more specific now, but I think that will do.


Thanks,

Octavian
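As an added example, not code from the thread, from Cisco, or from any RADIUS server, the following Python models the two halves of what is discussed above: the RADIUS Vendor-Specific attribute (type 26, Cisco enterprise ID 9, sub-type 1) that carries John's cisco-av-pair, with a length-checked parser that ignores other vendors and refuses truncated attribute lists, and the VLAN-list validation that Octavian's macro approach would need before writing `switchport trunk allowed vlan`. The Access-Accept attribute bytes are constructed here (the RADIUS header and authenticator are not modelled), the only av-pair assumed to exist is the `device-traffic-class=switch` from John's post, and the macro body lines are only the IOS commands the thread itself names; no attribute that pushes a VLAN list is assumed, because that gap is what the thread is about.

```python
import struct

# RFC 2865 attribute numbers and Cisco's IANA enterprise number.
RADIUS_VSA_TYPE = 26        # Vendor-Specific
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1       # vendor sub-type that carries cisco-av-pair strings


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one plain RADIUS attribute: type, total length, value."""
    if 2 + len(value) > 255:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute: type 26 wrapping vendor-id + one sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(RADIUS_VSA_TYPE, struct.pack("!I", vendor_id) + sub)


def encode_cisco_avpair(pair: str) -> bytes:
    """Wrap a 'key=value' string exactly as ACS/ISE send cisco-av-pair."""
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, pair.encode("ascii"))


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk an attribute list and collect every cisco-av-pair string.
    Other attributes and other vendors are skipped; every length field is checked
    before it is used, so a truncated or lying packet raises instead of mis-parsing."""
    pairs, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == RADIUS_VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j, end = i + 6, i + alen
            while vendor_id == CISCO_VENDOR_ID and j < end:
                if j + 2 > end:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("bad vendor sub-attribute length")
                if vtype == CISCO_AVPAIR_TYPE:
                    pairs.append(attrs[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return pairs


def port_role(pairs: list) -> str:
    """The av-pair from the thread: device-traffic-class=switch makes the port a trunk."""
    kv = dict(p.split("=", 1) for p in pairs if "=" in p)
    return "trunk" if kv.get("device-traffic-class") == "switch" else "access"


def parse_vlan_list(spec: str) -> list:
    """Parse an IOS-style list such as '2,10-12,300' into sorted VLAN IDs (1-4094 only)."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty VLAN entry")
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(lo_i, hi_i + 1))
    return sorted(vlans)


def vlan_list_to_ios(vlans: list) -> str:
    """Collapse sorted VLAN IDs back into the compact 'a,b-c' form IOS accepts."""
    chunks, start, prev = [], None, None
    for v in sorted(set(vlans)):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            chunks.append(f"{start}-{prev}" if prev > start else str(start))
            start = prev = v
    if start is not None:
        chunks.append(f"{start}-{prev}" if prev > start else str(start))
    return ",".join(chunks)


def trunk_config(native_vlan: int, allowed: list) -> list:
    """The interface lines a macro would apply once the port has become a trunk."""
    return [
        "switchport mode trunk",
        f"switchport trunk native vlan {native_vlan}",
        f"switchport trunk allowed vlan {vlan_list_to_ios(allowed)}",
    ]


# Constructed sample attribute list, as an Access-Accept for an AP might carry it:
# a standard attribute, a non-Cisco VSA (vendor 311, Microsoft) and the Cisco av-pair.
SAMPLE_ACCEPT_ATTRS = (
    encode_attr(81, b"2")                       # Tunnel-Private-Group-ID, tag byte omitted
    + encode_vsa(311, 1, b"x")                  # other vendor, must be ignored
    + encode_cisco_avpair("device-traffic-class=switch")
)

if __name__ == "__main__":
    pairs = decode_cisco_avpairs(SAMPLE_ACCEPT_ATTRS)
    print(pairs, port_role(pairs))
    print("\n".join(trunk_config(2, parse_vlan_list("2,10-12,300"))))
```

The length checks in `decode_cisco_avpairs` are the part worth copying: a RADIUS parser that trusts the per-attribute length byte will read past the buffer on a malformed reply, and the av-pair decision is only as trustworthy as the parse that produced it. Whatever mechanism ends up pushing the VLAN list (macro, template or static config), run it through something like `parse_vlan_list` first so a stray value cannot silently widen the trunk.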