This post will cover some examples of using Cisco SmartPort Macros in a wired 802.1X environment to change the ‘default’ (aka 802.1X enabled per port) behaviour of ports on a Catalyst switch. Examples here are based on Cisco IOS 15.2 and Cisco Identity Services Engine 1.4 and greater, so it requires understanding of 802.1X and ISE operations – I highly recommend reading this Cisco Press book.

There are many Cisco configuration guides on SmartPort Macros though they don’t always explain the flexibility and use cases very clearly.

The great thing is that SmartPort macros can be triggered by 802.1X or MAC Authentication Bypass (MAB) authentication and authorisation events.

Caution!

SmartPort Macros are very powerful, and should be used with caution and always tested in a non-production lab environment before deploying to your production environment!

‘Default’ 802.1X Access Port Configuration

For this scenario, here is an example of the ‘default’ switchport configuration, using multi-domain host mode (which allows only one authenticated device in each of the voice and data domains).

interface range Gi1/0/1-48,Gi2/0/1-48,Gi3/0/1-48,Gi4/0/1-48
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
!

Configure Macro Global Settings

This scenario assumes you’re not currently using macros on your switch. Configure the global macro settings in a change window outside of operational hours, as it is best practice to shut down all access ports while doing so. Disable auto macro processing on all ports, especially uplinks, as the switch will otherwise trigger macros for any upstream device it sees (such as a router) and will reconfigure your trunk interfaces!

!DISABLE AUTOMATIC MACRO PROCESSING ON ALL PORTS INCLUDING UPLINKS
int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,te5/1-8,te6/1-8,gi7/1-48,gi8/1-48
no macro auto processing
exit
!
!SHUT ALL ACCESS PORTS
int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,gi7/1-48,gi8/1-48
shut
!
!ENABLE MACRO PROCESSING GLOBALLY (NO EFFECT ON PORTS)
macro auto global processing
!
!DISABLE THE DEFAULT BEHAVIOUR OF THE SWITCH TRIGGERING ON PORTS
!WHERE NEIGHBOURING DEVICES ARE DETECTED VIA CDP/LLDP
no macro auto global control device
no macro auto global control detection
!
!ENABLE AUTOMATIC MACRO PROCESSING ON ALL PORTS
int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,te5/1-8,te6/1-8,gi7/1-48,gi8/1-48
macro auto processing
!
!NO-SHUT ALL ACCESS PORTS
int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,gi7/1-48,gi8/1-48
no shut
!

Macro for Trunk Port

Here is an example macro for the case where you have authenticated a device in ISE (or any RADIUS server) that requires a trunk port for connectivity, such as a FlexConnect mode access point. Your ISE authorisation profile can then set the ‘Auto Smart Port’ option to the name of your custom macro (in this example it is FLEX_TRUNK), which is returned to the switch as a RADIUS attribute-value pair.

This will then trigger the macro on the port the endpoint is connected to and change the configuration.

If the port goes down (for example, when the access point is rebooted or disconnected), the interface returns to the ‘default’ 802.1X access port configuration.

shell trigger FLEX_TRUNK Event
macro auto execute FLEX_TRUNK {
 if [[ $LINKUP == YES ]]
 then conf t
 interface $INTERFACE
 macro description $TRIGGER
 no authentication event fail action next-method
 no authentication event server dead action authorize vlan 100
 no authentication event server dead action authorize voice
 no authentication event server alive action reinitialize
 no authentication host-mode multi-domain
 no authentication open
 no authentication order dot1x mab
 no authentication priority dot1x mab
 no authentication port-control auto
 no authentication periodic
 no authentication timer reauthenticate server
 no authentication violation restrict
 no mab
 no dot1x pae authenticator
 no dot1x timeout tx-period 5
 switchport trunk native vlan 248
 switchport trunk allowed vlan 248,300
 switchport mode trunk
 exit
 fi
 if [[ $LINKUP == NO ]]
 then conf t
 interface $INTERFACE
 no macro description $TRIGGER
 no switchport trunk native vlan 248
 no switchport trunk allowed vlan 248,300
 no switchport mode trunk
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 exit
 fi
}

To verify a macro has been triggered you can use the ‘show macro auto interface’ command:

switch#show macro auto int
 Global Auto Smart Port Status
 Auto Smart Ports Disabled
 Fallback : CDP Disabled
Interface Auto Smart Port Fallback Macro Description(s)
--------------------------------------------------------------
Fa1       FALSE            None      No Macro Applied
Gi1/1     FALSE            None      No Macro Applied
Gi1/2     FALSE            None      FLEX_TRUNK

To remove a macro from a port enter the command ‘no macro description <name of macro>’ at the interface level.  You may need to bounce the port or trigger a Change of Authorisation (CoA) from ISE.

Macro to Change Host Mode

You may need to dynamically change the authentication host mode of an interface to support authentication and authorisation of multiple hosts behind a port, such as an AV switch.

Again, once ISE has authenticated the first device/MAC address it sees, the authorisation profile can trigger a different SmartPort macro to change the host mode. Once this has triggered on the port, all other devices can begin their individual authentication processes, and you will see session information for each MAC address on the port.

shell trigger RADIUS_MAB_MULTI_AUTH Event
macro auto execute RADIUS_MAB_MULTI_AUTH {
 if [[ $LINKUP == YES ]]; then
 conf t
 interface $INTERFACE
 macro description $TRIGGER
 authentication host-mode multi-auth
 exit
 fi
 if [[ $LINKUP == NO ]]; then
 conf t
 interface $INTERFACE
 no macro description $TRIGGER
 authentication host-mode multi-domain
 exit
 fi
}
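Because the link-down branch is what returns a port to its 802.1X configuration, a missing restore there leaves a port in trunk or multi-auth mode with no authentication after the device is unplugged. The Python script below is an added example, not code from the post: it parses a macro written in the shape of the FLEX_TRUNK and RADIUS_MAB_MULTI_AUTH macros above and lists every command changed at link-up that the link-down branch never puts back; the macro it runs on is a constructed, shortened variant with one restore deliberately missing.

```python
import re
# Constructed test macro in the shape of the post's FLEX_TRUNK macro, cut down
# to fit here; it deliberately never restores 'authentication port-control auto'.
BROKEN_MACRO = """\
macro auto execute FLEX_TRUNK_TEST {
 if [[ $LINKUP == YES ]]
 then conf t
 interface $INTERFACE
 macro description $TRIGGER
 no authentication port-control auto
 no dot1x pae authenticator
 switchport mode trunk
 exit
 fi
 if [[ $LINKUP == NO ]]; then
 conf t
 interface $INTERFACE
 no macro description $TRIGGER
 no switchport mode trunk
 switchport mode access
 dot1x pae authenticator
 exit
 fi
}
"""
SKIP = {"conf t", "then conf t", "exit", "fi", "}"}  # shell/config plumbing, not port commands

def branches(macro):
    """Split the macro into the commands run at link-up ('YES') and link-down ('NO')."""
    out, branch = {"YES": [], "NO": []}, None
    for raw in macro.splitlines():
        line = raw.strip()
        m = re.search(r"\$LINKUP\s*==\s*(YES|NO)", line)
        if m:
            branch = m.group(1)          # handles both 'if ...' / 'then' and 'if ...; then'
        elif line == "fi":
            branch = None
        elif branch and line and line not in SKIP and not line.startswith("interface "):
            out[branch].append(line)
    return out

def unrestored(macro):
    """Commands changed at link-up that the link-down branch never puts back."""
    b = branches(macro)
    up_no = {c[3:] for c in b["YES"] if c.startswith("no ")}     # removed at link-up
    up_set = {c for c in b["YES"] if not c.startswith("no ")}    # added at link-up
    down_no = {c[3:] for c in b["NO"] if c.startswith("no ")}
    down_set = {c for c in b["NO"] if not c.startswith("no ")}
    key = lambda c: " ".join(c.split()[:-1])  # keyword part, e.g. 'switchport mode'
    return sorted(c for c in up_no if c not in down_set) + sorted(
        c for c in up_set if c not in down_no and key(c) not in map(key, down_set))
```

Pasting either macro from this post in place of BROKEN_MACRO returns an empty list, since both restore everything they change.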

Here is an example of the session authentication status for a port that has the multi-auth macro applied, which shows multiple MAC addresses authorised (Status = Auth) behind the one port:

switch# show auth sess int gi7/9
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi7/9     b0e8.92ec.beaf mab DATA   Auth 0A0C016900000335A1E7F590
Gi7/9     0060.9f9e.73e1 mab DATA   Auth 0A0C016900000336A1E7F91C
Gi7/9     0060.9f9f.2585 mab DATA   Auth 0A0C016900000337A1E7F95C
Gi7/9     0060.9f9f.014d mab DATA   Auth 0A0C01690000032DA1E74A7C

Summary

I hope that has provided an overview of what you can achieve with dynamically-triggered SmartPort macros; they can be very flexible for altering interface-level configuration.

Please let me know if you have any questions, and I will follow up with another related post about authenticating a downstream router or switch as an EAP supplicant and triggering a SmartPort macro!

Posted by Wi-Fi Coops
