This post will cover some examples of using Cisco SmartPort Macros in a wired 802.1X environment to change the ‘default’ (aka 802.1X enabled per port) behaviour of ports on a Catalyst switch.    Examples here are based on Cisco IOS 15.2 and Cisco Identity Services Engine 1.4 and greater, so it requires understanding of 802.1X and ISE operations – I highly recommend reading this Cisco Press book.

There are many Cisco configuration guides on SmartPort Macros though they don’t always explain the flexibility and use cases very clearly.

The great thing is SmartPort macros can be triggered using 802.1X or MAC Authentication Bypass (MAB) authentication and authorisation events.Caution!

SmartPort Macros are very powerful, and should be used with caution and always tested in a non-production lab environment before deploying to your production environment!

‘Default’ 802.1X Access Port Configuration

For this scenario here is an example configuration of the ‘default’ switchport configuration with multi-domain host mode (to allow only one authenticated device per voice and data domain).

interface range Gi1/0/1-48,Gi2/0/1-48,Gi3/0/1-48,Gi4/0/1-48

 switchport mode access

 switchport access vlan 100

 switchport voice vlan 200

 authentication event fail action next-method

 authentication event server dead action authorize vlan 100

 authentication event server dead action authorize voice

 authentication event server alive action reinitialize

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

 authentication periodic

 authentication timer reauthenticate server

 authentication violation restrict

 mab

 dot1x pae authenticator

 dot1x timeout tx-period 5

!

Configure Macro Global Settings

This scenario assumes you’re not currently using macros on your switch.  Configure global macro settings in a change window outside of operational hours, as it is best practice to shutdown all access ports.  Disable auto macro processing on all ports especially uplinks, as the switch will trigger macros for any upstream device it sees (such as a router) and will reconfigure your trunk interfaces!

!DISABLE AUTOMATIC MACRO PROCESSING ON ALL PORTS INCLUDING UPLINKS

int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,te5/1-8,te6/1-8,gi7/1-48,gi8/1-48

no macro auto processing

exit

!

!SHUT ALL ACCESS PORTS

int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,gi7/1-48,gi8/1-48

shut

!

!ENABLE MACRO PROCESSING GLOBALLY (NO EFFECT ON PORTS)

macro auto global processing

!

!DISABLE THE DEFAULT BEHAVIOUR OF THE SWITCH TRIGGERING ON PORTS

!WHERE NEIGHBOURING DEVICES ARE DETECTED VIA CDP/LLDP

no macro auto global control device

no macro auto global control detection

!

!ENABLE AUTOMATIC MACRO PROCESSING ON ALL PORTS

int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,te5/1-8,te6/1-8,gi7/1-48,gi8/1-48

macro auto processing

!

!NO-SHUT ALL ACCESS PORTS

int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,gi7/1-48,gi8/1-48

no shut

!

Macro for Trunk Port

Here is an example macro where you have authenticated a device in ISE (or any RADIUS server) that requires a trunk port for connectivity, such as a FlexConnect mode access point.  Your ISE authorisation profile can then have ‘Auto Smart Port’ value of the name of your custom macro (in this example it is FLEX_TRUNK) and return it as a RADIUS attribute-value pair.

This will then trigger the macro on the port the endpoint is connected to and change the configuration.

If the port goes down (i.e. the access point is rebooted or disconnected) the interface returns to the ‘default’ 802.1X access port configuration.

shell trigger FLEX_TRUNK Event

macro auto execute FLEX_TRUNK {

 if [[ $LINKUP == YES ]]

 then conf t

 interface $INTERFACE

 macro description $TRIGGER

 no authentication event fail action next-method

 no authentication event server dead action authorize vlan 100

 no authentication event server dead action authorize voice

 no authentication event server alive action reinitialize

 no authentication host-mode multi-domain

 no authentication open

 no authentication order dot1x mab

 no authentication priority dot1x mab

 no authentication port-control auto

 no authentication periodic

 no authentication timer reauthenticate server

 no authentication violation restrict

 no mab

 no dot1x pae authenticator

 no dot1x timeout tx-period 5

 switchport trunk native vlan 248

 switchport trunk allowed vlan 248,300

 switchport mode trunk

 exit

 fi

 if [[ $LINKUP == NO ]]

 then conf t

 interface $INTERFACE

 no macro description $TRIGGER

 no switchport trunk native vlan 248

 no switchport trunk allowed vlan 248,300

 no switchport mode trunk

 switchport mode access

 authentication event fail action next-method

 authentication event server dead action authorize vlan 100

 authentication event server dead action authorize voice

 authentication event server alive action reinitialize

 authentication host-mode multi-domain

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

 authentication periodic

 authentication timer reauthenticate server

 authentication violation restrict

 mab

 dot1x pae authenticator

 dot1x timeout tx-period 5

 exit

 fi

}

To verify a macro has been triggered you can use the ‘show macro auto interface’ command:

switch#show macro auto int

 Global Auto Smart Port Status

 Auto Smart Ports Disabled

 Fallback : CDP Disabled

Interface Auto Smart Port Fallback Macro Description(s)

--------------------------------------------------------------

Fa1       FALSE            None      No Macro Applied

Gi1/1     FALSE            None      No Macro Applied

Gi1/2     FALSE            None      FLEX_TRUNK

To remove a macro from a port enter the command ‘no macro description <name of macro>’ at the interface level.  You may need to bounce the port or trigger a Change of Authorisation (CoA) from ISE.

Macro to Change Host Mode

You may require to dynamically change the authentication host mode of an interface to support authentication and authorisation of multiple hosts behind a port, such as an AV switch.

Again, once ISE has authenticated the first device/MAC address it sees, the authorisation profile can trigger a different SmartPort macro to change the host mode.  Once this has triggered on the port, all other devices can begin their individual authentication processes; and you will see session information for each MAC address on the port.

shell trigger RADIUS_MAB_MULTI_AUTH Event

macro auto execute RADIUS_MAB_MULTI_AUTH {

if [[ $LINKUP == YES ]]; then

conf t

 interface $INTERFACE

 macro description $TRIGGER

 authentication host-mode multi-auth

 exit

fi

if [[ $LINKUP == NO ]]; then

conf t

interface $INTERFACE

 no macro description $TRIGGER

authentication host-mode multi-domain

 exit

fi

}

Here is an example of the session authentication status for a port that has the multi-auth macro applied, which shows multiple MAC addresses authorised (Status = Auth) behind the one port:

switch# show auth sess int gi7/9

Interface MAC Address Method Domain Status Fg Session ID

----------------------------------------------------------------------

Gi7/9     b0e8.92ec.beaf mab DATA   Auth 0A0C016900000335A1E7F590

Gi7/9     0060.9f9e.73e1 mab DATA   Auth 0A0C016900000336A1E7F91C

Gi7/9     0060.9f9f.2585 mab DATA   Auth 0A0C016900000337A1E7F95C

Gi7/9     0060.9f9f.014d mab DATA   Auth 0A0C01690000032DA1E74A7C

Summary

I hope that has provided an overview of what you can achieve with dynamically-triggered SmartPort macros, they can be very flexible for altering interface-level configuration.

Please let me know if you have any questions, and I will follow up with another related post about authenticating a downstream router or switch as an EAP supplicant and triggering a SmartPort macro!