This post will cover some examples of using Cisco SmartPort Macros in a wired 802.1X environment to change the ‘default’ (aka 802.1X enabled per port) behaviour of ports on a Catalyst switch. Examples here are based on Cisco IOS 15.2 and Cisco Identity Services Engine 1.4 and greater, so it requires understanding of 802.1X and ISE operations – I highly recommend reading this Cisco Press book.
There are many Cisco configuration guides on SmartPort Macros though they don’t always explain the flexibility and use cases very clearly.
The great thing is that SmartPort macros can be triggered by 802.1X or MAC Authentication Bypass (MAB) authentication and authorisation events.
Caution!
SmartPort Macros are very powerful, and should be used with care and always tested in a non-production lab environment before being deployed to your production environment!
‘Default’ 802.1X Access Port Configuration
For this scenario, here is an example of the ‘default’ switchport configuration with multi-domain host mode (which allows only one authenticated device in each of the voice and data domains).
interface range Gi1/0/1-48,Gi2/0/1-48,Gi3/0/1-48,Gi4/0/1-48
switchport mode access
switchport access vlan 100
switchport voice vlan 200
authentication event fail action next-method
authentication event server dead action authorize vlan 100
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
!
Configure Macro Global Settings
This scenario assumes you’re not currently using macros on your switch. Configure the global macro settings in a change window outside of operational hours, as it is best practice to shut down all access ports first. Disable auto macro processing on all ports, especially uplinks, because the switch will otherwise trigger macros for any upstream device it detects (such as a router) and reconfigure your trunk interfaces!
!DISABLE AUTOMATIC MACRO PROCESSING ON ALL PORTS INCLUDING UPLINKS
int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,te5/1-8,te6/1-8,gi7/1-48,gi8/1-48
no macro auto processing
exit
!
!SHUT ALL ACCESS PORTS
int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,gi7/1-48,gi8/1-48
shut
!
!ENABLE MACRO PROCESSING GLOBALLY (NO EFFECT ON PORTS)
macro auto global processing
!
!DISABLE THE DEFAULT BEHAVIOUR OF THE SWITCH TRIGGERING ON PORTS
!WHERE NEIGHBOURING DEVICES ARE DETECTED VIA CDP/LLDP
no macro auto global control device
no macro auto global control detection
!
!ENABLE AUTOMATIC MACRO PROCESSING ON ALL PORTS
int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,te5/1-8,te6/1-8,gi7/1-48,gi8/1-48
macro auto processing
!
!NO-SHUT ALL ACCESS PORTS
int range gi1/1-48,gi2/1-48,gi3/1-48,gi4/1-48,gi7/1-48,gi8/1-48
no shut
!
Macro for Trunk Port
Here is an example macro for the case where you have authenticated a device in ISE (or any RADIUS server) that requires a trunk port for connectivity, such as a FlexConnect mode access point. Your ISE authorisation profile can then set the ‘Auto Smart Port’ option to the name of your custom macro (FLEX_TRUNK in this example), which ISE returns to the switch as a RADIUS attribute-value pair.
This triggers the macro on the port the endpoint is connected to and changes the port configuration.
If the port goes down (for example, the access point is rebooted or disconnected), the interface returns to the ‘default’ 802.1X access port configuration.
shell trigger FLEX_TRUNK Event
macro auto execute FLEX_TRUNK {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
macro description $TRIGGER
no authentication event fail action next-method
no authentication event server dead action authorize vlan 100
no authentication event server dead action authorize voice
no authentication event server alive action reinitialize
no authentication host-mode multi-domain
no authentication open
no authentication order dot1x mab
no authentication priority dot1x mab
no authentication port-control auto
no authentication periodic
no authentication timer reauthenticate server
no authentication violation restrict
no mab
no dot1x pae authenticator
no dot1x timeout tx-period 5
switchport trunk native vlan 248
switchport trunk allowed vlan 248,300
switchport mode trunk
exit
fi
if [[ $LINKUP == NO ]]
then conf t
interface $INTERFACE
no macro description $TRIGGER
no switchport trunk native vlan 248
no switchport trunk allowed vlan 248,300
no switchport mode trunk
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 100
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
exit
fi
}
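A macro like the one above only keeps the port safe if its $LINKUP == NO branch restores everything the $LINKUP == YES branch removed; a missed line leaves a trunk port with no 802.1X. The following Python check is an added example, not part of the original post: it parses the two branches of a shell-trigger macro and reports any baseline line that is not restored or any added line that is never removed. The macro text and the baseline list are constructed, abbreviated copies of the FLEX_TRUNK macro and the default port configuration.

```python
BASELINE = ["authentication port-control auto", "mab"]  # constructed subset of the default port config

# Constructed, abbreviated copy of the page's FLEX_TRUNK macro
FLEX_TRUNK = """macro auto execute FLEX_TRUNK {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
macro description $TRIGGER
no authentication port-control auto
no mab
switchport mode trunk
exit
fi
if [[ $LINKUP == NO ]]
then conf t
interface $INTERFACE
no macro description $TRIGGER
no switchport mode trunk
switchport mode access
authentication port-control auto
mab
exit
fi
}"""

# Macro plumbing that is not port configuration and so is ignored by the check
SKIP = ("conf t", "interface ", "macro description", "no macro description", "exit", "fi", "}")

def split_branches(macro_text):
    """Return (up, down): the config lines under $LINKUP == YES and $LINKUP == NO."""
    up, down, cur = [], [], None
    for raw in macro_text.splitlines():
        line = raw.strip().removeprefix("then ")   # 'then conf t' sits on one line
        if "$LINKUP == YES" in line:
            cur = up
        elif "$LINKUP == NO" in line:
            cur = down
        elif cur is not None and line and not line.startswith(SKIP):
            cur.append(line)
    return up, down

def check_revert(baseline, macro_text):
    """List what the link-down branch fails to undo or restore (empty list = symmetric)."""
    up, down = split_branches(macro_text)
    issues = []
    for line in up:
        if line.startswith("no "):            # macro removed a baseline line on link-up
            if line[3:] in baseline and line[3:] not in down:
                issues.append("baseline not restored: " + line[3:])
        elif "no " + line not in down:        # macro added a line on link-up
            issues.append("added but never removed: " + line)
    return issues
```

Run check_revert against the full macro and your full baseline before loading the macro on a switch; any non-empty result is a line to add to the link-down branch.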
To verify a macro has been triggered you can use the ‘show macro auto interface’ command:
switch#show macro auto int
Global Auto Smart Port Status
Auto Smart Ports Disabled
Fallback : CDP Disabled
Interface   Auto Smart Port   Fallback   Macro Description(s)
--------------------------------------------------------------
Fa1         FALSE             None       No Macro Applied
Gi1/1       FALSE             None       No Macro Applied
Gi1/2       FALSE             None       FLEX_TRUNK
To remove a macro from a port enter the command ‘no macro description <name of macro>’ at the interface level. You may need to bounce the port or trigger a Change of Authorisation (CoA) from ISE.
Macro to Change Host Mode
You may need to dynamically change the authentication host mode of an interface to support authentication and authorisation of multiple hosts behind a single port, such as an AV switch.
Again, once ISE has authenticated the first device/MAC address it sees, the authorisation profile can trigger a different SmartPort macro to change the host mode. Once this has triggered on the port, all other devices can begin their individual authentication processes, and you will see session information for each MAC address on the port.
shell trigger RADIUS_MAB_MULTI_AUTH Event
macro auto execute RADIUS_MAB_MULTI_AUTH {
if [[ $LINKUP == YES ]]; then
conf t
interface $INTERFACE
macro description $TRIGGER
authentication host-mode multi-auth
exit
fi
if [[ $LINKUP == NO ]]; then
conf t
interface $INTERFACE
no macro description $TRIGGER
authentication host-mode multi-domain
exit
fi
}
Here is an example of the session authentication status for a port that has the multi-auth macro applied, which shows multiple MAC addresses authorised (Status = Auth) behind the one port:
switch# show auth sess int gi7/9
Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi7/9      b0e8.92ec.beaf  mab     DATA    Auth        0A0C016900000335A1E7F590
Gi7/9      0060.9f9e.73e1  mab     DATA    Auth        0A0C016900000336A1E7F91C
Gi7/9      0060.9f9f.2585  mab     DATA    Auth        0A0C016900000337A1E7F95C
Gi7/9      0060.9f9f.014d  mab     DATA    Auth        0A0C01690000032DA1E74A7C
Summary
I hope that has provided an overview of what you can achieve with dynamically-triggered SmartPort macros; they are a very flexible way of altering interface-level configuration.
Please let me know if you have any questions, and I will follow up with another related post about authenticating a downstream router or switch as an EAP supplicant and triggering a SmartPort macro!