ISE C3PL Switch Configuration

By Louis Spencer JR

Creating your control policies – The control class that you created in step 1 is used in the control policy. The control class is the event that causes the control policy to be evaluated, and it defines the actions to take based on the event in the class map. The actions you can take are specific to the kind of event that occurred.

The actions are numbered and are executed sequentially. You use the previously created control class map in this control policy. The control policy is structured as follows:

First you create the policy-map and specify the event:

    policy-map type control subscriber name
     event event-type {match-all | match-first}

Note: The difference between match-all and match-first is that with match-all, all of the classes you define are evaluated, while with match-first, only the first class that matches is evaluated.

Next you specify the class and how to handle its actions:

    num class {class-name | always} {do-all | do-until-failure | do-until-success}

Note: Here you specify the class name you created in step 1, or always to ensure that the control class-map always matches. The second argument controls whether all of the actions you specify are executed, all of them until one fails, or all of them until one succeeds.

Next you specify the actions to take, including actions to take for policy violations:

    num <action-type> <additional-arguments>

Here you specify the action to take: activate a template or policy, authenticate with a given type and priority, authorize a session, notify the session attributes, set a timer, or unauthorize a session, each with a number of additional arguments depending on the type of action you are taking.

Let’s say I want to create the following configuration:

- Run 802.1x and MAB at the same time on a port, but prefer 802.1x
- If 802.1x fails authentication, fall back to MAB
- If the RADIUS server is down, give access based on the critical ACL I define

First I would start by creating the critical ACL: 

    ip access-list extended ACL-ALLOW
     permit ip any any

Then I would add that ACL to a service template:

    service-template CRITICAL
     access-group ACL-ALLOW

Note: This ACL could be as restrictive or as liberal as you want it to be. The point is to craft it for your organization.

Next we will create the control policy:

    policy-map type control subscriber DOT1X-DEFAULT   <- Creates the control policy
     event session-started match-all   <- When a session starts, evaluate all of the classes defined below
      10 class always do-all   <- Matches everything after a session starts, and executes all of the actions
       10 authenticate using dot1x priority 10   <- Action: authenticate using dot1x with a priority of 10
       20 authenticate using mab priority 20   <- Action: authenticate using MAB with a priority of 20, a lower priority than a successful dot1x authentication if both were to pass
     event violation match-all   <- Specifies the actions to take when a policy violation occurs
      10 class always do-all   <- Matches every violation, and executes all of the actions
       10 restrict   <- Action: drop the violating packets and generate a syslog message
     event agent-found match-all   <- Fires when an 802.1x supplicant is detected
      10 class always do-all   <- Executes all of the actions
       10 authenticate using dot1x   <- Action: authenticate using 802.1x

In the above, we stated to attempt 802.1x and MAB authentication at the same time, but with the priorities set so that 802.1x is the preferred authentication method. If there is a violation, drop the packets. If an 802.1x supplicant is detected,
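As an added check, and not code from the original post: a small Python linter that parses a control policy written in the form shown above and tests it against the three goals listed earlier (prefer 802.1x over MAB, drop violations, activate the CRITICAL template). The policy text and the rule that the lower priority number wins come from this post; the parser, the check names and the idea of flagging a never-activated service template are my own.

```python
import re

# Constructed sample input: the DOT1X-DEFAULT control policy from this post.
POLICY = """
policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event violation match-all
  10 class always do-all
   10 restrict
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
"""

def parse_policy(text):
    """Map each event name to the numbered actions beneath it (class lines are skipped)."""
    events, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"event (\S+) (?:match-all|match-first)$", line):
            current = m.group(1)
            events[current] = []
        elif current and (m := re.match(r"\d+ (?!class )(.+)$", line)):
            events[current].append(m.group(1))
    return events

def lint_policy(events, templates=("CRITICAL",)):
    """Check the three design goals stated in the post; return a list of findings."""
    findings, prio = [], {}
    for action in events.get("session-started", []):
        if m := re.match(r"authenticate using (dot1x|mab) priority (\d+)$", action):
            prio[m.group(1)] = int(m.group(2))
    # Goal 1: both methods run, and dot1x wins (the lower priority number is preferred).
    if not ("dot1x" in prio and "mab" in prio and prio["dot1x"] < prio["mab"]):
        findings.append("session-started: dot1x is not preferred over mab")
    # Goal 2: violating traffic is dropped.
    if "restrict" not in events.get("violation", []):
        findings.append("violation: no restrict action")
    # Goal 3: some event must activate the critical service template.
    activated = {a.split()[-1] for acts in events.values() for a in acts
                 if a.startswith("activate service-template ")}
    for t in templates:
        if t not in activated:
            findings.append(f"service-template {t} is never activated (no critical-auth fallback)")
    return findings
```

Run against the policy shown, it reports only that CRITICAL is never activated: the template exists, but no event in the policy as written applies it, so the RADIUS-down goal is not yet implemented.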

The above will look like this in the running config of the switch:
