Hi
Also, on a 9300 running IOS-XE 16.12 I'm using the following policy:
policy-map type control subscriber POLICY_BASE
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template CRITICAL_AUTH_VLAN_BASE
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-until-failure
   10 restrict
!
Plus this here:
service-policy type control subscriber POLICY_BASE
And I'm working with a template assigned to the interfaces:
template PORT
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-req 1
 dot1x max-reauth-req 1
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 mab
 access-session control-direction in
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber POLICY_BASE
!
!
And I think you also have to send over from ClearPass Radius:IETF -> Session-Timeout -> XY seconds together with the VLAN assignment (Radius:IETF -> Tunnel-Private-Group-Id). The Session-Timeout defines when the next re-authentication should happen.
Best regards,
Andy
Original Message:
Sent: Sep 28, 2022 12:07 AM
From: ioannis vosikas
Subject: Cisco 9300 Switch (IBNS 2.0) Policy-map
I have noticed for some time now that Cisco 9300 switches configured as per the below:
policy-map type control subscriber CPass-Pol
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  50 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
Ports do not reauthenticate at all. Is the above policy-map sufficient for good operation?
On another note, if I add the following lines to the policy-map, as per Cisco Switch FlexAuth and Admin Authentication (Aruba Solution Exchange):
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template IA-TIMER
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 unauthorize
I get printers and a couple of other devices that are not able to re-authenticate with 802.1x.
Any clues why?
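As an added example (not Cisco, Aruba or the thread authors' code), a small Python audit of the reauthentication knobs Andy's reply points to: it parses an IBNS 2.0 policy-map into events, classes and actions, checks a port template for `authentication periodic` and the reauthenticate timer, and checks that when the timer source is `server` the ClearPass Access-Accept carries Session-Timeout. The sample template, policy-map and attribute dictionary are constructed from the two configurations in this thread.

```python
from collections import defaultdict

def parse_policy_map(text):
    """Build {event: {class: [actions]}} from a policy-map, indented or flattened."""
    policy, event, cls = defaultdict(dict), None, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "event":                      # new event block, reset class
            event, cls = parts[1], None
        elif event and parts[0].isdigit() and parts[1:2] == ["class"]:
            cls = parts[2]                           # "<seq> class <name> ..."
            policy[event][cls] = []
        elif cls and parts[0].isdigit():             # "<seq> <action ...>"
            policy[event][cls].append(" ".join(parts[1:]))
    return dict(policy)

def audit_template(text):
    """Findings on what a port template needs before sessions reauthenticate at all."""
    lines = {l.strip() for l in text.splitlines()}
    findings = []
    if "authentication periodic" not in lines:
        findings.append("no 'authentication periodic': sessions never reauthenticate")
    if not any(l.startswith("authentication timer reauthenticate") for l in lines):
        findings.append("no 'authentication timer reauthenticate': no reauth interval source")
    return findings

def audit_access_accept(template_text, attrs):
    """With timer source 'server', the Access-Accept must carry Session-Timeout (seconds)."""
    if "authentication timer reauthenticate server" in template_text and "Session-Timeout" not in attrs:
        return ["timer source is server but Access-Accept has no Session-Timeout"]
    return []

# Constructed samples modelled on the two configs in this thread.
TEMPLATE_REAUTH = """template PORT
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server"""
TEMPLATE_NO_REAUTH = "template PORT\n access-session port-control auto\n mab"
POLICY = """policy-map type control subscriber CPass-Pol
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event authentication-failure match-first
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authentication-restart 60"""
ACCEPT_OK = {"Tunnel-Private-Group-Id": "120", "Session-Timeout": 3600}  # constructed
```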