Cisco ISE - FlexConnect Access Point Auto Smartport Trunk via Macro Configuration

In this article, we take a look at how to make ISE configure a switch port as a Trunk (using a Macro) when an Access Point in FlexConnect mode is connected to an 802.1x/MAB-enabled switch access port, and reverting the configuration back to an access port if the Access Point is unplugged.

Introduction

The following solution is useful for those cases where you want every single access port connected to an endpoint to have the exact same configuration, with the ability to also plug in FlexConnect Access Points to those access ports and have them converted to Trunk ports in the process. This is achieved using the Auto Smartports (“ASP”) feature of the switch by having ISE tell the switch to run a configuration Macro as part of the authorization result.

While you could simply statically configure Trunk mode on the port that Access Points will be connected to, this solution offers a bit more dynamic approach if you really do not want to manually configure trunk ports.

The following hardware and software were used in this article:

Cisco ISE version 3.1 patch 5
Cisco Catalyst C9200L-48P-4X Switch running IOS-XE 17.6.4

Authentication Process

To give you the complete picture of what we’re trying to achieve, let’s go through the complete authentication process.

The chain of events below assumes you are using Profiling to identify and authenticate Access Points. You could also use 802.1x authentication (some flavor or EAP) or regular MAB (by adding the access points’ MAC address to an Endpoint Identity Group in ISE and matching on that). However, since the goal of this post sort of is to automate the onboarding process as much as possible, the Profiling method will be used as it does not add any extra pre-requisite steps.

All endpoint ports (typically all GigabitEthernet 1/0/X interfaces of a standard 9K Catalyst switch) are configured as secured 802.1x/MAB-enabled access ports.
An Access Point is connected to an 802.1x/MAB-enabled access port.
The switch sees the MAC address of the AP and starts a Radius Session for the endpoint by sending a Radius Request to ISE.
ISE sees the unknown MAC address and assigns it the Authorization Profile for general Profiling Access, allowing the Radius Session in the switch to stay alive and giving the access point limited network access.
The switch will receive CDP/LLDP/DHCP data from the Access Point, and using the Device Sensor feature, will send this information to ISE via Radius Accounting messages.
ISE receives the CDP/LLDP/DHCP data from the switch, enabling it to properly profile the endpoint as an Access Point.
ISE sends out a Change of Authorization (“CoA”) message to the switch, which includes a Cisco Attribute-Value Pair (AVP) of the type auto-smart-port and the value “MACRO-AP-FLEX-TRUNK”.
The auto-smart-port value triggers the switch to run the configured Macro called “MACRO-AP-FLEX-TRUNK”.
The configuration inside the Macro is applied to the port, making it a Trunk port, assigning Native VLAN, allowed VLANs, and more. Thanks to including the “source template…” command which reapplies the 802.1x/MAB configuration, the Radius Session for the Access Point will remain and be tracked/visible to ISE.
Because of the “source template…” command being re-applied (which includes all of the authentication-related commands) by the Macro, 802.1x/MAB authentication will run one more time and then settle down.
Important security note! One thing to note is that the configuration applied on interfaces by this macro will temporarily survive a switch reboot if the configuration is saved to running-config before the reboot happens. Temporarily in this case meaning that for a few seconds after the switch has booted up completely, interfaces that were previously configured with the macro will still have that configuration. This means there will be a very short window of a couple of seconds where network access is "granted" before the authentication process starts. Since this macro’s task is automatic configuration of Trunk ports for Flexconnect APs, this means that a potential rogue endpoint connected to a previous macro-ed interface during the reboot period (stealing the Flexconnect AP’s interface) will be able to get on the Flexconnect VLAN for a few seconds before 802.1x/MAB authentication is initiated on the interface, and the endpoint is properly authenticated (or denied). If you feel bad about this, considering putting a dACL in the Authorization Profile to further lock down the Access Point’s network access to make sure this temporary network access cannot be used to perform attacks.

Switch IBNS 2.0 Configuration

Configure standard IBNS 2.0 on your endpoint ports (access ports). If you do not currently have an IBNS 2.0 configuration on your switches, you can find some examples of how to do this in my previous articles, down below.

SOLID CONFIG: Cisco IBNS 2.0 802.1x and MAB Authentication for IOS Switches

SOLID CONFIG: Cisco IBNS 2.0 802.1x and MAB Authentication for IOS-XE Switches

Important note: make sure your configuration template does NOT include the “no macro auto processing” command on each of the access ports. We will need macro auto processing enabled for this solution to work. My standard templates for IBNS 2.0 do have this command in them, so it needs to be removed.

Switch Global Configuration

If you take a look at some of the references at the end of this article, you’ll see that Cisco switches can run built-in Macros automatically based on what kind of device is connected to a switch port. Using protocols like CDP, the switch can detect different types of endpoints and configure the port accordingly. Examples of these endpoints are access points, VOIP phones, and other switches.

However, we want to use ISE to decide which Macro to run, so we will only configure the minimum Macro commands required for this solution. Leaving all types of built-in Macros enabled could cause you issues, like the switch deciding to configure switch-to-switch trunks on its own, possibly breaking your network.

no macro auto global control device
no macro auto global control trigger
macro auto global processing

Switch Macro Configuration

An important note is to make sure that the configuration that is to be re-applied (restored if you will) to the port if the link to an Access Point goes down matches the original IBNS 2.0 configuration of the port.

This “restoration” configuration can be seen after the “if [[ $LINKUP == NO ]]; then….” part further down.

In the example below, we will use the Access Port configuration similar to the one available in my articles above, but if you are using a different configuration for your secured 802.1x/MAB-enabled interface you will need to edit the script below to match, otherwise, you might “lose” configuration commands when the restoration of the original access port configuration is performed.

Don’t forget to adjust Native VLAN (AP management VLAN, which in my case is VLAN 16) and allowed VLANs (native VLAN plus User VLANs, which is VLAN 10/20/30 in my case) to match your environment.

Note the “access-session host-mode multi-host” command which allows all MAC addresses after the first authentication MAC address to be able to skip authentication. This is needed because we are using FlexConnect access points, so only the FlexConnect AP needs to authenticate to the switch because the clients that will connect to that AP via WLAN afterward will be authenticated by the AP/WLC, not by the switch.

macro auto execute MACRO-FLEX-AP-TRUNK {
if [[ $LINKUP == YES ]]; then
conf t
    default interface $INTERFACE
    interface $INTERFACE
    description Access Point Trunk Macro ISE
    macro description $TRIGGER
    macro auto processing
    switchport mode trunk
    switchport trunk native vlan 16
    switchport trunk allowed vlan 16,10,20,30
    spanning-tree portfast trunk
    spanning-tree bpduguard enable
    access-session host-mode multi-host
    device-tracking attach-policy DISABLE-IP-TRACKING
    ip dhcp snooping trust
    load-interval 30
    source template WIRED_DOT1X_CLOSED
    exit
fi
if [[ $LINKUP == NO ]]; then
conf t
default interface $INTERFACE
interface $INTERFACE
    description DOT1X-MAB Secured Port
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 666
    switchport nonegotiate
    no switchport port-security
    device-tracking attach-policy IP-TRACKING
    ip dhcp snooping limit rate 20
    macro auto processing
    storm-control broadcast level pps 100 80
    storm-control action trap
    spanning-tree portfast
    spanning-tree bpduguard enable
    spanning-tree guard root
    load-interval 30
    source template WIRED_DOT1X_CLOSED
    exit
fi
}

If you need to remove the Macro to re-create it for some reason, use the command “no shell trigger MACRO-FLEX-AP-TRUNK” to delete it. Removing the Macro does not remove the active configuration made by it to interfaces.

This is what the Macro looks like in the running configuration.

ISE Authorization Profile Configuration

To make the Macro trigger when an access point is connected to one of the 802.1x/MAB enables switch ports, we will need to create a new Authorization Profile in ISE that send an AV Pair (or an “instruction”, if you will) to the switch to use the Macro when an AP is authenticated.

To do this, navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles and create a new Authorization Policy. Give it a name and check the box for “Auto Smart Port”, and input the name of the Macro on the switch (“MACRO-FLEX-AP-TRUNK”) as the value. Feel free to also add a Reauthentication timer, as that is considered best practice.

cisco-ise-auto-smart-port-flexconnect-ap-trunk

The raw result of this configuration can be seen at the bottom of the screen.

cisco-ise-auto-smart-port-flexconnect-ap-trunk-avp-av-pair

Now, add the new Authorization Profile to your Policy Set where access points are authenticated, regardless of if you are using 802.1x, MAB, or Profiling to authenticate your access points.