Information About Auto Identity
Auto Identity Overview
The Cisco Identity-Based Networking Services (IBNS) solution provides a policy- and identity-based framework in which edge devices deliver flexible and scalable services to subscribers. IBNS allows IEEE 802.1X (dot1x), MAC authentication bypass (MAB), and web authentication to run concurrently, so that multiple authentication methods can be invoked in parallel on a single subscriber session. The commands for these methods, together with the authentication, authorization, and accounting (AAA) and RADIUS commands they depend on, are available in global configuration and interface configuration modes.
The Auto Identity feature uses a Cisco Common Classification Policy Language (C3PL)-based configuration that significantly reduces the number of commands needed to configure both the authentication methods and the interface-level settings. It provides a set of built-in policies that are made up of policy maps, class maps, parameter maps, and interface templates.
In global configuration mode, the source template AI_GLOBAL_CONFIG_TEMPLATE command enables the Auto Identity feature. In interface configuration mode, apply the AI_MONITOR_MODE, AI_LOW_IMPACT_MODE, or AI_CLOSED_MODE interface template to enable the feature on an interface.
You can apply multiple templates to the same interface, but to combine them you must bind them with the merge keyword of the source template command. If you do not bind them, the last template applied replaces the earlier ones. When templates are merged and the same command appears in two templates with different arguments, the argument from the last template applied takes effect, so check the resulting interface configuration (for example with show derived-config) rather than assuming the built-in template's value survived.
Note: You can also apply user-defined templates that are created with the template name command in global configuration mode.
Note: Before you delete a template, ensure that it is not attached to any interface or device.
Auto Identity Global Template
Note: You must configure the RADIUS server commands yourself; the global template does not add them.
The following example enables the global template and then defines the RADIUS server. The shared secret cisco and the legacy ports 1645 and 1646 are placeholders from the original example: in production use a long, random shared secret and the ports your RADIUS server actually listens on (the IANA-assigned ports are 1812 for authentication and 1813 for accounting).
Switch(config)# source template AI_GLOBAL_CONFIG_TEMPLATE
Switch(config)# radius server ISE
Switch(config-radius-server)# address ipv4 172.20.254.4 auth-port 1645 acct-port 1646
Switch(config-radius-server)# key cisco
Switch(config-radius-server)# end
Applying AI_GLOBAL_CONFIG_TEMPLATE configures the following global commands:
dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting identity default start-stop group radius
aaa accounting system default start-stop group radius
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 6 voice 1
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
Auto Identity Interface Templates
The following interface templates are available in the Auto Identity feature:
- AI_MONITOR_MODE—Passively monitors sessions with the port in open mode. All traffic is forwarded whether or not authentication succeeds, so this mode gives visibility into which endpoints would fail authentication but enforces nothing. Use it for staging a deployment, not as a steady state.
- AI_LOW_IMPACT_MODE—Similar to monitor mode, but a static policy such as a port access control list (PACL) restricts what an unauthenticated endpoint can reach. The built-in template applies the PACL AI_PORT_ACL inbound.
- AI_CLOSED_MODE—Secure mode in which no data traffic is allowed into the network until authentication is complete. This mode is the default.
Note: Multi-auth host mode is not supported with the LAN Lite license. All three built-in interface templates below configure access-session host-mode multi-auth.
The AI_MONITOR_MODE template applies the following interface commands:
switchport mode access
access-session port-control auto
access-session host-mode multi-auth
dot1x pae authenticator
mab
service-policy type control subscriber AI_DOT1X_MAB_POLICIES
The AI_LOW_IMPACT_MODE template applies the following interface commands:
switchport mode access
access-session port-control auto
access-session host-mode multi-auth
dot1x pae authenticator
mab
ip access-group AI_PORT_ACL in
service-policy type control subscriber AI_DOT1X_MAB_POLICIES
The AI_CLOSED_MODE template applies the following interface commands:
switchport mode access
access-session closed
access-session port-control auto
access-session host-mode multi-auth
dot1x pae authenticator
mab
service-policy type control subscriber AI_DOT1X_MAB_POLICIES
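The following worked configuration is an added example and is not taken from the Cisco documentation above. It runs the whole procedure end to end: enable the global template, define the RADIUS server, define the PACL that AI_LOW_IMPACT_MODE references, create a user-defined template, bind both templates to an access port with merge, and verify the merged result. The interface name, RADIUS server address and name, the shared secret, the contents of AI_PORT_ACL (the page does not say what it contains, so it is defined explicitly here as a pre-authentication allow-list for DHCP and DNS), and the user-defined template name MY_PORT_HARDENING are all assumptions. Unlike the page's own example, it uses the IANA-assigned RADIUS ports 1812 and 1813.

```cisco
! Step 1: enable Auto Identity globally (adds dot1x system-auth-control,
! the aaa commands and the radius-server attribute commands listed above).
Switch(config)# source template AI_GLOBAL_CONFIG_TEMPLATE
!
! Step 2: the RADIUS server is NOT added by the template. Name, address and
! key are assumptions; the key should be long and random, never a dictionary word.
Switch(config)# radius server ISE
Switch(config-radius-server)# address ipv4 172.20.254.4 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key Use-A-Long-Random-Shared-Secret-Here
Switch(config-radius-server)# exit
!
! Step 3: PACL applied by AI_LOW_IMPACT_MODE (ip access-group AI_PORT_ACL in).
! Contents are an assumption: unauthenticated hosts may only do DHCP and DNS.
Switch(config)# ip access-list extended AI_PORT_ACL
Switch(config-ext-nacl)# permit udp any eq bootpc any eq bootps
Switch(config-ext-nacl)# permit udp any any eq domain
Switch(config-ext-nacl)# deny ip any any
Switch(config-ext-nacl)# exit
!
! Step 4: a user-defined interface template (hypothetical name) carrying
! port hardening that the built-in templates do not include.
Switch(config)# template MY_PORT_HARDENING
Switch(config-template)# spanning-tree portfast
Switch(config-template)# spanning-tree bpduguard enable
Switch(config-template)# exit
!
! Step 5: bind both templates to the port. Without the merge keyword the
! second source template would replace the first instead of combining with it.
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# source template AI_LOW_IMPACT_MODE merge
Switch(config-if)# source template MY_PORT_HARDENING merge
Switch(config-if)# end
!
! Step 6: verify. The derived config must show both the Auto Identity
! commands (access-session, dot1x, mab, ip access-group AI_PORT_ACL in,
! service-policy) and the spanning-tree commands from the user template.
Switch# show template interface source built-in all
Switch# show derived-config interface GigabitEthernet1/0/1
Switch# show access-session interface GigabitEthernet1/0/1 details
```

Roll out AI_MONITOR_MODE first on a pilot set of ports and watch the access-session output for endpoints that fail dot1x and MAB; only then switch those ports to AI_LOW_IMPACT_MODE or AI_CLOSED_MODE, since monitor mode forwards all traffic regardless of the authentication result.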
Auto Identity Built-in Policies
The following five built-in policies are available in the Auto Identity feature:
- AI_DOT1X_MAB_AUTH—Enables flexible authentication with dot1x first, then MAC Authentication Bypass (MAB).
- AI_DOT1X_MAB_POLICIES—Enables flexible authentication with dot1x first, then MAB. Applies the critical VLAN if the Authentication, Authorization, and Accounting (AAA) server is not reachable.
- AI_DOT1X_MAB_WEBAUTH—Enables flexible authentication with dot1x, then MAB, then web authentication.
- AI_NEXTGEN_AUTHBYBASS—Skips authentication if an IP phone is detected. Relies on the device classifier command in global configuration mode and the voice vlan command in interface configuration mode to detect the device. This is a reference policy map; you can copy its contents into other policy maps.
- AI_STANDALONE_WEBAUTH—Defines standalone web authentication.
Auto Identity Class Maps Templates
- AI_NRH—Specifies that the nonresponsive host (NRH) authentication method is enabled.
- AI_WEBAUTH_METHOD—Specifies that the web authentication method is enabled.
- AI_WEBAUTH_FAILED—Specifies that the web authentication method failed to authenticate.
- AI_WEBAUTH_NO_RESP—Specifies that the web authentication client failed to respond.
- AI_DOT1X_METHOD—Specifies that the dot1x method is enabled.
- AI_DOT1X_FAILED—Specifies that the dot1x method failed to authenticate.
- AI_DOT1X_NO_RESP—Specifies that the dot1x client failed to respond.
- AI_DOT1X_TIMEOUT—Specifies that the dot1x client stopped responding after the initial acknowledge (ACK) request.
- AI_MAB_METHOD—Specifies that the MAC Authentication Bypass (MAB) method is enabled.
- AI_MAB_FAILED—Specifies that the MAB method failed to authenticate.
- AI_AAA_SVR_DOWN_AUTHD_HOST—Specifies that the Authentication, Authorization, and Accounting (AAA) server is down and the client is in the authorized state.
- AI_AAA_SVR_DOWN_UNAUTHD_HOST—Specifies that the AAA server is down and the client is in the unauthorized state.
- AI_IN_CRITICAL_AUTH—Specifies that the critical authentication service template is applied.
- AI_NOT_IN_CRITICAL_AUTH—Specifies that the critical authentication service template is not applied.
- AI_METHOD_DOT1X_DEVICE_PHONE—Specifies that the method is dot1x and the device type is IP phone.
- AI_DEVICE_PHONE—Specifies that the device type is IP phone.
Auto Identity Parameter Maps
The following built-in parameter map templates are supported by the Auto Identity feature:
- AI_NRH_PMAP—Starts nonresponsive host (NRH) authentication.
- AI_WEBAUTH_PMAP—Starts web authentication.
Auto Identity Service Templates
Service templates are used inside the built-in policy maps. The following built-in service templates are supported by the Auto Identity feature:
- AI_INACTIVE_TIMER—Template to start the inactivity timer.
- AI_CRITICAL_ACL—Dummy template; users can configure this template as per their requirements.