In this article, I want to walk through a typical Identity-Based Network Services (IBNS 2.0) setup and break down each component so we can better understand the configuration. Although there are many configuration items involved in secure network access, this article focuses on the Cisco Common Classification Policy Language (C3PL) configuration.
I have to admit, when I first took a look at some of the IBNS 2.0 configurations, I was a bit surprised by the number of configuration lines. However, after reading up on this and brushing up on some of my CCNP R&S knowledge, I was able to understand how the pieces of the IBNS 2.0 configuration relate to each other.
This article does NOT focus on the use cases for IBNS 2.0. However, I would like to point out some good online documentation that will provide you with useful information:
- IBNS 2.0 at a glance
- Identity Network Command Reference Guide
- Cisco Live IBNS 2.0 Lab Guide
- Configure identity services templates
- Configuring IEEE 802.1x Port-Based Authentication
- Wired Deployment Guide
Just before I get into the configuration elements, I should mention that IBNS 2.0 works with the Cisco Common Classification Policy Language (C3PL). In a nutshell, C3PL is a combination of class maps, policy maps, and service policies. Once you understand how C3PL works, you shouldn't have any trouble familiarizing yourself with the configuration you'll see. It's also worth noting that the terminology used for C3PL in the IBNS world is slightly different from the above:
- class-map = control class
- policy-map = control policy
- service-policy = control service policy
Considerations
- Once you have decided to deploy IBNS 2.0, it is often easier to implement the required global configuration as well as the interface-level configuration in the classic (IBNS 1.0) way first. This is because the settings are automatically converted when you enter the command required to use IBNS 2.0 (authentication display new-style).
- When migrating to IBNS 2.0, you should consider the following. You can go back to IBNS 1.0 ONLY if you have not made any changes to the control policy, have not started any IBNS 2.0 configuration, and have not done a copy run. If you have performed any of the steps just mentioned, you will not be able to go back to IBNS 1.0.
Demystifying IBNS 2.0
Whether you have automatically converted your IBNS 1.0 configuration or have decided to start your IBNS 2.0 configuration from scratch, you may be surprised how many configuration lines you end up with, depending on your needs. Below is a snippet of the IBNS 2.0 setup I currently have in my lab environment.
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
!
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
!
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
service-template CRITICAL_AUTH_VLAN_DATA
 vlan <VLAN>
!
service-template CRITICAL_AUTH_ACCESS
 description ** Access control for Inaccessible Auth Bypass **
 access-group IPV4_CRITICAL_ACL
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-any IN_CRITICAL_VLAN_DATA
 match activated-service-template CRITICAL_AUTH_VLAN_DATA
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-all MAB
 match method mab
!
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN_DATA
 match activated-service-template CRITICAL_AUTH_VLAN_DATA
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
!
class-map type control subscriber match-all NRH
!
class-map type control subscriber match-all WEBAUTH_FAILED
!
policy-map type control subscriber POLICY_DATA
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authentication-restart 60
  60 class NRH do-until-failure
   10 terminate webauth
   20 authentication-restart 60
  80 class WEBAUTH_FAILED do-until-failure
   10 terminate webauth
   20 authentication-restart 60
  90 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 terminate webauth
   40 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 terminate webauth
   30 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
:-O Seems like a lot, doesn't it?
Don't worry, let's break it down into more manageable sections so we can better understand what's going on in all this configuration.
The best way to do this is to separate the control classes, control policies, and service policies.
Control class
Simply put, a control class is a set of conditions that must be met for a control policy to perform any action. Control classes can use match-all, match-any, or match-none to evaluate to true. The following screenshot shows the options available when creating control classes.

Now let's look at and discuss the control classes used in this lab. Most of the following control classes were generated when migrating from IBNS 1.0 to 2.0.
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
class-map type control subscriber match-all DOT1X
class-map type control subscriber match-all DOT1X_FAILED
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
class-map type control subscriber match-all DOT1X_NO_RESP
class-map type control subscriber match-all DOT1X_TIMEOUT
class-map type control subscriber match-any IN_CRITICAL_AUTH
class-map type control subscriber match-any IN_CRITICAL_VLAN_DATA
class-map type control subscriber match-all MAB
class-map type control subscriber match-all MAB_FAILED
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN_DATA
class-map type control subscriber match-all NRH
class-map type control subscriber match-all WEBAUTH_FAILED
Starting with the first control class, class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST, let's see what the settings mean.
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
- class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST<<< We create a control class called AAA_SVR_DOWN_AUTHD_HOST, and for the class to evaluate to true, every match line in the control class must match.
- match result-type aaa-timeout<<< True if the AAA server timed out.
- match authorization-status authorized<<< True if the session is already authorized.
Next: class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
- class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST<<< We create a control class called AAA_SVR_DOWN_UNAUTHD_HOST, and for the class to evaluate to true, every match line in the control class must match.
- match result-type aaa-timeout<<< True if the AAA server timed out.
- match authorization-status unauthorized<<< True if the session is not authorized.
Next: class-map type control subscriber match-all DOT1X
class-map type control subscriber match-all DOT1X
 match method dot1x
- class-map type control subscriber match-all DOT1X<<< Control class named DOT1X; for the class to evaluate to true, every match line in the control class must match.
- match method dot1x<<< True if the authentication method is 802.1X.
The next control class is: class-map type control subscriber match-all DOT1X_FAILED
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
- class-map type control subscriber match-all DOT1X_FAILED<<< Control class named DOT1X_FAILED; for the class to evaluate to true, every match line in the control class must match.
- match method dot1x<<< True if the authentication method is 802.1X.
- match result-type method dot1x authoritative<<< True if the 802.1X method failed authoritatively (the authentication was rejected).
Then comes: class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
- class-map type control subscriber match-all DOT1X_MEDIUM_PRIO<<< Control class named DOT1X_MEDIUM_PRIO; for the class to evaluate to true, every match line in the control class must match.
- match authorizing-method-priority gt 20<<< True if the priority of the authorizing method is greater than 20.
Then comes: class-map type control subscriber match-all DOT1X_NO_RESP
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
- class-map type control subscriber match-all DOT1X_NO_RESP<<< Control class named DOT1X_NO_RESP; for the class to evaluate to true, every match line in the control class must match.
- match method dot1x<<< True if the authentication method is 802.1X.
- match result-type method dot1x agent-not-found<<< True if the endpoint does not have an 802.1X supplicant.
Then comes: class-map type control subscriber match-all DOT1X_TIMEOUT
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
- class-map type control subscriber match-all DOT1X_TIMEOUT<<< Control class named DOT1X_TIMEOUT; for the class to evaluate to true, every match line in the control class must match.
- match method dot1x<<< True if the authentication method is 802.1X.
- match result-type method dot1x method-timeout<<< True if the 802.1X method timed out.
Then comes: class-map type control subscriber match-any IN_CRITICAL_AUTH
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
- class-map type control subscriber match-any IN_CRITICAL_AUTH<<< Control class named IN_CRITICAL_AUTH; for the class to evaluate to true, at least one of the service templates listed in the control class must be activated on the session.
- match activated-service-template CRITICAL_AUTH_ACCESS<<< True if the service template CRITICAL_AUTH_ACCESS is activated on the session. An access list is bound to this service template, and when the template is activated, the access list is applied on any interface to which the control policy is assigned.
- match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE<<< True if the service template DEFAULT_CRITICAL_VOICE_TEMPLATE is activated on the session. When a policy activates this service template, it assigns the relevant device to the voice VLAN.
Then comes: class-map type control subscriber match-any IN_CRITICAL_VLAN_DATA
class-map type control subscriber match-any IN_CRITICAL_VLAN_DATA
 match activated-service-template CRITICAL_AUTH_VLAN_DATA
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
- class-map type control subscriber match-any IN_CRITICAL_VLAN_DATA<<< Control class named IN_CRITICAL_VLAN_DATA; for the class to evaluate to true, at least one of the service templates listed in the control class must be activated on the session.
- match activated-service-template CRITICAL_AUTH_VLAN_DATA<<< True if the service template CRITICAL_AUTH_VLAN_DATA is activated on the session. When a policy activates this service template, it assigns the relevant critical VLAN.
- match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE<<< True if the service template DEFAULT_CRITICAL_VOICE_TEMPLATE is activated on the session. When a policy activates this service template, it assigns the relevant device to the voice VLAN.
Then comes: class-map type control subscriber match-all MAB
class-map type control subscriber match-all MAB
 match method mab
- class-map type control subscriber match-all MAB<<< Control class called MAB; for the class to evaluate to true, every match line in the control class must match.
- match method mab<<< True if the authentication method is MAC Authentication Bypass (MAB).
Then comes: class-map type control subscriber match-all MAB_FAILED
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
- class-map type control subscriber match-all MAB_FAILED<<< Control class called MAB_FAILED; for the class to evaluate to true, every match line in the control class must match.
- match method mab<<< True if the authentication method is MAC Authentication Bypass (MAB).
- match result-type method mab authoritative<<< True if the MAB method failed authoritatively.
Then comes: class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
- class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH<<< Control class named NOT_IN_CRITICAL_AUTH; for the class to evaluate to true, none of the match lines may match.
- match activated-service-template CRITICAL_AUTH_ACCESS<<< Contributes to true only if the service template CRITICAL_AUTH_ACCESS is not activated on the session.
- match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE<<< Contributes to true only if the service template DEFAULT_CRITICAL_VOICE_TEMPLATE is not activated on the session.
Then comes: class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN_DATA
class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN_DATA
 match activated-service-template CRITICAL_AUTH_VLAN_DATA
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
- class-map type control subscriber match-none NOT_IN_CRITICAL_VLAN_DATA<<< Control class named NOT_IN_CRITICAL_VLAN_DATA; for the class to evaluate to true, none of the match lines may match.
- match activated-service-template CRITICAL_AUTH_VLAN_DATA<<< Contributes to true only if the service template CRITICAL_AUTH_VLAN_DATA is not activated on the session.
- match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE<<< Contributes to true only if the service template DEFAULT_CRITICAL_VOICE_TEMPLATE is not activated on the session.
The last two control classes below are not used in this example and are therefore not discussed.
class-map type control subscriber match-all NRH
class-map type control subscriber match-all WEBAUTH_FAILED
Now that we've seen the control classes and hopefully understand them, let's take a look at service templates.
Service templates
Service templates contain attributes that can be applied to subscriber sessions through control policies. Features such as ACLs and VLANs, as used in the templates below, can be configured within a service template.
This example uses the following service templates:
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
!
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
!
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
service-template CRITICAL_AUTH_VLAN_DATA
 vlan <VLAN>
!
service-template CRITICAL_AUTH_ACCESS
 description ** Access control for Inaccessible Auth Bypass **
 access-group IPV4_CRITICAL_ACL
!
I will now break down each template and describe its purpose, starting with service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE.
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
- service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE<<< Creates a service template named DEFAULT_LINKSEC_POLICY_MUST_SECURE.
- linksec policy must-secure<<< Used to secure and authorize a port only when a MACsec session is established.
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
- service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE<<< Creates a service template named DEFAULT_LINKSEC_POLICY_SHOULD_SECURE.
- linksec policy should-secure<<< Used to secure the port with MACsec when possible; securing is optional.
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
- service-template DEFAULT_CRITICAL_VOICE_TEMPLATE<<< Creates a service template named DEFAULT_CRITICAL_VOICE_TEMPLATE.
- voice vlan<<< Applies the voice VLAN to sessions that have the service template activated.
service-template CRITICAL_AUTH_VLAN_DATA
 vlan <VLAN>
- service-template CRITICAL_AUTH_VLAN_DATA<<< Creates a service template named CRITICAL_AUTH_VLAN_DATA.
- vlan <VLAN><<< Applies a data VLAN to sessions that have the service template activated.
service-template CRITICAL_AUTH_ACCESS
 description ** Access control for Inaccessible Auth Bypass **
 access-group IPV4_CRITICAL_ACL
- service-template CRITICAL_AUTH_ACCESS<<< Creates a service template named CRITICAL_AUTH_ACCESS.
- access-group IPV4_CRITICAL_ACL<<< Applies an access list named IPV4_CRITICAL_ACL to sessions that have the service template activated.
Now comes the most important part: putting everything together. We'll look at the example control policy and see how all of the configuration comes together.
Control policy
Control policies consist of one or more rules that determine how a session is handled when an event occurs. A control policy rule consists of the following:
- A control class
- An event
- One or more actions

The following configuration is the control policy created for this article. I have created an infographic that breaks down the control policy for better understanding.
policy-map type control subscriber POLICY_DATA
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authentication-restart 60
  60 class NRH do-until-failure
   10 terminate webauth
   20 authentication-restart 60
  80 class WEBAUTH_FAILED do-until-failure
   10 terminate webauth
   20 authentication-restart 60
  90 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 terminate webauth
   40 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 terminate webauth
   30 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
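To make the evaluation rules concrete, here is an added Python model (not part of the original article, and not Cisco code) of how the control classes, service templates and POLICY_DATA interact: match-all/match-any/match-none inside a class, match-first versus match-all on an event, and do-until-failure running a class's actions in order. It covers a subset of the classes and two events of the policy above; the session dictionaries are constructed input standing in for the state a switch derives from the AAA exchange.

```python
MATCH_ALL, MATCH_ANY, MATCH_NONE = "match-all", "match-any", "match-none"
TEMPLATE = "activated-service-template"

# Control classes from the article: name -> (operator, [(attribute, value), ...])
CONTROL_CLASSES = {
    "DOT1X_FAILED": (MATCH_ALL, [("method", "dot1x"),
                                 ("result-type", "method dot1x authoritative")]),
    "AAA_SVR_DOWN_UNAUTHD_HOST": (MATCH_ALL, [("result-type", "aaa-timeout"),
                                              ("authorization-status", "unauthorized")]),
    "IN_CRITICAL_AUTH": (MATCH_ANY, [(TEMPLATE, "CRITICAL_AUTH_ACCESS"),
                                     (TEMPLATE, "DEFAULT_CRITICAL_VOICE_TEMPLATE")]),
    "NOT_IN_CRITICAL_AUTH": (MATCH_NONE, [(TEMPLATE, "CRITICAL_AUTH_ACCESS"),
                                          (TEMPLATE, "DEFAULT_CRITICAL_VOICE_TEMPLATE")]),
}

# Two events of POLICY_DATA: event -> (evaluation mode, [(seq, class, actions)])
POLICY_DATA = {
    "authentication-failure": ("match-first", [
        (5, "DOT1X_FAILED", ["terminate dot1x"]),
        (10, "AAA_SVR_DOWN_UNAUTHD_HOST", [
            "clear-authenticated-data-hosts-on-port",
            "activate service-template CRITICAL_AUTH_ACCESS",
            "activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE",
            "authorize", "pause reauthentication"]),
        (90, "always", ["terminate mab", "terminate dot1x", "terminate webauth",
                        "authentication-restart 60"]),
    ]),
    "aaa-available": ("match-all", [
        (10, "IN_CRITICAL_AUTH", ["clear-session"]),
        (20, "NOT_IN_CRITICAL_AUTH", ["resume reauthentication"]),
    ]),
}

def match_line(session, attribute, value):
    """Evaluate one 'match ...' line of a control class against the session."""
    if attribute == TEMPLATE:
        return value in session[TEMPLATE + "s"]
    return session.get(attribute) == value

def class_matches(name, session):
    """match-all: every line true; match-any: at least one; match-none: none."""
    if name == "always":
        return True
    operator, lines = CONTROL_CLASSES[name]
    results = [match_line(session, a, v) for a, v in lines]
    if operator == MATCH_ALL:
        return all(results)
    return any(results) if operator == MATCH_ANY else not any(results)

def run_event(event, session):
    """Actions run for an event: match-first stops after the first matching class."""
    mode, rules = POLICY_DATA[event]
    actions = []
    for _seq, cls, cls_actions in sorted(rules, key=lambda r: r[0]):
        if not class_matches(cls, session):
            continue
        actions.extend(cls_actions)  # do-until-failure: actions in sequence order
        if mode == "match-first":
            break
    for act in actions:  # activating a template changes what later events see
        if act.startswith("activate service-template "):
            session[TEMPLATE + "s"].add(act.split()[-1])
    return actions

def new_session(method, result_type, status):
    """Constructed session state; a real switch derives it from the AAA exchange."""
    return {"method": method, "result-type": result_type,
            "authorization-status": status, TEMPLATE + "s": set()}
```

Running a MAB session through an aaa-timeout failure shows the critical-auth path (templates activated, port authorized, reauthentication paused), and the following aaa-available event then matches IN_CRITICAL_AUTH and clears the session so it is re-authenticated against the recovered server.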


Summary
Hopefully you now understand what an IBNS 2.0 configuration looks like and how everything is organized. The configurations shown in this article are for demonstration purposes only. It is recommended that you build your configuration according to the needs of your company.
Once you have created the required control policies, they must be assigned to your access interfaces to take effect. The following configuration snippet shows how we apply a policy to an interface on a Cisco switch.
(config)# interface GigabitEthernet1/0/23
(config-if)# service-policy type control subscriber <POLICY NAME>