
Cisco - Check Interfaces that are running 802.1x

Not applicable
Posts: 1

I am running Network Automation 6.8.7 and want to create a Policy Compliancy Check to verify that all user switch ports have 802.1x authentication enabled.

I would like to evaluate each Ethernet port to see if it is a user switchport (switchport mode access) and see if the port also has the corresponding 802.1x and MAB commands.

Sample port config to evaluate:

interface GigabitEthernet0/1
! defines user switch port
 switchport mode access
! 802.1x and MAB port commands
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 5
 dot1x max-req 3
 dot1x max-reauth-req 3
!

Can someone point me in the right direction of building a policy to evaluate this?

Re: Cisco - Check Interfaces that are running 802.1x

Posts: 75

I have a similar question. I want to be able to evaluate all the interfaces within the configuration and not just one. For example you could use something like this:


^interface (\S*Ethernet|Vlan).*

(and then put the commands you want below it) but I think it will only evaluate the first instance of this and not every interface.

Re: Cisco - Check Interfaces that are running 802.1x

Techie
Posts: 8

You'll want to use CPD or XML to iterate a policy check over multiple interfaces in a config

Re: Cisco - Check Interfaces that are running 802.1x

Authority
Posts: 27

I highly recommend upgrading to 6.9 minimum to get the XML ConfigBlockCheck. At that point, it will let you define block start and block end, then loop your logic for each block.


-Jerry
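The per-block evaluation the original poster asked for, and that the second reply could not get from a single regex, is what the ConfigBlockCheck approach above does: mark a block start (`interface ...`), a block end (`!` or the next top-level line), and run the same logic over every block. The script below is an added illustration of that logic in plain Python; it is not code from the thread or from the Network Automation product, and the `SAMPLE_CONFIG` text is a constructed excerpt built from the port configuration in the first post. It splits a running-config into interface blocks, skips anything that is not a `switchport mode access` port, and reports which of the required 802.1x/MAB commands each access port is missing.

```python
import re

# Constructed sample running-config (not from a real device): one compliant
# access port, one access port missing most of the 802.1x/MAB commands,
# one trunk and one SVI, which a user-port check should not evaluate.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 5
 dot1x max-req 3
 dot1x max-reauth-req 3
!
interface GigabitEthernet0/2
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet0/24
 switchport mode trunk
!
interface Vlan1
 no ip address
!
"""

# Commands every user access port must carry, taken from the sample port in the
# first post. The dot1x timer/retry values are left out here because they are
# site-specific tuning rather than a yes/no "is 802.1x enabled" requirement.
REQUIRED = (
    "authentication host-mode multi-auth",
    "authentication order dot1x mab",
    "authentication priority dot1x mab",
    "authentication port-control auto",
    "authentication periodic",
    "authentication timer reauthenticate server",
    "mab",
    "dot1x pae authenticator",
)

# Block start: same idea as the regex in the second reply, capturing the full name.
BLOCK_START = re.compile(r"^interface ((?:\S*Ethernet|Vlan)\S*)")


def interface_blocks(config):
    """Yield (interface_name, [stripped sub-commands]) for each interface block.
    A block ends at '!' or at the next non-indented top-level line."""
    name, lines = None, []
    for raw in config.splitlines():
        match = BLOCK_START.match(raw)
        if match:
            if name is not None:
                yield name, lines
            name, lines = match.group(1), []
        elif name is not None and raw.startswith(" "):
            lines.append(raw.strip())
        elif name is not None:
            # '!' or another top-level statement closes the current block
            yield name, lines
            name, lines = None, []
    if name is not None:
        yield name, lines


def check_dot1x(config, required=REQUIRED):
    """Return {interface: [missing commands]} for every access port in config.
    Trunks, routed ports and SVIs are skipped; an empty list means compliant."""
    findings = {}
    for name, lines in interface_blocks(config):
        if "switchport mode access" not in lines:
            continue
        present = set(lines)
        findings[name] = [cmd for cmd in required if cmd not in present]
    return findings


def is_compliant(config, required=REQUIRED):
    """True only if every access port carries all required commands."""
    return all(not missing for missing in check_dot1x(config, required).values())


if __name__ == "__main__":
    for intf, missing in check_dot1x(SAMPLE_CONFIG).items():
        status = "OK" if not missing else "missing: " + ", ".join(missing)
        print(f"{intf}: {status}")
```

The comparison is on exact lines as they appear in `show running-config`, which works because IOS always stores commands in canonical form; if a port carries the same intent through a different construct (for example an interface template applied with `source template`), that port would be reported as missing the commands and the check needs to be extended to follow the template. A trunk or routed port with no `switchport mode access` line is deliberately not evaluated, so the check only flags ports that the first post defines as user switch ports.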
