Auto Identity Overview
The Cisco Identity-Based Networking Services (IBNS) solution provides a policy and identity-based framework in which edge devices can deliver flexible and scalable services to subscribers. IBNS allows the concurrent operation of IEEE 802.1x (dot1x), MAC authentication bypass (MAB), and web authentication methods, making it possible to invoke multiple authentication methods in parallel, on a single subscriber session. These authentication methods, dot1x, authentication, authorization, and accounting (AAA), and RADIUS are available in global configuration and interface configuration modes.
The Auto Identity feature uses the Cisco Common Classification Policy Language-based configuration that significantly reduces the number of commands used to configure both authentication methods and interface-level commands. The Auto Identity feature provides a set of built-in policies that are based on policy maps, class maps, parameter maps, and interface templates.
In global configuration mode, the source template AI_GLOBAL_CONFIG_TEMPLATE command enables the Auto Identity feature. In interface configuration mode, configure the AI_MONITOR_MODE, AI_LOW_IMPACT_MODE, or AI_CLOSED_MODE interface templates to enable the feature on interfaces.
You can configure multiple templates; however, you must bind multiple templates together using the merge command. If you do not bind the templates, the last configured template is used. While binding templates, if the same command is repeated in two templates with different arguments, the last configured command is used.
Note You can also enable user-defined templates that are configured using the template name command in global configuration mode.
Use the show template interface or show template global commands to display information about built-in templates.
Built-in templates can be edited. Built-in template information is displayed in the output of the show running-config command, if the template is edited. If you delete an edited built-in template, the built-in template reverts to the default and is not deleted from the configuration. However; if you delete a user-defined template, it is deleted from the configuration.
Note Before you delete a template, ensure that it is not attached to a device.
Auto Identity Global Template
To enable the global template, configure the source template template-name command in global configuration mode.
Note You must configure the RADIUS server commands, because these are not automatically configured when the global template is enabled.
The following example shows how to enable the global template:
Switch(config)# source template AI_GLOBAL_CONFIG_TEMPLATE
Switch(config)# radius server ISE
Switch(config-radius-server)# address ipv4 172.20.254.4 auth-port 1645 acct-port 1646
Switch(config-radius-server)# key cisco
Switch(config-radius-server)# end
The AI_GLOBAL_CONFIG_TEMPLATE automatically configures the following commands:
dot1x system-auth-control
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting identity default start-stop group radius
aaa accounting system default start-stop group radius
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 6 voice 1
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include