Friday, March 9, 2018

Simple EEM script regarding dot1x and DMVPN

Hopefully this simple command set helps someone. Since it's the first EEM script I've actually needed to write, I'm posting it here in case someone gets something out of it.

Problem.

My DMVPN spokes (890s) all run dot1x port authentication on their switchports. However, when a user power cycles the router, the switchports all come up and attempt to authenticate long before the tunnels are established. I initially worked with dot1x timers and retries, but nothing seemed to work, so I came up with this tiny script to force re-authentication once the DMVPN session is really up.

Here I'm creating an object track that goes Up or Down depending on whether a default route is present in the global routing table. In my design the default route arrives via BGP, so its presence signals that the tunnels are up and the BGP adjacencies have formed.

 track 1 ip route 0.0.0.0 0.0.0.0 reachability 

Running show track 1 with no connectivity shows the following:

 IP route 0.0.0.0 0.0.0.0 reachability
 Reachability is Down (no ip route)
   1 change, last change 00:01:26
 First-hop interface is unknown
 Tracked by:
   EEM applet clearDot1x

Once the default route is in the routing table, it appears as below. You can see that the object track knows my default route was learned via BGP.

 IP route 0.0.0.0 0.0.0.0 reachability
 Reachability is Up (BGP)
   2 changes, last change 00:03:04
 First-hop interface is Tunnel1
 Tracked by:
   EEM applet clearDot1x

Now the EEM script. Here I'm simply resetting the dot1x sessions on the switchports one by one. I wish the command accepted an interface range, but this is my best solution.

 event manager applet clearDot1x
  event track 1 state up
  action 1.0 cli command "enable"
  action 1.5 syslog msg "Clearing Dot1x on all Interfaces"
  action 2.0 cli command "clear authentication sessions interface gigabitEthernet 0"
  action 2.1 cli command "clear authentication sessions interface gigabitEthernet 1"
  action 2.2 cli command "clear authentication sessions interface gigabitEthernet 2"
  action 2.3 cli command "clear authentication sessions interface gigabitEthernet 3"
  action 2.4 cli command "clear authentication sessions interface gigabitEthernet 4"
  action 2.5 cli command "clear authentication sessions interface gigabitEthernet 5"
  action 2.6 cli command "clear authentication sessions interface gigabitEthernet 6"
  action 2.7 cli command "clear authentication sessions interface gigabitEthernet 7"

At this point, whenever the default route is added to the routing table (for me, a few minutes after boot), the switchports restart their authentication process and can be properly authenticated against my RADIUS servers.
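As an added example (not the author's applet), the same job can be written with an EEM foreach loop instead of one cli action per port, which gets close to the range behaviour wished for above. It assumes the router's IOS supports the EEM 3.0+ "action foreach" statement and that the switchports are still gigabitEthernet 0 through 7.

```cisco
! Added example, not from the original post.
! Assumes EEM 3.0+ (action foreach) and switchports gigabitEthernet 0-7.
event manager applet clearDot1x
 ! fire once the tracked default route comes up (see track 1 above)
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.5 syslog msg "Clearing Dot1x on all Interfaces"
 ! iterate over a space-delimited list of port numbers; $port holds the current one
 action 2.0 foreach port "0 1 2 3 4 5 6 7" " "
 action 2.1 cli command "clear authentication sessions interface gigabitEthernet $port"
 action 2.2 syslog msg "Cleared dot1x sessions on gigabitEthernet $port"
 action 2.3 end
```

Adding or removing a switchport then only means editing the list in action 2.0, and the per-port syslog line gives a quick audit trail of which ports were actually reset.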
