Switch-Side C3PL Configuration

1. Overview

C3PL (Cisco Common Classification Policy Language) is Cisco’s policy language for IBNS 2.0 (Identity-Based Networking Services). It replaces legacy 802.1X configuration with a more flexible event-driven model using:

  • Interface Templates - Reusable port configuration

  • Policy Maps - Event-driven authentication logic

  • Class Maps - Condition matching for authentication states

  • Service Templates - Dynamic policy application

This configuration applies to Cisco Catalyst switches running IOS-XE 16.x+. The examples show configuration for the Domus network switch (switch-01.inside.domusdigitalis.dev).

2. Interface Template

The interface template defines authentication behavior applied to all 802.1X-enabled access ports.

template DefaultWiredDot1xClosedAuth
 dot1x pae authenticator                           (1)
 dot1x timeout tx-period 7                         (2)
 dot1x max-reauth-req 3                            (3)
 mab                                               (4)
 access-session control-direction in              (5)
 access-session closed                             (6)
 access-session port-control auto                  (7)
 authentication periodic                           (8)
 authentication timer reauthenticate server        (9)
 service-policy type control subscriber PMAP_Dot1xClosed_1X_MAB  (10)
1 Port acts as 802.1X authenticator (switch authenticates clients)
2 EAP-Request/Identity retransmit interval: 7 seconds (default 30 is too slow)
3 Maximum EAP-Request retries before MAB fallback
4 Enable MAC Authentication Bypass as fallback for non-supplicant devices
5 Control traffic ingress only (client-to-switch), allow switch-to-client
6 CLOSED MODE — block all traffic until authenticated (zero-trust)
7 Enable 802.1X port-based access control
8 Periodic reauthentication enabled
9 Reauthentication interval from RADIUS Session-Timeout attribute
10 Apply the C3PL policy map (event-driven authentication logic)

Closed Mode vs Open Mode

  • access-session closed = Zero-trust: Block ALL traffic until authenticated

  • access-session open = Monitor mode: Allow traffic, log authentication results

Always use closed mode for production security.

3. Interface Application

Apply the template to access ports where workstations connect:

interface GigabitEthernet1/0/5
 description Linux Workstation - modestus-p50
 switchport access vlan 10             (1)
 switchport mode access
 switchport nonegotiate                            (2)
 device-tracking attach-policy DT_POLICY           (3)
 source template DefaultWiredDot1xClosedAuth       (4)
 spanning-tree portfast                            (5)
 spanning-tree bpduguard enable                    (6)
1 Access VLAN (data) — ISE can override via RADIUS VLAN attribute
2 Disable DTP negotiation (security hardening)
3 Device tracking for IP-MAC binding (prevents spoofing)
4 Apply the authentication template
5 Portfast for immediate forwarding after auth (skip STP learning)
6 BPDU guard shuts port if switch/bridge is connected (prevents loops)

4. Policy Map

The policy map defines event-driven authentication logic. This is the "brain" of C3PL.

policy-map type control subscriber PMAP_Dot1xClosed_1X_MAB

 event session-started match-all                   (1)
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
   20 authenticate using mab priority 20

 event authentication-failure match-first          (2)
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   5 clear-authenticated-data-hosts-on-port
   10 activate service-template CriticalAuth_SRV_TEMPLATE
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   5 clear-authenticated-data-hosts-on-port
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60

 event aaa-available match-all                     (3)
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 clear-session

 event agent-found match-all                       (4)
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10

 event inactivity-timeout match-all                (5)
  10 class always do-until-failure
   10 clear-session

 event authentication-success match-all            (6)

 event violation match-all                         (7)
  10 class always do-until-failure
   10 restrict

 event authorization-failure match-all             (8)
  10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
   10 authentication-restart 60
1 Session Started: run dot1x (priority 10) and MAB (priority 20) concurrently; the lower priority value wins, so a dot1x result takes precedence over MAB
2 Auth Failure: Handle dot1x fail, AAA timeout (critical auth), MAB fail
3 AAA Available: When ISE comes back online, clear critical auth sessions
4 Agent Found: If supplicant starts after MAB, terminate MAB and try dot1x
5 Inactivity Timeout: Clear session if no traffic
6 Auth Success: dACL/VLAN pushed via RADIUS, no additional action needed
7 Violation: Restrict traffic on MAC move or second MAC
8 Authz Failure: If authenticated but not authorized, restart after 60 seconds

5. Class Maps

Class maps match specific authentication conditions.

5.1. Authentication Method Classes

class-map type control subscriber match-all DOT1X
 match method dot1x

class-map type control subscriber match-all MAB
 match method mab

5.2. Failure Classes

class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative      (1)

class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found    (2)

class-map type control subscriber match-all MAB_FAILED
 match method mab
 no-match result-type method mab success           (3)
1 Authoritative failure = ISE explicitly rejected (bad cert, unknown user)
2 Agent-not-found = no supplicant response (device doesn’t support dot1x)
3 Match MAB attempts that did NOT succeed

5.3. AAA Server Down Classes

class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match authorization-status unauthorized
 match result-type aaa-timeout                     (1)

class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match authorization-status authorized
 match result-type aaa-timeout                     (2)
1 New host, ISE unreachable — apply critical auth VLAN
2 Previously authenticated host, ISE unreachable — keep current session

5.4. Authorization Failure Classes

class-map type control subscriber match-all AUTHC_SUCCESS-AUTHZ_FAIL
 match authorization-status unauthorized
 match result-type success                         (1)
1 Authenticated (ISE knows identity) but not authorized (no matching policy)

5.5. Critical Auth State Classes

class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CriticalAuth_SRV_TEMPLATE

class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CriticalAuth_SRV_TEMPLATE
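
To make the match-first / match-all and do-until-failure semantics of sections 4 and 5 concrete, here is an added Python model (not Cisco code and not part of the original page) that encodes the class maps above and three of the policy-map events, then reports which class fires and which actions run for a given session state. The session attributes (method, result_type, authorization_status, activated_templates), the assumption that every action succeeds, and the omission of the other events are simplifications made for the model; class, event and action names are the ones used on this page.

```python
"""Added example (not Cisco code): a small model of how C3PL evaluates the
class maps and policy-map events on this page. It keeps the names from
sections 4 and 5 but simplifies the session state and assumes every action
succeeds (so do-until-failure runs a class's whole action list)."""
from dataclasses import dataclass, field


@dataclass
class Session:
    """The subset of access-session state the class maps above inspect."""
    method: str                 # method that raised the event: "dot1x" or "mab"
    result_type: str            # "authoritative", "agent-not-found", "aaa-timeout", "success"
    authorization_status: str   # "authorized" or "unauthorized"
    activated_templates: set = field(default_factory=set)


# class-map name -> (mode, [(negated, (match type, argument))]); negated=True is "no-match".
# result-type arguments are (method, result); method None means a method-independent match.
CRITICAL = "CriticalAuth_SRV_TEMPLATE"
CLASS_MAPS = {
    "DOT1X_FAILED": ("match-all", [(False, ("method", "dot1x")),
                                   (False, ("result-type", ("dot1x", "authoritative")))]),
    "DOT1X_NO_RESP": ("match-all", [(False, ("method", "dot1x")),
                                    (False, ("result-type", ("dot1x", "agent-not-found")))]),
    "MAB_FAILED": ("match-all", [(False, ("method", "mab")),
                                 (True, ("result-type", ("mab", "success")))]),
    "AAA_SVR_DOWN_UNAUTHD_HOST": ("match-all", [(False, ("authorization-status", "unauthorized")),
                                                (False, ("result-type", (None, "aaa-timeout")))]),
    "AAA_SVR_DOWN_AUTHD_HOST": ("match-all", [(False, ("authorization-status", "authorized")),
                                              (False, ("result-type", (None, "aaa-timeout")))]),
    "AUTHC_SUCCESS-AUTHZ_FAIL": ("match-all", [(False, ("authorization-status", "unauthorized")),
                                               (False, ("result-type", (None, "success")))]),
    "IN_CRITICAL_AUTH": ("match-any", [(False, ("activated-service-template", CRITICAL))]),
    "NOT_IN_CRITICAL_AUTH": ("match-none", [(False, ("activated-service-template", CRITICAL))]),
}

# event -> (class selection strategy, classes in sequence-number order with their actions)
POLICY_MAP = {
    "authentication-failure": ("match-first", [
        ("DOT1X_FAILED", ["terminate dot1x", "authenticate using mab priority 20"]),
        ("AAA_SVR_DOWN_UNAUTHD_HOST", ["clear-authenticated-data-hosts-on-port",
                                      f"activate service-template {CRITICAL}",
                                      "authorize", "pause reauthentication"]),
        ("AAA_SVR_DOWN_AUTHD_HOST", ["clear-authenticated-data-hosts-on-port",
                                    "pause reauthentication", "authorize"]),
        ("DOT1X_NO_RESP", ["terminate dot1x", "authenticate using mab priority 20"]),
        ("MAB_FAILED", ["terminate mab", "authentication-restart 60"]),
        ("always", ["terminate dot1x", "terminate mab", "authentication-restart 60"]),
    ]),
    "aaa-available": ("match-all", [("IN_CRITICAL_AUTH", ["clear-session"]),
                                    ("NOT_IN_CRITICAL_AUTH", ["clear-session"])]),
    "authorization-failure": ("match-all", [("AUTHC_SUCCESS-AUTHZ_FAIL", ["authentication-restart 60"])]),
}


def condition_holds(cond, s: Session) -> bool:
    """Evaluate one 'match' line of a class map against the session."""
    kind, arg = cond
    if kind == "method":
        return s.method == arg
    if kind == "result-type":
        meth, result = arg
        return (meth is None or s.method == meth) and s.result_type == result
    if kind == "authorization-status":
        return s.authorization_status == arg
    if kind == "activated-service-template":
        return arg in s.activated_templates
    raise ValueError(f"unsupported match type {kind}")


def class_matches(name: str, s: Session) -> bool:
    """match-all: every line true; match-any: at least one; match-none: none.
    A 'no-match' line counts as true when its condition is false."""
    if name == "always":
        return True
    mode, lines = CLASS_MAPS[name]
    outcomes = [condition_holds(cond, s) != negated for negated, cond in lines]
    return {"match-all": all, "match-any": any, "match-none": lambda o: not any(o)}[mode](outcomes)


def run_event(event: str, s: Session) -> list:
    """Return [(class, actions)] executed for the event. match-first stops at the
    first matching class; match-all evaluates every class in order. Activating a
    service template is recorded on the session so later events can see it."""
    strategy, classes = POLICY_MAP[event]
    executed = []
    for cname, actions in classes:
        if not class_matches(cname, s):
            continue
        for action in actions:
            if action.startswith("activate service-template "):
                s.activated_templates.add(action.split()[-1])
        executed.append((cname, list(actions)))
        if strategy == "match-first":
            break
    return executed


if __name__ == "__main__":
    for label, sess in [("no supplicant", Session("dot1x", "agent-not-found", "unauthorized")),
                        ("ISE unreachable", Session("dot1x", "aaa-timeout", "unauthorized")),
                        ("MAB rejected", Session("mab", "authoritative", "unauthorized"))]:
        print(label, "->", run_event("authentication-failure", sess))
```

Running it for a dot1x agent-not-found failure shows the match-first walk skipping DOT1X_FAILED and both AAA-down classes before DOT1X_NO_RESP fires; for an aaa-timeout the model records the activated CriticalAuth_SRV_TEMPLATE on the session, so a later aaa-available event hits IN_CRITICAL_AUTH rather than NOT_IN_CRITICAL_AUTH, which is the state transition that lets critical-auth hosts be re-evaluated once ISE is reachable again.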

6. Service Templates

Service templates define dynamic policy for special scenarios like critical authentication.

service-template CriticalAuth_SRV_TEMPLATE
 vlan 999                      (1)
 access-group ACL_CRITICAL_AUTH                    (2)

ip access-list extended ACL_CRITICAL_AUTH
 permit udp any host 10.50.1.1 eq 53
 permit udp any any eq 67
 permit udp any any eq 68
 permit tcp any host 10.50.1.50 eq 88
 permit tcp any host 10.50.1.50 eq 636
 permit tcp any host 10.50.1.21 eq 8443
 deny ip any any log
1 Critical auth VLAN when ISE is unreachable
2 Minimal access - DNS, DHCP, AD, ISE only

7. CoA and Dynamic Authorization

ISE uses Change of Authorization (CoA) to push policy changes mid-session.

7.1. CoA Client Configuration

aaa server radius dynamic-author
 client 10.50.1.20 server-key 0 <RADIUS_SECRET>   (1)
 client 10.50.1.21 server-key 0 <RADIUS_SECRET>   (2)
1 ISE-01 as CoA client
2 ISE-02 as CoA client

7.2. How dACLs Are Pushed

  1. Client authenticates (dot1x or MAB)

  2. Switch sends RADIUS Access-Request to ISE

  3. ISE evaluates authorization policy, returns:

    • Access-Accept with Cisco-AVPair: ACS:CiscoSecure-Defined-ACL=DACL<dacl-name>

    • VLAN assignment (optional)

    • Session-Timeout for reauthentication

  4. Switch downloads dACL content from ISE via RADIUS

  5. Switch applies dACL to port (client traffic filtered)

  6. If posture changes, ISE sends CoA with new dACL
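
The RADIUS exchange in steps 2 to 5 is visible on the wire, and the switch only acts on a reply whose Response Authenticator checks out against the shared secret. The following added Python example (not code from the page, from ISE or from Cisco) builds a constructed Access-Accept of the kind ISE returns in step 3, carrying a Cisco-AVPair dACL reference, a Tunnel-Private-Group-ID VLAN and a Session-Timeout, and then does what the switch does on receipt: verifies the Response Authenticator with its copy of the RADIUS secret and extracts the three authorization values. The shared secret, request authenticator, identifier and the dACL name DACL-WORKSTATION-EXAMPLE are constructed placeholders; attribute numbers are the standard ones from RFC 2865/2868 and the Vendor-Specific layout uses Cisco vendor id 9 with Cisco-AVPair sub-type 1.

```python
"""Added example: build and parse a RADIUS Access-Accept carrying the
authorization attributes ISE returns (dACL name, VLAN, Session-Timeout).
Attribute numbers per RFC 2865/2868; Vendor-Specific layout per RFC 2865 5.26.
All sample values (secret, request authenticator, dACL name) are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VSA, ATTR_SESSION_TIMEOUT = 26, 27
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
DACL_AVPAIR_PREFIX = "ACS:CiscoSecure-Defined-ACL="

# Constructed fixtures: not a real secret, authenticator or dACL name.
SECRET = b"constructed-radius-secret"
REQUEST_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")
EXAMPLE_DACL = "DACL-WORKSTATION-EXAMPLE"


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return bytes([atype, 2 + len(value)]) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26): 4-octet Vendor-Id 9, then sub-attribute 1 (Cisco-AVPair)."""
    sub = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode()
    return attribute(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The switch's first check: recompute the Response Authenticator with its own
    copy of the shared secret. A mismatch (wrong key or tampered reply) makes the
    switch discard the packet as if the server had never answered."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def iter_attributes(packet: bytes):
    """Yield (type, value) pairs, refusing lengths that run past the packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    off = 20
    while off < length:
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed RADIUS attribute length")
        yield atype, packet[off + 2:off + alen]
        off += alen


def extract_authorization(packet: bytes) -> dict:
    """Pull out the values the switch applies to the session after Access-Accept."""
    result = {"dacl": None, "vlan": None, "session_timeout": None, "avpairs": []}
    for atype, value in iter_attributes(packet):
        if atype == ATTR_SESSION_TIMEOUT:
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet below 0x20 is a tag, not part of the VLAN value
            result["vlan"] = (value[1:] if value and value[0] < 0x20 else value).decode()
        elif atype == ATTR_VSA and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            off = 4
            while off < len(value):          # walk the vendor sub-attributes
                vtype, vlen = value[off], value[off + 1]
                if vtype == CISCO_AVPAIR:
                    text = value[off + 2:off + vlen].decode()
                    result["avpairs"].append(text)
                    if text.startswith(DACL_AVPAIR_PREFIX):
                        result["dacl"] = text[len(DACL_AVPAIR_PREFIX):]
                off += vlen
    return result


def example_access_accept() -> bytes:
    """A constructed reply of the kind ISE sends in step 3: dACL, VLAN 10, 1 h reauth."""
    return build_access_accept(0x2A, REQUEST_AUTHENTICATOR, SECRET, [
        cisco_avpair(DACL_AVPAIR_PREFIX + EXAMPLE_DACL),
        attribute(ATTR_TUNNEL_TYPE, bytes([1]) + (13).to_bytes(3, "big")),    # tag 1, VLAN
        attribute(ATTR_TUNNEL_MEDIUM, bytes([1]) + (6).to_bytes(3, "big")),   # tag 1, IEEE 802
        attribute(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"10"),          # tag 1, VLAN id
        attribute(ATTR_SESSION_TIMEOUT, struct.pack("!I", 3600)),
    ])


if __name__ == "__main__":
    pkt = example_access_accept()
    print("authenticator ok:", verify_response(pkt, REQUEST_AUTHENTICATOR, SECRET))
    print(extract_authorization(pkt))
```

The authenticator check is worth keeping in mind when troubleshooting: a key mismatch between the `radius server` definition and ISE does not produce an Access-Reject, it produces silently discarded replies, so the switch counts the server as dead after the configured dead-criteria and falls into the critical-auth path from section 4. The dACL name extracted here is only a reference; as step 4 says, the switch fetches the ACL contents in a separate RADIUS exchange.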

8. AAA Configuration

Global AAA configuration for 802.1X with ISE. dot1x system-auth-control enables 802.1X globally (without it the port template does nothing), the method lists reference the ISE_SERVERS group so that only the two ISE nodes are used, and the radius-server vsa send commands let the Cisco-AVPair (dACL) attributes pass in authentication and accounting:

aaa new-model
dot1x system-auth-control

radius server ISE-01
 address ipv4 10.50.1.20 auth-port 1812 acct-port 1813
 key 0 <RADIUS_SECRET>

radius server ISE-02
 address ipv4 10.50.1.21 auth-port 1812 acct-port 1813
 key 0 <RADIUS_SECRET>

aaa group server radius ISE_SERVERS
 server name ISE-01
 server name ISE-02

aaa authentication dot1x default group ISE_SERVERS
aaa authorization network default group ISE_SERVERS
aaa accounting dot1x default start-stop group ISE_SERVERS

radius-server vsa send authentication
radius-server vsa send accounting
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15

9. Device Tracking

Device tracking binds IP to MAC, preventing IP spoofing:

device-tracking policy DT_POLICY
 security-level glean
 tracking enable

interface GigabitEthernet1/0/5
 device-tracking attach-policy DT_POLICY

10. Verification Commands

10.1. Access Session Details

show access-session interface Gi1/0/5 details

Shows MAC, IP, username, domain, current policy (dACL, VLAN), auth method, session state.

10.2. Authentication Sessions

show authentication sessions interface Gi1/0/5

Summary view of all sessions on the port.

10.3. Downloaded dACL

show ip access-list interface Gi1/0/5

Shows ACL entries currently applied (downloaded from ISE).

10.4. Device Tracking

show device-tracking database interface Gi1/0/5

Shows IP-MAC bindings learned on the port.

10.5. Dot1x Interface Details

show dot1x interface Gi1/0/5 details

Shows dot1x state machine, EAP statistics, timeout values.

11. Operational Commands

11.1. Clear Session (Bounce Port)

clear authentication sessions interface Gi1/0/5

Clears all sessions and triggers reauthentication.

11.2. Force Reauthentication

authentication session interface Gi1/0/5 reauth

Triggers reauthentication without clearing session.

11.3. Debug Commands

Debug commands generate high CPU and log volume. Use sparingly.

debug dot1x all
debug radius authentication
debug radius accounting
debug aaa coa

Disable with: undebug all

12. Quick Reference

Command                                   Purpose
show access-session int Gi1/0/5 det       Full session details (MAC, IP, VLAN, dACL)
show auth sessions int Gi1/0/5            Session summary
show ip access-list int Gi1/0/5           View downloaded dACL content
show dot1x int Gi1/0/5 det                Dot1x state machine details
clear auth sessions int Gi1/0/5           Bounce port (force reauth)
show device-tracking db int Gi1/0/5       IP-MAC bindings