Client Information Signaling Protocol (CISP)

This section contains the following topics:

Client Information Signaling Protocol (CISP)

This feature is new for release 15.8(3)M1 and applies to the IR829 only.

CISP is a generic protocol used in Network Edge Authentication Topology (NEAT) scenarios to propagate client MAC addresses and VLAN information between the supplicant and the authenticator. CISP was already available in Cisco IOS, but is new to the IR829 platform. Complete details on this feature are available here:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html

Figure 1 illustrates how the CISP feature works in NEAT in a simple scenario.

Figure 1. CISP in NEAT

CISP Commands

The following commands have been added to the IR829:

  • cisp enable

  • show cisp [client]/[interface]/[registrations]/[summary]

  • show authentication [interface] / [method] / [registrations]/ [sessions] / [statistic]

  • debug cisp [all]/[errors]/[events]/[packets]/[sync]

Details on the commands follow:

cisp enable

Enables the CISP protocol on the authenticator as well as on supplicants. In config mode, the cisp enable CLI globally enables the CISP protocol on L2 interfaces.


IR800(config)# cisp enable

show cisp commands

  • In exec mode, show cisp clients displays the MAC address and VLAN details for all authorized hosts.


IR800#show cisp clients
Authenticator Client Table:
---------------------------
 MAC Address     VLAN  Interface
 ---------------------------------
 001b.0d55.21c1  200   Fa0/6
 001b.0d55.21c0  1     Fa0/6

  • In exec mode, show cisp registrations displays all the details of Interface(s) with CISP registered user(s).


IR800#show cisp registrations
Interface(s) with CISP registered user(s):
------------------------------------------
 Fa0/6
 Auth Mgr (Authenticator)

  • In exec mode, show cisp interface <> displays whether the device is a supplicant or an authenticator, the version details, and the peer mode.


IR800# show cisp interface gigabitEthernet 1
CISP Status for interface Gi1
-----------------------------
  Version:   (not negotiated)
  Mode:        Authenticator
  Peer Mode:
  Auth State:  Idle

CISP Prerequisites

  • 802.1x Authentication is already supported on IR829.

  • No support for CISP has been added to the IR809 platform, or for L3 ports on the IR829.

  • Before CISP is enabled, the 802.1x authentication must be completed as both supplicant and authenticator.

Flow Diagrams

Trigger of CISP Packets

  • On a successful authentication response from the authenticator, the supplicant starts registration with the authenticator CISP.

  • Once an end host is authorized or unauthorized, the supplicant sends an update (Add / Delete) to the authenticator CISP.

  • If an access link or the trunk uplink goes up or down, the supplicant clears its local CISP Client Table, and the authenticator CISP clears its Client Table.

  • If a new MAC is learned or aged out, CISP updates both sides.

  • If there is no response to CISP request frames, the CISP frames are retransmitted.

  • The authentication switch ACKs the CISP frame after completing the desired action.

Host Disconnect/Power down/Logoff

  • NEAT (Supplicant and Authenticator) uses the CISP protocol to securely transport authenticated host MAC addresses from a downstream supplicant device to an upstream authenticator device. CISP must be enabled on both ends.

  • On a successful authentication response from the authenticator, the supplicant starts registration with the authenticator CISP. Once the authenticator authenticates the supplicant, registration packets are transferred between the supplicant and the authenticator. The following are examples of the CISP packet transfer after enabling debug cisp all:


Oct 15 13:51:36.707: CISP-RXPAK (Fa0/6): Code: REQUEST ID:0x22 Length: 0x001C  Type: REGISTRATION
Oct 15 13:51:36.707: CISP-TXPAK (Fa0/6): Code: RESPONSE ID:0x22 Length:0x001C   Type: REGISTRATION

Once the end host is authorized or unauthorized, an update (Add / Delete) is sent to the authenticator CISP. The following shows an example:


Oct 15 13:51:36.724: CISP-RXPAK (Fa0/6): Code: REQUEST ID:0x23 Length:0x003A  Type: ADD_CLIENT
Oct 15 13:51:36.724: CISP-EVENT (Fa0/6): Adding client 001b.0d55.21c1 (vlan: 200) to authenticator list
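
An added example, not part of the Cisco documentation: a small Python parser for the debug cisp all lines shown above. It rebuilds the list of clients added on the authenticator and lists REQUEST frames that have no matching RESPONSE in the capture. Matching a response to its request by interface and ID is an assumption drawn from the REGISTRATION pair above; audit_cisp_debug and SAMPLE are names chosen for this example.

```python
import re

# Constructed sample: the debug lines shown above, joined into one capture.
SAMPLE = """\
Oct 15 13:51:36.707: CISP-RXPAK (Fa0/6): Code: REQUEST ID:0x22 Length: 0x001C  Type: REGISTRATION
Oct 15 13:51:36.707: CISP-TXPAK (Fa0/6): Code: RESPONSE ID:0x22 Length:0x001C   Type: REGISTRATION
Oct 15 13:51:36.724: CISP-RXPAK (Fa0/6): Code: REQUEST ID:0x23 Length:0x003A  Type: ADD_CLIENT
Oct 15 13:51:36.724: CISP-EVENT (Fa0/6): Adding client 001b.0d55.21c1 (vlan: 200) to authenticator list
"""

# \s* after each field name tolerates the uneven spacing seen in the output.
PAK = re.compile(
    r"CISP-(RX|TX)PAK \((\S+)\): Code:\s*(\w+)\s+ID:\s*(0x[0-9A-Fa-f]+)"
    r"\s+Length:\s*(0x[0-9A-Fa-f]+)\s+Type:\s*(\w+)")
ADD = re.compile(
    r"CISP-EVENT \((\S+)\): Adding client "
    r"((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) \(vlan: (\d+)\)")

def audit_cisp_debug(text):
    """Summarise `debug cisp all` output.

    Returns (clients, unanswered):
      clients    - {(mac, vlan): interface} for every "Adding client" event
      unanswered - [(interface, id, type)] for each REQUEST with no RESPONSE
                   carrying the same ID on the same interface (assumed pairing)
    """
    clients, pending = {}, {}
    for line in text.splitlines():
        m = PAK.search(line)
        if m:
            _direction, intf, code, pkt_id, _length, ptype = m.groups()
            key = (intf, int(pkt_id, 16))
            if code == "REQUEST":
                pending.setdefault(key, ptype)   # a retransmit keeps one entry
            elif code == "RESPONSE":
                pending.pop(key, None)           # acknowledged
            continue
        m = ADD.search(line)
        if m:
            intf, mac, vlan = m.groups()
            clients[(mac.lower(), int(vlan))] = intf
    unanswered = [(i, pid, t) for (i, pid), t in pending.items()]
    return clients, unanswered

if __name__ == "__main__":
    clients, unanswered = audit_cisp_debug(SAMPLE)
    for (mac, vlan), intf in clients.items():
        print(f"{mac}  vlan {vlan}  {intf}")
    for intf, pid, ptype in unanswered:
        print(f"no RESPONSE seen for {ptype} request ID 0x{pid:02X} on {intf}")
```

On the excerpt above, request ID 0x23 is listed as unanswered only because the excerpt contains no RESPONSE line for it. The client list can be compared against the show cisp clients table for the same interface.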