topic Re: DNAC policy templates 802.1X/Mab in Network Access Control

DNAC policy templates 802.1X/Mab

Aileron88 — Mon, 06 Apr 2020 15:40:56 GMT

Hi,

Hoping someone can clear up some confusion. I'm looking at the default policy maps that DNA pushes to NADs for 802.1X/MAB and the Open Auth, Low Impact and Closed mode templates all look almost identical bar a couple of very small differences. See below:

Open Authentication

policy-map type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event aaa-available match-all
10 class IN_CRITICAL_AUTH do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH do-until-failure
10 resume reauthentication
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
event violation match-all
10 class always do-until-failure
10 restrict
event authorization-failure match-all
10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
10 authentication-restart 60

Low Impact

policy-map type control subscriber PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event aaa-available match-all
10 class IN_CRITICAL_AUTH do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH do-until-failure
10 resume reauthentication
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
event violation match-all
10 class always do-until-failure
10 restrict
event authorization-failure match-all
10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
10 authentication-restart 60

Closed Mode

policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event aaa-available match-all
10 class IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 resume reauthentication
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
event violation match-all
10 class always do-until-failure
10 restrict
event authorization-failure match-all
10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
10 authentication-restart 60

They also have identical interface templates. I'm only showing one but they're the same across all 3 templates:

template DefaultWiredDot1xOpenAuth
dot1x pae authenticator
switchport access vlan xxx
switchport mode access
switchport voice vlan xxx
mab
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

So my question is, previoulsy we would have commands such as 'authentication open' on the port to implement monitor-mode and ignore the access-reject messages. With these default templates pushed from DNAC, it would seem that you do not get access if the port recieves an access-reject even in open mode and the control is based solely on the ISE policy. Is there something I'm missing here?

Thanks

Re: DNAC policy templates 802.1X/Mab

Greg Gibbs — Tue, 07 Apr 2020 05:57:53 GMT

The main difference between the PMAP_DefaultWiredDot1xOpenAuth_1X_MAB and PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB policy-maps is that the latter adds the DefaultCriticalAccess_SRV_TEMPLATE. This Service Template applies a permissive Critical ACL to override the restrictive Pre-Auth ACL configured on the switchport for Low Impact Mode.

The PMAP_DefaultWiredDot1xClosedAuth_1X_MAB policy-map removes the DefaultCriticalAccess_SRV_TEMPLATE and uses a different class-map (IN_CRITICAL_AUTH_CLOSED_MODE) that also includes the Critical VLAN.

With the IBNS 2.0 framework used by newer switches and DNAC, the old 'authentication open' syntax is replaced by 'access-session open' and the default mode on the interfaces is open access. Both Monitor Mode and Low Impact Mode use open access, so the templates do not require this configuration. If you look at the template DefaultWiredDot1xClosedAuth, you should see the 'access-session closed' command.

Re: DNAC policy templates 802.1X/Mab

Aileron88 — Tue, 07 Apr 2020 10:04:00 GMT

Thanks Greg.

The issue I have is that the 3 service templates all show 'access-session port-control auto'. Should this be the case?

template DefaultWiredDot1xClosedAuth
dot1x pae authenticator
switchport access vlan xxx
switchport mode access
switchport voice vlan xxx
mab
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
!
template DefaultWiredDot1xLowImpactAuth
dot1x pae authenticator
switchport access vlan xxx
switchport mode access
switchport voice vlan xxx
mab
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB
!
template DefaultWiredDot1xOpenAuth
dot1x pae authenticator
switchport access vlan xxx
switchport mode access
switchport voice vlan xxx
mab
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

Re: DNAC policy templates 802.1X/Mab

Greg Gibbs — Tue, 07 Apr 2020 22:58:53 GMT

Yes. That command enables port-based authentication, so it applies to all three deployment modes.

See this chapter on Enabling IEEE 802.1X Authentication and Authorization for more info.

Re: DNAC policy templates 802.1X/Mab

Cyptic man — Tue, 29 Sep 2020 17:08:13 GMT

I'm using open auth and dot1x/MAB mode. My clients fails since there are no "switchport access vlan" in my template configured by DNAC. How come you have that in yours and how do i add it? DHCP doesn't work while dot1x is running and my devices fails since they have to be profiled in ISE based on DHCP information.

template DefaultWiredDot1xOpenAuth
dot1x pae authenticator
dot1x timeout supp-timeout 7
dot1x max-req 3
switchport mode access
switchport voice vlan 2046
mab
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

Re: DNAC policy templates 802.1X/Mab

hslai — Wed, 30 Sep 2020 23:36:06 GMT

Please assign VLAN from ISE. The newer DNA Center releases are behaving as you described. IIRC the older ones have the critical data VLAN in these templates.

Re: DNAC policy templates 802.1X/Mab

BenLora79498 — Fri, 14 Jan 2022 00:59:12 GMT

Hello everyone,

Have we just started our deployment of DNA Center. However, I don't see any templates having to do with 802.1x out of the box. Where can I find them? This newer 802.1x IBNS 2.0 command is giving me a hard time creating a template manually.

Re: DNAC policy templates 802.1X/Mab

Arne Bier — Fri, 14 Jan 2022 01:40:41 GMT

If you're doing SDA (SD Access) in DNAC, you won't see the template in DNAC GUI. DNAC just pushes the commands down to the Edge device when you provision the device. If you are not doing SDA, then I guess you'd need to feed each command through DNAC templates. I don't see the benefit in that - DNAC went backwards in my opinion (versus what Prime was able to do more intelligently) - I am not saying that Prime can do a better job - just saying that pushing "conf t" commands to a device can be done with free tools as well (or copy and paste from an Excel template generator). Template-based config is not the future. SDA finally improves the situation by avoiding the need for having to care about hundreds of commands.

The only place where I have seen any form of Machine-Generated templates is in a Cisco VIRL/CML IOS Layer2 image where the Auto Identity feature seems to exist. Another great feature but shrouded in mystery. AI (Auto Identity) had templates baked into the IOS that you could call up. Have a look at this old posting.

Re: DNAC policy templates 802.1X/Mab

BenLora79498 — Fri, 14 Jan 2022 20:02:58 GMT

Thank you, Arne

This is a bit frustrating from my point of view. Not everyone is going to go in the direction of SDA. And now that DNAC only supports IBNS 2.0 command it's making our deployment of 802.x much more difficult than it needs to be. Cisco should provide a way to implement 802.1x from a simple configuration via DNAC. The whole premise of DNAC is to make things simple, yet this is far from the case as it relates to deploying 802.1x.

Re: DNAC policy templates 802.1X/Mab

hasitha siriwardhana — Fri, 18 Feb 2022 08:20:38 GMT

100% true..dnac made the life difficult with ibns way of dot1x configuration for non SDA environment.