topic Re: IBNS 2.0 with ISE for dot1x in Network Access Control

IBNS 2.0 with ISE for dot1x

harryraju — Fri, 02 Jan 2026 21:05:11 GMT

Hi all

Hope someone can answer the below for me.

Is a policy-map mandatory for dot1x to work when using IBNS 2.0 with ISE ?

I have two ports on a switch configured for dot1x. Out of the two, one is configured without any policy map and the other has a basic policy map attached.

The port with policy-map attached is working as expected but the port that’s not using a template or policy map is not authenticating.

show access-session

Interface MAC Address Method Domain Status Fg Session ID

--------------------------------------------------------------------------------------------

Gi1/0/2 Mac address dot1x VOICE Auth 040DA8C00000004D804E276C

Gi1/0/1 Mac address N/A UNKNOWN Unauth 040DA8C000000053806D94FC

Gi1/0/1 Mac address N/A UNKNOWN Unauth 040DA8C000000052806D8DC4

I’m testing with the following setup:

ISE version 3.3.0.430

Switch - Cat9200-24P on IOS-XE 17.15.03

I have port 1 on the switch configured as below without any template or policy map attached:

interface GigabitEthernet1/0/1

description Corporate Data [VLAN xxxx] / Voice [VLAN yyyy]

switchport access vlan xxxx

switchport mode access

switchport voice vlan yyyy

device-tracking attach-policy MERAKI_ACCESS_TRACK

ip flow monitor MERAKI_TA1_V4_IN input

ip flow monitor MERAKI_TA2_IPV4 input

ip flow monitor MERAKI_TA1_V4_OUT output

ip flow monitor MERAKI_TA2_IPV4 output

authentication periodic

authentication timer reauthenticate server

access-session host-mode multi-domain

access-session control-direction in

access-session port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 7

dot1x timeout supp-timeout 7

dot1x max-req 3

dot1x max-reauth-req 3

storm-control broadcast level 10.00

storm-control multicast level 10.00

storm-control action shutdown

storm-control action trap

spanning-tree portfast

spanning-tree guard root

end

port 2 on the switch is configured via template with has a policy map attached:

interface GigabitEthernet1/0/2

device-tracking attach-policy MERAKI_ACCESS_TRACK

ip flow monitor MERAKI_TA1_V4_IN input

ip flow monitor MERAKI_TA2_IPV4 input

ip flow monitor MERAKI_TA1_V4_OUT output

ip flow monitor MERAKI_TA2_IPV4 output

source template wired-dot1x-closed

spanning-tree portfast

end

template wired-dot1x-closed

dot1x pae authenticator

dot1x timeout supp-timeout 7

dot1x max-req 3

storm-control broadcast level 10.00

storm-control multicast level 10.00

storm-control action shutdown

storm-control action trap

spanning-tree portfast

spanning-tree guard root

switchport access vlan xxxx

switchport mode access

switchport voice vlan yyyy

mab

access-session host-mode multi-domain

access-session control-direction in

access-session closed

access-session port-control auto

authentication periodic

authentication timer reauthenticate server

service-policy type control subscriber test_Wired_dot1x_MAB

description Corporate Data [VLAN xxxx] / Voice [VLAN yyyy]

policy-map type control subscriber test_Wired_dot1x_MAB

event session-started match-all

10 class always do-until-failure

10 authenticate using dot1x retries 2 retry-time 0 priority 10

So it seems that with a policy map, the switch port doesn’t try to authenticate as I don’t see any logs on ISE for it. Is this by design or have a completely missed something simple here?

Re: IBNS 2.0 with ISE for dot1x

harryraju — Fri, 02 Jan 2026 21:10:14 GMT

sorry had a typo in the end ... it should have been... " So it seems that without a policy map, the switch port doesn’t try to authenticate as I don’t see any logs on ISE for it. Is this by design or have a completely missed something simple here?

Re: IBNS 2.0 with ISE for dot1x

Rob Ingram — Fri, 02 Jan 2026 21:41:28 GMT

@harryraju yes, you need a policy-map and relevant class-maps when using IBNS 2.0

You must convert the IBNS 1.0 configuration to IBNS 2.0 syntax using the command - authentication display new-style. I don't believe you can run both IBNS 1.0 and 2.0 concurrently. Refer to the wired prescriptive guide for implementaton - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515 and https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2025/pdf/BRKOPS-2584.pdf

Re: IBNS 2.0 with ISE for dot1x

Karsten Iwen — Sat, 03 Jan 2026 16:58:04 GMT

@Rob Ingram already told you that you need it. For some more understanding: On your interface Gig1/0/1, you have a couple of commands that tell the interface what needs to be done *if* 802.1X is used. But you are missing the part where 802.1X is finally enabled, as that is controlled in the policy-map.

Re: IBNS 2.0 with ISE for dot1x

harryraju — Sat, 03 Jan 2026 17:48:10 GMT

Thanks Rob. The prescriptive deployment guide is what I used for my deployment and is really good. And the following Cisco live session is also a good deep dive into IBNS 2.0.

https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2025/pdf/BRKCRT-3002.pdf.

And I understand that we can't run IBNS 1.0 and 2.0 on the same switch but in my setup, both ports are using IBNS 2.0 commands. So the derived config of gi1/0/2 and run config of gi1/0/1 is identical except for the service-policy that's attached to gi1/0/2.

What's confusing me is that the following commands under gi1/0/1 enable dot1x so why is a service-policy required (assuming I'm not after backup solution for the ISE servers being not available) ?

interface GigabitEthernet1/0/1

...

device-tracking attach-policy MERAKI_ACCESS_TRACK

authentication periodic

authentication timer reauthenticate server

access-session host-mode multi-domain

access-session control-direction in

access-session port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 7

dot1x timeout supp-timeout 7

dot1x max-req 3

dot1x max-reauth-req 3

...

Re: IBNS 2.0 with ISE for dot1x

harryraju — Sat, 03 Jan 2026 17:48:48 GMT

Thanks @Karsten Iwen . Please see my reply to Rob.

Re: IBNS 2.0 with ISE for dot1x

Karsten Iwen — Sat, 03 Jan 2026 21:59:15 GMT

@harryraju wrote:

What's confusing me is that the following commands under gi1/0/1 enable dot1x

no, they don't!