topic Re: Sda Authentication Template not configured on all interfaces in Software-Defined Access (SD-Access)

Sda Authentication Template not configured on all interfaces

cygnuz — Tue, 03 Dec 2019 15:34:22 GMT

Hi all,

I configured my SDA network and configured Closed Auth as authentication template in the onboarding pool.

When i connect an endpoint to the FE switch it seems it is not configured for dot1x by default while if i explicity configure the port (assign) for closed auth the endpoint can authenticate via dot1x.

default port configuration follow:

Cat3850_2-172-16-66-68#sh run int gi 1/0/1
Building configuration...

Current configuration : 81 bytes
!
interface GigabitEthernet1/0/1
device-tracking attach-policy IPDT_MAX_10
end

Cat3850_2-172-16-66-68#sh dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 3

Dot1x Info for GigabitEthernet1/0/11
--------------------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 3
MaxReq = 2
TxPeriod = 7

is this a normal behaviour?I thought that every interface should be automatically configured via default auth template.

Re: Sda Authentication Template not configured on all interfaces

Mike.Cifelli — Tue, 03 Dec 2019 16:17:23 GMT

You definitely need to configure ports to support host on-boarding. This is done in the same place that you are mentioning via device-type selection, auth mode, or static provisioning for segment/sgt. Have you assigned the FE to site in inventory and set the network role to access in fabric infrastructure? I know that for extended nodes this configuration is accurate prior to statically assigning host ports for on-boarding:
interface GigabitEthernet1/0/1
device-tracking attach-policy IPDT_MAX_10
end

Re: Sda Authentication Template not configured on all interfaces

cygnuz — Tue, 03 Dec 2019 16:39:32 GMT

Thanks Mike,

the FE was configured as Distribution and not as access. changing the role and reconfiuring it in sda has resolved the issue.