10-30-2025 03:46 PM
Howdy folks, here's my current situation. I am deploying 802.1X in an environment of Catalyst 9300 series switches at the access layer. The infrastructure is managed by Catalyst Center that is tied in with Identity Services Engine. We've set up a lab switch and onboarded it in Catalyst Center into a network hierarchy site of its own. I had done some research on the necessary global and interface level configurations to implement 802.1X, then tested them out on our lab switch.
So thus far, I've got the older (IBNS 1?) 802.1x global and interface level configurations implemented (on interfaces g1/0/1- 10) on our lab switch.
In ISE I can see the lab switch in the RADIUS live logs successfully checking in. I also happened to notice in the RADIUS live logs a stack pair at another site is failing to authenticate with ISE. This is strange because our lab switch is the first device we are testing 802.1X on; we haven't configured any other switches to talk to ISE yet. Then it dawned on me that the stack that was unexpectedly attempting to authenticate with ISE had one of its members die earlier in the year, and when we replaced it, we ran a provision job from Catalyst Center which deployed some 802.1X global configurations on to that switch (we have ISE configured in our Catalyst Center Network Hierarchy / network settings at the global level). So that's when I learned that Cat Center, in some capacity, can help you automate the deployment of 802.1X configurations.
Realizing this, I ran a provision job on the lab switch to see what it pushes (remember I already have old IBNS 802.1X configs manually added on this switch, global and interface level on g1/0/1 - 10).
Sure enough, there are global configurations, but also now on G1/0/1 - 10 there was a service-policy and those interfaces were now using IBNS (2?) configs. There are also distinct service-policies for each interface that reference policy maps and a slew of other detailed configurations related to the policies. Interestingly, interfaces g1/0/11 - 52 did not have any 802.1X configurations (same as before).
That's all great, everything is working and DNA Center made that super easy, but, as things tend to go, I got sidetracked from this project for about a month and then came back to it. I recently ran a provision job on a different switch in Catalyst Center but it only adds the global 802.1X configs. It has not added the port configs nor all of those detailed service policy, policy map, etc. CLIs. I am having a heck of a time finding where in Catalyst Center these detailed 802.1X configurations are coming from, and why I can't get the interface settings to now apply to g1/0/11-48 on our lab switch. I do not have any 802.1X templates created, only the original onboarding templates. Below is an example of the configs that exist on our lab switch that are missing from the most recent switch. These configs are also shown in the provision history of the lab switch -> Deployment of network intent -> Configuration Difference. There is plenty more than what is shown below, but I assume it's all associated with the site / floor in the network hierarchy in Catalyst Center. I just can't find anything.
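The post's core problem is telling which ports actually received the per-interface 802.1X settings, and in which style (the legacy IBNS 1.0 `authentication port-control` commands versus the IBNS 2.0 `access-session` plus `service-policy type control subscriber` commands that provisioning pushed to g1/0/1 - 10). The script below is an added example, not code from the original post or from Catalyst Center: it parses a saved `show running-config` and reports, per interface, whether the port is IBNS 1.0, IBNS 2.0, or has no 802.1X port configuration at all, plus whether the required global commands are present. The sample configuration embedded in it is constructed for the example, and the policy-map name `PMAP_EXAMPLE_1X_MAB` is a placeholder, not the name Catalyst Center generates.

```python
"""Audit an IOS-XE running-config for per-port 802.1X coverage.

Added example with a constructed sample config; it is not the original
poster's switch config nor anything produced by Catalyst Center.
"""
from typing import Dict, List

# Per-port markers for the two 802.1X command styles on IOS-XE.
# IBNS 1.0 ("old style") uses the authentication-* port commands.
# IBNS 2.0 ("new style") uses access-session plus a control-subscriber
# service policy, which is what Catalyst Center provisioning pushes.
IBNS1_MARKERS = ("authentication port-control",)
IBNS2_MARKERS = ("access-session port-control",
                 "service-policy type control subscriber")

# Global commands that must exist for either port style to authenticate.
REQUIRED_GLOBALS = ("aaa new-model", "dot1x system-auth-control")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented sub-commands]} for every
    'interface ...' block, in the order they appear in the config."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or an unindented global command ends the block
    return blocks


def classify(subcommands: List[str]) -> str:
    """'ibns2' if the port carries policy-based commands, 'ibns1' if it
    only carries the legacy authentication commands, otherwise 'none'."""
    def has(markers) -> bool:
        return any(cmd.startswith(m) for cmd in subcommands for m in markers)
    if has(IBNS2_MARKERS):
        return "ibns2"
    if has(IBNS1_MARKERS):
        return "ibns1"
    return "none"


def audit_interfaces(config: str) -> Dict[str, str]:
    """Map every interface in the config to its 802.1X style."""
    return {name: classify(cmds) for name, cmds in parse_interfaces(config).items()}


def unprotected_ports(config: str) -> List[str]:
    """Interfaces with no 802.1X port configuration at all (config order)."""
    return [name for name, style in audit_interfaces(config).items() if style == "none"]


def missing_globals(config: str) -> List[str]:
    """Required global commands that are absent from the config."""
    present = {line.rstrip() for line in config.splitlines() if not line.startswith(" ")}
    return [g for g in REQUIRED_GLOBALS if g not in present]


# Constructed sample: one IBNS 2.0 port, one legacy port, one bare port.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 service-policy type control subscriber PMAP_EXAMPLE_1X_MAB
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/11
 switchport mode access
!
"""

if __name__ == "__main__":
    for name, style in audit_interfaces(SAMPLE_CONFIG).items():
        print(f"{name:<24} {style}")
    print("ports without 802.1X:", unprotected_ports(SAMPLE_CONFIG))
    print("missing globals:", missing_globals(SAMPLE_CONFIG))
```

Run it against a captured `show running-config` from each provisioned switch and compare the output for the lab switch with the switch that only received global commands: any access port reported as `none` is one the provisioning job did not touch, which is exactly the gap between g1/0/1 - 10 and g1/0/11 - 48 the post describes. A port is reported as `ibns2` as soon as either of the new-style commands is present, so a half-converted port still shows up as IBNS 2.0 rather than being hidden.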