cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC!

Register for the monthly Cisco DNA Center Ask the Expert Sessions to learn about Cisco DNA Center configuration and deployment.
319
Views
0
Helpful
6
Replies
Highlighted
Beginner

MAB with DNAC

Hi,

 

I'm looking for advise on the best way to deploy MAB for non 802.1X capable devices using DNAC. As we only get the 3 pre-defined authentication templates each with a specific purpose but favouring 802.1X - how have you deployed MAB to ports that are not ever going to host 802.1X compliant devices but that you want to use MAB for?

 

Thanks

6 REPLIES 6
Highlighted
Cisco Employee

You can tweak the Closed Authentication to put MAB first. See attached image

Highlighted

Thank you. I've looked at this as an option, it would be nice if we had an option to build more authentication templates here too.

 

I do run in to an issue when trying to change the Authentication Template to MAB, please see attached.

 

Thanks

Highlighted

The DNAC settings just set up the NAD ports in your network. The default is 802.1x 3/7 meaning it'll try 802.1x first, wait for 7 seconds for each of 3 tries. If it fails it will then try MAB. You can change that to try MAB first and then 802.1x and you can also tweak the timers (NOTE: unsure what changing the timers will do to the network - previous cautions from Cisco were that changing the timers would mean that all FE would need to be removed from the fabric and then re-added therefore we haven't tried to move that slider yet).

 

You can create the policies in ISE. In ISE under Policy sets create one that matches 802.1x plus whatever protocol you're using and then create a second policy set that matches MAB with MAB as the protocol. This way when it fails 802.1x it'll roll over to MAB. Then create the appropriate authentication and authorization policies to ensure your devices go to the correct network.

 

HTH,

Chuck McFadden

Highlighted

I have brought up to the BU & my reps several times that customers should have more flexibility with the templates that get assigned to the fabric. The workaround is to use the template editor to tweak the out of box configs to meet your environment needs. I totally agree with you though. What version of DNAC are you running? The bug that @ChuckMcF mentioned can be found here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj67842/?rfs=iqvred

 

If you are hitting this your best bet will be to upgrade unless you plan to interrupt services for customers connected to your fabric.  Good luck!

Highlighted

Thanks all. I agree that there should be more flexibility, I would like to be able to make new authentication templates, with more customisation including, for example what we do in critical auth. It's a shame that we have to use the template editor for these. For now I think that's going to be my best solution.

 

Thank you also for information on the bug!

Highlighted

Please do @mike.cifelli and I a favor and add a Make a Wish for this feature in DNAC. The more people that make a request the higher it goes on the BU priority list.

TIA,

Chuck McFadden

-Please mark helpful posts and solutions-

Content for Community-Ad