I'm looking for advice on the best way to deploy MAB for non-802.1X-capable devices using DNAC. As we only get the 3 pre-defined authentication templates, each with a specific purpose but favouring 802.1X, how have you deployed MAB to ports that are never going to host 802.1X-compliant devices but that you want to use MAB for?
The DNAC settings just set up the NAD ports in your network. The default is 802.1X 3/7, meaning it'll try 802.1X first, waiting 7 seconds on each of 3 tries. If that fails it will then try MAB. You can change that to try MAB first and then 802.1X, and you can also tweak the timers (NOTE: unsure what changing the timers will do to the network; previous cautions from Cisco were that changing the timers would mean that all FE would need to be removed from the fabric and then re-added, therefore we haven't tried to move that slider yet).
You can create the policies in ISE. In ISE, under Policy Sets, create one that matches 802.1X plus whatever protocol you're using, and then create a second policy set that matches MAB with MAB as the protocol. This way, when it fails 802.1X it'll roll over to MAB. Then create the appropriate authentication and authorization policies to ensure your devices go to the correct network.
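As an added illustration, not part of the thread and not DNAC's generated template, here is what the two orderings described above look like as an IOS-XE port configuration. Interface names, VLAN and timer values are assumptions; the "3/7" setting is interpreted here as 3 EAP-Request/Identity attempts 7 seconds apart, so roughly 21 seconds pass before MAB is even tried on a dot1x-first port.

```text
! Added example, not from the original post and not DNAC's template output.
! Legacy authentication-manager syntax, chosen for readability.
! Interface names, VLAN and timers are assumptions.

! --- Port A: 802.1X first, fall back to MAB (the "802.1X 3/7" default) ---
interface GigabitEthernet1/0/1
 description Mixed port: supplicant PCs plus the odd printer
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! 7 s between EAP-Request/Identity frames ...
 dot1x timeout tx-period 7
 ! ... 1 initial attempt + 2 retries = 3 tries (~21 s) before MAB starts
 dot1x max-reauth-req 2

! --- Port B: MAB first, for ports that will never host a supplicant ---
interface GigabitEthernet1/0/2
 description Printer / camera port, MAB first
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 ! MAB runs immediately; dot1x is still configured as the fallback ...
 authentication order mab dot1x
 ! ... and keeps higher priority, so a device that does speak 802.1X
 ! can still replace a MAB result with a dot1x result
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 2
```

Two things to check before relying on Port B: the fallback from MAB to dot1x only fires if ISE actually rejects the unknown MAC, so a MAB authentication rule set to "Continue" on user-not-found will authorize the port (via whatever authorization rule matches) before dot1x is ever attempted; and ports provisioned by DNAC use the newer IBNS 2.0 (`policy-map type control subscriber`) form, which expresses the same order and retry settings differently, so on a fabric edge make the change through the Template Editor rather than pasting the legacy commands above.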
I have brought up to the BU & my reps several times that customers should have more flexibility with the templates that get assigned to the fabric. The workaround is to use the Template Editor to tweak the out-of-the-box configs to meet your environment's needs. I totally agree with you though. What version of DNAC are you running? The bug that @ChuckMcF mentioned can be found here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj67842/?rfs=iqvred
If you are hitting this your best bet will be to upgrade unless you plan to interrupt services for customers connected to your fabric. Good luck!
Thanks all. I agree that there should be more flexibility; I would like to be able to make new authentication templates with more customisation, including, for example, what we do in critical auth. It's a shame that we have to use the Template Editor for these. For now I think that's going to be my best solution.
Thank you also for information on the bug!
Please do @mike.cifelli and I a favor and add a Make a Wish for this feature in DNAC. The more people that make a request the higher it goes on the BU priority list.
-Please mark helpful posts and solutions-