
MAB with DNAC

Aileron88
Level 1

Hi,

I'm looking for advice on the best way to deploy MAB for non-802.1X-capable devices using DNAC. As we only get the 3 pre-defined authentication templates, each with a specific purpose but favouring 802.1X, how have you deployed MAB to ports that are never going to host 802.1X-compliant devices but that you want to use MAB for?

Thanks

8 Replies

Preston Chilcote
Cisco Employee

You can tweak the Closed Authentication to put MAB first. See attached image

Thank you. I've looked at this as an option; it would be nice if we had an option to build more authentication templates here too.

I do run into an issue when trying to change the Authentication Template to MAB, please see attached.

Thanks

The DNAC settings just set up the NAD ports in your network. The default is 802.1x 3/7, meaning it'll try 802.1x first, waiting 7 seconds for each of 3 tries. If it fails, it will then try MAB. You can change that to try MAB first and then 802.1x, and you can also tweak the timers (NOTE: unsure what changing the timers will do to the network - previous cautions from Cisco were that changing the timers would mean that all FE would need to be removed from the fabric and then re-added, therefore we haven't tried to move that slider yet).

You can create the policies in ISE. In ISE, under Policy Sets, create one that matches 802.1x plus whatever protocol you're using, and then create a second policy set that matches MAB with MAB as the protocol. This way, when it fails 802.1x, it'll roll over to MAB. Then create the appropriate authentication and authorization policies to ensure your devices go to the correct network.

HTH,

Chuck McFadden

I have brought up to the BU & my reps several times that customers should have more flexibility with the templates that get assigned to the fabric. The workaround is to use the template editor to tweak the out-of-box configs to meet your environment's needs. I totally agree with you though. What version of DNAC are you running? The bug that @ChuckMcF mentioned can be found here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj67842/?rfs=iqvred

If you are hitting this, your best bet will be to upgrade unless you plan to interrupt services for customers connected to your fabric. Good luck!

Thanks all. I agree that there should be more flexibility. I would like to be able to make new authentication templates with more customisation, including, for example, what we do in critical auth. It's a shame that we have to use the template editor for these. For now I think that's going to be my best solution.

Thank you also for the information on the bug!

Please do @mike.cifelli and me a favor and add a Make a Wish for this feature in DNAC. The more people that make a request, the higher it goes on the BU priority list.

TIA,

Chuck McFadden

-Please mark helpful posts and solutions-

Hi @Mike.Cifelli,

Did Cisco change the template flexibility?

I have a similar issue: part of my campus (one site) is 802.1X then try MAB, and part of my campus is MAB only.

It would be helpful if there were flexibility in the configuration.

The second issue regarding this is that when implementing a template in the template editor with MAB, and after that assigning configuration from the "port assignment", the "port assignment" config overwrites the MAB config if it's the first time the ports' configuration is deployed.

"Did Cisco change the template flexibility?"

Not yet, please raise it with your sales team. In the meantime you'll need to use a combined 802.1X + MAB authentication template.

Best regards,
Jerome