Aileron88
Beginner

DNAC policy templates 802.1X/Mab

Hi,

Hoping someone can clear up some confusion. I'm looking at the default policy maps that DNA pushes to NADs for 802.1X/MAB and the Open Auth, Low Impact and Closed mode templates all look almost identical bar a couple of very small differences. See below:

Open Authentication

policy-map type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
   20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
 event violation match-all
  10 class always do-until-failure
   10 restrict
 event authorization-failure match-all
  10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
   10 authentication-restart 60

Low Impact

policy-map type control subscriber PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
   20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
   25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
 event violation match-all
  10 class always do-until-failure
   10 restrict
 event authorization-failure match-all
  10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
   10 authentication-restart 60

Closed Mode

policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
   20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
   10 resume reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
 event violation match-all
  10 class always do-until-failure
   10 restrict
 event authorization-failure match-all
  10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
   10 authentication-restart 60

They also have identical interface templates. I'm only showing one but they're the same across all 3 templates:

template DefaultWiredDot1xOpenAuth
 dot1x pae authenticator
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan xxx
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

So my question is, previously we would have commands such as 'authentication open' on the port to implement monitor-mode and ignore the access-reject messages. With these default templates pushed from DNAC, it would seem that you do not get access if the port receives an access-reject even in open mode and the control is based solely on the ISE policy. Is there something I'm missing here?

Thanks

ACCEPTED SOLUTION

Greg Gibbs
Cisco Employee

The main difference between the PMAP_DefaultWiredDot1xOpenAuth_1X_MAB and PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB policy-maps is that the latter adds the DefaultCriticalAccess_SRV_TEMPLATE. This Service Template applies a permissive Critical ACL to override the restrictive Pre-Auth ACL configured on the switchport for Low Impact Mode.

The PMAP_DefaultWiredDot1xClosedAuth_1X_MAB policy-map removes the DefaultCriticalAccess_SRV_TEMPLATE and uses a different class-map (IN_CRITICAL_AUTH_CLOSED_MODE) that also includes the Critical VLAN.

With the IBNS 2.0 framework used by newer switches and DNAC, the old 'authentication open' syntax is replaced by 'access-session open' and the default mode on the interfaces is open access. Both Monitor Mode and Low Impact Mode use open access, so the templates do not require this configuration. If you look at the template DefaultWiredDot1xClosedAuth, you should see the 'access-session closed' command.


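As an added example (not from this thread and not DNA Center code), a small Python audit script that parses IBNS 2.0 policy-map text into an event/class/action structure and diffs two modes, so that the only real differences Greg describes (the DefaultCriticalAccess_SRV_TEMPLATE line and the *_CLOSED_MODE class-maps) stand out from the otherwise identical templates. The three policy-map strings in it are constructed, shortened excerpts of the ones posted above, and it assumes pasted text may have lost its indentation.

```python
import re

def parse_policy_map(text):
    """Return {event: {class: [actions]}} from IBNS 2.0 policy-map text.
    Indentation is ignored (it is usually lost when pasted); structure comes
    from the 'event' / '<seq> class' keywords, and sequence numbers are dropped
    so that renumbered but equivalent rules compare equal."""
    events, event, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("policy-map"):
            continue
        if line.startswith("event "):
            event, cls = line.split()[1], None
            events.setdefault(event, {})
        elif re.match(r"^\d+ class ", line) and event is not None:
            cls = line.split()[2]
            events[event].setdefault(cls, [])
        elif cls is not None:
            events[event][cls].append(line.split(" ", 1)[1])
    return events

def diff_policy_maps(a, b):
    """Return [(event, class, actions_in_a, actions_in_b)] for every
    event/class pair whose actions differ; None means the class is absent."""
    pa, pb = parse_policy_map(a), parse_policy_map(b)
    diffs = []
    for ev in sorted(set(pa) | set(pb)):
        for cl in sorted(set(pa.get(ev, {})) | set(pb.get(ev, {}))):
            x, y = pa.get(ev, {}).get(cl), pb.get(ev, {}).get(cl)
            if x != y:
                diffs.append((ev, cl, x, y))
    return diffs

# Constructed excerpts of the three DNA Center policy-maps: only the
# critical-auth parts, which is where the modes actually differ.
OPEN = """policy-map type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
   20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
   30 authorize
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
"""
LOW_IMPACT = OPEN.replace("   30 authorize",
    "   25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE\n   30 authorize")
CLOSED = OPEN.replace("IN_CRITICAL_AUTH", "IN_CRITICAL_AUTH_CLOSED_MODE")
```

Running diff_policy_maps(OPEN, LOW_IMPACT) reports one differing class (AAA_SVR_DOWN_UNAUTHD_HOST gains the Critical Access service template), and diff_policy_maps(OPEN, CLOSED) reports the renamed IN_CRITICAL_AUTH class-map; everything else compares equal.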
5 REPLIES
Thanks Greg.

The issue I have is that the 3 service templates all show 'access-session port-control auto'. Should this be the case?

template DefaultWiredDot1xClosedAuth
 dot1x pae authenticator
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan xxx
 mab
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
!
template DefaultWiredDot1xLowImpactAuth
 dot1x pae authenticator
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan xxx
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB
!
template DefaultWiredDot1xOpenAuth
 dot1x pae authenticator
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan xxx
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

Yes. That command enables port-based authentication, so it applies to all three deployment modes.

See this chapter on Enabling IEEE 802.1X Authentication and Authorization for more info.

I'm using open auth and dot1x/MAB mode. My clients fail since there is no "switchport access vlan" in my template configured by DNAC. How come you have that in yours and how do I add it? DHCP doesn't work while dot1x is running and my devices fail since they have to be profiled in ISE based on DHCP information.

template DefaultWiredDot1xOpenAuth
 dot1x pae authenticator
 dot1x timeout supp-timeout 7
 dot1x max-req 3
 switchport mode access
 switchport voice vlan 2046
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

Please assign VLAN from ISE. The newer DNA Center releases are behaving as you described. IIRC the older ones have the critical data VLAN in these templates.