DNAC policy templates 802.1X/Mab

Aileron88 (Level 1)

Hi,
Hoping someone can clear up some confusion. I'm looking at the default policy maps that DNA pushes to NADs for 802.1X/MAB and the Open Auth, Low Impact and Closed mode templates all look almost identical bar a couple of very small differences. See below:

 

Open Authentication

policy-map type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
   20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
 event violation match-all
  10 class always do-until-failure
   10 restrict
 event authorization-failure match-all
  10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
   10 authentication-restart 60

Low Impact

policy-map type control subscriber PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
   20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
   25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
 event violation match-all
  10 class always do-until-failure
   10 restrict
 event authorization-failure match-all
  10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
   10 authentication-restart 60

Closed Mode

policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
   20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
   10 resume reauthentication
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
 event violation match-all
  10 class always do-until-failure
   10 restrict
 event authorization-failure match-all
  10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
   10 authentication-restart 60

They also have identical interface templates. I'm only showing one but they're the same across all 3 templates:

 

template DefaultWiredDot1xOpenAuth
 dot1x pae authenticator
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan xxx
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

So my question is, previously we would have commands such as 'authentication open' on the port to implement monitor-mode and ignore the access-reject messages. With these default templates pushed from DNAC, it would seem that you do not get access if the port receives an access-reject even in open mode and the control is based solely on the ISE policy. Is there something I'm missing here?

Thanks

Accepted Solution

Greg Gibbs (Cisco Employee)

The main difference between the PMAP_DefaultWiredDot1xOpenAuth_1X_MAB and PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB policy-maps is that the latter adds the DefaultCriticalAccess_SRV_TEMPLATE. This Service Template applies a permissive Critical ACL to override the restrictive Pre-Auth ACL configured on the switchport for Low Impact Mode.

The PMAP_DefaultWiredDot1xClosedAuth_1X_MAB policy-map removes the DefaultCriticalAccess_SRV_TEMPLATE and uses a different class-map (IN_CRITICAL_AUTH_CLOSED_MODE) that also includes the Critical VLAN.

With the IBNS 2.0 framework used by newer switches and DNAC, the old 'authentication open' syntax is replaced by 'access-session open' and the default mode on the interfaces is open access. Both Monitor Mode and Low Impact Mode use open access, so the templates do not require this configuration. If you look at the template DefaultWiredDot1xClosedAuth, you should see the 'access-session closed' command.
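The differences Greg lists are a handful of lines buried in three near-identical policy-maps, so here is an added Python example (not from this thread, DNA Center or Cisco) that parses the flat policy-map text into (event, class-map) -> actions and diffs two maps. The embedded OPEN string is a constructed two-event excerpt of the thread's Open Auth map, and the LOW_IMPACT and CLOSED variants are derived from it; the function names parse_policy_map and diff_policy_maps are my own.

```python
"""Added example (not from the thread): parse IBNS 2.0 control policy-maps into
(event, class-map) -> [actions] and diff them, so the few lines that separate the
DNA Center Open, Low Impact and Closed templates stand out."""
import re

EVENT_RE = re.compile(r"^event (\S+) match-\w+$")
CLASS_RE = re.compile(r"^\d+ class (\S+) \S+$")
ACTION_RE = re.compile(r"^\d+ (.+)$")

def parse_policy_map(text):
    """Map (event, class-map) -> list of actions, in sequence order."""
    rules, event, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()  # forum/DNAC output often loses IOS indentation
        if not line or line.startswith("policy-map"):
            continue
        if m := EVENT_RE.match(line):
            event, cls = m.group(1), None            # new event block
        elif m := CLASS_RE.match(line):
            cls = m.group(1)                         # class-map under this event
            rules.setdefault((event, cls), [])
        elif (m := ACTION_RE.match(line)) and cls:
            rules[(event, cls)].append(m.group(1))   # action under the class-map
    return rules

def diff_policy_maps(a, b):
    """Actions present in only one map, as (event, class, '-'|'+', action)."""
    out = []
    for ev, cls in sorted(set(a) | set(b)):
        left, right = a.get((ev, cls), []), b.get((ev, cls), [])
        out += [(ev, cls, "-", x) for x in left if x not in right]
        out += [(ev, cls, "+", x) for x in right if x not in left]
    return out

# Constructed excerpt of the thread's Open Auth map (two events only).
OPEN = """policy-map type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB
event authentication-failure match-first
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
30 authorize
event aaa-available match-all
10 class IN_CRITICAL_AUTH do-until-failure
10 clear-session
"""
# Low Impact adds the critical-access template; Closed renames the class-map.
LOW_IMPACT = OPEN.replace("30 authorize\n",
    "25 activate service-template DefaultCriticalAccess_SRV_TEMPLATE\n30 authorize\n")
CLOSED = OPEN.replace("IN_CRITICAL_AUTH ", "IN_CRITICAL_AUTH_CLOSED_MODE ")
```

Running diff_policy_maps(parse_policy_map(OPEN), parse_policy_map(LOW_IMPACT)) reports only the added DefaultCriticalAccess_SRV_TEMPLATE line, and the Closed comparison reports the class-map rename under aaa-available.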


9 Replies


Thanks Greg.

The issue I have is that the 3 service templates all show 'access-session port-control auto'. Should this be the case?

template DefaultWiredDot1xClosedAuth
 dot1x pae authenticator
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan xxx
 mab
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
!
template DefaultWiredDot1xLowImpactAuth
 dot1x pae authenticator
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan xxx
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB
!
template DefaultWiredDot1xOpenAuth
 dot1x pae authenticator
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan xxx
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

Yes. That command enables port-based authentication, so it applies to all three deployment modes.

See this chapter on Enabling IEEE 802.1X Authentication and Authorization for more info.

I'm using open auth and dot1x/MAB mode. My clients fail since there is no "switchport access vlan" in my template configured by DNAC. How come you have that in yours, and how do I add it? DHCP doesn't work while dot1x is running and my devices fail since they have to be profiled in ISE based on DHCP information.


template DefaultWiredDot1xOpenAuth
 dot1x pae authenticator
 dot1x timeout supp-timeout 7
 dot1x max-req 3
 switchport mode access
 switchport voice vlan 2046
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

Please assign VLAN from ISE. The newer DNA Center releases are behaving as you described. IIRC the older ones have the critical data VLAN in these templates.

Hello everyone,

We have just started our deployment of DNA Center. However, I don't see any templates having to do with 802.1x out of the box. Where can I find them? This newer 802.1x IBNS 2.0 command syntax is giving me a hard time creating a template manually.

If you're doing SDA (SD Access) in DNAC, you won't see the template in DNAC GUI. DNAC just pushes the commands down to the Edge device when you provision the device. If you are not doing SDA, then I guess you'd need to feed each command through DNAC templates. I don't see the benefit in that - DNAC went backwards in my opinion (versus what Prime was able to do more intelligently) - I am not saying that Prime can do a better job - just saying that pushing "conf t" commands to a device can be done with free tools as well (or copy and paste from an Excel template generator). Template-based config is not the future. SDA finally improves the situation by avoiding the need for having to care about hundreds of commands. 

The only place where I have seen any form of Machine-Generated templates is in a Cisco VIRL/CML IOS Layer2 image where the Auto Identity feature seems to exist. Another great feature but shrouded in mystery. AI (Auto Identity) had templates baked into the IOS that you could call up. Have a look at this old posting.

Thank you, Arne

This is a bit frustrating from my point of view. Not everyone is going to go in the direction of SDA. And now that DNAC only supports IBNS 2.0 commands, it's making our deployment of 802.1x much more difficult than it needs to be. Cisco should provide a way to implement 802.1x from a simple configuration via DNAC. The whole premise of DNAC is to make things simple, yet this is far from the case as it relates to deploying 802.1x.

100% true. DNAC made life difficult with the IBNS way of dot1x configuration for non-SDA environments.