3310 Views · 0 Helpful · 6 Replies

Wired guest access ISE 2.3

walwar
Level 1

Hi,


In my lab I am trying to authenticate a non-domain-joined PC with a policy-map, but I am having a hard time achieving this. Any help would be greatly appreciated, or if you can point me in the right direction I would be very glad.


Short story of my lab:

Domain-joined PC, port-based authentication (802.1X): can access the network

MAB authentication: works fine


Policy-map configuration example:

sw01#show policy-map type control subscriber DOT1X_POLICY
DOT1X_POLICY
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
  event authentication-failure match-first
    10 class always do-until-failure
      10 terminate dot1x
      20 authentication-restart 60
  event agent-found match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
  event authentication-success match-all
    10 class always do-until-failure
      10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE

sw01#show policy-map type control subscriber MAB_POLICY
MAB_POLICY
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using mab priority 10
  event authentication-failure match-first
    10 class always do-until-failure
      10 terminate mab
      20 authentication-restart 60
  event authentication-success match-all
    10 class always do-until-failure
      10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE


Port configuration examples:

interface GigabitEthernet1/0/15
  description DOT1X
  switchport access vlan 3180
  switchport mode access
  access-session closed
  access-session port-control auto
  dot1x pae authenticator
  no cdp enable
  spanning-tree portfast
  service-policy type control subscriber DOT1X_POLICY


interface GigabitEthernet1/0/14
  description MAB
  switchport access vlan 3180
  switchport mode access
  access-session closed
  access-session port-control auto
  mab
  dot1x pae authenticator
  no cdp enable
  spanning-tree portfast
  service-policy type control subscriber MAB_POLICY


What I am trying to achieve is that if the PC is not found in the domain, it should only be able to access the internet, not the internal servers, i.e. VLAN 20, which is the surf VLAN. Can I achieve this with a policy-map? I mostly followed this guide but I am stuck now: https://communities.cisco.com/docs/DOC-64012


Thanks for stopping by and helping a fellow networker.


PS: Why am I getting these? I used to be able to do this a couple of weeks ago.


sw01(config-if)#authentication event fail action authorize vlan 20
Command deprecated (authentication event fail action authorize vlan 20) - use cpl config


sw01(config)#dot1x guest-vlan supplicant
Command deprecated ('dot1x guest-vlan supplicant') - use cpl config instead
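As an added example (not from the post and not Cisco's own tooling), here is a small Python audit that parses the pasted `show policy-map type control subscriber` output and reports whether the authentication-failure event contains any action that keeps a failed host on the network. The DOT1X_POLICY sample is the one from the post; the list of "fallback" verbs (authorize, activate service-template, authenticate using mab) is my assumption about which IBNS 2.0 actions matter for a guest/surf VLAN path.

```python
"""Audit an IBNS 2.0 control policy for a fallback path on authentication failure."""
import re
from collections import defaultdict

# Constructed sample: the DOT1X_POLICY pasted in the post (indentation is not relied on).
SAMPLE = """\
DOT1X_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class always do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
"""

EVENT_RE = re.compile(r"^\s*event\s+(\S+)\s+(match-all|match-first)")
CLASS_RE = re.compile(r"^\s*\d+\s+class\s+(\S+)")
ACTION_RE = re.compile(r"^\s*\d+\s+(.+?)\s*$")

# Assumed set of action verbs that keep a failed session on the network.
FALLBACK_VERBS = ("authorize", "activate service-template", "authenticate using mab")


def parse_policy(text):
    """Return {event_name: [[class_name, [action, ...]], ...]} for one policy-map."""
    events = defaultdict(list)
    event, cls = None, None
    for line in text.splitlines():
        if m := EVENT_RE.match(line):
            event, cls = m.group(1), None          # new event block resets the class
        elif (m := CLASS_RE.match(line)) and event:
            cls = [m.group(1), []]                 # class line must be tested before actions
            events[event].append(cls)
        elif (m := ACTION_RE.match(line)) and cls is not None:
            cls[1].append(m.group(1))
    return dict(events)


def failure_fallbacks(policy):
    """Actions under authentication-failure that would keep the host connected."""
    acts = [a for _, actions in policy.get("authentication-failure", []) for a in actions]
    return [a for a in acts if a.startswith(FALLBACK_VERBS)]
```

For the posted policy the result is an empty list: the failure branch only terminates dot1x and restarts after 60 seconds, so nothing ever moves a non-domain PC into the surf VLAN.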

6 Replies

Ben Walters
Level 3

Are you set on using policy-maps? There should be an easier way to send non-domain devices into the guest VLAN.


I would much rather have ISE doing all the policy work instead of having the switches with bloated configs for policy maps.


I would have normal 802.1x/MAB auth and add in conditions in those policies in ISE that if a user is not part of the domain/fails MAB send them to the guest VLAN. That way you can clean up the config on the switches, basically just having the required config for 802.1x/MAB and create the guest VLAN on the switch itself.


Depending on how you want to set this up the default deny policy in ISE could be changed to send anyone to the guest VLAN who is unable to authenticate too.

Honestly, these policies were created by default. I was able to use the authentication command in interface mode, but not anymore. I would rather use ISE to do everything instead of having loads of commands in my switch.


Today both dot1x and MAB work fine, but if I remove the service-policy command from the interface everything stops working, therefore I have these policy-map commands. As I said, I'd rather remove these policies from my switch and configure ISE to do this job instead. The one thing that I still can't figure out with policy-map is how to give non-domain-joined and guest PCs access to VLAN X only for surfing the web.

Any recommendation on how to achieve this? I am not so familiar with ISE, but the more I use it the more I start to understand it; unfortunately the policy set is still very tricky.


This is what I am trying to do:
1. Dot1x
2. MAB
3. Guest and non-domain-joined PCs redirected to webauth.


-W

Hi Walwar,


Non-802.1X-authenticated devices can be MAB :)

The old-style config in which the switch is using LWA or a failed VLAN or guest VLAN or whatever is kind of legacy :)


You can configure ISE so that when a MAB request for an unknown MAC is received, the device is placed into a 'guest' VLAN or is presented a web-auth portal (from ISE).


The config you're using is IBNS 2.0 (policy-map oriented), which can be deactivated so that you can use the old-style syntax (dot1x authentication, etc).


Thanks,

Octavian

Hello,


I probably should have pointed this out: my dot1X is only for wired domain-joined PCs.
MAB is used for printers, security cams, and non-domain-joined PCs, i.e. guests, which are redirected to authenticate through a webpage.

Now, after many long nights in my basement, I have kind of solved the webauth, but not 100%. The only thing that is not working in my lab is that my guest PC is not getting access to the Internet, though when I look at the port it has an assigned IP and I even see the dACL, but the PC is not connecting. When I copy the dACL from the port and use it from another PC, I get to the self-reg page and can register successfully, and only then is my guest PC able to surf the internet.

How do I deactivate this policy-map based config? It is starting to get too complex and I could lose track of everything soon hehe.

What do you think of using policy-map vs the old-style syntax?


-walwar

Hi,

IBNS 2.0 is rather new (or at least not often implemented) and is not available on every existing Catalyst platform.

Cisco's documentation states that you cannot revert to the old-style configuration mode for 802.1x if you saved the config and reloaded the device. I have my doubts about that, and I suspect the correct sentence would be that you cannot revert to the old style and keep your entire config.

I suspect that a write erase reload would allow you to revert to the old style config.


https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html


There are some advantages to using the policy-map model, like running both MAB and dot1x simultaneously on the switch (old style/auth manager cannot do it), but overall it's not as user friendly as auth manager.


Thanks,

Octavian

Hello,

Yeah, I saw that, and unfortunately I had already saved and rebooted my switch, and I won't bother troubleshooting whether write erase will revert back to the legacy style. I will continue using policy-maps, though I need to clean it up and add back the class-maps I removed, not knowing that the policies might be useful.


Do you have any experience with wired guest authentication? I am still having trouble figuring this out.

Thanks for taking the time and helping out, much appreciated!


-walwar