Wired WebAuth support in SDA fabric

lulironi
Cisco Employee

Hello,

I know that ISE and Cat 9000 switches do support multiple authentication fallback configuration, including WebAuth.

I would like to confirm if wired WebAuth based on ISE DB (e.g. wired guest access) is supported in an SDA fabric, and in detail:

1) Can you configure on a wired switch port in an SDA fabric a 3-step fallback auth method chain such as: 802.1x, then MAB, then WebAuth?

2) Is this fully supported by BU and TAC? Any caveats?

Thank you,

Luca

1 Reply

Mike.Cifelli
VIP Alumni
AFAIK you can use WebAuth. The caveat is that, as of the latest DNAC version 1.3.1.3, engineers cannot create their own authentication template under Design->Authentication Template. The issue here is that the default Cisco templates deploy IBNS service templates with pre-defined configs to your edge nodes within your fabric. The current workaround is to utilize the template editor for anything you wish to modify. I am currently running an SDA fabric where we deploy the default Closed Auth template, but then tweak items via the template editor, which in regard to your topic include:
- Modification of dot1x/mab order & priority
- Modification of the default critical auth and voice vlans
- 8021x timers
- Modification of the default webauth acl

Via ISE I have set up the default 8021x/mab authz policy to redirect users to a guest modified hotspot portal that essentially has access to VERY little and is a generic splash page with help desk number etc. This works like a charm.
