Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
992
Views
5
Helpful
4
Replies

Port Authentication KRITIS with9n SDA

Koerns
Cisco Employee
Cisco Employee

‎08-27-2020 07:34 AM

I hope you are doing fine.

 

We are doing a SDA deployment at our customer Nergie, which is an energy provider for the 500 000 inhabitant city of Nuremberg.

 

Some questions remain which we did not solve yet. It is about Port Authentication.

 

Customer went for multi-auth first but due to KRITIS, they need to have higher standards. The other option, to use Single Auth is not satisfying them either, because only 1 host can get authenticated.

 

Their wish would look like the following: Host-mode multi domain + Err disabled as Action, when 2 hosts would like to connect to the data vlan.

 

Is there a roadmap for this? Or would be a workaround possible, for example that I use a defaultwired1xcloseauth template within templates? Any ideas or best practices would be great and highly appreciated.

 

Last question: What would happen, if we now change back from multi auth to single auth within the fabric site? What is then the default action? Would there every additional connection be blocked (with or without logging?)?

 

Your help is highly appreciated.

 

 

Labels:
0 Helpful
4 Replies 4

mnagired
Cisco Employee
Cisco Employee

‎08-27-2020 10:18 AM

Hello Koerns,

Single Host radio button on the DNAC UI represents Multi-Domain(1 Voice Device + 1 Data Device) and by default port goes into errdisable state when more than one device is detected in Voice or Data Domain..

 

Here is the config with Single Host Radio button selected..

 

C-FIAB1.demo.local> sh derived-config int g1/0/2
Building configuration...

Derived configuration : 622 bytes
!
interface GigabitEthernet1/0/2
switchport mode access
switchport voice vlan 2046
device-tracking attach-policy IPDT_MAX_10
ip flow monitor SSA-FNF-MON input
ip flow monitor SSA-FNF-MON output
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 4
dot1x timeout supp-timeout 4
dot1x max-req 3
dot1x max-reauth-req 3
et-analytics enable
spanning-tree portfast
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
end

Benjamin-A
Level 1
Level 1
In response to mnagired

‎10-27-2020 06:29 AM

Hi, I just wanted to add the following as we changed the mode yesterday:

The default action is not err-disabled within SDA  it is restrict (Drop + Syslog) (DNAC 1.3.3.8):

 

policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_MAB_1X
event session-started match-all
10 class always do-until-failure
10 authenticate using mab priority 20
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authentication-restart 60
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class MAB_FAILED do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
40 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authentication-restart 60
60 class always do-until-failure
10 terminate mab
20 terminate dot1x
30 authentication-restart 60
event aaa-available match-all
10 class IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 resume reauthentication
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
event violation match-all
10 class always do-until-failure
  10 restrict
event authorization-failure match-all
10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
10 authentication-restart 60


.:|:..:|:.Please rate helpful posts.:|:..:|:.
0 Helpful

Benjamin-A
Level 1
Level 1

‎08-27-2020 01:04 PM

Thank you for this helpful information.

 

Will there be the possibility to customize the Authentication Template a bit more or create my own in the future?

I was thinking of the szenario the customer wants ClosedAuth in the whole fabric site and wants to limit the Number of Hosts for Single Host as it is already possible. But on some Ports they need multi-auth. So there would be a need to have 2 ClosedAuth Templates (I actually have this case).

Or if the Customer want the default behavior while using multi-domain and wants the FEs instead just to log the violation?

 

Thank you


.:|:..:|:.Please rate helpful posts.:|:..:|:.
0 Helpful

mnagired
Cisco Employee
Cisco Employee
In response to Benjamin-A

‎08-27-2020 02:12 PM

Hi Benjamin,

Nothing I am aware of. If such customization required today, Template Editor is the only option.

 

Regards

Mahesh N

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents