Showing results for 
Search instead for 
Did you mean: 
Cisco Employee

Port Authentication KRITIS with9n SDA

I hope you are doing fine.


We are doing a SDA deployment at our customer Nergie, which is an energy provider for the 500 000 inhabitant city of Nuremberg.


Some questions remain which we did not solve yet. It is about Port Authentication.


Customer went for multi-auth first but due to KRITIS, they need to have higher standards. The other option, to use Single Auth is not satisfying them either, because only 1 host can get authenticated.


Their wish would look like the following: Host-mode multi domain + Err disabled as Action, when 2 hosts would like to connect to the data vlan.


Is there a roadmap for this? Or would be a workaround possible, for example that I use a defaultwired1xcloseauth template within templates? Any ideas or best practices would be great and highly appreciated.


Last question: What would happen, if we now change back from multi auth to single auth within the fabric site? What is then the default action? Would there every additional connection be blocked (with or without logging?)?


Your help is highly appreciated.



Cisco Employee

Hello Koerns,

Single Host radio button on the DNAC UI represents Multi-Domain(1 Voice Device + 1 Data Device) and by default port goes into errdisable state when more than one device is detected in Voice or Data Domain..


Here is the config with Single Host Radio button selected..


C-FIAB1.demo.local> sh derived-config int g1/0/2
Building configuration...

Derived configuration : 622 bytes
interface GigabitEthernet1/0/2
switchport mode access
switchport voice vlan 2046
device-tracking attach-policy IPDT_MAX_10
ip flow monitor SSA-FNF-MON input
ip flow monitor SSA-FNF-MON output
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session closed
access-session port-control auto
dot1x pae authenticator
dot1x timeout tx-period 4
dot1x timeout supp-timeout 4
dot1x max-req 3
dot1x max-reauth-req 3
et-analytics enable
spanning-tree portfast
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

Hi, I just wanted to add the following as we changed the mode yesterday:

The default action is not err-disabled within SDA  it is restrict (Drop + Syslog) (DNAC


policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_MAB_1X
event session-started match-all
10 class always do-until-failure
10 authenticate using mab priority 20
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authentication-restart 60
10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
20 activate service-template DefaultCriticalVoice_SRV_TEMPLATE
30 authorize
40 pause reauthentication
20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
10 pause reauthentication
20 authorize
30 class MAB_FAILED do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
40 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authentication-restart 60
60 class always do-until-failure
10 terminate mab
20 terminate dot1x
30 authentication-restart 60
event aaa-available match-all
10 class IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 clear-session
20 class NOT_IN_CRITICAL_AUTH_CLOSED_MODE do-until-failure
10 resume reauthentication
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
event violation match-all
10 class always do-until-failure
  10 restrict
event authorization-failure match-all
10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
10 authentication-restart 60

.:|:..:|:.Please rate helpful posts.:|:..:|:.

Thank you for this helpful information.


Will there be the possibility to customize the Authentication Template a bit more or create my own in the future?

I was thinking of the szenario the customer wants ClosedAuth in the whole fabric site and wants to limit the Number of Hosts for Single Host as it is already possible. But on some Ports they need multi-auth. So there would be a need to have 2 ClosedAuth Templates (I actually have this case).

Or if the Customer want the default behavior while using multi-domain and wants the FEs instead just to log the violation?


Thank you

.:|:..:|:.Please rate helpful posts.:|:..:|:.

Hi Benjamin,

Nothing I am aware of. If such customization required today, Template Editor is the only option.



Mahesh N

Content for Community-Ad
This widget could not be displayed.