SDA Wired Web Auth MAB

Heriberto Diaz
Level 1

Hi,

Does anybody know of, or have a guide on, how to configure Wired Web Authentication (SDA with ISE)? I can't find how to do this on SDA.

I checked the templates (Close Auth, Auth) but both are with 802.1X.

Thanks and regards.

Accepted Solutions

Mike.Cifelli
VIP Alumni
Do you have access to the run config on one of your edge nodes in your fabric? After assigning the closed auth template, DNAC will provision your edge nodes using IBNS service templates. Closed auth provisions order & priority dot1x and then mab, meaning dot1x goes first and is set to higher priority. However, should this fail, it will fall back to mab. There is another template you could use that is lighter on restrictions, known as Easy Connect. In DNAC, if you go to Design->Authentication you can tweak some of the options in the Cisco default templates that you assign to your fabric. For example, if you want to use closed authentication but want the order to be mab first, you can set it to use mab order first via the GUI. Or, if you really want to tweak configs, you can leverage the template editor to modify the service template deployed from DNAC. I personally have used the template editor to modify things such as dot1x timers, critical auth vlan, and the default voice vlan.

As far as using web auth, this should be straightforward. If your edges are configured to support mab, just ensure that your authz profiles in ISE are configured to use whichever portal you set up. Something to note is the default webauth_acl that gets deployed from DNAC. I would double check that. Again, note that you can modify this via template editor. HTH!
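
An offline check of an edge node's saved running config for the two things the answer above says to look at, the dot1x/mab order and priority and the presence of the redirect ACL that the ISE authorization profile names. This is an added example, not part of the original post and not DNAC's own output. The policy-map name, ACL name and config text are constructed samples in IBNS 2.0 syntax; substitute the names from your own fabric.

```python
import re

# Constructed sample in IBNS 2.0 syntax; names are placeholders, not DNAC output.
SAMPLE = """\
policy-map type control subscriber PMAP_EXAMPLE_CLOSED
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
!
ip access-list extended ACL_EXAMPLE_REDIRECT
 10 deny udp any any eq domain
 20 permit tcp any any eq www
!
"""

def auth_methods(config, pmap):
    """Return [(method, priority, event)] for one control policy, best priority first."""
    found, in_pmap, event = [], False, None
    for line in config.splitlines():
        if line.startswith("policy-map type control subscriber "):
            in_pmap = line.split()[-1] == pmap
            continue
        if not line.startswith(" "):      # any top-level line ends the policy-map
            in_pmap = False
        if not in_pmap:
            continue
        m = re.match(r"\s*event (\S+)", line)
        if m:
            event = m.group(1)
            continue
        m = re.search(r"authenticate using (\S+)(?:.*?\bpriority (\d+))?", line)
        if m:
            found.append((m.group(1), int(m.group(2)) if m.group(2) else None, event))
    # A lower priority number wins; methods with no explicit priority sort last.
    return sorted(found, key=lambda f: (f[1] is None, f[1] or 0))

def acl_defined(config, name):
    """True if the config defines an extended ACL with exactly this name."""
    return any(l.split() == ["ip", "access-list", "extended", name]
               for l in config.splitlines())

def audit(config, pmap, expected_order, redirect_acl):
    """Return findings; an empty list means the config matches expectations."""
    findings = []
    order = [m for m, _, _ in auth_methods(config, pmap)]
    if order != expected_order:
        findings.append(f"method order is {order}, expected {expected_order}")
    if not acl_defined(config, redirect_acl):
        findings.append(f"redirect ACL {redirect_acl!r} is not defined on the switch")
    return findings
```

Calling `audit(SAMPLE, "PMAP_EXAMPLE_CLOSED", ["dot1x", "mab"], "ACL_EXAMPLE_REDIRECT")` returns an empty list; the ACL name passed in must match, character for character, the one the ISE authorization profile sends.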

Mike, Thank you for this useful reply to Heriberto!
I hope you and your loved ones are safe and healthy.
Monica Lluis
Community Manager Lead