Networking

SD-Access Host Onboarding: From Port to Policy

SD-Access host onboarding - an 802.1X access session returning a security group tag on IOS XE
In: Networking, CCIE, 802.1X

An endpoint plugs into a port. Somehow, seconds later, it is in the right virtual network, carrying the right security group tag, with the right policy following it wherever it goes in the fabric. That "somehow" is host onboarding, and it is where SD-Access stops being an architecture diagram and starts being something a user experiences.

This article walks the journey from physical port to enforced policy. It is a concept-and-components piece - the orchestration needs Cisco Catalyst Center - but the underlying mechanisms (802.1X, SGT assignment, LISP registration) are real technology PingLabz has captured standalone. For the wider context, see the network virtualization pillar.

The journey, step by step

1
Connect. A device plugs into an edge node port. The port is a fabric access port, not an ordinary switchport - it is waiting to authenticate whatever connects.
2
Authenticate. The edge node challenges the device via 802.1X (or MAB for devices that cannot do 802.1X). The credentials go to ISE, the identity service.
3
Authorize. ISE decides who the device is and returns a policy: which virtual network it belongs to, and which SGT it carries. This is the moment identity becomes network placement.
4
Assign. The edge node places the endpoint into the assigned virtual network (a fabric VLAN mapped to a VNI) and stamps it with the SGT ISE returned.
5
Register. The edge node registers the endpoint's address with the LISP control plane node: "this EID is behind me." Now the fabric can find it.
6
Forward. The endpoint gets its gateway (the anycast gateway on the edge node), and traffic flows - VXLAN-encapsulated, SGT-tagged, policy-enforced.

What makes this powerful: the same user gets the same policy on any port, in any building, because the policy is tied to identity, not to a switchport or a VLAN. Move to a different desk, plug into a different edge node, and you land in the same virtual network with the same SGT. That is the whole promise of SD-Access, delivered at onboarding time.

The anycast gateway: why the endpoint never notices moving

Every edge node in the fabric presents the same gateway IP and MAC for a given virtual network. This is the anycast gateway, and it is quietly one of the most important pieces of the design.

Because every edge node answers to the same default gateway, an endpoint that moves from one edge node to another does not need to re-ARP, does not notice a gateway change, and does not drop its sessions. Its gateway is "here" no matter which edge node "here" is. Combined with LISP re-registration (the new edge node tells the control plane "this endpoint is now behind me"), roaming becomes seamless - the fabric updates its map, the endpoint stays blissfully unaware.

802.1X: the real, labbable part

The authentication step is standard 802.1X, and it is entirely real technology that PingLabz has configured and captured on IOS XE (the whole 802.1X cluster is built on real captures). The edge node's port config for fabric onboarding is 802.1X with a few fabric-specific additions:

interface GigabitEthernet1/0/10
 description FABRIC-EDGE-PORT
 switchport mode access
 access-session port-control auto
 access-session host-mode multi-auth
 dot1x pae authenticator
 mab
 service-policy type control subscriber FABRIC-POLICY

And the verification is the same 802.1X you would run on any Catalyst:

Edge# show access-session interface Gi1/0/10 details
Interface:  GigabitEthernet1/0/10
MAC Address: 0011.2233.4455
IPv4 Address: 10.1.10.50
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Authorized By: Authentication Server
SGT: 0010-0 (Employees)

That SGT: 0010 line is the key moment - the authorization returned a security group tag, and now every packet from this endpoint carries it. From here, policy follows the endpoint everywhere in the fabric.

Closed, low-impact, and open modes

How aggressively you enforce authentication is a deployment choice, and it maps to three modes you will hear about:

Closed mode
No access at all until authentication succeeds. The most secure, the most disruptive to deploy. A device that cannot authenticate gets nothing.
Low-impact mode
A pre-auth ACL allows limited access (DHCP, DNS, PXE) before authentication completes, then full policy applies after. The usual production choice.
Open / monitor mode
Authenticate and log, but do not enforce. For rolling out 802.1X without breaking anything while you find the devices that cannot authenticate. Deploy here first.

The standard rollout path is open → low-impact → closed. Start in monitor mode to discover every device that will fail authentication (there are always more than you think - printers, badge readers, old IoT), fix or profile them, then tighten. Going straight to closed mode is how you take down a floor of users on day one.

What needs the controller, and what does not

  • Needs Catalyst Center + ISE: defining the authentication policy, mapping identities to virtual networks and SGTs, provisioning the fabric edge ports as onboarding ports, the overall orchestration.
  • Real and standalone: 802.1X and MAB (fully captured in the 802.1X cluster), SGT assignment via RADIUS, LISP registration of the endpoint (the map-cache and database, captured standalone). Every mechanism the onboarding flow uses is real technology.

The orchestration - the "plug in and it just works" experience - is what Catalyst Center and ISE provide. The individual mechanisms are all things you can build and verify by hand, and PingLabz has. We describe the orchestrated flow honestly as architecture, and point to the real captures for the pieces.

Key takeaways

  • Host onboarding is a six-step journey: connect → authenticate (802.1X/MAB) → authorize (ISE returns VN + SGT) → assign (into the virtual network, tagged) → register (with the LISP control plane) → forward (VXLAN, SGT, policy).
  • The policy follows identity, not the port. The same user gets the same virtual network and SGT on any port in any building.
  • The anycast gateway - the same gateway IP/MAC on every edge node - is why an endpoint can roam without noticing or dropping sessions.
  • The authentication step is standard 802.1X, fully real and labbable. The SGT: field in show access-session details is where identity becomes policy.
  • Deploy authentication in stages: open (monitor) → low-impact → closed. Going straight to closed takes down the users who cannot authenticate.
  • Orchestration needs Catalyst Center + ISE; the mechanisms (802.1X, SGT, LISP registration) are real and standalone-verifiable. We describe the flow honestly and point to the real captures.

Next: SD-Access border handoff - IP transit, SDA transit, and L2 handoff. The full cluster index lives on the network virtualization pillar, cross-linked to 802.1X.

Written by
More from Ping Labz
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.