topic Re: How to check port is currently running open or closed 802.1x mode in Network Access Control

How to check port is currently running open or closed 802.1x mode

getaway51 — Wed, 30 Oct 2019 05:28:25 GMT

Hi,

How to check port is currently running open or closed 802.1x mode?

sh authentication brief or session doesnt tell tht

Re: How to check port is currently running open or closed 802.1x mode

Arne Bier — Wed, 30 Oct 2019 10:30:46 GMT

I don't have a open mode example handy.

Do you have access to the show run output? Under the interface you might find this to indicate closed mode - if this statement is not present then you're in open mode:

access-session closed

Re: How to check port is currently running open or closed 802.1x mode

getaway51 — Wed, 30 Oct 2019 11:41:19 GMT

Hi,

The statement is nt present as i cfg no access session closed.
I just wonder if i can view it in operation using show cmd.

Re: How to check port is currently running open or closed 802.1x mode

Arne Bier — Wed, 30 Oct 2019 12:18:45 GMT

I just had a look at a closed mode example from a live switch and it looks no different to the output of a open mode from Hari's Prescriptive Guide.

Open mode is just faking the end result of what would happen in closed mode - the RADIUS transactions are all the same, but the switch chooses to ignore the RADIUS Access-Reject.

Having said that, it might be possible to see this from the show commands - perhaps Mr @hariholla himself can provide some guidance?

Re: How to check port is currently running open or closed 802.1x mode

JohnNewman7082 — Wed, 30 Oct 2019 14:39:53 GMT

"Open mode is just faking the end result of what would happen in closed mode - the RADIUS transactions are all the same, but the switch chooses to ignore the RADIUS Access-Reject."

Not exactly true

The only real way to see open mode vs closed mode is to look at the running configuration.

Show run int <type><port>

If you see "authentication open" or the absence of "access-session closed" in IBNS2, you are either in OPEN mode or Low Impact mode.

The command "authentication open" or "no access-session closed" simply allows traffic to flow before authentication will occur.

If you send an access-reject or an access-accept, the port still has access. < Open Mode / Monitor Mode

If you send a vlan change or a dACL, these will still apply and can restrict or break access. This is what is called low impact mode.

If you remove the command "authentication open" or you apply "Access-session closed", you are entering closed mode. This actually just applies a default ACL(that is pre-installed on the switch) to the port that blocks most traffic.

If you send an access-accept, this opens the port for traffic. If you send a reject, that default ACL stays applied.

If you send a dacl or a vlan change (with an access-accept), you pre-pend the default ACL and get access from the dACL.

For ACTUAL monitor mode, you need to apply monitor rules on ISE.

In summary:

authentication open - Open / Monitor Mode

authentication open with dACL - low impact mode

no authentication open - closed mode

Re: How to check port is currently running open or closed 802.1x mode

getaway51 — Sun, 03 Nov 2019 08:19:24 GMT

Hi,

I noticed some endpoints where i didnt customize them under an identity grp-for eg. Avaya-VoIP will tends to fail authorization since it went into default Cisco ISE identity grp-"Profiled".

But since the switch ports is in "monitor mode", i noticed i still can ping the IP of the failed (in ISE) endpoint.Why?

Does it means tht if i change to "access session closed", i will not able to ping tht failed authorization device?

Does it also means tht during monitor mode, switch will ignore failed messages frm BOTH authentication & authorization process?

Re: How to check port is currently running open or closed 802.1x mode

JohnNewman7082 — Mon, 04 Nov 2019 14:24:49 GMT

Hi getaway51,

When you have monitor mode configured, an access-reject simply fails the authentication, but there is no enforcement at that point.

Removing "authentication open" or adding "access session closed" adds a default ACL to the port that actually stops traffic.

The issue with this, if your device needs to get an IP before authentication typically finishes, it will fail all together.

It is an environment specific change.

Re: How to check port is currently running open or closed 802.1x mode

getaway51 — Mon, 04 Nov 2019 14:47:48 GMT

Hi,

Does it means tht during monitor mode, even when authorization fails, there will be no blocking?

However if switch insert "access sessions closed", there will be blocking if authorization fails.

Am i correct to for both scenarios above?

Re: How to check port is currently running open or closed 802.1x mode

JohnNewman7082 — Mon, 04 Nov 2019 14:59:59 GMT

Yes.

Monitor mode is simply that. Youre monitoring, not blocking.

Closed mode is youre blocking everything, unless you give access.