https://community.cisco.com/t5/network-access-control/dot1x-port-control-force-unauthorized/m-p/3356709#M549495 Yes you're right you can shutdown as well but it's a way to work. <BR />I shutdown ports that are unused and leave unauthorized ports that will be on production later during the staging.<BR /><BR />I say to the customer to do a config on the interface and apply auto instead of no shutdown then I'm sure he won't unshut a port that needs to be shutted down Wed, 28 Mar 2018 13:59:18 GMT Francesco Molino 2018-03-28T13:59:18Z https://community.cisco.com/t5/network-access-control/dot1x-port-control-force-unauthorized/m-p/3356316#M549476 <DIV class="lia-message-subject lia-component-message-view-widget-subject"> <DIV class="MessageSubject"> <DIV class="MessageSubjectIcons "> <DIV class="lia-message-subject"> <H5>dot1x port-control force-unauthorized</H5> </DIV> </DIV> </DIV> </DIV> <DIV id="messageBodySimpleDisplay" class="lia-message-body lia-component-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P>My understanding of the above command is the following -</P> <P><STRONG><EM>force-unauthorized—causes the port to remain in the unauthorized state, ignoring all attempts by&nbsp;</EM></STRONG><STRONG><EM>the client to authenticate. The switch cannot provide authentication services to the client through the&nbsp;</EM></STRONG><STRONG><EM>port</EM></STRONG></P> <P>&nbsp;</P> <P>In what situation/s has anyone used the above command? Does this not essentially mean "nothing can use that port?"&nbsp;&nbsp;isn't that basically means I shut the port !!</P> </DIV> </DIV> Fri, 21 Feb 2020 18:52:08 GMT https://community.cisco.com/t5/network-access-control/dot1x-port-control-force-unauthorized/m-p/3356316#M549476 HiTmAn47 2020-02-21T18:52:08Z https://community.cisco.com/t5/network-access-control/dot1x-port-control-force-unauthorized/m-p/3356324#M549481 <P>Hi</P> <P>&nbsp;</P> <P>This means that this port is not shutdown but doesn't allow anyone to connect to it, your right.</P> <P>Usually, you will use auto to put the port in unauthorized and as soon as someone is connected to and authenticated, it will switch to authorized.</P> <P>&nbsp;</P> <P>Personally, i use this command when I'm&nbsp;staging your switch and don't want anyone to initiate any authentication process.</P> <P>Let's take an example: you're deploying a new switch on a remote site and you don't want anybody to authenticate while you finish your config to not generate any logs and bring pushed into quarantine.</P> <P>&nbsp;</P> <P>Is that clear?</P> Wed, 28 Mar 2018 04:13:16 GMT https://community.cisco.com/t5/network-access-control/dot1x-port-control-force-unauthorized/m-p/3356324#M549481 Francesco Molino 2018-03-28T04:13:16Z https://community.cisco.com/t5/network-access-control/dot1x-port-control-force-unauthorized/m-p/3356339#M549486 In short this port won't be authorized and can't get DACL or VLAN vsa or<BR />any other attribute from ISE. You can replace it with an ACL and restricted<BR />ACEs or MAC security but I think you can use it if you want unified<BR />environment where everything controlled from one place<BR /> Wed, 28 Mar 2018 04:46:15 GMT https://community.cisco.com/t5/network-access-control/dot1x-port-control-force-unauthorized/m-p/3356339#M549486 Mohammed al Baqari 2018-03-28T04:46:15Z https://community.cisco.com/t5/network-access-control/dot1x-port-control-force-unauthorized/m-p/3356521#M549491 Thanks alot , it makes sense now ....so this feature blocks anyone from connecting to the port without shutting it down .....But Still in your example I would have just shutdown every port instead of going through the hassle of applying this command on each port Wed, 28 Mar 2018 10:16:37 GMT https://community.cisco.com/t5/network-access-control/dot1x-port-control-force-unauthorized/m-p/3356521#M549491 HiTmAn47 2018-03-28T10:16:37Z https://community.cisco.com/t5/network-access-control/dot1x-port-control-force-unauthorized/m-p/3356709#M549495 Yes you're right you can shutdown as well but it's a way to work. <BR />I shutdown ports that are unused and leave unauthorized ports that will be on production later during the staging.<BR /><BR />I say to the customer to do a config on the interface and apply auto instead of no shutdown then I'm sure he won't unshut a port that needs to be shutted down Wed, 28 Mar 2018 13:59:18 GMT https://community.cisco.com/t5/network-access-control/dot1x-port-control-force-unauthorized/m-p/3356709#M549495 Francesco Molino 2018-03-28T13:59:18Z