topic Authentication open in Network Access Control

Authentication open

jan.murin — Tue, 05 Jan 2021 16:46:17 GMT

Hi everyone,

I have a question about the authentication open command.

Until today I thought that the command allows any traffic (if no preauth ACL is used) until the authentication and authorization is finished.

So if the result is access-reject the endpoint should be able to communicate just a short while until the reject is received.

Recently I have noticed that even if authentication fails or authorization returns access-reject, the endpoint still has access to the network.

So I would like to confirm the exact behavior of the command.

Thanks a lot

Re: Authentication open

Damien Miller — Tue, 05 Jan 2021 18:41:33 GMT

The expected behavior of authentication open, the default state, is to allow all communication prior to authentication or on failure. This is unless you send a DACL or use a pre-auth ACL.

You could send a deny ip DACL + access accept with the default deny rule.

Re: Authentication open

yalbikaw — Tue, 05 Jan 2021 18:43:57 GMT

this command purpose is to use it in pre-deployment of dot1x or in piloting phase , it will pass eap traffic along with other traffic, if the result from AAA server is permit access or reject the port still pass the traffic, you use this command when you dont want to cause any interruption for the users until you confirm dot1x and authentication works fine, then you should make authentication close after that and relay only on AAA server to give the permission

Re: Authentication open

MHM Cisco World — Tue, 05 Jan 2021 23:09:33 GMT

As I know,
all user connect to port are effect by pre-auth ACL
and if the user auth then the DACL or filter-id is use with pre-auth ACL, simply it put on top of pre-auth ACL.

Re: Authentication open

jan.murin — Thu, 07 Jan 2021 07:01:20 GMT

Thanks a lot for all answers