https://community.cisco.com/t5/network-access-control/802-1x-monitor-mode-still-enforcing/m-p/4609847#M574773 <P><SPAN>authentication <STRONG>OPEN &lt;- this&nbsp;command&nbsp;missing&nbsp;</STRONG></SPAN></P> Fri, 13 May 2022 14:06:50 GMT MHM Cisco World 2022-05-13T14:06:50Z https://community.cisco.com/t5/network-access-control/802-1x-monitor-mode-still-enforcing/m-p/4609838#M574771 <P>Working on rolling out 802.1x and want to initially configure monitor mode to troubleshoot before changing to low impact or closed mode. &nbsp;Before adding the interface configuration my test interface allowed connectivity. Now that monitor mode configuration was added, the workstation cannot get connected. I was expecting them to be able to get connected even if the ISE logs showed that it failed. Is that not the expected behavior of monitor mode? &nbsp;Below is the interface config:</P> <P>&nbsp;</P> <P>interface GigabitEthernet1/0/40</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>description ISE-TestPort-MonitorMode</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>switchport access vlan 13</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>switchport mode access</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>switchport voice vlan 166</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>ip device tracking maximum 65535</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>srr-queue bandwidth share 1 30 35 5</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>priority-queue out</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>mls qos trust dscp</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>dot1x timeout tx-period 7</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>dot1x max-reauth-req 3</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>auto qos trust dscp</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>source template Port-Dot1x-Default</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>spanning-tree portfast edge</P> <P>end</P> <P>&nbsp;</P> <P>Derived configuration : 675 bytes</P> <P>!</P> <P>interface GigabitEthernet1/0/40</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>description ISE-TestPort-MonitorMode</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>subscriber aging probe</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>switchport access vlan 13</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>switchport mode access</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>switchport nonegotiate</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>switchport voice vlan 166</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>ip device tracking maximum 65535</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>srr-queue bandwidth share 1 30 35 5</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>priority-queue out</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>authentication periodic</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>authentication timer reauthenticate server</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>access-session host-mode multi-domain</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>access-session port-control auto</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>mab</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>mls qos trust dscp</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>dot1x pae authenticator</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>dot1x timeout tx-period 7</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>dot1x max-reauth-req 3</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>auto qos trust dscp</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>spanning-tree portfast edge</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>service-policy type control subscriber Dot1x-Default</P> <P><SPAN class="Apple-converted-space">&nbsp;</SPAN>ip dhcp snooping limit rate 100</P> <P>end</P> Fri, 13 May 2022 13:53:06 GMT https://community.cisco.com/t5/network-access-control/802-1x-monitor-mode-still-enforcing/m-p/4609838#M574771 jasond 2022-05-13T13:53:06Z https://community.cisco.com/t5/network-access-control/802-1x-monitor-mode-still-enforcing/m-p/4609847#M574773 <P><SPAN>authentication <STRONG>OPEN &lt;- this&nbsp;command&nbsp;missing&nbsp;</STRONG></SPAN></P> Fri, 13 May 2022 14:06:50 GMT https://community.cisco.com/t5/network-access-control/802-1x-monitor-mode-still-enforcing/m-p/4609847#M574773 MHM Cisco World 2022-05-13T14:06:50Z https://community.cisco.com/t5/network-access-control/802-1x-monitor-mode-still-enforcing/m-p/4609848#M574774 <P><A href="https://www.lookingpoint.com/blog/cisco-ise-wired-802.1x-deployment-monitormode" target="_blank">https://www.lookingpoint.com/blog/cisco-ise-wired-802.1x-deployment-monitormode</A></P><P>&nbsp;</P> Fri, 13 May 2022 14:07:11 GMT https://community.cisco.com/t5/network-access-control/802-1x-monitor-mode-still-enforcing/m-p/4609848#M574774 MHM Cisco World 2022-05-13T14:07:11Z https://community.cisco.com/t5/network-access-control/802-1x-monitor-mode-still-enforcing/m-p/4610488#M574801 <P>The switchport configuration is not enough information to provide any meaningful assistance. Depending on your switch version, 'open auth' could be the default. We would need more information on your versions, policy map configuration, live logs, switchport session status details, etc.</P> <P>Please see <A href="https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356" target="_blank" rel="noopener">How to Ask the Community for Help</A>.</P> <P>I would suggest checking your configuration and policies against the <A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_blank" rel="noopener">ISE Secure Wired Access Prescriptive Deployment Guide</A></P> Sun, 15 May 2022 22:24:10 GMT https://community.cisco.com/t5/network-access-control/802-1x-monitor-mode-still-enforcing/m-p/4610488#M574801 Greg Gibbs 2022-05-15T22:24:10Z