topic Re: show ports that do not make use of authentication in Network Access Control

show ports that do not make use of authentication

yayaa — Wed, 23 Dec 2020 09:59:47 GMT

Hello all,

Is there a way to find out which ports are using dynamic vlan assigment (aaa authentication) and which ones not ? I am working on a migration where we swap 50-60 2960 switches to new 9300's , but the current configuration is not organized and a real mess. I want to bring structure in the new switches. If I can see which switchports are making use of AAA authentication and which ports are manual configured for specific servers or access points for example, I can easily detect these and put them on the new switch in an organized way. Looking forward to your feedback, thank you!

Looking forw

Re: show ports that do not make use of authentication

balaji.bandi — Wed, 23 Dec 2020 10:25:07 GMT

check the access port config, if the port is not configured with dot.1x authentication with AAA was just normal access port- if the configuration is against dot1.x - can easily identify the config.

still confused post one of the switch config we can give you suggestion.

Re: show ports that do not make use of authentication

Mike.Cifelli — Wed, 23 Dec 2020 13:37:30 GMT

If you are trying to determine which ports are enabled for dot1x/mab configuration you could use the following:

#show authentication sessions (will list session information)

Are there no descriptions on the interfaces? If there are and/or you know which vlans would be used for APs/servers you can rely on a simple: #show interface status

Re: show ports that do not make use of authentication

yayaa — Wed, 23 Dec 2020 14:54:51 GMT

Well.. That's the hard & pretty long way to check it 🙂 was hoping someone could point out an easy way or quicker way. Unfortunately I am not experienced enough to automate this to get the info quicker. Currently I am thinking of checking it based on the following ways:

show int status | in connected (to see what are the connected devices)

show auth sess ( to check which ports are authenticated)

Then compare and based on what is not shown in the "show auth sess" output, will tell me what ports are not authenticated.

The ports that are not connected and not configured to do authentication, are for me unused ports. Servers, AP's or other important devices should always be connected.

So I was wondering if there was a command or easier/more efficient way to get this info.

Re: show ports that do not make use of authentication

aukhadiev — Wed, 23 Dec 2020 20:02:07 GMT

I'm sorry, I answered in the wrong place...

Re: show ports that do not make use of authentication

aukhadiev — Wed, 23 Dec 2020 20:02:31 GMT

During ISE implementation at my work, I used the following method to identify interfaces with configured dot1x functionality:

1) show dot1x all | tee tftp://tftp_server_ip/dot1x.txt

2) export this file to Excel, with Original data type - Delimited, Delimiters - Space

3) apply filter on first column - Dot1x

4) the fourth column will contain the list of interfaces

Re: show ports that do not make use of authentication

yayaa — Thu, 24 Dec 2020 09:09:18 GMT

Awesome, tested it out and it's exactly what I needed.
On the excel, when pressing on F5 you can select blank cells, then delete cells upwards and you got a perfect list sorted with the interfaces. Doing the same with show cdp neigh to get AP listed out this way. Thanks a lot for sharing this.

Re: show ports that do not make use of authentication

MichaelBurk-CCIE50207 — Thu, 01 Dec 2022 16:31:54 GMT

This was super helpful, I found a easy way to get the information in real time was to simply use

show dot1x all | include Ethernet