topic Re: Low Impact mode in Network Access Control

Low Impact mode

Saeed Abd Elhalim Hamada — Fri, 01 Aug 2025 01:36:35 GMT

i`m using ise ver 3.4 with native supplicant

i was trying to apply low imacpt mode , the problem is when i apply the ACL the user cant take ip or anything that i allow in ACL , but when i writh this CMD (authentication open)under the interface hi take ip with limit access .

do i realy need to using this CMD authentication open so the low impact can work or what cuz i found many article didn't mention this CMD

---

interface Ethernet1/0
description Low-Impact Mode Example
switchport access vlan 20
switchport mode access
ip access-group AA in
authentication event fail action next-method
authentication event server dead action authorize vlan 999
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-req 3
spanning-tree portfast edge
!

Extended IP access list AA
10 permit udp any eq bootpc any eq bootps (8 matches)
20 permit udp any any eq domain (287 matches)
21 permit tcp any any eq 88
22 permit udp any any eq 88
23 permit tcp any any eq 464
24 permit udp any any eq 464
25 permit tcp any any eq 135
26 permit tcp any any eq 445
27 permit udp any any eq 389
28 permit tcp any any eq 389
30 permit icmp any any echo (3 matches)
40 permit udp any any eq tftp
120 deny ip any any (79 matches)

Re: Low Impact mode

Arne Bier — Fri, 01 Aug 2025 03:19:22 GMT

Low Impact Mode does not use "authentication open" - that command is used only for Monitoring Mode - remove that command.

In Low Impact Mode we use a pre-auth ACL - in your case, the "ip access-group AA in" is the pre-auth ACL. This ACL governs what access the endpoint has BEFORE ISE has had a chance to authorize the session. This could be a very short period, or a long period (depends how long it takes for 802.1X to complete etc.)

The key thing is that for a successful authentication, your RADIUS server must return a dACL (downloadable ACL) that takes precedence over the "AA" port based ACL. Trivial example, would be to return a "permit ip any any" via the Authorization Profile

Re: Low Impact mode

MHM Cisco World — Fri, 01 Aug 2025 08:42:21 GMT

Sure Low Impact mode not work without authc open

Re: Low Impact mode

Saeed Abd Elhalim Hamada — Fri, 01 Aug 2025 10:51:39 GMT

first of all think for your comment , about the Dacl yes in the authiz profile i do 2 tasks 1 Dacl to primt any any and Assigned new VLAN , a about the Open authi cmd as i told you before when i delete it the users cannot take ip or anything and i see this pic please look at it , so maybe what you said is only work in the new SWs or somthing cuz i working in old switch versin 15 also i work in test envirment PNET lab ? or you didnt think so ?

Re: Low Impact mode

Saeed Abd Elhalim Hamada — Fri, 01 Aug 2025 10:58:13 GMT

and if you check @MHM Cisco World comment his said not working without authc open

Re: Low Impact mode

Saeed Abd Elhalim Hamada — Fri, 01 Aug 2025 10:53:23 GMT

is that for all switch version cuz as i mention alot of article not mention this CLI commend

Re: Low Impact mode

MHM Cisco World — Fri, 01 Aug 2025 10:56:24 GMT

For all cisco SW.

This slide from cisco live.

MHM

Re: Low Impact mode

Saeed Abd Elhalim Hamada — Fri, 01 Aug 2025 10:59:26 GMT

thanks bro , i see it here too ♥

Re: Low Impact mode

Saeed Abd Elhalim Hamada — Fri, 01 Aug 2025 11:00:09 GMT

if it possible to share with my this PDF

Re: Low Impact mode

PSM — Fri, 01 Aug 2025 12:05:59 GMT

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-2660.pdf

Re: Low Impact mode

Arne Bier — Sat, 02 Aug 2025 05:04:35 GMT

My apologies I got that part wrong. It’s been so long since I have seen that command because on my deployment we use interface templates and I forgot what’s inside those. A show interface then makes you forgot what else is being applied (I forget to use a show derived instead)