https://community.cisco.com/t5/network-security/cisco-9300-dot1x-unauthorize-port-access/m-p/4715063#M1094730 <P>You are configured IBSN 2.0 config - that is ISE deployment point of view.</P> <P>Do you have POLICY_GI1/0/10 ? and</P> <P>look at simple config :</P> <P>try simple config&nbsp; as below :</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/98523-8021x-cat-layer3.html#MDA" target="_blank">https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/98523-8021x-cat-layer3.html#MDA</A></P> <P><A href="http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x" target="_blank" rel="noopener">http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x</A></P> <P>&nbsp;</P> Wed, 02 Nov 2022 17:42:31 GMT balaji.bandi 2022-11-02T17:42:31Z https://community.cisco.com/t5/network-security/cisco-9300-dot1x-unauthorize-port-access/m-p/4715002#M1094729 <P>setting up my cisco-9300 switch with dot1x&nbsp; security on ports using active directory and clearpass radius.</P><P>i have no problem of getting port to either unauthorize or authorize as predicted.</P><P>the issue i am having is when port is set to unauthorize the traffic is still flowing.</P><P>i have tried to use "switch(config-if)# auth violation shutdown" and i get error&nbsp; Command deprecated (auth violation shutdown ) - use cpl config.</P><P>i have tried "switch(config-if)#&nbsp;switchport port-security violation shutdown"&nbsp; it just disappears with no error.</P><P>i have tried "switch(config-if)#dot1x violation-mode shutdown"&nbsp; it just disappears with no error.</P><P>currently this is what i show under the interface configure:</P><P>interface GigabitEthernet1/0/10<BR />description connection to data port nick test 802.1x<BR />switchport access vlan 3080<BR />switchport mode access<BR />switchport port-security<BR />power inline never<BR />authentication periodic<BR />access-session host-mode single-host<BR />access-session port-control auto<BR />mab<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 7<BR />dot1x max-reauth-req 3<BR />spanning-tree portfast<BR />service-policy type control subscriber POLICY_Gi1/0/10<BR />end</P><P>any sugestions i can do to get the port to stop accepting traffic if unauthorized?</P> Wed, 02 Nov 2022 17:04:53 GMT https://community.cisco.com/t5/network-security/cisco-9300-dot1x-unauthorize-port-access/m-p/4715002#M1094729 nick wesley 2022-11-02T17:04:53Z https://community.cisco.com/t5/network-security/cisco-9300-dot1x-unauthorize-port-access/m-p/4715063#M1094730 <P>You are configured IBSN 2.0 config - that is ISE deployment point of view.</P> <P>Do you have POLICY_GI1/0/10 ? and</P> <P>look at simple config :</P> <P>try simple config&nbsp; as below :</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/98523-8021x-cat-layer3.html#MDA" target="_blank">https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/98523-8021x-cat-layer3.html#MDA</A></P> <P><A href="http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x" target="_blank" rel="noopener">http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x</A></P> <P>&nbsp;</P> Wed, 02 Nov 2022 17:42:31 GMT https://community.cisco.com/t5/network-security/cisco-9300-dot1x-unauthorize-port-access/m-p/4715063#M1094730 balaji.bandi 2022-11-02T17:42:31Z https://community.cisco.com/t5/network-security/cisco-9300-dot1x-unauthorize-port-access/m-p/4715064#M1094731 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1428400">@nick wesley</a> it looks like you are running IBNS 2.0 style configuration, if you add the command "access-session closed" under the interface this will deny a connection if the endpoint/user fails authentication.</P> Wed, 02 Nov 2022 17:42:53 GMT https://community.cisco.com/t5/network-security/cisco-9300-dot1x-unauthorize-port-access/m-p/4715064#M1094731 Rob Ingram 2022-11-02T17:42:53Z https://community.cisco.com/t5/network-security/cisco-9300-dot1x-unauthorize-port-access/m-p/4715648#M1094746 <P>Thank you, using "access-session closed" worked like a charm.&nbsp; &nbsp;thank you</P> Thu, 03 Nov 2022 13:47:17 GMT https://community.cisco.com/t5/network-security/cisco-9300-dot1x-unauthorize-port-access/m-p/4715648#M1094746 nick wesley 2022-11-03T13:47:17Z