
802.1x - Issue with command: authentication open

Jason Mann
Level 1

The issue we are running into is that when we initially deployed 802.1x we had the command “authentication open” on all of our switch ports. We ran a CiscoWorks job last week Thursday to remove that command from all of our ports. Since that time we have run into a couple of weird issues where the device was powered up but the switch port would show notconnect when doing a show int status, but the speed would show a-1000 and duplex would show a-full. There would be no MAC address listed when doing a “show mac add int ‘interface’” and the device would be in the MAB running state. This is happening on devices that are supposed to be doing 802.1x and MAB authentication. If we put the command “authentication open” back onto the port, it showed connected and a MAC address. Now we have over 1000 switches on the network with this command removed and so far have only run into a couple of these oddball problem ports, so at this time it is not happening widespread, but we would like to take care of the issue or figure out why this is happening before it does.

2 Replies

Tarik Admani
VIP Alumni

What version of switch are you running, and what platform? Also, are these stacked?

Also, with authentication open, which port ACL is mapped to the port?


Sent from Cisco Technical Support Android App

On the 2960's we are running 12.2(55)SE5, on the 6500's we are running 15.1(1)SY.

We didn't use any kind of ACL because we start all of our switch ports into a black hole VLAN. I have been watching sessions from Cisco Live 2012 and it looks like Cisco is now recommending that you don't go closed mode unless absolutely necessary because it is hard to maintain and function.
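
As an added example (not part of the thread and not Cisco tooling): across a large estate, the symptom described in the first post, a port reported as notconnect whose duplex and speed still show autonegotiated values such as a-full and a-1000, can be searched for in collected `show interfaces status` output. The sample output below is constructed, and the column layout and the rule that an idle port shows auto/auto are assumptions.

```python
import re

# Constructed sample of `show interfaces status` output (not taken from the thread).
SAMPLE = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   user desk 12       connected    10         a-full a-1000 10/100/1000BaseTX
Gi1/0/2                      notconnect   999          auto   auto 10/100/1000BaseTX
Gi1/0/3   printer 3rd fl     notconnect   999        a-full a-1000 10/100/1000BaseTX
Gi1/0/4                      disabled     999          auto   auto 10/100/1000BaseTX
Gi1/0/5                      notconnect   999        a-full  a-100 10/100/1000BaseTX
"""

# Port, optional free-text description, status keyword, then VLAN/duplex/speed.
# Limitation: a description that itself contains a status keyword is mis-parsed.
ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"\b(?P<status>connected|notconnect|disabled|err-disabled|inactive)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)"
)


def stuck_ports(text):
    """Return (port, vlan, duplex, speed) for ports that report notconnect
    while duplex and speed carry the 'a-' prefix of a negotiated link."""
    hits = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank or unrecognised line
        if (m["status"] == "notconnect"
                and m["duplex"].startswith("a-")
                and m["speed"].startswith("a-")):
            hits.append((m["port"], m["vlan"], m["duplex"], m["speed"]))
    return hits


if __name__ == "__main__":
    for port, vlan, duplex, speed in stuck_ports(SAMPLE):
        print(f"{port}: notconnect in VLAN {vlan} but link negotiated {duplex}/{speed}")
```

Ports it flags are candidates for checking the authentication session state and MAC table entry on that interface, as the original post did by hand.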