802.1X Monitor Mode Still Enforcing

jasond
Level 1

Working on rolling out 802.1x and want to initially configure monitor mode to troubleshoot before changing to low impact or closed mode.  Before adding the interface configuration my test interface allowed connectivity. Now that monitor mode configuration was added, the workstation cannot get connected. I was expecting them to be able to get connected even if the ISE logs showed that it failed. Is that not the expected behavior of monitor mode?  Below is the interface config:

 

interface GigabitEthernet1/0/40
 description ISE-TestPort-MonitorMode
 switchport access vlan 13
 switchport mode access
 switchport voice vlan 166
 ip device tracking maximum 65535
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 auto qos trust dscp
 source template Port-Dot1x-Default
 spanning-tree portfast edge
end

 

Derived configuration : 675 bytes

!
interface GigabitEthernet1/0/40
 description ISE-TestPort-MonitorMode
 subscriber aging probe
 switchport access vlan 13
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 166
 ip device tracking maximum 65535
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 mls qos trust dscp
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 auto qos trust dscp
 spanning-tree portfast edge
 service-policy type control subscriber Dot1x-Default
 ip dhcp snooping limit rate 100
end

1 Accepted Solution

Greg Gibbs
Cisco Employee

The switchport configuration is not enough information to provide any meaningful assistance. Depending on your switch version, 'open auth' could be the default. We would need more information on your versions, policy map configuration, live logs, switchport session status details, etc.

Please see How to Ask the Community for Help.

I would suggest checking your configuration and policies against the ISE Secure Wired Access Prescriptive Deployment Guide

3 Replies

authentication OPEN <- this command missing 
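
An added example, not part of the original thread and not Cisco tooling: a small Python check that classifies each interface stanza as open or closed before authentication, which is the distinction both replies turn on. It assumes ports using the `access-session` syntax are open unless `access-session closed` is present, and ports using the legacy `authentication` syntax are closed unless `authentication open` is present; the legacy sample and interfaces 41 and 42 are constructed.

```python
# access-session lines taken from the derived config posted in the question.
DERIVED_SAMPLE = """\
interface GigabitEthernet1/0/40
 access-session port-control auto
 mab
 service-policy type control subscriber Dot1x-Default
end
"""

# Constructed legacy-syntax sample; interfaces 41 and 42 are hypothetical.
LEGACY_SAMPLE = """\
interface GigabitEthernet1/0/41
 authentication port-control auto
!
interface GigabitEthernet1/0/42
 authentication OPEN
 authentication port-control auto
end
"""

def preauth_mode(cmds):
    """Return 'open', 'closed' or 'unenforced' for one interface's commands."""
    cmds = set(cmds)
    # Assumption: access-session ports are open unless 'access-session closed' is set.
    if "access-session port-control auto" in cmds:
        return "closed" if "access-session closed" in cmds else "open"
    # Assumption: legacy ports are closed unless 'authentication open' is set.
    if "authentication port-control auto" in cmds:
        return "open" if "authentication open" in cmds else "closed"
    return "unenforced"  # no 'port-control auto': authentication is not gating the port

def audit(config):
    """Map each interface in an IOS config to its pre-authentication mode."""
    ports, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue  # tolerate blank lines left by copy and paste
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ports[current] = []
        elif raw.startswith(" ") and current:
            # IOS keywords are case-insensitive; normalise spacing and case.
            ports[current].append(" ".join(raw.split()).lower())
        else:
            current = None  # '!' or 'end' closes the stanza
    return {name: preauth_mode(cmds) for name, cmds in ports.items()}

if __name__ == "__main__":
    print(audit(DERIVED_SAMPLE), audit(LEGACY_SAMPLE))
```

An "open" result only covers pre-authentication access on the port; the policy map, session details and ISE live logs that the accepted answer asks for are outside what this check reads.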
