802.1x Open Access

memgtdg1
Frequent Visitor

I've configured a switch port for Open Access as per the ISE Secure Wired Access Prescriptive Deployment Guide, but when authentication fails (as expected) the port does not pass traffic for the data VLAN. I have a phone connected to the port with MAB authentication and a PC connected through the phone. The PC does not have 802.1x configured yet, which is why I want it to fail open.

Is there something obvious I'm missing? My configuration is below:

interface GigabitEthernet1/0/17
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 51
 device-tracking attach-policy IPDT_POLICY
 authentication periodic
 authentication timer reauthenticate server
 access-session port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 service-policy type control subscriber PORT-AUTH-POLICY
end

show authentication sessions
Interface  MAC Address     Method  Domain   Status  Fg  Session ID
------------------------------------------------------------------------------
Gi1/0/17   c81f.eaf3.d63c  mab     VOICE    Auth        0B00020A000025832DB071FA
Gi1/0/17   f4a8.0d09.7575  N/A     UNKNOWN  Unauth      0B00020A000025822DB053F0

4 Replies

balaji.bandi
Hall of Fame

How about adding some more config on the port and testing:

authentication open
access-session host-mode multi-domain
authentication event fail action next-method

BB

Hi, thanks for your reply. I should have mentioned that I am using IBNS 2.0. I believe authentication open and access-session host-mode multi-domain are the defaults as they don't show in config when I enter those commands.

I am also using a policy map that covers the methods:

policy-map type control subscriber PORT-AUTH-POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list AAA_RADIUS authz-list AAA_RADIUS priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab aaa authc-list AAA_RADIUS authz-list AAA_RADIUS priority 20
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab aaa authc-list AAA_RADIUS authz-list AAA_RADIUS priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  40 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

Hi,

@memgtdg1 In IBNS 2.0, open access is enabled by default; there is no need to activate it via authentication open. Also, while using IBNS 2.0, stop using authentication commands and instead use access-session commands, to avoid running into, let's say, unexpected behaviour.

Not sure what the default host-mode is; regardless, what you configure should show up in the configuration. Also, ensure that while working in open mode, at least initially, on ISE you don't push any authorisations, just Access-Accept.

I also suggest going through this presentation, in addition to the already provided document:

https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2025/pdf/BRKCRT-3002.pdf

Thanks,

Cristian.

Cristian Matei
VIP Alumni

Hi,

@memgtdg1 To support both VOICE (which is the MAC the switch sees first) and DATA (which is the MAC the switch sees second), you need to run in multi-domain mode: configure at port level access-session host-mode multi-domain.

If you're planning to use IBNS 2.0, it's recommended to use templates for any MAB/DOT1x/authentication related configurations; a good, simple and concise guide you can get here:

https://www.wiresandwi.fi/blog/solid-config-cisco-ibns-2-0-concurrent-802-1x-mab-switch-configuration-ios-xe

Thanks,

Cristian.
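As an added example (not from this thread, Cisco or ISE), a small Python audit that parses `show authentication sessions` output of the shape shown in the original post together with a running-config fragment, and flags ports that carry more than one MAC (phone plus PC) while `access-session host-mode multi-domain` is absent, listing the MACs that are not in Auth state. The sample text is constructed from the thread, and the `parse_sessions`, `parse_interfaces` and `audit` helpers are assumptions of this example, not any vendor tool.

```python
import re

# Constructed sample modelled on the thread's output, not taken from a live switch.
SESSIONS = """\
Interface MAC Address Method Domain Status Fg Session ID
---
Gi1/0/17 c81f.eaf3.d63c mab VOICE Auth 0B00020A000025832DB071FA
Gi1/0/17 f4a8.0d09.7575 N/A UNKNOWN Unauth 0B00020A000025822DB053F0
"""
# Constructed config fragment from the original post; no host-mode line present.
CONFIG = """\
interface GigabitEthernet1/0/17
 switchport voice vlan 51
 access-session port-control auto
 mab
"""
SESSION_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(?P<method>\S+)\s+"
    r"(?P<domain>\S+)\s+(?P<status>\S+)\s+(?:(?P<fg>\S+)\s+)?(?P<sid>[0-9A-F]{24})$"
)

def parse_sessions(text):
    # {short interface name: [session dicts]} from show authentication sessions
    out = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            out.setdefault(m["intf"], []).append(m.groupdict())
    return out

def parse_interfaces(text):
    # {short interface name: set of config lines}; GigabitEthernet1/0/17 -> Gi1/0/17
    out, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = out.setdefault(re.sub(r"^([A-Z][a-z])[A-Za-z-]*", r"\1", line[10:]), set())
        elif cur is not None and line:
            cur.add(line)
    return out

def audit(sessions_text, config_text):
    # Flag ports carrying more than one MAC (phone plus PC) without multi-domain host mode,
    # and list the MACs that are not in Auth state on those ports.
    cfg = parse_interfaces(config_text)
    findings = []
    for intf, rows in parse_sessions(sessions_text).items():
        if len(rows) > 1 and "access-session host-mode multi-domain" not in cfg.get(intf, ()):
            findings.append((intf, [r["mac"] for r in rows if r["status"] != "Auth"]))
    return findings
```

Feed it the real `show authentication sessions` and `show running-config` text from the switch to check every port at once.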