01-05-2021 08:46 AM
Hi everyone,
I have a question about the authentication open command.
Until today I thought that the command allows any traffic (if no pre-auth ACL is used) until authentication and authorization are finished.
So if the result is access-reject the endpoint should be able to communicate just a short while until the reject is received.
Recently I have noticed that even if authentication fails or authorization returns access-reject, the endpoint still has access to the network.
So I would like to confirm the exact behavior of the command.
Thanks a lot
01-05-2021 10:41 AM
The expected behavior of authentication open, the default state, is to allow all communication prior to authentication or on failure. This is unless you send a DACL or use a pre-auth ACL.
You could send a deny ip DACL + access accept with the default deny rule.
01-05-2021 10:43 AM
This command's purpose is for use in pre-deployment of dot1x or in a piloting phase. It will pass EAP traffic along with other traffic; if the result from the AAA server is permit access or reject, the port still passes the traffic. You use this command when you don't want to cause any interruption for the users until you confirm dot1x and authentication work fine; then you should make authentication closed after that and rely only on the AAA server to give the permission.
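The three port states discussed in the replies above, side by side, as an added example that is not part of any reply in this thread. Interface numbers, the ACL name `ACL-PREAUTH` and its entries are placeholders; global AAA/RADIUS configuration (`aaa new-model`, `dot1x system-auth-control`, the RADIUS server definition) is assumed to be in place already.

```cisco
! Constructed example; interface numbers and ACL contents are placeholders.
!
! 1) Open port, no pre-auth ACL (monitor / pilot use).
!    All traffic passes before authentication and still passes after a
!    failure or Access-Reject, which is the behaviour asked about.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication open
 mab
 dot1x pae authenticator
!
! 2) Open port with a pre-auth ACL.
!    The port ACL limits what an unauthenticated or rejected endpoint
!    can reach; a DACL sent with Access-Accept is applied on top of it.
ip access-list extended ACL-PREAUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
interface GigabitEthernet1/0/2
 switchport mode access
 ip access-group ACL-PREAUTH in
 authentication port-control auto
 authentication open
 mab
 dot1x pae authenticator
!
! 3) Closed port: "authentication open" is absent.
!    Data traffic is dropped until authorization succeeds, so a
!    rejected endpoint gets no network access.
interface GigabitEthernet1/0/3
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
```

On a live switch, `show authentication sessions interface <name> details` shows the session status and any ACL applied to the port.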
01-05-2021 03:09 PM
As far as I know,
all users connected to the port are affected by the pre-auth ACL,
and if the user authenticates, then the DACL or filter-id is used with the pre-auth ACL; simply, it is put on top of the pre-auth ACL.
01-06-2021 11:01 PM
Thanks a lot for all the answers.