3955 Views · 1 Helpful · 4 Replies

Authentication open

jan.murin (Level 1)

Hi everyone,

I have a question about the authentication open command.

Until today I thought that the command allows any traffic (if no preauth ACL is used) until the authentication and authorization is finished.

So if the result is access-reject, the endpoint should be able to communicate just a short while, until the reject is received.

Recently I have noticed that even if authentication fails or authorization returns access-reject, the endpoint still has access to the network.

So I would like to confirm the exact behavior of the command.


Thanks a lot

Accepted Solution

Damien Miller (VIP Alumni)

The expected behavior of authentication open, the default state, is to allow all communication prior to authentication or on failure. This is unless you send a DACL or use a pre-auth ACL.

You could send a deny ip DACL + access accept with the default deny rule.

4 Replies

yalbikaw (Cisco Employee)

This command's purpose is to use it in the pre-deployment of dot1x or in the piloting phase. It will pass EAP traffic along with other traffic; whether the result from the AAA server is permit access or reject, the port still passes the traffic. You use this command when you don't want to cause any interruption for the users until you confirm dot1x and authentication work fine; then you should make authentication closed after that and rely only on the AAA server to give the permission.

As I know, all users connecting to the port are affected by the pre-auth ACL, and if the user authenticates then the DACL or Filter-ID is used with the pre-auth ACL; simply, it is put on top of the pre-auth ACL.
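Putting the two answers together (Damien Miller's point that open mode permits everything unless a DACL or pre-auth ACL is present, and yalbikaw's point that a DACL is layered on top of the pre-auth ACL), here is an added illustration that is not part of either reply or of any Cisco documentation: an IOS switch-port configuration that keeps `authentication open` for a pilot phase but applies a pre-auth ACL so that an unauthenticated or rejected endpoint is limited to DHCP and DNS. The interface name, VLAN number and ACL name are assumptions chosen for the example; the AAA-server side (the DACL returned on success) is described in the comments rather than configured here.

```text
! Pre-auth ACL: what an endpoint may do before, or without, a successful
! authentication. DHCP and DNS are allowed so the client can bootstrap;
! everything else is denied. (ACL name PRE-AUTH is assumed for this example.)
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any

! Access port in open mode. (GigabitEthernet1/0/1 and VLAN 10 are assumed.)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! The pre-auth ACL is applied with ip access-group. A DACL returned by the
 ! AAA server on Access-Accept (for example "permit ip any any") is applied
 ! on top of it for that session; on a reject or timeout, PRE-AUTH stays as
 ! the only filter. EAPOL is Layer 2 and is not affected by this IP ACL.
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Pilot phase: open mode means the switch itself does not block a failed
 ! session; only PRE-AUTH limits it. Remove this line to return to closed mode.
 authentication open
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

To check what a given session actually ended up with, `show authentication sessions interface GigabitEthernet1/0/1 details` lists the session status and the ACL(s) in effect; a rejected endpoint should show no downloaded ACL, so only PRE-AUTH applies. The alternative Damien Miller describes, returning Access-Accept together with a DACL of `deny ip any any`, achieves a similar result from the AAA side without changing the port configuration.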

jan.murin (Level 1)

Thanks a lot for all the answers