dot1x port-control force-unauthorized

HiTmAn47
Level 1
My understanding of the above command is the following -

force-unauthorized—causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the port

In what situation(s) has anyone used the above command? Does this not essentially mean "nothing can use that port"? Isn't that basically the same as shutting the port down?!

Accepted Solution

Francesco Molino
VIP Alumni

Hi

This means that this port is not shut down but doesn't allow anyone to connect to it; you're right.

Usually, you will use auto to put the port in unauthorized and, as soon as someone is connected and authenticated, it will switch to authorized.

Personally, I use this command when I'm staging a switch and don't want anyone to initiate any authentication process.

Let's take an example: you're deploying a new switch on a remote site and you don't want anybody to authenticate while you finish your config, so as not to generate any logs and get pushed into quarantine.

Is that clear?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
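An added check, written for this thread and not code from the thread or from Cisco: it parses a constructed running-config excerpt and reports each port's effective port-control state, so that after the staging described above you can list the ports still parked in force-unauthorized and the ports with no port-control line at all (the IOS default, force-authorized, which forwards traffic with no 802.1X). The interface names and the config text are constructed; it recognises both the `dot1x port-control` and `authentication port-control` forms.

```python
import re
# Constructed sample running-config (assumed, not from the thread): a switch
# part-way through staging, mixing the port states the replies discuss.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport mode access
 dot1x port-control force-unauthorized
!
interface GigabitEthernet1/0/3
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/4
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/5
 switchport mode access
!
"""

PORT_CONTROL_RE = re.compile(r"^\s*(?:dot1x|authentication) port-control (\S+)")

def _state(lines):
    """Effective state of one interface stanza. No port-control line means the
    IOS default, force-authorized: the port forwards traffic with no 802.1X."""
    if any(l.strip() == "shutdown" for l in lines):
        return "shutdown"
    for l in lines:
        if (m := PORT_CONTROL_RE.match(l)):
            return m.group(1)
    return "force-authorized"

def classify_ports(config):
    """Map each interface name to its effective port-control state."""
    states, name, lines = {}, None, []
    for raw in config.splitlines() + ["!"]:
        if raw.startswith("interface "):
            name, lines = raw.split(" ", 1)[1], []
        elif raw.strip() == "!" and name:
            states[name], name = _state(lines), None
        elif name:
            lines.append(raw)
    return states

def audit(config):
    """Ports still parked in force-unauthorized, and ports left at the default."""
    states = classify_ports(config)
    return {"staged": sorted(n for n, s in states.items() if s == "force-unauthorized"),
            "open": sorted(n for n, s in states.items() if s == "force-authorized")}
```

Run `audit(SAMPLE_CONFIG)` after cutover: anything in "staged" was forgotten, anything in "open" was never put under auto.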


Thanks a lot, it makes sense now... so this feature blocks anyone from connecting to the port without shutting it down... But still, in your example I would have just shut down every port instead of going through the hassle of applying this command on each port.

Yes, you're right, you can shut down as well, but it's one way to work.
I shut down ports that are unused and leave in unauthorized the ports that will be in production later during the staging.

I tell the customer to do a config on the interface and apply auto instead of no shutdown; then I'm sure he won't unshut a port that needs to stay shut down.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

In short, this port won't be authorized and can't get a DACL, VLAN VSA or any other attribute from ISE. You can replace it with an ACL with restricted ACEs or MAC security, but I think you can use it if you want a unified environment where everything is controlled from one place.