How to check port is currently running open or closed 802.1x mode

getaway51 (Level 2)

Hi,

How do I check whether a port is currently running in open or closed 802.1X mode?

sh authentication brief or session doesn't tell that.

3 Accepted Solutions

8 Replies

Arne Bier (VIP)

I don't have an open mode example handy.

Do you have access to the show run output? Under the interface you might find this to indicate closed mode - if this statement is not present then you're in open mode:

access-session closed

Hi,

The statement is not present, as I configured "no access-session closed".
I just wonder if I can view it in operation using a show command.

I just had a look at a closed mode example from a live switch and it looks no different to the output of an open mode from Hari's Prescriptive Guide.

Open mode is just faking the end result of what would happen in closed mode - the RADIUS transactions are all the same, but the switch chooses to ignore the RADIUS Access-Reject.

Having said that, it might be possible to see this from the show commands - perhaps Mr @hariholla himself can provide some guidance?

"Open mode is just faking the end result of what would happen in closed mode - the RADIUS transactions are all the same, but the switch chooses to ignore the RADIUS Access-Reject."

Not exactly true.

The only real way to see open mode vs closed mode is to look at the running configuration.

Show run int <type><port>

If you see "authentication open" or the absence of "access-session closed" in IBNS2, you are either in OPEN mode or Low Impact mode.

The command "authentication open" or "no access-session closed" simply allows traffic to flow before authentication occurs.

If you send an access-reject or an access-accept, the port still has access. (Open Mode / Monitor Mode)

If you send a VLAN change or a dACL, these will still apply and can restrict or break access. This is what is called low impact mode.

If you remove the command "authentication open" or you apply "access-session closed", you are entering closed mode. This actually just applies a default ACL (that is pre-installed on the switch) to the port that blocks most traffic.

If you send an access-accept, this opens the port for traffic. If you send a reject, that default ACL stays applied.

If you send a dACL or a VLAN change (with an access-accept), you prepend the default ACL and get access from the dACL.

For ACTUAL monitor mode, you need to apply monitor rules on ISE.

In summary:

authentication open - Open / Monitor Mode
authentication open with dACL - Low Impact Mode
no authentication open - Closed Mode
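Since the answer above says the running config is the only reliable place to read the mode, here is a small added script (not from the thread, not a Cisco tool) that applies that rule to "show running-config" text: IBNS 2.0 ports are closed only when "access-session closed" is present, IBNS 1.0 ports are open only when "authentication open" is present, and an open port becomes low-impact when the authorization result carried a dACL or VLAN. The interface excerpt is constructed, and the dACL/VLAN flag per port is an assumed input you would take from the session's authorization result.

```python
# Constructed "show running-config" excerpt (not from the thread): one port per case.
SAMPLE_RUN = """\
interface GigabitEthernet1/0/1
 authentication open
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 access-session closed
 access-session port-control auto
!
interface GigabitEthernet1/0/3
 access-session port-control auto
!
interface GigabitEthernet1/0/4
 authentication port-control auto
!
"""

def parse_interfaces(run_cfg):
    """Split running-config text into {interface name: [stripped config lines]}."""
    ifaces, current = {}, None
    for raw in run_cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line == "!" or not line:
            current = None                  # '!' ends the interface section
        elif current is not None:
            ifaces[current].append(line)
    return ifaces

def port_policy(lines):
    """'open' or 'closed' from the static config, applying the rule from the post."""
    cmds = set(lines)
    if "access-session closed" in cmds:                       # IBNS 2.0, explicitly closed
        return "closed"
    if "no access-session closed" in cmds or any(c.startswith("access-session ") for c in cmds):
        return "open"                                         # IBNS 2.0 default is open
    return "open" if "authentication open" in cmds else "closed"   # IBNS 1.0 rule

def classify(run_cfg, authz):
    """Effective mode per port. authz (assumed input): {interface: True if a dACL/VLAN was returned}."""
    modes = {}
    for name, cfg in parse_interfaces(run_cfg).items():
        if port_policy(cfg) == "closed":
            modes[name] = "closed"          # default ACL stays until an Access-Accept arrives
        else:
            modes[name] = "low-impact" if authz.get(name) else "open/monitor"
    return modes
```

Feed it the output of "show run int <type><port>" for the ports you care about; a port classified "open/monitor" will keep passing traffic after an Access-Reject, which is exactly the behaviour asked about later in this thread.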

Hi,

I noticed some endpoints that I didn't customize under an identity group, e.g. Avaya-VoIP, tend to fail authorization since they went into the default Cisco ISE identity group "Profiled".

But since the switch ports are in "monitor mode", I noticed I can still ping the IP of the endpoint that failed (in ISE). Why?

Does it mean that if I change to "access-session closed", I will not be able to ping that failed-authorization device?

Does it also mean that during monitor mode, the switch will ignore failed messages from BOTH the authentication and authorization processes?

Hi getaway51,

When you have monitor mode configured, an access-reject simply fails the authentication, but there is no enforcement at that point.

Removing "authentication open" or adding "access-session closed" adds a default ACL to the port that actually stops traffic.

The issue with this is that if your device needs to get an IP before authentication typically finishes, it will fail altogether.

It is an environment specific change.

Hi,

Does it mean that during monitor mode, even when authorization fails, there will be no blocking?

However, if the switch inserts "access-session closed", there will be blocking if authorization fails.

Am I correct for both scenarios above?

Yes.

Monitor mode is simply that. You're monitoring, not blocking.

Closed mode is you're blocking everything, unless you give access.