How to turn off 802.1x globally?

CSCO10662744_2
Level 1

Say something terribly went wrong w/ ISE, and we needed to turn off 802.1x on all the switches, how would we do that?

Is there a way to do it w/ a single line, w/o having to touch on every single port?

For example, can I just remove the command "aaa authentication dot1x default group radius"?

TIA

Accepted Solutions

"no dot1x system-auth-control"

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-xe-3se-3850-cr-book/sec-d1-xe-3se-3850-cr-book_chapter_01.html#wp1782812608

System authentication is disabled by default. If this command is disabled, all ports behave as if they are force authorized.

4 Replies

Angel Castillo
Level 1

You can use:

 authentication event server dead action authorize vlan #
 authentication event server alive action reinitialize

on the port configuration

Thank you, but some older IOS versions have limitations to support this...either can't specify data VLAN number, or can't do voice VLAN...can't remember which case right now.

My question remains: How do you turn off 802.1x globally on a switch?

Just to add, this depends on the port configuration - if a pre-authentication ACL is present on the port (which would normally be overridden by a dACL in a low-impact scenario), "no dot1x system-auth-control" will cause the default ACL to be in effect unconditionally. Might not be a problem in your case, but just wanted to highlight the possibility.
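
An added example, not part of the original thread: a small Python audit that reads a saved running-config and lists, for each 802.1X-enabled port, whether a static inbound ACL is applied (the pre-authentication ACL case raised in the last reply) and whether the server-dead fallback from the first reply is configured. The sample config, the ACL name `PRE-AUTH` and the function name `audit_dot1x_ports` are constructed for illustration; the script assumes the ACL is applied with `ip access-group <name> in` on the interface.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 ip access-group PRE-AUTH in
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
"""

PORT_CONTROL = re.compile(r"(authentication|dot1x|access-session) port-control auto")

def audit_dot1x_ports(config):
    """Return (globally_enabled, {interface: findings}) for 802.1X-enabled ports."""
    globally_enabled, ports, current = False, {}, None
    for line in config.splitlines():
        if line.strip() == "dot1x system-auth-control":
            globally_enabled = True
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())  # sub-command of the current interface
        else:
            current = None  # left the interface block
    report = {}
    for name, cmds in ports.items():
        if not any(PORT_CONTROL.fullmatch(c) for c in cmds):
            continue  # port does not run 802.1X, global toggle does not affect it
        acl = next((c.split()[2] for c in cmds
                    if re.fullmatch(r"ip access-group \S+ in", c)), None)
        dead = any(c.startswith("authentication event server dead action authorize")
                   for c in cmds)
        report[name] = {"pre_auth_acl": acl, "server_dead_authorize": dead}
    return globally_enabled, report

if __name__ == "__main__":
    print(audit_dot1x_ports(SAMPLE_CONFIG))
```

Ports reported with a non-empty `pre_auth_acl` are the ones to review before relying on the global command as an emergency switch.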