
Low Impact mode

Hi,

I'm using ISE version 3.4 with the native supplicant.

I was trying to apply Low Impact Mode. The problem is that when I apply the ACL, the user can't get an IP or anything else that I allow in the ACL, but when I add the command "authentication open" under the interface, he gets an IP with limited access.

Do I really need to use the "authentication open" command for Low Impact Mode to work? I found many articles that didn't mention this command.

---


interface Ethernet1/0
description Low-Impact Mode Example
switchport access vlan 20
switchport mode access
ip access-group AA in
authentication event fail action next-method
authentication event server dead action authorize vlan 999
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-req 3
spanning-tree portfast edge
!


Extended IP access list AA
10 permit udp any eq bootpc any eq bootps (8 matches)
20 permit udp any any eq domain (287 matches)
21 permit tcp any any eq 88
22 permit udp any any eq 88
23 permit tcp any any eq 464
24 permit udp any any eq 464
25 permit tcp any any eq 135
26 permit tcp any any eq 445
27 permit udp any any eq 389
28 permit tcp any any eq 389
30 permit icmp any any echo (3 matches)
40 permit udp any any eq tftp
120 deny ip any any (79 matches)



Arne Bier

Low Impact Mode does not use "authentication open" - that command is used only for Monitoring Mode - remove that command.

In Low Impact Mode we use a pre-auth ACL - in your case, the "ip access-group AA in" is the pre-auth ACL. This ACL governs what access the endpoint has BEFORE ISE has had a chance to authorize the session. This could be a very short period or a long period (it depends on how long it takes for 802.1X to complete, etc.).

The key thing is that for a successful authentication, your RADIUS server must return a dACL (downloadable ACL) that takes precedence over the "AA" port-based ACL. A trivial example would be to return "permit ip any any" via the Authorization Profile.


[screenshot attached]


First of all, thanks for your comment. About the dACL: yes, in the authorization profile I do two things, a dACL with permit ip any any and assignment of a new VLAN. About the "authentication open" command, as I told you before, when I delete it the users cannot get an IP or anything, and I see this picture (please look at it). So maybe what you said only works on the new switches or something, because I'm working on an old switch, version 15, and in a test environment (PNET Lab)? Or don't you think so?

[screenshot attached]


And if you check @MHM Cisco World's comment, he said it is not working without "authentication open".


Sure, Low Impact Mode does not work without "authentication open".

[screenshot attached]

Is that for all switch versions? Because, as I mentioned, a lot of articles don't mention this CLI command.

For all Cisco SW.

This slide is from Cisco Live.

MHM
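To put the thread's conclusion into something you can run against a config dump, the following Python is an added example; it is not code from the thread, from Cisco or from ISE, and the function and constant names are mine. It embeds the interface block and pre-auth ACL from the original post as constructed sample strings (the ACL abridged, match counters dropped), checks the prerequisites that Arne's reply and the accepted answer disagree about, and models why DHCP fails without "authentication open": in closed mode the port forwards only EAPOL before authorization, so the pre-auth port ACL is never consulted no matter what it permits. It does not model the post-auth dACL that ISE returns to replace the port ACL.

```python
"""Lint a Cisco IOS port for Low Impact Mode prerequisites (added example,
not code from the thread). The pre-auth port ACL only matters in open mode;
in closed mode the port forwards nothing but EAPOL before authorization."""
import re

# Constructed sample: the interface block from the original post, as it would
# appear in "show running-config interface Ethernet1/0".
INTERFACE_OPEN = """\
interface Ethernet1/0
 description Low-Impact Mode Example
 switchport access vlan 20
 switchport mode access
 ip access-group AA in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 999
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-req 3
 spanning-tree portfast edge
!
"""
# Same port without "authentication open", i.e. closed mode.
INTERFACE_CLOSED = INTERFACE_OPEN.replace(" authentication open\n", "")

# The pre-auth ACL from the post in running-config form (abridged, counters dropped).
ACL_AA = """\
ip access-list extended AA
 10 permit udp any eq bootpc any eq bootps
 20 permit udp any any eq domain
 21 permit tcp any any eq 88
 30 permit icmp any any echo
 40 permit udp any any eq tftp
 120 deny ip any any
"""
ACE_RE = re.compile(r"(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)")


def parse_interface(block):
    """Return (interface name, set of config lines under it), whitespace-normalised."""
    lines = [l.strip() for l in block.splitlines() if l.strip() and l.strip() != "!"]
    return lines[0].split(None, 1)[1], set(lines[1:])

def parse_acl(text):
    """Return (ACL name, [(seq, action, protocol, rest), ...]) from an 'ip access-list extended' block."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    entries = [m.groups() for m in map(ACE_RE.match, lines[1:]) if m]
    return lines[0].split()[-1], [(int(s), a, p, r) for s, a, p, r in entries]

def acl_permits(entries, proto, port):
    """True if a permit ACE for proto ends in 'eq <port>' (destination port match)."""
    return any(a == "permit" and p == proto and r.endswith(f"eq {port}") for _, a, p, r in entries)

def lint_low_impact(interface_block, acl_text):
    """Return findings; an empty list means the port is ready for Low Impact Mode."""
    name, cfg = parse_interface(interface_block)
    acl_name, entries = parse_acl(acl_text)
    findings = []
    if "authentication port-control auto" not in cfg:
        findings.append(f"{name}: 'authentication port-control auto' missing, 802.1X/MAB is not enforced")
    if f"ip access-group {acl_name} in" not in cfg:
        findings.append(f"{name}: pre-auth ACL {acl_name} is not applied inbound, nothing limits pre-auth access")
    if "authentication open" not in cfg:
        # Closed mode: only EAPOL is forwarded before authorization, so the port
        # ACL is never consulted and the client gets no DHCP, DNS or anything else.
        findings.append(f"{name}: 'authentication open' missing, port is in closed mode and "
                        f"ACL {acl_name} is ignored before authorization")
    for proto, port, service in (("udp", "bootps", "DHCP"), ("udp", "domain", "DNS")):
        if not acl_permits(entries, proto, port):
            findings.append(f"ACL {acl_name}: no permit for {proto}/{port}, {service} fails pre-auth")
    if not entries or entries[-1][1] != "deny":
        findings.append(f"ACL {acl_name}: end with an explicit 'deny ip any any' so denied hits are counted")
    return findings

def pre_auth_forwards(interface_block, acl_text, proto, port):
    """Model one client flow before ISE authorizes the session: closed mode drops it
    regardless of the port ACL, open mode lets the port ACL decide."""
    _, cfg = parse_interface(interface_block)
    _, entries = parse_acl(acl_text)
    return "authentication open" in cfg and acl_permits(entries, proto, port)


if __name__ == "__main__":
    for label, block in (("open mode", INTERFACE_OPEN), ("closed mode", INTERFACE_CLOSED)):
        print(f"== {label} ==", lint_low_impact(block, ACL_AA) or "ok",
              "DHCP pre-auth:", pre_auth_forwards(block, ACL_AA, "udp", "bootps"))
```

Run it as-is and the open-mode port passes while the closed-mode port reports the missing "authentication open", which is exactly the symptom in the original post: the ACL permits bootps, but the client never gets an address. To lint a real port, paste the output of "show running-config interface" (or "show derived-config" when interface templates are in use) and "show running-config | section ip access-list extended" into the two strings.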

[screenshot attached]

Thanks bro, I see it here too ♥


If it's possible, could you share this PDF with me?

My apologies, I got that part wrong. It's been so long since I have seen that command, because on my deployment we use interface templates and I forgot what's inside those. A "show interface" then makes you forget what else is being applied (I forgot to use a "show derived" instead).