Solved: no access-session port-control force-authorized

getaway51 · ‎10-27-2020

May I know if command "no access-session port-control force-authorized" after "access-session port-control force-authorized" will force all port to become Unauthorized?

access-session port-control force-authorized

no access-session port-control force-authorized

If so does this means all ports applying this command will not be operational due to Unauthorized? or is there another meaning here?

Aref Alsouqi · ‎10-28-2020

No it won't. The force-authorized is the default port-control setting, so if you apply it and then you negate it it won't change anything. The port-control will stick with force-authorized until you configure it to be otherwise, whether force-unauthorized or auto.

View solution in original post

Aref Alsouqi · ‎10-28-2020

No it won't. The force-authorized is the default port-control setting, so if you apply it and then you negate it it won't change anything. The port-control will stick with force-authorized until you configure it to be otherwise, whether force-unauthorized or auto.

getaway51 · ‎10-28-2020

step 1, access-session port-control force-authorized

step 2,no access-session port-control force-authorized

After step 2, the port is in force-authorized(default) or force-unauthorized, is there anyway to verify this?

"no access-session port-control force-authorized" means taking away force-authorized?

Basically step 1 and 2 is to re-initialize authorization?

Aref Alsouqi · ‎10-29-2020

After step 2, the port is in force-authorized(default) or force-unauthorized, is there anyway to verify this?

do sh run int gix/x, you won't see the command access-session port-control force-authorized, that's because it is the default, which means the port is in force-authorized state.

"no access-session port-control force-authorized" means taking away force-authorized?

This command will not change the port state, since it is not applicable in this case. So, even if you apply it, the switch port will remain in force-authorized state. If you want to change the port state, you need to use the command access-session port-control force-unauthroized or access-session port-control auto.

Basically step 1 and 2 is to re-initialize authorization?

Step 1 will place the port state in force-authorized state, step 2 won't change anything, it will not affect the port state.

getaway51 · ‎10-29-2020

Hi,

May I know in what situation we apply "access-session port-control force-unauthorized"?

Also this cmd used in wht scenario-"no access-session port-control force-authorized" ?

Thanks!

Aref Alsouqi · ‎10-30-2020

A use case I would think of for the access-session port-control force-unauthorized command would be if you are doing a maintenance work on the switch and you don't want any user to be able to authenticate or pass traffic over that port. It would be kinda similar to shutting down the port.

Regarding negating the force-authorized, I can't think of any use case, since negating it would not change the port state. A similar example of this would be any default command on the switch port, where changing it would require hardcoding the different value. For example, on the switch ports the arp timeout command is default to 14400, if you try to issue no arp timeout 14400 nothing would change, because this command requires defining the values that are different than the default ones to be changed.

Damien Miller · ‎11-02-2020

Worth noting though, if you already have a port configured with "access-session port-control auto", and apply "access-session port-control force-authorized", it immediately disables dot1x and mab on the port as soon as it is entered. If there was an authentication session on the port, it's immediately gone.

This can be a very helpful command for help desks depending on the security policy of the enterprise if a problem is encountered with authentication.