
no access-session port-control force-authorized

May I know if the command "no access-session port-control force-authorized" after "access-session port-control force-authorized" will force all ports to become Unauthorized?

 

access-session port-control force-authorized

no access-session port-control force-authorized

 

If so, does this mean all ports applying this command will not be operational due to Unauthorized? Or is there another meaning here?

1 ACCEPTED SOLUTION

VIP Rising star

No, it won't. The force-authorized is the default port-control setting, so if you apply it and then you negate it, it won't change anything. The port-control will stick with force-authorized until you configure it to be otherwise, whether force-unauthorized or auto.


Highlighted

Step 1: access-session port-control force-authorized

Step 2: no access-session port-control force-authorized

After step 2, the port is in force-authorized (default) or force-unauthorized, is there any way to verify this?

"no access-session port-control force-authorized" means taking away force-authorized?

Basically, steps 1 and 2 are to re-initialize authorization?

Highlighted
VIP Rising star

After step 2, the port is in force-authorized (default) or force-unauthorized, is there any way to verify this?

Do sh run int gix/x. You won't see the command access-session port-control force-authorized; that's because it is the default, which means the port is in force-authorized state.

 

"no access-session port-control force-authorized" means taking away force-authorized?

This command will not change the port state, since it is not applicable in this case. So, even if you apply it, the switch port will remain in force-authorized state. If you want to change the port state, you need to use the command access-session port-control force-unauthorized or access-session port-control auto.

 

Basically, steps 1 and 2 are to re-initialize authorization?

Step 1 will place the port state in force-authorized state; step 2 won't change anything, it will not affect the port state.

 

Highlighted

Hi,

 

May I know in what situation we apply "access-session port-control force-unauthorized"?

 

Also, this cmd is used in what scenario: "no access-session port-control force-authorized"?

 

Thanks!

Highlighted
VIP Rising star

A use case I would think of for the access-session port-control force-unauthorized command would be if you are doing maintenance work on the switch and you don't want any user to be able to authenticate or pass traffic over that port. It would be kinda similar to shutting down the port.

Regarding negating the force-authorized, I can't think of any use case, since negating it would not change the port state. A similar example of this would be any default command on the switch port, where changing it would require hardcoding the different value. For example, on the switch ports the arp timeout command defaults to 14400. If you try to issue no arp timeout 14400, nothing would change, because this command requires defining values that are different from the default ones to be changed.

Highlighted

Worth noting though, if you already have a port configured with "access-session port-control auto", and apply "access-session port-control force-authorized", it immediately disables dot1x and mab on the port as soon as it is entered. If there was an authentication session on the port, it's immediately gone. 

 

This can be a very helpful command for help desks depending on the security policy of the enterprise if a problem is encountered with authentication.
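
The following is an added example, not part of the thread or of any Cisco tooling: a short Python audit that applies the rule discussed above (a port with no port-control line in the config is in the default force-authorized state) to list ports that are not enforcing dot1x/MAB. The sample config, the function names, and the handling of a negated non-default mode are assumptions made for illustration.

```python
import re

# Default mode per the thread; the switch omits it from "show run" output.
DEFAULT_MODE = "force-authorized"

# Constructed sample config (not from the thread). Gi1/0/4 replays the
# step 1 / step 2 sequence asked about in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 access-session port-control auto
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 access-session port-control force-unauthorized
!
interface GigabitEthernet1/0/4
 access-session port-control force-authorized
 no access-session port-control force-authorized
!
"""

PORT_CONTROL = re.compile(r"^(no\s+)?access-session port-control (\S+)$")

def effective_port_control(config_text):
    """Return {interface: effective port-control mode} for a config dump."""
    modes, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            modes[current] = DEFAULT_MODE  # no port-control line means default
        elif current and line.startswith(" "):
            match = PORT_CONTROL.match(line.strip())
            if match:
                negated, mode = match.groups()
                # Assumption: negating any mode falls back to the default.
                modes[current] = DEFAULT_MODE if negated else mode
        else:
            current = None  # "!" or a global command ends the interface block
    return modes

def unauthenticated_ports(config_text):
    """Ports that pass traffic without dot1x/MAB (explicit or default)."""
    modes = effective_port_control(config_text)
    return sorted(p for p, m in modes.items() if m == DEFAULT_MODE)

if __name__ == "__main__":
    for port, mode in effective_port_control(SAMPLE_CONFIG).items():
        print(f"{port}: {mode}")
    print("not enforcing authentication:", unauthenticated_ports(SAMPLE_CONFIG))
```
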
