show ports that do not make use of authentication

yayaa
Level 1

Hello all,

 

Is there a way to find out which ports are using dynamic VLAN assignment (AAA authentication) and which ones are not? I am working on a migration where we swap 50-60 2960 switches for new 9300s, but the current configuration is not organized and is a real mess. I want to bring structure to the new switches. If I can see which switchports are making use of AAA authentication and which ports are manually configured for specific servers or access points, for example, I can easily detect these and put them on the new switch in an organized way. Looking forward to your feedback, thank you!

 

 


Accepted Solution

aukhadiev
Level 1

 

During ISE implementation at my work, I used the following method to identify interfaces with configured dot1x functionality:

1) show dot1x all | tee tftp://tftp_server_ip/dot1x.txt

2) export this file to Excel, with Original data type - Delimited, Delimiters - Space

3) apply filter on first column - Dot1x

4) the fourth column will contain the list of interfaces


balaji.bandi
Hall of Fame

Check the access port config. If the port is not configured with dot1x authentication with AAA, it is just a normal access port; if the configuration is against dot1x, you can easily identify the config.

If you are still confused, post one of the switch configs and we can give you a suggestion.

BB


Well... That's the hard and pretty long way to check it; I was hoping someone could point out an easy way or quicker way. Unfortunately I am not experienced enough to automate this to get the info quicker. Currently I am thinking of checking it in the following ways:

show int status | in connected (to see what the connected devices are)

show auth sess (to check which ports are authenticated)

Then compare; what is not shown in the "show auth sess" output will tell me which ports are not authenticated.

The ports that are not connected and not configured to do authentication are, for me, unused ports. Servers, APs or other important devices should always be connected.


So I was wondering if there was a command or easier/more efficient way to get this info. 

Mike.Cifelli
VIP Alumni

If you are trying to determine which ports are enabled for dot1x/mab configuration you could use the following:

#show authentication sessions  (will list session information)

Are there no descriptions on the interfaces? If there are and/or you know which vlans would be used for APs/servers you can rely on a simple: #show interface status

I'm sorry, I answered in the wrong place...

This was super helpful. I found an easy way to get the information in real time was to simply use

show dot1x all | include Ethernet

 

yayaa
Level 1

Awesome, tested it out and it's exactly what I needed.
In Excel, when pressing F5 you can select blank cells, then delete cells upwards, and you get a perfect sorted list of the interfaces. Doing the same with show cdp neigh to get the APs listed out this way. Thanks a lot for sharing this.
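
The comparison worked out in this thread (interfaces that have a "Dot1x Info for ..." section in show dot1x all, set against every port in show interfaces status) can also be scripted rather than filtered in Excel. The Python below is an added example, not code from any poster in the thread; both sample outputs are constructed, and the function names and the two-letter interface abbreviation rule are assumptions.

```python
import re

# Constructed sample of `show dot1x all` output (not captured from a real switch).
SAMPLE_DOT1X = """\
Sysauthcontrol              Enabled
Dot1x Protocol Version            3

Dot1x Info for GigabitEthernet1/0/1
-----------------------------------
PAE                       = AUTHENTICATOR

Dot1x Info for GigabitEthernet1/0/3
-----------------------------------
PAE                       = AUTHENTICATOR
"""

# Constructed sample of `show interfaces status` output.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   user port          connected    10         a-full a-1000 10/100/1000BaseTX
Gi1/0/2   AP floor 1         connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi1/0/3                      notconnect   10           auto   auto 10/100/1000BaseTX
Gi1/0/4   srv-backup         connected    20         a-full a-1000 10/100/1000BaseTX
Gi1/0/5                      notconnect   1            auto   auto 10/100/1000BaseTX
"""

STATUSES = {"connected", "notconnect", "disabled", "err-disabled", "inactive"}

def short_name(ifname):  # GigabitEthernet1/0/1 -> Gi1/0/1 (assumed abbreviation rule)
    m = re.match(r"([A-Za-z]+)(\d.*)", ifname)
    return m.group(1)[:2].capitalize() + m.group(2) if m else ifname

def dot1x_ports(dot1x_text):
    """Interfaces that have a 'Dot1x Info for <interface>' section."""
    return {short_name(n) for n in re.findall(r"^Dot1x Info for (\S+)", dot1x_text, re.M)}

def ports_without_dot1x(dot1x_text, status_text):
    """(port, status) for every port in the status table with no dot1x section."""
    enabled, result = dot1x_ports(dot1x_text), []
    for line in status_text.splitlines():
        fields = line.split()
        if not fields or not re.match(r"[A-Za-z]{2}\d", fields[0]):
            continue  # header or blank line
        status = next((f for f in fields[1:] if f in STATUSES), "unknown")
        if short_name(fields[0]) not in enabled:
            result.append((fields[0], status))
    return result

if __name__ == "__main__":
    print(ports_without_dot1x(SAMPLE_DOT1X, SAMPLE_STATUS))
```

Save the output of both commands from a switch to text files and pass their contents to ports_without_dot1x; the connected ports in the result are the candidates for manually configured servers or access points.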