Cisco 9300 dot1x unauthorize port access

nick wesley
Level 1

Setting up my Cisco 9300 switch with dot1x security on ports using Active Directory and ClearPass RADIUS.

I have no problem getting the port to either unauthorize or authorize as predicted.

The issue I am having is that when the port is set to unauthorize, the traffic is still flowing.

I have tried to use "switch(config-if)# auth violation shutdown" and I get the error: Command deprecated (auth violation shutdown ) - use cpl config.

I have tried "switch(config-if)# switchport port-security violation shutdown"; it just disappears with no error.

I have tried "switch(config-if)#dot1x violation-mode shutdown"; it just disappears with no error.

Currently this is what I show under the interface configuration:

interface GigabitEthernet1/0/10
description connection to data port nick test 802.1x
switchport access vlan 3080
switchport mode access
switchport port-security
power inline never
authentication periodic
access-session host-mode single-host
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/10
end

Any suggestions on how I can get the port to stop accepting traffic if unauthorized?

Accepted Solution

@nick wesley it looks like you are running IBNS 2.0 style configuration, if you add the command "access-session closed" under the interface this will deny a connection if the endpoint/user fails authentication.
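As an added illustration (not part of the original thread or of any Cisco documentation), the interface from the question shown before and after the one-line change from the accepted answer. With the IBNS 2.0 new-style commands, a port with no explicit access mode runs in open mode, which is why frames kept forwarding on a port that reported as unauthorized; `access-session closed` puts the port in closed mode, so only EAPOL is allowed through until the session is authorized and a failed or absent authentication leaves the port blocking. The interface name, VLAN and policy name are the ones from the question; nothing else is assumed.

```cisco
! BEFORE (as posted): IBNS 2.0 new-style commands, but no "access-session closed".
! The port therefore runs in the default open access mode and forwards
! traffic before (and even without) a successful authentication.
interface GigabitEthernet1/0/10
 description connection to data port nick test 802.1x
 switchport access vlan 3080
 switchport mode access
 switchport port-security
 power inline never
 authentication periodic
 access-session host-mode single-host
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 service-policy type control subscriber POLICY_Gi1/0/10

! AFTER: the same interface plus the line from the accepted answer.
! In closed mode only EAPOL passes until the session is authorized;
! an endpoint that fails 802.1X/MAB (or never attempts it) gets no access.
interface GigabitEthernet1/0/10
 description connection to data port nick test 802.1x
 switchport access vlan 3080
 switchport mode access
 switchport port-security
 power inline never
 authentication periodic
 access-session host-mode single-host
 access-session port-control auto
 access-session closed
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 service-policy type control subscriber POLICY_Gi1/0/10
```

To check the result, look at the session on the port with `show access-session interface GigabitEthernet1/0/10 details` (the IBNS 2.0 form of `show authentication sessions`); the session status should read Unauthorized, with no data traffic forwarded, until the endpoint authenticates. Roll the change out one port at a time, since any endpoint on that port that cannot do 802.1X and is not in the MAB database loses connectivity the moment closed mode is applied.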

3 Replies

balaji.bandi
Hall of Fame

You have configured an IBNS 2.0 config; that is from an ISE deployment point of view.

Do you have POLICY_GI1/0/10? Also, look at a simple config; try the simple config as below:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/98523-8021x-cat-layer3.html#MDA

http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x


BB


nick wesley
Level 1

Thank you, using "access-session closed" worked like a charm. Thank you.
