11-02-2022 10:04 AM
Setting up my Cisco 9300 switch with dot1x security on ports using Active Directory and ClearPass RADIUS.
I have no problem getting the port to either unauthorize or authorize as predicted.
The issue I am having is that when the port is set to unauthorized, the traffic is still flowing.
I have tried to use "switch(config-if)# auth violation shutdown" and I get the error: Command deprecated (auth violation shutdown ) - use cpl config.
I have tried "switch(config-if)# switchport port-security violation shutdown"; it just disappears with no error.
I have tried "switch(config-if)# dot1x violation-mode shutdown"; it just disappears with no error.
Currently this is what I have under the interface configuration:
interface GigabitEthernet1/0/10
description connection to data port nick test 802.1x
switchport access vlan 3080
switchport mode access
switchport port-security
power inline never
authentication periodic
access-session host-mode single-host
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/10
end
Any suggestions on what I can do to get the port to stop accepting traffic if unauthorized?
Solved!
11-02-2022 10:42 AM
@nick wesley it looks like you are running an IBNS 2.0 style configuration. If you add the command "access-session closed" under the interface, this will deny a connection if the endpoint/user fails authentication.
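As an added example (not part of the original post or the answer above), here is the poster's interface stanza with the one line the accepted answer recommends, followed by the verification command a practitioner would run afterwards. It assumes IOS-XE new-style (IBNS 2.0) configuration, which the "access-session" and "service-policy type control subscriber" lines in the posted config indicate; the interface and policy names are the poster's, not a general recommendation.

```cisco
! Added example: the poster's interface with closed mode enabled.
! In IBNS 2.0 (new-style) configuration the port defaults to open mode,
! which keeps forwarding traffic before and after a failed authentication.
! "access-session closed" drops all traffic except EAPOL until the
! session is authorized, which is the behaviour the poster wanted.
interface GigabitEthernet1/0/10
 description connection to data port nick test 802.1x
 switchport access vlan 3080
 switchport mode access
 switchport port-security
 power inline never
 authentication periodic
 access-session host-mode single-host
 access-session port-control auto
 access-session closed
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 service-policy type control subscriber POLICY_Gi1/0/10
end
!
! Verify from exec mode: before a successful dot1x or MAB result the
! session Status should read Unauthorized and no data should pass;
! after a successful result it should read Authorized.
show access-session interface GigabitEthernet1/0/10 details
```

One operational caveat with closed mode: an endpoint without a supplicant receives nothing at all during the dot1x timeout window before MAB is tried. With the timers in this config that window is roughly tx-period multiplied by (max-reauth-req + 1), about 28 seconds, so DHCP clients on non-supplicant devices may need a retry before they get an address.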
11-02-2022 10:41 AM - edited 11-02-2022 10:42 AM
You have configured an IBNS 2.0 config - that is the ISE deployment point of view.
Do you have POLICY_Gi1/0/10?
Also look at a simple config; try the simple config below:
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/98523-8021x-cat-layer3.html#MDA
http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x
11-03-2022 06:47 AM
Thank you, using "access-session closed" worked like a charm. Thank you.