Cisco Switch & dot1x port shutdown not working

SamSaul
Level 1

Hi there,

I'm configuring dot1x with Windows Server as the RADIUS (NPS) server. Authentication with a username is working well. I've configured "authentication violation shutdown" (the port will be shut down and put in error-disabled mode), but when authorization fails, the port status doesn't change to shutdown and error-disabled mode.

I hope someone has an idea how to achieve this.

Thanks & regards,

Sam Saul

4 Replies

Hi Sam,

I think your understanding of that command is incorrect. As per this link here, "the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port, use the authentication violation interface configuration command."

Do you want to essentially deny access if the user fails authentication/authorization? If so, use 802.1x closed mode, which would not allow access if the user fails.

HTH

 

Hi RJI,

Thanks for your quick response. So that means that if authentication of a client fails, we would not be able to see the status of the switch port as error-disabled when performing the "show interface status" command.

Yes, you are right. I want that switch port to deny access if authentication fails. What is the command, or how can I achieve "802.1x closed mode"?

Thanks.

Commands are below:

interface range GigabitEthernet 1/0/1
 no authentication open

or, if running IBNS 2.0:

interface GigabitEthernet1/0/1
 access-session closed

Most people start off in open mode, so if authentication/authorization fails they can still permit access. They run in this mode for a period so as to monitor the devices and ensure everything is working as expected before then moving to closed mode.

HTH
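As an added example (not part of the thread or of any poster's configuration), here is the full legacy-syntax port configuration the replies describe: the open-mode monitoring phase beside its closed-mode counterpart, with the show commands used to check the outcome. The interface, VLAN, RADIUS server address and shared secret are placeholders.

```cisco
! Global AAA / 802.1X setup (assumed; server address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server NPS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
!
! Phase 1: monitoring. "authentication open" lets traffic through even when
! authentication/authorization fails, so nothing is denied yet and the switch
! only reports the outcome. "authentication violation shutdown" acts only when
! an additional MAC address shows up on a single-host port; it does not fire
! when a supplicant simply fails authentication.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication port-control auto
 authentication open
 authentication violation shutdown
 dot1x pae authenticator
!
! Phase 2: enforcement. Removing "authentication open" puts the port in closed
! mode: a client that fails authentication is denied access. The port is not
! err-disabled by this; it stays up and the session shows as unauthorized.
interface GigabitEthernet1/0/1
 no authentication open
!
! Verification (exec mode): per-port session state, and which ports, if any,
! were err-disabled by a violation.
! show authentication sessions interface GigabitEthernet1/0/1 details
! show interfaces status err-disabled
```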

Thanks. I'll try that and let you know.