dot1x and open authentication

Unanswered Question
Jun 15th, 2010


Does anybody know if I still need an ACL, even if I don't want to filter anything with the open authentication?

I've configured it on a port, and after the failed authentication, the computer still accesses everything although it's marked as 'auth failed':

IOS : 12.2(53)SE2

C3560-NAC-043#sh authentication sessions
Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/1      001a.e80c.1e70  mab      VOICE    Authz Success  AC10FA2B0000005010BD2E9C
Fa0/1      001e.ec16.0ea0  N/A      DATA     Authz Failed   AC10FA2B0000005110BD35D2

Global config :

aaa new-model
aaa group server radius HBM_NAC_Radius
server auth-port 1812 acct-port 1813
aaa group server radius HBM_Login_Radius
server auth-port 1812 acct-port 1813
server auth-port 1812 acct-port 1813
aaa authentication login default group HBM_Login_Radius local
aaa authentication dot1x default group HBM_NAC_Radius
aaa authorization exec default group HBM_Login_Radius local
aaa authorization network default group HBM_NAC_Radius
aaa accounting dot1x default start-stop group HBM_NAC_Radius

port config :

interface FastEthernet0/1
switchport access vlan 190
switchport mode access
switchport voice vlan 290
priority-queue out
authentication event server dead action reinitialize vlan 190
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication open
authentication timer reauthenticate 10
snmp trap mac-notification change added
snmp trap mac-notification change removed
spanning-tree portfast
service-policy input QoS-Marker

Thanks and regards


Chetan Kumar Ress Tue, 06/15/2010 - 06:01


If you want a user that failed the dot1x authentication to access only the limited services you define, then you can configure

dot1x auth-fail vlan GUEST under the FastEthernet interface, and to limit the services you can configure a VLAN ACL for the guest VLAN, or else leave it open and don't

assign any IP address for the guest VLAN.


Chetan Kumar

Anton Klementyev Mon, 02/21/2011 - 00:41

We have the same problem, multi-auth + open authentication is permitting unauthenticated users to access the network, does anybody have the solution?

Do I need any downloadable ACLs when using open authentication?

Guest VLAN doesn't work with multi-auth.

Bastien Migette Mon, 02/21/2011 - 03:44

Hello Rishi,

Open auth allows traffic to flow through the port even if the user is not authenticated.

To limit this, you have 2 possible scenarios:

- add a 'pre auth' ACL on the switchport (just create an ACL and apply it on the port using ip access-group xxx in)
- use dynamic ACLs on your ACS (or other RADIUS) so that these ACLs will override the pre-auth one upon successful authentication

- configure a default VLAN (switchport access vlan) that is filtered on the gateway
- use dynamic VLANs so that users will get an unrestricted VLAN upon successful authentication

Hope this helps.
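
As an added illustration of the first scenario pair (a pre-auth port ACL overridden by a RADIUS-supplied ACL), not configuration taken from the original thread or from any of the posters: the question's port config extended with a pre-auth ACL. The ACL name PRE-AUTH, the services it permits, the mab / dot1x pae authenticator lines and the RADIUS attribute are assumptions for this example.

```ios
! Pre-auth ACL (assumed name PRE-AUTH). With "authentication open" the port
! forwards traffic from a host in Authz Failed state, so this ACL, not the
! authentication result, is what limits that host. Permit only what an
! unauthenticated host needs before it can authenticate (DHCP, DNS and
! TFTP/PXE are assumptions for this example) and deny everything else.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny   ip any any
!
! Needed on the 3560/3750 so a downloadable ACL returned by RADIUS can be
! bound to the authenticated host's IP address.
ip device tracking
!
interface FastEthernet0/1
 switchport access vlan 190
 switchport mode access
 switchport voice vlan 290
 ! Scenario 1: the pre-auth ACL applied inbound on the port.
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication port-control auto
 authentication open
 authentication periodic
 authentication timer reauthenticate 10
 ! Assumed here; the thread's port config does not show these two lines.
 mab
 dot1x pae authenticator
!
! Scenario 2: on the RADIUS server (ACS or other), return a per-user ACL in
! the Access-Accept so it overrides PRE-AUTH for that host only, e.g. the
! Cisco AV pair   ip:inacl#1=permit ip any any
```

Note that the phone that passed MAB is subject to PRE-AUTH as well until RADIUS returns an ACL for its session, so scenario 2 applies to the VOICE session, not only to the DATA host.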

rishi.sumbal Mon, 03/07/2011 - 05:31

Hello Bastien,

Thanks, however I had opened a case for that and Cisco told me that the main purpose of open auth is to smoothly migrate to dot1x and monitor the results first. Your solutions then help limit the access in a second phase of the migration, I would say. The last phase would be to remove open auth.



BuddeMcBudde Tue, 03/20/2012 - 12:56

Does open authentication work with Dynamically Assigned VLANs?

If it does this could solve the PXE vs 802.1x battle.

I've tried open authentication with a filtered default VLAN with no luck.

