Does anybody know if I still need an ACL, even if I don't want to filter anything with the open authentication?
I've configured it on a port, and after the failed authentication, the computer still accesses everything although it's marked as 'Authz Failed':
IOS: 12.2(53)SE2

C3560-NAC-043#sh authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Fa0/1      001a.e80c.1e70  mab     VOICE   Authz Success  AC10FA2B0000005010BD2E9C
Fa0/1      001e.ec16.0ea0  N/A     DATA    Authz Failed   AC10FA2B0000005110BD35D2
Global config:

aaa new-model
!
!
aaa group server radius HBM_NAC_Radius
 server 172.16.250.123 auth-port 1812 acct-port 1813
!
aaa group server radius HBM_Login_Radius
 server 172.16.249.239 auth-port 1812 acct-port 1813
 server 172.18.20.215 auth-port 1812 acct-port 1813
!
aaa authentication login default group HBM_Login_Radius local
aaa authentication dot1x default group HBM_NAC_Radius
aaa authorization exec default group HBM_Login_Radius local
aaa authorization network default group HBM_NAC_Radius
aaa accounting dot1x default start-stop group HBM_NAC_Radius
Port config:

interface FastEthernet0/1
 switchport access vlan 190
 switchport mode access
 switchport voice vlan 290
 priority-queue out
 authentication event server dead action reinitialize vlan 190
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication open
 authentication timer reauthenticate 10
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 spanning-tree portfast
 service-policy input QoS-Marker
Thanks. However, I had opened a case for that, and Cisco told me that the main purpose of open auth is to smoothly migrate to dot1x and monitor the results first. Your solutions then help to limit the access in a second phase of the migration, I would say. The last phase would be to remove open auth.
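As an added example (not from the post above and not the text of Cisco's answer), the following puts the three phases side by side in IOS syntax: the monitor-mode port as posted, the same port with a static pre-authentication ACL that bounds what an unauthenticated or "Authz Failed" host can reach, and the final step of removing open mode. The ACL name PRE-AUTH, the protocols it permits, and the comments are assumptions made for the example; VLANs and interface are taken from the post.

```cisco
! ---- Phase 1: monitor mode, as posted -------------------------------------
! "authentication open" tells the port to forward traffic regardless of the
! session state. Without an ACL on the port nothing is filtered, so the host
! shown as "Authz Failed" in "show authentication sessions" keeps full access.
interface FastEthernet0/1
 switchport access vlan 190
 switchport mode access
 switchport voice vlan 290
 authentication host-mode multi-auth
 authentication port-control auto
 authentication open
 mab

! ---- Phase 2: open mode plus a static pre-auth ACL (assumed content) -------
! The port stays open, but the inbound port ACL now decides what a host may
! do before authorization and after a failure. Only what a host needs to come
! up is allowed here; the exact permit list is an assumption for the example.
ip access-list extended PRE-AUTH
 remark assumed example: let a host get an address and resolve names only
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
interface FastEthernet0/1
 ip access-group PRE-AUTH in
 authentication open
 authentication host-mode multi-auth
 authentication port-control auto
 mab
! On "Authz Success" the RADIUS server can return a downloadable ACL
! (cisco-av-pair ip:inacl#...) or a Filter-Id; that per-session ACL then
! replaces PRE-AUTH for the authorized host. A failed host stays behind
! PRE-AUTH.

! ---- Phase 3: remove open mode ---------------------------------------------
! Once every host authenticates, drop "authentication open"; a failed
! session no longer forwards anything, ACL or not.
interface FastEthernet0/1
 no authentication open

! ---- Checks ----------------------------------------------------------------
! Per-session state, including the ACL applied to each authorized host.
! show authentication sessions interface FastEthernet0/1
! The inbound ACL currently in force on the port ("Inbound access list is").
! show ip interface FastEthernet0/1
```

The check to run after phase 2 is the one from the original post: if a DATA session still shows "Authz Failed", that host should now be limited to what PRE-AUTH permits, which "show ip interface FastEthernet0/1" confirms by listing the inbound ACL.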
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...