Users Guide

Authentication, Authorization, and Accounting
What is Monitor Mode?
Monitor mode is a special mode that can be enabled in conjunction with
802.1X authentication. It gives network administrators a way to identify
possible issues with the 802.1X configuration on the switch without affecting
network access for the users of the switch. It allows network access even
when authentication fails, but logs the results of the authentication process
for diagnostic purposes.

Monitor mode can be configured globally on a switch. If the switch fails
to authenticate a user for any reason (for example, a RADIUS access reject
from the RADIUS server, a RADIUS timeout, or a client that is itself
dot1x-unaware), the client is authenticated and is undisturbed by the failure
condition(s). The reasons for failure are logged for tracking purposes.
Table 9-11 provides a summary of the 802.1X Monitor Mode behavior.
Table 9-11. IEEE 802.1X Monitor Mode Behavior
| Case | Sub-case | Regular 802.1X | 802.1X Monitor Mode |
|---|---|---|---|
| RADIUS/IAS Success | Success | Port State: Permit; VLAN: Assigned; Filter: Assigned | Port State: Permit; VLAN: Assigned; Filter: Assigned |
| | Incorrect NAS Port | Port State: Deny | Port State: Permit; VLAN: Assigned |
| | Invalid VLAN Assignment | Port State: Deny | Port State: Permit; VLAN: Default PVID of the port |
| | Invalid Filter-ID | Port State: Deny | Port State: Permit; VLAN: Assigned |
| | Invalid DACL | Port State: Deny | Port State: Permit; DACL: Not Assigned; VLAN: Assigned |
| | Bad RADIUS packet | Port State: Deny | Port State: Permit; VLAN: Default PVID of the port |