Administrator Guide

Authentication, Authorization, and Accounting
When the guest VLAN capability is disabled, users authorized by the guest
VLAN are removed from the VLAN and denied network access.
What is Monitor Mode?
Monitor mode is a special mode that can be enabled in conjunction with
802.1X authentication. It gives network administrators a way to identify
possible issues with the 802.1X configuration on the switch without
affecting network access for the users of the switch. It allows network
access even when authentication fails, but logs the results of the
authentication process for diagnostic purposes.
Monitor mode can be configured globally on a switch. If the switch fails
to authenticate a user for any reason (for example, a RADIUS access reject
from the RADIUS server, a RADIUS timeout, or a client that is
dot1x-unaware), the client is authenticated and is undisturbed by the
failure condition(s). The reasons for failure are logged for tracking
purposes. Because a failed authentication still results in a permitted
port, monitor mode is a diagnostic aid and does not deny access on
authentication failure.
Table 10-11 provides a summary of the 802.1X Monitor Mode behavior.
Table 10-11. IEEE 802.1X Monitor Mode Behavior

Case                Sub-case                 Regular Dot1x        Dot1x Monitor Mode
------------------  -----------------------  -------------------  ------------------------------
RADIUS/IAS Success  Success                  Port State: Permit   Port State: Permit
                                             VLAN: Assigned       VLAN: Assigned
                                             Filter: Assigned     Filter: Assigned
                    Incorrect NAS Port       Port State: Deny     Port State: Permit
                                                                  VLAN: Assigned
                    Invalid VLAN Assignment  Port State: Deny     Port State: Permit
                                                                  VLAN: Default PVID of the port
                    Invalid Filter-id        Port State: Deny     Port State: Permit
                                                                  VLAN: Assigned
                    Bad RADIUS packet        Port State: Deny     Port State: Permit
                                                                  VLAN: Default PVID of the port