802.1X is designed to be binary by default. Successful authentication means the user is authorized to access the network. Unsuccessful authentication means the user has no access to the network. This paradigm does not lend itself very well to a modern organization. Most organizations need to do workstation imaging with Pre-Execution Environments (PXE), or may have some thin clients that have to boot with DHCP and don't have any way to run a supplicant.
Additionally, when early adopters of 802.1X deployed authentication companywide, there were repercussions. For example, supplicants were misconfigured, and unknown devices were unable to authenticate because they lacked a supplicant, among many other reasons.
Cisco created open authentication mode to aid with deployments. Open authentication allows all traffic to flow through the switchport even without the port being authorized. This feature allows authentication to be configured across the entire organization, while not denying access to any device.
Step 1. Set the port for open authentication.
Step 2. Enable MAC Authentication Bypass on the port.
Step 3. Enable the port to do IEEE 802.1X authentication.
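Because a port in open mode passes traffic whether or not authentication succeeds, it helps to track which ports are in that state. The following is an added example, not from the original page: a small audit that reads a saved running-config and reports, per interface, which of the three steps are present. The mapping of the steps to the IOS interface commands `authentication open`, `mab` and `dot1x pae authenticator`, the sample configuration and the state labels are assumptions of this example.

```python
import re

# Constructed sample of a Cisco IOS running-config (not from the original page).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication open
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 authentication open
!
"""

# Assumed mapping of the three steps to IOS interface commands.
STEPS = {
    "open": "authentication open",       # Step 1
    "mab": "mab",                        # Step 2
    "dot1x": "dot1x pae authenticator",  # Step 3
}

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any global command ends the block
    return interfaces

def audit(config):
    """Label each port: open, open-incomplete, closed or unprotected."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        have = {k for k, cmd in STEPS.items() if cmd in cmds}
        if "open" not in have:
            report[name] = "closed" if have else "unprotected"
        else:
            report[name] = "open" if len(have) == 3 else "open-incomplete"
    return report
```

Ports labelled `open` authenticate but never block traffic, `open-incomplete` ports pass traffic without attempting both authentication methods, and `closed` ports follow the binary default described at the top of the page.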