Phase 1: Monitor Mode

Monitor Mode works like an audit mode. Using logging data for validation, administrators use this mode to ensure that all devices are authenticating correctly, either with 802.1X or MAC Authentication Bypass (MAB). At the same time, the open authentication command used on the switch interfaces in Monitor Mode makes it possible to provide network access across your wired and wireless infrastructure without impacting your wired users or devices. If a device is misconfigured or is missing an 802.1X supplicant, the Open Authentication feature ensures that access is not denied; the event is simply logged (image below). When they deploy TrustSec in Monitor Mode, most organizations are surprised by the devices they find connected to the network that they were previously unaware of.

The next image shows a high-level flow of authentication in Monitor Mode.

Wireless environments with 802.1X are binary (just like 802.1X was designed to be), so when a user is unable to authenticate, they simply do not get access to the wireless network. Most users can accept this behavior and are willing to find a location with a physical network connection (wired) instead. While end users are mostly willing to accept an inability to join a wireless environment, they are much less understanding when faced with a lack of access to a wired network port.

As the image above indicates, Monitor Mode is a process, not just a command on a switch. The process uses a combination of RADIUS accounting packets and the Open Authentication and Multi-Auth features on your Cisco infrastructure, coupled with device profiling, to give the administrator visibility into who and what is connecting to the network and from where. If a device should be authenticating successfully but fails due to a misconfiguration, the administrator is informed through logging data and can correct the issue without denying network access to the user. The goal of Monitor Mode is to address any possible authentication issues before moving to the next phases.
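The following switch configuration sketches how the pieces named above (open authentication, multi-auth, 802.1X with MAB fallback, and RADIUS accounting) fit together on an access port. It is an added example, not taken from the original page. It uses the legacy `authentication` interface command syntax and assumes the interface name, the VLAN ID, and that RADIUS servers are already defined on the switch.

```cisco
! Constructed example: interface name and VLAN ID are placeholders.
! Assumes RADIUS servers are already defined on the switch.
!
! Global AAA: send 802.1X/MAB requests and accounting records to RADIUS.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Monitor Mode: traffic is allowed regardless of the authentication result.
 authentication open
 ! Allow several endpoints on one port, each authenticated separately.
 authentication host-mode multi-auth
 ! Try 802.1X first, then fall back to MAB for devices without a supplicant.
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Turn on port-based authentication; with "authentication open" present,
 ! failures are logged and reported to RADIUS but access is not denied.
 authentication port-control auto
 mab
 dot1x pae authenticator
```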