Phase 2: Closed Mode (formerly High-Security Mode)

The default 802.1X mode, which was previously called High-Security Mode, is now referred to as Closed Mode. Closed Mode is recommended only for IT environments that are experienced with 802.1X deployments and have considered all the nuances that go along with it. Closed Mode should be deployed with caution (see image below).

The main difference between Closed Mode and Monitor Mode or Low-Impact Mode is that the interface command authentication open is not used. That means any traffic prior to authentication will be dropped, including DHCP, DNS, and Address Resolution Protocol (ARP) traffic. Endpoints without a supplicant must wait for 802.1X to time out on the interface before MAB authentication starts. This delay can cause some endpoints to give up on the DHCP process, even after MAB succeeds. To address this problem, the 802.1X timer needs to be tweaked to accommodate such endpoints. For detailed information about Closed Mode, see the TrustSec How-To Guide: Closed Mode.
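The following access-port configuration is an added example, not taken from the original guide, showing a Closed Mode port with the 802.1X timer shortened so that MAB starts sooner. The interface name, VLAN number, and the tx-period value of 10 are assumptions to be adjusted to the environment.

```cisco
! Added example (not from the original guide).
! Interface name, VLAN and timer value are assumptions.
interface GigabitEthernet1/0/10
 description Closed Mode access port (constructed example)
 switchport mode access
 switchport access vlan 10
 !
 ! Closed Mode: "authentication open" is deliberately absent, so DHCP,
 ! DNS and ARP are dropped until the endpoint authenticates.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 !
 ! With the defaults (tx-period 30, max-reauth-req 2) the switch waits
 ! (2 + 1) x 30 = 90 seconds before falling back to MAB.
 ! Assumed tuned value: tx-period 10 gives (2 + 1) x 10 = 30 seconds.
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After applying, `show authentication sessions interface GigabitEthernet1/0/10` shows which method (dot1x or mab) authorized the endpoint, which helps confirm that supplicant-less devices reach MAB before their DHCP client gives up.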

The diagram below shows a high-level processing flow for Closed Mode.