The question of which 802.1X deployment mode to use is not answered by the switch — it is answered by your organization's risk tolerance, the maturity of your endpoint inventory, and how much time you have to remediate authentication failures before enforcement goes live. A campus access layer with 3,000 ports and an unknown endpoint population is a different problem from a greenfield branch office with 20 managed laptops.
This article covers the three Cisco deployment modes in the order you would typically use them during a phased rollout: Monitor Mode first, Low-Impact Mode second, Closed Mode last. Each mode is shown with a complete IOS XE 17.9.x configuration, a show command verification, and an honest assessment of the gaps.
What the Three Modes Control
Before diving into configuration, it is worth being precise about what these modes actually control at the port level.
The enforcement variable in 802.1X is not whether the switch attempts authentication — it is what the switch does with traffic before authentication completes, and what it does when authentication fails.
All three modes can run 802.1X authentication simultaneously. The difference is access policy:
| Mode | Pre-Auth Traffic | Auth Success | Auth Failure |
|---|---|---|---|
| Monitor Mode | Fully permitted | Authorized (no enforcement change) | Fully permitted |
| Low-Impact Mode | Limited (pre-auth ACL) | Authorized (VLAN/dACL applied) | Pre-auth ACL remains |
| Closed Mode | Blocked | Authorized (VLAN/dACL applied) | Auth-Fail VLAN or blocked |
In Monitor Mode, the switch never denies any traffic. The mode exists purely to generate authentication data — success and failure logs in ISE — without impacting users. In Closed Mode, unauthenticated traffic does not pass. Low-Impact Mode sits between them: a pre-authentication ACL permits specific traffic (DHCP, DNS, perhaps a remediation server) while blocking everything else until authentication completes.
Monitor Mode
Configuration
! Global AAA configuration
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! RADIUS server (ISE PSN)
radius server ISE-PSN-1
address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
key ISEsecret123
aaa group server radius ISE_SERVERS
server name ISE-PSN-1
! Global 802.1X
dot1x system-auth-control
! Interface configuration — Monitor Mode
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 10
authentication open
authentication port-control auto
authentication host-mode multi-auth
dot1x pae authenticator
spanning-tree portfast
The single command that defines Monitor Mode is authentication open. This directive tells the switch to permit all traffic on the port regardless of authentication outcome. The port behaves as if it is an open, uncontrolled port — but the switch still runs the full 802.1X state machine, sends EAP-Request/Identity frames, processes RADIUS responses, and logs the results.
Note that authentication port-control auto is still present. This is intentional. Without it, the switch does not initiate any 802.1X exchange. The auto setting starts the authentication process; authentication open simply removes the consequence of failure.
What Happens in ISE During Monitor Mode
Configure an ISE authorization rule that returns PermitAccess for all endpoints — regardless of identity group or device type. Navigate to Policy > Policy Sets > [Your Policy Set] > Authorization Rules and create a catch-all rule at the bottom of the rule list:
- Rule Name:
Monitor-Mode-PermitAll - Conditions: Any
- Authorization Profile:
PermitAccess(built-in)
This ensures that even endpoints that fail EAP authentication receive a PermitAccess result, which aligns with the authentication open behavior on the switch. ISE still logs the failure reason in Operations > RADIUS > Live Logs, giving you the inventory and failure data you need.
What You Learn from Monitor Mode
After running Monitor Mode for 2-4 weeks on a production access layer segment, ISE live logs will show you:
- Which endpoint types are authenticating successfully with dot1x
- Which endpoints are falling back to MAB and why
- Which endpoints are generating Access-Reject (wrong credentials, missing cert, AD lookup failure)
- Which VLANs endpoints are being assigned to (if you configure the policy to return VLAN attributes even in Monitor Mode)
This data becomes the remediation list before you move to Low-Impact Mode.
Verification
SW1# show authentication sessions interface GigabitEthernet1/0/1 details
Interface: GigabitEthernet1/0/1
MAC Address: a4b1.c2d3.e4f5
User-Name: CORP\jsmith
Status: Auth
Domain: DATA
Security Policy: Open
Security Status: Unsecured
Oper host mode: multi-auth
Oper control dir: both
Current Policy: POLICY_Gi1/0/1
Method status list:
Method State
dot1x Authc Success
Security Policy: Open — this is the definitive indicator that the port is in Monitor Mode. Even though dot1x shows Authc Success, the Open policy means traffic is not restricted. An endpoint that shows dot1x: Authc Failed in Monitor Mode will also show Status: Auth because authentication open overrides the failure.
Monitor Mode Limitations
Monitor Mode has two important gaps that are often misunderstood:
-
Dynamic VLAN assignment does not redirect traffic. If ISE returns a VLAN attribute in the Access-Accept, the switch logs the attribute but does not move the port. The endpoint stays in whatever VLAN the
switchport access vlancommand specifies. This is by design — enforcement is off. -
dACLs are received but not enforced. The switch will download an ACL name from ISE but will not apply it to the port interface. Confirming this is simple:
show authentication sessions interface X detailswill show the ACL name underServer Policies, butshow ip access-listswill not show the ACL applying matches to port traffic.
Low-Impact Mode
Low-Impact Mode is the most operationally complex of the three modes because it introduces a pre-authentication ACL — a static ACL applied to the port before any endpoint authenticates. The pre-auth ACL defines what limited traffic is permitted to unauthenticated endpoints. After authentication succeeds, ISE pushes a dACL or VLAN assignment that replaces or supplements the pre-auth ACL.
Pre-Authentication ACL Design
The pre-auth ACL must permit the minimum set of traffic needed for an endpoint to reach authentication infrastructure:
- DHCP (UDP 67/68) — to obtain an IP address
- DNS (UDP/TCP 53) — to resolve domain names needed for authentication
- ICMP — recommended for troubleshooting, optional in strict environments
- Any remediation or profiling traffic specific to your environment
ip access-list extended PREAUTH-ACL
10 permit udp any host 255.255.255.255 eq 67
20 permit udp any any eq 68
30 permit udp any host 10.0.0.10 eq 53
40 permit tcp any host 10.0.0.10 eq 53
50 permit icmp any any
60 deny ip any any
This ACL permits DHCP broadcast, DNS to ISE's IP (if ISE is running DNS, otherwise substitute your DNS server IP), and ICMP. Everything else is denied.
Interface Configuration
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 10
ip access-group PREAUTH-ACL in
authentication event fail action authorize vlan 40
authentication event no-response action authorize vlan 40
authentication port-control auto
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Note that authentication open is absent. This is the critical difference from Monitor Mode. The ip access-group PREAUTH-ACL in applies the pre-auth ACL immediately when the port comes up.
After a successful 802.1X or MAB authentication, ISE pushes the authorization attributes. If ISE returns a dACL, the switch replaces the per-port ACL with the dACL for that session. If ISE returns a VLAN attribute, the switch moves the port to the assigned VLAN. For a full walkthrough of dACL application, see Article 16: Downloadable ACLs (dACLs) with Cisco ISE and 802.1X.
Verification
SW1# show authentication sessions interface GigabitEthernet1/0/2 details
Interface: GigabitEthernet1/0/2
MAC Address: a4b1.c2d3.e4f5
User-Name: CORP\jsmith
Status: Auth
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecured
Oper host mode: multi-auth
Oper control dir: both
Current Policy: POLICY_Gi1/0/2
Server Policies:
Vlan Group: Vlan: 10
ACS ACL: xAUTHORIZED-USERS-ACL
Method status list:
Method State
dot1x Authc Success
Security Policy: Should Secure — this is the indicator for Low-Impact Mode. The port is attempting authentication and enforcing policy, but it is not in the strictest closed posture.
ISE Authorization Profile for Low-Impact Mode
In ISE, navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Create a profile for authenticated users:
- Profile name:
Corp-Users-VLAN10 - VLAN:
10 - Downloadable ACL Name:
AUTHORIZED-USERS-ACL(must exist in ISE under Policy > Policy Elements > Results > Authorization > Downloadable ACLs)
The dACL in ISE for corporate users might look like:
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 389
permit tcp any any eq 636
permit udp any any eq 53
deny ip any any
This is stricter than the pre-auth ACL and is enforced per-session after authentication.
Pre-Auth ACL Interaction with dACL
A common source of confusion: when a dACL is pushed after authentication, does the pre-auth ACL stay or go? The behavior depends on whether the dACL replaces or appends. On IOS XE with the ip access-group command applied at the interface level and a dACL applied per session, the dACL is enforced at the session level, and the interface-level pre-auth ACL continues to apply to unauthenticated sessions on the same port (relevant in multi-auth host mode where multiple endpoints may be in different auth states simultaneously).
Closed Mode
Closed Mode is the fully enforced state. No traffic passes from an unauthenticated endpoint. The port remains in an unauthorized VLAN (or completely blocked) until the authentication sequence completes. Closed Mode is appropriate for environments that have completed a Monitor Mode and Low-Impact Mode cycle and have high confidence that all production endpoints authenticate correctly.
Interface Configuration
interface GigabitEthernet1/0/3
switchport mode access
switchport access vlan 10
authentication event fail action authorize vlan 40
authentication event no-response action authorize vlan 40
authentication event server dead action authorize vlan 50
authentication event server alive action reinitialize
authentication port-control auto
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
No authentication open. No pre-auth ACL. The port is fully controlled by the 802.1X state machine. An endpoint that does not successfully authenticate lands in VLAN 40 (Auth-Fail VLAN) or VLAN 40 for no-response (no supplicant detected), or VLAN 50 (Critical VLAN) if ISE is unreachable.
For a full explanation of Guest VLAN, Auth-Fail VLAN, and Critical VLAN behavior, see Article 15: Guest VLAN, Auth-Fail VLAN, and Critical VLAN in 802.1X.
Verification
SW1# show authentication sessions interface GigabitEthernet1/0/3
Interface MAC Address Method Domain Status Session ID
Gi1/0/3 001e.7a3b.9c12 dot1x DATA Auth 0A00630A0000002A
SW1# show authentication sessions interface GigabitEthernet1/0/3 details
Interface: GigabitEthernet1/0/3
MAC Address: 001e.7a3b.9c12
User-Name: CORP\jdoe
Status: Auth
Domain: DATA
Security Policy: Restrict
Security Status: Secured
Oper host mode: multi-auth
Oper control dir: both
Server Policies:
Vlan Group: Vlan: 10
Method status list:
Method State
dot1x Authc Success
Security Policy: Restrict / Security Status: Secured — this is the Closed Mode indicator. The port is fully under authentication control and is only passing traffic because authentication succeeded.
VLAN Assignment Behavior Across Modes
Dynamic VLAN assignment (see Article 14: Dynamic VLAN Assignment with 802.1X and Cisco ISE) behaves differently across modes:
| Mode | VLAN Assignment Applied? | Notes |
|---|---|---|
| Monitor Mode | No | Attribute received, logged, not enforced |
| Low-Impact Mode | Yes | Port moved to assigned VLAN after auth |
| Closed Mode | Yes | Port moved to assigned VLAN after auth |
This is why it is important not to skip Low-Impact Mode during deployment. If you jump from Monitor Mode to Closed Mode without validating VLAN assignment behavior, you may discover that some endpoints receive an unexpected VLAN and lose connectivity immediately.
Choosing the Right Mode for Each Environment
Corporate Campus Access Layer
Start in Monitor Mode for 30 days. After validating that 95%+ of endpoints authenticate, move to Low-Impact Mode. After validating VLAN assignment and dACL application, move conference room ports to Closed Mode first (lower risk — intermittent use means failures are quickly noticed but impact is limited). Then roll out Closed Mode to workstation ports in phases by building or floor.
Branch Office (20-50 endpoints, all managed)
If all endpoints are domain-joined Windows devices with certificates deployed via GPO, you can go directly to Low-Impact Mode with a short Monitor Mode validation period (1-2 weeks). Branch offices often have simpler endpoint populations and fewer exceptions, making the jump to Closed Mode faster.
Data Center Access Ports
Server ports rarely run a supplicant. Use MAB for servers with known MACs registered in ISE. In a data center, Closed Mode is appropriate because the MAC-to-port mapping is stable and inventory is controlled. Use authentication host-mode single-host on server ports — one MAC per port, no multi-auth complexity.
Conference Rooms and Hoteling Areas
These areas consistently have the highest rate of authentication failures because visitors bring unmanaged devices. Low-Impact Mode with a Guest VLAN configured as the no-response fallback is the right posture. Full Closed Mode in conference rooms with no guest onboarding process will result in every visitor generating a helpdesk ticket.
Changing Modes in Production
When moving a deployed port from Monitor Mode to Low-Impact Mode or Closed Mode, the transition requires a brief authentication interruption on the port. The endpoint must re-authenticate after the config change. On IOS XE, you can force a re-authentication without bouncing the port:
SW1# authentication reinitialize interface GigabitEthernet1/0/3
Or for all sessions on the switch:
SW1# authentication reinitialize all
Plan for a 10-30 second reconnection delay per port as the re-authentication cycle completes. On a 48-port access switch with all ports active, authentication reinitialize all will trigger 48 concurrent authentication attempts. ISE 3.2 can handle this load, but if you are making the change across many switches simultaneously, stagger the reinitializations.
Troubleshooting
Symptom: After removing authentication open (moving from Monitor Mode to Low-Impact or Closed), endpoints in a specific building lose network access
Cause: Those endpoints were previously relying on Monitor Mode's open access to pass traffic despite authentication failure. The endpoint population in that building has a higher failure rate than expected — common causes include expired certificates, machines not re-joined to AD after a rebuild, or non-standard OS versions.
Fix: Temporarily restore authentication open on the affected ports to restore connectivity. Run show authentication sessions to identify the specific MACs and failure methods. Cross-reference with ISE live logs to find the failure reason for each. Remediate each class of failure before removing authentication open again.
Symptom: In Low-Impact Mode, endpoints get DHCP but cannot reach anything else after authentication succeeds
Cause: The post-auth dACL from ISE is more restrictive than expected, or the VLAN assignment changed the endpoint's subnet, causing an IP conflict. The pre-auth ACL permits DHCP, but after auth, the dACL takes effect and may be blocking traffic that the endpoint expects.
Fix: Run show authentication sessions interface X details to confirm which dACL was applied. Run show ip access-lists [dACL-name] and check hit counts. In ISE, review the Authorization Profile under Policy > Policy Elements > Results > Authorization > Authorization Profiles and verify the dACL content. The dACL in ISE must include all traffic classes that the endpoint needs, not just web traffic.
Symptom: In Closed Mode, phones have no audio and appear in VLAN 40 (Auth-Fail VLAN) instead of VLAN 20 (Voice)
Cause: The phone is using a different authentication method than expected, or the ISE policy is not correctly identifying the phone's device type. Multi-Domain Authentication (MDA) on the port assigns phones to the VOICE domain and workstations to the DATA domain. If the phone's 802.1X EAP-MD5 or MAB authentication fails, it lands in the fallback VLAN configured for the voice domain — which defaults to the same auth-fail VLAN as data if not separately configured.
Fix: Review the interface config. For MDA with Cisco IP Phones, see Article 17: 802.1X with IP Phones: Configuring Multi-Domain Authentication on Cisco IOS XE. In ISE, navigate to Policy > Policy Sets > [Policy Set] > Authorization Rules and confirm that the phone's MAC OUI or CDP-profiled device type matches the voice authorization rule. Verify authentication host-mode multi-domain is set on the interface.
What's Next: Article 27: Phased 802.1X Deployment Strategy for Enterprise Networks — Knowing the three deployment modes is step one. Article 27 maps out the full phased rollout plan — from the pre-deployment audit through Monitor Mode validation, Low-Impact Mode testing, and Closed Mode enforcement — with timelines, success criteria, and the change management considerations that determine whether the project succeeds or stalls.
