Wednesday, August 7, 2019

802.1X Phased Deployment

802.1X can be implemented using a phased deployment model that allows for limited impact on network access while gradually introducing authentication and authorization. 


  • Phased approach for 802.1X deployment
  • Gradual authorization enforcement
  • Visibility into who will succeed and who will fail
    1. Determine the failure reason
    2. Remediate before implementing stronger enforcement
  • Modes:
    1. Monitor mode
    2. Low impact mode
    3. Closed mode
  • This figure summarizes the preauthentication and post-authentication behavior of the three 802.1X deployment phases: monitor, low-impact, and closed modes.

  • In monitor mode, the open access feature overrides the normal behavior of blocking traffic on an 802.1X-enabled port until authentication and authorization succeed. Full access is provided regardless of the authentication results.
  • In low-impact mode, a pre-authentication ACL is added to the port to permit some basic connectivity. After successful authentication, options to enforce authorization policy include downloadable ACLs, dynamic VLAN assignment and security group tags.
  • In closed mode, only EAPOL traffic is permitted until the user authenticates. After successful authentication, options to enforce authorization policy include downloadable ACLs, dynamic VLAN assignment and security group tags. The authorization options available in closed mode are identical to the options available in low-impact mode.
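
The visibility step above (see who would fail, determine the reason, remediate before enforcing) can be run as a readiness check over authentication results collected in monitor mode. This is an added example, not part of the original post; the log format, field names and failure reasons are constructed for illustration.

```python
from collections import Counter

# Constructed sample: one record per authentication attempt logged while ports
# run in monitor mode (open access). Field names and reasons are hypothetical.
SAMPLE_LOG = """\
2019-08-01T08:00:02 port=Gi1/0/1 mac=00:11:22:33:44:01 result=PASS reason=-
2019-08-01T08:00:05 port=Gi1/0/2 mac=00:11:22:33:44:02 result=FAIL reason=unknown-identity
2019-08-01T08:01:10 port=Gi1/0/3 mac=00:11:22:33:44:03 result=FAIL reason=no-supplicant-response
2019-08-01T08:03:40 port=Gi1/0/2 mac=00:11:22:33:44:02 result=PASS reason=-
2019-08-01T08:04:00 port=Gi1/0/4 mac=00:11:22:33:44:04 result=FAIL reason=expired-certificate
2019-08-01T08:09:15 port=Gi1/0/3 mac=00:11:22:33:44:03 result=FAIL reason=no-supplicant-response
"""

def parse(log_text):
    """Yield one dict per well-formed line; skip blank and malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if {"port", "mac", "result", "reason"} <= fields.keys():
            fields["time"] = parts[0]
            yield fields

def readiness_report(log_text):
    """Judge each endpoint by its most recent attempt, so remediated hosts drop out."""
    latest = {}
    for rec in parse(log_text):
        key = rec["mac"].lower()
        # ISO 8601 timestamps in a single timezone sort correctly as strings.
        if key not in latest or rec["time"] >= latest[key]["time"]:
            latest[key] = rec
    would_fail = {m: r for m, r in latest.items() if r["result"] != "PASS"}
    reasons = Counter(r["reason"] for r in would_fail.values())
    return {"seen": len(latest), "would_fail": would_fail, "reasons": reasons}

def ready_for_enforcement(log_text):
    """True only if endpoints were observed and none would fail under enforcement."""
    report = readiness_report(log_text)
    return report["seen"] > 0 and not report["would_fail"]

if __name__ == "__main__":
    report = readiness_report(SAMPLE_LOG)
    for mac, rec in sorted(report["would_fail"].items()):
        print(f"{mac} on {rec['port']}: {rec['reason']}")
    print("failure reasons:", dict(report["reasons"]))
    print("ready for low-impact/closed mode:", ready_for_enforcement(SAMPLE_LOG))
```

An empty log is reported as not ready, since a port with no observed authentications gives no evidence that its endpoints would pass.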
