Cisco Dot1x Disabled

Detects the manual disabling of IEEE 802.1X (dot1x) on a Cisco network device, either on a single interface or globally. Disabling dot1x bypasses Network Access Control (NAC), potentially allowing unauthorized devices onto the internal network. Attackers and malicious insiders use this to establish persistence or to move laterally via rogue devices.

Sigma rule

title: Cisco Dot1x Disabled
id: ef0ff092-a24a-4fbc-beea-06c08d53e085
status: experimental
description: |
    Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface.
    Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network.
    This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
references:
    - https://www.cisco.com/en/US/docs/ios-xml/ios/san/command/san-xe-3se-3850-cr-book_chapter_00.html#wp3394428680 # Modern IOS-XE
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3850-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_010.html#wp3502072400 # Older IOS
    - https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/command/reference/2960ComRef/cli1.html#47220 # Legacy
author: Luc Génaux
date: 2026-04-28
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1685
    - attack.t1556.004
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        # xxx port-control force-authorized : disables 802.1X authentication and causes the port to change to the authorized state without any authentication exchange required
        # no xxx port-control : causes the port to fall back to the default setting, which is "force-authorized", thereby disabling 802.1X
        - 'access-session port-control force-authorized' # Modern IOS-XE
        - 'authentication port-control force-authorized' # Older IOS
        - 'dot1x port-control force-authorized' # Legacy
        - 'no access-session port-control' # Modern IOS-XE
        - 'no authentication port-control' # Older IOS
        - 'no dot1x port-control' # Legacy
        - 'no dot1x system-auth-control' # disables 802.1X globally
    condition: keywords
falsepositives:
    - Administrator troubleshooting connectivity issues
level: medium
# regression_tests_path: regression_data/rules/cisco/aaa/cisco_cli_dot1x_disabled/info.yml
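The rule is a plain keyword match, which tells you that dot1x was turned off but not where. The script below is an added example (not part of the rule or of SigmaHQ) that runs the rule's keyword list over a few constructed Cisco command-log lines and enriches each hit with the interface that was being configured, by remembering the preceding `interface ...` command per device and user. The log line shape (Cisco's config-logger syslog `%PARSER-5-CFGLOG_LOGGEDCMD`) and the host names, user names and timestamps are assumptions for the example; a real deployment of the `cisco`/`aaa` logsource may feed TACACS+ command accounting instead, in which case only the parsing regex needs to change.

```python
"""Keyword detection for the 'Cisco Dot1x Disabled' Sigma rule, with
interface-context enrichment.  Added example: the log format, hosts and
users below are constructed, not taken from the rule or from Cisco data."""
import re
from typing import Optional

# Keyword list copied from the rule's detection block.  Sigma 'keywords'
# are evaluated here as case-insensitive substring matches.
KEYWORDS = [
    "access-session port-control force-authorized",  # modern IOS-XE
    "authentication port-control force-authorized",  # older IOS
    "dot1x port-control force-authorized",           # legacy
    "no access-session port-control",                # modern IOS-XE
    "no authentication port-control",                # older IOS
    "no dot1x port-control",                         # legacy
    "no dot1x system-auth-control",                  # global disable
]
GLOBAL_DISABLE = "no dot1x system-auth-control"

# Constructed sample log in the shape of Cisco's config-logger syslog
# message (%PARSER-5-CFGLOG_LOGGEDCMD).  Assumed format for this example.
SAMPLE_LOG = """\
<189>Apr 28 09:12:01 sw-access-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:interface GigabitEthernet1/0/7
<189>Apr 28 09:12:04 sw-access-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:authentication port-control force-authorized
<189>Apr 28 09:30:11 sw-access-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet1/0/8
<189>Apr 28 09:30:15 sw-access-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:authentication port-control auto
<189>Apr 28 11:02:40 sw-access-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:no dot1x system-auth-control
<189>Apr 28 11:05:00 sw-access-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:interface GigabitEthernet1/0/9
<189>Apr 28 11:05:03 sw-access-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:no authentication port-control
"""

# Optional syslog priority, timestamp, host, then the config-logger body.
LOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d{1,2}\s+[\d:]+)\s+(?P<host>\S+)\s+"
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s+User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)


def matched_keyword(text: str) -> Optional[str]:
    """Return the first rule keyword contained in text (case-insensitive), else None."""
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            return kw
    return None


def detect(log_text: str) -> list[dict]:
    """Run the rule over a log and attach the interface each port-level hit applies to."""
    hits: list[dict] = []
    # Port-level commands are only valid inside 'interface X' config mode,
    # so remember the last interface entered per (host, user) session.
    context: dict[tuple[str, str], str] = {}
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # not a config-logger line; ignore
        host, user, cmd = m["host"], m["user"], m["cmd"].strip()
        key = (host, user)
        iface = re.match(r"^interface\s+(\S+)", cmd, re.IGNORECASE)
        if iface:
            context[key] = iface.group(1)
            continue
        if cmd.lower() in ("exit", "end"):
            context.pop(key, None)  # left interface config mode
            continue
        kw = matched_keyword(cmd)
        if kw is None:
            continue
        is_global = kw == GLOBAL_DISABLE
        hits.append({
            "timestamp": m["ts"],
            "host": host,
            "user": user,
            "command": cmd,
            "keyword": kw,
            "scope": "global" if is_global else "interface",
            "interface": None if is_global else context.get(key),
        })
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(f"{h['timestamp']} {h['host']} user={h['user']} scope={h['scope']} "
              f"interface={h['interface']} cmd='{h['command']}'")
```

On the sample log this yields three hits: the `force-authorized` change on GigabitEthernet1/0/7, the global `no dot1x system-auth-control` on the second switch, and the `no authentication port-control` reset on GigabitEthernet1/0/9. The benign `authentication port-control auto` line does not fire, as intended. The per-session interface tracking is what turns a keyword alert into something an analyst can act on (which port, which user), and it is the piece a SIEM would normally have to do with a sequence or correlation search.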
