Cisco Dot1x Disabled

Original Source: [Sigma source]
Title: Cisco Dot1x Disabled
Status: experimental
Description: Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface. Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network. This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
References:
  - https://www.cisco.com/en/US/docs/ios-xml/ios/san/command/san-xe-3se-3850-cr-book_chapter_00.html#wp3394428680
  - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3850-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_010.html#wp3502072400
  - https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/command/reference/2960ComRef/cli1.html#47220
Author: Luc Génaux
Date: 2026-04-28
Modified: None
Tags:
  • attack.defense-evasion
  • attack.persistence
  • attack.credential-access
  • attack.t1562.001
  • attack.t1556.004
Logsource:
  • product: cisco
  • service: aaa
Detection:
  keywords:
    - 'access-session port-control force-authorized'
    - 'authentication port-control force-authorized'
    - 'dot1x port-control force-authorized'
    - 'no access-session port-control'
    - 'no authentication port-control'
    - 'no dot1x port-control'
    - 'no dot1x system-auth-control'
  condition: keywords
Falsepositives:
  - Administrator troubleshooting connectivity issues
Level: medium
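The following is an added example, not part of the Sigma rule or the Cisco documentation it references. It runs the rule's keyword list over a handful of constructed syslog lines whose format loosely imitates IOS configuration-change logging (the `%PARSER-5-CFGLOG_LOGGEDCMD` message produced by `archive log config`); the lines, usernames, hostnames and interface are invented. Keywords are matched case-insensitively with whitespace collapsed, which is how a Sigma `keywords` list behaves, and the sample includes two deliberate non-matches: `authentication port-control auto` (re-enabling NAC, not disabling it) and an abbreviated `no dot1x port-c`, which the rule will not catch if the platform logs commands as typed rather than expanded.

```python
import re

# Keyword list copied verbatim from the rule's detection section.
KEYWORDS = [
    "access-session port-control force-authorized",
    "authentication port-control force-authorized",
    "dot1x port-control force-authorized",
    "no access-session port-control",
    "no authentication port-control",
    "no dot1x port-control",
    "no dot1x system-auth-control",
]

# Constructed sample log lines (assumption: not real device output, hostnames and
# users are invented). Format imitates IOS "archive log config" messages.
SAMPLE_LOGS = [
    "Apr 28 10:01:02 sw1 123: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet1/0/7",
    "Apr 28 10:01:05 sw1 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no dot1x port-control",
    "Apr 28 10:02:11 sw1 125: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:authentication port-control auto",
    "Apr 28 10:03:44 sw1 126: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:Access-Session Port-Control Force-Authorized",
    "Apr 28 10:05:00 sw1 127: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:no dot1x system-auth-control",
    "Apr 28 10:06:30 sw1 128: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:no dot1x port-c",
]

USER_RE = re.compile(r"User:(\S+)")
CMD_RE = re.compile(r"logged command:(.*)$")


def normalize(line):
    """Collapse runs of whitespace and lowercase, mirroring Sigma's
    case-insensitive keyword matching."""
    return re.sub(r"\s+", " ", line).strip().lower()


def matched_keywords(line):
    """Return every rule keyword contained in the normalized line."""
    text = normalize(line)
    return [k for k in KEYWORDS if k in text]


def enrich(line):
    """Pull the acting user and the logged command out of a hit so the alert
    carries the fields an analyst triages on."""
    user = USER_RE.search(line)
    cmd = CMD_RE.search(line)
    return {
        "user": user.group(1) if user else None,
        "command": cmd.group(1).strip() if cmd else None,
    }


def run_detection(lines):
    """Apply the rule to an iterable of log lines; return one hit per matching line."""
    hits = []
    for line in lines:
        kws = matched_keywords(line)
        if kws:
            hit = enrich(line)
            hit["keywords"] = kws
            hit["raw"] = line
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOGS):
        print(f"{hit['user']}: {hit['command']}  <- {hit['keywords']}")
```

On the sample above three lines fire (the `no dot1x port-control`, the mixed-case `force-authorized`, and the global `no dot1x system-auth-control`); the `auto` line and the abbreviated command do not. If your platform records abbreviated commands verbatim, pair this rule with AAA command accounting or config-diff logging that emits the expanded form, or you will miss exactly the operator who types the fewest characters.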