https://community.cisco.com/t5/network-access-control/authentication-host-mode/m-p/2306817#M103129 <P>Dears,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; i have strange issue with dot1x , when i configured the port as multi-domain it is working if IP phone connected.</P><P>if IP phone removed and PC connected directly to the switch port the PC can't work properly although it authentciated ,autorized and have the proper IP address.</P><P>when i changed to single-host it is working properly.</P><P></P><P>Thanks,</P><P>Ibrahim</P> Mon, 11 Mar 2019 03:49:06 GMT ibrahim_hassan 2019-03-11T03:49:06Z https://community.cisco.com/t5/network-access-control/authentication-host-mode/m-p/2306817#M103129 <P>Dears,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; i have strange issue with dot1x , when i configured the port as multi-domain it is working if IP phone connected.</P><P>if IP phone removed and PC connected directly to the switch port the PC can't work properly although it authentciated ,autorized and have the proper IP address.</P><P>when i changed to single-host it is working properly.</P><P></P><P>Thanks,</P><P>Ibrahim</P> Mon, 11 Mar 2019 03:49:06 GMT https://community.cisco.com/t5/network-access-control/authentication-host-mode/m-p/2306817#M103129 ibrahim_hassan 2019-03-11T03:49:06Z https://community.cisco.com/t5/network-access-control/authentication-host-mode/m-p/2306818#M103148 <HTML><HEAD></HEAD><BODY><P>Hello Ibrahim</P><P></P><P>This is really a strange issue. However please review the few steps which are given below:</P><P></P><P style="margin-bottom: 0.0001pt; line-height: normal;">Enable Multi-Auth host mode. Multi-Auth is essentially a superset of Multi-Domain Authentication</P><P style="margin-bottom: 0.0001pt; line-height: normal;">(MDA). MDA only allows a single endpoint in the data domain. When multi-auth is configured, a single</P><P style="margin-bottom: 0.0001pt; line-height: normal;">authenticated phone is allowed in the voice domain (as with MDA) but an unlimited number of data</P><P style="margin-bottom: 0.0001pt; line-height: normal;">devices can be authenticated in the data domain.</P><P></P><P style="margin-bottom: 0.0001pt; line-height: normal;">! Allow voice + multiple endpoints on same physical access port</P><P style="margin-bottom: 0.0001pt; line-height: normal;">authentication host-mode multi-auth</P><P></P><P style="margin-bottom: 0.0001pt; line-height: normal;"><STRONG>• </STRONG>Ensure that the RADIUS probe is enabled in Cisco ISE.</P><P style="margin-bottom: 0.0001pt; line-height: normal;"><STRONG>• </STRONG>Ensure that network access devices support an IOS sensor for collecting DHCP, CDP, and LLDP</P><P style="margin-bottom: 0.0001pt; line-height: normal;">&nbsp; information.</P><P style="margin-bottom: 0.0001pt; line-height: normal;"><STRONG>• </STRONG>Ensure that network access devices run the following CDP and LLDP commands to capture CDP</P><P style="margin-bottom: 0.0001pt; line-height: normal;">&nbsp; and LLDP information from endpoints:</P><P></P><P style="margin-bottom: 0.0001pt; line-height: normal;">cdp enable</P><P style="margin-bottom: 0.0001pt; line-height: normal;">lldp run</P><P></P><P style="margin-bottom: 0.0001pt; line-height: normal;"><STRONG>• </STRONG>Ensure that session accounting is enabled separately, by using the standard AAA and RADIUS</P><P style="margin-bottom: 0.0001pt; line-height: normal;">&nbsp; commands.</P><P></P><P style="margin-bottom: 0.0001pt; line-height: normal;">For example, use the following commands:</P><P style="margin-bottom: 0.0001pt; line-height: normal;">aaa new-model</P><P style="margin-bottom: 0.0001pt; line-height: normal;">aaa accounting dot1x default start-stop group radius</P><P style="margin-bottom: 0.0001pt; line-height: normal;">radius-server host <IP> auth-port <PORT> acct-port <PORT> key <SHARED-SECRET></SHARED-SECRET></PORT></PORT></IP></P><P style="margin-bottom: 0.0001pt; line-height: normal;">radius-server vsa send accounting</P><P></P><P style="margin-bottom: 0.0001pt; line-height: normal;">Thanks:</P><P></P><P style="margin-bottom: 0.0001pt; line-height: normal;">Muhammad Munir</P><P></P><P style="margin-bottom: 0.0001pt; line-height: normal;"><STRONG><PLEASE rate="" the="" helpful="" answer=""></PLEASE></STRONG></P></BODY></HTML> Wed, 28 Aug 2013 04:20:07 GMT https://community.cisco.com/t5/network-access-control/authentication-host-mode/m-p/2306818#M103148 Muhammad Munir 2013-08-28T04:20:07Z https://community.cisco.com/t5/network-access-control/authentication-host-mode/m-p/2306819#M103231 <HTML><HEAD></HEAD><BODY><P>Specify the settings here to&nbsp; ensure the switch is able to appropriately handle RADIUS Change of&nbsp; Authorization behavior supporting Posture functions from Cisco ISE.</P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.pdf">http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.pdf</A></P></BODY></HTML> Thu, 05 Sep 2013 15:10:49 GMT https://community.cisco.com/t5/network-access-control/authentication-host-mode/m-p/2306819#M103231 aqjaved 2013-09-05T15:10:49Z