https://community.cisco.com/t5/network-access-control/authentication-host-mode-multi-auth/m-p/4280173#M565040 <P>See <A href="https://community.cisco.com/t5/security-documents/cisco-ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self">ISE Secure Wired Access Prescriptive Deployment Guide</A> &gt; <A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-883346157" target="_self">MAC Limits</A> :</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">This does not limit the number of endpoints from connecting or authenticating on the port. Use <FONT face="courier new,courier">limit address-count <EM>maximum</EM></FONT> CLI under the device-tracking policy to limit the number of endpoints allowed to use identity-based services.</P> <PRE class="lia-indent-padding-left-30px">c9300-Sw(config)#device-tracking policy IPDT_POLICY c9300-Sw(config-device-tracking)#no protocol udp c9300-Sw(config-device-tracking)#tracking enable c9300-Sw(config-device-tracking)#<STRONG>limit address-count 10</STRONG> &nbsp;</PRE> <P>&nbsp;</P> Tue, 26 Jan 2021 23:52:05 GMT thomas 2021-01-26T23:52:05Z https://community.cisco.com/t5/network-access-control/authentication-host-mode-multi-auth/m-p/4279962#M565024 <P>if you configure AUTHENTICATION HOST-MODE MULTI-AUTH on your switch port allowing a single device in the voice domain and multiple devices on the data domain, is it possible to limit the number of devices on the data domain. For example, a single phone and 2 devices but not 3.</P><P>&nbsp;</P><P>thanks</P> Tue, 26 Jan 2021 18:33:22 GMT https://community.cisco.com/t5/network-access-control/authentication-host-mode-multi-auth/m-p/4279962#M565024 Pete C 2021-01-26T18:33:22Z https://community.cisco.com/t5/network-access-control/authentication-host-mode-multi-auth/m-p/4280020#M565026 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/562198">@Pete C</a>&nbsp;</P><P>&nbsp;</P><P>&nbsp;please take a look at the following presentation: <A href="https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2018/pdf/BRKSEC-3690.pdf" target="_blank" rel="noopener">Cisco Live BRKSEC-3690</A>. (search for <STRONG>ip device tracking</STRONG>).</P><P>&nbsp;</P><P>Hope this helps !!!</P> Tue, 26 Jan 2021 19:38:15 GMT https://community.cisco.com/t5/network-access-control/authentication-host-mode-multi-auth/m-p/4280020#M565026 Marcelo Morais 2021-01-26T19:38:15Z https://community.cisco.com/t5/network-access-control/authentication-host-mode-multi-auth/m-p/4280173#M565040 <P>See <A href="https://community.cisco.com/t5/security-documents/cisco-ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self">ISE Secure Wired Access Prescriptive Deployment Guide</A> &gt; <A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-883346157" target="_self">MAC Limits</A> :</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">This does not limit the number of endpoints from connecting or authenticating on the port. Use <FONT face="courier new,courier">limit address-count <EM>maximum</EM></FONT> CLI under the device-tracking policy to limit the number of endpoints allowed to use identity-based services.</P> <PRE class="lia-indent-padding-left-30px">c9300-Sw(config)#device-tracking policy IPDT_POLICY c9300-Sw(config-device-tracking)#no protocol udp c9300-Sw(config-device-tracking)#tracking enable c9300-Sw(config-device-tracking)#<STRONG>limit address-count 10</STRONG> &nbsp;</PRE> <P>&nbsp;</P> Tue, 26 Jan 2021 23:52:05 GMT https://community.cisco.com/t5/network-access-control/authentication-host-mode-multi-auth/m-p/4280173#M565040 thomas 2021-01-26T23:52:05Z