DOT1X authentication host-mode

Ian Cowley — Mon, 11 Mar 2019 04:56:48 GMT

Question - which to choose?

Scenarios with devices attaching to 3850s 150-1.EZ2, ISE v1.2

1. IP Phone with daisy-chained PC

2. dumb hub with IP Phone and multiple PCs

authentication host-mode multi-domain

authentication host-mode multi-auth

AND

authentication violation replace

authentication violation restrict

Regards

For all of my deployments I

nspasov — Tue, 19 Aug 2014 00:20:46 GMT

For all of my deployments I have used "authentication host-mode multi-auth" That way I generate a more generic template and not have to go back and touch ports that might have a switch attached to it. So I would recommend using this as well unless there is a driver behing not to.

Be careful with "dumb hubs" connecting to a 802.1x enabled port. I have ran into situations where the dumb hub/switch would let dot1x authenticatons go through but then would not pass the EAPoL logg-off message, thus causing issues when a new device would connect. I suppose in such situation the "authentication violation replace" might help but then you can run into other unforseen issues. I had a couple of deployments where the EAPoL traffic was completely dropped and never reached the Radius server. Thus, I have been lucky of convincing my customers to replace those with a "compact" version of the Cisco switch family (2960c, 3560c) so I have always used "authentication violation restrict"

I know this doesn't answer your quesitons directly but I hope it helps

Thank you for rating helpful posts!

topic DOT1X authentication host-mode in Network Access Control

DOT1X authentication host-mode

For all of my deployments I