cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2803
Views
25
Helpful
5
Replies

802.1x wired authentication and dump switch

MrBeginner
Spotlight
Spotlight

Hi,

I would like to ask about multi-auth.

I want to run 802.1x wired authentication. i have 2960 switch port ge0/1 connected to dump switch port ge 0/1. All hosts and printer are connect to other port of dump switch .I want to run 802.1x on 2960 port.

I want to use multi authentication.I user PEAP protocol and using user name and password for authentication.

multi-auth.PNG

I run multi authentication for all host and MAB for printer.I create different profiles in NAC.Let me know

It may apply separate profile for each hosts and printer ?

OR It may apply only one profile for every host which connected to dump switch because of we are using 1 port of 2960 ?

Do i need to add MAC of dump-switch in Allow -MAC profile of NAC ?

1 Accepted Solution

Accepted Solutions

Mike.Cifelli
VIP Alumni
VIP Alumni
Keep in mind the following for multi-auth configs on interfaces:
Single-host—This is the default host mode. While in this mode, the switchport will only allow a single host to be authenticated and to pass traffic at a time
Multi-auth—While in this mode, multiple devices are allowed to independently authenticate through the same port.
Multi-domain—While in this mode, the authenticator will allow one host from the data domain and one from the voice domain; this is a typical configuration on switchports with IP phones connected.
Multi-host—While in this mode, the first device to authenticate will open to the switchport so that all other devices can use the port. These other devices are not required to be authenticated independently; if the authenticated device becomes authorized the switchport will be closed.

View solution in original post

5 Replies 5

Hi, Each MAC address of a device connected to the switch will be profiled individually and match the appropriate ISE Profile. I assume you are using ISE?

HTH

Hi,

It mean should i use one authentication method in one port? Is not support 802.1x and MAB together with multi-host in one port? When i tested,result is ok ? all device are authenticate .

 

But i would like to know can i use MAB and 802.1x togetther ? Firstly i will check MAB ,if it is passed check 802.1x again.I want to check MAC and 802.1x credential for all devices.

 

Mike.Cifelli
VIP Alumni
VIP Alumni
Keep in mind the following for multi-auth configs on interfaces:
Single-host—This is the default host mode. While in this mode, the switchport will only allow a single host to be authenticated and to pass traffic at a time
Multi-auth—While in this mode, multiple devices are allowed to independently authenticate through the same port.
Multi-domain—While in this mode, the authenticator will allow one host from the data domain and one from the voice domain; this is a typical configuration on switchports with IP phones connected.
Multi-host—While in this mode, the first device to authenticate will open to the switchport so that all other devices can use the port. These other devices are not required to be authenticated independently; if the authenticated device becomes authorized the switchport will be closed.

Hi,
I just want to know,multi-auth can support 802.1x and MAB together or i need to use one authentication method only in one time MAB or 802.1x?

I feel you are confusing our readers/experts. ;-)

Cisco Flexible Authentication may support MAB and DOT1X in the same switch interface. The following are good references:

Also, please ensure the dumb switch is supporting EAP pass-through.