Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17611
Views
36
Helpful
3
Replies

Cisco ISE Multi Auth or Multi Host

Go to solution
jm.virtual01
Level 1
Level 1

‎11-20-2018 07:29 PM

I am confuse, between multi auth. and multi host arrangement. Can someone help to face this situation?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
pan
Cisco Employee
Cisco Employee

‎11-21-2018 08:55 AM

A quick overivew of multi-host, multi-domain, multi-auth

 

multi-host: Multiple mac addresses can be in DATA domain. Only first mac is authenticated.

multi-domain: Only 1 mac address can be in DATA domain and only 1 mac address can be in VOICE domain

multi-auth: Multiple mac addresses can be in DATA domain (all authenticated individually) and only 1 MAC address can be in Voice domain.

View solution in original post

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to jm.virtual01

‎11-27-2018 05:26 AM

I suggest you go through this reference document -  https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-802x-multi-auth.html

Guidelines for Configuring IEEE 802.1X Multiple Authentication

Assign a RADIUS-server-supplied VLAN in multiple authentication mode, under these conditions:

  • The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
  • Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
  • A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
  • The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
  • Only one voice VLAN assignment is supported on a multi-auth port .
  • After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
  • You cannot configure a guest VLAN or an auth-fail VLAN in multi-auth mode.
  • The behavior of the critical-auth VLAN is not changed for multi-auth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.

View solution in original post

3 Replies 3

Go to solution
pan
Cisco Employee
Cisco Employee

‎11-21-2018 08:55 AM

A quick overivew of multi-host, multi-domain, multi-auth

 

multi-host: Multiple mac addresses can be in DATA domain. Only first mac is authenticated.

multi-domain: Only 1 mac address can be in DATA domain and only 1 mac address can be in VOICE domain

multi-auth: Multiple mac addresses can be in DATA domain (all authenticated individually) and only 1 MAC address can be in Voice domain.

Go to solution
jm.virtual01
Level 1
Level 1
In response to pan

‎11-27-2018 05:17 AM

One more question, if i need to go with the Multi Auth. What the factors should i need to consider and how can i start the thing?

 

0 Helpful

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to jm.virtual01

‎11-27-2018 05:26 AM

I suggest you go through this reference document -  https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-802x-multi-auth.html

Guidelines for Configuring IEEE 802.1X Multiple Authentication

Assign a RADIUS-server-supplied VLAN in multiple authentication mode, under these conditions:

  • The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
  • Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
  • A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
  • The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
  • Only one voice VLAN assignment is supported on a multi-auth port .
  • After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
  • You cannot configure a guest VLAN or an auth-fail VLAN in multi-auth mode.
  • The behavior of the critical-auth VLAN is not changed for multi-auth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
Customers Also Viewed These Support Documents