Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4098
Views
0
Helpful
5
Replies

Configuring Multi-auth host mode for IP Phones and APs / switches

Go to solution
SMD28316
Level 1
Level 1

‎07-16-2021 05:36 AM

Is it possible to authenticate APs / small switches and also Voice on the same port as clients?

 

as far as I know:

* APs and switches : authentication host-mode multi-host

* IP Phone + PC on the same port: authentication host-mode multi-auth.

 

Is it possible to have the same configuration on all ports? Can I use multi-auth to authenticate the phones and the APs / switches as well?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-06-2021 06:32 PM

Yes. That is the goal for consistency and we call that the universal switchport configuration.

Please read the ISE Secure Wired Access Prescriptive Deployment Guide which has our best practice configurations to handle all types of endpoints. Always use Multi-Auth.

Host Modes.png

View solution in original post

0 Helpful
5 Replies 5

Go to solution
IsmailDandashi1800
Level 1
Level 1

‎07-16-2021 05:44 AM

Hi 

yes you can since APs will use MAB as authentication method and DATA as a domain, using authentication host-mode multi-auth. will allow only one voice domain and multiple data domain.

 

 

0 Helpful

Go to solution
SMD28316
Level 1
Level 1
In response to IsmailDandashi1800

‎07-16-2021 06:13 AM

So I can apply a port template that has "authentication host-mode multi-auth" for both AP / Switches ports and for ports connected to IP Phones?

 

What if the port is configured as trunk? what will be the affect?

0 Helpful

Go to solution
IsmailDandashi1800
Level 1
Level 1
In response to SMD28316

‎07-16-2021 06:48 AM

yes you can use "authentication host-mode multi-auth", I don't recommend to apply dot1x configuration on trunk port 

 

 

0 Helpful

Go to solution
SMD28316
Level 1
Level 1

‎07-16-2021 05:43 AM

Is it possible to authenticate APs / small switches and also Voice on the same port as clients?

 

as far as I know:

* APs and switches : authentication host-mode multi-host

* IP Phone + PC on the same port: authentication host-mode multi-auth.

 

Is it possible to have the same configuration on all ports? Can I use multi-auth to authenticate the phones and the APs / switches as well?

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-06-2021 06:32 PM

Yes. That is the goal for consistency and we call that the universal switchport configuration.

Please read the ISE Secure Wired Access Prescriptive Deployment Guide which has our best practice configurations to handle all types of endpoints. Always use Multi-Auth.

Host Modes.png

0 Helpful
Customers Also Viewed These Support Documents