Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1308
Views
0
Helpful
1
Replies

DOT1X authentication host-mode

Go to solution
Ian Cowley
Level 1
Level 1

‎08-18-2014 02:28 AM - edited ‎03-10-2019 09:56 PM

Question - which to choose?

 

Scenarios with devices attaching to 3850s 150-1.EZ2, ISE v1.2

1. IP Phone with daisy-chained PC

2. dumb hub with IP Phone and multiple PCs

 

authentication host-mode multi-domain

or

authentication host-mode multi-auth

AND

 authentication violation replace

or

 authentication violation restrict

 

Regards

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎08-18-2014 05:20 PM

For all of my deployments I have used "authentication host-mode multi-auth" That way I generate a more generic template and not have to go back and touch ports that might have a switch attached to it. So I would recommend using this as well unless there is a driver behing not to. 

Be careful with "dumb hubs" connecting to a 802.1x enabled port. I have ran into situations where the dumb hub/switch would let dot1x authenticatons go through but then would not pass the EAPoL logg-off message, thus causing issues when a new device would connect. I suppose in such situation the "authentication violation replace" might help but then you can run into other unforseen issues. I had a couple of deployments where the EAPoL traffic was completely dropped and never reached the Radius server. Thus, I have been lucky of convincing my customers to replace those with a "compact" version of the Cisco switch family (2960c, 3560c) so I have always used "authentication violation restrict"

I know this doesn't answer your quesitons directly but I hope it helps

 

Thank you for rating helpful posts!

View solution in original post

0 Helpful
1 Reply 1

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎08-18-2014 05:20 PM

For all of my deployments I have used "authentication host-mode multi-auth" That way I generate a more generic template and not have to go back and touch ports that might have a switch attached to it. So I would recommend using this as well unless there is a driver behing not to. 

Be careful with "dumb hubs" connecting to a 802.1x enabled port. I have ran into situations where the dumb hub/switch would let dot1x authenticatons go through but then would not pass the EAPoL logg-off message, thus causing issues when a new device would connect. I suppose in such situation the "authentication violation replace" might help but then you can run into other unforseen issues. I had a couple of deployments where the EAPoL traffic was completely dropped and never reached the Radius server. Thus, I have been lucky of convincing my customers to replace those with a "compact" version of the Cisco switch family (2960c, 3560c) so I have always used "authentication violation restrict"

I know this doesn't answer your quesitons directly but I hope it helps

 

Thank you for rating helpful posts!

0 Helpful
Customers Also Viewed These Support Documents