
ISE 2.7 Wired multi-host AccessPoint

Hey,

 

I've installed ISE 2.7 with Wireless & Wired NAC.

 

Goal is to have a global Port Configuration which is the same on every device.

switchport access vlan 332
 switchport mode access
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 dot1x pae authenticator
 spanning-tree portfast

The config works fine and we configured it on about 200 switches. (Yes, the dot1x timers are a little aggressive, but it works!)

 

My customer uses AeroHive as access points. Client authentication over these APs ("Flexconnect") also works perfectly. But the ports to which the access points are connected have a "traditional" configuration (trunk, native VLAN, etc.).

Now I'm trying to get the access points authenticated as well (profiling AeroHive device -> MAB policy). I use the config above and am working with templates, so when an access point connects it gets the following template as a result:

template AP
switchport mode trunk
switchport trunk native vlan 299
spanning-tree portfast edge trunk

This also works fine. AP is reachable. 

But now I'm facing the problem that the host-mode is "multi-auth", whereas here I would need "multi-host".

Unfortunately, "authentication host-mode" is not available in templates, so I have to configure "multi-host" manually on the AP ports, which isn't the goal I mentioned earlier.

 

And no, we can't change the host-mode on every one of these ports, and we won't change to IBNS2 (I think it is possible there, right?)

 

Any thoughts? 

 

Thanks in advance!

 


hslai
Cisco Employee

This seems related to CSCvd93785 "Cannot change host mode via interface template authorization", which appears resolved in newer or more recent IOS/IOS-XE trains.