Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1209
Views
0
Helpful
2
Replies

ISE post configuration using command - access-session host-mode

Go to solution
dgaikwad
Level 5
Level 5

‎02-19-2019 01:29 AM - edited ‎03-11-2019 01:56 AM

Hi Experts,

There is this command, access-session host-mode, used while configuring the port for 802.1x authentication.

The command has, option for multi-domain and multi-host...

So, if use multi-domain, then in that case, it will only allow one data and one voice connection on the port, correct?

And if I use multi-host command, then in that case it will allow voice and data, as well as many other clients to connect? (suppose I connect a hub to this interface, and then connect multiple clients to this hub. Will then each of these clients will be authenticated separately?)

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-19-2019 04:43 AM

Directly from Cisco docs:
•single-host-Single host (client) on an IEEE 802.1X-authorized port.

•multi-host-Multiple hosts on an 802.1X-authorized port after a authenticating a single host.

•multi-domain-Both a host and a voice device (like an IP phone, Cisco or non-Cisco), to authenticate on an IEEE 802.1X-authorized port.

Note You must configure a voice VLAN for an IP phone when the host mode is set to multi-domain. For more information, see Chapter 37, "Configuring Voice Interfaces."

•multi-auth-Allows multiple hosts and a voice device, such as an IP phone (Cisco or non-Cisco), to be authenticated on an IEEE 802.1x-authorized port. This keyword requires Cisco IOS Release 12.2(50)SG.

So, if use multi-domain, then in that case, it will only allow one data and one voice connection on the port, correct?
Yes.
And if I use multi-host command, then in that case it will allow voice and data, as well as many other clients to connect?
Yes.

If you want to authenticate several hosts individually you should use the multi-auth. Typically you would see this configuration if you are authenticating several VMs on a specific port.

HTH!

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-19-2019 04:43 AM

Directly from Cisco docs:
•single-host-Single host (client) on an IEEE 802.1X-authorized port.

•multi-host-Multiple hosts on an 802.1X-authorized port after a authenticating a single host.

•multi-domain-Both a host and a voice device (like an IP phone, Cisco or non-Cisco), to authenticate on an IEEE 802.1X-authorized port.

Note You must configure a voice VLAN for an IP phone when the host mode is set to multi-domain. For more information, see Chapter 37, "Configuring Voice Interfaces."

•multi-auth-Allows multiple hosts and a voice device, such as an IP phone (Cisco or non-Cisco), to be authenticated on an IEEE 802.1x-authorized port. This keyword requires Cisco IOS Release 12.2(50)SG.

So, if use multi-domain, then in that case, it will only allow one data and one voice connection on the port, correct?
Yes.
And if I use multi-host command, then in that case it will allow voice and data, as well as many other clients to connect?
Yes.

If you want to authenticate several hosts individually you should use the multi-auth. Typically you would see this configuration if you are authenticating several VMs on a specific port.

HTH!
0 Helpful

Go to solution
dgaikwad
Level 5
Level 5
In response to Mike.Cifelli

‎02-19-2019 10:55 PM

Thank you!

This has cleared the usage for these commands.

0 Helpful
Customers Also Viewed These Support Documents