
Multihost mode and hub

Hello,

I have ISE 2.6 and multi-host mode.

I want, if there is a hub in a port of a switch, the users not to be able to have access to the network.

Is multi-auth a solution? Is there something I must be careful about when changing the modes?

What do you suggest?

Thanks and regards,

Konstantinos

2 REPLIES
VIP Rising star

Re: Multihost mode and hub

Under your interface config you have several options for #authentication host-mode <>. These options are as follows:
single-host = single host can onboard via 802.1X on the interface
multi-host = multiple hosts can be authorized after authenticating one single host
multi-domain = allows one voice and one data host to onboard
multi-auth = allows multiple hosts and one voice device to be onboarded via 802.1X
If you wish to authenticate/authorize all hosts you should use multi-auth. Something to keep in mind: typically you would not want to use 802.1X on something such as interfaces connected to an ESXi server with VMs. However, if you had to for VM workstations or something and you utilize vMotion between the cluster, you would want to enable #authentication mac-move permit. HTH!
Cisco Employee

Re: Multihost mode and hub


@Mike.Cifelli wrote:
Under your interface config you have several options for #authentication host-mode <>. These options are as follows:
single-host = single host can onboard via 802.1X on the interface
multi-host = multiple hosts can be authorized after authenticating one single host
multi-domain = allows one voice and one data host to onboard
multi-auth = allows multiple hosts and one voice device to be onboarded via 802.1X
If you wish to authenticate/authorize all hosts you should use multi-auth. Something to keep in mind: typically you would not want to use 802.1X on something such as interfaces connected to an ESXi server with VMs. However, if you had to for VM workstations or something and you utilize vMotion between the cluster, you would want to enable #authentication mac-move permit. HTH!

Also check out https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515
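
An added example, not part of the original thread and not Cisco tooling: a small audit that reads interface stanzas from a saved running-config and lists the ports set to multi-host, the mode the replies above describe as authorizing multiple hosts after one host authenticates (the hub case in the question). The sample config is constructed, and treating "authentication port-control auto" as the marker of an authenticating port is this example's assumption.

```python
import re

# Constructed sample of saved running-config text (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication host-mode multi-host
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/4
 description uplink, no port authentication
 switchport mode trunk
!
"""

def host_modes(config):
    """Map every authenticating interface to its configured host mode."""
    modes = {}
    # A stanza is the "interface X" line plus the indented lines that follow it.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        lines = [line.strip() for line in m.group(2).splitlines()]
        # Assumption of this example: only ports with port-control auto authenticate.
        if "authentication port-control auto" not in lines:
            continue
        configured = [l.split()[-1] for l in lines
                      if l.startswith("authentication host-mode ")]
        # "unset" means no host-mode line is present; the platform default applies.
        modes[m.group(1)] = configured[-1] if configured else "unset"
    return modes

def hub_exposed_ports(config):
    """Ports in multi-host mode: one authenticated host opens the port to all."""
    return sorted(p for p, mode in host_modes(config).items() if mode == "multi-host")

if __name__ == "__main__":
    for port, mode in host_modes(SAMPLE_CONFIG).items():
        flag = "  <-- review: hosts behind a hub share one authentication" \
            if mode == "multi-host" else ""
        print(f"{port}: {mode}{flag}")
```
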