01-23-2020 12:55 AM
Hello,
I have ISE 2.6 and multi-host mode.
I want, if there is a hub in a port of a switch, the users not to be able to have access to the network.
Is multi-auth a solution? Is there something I must be careful about when changing the modes?
What do you suggest?
Thanks and regards,
Konstantinos
01-23-2020 06:16 AM
01-31-2020 07:32 PM
@Mike.Cifelli wrote:
Under your interface config you have several options for #authentication host-mode <>. These options are as follows:
single-host = single host can onboard via 802.1X on the interface
multi-host = multiple hosts can be authorized after authenticating one single host
multi-domain = allows one voice and one data host to onboard
multi-auth = allows multiple hosts and one voice device to be onboarded via 802.1X
If you wish to authenticate/authorize all hosts you should use multi-auth. Something to keep in mind: typically you would not want to use 802.1X on something such as interfaces connected to an ESXi server with VMs. However, if you had to for VM workstations or something, and you utilize vMotion between the cluster, you would want to enable #authentication mac-move permit. HTH!
Also check out https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515
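
An added example, not part of the original posts: a Python check that reads a switch running-config and lists the 802.1X ports still in multi-host mode, where one authenticated host opens the port for everything behind a hub. The sample config and function names are constructed for illustration, and treating a port with no host-mode line as single-host is an assumption about the platform default.

```python
import re

# Constructed sample running-config excerpt (not from the original thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication host-mode multi-auth
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/3
 authentication port-control auto
!
interface GigabitEthernet1/0/4
 switchport mode trunk
!
"""

HOST_MODE = re.compile(r"^ +authentication host-mode (\S+)", re.M)

def host_modes(config):
    """Map each interface that enforces authentication to its host mode."""
    modes = {}
    # Split the config at every line that begins an interface stanza.
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        if not stanza.startswith("interface "):
            continue
        name = stanza.split()[1]
        if "authentication port-control auto" not in stanza:
            continue  # port is not enforcing authentication at all
        m = HOST_MODE.search(stanza)
        # Assumption: with no explicit command the default is single-host.
        modes[name] = m.group(1) if m else "single-host"
    return modes

def piggyback_ports(config):
    """Ports where one authenticated host authorizes every host behind a hub."""
    return sorted(p for p, m in host_modes(config).items() if m == "multi-host")

if __name__ == "__main__":
    for port, mode in host_modes(SAMPLE_CONFIG).items():
        print(port, mode)
    print("multi-host ports:", piggyback_ports(SAMPLE_CONFIG))
```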