
Multihost mode and hub

Hello, 

 

I have ISE 2.6 and multi-host mode. 

 

I want, if there is a hub in a port of a switch, the users not to be able to have access to the network.

Is multi-auth a solution? Is there something I must be careful about when changing the modes?

What do you suggest? 

 

Thanks and regards, 

Konstantinos

2 Replies

Mike.Cifelli
VIP Alumni
Under your interface config you have several options for #authentication host-mode <>. These options are as follows:
single-host = single host can onboard via 802.1X on the interface
multi-host = multiple hosts can be authorized after authenticating one single host
multi-domain = allows one voice and one data host to onboard
multi-auth = allows multiple hosts and one voice device to be onboarded via 802.1X
If you wish to authenticate/authorize all hosts you should use multi-auth. Something to keep in mind, typically you would not want to use 802.1X on something such as interfaces connected to an ESXi server with VMs. However, if you had to for VM workstations or something and you utilize vMotion between the cluster you would want to enable #authentication mac-move permit. HTH!


@Mike.Cifelli wrote:
Under your interface config you have several options for #authentication host-mode <>. These options are as follows:
single-host = single host can onboard via 802.1X on the interface
multi-host = multiple hosts can be authorized after authenticating one single host
multi-domain = allows one voice and one data host to onboard
multi-auth = allows multiple hosts and one voice device to be onboarded via 802.1X
If you wish to authenticate/authorize all hosts you should use multi-auth. Something to keep in mind, typically you would not want to use 802.1X on something such as interfaces connected to an ESXi server with VMs. However, if you had to for VM workstations or something and you utilize vMotion between the cluster you would want to enable #authentication mac-move permit. HTH!

also check out https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515
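
Added example (not part of the original thread, not Cisco's code): a small audit that reads a saved running-config and flags access ports whose host mode lets devices behind a hub ride on the first host's authentication, using the host-mode definitions from the reply above. The sample config is constructed, the function name audit_host_modes is hypothetical, and treating a port with no host-mode line as single-host is an assumption about the platform default.

```python
import re

# True = each host on the port has to authenticate on its own,
# per the host-mode definitions given in the reply above.
PER_HOST_AUTH = {
    "single-host": True,    # only one host can onboard
    "multi-host": False,    # one authenticated host authorizes all the others
    "multi-domain": True,   # one data host and one voice host
    "multi-auth": True,     # every host is authenticated individually
}
DEFAULT_MODE = "single-host"  # assumption: default when no host-mode line exists

def audit_host_modes(running_config):
    """Return {interface: (host_mode, finding)} for ports with port-control auto."""
    results = {}
    # Cut the config into one chunk per "interface ..." stanza.
    for stanza in re.split(r"(?m)^(?=interface )", running_config):
        header = re.match(r"interface (\S+)", stanza)
        if not header:
            continue
        # Ports without port-control auto are not doing 802.1X/MAB; skip them.
        if not re.search(r"(?m)^ +authentication port-control auto *$", stanza):
            continue
        m = re.search(r"(?m)^ +authentication host-mode (\S+)", stanza)
        mode = m.group(1) if m else DEFAULT_MODE
        # Unknown modes are flagged for review as well.
        if PER_HOST_AUTH.get(mode):
            finding = "ok"
        else:
            finding = "REVIEW: hosts behind a hub are not individually authenticated"
        results[header.group(1)] = (mode, finding)
    return results

# Constructed sample config, not taken from a real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-host
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 authentication host-mode multi-auth
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 authentication port-control auto
!
interface GigabitEthernet1/0/4
 switchport mode trunk
"""

if __name__ == "__main__":
    for port, (mode, finding) in audit_host_modes(SAMPLE_CONFIG).items():
        print(f"{port}: {mode}: {finding}")
```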