
New Member

DOT1X authentication host-mode

Question - which to choose?

Scenarios with devices attaching to 3850s 150-1.EZ2, ISE v1.2:

1. IP Phone with daisy-chained PC
2. dumb hub with IP Phone and multiple PCs

`authentication host-mode multi-domain`

or

`authentication host-mode multi-auth`

AND

`authentication violation replace`

or

`authentication violation restrict`

Regards

ACCEPTED SOLUTION
Cisco Employee

For all of my deployments I

For all of my deployments I have used "authentication host-mode multi-auth". That way I generate a more generic template and do not have to go back and touch ports that might have a switch attached to them. So I would recommend using this as well unless there is a driver behind not to.

Be careful with "dumb hubs" connecting to an 802.1x enabled port. I have run into situations where the dumb hub/switch would let dot1x authentications go through but then would not pass the EAPoL log-off message, thus causing issues when a new device would connect. I suppose in such a situation the "authentication violation replace" might help, but then you can run into other unforeseen issues. I had a couple of deployments where the EAPoL traffic was completely dropped and never reached the RADIUS server. Thus, I have been lucky in convincing my customers to replace those with a "compact" version of the Cisco switch family (2960c, 3560c), so I have always used "authentication violation restrict".

I know this doesn't answer your questions directly, but I hope it helps.

 

Thank you for rating helpful posts!
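Added example, not part of the thread and not the answerer's configuration: an IOS access-port template that follows the accepted answer's recommendation (multi-auth with violation restrict), together with the global AAA/RADIUS lines such a template depends on. The interface name, VLAN numbers, RADIUS address and shared secret are placeholders. The inactivity timer is an assumed addition, not something the answer calls for; it is included because it ages out a session that a hub left behind by swallowing the EAPoL-Logoff, which is the failure the answer describes.

```ios
! Added example (not from the thread). Global AAA/RADIUS lines the
! interface template relies on. Server address and key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER_SHARED_SECRET
!
! Generic access-port template as the answer recommends. multi-auth lets a
! phone, its daisy-chained PC, or several hosts behind a hub/switch each
! authenticate independently, so the same template fits every scenario
! listed in the question. The violation action only matters when a
! host-mode limit is exceeded (e.g. a second data MAC on a multi-domain
! port): restrict drops the offending MAC and raises a syslog, replace
! tears down the existing session in favour of the new MAC.
interface GigabitEthernet1/0/1
 description Example user port - phone + PC (placeholder)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
! Assumed addition: clear a session after 5 minutes without traffic, so a
! stale session left when a hub drops the EAPoL-Logoff does not linger
! until the next reauthentication.
 authentication timer inactivity 300
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After applying it, `show authentication sessions interface GigabitEthernet1/0/1` lists each authenticated MAC with its domain (DATA or VOICE) and method, which is the quickest way to confirm that the phone and the PC behind it came up as separate sessions; a hub that drops EAPoL-Logoff shows up there as a session whose host is already gone.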