Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3331
Views
0
Helpful
8
Replies

[ISE]Does Multi-auth work for hub only? How about switch?

yijiework
Level 1
Level 1

‎07-10-2013 06:47 PM - edited ‎03-10-2019 08:38 PM

I need to use 2960s lanlite version as a access switch, but this model can do nothing with posture and web auth.

So I have to use multi-auth instead on compact switch for endpoint auth.

But I noticed only HUB can work with multi-auth.

Is there any solution for my requirement?

1 person had this problem
Labels:
0 Helpful
8 Replies 8

Saurav Lodh
Level 7
Level 7

‎07-10-2013 08:05 PM

Refer "802.1x Multiple  Authentication Mode " from below link

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_53_se/configuration/guide/sw8021x.html

0 Helpful

Eduardo Aliaga
Level 4
Level 4
In response to Saurav Lodh

‎07-10-2013 09:56 PM

Multi-auth is designed when there are multiple endpoints connected to the same switchport and you want only one endpoint to authenticate. If one endpoint authenticates succesfully then all the other endpoints will enter the network without authentication.

So, when are multiple endpoints connected to a switchport ? Certainly when using a hub, but also when an automous access point, a laptop will multiple virtual machines, or even a switches connects to a switchport configured with 802.1x

Please rate if this helps

0 Helpful

yijiework
Level 1
Level 1
In response to Eduardo Aliaga

‎07-10-2013 11:42 PM 

multi-auth-Allow one client on the voice VLAN and multiple authenticated clients on the data VLAN. Each host is individually authenticated.

A manual said this.

0 Helpful

Eduardo Aliaga
Level 4
Level 4
In response to yijiework

‎07-10-2013 11:45 PM

Yes you're right, I was thinking of "multi-host" instead of "multi-auth". Sorry for the confusion

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni

‎07-10-2013 09:52 PM

Hi you cannot use dot1x for hosts connected on a switch that is capable of spanning tree. The dot1x supplicant send frames to a reserved destination Mac that falls within the spanning tree range.

Basically any frames for dot1x are dropped from the switch behind the port.


Sent from Cisco Technical Support Android App

0 Helpful

yijiework
Level 1
Level 1
In response to Tarik Admani

‎07-11-2013 08:07 PM

So maybe I can make 802.1x work by disablling STP?

And if my access switchs use default configuration, should I disable STP on vlan1?

0 Helpful

yijiework
Level 1
Level 1

‎07-10-2013 11:45 PM

ADDITION:

I use 2960s as access switch, and haven't changed stock configuration.

Should I configurate it to make it work?

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni

‎07-12-2013 10:42 PM

You shouldnt have to worry about your main switch. Just the switch plugged in behind it. Also make sure you have proper protection in place so a loop doesnt affect the rest of your network.


Sent from Cisco Technical Support Android App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents