Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Using 802.1x and 2 hosts (one physical and one virtual) on the same port


We trying to utilize the following scenario:

BYOD with users' windows based laptops and Apple Mac Books

Virtual machines within each of the physical machines:  For Windows, the VMs will be Windows 7 VMs running within VM Workstation.  For Macs, users will be running Windows 7 VMs within Fusion.

802.1x set for multi-host

Using 802.1x, we have a guest network that places the user's physical machine in once it fails authentication.  The virtual machine runs the corporate image, and we'd like to have this VM connected to our corporate VLAN.

We have been running into this scenario though:

1.     User plugs his BYOD laptop from into the network.  His laptop gets attached to the guest network because it fails the 802.1x check.

2.      The VM is powered on.  It successfully is connected to the corporate network.

3.      Now,  the user unplugs his network cable from his host machine and waits 10 seconds.

4.      He then re-plugs the network cable to his host machine.

5.      The VM is the first to authenticate to the 802.1x network and it gains access to the corporate network.

       6.      Due to the VM being the first to authenticate on 802.1x, the host network connection piggybacks off of the VM, and therefore the host gains access to the corporate network

Obviously this represents a no-go if the user's BYOD computer is able to access the corporate network.  Is there is any specific way that 802.1x can be configured to prevent this from happening?



Everyone's tags (3)
New Member

Using 802.1x and 2 hosts (one physical and one virtual) on the s

Multi-Host is not the right option for you. In this Multi-Host only one device has to successfully authenticate to authenticate all device on that port.

You need to set host-mode to  "multi-auth"

Using 802.1x and 2 hosts (one physical and one virtual) on the s

And i believe VLAN change will be a problem for you, if you use multi auth, as your port only can be in one vlan. You could use dACL's instead.

CreatePlease to create content