dot1x authentication multi-host and open doesn't work as expected

Hi everybody.

I'm facing a bit of an issue with dot1x authentication on Cisco IOS 15. My know-how might not be complete in this area (dot1x), so please eventually explain to me what I missed...

Now, the problem is as follows: on a couple of switchports there are some unmanaged 5- or 8-port switches. On all Catalyst switchports, I have the following setup.

interface GigabitEthernet0/2
 description Client-VLAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 no logging event link-status
 authentication host-mode multi-host
 authentication open
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 1
 dot1x timeout server-timeout 2
 dot1x timeout tx-period 1
 spanning-tree portfast
end

When more than 1 client is connected behind the tiny unmanaged switch, only the first one gets network connectivity, the others won't. Looking at the MAC address list of that port, I then see this:

vxs00a2#sh mac address-table int gi0/2
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0020.4a01.7302    DROP        Gi0/2
  10    00e0.c552.99c6    DYNAMIC     Gi0/2
  10    0020.4a01.7317    DROP        Gi0/2
Total Mac Addresses for this criterion: 3

My expectation would be that all 3 devices get connected (Type DYNAMIC) because of the above config statement "authentication host-mode multi-host". Am I wrong with this assumption?

Many thanks for any help/clarifications...

Regards,

Flavio.

Accepted Solutions

amir_slash
Level 1

Hi

Try #authentication host-mode multi-auth

Maybe it works!!

Regards

Amir

Hi Amir.

I don't need "multi-auth", I need "multi-host", please see:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_9_ea1/configuration/guide/scg/Sw8021x.html#wp1036333

Any other help/suggestions?

Regards,

F.

I'm a bit confused about your port configuration. Are you using IP phones? If so, you have 2 possibilities.

authentication host-mode multi-domain. Means 1 IP-Phone and one PC.

authentication host-mode multi-auth. Means 1 IP-Phone and multiple hosts

With multi-host you can't connect an IP-Phone.

Hope it helps.

Hey everybody.

Indeed the solution has been to use "multi-auth".

Thanks everybody!

F.
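
A triage sketch for the symptom in this thread, added here as an example (it is not code from any of the posters or from Cisco): it reads an interface stanza and the matching `show mac address-table` output, then reports DROP entries together with the host-mode in effect and flags the voice VLAN plus multi-host combination that the reply above calls out. The sample input is constructed from the outputs posted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample input, shaped like the config and table posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport voice vlan 40
 authentication host-mode multi-host
"""
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0020.4a01.7302    DROP        Gi0/2
  10    00e0.c552.99c6    DYNAMIC     Gi0/2
  10    0020.4a01.7317    DROP        Gi0/2
Total Mac Addresses for this criterion: 3
"""

# One table row: VLAN id, dotted MAC, entry type, port name.
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_interface(config):
    """Return the settings of one interface stanza that matter for this thread."""
    info = {"name": None, "host_mode": None, "voice_vlan": None}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            info["name"] = line.split(None, 1)[1]
        elif line.startswith("authentication host-mode "):
            info["host_mode"] = line.split()[-1]
        elif line.startswith("switchport voice vlan "):
            info["voice_vlan"] = line.split()[-1]
    return info

def parse_mac_table(output):
    """Return (vlan, mac, type, port) tuples; header and total lines are skipped."""
    return [m.groups() for m in map(MAC_ROW.match, output.splitlines()) if m]

def triage(config, mac_output):
    """List findings for one port: dropped MACs and the host-mode in effect."""
    port, rows = parse_interface(config), parse_mac_table(mac_output)
    dropped = [mac for _, mac, kind, _ in rows if kind.upper() == "DROP"]
    findings = []
    if dropped:
        findings.append(f"{port['name']}: {len(dropped)} of {len(rows)} MACs are DROP with host-mode {port['host_mode']}: {', '.join(dropped)}")
    if port["voice_vlan"] and port["host_mode"] == "multi-host":
        findings.append(f"{port['name']}: voice vlan {port['voice_vlan']} configured with multi-host")
    return findings
```

Calling `triage(SAMPLE_CONFIG, SAMPLE_MAC_TABLE)` returns two findings for the port as originally posted; an empty list means no DROP entries and no voice VLAN on a multi-host port.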
