Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

What's up with 802.1x port role "multiple authentication" and the open authentication variable

Hello Everyone,

In this post we are going to cover the fundamentals of the port role of multiple authentication and the open authentication variable.

I consider that there is no much documentation regarding this features so let's briefly discuss what they do.

Let's start by defining what does it mean to have a multiple authentication port instead of a multi-host port:

With multiple authentication we are basically telling the authenticator know the following:

"You are going to have more than one device behind this interface (multiple users) some of them will use the regular data VLAN and one voice VLAN"

Hmm.. Okey but that sounds just like multi-host port role. So what's the *&*^#$ difference?

The difference lays in the fact that with multi-host you will authenticate only one host and any device behind the interface will successfully access the network (if the authentication was successful of course)

With multiple authentication mode you are forcing the authenticator to authenticate all of the devices behind that interface (more security)

So here are the most important facts about multiple authentication:

  1. Starting on version 12.2 (55) SE we support dynamic VLAN assignment on the multiple authentication port
  2. When talking about dynamic VLAN assignment on a multiple authentication port we do not support the failed ,critical and guest VLAN options
  3. Starting on version 12.2 (52) SE we support the critical VLAN assignment option
  4. If we are using dynamic VLAN assignment the port will be locked into the VLAN that is provided to the first successfully authenticated user, if any other host connects later and it successfully authenticates it will be locked to that same VLAN that was dynamically assigned to the first user.
  5. If we are using dynamic VLAN assignment and the port is already locked to a specific data VLAN, any user that fails the authentication will not be able to join the network although if we look at the CAM of the Switch it will appear being on the locked VLAN.

As we can see there has been some enhancements on this role-port so we can support dynamic VLAN assignment.

Open Authentication Mode

This particular mode will be equivalent to the Force-Authorized mode on a port (basically you will always have access to the network).

It can be assigned to any role port (single host, multiple host, multi-domain, multi-authentication).

So you connect your laptop to the network and you are able to start sending packets but after some time you send or receive an 802.1x to start the authentication process, if you successfully authenticate you get the policy from the server, if not then you still have access to the network (this is why it's almost the same to Force-Authorized mode).

So bottom line use it only when you want to perform a soft switch over to a 802.1x environment where you want to test the policies applied to each client that supports 802.1x (if it does not support it it will still have access to the network).

For more networking posts visit


Julio Carvajal

Version history
Revision #:
1 of 1
Last update:
‎07-19-2013 01:16 PM
Updated by:
Labels (1)