dot1x authentication multi-host and open doesn't work as expected

Hi everybody.

I'm facing a bit of an issue with dot1x authentication on Cisco IOS 15. My know-how might not be complete in this area (dot1x), so please eventually explain to me what I missed...

Now, the problem is as follows: on a couple of switchports there are some unmanaged 5- or 8-port switches. On all Catalyst switchports, I have the following setup.

interface GigabitEthernet0/2
 description Client-VLAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 no logging event link-status
 authentication host-mode multi-host
 authentication open
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 1
 dot1x timeout server-timeout 2
 dot1x timeout tx-period 1
 spanning-tree portfast
end

When more than 1 client is connected behind the tiny unmanaged switch, only the first one gets network connectivity, the others won't. Looking at the MAC address list of that port, I then see this:

vxs00a2#sh mac address-table int gi0/2
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0020.4a01.7302    DROP        Gi0/2
  10    00e0.c552.99c6    DYNAMIC     Gi0/2
  10    0020.4a01.7317    DROP        Gi0/2
Total Mac Addresses for this criterion: 3

My expectation would be that all 3 devices get connected (Type DYNAMIC) because of the above config statement "authentication host-mode multi-host". Am I wrong with this assumption?

Many thanks for any help/clarifications...

Regards,

Flavio.

Accepted Solutions

amir_slash
Level 1

Hi

Try #authentication host-mode multi-auth

Maybe it works!!

Regards

Amir

Hi Amir.

I don't need "multi-auth", I need "multi-host", please see:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_9_ea1/configuration/guide/scg/Sw8021x.html#wp1036333

Any other help/suggestions?

Regards,

F.

I'm a bit confused about your port configuration. Are you using IP-Phones? If so you have 2 possibilities.

authentication host-mode multi-domain. Means 1 IP-Phone and one PC.

authentication host-mode multi-auth. Means 1 IP-Phone and multiple hosts.

With multi-hosts you can't connect an IP-Phone.

Hope it helps.

Hey everybody.

Indeed the solution has been to use "multi-auth".

Thanks everybody!

F.
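
An added example, not part of the thread and not Cisco code: a small Python parser for "show mac address-table" output in the format posted in the question, listing per port the MAC addresses with Type DROP next to the ones that are forwarding. The function names are hypothetical, the sample is the output from the question, and treating every non-DROP type as forwarding is an assumption.

```python
import re
from collections import defaultdict

# Output as posted in the question above (prompt line included).
SAMPLE = """\
vxs00a2#sh mac address-table int gi0/2
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0020.4a01.7302    DROP        Gi0/2
  10    00e0.c552.99c6    DYNAMIC     Gi0/2
  10    0020.4a01.7317    DROP        Gi0/2
Total Mac Addresses for this criterion: 3
"""

# One table row: VLAN, dotted-hex MAC, entry type, port name.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            rows.append((int(vlan), mac.lower(), typ.upper(), port))
    return rows

def blocked_hosts(rows):
    """Map port -> forwarding/dropped MAC lists, only for ports with a DROP entry."""
    ports = defaultdict(lambda: {"forwarding": [], "dropped": []})
    for _vlan, mac, typ, port in rows:
        # Assumption: any type other than DROP (DYNAMIC, STATIC) is forwarding.
        ports[port]["dropped" if typ == "DROP" else "forwarding"].append(mac)
    return {p: v for p, v in ports.items() if v["dropped"]}

if __name__ == "__main__":
    for port, hosts in blocked_hosts(parse_mac_table(SAMPLE)).items():
        print(f"{port}: {len(hosts['dropped'])} dropped, "
              f"{len(hosts['forwarding'])} forwarding")
        for mac in hosts["dropped"]:
            print(f"  DROP {mac}")
```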
