Access-session host-mode option for an AP port

Madura Malwatte
Level 4

The ISE Secure Wired Access Prescriptive Deployment Guide has a table (see below) of the Access-session host-mode options; however, I am wondering what option is recommended for a port where an Access Point is plugged in. Would "Multi-host" be the only option that is suitable for an AP port where multiple wireless users are connecting to that AP?

Host Mode                                 | Number of Endpoints                                                              | Interface Command
------------------------------------------|----------------------------------------------------------------------------------|----------------------------------------
Single Host (default in IBNS 1.0)         | 1 Voice/Data device                                                              | access-session host-mode single-host
Multi-Domain Authentication (MDA)         | 1 Voice and 1 Data device                                                        | access-session host-mode multi-domain
Multi-Host Mode                           | 1 Voice and Unlimited Data (at least one MAC address must authenticate successfully) | access-session host-mode multi-host
Multi-Auth Mode                           | 1 Voice and Unlimited Data (each MAC address must authenticate)                  | access-session host-mode multi-auth

6 Replies

It depends on the AP mode. If you use CAPWAP and tunnel everything to the WLC then single host will be sufficient. If you use local switching on the AP then you need multi-host or multi-auth depending on your security preference.

**** Please remember to rate useful posts

Thanks for the reply. The APs are doing both local switching and CAPWAP. With multi-auth, is my understanding correct that if the AP is unplugged and another device plugged into the same port, that device will need to pass authentication? While with multi-host, if the AP is unplugged and another device plugged into the same port, that device will not need to authenticate?

Is there any reason then why anyone would choose to use multi-host?

Hi, with authentication host-mode multi-auth it will require every MAC address that the switch sees on the port to authenticate, no matter what you plug into it (AP, phone, endpoint, etc.).

In my deployment I never use multi-host; it will authenticate the first MAC address and if there are more it will not care about the others.

That is true.

If you are authenticating APs somehow, then single-auth will work when your design is CUWN. If this is the case for you, no need to worry about much else, as the AP is the only thing that appears on the wire, and host traffic for clients associated to the AP is tunneled to the controller. Now, if you are authenticating APs somehow, and your design is something like Flex, you'll need multi-host or multi-auth b/c the MACs from behind the APs will appear. The same would hold true if it's someone else's wireless, BTW. So for Flex-type setups, the catch-22 here is that multi-auth would make the other MACs appear on the wire due to local switching. You might not want to make those wireless client MACs authenticate 'again' (like with MAB), so there's multi-host. The thing to remember with multi-host is: authenticate the first device, then everything else can come in. So, if you plug an AP directly into the switch port, this will work b/c the link will go down if it's ever unplugged. But if you're running Flex, and you have an AP plugged into a hub, and you're running multi-host, then yes, you might consider that a security hole, but hopefully this doesn't match your setup. So hope the example helps to explain a little easier.
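The two host modes the thread compares, as an added IBNS 2.0 interface configuration for a locally switching (Flex) AP port; this is example config, not from the thread or the ISE guide, and the interface name, VLAN number and the AP_PORT_POLICY policy-map name are placeholders you would replace with your own.

```cisco
! Added example, not from the thread. Interface, VLAN and policy-map name are placeholders.
interface GigabitEthernet1/0/10
 description Access Point - local switching (wireless client MACs appear on this port)
 switchport mode access
 switchport access vlan 100
 ! multi-auth: every MAC the switch sees here (the AP and each locally switched
 ! wireless client) must pass 802.1X or MAB before its traffic is forwarded.
 access-session host-mode multi-auth
 access-session port-control auto
 access-session closed
 mab
 dot1x pae authenticator
 service-policy type control subscriber AP_PORT_POLICY
!
! Alternative discussed in the replies: only the first MAC (the AP) is authenticated;
! every later MAC behind it is admitted without its own session. This relies on the
! AP being cabled directly to the switch port so that unplugging it drops the link
! and clears the session; with a hub in between, the last reply's concern applies.
!  access-session host-mode multi-host
!
! Verification: with multi-auth this lists one authenticated session per MAC on the port.
! show access-session interface GigabitEthernet1/0/10 details
```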