02-26-2019 06:18 PM
The ISE Secure Wired Access Prescriptive Deployment Guide has a table (see below) of the access-session host-mode options; however, I am wondering what option is recommended for a port where an Access Point is plugged in? Would "Multi-host" be the only option that is suitable for an AP port where multiple wireless users are connecting to that AP?
| Host Mode | Number of Endpoints | Interface Command |
|---|---|---|
| Single Host | 1 Voice/Data device | access-session host-mode single-host |
| Multi-Domain Authentication (MDA) | 1 Voice and 1 Data device | access-session host-mode multi-domain |
| Multi-Host Mode | 1 Voice and Unlimited Data (at least one MAC address must authenticate successfully) | access-session host-mode multi-host |
| Multi-Auth Mode | 1 Voice and Unlimited Data (each MAC address must authenticate) | access-session host-mode multi-auth |
02-26-2019 07:07 PM
02-26-2019 07:35 PM
Thanks for the reply. The APs are doing both local switching and CAPWAP. With multi-auth, is my understanding correct that if the AP is unplugged and another device is plugged into the same port, that device will need to pass authentication? While with multi-host, if the AP is unplugged and another device is plugged into the same port, that device will not need to authenticate?
Is there any reason then why anyone would choose to use multi-host?
02-26-2019 09:45 PM
Hi, with authentication host-mode multi-auth, it will require every MAC address that the switch sees on the port to authenticate, no matter what you plug into it: AP, phone, endpoint, etc.
02-26-2019 09:47 PM
In my deployment I never use multi-host. It will authenticate the first MAC address, and if there are more, it will not care about the others.
02-26-2019 10:06 PM
02-27-2019 06:48 AM
If you are authenticating APs somehow, then single-host will work when your design is CUWN. If this is the case for you, no need to worry about much else, as the AP is the only thing that appears on the wire, and host traffic for clients associated to the AP is tunneled to the controller. Now, if you are authenticating APs somehow and your design is something like Flex, you'll need multi-host or multi-auth b/c the MACs from behind the APs will appear. The same would hold true if it's someone else's wireless, BTW. So for Flex-type setups, the catch-22 here is that multi-auth would make the other MACs appear on the wire due to local switching. You might not want to make those wireless client MACs authenticate 'again' (like with MAB), so there's multi-host. The thing to remember with multi-host is: authenticate the first device, then everything else can come in. So, if you plug an AP directly into the switch port, this will work b/c the link will go down if it's ever unplugged. But if you're running Flex, and you have an AP plugged into a hub, and you're running multi-host, then yes, you might consider that a security hole, but hopefully this doesn't match your setup. So I hope the example helps to explain a little easier.
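The behaviour described in the replies above (first MAC authenticates, the rest ride along in multi-host; every MAC authenticates in multi-auth; a direct link-down clears the session, a hub does not) is illustrated by this added, simplified model. It is not Cisco IOS code and it does not model the voice domain of multi-domain mode; the `auth_ok` flag stands in for whatever the dot1x/MAB result would be.

```python
"""Simplified model of IOS access-session host modes (added illustration, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    mode: str                                   # "single-host", "multi-host" or "multi-auth"
    authenticated: set = field(default_factory=set)  # MACs that passed dot1x/MAB
    allowed: set = field(default_factory=set)        # MACs currently forwarded

    def link_down(self) -> None:
        # AP unplugged from a directly connected port: link drops, sessions are cleared.
        self.authenticated.clear()
        self.allowed.clear()

    def frame_from(self, mac: str, auth_ok: bool) -> bool:
        """Return True if traffic from `mac` is forwarded under this port's host mode."""
        if mac in self.allowed:
            return True
        if self.mode == "multi-auth":
            # Each MAC must authenticate on its own.
            if auth_ok:
                self.authenticated.add(mac)
                self.allowed.add(mac)
            return auth_ok
        if self.mode == "multi-host":
            # Once any MAC has authenticated, every further MAC is let in unchecked.
            if self.authenticated or auth_ok:
                self.authenticated.add(mac) if auth_ok else None
                self.allowed.add(mac)
                return True
            return False
        if self.mode == "single-host":
            # Only one MAC is permitted; a second MAC is a violation (simplified: just dropped).
            if self.allowed:
                return False
            if auth_ok:
                self.authenticated.add(mac)
                self.allowed.add(mac)
            return auth_ok
        raise ValueError(f"unsupported host mode {self.mode!r}")


def hub_scenario(mode: str) -> bool:
    """AP behind a hub (link never drops). Returns whether an unauthenticated device gets in."""
    port = Port(mode)
    port.frame_from("ap", auth_ok=True)            # the AP itself passes dot1x/MAB
    port.frame_from("client1", auth_ok=False)      # Flex local switching exposes a client MAC
    # AP is unplugged from the hub: no link-down event, so nothing is cleared.
    return port.frame_from("rogue", auth_ok=False)
```

`hub_scenario("multi-host")` returns True (the hole the last reply warns about) while `hub_scenario("multi-auth")` returns False.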