Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1092
Views
5
Helpful
3
Replies

Single host mode authentication issue

Jun123123
Level 1
Level 1

‎09-11-2018 07:00 PM - edited ‎09-11-2018 07:02 PM

Currently, the SW is a LAN LITE model and only supports single host mode
Using single-host mode,
If it is connected as shown below

  SW -> (single-host mode setting, mab, dot1x authentication setting)
   |
   |
IP Phone -> (mab authentication, specific vlan assignment)
   |
   |
User PC -> (dot1x authentication, VLAN assignment according to user ID / PW)


As a result,

Using single-host mode, I wonder if both the phone and the user's PC can be authenticated.

Labels:
0 Helpful
3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

‎09-11-2018 08:39 PM

Hi

With single host mode, nope you won't have both devices authenticated and authorized.
I don't have any switch close to me with the same ios version. Can you add check if you can use multiple domain? With this you'll be able to get 1 authentication in the voice domain and 1 for data domain.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Jun123123
Level 1
Level 1

‎09-12-2018 05:30 PM

The current lan lite model is WS-C2960X-24TS-LL. The authentication methods are single-host, multidomain, and multi-host.
 It is the second site to build using WS-C2960X-24TS-LL model.
 The site that we built the first time used the multi-auth authentication method using the Lan base-based model to authenticate the phone and the user's PC.
 First, the lan base model of the site that we built has been tested with multi-host authentication method, and the authentication process with the desired condition could not be performed.
  So I chose Multi-auth, and the lan lite device of the second building site did not support multi-auth, so I chose single-host.
 When connecting to a single host, the IP phone receives mab authentication processing and allocates a specific vlan band, and the IP phone can not handle the dot1x authentication processing sent from the SW
 I wonder if the authentication process is done by bypassing to the user pc side.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Jun123123

‎09-12-2018 08:10 PM

Not sure i understand what you want to achieve. In single host mode, only 1 authentication is allowed per port.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents