Wednesday, August 7, 2019

802.1X host modes.

  • Single Host mode:
    1. Only one device (MAC address) per port
    2. Second client causes unauthorized port state
  • Multiple Host mode:
    1. One device (first MAC address) authenticated
    2. All subsequent devices get access
  • MDA mode:
    1. One data and one voice VLAN per port
    2. Independent authentication of phone and PC
  • Multiple Authentication mode:
    1. Superset of MDA
    2. Authenticates every MAC address
    3. One VLAN for all devices, per device dACL
    4. Used for hubs, access points, Virtual Machines

The host mode of an 802.1X port determines whether more than one client can be authenticated on the port and how that authentication is enforced. You can configure an 802.1X port to use any of the four host modes described below. In addition, each mode can be combined with pre-authentication open access (authentication open), which lets traffic through before authentication completes; the host mode still governs which and how many MAC addresses are accepted.

Single-Host Mode

In single-host mode, only one client can be connected to the 802.1X-enabled port. The switch detects the client by sending an EAPOL frame when the port link state changes to up, and grants access to that client after it authenticates. Frames from any other MAC address are dropped, and as the summary above notes, a second client puts the port into the unauthorized state. If the client leaves or is replaced with another client, the switch changes the port link state to down and the port returns to the unauthorized state.

Multiple Host Mode

In multiple host mode (often called multi-host mode), you can attach multiple hosts to a single 802.1X-enabled port. In this mode, only one of the attached clients must be authorized for all clients to be granted network access; the rest are never authenticated, so any device that can reach the port behind the authorized host inherits its access. If the port becomes unauthorized (reauthentication fails or an EAPOL-Logoff message is received), the authenticator denies network access to all of the attached clients.

Multiple Domain Authentication Mode

MDA mode (often called multi-domain mode) allows an IP phone and a single host behind the IP phone to authenticate independently, using 802.1X, MAB, or (for the host only) web-based authentication. Here, multidomain refers to two domains (data and voice VLAN), and only one MAC address is allowed per domain; a second MAC address in either domain is a security violation. The switch places the host in the data VLAN and the IP phone in the voice VLAN, even though both appear on the same switch port. The data and voice VLAN assignment, and the classification of a device as a voice device, can be obtained from the VSAs received from the AAA server.

Multiple Authentication Mode

Multiple authentication mode (often called multi-auth mode) allows one 802.1X or MAB client on the voice VLAN and multiple authenticated 802.1X, MAB, or web-authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1X port, multi-auth mode provides stronger security than multi-host mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentication, which allows different hosts to be authenticated through different methods on a single port.
In this mode, the first host authorized on the port defines the data VLAN assignment, and subsequent hosts are added to the same VLAN. They must either have no VLAN assignment in the RADIUS database or be assigned the same VLAN the port already uses; otherwise they are denied access to the port.
Also, if the authentication server assigns a dACL, the switch rewrites the dACL so that the authenticated host's IP address replaces the "any" source in each entry. Each host therefore gets its own copy of the dACL, which is how multi-auth mode supports per-host differentiated dACLs.
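To make the differences between the four modes concrete, here is a small state machine that plays the same sequence of arriving hosts (an IP phone, a PC, and a device that never authenticates) against each host mode and reports what the port would decide. This is an added example written for this post, not Cisco code and not the switch's real state machine: it is a simplified model of the behaviour described above (no timers, no reauthentication, fixed "shutdown"-style violation handling), and the RadiusAccept fields, Port/Session classes, MAC addresses and IPs are all assumed or constructed for illustration.

```python
"""Simplified model of 802.1X host-mode enforcement on one access port.

Illustrative only: approximates the host-mode rules described in the text,
not the behaviour of any particular IOS release.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class HostMode(Enum):
    SINGLE_HOST = "single-host"
    MULTI_HOST = "multi-host"
    MULTI_DOMAIN = "multi-domain"
    MULTI_AUTH = "multi-auth"


@dataclass
class RadiusAccept:
    """Attributes an Access-Accept may carry for one host (assumed names)."""
    voice: bool = False             # Cisco AV-pair device-traffic-class=voice
    vlan: Optional[str] = None      # Tunnel-Private-Group-ID
    dacl: Optional[str] = None      # ip:inacl#n=... entry with 'any' as source


@dataclass
class Session:
    mac: str
    domain: str                     # "data" or "voice"
    authenticated: bool             # False = admitted on another host's auth
    dacl: Optional[str] = None


@dataclass
class Port:
    mode: HostMode
    sessions: dict[str, Session] = field(default_factory=dict)
    data_vlan: Optional[str] = None  # VLAN fixed by the first data host
    violation: bool = False

    def _domain_free(self, domain: str) -> bool:
        return not any(s.domain == domain for s in self.sessions.values())

    def host_arrives(self, mac: str, ip: str, result: Optional[RadiusAccept]) -> str:
        """`result` is the server's Access-Accept, or None if the host never
        authenticates (rejected, or no supplicant and no MAB match)."""
        if self.violation:
            return "dropped: port in violation state"
        if mac in self.sessions:
            return "already authorized"
        domain = "voice" if result and result.voice else "data"
        mode = self.mode

        if mode is HostMode.MULTI_HOST and self.sessions:
            # Piggybacking: once one MAC is authorized, every other MAC gets in.
            self.sessions[mac] = Session(mac, "data", authenticated=False)
            return "authorized without authentication (inherited)"
        if mode is HostMode.SINGLE_HOST and self.sessions:
            self.violation, self.sessions = True, {}
            return "security violation: port unauthorized"
        if mode is HostMode.MULTI_DOMAIN and not self._domain_free(domain):
            self.violation, self.sessions = True, {}
            return f"security violation: second MAC in {domain} domain"
        if mode is HostMode.MULTI_AUTH and domain == "voice" and not self._domain_free("voice"):
            return "denied: only one voice-domain host allowed"
        if result is None:
            return "denied: authentication failed"

        dacl = None
        if domain == "data":
            if self.data_vlan is None:
                self.data_vlan = result.vlan
            elif result.vlan not in (None, self.data_vlan):
                return f"denied: VLAN {result.vlan} conflicts with port VLAN {self.data_vlan}"
            if result.dacl:
                # multi-auth rewrites the 'any' source to this host's own IP
                dacl = (result.dacl.replace("any", f"host {ip}", 1)
                        if mode is HostMode.MULTI_AUTH else result.dacl)
        self.sessions[mac] = Session(mac, domain, True, dacl)
        return f"authorized in {domain} domain"

    def host_leaves(self, mac: str) -> list[str]:
        """EAPOL-Logoff or reauthentication failure for `mac`; returns every
        MAC that loses access as a result."""
        session = self.sessions.get(mac)
        if session is None:
            return []
        if self.mode is HostMode.SINGLE_HOST or (
                self.mode is HostMode.MULTI_HOST and session.authenticated):
            gone = list(self.sessions)       # one session carried the whole port
            self.sessions.clear()
            self.data_vlan = None
            return gone
        del self.sessions[mac]
        if self._domain_free("data"):
            self.data_vlan = None            # next data host may set the VLAN
        return [mac]


def demo(mode: HostMode) -> list[str]:
    """Constructed scenario: a phone, the PC behind it, then an unauthenticated
    device plugged into the phone's PC port."""
    port = Port(mode)
    phone = RadiusAccept(voice=True)
    pc = RadiusAccept(vlan="10", dacl="permit ip any any")
    return [
        port.host_arrives("00:11:22:aa:aa:aa", "10.0.10.20", phone),
        port.host_arrives("00:11:22:bb:bb:bb", "10.0.10.21", pc),
        port.host_arrives("00:11:22:cc:cc:cc", "10.0.10.22", None),
    ]


if __name__ == "__main__":
    for mode in HostMode:
        print(mode.value, demo(mode))
```

Running it shows the security-relevant contrast from the text: in multi-host mode the third, never-authenticated device is admitted on the strength of the phone's session, in multi-domain mode it trips a violation because the data domain is already occupied, and in multi-auth mode it is simply denied while the PC keeps a dACL rewritten to its own IP.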
