Specifications

Catalyst 4500 Series Switch Cisco IOS Command Reference—Release IOS XE 3.3.0XO(15.1(1)XO)
OL_28738-01
Chapter 2 Cisco IOS Commands for the Catalyst 4500 Series Switches
authentication host-mode
To define the classification of a session that will be used to apply the access-policies in host-mode
configuration, use the authentication host-mode command in interface configuration mode. To return
to the default settings, use the no form of this command.
authentication host-mode {single-host | multi-auth | multi-domain | multi-host} [open]
[no] authentication host-mode {single-host | multi-auth | multi-domain | multi-host} [open]
Syntax Description
Command Default This command has no default settings.
Command Modes Interface configuration mode
Usage Guidelines Single-host mode classifies the session as an interface session (for example, one MAC per interface).
Only one client is allowed on the port, and any policies that are downloaded for the client are applied to
the whole port. A security violation is triggered if more than one client is detected.
Multi-host mode classifies the session as an interface session, but the difference with this host-mode is
that it allows more than one client to attach to the port. Only the first client that is detected on the port
will be authenticated and the rest will inherit the same access as the first client. The policies that are
downloaded for the first client will be applied to the whole port.
Multi-domain mode classifies the session based on a combination of MAC address and domain, with the
restriction that only one MAC is allowed per domain. The domain in the switching environment refers
to the VLAN, and the two supported domains are the DATA domain and the voice domain. Only one
client is allowed on a particular domain. So, only two clients (MACs) per port are supported. Each one
is required to authenticate separately. Any policies that are downloaded for the client will be applied for
that client’s MAC/IP only and will not affect the other on the same port. The clients can be authenticated
using different methods (such as 802.1X for PC, MAB for IP phone, or vice versa). No restriction exists
on the authentication order.
The only caveat with the above statement is that web-based authentication is only available for data
devices because a user is probably operating the device and HTTP capability exists. Also, if web-based
authentication is configured in MDA mode, the only form of enforcement for all types of devices is
downloadable ACLs (dACL). The restriction is in place because VLAN assignment is not supported for
single-host     Specifies the session as an interface session, and allows one client on the
                port only. This is the default host mode when enabling 802.1X.
multi-auth      Specifies the session as a MAC-based session. Any number of clients are
                allowed on a port in data domain and only one client in voice domain, but
                each one is required to authenticate separately.
multi-domain    Specifies the session based on a combination of MAC address and domain,
                with the restriction that only one MAC is allowed per domain.
multi-host      Specifies the session as an interface session, but allows more than one client
                on the port.
open            (Optional) Configures the host-mode with open policy on the port.
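The host modes above differ in how many clients must authenticate on a port, so a configuration review usually starts by listing which mode each interface uses. The following is an added example, not part of the Cisco reference: a small Python audit that reads a saved running-config and flags ports set to multi-host or carrying the open keyword. The sample configuration, interface names, and function names are constructed for illustration.

```python
import re

# Constructed sample running-config; interface names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 authentication host-mode multi-host
 authentication port-control auto
!
interface GigabitEthernet1/2
 switchport voice vlan 20
 authentication host-mode multi-domain open
 authentication port-control auto
!
interface GigabitEthernet1/3
 authentication host-mode multi-auth
!
interface GigabitEthernet1/4
 authentication port-control auto
!
"""

# Matches the command syntax documented on this page, including optional [open].
HOST_MODE = re.compile(
    r"^\s*authentication host-mode "
    r"(single-host|multi-auth|multi-domain|multi-host)(\s+open)?\s*$")

def parse_host_modes(config_text):
    """Map each interface to (mode, open_flag); mode is None if not configured."""
    modes, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            modes[current] = (None, False)
        elif current and (m := HOST_MODE.match(line)):
            modes[current] = (m.group(1), m.group(2) is not None)
    return modes

def audit_host_modes(config_text):
    """Return (interface, finding) pairs for settings that widen port access."""
    findings = []
    for name, (mode, is_open) in parse_host_modes(config_text).items():
        if mode == "multi-host":
            findings.append((name, "multi-host: only the first client is "
                             "authenticated; the rest inherit its access"))
        if is_open:
            findings.append((name, "open keyword set: confirm the open policy "
                             "is intended on this port"))
    return findings

if __name__ == "__main__":
    for iface, finding in audit_host_modes(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Interfaces with no explicit host-mode line are reported with a mode of None; per the syntax table, single-host applies on those ports when 802.1X is enabled.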