2-30
Catalyst 4500 Series Switch Cisco IOS Command Reference—Release IOS XE 3.4.0SG and IOS 15.1(2)SG)
OL-27596 -01
Chapter 2 Cisco IOS Commands for the Catalyst 4500 Series Switches
authentication host-mode
authentication host-mode
To define the classification of a session that will be used to apply the access-policies in host-mode
configuration, use the authentication host-mode command in interface configuration mode. To return
to the default settings, use the no form of this command.
authentication host-mode {single-host | multi-auth | multi-domain | multi-host} [open]
[no] authentication host-mode {single-host | multi-auth | multi-domain | multi-host} [open]
Syntax Description
Command Default This command has no default settings.
Command Modes Interface configuration mode
Command History
Usage Guidelines Single-host mode classifies the session as an interface session (for example, one MAC per interface).
Only one client is allowed on the port, and any policies that are downloaded for the client are applied to
the whole port. A security violation is triggered if more than one client is detected.
Multi-host mode classifies the session as an interface session, but the difference with this host-mode is
that it allows more than one client to attach to the port. Only the first client that is detected on the port
will be authenticated and the rest will inherit the same access as the first client. The policies that are
downloaded for the first client will be applied to the whole port.
Multi-domain mode classifies the session based on a combination of MAC address and domain, with the
restriction that only one MAC is allowed per domain. The domain in the switching environment refers
to the VLAN, and the two supported domains are the DATA domain and the voice domain. Only one
client is allowed on a particular domain. So, only two clients (MACs) per port are supported. Each one
is required to authenticate separately. Any policies that are downloaded for the client will be applied for
that client’s MAC/IP only and will not affect the other on the same port. The clients can be authenticated
using different methods (such as 802.1X for PC, MAB for IP phone, or vice versa). No restriction exists
on the authentication order.
single-host Specifies the session as an interface session, and allows one client on the
port only. This is the default host mode when enabling 802.1X.
multi-auth Specifies the session as a MAC-based session. Any number of clients are
allowed on a port in data domain and only one client in voice domain, but
each one is required to authenticate separately.
multi-domain Specifies the session based on a combination of MAC address and domain,
with the restriction that only one MAC is allowed per domain.
multi-host Specifies the session as an interface session, but allows more than one client
on the port.
open (Optional) Configures the host-mode with open policy on the port.
Release Modification
12.2(50)SG Support for this command was introduced.
To Next Page
Loading...
Need help?
General
