802.1x AAA Authentication Host Modes
authentication host-mode:-
Single-Host Mode:-
1PC----switch
Multiple-Hosts Mode:-
PC1----PCn------HUB----Switch
++If one PC authorizes then everyone will get access.
++If that PC is unauthorized then everyone will lose access.
++Additionally, we can use port security to manage PC MAC addresses.
Multidomain Authentication Mode:-
1PC---1Phone---Switch
++multidomain=two domains=data+voice
++authentication:- MAB or 802.1x or webauth
Multi-authentication Mode:-
PC1----PCn--1Phone-----Switch
++authentication:- MAB or 802.1x or webauth
++All PCs have to authenticate/authorize with the RADIUS server
++No VLAN assignment
Pre-Authentication:-
PC--unauthorized--Switch----Internet
PC--authorized----switch----Internal access
++PC gets pre-auth access through some guest ACL or guest VLAN.
Once the PC is authorized it will be placed in the internal VLAN, or it can access all internal resources.
++Pre-auth can be used with any of the above authentication modes.
=================================================
authentication open - traffic is allowed even before authentication
The command "authentication open" means that the switch will let traffic through (as per the port ACL) even if the device is not authenticated. So even if devices fail authentication, they will be able to pass traffic. This mode is used in 2 scenarios:
++Sometimes you want to allow basic access to people who failed authentication.
++You want to monitor whether clients are configured correctly for dot1x/MAB but you don't want to affect their connectivity. This mode lets you see the authentications on ISE without blocking user access.
========================================================
"authentication violation restrict" means log the event AND DENY traffic from the new MAC address (one of the tables in the doc mentions only the log action and not the deny).
"authentication violation protect" means deny traffic from the new MAC address without logging anything.
"authentication violation replace" means authenticate the new MAC address and clear the old one from the MAC address table.
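An added example (not from the original page): a small Python audit of switch interface config that flags the risky settings described above, namely multi-host mode, "authentication open" with no port ACL, and "violation protect". The sample config, the interface names and the ACL name PRE-AUTH are constructed for illustration.

```python
import re

# Constructed sample config; interface names and ACL name PRE-AUTH are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-host
 authentication open
 authentication port-control auto
 authentication violation protect
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 authentication host-mode multi-auth
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
"""

def audit(config):
    """Return {interface: [finding codes]} for the settings discussed above."""
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), set())
        elif current is not None and line.startswith(" "):
            current.add(line.strip())
    findings = {}
    for name, cmds in ports.items():
        issues = []
        if "authentication host-mode multi-host" in cmds:
            issues.append("multi-host")         # one authorized PC opens the port for all
        if "authentication open" in cmds and not any(c.startswith("ip access-group ") for c in cmds):
            issues.append("open-no-acl")        # pre-auth traffic not limited by a port ACL
        if "authentication violation protect" in cmds:
            issues.append("violation-protect")  # new MACs denied with no log entry
        findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Ports that come back with an empty list use none of the three flagged settings; the check only looks at commands explicitly present under each interface.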