Learning In Detail – The Explanation of 802.1x Host Mode.
In the previous blog we covered 802.1X and its packet flow; in this blog we look at the 802.1X host mode. Host mode is configured on the interface of the NAD (the access switch) that faces the end users. If a supplicant is running on the end-user machine, it presents its own identity (for example a username and password); a device without a supplicant falls back to MAC Authentication Bypass (MAB), where the MAC address is the identity.
Host mode is not a global setting: it is an interface-level command on the NAD, applied per switch port.
Let’s understand each host mode in detail.
Single Host Mode (single-host):
- If there is an authorized client, the port is authorized. Only one host is permitted on the port.
- A second client appearing on the port (a second MAC address) is a security violation and puts the port into the unauthorized state.
When the port is authorized, untagged and tagged traffic from the permitted host is bridged according to the port’s static/dynamic VLAN membership. Traffic from any other host is dropped.
In production this mode belongs on ports where exactly one device is expected and no other host (hub, unmanaged switch, phone) sits behind it. When a second host connects, the port (the NAS port) is marked unauthorized; only one device is ever admitted. This is single-host mode.
Multiple Host Mode (multi-host):
A port is authorized if there is at least one authorized client.
When the port is unauthorized and a guest VLAN is enabled, untagged traffic is remapped to the guest VLAN. Tagged traffic is dropped unless it belongs to the guest VLAN or an unauthenticated VLAN. If no guest VLAN is configured on the port, only tagged traffic belonging to unauthenticated VLANs is bridged.
When the port is authorized, untagged and tagged traffic from all hosts connected to the port is bridged according to the port’s static/dynamic VLAN membership.
For example, if a switch port is configured as multi-host and any one VM behind it proves its identity, every other VM on that port piggybacks on that session and is bridged without authenticating. Security caveat: anything plugged into a hub or unmanaged switch behind the first authenticated host gets the same access, so the switch cannot tell a legitimate second device from a rogue one; use multi-auth where individual devices must be identified.
Multiple Domain Mode (multi-domain)
When a single port carries one data VLAN and one voice VLAN (typically an IP phone with a workstation daisy-chained behind it) and you want the phone and the workstation authenticated independently, the mode to use is MDA (multi-domain authentication).
Note: – One device in the voice domain and one device in the data domain only; a second device in either domain is treated as a security violation.
Multiple Authentication Mode (Multi-auth)
In multi-auth mode the port itself does not carry a single authentication status, unlike single-host and multi-host. Each client connected to the port is authenticated and authorized individually, and the status is tracked per client (on Cisco switches this allows one device in the voice VLAN and multiple devices in the data VLAN).
Tagged traffic belonging to an unauthenticated VLAN is always bridged, regardless of whether the host is authorized.
In summary
- Multi-auth: – Every supplicant authenticates individually; one session per device.
- Multi-Domain: – One voice device and one data device, each authenticated separately.
- Multi-Host: – Once one device is authenticated, all other devices on the port are bridged without authenticating.
- Single-Host: – Exactly one device on the port, data VLAN only (no voice VLAN).
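The four modes side by side as they are configured on a Cisco IOS access switch. This is an added example, not configuration taken from the original post; the interface numbers, VLAN IDs, RADIUS server name and address are assumptions chosen for illustration, and the shared secret is a placeholder.

```cisco
! --- Global AAA / 802.1X setup (assumed RADIUS server, placeholder key) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! --- single-host: exactly one MAC, data VLAN only ---
! A second MAC on the port is a violation; "restrict" keeps the port up,
! drops the offender and logs it (alternatives: protect, shutdown, replace).
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 authentication host-mode single-host
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 mab
!
! --- multi-domain: one phone in the voice VLAN + one workstation in the data VLAN ---
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 mab
!
! --- multi-auth: every device gets its own session (one voice + many data) ---
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 authentication host-mode multi-auth
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 mab
!
! --- multi-host: first authenticated device opens the port for everything behind it ---
! Only appropriate where the downstream segment is trusted (the piggyback caveat above).
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 20
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 mab
```

To verify which mode a port is in and how many sessions it currently holds, use `show authentication sessions interface GigabitEthernet1/0/2` (one line per authenticated MAC) and `show running-config interface GigabitEthernet1/0/2` for the configured host-mode. A quick field check of the single-host and multi-domain limits is to plug a second data device in behind the phone and confirm the switch logs the violation instead of bridging it.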
Zindagi Technologies is a leading IT consulting services provider in Delhi that implements security, enterprise networks, cloud security, data centers, hybrid cloud, campus networks and server devices, among much else, in the public and private sectors, and also develops network architecture and provides DevOps services. If you are looking for SD-Access, SD-WAN, or ACI migration, planning, design, implementation, or proof-of-concept services, look no further. Please get in touch with us or call us at +91-9773973971.
Author
Ravi Kumar Singh
Consultant – Network Security
Kefayath
January 27, 2023
Hi brother,
Nice explanation. However, with regard to single-host mode, it will allow one IP telephone in the voice VLAN if it is a Cisco phone, by using CDP bypass. I have tested it and it worked like a charm.
Sandeep
August 31, 2023
Great explanation with images.