CLI Guide

Security Commands
Default Configuration
By default, the interface port-control mode is multi-domain-multi-host.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Changing the host mode on an interface causes any currently authenticated
client sessions on the interface to be terminated.
The host modes are implemented as follows:
multi-auth—Allow multiple hosts to authenticate individually on the
interface. Hosts may authenticate to the data VLAN or the voice VLAN.
Port access is enforced by examining the source MAC address of the
incoming packets.
A typical use case is a wireless access point connected to an
access-controlled port of a NAS; the wireless clients connected to the
access point also authenticate using the switch resources. The access point
must be configured to transparently pass EAPOL traffic.
Use switchport mode general to support RADIUS VLAN assignment for
hosts.
multi-domain—In this mode, exactly one data client and one voice client
may be authenticated. The switch enforces this restriction by examining
the source MAC address of incoming packets.
The typical use case is an IP phone connected to a NAS port and a laptop
connected to the hub port of the IP phone. Both devices must
authenticate to access the network. The voice and data domains are
typically segregated by VLANs. The RADIUS server attribute
Cisco-AVPair = "device-traffic-class=voice" is used to identify a voice client. Use
switchport mode general to support RADIUS VLAN assignment for hosts.
multi-host—Allow multiple hosts access to the network on an
authenticated interface. A host must authenticate on the interface before
network access is granted. However, once authentication succeeds, access is
granted to all hosts connected to the port.
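The following Python model is an added example, not code from this guide or from the switch firmware. It reproduces the admission rules stated above for the three host modes so that the difference in exposure is visible: per-MAC enforcement in multi-auth and multi-domain, and port-wide access after the first success in multi-host. The class, function names and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

VOICE_AVPAIR = "device-traffic-class=voice"   # Cisco-AVPair value named in this guide

def domain_of(avpairs):
    """Classify an authenticated client from its RADIUS Cisco-AVPair values."""
    return "voice" if VOICE_AVPAIR in avpairs else "data"

@dataclass
class Port:
    mode: str                                      # multi-auth | multi-domain | multi-host
    sessions: dict = field(default_factory=dict)   # source MAC -> "data" or "voice"

    def authenticate(self, mac, avpairs=()):
        """Record a successful authentication; False if the host mode refuses it."""
        domain = domain_of(avpairs)
        if (self.mode == "multi-domain" and mac not in self.sessions
                and domain in self.sessions.values()):
            return False                           # only one data and one voice client
        self.sessions[mac] = domain
        return True

    def admits(self, src_mac):
        """Would a frame with this source MAC be forwarded?"""
        if self.mode == "multi-host":
            return bool(self.sessions)             # first success opens the port to all
        return src_mac in self.sessions            # enforcement by source MAC

    def set_mode(self, mode):
        self.mode = mode
        self.sessions.clear()                      # a mode change terminates sessions

# Constructed sample MAC addresses (documentation range), not taken from the guide
PHONE, LAPTOP, UNKNOWN = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:99"

def scenario(mode):
    """Authenticate a phone and a laptop, then probe with a third, unknown host."""
    port = Port(mode)
    port.authenticate(PHONE, [VOICE_AVPAIR])
    port.authenticate(LAPTOP)
    return {"unauthenticated_frame_admitted": port.admits(UNKNOWN),
            "second_data_client_accepted": port.authenticate(UNKNOWN)}

if __name__ == "__main__":
    for mode in ("multi-auth", "multi-domain", "multi-host"):
        print(mode, scenario(mode))
```

Only multi-host forwards frames from the unknown MAC without that host authenticating, which is the property to weigh when choosing a mode for a port that users can physically reach.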