802.1X Host Modes: What They Control and Why It Matters
The authentication host-mode command on a Cisco IOS XE switchport is one of the most consequential 802.1X configuration decisions you make at the access layer. It determines how many MAC addresses can authenticate on a port, whether the switch treats voice and data domains independently, and what happens when a second device appears on the wire.
Get this wrong in a campus deployment and you end up with one of two failure patterns: either legitimate devices cannot authenticate because only one credential is allowed (too restrictive), or a single authenticated endpoint unlocks the port for any device connected through a hub or unmanaged switch (too permissive). Neither outcome is acceptable in a production environment.
The four modes available on the Cisco Catalyst 9300 running IOS XE 17.9.x are:
| Mode | Command keyword | Simultaneous sessions | Voice + Data separation |
|---|---|---|---|
| Single-Host | single-host | 1 | No |
| Multi-Host | multi-host | 1 authenticated + unlimited unauthenticated | No |
| Multi-Domain | multi-domain | 2 (1 data + 1 voice) | Yes |
| Multi-Auth | multi-auth | Unlimited authenticated | Yes (optional) |
Each mode applies per physical port, not per VLAN.
Single-Host Mode
Configuration
```
interface GigabitEthernet1/0/1
 description Workstation - Single-Host
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! mab must be enabled on the interface for the "mab" entry in the order above to be used
 mab
 dot1x pae authenticator
 spanning-tree portfast
```
How It Behaves
Single-host mode allows exactly one MAC address to authenticate on the port. Once that MAC address completes authentication — whether through 802.1X or MAB — the port is placed in the authorized state. If a second MAC address appears on the same port (for example, a user plugs a hub into the wall jack), the switch generates a security violation.
The behavior on violation depends on the authentication violation command. The default in IOS XE 17.9.x is restrict, which drops frames from the violating MAC and logs a syslog message. You can also configure shutdown to err-disable the port.
```
authentication violation restrict
```
or
```
authentication violation shutdown
```
Single-host is appropriate for conference room ports where you want strict enforcement: one device, one credential, full stop. It is also common in high-security areas such as finance departments or server access ports at the campus edge.
Single-host is not appropriate for ports connected to Cisco IP Phones. A phone presents two logical endpoints on one physical port — the phone itself and the PC connected through the phone's downstream switch port. Single-host mode will block the PC entirely.
Multi-Host Mode
Configuration
```
interface GigabitEthernet1/0/2
 description Open Area - Multi-Host
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! mab must be enabled on the interface for the "mab" entry in the order above to be used
 mab
 dot1x pae authenticator
 spanning-tree portfast
```
How It Behaves
Multi-host mode requires only one device to successfully authenticate. Once that first authentication succeeds, the port enters the authorized state and allows traffic from any MAC address learned on that port — without additional authentication.
This is a significant security trade-off. A user authenticates with their corporate laptop, and then plugs in a personal device through a hub. That personal device gets full network access in the same VLAN as the authenticated laptop, without ever presenting credentials.
Multi-host is occasionally used during 802.1X rollout phases or in legacy environments where endpoints cannot authenticate but must still reach the network. It is also used on ports connecting to IP phones where the organization has decided not to enforce phone authentication — the phone authenticates via MAB or 802.1X, and any PC behind the phone rides along.
In practice, multi-host is a stepping stone, not a destination. The security model is weak compared to multi-domain or multi-auth. If you are using multi-host in production for more than a transitional deployment phase, revisit the design. Article 27 (Phased 802.1X Deployment Strategy for Enterprise Networks) covers how multi-host fits into a progressive rollout.
Multi-Domain Authentication (MDA) Mode
Configuration
```
interface GigabitEthernet1/0/3
 description IP Phone + PC - Multi-Domain
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
```
How It Behaves
Multi-domain authentication (MDA) is purpose-built for the most common access-layer topology in enterprise campus networks: a Cisco IP Phone with a PC connected to the phone's access port. The switch treats the port as having two independent authentication domains:
- Data domain: handles the PC or other data endpoint
- Voice domain: handles the IP phone (detected by CDP or LLDP)
Each domain authenticates independently. The voice domain typically authenticates the phone via MAB using the phone's MAC address, which ISE looks up against an endpoint database or Active Directory. The data domain authenticates the PC via 802.1X (PEAP or EAP-TLS) or MAB if 802.1X fails.
VLAN assignment also happens per domain. The voice endpoint is placed in Voice VLAN 20 based on the switchport voice vlan 20 configuration (and optionally ISE RADIUS attributes). The data endpoint is placed in Data VLAN 10 or whatever VLAN ISE returns in the Access-Accept.
If the voice domain authenticates but the data domain does not, the phone works normally and the PC remains in the unauthorized state (or drops into the Auth-Fail VLAN if configured — see Article 15). The two domains are completely independent.
One important constraint: multi-domain allows only one device per domain. You cannot authenticate two PCs in the data domain on an MDA port. If you need to support multiple data endpoints (a softphone client plus a physical phone, or a lab PC with a USB Ethernet adapter showing multiple MACs), you need multi-auth mode.
For full IP phone configuration details, see Article 17 (802.1X with IP Phones: Configuring Multi-Domain Authentication on Cisco IOS XE).
Multi-Auth Mode
Configuration
```
interface GigabitEthernet1/0/4
 description Lab Bench / Shared Workspace - Multi-Auth
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
```
How It Behaves
Multi-auth mode authenticates each MAC address independently. Every device that appears on the port must go through its own authentication cycle — 802.1X or MAB — and receives its own authorization result. There is no concept of "if one authenticates, others ride along."
This is the most granular and most secure host mode for ports that legitimately need to serve multiple devices. Common use cases include:
- Lab benches where multiple test devices connect through an unmanaged switch
- Shared workspaces with docking stations that present multiple MAC addresses (the dock, the laptop, and a USB Ethernet adapter may each appear as distinct MACs)
- Branch offices where a small unmanaged switch serves multiple workstations from a single switchport
- Conference rooms wired for multiple participants who bring their own laptops
Each authenticated session in multi-auth mode can receive a different VLAN assignment from ISE. If MAC-A authenticates as an employee and gets VLAN 10, and MAC-B authenticates as a contractor and gets VLAN 30 (Guest VLAN), the switch handles both sessions on the same physical port. Under the hood, the switch uses 802.1Q tagging internally to maintain VLAN separation per session.
One constraint: multi-auth mode on a port with a voice VLAN still enforces a single authentication in the voice domain. Only one IP phone can be in the voice domain at a time. The data domain is unrestricted.
Verifying Host Mode with Show Commands
The most useful verification command is show authentication sessions:
```
SW1# show authentication sessions
Interface    MAC Address     Method  Domain  Status  Fg  Session ID
Gi1/0/1      a4c3.f047.1234  dot1x   DATA    Auth        0A00630A0000000A
Gi1/0/2      b8ac.6f22.5678  dot1x   DATA    Auth        0A00630A0000000B
Gi1/0/3      0025.b501.aabb  mab     VOICE   Auth        0A00630A0000000C
Gi1/0/3      c8d9.d2e1.ccdd  dot1x   DATA    Auth        0A00630A0000000D
Gi1/0/4      001c.5804.1122  mab     DATA    Auth        0A00630A0000000E
Gi1/0/4      0021.a0b3.3344  dot1x   DATA    Auth        0A00630A0000000F
Gi1/0/4      0050.56a1.5566  mab     DATA    Auth        0A00630A00000010
```
Note that GigabitEthernet1/0/3 shows two sessions — one in VOICE domain (the IP phone, authenticated via MAB) and one in DATA domain (the PC, authenticated via 802.1X). This is multi-domain mode working correctly.
GigabitEthernet1/0/4 shows three simultaneous authenticated sessions in the DATA domain — this is multi-auth mode with three independent devices, each with its own RADIUS authentication result.
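Reading that table by eye works for four ports; across a closet of 48-port stacks it does not. The following Python is an added example, not part of the original article or any Cisco tool: it parses the tabular `show authentication sessions` output, groups sessions per port and domain, infers the least permissive host mode that could carry what was observed, and compares each port against the host mode it is supposed to run. The sample output is constructed to match the table above, the `CONFIGURED_MODES` mapping is an assumption mirroring the four interface configurations in this article, and all function names are this example's own.

```python
"""Audit `show authentication sessions` output against expected host modes."""
import re
from collections import defaultdict

# Constructed sample, copied from the table in this article.
SAMPLE_SESSIONS = """\
Interface    MAC Address     Method  Domain  Status  Fg  Session ID
Gi1/0/1      a4c3.f047.1234  dot1x   DATA    Auth        0A00630A0000000A
Gi1/0/2      b8ac.6f22.5678  dot1x   DATA    Auth        0A00630A0000000B
Gi1/0/3      0025.b501.aabb  mab     VOICE   Auth        0A00630A0000000C
Gi1/0/3      c8d9.d2e1.ccdd  dot1x   DATA    Auth        0A00630A0000000D
Gi1/0/4      001c.5804.1122  mab     DATA    Auth        0A00630A0000000E
Gi1/0/4      0021.a0b3.3344  dot1x   DATA    Auth        0A00630A0000000F
Gi1/0/4      0050.56a1.5566  mab     DATA    Auth        0A00630A00000010
"""

# Assumed: the host mode each port is configured with (matches the article's configs).
CONFIGURED_MODES = {
    "Gi1/0/1": "single-host",
    "Gi1/0/2": "multi-host",
    "Gi1/0/3": "multi-domain",
    "Gi1/0/4": "multi-auth",
}

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


def parse_sessions(text):
    """Return {interface: {domain: [(mac, method, status), ...]}}.
    Header and blank lines are skipped by requiring a dotted-hex MAC in column 2;
    the optional Fg column is tolerated because only the first five columns are used."""
    ports = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not MAC_RE.match(fields[1]):
            continue
        intf, mac, method, domain, status = fields[:5]
        ports[intf][domain.upper()].append((mac.lower(), method.lower(), status))
    return {intf: dict(doms) for intf, doms in ports.items()}


def minimum_host_mode(domains):
    """Least permissive host mode that can carry the observed sessions.
    Inferred from session counts only; it says nothing about what is configured."""
    data = len(domains.get("DATA", []))
    voice = len(domains.get("VOICE", []))
    if data > 1:
        return "multi-auth"        # several data hosts need per-MAC authentication
    if voice and data:
        return "multi-domain"      # one phone plus one PC
    return "single-host"


def check_port(intf, domains, configured):
    """Compare one port's sessions with its configured host mode; return findings."""
    findings = []
    total = sum(len(v) for v in domains.values())
    data = len(domains.get("DATA", []))
    voice = len(domains.get("VOICE", []))
    if configured == "single-host" and total > 1:
        findings.append(f"{intf}: {total} sessions on a single-host port; expect a violation")
    if configured == "multi-host":
        findings.append(f"{intf}: multi-host lets unauthenticated MACs ride behind the first session; review")
    if configured == "multi-domain" and (data > 1 or voice > 1):
        findings.append(f"{intf}: multi-domain allows one host per domain (data={data}, voice={voice})")
    if configured == "multi-auth" and voice > 1:
        findings.append(f"{intf}: multi-auth still allows only one voice-domain session (voice={voice})")
    for domain in domains:
        if domain not in ("DATA", "VOICE"):
            findings.append(f"{intf}: session in unexpected domain {domain}")
    return findings


def audit(text, configured_modes):
    """Parse the show output and return (per-port sessions, list of findings)."""
    ports = parse_sessions(text)
    findings = []
    for intf in sorted(ports):
        findings.extend(check_port(intf, ports[intf], configured_modes.get(intf, "unknown")))
    return ports, findings


if __name__ == "__main__":
    ports, findings = audit(SAMPLE_SESSIONS, CONFIGURED_MODES)
    for intf in sorted(ports):
        print(intf, {d: len(s) for d, s in ports[intf].items()},
              "needs at least", minimum_host_mode(ports[intf]))
    for f in findings:
        print("FINDING:", f)
```

Run against the sample, only Gi1/0/2 is reported, because a multi-host port is a standing review item regardless of how many sessions it currently shows; the other three ports are consistent with their configured modes. Feed it the real output of `show authentication sessions` and a mapping pulled from the running configuration to spot ports whose observed sessions no longer match the mode they were built for.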
For per-interface detail:
```
SW1# show authentication sessions interface GigabitEthernet1/0/3 detail
            Interface:  GigabitEthernet1/0/3
          MAC Address:  0025.b501.aabb
         IPv6 Address:  Unknown
         IPv4 Address:  10.0.20.45
            User-Name:  00-25-B5-01-AA-BB
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A00630A0000000C
      Acct Session ID:  0x0000000C
               Handle:  0x1C000006
       Current Policy:  POLICY_Gi1/0/3

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 20

Method status list:
       Method           State
       mab              Authc Success

            Interface:  GigabitEthernet1/0/3
          MAC Address:  c8d9.d2e1.ccdd
         IPv6 Address:  Unknown
         IPv4 Address:  10.0.10.112
            User-Name:  DOMAIN\jsmith
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A00630A0000000D
      Acct Session ID:  0x0000000D
               Handle:  0x1C000007
       Current Policy:  POLICY_Gi1/0/3

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 10

Method status list:
       Method           State
       dot1x            Authc Success
```
This output confirms both domains on GigabitEthernet1/0/3 are authorized. The VOICE domain session shows MAB authentication and VLAN 20. The DATA domain session shows 802.1X authentication with username DOMAIN\jsmith and VLAN 10.
Host Mode Selection by Deployment Scenario
| Scenario | Recommended Mode | Rationale |
|---|---|---|
| Executive office, one PC only | single-host | Strictest enforcement, one credential |
| Open office, PC only | single-host or multi-auth | multi-auth if docking stations are in use |
| IP Phone + PC (standard campus) | multi-domain | Industry standard for this topology |
| Lab bench with unmanaged switch | multi-auth | Each device authenticates independently |
| Branch office small switch | multi-auth | Multiple devices, each authenticated |
| Legacy printer or IoT (MAB only) | single-host with MAB | One device, MAC-based auth |
| Transitional deployment (no supplicant) | multi-host | Temporary — plan migration to multi-auth |
| Conference room, occasional use | multi-auth | Multiple guests with different credentials |
Troubleshooting
Symptom: PC behind IP phone fails to authenticate, phone works fine
Cause: Host mode is configured as single-host. The phone authenticates first. When the PC appears on the downstream port of the phone, the switch sees a second MAC address and generates a violation.
Fix: Change the host mode to multi-domain.
```
interface GigabitEthernet1/0/3
 authentication host-mode multi-domain
```
Verify with show authentication sessions interface GigabitEthernet1/0/3 detail. You should see two separate domain entries (VOICE and DATA).
Symptom: Second device on multi-host port not reaching network even though first device authenticated
Cause: Although multi-host allows unauthenticated devices once one device has authenticated, one of the following is likely: the authentication violation command is set to shutdown and the port has been err-disabled, the port hit a MAC count threshold, or a port security configuration (switchport port-security) is conflicting with the 802.1X session.
Fix: Check for port security conflicts:
```
show port-security interface GigabitEthernet1/0/2
show interfaces GigabitEthernet1/0/2 status
```
Port security and 802.1X should not be configured together on the same interface in IOS XE. Remove any switchport port-security commands from 802.1X-enabled ports.
Symptom: In multi-auth mode, all devices authenticate but only receive the same VLAN regardless of ISE policy
Cause: The port has a static switchport access vlan configured and either ISE is not returning a VLAN attribute, or the VLAN assignment is not being applied per-session. This happens when the 802.1X policy does not include RADIUS attributes Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID.
Fix: Verify the ISE authorization profile includes dynamic VLAN assignment. In ISE, navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Select the profile and confirm the VLAN field under the Common Tasks section is populated. Also verify:
```
SW1# show authentication sessions interface GigabitEthernet1/0/4 detail
```
Look for Vlan Group: Vlan: XX under Server Policies for each session. If the VLAN Group line is absent, ISE is not returning the VLAN attribute. Check ISE Live Logs (Operations > RADIUS > Live Logs) and inspect the Authentication Detail for the affected endpoint — confirm the authorization profile being applied includes the VLAN assignment. Dynamic VLAN assignment is covered in full in Article 14 (Dynamic VLAN Assignment with 802.1X and Cisco ISE).
Symptom: authentication host-mode multi-domain configured but ISE shows only one RADIUS request for the port
Cause: The IP phone is connected but not using CDP or LLDP to signal its presence. Without CDP/LLDP, the switch cannot classify the phone's traffic to the voice domain and the phone's MAB request is not sent. Alternatively, MAB is not enabled on the interface.
Fix: Ensure mab is configured on the interface alongside dot1x pae authenticator. Verify the phone is sending CDP:
```
SW1# show cdp neighbors GigabitEthernet1/0/3 detail
```
If the phone does not appear in CDP output, check whether CDP is enabled on the phone and on the switchport:
```
interface GigabitEthernet1/0/3
 cdp enable
```
Also confirm switchport voice vlan 20 is configured — the voice VLAN assignment is required for the switch to create the voice domain on the port.
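Several of the causes above are visible in the running configuration before any endpoint ever fails: mab missing while the authentication order lists it, multi-domain without a voice VLAN, port security alongside 802.1X, and multi-host left in place after the rollout. The following Python is an added example, not part of the original article or of any Cisco tool: it parses the interface stanzas of a `show running-config` capture and applies exactly those checks. The sample configuration is constructed for this example; three of its ports mirror this article's interface configurations (with faults introduced on GigabitEthernet1/0/3 and a fifth port), and the function names are the example's own.

```python
"""Static checks on 802.1X access-port configuration from a running-config capture."""

# Constructed sample: Gi1/0/1 and Gi1/0/2 follow the article's configs; Gi1/0/3 has
# been given two deliberate faults (no mab, no voice VLAN); Gi1/0/5 mixes port security
# with 802.1X and also lacks mab.
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description Workstation - Single-Host
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description Open Area - Multi-Host
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-host
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description IP Phone + PC - faults introduced for the example
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/5
 description Port security mixed with 802.1X
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 dot1x pae authenticator
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for every interface stanza.
    A stanza ends at the first line that is not indented ('!' or a top-level command)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def audit_interface(name, lines):
    """Apply the troubleshooting checks from this article to one interface stanza."""
    findings = []
    cmds = set(lines)
    if "authentication port-control auto" not in cmds:
        return findings  # 802.1X is not enforced here; the checks do not apply
    host_mode = next((l.split()[-1] for l in lines if l.startswith("authentication host-mode ")), None)
    order = next((l.split()[2:] for l in lines if l.startswith("authentication order ")), [])
    if "mab" in order and "mab" not in cmds:
        findings.append(f"{name}: mab is in the authentication order but the mab command is missing")
    if host_mode == "multi-host":
        findings.append(f"{name}: multi-host is transitional; plan migration to multi-auth or multi-domain")
    if host_mode == "multi-domain" and not any(l.startswith("switchport voice vlan ") for l in lines):
        findings.append(f"{name}: multi-domain without switchport voice vlan; no voice domain will be created")
    if any(l.startswith("switchport port-security") for l in lines):
        findings.append(f"{name}: port security configured on an 802.1X port; remove it")
    return findings


def audit_config(config):
    """Return {interface: [findings]} for every interface with at least one finding."""
    results = {}
    for name, lines in parse_interfaces(config).items():
        found = audit_interface(name, lines)
        if found:
            results[name] = found
    return results


if __name__ == "__main__":
    for intf, found in audit_config(SAMPLE_RUNNING_CONFIG).items():
        for f in found:
            print(f)
```

On the sample, GigabitEthernet1/0/1 is clean, GigabitEthernet1/0/2 is reported only for its multi-host mode, and the two faulty ports each produce two findings. The checks are deliberately keyed on the exact command strings shown in this article, so a capture from a switch that uses the newer `access-session` syntax would need the prefixes adjusted.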
What's Next
Article 14 — Dynamic VLAN Assignment with 802.1X and Cisco ISE: Once you have host modes configured correctly, the next step is having ISE push the right VLAN per endpoint at authentication time. Article 14 covers the full RADIUS attribute configuration on the switch and ISE authorization profile setup required to make dynamic VLAN assignment work reliably.