Cisco ISE 802.1x problem with users - Docking Station

mikiNet — Tue, 29 Mar 2022 08:16:19 GMT

Dear Friends,

I am writing to you because I am slowly missing an idea, according to the following:

I started to implement Dot1x for the user VLAN, but there is one very important problem.
It consists in the fact that many PCs have a docking station that after removing the laptop it maintains the port in the UP state, which is associated with the fact that the port is authorized all the time - and a strange situation because after inserting the laptop again, there is no communication and you have to manually unplug the cable from dock station or to put and pick up the port - after that it working - I decided to add two commands to the config:

Authentication periodic

Authentication timer reauthentication 32400

But after implemented this, users report me that after come to office and plug PC, computer not asking for credentials - it looks that requth not work or port after 9h is going to reauth state and this state is maintain all the time.

Unplug the cable or shutdown and no shutdown only work.....

Below my config:

radius server ISE-1

address ipv4 XXXXXXXXX auth-port 1812 acct-port 1813

key xxxxxxx

radius server ISE-2

address ipv4 XXXXXXXXX auth-port 1812 acct-port 1813

key xxxxxxxxxx

aaa group server radius ISE_RADIUS

server name ISE-1

server name ISE-2

aaa new-model

aaa authentication login default local

aaa authorization exec default local

aaa authentication dot1x default group ISE_RADIUS

aaa authorization network default group ISE_RADIUS

aaa accounting dot1x default start-stop group ISE_RADIUS

aaa server radius dynamic-author

client XXXXXXXX server-key XXXXXXXXX

client XXXXXXXX server-key XXXXXXXXXX

dot1x system-auth-control

ip device tracking

radius-server vsa send authentication

radius-server vsa send accounting

device-sensor filter-list cdp list TLV-CDP

tlv name device-name

tlv name address-type

tlv name capabilities-type

tlv name version-type

tlv name platform-type

device-sensor filter-spec cdp include list TLV-CDP

device-sensor accounting

device-sensor notify all-changes

interface GigabitEthernetXXXXXXXX -----

sw host

switchport mode access

switchport voice vlan XXXX

ip access-group BLOCK_8021x in

authentication event fail action next-method

authentication event server dead action authorize vlan XXXXX

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication open

authentication order mab dot1x

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate 32400

authentication timer inactivity 3600

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout quiet-period 300

dot1x timeout tx-period 10

spanning-tree portfast

ip http server

ip http secure-server

cdp run

snmp-server community XXXXXXXX RO

mac address-table notification change interval 0

mac address-table notification change

ip access-list extended BLOCK_8021x

permit udp any any eq bootps

permit udp any any eq bootpc

deny ip any any

ip radius source-interface VlanXXXX

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

authentication mac-move permit

Vlan 70 which is user vlan is receiving from ISE (Authorization Profile)

Any idea?

Re: Cisco ISE 802.1x problem with users - Docking Station

HansK_NL — Wed, 30 Mar 2022 19:36:49 GMT

Do you have the option to implement IP Device Tracking (IPDT) on your switches?

https://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html

And/or the switch can send SNMP traps for link (up/down) and MAC (add/remove) events, these traps must then be send to ISE. ISE must be configured to listen to these traps. This way, ISE will be notified immediately that something happened to the endpoint and can send a CoA to the switch to terminate the access-session.

Cheers,

Hans

Re: Cisco ISE 802.1x problem with users - Docking Station

mikiNet — Thu, 31 Mar 2022 07:05:37 GMT

Yes, I have implemented IP Device Tracking. SNMP Traps not work becauese please remember that port is always UP (docking station holds up port in UP state).

I find workaround - In windows supplicant I check option to remember credentials - and it working

topic Cisco ISE 802.1x problem with users - Docking Station in Network Access Control

Cisco ISE 802.1x problem with users - Docking Station

Re: Cisco ISE 802.1x problem with users - Docking Station

Re: Cisco ISE 802.1x problem with users - Docking Station