Plugable with ISE

jmorton1
Level 3

We use Cisco Identity Services Engine for MAC filtering on our switches, and one issue that has come up is devices that use the Plugable docking stations. These docking stations do not forward the MAC address of the machine's Ethernet interface. Instead, the Plugables have their own Ethernet MAC address, so if a machine is connected to the network using a Plugable, then the MAC address of that Plugable is what must be allowed through ISE. The problem is that any machine plugged into a Plugable device will show up with the same MAC address, so we cannot just whitelist the MAC address of the Plugable; we have to use 802.1X authentication, which involves a client and server certificate in order to authenticate the machine.

Now, 802.1X usually works just fine, and I am well aware that it is actually much more secure since MACs can be spoofed, but the problem is that, on the occasion that dot1x fails, we are forced to temporarily whitelist the Plugable until the machine has resolved the certificate, and then we can revoke the Plugable from ISE again. Of course, this opens up another issue: if we whitelist a Plugable and forget to follow up, there is the risk that someone could hook up a rogue device to that Plugable and it would be allowed.

Does anyone know of a docking station that passes the MAC address of the machine's ethernet NIC instead of assigning its own? If we could find such an alternative, then that would seem to solve this issue permanently.

4 Replies

beepmeep
Level 3

I've encountered this a lot and have even experienced so-called "smart" docks that keep the link alive and don't send an EAP-Logoff message when a workstation disconnects, meaning that a rogue device can "inherit" an 802.1X authenticated session.

The only solution to the problem I've found is to enable a BIOS setting on all managed devices that tells them to use the laptop NIC's MAC address when plugged into a dock. On Lenovo the BIOS option has been available since the T490 series.

It can be set using PowerShell; unfortunately I don't have the script, so you'll have to Google that yourself.

I'm interested to hear any other solutions to the problem.
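Added example, not from the thread or from Lenovo: a PowerShell script that reads and sets the Lenovo BIOS MAC pass-through option through Lenovo's BIOS WMI interface (the Lenovo_BiosSetting, Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings classes in root\wmi). The setting name "MACAddressPassThrough" and the value "Internal" are assumptions; confirm them on your model with the listing function before deploying.

```powershell
# Added example (not from the original thread). Assumes Lenovo's documented BIOS WMI
# classes in root\wmi and a setting named "MACAddressPassThrough" whose value "Internal"
# means "present the laptop NIC's MAC on the dock port". Both names are assumptions:
# list the real ones with Get-LenovoBiosSettings on the target model first.
# Run from an elevated Windows PowerShell session. If a supervisor password is set,
# Lenovo's interface expects ",<password>,ascii,us" appended to the argument strings.

$SettingName = 'MACAddressPassThrough'   # assumed setting name
$Desired     = 'Internal'                # assumed value; some models use 'Enable'

function Get-LenovoBiosSettings {
    # Each CurrentSetting is "Name,Value"; newer firmware may append ";[Optional:...]" hints.
    Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting } |
        ForEach-Object {
            $name, $value = $_.CurrentSetting -split ',', 2
            [pscustomobject]@{ Name = $name; Value = ($value -split ';')[0] }
        }
}

function Set-LenovoBiosSetting {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value)
    # Stage the change, then commit it; each call returns a status string such as "Success".
    $setter = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting
    $status = $setter.SetBiosSetting("$Name,$Value").return
    if ($status -ne 'Success') { throw "SetBiosSetting '$Name' failed: $status" }

    $saver  = Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings
    $status = $saver.SaveBiosSettings('').return
    if ($status -ne 'Success') { throw "SaveBiosSettings failed: $status" }
}

$current = Get-LenovoBiosSettings | Where-Object { $_.Name -eq $SettingName }
if (-not $current) {
    throw "Setting '$SettingName' not found on this model; review Get-LenovoBiosSettings output"
}
Write-Host "$SettingName is currently '$($current.Value)'"

if ($current.Value -ne $Desired) {
    Set-LenovoBiosSetting -Name $SettingName -Value $Desired
    Write-Host "Set $SettingName to '$Desired'; the change applies after a reboot"
}
```

Because the dock then carries the laptop's own MAC, the ISE policy can key on the machine rather than the dock, which removes the need for the temporary MAB whitelist the original post describes.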

aleabrahao
Meraki Community All-Star

To be perfectly honest, I don't use it that way. For network machines, I usually use 802.1X. I could use Dell's documentation, but I've never worried about it because I prefer 802.1X to MAB.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Amine ZAKARIA
Spotlight

@jmorton1,

@jmorton1 wrote:

Does anyone know of a docking station that passes the MAC address of the machine's ethernet NIC instead of assigning its own? If we could find such an alternative, then that would seem to solve this issue permanently.

Try to enable MAC passthrough on the laptop.

@jmorton1 wrote:

Now, 802.1X usually works just fine, and I am well aware that it is actually much more secure since MACs can be spoofed, but the problem is, on the occasion that dot1x fails, then we are forced to temporarily whitelist the plugable until the machine has resolved the certificate, and then we can revoke the plugable from ISE again. Of course, this opens up another issue in that if we whitelist a plugable, and forget to follow up, then there is the risk that someone could hook up a rogue device to that plugable and it would be allowed.

As the machine is joined to Active Directory, why not create a bottom policy for machine authentication only, with a minimum DACL access to provision the certificate, instead of relying on MAB?
Make sure the dot1x authentication settings on the laptop are set to user or machine authentication.

If this resolved your issue, please mark it as "Accepted as a solution"!
Regards!

Singhaam
Level 4

@jmorton1, you need to enable MAC passthrough on the laptop from the BIOS. We had some similar issues with HP docking stations.

Also try and see if manually adding the PC's MAC to the NIC will help.