Cisco ISE wired with Dell docking station

Freemen (Level 1)

We have a connection from a LAN port to an IP phone (Yealink), then to a Dell docking station for wired access.

We have a user using a Dell docking station, but when he undocks to use wireless access for a meeting, comes back to his desk and plugs back into the docking station, the network connection is not able to establish.

I suspect it is because the link from the phone to the docking station is never down, thus ISE is unable to authenticate the session.

Any way to resolve the issue?

 

 

 


7 Replies

Colby LeMaire (VIP Alumni)

Sounds like the phone may not be detecting the data port going down.  You can test this out to be sure.  Have your PC docked and authenticated.  On the switch, do a "show auth sess int gig x/y details" and you should see both sessions.  One for the phone and one for the PC.  Undock the PC and then check the switch again.  If the session is still there for the docking station's MAC address, then the phone is not telling the switch that the PC has gone down.  But in that case, the PC should still work when it comes back since the session is still open.  So it may be another issue.

You could use the idle timer on the switchport to bring down any idle sessions.  Maybe after 10 minutes of idle.  Then when the PC comes back, it should attempt to communicate and should trigger a new session.  But if it isn't, then that means the phone is not passing the frames to the switch or something similar.  Try to unplug the cable from the PC to the phone when that happens.  See if that triggers the authentication to work.

It could also be possible that the supplicant on the PC is not responding to the switch's EAPOL Request Identity frames.  To test that, you could start a packet capture on the PC and then plug it in.  See what the capture shows.  Also run a capture from the switchport using SPAN.  If the switch doesn't see anything coming from the docking station's MAC address, then the switch doesn't know the device is there and won't trigger the new session.
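To make the undock test above repeatable, here is an added example (not from the thread) that parses constructed `show authentication sessions interface gig x/y details` output and reports whether the docking station's DATA session is still authorized and whether an idle timeout is in effect to age it out; the MAC addresses, user names and session IDs are made up.

```python
import re

# Constructed sample of "show authentication sessions interface gig x/y details"
# output for a phone (VOICE) plus a docked PC (DATA); MACs, names and IDs are made up.
SAMPLE = """\
            Interface:  GigabitEthernet1/0/10
          MAC Address:  805e.c000.0001
            User-Name:  yealink-phone
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A14010000001100ABCDEF

            Interface:  GigabitEthernet1/0/10
          MAC Address:  d4be.d900.0002
            User-Name:  host/dock-user-pc.example.local
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A14010000001200ABCDF0
"""


def parse_sessions(text):
    """Split the command output into one {field: value} dict per session."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"\s*([^:]+?):\s+(.*\S)", line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            sessions.append(fields)
    return sessions


def stale_after_undock(sessions, dock_mac):
    """Run on output captured after the PC was undocked. Returns None if the docking
    station's DATA session is gone (the phone reported link-down); otherwise reports
    whether it is still authorized and whether an idle timeout exists to age it out."""
    for s in sessions:
        if s.get("Domain") == "DATA" and s.get("MAC Address", "").lower() == dock_mac.lower():
            return {"still_authorized": s.get("Status", "").startswith("Authz"),
                    "idle_timeout": s.get("Idle timeout", "N/A")}
    return None
```

A result of `still_authorized` True with `idle_timeout` N/A is the stuck state described in the thread: the session is held open and nothing will clear it until an inactivity timer is configured.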

Thanks, it turns out the session is not able to clear; it worked after configuring the idle timeout.

@Colby LeMaire can I know your suggestion: should the idle timeout only be applied to the docking station port, or should I apply it on ISE, which will affect all connections?

Ideally, you set it on ISE within your authorization profiles.  And on the switchports, there is an option of the command that says to use the server value (i.e. from ISE).  I think the command is "authentication timer inactivity server dynamic".  That way, you can adjust it on ISE if you need to in the future.  Instead of having to touch every switchport manually.  And you can apply different values based on which authorization profile is assigned.

@colby could you please give an example of how to set this up on ISE? Do we have to create an authorization profile in rules?

Please do not forget to rate.

Authorization profiles are created under Policy->Policy Elements->Results->Authorization->Authorization Profiles.  Then you reference the authorization profile in a rule.  So if a device/user matches on a particular rule such as "Wired Workstation", then the appropriate authorization profile gets applied to that session.

Timothy Abbott (Cisco Employee)

We have seen issues with docking stations randomizing the MAC address of the endpoint which can cause problems as ISE uses the MAC address as an index in the database. Contact the TAC to verify if that is the case.

Regards,
-Tim