Beginner

Cisco ISE wired with Dell docking station

We have a connection from the LAN port to an IP phone (Yealink), then to a Dell docking station for wired.

We have a user using a Dell docking station, but when he undocks to use wireless access for a meeting, then goes back to his desk and plugs back into the docking station, the network connection cannot be established.

I suspect it is because the link from the phone to the docking station never goes down, thus ISE is unable to authenticate the session.

Any way to resolve the issue?

7 REPLIES
Participant

Re: Cisco ISE wired with Dell docking station

Sounds like the phone may not be detecting the data port going down.  You can test this out to be sure.  Have your PC docked and authenticated.  On the switch, do a "show auth sess int gig x/y details" and you should see both sessions.  One for the phone and one for the PC.  Undock the PC and then check the switch again.  If the session is still there for the docking station's MAC address, then the phone is not telling the switch that the PC has gone down.  But in that case, the PC should still work when it comes back since the session is still open.  So it may be another issue.

You could use the idle timer on the switchport to bring down any idle sessions.  Maybe after 10 minutes of idle.  Then when the PC comes back, it should attempt to communicate and should trigger a new session.  But if it isn't, then that means the phone is not passing the frames to the switch or something similar.  Try to unplug the cable from the PC to the phone when that happens.  See if that triggers the authentication to work.

It could also be possible that the supplicant on the PC is not responding to the switch's EAPOL Request Identity frames.  To test that, you could start a packet capture on the PC and then plug it in.  See what the capture shows.  Also run a capture from the switchport using SPAN.  If the switch doesn't see anything coming from the docking station's MAC address, then the switch doesn't know the device is there and won't trigger the new session.


Beginner

Re: Cisco ISE wired with Dell docking station

Thanks, it turns out the session was not able to clear; it worked after configuring the idle timeout.

Beginner

Re: Cisco ISE wired with Dell docking station

@Colby.LeMaire can I know the suggestion: should the idle timeout only be applied to the docking station port, or should I apply it on ISE, which will affect all connections?

Participant

Re: Cisco ISE wired with Dell docking station

Ideally, you set it on ISE within your authorization profiles.  And on the switchports, there is an option of the command that says to use the server value (i.e. from ISE).  I think the command is "authentication timer inactivity server dynamic".  That way, you can adjust it on ISE if you need to in the future.  Instead of having to touch every switchport manually.  And you can apply different values based on which authorization profile is assigned.


Rising star

Re: Cisco ISE wired with Dell docking station

@colby could you please give an example of how to set this up on ISE? Do we have to create an authorization profile in rules?

please do not forget to rate.
Participant

Re: Cisco ISE wired with Dell docking station

Authorization profiles are created under Policy->Policy Elements->Results->Authorization->Authorization Profiles.  Then you reference the authorization profile in a rule.  So if a device/user matches on a particular rule such as "Wired Workstation", then the appropriate authorization profile gets applied to that session.
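The two ways of setting the idle timer discussed in this thread, side by side, as an added example that is not part of any reply above. The interface name, the host-mode lines and the 600-second value (the "10 minutes" suggested earlier) are assumptions, as is the use of the RADIUS Idle-Timeout attribute in the ISE authorization profile; check the exact syntax against your switch software release.

```text
! Constructed example: access port with a phone and a docked PC behind it.
interface GigabitEthernet1/0/10
 switchport mode access
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
 !
 ! Option A: static value set on this port only (seconds).
 ! Every change means touching the switchport again.
 authentication timer inactivity 600
 !
 ! Option B: take the value from the RADIUS server (ISE) instead.
 ! Use this line in place of the static one above; it is the command
 ! quoted in the reply earlier in the thread.
 ! authentication timer inactivity server dynamic
!
! ISE side for option B (assumption): in the authorization profile under
! Policy > Policy Elements > Results > Authorization > Authorization Profiles,
! add the RADIUS attribute Idle-Timeout (attribute 28) with value 600, then
! reference that profile in the rule that matches the docked workstations.
!
! Check after undocking: the PC session should disappear once the timer expires.
! show authentication sessions interface GigabitEthernet1/0/10 details
```

With option B, different authorization profiles can return different values, and the timer also bounds how long an authorized session stays open on the port after the endpoint has left.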

Cisco Employee

Re: Cisco ISE wired with Dell docking station

We have seen issues with docking stations randomizing the MAC address of the endpoint which can cause problems as ISE uses the MAC address as an index in the database. Contact the TAC to verify if that is the case.

Regards,
-Tim