Solved: Laptop. Works perfect on

Michael Grabowski · ‎03-15-2016

My test setup consists of an HP laptop and docking station, connected to a Cisco 7975 IP phone, connected to a 4510 switch.

The phone authenticates using MAB

PC/Laptops using Dot1x

ACS 5.4.0

When I dock and power up, the laptop connects fine with Dot1x. it uses PEAP and authenticates against AD with my Computer name and Username.

This works perfect

When I dock after being undocked for a while it wants to authenticate my laptop with it's MAC address and use "lookup"

then fails and moves to vlan 502

I have tried many combinations with my port config and no luck.

Below is my port config

interface GigabitEthernet1/12
switchport access vlan 5xx
switchport mode access
switchport voice vlan 5xx
ip arp inspection limit rate 75 burst interval 3
authentication event fail action authorize vlan 502
authentication event no-response action authorize vlan 502
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
qos trust device cisco-phone
spanning-tree portfast
service-policy input CISCO-IPPHONE
ip dhcp snooping limit rate 50
end

Michael Grabowski · ‎04-28-2016

UPDATE:

Problem was solved by unchecking "Fast Reconnect" in the Windows wired adapter

Apparently if you have "Fast Reconnect" enabled globally in ACS it does not play well with the Windows version of "Fast Reconnect"

You must turn one or the other off. In my case, it was easier to turn it off in the wired adapter under Authentication.

Thanks for your help. This one drove me crazy trying to figure it out !!

View solution in original post

nspasov · ‎03-15-2016

You can try to return the following RADIUS attribute and see if it helps your situation:

AVPair attribute termination-action-modifier=1

Otherwise, I recommend you set both the order and the priority to dot1x mab

I hope this helps!

Thank you for rating helpful posts!

Michael Grabowski · ‎03-17-2016

Hi, Thanks for the quick response.

I added "cisco-AV-Pair attribute termination-action-modifier=1" in policy elements, then added it to the access policy. I also set the order and priority on the switchport.

Still no luck.

I looks like when I dock, it wants to do "lookup" instead of "MsCHAPV2"

This is very frustrating

nspasov · ‎03-17-2016

Hmm, let me ask you this. When you dock, what MAC address do you see in ISE's live authentication log? Is the MAC address of the laptop or the MAC address of the docking station?

Thank you for rating helpful posts!

Michael Grabowski · ‎03-17-2016

Laptop. Works perfect on bootup just not when docking after a period of time.

I am using ACS 5.4.0

nspasov · ‎03-17-2016

OK, one more thing to try. Take a look at the this link. I have seen similar issues in the past and have discovered that some of the relevant hotfixes were not installed. I think in your case you might be hitting KB980295 usually fixed the problem.

Thank you for rating helpful posts!

Michael Grabowski · ‎04-28-2016

UPDATE:

Problem was solved by unchecking "Fast Reconnect" in the Windows wired adapter

Apparently if you have "Fast Reconnect" enabled globally in ACS it does not play well with the Windows version of "Fast Reconnect"

You must turn one or the other off. In my case, it was easier to turn it off in the wired adapter under Authentication.

Thanks for your help. This one drove me crazy trying to figure it out !!

nspasov · ‎04-30-2016

Good job on resolving the issue Michael!! Also, thank you for taking the time to come back and update the thread with the solution (+5 from me)

Now, since your issue is resolved, you should mark the thread as "answered" :)

802.1X and laptop docking. Why does it want to do MAB ?