
802.1x EAP issues with Microsoft Surface docking stations

awinslade
Level 1

Hi

Has anyone had an issue with Microsoft Surface docking stations where they stop responding midway through the EAP negotiation?

It starts okay and I can see from both the ISE logs and a capture of the EAP session that the Microsoft Surface docking station just stops responding; so far we have been unable to find a Windows log as to why.

Any advice welcome.

Andy

6 Replies

Hi friend,
Can you lengthen the Auth timeout? I think this is the issue here.

Can you perhaps drop a screenshot or two into the discussion - one of the ISE Details pane showing the steps?

What EAP method are you processing on ISE (EAP-PEAP, EAP-TLS, etc?) - and does it work when you bypass the docking station?

Firmware update available for the docking station?

Stab in the dark - if there is a large cert exchange then jumbo MTU somewhere along the line can screw things up. ISE doesn't handle MTU greater than 1500 bytes. Therefore ensure that on the L3 gateway of the ISE VLAN you set the MTU to 1500.

Hi

Thanks for your comments

I don't have a screenshot of ISE to hand - but it essentially reports that the client stopped responding, which aligns with the pcap image attached.

Unfortunately we cannot bypass the docking stations, as without them there are no Ethernet ports.

I don't think it's an MTU issue, as other laptops that do have Ethernet ports work.

We are leaning towards it being a driver issue, but it's strange that it gets as far as it does in the process.

Andy

Did you check the Auth timeout?
Are you using Wi-Fi? If yes, then can you disable fast reconnect?

thomas
Cisco Employee

Docking stations have been an exceptional use case for the Microsoft native supplicant for years.

Powered docking station ports may trick the switch into thinking the port is up when no physical client is there, and if the native supplicant does not perform an EAP-Start, the switch cannot know to begin a new EAP session.

If this problem persists, you may need to use Cisco AnyConnect with the NAM module.

 

Without real ISE errors/logs there is nothing else to comment on.

Call TAC.
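
Added example, not part of any post in this thread and not Cisco or Microsoft code: a small triage script for the kind of capture discussed above, reporting whether the supplicant sent an EAPOL-Start and which EAP-Request was left unanswered. It assumes the EAPOL PDUs (the bytes after EtherType 0x888E) have already been extracted from the pcap in order; the function names and the sample frames are constructed for illustration.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}

def parse_eapol(pdu: bytes) -> dict:
    """Decode one EAPOL PDU (the bytes that follow EtherType 0x888E)."""
    if len(pdu) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", pdu[:4])
    info = {"eapol": EAPOL_TYPES.get(ptype, f"type-{ptype}")}
    body = pdu[4:4 + length]
    if ptype == 0:  # EAP-Packet: code, identifier, length, then method type
        if len(body) < 4:
            raise ValueError("truncated EAP header")
        code, ident, _eap_len = struct.unpack("!BBH", body[:4])
        info.update(code=EAP_CODES.get(code, f"code-{code}"), id=ident)
        if code in (1, 2) and len(body) >= 5:
            info["method"] = EAP_METHODS.get(body[4], f"type-{body[4]}")
    return info

def find_stall(pdus):
    """Report where an EAP exchange stopped, given PDUs in capture order."""
    saw_start, pending, retransmits, outcome = False, None, 0, None
    for pdu in map(parse_eapol, pdus):
        if pdu["eapol"] == "EAPOL-Start":
            saw_start = True
        elif pdu.get("code") == "Request":
            if pending and pending["id"] == pdu["id"]:
                retransmits += 1  # same identifier again: request was not answered
            else:
                pending, retransmits = pdu, 0
        elif pdu.get("code") == "Response" and pending and pending["id"] == pdu["id"]:
            pending, retransmits = None, 0
        elif pdu.get("code") in ("Success", "Failure"):
            outcome, pending, retransmits = pdu["code"], None, 0
    return {"saw_eapol_start": saw_start, "outcome": outcome,
            "unanswered": pending, "retransmits": retransmits}

def eap(code, ident, method=None, data=b""):  # builds a constructed EAPOL PDU
    payload = (bytes([method]) if method is not None else b"") + data
    body = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return struct.pack("!BBH", 1, 0, len(body)) + body

# Constructed sample: EAPOL-Start, Identity and one PEAP round answered, then silence.
SAMPLE = [struct.pack("!BBH", 1, 1, 0), eap(1, 1, 1), eap(2, 1, 1, b"host/pc"),
          eap(1, 2, 25, b"\x20"), eap(2, 2, 25, b"\x00"),
          eap(1, 3, 25, b"\x00"), eap(1, 3, 25, b"\x00"), eap(1, 3, 25, b"\x00")]
print(find_stall(SAMPLE))
```

A non-empty `unanswered` entry with a growing `retransmits` count points at the supplicant side going quiet at that step, while `saw_eapol_start` being false matches the case where the switch never learns that a new client is behind the dock.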

Hi Thomas

I have made a little progress forward on this issue

It seems that the customer had set the Windows supplicant to use the computer's name/Password and not the certificate as was in the HLD - I suspect that the PC was not allowed to pass the username/PW to the docking station, but with the certificate it seems at this stage to operate as expected. We had a slight issue that the certificate template had an error, but this has been corrected.

About to carry out more testing at scale but will look out for the issue you describe.

Thanks

Andy