Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1251
Views
5
Helpful
2
Replies

802.1x EAP-TLS + laptops with docking stations

Pakellmute
Beginner
Beginner

‎02-09-2022 05:08 AM

Hello,

 

We are having a trouble with 802.1x authentication. Cisco ISE as RADIUS, Aruba switches as authenticators

Time after time different user gets rejected. I checked Wireshark - when laptop is connected to docking station, it receives "Identity request" from Aruba switch (as the interface is configured for aaa authentication and mac-based authentication), but computer does not respond. After short period of time - another "Identity request" from switch, but no response from laptop. When I plug in cable directly to a laptop - Identity request from switch, response from laptop and everything works fine. 
After short period of time (1-2hours) I connect laptop to docking station - and it works.....

Hundreds of users with docking stations - each day 3-5 different users for no reason gets rejected in this manner.

The problem starts for laptops with docking stations that worked for weeks. 

GPO is pushed to all wired interfaces (with Fast Startup disabled) and there should be no problem.

Any suggestions?

Labels:
0 Helpful
2 Replies 2

Arne Bier
VIP Advisor VIP Advisor
VIP Advisor

‎02-09-2022 12:54 PM

Hello @Pakellmute 

 

When you say "computer does not respond" does that mean that you were at least able to confirm that the RADIUS comms between the Aruba switch and ISE is OK? In other words, ISE replies with an Access-Accept? And is that sufficient to put that switch port into a mode to allow the PC to send traffic? 

You mention 802.1X and then MAC based authentication on the switch - surely the switch is processing the EAPOL frames from the Windows client? Can you see that in ISE? 

The other thing to note is that with docking stations, each time you connect to one, Windows builds a new "Ethernet" interface (e.g. "Ethernet 3") - which means that all of your supplicant configurations will have been lost (if configured on "Ethernet 0") - unless I am mistaken 

0 Helpful

Pakellmute
Beginner
Beginner

‎02-11-2022 12:22 AM

Hello, @Arne Bier,

Thank you for your response.
Yes, communication between Aruba switch and Cisco ISE is okay, ISE replies with an Access-Accept.

When user authentication stops working with docking station (even though it used to work for weeks) - you can see my attached .png file the difference in wireshark. And as I mentioned before - it happens everyday for different users..
Yes, I checked NIC configuration when laptop is connected with docking - GPO configuration is pushed and it should respond with a certificate. 


 

Preview file
75 KB
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents