02-09-2022 05:08 AM
Hello,
We are having trouble with 802.1x authentication. Cisco ISE as RADIUS, Aruba switches as authenticators.
Time after time, a different user gets rejected. I checked Wireshark - when the laptop is connected to the docking station, it receives an "Identity request" from the Aruba switch (as the interface is configured for aaa authentication and mac-based authentication), but the computer does not respond. After a short period of time - another "Identity request" from the switch, but no response from the laptop. When I plug the cable directly into a laptop - Identity request from the switch, response from the laptop, and everything works fine.
After a short period of time (1-2 hours) I connect the laptop to the docking station - and it works.
Hundreds of users with docking stations - each day 3-5 different users get rejected in this manner for no reason.
The problem starts for laptops with docking stations that worked for weeks.
GPO is pushed to all wired interfaces (with Fast Startup disabled) and there should be no problem.
Any suggestions?
02-09-2022 12:54 PM
Hello @Pakellmute
When you say "computer does not respond", does that mean that you were at least able to confirm that the RADIUS comms between the Aruba switch and ISE are OK? In other words, ISE replies with an Access-Accept? And is that sufficient to put that switch port into a mode to allow the PC to send traffic?
You mention 802.1X and then MAC based authentication on the switch - surely the switch is processing the EAPOL frames from the Windows client? Can you see that in ISE?
The other thing to note is that with docking stations, each time you connect to one, Windows builds a new "Ethernet" interface (e.g. "Ethernet 3") - which means that all of your supplicant configurations will have been lost (if configured on "Ethernet 0") - unless I am mistaken.
02-11-2022 12:22 AM
Hello, @Arne Bier,
Thank you for your response.
Yes, communication between the Aruba switch and Cisco ISE is okay, ISE replies with an Access-Accept.
When user authentication stops working with the docking station (even though it used to work for weeks) - you can see the difference in Wireshark in my attached .png file. And as I mentioned before - it happens every day for different users.
Yes, I checked the NIC configuration when the laptop is connected with the docking station - the GPO configuration is pushed and it should respond with a certificate.
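Added example, not part of any post in this thread: a small Python check that finds the symptom described above in captured frames, i.e. EAP Request/Identity frames from the switch that never get a Response/Identity with the same identifier. The MAC addresses, identity string and sample frames are constructed, and untagged Ethernet (no VLAN header) is assumed.

```python
import struct

EAPOL_ETHERTYPE = 0x888E          # IEEE 802.1X (EAP over LAN)
EAPOL_TYPE_EAP = 0                # EAPOL packet type 0 carries an EAP packet
EAP_REQUEST, EAP_RESPONSE = 1, 2  # EAP codes (RFC 3748)
EAP_TYPE_IDENTITY = 1

def parse_eap_identity(frame):
    """Return (src_mac, eap_code, eap_id) for an EAP Identity frame, else None."""
    if len(frame) < 23:           # 14 Ethernet + 4 EAPOL + 5 EAP header bytes
        return None
    if struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE or frame[15] != EAPOL_TYPE_EAP:
        return None
    code, eap_id, _length, eap_type = struct.unpack("!BBHB", frame[18:23])
    if code not in (EAP_REQUEST, EAP_RESPONSE) or eap_type != EAP_TYPE_IDENTITY:
        return None
    return frame[6:12].hex(":"), code, eap_id

def unanswered_identity_requests(frames):
    """List (authenticator_mac, eap_id) for Request/Identity frames never answered."""
    pending = []
    for frame in frames:
        parsed = parse_eap_identity(frame)
        if parsed is None:
            continue
        src, code, eap_id = parsed
        if code == EAP_REQUEST:
            pending.append((src, eap_id))
        else:
            # A response clears every pending request with that id
            # (retransmitted requests reuse the identifier).
            pending = [p for p in pending if p[1] != eap_id]
    return pending

def build_frame(src, dst, code, eap_id, identity=b""):
    """Build a constructed Ethernet/EAPOL/EAP Identity frame for the samples below."""
    eap = struct.pack("!BBHB", code, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP, len(eap)) + eap
    macs = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return macs + struct.pack("!H", EAPOL_ETHERTYPE) + eapol

# Constructed sample data: switch, laptop, and the 802.1X PAE group address.
SWITCH, LAPTOP, PAE = "02:00:00:00:00:01", "02:00:00:00:00:02", "01:80:c2:00:00:03"
DOCKED = [build_frame(SWITCH, PAE, EAP_REQUEST, 1), build_frame(SWITCH, PAE, EAP_REQUEST, 2)]
DIRECT = [build_frame(SWITCH, PAE, EAP_REQUEST, 1),
          build_frame(LAPTOP, PAE, EAP_RESPONSE, 1, b"host/laptop.example")]

if __name__ == "__main__":
    print("docked:", unanswered_identity_requests(DOCKED))
    print("direct:", unanswered_identity_requests(DIRECT))
```

Run over frames exported from a capture on the affected port, a non-empty result confirms that the supplicant stayed silent rather than the switch or RADIUS server rejecting a response.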