Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2690
Views
0
Helpful
2
Replies

Cisco ISE 802.1x problem with users - Docking Station

Go to solution
mikiNet
Level 1
Level 1

‎03-29-2022 01:16 AM

Dear Friends,

I am writing to you because I am slowly missing an idea, according to the following:

I started to implement Dot1x for the user VLAN, but there is one very important problem.
It consists in the fact that many PCs have a docking station that after removing the laptop it maintains the port in the UP state, which is associated with the fact that the port is authorized all the time - and a strange situation because after inserting the laptop again, there is no communication and you have to manually unplug the cable from dock station or to put and pick up the port - after that it working - I decided to add two commands to the config:

 

Authentication periodic

Authentication timer reauthentication 32400

 

But after implemented this, users report me that after come to office and plug PC, computer not asking for credentials - it looks that requth not work or port after 9h is going to reauth state and this state is maintain all the time.

Unplug the cable or shutdown and no shutdown only work.....

 

Below my config:

radius server ISE-1

address ipv4 XXXXXXXXX auth-port 1812 acct-port 1813

key xxxxxxx

!

radius server ISE-2

address ipv4 XXXXXXXXX auth-port 1812 acct-port 1813

key xxxxxxxxxx

!

 

aaa group server radius ISE_RADIUS

server name ISE-1

server name ISE-2

!

 

aaa new-model

aaa authentication login default local

aaa authorization exec default local

aaa authentication dot1x default group ISE_RADIUS

aaa authorization network default group ISE_RADIUS

aaa accounting dot1x default start-stop group ISE_RADIUS

!

!

!

!

!

aaa server radius dynamic-author

client XXXXXXXX server-key XXXXXXXXX

client XXXXXXXX server-key XXXXXXXXXX

!

 

dot1x system-auth-control

!

ip device tracking

radius-server vsa send authentication

radius-server vsa send accounting

 

device-sensor filter-list cdp list TLV-CDP

tlv name device-name

tlv name address-type

tlv name capabilities-type

tlv name version-type

tlv name platform-type

device-sensor filter-spec cdp include list TLV-CDP

device-sensor accounting

device-sensor notify all-changes

 

!

interface GigabitEthernetXXXXXXXX ----- 

sw host

switchport mode access

switchport voice vlan XXXX

ip access-group BLOCK_8021x in

authentication event fail action next-method

authentication event server dead action authorize vlan XXXXX

authentication event server dead action authorize voice

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication open

authentication order mab dot1x

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate 32400

authentication timer inactivity 3600

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout quiet-period 300

dot1x timeout tx-period 10

spanning-tree portfast

 

!

 

ip http server

ip http secure-server

cdp run

snmp-server community XXXXXXXX RO

 

mac address-table notification change interval 0

mac address-table notification change

 

!

!

ip access-list extended BLOCK_8021x

permit udp any any eq bootps

permit udp any any eq bootpc

deny   ip any any

!

ip radius source-interface VlanXXXX

!

!

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

!

authentication mac-move permit

!

 

Vlan 70 which is user vlan is receiving from ISE (Authorization Profile)

 

Any idea?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mikiNet
Level 1
Level 1
In response to HansK_NL

‎03-31-2022 12:05 AM

Yes, I have implemented IP Device Tracking. SNMP Traps not work becauese please remember that port is always UP (docking station holds up port in UP state).

 

I find workaround - In windows supplicant I check option to remember credentials - and it working

View solution in original post

0 Helpful
2 Replies 2

Go to solution
HansK_NL
Level 1
Level 1

‎03-30-2022 12:00 PM - edited ‎03-30-2022 12:36 PM

Do you have the option to implement IP Device Tracking (IPDT) on your switches?

https://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html

 

And/or the switch can send SNMP traps for link (up/down) and MAC (add/remove) events, these traps must then be send to ISE.  ISE must be configured to listen to these traps. This way, ISE will be notified immediately that something happened to the endpoint and can send a CoA to the switch to terminate the access-session.

 

Cheers,

Hans

0 Helpful

Go to solution
mikiNet
Level 1
Level 1
In response to HansK_NL

‎03-31-2022 12:05 AM

Yes, I have implemented IP Device Tracking. SNMP Traps not work becauese please remember that port is always UP (docking station holds up port in UP state).

 

I find workaround - In windows supplicant I check option to remember credentials - and it working

0 Helpful
Customers Also Viewed These Support Documents