11-12-2019 06:17 AM - edited 11-12-2019 06:17 AM
We have a connection from the LAN port to an IP phone (Yealink), then to a Dell docking station for wired access.
We have a user on a Dell docking station, but when he undocks to use wireless access for a meeting, then comes back to his desk and plugs back
into the docking station, the network connection is not able to establish.
I suspect it is because the link from the phone to the docking station never goes down, thus ISE is unable to authenticate the session.
Is there any way to resolve the issue?
Solved! Go to Solution.
11-12-2019 07:01 AM
Sounds like the phone may not be detecting the data port going down. You can test this out to be sure. Have your PC docked and authenticated. On the switch, do a "show auth sess int gig x/y details" and you should see both sessions. One for the phone and one for the PC. Undock the PC and then check the switch again. If the session is still there for the docking station's MAC address, then the phone is not telling the switch that the PC has gone down. But in that case, the PC should still work when it comes back since the session is still open. So it may be another issue.
You could use the idle timer on the switchport to bring down any idle sessions. Maybe after 10 minutes of idle. Then when the PC comes back, it should attempt to communicate and should trigger a new session. But if it isn't, then that means the phone is not passing the frames to the switch or something similar. Try to unplug the cable from the PC to the phone when that happens. See if that triggers the authentication to work.
It could also be possible that the supplicant on the PC is not responding to the switch's EAPOL Request Identity frames. To test that, you could start a packet capture on the PC and then plug it in. See what the capture shows. Also run a capture from the switchport using SPAN. If the switch doesn't see anything coming from the docking station's MAC address, then the switch doesn't know the device is there and won't trigger the new session.
11-18-2019 06:49 PM
Ideally, you set it on ISE within your authorization profiles. And on the switchports, there is an option of the command that says to use the server value (i.e. from ISE). I think the command is "authentication timer inactivity server dynamic". That way, you can adjust it on ISE if you need to in the future. Instead of having to touch every switchport manually. And you can apply different values based on which authorization profile is assigned.
11-13-2019 09:19 PM
Thanks, it turns out the session is not able to clear; it worked after configuring the idle timeout.
11-18-2019 05:27 PM
@Colby LeMaire can I know your suggestion: should the idle timeout only be applied to the docking station port, or should I apply it on ISE, which will affect all connections?
11-19-2019 12:00 PM
@colby could you please give an example of how to set this up on ISE. Do we have to create an authorization profile in rules?
11-19-2019 02:42 PM
Authorization profiles are created under Policy->Policy Elements->Results->Authorization->Authorization Profiles. Then you reference the authorization profile in a rule. So if a device/user matches on a particular rule such as "Wired Workstation", then the appropriate authorization profile gets applied to that session.
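To make the switchport side of the above concrete, here is an added example (it is not from the original thread or from Cisco's documentation) of a Catalyst access port running the classic IOS "authentication" command set, with the fixed local inactivity timer shown beside the server-driven one that Colby describes. The interface name, VLAN numbers and the 600-second value are assumed for illustration, and the exact keywords and defaults vary by IOS release, so check them against the command reference for your platform before applying.

```cisco
! Constructed example: phone on the voice VLAN, docked PC behind it on the data VLAN
interface GigabitEthernet1/0/1
 description Yealink phone with docked PC behind it (example values)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! One session for the phone (VOICE domain) and one for the PC (DATA domain)
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 !
 ! Option A (per-port, static): the switch clears any session idle for 600 s.
 ! Every port must be edited by hand if the value changes.
 ! authentication timer inactivity 600
 !
 ! Option B (recommended above): take the idle timeout from the RADIUS
 ! Idle-Timeout attribute that ISE returns in the Access-Accept, so the value
 ! can differ per authorization profile and is changed centrally on ISE.
 authentication timer inactivity server dynamic
 !
 mab
 dot1x pae authenticator
!
! Verification (the same command used earlier in the thread):
!   show authentication sessions interface GigabitEthernet1/0/1 details
! With the PC docked you should see two sessions on the port; after the PC is
! undocked and the idle timer expires, the DATA-domain session should be gone,
! and re-docking should trigger a fresh EAPOL / MAB exchange and a new session.
```

On the ISE side, the value belongs in the authorization profile that the matching rule (for example "Wired Workstation") assigns, created under the Policy > Policy Elements > Results > Authorization > Authorization Profiles path named above. My assumption, which you should confirm in your ISE release, is that the timer is sent by adding the Radius:Idle-Timeout attribute under the profile's Advanced Attributes Settings. Two caveats for production: keep the phone's profile separate so the voice session is not affected by a short data-domain timer, and remember that an aggressive idle timeout will also clear quiet MAB endpoints such as printers and force them to re-authenticate, which is exactly why per-profile values on ISE are preferable to one global number on every port.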