Docking Station Best Practice with 802.1x Authentication and Cisco ISE

latenaite2011 (Level 4)

Does anyone know what the best practice is for a user undocking and docking his laptop to a docking station (the docking station doesn't have an extra network adapter)? Customer reported that the 802.1x authentication works fine (connected initially via the docking station), but after disconnecting and reconnecting he is still able to access the network, and noticed that the 802.1x access-list is not in effect anymore, so it appears that there is no authorization from Cisco ISE to restrict traffic.

Just wondering what the best practice is for something like this. I know there are some re-authentication timers but not sure if they should be tuned and, if so, which one (there are re-authentication timers on ISE too). This is a greenfield deployment in testing mode. Upon successful testing in different use cases, they will deploy to production.

2 Accepted Solutions

thomas (Cisco Employee)

Windows has 2 separate, native 802.1X supplicants - 1 for wireless (WLAN AutoConfig) which is enabled by default and 1 for wired (Wired AutoConfig) which is disabled by default. You will want to verify the supplicant configurations on your endpoint(s).

[Screenshot: Windows 10 802.1X Supplicant - Services - Wired AutoConfig]

It is unclear what you mean by "no authorization from Cisco ISE to restrict traffic":

- what were you expecting?

- what is your ISE Policy?

- is your wired switch configured for 802.1X?

- did you get an ISE LiveLog message about it? What exactly did it say?

Arne Bier (VIP)

If you can, enable the MAC Address Passthrough mode on the laptop, so that the Ethernet MAC address of the laptop (in the BIOS) is used, instead of the Ethernet MAC address of the dock. I am not 100% sure if this works with all vendors, but it works well with Dell Docks + Dell Laptops, and also Lenovo Docks + Lenovo Laptops. Ideally you don't want to ever see the dock's LAN Ethernet address on the switch, because it's confusing and it doesn't help.

Check which host-mode you are using on that switch interface. I would start with multi-auth, to force every learned MAC address to go through ISE authentication/authorization.

Have you configured device-tracking on that switch? Device tracking will periodically check whether it gets an ARP response to a MAC address, to see if the endpoint is still there.

Ideally you want to use MAC Passthrough, since that is the cleanest way to operate with a docking solution. When there is no user connected to the end of that USB cable, your switch should indicate that there are no sessions on that switchport.

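The switch-side advice above (multi-auth host mode, device tracking, reauthentication controlled by ISE, dot1x with MAB fallback) collected into one IOS-XE IBNS 2.0 port configuration. This is an added example for this page, not configuration from the thread or from Cisco's deployment guide; the interface, VLAN, RADIUS server address, shared key, and policy/class/template names are assumptions. The `access-session closed` line is included deliberately: the original post says the deployment is in testing mode, and an IBNS 2.0 port that is not set to closed mode is in open (monitor) mode and forwards traffic regardless of the authentication result, which is one configuration that would produce the reported symptom of a 5400 MAB failure with full network access still working.

```cisco
! Added example (not from the thread): IOS-XE IBNS 2.0 wired 802.1X + MAB.
! Names, addresses, VLAN and key below are assumptions for illustration.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Accept CoA from ISE so a re-authorization (e.g. after endpoint/profiling changes)
! can be pushed to the switch without waiting for the reauth timer.
aaa server radius dynamic-author
 client 10.0.0.10 server-key RADIUS_KEY
!
radius server ISE-PSN-1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key RADIUS_KEY
!
dot1x system-auth-control
!
! Device tracking: the switch probes learned hosts, so the session for a laptop
! that was unplugged from the dock is cleared instead of lingering as authorized.
device-tracking policy IPDT_POLICY
 tracking enable
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
policy-map type control subscriber POLICY_DOT1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
! If EAPOL shows up on a session that already fell back to MAB (a supplicant that
! woke up late after re-docking), drop the MAB session and run 802.1X again.
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
!
interface GigabitEthernet1/0/1
 description User port with USB-C dock
 switchport mode access
 switchport access vlan 10
 device-tracking attach-policy IPDT_POLICY
! multi-auth: every MAC seen on the port (dock, laptop, phone) gets its own
! session and its own ISE authorization result.
 access-session host-mode multi-auth
! closed mode: no traffic until ISE authorizes the session. Omit this line and
! the port is open (monitor) mode: traffic passes even when authentication fails.
 access-session closed
 access-session port-control auto
! Reauthenticate on the Session-Timeout ISE returns, not a fixed local timer, so
! the reauth interval is set centrally in the ISE authorization profile.
 authentication periodic
 authentication timer reauthenticate server
! Age out idle sessions; "probe" makes the switch ARP-probe the host first.
 subscriber aging inactivity-timer 60 probe
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 service-policy type control subscriber POLICY_DOT1X_MAB
```

To verify after re-docking, run `show access-session interface GigabitEthernet1/0/1 details`: it lists each MAC on the port with the method that won (dot1x or mab), the status (Authorized/Unauthorized) and the dACL or other attributes ISE returned. A session shown as `mab` and Unauthorized while traffic still flows points at open mode rather than at ISE policy. `show device-tracking database interface GigabitEthernet1/0/1` shows whether the switch still believes the endpoint is present. For `authentication timer reauthenticate server` to have any effect, the ISE authorization profile has to return a Session-Timeout (the Reauthentication setting in the profile, with RADIUS-Request as the termination action to keep connectivity across the reauth).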

15 Replies

balaji.bandi (Hall of Fame)

Depending on your deployment, make Ethernet the preferred method; if not, move to wireless.

If SSO is deployed in the environment, you would not see any disconnection, but if there are some sensitive applications which do not hold the session long, then you need to re-authenticate as required. In most cases it is not required.

There is a good document below (especially when you are doing greenfield, so it's the right time to make all changes as required before putting it in production and testing it):

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

BB


thomas (Cisco Employee)

(Accepted solution; the full text is under Accepted Solutions above.)

Hey Thomas, thanks for your reply. Yes, I am aware of the wired and wireless supplicants, and they are using wired now.

The first, successful attempt is a regular 5200 Authentication succeeded and hits the authentication and authorization policy as expected. Then he disconnects and connects back to the docking station almost right away and gets 5400 Authentication failed.

He says he is still able to access everything (ping to internet, etc.) and the access-list is not restricted like he wanted it to be. The live log shows that it has switched to MAB. See attached.

The switch port has 802.1x and MAB configured. What would cause this and what should it be? Thanks in advance!

Arne Bier (VIP)

(Accepted solution; the full text is under Accepted Solutions above.)

Thanks Arne for all your suggestions.

Concerning the MAC Address Passthrough in the BIOS, does it still apply if there is no network adapter in the docking station? He uses a network adapter that is connected to the USB-C connector at all times.

@Arne Bier Thank you for providing the option for "MAC Address Passthrough". However, do I still need to whitelist or manually add the MAC address of the docking station in the Endpoint Group for MAB, so that 802.1x runs successfully?

We have IBNS 2.0, with IOS-XE 17.09.05.

@Mukesh-Kumar - when MAC Address Passthrough is enabled, the Ethernet MAC address of the docking station is NOT presented in the Ethernet frames. Instead, the factory-installed Ethernet MAC address of the laptop is used. In my experience this only works with docks from the same vendor; not 100% sure if this would work when mixing laptop and dock vendors.

If you're doing 802.1X then you should not be considering the MAC address for authentication or authorization. The certificate is your authentication, and your authorization can be whatever you like (e.g. successful AD group membership).

Thank you @Arne Bier for your quick update and response.

Correct, for 802.1x we are using certificates. We have Lenovo laptops and their provided docking stations.

However, authentication is successful only for the docking stations which are whitelisted.

I have configured the laptop BIOS for MAC Address Passthrough. Now I see the machine/laptop MAC address on the switch and in the ISE log. However, authentication happens only for the whitelisted docking station, somehow.

Is there any Cisco documentation? Could you please help on the matter?

Thanks and regards,

@Mukesh-Kumar you must share your ISE Authentication and Authorization Policies.  If you see the PC MAC address on the switch then the passthrough is working. That means you are no longer using the docking Eth MAC.  What happens next (in ISE) is a matter of how you configured the ISE Policy Set.

Thank you @Arne Bier. Actually, I came across another issue: I am not observing endpoints in Context Visibility. I do not see any phones like Avaya etc. in Context Visibility.

Once this is resolved, I will carry out the testing. I had other docking stations, and it worked without adding or whitelisting them. But further testing will be carried out once the issue of devices not showing up in Context Visibility is resolved.

Thank you very much. @Arne Bier 

You can clear the Context Visibility, and then re-populate it from the Oracle DB. Have a look at the procedure.

Thank you @Arne Bier, thank you for your quick support. By enabling "MAC Address Passthrough", I am getting successful authentication.

Thank you very much.

Arne Bier (VIP)

Oh right. The dock has no Ethernet connection to the switch? Then I am confused. Not sure what the docking/undocking has to do with the 802.1X then, if the USB-C dongle is always attached to the laptop. The USB dongle would create a Windows Ethernet adapter with which you connect to the switch, and that should never change, unless the user keeps swapping the USB/Ethernet dongle; that would generate a new Ethernet adapter in Windows (and a different MAC address).

MAC passthrough is an enterprise feature that most good vendors support (because this is a well-known issue since USB docking stations came onto the market).

Not sure what is causing your particular issue though.

Hey Arne,

I think it is a built-in USB-C on the docking station and the laptop doesn't have any physical network adapter. Here are the exact details:

"It's just a laptop docking station that connects to the laptop using USB-C. The connection worked with the docking station at first, then when I reconnected it, it wouldn't work anymore. This laptop does not have a physical network port, so I use the docking station to connect."

So he removed the laptop from the docking station temporarily as a test and reconnected it, to see if the access-list would still apply, but he says that after reconnecting, the internet still works and the ACL restriction is not in place, and he is getting a 5400 Authentication failed message on MAB (not 802.1x anymore). So the question is why it switched to MAB instead of continuing with 802.1x.

Thanks in advance!