Docking Station Best Practice with 802.1x Authentication and Cisco ISE

latenaite2011, Level 4

Does anyone know what the best practice is for a user undocking and docking his laptop to a docking station (the docking station doesn't have an extra network adapter)? Customer reported that the 802.1x authentication works fine (connected initially via the docking station), but after disconnecting and reconnecting he is still able to access the network, yet noticed that the 802.1x access-list is not in effect anymore, so it appears that there is no authorization from Cisco ISE to restrict traffic.

Just wondering what the best practice is for something like this. I know there are some re-authentication timers but am not sure if those should be tuned and, if so, which one (there are re-authentication timers on ISE too). This is a greenfield deployment in testing mode. Upon successful testing in different use cases, they will deploy to production.

15 Replies

There are not a lot of hard details or evidence to go by here, but the description that the session changes from 802.1x to MAB would lead me to think this might be an issue with FlexAuth with legacy IBNS config on the switch. If the docking station is connected to the switchport, the switch would likely not detect the PC being disconnected and the port would remain active. This could lead to the reauth behaviour where FlexAuth would revert to using MAB.

See this whitepaper that discusses how FlexAuth works and pay particular attention to the footnote on page 3 that references the use of the Cisco AVPair for 'termination-action-modifier=1'.

Flexible Authentication Order, Priority, and Failed Authentication 

You can see an example of how you would configure this in your Authorization Profile in this guide:

Top Ten mis-configured Cisco IOS Switch settings for ISE integration
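As an added illustration (not part of the thread or of either linked guide), below is a legacy IBNS FlexAuth switchport configuration of the kind the reply describes, followed by the RADIUS attributes the ISE Authorization Profile would need to return so that reauthentication stays on the existing 802.1x session. The interface name, VLAN, timer values and ACL name are assumed.

```text
! Added example, not from the thread. Interface, VLAN and timers are assumed.
! Legacy IBNS FlexAuth switchport: dot1x tried first, MAB as the fallback method.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication event fail action next-method
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! With a docking station between the laptop and the switchport, undocking and
! redocking does not drop the link, so the switch does not restart
! authentication on link-up; the next periodic reauthentication decides which
! method the session ends up on, and with the settings above a restart through
! the authentication order can land the session on MAB without the dACL.
!
! Attributes for the ISE Authorization Profile to return in the Access-Accept
! (illustrative values) so the switch reauthenticates the existing 802.1x
! session rather than reinitializing the port through the method order:
!   Session-Timeout    = 28800
!   Termination-Action = RADIUS-Request
!   cisco-av-pair      = "termination-action-modifier=1"
!
! Check after a redock: the method should still read dot1x and the downloaded
! ACL should still be listed against the session.
!   show authentication sessions interface GigabitEthernet1/0/10 details
```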