12-09-2024 03:58 AM
I have a StarTech docking station connected to a Mitel phone and in ISE I can see the MAC address of the dock when a laptop is plugged in. The authentication for the dock fails, which is fine as it can't find a profile for it and comes up as 'Unknown'.
When a laptop is not plugged in to the dock, there is no activity on the network port.
When a laptop is plugged in it starts flashing. If it's a laptop with the correct dot1x settings and a certificate, the laptop authenticates fine but ISE logs the docking station MAC against the PC name. This is problem 1.
Problem 2 - If a laptop that is unauthorised comes along and plugs in, the laptop is rejected but the logs in ISE continue to show the docking station MAC over and over even if the laptop has been unplugged. Almost like it's cached or as if because the phone is keeping the authentication alive on the switchport, it continues to try and re-authenticate the dock even though there is no activity light after the laptop has been unplugged.
Any help with these 2 issues?
thanks
12-09-2024 04:16 AM - edited 12-09-2024 04:19 AM
Hello @alliasneo1
Some adjustments...
Problem 1:
The issue occurs because the StarTech docking station's MAC address is detected and sent to ISE during the initial 802.1X authentication process. When a compliant laptop is connected and successfully authenticates, the docking station's MAC address is incorrectly logged under the PC's name. This happens because the switch first sees the dock's MAC address before the laptop establishes its 802.1X identity. Additionally, devices like docks and phones can interfere with the normal operation of 802.1X when they don’t authenticate via 802.1X themselves.
You could create an exception for the dock's MAC address using MAC Authentication Bypass (MAB) in ISE. Configure a policy to allow the dock's MAC address in a specific profile, marking it as an "IT-approved device" or similar. This prevents the dock from being logged incorrectly under the PC. Alternatively, you could use profiling in ISE to classify the dock as an "Unknown Device" and assign it a separate policy with limited network access. Another approach is to enable multi-authentication mode on the switchport, which allows the phone, dock, and laptop to authenticate independently, ensuring proper separation of identities in ISE.
Problem 2:
When an unauthorized laptop is connected, the laptop fails authentication, but ISE continues to log the dock’s MAC address repeatedly, even after the laptop is disconnected. This likely happens because the Mitel phone keeps the switchport link active to maintain connectivity with the network, causing the switch to repeatedly attempt MAB for the dock. Since the dock doesn’t have activity lights without a connected laptop, the issue is exacerbated by the phone maintaining the port's operational state.
You should enable authentication control directions on the switchport. Configure the port to authenticate devices only on the ingress (incoming traffic) direction, ensuring the dock's MAC isn’t repeatedly sent after the laptop is unplugged. Additionally, enable port security to limit the number of MAC addresses allowed on the port. Set a timeout for stale MAC entries so the dock’s MAC address ages out after disconnection. On ISE, you can configure a re-authentication timer to avoid persistent attempts for inactive devices. If the phone requires persistent network access, place the phone in a separate VLAN or use a dedicated authentication policy to distinguish it from other devices.
12-09-2024 05:05 AM
Hi,
Problem 1:
Alternatively, you could use profiling in ISE to classify the dock as an "Unknown Device" and assign it a separate policy with limited network access. This sounds like it might be a good option. How would I create this?
In regards to the Switchport I have the following config:
switchport access vlan xx
switchport mode access
switchport voice vlan xx
device-tracking attach-policy IPDT_POLICY
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 65535
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos trust
spanning-tree portfast
service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
Problem 2:
Authentication control directions - I have this enabled.
re-authentication timer - Where would I configure this in ISE?
Thank you for your Help
12-09-2024 06:37 AM
802.1X and Port Security are incompatible and will fight over control of the port. Do NOT enable both at the same time.
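Added example, not posted by anyone in this thread: a small Python audit of an IOS access-port block like the one posted above, checking the points the replies raise (multi-auth host mode, whether the reauthentication timer is local or taken from the RADIUS Session-Timeout that ISE sends in its authorization profile, and the port-security/802.1X conflict flagged in the post just above). The interface name and the `switchport port-security` line in the sample are constructed to exercise the checks.

```python
import re

# Constructed sample: the access-port config posted in the thread, with
# "switchport port-security" added here only to exercise the conflict check.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/10
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 authentication control-direction in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 65535
 mab
 dot1x pae authenticator
"""

def parse_interface(text):
    """Return the interface name and its config lines with indentation removed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("interface "):
        raise ValueError("expected the block to start with an 'interface' line")
    return lines[0].split(None, 1)[1], lines[1:]

def audit(text):
    """Return a list of (severity, message) findings for one interface block."""
    name, lines = parse_interface(text)
    has = lambda cmd: any(ln == cmd or ln.startswith(cmd + " ") for ln in lines)
    findings = []
    # Port security and 802.1X/MAB both try to own the port's MAC table.
    if has("switchport port-security") and (has("dot1x pae authenticator") or has("mab")):
        findings.append(("error", f"{name}: port-security enabled alongside 802.1X/MAB"))
    # Phone, dock and laptop each need their own session to be logged separately.
    if not has("authentication host-mode multi-auth"):
        findings.append(("warn", f"{name}: host-mode is not multi-auth"))
    # The reauth timer only fires when 'authentication periodic' is also present.
    timer = next((ln.split()[-1] for ln in lines
                  if re.match(r"authentication timer reauthenticate \S+$", ln)), None)
    if timer and not has("authentication periodic"):
        findings.append(("warn", f"{name}: reauth timer set but 'authentication periodic' missing"))
    if timer == "server":
        findings.append(("info", f"{name}: reauth interval comes from RADIUS Session-Timeout (ISE authorization profile)"))
    elif timer and timer.isdigit():
        findings.append(("info", f"{name}: reauth every {int(timer) // 3600} h from the local timer; ISE Session-Timeout is ignored"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```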
12-09-2024 07:55 AM - edited 12-09-2024 07:56 AM
Yes @thomas
it is generally true that 802.1X and Port Security are incompatible and should not be enabled simultaneously on the same switch port. The reason for this incompatibility lies in the way both features manage the port's state and enforce security policies, leading to conflicts over port control. Thanks.
12-09-2024 04:19 AM
Refer to this post