cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5914
Views
5
Helpful
7
Replies

ISE and Lenovo Thunderbolt docks... ISE will put the laptop user into quarantine after a reboot.

Our ISE implementation project is stalled because our laptop users connect the Lenovo laptops to Lenovo Thunderbolt docks. 

The laptop users remove their devices from sleep or without signing out or shutting down.  Upon returning, they plug into the wired Thunderbolt dock connection and are dropped into the quarantine vlan (172.22.x.x).  Sometimes the laptop may lose connectivity.  We have the user reboot the laptop.  However, ISE may not remove the laptop user from quarantine after the reboot.  We have the MAC passthrough enabled in the Lenovo bios settings.  Also, I understand this may be a Lenovo firmware issue.  We cannot use a Active Directory GPO on the Lenovo Thunderbolt docks.  Obviously, we could remove and get rid of all the Thunderbolt docks.  However, this would require a huge change in the user's behavior.  Also, the costs involved with the money to lease the laptops with the Thunderbolt docks.

The root cause is the Intel I219-LM and I219-V chipsets.  We have had the ongoing issues with Cisco ISE above.  We have found the root cause to be the Intel Firmware version 12.18.9.20 to be problematic. Please use Firmware version 12.18.9.8  20QD0002US X1  Carbon 7th Gen, X1 Extreme 2nd Gen, and the X1 Carbon 6th Gen.

3 Accepted Solutions

Accepted Solutions

Yes, the Lenovo Thunderbolt docks have a different MAC address for the domain.  Please provide some more information or a Cisco technical article on the "authentication host-mode multi-auth" on switch ports.

The root cause is the Intel I219-LM and I219-V chipsets.  We have had the ongoing issues with Cisco ISE above.  We have found the root cause to be the Intel Firmware version 12.18.9.20 to be problematic. Please use Firmware version 12.18.9.8  20QD0002US X1  Carbon 7th Gen, X1 Extreme 2nd Gen, and the X1 Carbon 6th Gen.

View solution in original post

Hi,

 

    Configure authentication host-mode to "multi-host", so that as long as one MAC address is authorised, other MAC addresses are allowed to send traffic unauthenticated; this should no longer end up in quarantine.

 

Regards,

Cristian Matei.

View solution in original post

I have to respectfully disagree with the use of "multi-host" since any MAC address would be allowed to communicate on the network as long as only 1 authenticates.  With "multi-auth", at least you are requiring each MAC address to authenticate before frames from that particular MAC address can pass.  So if the switch sees the docking station MAC address as one Data device and then the PC docks, the switch will see another MAC address.  As long as the PC authenticates, it can get on and pass traffic.  But the docking station will not be able to originate traffic itself onto the network.

View solution in original post

7 Replies 7

Colby LeMaire
VIP Alumni
VIP Alumni

What is ISE seeing and reason for quarantine/deny?  Is the MAC address still different even with the settings in the screenshots?  Is the switch potentially seeing two MAC addresses for the Data domain?  If so, you can try to use "authentication host-mode multi-auth" on the switchports.

Yes, the Lenovo Thunderbolt docks have a different MAC address for the domain.  Please provide some more information or a Cisco technical article on the "authentication host-mode multi-auth" on switch ports.

The root cause is the Intel I219-LM and I219-V chipsets.  We have had the ongoing issues with Cisco ISE above.  We have found the root cause to be the Intel Firmware version 12.18.9.20 to be problematic. Please use Firmware version 12.18.9.8  20QD0002US X1  Carbon 7th Gen, X1 Extreme 2nd Gen, and the X1 Carbon 6th Gen.

Hi,

 

    Configure authentication host-mode to "multi-host", so that as long as one MAC address is authorised, other MAC addresses are allowed to send traffic unauthenticated; this should no longer end up in quarantine.

 

Regards,

Cristian Matei.

What about this issue?  Could be related to AnyConnect NAM bug CSCvc37573.  It was reported for AnyConnect version 4.2(4018). The suggested solution is to download an updated version of Cisco AnyConnect.

 

The root cause is the Intel I219-LM and I219-V chipsets.  We have had the ongoing issues with Cisco ISE above.  We have found the root cause to be the Intel Firmware version 12.18.9.20 to be problematic. Please use Firmware version 12.18.9.8  20QD0002US X1  Carbon 7th Gen, X1 Extreme 2nd Gen, and the X1 Carbon 6th Gen.

Please also review: Network-access-control issue with 802-1x Intel i219LM and Intel i219V and Windows 10 

Hi,

 

   I don't see how that bug fits into your problem description. Using a newer and more stable version of AnyConnect its recommended anyways.

 

Regards,

Cristian Matei.

I have to respectfully disagree with the use of "multi-host" since any MAC address would be allowed to communicate on the network as long as only 1 authenticates.  With "multi-auth", at least you are requiring each MAC address to authenticate before frames from that particular MAC address can pass.  So if the switch sees the docking station MAC address as one Data device and then the PC docks, the switch will see another MAC address.  As long as the PC authenticates, it can get on and pass traffic.  But the docking station will not be able to originate traffic itself onto the network.

Which command on Issue will we use to solved this ussue .

 

Thanks