05-26-2025 10:25 PM
I am trying to get some answers on 2 different networks with Thunderbolt 4 docks being used.
SDA Network - Here, if I connect my laptop, the machine gets authenticated and also granted access, even though I can see on the network port multiple MACs belonging to this unit, which has support for IoT. Network ports are configured using templates, which in turn use policy maps with nested lines, before the endpoint is authenticated.
SDA switch has this additional line in radius - radius-server attribute 6 support-multiple
Non-SDA Network - Here, if I connect the laptop, the machine shows denied. The port is configured with "multi-domain". Configuring it to "multi-auth" does authenticate the machine, but with no network access. The dock stays on the wired VLAN instead of the laptop. The authentication config for the port is directly applied and no template is used.
Anyone got an idea why this behaviour?
05-26-2025 11:12 PM
To resolve the issue on the non-SDA network, configure the switch to support multiple MAC addresses by enabling radius-server attribute 6 support-multiple, and change the port authentication mode from multi-domain to multi-auth to allow both the laptop and Thunderbolt dock MACs to authenticate independently. Additionally, ensure your RADIUS server has policies to correctly identify and authorize both the laptop and dock MAC addresses, assigning them the appropriate VLANs or access permissions. Unlike the SDA network which uses dynamic templates and policy maps, you must manually define the needed access policies to ensure proper VLAN placement and network access for all connected devices through the dock.
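As an added illustration of the reply above (not config from the poster or from either network), here is a legacy non-template IOS port config with the weak multi-domain setting, which admits only one data host plus one voice host, beside the corrected multi-auth setting, which authenticates each MAC behind the dock on its own. The interface name and VLAN numbers are assumed placeholders.

```cisco
! Non-SDA port as described in the thread: directly applied, no template.
! multi-domain allows one data host + one voice host; a dock presenting
! several data-domain MACs exceeds that and the extra hosts are denied.
interface GigabitEthernet1/0/1
 description Weak setting: multi-domain (assumed interface name)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
!
! Corrected per the reply: add the RADIUS attribute setting already present
! on the SDA switch, and switch the port to multi-auth so the laptop and the
! dock MACs each get their own authentication session.
radius-server attribute 6 support-multiple
!
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
!
! Check: each MAC behind the dock should appear as its own session with the
! VLAN or ACL returned by RADIUS. A session left on the static access VLAN
! with no authorization data means the RADIUS policy for that device is
! still missing, which matches the "authenticated but no access" symptom.
! show authentication sessions interface GigabitEthernet1/0/1 details
```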
05-26-2025 11:23 PM
Hi Azizi,
Thanks for pointing to that config, which I will enable for RADIUS. On the SDA network there is no additional policy authenticating docks in general. Do you reckon I should create an appropriate policy for these docks so they are at least added and secured against swaps on the dock end? Both SDA and non-SDA ports drop the dock into the profiling policy which we have in place. Will share an update once I test after this config. Will this influence already authenticated endpoints?
05-26-2025 11:35 PM
Yes, it’s a good idea to create specific policies for Thunderbolt docks in your SDA network to properly identify, profile, and secure dock devices, preventing unauthorized access or spoofing through the dock’s multiple MACs. Although your current profiling drops docks into a general policy, having dedicated policies improves security and network control by applying appropriate VLANs or restrictions tailored to docks. Adding these policies typically won’t affect already authenticated endpoints immediately, as changes usually take effect on new authentications or re-auth events, but it’s best to roll out changes carefully and monitor for any impact.