
Undocking and docking back puts the PC on the default VLAN

We are using ISE 2.2 patch 5 and AnyConnect 4.5 NAM module as the supplicant for 802.1x authentication. We are using Cisco 3850x switch with 16.6.1 Everest code. 

We have run into a weird issue: when a laptop (WIN 10) is undocked and docked back, the wireless adapter gets disabled (which is expected behavior) and the wired adapter takes over, but instead of doing dot1x again, the port does MAB and gets on the default VLAN (ISE policy is configured to put all devices doing MAB on the default switch port VLAN, and they are redirected to a guest portal). We then go to the NAM module and select the wired profile, which fires the supplicant and puts the PC on the correct network doing dot1x authentication.

Has anyone else using the AnyConnect NAM module seen this issue? I did read a discussion about the Windows supplicant having the same issue, where disabling fast-reconnect solved it. We have tried this with the NAM module too and it does not resolve the issue. We have IP device tracking enabled too.

Any information on this would be really appreciated. I haven't been able to find any bugs related to this either.

6 REPLIES
VIP Engager

Re: Undocking and docking back puts the PC on the default VLAN


Re: Undocking and docking back puts the PC on the default VLAN

This is exactly the link I referred to in the discussion. We have tried disabling fast reconnect in the AnyConnect NAM profile, but it does not help.

Any other options to try?

Enthusiast

Re: Undocking and docking back puts the PC on the default VLAN

From the Device Manager, disable all power options (hopefully you don't use Wake on LAN).

It's important that you disable all of the options, not just Wake on LAN.



Re: Undocking and docking back puts the PC on the default VLAN

Hi @edondurgut

 

Wake on LAN was disabled. So we unchecked that option of 'Allow computer to..' in the power management settings. Rebooted the PC and still no luck. PC still does MAB and falls on the default VLAN of the port.


Re: Undocking and docking back puts the PC on the default VLAN

So, we tried that and that did not help. Also, Wake on LAN was disabled. We had a TAC case open for this and realized that the priority was set incorrectly. We had configured the ports with a policy. The port was not set to do dot1x and MAB simultaneously.

 

policy-map type control subscriber ISE-POLICY-TEST2
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
   30 authenticate using webauth parameter-map WEBAUTH_DEFAULT priority 30
 event authentication-failure match-first
  10 class ALL_FAILED do-until-failure
   10 authentication-restart 60
 event authentication-success match-all
  10 class DOT1X do-until-failure
   10 terminate mab
   20 terminate webauth
  20 class MAB do-until-failure
   10 terminate webauth
 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10

 

We applied this through the policy and then it worked. Thank you for all your insights!
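
As an added illustration (not code from the thread or from Cisco), here is a small Python check that could be run over exported switch configs to confirm that a control policy starts dot1x at session start, lets it outrank MAB, and tears MAB down once dot1x succeeds. It assumes a lower priority number outranks a higher one, as the posted policy (dot1x 10, mab 20) implies, and that the success class is named DOT1X as in the post; `parse_policy`, `audit` and the `SWAPPED` sample are names constructed for this example.

```python
import re

# Control policy as posted in the thread (authentication-failure and
# agent-found events omitted for brevity).
POSTED = """\
policy-map type control subscriber ISE-POLICY-TEST2
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
   30 authenticate using webauth parameter-map WEBAUTH_DEFAULT priority 30
 event authentication-success match-all
  10 class DOT1X do-until-failure
   10 terminate mab
   20 terminate webauth
"""
# Constructed variant (not from the thread): MAB given the better priority.
SWAPPED = POSTED.replace("mab priority 20", "mab priority 5")

def parse_policy(text):
    """Return {event: {class_name: [action, ...]}} for one control policy-map."""
    events, event, cls = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"event (\S+)", line):
            event, cls = events.setdefault(m.group(1), {}), None
        elif event is not None and (m := re.match(r"\d+ class (\S+)", line)):
            cls = event.setdefault(m.group(1), [])
        elif cls is not None and (m := re.match(r"\d+ (.+)", line)):
            cls.append(m.group(1))
    return events

def audit(text):
    """Return findings; an empty list means dot1x is started and outranks MAB."""
    events, findings, prio = parse_policy(text), [], {}
    for actions in events.get("session-started", {}).values():
        for action in actions:
            if m := re.match(r"authenticate using (\S+)(?:.* priority (\d+))?", action):
                prio[m.group(1)] = int(m.group(2)) if m.group(2) else None
    if "dot1x" not in prio:
        findings.append("session-started never starts dot1x")
    elif prio.get("mab") is not None and prio["dot1x"] is not None:
        # Assumption: the lower priority number wins.
        if prio["dot1x"] >= prio["mab"]:
            findings.append("mab outranks dot1x at session start")
    # Assumption: the dot1x success class is named DOT1X, as in the post.
    success = events.get("authentication-success", {}).get("DOT1X", [])
    if "mab" in prio and "terminate mab" not in success:
        findings.append("dot1x success does not terminate mab")
    return findings
```

`audit(POSTED)` returns an empty list, while `audit(SWAPPED)` reports that MAB outranks dot1x.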

Enthusiast

Re: Undocking and docking back puts the PC on the default VLAN

Cool, glad you got it working, do you still see multiple auth from the PCs?

Like always trying MAB first?