
Undocking and docking back puts the PC on the default VLAN

abhishek.marat1
Level 1

We are using ISE 2.2 patch 5 and AnyConnect 4.5 NAM module as the supplicant for 802.1x authentication. We are using Cisco 3850x switch with 16.6.1 Everest code. 

We have run into a weird issue: When a laptop (WIN 10) is undocked and docked back, the wireless adapter gets disabled (which is expected behavior) and the wired adapter takes over, but instead of doing dot1x again, the port does MAB and gets on the default VLAN (ISE policy is configured to put all devices doing MAB on the default switch port VLAN and redirect them to a guest portal). We then go to the NAM module, select the wired profile, which fires the supplicant and puts the PC on the correct network doing dot1x authentication.

Has anyone else using the AnyConnect NAM module seen this issue? I did read a discussion about windows supplicant having same issue and disabling fast-reconnect solved the issue. We have tried this with the NAM module too and it does not resolve the issue. We have IP device tracking enabled too.

Any information on this would be really appreciated. I haven't been able to find any bugs related to this either.

6 Replies

marce1000
VIP

 https://supportforums.cisco.com/t5/aaa-identity-and-nac/802-1x-and-laptop-docking-why-does-it-want-to-do-mab/td-p/2857868

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

This is exactly the link I referred to in the discussion. We have tried disabling fast reconnect in the AnyConnect NAM profile, but it does not help.

Any other options to try?

From the Device Manager, disable all power options (hopefully you don't use Wake on Lan).

It's important that you disable all of the options not just wake on lan.


Hi @edondurgut

Wake on LAN was disabled. So we unchecked the 'Allow computer to...' option in the power management settings. Rebooted the PC and still no luck. The PC still does MAB and falls on the default VLAN of the port.

So, we tried that and that did not help. Also, wake-on-lan was disabled. We had a TAC case open for this and realized that the priority was set incorrectly. We had configured the ports with a policy. The port was not set to do dot1x and MAB simultaneously.

policy-map type control subscriber ISE-POLICY-TEST2
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
   30 authenticate using webauth parameter-map WEBAUTH_DEFAULT priority 30
 event authentication-failure match-first
  10 class ALL_FAILED do-until-failure
   10 authentication-restart 60
 event authentication-success match-all
  10 class DOT1X do-until-failure
   10 terminate mab
   20 terminate webauth
  20 class MAB do-until-failure
   10 terminate webauth
 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10

We applied this through the policy and then it worked. Thank you for all your insights!
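The fix above hinges on the IBNS 2.0 priority values: both MAB and dot1x start at session-started, and dot1x must carry the lower (winning) priority number so a supplicant that answers later is not stuck behind an earlier MAB result. As an added example (not code from the thread or from Cisco), here is a small lint that parses a policy-map of this shape and checks that ordering; the sample config is constructed from the corrected policy posted above.

```python
import re

# Constructed sample, taken from the corrected policy-map in this thread:
# dot1x gets priority 10 (wins), MAB priority 20, in the same session-started class.
SAMPLE_POLICY = """\
policy-map type control subscriber ISE-POLICY-TEST2
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
   30 authenticate using webauth parameter-map WEBAUTH_DEFAULT priority 30
 event agent-found match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
"""

# Matches an action line such as "   10 authenticate using dot1x priority 10",
# with an optional "parameter-map <name>" between the method and the priority.
AUTH_RE = re.compile(
    r"^\s*\d+\s+authenticate using (\w+)(?:\s+parameter-map\s+\S+)?\s+priority\s+(\d+)"
)


def session_started_priorities(config):
    """Return {method: priority} for every 'authenticate using' action
    under 'event session-started'. In IBNS 2.0 the lower value wins."""
    priorities = {}
    in_event = False
    for line in config.splitlines():
        if re.match(r"^\s*event\s+\S+", line):
            # Track only the session-started event block; ignore the others.
            in_event = line.strip().startswith("event session-started")
            continue
        if not in_event:
            continue
        m = AUTH_RE.match(line)
        if m:
            priorities[m.group(1)] = int(m.group(2))
    return priorities


def check_dot1x_preferred(config):
    """True when both dot1x and mab run at session start and dot1x has the
    lower priority value, so a late-answering supplicant still takes over."""
    p = session_started_priorities(config)
    if "dot1x" not in p or "mab" not in p:
        return False  # one of the methods never runs at session start
    return p["dot1x"] < p["mab"]
```

Run `check_dot1x_preferred` against the running policy-map text (for example, from `show running-config | section policy-map type control subscriber`) to catch a port policy where MAB would outrank dot1x.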

Cool, glad you got it working, do you still see multiple auth from the PCs?

Like always trying MAB first?