Docks causing dot1x failure due to MAB

maggie.26.1989
Level 1

Hello, 

I am investigating an issue where I see docks of different types, like Lenovo and Dell monitor docks, intermittently causing network issues on user machines. The network issue here is loss of connectivity (no IP assigned, dot1x failure due to MAB, unidentified network on user machine). When I check ISE logs I see the docks trying to MAB with the laptop's physical address; in some cases I have also seen the dock using its own physical address. The MAB fails and then the device can't get an IP as a result of it. After some attempts I see the actual device authenticating with the user account as it's supposed to; following this, authentication passes on ISE, the user gets an IP and is connected.

This does not happen always but intermittently. I have also seen this in the mornings when users just try connecting; they eventually have to reboot the laptop or connect the Ethernet cable directly to the laptop for a few minutes, then use the dock, and it works.

Has anyone seen this issue and been able to fix it? Please pour out your suggestions.

On one machine updating drivers worked. But this does not seem to be the issue on other machines that have all drivers and still show this issue.

Could it be sleep settings on the laptop?

How do I stop the dock from trying to authenticate using its MAC address?

5 Replies

balaji.bandi
Hall of Fame

As far as I know, the docking station Ethernet is just a pass-through using the real laptop Ethernet address.

You need to look at the logs, working vs. not working. Why was this failing? Do you have any example ISE Live Log for us to understand the issue?

What model of laptop and docking station?

BB


Leo Laohoo
Hall of Fame

Currently, we have HP docking stations and I do not see this happening at all. 

We are currently rolling out Lenovo to refresh our laptop fleet but we do not see this issue occurring, yet.

It depends on the docking stations; the majority of them should do the pass-through for the L2 frames by default, and accordingly you should see the endpoints' MAC addresses on the switch port. One way I think could help fix this issue would be to prioritise the dot1x method over MAB in the switch port configs. By doing that, dot1x will always be preferred, and if there is no dot1x session active at any time, MAB will kick in, and then once the user logs back into their laptop the supplicant will trigger the dot1x process, which will take precedence over MAB. The same would happen when the user connects their laptop.
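
The port-level ordering suggested in the reply above, written out as a Cisco IOS interface configuration. This is an added example and not part of any poster's reply; the interface name, VLAN and timer value are assumptions to adapt.

```cisco_ios
! Added example: dot1x preferred over MAB on an access port that serves a dock.
! Interface name, VLAN 10 and the tx-period value are assumptions.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 !
 ! Enable both methods on the port.
 dot1x pae authenticator
 mab
 authentication port-control auto
 !
 ! Order = which method the switch tries first on a new session.
 ! With "authentication order mab dot1x" the first frame from the dock
 ! starts MAB before the supplicant has had a chance to answer.
 authentication order dot1x mab
 !
 ! Priority = which method may take over an existing session.
 ! A later EAPOL-Start from the laptop preempts a MAB session.
 authentication priority dot1x mab
 !
 ! MAB fallback happens after tx-period x (max-reauth-req + 1).
 ! Defaults of 30 s and 2 retries give about 90 s; 10 s gives about 30 s.
 dot1x timeout tx-period 10
!
! Check which method won and for which MAC (dock or laptop):
!   show authentication sessions interface GigabitEthernet1/0/10
```

Comparing the MAC and method shown for a working and a failing session on the same port indicates whether the dock's own address or the laptop's passed-through address is the one falling into MAB.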

Hi,

When the laptop tries to connect through the dock, the MAC address seen by the
switch will be the dock's MAC rather than the actual laptop's. However, this
shouldn't be an issue.

If your laptops connected through docks are attempting MAB instead of dot1x, I
suggest you look at updating the network drivers and see if it fixes the
issue. I have seen many issues related to network drivers which get fixed
once updated.

Pete Nowikow
Level 1

We have this same issue with Dell docks. In the Dell PC BIOS there is a setting to pass the laptop's MAC address through the dock, but if your laptop doesn't default to this behavior, you see the dock's MAC. I'm struggling with this too. One thought is to profile the docks with a minimal dACL until a user authenticates, then dot1x runs.

In my case we have hotel stations with Dell docks and laptops from many vendors (think BYOD). When a laptop connects which doesn't support MAC passthrough or dot1x, MAB kicks in and tries to profile the dock.

In this thread I started, a couple of ideas are to use MDM to allow the laptop, or to restrict the docks until a user authenticates and then grant full access.