Docks causing dot1x failure due to MAB

maggie.26.1989
Level 1

Hello, 

I am investigating an issue where I see docks of different types, like Lenovo and Dell monitor docks, intermittently causing network issues on user machines. The network issue here is loss of connectivity (no IP assigned, dot1x failure due to MAB, unidentified network on the user machine). When I check ISE logs I see the docks trying to MAB with the laptop's physical address; in some cases I have also seen the dock using its own physical address. The MAB fails and then the device can't get an IP as a result. After some attempts I see the actual device authenticating with the user account as it's supposed to; following this the authentication passes on ISE, the user gets an IP and is connected.

This does not happen always but intermittently. I have also seen this in the mornings when users just try connecting; they eventually have to reboot the laptop or connect the ethernet cable directly to the laptop for a few minutes, then use the dock and it works.

Anyone seen this issue and been able to fix it? Please pour out your suggestions.

On one machine updating drivers worked. But this does not seem to be the issue on other machines that have all drivers and still show this issue.

Could it be sleep settings on the laptop?

How do I stop the dock from trying to authenticate using its MAC address?

7 Replies

balaji.bandi
Hall of Fame

As far as I know, the docking station's Ethernet is just a pass-through using the real laptop Ethernet address.

You need to look at the logs, working vs. not working: why was this failing? Do you have any example ISE Live Log entries for us to understand the issue?

What model of laptop and docking station?

BB


Leo Laohoo
Hall of Fame

Currently, we have HP docking stations and I do not see this happening at all.

We are currently rolling out Lenovo to refresh our laptop fleet, but we do not see this issue occurring, yet.

It depends on the docking stations; the majority of them should do the pass-through for the L2 frames by default, and accordingly you should see the endpoints' MAC addresses on the switch port. A way I think could help fix this issue would be to prioritise the dot1x method over MAB in the switch port configs. By doing that, dot1x will always be preferred, and if there is no dot1x session active at any time, MAB will kick in; then once the user logs back into their laptop the supplicant will trigger the dot1x process, which will take precedence over MAB. The same would happen when the user connects their laptop.

Hi,

When the laptop tries to connect through the dock, the MAC address seen by the switch will be the docking MAC rather than the actual laptop's. However, this shouldn't be an issue.

If your laptops through docking are attempting MAB instead of dot1x, I suggest you look at updating the network drivers and see if it fixes the issue. I have seen many issues related to network drivers which get fixed once updated.

Pete Nowikow
Level 1

We have this same issue with Dell docks. In the Dell PC BIOS there is a setting to pass the laptop's MAC address through the dock, but if your laptop doesn't default to this behavior, you see the dock's MAC. I'm struggling with this too. One thought is to profile the docks with a minimal dACL until a user authenticates, then dot1x runs.

In my case we have hotel stations with Dell docks and laptops from many vendors (think BYOD). When a laptop connects which doesn't support MAC passthrough or dot1x, MAB kicks in and tries to profile the dock.

In this thread I started, a couple of ideas are to use MDM to allow the laptop, or to restrict the docks until a user authenticates and then grant full access.

maggie.26.1989
Level 1

We are seeing a similar issue with Lenovo and Dell docks; the ethernet connection fails on dot1x as the dock MAC address is used instead of the username to authenticate. Dot1x is prioritised in the switch config, however this still occurs. Has updating dock drivers or LAN drivers solved this?

I've seen this behavior across multiple versions of ISE, beginning with 2.3, and it continues into 3.2. We have a user base with all makes and models of Windows laptops. We also run Apple computers, mainly MacBooks. Most of the time, MAC address passthrough (has to be enabled on each laptop in the BIOS) allows ISE to see the MAC address of the laptop itself. Unfortunately newer laptops don't ship with an internal wired Ethernet connection, so those rely on the docking station MAC address.

We use Ordr, which is similar to Palo Alto IoT Guardian and Medigate. These tools are all profiling databases connected to ISE via pxGrid. They help identify device types due to the vast profile database they all have, but we still have issues profiling docks. The other variable is USB-to-Ethernet adapters. Many users carry those around and connect them as needed. Each has its own mfg. and MAC address.

We are in Low-Impact mode at some buildings and Monitor mode at others. We use 802.1X as primary and fall back to MAB as needed. One way we avoid massive issues is to build a policy called "MAB catchall" that gives the user a redirect to an Internet-only connection (captive portal) that, once they agree to the terms, gets them the minimal access necessary. Not ideal, but it helps reduce the calls. Once they have an Internet connection our HelpDesk can update drivers, troubleshoot, etc.

Updating drivers and dock firmware can help, but there are still issues. Modern docks run a minimal version of Linux or another proprietary OS, which is basically a mini computer. They don't appear on the network until the USB-C is connected to a laptop, or we'd be able to add them to the monthly patch cycle. I wish I had a better answer, but it's a struggle.
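Added example, not posted by anyone in this thread: a Cisco IOS access-port configuration in the classic (pre-IBNS 2.0) command style that implements what the replies above describe, dot1x ordered and prioritised ahead of MAB so that a supplicant's EAPoL-Start pre-empts a session MAB opened for the dock's MAC, combined with a pre-auth ACL for the Low-Impact mode mentioned later in the thread. The interface, VLAN, ACL name, timer values and the 10.10.10.0/24 subnet are assumptions chosen for illustration.

```cisco
! Pre-auth ACL for Low-Impact mode: until some authentication succeeds the port
! only passes DHCP, DNS and traffic to a helpdesk/imaging subnet.
! 10.10.10.0/24 is a constructed placeholder, not a real address range.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any 10.10.10.0 0.0.0.255
 deny   ip any any

interface GigabitEthernet1/0/1
 description Hotel-desk dock port (example)
 switchport mode access
 switchport access vlan 100
 ! Pre-auth ACL on the port; a dACL pushed by ISE replaces it after authorisation
 ip access-group PRE-AUTH in
 ! Open mode: traffic matching PRE-AUTH flows while dot1x/MAB is still pending
 authentication open
 ! Try dot1x first; MAB only starts once the supplicant has stayed silent
 authentication order dot1x mab
 ! If MAB already authorised the dock's MAC and the laptop's supplicant later
 ! sends EAPoL-Start, dot1x takes over the session instead of being ignored
 authentication priority dot1x mab
 authentication port-control auto
 ! On an authentication failure move to the next method in the order rather
 ! than leaving the port stuck in a failed state
 authentication event fail action next-method
 ! Allow the dock MAC and the laptop MAC to be authenticated independently
 authentication host-mode multi-auth
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! Supplicant silence before MAB begins:
 ! (max-reauth-req + 1) x tx-period = 3 x 10 s = about 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

The two timer lines are the knob that decides how long a dock gets to trigger MAB before a slow-starting Windows supplicant speaks: shorter values reduce the time the dock sits with a MAB-only authorisation, longer values give the laptop more room to answer the EAP identity request first. On a port configured like this, the access a MAB-authorised dock MAC receives is whatever ISE returns for an unknown endpoint, which is where the "MAB catchall" Internet-only policy described above fits. The same behaviour can be expressed in IBNS 2.0 policy-map syntax (after `authentication display new-style`), which is not shown here.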
