last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Authenticating Laptops connected through USB Mini Docks

  • 1.  Authenticating Laptops connected through USB Mini Docks

    Posted Aug 19, 2020 10:47 AM

    So I recently ran into a new challenge using 802.1x wired authentication with Clear Pass. We are connect our laptops to the network through the a Cisco VoIP phone. So the phone goes through MAC Authentication and the computer connected to the PC port on the phone goes through 802.1x authentication.


    However when testing using a USB Mini Dock, which connects secondary monitors and Ethernet, I am unable to run 802.1x on my laptop and am also forced to authenticate the Dock.


    Profiling is useless with these docks, as they are categorized as Computers or in one case Generic. Also it contains a Virtual Ethernet and the physical Ethernet, both with the same MAC Address. This causes the Virtual Ethernet to be authenticated, but the Physical remains Unidentified. In other words if I use the dock with MAC Authentication, whatever device that connects physically to the dock will be able to connect to the network without authenticating. 


    Is there a way to enforce this more precisely?


    I'm including a screenshot of the ipconfig /all which shows both the Virtual and Physical Ethernet with the same MAC, the Virtual being authenticated and the Physical Unidentified. Also a image of the dock, a J5 Create (JUD380).



  • 2.  RE: Authenticating Laptops connected through USB Mini Docks

    Posted Aug 20, 2020 03:33 AM

    The multiple adapters with the same MAC seem to be related to VMware/Hyper-V which appears to be installed on your system. It creates a virtual switch/bridge to connect the physical adapter to your Windows and the VMs that you are running.


    Do you see the same for laptops that don't have VMWare and Hyper-V installed?


    Then for an 802.1X authenticated device behind an IP-Phone, if the device has been authenticated and you switch another laptop to your dock, it will share the same MAC and stays authenticated. In such a scenario there are two things that I would recommend:

    • Configure your phone to do EAP-Logoff for devices that are on the pass-through port. This feature will signal from the phone to the switch with an EAP-Logoff message when the port to your PC is disconnected, which happens once you disconnect your dock from the PC. The 802.1X authentication for your PC will disappear immediately from the switch in that case.
    • Configure more frequent re-authentication on ports that have these docks. You could do that based on the MAC range of your docks for example or on the switch port number or with some special SQL query on checking if there is also a phone on the same port. In that way, you will reduce the time-window for a rogue device to piggyback on the existing 802.1X authentication.

    And combining these two is a good idea.