Problems with connecting Printers via MAB

Maxim Bezzubov
Level 1

Hi

I'm setting up a 2960S (WWS-C2960S-48FPS-L) with IOS image 152-2.E4 for ISE-based wired authentication. I have all the global commands, my RADIUS server (ISE 2.0) is reachable, and the RADIUS shared secret is verified at both ends. dot1x or MAB auth on a PC works fine, but I'm stuck with problems with an HP printer. Here is my config on the port in closed mode. As I said, it works fine with a PC (MAB and dot1x); with the printer it doesn't.

interface GigabitEthernet1/0/13
 switchport access vlan 5
 switchport mode access
 ip device tracking maximum 3
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 5
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer restart 10
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1

I've got

sh authentication sessions interface gigabitEthernet 1/0/13
No Auth Manager contexts match supplied criteria

and NO messages when debugging aaa or radius, or on the ISE RADIUS Live Log, just nothing.

BUT if I configure the port in OPEN or LOW-IMPACT mode by adding this

 authentication open
 ip access-group ACL-PREISE in

Extended IP access list ACL-PREISE
    10 deny ip any any

Voila, we have a session. It is working.

sh auth session interface gigabitEthernet 1/0/13 details

            Interface:  GigabitEthernet1/0/13
          MAC Address:  x.x.x.x
         IPv6 Address:  Unknown
         IPv4 Address:  10.x.x.x.x
            User-Name:  <MAC>
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
       Session Uptime:  1059s
    Common Session ID:  0A6401090000004C0905C7D2
      Acct Session ID:  0x00000060
               Handle:  0xD500002E
       Current Policy:  POLICY_Gi1/0/13

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 5
              ACS ACL:  xACSACLx-IP-WIRED-INSIDE-56c57a49

Method status list:
       Method           State
       mab              Authc Success

Am I missing something obvious or hitting a bug? I thought I'd ask here before opening a TAC case.


thomas
Cisco Employee

Maxim, I highly recommend that you read our best practices for 802.1X switch configuration in the ISE Design Guide HowTo: Universal Switch Config. It explains all of the individual commands, best practice settings and why you need authentication open.

This is our best practice Universal Switch Configuration for Low-Impact (change VLANs  per your deployment!):

description ACCESS (Multi-Auth w/ Low-Impact Mode)
switchport mode access
switchport access vlan 10
switchport voice vlan 11
ip access-group ACL-DEFAULT in
authentication open
authentication event fail action next-method
authentication event server dead action reinitialize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
mab
authentication violation restrict
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
dot1x timeout tx-period 10
spanning-tree portfast
authentication port-control auto

We do not recommend a default port ACL of only deny ip any any since this will explicitly prevent basic network services like DHCP & DNS which are required for most endpoints to be profiled or be URL-redirected to ISE for additional profiling, Guest Services or Device Registration.

Thanks for your answer. You are talking about Low-Impact Mode. We want to use Closed mode.

As I said, my switch port config works normally with a Windows PC via MAB or dot1x. I know about the default pre-auth ACL in Low-Impact mode, so I just demonstrated that using an ACL with deny ip any any does the trick: the printer is authorized via MAB. I have a problem now just with the printer.

I've tried the authentication control-direction in command in closed mode from the docs that you showed me, no luck...

MAB requires traffic from the endpoint to work. Typically devices without an IP will request an IP address, which triggers MAB. For static-IP devices, it may be a long wait until the printer sends a packet to the network. With that in mind, the result depends on how you are testing the printers. An interesting fact about many printers, including HP printers, is that they do not renew their IP on interface link up/down. This is the case whether the printer is using DHCP or a static IP. So when testing printers, always power-cycle the device or you will be waiting for a long time.

The 'authentication control-direction in' command will often expedite the process, as it makes it possible for the printer to respond to broadcast and print requests. If you want to see 'authentication control-direction in' in action, simply send a directed broadcast (ping x.x.x.255, assuming the router allows it) to the VLAN 5 subnet and you will notice that MAB happens immediately for the printer.

Hosuk
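The failure mode Hosuk describes is easy to misread as a RADIUS or ISE problem because the switch shows nothing at all. As an added example (not code from the thread, from Cisco or from ISE), the Python below parses the two outputs Maxim posted, the interface config and `show authentication sessions interface ... details`, and turns them into a verdict: a closed-mode port whose control direction is the IOS default of `both` and which has no Auth Manager context is exactly what a silent static-IP or non-renewing printer looks like, and the remedy is the one given above (power-cycle it, or set `authentication control-direction in`). The sample inputs are constructed from the redacted output quoted in the thread; the field names assumed are those of the IOS 15.2(2)E output shown there and may differ on other releases.

```python
import re

# Added example, not code from the thread, Cisco or ISE. Sample inputs are
# constructed from the redacted outputs Maxim posted earlier in the thread.
CLOSED_CONFIG = """
interface GigabitEthernet1/0/13
 switchport access vlan 5
 switchport mode access
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
"""

# 'authentication control-direction both' is the IOS default and is not shown
# in the running config; only the non-default 'in' appears when configured.
CLOSED_CONFIG_IN = CLOSED_CONFIG + " authentication control-direction in\n"

SESSION_NONE = "No Auth Manager contexts match supplied criteria"

SESSION_OK = """
            Interface:  GigabitEthernet1/0/13
          MAC Address:  x.x.x.x
         IPv4 Address:  10.x.x.x.x
            User-Name:  <MAC>
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
    Common Session ID:  0A6401090000004C0905C7D2
Server Policies:
           Vlan Group:  Vlan: 5
              ACS ACL:  xACSACLx-IP-WIRED-INSIDE-56c57a49
Method status list:
       Method           State
       mab              Authc Success
"""

FIELD = re.compile(r"([A-Za-z0-9 -]+?):\s*(.*)$")


def parse_session(text):
    """Parse 'show authentication sessions interface X details'.

    Returns None when the switch reports no Auth Manager context (it has not
    seen a frame from the endpoint), otherwise a dict of the key/value fields
    plus a 'methods' dict mapping each method (mab, dot1x) to its state."""
    if SESSION_NONE in text:
        return None
    fields, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Method status list"):
            in_methods = True
            continue
        if in_methods:
            if line.startswith("Method"):      # column header row
                continue
            name, _, state = line.partition(" ")
            methods[name] = state.strip()
            continue
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    fields["methods"] = methods
    return fields


def port_mode(config):
    """Classify an interface config: closed unless 'authentication open' is
    present; control direction is 'both' unless explicitly set to 'in'."""
    lines = {l.strip() for l in config.splitlines()}
    return {
        "mode": "open" if "authentication open" in lines else "closed",
        "control_direction": "in" if "authentication control-direction in" in lines else "both",
        "mab": "mab" in lines,
    }


def diagnose(config, session_text):
    """Combine both outputs into a list of findings for one port."""
    port, session = port_mode(config), parse_session(session_text)
    findings = []
    if session is None:
        findings.append("no Auth Manager context: the switch has not seen a "
                        "frame from the endpoint, so MAB never started")
        if port["mode"] == "closed" and port["control_direction"] == "both":
            findings.append("closed mode with control direction 'both': no "
                            "broadcast or ARP reaches a static-IP or non-renewing "
                            "endpoint, so it stays silent; power-cycle it or "
                            "configure 'authentication control-direction in'")
        return findings
    for method, state in session["methods"].items():
        findings.append(f"{method}: {state} for {session.get('User-Name')} "
                        f"on {session.get('Interface')}")
    if session.get("ACS ACL"):
        findings.append(f"dACL applied: {session['ACS ACL']}")
    return findings


if __name__ == "__main__":
    for f in diagnose(CLOSED_CONFIG, SESSION_NONE) + diagnose(CLOSED_CONFIG, SESSION_OK):
        print("-", f)
```

Run against Maxim's closed-mode config and the empty session output it reports the silent-endpoint condition; run against the open-mode session output it reports the MAB success and the dACL ISE pushed. Because the default control direction never appears in `show running-config`, the parser treats its absence as `both`, which is the case that bites here.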

Thanks for your answer.

I was thinking about it too. I will try to power the printer off and on. I will let you know about the result.

I have checked this supposition and I can tell you that you were right! Switching the power off and on resolved my problem. The printer is authenticated via MAB in closed mode. Many thanks.

Hi Thomas, how can I access the how to guide?

Thanks.
