https://community.cisco.com/t5/network-access-control/ise-for-printer-security/m-p/3933247#M456745 <P>Every environment is different and there is no one size fits all.&nbsp; Here are some general thoughts:</P><P>- First thing is to try to do 802.1x if at all possible with your printers and if there is a centralized management system to push the configurations for them. You don't want to have to visit each printer to configure them manually.</P><P>- If you have to use MAB, you can use a static identity group for your printers called something like "Corporate_Printers".&nbsp; When you find printers on the network using dynamic profiling and the printers logical profile, have someone verify it is a corporate-approved printer, and then statically assign it to the "Corporate_Printers" identity group.&nbsp; Use that group in your authorization profile.&nbsp; It is a little more secure than just allowing any device that is profiled as a printer.</P><P>- dACL will depend on your environment, what you are using for printer management, and how the users add printers on their machines.&nbsp; Recommendation would be to SPAN a printer port for a while and capture the traffic.&nbsp; Build your dACL from there.&nbsp; And you will likely have to adjust over time based on feedback.</P> Tue, 01 Oct 2019 16:25:22 GMT Colby LeMaire 2019-10-01T16:25:22Z https://community.cisco.com/t5/network-access-control/ise-for-printer-security/m-p/3933216#M456743 <P>Hello,</P><P>&nbsp;</P><P>&nbsp;</P><P>does anyone have any suggested configurations, ACLs, etc for securing printers, especially HP and giving network access to just their essential functions only?</P><P>&nbsp;</P><P>&nbsp;</P><P>All replies rated,</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks in advance!</P> Tue, 01 Oct 2019 15:29:02 GMT https://community.cisco.com/t5/network-access-control/ise-for-printer-security/m-p/3933216#M456743 angel-moon 2019-10-01T15:29:02Z https://community.cisco.com/t5/network-access-control/ise-for-printer-security/m-p/3933221#M456744 <P>We use MAB for printers, I send a DACL down so they can't talk on their vlan, then the firewall does the rest of the upstream access.</P> Tue, 01 Oct 2019 15:41:00 GMT https://community.cisco.com/t5/network-access-control/ise-for-printer-security/m-p/3933221#M456744 Dustin Anderson 2019-10-01T15:41:00Z https://community.cisco.com/t5/network-access-control/ise-for-printer-security/m-p/3933247#M456745 <P>Every environment is different and there is no one size fits all.&nbsp; Here are some general thoughts:</P><P>- First thing is to try to do 802.1x if at all possible with your printers and if there is a centralized management system to push the configurations for them. You don't want to have to visit each printer to configure them manually.</P><P>- If you have to use MAB, you can use a static identity group for your printers called something like "Corporate_Printers".&nbsp; When you find printers on the network using dynamic profiling and the printers logical profile, have someone verify it is a corporate-approved printer, and then statically assign it to the "Corporate_Printers" identity group.&nbsp; Use that group in your authorization profile.&nbsp; It is a little more secure than just allowing any device that is profiled as a printer.</P><P>- dACL will depend on your environment, what you are using for printer management, and how the users add printers on their machines.&nbsp; Recommendation would be to SPAN a printer port for a while and capture the traffic.&nbsp; Build your dACL from there.&nbsp; And you will likely have to adjust over time based on feedback.</P> Tue, 01 Oct 2019 16:25:22 GMT https://community.cisco.com/t5/network-access-control/ise-for-printer-security/m-p/3933247#M456745 Colby LeMaire 2019-10-01T16:25:22Z