topic Re: Mab authentication loses connection to printer after days/weeks in Network Access Control

Mab authentication loses connection to printer after days/weeks

Rainer Woerthwein — Thu, 05 Nov 2020 13:33:45 GMT

Hi everybody,

I'm facing a really strange problem with NAC.

We use a NAC software (not ISE) to perform port authentication. Windows Clients use dot1x, printers and phones Mab.

From time to time our Xerox printers are losing the connection, no ping etc. Windows clients and phones are fine.

On the switches and in the NAC tool everything looks fine.

We are using 2960X with 15.2(4)E8.

sh auth sess:

Gi1/0/19 9c93.1234.5678 mab DATA Auth AC163FA000000xxxxxxxxxxx

Port config as following:

interface GigabitEthernet1/0/19
switchport access vlan xx
switchport mode access
switchport voice vlan xx
queue-set 2
authentication control-direction in
authentication event server dead action authorize
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
authentication violation replace
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
spanning-tree portfast edge
spanning-tree bpduguard enable
end

sh inter statu

Gi1/0/19 connected VID a-full a-1000 10/100/1000BaseTX

Where VID is issued correctly.

shut, no shut doesn't help. Only thing that helps is removing NAC config from switchport and reboot the printer.

After that I can reenable NAC config and it's still fine.

Any ideas what's going on here? Please let me know if I should provide more information.

Thanks in advance.

Re: Mab authentication loses connection to printer after days/weeks

Colby LeMaire — Thu, 05 Nov 2020 15:28:27 GMT

Sounds like the printer may be going to sleep and then your reauthentication is not able to complete because the printer's MAC address timed out due to no activity for a while. For MAB to work, the switch has to see some traffic from the device to grab the source MAC address. During the time when the issue is happening, do the "show authentication session int gx/y detail" and see what is shown for the MAC address or username. It is likely showing "unknown". And if it is unknown, the switch cannot even attempt authentication to your NAC system. So in your NAC system logs, you probably don't see any of the reauthentication attempts once it is in that state. If that is the issue, then check the printer for any settings related to going to sleep and turning the NIC off.

Re: Mab authentication loses connection to printer after days/weeks

Rainer Woerthwein — Fri, 06 Nov 2020 09:37:47 GMT

Thanks for your quick reply. I also had that thought.

The weird thing is show auth sess int g1/0/19 det shows this. Only thing which is different from other ports is, that IPv4 address is empty.

Interface: GigabitEthernet1/0/19
MAC Address: 9c93.1234.5678
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 9c9312345678
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: 28800s (local), Remaining: 966s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: AC163FA000000470DE5E0AFA
Acct Session ID: Unknown
Handle: 0x28000464
Current Policy: POLICY_Gi1/0/19

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
Vlan Group: Vlan: <correct VID>

Method status list:
Method State

dot1x Stopped
mab Authc Success

Also MAC is shown with show mac command.

Log from NAC:

Mac User Radius Access granted Access time Access type Authentification Switch NAS IP NAS Port NAS Port ID VLAN

9C-93-12-34-56-78 9c9312345678 localhost yes 2020-11-05 16:06:56 LOW PAP authentication 172.22.xx.xxx 172.22.xx.xxx 50119 GigabitEthernet1/0/19 <correct VID>
9C-93-12-34-56-78 9c9312345678 localhost yes 2020-11-05 08:05:47 LOW PAP authentication 172.22.xx.xxx 172.22.xx.xxx 50119 GigabitEthernet1/0/19 <correct VID>
9C-93-12-34-56-78 9c9312345678 localhost yes 2020-11-05 00:04:35 LOW PAP authentication 172.22.xx.xxx 172.22.xx.xxx 50119 GigabitEthernet1/0/19 <correct VID>

When I remove the NAC config and shut no shut the Port the MAC is gone. Then you need to reboot the printer (true, printer is in sleep mode at that time) to get it back online. After that you can apply the NAC config again and everything is fine.

Current state after reboot and applying NAC again:

Interface: GigabitEthernet1/0/19
MAC Address: 9c93.1234.5678
IPv6 Address: Unknown
IPv4 Address: 172.22.x.xxx
User-Name: 9c9312345678

Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: 28800s (local), Remaining: 28428s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: AC163FA00000047DE920BE37
Acct Session ID: Unknown
Handle: 0x14000469
Current Policy: POLICY_Gi1/0/19

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
Vlan Group: Vlan: <correct VID>

Method status list:
Method State

dot1x Stopped
mab Authc Success

Re: Mab authentication loses connection to printer after days/weeks

Colby LeMaire — Fri, 06 Nov 2020 15:46:49 GMT

Check for firmware/software updates for your printer. See if there are any settings that tell the printer to sleep and turn networking off. My guess is that the issue is with the printer and how it handles network connectivity or wake events. What specific model printer is the Xerox?

Re: Mab authentication loses connection to printer after days/weeks

Nicolai Borchorst — Fri, 06 Nov 2020 17:35:19 GMT

If you don't find any options on the printer try lowering the DHCP Lease time causing the printer to renew it's IP-Address and therefore not go into silent mode. If it doesn't run DHCP try configuring your switchports to reauthenticate once in a while causing the device to generate some traffic as well.

Re: Mab authentication loses connection to printer after days/weeks

thomas — Sun, 08 Nov 2020 17:12:24 GMT

Also consider configuring 802.1X on your printers so they can authenticate properly when they do wake up rather than relying on MAB.

Re: Mab authentication loses connection to printer after days/weeks

Rainer Woerthwein — Thu, 07 Jan 2021 10:51:34 GMT

Sorry for my late reply was ooo for a while.

Thanks for all your suggestions - now I'm sure it's only a printer issue. All other MAB devices like Cisco phones are working.

I'll try both - lowering DHCP lease time and switching to dot1x.