topic Cannot authenticate printer via PEAP in Network Access Control

Cannot authenticate printer via PEAP

lnw-team — Fri, 20 Oct 2023 07:42:07 GMT

Hello,

We have twelve network printers in our remote location. We've recently enabled dot1x authentication on a switch. In order to limit the number of unprotected ports, we would also like to enable authentication on network printers. Since using certifiates creates a lot of administrative overhead (local IT guys would have to generate CSR and certificatesare are valid only for a limited period of time) we've come to the conclusion that PEAP/MS-CHAPv2 would be the most appropriate authentication method. the following policy has been created on Cisco ISE:
Network Access·EapAuthentication equals EAP-MS-CHAPv2
Network Access Network Device Name starts with xxxxxxx
Identity group is external AD group

Unfortunately I do not see any hitcounts, the policy is failing. Obviously, the account is added to AD group, right authentication method and credentials are set up in administrative panel of a printer. In my opinion the issue can be on the end device as previosuly we were having such issue on wireless network (two iPhones were able to authenticate via PEAP, my Samsung Android device was working fine, but the problem was with other Android device)

Re: Cannot authenticate printer via PEAP

Rob Ingram — Fri, 20 Oct 2023 08:29:46 GMT

@lnw-team I assume other devices connected to the same switch are authenticating correctly, so we can rule out the switch configuration?

From the switch run "show authentication session interface x/y/z detail" < replace x/y/z with the actual switchport the printer is connected to.

In the ISE live logs do you see the authentication request come through for the printer? If so which rule does it match? Provide a screenshot.

Re: Cannot authenticate printer via PEAP

lnw-team — Fri, 20 Oct 2023 08:46:57 GMT

Hello Rob,

I did that, it hits the last policy (Default - Deny access).

Re: Cannot authenticate printer via PEAP

Rob Ingram — Fri, 20 Oct 2023 09:19:13 GMT

@lnw-team ok well then you need to determine what conditions it does not match or the device failed authentication or your Policy Set allowed protocols does not permit PEAP/MSCHAPv2, so therefore the request does not match your Policy Set and hits the default policy.

Check the live logs (provide them here if you want us to review).

Re: Cannot authenticate printer via PEAP

lnw-team — Tue, 24 Oct 2023 12:00:14 GMT

Hello,

Please take a look at the logs from ISE. As you can see, at some point ISE is recognizing the user.

Re: Cannot authenticate printer via PEAP

Rob Ingram — Tue, 24 Oct 2023 12:08:08 GMT

@lnw-team the clients do not trust the certificate that ISE is using. Add the root certificate used by ISE on to the printers, so the printers trust the certificate or (not secure and not recommended) configure the printer to not trust the ISE certificate.