topic Re: 802.1x issue with printers in Network Access Control

802.1x issue with printers

Alf31 — Tue, 21 Jan 2025 16:29:13 GMT

Hello

I have an issue with our printer. We have printer (Xerox) to connect to our network. By default, the 802.1x is configured on all switch ports with vlan assignment by the radius server. We use MAB accounts for our Xerox printer. When we connect a printer on the network, the MAB account are configured. The swith port where the printer is connected has this conf :

interface GigabitEthernet1/0/15
description PRINTERS
switchport access vlan 90
switchport mode access
switchport voice vlan 42
authentication event fail action authorize vlan 90
authentication event server dead action authorize vlan 20
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 90
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
authentication timer inactivity 60
mab
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 10.00
storm-control multicast level 10.00
storm-control action trap
spanning-tree portfast
spanning-tree guard root
!

When we connect the printer on the nework, the printer is on the vlan Guest (90) and not on the VLAN printer. If we change "switchport access vlan 90" to "switchport access vlan 70", the printer is reachable via the correct vlan (vlan printer =70).

Do you know what is our problem ?

Regards

Re: 802.1x issue with printers

Rob Ingram — Tue, 21 Jan 2025 16:38:55 GMT

@Alf31 you would need to configure the RADIUS server to assign the VLAN using dynamic VLAN assignment, otherwise the printer will just be assigned to the VLAN configured on the switchport.

Example https://integratingit.wordpress.com/2018/05/07/configuring-cisco-ise-dynamic-vlan-assignment/

Re: 802.1x issue with printers

MHM Cisco World — Tue, 21 Jan 2025 16:40:28 GMT

authentication open <<- remove this from interface

MHM

Re: 802.1x issue with printers

Alf31 — Tue, 21 Jan 2025 16:43:35 GMT

Hello

not sure to understand your answer...

Re: 802.1x issue with printers

MHM Cisco World — Tue, 21 Jan 2025 17:14:51 GMT

This command will open the port and not check 802.1x not mab.

MHM

Re: 802.1x issue with printers

Flavio Miranda — Tue, 21 Jan 2025 17:29:16 GMT

@Alf31

Can you provide the command "show authentication session int GigabitEthernet1/0/15 detail" ?

Are using some kind of port bounce?

Re: 802.1x issue with printers

Jonatan Jonasson — Tue, 21 Jan 2025 17:55:14 GMT

Assuming that the MAB authentication is successful, the RADIUS server can either send an "ACCESS_ACCEPT" response, in which case the device(printer) would be assigned to the that's specified with the "switchport access vlan" command, or it can also return additional attributes to specify which VLAN the printer should be assigned to.

If you were using ISE as a RADIUS server, the Attribute Details dialogue could look something like this:

Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:70
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6

So start by verifying that the authentication was successful, and that the correct RADIUS attributes were returned for dynamic VLAN assignment.

Re: 802.1x issue with printers

Arne Bier — Tue, 21 Jan 2025 21:14:41 GMT

With MAB authentication you will have an unreliable experience when using dynamic VLAN assignment. Because MAB operates on endpoints that are sending regular Ethernet frames (e.g. DHCP discovery), then the printer will get a DHCP offer from the DHCP server on VLAN 90 (guest), and some milliseconds later, RADIUS server puts that interface into VLAN 70 (printer). Your printer has no idea this just happened and will continue using the IP address from VLAN 90 to transmit.

I would not recommend dynamic VLAN assignment unless

The endpoints are 802.1X, in which case the endpoint only talks layer 3 (IP) AFTER the 802.1X has completed - by this time the interface is in the correct VLAN (or dynamically assigned) and DHCP starts from this point onwards
Use a dummy VLAN for the interface's 'access vlan' that does not include an 'ip helper' statement - this means the endpoint will never get a DHCP Offer from its Discovery request -that's good news. it must be patient and keep trying - RADIUS server puts the interface in the correct VLAN, and by now, if you're lucky, the DHCP client software is patient and keeps trying until it receives an Offer on the new VLAN. Viola!

Re: 802.1x issue with printers

Leo Laohoo — Tue, 21 Jan 2025 21:36:30 GMT

Printer NICs are stupid and dumb. To keep the costs down, printer manufacturer put the worst wired NIC in with poorly written NIC drivers. The "best" that some of them can do is support DHCP and I've seen some which only support static IP address.

We have Fuji/Xerox, HP, Ricoh, Lexmark and some Zebra and before they are delivered to us, the dealers and manufacturers have to furnish us the MAC addresses which we then use to populate the endpoint DB in ISE.

Make sure to keep a hard copy of those MAC addresses because ISE endpoint DB can get "lost", like CSCwk94725.

Re: 802.1x issue with printers

Aref Alsouqi — Wed, 22 Jan 2025 10:09:48 GMT

Could you please share the RADIUS server policy of the printers for review? assuming the printers traffic is hitting the right authorization rule on the RADIUS server, the RADIUS server should return the VLAN attribute (VLAN 70 in this case) in the RADIUS response back to the switch. Then the switch would place the port into that VLAN. If you are using ISE this attribute is configured in the authorization profile that is tied to the authorization rule of the printers.