topic Re: Printer COA vlan Issue in Network Access Control

Printer COA vlan Issue

hanis2903 — Fri, 28 Nov 2025 17:45:45 GMT

Hello,

I am having a weird issue with ISE 3.4 Patch 3. Printers is not getting vlan changed when it is pushed via COA. It clearly shows on the authentication session that it is pushing the correct vlan but the ip did not change and switch to unknow. I tried to reboot same issue. we tried different printers models like HP Zebra but same behavior. We tried to plug a pc instead and it worked right away. So looks like something related to printers. We are using Cisco sw 9300 models.

we are using IBNS2 and apply template on the port. Any suggestions?

Thank you ,

Hani,

Re: Printer COA vlan Issue

balaji.bandi — Fri, 28 Nov 2025 18:01:34 GMT

What version of code is running on Cat 9300 models? Is this issue after upgrading to ISE 3.4pat3 or after a fresh installation?

What session details are shown for that port? Is this for MAB? Also, what do the radius live logs show?

Re: Printer COA vlan Issue

hanis2903 — Fri, 28 Nov 2025 18:42:23 GMT

Hello,

We are running 17.06.03 version. I can not tell if this is after upgrading because we just have a fresh deploy on this version of ISE.

NA-CAN-MTL-IDF7-ACC-SW1#sho authentication sessions int gi4/0/20 det
Interface: GigabitEthernet4/0/20
IIF-ID: 0x165D8B63
MAC Address: 80e8.2c7a.7ee9
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 80-E8-2C-7A-7E-E9
Device-type: HP-Device
Device-name: MTL-PRN093
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 172798s
Common Session ID: 0C00F00A000025FFCBBEA876
Acct Session ID: 0x0000086c
Handle: 0xc100071f
Current Policy: DOT1X_MAB_POLICY

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
Vlan Group: Vlan: 150

Method status list:
Method State
dot1x Stopped
mab Authc Success

Regards,

Hani,

Re: Printer COA vlan Issue

balaji.bandi — Fri, 28 Nov 2025 23:43:43 GMT

How does your configuration look globally and at the port level?

Re: Printer COA vlan Issue

andrewswanson — Sat, 29 Nov 2025 09:39:45 GMT

Is the printer getting an IP prior to authorization? If so, the printer will retain this DHCP lease even if its nic is bounced.

I've seen this behaviour across all printer vendors.

Try reducing the DHCP lease time of the landing VLAN to a matter of minutes so that the printer will request a new IP on its authorization vlan.

hth
Andy

Re: Printer COA vlan Issue

hanis2903 — Sat, 29 Nov 2025 12:09:06 GMT

Hi, but how come it works perfectly with a PC? no need to touch the DHCP. Also if you manually config the new vlan let say 150 on the switchport it gets and ip immediately from that vlan (150) so the same behavior ISE is doing pushing the vlan 150 via COA.

here is the global config:

template WIRED_DOT1X_OPEN

dot1x pae authenticator

mab

access-session host-mode multi-domain

access-session port-control auto

access-session control-direction in

dot1x timeout tx-period 7

dot1x max-reauth-req 2

dot1x timeout quiet-period 300

dot1x timeout held-period 300

authentication periodic

authentication timer reauthenticate server

service-policy type control subscriber DOT1X_MAB_POLICY

interface GigabitEthernet4/0/20
description Printer
switchport access vlan 100
switchport mode access
device-tracking attach-policy IPDT_POLICY
no logging event link-status
storm-control broadcast level 50.00
storm-control multicast level 30.00
storm-control action trap
source template WIRED_DOT1X_OPEN
spanning-tree portfast
ip dhcp snooping limit rate 15

Regards,

Hani,

Re: Printer COA vlan Issue

andrewswanson — Sat, 29 Nov 2025 12:45:22 GMT

the thread below discusses how windows 802.1x supplicant detects a vlan change

https://community.cisco.com/t5/network-access-control/dynamic-vlan-behavor/td-p/4589001

The output you posted shows that you are using mab for the printer - does the printer support 802.1x? If so, maybe the printer's 802.1x supplicant would support detection of a vlan change?

hth
Andy

Re: Printer COA vlan Issue

balaji.bandi — Sat, 29 Nov 2025 18:00:58 GMT

suggest refer -

IBNS 2.0 Policy and Interface Configuration

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Re: Printer COA vlan Issue

hanis2903 — Mon, 01 Dec 2025 12:14:51 GMT

Hello,

Yes you are right the printer only support MAB, but the policy it doing both, dot1x first then MAB. So is there something special to it should be be excluded from Trying MAB and apply a different policy on the port level to only do MAB?

Regards,

Hani,

Re: Printer COA vlan Issue

balaji.bandi — Mon, 01 Dec 2025 13:48:39 GMT

It's not necessary; you can have the order supplier authenticate, and if it doesn't work in time, move to MAB. Could you make sure you have policies or a trusted MAC address-based authentication in place? What is the version of IOS XE?

Re: Printer COA vlan Issue

hanis2903 — Mon, 01 Dec 2025 14:58:47 GMT

HI,

Version 17.06.03, yes we have policies in places. see attachment.

Regards,

Hani