Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1531
Views
5
Helpful
3
Replies

802.1x Wired - Printers not getting MAB'ed by switch

Go to solution
Ralphy006
Level 1
Level 1

‎06-18-2019 12:19 PM

We have a 3850 running 16.3.5b talking to ISE (2.3.0.298). We have wired 802.1x working with Windows supplicants, MAC supplicants, and MAB for most devices (ie security cameras).

Our general template for MAB is something like this:
interface GigabitEthernet1/0/XX
description dot1x - secvid - camera
switchport access vlan 398
switchport mode access
authentication event fail retry 1 action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 1
dot1x max-reauth-req 1
spanning-tree portfast
spanning-tree bpduguard enable

 

However, with this doesn't work for some of our printers. The printers don't seem to even get a chance to fail and the switch doesn't try MAB. But If I add "authentication open", the dot1x process kicks off properly, fails, and then switches to MAB.

 

Is there anything that can be done to fix this? We would expect the "dot1x timeout tx-period 1" to cause dot1x to fail after 1 second and start the MAB process.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ralphy006
Level 1
Level 1
In response to nspasov

‎06-19-2019 09:35 AM

I ended up fixing this with this command: " authentication control-direction in" It allows pings to hit the printer and forces the printer to talk back, which initiates the MAB

View solution in original post

3 Replies 3

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎06-18-2019 07:17 PM

Hi there. A few questions:

1. What is the output from the "show authentication session interface interface_name_number detail" ?

2. Does the affected device obtain an IP address

3. What does ISE show in the "live authentication logs" ?

Thank you for rating helpful posts!

0 Helpful

Go to solution
Ralphy006
Level 1
Level 1
In response to nspasov

‎06-19-2019 09:35 AM

I ended up fixing this with this command: " authentication control-direction in" It allows pings to hit the printer and forces the printer to talk back, which initiates the MAB

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Ralphy006

‎06-19-2019 11:04 AM

Fantastic! Glad you were able to resolve your own issue! And thank you for taking the time to come back and update the thread with the solution!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents