512 Views | 2 Helpful | 9 Replies

802.1x issue with printers

Alf31
Level 1

Hello

I have an issue with our printers. We have Xerox printers to connect to our network. By default, 802.1X is configured on all switch ports with VLAN assignment by the RADIUS server. We use MAB accounts for our Xerox printers. When we connect a printer to the network, the MAB account is configured. The switch port where the printer is connected has this config:

interface GigabitEthernet1/0/15
description PRINTERS
switchport access vlan 90
switchport mode access
switchport voice vlan 42
authentication event fail action authorize vlan 90
authentication event server dead action authorize vlan 20
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 90
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
authentication timer inactivity 60
mab
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 10.00
storm-control multicast level 10.00
storm-control action trap
spanning-tree portfast
spanning-tree guard root
!

When we connect the printer to the network, the printer is on the Guest VLAN (90) and not on the printer VLAN. If we change "switchport access vlan 90" to "switchport access vlan 70", the printer is reachable via the correct VLAN (printer VLAN = 70).

Do you know what our problem is?

Regards

9 Replies

@Alf31 you would need to configure the RADIUS server to assign the VLAN using dynamic VLAN assignment, otherwise the printer will just be assigned to the VLAN configured on the switchport.

Example https://integratingit.wordpress.com/2018/05/07/configuring-cisco-ise-dynamic-vlan-assignment/


authentication open <<- remove this from interface 

MHM

Hello

not sure to understand your answer...

This command will open the port and not check 802.1X or MAB.

MHM

@Alf31 

Can you provide the command "show authentication session int GigabitEthernet1/0/15 detail" ?

Are you using some kind of port bounce?

Assuming that the MAB authentication is successful, the RADIUS server can either send an "ACCESS_ACCEPT" response, in which case the device (printer) would be assigned to the VLAN that's specified with the "switchport access vlan" command, or it can also return additional attributes to specify which VLAN the printer should be assigned to.

If you were using ISE as a RADIUS server, the Attribute Details dialogue could look something like this:

Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:70
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6

So start by verifying that the authentication was successful, and that the correct RADIUS attributes were returned for dynamic VLAN assignment.
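An added example, not code from the thread, from Cisco or from ISE: a small Python script that reads an interface config shaped like the one in the question and a RADIUS reply shaped like the ISE attribute list above, and works out which VLAN the endpoint lands in for each authentication outcome (Accept with VLAN attributes, Accept without them, reject, server dead, no response). It also flags the two port-config points raised in this thread: `authentication open`, and an access VLAN that is the same as the fail/no-response VLAN, which makes "Accept without VLAN attributes" and "failed auth" indistinguishable from the printer's side. The sample interface text and the two replies are constructed for this example; the values 13 and 6 are RFC 3580's Tunnel-Type VLAN and Tunnel-Medium-Type IEEE-802; VLAN names in Tunnel-Private-Group-ID are deliberately not handled (assumption: numeric VLAN ids only).

```python
"""Which VLAN does an endpoint land in on a Cisco IOS access port?

Added example: parses an interface config and a RADIUS Access-Accept
attribute list (ISE "tag:value" form) and reports the resulting VLAN.
"""
import re

# Constructed sample, shaped like the interface config in the question.
SAMPLE_INTERFACE = """\
interface GigabitEthernet1/0/15
 description PRINTERS
 switchport access vlan 90
 switchport mode access
 authentication event fail action authorize vlan 90
 authentication event server dead action authorize vlan 20
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 90
 authentication open
 authentication order mab dot1x
 mab
 dot1x pae authenticator
"""

# Constructed replies, in the "tag:value" form ISE shows in Attribute Details.
REPLY_WITH_VLAN = {
    "Access Type": "ACCESS_ACCEPT",
    "Tunnel-Private-Group-ID": "1:70",
    "Tunnel-Type": "1:13",
    "Tunnel-Medium-Type": "1:6",
}
REPLY_NO_VLAN = {"Access Type": "ACCESS_ACCEPT"}

TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_8021 = 6     # RFC 3580: Tunnel-Medium-Type = IEEE-802

EVENT_KEYS = {"fail": "fail_vlan", "server dead": "dead_vlan",
              "no-response": "no_response_vlan"}


def parse_interface(text):
    """Pull the access VLAN, the per-event authorize VLANs and 'authentication open'."""
    cfg = {"access_vlan": None, "fail_vlan": None, "dead_vlan": None,
           "no_response_vlan": None, "open": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"switchport access vlan (\d+)", line):
            cfg["access_vlan"] = int(m.group(1))
        elif m := re.fullmatch(
                r"authentication event (fail|server dead|no-response) "
                r"action authorize vlan (\d+)", line):
            cfg[EVENT_KEYS[m.group(1)]] = int(m.group(2))
        elif line == "authentication open":
            cfg["open"] = True
    return cfg


def _tagged(value):
    """Split ISE's 'tag:value' form; an untagged value gets tag 0."""
    tag, sep, val = value.partition(":")
    return (int(tag), val) if sep else (0, value)


def vlan_from_reply(reply):
    """VLAN id assigned by an Access-Accept, or None if the three RFC 3580
    tunnel attributes are missing, inconsistent, or not a numeric VLAN id."""
    if reply.get("Access Type") != "ACCESS_ACCEPT":
        return None
    needed = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")
    if not all(k in reply for k in needed):
        return None
    (t_tag, t_type), (m_tag, medium), (g_tag, group) = (_tagged(reply[k]) for k in needed)
    if not (t_tag == m_tag == g_tag):
        return None  # the three attributes must carry the same tag
    if int(t_type) != TUNNEL_TYPE_VLAN or int(medium) != TUNNEL_MEDIUM_8021:
        return None
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None  # assumption: numeric VLAN ids only, names not handled
    return int(group)


def resulting_vlan(cfg, outcome, reply=None):
    """outcome is one of: accept, reject, server-dead, no-response."""
    if outcome == "accept":
        # Accept without VLAN attributes falls back to the configured access VLAN.
        return vlan_from_reply(reply or {}) or cfg["access_vlan"]
    if outcome == "reject":
        return cfg["fail_vlan"]
    if outcome == "server-dead":
        return cfg["dead_vlan"]
    if outcome == "no-response":
        return cfg["no_response_vlan"]
    raise ValueError(f"unknown outcome {outcome!r}")


def port_warnings(cfg):
    """Port-config points raised in the thread, as a list of strings."""
    out = []
    if cfg["open"]:
        out.append("authentication open: traffic is forwarded on the access VLAN "
                   "before, and regardless of, any MAB/802.1X result")
    if cfg["access_vlan"] in (cfg["fail_vlan"], cfg["no_response_vlan"]):
        out.append("access VLAN equals the fail/no-response VLAN: an Accept without "
                   "VLAN attributes and a failed auth land on the same VLAN")
    return out


if __name__ == "__main__":
    cfg = parse_interface(SAMPLE_INTERFACE)
    for label, reply in (("accept+attrs", REPLY_WITH_VLAN), ("accept only", REPLY_NO_VLAN)):
        print(f"{label:13} -> VLAN {resulting_vlan(cfg, 'accept', reply)}")
    for outcome in ("reject", "server-dead", "no-response"):
        print(f"{outcome:13} -> VLAN {resulting_vlan(cfg, outcome)}")
    for w in port_warnings(cfg):
        print("warning:", w)
```

Run against the thread's port, an Accept that carries the three tunnel attributes lands the printer in VLAN 70, while an Accept with no VLAN attributes, a reject and a no-response all land it in VLAN 90, which matches what the question describes and points at the RADIUS reply rather than the switch as the place to look.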

Arne Bier
VIP

With MAB authentication you will have an unreliable experience when using dynamic VLAN assignment. Because MAB operates on endpoints that are sending regular Ethernet frames (e.g. DHCP discovery), the printer will get a DHCP offer from the DHCP server on VLAN 90 (guest), and some milliseconds later the RADIUS server puts that interface into VLAN 70 (printer). Your printer has no idea this just happened and will continue using the IP address from VLAN 90 to transmit.

I would not recommend dynamic VLAN assignment unless

  • The endpoints are 802.1X, in which case the endpoint only talks layer 3 (IP) AFTER the 802.1X has completed - by this time the interface is in the correct VLAN (or dynamically assigned) and DHCP starts from this point onwards
  • Use a dummy VLAN for the interface's 'access vlan' that does not include an 'ip helper' statement - this means the endpoint will never get a DHCP Offer for its Discovery request - that's good news. It must be patient and keep trying - the RADIUS server puts the interface in the correct VLAN, and by now, if you're lucky, the DHCP client software is patient and keeps trying until it receives an Offer on the new VLAN. Voilà!


Leo Laohoo
Hall of Fame

Printer NICs are stupid and dumb. To keep the costs down, printer manufacturers put the worst wired NIC in with poorly written NIC drivers. The "best" that some of them can do is support DHCP, and I've seen some which only support static IP addresses.

We have Fuji/Xerox, HP, Ricoh, Lexmark and some Zebra and before they are delivered to us, the dealers and manufacturers have to furnish us the MAC addresses which we then use to populate the endpoint DB in ISE.  

Make sure to keep a hard copy of those MAC addresses because ISE endpoint DB can get "lost", like CSCwk94725.

Could you please share the RADIUS server policy for the printers for review? Assuming the printers' traffic is hitting the right authorization rule on the RADIUS server, the RADIUS server should return the VLAN attribute (VLAN 70 in this case) in the RADIUS response back to the switch. Then the switch would place the port into that VLAN. If you are using ISE, this attribute is configured in the authorization profile that is tied to the authorization rule for the printers.