
802.1x MAB and Printers

Jason Mann
Level 1

Hello all, I am curious how people are dealing with printers and 802.1x. We are using MAB to authenticate the devices which works fine. We have begun to implement the black hole concept as our next phase. We have built a vlan 86 that is strictly layer 2, we put all of the ports into that vlan and then use dynamic vlan assignment to place them into the correct vlan. That too works fine, the issue we have been running into is when the printer goes into hibernate/sleep mode. I am guessing that causes an up/down event on the switch which will cause the 802.1x authentication process to start over. When that happens the devices end up in vlan 86 and MAB is stuck in the running state because the device is not talking on the network.

I have tried enabling ip device tracking but that didn't help. I am going to set up a ping probe using InterMapper to ping the device and see if that keeps it active, but I am curious if anyone out there has run into issues with printers and, if so, how they have dealt with them. Thanks!

6 Replies

edondurguti
Level 4

maybe STATIC ARP

Hello,

I've got this problem too (3 years later...).

What I see is that 802.1x state is Authenticated & Authorized:

show authentication sessions int gi 1/0/31 details
Interface: GigabitEthernet1/0/31
IIF-ID: 0x10595C000000337
MAC Address: 0026.7348.d3da
IPv6 Address: Unknown
IPv4 Address: 10.100.13.1
User-Name: 00-26-73-48-D3-DA
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: 3600s (local), Remaining: 644s
Timeout action: Reauthenticate
Common Session ID: C0A8FEFE00002BBAA4294690
Acct Session ID: 0x00002B66
Handle: 0x7D0000A1
Current Policy: POLICY_Gi1/0/31

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
Vlan Group: Vlan: 13

Method status list:
Method State
mab Authc Success

The ip device tracking entry for this interface is OK, but the related ARP entry shows incomplete for the MAC address value.

sho ip device track int gi 1/0/31
--------------------------------------------
Interface GigabitEthernet1/0/31 is: STAND ALONE
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IPv6 Device Tracking Client Registered Handle: 23
IP Device Tracking Enabled Features:
HOST_TRACK_CLIENT_SM
--------------------------------------------
10.100.13.1 0026.7348.d3da 13 GigabitEthernet1/0/31 30 ACTIVE ARP

Here is the switchport config:

interface GigabitEthernet1/0/31
switchport access vlan 13
switchport mode access
switchport nonegotiate
authentication control-direction in
authentication host-mode multi-auth
authentication order mab dot1x
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
storm-control broadcast level 70.00
no lldp transmit
no lldp receive
spanning-tree portfast
end

ping 10.100.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.13.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

sh ip arp 10.100.13.1
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.100.13.1 114 incomplete ARPA Vlan13

If I add a static ARP entry, the printers become reachable:
arp 10.100.13.1 0026.7348.d3da arpa

ping 10.100.13.1

Sending 5, 100-byte ICMP Echos to 10.100.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

Has anyone encountered this issue already?
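The two symptoms described so far (the original question's MAB session stuck in Running after a link flap, and the Authorized session above whose ARP entry stays incomplete) can both be spotted by correlating "show authentication sessions ... details" with "show ip arp". The following Python script is an added example, not code from the thread or from Cisco: it parses constructed sample output modelled on what is quoted above (the Gi1/0/31 block reuses the posted interface, MAC and IP; the Gi1/0/32 block and the 10.100.13.2 ARP line are made up) and reports every port where the switch's view of the endpoint disagrees with itself.

```python
import re

# Constructed sample, modelled on the "show authentication sessions ... details"
# output quoted in the thread. The first block reuses the interface, MAC and IP
# the post shows; the second block (Gi1/0/32, 0011.2233.4455) is made up to
# represent the "MAB stuck in Running" case from the original question.
AUTH_SESSION_SAMPLE = """\
Interface: GigabitEthernet1/0/31
MAC Address: 0026.7348.d3da
IPv6 Address: Unknown
IPv4 Address: 10.100.13.1
User-Name: 00-26-73-48-D3-DA
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: 3600s (local), Remaining: 644s
Current Policy: POLICY_Gi1/0/31

Server Policies:
Vlan Group: Vlan: 13

Method status list:
Method State
mab Authc Success

Interface: GigabitEthernet1/0/32
MAC Address: 0011.2233.4455
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 00-11-22-33-44-55
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: in
Current Policy: POLICY_Gi1/0/32

Method status list:
Method State
mab Running
"""

# Constructed "show ip arp" sample; the incomplete 10.100.13.1 entry is the one
# quoted in the thread, the second line is made up as a healthy comparison.
ARP_SAMPLE = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.100.13.1 114 incomplete ARPA Vlan13
Internet 10.100.13.2 5 0011.2233.4466 ARPA Vlan13
"""


def parse_auth_sessions(text):
    """Split the 'details' output into one dict per session block."""
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            current = {"methods": {}}
            sessions.append(current)
        if current is None or not line:
            continue
        m = re.match(r"^(mab|dot1x)\s+(.+)$", line)
        if m:                      # method table rows, e.g. "mab Authc Success"
            current["methods"][m.group(1)] = m.group(2).strip()
            continue
        if ": " in line:           # "Key: value" rows, split at the first colon
            key, _, value = line.partition(": ")
            current[key] = value.strip()
    return sessions


def parse_arp(text):
    """Map IPv4 address -> hardware address (or the literal 'incomplete')."""
    table = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 4 and parts[0] == "Internet":
            table[parts[1]] = parts[3].lower()
    return table


def audit_sleeping_endpoints(auth_text, arp_text):
    """Flag ports whose MAB state does not match what the L3 side sees."""
    arp = parse_arp(arp_text)
    findings = []
    for s in parse_auth_sessions(auth_text):
        entry = {"interface": s.get("Interface"), "ip": s.get("IPv4 Address"),
                 "mac": s.get("MAC Address", "").lower()}
        mab_state = s["methods"].get("mab", "")
        if s.get("Status") == "Authorized":
            hw = arp.get(entry["ip"])
            if hw == "incomplete":          # session up, but host not answering ARP
                findings.append(dict(entry, reason="authorized-but-arp-incomplete"))
            elif hw is not None and hw != entry["mac"]:
                findings.append(dict(entry, reason="arp-mac-mismatch"))
        elif mab_state.startswith("Running"):   # host silent, MAB never completes
            findings.append(dict(entry, reason="mab-running"))
    return findings


if __name__ == "__main__":
    for f in audit_sleeping_endpoints(AUTH_SESSION_SAMPLE, ARP_SAMPLE):
        print(f"{f['interface']}: {f['reason']} (ip={f['ip']}, mac={f['mac']})")
```

Run against real output collected from the switch, the "authorized-but-arp-incomplete" finding is the case that a static ARP entry masks, and "mab-running" is the case the original poster describes; both are worth alerting on rather than fixing silently, since a printer that stops answering ARP for 114 minutes is also what a removed or swapped device looks like.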

dynamitec1
Level 1

Have you tried this WoL command?

"authentication control direction both"


Jatin Katyal
Cisco Employee

I agree with Adam, the WoL feature would help you here. Could you please paste the port configuration here?

Most WoL endpoints flap the link when going into hibernation or standby mode, thus clearing any existing MAB authenticated session. By default, traffic through the unauthorized port will be blocked in both directions, and the magic packet will never get to the sleeping endpoint. To support WoL in a MAB environment, you can configure a Cisco Catalyst switch to modify the control direction of the port, allowing traffic to the endpoint while still controlling traffic from the endpoint. This approach allows the hibernating endpoint to receive the WoL packet while still preventing the unauthorized endpoint from sending any traffic to the network. After it is awakened, the endpoint can authenticate and gain full access to the network. Control direction works the same with MAB as it does with IEEE 802.

Configuration example:

Switch(config)# interface fastethernet 5/1
Switch(config-if)# authentication control-direction both

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-wake-lan-supp.html#GUID-E1DF650C-0311-48C4-BEDF-C9A95F74FFCC

Jatin Katyal
- Do rate helpful posts -

~Jatin

I think that the documentation that you provided is wrong in that specific example.

WoL can be supported by using the authentication control-direction in argument, not both (which is the default).

Enables 802.1X authentication with WoL on the port. Use these keywords to configure the port as bidirectional or unidirectional:

  • both--Sets the port as bidirectional. The port cannot receive packets from or send packets to the host. By default, the port is bidirectional.
  • in--Sets the port as unidirectional. The port can send packets to the host but cannot receive packets from the host.
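To apply the distinction above across a whole switch rather than one port, here is an added Python audit (not from the thread or from Cisco's documentation). It walks a running-config, and for every port that runs MAB or 802.1X reports the effective control direction, treating a missing authentication control-direction line as both, the default the quoted documentation states. The sample config is constructed: Gi1/0/31 is modelled on the port configuration posted earlier in the thread, the other interfaces are made up.

```python
import re

# Constructed sample running-config. Gi1/0/31 is modelled on the port
# configuration posted earlier in the thread; the other interfaces are made up
# to show the default (no control-direction line), an explicit "both", and an
# uplink that runs no port authentication at all.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/31
 switchport access vlan 13
 switchport mode access
 authentication control-direction in
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/32
 switchport access vlan 13
 switchport mode access
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/33
 switchport access vlan 13
 authentication control-direction both
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [config lines]} for every interface block."""
    blocks = {}
    name = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif line in ("!", "end"):        # block terminators in IOS config output
            name = None
        elif name is not None and line:
            blocks[name].append(line)
    return blocks


def audit_wol_control_direction(config_text):
    """Report the effective control direction on every MAB/802.1X port.

    A port with no 'authentication control-direction' line is treated as
    'both' (the default, per the IOS documentation quoted in the thread),
    which blocks the magic packet from reaching a sleeping endpoint.
    """
    results = []
    for name, lines in parse_interfaces(config_text).items():
        runs_auth = any(l == "mab" or l.startswith("mab ") for l in lines) \
            or "dot1x pae authenticator" in lines
        if not runs_auth:
            continue                          # uplinks etc. are out of scope
        direction = "both"
        for l in lines:
            m = re.match(r"^authentication control-direction (both|in)$", l)
            if m:
                direction = m.group(1)
        results.append({"interface": name, "control_direction": direction,
                        "wol_capable": direction == "in"})
    return results


if __name__ == "__main__":
    for r in audit_wol_control_direction(SAMPLE_RUNNING_CONFIG):
        flag = "ok" if r["wol_capable"] else "WoL blocked (control-direction both)"
        print(f"{r['interface']}: {r['control_direction']} -> {flag}")
```

Note what the in setting changes and what it does not: it only opens the port in the direction toward the endpoint, so an unauthenticated device still cannot send into the network, which is the property the quoted documentation relies on.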

Hi Oct,

Ahhh, my bad. While adding those commands, I forgot to replace both with in.


Ahh, you are
~Jatin