Cannot authenticate printer via PEAP

lnw-team

Hello, 

We have twelve network printers in our remote location. We've recently enabled dot1x authentication on a switch. In order to limit the number of unprotected ports, we would also like to enable authentication on network printers. Since using certificates creates a lot of administrative overhead (local IT guys would have to generate a CSR, and certificates are valid only for a limited period of time), we've come to the conclusion that PEAP/MS-CHAPv2 would be the most appropriate authentication method. The following policy has been created on Cisco ISE:
Network Access·EapAuthentication equals EAP-MS-CHAPv2
Network Access Network Device Name starts with xxxxxxx
Identity group is external AD group

Unfortunately, I do not see any hit counts; the policy is failing. Obviously, the account is added to the AD group, and the right authentication method and credentials are set up in the administrative panel of a printer. In my opinion the issue can be on the end device, as previously we were having such an issue on the wireless network (two iPhones were able to authenticate via PEAP, my Samsung Android device was working fine, but the problem was with another Android device).

 

Accepted Solutions

@lnw-team the clients do not trust the certificate that ISE is using. Add the root certificate used by ISE on to the printers, so the printers trust the certificate or (not secure and not recommended) configure the printer to not trust the ISE certificate.
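
The trust check behind the accepted solution can be rehearsed offline before a root is loaded on the printers. This is an added example, not part of the original thread: it builds a constructed lab PKI with openssl (all CA and server names are made up) and shows that a server certificate verifies only against the root that signed it, which is the check to run against the exported root and the RADIUS server's EAP certificate.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: every CA name, subject and file name here is made up for
# this example; nothing is taken from the thread's ISE deployment.

# make_ca DIR NAME: create a self-signed root (DIR/NAME.key, DIR/NAME.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_server_cert DIR CA NAME: sign a server certificate NAME with root CA,
# standing in for the certificate the RADIUS server presents during PEAP.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -out "$1/$3.pem" 2>/dev/null
}

# supplicant_would_trust ROOT_PEM SERVER_PEM: exit 0 only if SERVER_PEM chains
# to ROOT_PEM, i.e. the root loaded on the printer is the right one.
supplicant_would_trust() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# root_fingerprint PEM: SHA-256 fingerprint to compare with the printer's UI.
root_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_ca "$d" lab-eap-root && make_ca "$d" lab-other-root &&
  issue_server_cert "$d" lab-eap-root lab-radius-server || return 1
  for root in lab-eap-root lab-other-root; do
    if supplicant_would_trust "$d/$root.pem" "$d/lab-radius-server.pem"; then
      echo "$root: server cert verifies, TLS tunnel can be built"
    else
      echo "$root: server cert NOT trusted, PEAP stops before MS-CHAPv2"
    fi
  done
  echo "fingerprint of root to install: $(root_fingerprint "$d/lab-eap-root.pem")"
  rm -rf "$d"
}
demo
```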


5 Replies

@lnw-team I assume other devices connected to the same switch are authenticating correctly, so we can rule out the switch configuration?

From the switch, run "show authentication session interface x/y/z detail" (replace x/y/z with the actual switchport the printer is connected to).

In the ISE live logs do you see the authentication request come through for the printer? If so which rule does it match? Provide a screenshot.

Hello Rob, 

I did that, it hits the last policy (Default - Deny access). 

@lnw-team OK, well then you need to determine what conditions it does not match, or whether the device failed authentication, or whether your Policy Set's allowed protocols do not permit PEAP/MSCHAPv2, and therefore the request does not match your Policy Set and hits the default policy.

Check the live logs (provide them here if you want us to review).

 

Hello,

Please take a look at the logs from ISE. As you can see, at some point ISE is recognizing the user.


 

 



