10-20-2023 12:42 AM
Hello,
We have twelve network printers in our remote location. We've recently enabled dot1x authentication on a switch. In order to limit the number of unprotected ports, we would also like to enable authentication on network printers. Since using certificates creates a lot of administrative overhead (local IT guys would have to generate CSRs, and certificates are valid only for a limited period of time), we've come to the conclusion that PEAP/MS-CHAPv2 would be the most appropriate authentication method. The following policy has been created on Cisco ISE:
Network Access·EapAuthentication equals EAP-MS-CHAPv2
Network Access Network Device Name starts with xxxxxxx
Identity group is external AD group
Unfortunately I do not see any hit counts; the policy is failing. Obviously, the account is added to the AD group, and the right authentication method and credentials are set up in the administrative panel of the printer. In my opinion the issue can be on the end device, as previously we were having such an issue on the wireless network (two iPhones were able to authenticate via PEAP, my Samsung Android device was working fine, but the problem was with another Android device).
10-24-2023 05:08 AM
@lnw-team the clients do not trust the certificate that ISE is using. Add the root certificate used by ISE onto the printers, so the printers trust the certificate, or (not secure and not recommended) configure the printer to not trust the ISE certificate.
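The accepted answer comes down to a chain-of-trust check: the printer, as the 802.1X supplicant, must be able to build a path from the EAP server certificate ISE presents to a root it has installed. The script below is an added example (not code from the thread or from Cisco) that reproduces that check with openssl: it builds a throwaway root CA, signs a stand-in "ISE" server certificate with it, and also creates an unrelated self-signed certificate that represents any other RADIUS server. `Example Root CA`, `ise.example.test` and `rogue.example.test` are constructed placeholder names; in practice you would run `server_cert_trusted` against the root you intend to push to the printers and the certificate ISE actually serves for EAP.

```shell
#!/bin/sh
# Added example, not from the thread: emulate the server-certificate
# validation a PEAP supplicant (here, a printer) performs once the
# ISE root CA has been installed on it. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a test PKI: a self-signed root, a server cert signed by that root
# (stand-in for the ISE EAP certificate), and an unrelated self-signed
# cert (stand-in for a RADIUS server the printer should not talk to).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ise.example.test" \
        -keyout "$WORK/ise.key" -out "$WORK/ise.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/ise.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/ise.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=rogue.example.test" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1
}

# Return 0 when the server certificate chains to the given root, 1 otherwise.
# This is exactly the decision the printer makes during the PEAP outer TLS
# handshake when server validation is enabled.
server_cert_trusted() {
    root="$1"; server="$2"
    openssl verify -CAfile "$root" "$server" >/dev/null 2>&1
}

# Print a certificate's issuer or subject in RFC 2253 form (prefix stripped),
# so the issuer of the server cert can be compared with the root's subject.
cert_issuer() {
    openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*=//'
}
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*=//'
}

# Demonstration run.
make_test_pki
if server_cert_trusted "$WORK/root.pem" "$WORK/ise.pem"; then
    echo "ise.pem chains to root.pem: a printer trusting this root accepts the server"
fi
if ! server_cert_trusted "$WORK/root.pem" "$WORK/rogue.pem"; then
    echo "rogue.pem does not chain to root.pem: the printer rejects it"
fi
echo "server issuer : $(cert_issuer "$WORK/ise.pem")"
echo "root subject  : $(cert_subject "$WORK/root.pem")"
```

The second branch is the reason the answer calls the "do not trust" option insecure: with server validation disabled, the supplicant would complete the outer TLS handshake with whatever certificate it is shown and then run MS-CHAPv2 inside it, so the inner credentials are only as safe as the requirement that the outer certificate chain to a root the printer knows. Installing the root, as recommended, is what makes `server_cert_trusted` return success for the genuine ISE certificate and failure for anything else.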
10-20-2023 01:29 AM
@lnw-team I assume other devices connected to the same switch are authenticating correctly, so we can rule out the switch configuration?
From the switch run "show authentication session interface x/y/z detail" (replace x/y/z with the actual switchport the printer is connected to).
In the ISE live logs do you see the authentication request come through for the printer? If so which rule does it match? Provide a screenshot.
10-20-2023 01:46 AM
Hello Rob,
I did that, it hits the last policy (Default - Deny access).
10-20-2023 01:53 AM - edited 10-20-2023 02:19 AM
@lnw-team ok, well then you need to determine which conditions it does not match, or whether the device failed authentication, or whether your Policy Set's allowed protocols do not permit PEAP/MSCHAPv2; in that case the request does not match your Policy Set and hits the default policy.
Check the live logs (provide them here if you want us to review).
10-24-2023 05:00 AM
Hello,
Please take a look at the logs from ISE. As you can see, at some point ISE is recognizing the user.