Cisco ISE and authentication for 802.1x printer

Marco Serato
Level 1

Hello

What is the best practice to authenticate an 802.1x printer in Cisco ISE?

The printer can store a certificate for authentication and support EAP-TLS.

Thanks for answer.

Marco


Saurav Lodh
Level 7

Please refer to authentication policies

 www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_auth_pol.html#pgfId-1146222

kaaftab
Level 4

Well, use MAB for printers.

Hi,

I use certificates (EAP-TLS) to authenticate Sharp printers. It seems to work. I haven't heard anything else from the printer guys.

 

/Philip

Venkatesh Attuluri
Cisco Employee


ISE Deployment Best Practices

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=4381

nspasov
Cisco Employee

EAP-TLS is the way to go. It is way way way more secure than MAB and profiling. However, the question is "How much of a hassle is it going to be to put a certificate on each printer?" Moreover, "What methods do I have (if any) to renew those certificates when they expire?" If you have to manually generate a CSR and install a cert on each printer, then it can quickly become an administrative overhead nightmare. With that being said, you can use MAB and profiling but just make sure that you lock down the access that those printers get. For instance, do they need access to the internet? Do they need access to anything else but the print server and/or open to all IPs access but only on the printing ports?

I hope this puts you in the right direction!

 

Thank you for rating helpful posts!

I agree with Neno, I would suggest MAB with a limited authorization result, only what the printers need to access in the network
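
The limited authorization result suggested in the replies above, sketched as an added example (not from the thread or from Cisco documentation): two alternative downloadable ACL bodies in IOS extended-ACL syntax for a MAB-authenticated printer, one per option named above. The addresses 192.0.2.10 (print server) and 192.0.2.53 (DNS server) are constructed placeholders, and the ports 9100, 515 and 631 (raw, LPD, IPP) are assumed to be the printing protocols in use.

```text
remark Option A: printer may reach the print server only
remark (source "any" stands for the printer on the authenticated port)
permit udp any eq bootpc any eq bootps
permit udp any host 192.0.2.53 eq domain
permit ip any host 192.0.2.10
deny ip any any

remark Option B: any client may print, but only on the printing ports
remark (stateless match on the printer's replies from its listening ports)
permit udp any eq bootpc any eq bootps
permit udp any host 192.0.2.53 eq domain
permit tcp any eq 9100 any
permit tcp any eq 515 any
permit tcp any eq 631 any
deny ip any any
```

Because MAB trusts a MAC address that can be copied, the final `deny ip any any` is what bounds the exposure if another device presents the printer's MAC. Option A is the tighter of the two, since Option B still lets the port send TCP to any address as long as the source port is a printing port.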