Help with MAB for print servers HP Jetdirect

lucas Maciel
Level 1

Hi all,

I have a few WS-C2960S-48FPS-L running IOS 15.0(2)SE6 (in a stack), and we have devices (cameras, IP phones, printers, etc.) authenticating with MAB.

The issue is only with the HP JetDirect 150x, 300x and 500x print servers.

The HP print servers are authenticated and answer ping requests (working fine), but suddenly the print server stops answering ping requests. I checked the logging on the switch and I see the trigger event for the print server stopping work.

Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-RELEASE
Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-WAIT

But if I perform a clear arp on my router, an ARP broadcast is sent to the entire VLAN and the print server answers the broadcast; after that I see this event in the C2960 logging.

Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT

After this event, the print server starts answering ping requests again and works fine for exactly 120 seconds, then the "IP-RELEASE/IP-WAIT" event happens again and the print server stops.

This is my topology:

Router------>C2960----->Print Server

The interface configuration:

interface GigabitEthernet1/0/2
 switchport access vlan XYZ
 switchport mode access
 switchport nonegotiate
 switchport voice vlan ABC
 switchport port-security violation protect
 power inline never
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end

I changed some information (IPs, MACs, VLANs) for security reasons.

Has anybody ever seen an issue like this?

Sorry for my bad English.

Thank you

6 Replies

nspasov
Cisco Employee

Hmm, that is an interesting one. Let me ask you a few questions:

1. Does the issue occur if you remove dot1x from the port? To test this you just have to issue "no authentication port-control auto". You can leave the rest of the commands.

2. Are you returning an ACL with the authorization profile?

3. When the issue occurs, issue "show authentication session interface interface_name_number"

4. Can you post the rest of the related switch configs (AAA, RADIUS, DHCP snooping, etc.)?

5. I would get rid of the "switchport port-security violation protect" command. I try not to configure standard port-security and dot1x on a port/switch.

Thank you for rating helpful posts!

Hi Neno,

1. Does the issue occur if you remove dot1x from the port? To test this you just have to issue "no authentication port-control auto". You can leave the rest of the commands.

If I remove all the authentication configuration from the port, the printer works fine.

2. Are you returning an ACL with the authorization profile?

Yes, but it is a permit ip any any.

3. When the issue occurs, issue "show authentication session interface interface_name_number"

F220-1A#sh authentication sessions int gigabitEthernet 1/0/2
            Interface:  GigabitEthernet1/0/2
          MAC Address:  aaaa.bbbb.cccc
           IP Address:  10.xx.yy.zz
            User-Name:  aaaa.bbbb.cccc
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
         Per-User ACL:  permit ip any any
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A08FC32000057E79C285797
      Acct Session ID:  0x000087A2
               Handle:  0x40000A5E

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

4. Can you post the rest of the related switch configs (AAA, RADIUS, DHCP snooping, etc.)?

No DHCP snooping is configured on the switch.

aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common

ip radius source-interface VlanABCD
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server host A.B.C.D auth-port 1812 acct-port 1813 key 7 ABDCEFG
radius-server vsa send authentication

5. I would get rid of the "switchport port-security violation protect" command. I try not to configure standard port-security and dot1x on a port/switch.

I don't use the "switchport port-security violation protect" command; I inserted it only to do a test. I forgot to remove it before posting the configuration here.

Hi Neno,

I think there is something related to "ip device tracking".

The "IP-RELEASE/WAIT" event happens every 2 min, then the printer stops working.

So, I executed the command "clear ip device tracking int gi 1/0/2" and the "IP-RELEASE/WAIT" event happens.

Is there any "ip device tracking" default configuration where it tries to clear the information from the "ip device tracking" table every 2 min?

I'm looking at the 802.1X and "ip device tracking" documentation from Cisco, but until now I don't see anything that explains this behavior.

 

Thank You
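
A way to confirm the 2-minute cycle from the switch syslog instead of by watching pings, as an added example (not part of this thread's replies, and not HP or Cisco code): the script below parses %EPM-6-IPEVENT lines in the format quoted in the original post, pairs each IP-ASSIGNMENT with the IP-RELEASE that follows it per MAC, and reports hosts whose binding is dropped on a regular period. The sample log lines are constructed for the example (IPs, MACs and times are made up, the MAC values copy the anonymised ones from the post), and the timestamp layout assumes "service timestamps log datetime" with a timezone token; anything the switch prefixes before the date (sequence numbers, "*") is skipped because the pattern is searched rather than anchored.

```python
"""Detect MAB/802.1X sessions whose IP binding is dropped and re-learned on a fixed cycle.

Added example for this thread, not code from Cisco, HP or the posters. It parses
%EPM-6-IPEVENT syslog lines in the format quoted in the original post.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Field layout taken from the lines quoted in the post. The leading timestamp is assumed
# to be "Mon DD HH:MM:SS[.mmm] TZ:"; anything before it is ignored because we search.
EPM_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)? \S+: "
    r"%EPM-6-IPEVENT: IP (?P<ip>\S+)\| MAC (?P<mac>\S+)\| "
    r"AuditSessionID (?P<sid>\S+)\| AUTHTYPE (?P<auth>\S+)\| EVENT (?P<event>\S+)"
)

# Constructed sample log (not a real capture): one print server cycling as the post
# describes (up for 120 s, IP-RELEASE/IP-WAIT, re-learned 6 s later) and one healthy host.
SAMPLE_LOG = """\
Aug 13 16:13:34 BRT: %EPM-6-IPEVENT: IP 10.0.0.5| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Aug 13 16:14:00 BRT: %EPM-6-IPEVENT: IP 10.0.0.9| MAC dddd.eeee.ffff| AuditSessionID 0A08FC3200001A4A3E5F3F00| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Aug 13 16:15:34 BRT: %EPM-6-IPEVENT: IP 10.0.0.5| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-RELEASE
Aug 13 16:15:34 BRT: %EPM-6-IPEVENT: IP 10.0.0.5| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-WAIT
Aug 13 16:15:40 BRT: %EPM-6-IPEVENT: IP 10.0.0.5| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Aug 13 16:17:40 BRT: %EPM-6-IPEVENT: IP 10.0.0.5| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-RELEASE
Aug 13 16:17:40 BRT: %EPM-6-IPEVENT: IP 10.0.0.5| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-WAIT
Aug 13 16:17:46 BRT: %EPM-6-IPEVENT: IP 10.0.0.5| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Aug 13 16:19:46 BRT: %EPM-6-IPEVENT: IP 10.0.0.5| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-RELEASE
Aug 13 16:19:46 BRT: %EPM-6-IPEVENT: IP 10.0.0.5| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-WAIT
"""


def parse_epm_events(text):
    """Return the EPM IP events in the log as dicts, sorted by timestamp (stable order)."""
    events = []
    for line in text.splitlines():
        m = EPM_RE.search(line)
        if not m:
            continue  # not an EPM IP event, or a line layout this parser does not know
        # No year in IOS timestamps: strptime defaults to 1900, which is fine for deltas.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "mac": m["mac"],
                       "sid": m["sid"], "event": m["event"]})
    events.sort(key=lambda e: e["ts"])
    return events


def find_cycling_sessions(events, min_cycles=2, tolerance_s=10):
    """Return {mac: summary} for hosts whose binding goes IP-ASSIGNMENT -> IP-RELEASE repeatedly.

    hold_s   = seconds the binding stayed up before each release (the post reports 120 s)
    period_s = seconds between consecutive releases
    regular  = True when the release spacing varies by no more than tolerance_s
    """
    by_mac = defaultdict(list)
    for e in events:
        by_mac[e["mac"]].append(e)

    result = {}
    for mac, evs in by_mac.items():
        holds, releases = [], []
        last_assign = None
        for e in evs:
            if e["event"] == "IP-ASSIGNMENT":
                last_assign = e["ts"]
            elif e["event"] == "IP-RELEASE":
                releases.append(e["ts"])
                if last_assign is not None:
                    holds.append((e["ts"] - last_assign).total_seconds())
                    last_assign = None
            # IP-WAIT only says the switch is waiting to re-learn the address; ignored here.
        if len(releases) < min_cycles:
            continue
        periods = [(b - a).total_seconds() for a, b in zip(releases, releases[1:])]
        result[mac] = {
            "ip": evs[-1]["ip"],
            "releases": len(releases),
            "hold_s": round(mean(holds)) if holds else None,
            "period_s": round(mean(periods)) if periods else None,
            "regular": not periods or (max(periods) - min(periods)) <= tolerance_s,
        }
    return result


if __name__ == "__main__":
    for mac, s in find_cycling_sessions(parse_epm_events(SAMPLE_LOG)).items():
        print(f"{mac} {s['ip']}: {s['releases']} releases, up ~{s['hold_s']}s per cycle, "
              f"one every ~{s['period_s']}s, regular={s['regular']}")
```

On the sample this flags only aaaa.bbbb.cccc, up for about 120 s per cycle with a release every 126 s, and leaves the healthy host alone. Run it against the switch's syslog export (or the output of "show logging") to see whether every affected port shows the same fixed hold time; a constant value that survives a port flap points at a timer on the switch side such as the device-tracking probe, whereas varying values point at the end device. "show ip device tracking all" on the switch shows the current tracking state per interface for comparison.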

Can you:

1. Post the whole switch config

2. Use the "Evaluate Configuration Validator" located under "Operations > Diagnostic Tools". It is not 100% accurate, but it will tell you if you are missing some commands.

Overall though, things look OK, so my guess is that you are running into some incompatibility with that printer/printer OS and dot1x. I have had this happen to me before with some devices.

Thank you for rating helpful posts!

Steve Sewa
Level 1

Were you able to find a resolution for this?  I have a customer with the same issue, however, it's with a few Cisco IP Phones and encryption devices.  The devices get authorized, the correct dACL is applied to the port, but then a few minutes later, the devices release the IP address and the process starts all over again.

The logs show "EVENT IP-RELEASE" then "EVENT IP-WAIT".

Thanks,

Steve

Hi Steve,

The only workaround I found for this issue was changing the configuration on those ports from "authentication host-mode multi-auth" to "authentication host-mode single-host". I did this only on the ports where I have these print servers.

But when you change the host-mode to single-host, only one device can be authenticated. In your case this can be a problem because of PCs and IP phones on the same ports.

Another configuration I tried, which worked in a few cases, was adding the command "authentication control-direction in".

Best Regards