08-13-2014 01:34 PM - edited 03-10-2019 09:56 PM
Hi all,
I have a few WS-C2960S-48FPS-L running IOS 15.0(2)SE6 (in a stack), and we have devices (cameras, IP phones, printers, etc.) authenticating with MAB.
The issue is only with the HP JetDirect 150x, 300x and 500x print servers.
The HP print servers are authenticated and answer ping requests (working fine), but suddenly the print server stops answering the ping requests. I checked the logging on the switch and I see the trigger event for the print server to stop working.
Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-RELEASE
Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-WAIT
But, if I perform a clear arp on my router, an ARP broadcast is sent to the entire VLAN, and the print server answers the broadcast; after that I see this event in the C2960 logging.
Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
After this event, the print server starts to answer ping requests again, and works fine for exactly 120 sec, then the event "IP-RELEASE/IP-WAIT" happens again and the print server stops.
This is my topology:
Router------>C2960----->Print Server
The interface configuration:
interface GigabitEthernet1/0/2
switchport access vlan XYZ
switchport mode access
switchport nonegotiate
switchport voice vlan ABC
switchport port-security violation protect
power inline never
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
end
I changed some information (like IPs, MACs, VLANs) for security reasons.
Has anybody ever seen an issue like this?
Sorry for my bad English.
Thank you
08-14-2014 02:13 PM
Hmm, that is an interesting one. Let me ask you a few questions:
1. Does the issue occur if you remove dot1x from the port? To test this you just have to issue "no authentication port-control auto". You can leave the rest of the commands.
2. Are you returning an ACL with the authorization profile
3. When the issue occurs issue "show authentication session interface interface_name_number"
4. Can you post the rest of the related switch configs (AAA, Radius, DHCP Snooping, etc)
5. I would get rid of the "switchport port-security violation protect" command. I try not to configure standard port-security and dot1x on a port/switch.
Thank you for rating helpful posts!
08-15-2014 08:24 AM
Hi Neno,
1. Does the issue occur if you remove dot1x from the port? To test this you just have to issue "no authentication port-control auto" You can leave the rest of the commands
If I remove all the authentication configuration from the port, the print server works fine.
2. Are you returning an ACL with the authorization profile
Yes, but it is a permit ip any any.
3. When the issue occurs issue "show authentication session interface interface_name_number"
F220-1A#sh authentication sessions int gigabitEthernet 1/0/2
Interface: GigabitEthernet1/0/2
MAC Address: aaaa.bbbb.cccc
IP Address: 10.xx.yy.zz
User-Name: aaaa.bbbb.cccc
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Vlan Policy: N/A
Per-User ACL: permit ip any any
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A08FC32000057E79C285797
Acct Session ID: 0x000087A2
Handle: 0x40000A5E
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
4. Can you post the rest of the related switch configs (AAA, Radius, DHCP Snooping, etc)
No DHCP Snooping is configured in the switch.
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
ip radius source-interface VlanABCD
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server host A.B.C.D auth-port 1812 acct-port 1813 key 7 ABDCEFG
radius-server vsa send authentication
5. I would get rid of the "switchport port-security violation protect" command. I try not to configure standard port-security and dot1x on a port/switch.
I don't use the "switchport port-security violation protect" command; I inserted it only to do a test. I forgot to remove this command before posting the configuration here.
08-15-2014 08:33 AM
Hi Neno,
I think there is something related to the "ip device tracking".
The event "IP-RELEASE/WAIT" happens every 2 min, then the printer stops working.
So, I executed the command "clear ip device tracking int gi 1/0/2" and the event "IP-RELEASE/WAIT" happens.
Is there any "ip device tracking" default configuration where it tries to clear the information from the "ip device tracking" table every 2 min?
I'm looking at the 802.1x and "ip device tracking" documentation from Cisco, but until now I don't see anything to explain this behavior.
Thank You
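The symptom above is a strictly periodic IP-ASSIGNMENT to IP-RELEASE cycle on one MAC. The following Python is an added example (not code from the thread or from Cisco) that parses %EPM-6-IPEVENT syslog lines in the format shown earlier and flags MACs whose authorized window keeps ending at roughly the same interval, so a switch log can be checked for this pattern across many endpoints instead of by eye. The sample log lines, IPs, MACs and session IDs are constructed for the example; the 120 s period and the 5 s tolerance are assumptions taken from the behaviour described in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the %EPM-6-IPEVENT line layout quoted in the thread:
# "<Mon DD HH:MM:SS> <TZ>: %EPM-6-IPEVENT: IP x| MAC y| AuditSessionID z| AUTHTYPE t| EVENT e"
EPM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+:\s+"
    r"%EPM-6-IPEVENT:\s+IP\s+(?P<ip>\S+)\|\s*MAC\s+(?P<mac>\S+)\|\s*"
    r"AuditSessionID\s+(?P<sid>\S+)\|\s*AUTHTYPE\s+(?P<authtype>\S+)\|\s*"
    r"EVENT\s+(?P<event>\S+)\s*$"
)


def parse_epm_event(line):
    """Return the fields of one EPM IPEVENT line as a dict, or None for any other line."""
    m = EPM_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # Syslog stamps carry no year; only the differences between stamps are used below.
    fields["time"] = datetime.strptime(fields["ts"], "%b %d %H:%M:%S")
    return fields


def authorized_durations(lines):
    """Per MAC, the seconds between each IP-ASSIGNMENT and the next IP-RELEASE."""
    last_assign = {}
    durations = defaultdict(list)
    for line in lines:
        ev = parse_epm_event(line)
        if ev is None:
            continue
        if ev["event"] == "IP-ASSIGNMENT":
            last_assign[ev["mac"]] = ev["time"]
        elif ev["event"] == "IP-RELEASE" and ev["mac"] in last_assign:
            delta = (ev["time"] - last_assign.pop(ev["mac"])).total_seconds()
            durations[ev["mac"]].append(delta)
    return dict(durations)


def find_flapping(lines, period=120, tolerance=5, min_cycles=2):
    """MACs whose ASSIGNMENT->RELEASE gaps repeat at roughly `period` seconds (assumed default 120 s)."""
    flapping = {}
    for mac, gaps in authorized_durations(lines).items():
        periodic = [g for g in gaps if abs(g - period) <= tolerance]
        if len(periodic) >= min_cycles:
            flapping[mac] = periodic
    return flapping


# Constructed sample log: one print server cycling every 120 s, one healthy phone, one unrelated line.
SAMPLE_LOG = [
    "Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.1.2.3| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-RELEASE",
    "Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.1.2.3| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-WAIT",
    "Aug 13 16:17:40 BRT: %EPM-6-IPEVENT: IP 10.1.2.3| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT",
    "Aug 13 16:19:40 BRT: %EPM-6-IPEVENT: IP 10.1.2.3| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-RELEASE",
    "Aug 13 16:19:40 BRT: %EPM-6-IPEVENT: IP 10.1.2.3| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-WAIT",
    "Aug 13 16:19:46 BRT: %EPM-6-IPEVENT: IP 10.1.2.3| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT",
    "Aug 13 16:21:46 BRT: %EPM-6-IPEVENT: IP 10.1.2.3| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-RELEASE",
    "Aug 13 16:18:02 BRT: %EPM-6-IPEVENT: IP 10.1.2.9| MAC dddd.eeee.ffff| AuditSessionID 0A08FC3200001A4A3E5F3F00| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT",
    "Aug 13 16:18:10 BRT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up",
]

if __name__ == "__main__":
    for mac, gaps in find_flapping(SAMPLE_LOG).items():
        print(f"{mac}: authorized window ended after {gaps} s, {len(gaps)} times")
```

Run against a "show logging" capture, the output lists each MAC that keeps losing its device-tracking entry on a fixed timer, which separates a device-tracking or probe-timer problem from an endpoint that simply went away once. The first IP-RELEASE in the sample is ignored because no IP-ASSIGNMENT precedes it in the capture.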
08-18-2014 09:02 PM
Can you:
1. Post the whole switch config
2. Use the "Evaluate Configuration Validator" located under "Operations > Diagnostic Tools". It is not 100% accurate, but it will tell you if you are missing some commands.
Overall though, things look ok so my guess is that you are running into some incompatibility with that printer/printer OS and dot1x. I have had this happen to me before with some devices.
Thank you for rating helpful posts!
03-17-2015 04:58 PM
Were you able to find a resolution for this? I have a customer with the same issue, however, it's with a few Cisco IP Phones and encryption devices. The devices get authorized, the correct dACL is applied to the port, but then a few minutes later, the devices release the IP address and the process starts all over again.
The logs show "EVENT IP-RELEASE" then "EVENT IP-WAIT"
Thanks,
Steve
03-18-2015 08:11 AM
Hi Steve,
The only workaround I found for this issue was to change the configuration on those ports from "authentication host-mode multi-auth" to "authentication host-mode single-host". I did this only on the ports where I have these print servers.
But when you change the host-mode to single-host, only one device can be authenticated. In your case that can be a problem because of PCs and IP phones on the same ports.
Another configuration I tried, which worked in a few cases, was adding the command "authentication control-direction in".
Best Regards