Dear community,
I connected the Printer to the switch port, ISE reads its MAC via Probing. I assigned a static group that I created named "Printers" to that MAC, and created a rule with AuthC(if MAB) and AuthZ(if MAB and if part of the Printers static group), to allow access to Printers VLAN. However, what I noticed is that the Printer gets AuthC successfull, and in "show auth session int f0/2" I see MAB authenticated successful. However, AuthZ shows Failed.
In Logs, I see the printer going in the rule of AuthZ for printers and it tells successfully Authorized, however, the printer does not get communication with the network that is allowed in that VLAN. And also in switch the show Auth Session also shows AuthZ failed.
So my question is: what is the best practice to configure the Printers to allow access to the network via MAB, whilst integrating with Cisco ISE?
All blogs tell to just configure MAB and that is all, but sounds that am missing something in the end to end process of AuthC and AuthZ for printers!
Please find the switch port config for Printers, which is a practice for all other ports:
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 15
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Here the port fails to MAB, and it authenticated with MAB, however, AuthZ fails. The session finds the Domain, MAC, and IP.
Looking forward to hearing from you.
Thank you,
Laura
