Printer does not authenticate through MAB

Joris Deprouw
Level 1

Hi,

We have an issue with our deployment of mab...

We use the global and interface specific configuration below.

3.1. Global commands

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa authorization exec default local if-authenticated
aaa authorization commands 1 default local if-authenticated
aaa authorization commands 15 default local if-authenticated
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxx
radius-server vsa send accounting
radius-server vsa send authentication


3.2. Interface-specific commands

switchport mode access
switchport nonegotiate
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
authentication event fail action authorize vlan 20
authentication event server dead action authorize vlan 11
authentication event no-response action authorize vlan 20
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 3
dot1x max-req 1
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action shutdown
storm-control action trap
no cdp enable
no cdp tlv server-location
no cdp tlv app
spanning-tree portfast


Everything worked fine on our pilot switch, a 3750x (12.2(55)SE3). No problems at all.

Next we moved on to deploying MAB on 3560 switches (12.2(55)SE).

After configuring MAB, we saw that PCs were behaving correctly, but some printers had a strange behaviour. They don't get authorized and the ports go into VLAN 1 (not connected). The NAC Guest Server puts printers in VLAN 10, according to the MAC address it receives. PCs are put in VLAN 11.

After we disable the MAB configuration and just configure "switchport access vlan 10" on the ports connected to a printer, they work fine after a reboot.

This is the result we get on the switch...

switch#sh auth sessions int fa 0/7
           Interface: FastEthernet0/7
         MAC Address: Unknown
          IP Address: Unknown
              Status: Running
              Domain: UNKNOWN
     Security Policy: Should Secure
     Security Status: Unsecure
      Oper host mode: single-host
    Oper control dir: both
     Session timeout: N/A
        Idle timeout: N/A
   Common Session ID: AC1045E40000F0501D6334EF
     Acct Session ID: 0x0000F084
              Handle: 0x6900005E

Runnable methods list:
       Method   State
       mab      Running
       dot1x    Not run

switch#ping 10.1.7.222 (ip printer)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.222, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

switch#sh mac address-table int fa 0/7
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

After configuring the port back to switchport access vlan 10

switch#sh mac address-table int fa 0/7
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    8887.174e.8557    DYNAMIC     Fa0/7
Total Mac Addresses for this criterion: 1
sibhq-la-b0-ra2#

switch#ping 10.1.7.222
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.5.109, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

We have this issue on several switches. I tried removing the port-security and storm-control, but without result.

Can anyone help me?

I've been cracking my head for weeks, but still no solution...

Thanks,

Best Regards,

Joris

5 Replies

Tarik Admani
VIP Alumni

Joris,

Looks like this issue was resolved in a later version of IOS code.

CSCtt37202

If a client switch is authorized using MAC Authentication Bypass (MAB), and then by using the 802.1x standard and dynamic VLAN assignment, the MAC address of the switch is not updated in the MAC address table of slave switches.

The workaround is to not use both the 802.1x and dynamic VLAN assignment configurations for the client switch.

For more information, here are the release notes; it looks like you will have to upgrade the code:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/release/notes/OL23054.html

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello Tarik,

Thanks for your reply.

I forgot to mention that we already did an IOS upgrade on one of the 3560 switches to IOS 12.2(55)SE6, but without result.

The switch has the same behaviour.

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 26    WS-C3560-24PS      12.2(55)SE6           C3560-IPBASEK9-M

Best Regards,

Joris

bikespace
Level 1

Did you find the answer to this problem?

I had a similar problem. It seems that the printer is sitting in a dormant state, not sending any kind of traffic, no ARP, no gratuitous ARP, nothing. So I'm guessing the switch has nothing to base the authorization on.

Initially I changed the switchport setting to:

authentication control-direction in

With this line applied, if I browse to the printer, then presumably the outbound traffic looking for the IP address of the printer results in an ARP response from the printer; the switch gets to see the MAC address on the port and is able to authorize.

All works well.

I'd rather not have that line in there though, and would be neater if the printer automatically comes up.

This is going to be a printer specific thing, but on my particular printer there was a line:

ARP Broadcast Interval (mins): (0 presumably being off)

which I set to 1, and the printer now authorizes without any other intervention.

Now I'm guessing that after 10 months you've probably fixed your problem :-) but I thought I'd post in case anybody can add to this, or suggest similar issues with other more common printers. I've not seen any other problems yet.
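To make the symptom Joris pasted and the silent-printer explanation above checkable across many ports, here is an added example (my own code, not from the thread or from Cisco) that parses the per-interface "show authentication sessions" text and flags sessions where MAB is still Running with no MAC learned. The two sample outputs are constructed, modelled on the session in the original post; the field layout assumed is the 12.2(55)SE format shown there.

```python
import re

# Constructed sample of "show authentication sessions interface ..." output,
# modelled on the stuck printer port in the thread (not a real capture).
STUCK_PORT = """
           Interface: FastEthernet0/7
         MAC Address: Unknown
          IP Address: Unknown
              Status: Running
              Domain: UNKNOWN
    Oper control dir: both
Runnable methods list:
       Method   State
       mab      Running
       dot1x    Not run
"""

# Constructed healthy MAB session on a port with control-direction in.
AUTHZ_PORT = """
           Interface: FastEthernet0/8
         MAC Address: 8887.174e.8557
          IP Address: 10.1.7.222
              Status: Authz Success
              Domain: DATA
    Oper control dir: in
Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):[ \t]+([^\n]+?)[ \t]*$", re.M)
METHOD_RE = re.compile(r"^\s*(mab|dot1x)[ \t]+([^\n]+?)[ \t]*$", re.M)

def parse_session(text):
    """Return the session's 'Field: value' pairs plus a dict of method states."""
    fields = {k.strip(): v for k, v in FIELD_RE.findall(text)}
    fields["methods"] = dict(METHOD_RE.findall(text))
    return fields

def diagnose(text):
    """Classify one session. 'silent-endpoint' means MAB is still Running but
    the switch has never seen a source MAC: the endpoint sent no frames, so
    there is nothing to look up on the RADIUS server (the printer case in the
    thread). 'authorized' means a method succeeded; anything else is 'other'."""
    s = parse_session(text)
    if s.get("MAC Address") == "Unknown" and s["methods"].get("mab") == "Running":
        return "silent-endpoint"
    if s.get("Status", "").startswith("Authz Success"):
        return "authorized"
    return "other"
```

Ports reported as silent-endpoint are the ones where "authentication control-direction in" or a periodic ARP broadcast on the printer, as described above, would give the switch a frame to learn from.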

bikespace, thanks!!!