04-27-2016 11:33 PM
Hi
I'm setting up a 2960S (WWS-C2960S-48FPS-L) with IOS image 152-2.E4 for ISE-based wired authentication. I have all the global commands in place, my RADIUS server (ISE 2.0) is reachable, and the RADIUS shared secret is verified at both ends. dot1x or MAB authentication on a PC works fine, but I'm stuck with problems with an HP printer. Here is my port config in closed mode. As I said, it works fine with a PC (MAB and dot1x); with the printer it doesn't.
interface GigabitEthernet1/0/13
switchport access vlan 5
switchport mode access
ip device tracking maximum 3
authentication event fail action next-method
authentication event server dead action reinitialize vlan 5
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer restart 10
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 1
I get:
sh authentication sessions interface gigabitEthernet 1/0/13
No Auth Manager contexts match supplied criteria
and NO messages in debug aaa or debug radius, nor in the ISE RADIUS Live Log; just nothing.
BUT if I configure the port in OPEN or Low-Impact mode by adding this:
authentication open
ip access-group ACL-PREISE in
Extended IP access list ACL-PREISE
10 deny ip any any
Voila, we have a session. It works as it should.
sh auth session interface gigabitEthernet 1/0/13 details
Interface: GigabitEthernet1/0/13
MAC Address: x.x.x.x
IPv6 Address: Unknown
IPv4 Address: 10.x.x.x.x
User-Name: <MAC>
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 1059s
Common Session ID: 0A6401090000004C0905C7D2
Acct Session ID: 0x00000060
Handle: 0xD500002E
Current Policy: POLICY_Gi1/0/13
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Vlan: 5
ACS ACL: xACSACLx-IP-WIRED-INSIDE-56c57a49
Method status list:
Method State
mab Authc Success
Am I missing something obvious or hitting a bug? I thought I'd ask here before opening a TAC case.
04-28-2016 10:00 PM
MAB requires traffic from the endpoint to work. Typically, devices without an IP address will request one, which triggers MAB. For static-IP devices it may be a long wait until the printer sends a packet to the network. With that in mind, the result depends on how you are testing the printers. An interesting fact about many printers, including HP printers, is that they do not renew their IP on interface link up/down. This is the case whether the printer is using DHCP or a static IP. So when testing printers, always power-cycle the device or you will be waiting for a long time.
The 'authentication control-direction in' command will often expedite the process, as it makes it possible for the printer to respond to broadcasts and print requests. If you want to see 'authentication control-direction in' in action, simply send a directed broadcast (ping x.x.x.255, assuming the router allows it) to the VLAN 5 subnet and you will notice that MAB happens immediately for the printer.
Hosuk
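As a worked example that is not part of any post in this thread: a closed-mode port config that applies the advice above, with the verification steps that follow a power cycle of the printer. The interface, VLAN 5 and the general shape of the port config are taken from the original poster's config; the description text, the 'authentication control-direction in' line, the extra best-practice lines, and the VLAN 5 broadcast address placeholder are assumptions added for illustration.

```text
! Added example (not the poster's final config): closed-mode access port
! for a MAB-only endpoint such as a printer.
interface GigabitEthernet1/0/13
 description PRINTER (Multi-Auth, Closed Mode)
 switchport mode access
 switchport access vlan 5
 ip device tracking maximum 3
 ! Closed mode: no 'authentication open' and no pre-auth ACL, so nothing from
 ! the endpoint is forwarded until the session is authorized. The endpoint
 ! must therefore send a frame on its own to trigger MAB.
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 5
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 ! Control only the inbound direction: traffic from the network (ARP, a
 ! directed broadcast, a print job) can still reach the unauthenticated
 ! printer, and its reply is the frame that triggers MAB.
 authentication control-direction in
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 10
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
 spanning-tree portfast

! Verification, from privileged EXEC, after power-cycling the printer
! (a link flap alone does not make many HP printers send anything):
show authentication sessions interface gigabitEthernet 1/0/13 details
! Expected: Status "Authorized", Method "mab" in state "Authc Success",
! and an ISE RADIUS Live Log entry for the printer's MAC.
show mab interface gigabitEthernet 1/0/13 detail
! If there is still no session, provoke the printer from the network side:
! from a router that permits directed broadcasts, ping the VLAN 5 broadcast
! address (written here as a placeholder, since the thread redacts it):
!   ping <VLAN5-BROADCAST-ADDRESS>
! then re-run the 'show authentication sessions' command above. With
! 'authentication control-direction in' the ping reaches the printer, its
! reply is the first inbound frame, and MAB starts at once.
! To watch that happen: debug mab all (turn it off with 'undebug all').
```

The two knobs that matter here are the power cycle (so the printer actually transmits) and 'authentication control-direction in' (so something from the network can make it transmit); the rest of the port config is the poster's closed-mode setup plus the reauthentication and portfast lines from the Universal Switch Configuration quoted later in the thread.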
04-28-2016 09:11 AM
Maxim, I highly recommend that you read our best practices for 802.1X switch configuration in the ISE Design Guide HowTo: Universal Switch Config. It explains all of the individual commands, best practice settings and why you need authentication open.
This is our best practice Universal Switch Configuration for Low-Impact (change VLANs per your deployment!):
description ACCESS (Multi-Auth w/ Low-Impact Mode)
switchport mode access
switchport access vlan 10
switchport voice vlan 11
ip access-group ACL-DEFAULT in
authentication open
authentication event fail action next-method
authentication event server dead action reinitialize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
mab
authentication violation restrict
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
dot1x timeout tx-period 10
spanning-tree portfast
authentication port-control auto
We do not recommend a default port ACL of only "deny ip any any", since this will explicitly block basic network services like DHCP and DNS, which are required for most endpoints to be profiled or URL-redirected to ISE for additional profiling, Guest Services or Device Registration.
04-28-2016 08:39 PM
Thanks for your answer. You are talking about Low-Impact Mode. We want to use Closed mode.
As I said, my switch port config works normally with a Windows PC via MAB or dot1x. I know about the default pre-auth ACL in Low-Impact mode; I just wanted to demonstrate that using an ACL with "deny ip any any" does the trick: the printer is authorized via MAB. Now I have a problem only with the printer.
I've tried the authentication control-direction in command in closed mode from the docs you showed me. No luck...
04-29-2016 05:09 AM
Thanks for your answer.
I was thinking about that too. I will try powering the printer off and on. I will let you know the result.
05-10-2016 12:11 AM
I have checked this supposition and I can tell you that you were right! Switching the power off and on resolved my problem. The printer is authenticated via MAB in closed mode. Many thanks.
04-03-2023 06:42 AM
Hi Thomas, how can I access the how to guide?
Thanks.