05-02-2022 12:12 AM
Hello,
Not sure if this is the right place to post, but anyways.
We have a fair amount of Sharp printers on our network. All are connected to the network on ISE IBNS 2.0 and simultaneous dot1x+MAB is enabled on all ports, and the printers are authenticating with MAB just fine.
On all the switches with Sharp printers I do however see a lot of "Authentication failed" messages in the log.
All coming from this strange mac beginning with 20:00:ff:11
When i do a "sh mac add" or "sh access-session" only the real mac of the printer is shown on the connected interface.
The MACs do however appear in ISE as failed endpoints. As a workaround to not have ISE filled up I have a purge rule that deletes the MACs every night.
My initial thought is that the Sharp printers have some network protocol running that generates random MACs, but I can't seem to find anything on the printer.
They are all the same model, MX-5140N.
The switches are all 2960X
I would like to know if anyone has seen something similar to this.
Thanks in advance
Janne
05-02-2022 09:11 AM
Could be, do they run a tablet/android based GUI system? I've also seen some switch bugs cause strangeness like this; SVI MAC addresses showing up on access ports for example. What is your switch code? Also, technically simultaneous auth isn't supported by ISE.
05-02-2022 01:48 PM
That MAC address OUI prefix doesn't conform to a randomised (locally administered) address.
Have you tried running a tcpdump on ISE to try to capture a RADIUS request from such an event?
Why are you using simultaneous MAB/802.1X - it's kind of ugly because you will always have 50% failures in ISE. In some cases where you have uncooperative endpoints you may need this - but for the most part you could try to do MAB first, then 802.1X (for most fussy non 802.1X devices to play ball).
Lastly - why do you see so many MAB events? You could try to not set a session timeout for those printers - then they would not auth again - rather rely on RADIUS accounting (interim 2880 minutes) to keep the session alive.
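The reply above points out that a 20:00:ff:11 prefix is not what a randomised (locally administered) address looks like. The check behind that statement is the U/L bit (0x02) and the I/G bit (0x01) of the first octet. The following Python is an added example, not code from the thread or from Cisco; the trailing bytes after the 20:00:ff:11 prefix and the other sample addresses are constructed placeholders, and the helper that groups a list of failed-endpoint MACs by OUI assumes you have already exported such a list from ISE.

```python
# Added example: classify MAC addresses from failed-auth events by I/G and U/L bits
# and group them by OUI, so a consistent vendor-style prefix can be told apart
# from randomised (locally administered) addresses.
import re
from collections import Counter


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Cisco 'aabb.ccdd.eeff'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def classify_mac(mac: str) -> dict:
    """Return the OUI and the two flag bits that live in the first octet."""
    b = parse_mac(mac)
    first = b[0]
    return {
        "oui": b[:3].hex(":"),
        # I/G bit: set on multicast/group addresses (never valid as a source).
        "multicast": bool(first & 0x01),
        # U/L bit: set on locally administered (e.g. randomised) addresses.
        "locally_administered": bool(first & 0x02),
    }


def summarize_failed(macs: list) -> dict:
    """Group failed-endpoint MACs by OUI; a single dominant, universally
    administered OUI points at a vendor protocol rather than random addresses."""
    by_oui = Counter()
    local = 0
    for m in macs:
        info = classify_mac(m)
        by_oui[info["oui"]] += 1
        if info["locally_administered"]:
            local += 1
    return {"by_oui": dict(by_oui), "locally_administered": local, "total": len(macs)}


# Constructed sample: the 20:00:ff:11 prefix from the thread with placeholder
# low bytes, plus one randomised-style address for contrast.
SAMPLE_FAILED = [
    "20:00:ff:11:00:01",   # placeholder low bytes
    "20:00:ff:11:00:02",   # placeholder low bytes
    "2000.ff11.0003",      # same prefix, Cisco notation, placeholder low bytes
    "da:a1:19:00:00:01",   # constructed locally administered address (0xda & 0x02 set)
]

if __name__ == "__main__":
    for m in SAMPLE_FAILED:
        print(m, classify_mac(m))
    print(summarize_failed(SAMPLE_FAILED))
```

Running it on the constructed list shows that the 20:00:ff addresses have neither the multicast nor the locally administered bit set, i.e. they look like a fixed, universally administered prefix, which is the reason a packet capture is the natural next step for identifying what is sending them.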
05-03-2022 04:18 AM
@ahollifield I'm not sure what kind of OS the GUI is running on, but the printers do have a touch screen integrated.
What do you mean by switch code? The port config is attached.
@Arne Bier I have not tried running a tcp dump yet, will do that as soon as I got the spare time.
The reason for simultaneous MAB/802.1X is that we encounter problems with legacy devices and other MAB-only devices that don't receive an IP because 802.1X takes too long to time out, and by the time MAB is tried the device has already got an APIPA address and won't try again.
We tried playing with the dot1x timers, but it was very unstable and generated a lot of unnecessary work for us with getting users to restart endpoints etc.
Also we want a config that fits all to make deployment etc. more streamlined.
I'm not sure why I see that many events. The thing is, the actual MAC address of the printer only requests once and is accepted,
but the 20:00:ff:11 MACs only continue to get rejected.
05-03-2022 07:57 AM
Software version on the 2960X
05-06-2022 12:09 AM
We are running 15.2(2)E9 on our 2960X.
11-04-2024 09:05 AM
I have this same issue where MACs on trunk ports will suddenly appear on the port that the HPE printer is connected to, and then I can't reach the GW SVI. The printer 802.1x is disabled. I use 802.1x on the switch authenticating with Aruba ClearPass.
11-04-2024 11:39 AM
I get your point about simultaneous MAB/802.1X - it's not pretty in ISE, but it can get you out of a messy situation.
It's a pity that the switch is so old - I don't suppose it supports on-switch packet capture? I'd still want to know what those packets are that are using that strange MAC address. Out of interest, do you have these printers attached to other switch models, and if so, is the behaviour the same?