cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

4217
Views
15
Helpful
6
Replies
Highlighted
Beginner

Cisco ISE and authentication for 802.1x printer

Hello

What is the best practice to authenticate a 802.1x printer in Cisco ISE?

The printer can store a certificate for authentication and support EAP-TLS.

Thanks for answer.

Marco

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Rising star

Please refer to

Please refer to authentication policies

 www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_auth_pol.html#pgfId-1146222

View solution in original post

Highlighted

Hi,I use certificates (EAP

Hi,

I use certificates (EAP-TLS) to authenticate Sharp printers. It seems to work. I havn't heard anything else from the printer guys.

 

/Philip

View solution in original post

6 REPLIES 6
Highlighted
Rising star

Please refer to

Please refer to authentication policies

 www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_auth_pol.html#pgfId-1146222

View solution in original post

Highlighted
Enthusiast

well still MAB is a option

well use MAB  for printers.

Highlighted

Hi,I use certificates (EAP

Hi,

I use certificates (EAP-TLS) to authenticate Sharp printers. It seems to work. I havn't heard anything else from the printer guys.

 

/Philip

View solution in original post

Highlighted
Cisco Employee

ISE Deployment Best


ISE Deployment Best Practices

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=4381

Highlighted
Cisco Employee

EAP-TLS is the way to go. It

EAP-TLS is the way to go. It is way way way more secure than MAB and profiling. However, the question is "How much of a hassle is it going to be to put a certificate on each printer?" Moreover, "What methods do I have (if any) to renew those certificates when they expire?" If have to manually generate a CSR and install a cert on each printer then it can quickly become an administrative overhead nightmare. With that being said, you can use MAB and profiling but just make sure that you lock down the access that those printers get. For instance, do they need access to the internet? Do they need access to anything else but the print server and/or open to all IPs access but only on the printing ports. 

I hope this puts you in the right direction!

 

Thank you for rating helpful posts!

Highlighted
Beginner

I agree with Neno, I would

I agree with Neno, I would suggest MAB with a limited authorization result, only what the printers need to access in the network