12-09-2014 11:40 PM - edited 03-10-2019 10:15 PM
Hello, I am looking for a solution or best practice for how to deal with printers and MFUs in an 802.1x environment.
I use MAB for them and put them in a separate VLAN for security reasons; the VLAN number is provided from RADIUS.
I also enabled IP device tracking and the inactivity timer to track connected printers and deauthenticate them in case the port stays up but the printer is detached (someone put a hub/small switch between an 802.1x port and a printer).
At this stage I can't understand the behavior of the idle timeout, because it is always decreasing and then reauthentication begins, even if I constantly ping the printer. Does it have to trigger only if there is no traffic from the device?
sw3560-test#sh authentication sessions int fa0/1
Interface: FastEthernet0/1
MAC Address: f4ce.4648.6626
IP Address: 192.168.251.2
User-Name: f4ce46486626
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 25
Session timeout: N/A
Idle timeout: 60s (local), Remaining: 26s
Common Session ID: C0A8A5920000001100564C94
Acct Session ID: 0x00000015
Handle: 0x46000011
Runnable methods list:
  Method   State
  dot1x    Failed over
  mab      Authc Success
The port config:
interface FastEthernet0/1
 description MFU test
 switchport mode access
 switchport voice vlan 7
 ip device tracking maximum 10
 authentication event fail action authorize vlan 4094
 authentication event server dead action authorize vlan 4094
 authentication event no-response action authorize vlan 4094
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 60
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 5
 spanning-tree portfast
 spanning-tree bpduguard enable
end