Switches, Hubs, and Modems中的主题 Re: Port-access mac-based Problem

Port-access mac-based Problem

MP2 — Wed, 19 Nov 2008 17:36:54 GMT

Hello,

I'm configuring several 2626 (H.10.45) and 5308xl (E.11.03)switches for mac-based authentication and would be very happy about some hints :)

Scenario:
Multiple thinclients and printers should be authenticated via MAC.
There are several clients and printers on each switch.

Problem:
Thinclients work, Printers don't (mostly HP LJ 1000 - 4000 Series). There's one exception: a
Samsung ML-2550, altough the same model on a differnt switch doesn't work, haven't found any differences yet. As long as a MAC is supplied the client shouldn't matter, or I'm wrong?

Activated Ports with printers connected are shown under *show port-access mac-based* but both "Authenticated Clients" and "Unauthenticated Clients" are 0. Thinclients have "Authenticated Clients" 1.

I have no clue why :(

There are no authentication attempts on IAS-Servers (MS IAS), thinclients are sucessfully logged. Apparently the switches don't send requests for printers.

Summary:
MAC-based authentication works for thinclients, not for printers on the same switch.
Thinclients authenticate sucessfully.
Printers go immediatly offline if authentication is actived - with no requests to IAS send.
Both use the same IAS-policies.

My only hints so far are:

Logging:
"18:02:44 ports: port H1 is Blocked by AAA"
"18:02:47 ports: port H1 is Blocked by STP"

show port-acces mac-based:
Port Access MAC-Based Status

Authenticated Unauthenticated Current RADIUS ACL
Port Clients Clients VLAN ID Applied?
----- ------------- --------------- -------- -----------
H1 0 0 1 No

I've read this guide, but it hasn't given me any pointers:
http://cdn.procurve.com/training/Manuals/2900-ASG-Jan08-3-WebMacAuth.pdf

Hopefully somebody has experience with this behavior :)

Kind regards,

Gernot

Re: Port-access mac-based Problem

Pieter 't Hart — Thu, 20 Nov 2008 10:15:13 GMT

Hi Gernot,

Printers go immediatly offline if authentication is actived - with no requests to IAS send.
Both use the same IAS-policies.

What do you mean? are the printer offline as seen from a printeserver? or does the printer itself goes offline?

Are the printers setup as DHCP or static adress?

As long as a MAC is supplied the client shouldn't matter, or I'm wrong?

in dhcp-requests there can be a "vendor-specific" field (option 43?). wich can result in different handling of the request.

maybe the output from
show port-access mac-based config
and
show port-access mac-based clients
instead of the current status will help.

Re: Port-access mac-based Problem

MP2 — Thu, 20 Nov 2008 11:08:03 GMT

Hello Pieter,

thank you for your reply.

Output *show port-access mac-based config*:

Port Access MAC-Based Configuration

MAC Address Format : no-delimiter
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

Client Client Logoff Re-Auth Unauth Auth Cntrl
Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir
----- -------- ------ ------ --------- --------- -------- -------- -----
H1 Yes 1 No 300 0 0 0 both

###############

Output *show port-access mac-based clients*:

Port Access MAC-Based Client Status

Port MAC Address Session Status Time
----- ------------- --------------------- --------

Yes, it's empty, working clients are shown properly:

Port Access MAC-Based Client Status

Port MAC Address Session Status Time
---- ------------- --------------------- --------
24 0000f0-a345fd authenticated 67,211

###########

Printers are immediatly not reachable per ping. And port is displayed as closed.
Clients have static IPs, no DHCP-Voodoo :)

Kind Regards,

Gernot

Re: Port-access mac-based Problem

MP2 — Mon, 24 Nov 2008 08:50:13 GMT

Has nobody an idea?

Re: Port-access mac-based Problem

MP2 — Mon, 01 Dec 2008 18:47:48 GMT

Still nobody?

Re: Port-access mac-based Problem

Matt Hobbs — Tue, 02 Dec 2008 11:41:39 GMT

There is a controlled directions feature for aaa, try changing that to 'in'. (That way an unauthenticated client will still receive broadcast/multicast traffic from the network which is what the printer might need to see before it sends any return traffic to kick off the mac-auth process).

Also, make sure you update to the latest version firmware.

Re: Port-access mac-based Problem

MP2 — Tue, 09 Dec 2008 07:41:54 GMT

Hello Matt,

i've tried in, out and both, nothing worked. All working clients (Thinclients) have both configured.
Firmware is 10.45 for 2626 and 11.03 for 5308.

Kind regards,

Gernot

Re: Port-access mac-based Problem

Krzysztof Oledzki — Tue, 09 Dec 2008 20:30:22 GMT

H.10.45 is not the latest software, you should rather try H.10.74

Re: Port-access mac-based Problem

DMcCoy_1 — Wed, 10 Dec 2008 22:38:26 GMT

I have been working over the last week to keep my jetdirects authenticated with MAC based auth all the time, and I have been quite sucessful with the following.

Upgraded all jetdirects to their latest firmware, DOWNgraded any jetdirect J7949E on firmware v33.15 to v33.14 (.15 is horribly broken and crashes after a couple of minutes usually).

I have enabled SLP protocol on all the print servers, I have then telneted into the jetdirect to set slp-keep-alive (available with the firmware updates) to a value of 2 (2 minutes between slp anouncments).

I have changed the MAC age time on all the switches to 900 seconds from the default 300.

Jetdirects now announce themselves every 2 minutes stopping the switch forgetting that they exist. I have added a logoff-period of 1800 seconds to a single port with a Xerox printer on it which stops it reauthenticating every 10 minutes (unable to change slp interval on it).

This may or may not help, but I've had the printers on line for the last week now and when I ping, they are still there!

Re: Port-access mac-based Problem

MP2 — Wed, 17 Dec 2008 14:08:06 GMT

Thank you for your input.
I have upgraded my Firmware, but still same behavior.
@DMCCoy: excellent tips :)
Time out problems would be cool, at least I would be one step further...