
Problem with MAC Authentication and some Printers

jowiroe
Occasional Advisor

Hi all,

I have set up 802.1x and MAC Authentication on our ProCurve 5412zl Switches. (K.13.68)
Authentication for the Workstations, ThinClients, IP Phones and most printers works fine. But I have problems with some older Kyocera and Sharp Printers. If I enable authentication on the Ports where these printers are connected, the devices are no longer reachable over the network. If I disable the port and enable it a few seconds later, the printer is authenticated successfully and is reachable for approx. 10 minutes. After these 10 minutes the Switch logs "Port is blocked by AAA" and the Printer is not reachable again. Disabling / enabling the port again will fix it for the next 10 minutes...

My Setup:

radius-server host x.x.x.x key password
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
aaa port-access authenticator f1-f24
aaa port-access authenticator unauth-vid 99
aaa port-access authenticator client-limit 3
aaa port-access mac-based f1-f24
aaa port-access authenticator active
1 REPLY
haegi
Occasional Visitor

Re: Problem with MAC Authentication and some Printers

Hi Jowiroe,

It seems that the printer's NIC has fallen asleep and it does not send anything. And thus the switch forgets the MAC - normally after 5 mins (300s MAC-Hold Timer). The issue in combination with 802.1X is called eaves-drop prevention and can be disabled on your switch platform, see latest release notes OS V14.

Additionally the other timer defined using "aaa port-access logoff-period" sets the port to unauthenticated as you have seen in the log, also by default after 5 mins. You may change this value to 999999 and it should work fine, see Manual, ASG Chap. 13.

As an alternative, use a cron-ping and ping your devices one time every 240s, as this timer is not changeable on every platform.

Two things to add are controlled-directions in, if you use Wake-on-LAN, and aaa...mixed mode, if you are looking for an authenticated phone but a Guest-PC after the phone.

I have no idea why your printers drop off after 10 mins, could be a defect, should be 5 mins.

Cheers


h.
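
The cron-ping workaround suggested in the reply above, as an added example that is not part of the original thread. It assumes Linux iputils ping (-W is a timeout in seconds); the script path and hosts file named in the comments are hypothetical.

```shell
#!/bin/sh
# Keepalive sweep for MAC-authenticated devices whose NIC goes quiet.
# One answered echo request makes the printer transmit a frame, which is
# what the reply relies on to keep the session from idling out.
#
# Cron has one-minute resolution; every 4 minutes is exactly 240 s, which
# stays under the 300 s default mentioned in the reply (paths hypothetical):
#   */4 * * * * /usr/local/bin/printer-keepalive.sh /etc/printer-keepalive.hosts

PING="${PING:-ping}"   # overridable so the sweep can be exercised offline

# keepalive_sweep FILE
# FILE holds one address per line; blank lines and '#' comments are ignored.
# Prints "no reply: <host>" for each silent device.
# Returns 0 if every host answered, 1 if any did not, 2 if FILE is unreadable.
keepalive_sweep() {
    hosts_file=$1
    failed=0
    [ -r "$hosts_file" ] || { echo "cannot read $hosts_file" >&2; return 2; }
    # The '|| [ -n "$line" ]' keeps a last line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        host=${line%%#*}                                  # drop comments
        host=$(printf '%s' "$host" | tr -d '[:space:]')   # drop whitespace
        [ -n "$host" ] || continue
        # One request, 2 s timeout; stdin detached so ping cannot eat the list.
        if ! "$PING" -c 1 -W 2 "$host" >/dev/null 2>&1 </dev/null; then
            echo "no reply: $host"
            failed=$((failed + 1))
        fi
    done < "$hosts_file"
    [ "$failed" -eq 0 ]
}

# Run the sweep only when a hosts file is passed on the command line.
[ "$#" -eq 0 ] || keepalive_sweep "$1"
```

A host reported as "no reply" right after the sweep starts is a candidate for a port that the switch has already set back to unauthenticated.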