HPE Community
Switches, Hubs, and Modems
1821080 Members
2862 Online
109631 Solutions
New Discussion

Problem with MAC Authentication and some Printers

 
jowiroe
Occasional Advisor

‎05-26-2010 12:00 PM

‎05-26-2010 12:00 PM

Problem with MAC Authentication and some Printers

Hi all,

i have setup 802.1x and MAC Authentication on our ProCurve 5412zl Switches. (K.13.68)
Authentication for the Workstations, ThinClients, IP- Phones and the most printers works fine. But i have problems with some older Kyocera and Sharp Printers. If I enable authentication on the Ports where these printers are connected the devices are no longer reachable over the network. If I disable the port and enable it a few seconds later, the printer is authenticated succesfull and is reachable for approx 10 minutes. After these 10 minutes the Switch logs "Port is blocked by AAA" and the Printer is not reachable again. Disable / Enable the port again will fix it for the next 10 minutes...

My Setup:

radius-server host x.x.x.x key password
aaa authentication port-access eap-radius
aaa accounting network start-stop radius
aaa port-access authenticator f1-f24
aaa port-access authenticator unauth-vid 99
aaa port-access authenticator client-limit 3
aaa port-access mac-based f1-f24
aaa port-access authenticator active
0 Kudos
1 REPLY 1
haegi
New Member

‎05-26-2010 02:23 PM

‎05-26-2010 02:23 PM

Re: Problem with MAC Authentication and some Printers

Hi Jowiroe,

it seems that the printer's NIC has fallen asleep and it does not send anything. And thus the switch forgets the MAC - normally after 5 mins (300s MAC-Hold Timer). The issue in combination with 802.1X is called eaves-drop prevention and can be disabled on your switch platform, see latest release notes OS V14.

Additionally the other timer defined using "aaa port-access logoff-period" sets the port to unauthenticated as you have seen in the log, also by default after 5 mins. You may change this value to 999999 and it should work fine, see Manual, ASG Chap. 13.

As an alternative use a cron-ping and ping your devices every 240s one time as this timer is not changeable on every platform.

Two things to add is controlled-directions in if you use Wake-on-LAN and aaa...mixed mode, if you look for authenticated phone, but Guest-PC after the phone.

I have no idea why your printers drop off after 10 mins, could be a defect, should be 5 mins.

Cheers


h.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.