Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

802.1x MAB and Printers

Hello all, I am curious how people are dealing with printers and 802.1x. We are using MAB to authenticate the devices which works fine. We have begun to implement the black hole concept as our next phase. We have built a vlan 86 that is strictly layer 2, we put all of the ports into that vlan and then use dynamic vlan assignment to place them into the correct vlan. That too works fine, the issue we have been running into is when the printer goes into hibernate/sleep mode. I am guessing that causes an up/down event on the switch which will cause the 802.1x authentication process to start over. When that happens the devices end up in vlan 86 and MAB is stuck in the running state because the device is not talking on the network.

I have tried enabling ip device tracking but that didn't help. I am going to setup a ping probe using InterMapper to ping the device and see if that keeps it active but I am curious if anyone out there has ran into issues with printers and if so how have they dealt with them. Thanks!

Everyone's tags (3)
New Member

802.1x MAB and Printers


New Member



I've got this problem too (3 years later...).

What I see is that 802.1x state is Authenticated & Authorized:

show authentication sessions int gi 1/0/31 details
Interface: GigabitEthernet1/0/31
IIF-ID: 0x10595C000000337
MAC Address: 0026.7348.d3da
IPv6 Address: Unknown
IPv4 Address:
User-Name: 00-26-73-48-D3-DA
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Session timeout: 3600s (local), Remaining: 644s
Timeout action: Reauthenticate
Common Session ID: C0A8FEFE00002BBAA4294690
Acct Session ID: 0x00002B66
Handle: 0x7D0000A1
Current Policy: POLICY_Gi1/0/31

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
Vlan Group: Vlan: 13

Method status list:
Method State
mab Authc Success

the ip device tracking entry for this interface is OK but the related ARP entry shows incomple for the mac-address value.

sho ip device track int gi 1/0/31
Interface GigabitEthernet1/0/31 is: STAND ALONE
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
IPv6 Device Tracking Client Registered Handle: 23
IP Device Tracking Enabled Features:
-------------------------------------------- 0026.7348.d3da 13 GigabitEthernet1/0/31 30 ACTIVE ARP

Here the switchport config :  

interface GigabitEthernet1/0/31
switchport access vlan 13
switchport mode access
switchport nonegotiate
authentication control-direction in
authentication host-mode multi-auth
authentication order mab dot1x
authentication port-control auto
authentication periodic
dot1x pae authenticator
storm-control broadcast level 70.00
no lldp transmit
no lldp receive
spanning-tree portfast

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 114 incomplete ARPA Vlan13

If I add static ARP, the printers become reachable :
arp 0026.7348.d3da arpa


Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

Does anyone already encounter this issue ?

New Member

Re: 802.1x MAB and Printers

have you tried this WoL command?

"authentication control direction both"

Sent from Cisco Technical Support iPhone App

Cisco Employee

Re: 802.1x MAB and Printers

I agree with Adam, WoL feature would help you here. Could you please paste the port configuration here?

Most WoL endpoints flap the link when going into hibernation or standby mode, thus clearing any existing MAB authenticated session. By default, traffic through the unauthorized port will be blocked in both directions, and the magic packet will never get to the sleeping endpoint. To support WoL in a MAB environment, you can configure a Cisco Catalyst switch to modify the control direction of the port, allowing traffic to the endpoint while still controlling traffic from the endpoint. This approach allows the hibernating endpoint to receive the WoL packet while still preventing the unauthorized endpoint from sending any traffic to the network. After it is awakened, the endpoint can authenticate and gain full access to the network. Control direction works the same with MAB as it does with IEEE 802.

Configuration example.

Switch(config)# interface fastethernet 5/1
Switch(config-if)# authentication control-direction both

Jatin Katyal
- Do rate helpful posts -

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: 802.1x MAB and Printers

I think that the documentation that you provided is wrong in that specific example.

WoL can be supported by using authentication control-direction in argument, not both (which is the default).

Enables 802.1X authentication with WoL on the  port. Use these keywords to configure the port as bidirectional or  unidirectional:

  • both--Sets the port as  bidirectional. The port cannot receive packets from or send packets to  the host. By default, the port is bidirectional.
  • in--Sets the port as unidirectional. The port can send packets to the host but cannot receive packets from the host.

Cisco Employee

Re: 802.1x MAB and Printers

Hi Oct,

ahhh, My bad, While adding those commands. I forgot to replace both with in.

Jatin Katyal
- Do rate helpful posts -

Ahh, you are
~BR Jatin Katyal **Do rate helpful posts**