Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Help with MAB for print servers HP Jetdirect

Hi all,

I have a few WS-C2960S-48FPS-L running IOS 15.0(2)SE6 (in stack), and we have devices (cameras, ipphones, printers, etc) authenticating with MAB.

The issue is only with print server HP JetDirect 150x, 300x and 500x.

 

The HP print servers is authenticated and answer pings requests (working fine), but suddenly the print stops to answer the ping requests. I checked the logging from the switch and I see the trigger event to the print stop to work.

Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-RELEASE
Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-WAIT

But, if I perform a clear arp on my Router, a ARP broadcast is send to the entire VLAN, and the print server answer the brodcast, after that I see this event in the C2960 logging.

Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT

After this event, the print server start to answer pings request again, and works fine for exact 120sec, then the event "IP-RELEASE/IP-WAIT" happens again and the print server stop.

This my topology

Router------>C2960----->Print Server

 

The interface configuration:

interface GigabitEthernet1/0/2
 switchport access vlan XYZ
 switchport mode access
 switchport nonegotiate
 switchport voice vlan ABC
 switchport port-security violation protect
 power inline never
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end

 

I changed some informations (like IPs, MAC, Vlans) for security reasons.

 

Have somebody ever see an issue like that?

Sorry for my bad English.

Thank you

 

6 REPLIES
Cisco Employee

Hmm that is an interesting

Hmm that is an interesting one. Let me ask you a few quesitons:

1. Does the issue occur if you remove dot1x from the port? To test this you just have to issue "no authentication port-control auto" You can leave the rest of the commands

2. Are you returning an ACL with the authorization profile

3. When the issue occurs issue "show authentication session interface interface_name_number"

4. Can you post the rest of the related switch configs (AAA, Radius, DHCP Snooping, etc)

5. I would get rid of the "switchport port-security violation protect" command. I try not to configure standard port-security and dot1x on a port/switch.

 

Thank you for rating helpful posts!

New Member

Hi Neno,1. Does the issue

Hi Neno,

1. Does the issue occur if you remove dot1x from the port? To test this you just have to issue "no authentication port-control auto" You can leave the rest of the commands

If I remove all the authentication configuration from the port, the print works fine.

2. Are you returning an ACL with the authorization profile

Yes, but is a permit ip any any

3. When the issue occurs issue "show authentication session interface interface_name_number"

F220-1A#sh authentication sessions int gigabitEthernet 1/0/2
            Interface:  GigabitEthernet1/0/2
          MAC Address:  aaaa.bbbb.cccc
           IP Address: 10.xx.yy.zz
            User-Name:  aaaa.bbbb.cccc
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
         Per-User ACL:  permit ip any any
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A08FC32000057E79C285797
      Acct Session ID:  0x000087A2
               Handle:  0x40000A5E

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

 

4. Can you post the rest of the related switch configs (AAA, Radius, DHCP Snooping, etc)

No DHCP Snooping is configurated in the switch

aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common

ip radius source-interface VlanABCD
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server host A.B.C.D auth-port 1812 acct-port 1813 key 7 ABDCEFG
radius-server vsa send authentication

 

5. I would get rid of the "switchport port-security violation protect" command. I try not to configure standard port-security and dot1x on a port/switch.

I don´t use the "switchport port-security violation protec", I inserted this command only to do a test. I forgot to remove this command before to post the configuration here.

 

 

New Member

Hi Neno,I think there is

Hi Neno,

I think there is something related to the "ip device tracking".

The event "IP-RELEASE/WAIT" happens every  2min, then the printer stops to work.

So, I executed the command "clear ip device tracking int gi 1/0/2" and the event "IP-RELEASE/WAIT" happens.

Is there any "ip device tracking" default configuration where it try to clear the informations from "ip device tracking" table every 2min?

I´m looking to the 802.1x and "ip device tracking" documentation from Cisco, but until now I don´t see nothing to explain this behavior.

 

Thank You

Cisco Employee

Can you:1. Post the whole

Can you:

1. Post the whole switch config

2. Use the "Evaluate Configuration Validator" located under "Operations > Diagnostic Tools" It is not 100% accurate but it will tell you if you are missing some commands.

Overall though, things look ok so my guess is that you are running into some incompatibility with that printer/printer OS and dot1x. I have had this happen to me before with some devices.

 

Thank you for rating helpful posts!

New Member

Were you able to find a

Were you able to find a resolution for this?  I have a customer with the same issue, however, it's with a few Cisco IP Phones and encryption devices.  The devices get authorized, the correct dACL is applied to the port, but then a few minutes later, the devices release the IP address and the process starts all over again.

The logs show "EVENT IP-RELEASE" then "EVENT IP-WAIT"

 

Thanks,

 

Steve

New Member

Hi Steve,The only workaround

Hi Steve,

The only workaround I found to this issue was change the configuration on those ports from "authentication host-mode multi-auth" to "authentication host-mode single-host". I Did this only on ports where I have these print servers.

But when you change the host-mode to single-host, only one device can be authenticated. In your case can be a problem because of PCs and Ipphones on same ports.

Another configuration I tried and worked in a few cases, was add the command "Authentication Control-Direction in".

Best Regards

 

 

 

 

525
Views
0
Helpful
6
Replies
CreatePlease to create content