I have a few WS-C2960S-48FPS-L running IOS 15.0(2)SE6 (in a stack), and we have devices (cameras, IP phones, printers, etc.) authenticating with MAB.
The issue is only with print server HP JetDirect 150x, 300x and 500x.
The HP print server is authenticated and answers ping requests (working fine), but suddenly the print server stops answering the ping requests. I checked the logging on the switch and I see the event that triggers the print server to stop working.
Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-RELEASE
Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-WAIT
But if I perform a clear arp on my router, an ARP broadcast is sent to the entire VLAN, and the print server answers the broadcast. After that I see this event in the C2960 logging.
Aug 13 16:17:34 BRT: %EPM-6-IPEVENT: IP 10.xx.yy.zz| MAC aaaa.bbbb.cccc| AuditSessionID 0A08FC3200001A493E5F3E7C| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
After this event, the print server starts to answer ping requests again, and works fine for exactly 120 sec, then the event "IP-RELEASE/IP-WAIT" happens again and the print server stops.
This is my topology
The interface configuration:
interface GigabitEthernet1/0/2
 switchport access vlan XYZ
 switchport mode access
 switchport nonegotiate
 switchport voice vlan ABC
 switchport port-security violation protect
 power inline never
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end
I changed some information (like IPs, MACs, VLANs) for security reasons.
Were you able to find a resolution for this? I have a customer with the same issue, however, it's with a few Cisco IP Phones and encryption devices. The devices get authorized, the correct dACL is applied to the port, but then a few minutes later, the devices release the IP address and the process starts all over again.
The logs show "EVENT IP-RELEASE" then "EVENT IP-WAIT"
The only workaround I found for this issue was to change the configuration on those ports from "authentication host-mode multi-auth" to "authentication host-mode single-host". I did this only on ports where I have these print servers.
But when you change the host-mode to single-host, only one device can be authenticated. In your case this can be a problem because of PCs and IP phones on the same ports.
Another configuration I tried, which worked in a few cases, was adding the command "authentication control-direction in".
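An added example, not part of any post in this thread: a small Python script that reads switch syslog in the %EPM-6-IPEVENT format quoted above and reports which MAC addresses repeatedly lose their IP binding, and how long each binding lasted (the thread reports exactly 120 seconds). The function names, the assumed year, and the sample addresses and session IDs are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout taken from the %EPM-6-IPEVENT lines quoted in the thread.
EVENT_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)(?: \w+)?: %EPM-6-IPEVENT: "
    r"IP (?P<ip>\S+?)\| MAC (?P<mac>\S+?)\| AuditSessionID (?P<sid>\S+?)\| "
    r"AUTHTYPE (?P<auth>\S+?)\| EVENT (?P<event>[A-Z-]+)"
)

def parse_events(text, year=2000):
    """Yield (timestamp, mac, event) in log order.

    finditer() also copes with several messages run together on one line.
    The syslog timestamp carries no year, so `year` is an assumed value.
    """
    for m in EVENT_RE.finditer(text):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["mac"], m["event"]

def find_flapping(text, min_cycles=2):
    """Return {mac: [seconds each IP binding lasted]} for every MAC whose
    binding was released at least `min_cycles` times after an assignment."""
    assigned = {}               # mac -> time of the last IP-ASSIGNMENT
    holds = defaultdict(list)   # mac -> durations between ASSIGNMENT and RELEASE
    for ts, mac, event in parse_events(text):
        if event == "IP-ASSIGNMENT":
            assigned[mac] = ts
        elif event == "IP-RELEASE" and mac in assigned:
            holds[mac].append(int((ts - assigned.pop(mac)).total_seconds()))
    return {mac: h for mac, h in holds.items() if len(h) >= min_cycles}

# Constructed sample log: device A flaps every 120 s, device B stays bound.
_T = ("Aug 13 {} BRT: %EPM-6-IPEVENT: IP {}| MAC {}| AuditSessionID {}"
      "| AUTHTYPE DOT1X| EVENT {}")
_A = ("192.0.2.10", "0000.5e00.5301", "SESSION-A")
_B = ("192.0.2.20", "0000.5e00.5302", "SESSION-B")
SAMPLE = "\n".join(_T.format(t, *dev, ev) for t, dev, ev in [
    ("16:10:00", _B, "IP-ASSIGNMENT"),
    ("16:15:34", _A, "IP-ASSIGNMENT"),
    ("16:17:34", _A, "IP-RELEASE"), ("16:17:34", _A, "IP-WAIT"),
    ("16:19:02", _A, "IP-ASSIGNMENT"),
    ("16:21:02", _A, "IP-RELEASE"), ("16:21:02", _A, "IP-WAIT"),
])

if __name__ == "__main__":
    for mac, seconds in find_flapping(SAMPLE).items():
        print(f"{mac} lost its IP binding {len(seconds)} times, held for {seconds} s")
```

A constant hold time across cycles, as in the sample, points at a timer on the switch rather than at the endpoint rebooting or renewing at random.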