RE: Dot1x & MAB issues with PRINTERS

From: Curt Girardin (curt.girardin@chicos.com)
Date: Wed Sep 27 2006 - 23:18:04 ART

• Next message: Kian Seng Goh: "Re: Route Redistribution into ospf"
• Previous message: Chris Broadway: "NBAR"
• Maybe in reply to: fferrer10@vodafone.es: "Dot1x & MAB issues with PRINTERS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I've had similar problems with both MAB as well as VMPS (which I was
using before). I found that some printers, (and other statically
addressed devices) do not always play well.

Most devices have some sort of discovery protocol (like DHCP, novell
GNS, appletalk has something too). Most devices also send out a
"gratuitous arp" to help prevent duplicate IP addresses. These
discovery packets are used by mac-based port security mechanisms to help
authenticate a port or assign a vlan.

Anyways, I've found that some printers, even after a power cycle using
the power switch would not ever "speak" until "spoken to". Therefore
the switch would never receive a packet on that port, and never have a
mac-address to use for "authentication". Sometimes completely
unplugging the printer and plugging it back in worked. Some printers
and other devices still remained quite until "spoken to", even after
cold boots.

For those devices, I had to resort to port-security.

HTH,

Curt

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
fferrer10@vodafone.es
Sent: Wednesday, September 27, 2006 1:18 PM
To: ccielab@groupstudy.com
Subject: Dot1x & MAB issues with PRINTERS

Hi all:

I am deploying an IBNS scenario, and i am using dot1x to securize the
users and machines accesses to my network resources.

Everythink is working fine by the moment with the pc and the dot1x
supplicants, but with other machines such as printers, i was planning to
use MAC AUTHENTICATION BYPASS, and my problem is that sometimes works
and sometimes doesn't (obviously the mac-address of the printer is
registered on my ACS).

i am seing that the switch where these printers are connected, it is not
displaying all the time the mac-address of them (if you do a "sh
mac-address-table interface", sometimes you display the mac, sometimes
not, even having all the time the printer connected and up/up). The
static adition of the mac of the printer to the cam of the switch does
not solve the problem.

Anyone is having a similar problem with MAB and can help?

TIA

• Next message: Kian Seng Goh: "Re: Route Redistribution into ospf"
• Previous message: Chris Broadway: "NBAR"
• Maybe in reply to: fferrer10@vodafone.es: "Dot1x & MAB issues with PRINTERS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:41 ART