Hi,
The problem is that when you set up authentication on a port, the switch blocks the port until the device announces itself (i.e. generates any type of traffic). Most of these devices "do not talk unless talked to", whereas there might be a Windows server polling printers; these printers are now isolated as they won't talk back because they don't receive any traffic, and the port stays blocked because the switch is not polling the device either.
There are essentially two solutions:
- you configure the port as described in the ClearPass best practice (it is linked on several threads in here). This WILL NOT work UNLESS you set up something on the end device to poll something at regular intervals. An example is to configure NTP on the printer to poll an NTP server. This is traffic generated from the printer itself, and this will keep the port up.
- OR you configure like this, but it is not best practice (this applies config from port 1/1 to 1/10). Do this only on ports you know are NOT uplinks:
no port-security 1/1-1/10 eavesdrop-prevention
spanning-tree 1/1-1/10 admin-edge-port
aaa port-access authenticator 1/1-1/10 auth-vid xx
aaa port-access authenticator 1/1-1/10
aaa port-access authenticator 1/1-1/10 client-limit 2
aaa port-access authenticator 1/1-1/10 cached-reauth-period 86400
aaa port-access 1/1-1/10 controlled-direction in
aaa port-access mac-based 1/1-1/10
aaa port-access mac-based 1/1-1/10 addr-limit 4
aaa port-access mac-based 1/1-1/10 reauth-period 86400
aaa port-access mac-based 1/1-1/10 cached-reauth-period 86400
aaa port-access mac-based 1/1-1/10 logoff-period 9999999
I want to point out that we went on with HPE TAC for MONTHS without them realizing this; I got the answer by bumping into a thread on reddit talking more or less about the matter, by pure chance, and from there, after a couple of hours of testing, I came up with the above config. You don't need to run recent firmware for that to work. Test on a bunch of ports first. If you break **bleep** I am not taking responsibility, you do it at your own risk.
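As an added example (not from the post, and not an HPE/Aruba tool), here is a small Python audit that expands the slot/port ranges used in the recipe above and reports which ports in a running-config text are missing the per-port settings it lists. The REQUIRED list and the sample config are constructed here; auth-vid is not checked because its value is site-specific.

```python
import re
# Each recipe line has the shape "<command words> <port spec> [<arguments>]".
LINE_RE = re.compile(r"^(?P<head>\S+(?: \S+)*?)\s+(?P<ports>\d+/\d+(?:-\d+/\d+)?"
                     r"(?:,\d+/\d+(?:-\d+/\d+)?)*)(?:\s+(?P<tail>\S.*))?$")
# Per-port settings taken from the recipe (auth-vid is left out: it is site-specific).
REQUIRED = [
    "aaa port-access authenticator",
    "aaa port-access controlled-direction in",  # lets server-to-printer traffic egress while unauthenticated
    "aaa port-access mac-based",
    "aaa port-access mac-based addr-limit 4",
]
def expand_ports(spec):
    """'1/1-1/3,1/7' -> ['1/1', '1/2', '1/3', '1/7']; ranges must stay within one slot."""
    ports = []
    for part in spec.split(","):
        if "-" not in part:
            ports.append(part)
            continue
        (slot, first), (end_slot, last) = (p.split("/") for p in part.split("-"))
        if slot != end_slot:
            raise ValueError(f"cross-slot range not supported: {part}")
        ports.extend(f"{slot}/{n}" for n in range(int(first), int(last) + 1))
    return ports

def parse_config(text):
    """Map each port to the set of normalised port-level commands applied to it."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and global commands carry no port spec
        key = " ".join(filter(None, (m["head"], m["tail"]))).lower()  # CLI is case-insensitive
        for port in expand_ports(m["ports"]):
            settings.setdefault(port, set()).add(key)
    return settings

def audit(text, ports):
    """Return {port: [recipe settings missing on that port]} for the ports you expect to be access ports."""
    settings = parse_config(text)
    return {p: [c for c in REQUIRED if c not in settings.get(p, set())] for p in ports}
# Constructed sample: the recipe on 1/1-1/10 (note the capitalised "Aaa"), plus a half-done port 1/12.
SAMPLE_CONFIG = """
aaa port-access authenticator 1/1-1/10
aaa port-access 1/1-1/10 controlled-direction in
aaa port-access mac-based 1/1-1/10
Aaa port-access mac-based 1/1-1/10 addr-limit 4
aaa port-access authenticator 1/12
aaa port-access mac-based 1/12
"""
```

Run `audit(open("running-config.txt").read(), expand_ports("1/1-1/10"))` against a saved `show running-config` to see which of the intended ports still lack part of the recipe.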