Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass MAC Policy for Printer

  • 1.  Clearpass MAC Policy for Printer

    Posted May 09, 2017 02:34 PM

    I have some issues with Lexmark printers, which should be authenticated via MAC address. The authentication works fine, but after some time (maybe some hours) the printers aren't available. The printer doesn't send any packets, and so is a kind of passive client. I also couldn't see the MAC address of the printer on the switch, so I have changed the session-timeout for the MAC auth to 240 seconds, to get more communication. The reauth happens every 240 seconds, but the printer has the same problem: it isn't available after some time. I have to plug the printer off and on to get the connection working again. We have several different models of Lexmark printers and the same problem.

    I think the main problem is that the printer doesn't send active packets to the network. So the connected switch loses the MAC of the printer.

    I have a ProCurve switch 2920 with firmware 16.02.18.

    What is the recommended setting for these "passive clients" and mac out?

    I have my ClearPass policy attached.



  • 2.  RE: Clearpass MAC Policy for Printer
    Best Answer

    EMPLOYEE
    Posted May 10, 2017 07:16 AM

    Did you change the default logoff-period? I believe the default is 300 seconds (5 min). For devices like printers or other embedded devices the default logoff-period is too low, because they may 'sleep' for longer periods.

    Using a DHCP client can help, as can setting the logoff timer in the mac-auth config.

     

    Setting the logoff timer:

    aaa port-access mac-based <portnumber> logoff-period 99999

     

    In ClearPass I would use the default session-timeout.



  • 3.  RE: Clearpass MAC Policy for Printer

    Posted May 10, 2017 02:12 PM

    I've tested the logoff-period; I have had no issues so far. Is it best practice to set it to 999999 seconds, or is a smaller count also OK? Could I get any problems when I change this account to such a high value?

     

    Thanks a lot

     



  • 4.  RE: Clearpass MAC Policy for Printer

    EMPLOYEE
    Posted May 10, 2017 03:15 PM

    Hi Thomas,

     

    It depends on when the printer wakes up. If you send a print job to the printer it will wake up. Depending on the frequency of printing this can take a while. Some printers have the ability to schedule a wake-up once a day. In those cases the timer can be set to 86400 seconds (24h).

    Alternatively, ports can be provisioned with ClearPass OnConnect. It's not based on RADIUS mac-auth, but uses SNMP to configure the port. Kind of a last resort.