11-13-2013 11:50 AM
I'm trying to MAC auth HP printers with CPPM. By default, the HP comes with the hostname NPIXXXXXX where XX is the last half of the MAC address. So, when I set the Cisco port to MAB, the printer sends the username NPIXXXXXX and because the service is looking for username=MAC address, service classification fails. If we change the hostname of the printer to the MAC with no delimiter, it sends the hostname as the username, which happens to match the MAC and the service categorization is successful as in my enforcement policy.
I've tried a service with the "Connection:Client-Mac-Address EXISTS" and the request gets classified properly, but I get the following Alert in Access Tracker:
"MAC_AUTH: No password in request. Not attempting MAC authentication
Cannot select appropriate authentication method"
Has anyone seen this before?
11-13-2013 12:52 PM
You don't have any authentication configured on the printer, right? It's odd that you're getting the hostname as the username for MAB.
Can you post your port config and all applicable .1X config?
Also, did you use Start Here under Configuration in ClearPass Policy Manager? There's a MAC authentication wizard that helps configure the service with the appropriate attributes.
11-14-2013 03:33 AM
All other devices MACAUTH with my service just fine. It was built appropriately.
The issue is that the printer switches back and forth from what HP calls "open system" to EAP. This is verified by issuing the "show auth session" on the Cisco switch. One moment the printer will be dot1x and after a reboot, mab. We've followed the instructions to reset the security settings found here - http://www.experts-exchange.com/Networking/Security/Q_27812096.html
The printer is extremely unreliable. The reset of security settings as noted by experts exchange doesn't stick when you reboot the printer and it just tries to do EAP again.
So in order to get the printer to MACAUTH, I had to add the following to my Cisco port config, besides the normal mab commands:
"authentication event fail action next-method"
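For context, an added example (not part of the original posts) of where that command sits in a Cisco IOS access-port configuration. Only the `authentication event fail action next-method` line comes from the thread; the interface name, VLAN, method order and timer are assumptions for illustration.

```cisco
! Hypothetical printer port; interface and VLAN are placeholders.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 ! Assumed order: try 802.1X first, then MAC Authentication Bypass.
 authentication order dot1x mab
 authentication priority dot1x mab
 ! From the thread: if the printer starts EAP and 802.1X fails,
 ! move on to the next method (MAB) instead of failing the session.
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Assumed: shorter EAP identity timeout so a silent device reaches MAB sooner.
 dot1x timeout tx-period 10
 spanning-tree portfast
! Check which method the session ended up on after a printer reboot:
!   show authentication sessions interface GigabitEthernet1/0/10
```

With this fallback in place, any device that fails 802.1X on the port is then evaluated by MAB, so the MAC authentication policy on the RADIUS side should grant only the access a printer needs, since a MAC address is not a strong credential.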