Occasional Contributor I
Posts: 6
Registered: a week ago

Adding a Wireless Printer in 8021X environment

Hello Everyone,

First I would like to say thanks to all the experts and gurus on the Aruba community for sharing their experience and knowledge.

I am a newbie on the Aruba community/network and have more experience in the VoIP domain. I am currently working for a big enterprise where security always comes first.

As far as the wireless network in the company goes, it is all Aruba and works very well in a secure environment with 2 data centers, a DMZ, a Master Active/Standby controller, and 200 medium and small sites with their local controllers present.

I received a request from the CIO to add his personal wireless printer to the existing network. After spending 1 week looking for a solution on Airheads, I can't find the right answer. My concern is how I can add an HP wireless printer to a local site with an 802.1X-enabled network which has certificates installed everywhere.

Short wireless design summary:

So basically, this is how the traffic flows: when a device connects at the local site, and it is an iPad or iPhone, it gets checked through AirWatch and gets a certificate/is authenticated first. Then it goes to ClearPass and gets an Untrusted role.

After becoming an Untrusted device, it contacts the controller which is in the DMZ. There is a secure tunnel between the local controller and the controller in the DMZ for every site. From there it gets an IP address, and all the traffic then goes via a tunnel to the Internet.

I tried doing it one way:

Creating a host address list on ClearPass and creating services, roles and mapping. But it never hit ClearPass. As soon as I try connecting to my corporate SSID, the HP printer shows an error on screen: "Can't connect to this network because of unsupported authentication and encryption."

I also thought of trying split tunneling. But because all the sites have a local controller present and connected to the datacenter, where a Master Controller is present, and a controller in the DMZ, I don't know whether it would be good to add another AP as a Remote AP or to convert a CAP into a RAP.

I would really be thankful to everyone in the community if you could please give me an idea of how it can be done.

I am happy to answer any questions in case you need more information.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Adding a Wireless Printer in 8021X environment

Does the printer support 802.1X?

Do you also have an open network at this site?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: a week ago

Re: Adding a Wireless Printer in 8021X environment

Hi Cappalli,

Thanks for the prompt reply. I really appreciate that.

No, there is no open network at this site.

The printer doesn't support 802.1X; the only thing I notice is WPA2-PSK.

I think the certificates we have installed in our devices are all encrypted; that's why, when I try to connect on the main SSID, within a microsecond the printer pops up with an error on screen that it can't connect because no auth. and encryption are supported.

We have only two SSIDs. One is for the guest network and one is for corporate employees.

We have a solution for guests to access the printer in a guest environment, but the CIO doesn't want to change the SSID only for printing. He likes to have only the corporate SSID connected all the time and print from there.

 

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Adding a Wireless Printer in 8021X environment

Use ClearPass's device registration feature to register the device and then modify your guest network policy to allow the registered device(s) to connect into their final authenticated state.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: a week ago

Re: Adding a Wireless Printer in 8021X environment

Hi Cappalli,

Thanks again.

As soon as I try to connect to the local controller, the printer still shows the same error:

Unable to connect to this network. This network is using unsupported type of encryption and authentication.

Cheers,

Frequent Contributor I
Posts: 99
Registered: ‎02-05-2014

Re: Adding a Wireless Printer in 8021X environment

Are you against using a pre-shared key? If the printer is only going to be used in one office, it's easy: just create an AP-specific profile for that one AP. Just use a password generator to make a long, complex key 20 digits long.

Occasional Contributor I
Posts: 6
Registered: a week ago

Re: Adding a Wireless Printer in 8021X environment

Hi Kell,

Thanks for joining the discussion and giving your time.

We have only 2 SSIDs throughout the enterprise. One is for corporate users, which uses certificates if it's a corporate laptop with Active Directory, and if it's not a laptop and falls under the mobile and iPad category, then all the devices are MDM (Airwatched).

For all other devices we have Guest WiFi; we manually create a username and password and give it to the user.

Now,

There is no option for WPA2-PSK.

When we add a new site and bring it on board for wireless, we create a new AP group for the site and add the same SSID and AAA profile into the picture.

This means wherever the device goes and connects, there will be only one SSID for employees and one for guests.

I hope that will help you to understand a little bit more.


Occasional Contributor I
Posts: 6
Registered: a week ago

Re: Adding a Wireless Printer in 8021X environment

In addition to my last post...

On the DMZ controller we have two VLANs with two different subnets.

One is for the Untrusted devices (iPad, iPhone coming through AirWatch).

If I add my printer to the Guest network, it gets connected and remains stable.

Is there any rule or policy I can add on ClearPass or the controller which can allow the Untrusted devices to talk to and print from the Guest VLAN?

Thanks.


Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: Adding a Wireless Printer in 8021X environment

If the DMZ controller is where the user authentication is done, and this is the only device you want to create an exception for, you can create a user derivation rule that automatically puts the printer with that MAC address into a role that allows internet traffic, so that it does not have to authenticate: http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/PSK-MAC-Address-based-VLAN-Steering/ta-p/85212

In addition, if the CEO wants to print to that printer, he should have a printer that has something like Google Cloud Print, so that printer traffic goes to the internet and the printer receives it from the internet. That way there does not have to be any direct connection between the printer and the CEO's devices...



Colin Joseph
Aruba Customer Engineering
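
A sketch of the MAC-based user derivation rule described in the reply above, added here as an example; it is not taken from the thread or from the linked knowledge base article. It uses ArubaOS 6.x controller CLI, and the MAC address, ACL, role, rule and AAA profile names are all constructed placeholders. It assumes the rule is attached to the AAA profile of the SSID the printer can actually join; because a MAC address can be cloned, the role it assigns permits only DHCP, DNS and outbound web traffic.

```text
! Constructed example: all names and the MAC address are placeholders.
!
! Session ACL for the exception role. Anything not listed here falls
! through to the implicit deny at the end of the ACL.
ip access-list session printer-internet-only
  user any svc-dhcp permit
  user any svc-dns permit
  user any svc-http permit
  user any svc-https permit
!
! Role the printer is placed in without authenticating.
user-role printer-internet
  access-list session printer-internet-only
!
! User derivation rule: match the printer's MAC address exactly and
! assign the restricted role.
aaa derivation-rules user printer-by-mac
  set role condition macaddr equals "00:11:22:33:44:55" set-value printer-internet
!
! Attach the rule to the AAA profile used by the SSID the printer joins
! (placeholder profile name).
aaa profile guest-aaa
  user-derivation-rules printer-by-mac
```

After the printer associates, `show user-table` on the controller should list its MAC address with the `printer-internet` role.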