MAC Authentication For Printers And Other Headless Devices

By esupport posted Jun 04, 2019 07:55 PM

  
Q:

Why do printers and other headless devices fail to function correctly periodically or over the time when MAC authentication is enabled on the switchport?



A:

Printers and headless devices normally don't speak unless they are spoken to, i.e. The end device does not talk actively on the network and only responds when someone sends a packet to the end device.

This becomes a problem when running MAC authentication as the switch relies on the device to send the first packet so that the switch can use the source MAC address from the packet and use that to trigger MAC authentication. 

This normally works fine for the first time when you plug in device to the network, but over the time when the device is idle the "log-off" period on our switches kicks in and forces the client out of the user table at which point of time the port gets blocked by AAA.

Now, when a user tries to contact the end device the user will be unable to do so since the port is  blocked by AAA and the packet never leaves an "uncontrolled-port".

Log off period is enforced on all the clients that connect to the switch with the default value being 300 seconds.

In order to cope up with this we can use the option "mac pinning" on the port using the below command.

 

aaa port-access mac-based < PORT-LIST> mac-pin

 

Mac pinning basically locks the user to its user table and the MAC table without enforcing the logoff period provided the user does not physically disconnect. 

 

But what happens when the port flaps or if printer goes into sleep mode?

 

When devices go into sleep mode, they flap the port.

This causes the switch to remove the client from the user table and users would not be able to communicate with the end device.

The best option would be to turn on controlled direction in on the switch using the below command.

 

aaa port-access <port-list> controlled-direction in

 

This allows the switch to only enforce a blockage on the port for incoming packets on the port and not outgoing ones. This allows the switch to still forward broadcasts and multicasts on the port including ARP which would help the end device to respond back and inturn trigger MAC authentication again.

1 comment
38 views

Comments

Apr 29, 2020 04:49 PM

The solution provided does not solve the problem at all.  Here is what I have and you still lose contact with the printer.  It's pretty insane actually.  This is completely keeping from being able to deploy NAC with clearpass on my Aruba switches.

aaa port-access authenticator tx-period 10
aaa port-access authenticator supplicant-timeout 10
aaa port-access authenticator client-limit 4
aaa port-access mac-based
aaa port-access mac-based addr-limit 4
aaa port-access mac-based mac-pin
aaa port-access controlled-direction in