Hello all,
We've got an issue that has caused us to bang our heads for entirely too long. I've used the wonderful Wired Policy Enforcement solution guide that Mr Cappalli put together to help me accomplish the bare minimum of MAC-based authentication for switch ports. In theory it works great, but the reality isn't so rosy...
When a device (PC or printer) goes to power-save/sleep, it flaps the network port. It does not transmit any frames after it flaps the port, so the port remains in an unauthenticated state. This is apparently normal behavior, but it causes a major issue in two specific scenarios:
- Our desktop support staff frequently need to remotely access PCs to perform updates, install software, etc. If the PC has gone to sleep, we would not have the MAC address in our mac-address table, but at least with port auth off, the ARP frame is flooded until it reaches the right port and the PC then wakes up and responds. With port auth on, the PC is probably not even in the right VLAN for flooding the frame. The only workaround we've found to this has been to schedule the PCs to wake up at regular intervals so that the techs can do their work. It's horribly hokey, but at least we were able to achieve some level of functionality.
- Printers that are offline can't be printed to. We see the same scenario as above where the ARP frame is flooded before we turned on port auth, but now that it's on, the print job can't ever reach the printer unless the printer decides of its own accord to start transmitting frames again and get re-authenticated.
We are seeing this all over the place with HP and Lexmark printers alike and we can't figure out a solution... help!!
We are at a point where this massively useful configuration that allows us to sleep soundly knowing that we know what's on our network might as well go in the dumpster if it can't support some of the devices that most frequently move around.
I understand this may not be a common issue in businesses that see every PC and printer used every minute of the workday, but surely other schools have at least seen this? Are y'all in the same boat?
Thanks! - Daniel Hamilton
ACMP, ACCP, ACSA