MAC Authentication For Printers And Other Headless Devices
Why do printers and other headless devices fail to function correctly periodically or over the time when MAC authentication is enabled on the switchport?
Printers and headless devices normally don't speak unless they are spoken to, i.e. The end device does not talk actively on the network and only responds when someone sends a packet to the end device.
This becomes a problem when running MAC authentication as the switch relies on the device to send the first packet so that the switch can use the source MAC address from the packet and use that to trigger MAC authentication.
This normally works fine for the first time when you plug in device to the network, but over the time when the device is idle the "log-off" period on our switches kicks in and forces the client out of the user table at which point of time the port gets blocked by AAA.
Now, when a user tries to contact the end device the user will be unable to do so since the port is blocked by AAA and the packet never leaves an "uncontrolled-port".
Log off period is enforced on all the clients that connect to the switch with the default value being 300 seconds.
In order to cope up with this we can use the option "mac pinning" on the port using the below command.
aaa port-access mac-based < PORT-LIST> mac-pin
Mac pinning basically locks the user to its user table and the MAC table without enforcing the logoff period provided the user does not physically disconnect.
But what happens when the port flaps or if printer goes into sleep mode?
When devices go into sleep mode, they flap the port.
This causes the switch to remove the client from the user table and users would not be able to communicate with the end device.
The best option would be to turn on controlled direction in on the switch using the below command.
aaa port-access <
port-list> controlled-direction in
This allows the switch to only enforce a blockage on the port for incoming packets on the port and not outgoing ones. This allows the switch to still forward broadcasts and multicasts on the port including ARP which would help the end device to respond back and inturn trigger MAC authentication again.