Wireless Access

I need to have a printer connect up to our wireless and only be accessable by two specific laptops. Our wireless is open with Captive Ports authentication. I already had a rule in place for specific devices to bypass the web authentication by using MAC authentication so getting the printer to connect to the WLAN is not a problem.

 

Any suggestions on how to only allow two specific devices to access it?

 

Thanks is advance!!!

On the basis the printer is probably statically addressed, why not try...

 

1. Add the two laptops in question to the mac auth database too.

2. In the mac auth server group you're using, add role derivation for the two laptops, resulting in role which has all normal rules, plus permit rules to the printer IP.

 

The only challenge you might get is discovering the printer in the first place. Printer discovery methods vary from vendor to vendor. Some operate with multicast, some broadcast etc. So your rules would also have to allow the laptops to discover it however the vendor does it. Recommend running a packet capture to find out if you don't know (probably either on the wired LAN, or when putting both the laptop and printer in "allow-all" roles temporarily to test).

 

Good luck.

 

So I have two test printers set up (hardlined), both on mac based authentication, no worries there. My laptop can connect to them wirelessly and it can print to them (yipee!!) however...

 

Sometimes the print job goes right through in a few seconds and other times it can take as long as 15 minutes for the print job to go through.

 

Any suggestions?

You should do a "show datapath session table <ip address of laptop>" to see what it is doing while it is printing.  It could require more ports than you have open.  Hopefully the printer is allowing all traffic in both directions.

Ok, so when i do so, here is a sample of what I am getting:

 

---

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
172.27.135.63   172.27.255.255  17   17500 17500  0/0     0 24  1   tunnel 39   10   0         0          FTC
172.27.135.63   65.55.25.59     6    61811 80     0/0     0 24  5   tunnel 39   56   0         0          TC
108.160.160.159 172.27.135.63   6    80    61436  0/0     0 24  1   tunnel 39   5b9  33        4363
69.171.246.16   172.27.135.63   6    80    61824  0/0     0 24  1   tunnel 39   a    3         544
69.171.246.16   172.27.135.63   6    80    61818  0/0     0 24  1   tunnel 39   3a   3         177        F
172.27.135.63   192.168.199.26  6    61823 9100   0/0     0 0   0   tunnel 39   5    0         0          FDYC
172.27.255.255  172.27.135.63   17   17500 17500  0/0     0 24  1   tunnel 39   10   0         0          FY
65.55.25.59     172.27.135.63   6    80    61811  0/0     0 24  1   tunnel 39   56   0         0          F
255.255.255.255 172.27.135.63   17   17500 17500  0/0     0 24  1   tunnel 39   10   0         0          FY
172.27.135.63   255.255.255.255 17   17500 17500  0/0     0 24  1   tunnel 39   10   0         0          FTC

---

192.168.199.26 is the printer. It is getting the flags of FDYC - why would it get the Deny flag?

The user's role is blocking port 9100 to the printer, which is essential.  It also could be that the printer's role is blocking return traffic to the printer.

My kids have sucked out most of my brains this week so my apologies but how do I go about UNblocking said port?

 

****edit****

I am actually testing two printers, a Dell and an HP, both were showing the same tags in reference to port 9100

****edit****

You either edit the role the printer is in or the clients are in by going to configuration > security> access control. Edit either or both roles from there.

Well after a little trial and error I got it. You were correct in that port TCP 9100 was being blocked. I got that corrected and ran a few tests that still failed and then ran the data path command again to find that UDP was also being blocked (3000 and 3400) which was appearently also needed. I got those straight in the role policies and Boo-Yaa!! printing like a champ!

 

Thanks a ton for your help Cj and Monkey   :smileyhappy:

Simply Awesome, McNeill!