802.1x with MAB loses printers

We have implemented a dot1x secured network with 3750 switches, MAB is configured for HP printers.
This works well, but we recently shut down the network core switches and when the core switches were brought back up,
the printers stay offline, they have gone into standby mode and ACS does not show them re-authenticating.
The printers will lose contact with the print server and go into standby and the access switches lose contact with the ACS
I suspect that there is no network traffic from the printers and therefore no mac address captured and sent by the acess switches.
A reload of the switches brings them back online.
My question is,  does this sound the right conclusion? I have not done much PD on this, but if it is, do we have to reload the
printers when this happens or is there a way to get MAB to restart (the access switches and their ports stay up)
Any help on this much appreciated.

Just noticed a typo with my previous post, it was reloading the
printer that brings it back online not the switch.

Similar Messages

  • ASK THE EXPERTS - Update on 802.11n with Fred Niehaus

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on 802.11n with Cisco expert Fred Niehaus. Fred is a Technical Marketing Engineer for the Wireless Networking Business Unit at Cisco, where he is responsible for developing and marketing enterprise wireless solutions using Cisco Aironet and Airespace wireless LAN products. In addition to his participation in major deployments, Fred has served as technical editor for several Cisco Press books including the "Cisco 802.11 Wireless Networking Reference Guide" and "The Business Case for Enterprise-Class Wireless LANs." Prior to joining Cisco with the acquisition of Aironet, Fred was a support engineer for Telxon Corporation, supporting some of the very first wireless implementations for major corporate customers. Fred has been in the data communications and networking industry for more than 20 years and holds a Radio Amateur (Ham) License "N8CPI."
    Remember to use the rating system to let  Fred know if you have received an adequate response.
    Fred might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Other Mobility Subjects discussion forum shortly after the event. This event lasts through March 25, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

    So there are two parts of this question, the latter part I cannot address as it is a future question.  Cisco does not comment on products that have not been released or on the strategy of next generation products.
    That said, Cisco was first to market with an 802.11n Access Point and well (we didn't all go on vacation after we did that)
    So let's talk a little about spatial streams in general and how it relates to what customers are doing today.
    The Cisco 1040, 1140, 1250, 1260 and 3500 Series Access Points are all two spatial streams (2SS).
    As of the time of this writing, a critical mass of 3SS and 4SS compatible clients have yet to be deployed, and the vast majority of WiFi clients that will be deployed over the next 18 months will be 1SS and 2SS clients.
    The higher SS clients are likely only show up in some higher end notebooks -- Why? well it is a given that smartphones and tablets are likely to continue to be 1SS and in some rare cases 2SS.
    This is because additional radios used in this technology consume battery life, add to the physical size of the device and increase the cost. Also many devices leverage the same single antenna for cellular as well as WiFi.  Therefore, it is my opinion that 3SS Access Points provide little if any performance benefit for smartphones or tablets in the enterprise today, and any real throughput gain is likely to occur with high end notebooks in close proximity to the Access Point and those are rolling out very slowly and we are monitoring this.
    Now we get to my favorite part of this..  I get to ask myself a question and then answer it..
    So Fred are you saying that there is no value in 3SS and 4SS?
    Of course not, 3SS performs similar to 2SS beyond a short distance, and with any multi-SS product RF interference must be addressed to capture the performance benefits of higher SS Access Points. Actual throughput in any WiFi environment is highly dependent on the presence of interferers and obstacles.
    Without the ability to mitigate the impact of interference, 3SS solutions will "downshift" to 2SS of 1SS and lose all the performance benefits anyway IMHO.
    I don't want to sound like a commercial, but you really do need Cisco cleanair technology in the AP and Cisco innovations deliver more and will go beyond the simple 3SS aspects of the 802.11n standard.
    IMHO it's more about CleanAir, good RF system design, and what we put into the AP with regard to performance "in the environment" and not what is on some spec sheet today.
    For more on Cisco CleanAir see the following URL http://www.cisco.com/en/US/netsol/ns1070/index.html
    Fred

  • FlexConnect Access Point - Wired 802.1X or MAB Authentication

    Hi all,
    We are piloting wired 802.1X but have hit a snag - FlexConnect AP switchport configuration requires the port be configured as trunk, with the native VLAN for management and access VLAN(s) for client data.
    I know 802.1X cannot be configured on trunk port, but how can we configure MAB on trunk ports such as these?
    Otherwise, is there another way we can authenticate these FlexConnect APs on a switch using ISE?
    Thanks in advance.
    Regards,
    Stephen.

    Hi Stephen. You are correct, 802.1x should not be configured on a trunk port. Moreover, you would run into an issue with clients if you are running local switching mode. Here is the flow:
    1. AP, authenticates via MAB and profiling
    2. Client authenticates via PEAP/EAP-TLS, etc
    3. Now the client's traffic is locally switched, thus, the client mac address is showing on the same port where the AP is connected. The NAD (Switch) sees this new mac address and it is expecting it to perform 802.1x or MAB based authentication. The supplicant, however, does not know that and as far it is concerned it was already authenticated.
    So I have ran into this issue in my deployments and you have the following options (listed in preference order):
    1. Eliminate FlexConnect :)
    2. Utilize AutoSmartPorts where:
    - If an AP is connected, then 802.1x configuration is removed, port-security is enabled and locked to a single MAC address and trunk configuration is enabled
    - If the AP is removed, then port is configured as standard access port, port-security is removed and 802.1x is configured
    More info on auto smart ports:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/15-0_1_se/configuration/guide/asp_cg.html
    3. You can configure the port in a "multi-host" mode where after the first device is authenticated all subsequent devices are allowed on the network.
    Hope this helps!
    Thank you for rating helpful posts!

  • Cisco ip phones authenticate 802.1x with cisco ise 1.3

    Dear all,
    I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate. 
    How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ? 
    Thanks

    following are ISE 802.1x  sample authentication rules..you can change the protocol (Policy -> policy elements - > results -> authentication and you can select the proctocal)

  • Wired 802.1x with PEAP

    I have manage to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single-signon can be achieved.
    Setup:
    C3750 switch - Cisco ACS 3.2 - Windows AD
    Sequence of events:
    1. 802.1x machine authentication
    2. User logs in to domain
    3. 802.1x with user credentials
    But, I have the following issues:
    i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
    ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
    Any solution for this?
    Tks

    2 issues here:
    *Cached credentials for Microsoft supplicannts. Microsoft's authentication strategy in general reflects, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, would recommend another supplicant.
    * Falied Authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do. (this can be verified by a sniffer trace or debugs). Correspinding logs on RADIUS would help as well.

  • Cisco ip phones authenticate 802.1x with cisco ise

    Dears,
    I want to  configure ip phones authenticate from Cisco ISE with 802.1X with certificates. But i can not find any configuration guide about this solutions.
    I find one config and this is about ACS. Please provide me any documentation guide on cisco ise.
    Thanks. 

    802.1x configuration for IP Phones
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#69217

  • Wireless 802.1x with Window 7

    I have a WLC 6.0,  ACS 3.3 and the SSID is setup to use 802.1x with Peap Authentication.   The clients are using Windows 7 to connect to wireless.     To get the clients connected they have to go into there network properties if the wireless card,  configure the client to use PEAP,  uncheck validate server certificate, and also uncheck use computer name to login into windows.  This works fine and the user to able to connect to to wireless after dong all these steps and then entering in there Windows Username and Password.    The customer is saying that this is to many steps for the end user and they just want the user to to click on the SSID and connect.  If wireless could also be setup to use  there windows username and password   would be a bonus.  I'm basically looking for a solution that is simple but is also secure as well.  I know that's an oxymoron.   Is there anything I could do to make the wireless process simpler.  Either by going with a different security authentication or by doing something different on the clients computers.   Thanks for any help and suggestions. 

    This is a script that we use on our campus (University of Leeds), that self configures an 802.1x connection and when a user connects to an 802.1x connection merely asks them for their username and password, which then remained cached.
    The .exe you create takes away all the techy bits that do 'confuse' some users, even if they are provided with well written documentation.
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    https://sourceforge.net/projects/su1x/
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    http://lsayregj.swan.ac.uk/su1x/SU1X_User_Guide-v104.pdf
    Features include:
    - Automation of configuration of a PEAP wireless connection on XP(SP3),Vita and Win 7
    - Can set EAP credentials without additional user interaction (avoids tooltip bubble)
    - Installation of a certificate (silent)
    - Checks for WPA2 compatibility and falls back to a WPA profile
    - Third party supplicant check -SSID removal and priority setting
    - Support tab: (checks: adapter, wzc service, profile presence, IP)
    - Outputs check results to user with tooltip and/or to file
    - Printer tab to add/remove networked printer
    This tool is very cleverly written by Gareth Ayres at Swansea University

  • 802.1x with ACS and Windows AD

    Hi
    Im trying to setup 802.1x with ACS 5.2 but am struggling as its very differnet to ACS 4.2.
    I have setup the ACS to be the domain and think i have setup up the External Idnetity Store, however when i try to authenticate a pc using authentication Medthod 'PEAP (EAP-MSCHAPv2), i get a failure reason '22056 Subject not found in the applicable identity store'
    Marco

    Hi Marco,
    i guess you've missed a mapping configuration in the Access Policy Section.
    Create a Access Service name it AS-802.1x select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed Protocol. Click Finish
    You'll see the new service click Identity.
    Select the identity source you've created then save.
    Click on authorization
    Select a default authorization rule permit access and save.
    Create a Service Access Rule name it 802.1x
    Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed then select the service you created before.
    then you can try again.
    regards
    alex

  • [WLAN] Use 802.1x with PEAP without Certificates?

    Hello there,
    is it possible to use 802.1x with PEAP authentication via MS-CHAPv2 without cheking for the servers certificate? I can't find an option to disable it

    On whitch device? You can set the autorithy certifacte to none or choose one from the list.
    ‡Thank you for hitting the Blue/Green Star button‡
    N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

  • 802.1x with Vlan assignment and IP phone and PC

    I have a Catalyst 4510R and I want to im plement 802.1x with dynamic VLAN assignment via Radius server. I am going to plug to switch ports Cisco IP phones and PCs (PCs are plugged in the IP phone).
    For this implementation I need to configure the switch port in mode trunk because I have voice vlan corresponding IP phone and data vlan corresponding to PC.
    However I have read that I can not enable 802.1x on a trunk port.
    How could I configure this?
    I need that when the PC is authenticated correctly is assigned to his cooresponding data vlan and the IP phone is in the voice vlan.
    Thanks

    You should configure the port as an access port with an aux-vlan. Here's an example:
    interface GigabitEthernet2/2
    switchport access vlan 701
    switchport mode access
    switchport voice vlan 702
    load-interval 30
    qos trust device cisco-phone
    qos trust cos
    auto qos voip cisco-phone
    dot1x pae authenticator
    dot1x port-control auto
    tx-queue 3
    bandwidth percent 33
    priority high
    shape percent 33
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy output autoqos-voip-policy
    Hope this helps,

  • 802.1x with the 6901 IP Phones

    Hello Experts,
    We  are testing the 802.1x with the 6901 IP Phones. And we can see on ACS  "EAP Session Timeout" In the logs, and cansee that the EAP Username used  by the phone is CP-6901-SEPB8BEBF220041.
    How ever following issues are stopping us to deploy it fully.
    How to enter password in IP Phone since It does not have LCD screen.
    Wetried IVR option, but it gives pin as an option, Is this Pin used as passwordfor 802.1x authentication.
    Dowe use any default password for this to work.
    Thanks in advance for the help.
    Regards
    Ronak Patel

    Overall, you need to try and deal with the fact that a machine can disappear from the network and the network may not know about it directly (i.e. Link doesn't go down).
    I have no idea what other phones do, but Cisco phones send an EAPOL-Logoff when something is unplugged. This lets the switch know directly, and 1X session start is torn down immediately, closing what would be a security hole.
    Fundamentally, re-auth is a workaround only, and this is not the reason to enable re-auth to begin with.
    If your phone doesn't send an EAPOL-Logoff in this case, the switch might be left thinking an attack is underway when someone else tries to plug in (with presumably a different MAC). You do NOT want this to occur.
    Hope this helps,

  • WLC 5508 802.1x with AES

    Hi,
    We have a staff WLAN on Cisco WLC 5508. We use 802.1x with TKIP with authentication from RADIUS server. We deployed new 802.11n APs but on staff WLAN we cannot enable 802.11n because of the TKIP encryption. Can we just simply change the encryption without changing any other configuration to support 802.11n data rates?

    On your WLAN you can enable AES and TKIP. Just know that some clients mau have issue when they see both TKIP and AES. Ive had pretty good success with this in the past. Dont forget, you also need to enable WMM allowed to get N rates.
    But you will need to configure AES on the client as well to support N rates.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • 802.1x with VLAN assignment on Catalyst 2950T-48-SI

    I will really appreciate if you can confirm me if the C2950T-48-SI will support the following features.
    - IEEE 802.1x with VLAN assignment
    - SSHv2
    - SNMPv3
    The data sheet for the Cisco Catalyst 2950 Series Switches with Standard Image mentions all the above and more features for the 2950T-48-SI, but at the same time the power point presentation, (Cisco Catalyst 2950 Series Switches, and the tool Sofware advisor say that those features are only supported with the Enhanced Image.
    If your those feature are supported by the Standard Image, would you please also inform the last IOS version supported.
    Thanks a lot.

    SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
    802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
    SNMPv3 is supported.
    HTH
    Andy

  • 802.1X with Guest vlan support IOS version ???

    I don't know, Whitch IOS version support 802.1X with Guest vlan to Catalyst 2950 and 3550 switch
    please reply to my question.

    Tkank for your help.
    Also, Cisco web is explained , except for Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3
    but I can't understand, My site is using catalyst 2950 SI to 802.1X and guest vlan in IOS image 12.1(22)EA3
    ex) TW_14F_A_C2950_32.8#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    Model number: WS-C2950-24
    please, reply for my question

  • 802.1x with AD support via ACS 4

    Hello ,
    I have been trying to configure 802.1x Authentication on a test switch . Authentication will be provided by the ACS server . This worked when I had the client setup for EAP-MD5 and had local user accounts on the ACS server . However this is impractical if we were to deploy this on a large scale. How can i configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database . The trouble is AD does not support EAP-MD5. It supports PEAP but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake "
    Has anyone here setup 802.1x with AD integration via ACS 4.0 . Please help.
    Thanks.
    Karthik

    Hi Karthik,
    The SSL handshake will fail in our experience for any of the following reasons:
    - The supplicant cannot access the private key corresponding to it's certificate - check that the system a/c has pemissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys
    - The ACS sever does not trust the Root Certificate for the PKI that issued the supplicants certificate - Is the Supplicants Root CA present in the ACS Certificate Trust List?
    - CRL checking is enabled and the CRL has expired or is inaccessible
    If you up the logging levels to full and examine the csauth log closely you should get more detail as to the reason
    Hope that helps
    Andy

Maybe you are looking for