Network Printer / 802.1x / Radius no connection

Solved
TNNetGuy
Here to help

Good morning all,

 

I have been working on this for a few days and I just can't figure it out.  I am hoping someone on here might be able to point me in the right direction before I put a ticket in.  I will try and lay this out as completely as possible.

 

I am testing Meraki and 802.1x in a lab environment.  As of right now I have a MS120-24P Meraki Switch connected to a Cisco 887A Router and the switch is pointed at a Radius server.  Now I have successfully created an access policy for 802.1x and successfully tested it on the switch and an MR42 Meraki AP.  I am now trying to test out other devices that we have in our branch offices like printers.  At the moment I have a Lexmark MS410DN printer connected directly to the switch.  When the port is "open" (access port) I can see the printer, it is in the appropriate vlan and we can print from it.  However, my problem is when I apply the access policy to the port then the printer is placed in vlan 10 (guest network) and we can no longer see it.  For some reason it is not communicating with the radius server.  In radius I have added it as a client by both MAC address and static IP, in AD there is a group that has the MAC address of the printer.  I have included one of our systems guys to walk through the radius 802.1x config wizard with me and no matter what we do we can get the printer to go from vlan 10 to vlan 1 and be visible on the network by being authenticated with radius.  If anyone has encountered this problem please let me know what you did to fix it.  Much appreciated.

1 Accepted Solution
Jeff-US
Conversationalist

You may have to do MAC address bypass, and just whitelist the mac address of the printer.

Jeff


10 Replies
jdsilva
Kind of a big deal

What do you have the access policy type set to? It will need to be either MAB or Hybrid.

 

TNNetGuy
Here to help

Jdsilva,

 

I created a 2nd access policy this one being a Hybrid and placed it on the port with the printer.  It was still rejected by Radius. 

 

Thanks,

 

Jeremy

jdsilva
Kind of a big deal

What do the Event Logs in the Dashboard say? What do the RADIUS logs say?

TNNetGuy
Here to help

Jdsilva,

 

Ok so in the event log for the dashboard it just says Radius authentication rejected

 

On my Radius server I am getting event 6273 reason code 65 so I am investigating that at the moment.  There is some small detail that I am overlooking. 

jdsilva
Kind of a big deal

Woohoo progress!

 

It could be something as stupid as the format of the MAC being sent. xx:xx:xx:xx:xx:xx instead of xxxx.xxxx.xxxx for example. I'm not familiar with that RADIUS error so that's just speculation. 

TNNetGuy
Here to help

Tell me about it!

 

It looks like it could be the dial-in properties in the AD user account so we are checking this to see if it is set to deny or allow.  I'll let you know if that produces any results.

TNNetGuy
Here to help

That is a no go!

PhilipDAth
Kind of a big deal

FYI, when I do wired 802.1x I make sure the client gets printers with native 802.1x support, so they log in like everything else. It makes life much easier.

Jeff-US
Conversationalist

You may have to do MAC address bypass, and just whitelist the mac address of the printer.

Jeff

TNNetGuy
Here to help

Jeff,

 

So I was working on this problem this morning and created a third access policy...Mac Address Bypass but also I found in my radius server that under client IPv4 address I had put in the IP of my printer instead of my switch.  Now it all works as it should.   Thank you all for your ideas and help...this problem is solved!!!
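
Added example, not part of the thread and not Meraki or RADIUS vendor code: a small offline audit of the two things raised above, a RADIUS client entry that holds an endpoint's IP instead of the switch's, and a MAC-format mismatch between what the authenticator sends and what the directory stores. All names, addresses and the `sent_format` value are constructed assumptions; check your own switch documentation for the format it actually sends.

```python
import re

# Common renderings of a MAC address in a RADIUS User-Name during MAB.
MAC_FORMATS = {
    "bare":   lambda h: h,
    "colon":  lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "hyphen": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "dotted": lambda h: ".".join(h[i:i + 4] for i in range(0, 12, 4)),
}

def mac_hex(mac):
    """Strip separators and lowercase; reject anything but 12 hex digits."""
    h = re.sub(r"[:.\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", h):
        raise ValueError(f"not a MAC address: {mac!r}")
    return h

def audit(radius_clients, authenticators, endpoints, accounts, sent_format):
    """radius_clients {name: ip}; authenticators: IPs that send Access-Requests;
    endpoints {name: (mac, ip)}; accounts: directory usernames;
    sent_format: MAC_FORMATS key the authenticator uses (an assumption)."""
    findings = []
    endpoint_ips = {ip: name for name, (_, ip) in endpoints.items()}
    for name, ip in radius_clients.items():
        if ip in endpoint_ips:  # the mistake found in this thread
            findings.append(f"client '{name}' ({ip}) is endpoint "
                            f"'{endpoint_ips[ip]}', not an authenticator")
    for ip in sorted(set(authenticators) - set(radius_clients.values())):
        findings.append(f"authenticator {ip} has no RADIUS client entry")
    known = {a.lower() for a in accounts}
    for name, (mac, _) in endpoints.items():
        h = mac_hex(mac)
        stored = [k for k, fmt in MAC_FORMATS.items() if fmt(h) in known]
        if not stored:
            findings.append(f"{name}: no account matches its MAC")
        elif sent_format not in stored:
            findings.append(f"{name}: account is in {stored[0]} format, "
                            f"authenticator sends {sent_format}")
    return findings

# Constructed lab data (RFC 5737 addresses, documentation MAC range).
PRINTER = {"printer": ("00:00:5E:00:53:01", "192.0.2.50")}
BROKEN = audit({"lab-entry": "192.0.2.50"}, {"192.0.2.2"}, PRINTER,
               {"00-00-5E-00-53-01"}, "bare")
FIXED = audit({"switch": "192.0.2.2"}, {"192.0.2.2"}, PRINTER,
              {"00005e005301"}, "bare")

if __name__ == "__main__":
    print("\n".join(BROKEN) or "no findings")
```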
