Radius and silent devices

ChristophW

Hello everyone,

Unfortunately I cannot find any information on how Meraki handles the VLAN association with silent devices.
For example, I have a printer which gets sent to VLAN 111 on a port with RADIUS authentication and access VLAN 1.

The printer goes into sleep mode and does not send any packets.
Now someone wants to print something on this printer and needs to contact the printer in VLAN 111.
Does the switch forget the VLAN association on the port where the printer is connected when the MAC aging time expires?

Thanks everyone.

12 Replies
alemabrahao

Have you checked the logs on the RADIUS server to validate that the device is still authenticated? I could be wrong, but I think this is the expected behavior when the printer goes into sleep mode.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ChristophW

I have to check. But the main question is whether ARP requests still reach the printer, because it should stay authenticated and associated with the VLAN when it was authenticated in the past.

alemabrahao

802.1X Control Direction (Wake-on-LAN support)

802.1X Control Direction is set by default to "both" directions. In this mode, the switch port doesn't allow ingress or egress traffic through the switch port until after the port is authorized via 802.1X or MAB authentication. Control Direction can also be set to "inbound-only", in which case the switch port doesn't allow ingress traffic, but will allow limited egress traffic from the network through the switch port to reach the connected device. This is often used to allow Wake-on-LAN magic packets to wake a sleeping host on the connected port, at which point the host can attempt a normal 802.1X or MAB authentication to authorize the switch port for full ingress and egress traffic.

RaphaelL

Depending on the auth mode used, have you configured a re-auth timer? Otherwise the port stays authenticated until there is a port status change or the RADIUS server sends a CoA, IMO.

ChristophW

No re-auth timer is configured. I know from other vendors that if the MAC address ages out, the association of the port to the specific VLAN is deleted as well.

I have to test whether any problems occur. But maybe someone has experience with this scenario.

RaphaelL

"the association of the port to the specific VLAN is deleted as well"

Are you doing dynamic VLAN? I wouldn't expect the port to return to its default VLAN unless there's a port status change or CoA.

I do expect the MAC to be flushed from the CAM if it ages out, but that shouldn't really pose a problem.

ChristophW

We use dynamic VLAN, right. I know Alcatel-Lucent works in such a way that it deletes the VLAN from the port when the MAC ages out. That's the whole problem I see: if Meraki does that too, no one can communicate with the device anymore.

BillyC

I have a deployment with 350 Meraki switches using Cisco ISE 3.2 for dynamic VLAN assignment and no issues with VLAN association for silent devices (printers).

In the Access Policy settings I have "802.1x Control Direction" set to "inbound-only". I also have re-authentication set to 12 hours. The "inbound-only" setting allows the printer to "hear" ARP requests and receive print jobs from the print server. An authentication, if needed, is only triggered when the printer responds to requests.

I have done numerous deployments of ISE with Cisco switches. This is my first deployment of ISE with Meraki devices. Without the "inbound-only" setting, or its equivalent on Catalyst switches, the printer never generates traffic to initiate authentication and also never receives traffic.
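A small model of the behaviour discussed above (the Control Direction quote and BillyC's inbound-only plus 12-hour re-auth setup), added here as an example; it is not code from the thread or from Meraki. It assumes, as the replies state, that a dynamically assigned VLAN survives MAC aging but is dropped when the port becomes unauthorized (re-auth timer, link change or CoA), and that "inbound-only" blocks ingress only while the port is unauthorized. The value names "both"/"inbound", the MAC addresses and the timings are constructed for the example and are not the switch's own identifiers.

```python
# Added example, not from the thread or from Meraki: a toy model of an
# 802.1X/MAB access-policy port to reason about silent devices.
# Modelled assumptions (taken from the replies, not verified on a switch):
# a dynamic VLAN survives MAC aging but is dropped when the port becomes
# unauthorized; control direction "inbound" blocks only ingress while
# unauthorized. MAC addresses and timings below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
PRINTER = "00:11:22:33:44:55"   # constructed
SERVER = "aa:bb:cc:dd:ee:ff"    # constructed


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Port:
    access_vlan: int                      # VLAN used while unauthorized
    control_direction: str = "both"       # "both" or "inbound" (inbound-only)
    reauth_period: Optional[int] = None   # seconds; None = never re-authenticate
    mac_aging: int = 300                  # CAM entry lifetime in seconds
    authorized: bool = False
    dynamic_vlan: Optional[int] = None    # VLAN from the last Access-Accept
    authorized_at: int = 0
    cam: Dict[str, int] = field(default_factory=dict)   # mac -> time last seen
    log: List[str] = field(default_factory=list)

    def current_vlan(self) -> int:
        """Dynamic VLAN while authorized, otherwise the configured access VLAN."""
        if self.authorized and self.dynamic_vlan is not None:
            return self.dynamic_vlan
        return self.access_vlan

    def radius_accept(self, now: int, mac: str, vlan: int) -> None:
        """Access-Accept carrying a VLAN (Tunnel-Private-Group-ID) for this MAC."""
        self.authorized, self.dynamic_vlan, self.authorized_at = True, vlan, now
        self.cam[mac] = now
        self.log.append(f"t={now}: {mac} authorized, port moved to VLAN {vlan}")

    def tick(self, now: int) -> None:
        """Advance time: age out CAM entries, expire authorization on re-auth."""
        for mac, seen in list(self.cam.items()):
            if now - seen >= self.mac_aging:
                del self.cam[mac]
                self.log.append(f"t={now}: {mac} aged out of CAM, VLAN kept")
        if (self.reauth_period is not None and self.authorized
                and now - self.authorized_at >= self.reauth_period):
            self.authorized = False      # a silent device cannot answer the re-auth
            self.log.append(f"t={now}: re-auth expired, port back to VLAN {self.access_vlan}")

    def egress(self, now: int, frame: Frame) -> bool:
        """Frame from the network toward the device; True if it is delivered."""
        if self.authorized or self.control_direction == "inbound":
            return True
        self.log.append(f"t={now}: {frame.src}->{frame.dst} dropped, port unauthorized")
        return False

    def ingress(self, now: int, frame: Frame, radius_vlan: int) -> None:
        """Frame from the device; on an unauthorized port it triggers MAB for its MAC."""
        if not self.authorized:
            self.radius_accept(now, frame.src, radius_vlan)
        self.cam[frame.src] = now


def silent_printer_scenario(control_direction: str,
                            reauth_period: Optional[int] = 43200) -> Tuple[bool, int, bool]:
    """Printer authenticates, sleeps past MAC aging (and the re-auth timer, if
    any), then a print server ARPs for it. Returns (authorized, vlan, arp_delivered)."""
    port = Port(access_vlan=1, control_direction=control_direction,
                reauth_period=reauth_period)
    port.radius_accept(0, PRINTER, 111)     # MAB at boot lands the printer in VLAN 111
    port.tick(600)                          # asleep: CAM entry ages out, VLAN stays
    later = (reauth_period or 3600) + 5
    port.tick(later)                        # re-auth timer fires, if one is configured
    delivered = port.egress(later, Frame(SERVER, BROADCAST))   # server's ARP request
    if delivered:
        port.ingress(later, Frame(PRINTER, SERVER), radius_vlan=111)  # printer replies
    return port.authorized, port.current_vlan(), delivered


if __name__ == "__main__":
    for direction in ("both", "inbound"):
        print(direction, silent_printer_scenario(direction))
```

With no re-auth timer, the port stays authorized across MAC aging in this model and the ARP is delivered under either setting, which is the behaviour RaphaelL describes. Once a re-auth timer (or a CoA or link flap) drops the authorization while the printer is asleep, only "inbound" lets the ARP reach the printer so that its reply can trigger MAB again; with "both" the printer is unreachable until it sends something on its own.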

Quick question. Multi-auth doesn't support a re-auth timer. In that case, 802.1x Control Direction "inbound-only" wouldn't change anything, right?

Also, considering that the end device uses DHCP, having DHCP renewals shorter than your re-auth timer would also fix it? I would assume so.

ChristophW

Thank you both for the information. @BillyC Are your printers running DHCP? Unfortunately my customer does not run DHCP on their printers. So when they are "silent" there is no traffic from them until they get used.

BillyC

The printers have been a mix of DHCP and Static. This is being deployed in a new building with printers initially using DHCP then later they are reconfigured for static.

For the re-auth, I have the ISE server send a radius-request for 43,200 seconds (12 hours).

Bucket

The only way to deal with silent devices is either to configure the device to use DHCP, or to set the access VLAN to the VLAN the device should be in and make sure that control direction is only out in the access policy. This way the traffic should be able to reach the device, and the return traffic should trigger authentication.