802.1X with network printing

Hi, Hi.

I've been reading about 802.1X and have set it up to protect a small (test) wireless network (WinXP supplicant) and all seems to work. I was about to try it with part of our wired (test) network which uses Catalyst 2950 switches when a thought occurred. How do I protect ports which are (normally) connected to printers? Chiefly, how do I protect the network from an interloper who unplugs a printer and connects his own devices?

I considered that all of these ports could be connected to a distinct LAN/VLAN which was firewalled from the main LAN/VLAN but some of the heavier devices have multiple functions printer/copier/scanner/fax with delivery of scans by FTP/SMTP/fax with email notification, so the firewall solution would be non-trivial :-( On a wireless network the problem seems even harder to solve.

How are these devices normally handled?

Steve.

Reply to
Steve Burton

With print servers that support 802.1X authentication

Reply to
Merv

I had a google around and found one such print server (this for 802.11g; I haven't checked for wired) but commonly we (as SAs) are stuck with what we already have and a company propensity to continue to buy previously successful printers, often with integral servers. I was rather hoping for a previously overlooked 'silver-bullet'.

Steve.

Reply to
Steve Burton

Hi Steve,

It really comes down to how much effort you wish to put in. I can think of 3 main ways to start with:

1. The simplest would be to lock it at the device level by applying a simple MAC address filter.
2. Or you could use a PVLAN (a private VLAN) for the printer so that it can ONLY connect to one other port, which is then managed by a router, and then use Layer 3 ACLs so that data only flowed the "right way" to/from that port.
3. Upgrade your printer so that it can participate in your 802.1X environment.

Cheers...............pk.

Reply to
Peter
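As an added illustration of options 1 and 3 above on a Catalyst 2950 (IOS), not from anyone in this thread: one access port is MAC-locked with port security for a printer that cannot speak 802.1X, and a second runs 802.1X against RADIUS for one that can. The interface names, VLAN 20, the RADIUS server 192.0.2.10, its shared secret and the printer MAC are placeholders.

```cisco
! --- Global settings (all placeholders are constructed for this example) ---
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SECRET
dot1x system-auth-control
!
! A port-security violation err-disables the port; automatic recovery after
! 300 s avoids a site visit when the cause was a legitimate printer swap.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Option 1: legacy printer with no 802.1X support, locked to one MAC ---
! Caveat: this only checks the address a device presents, so treat it as a
! deterrent rather than authentication.
interface FastEthernet0/1
 description Printer (legacy) - port-security MAC lock
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
 spanning-tree portfast
!
! --- Option 3: 802.1X-capable printer authenticates via RADIUS ---
interface FastEthernet0/2
 description Printer (802.1X capable)
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
```

Ports facing other switches keep the default force-authorized state; enabling 802.1X on an uplink would block trunk traffic.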

A number of printers with integral server (i.e. HP) support 802.1X

Reply to
Merv

Thanks for all your replies. The wired case seems reasonably straightforward [!] but the wireless case, where there are no physical ports, less so. I suppose using only 802.1X compliant printers *securely* wired each into its own, cheap, (Linksys ?) AP would work though it'd be fairly unsightly and need two mains supplies. Then, of course, you might argue that if I'm wiring for mains twice perhaps I could run cat5 while I'm at it :-)

Steve.

Reply to
Steve Burton

I don't know if this is reasonable or not. Depending on the AP that you are using, you may be able to set up an additional SSID that does not advertise itself; I believe this is called beaconing(?). Then you could configure your printer to get on to the SSID that is not broadcast. This will provide some security through obscurity. Of course you will want to set up all appropriate WEP / WPA / WPA2 security on the new SSID. I would also probably recommend that you set up MAC filtering on the new SSID. You may even want to consider doing some filtering based on destination IP and / or port if you can.

I do not claim to be an expert in wireless or Cisco hardware, but I think this may give you a direction to look. For what it's worth, I know that an Aironet 350 is capable of broadcasting 16 SSIDs with only one of them beaconing.

Grant. . . .

Reply to
Taylor, Grant

Out of curiosity, why the requirement to have printers use wireless ?

Reply to
Merv

If you ask my clients, "Because we can!".

Grant. . . .

Reply to
Taylor, Grant
