Runbook: Brother Printer EAP-TTLS Authentication

Last Updated

2026-02-14

Owner

evanusmodestus

Frequency

As Needed


Purpose

Configure Brother network printer for 802.1X wired authentication using EAP-TTLS with FreeIPA LDAP as external identity source. All configuration performed via netapi CLI (no GUI).

Architecture

Component               Configuration
Authentication Method   EAP-TTLS with MSCHAPv2 inner method
Identity Source         FreeIPA LDAP (External Identity Store)
Printer MAC             90:32:4B:B8:FC:FE
Endpoint Group          DOMUS_Printers (static assignment)
Profile                 Brother-Device (auto-profiled)
Policy Set              DOMUS_Printers (dedicated policy set)
Authorization           Printer-specific DACL + VLAN assignment

[Figure 1. Printer EAP-TTLS Authentication Flow]

Prerequisites

  • ISE 3.x deployment operational

  • netapi CLI configured with ISE credentials

  • gopass configured for credential storage

  • Switch port configured for 802.1X

  • Printer network accessible for web config

  • FreeIPA deployed and joined to ISE as external LDAP identity source

Procedure

Step 1: Store Printer Credentials in gopass

# Generate secure password
gopass generate v2/DOMUS/printers/brother-mfc-01 24
# Add metadata via heredoc
gopass edit v2/DOMUS/printers/brother-mfc-01 << 'EOF'
device: Brother MFC-L2750DW
mac: 90:32:4B:B8:FC:FE
auth: EAP-TTLS/MSCHAPv2
location: Home Office
created: 2026-02-14
EOF
# Verify
gopass show v2/DOMUS/printers/brother-mfc-01

Step 2: Create Printer Endpoint Group and Register Endpoint

# Check if endpoint group exists first
if netapi ise get-endpoint-groups --size 100 2>/dev/null | grep -q "DOMUS_Printers"; then
  echo "SKIP: DOMUS_Printers already exists"
else
  netapi ise create-endpoint-group "DOMUS_Printers" \
    --description "DOMUS network printers - EAP-TTLS authentication"
fi
# Assign printer to endpoint group with STATIC assignment
# This prevents ISE Profiling from overriding the group
netapi ise update-endpoint-group "90:32:4B:B8:FC:FE" "DOMUS_Printers" --static

Why Static Assignment?

The --static flag sets staticGroupAssignment=true in ISE, which prevents the ISE Profiler from automatically moving the endpoint to a different group based on profiling rules. Without it, the printer could be moved into the auto-profiled "Brother-Device" group instead of staying in the "DOMUS_Printers" identity group, and the policy set condition in Step 6 would no longer match.

Step 3: Create FreeIPA Service Account

This step is performed on the FreeIPA server. See the FreeIPA Identity Management roadmap for the detailed LDAP integration.

# On FreeIPA server - create service account for printer auth
ipa user-add svc-printer-01 \
  --first="Brother" \
  --last="Printer" \
  --email="printers@inside.domusdigitalis.dev" \
  --password

# Set password from gopass
echo "$(gopass show -o v2/DOMUS/printers/brother-mfc-01)" | ipa user-mod svc-printer-01 --password

Step 4: Create Printer DACL

netapi ise create-dacl \
  --name "DACL_CORP_PRINTERS" \
  --description "Corp Printers - Print protocols + management" \
  --rules "
remark ### PRINTER PROTOCOLS ###
permit tcp any any eq 9100
permit tcp any any eq 515
permit tcp any any eq 631
remark ### MANAGEMENT ###
permit tcp any any eq 80
permit tcp any any eq 443
permit udp any any eq 161
remark ### DISCOVERY ###
permit udp any any eq 5353
permit udp any any eq 1900
remark ### INFRASTRUCTURE ###
permit udp any host 10.50.1.90 eq 53
permit udp any host 10.50.1.1 eq 123
permit icmp any any
remark ### DENY ALL ###
deny ip any any log
"
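As an added pre-push check (not part of the original runbook or of the netapi tool), the following Python lints the DACL rule text from Step 4: it parses each line, requires the logged deny-all to be the last rule and not to shadow anything, flags any `permit ip`, and flags permitted TCP/UDP ports outside the set the printer role needs. The rule text and the expected-port set are copied from this runbook; the constant names and the expected-port set are this example's own assumptions.

```python
import re

# Constructed copy of the DACL_CORP_PRINTERS rule text from Step 4 (one remark kept).
PRINTER_DACL = """remark ### PRINTER PROTOCOLS ###
permit tcp any any eq 9100
permit tcp any any eq 515
permit tcp any any eq 631
permit tcp any any eq 80
permit tcp any any eq 443
permit udp any any eq 161
permit udp any any eq 5353
permit udp any any eq 1900
permit udp any host 10.50.1.90 eq 53
permit udp any host 10.50.1.1 eq 123
permit icmp any any
deny ip any any log
"""

# Ports a printer role legitimately needs (assumed set); any other permitted port is flagged.
EXPECTED_PORTS = {"tcp": {9100, 515, 631, 80, 443}, "udp": {161, 5353, 1900, 53, 123}}
CATCH_ALL = {"action": "deny", "proto": "ip", "src": "any", "dst": "any", "port": None, "log": True}
RULE_RE = re.compile(r"^(permit|deny)\s+(\w+)\s+(\S+)\s+(any|host\s+\S+)(?:\s+eq\s+(\d+))?(\s+log)?$")

def parse_dacl(text):
    """Turn dACL lines into dicts; remarks are skipped, anything unparseable raises."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("remark"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable dACL line: {line!r}")
        action, proto, src, dst, port, log = m.groups()
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst,
                      "port": int(port) if port else None, "log": bool(log)})
    return rules

def lint_dacl(text):
    """Return a list of findings; an empty list means the dACL passes every check."""
    rules, findings = parse_dacl(text), []
    if not rules or rules[-1] != CATCH_ALL:
        findings.append("last rule must be an explicit 'deny ip any any log'")
    for i, r in enumerate(rules):
        permit = r["action"] == "permit"
        if r == CATCH_ALL and i < len(rules) - 1:
            findings.append(f"rule {i}: catch-all deny shadows every rule after it")
        elif permit and r["proto"] == "ip":
            findings.append(f"rule {i}: 'permit ip' is broader than any printer protocol needs")
        elif permit and r["proto"] in EXPECTED_PORTS and r["port"] not in EXPECTED_PORTS[r["proto"]]:
            findings.append(f"rule {i}: {r['proto']}/{r['port']} is not an expected printer port")
    return findings
```

Run `lint_dacl` over the `--rules` text before calling `netapi ise create-dacl`; a non-empty result means the DACL has drifted from the printer-only least-privilege shape above.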

Step 5: Create Authorization Profile

netapi ise create-authz-profile \
  --name "AuthZ_DOMUS_Printers" \
  --description "Corp Printers authorization - VLAN + DACL" \
  --vlan 10 \
  --dacl "DACL_CORP_PRINTERS"

Step 6: Create Printer Policy Set

# Create dedicated policy set for printers
netapi ise create-policy-set \
  --name "DOMUS_Printers" \
  --description "Corporate Printer 802.1X Policy" \
  --condition "EndPoints:EndPointGroup EQUALS DOMUS_Printers" \
  --allowed-protocols "Default Network Access"

Step 7: Add Authentication Rule

netapi ise add-auth-rule \
  --policy-set "DOMUS_Printers" \
  --name "Printers_EAP_TTLS" \
  --condition "Network Access:EapAuthentication EQUALS EAP-TTLS" \
  --identity-source "FreeIPA_LDAP" \
  --rank 1

Step 8: Add Authorization Rule

netapi ise add-authz-rule \
  --policy-set "DOMUS_Printers" \
  --name "Corp_Printer_Access" \
  --condition "EndPoints:EndPointGroup EQUALS DOMUS_Printers" \
  --profile "AuthZ_DOMUS_Printers" \
  --rank 1

Step 9: Add Default Deny Rule

netapi ise add-authz-rule \
  --policy-set "DOMUS_Printers" \
  --name "Default_Deny" \
  --condition "Network Access:AuthenticationStatus EQUALS Success" \
  --profile "DenyAccess" \
  --rank 99

Step 10: Verify Policy Configuration

# Verify policy set created
netapi ise get-policy-set --name "DOMUS_Printers"
# Verify auth rules
netapi ise get-auth-rules --policy-set "DOMUS_Printers"
# Verify authz rules
netapi ise get-authz-rules --policy-set "DOMUS_Printers"
# Verify endpoint is in DOMUS_Printers group with static assignment
netapi ise get-endpoint "90:32:4B:B8:FC:FE"

Step 11: Configure Printer

Access printer web interface at <printer-ip>/:

Setting                   Value
Wired 802.1x              Enabled
Authentication Method     EAP-TTLS
Inner Authentication      MSCHAPv2
User ID                   svc-printer-01
Password                  <from gopass>
Server Cert Verification  Disabled

Step 12: Connect and Verify

# Monitor live authentications
netapi ise mnt live-sessions --mac "90:32:4B:B8:FC:FE"
# Check via DataConnect
netapi ise dc query "
SELECT
    USER_NAME,
    CALLING_STATION_ID as MAC,
    AUTHENTICATION_PROTOCOL,
    SELECTED_AUTHORIZATION_PROFILES,
    PASSED,
    TIMESTAMP_TIMEZONE
FROM RADIUS_AUTHENTICATIONS
WHERE CALLING_STATION_ID = '90-32-4B-B8-FC-FE'
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 5 ROWS ONLY
"

Verification

Full Policy Audit

netapi ise audit --policy-set "DOMUS_Printers"

Test Authentication

# Verify printer accessible
ping <printer-ip>
# Verify print port open
nc -zv <printer-ip> 9100

Troubleshooting

Authentication Fails - User Not Found

# Verify FreeIPA LDAP connectivity from ISE
netapi ise get-external-identity-stores

# Test LDAP bind
ldapwhoami -H ldap://freeipa.inside.domusdigitalis.dev -D "uid=svc-printer-01,cn=users,cn=accounts,dc=inside,dc=domusdigitalis,dc=dev" -W

Endpoint Not In Correct Group

# Check current endpoint group and static assignment
netapi ise get-endpoint "90:32:4B:B8:FC:FE"

# Re-apply static assignment if needed
netapi ise update-endpoint-group "90:32:4B:B8:FC:FE" "DOMUS_Printers" --static

Wrong Policy Set Selected

# Check policy set conditions
netapi ise get-policy-sets
# Verify endpoint group assignment in profiling
netapi ise dc query "
SELECT ENDPOINT_PROFILE, ENDPOINT_ID, ENDPOINT_STATIC_ASSIGNMENT
FROM PROFILED_ENDPOINTS_SUMMARY
WHERE ENDPOINT_ID LIKE '%B8:FC:FE'
"

DACL Not Applied

# Check session details
netapi ise mnt session-details --mac "90:32:4B:B8:FC:FE"
# Verify DACL exists
netapi ise get-dacl --name "DACL_CORP_PRINTERS"

Rollback

Complete removal via API:

# Delete authorization rules
netapi ise delete-authz-rule --policy-set "DOMUS_Printers" --name "Corp_Printer_Access"
netapi ise delete-authz-rule --policy-set "DOMUS_Printers" --name "Default_Deny"

# Delete authentication rules
netapi ise delete-auth-rule --policy-set "DOMUS_Printers" --name "Printers_EAP_TTLS"

# Delete policy set
netapi ise delete-policy-set --name "DOMUS_Printers"

# Delete authorization profile
netapi ise delete-authz-profile --name "AuthZ_DOMUS_Printers"

# Delete DACL
netapi ise delete-dacl --name "DACL_CORP_PRINTERS"

# Delete endpoint group (if empty)
netapi ise delete-endpoint-group --name "DOMUS_Printers"

# FreeIPA user cleanup (on FreeIPA server)
ipa user-del svc-printer-01

Notes

  • Brother printers support EAP-FAST, EAP-TTLS, PEAP - but NOT EAP-TLS

  • Dedicated policy set ensures printers don’t interfere with workstation policies

  • Static endpoint group assignment prevents ISE Profiler from overriding group

  • Credentials stored in gopass at v2/DOMUS/printers/

  • FreeIPA LDAP provides centralized identity management

Related

  • FreeIPA Identity Management (infra-ops)

  • 802.1X EAP-TLS Troubleshooting (infra-ops)