Hi, here are some responses to your questions:
How does the Enforcer differentiate between an external laptop connecting to the network with no 802.1x client enabled and a printer, for example?
Your 802.1x switch should challenge any connecting device. Because printers will not respond to the 802.1x challenge, the LAN Enforcer will direct the switch to assign that device to the VLAN of your choice. This will likely be the quarantine VLAN. If that device is whitelisted (configure this on the Enforcer by using the SEPM console), the LAN Enforcer will also direct the switch to assign it to the VLAN of your choice (usually the Production network).
If a laptop connects, it will also be challenged. With no response to the 802.1x challenge from the switch, it will be assigned to the quarantine VLAN.
The LAN Enforcer pulls together information from the 802.1x authentication process, SNAC agent, RADIUS server (if installed), and Active Directory (if configured). On the SEPM console, the LAN Enforcer's action table allows you to define which criteria will determine which action. Example:
No 802.1x at all, send to quarantine VLAN (or block port)
802.1x only (no SNAC agent), assign to a VLAN if authenticated by RADIUS server
SNAC agent and passes Host Integrity, assign to VLAN
I want to use the MAB option to list all my printers (I understand this option is like a whitelist for MACs) - I have tried to add a MAC address to the local database (a laptop for testing) but it is still put into quarantine, i.e. all the checks are done... so it isn't working - why not??
Need more info on this to help you. Either post a separate forum thread or call support and they will be able to figure out where the hangup is.
What is the difference between the MAB option and the Ignore-Check option?
MAB is for systems with no ability to respond to 802.1x challenges. The ignore check option is for systems with the SNAC agent installed. It is directing your enforcer to ignore the Host Integrity status reported by that agent. This setting is often used for troubleshooting and initial deployments.
Is there any way to view the MAC list on the Enforcer or does it have to be exported and viewed externally? From what I have seen it is not a very user friendly setup!?
Exporting it is the most efficient way, IMO. The Enforcer shell has severely reduced command-support in order to be locked-down/function as a security appliance.
Let me know if this helps or if you need more info.