FreeRADIUS with some HP Multifunction printers

Arran Cudbard-Bell a.cudbard-bell at sussex.ac.uk
Wed Feb 11 17:22:06 CET 2009


Alan DeKok wrote:
> A.L.M.Buxey at lboro.ac.uk wrote:
>> verily, we created userIDs for the printers in the Active
>> Directory  (same as normal users - and they happily use 802.1X
>> for wifi and wired).
>>
>> however, we have hit a problem - when configuring some HP
>> printers to use PEAP, it 'just doesn't work(tm)'  :-(
>
> The printers are *claiming* that they're doing PEAPv0.  However,
> the protocol they're running is actually PEAPv2.
>
>> the devices in question are M5035 and M6040 MFP devices, I've
>> attached the output of the radiusd -X after the 'ready' line  -
>> as said, this all works for other devices.... anyway, the
>> 'interesting' line as far as I'm concerned after seeing these
>> debugs for many years is
>>
>> [peap] Session established.  Decoding tunneled attributes.
>> [peap] Got something weird.
>
> Yes.  Arran ran into this, too.  He sent me some more detailed
> packet traces.
>
> The contents of the tunnel are wrong for PEAPv0.  I believe he
> fired off a "polite" email to HP about this. :)

It took me 30 minutes to explain the basic premise.

0: Them: Does the printer get an IP?
1: Me: Yes
2: Them: But it doesn't work on the network?
3: Me: No, because the developers mis-implemented PEAPv0 and failed
authentication
4: Them: But it gets an IP?
5: Me: Yes
6: Them: But it doesn't work on the network?
goto 3;

I think it's at 'second level' tech support now.... I'm waiting for a
response back.

They even tried to transfer me to HP ProCurve at one point:

ProCurve: But it's a printer?
Me: They said it was a networking problem...
ProCurve: But it's a printer?

It looks like they actually implemented the 802.1X-2004 version, as opposed
to the ProCurve switches, which appear to implement the earlier standard.

That is, the supplicant has both 'Controlled' and 'Uncontrolled' ports.
Only the Uncontrolled port seems to allow DHCP traffic to pass as well
as EAPOL packets...

So once you enable authentication and the printer fails to
authenticate, it won't let you Telnet into the jetdirect card or use
the web interface until you do a cold restart (and clear all the
802.1X settings)...

Brilliant!

You're welcome to open a case as well...

Arran