This is a wild guess, but maybe the printer doesn't have (or doesn't trust) your CA certificate, so it's terminating the PEAP (and presumably the TLS too) with a NAK. It *should* send an SSL alert over the PEAP link before doing that IMHO
I have my CA imported to the printer. I also made the printer a client cert and imported that as well. The only thing I can think of here is that the printer asks for the "server id" which they define as "The Server ID must match the rightmost portion of the name provided by the
authentication server". Ive tried multiple names here including the hostname from the certs, radius hostname, NAS IP, just about everything that I can think of and nothing seems to matter. Something I could be missing maybe?
have a user setup in the users file, but it still tries to search ldap
So don't configure LDAP.
I *need* ldap for the rest of my setup. The whole user base besides this printer auth's against ldap. Since this printer is an oddball situation, I created a local user in the users file for it. Regardless, even if I do make an ldap account for it, it still fails with the NAK msg.
radtest does not do eap. Google for "eapol_test" for a CLI way to test the EAP setup.
Eh, I have tested with eapol_test as well using the peap-mschapv2 and ttls-eap-mschapv2 and both work fine for that test user.