FreeRADIUS with some HP Multifunction printers
hi, I wonder if anyone can help or has seen such behaviour. We are running FreeRADIUS on site extensively - for wireless and wired authentication. the perennial issue of printers + 802.1X has raised its head again - and this time we're trying to hit it head on - configure them to use 802.1X ! (ie dont use 'MAC auth bypass', or sticky-mac with port security etc - treat them like computers) verily, we created userIDs for the printers in the Active Directory (same as normal users - and they happily use 802.1X for wifi and wired). however, we have hit a problem - when configuring some HP printers to use PEAP, it 'just doesnt work(tm)' :-( the devices in question are M5035 and M6040 MFP devices, I've attached the output of the radiusd -X after the 'ready' line - as said, this all works for other devices.... anyway, the 'interesting' line as far as i'm concerned after seeing these debugs for many years is [peap] Session established. Decoding tunneled attributes. [peap] Got something weird. [peap] Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid hmmm.....I ponder if this is a PEAPv1/v2 thing going on? confirmations welcome! (can I capture the PEAP type via a debug print statement?) alan
hi, <shuffle shuffle, mumble mumble> heres the attachment that I forgot to attach.... alan
A.L.M.Buxey@lboro.ac.uk wrote:
verily, we created userIDs for the printers in the Active Directory (same as normal users - and they happily use 802.1X for wifi and wired).
however, we have hit a problem - when configuring some HP printers to use PEAP, it 'just doesnt work(tm)' :-(
The printers are *claiming* that they're doing PEAPv0. However, the protocol they're running is actually PEAPv2.
the devices in question are M5035 and M6040 MFP devices, I've attached the output of the radiusd -X after the 'ready' line - as said, this all works for other devices.... anyway, the 'interesting' line as far as i'm concerned after seeing these debugs for many years is
[peap] Session established. Decoding tunneled attributes. [peap] Got something weird.
Yes. Arran ran into this, too. He sent me some more detailed packet traces. The contents of the tunnel are wrong for PEAPv0. I believe he fired off a "polite" email to HP about this. :) Alan DeKok.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alan DeKok wrote:
A.L.M.Buxey@lboro.ac.uk wrote:
verily, we created userIDs for the printers in the Active Directory (same as normal users - and they happily use 802.1X for wifi and wired).
however, we have hit a problem - when configuring some HP printers to use PEAP, it 'just doesnt work(tm)' :-(
The printers are *claiming* that they're doing PEAPv0. However, the protocol they're running is actually PEAPv2.
the devices in question are M5035 and M6040 MFP devices, I've attached the output of the radiusd -X after the 'ready' line - as said, this all works for other devices.... anyway, the 'interesting' line as far as i'm concerned after seeing these debugs for many years is
[peap] Session established. Decoding tunneled attributes. [peap] Got something weird.
Yes. Arran ran into this, too. He sent me some more detailed packet traces.
The contents of the tunnel are wrong for PEAPv0. I believe he fired off a "polite" email to HP about this. :) It took me 30 minutes to explain the basic premise.
0: Them: Does the printer get an IP? 1: Me: Yes 2: Them: But it doesn't work on the network ? 3: Me: No, because the developers mis-implemented PEAPv0 and failed authentication 4: Them: But it gets an IP? 5: Me: Yes 6: Them: But it doesn't work on the network ? goto 3; I think it's at 'second level' tech support now.... I'm waiting for a response back. They even tried to transfer me to HP ProCurve at one point: ProCurve: But it's a printer? Me: They said it was a networking problem... ProCurve: But it's a printer? It looks like they actually implemented 802.1X-2004 version as opposed to the ProCurve switches, which appear to implement the earlier standard. That is the supplicant has both 'Controlled' and 'Uncontrolled' ports. Only the Uncontrolled port seems to allow DHCP traffic to pass as well as EAPOL packets... So once you enable authentication and the printer fails to authenticate, it won't let you Telnet into the jetdirect card or use the web interface until you do a cold restart (and clear all the 802.1X settings)... Brilliant ! You're welcome to open a case as well... Arran
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmS+y4ACgkQcaklux5oVKJceQCfbdG3FCDpZ4JuZ7RNx16uu6dT J5YAn2jd0dlpOGHMCrl0zUlmElIGFDVP =tff3 -----END PGP SIGNATURE-----
Hi,
So once you enable authentication and the printer fails to authenticate, it won't let you Telnet into the jetdirect card or use the web interface until you do a cold restart (and clear all the 802.1X settings)...
tell me about it! even if you let it onto via a failed auth = okay it still wont go live because it saw EAPOL stuff and therefore wont play any more
You're welcome to open a case as well...
lets help the world out here then. what is best, for us to be added as parties onto that case or for us to open our own case? If you can, off-list, give me your case number then I could raise a case here and things might just get escalated. any further debugging/packet dumps you have may be handy - I've almost had enough of these ;-) (we can do more ourselves if required!) alan
Hi,
The printers are *claiming* that they're doing PEAPv0. However, the protocol they're running is actually PEAPv2.
..on this note, any update on when/if FR will do PEAPv1 and PEAPv2? (i note more and more devices are coming with such options - eg Nokia S60 smartphones have all the boxes ticked by default on newer devices) alan
A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
The printers are *claiming* that they're doing PEAPv0. However, the protocol they're running is actually PEAPv2.
..on this note, any update on when/if FR will do PEAPv1 and PEAPv2? (i note more and more devices are coming with such options - eg Nokia S60 smartphones have all the boxes ticked by default on newer devices)
PEAPv1 isn't very useful. I think I have patches for an *old* version of FreeRADIUS to make it do PEAPv2. However, at this point... I'm busy enough that I don't really have time for speculative or "interesting" things any more. Alan DeKok.
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell