Situation: a freeradius server (debian stretch, 3.0.12+dfsg-5+deb9u1) binded to a Samba AD domain (so using EAP, PEAP, MSCHAPv2). I've some 'non human' clients that typically i connect via direct password insertion in users and huntgroups, eg: lp_hpcljm452-1 Cleartext-Password := "unknown;-)", MS-CHAP-Use-NTLM-Auth := 0, Expiration := "Dec 31 2030 19:00:00", Huntgroup-Name == "lp_hpcljm452-1" lp_hpcljm452-1 Calling-Station-Id == "60-6D-C7-27-C1-C9" But this client (an HP Color LaserJet M452nw) claim to have support for PEAP, LEAP and EAP-TLS, not explicitly citing MSCHAPv2. If i try to use PEAP i lead to: Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! We requested to use an EAP type as normal. Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! The supplicant rejected that, and requested to use the same EAP type. Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! i.e. the supplicant said 'I don't like X, please use X instead. Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! The supplicant software is broken and does not work properly. Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! Please upgrade it to software that works. Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) Login incorrect (eap: No mutually acceptable types found): [lp_hpcljm452-1] (from client unifi-sv port 0 cli 60-6D-C7-27-C1-C9) There's some way i can force a 'compatible' EAP type for that user and only that? Thanks. -- Ventiquattromilapensierialsecondofluisconoinarrestabili alimentando voglie e necessita`. (CSI)
On Apr 10, 2024, at 6:05 AM, Marco Gaiarin <gaio@lilliput.linux.it> wrote:
But this client (an HP Color LaserJet M452nw) claim to have support for PEAP, LEAP and EAP-TLS, not explicitly citing MSCHAPv2.
If the client doesn't do PEAP/MSCHAPv2, then no amount of poking FreeRADIUS will make the client do PEAP/MSCHAPv2.
If i try to use PEAP i lead to:
Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! We requested to use an EAP type as normal. Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! The supplicant rejected that, and requested to use the same EAP type. Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! i.e. the supplicant said 'I don't like X, please use X instead. Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! The supplicant software is broken and does not work properly. Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) eap: WARNING: !!! Please upgrade it to software that works. Apr 10 12:00:07 vdmsv1 radiusd[1283]: (5103) Login incorrect (eap: No mutually acceptable types found): [lp_hpcljm452-1] (from client unifi-sv port 0 cli 60-6D-C7-27-C1-C9)
There's some way i can force a 'compatible' EAP type for that user and only that?
Find out what the printer supports, and configure FreeRADIUS to do that, In this case, likely EAP-TLS. Alan DeKok.
Mandi! Alan DeKok In chel di` si favelave...
But this client (an HP Color LaserJet M452nw) claim to have support for PEAP, LEAP and EAP-TLS, not explicitly citing MSCHAPv2.
If the client doesn't do PEAP/MSCHAPv2, then no amount of poking FreeRADIUS will make the client do PEAP/MSCHAPv2. [...] Find out what the printer supports, and configure FreeRADIUS to do that,
OK, but AFAI've understood well, 'PEAP' is an empty container where a subsequent authentication method need to be nested, like MD5, MSCHAPv2 and so on. So, 'PEAP' support what really mean? PEAP with what? And if i need to 'configure freeradius', how? I need to setup modules, or write passwords in some fancy way? Really, i'm groping in the dark...
In this case, likely EAP-TLS.
See in detail next post. Thanks. -- Il computer è come la morosa: meno ci mettono mano gli altri e meglio è! ;-) (Enrico)
hi, Apparently that's the behaviour when the printer doesn't recognise the RADIUS cert. (I support that EAP type but I dont support that type because I'm not happy with the server cert). You need to import the root (and intermediate certificates) into the HP printer then it will do 802.1X happily alan
Mandi! Alan Buxey In chel di` si favelave...
Apparently that's the behaviour when the printer doesn't recognise the RADIUS cert. (I support that EAP type but I dont support that type because I'm not happy with the server cert). You need to import the root (and intermediate certificates) into the HP printer then it will do 802.1X happily
Printer have a self-signed certiifcate (the default HP one); i've loaded the CA certificate (an internal one) into the printer, CA certificate that was used to sign the cert the freeradius server use. I need also to create, sign and load to the printer a client certificate signed by the same CA? Also, i was sure that EAP-TLS mean 'auth by the way of certificates'; but if i choose EAP-TLS, still the printer ask me to input user and password. I'm a bit confused... -- Fino a quando il colore della pelle sarà più importante del colore degli occhi, sarà sempre guerra. (Bob Marley)
On Apr 10, 2024, at 5:03 PM, Marco Gaiarin <gaio@lilliput.linux.it> wrote:
Printer have a self-signed certiifcate (the default HP one); i've loaded the CA certificate (an internal one) into the printer, CA certificate that was used to sign the cert the freeradius server use.
I need also to create, sign and load to the printer a client certificate signed by the same CA?
Also, i was sure that EAP-TLS mean 'auth by the way of certificates'; but if i choose EAP-TLS, still the printer ask me to input user and password.
This is really a "how to configure the printer" issue. We can't help much there, unfortunately. Either the printer is sane, and has good documentation, or it doesn't. Once you've figured out what the printer does, we can help you configure FreeRADIUS. Alan DeKok.
Mandi! Alan DeKok In chel di` si favelave...
This is really a "how to configure the printer" issue. We can't help much there, unfortunately. Either the printer is sane, and has good documentation, or it doesn't. Once you've figured out what the printer does, we can help you configure FreeRADIUS.
Manual is here: https://h10032.www1.hp.com/ctg/Manual/c04628719.pdf but don't have info about PEAP or so. There's another doc 'HP Printers - Certificate-based authentication for data security (whitepaper)' that point to a dead link; i've found on internet archive: https://web.archive.org/web/20240411135917/http://h10032.www1.hp.com/ctg/Man... but still no clue on PEAP, seems only a generic cert handling paper. Probably it is not specific to these models, but for a (generic) set of HP printers firmwares; i'll give a try on loosing the search. But, there's some way to debug what the printer (try to) do server side? Thanks. -- Molti italiani sognavano di vedere Berlusconi in un cellulare, prima o poi... (Stardust®, da i.n.n-a)
hi,
But, there's some way to debug what the printer (try to) do server side?
you've kind-of seen all you'll see already - the client starts a connection, EAP starts, server says heres a PEAP with cert, client says no, I can't do that but I can do 'this' instead where 'this' is actually the previously suggested method - because its the printers way of saying it isnt happy with the servers cert. so it can do PEAP but it cant do the PEAP offered due to the not happy with the provided cert. its a naff implementation. as previously said, install the servers CA/server certs onto the printer. regards alan
Mandi! Alan Buxey In chel di` si favelave...
But, there's some way to debug what the printer (try to) do server side? you've kind-of seen all you'll see already - the client starts a connection, EAP starts, server says heres a PEAP with cert, client says no, I can't do that but I can do 'this' instead where 'this' is actually the previously suggested method - because its the printers way of saying it isnt happy with the servers cert. so it can do PEAP but it cant do the PEAP offered due to the not happy with the provided cert. its a naff implementation. as previously said, install the servers CA/server certs onto the printer.
As just stated, local CA certificates (the one used to sign the freeradius server certificate) was just loaded on the printer. I've tried to generate and sign with the same CA a server certificate for the printer, but (in PCK#12 formatas requested) the printer refuse it (invalid format, wrong password, ... no a meaningfull error at all). Still trying... -- Ci sono 3 professori di statistica che vanno a caccia di lepri. ad un tratto ne vedono una. il primo spara... un metro a destra. il secondo spara... un metro a sinistra. il terzo esclama: "l'abbiamo presa". (Gino)
Mandi! Marco Gaiarin In chel di` si favelave...
As just stated, local CA certificates (the one used to sign the freeradius server certificate) was just loaded on the printer.
OK, today printer connect as expected to the wireless network. I was sure i've power cycled the printer between config, but... evidently some other things confuse me. Sorry to the list. ;( -- Bisogna saper scegliere il tempo non arrivarci per contrarieta` (F. Guccini)
participants (3)
-
Alan Buxey -
Alan DeKok -
Marco Gaiarin