HP Printers trying to do 802.1x but failing with timeouts
jan hugo prins
jhp at jhprins.org
Mon Mar 9 23:17:01 CET 2015
Hi,
I updated the firmware of the printers last week. That was one of my
first tests.
I have some port statistics for EAP authentication on the switch:
The port that holds the printers:
tc03st01sw1(config-if)#show eapol auth-dia interface 15
Port: 15
EntersConnecting: 1411
EapLogoffsWhileConnecting: 3
EntersAuthenticating: 432
AuthSuccessWhileAuthenticating: 134
AuthTimeoutsWhileAuthenticating: 0
AuthFailWhileAuthenticating: 69
AuthReauthsWhileAuthenticating: 0
AuthEapStartsWhileAuthenticating: 205
AuthEapLogoffWhileAuthenticating: 0
AuthReauthsWhileAuthenticated: 6
AuthEapStartsWhileAuthenticated: 124
AuthEapLogoffWhileAuthenticated: 0
BackendResponses: 1826
BackendAccessChallenges: 1602
BackendOtherRequestsToSupplicant: 1641
BackendNonNakResponsesFromSupplicant: 1324
BackendAuthSuccesses: 134
BackendAuthFails: 69
A different port that holds an Apple workstation.
tc03st01sw1(config-if)#show eapol auth-dia interface 21
Port: 21
EntersConnecting: 12638
EapLogoffsWhileConnecting: 0
EntersAuthenticating: 160
AuthSuccessWhileAuthenticating: 150
AuthTimeoutsWhileAuthenticating: 0
AuthFailWhileAuthenticating: 6
AuthReauthsWhileAuthenticating: 0
AuthEapStartsWhileAuthenticating: 4
AuthEapLogoffWhileAuthenticating: 0
AuthReauthsWhileAuthenticated: 1
AuthEapStartsWhileAuthenticated: 146
AuthEapLogoffWhileAuthenticated: 2
BackendResponses: 1689
BackendAccessChallenges: 1529
BackendOtherRequestsToSupplicant: 1529
BackendNonNakResponsesFromSupplicant: 1458
BackendAuthSuccesses: 150
BackendAuthFails: 6
I think it is very odd that the AuthEapStartsWhileAuthenticating is very
high compared to the port with the Apple workstation.
I have included a debugging log I have created tonight.
Some sidenotes:
- The Linux workstations I have tested so far (Fedora 21 and Fedora 18)
on the 802.1x Ethernet authenticate using EAP-TLS just fine.
- The Apple laptop my co-worker uses can authenticate just fine using
EAP-TLS as well, as long as he can import the certificate I have given
him from a PKCS12 file.
- The RADIUS certificate and the root certificate I created about 3
years ago when I needed 802.1x authentication for the wireless network.
- Windows clients authenticate using these certificates in combination
with the Username / Password the user has in LDAP.
- Linux clients and Apple clients do the same. The manual to configure
it on a Windows workstation is just 20 pages longer.
- I see a lot of messages telling me something about Certificate
Compatibility, but that page has a lot of info about Windows, and Windows
has been working just fine for several years. The only thing I have
never tested is Windows workstations doing EAP-TLS. But in our
environment we decided a long time ago that we don't want this.
Some information about the certificates is included as well.
For now I have set the authentication to PEAP only and this works just fine.
I would like to have the certificates working, though.
Thanks in advance,
Jan Hugo Prins
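A way to put numbers on the comparison of the two ports above, as an added example that is not part of the message or of FreeRADIUS: the script parses the two "show eapol auth-dia" dumps and, per port, divides AuthEapStartsWhileAuthenticating and AuthFailWhileAuthenticating by EntersAuthenticating. In the 802.1X authenticator diagnostics the first counter is incremented when the supplicant sends EAPOL-Start while an authentication is already in progress, which aborts that exchange. A port where that happens on roughly half of all attempts (205 of 432 here, against 4 of 160 on the workstation port) points at the supplicant restarting mid-handshake rather than at the RADIUS server rejecting it. The 0.25 cut-off is an assumption chosen for illustration, not a vendor value.

```python
import re

# Switch output copied from the message above: port 15 holds the printers,
# port 21 an Apple workstation. Used here as input for the parser.
SAMPLE_OUTPUT = """\
tc03st01sw1(config-if)#show eapol auth-dia interface 15
Port: 15
EntersConnecting: 1411
EapLogoffsWhileConnecting: 3
EntersAuthenticating: 432
AuthSuccessWhileAuthenticating: 134
AuthTimeoutsWhileAuthenticating: 0
AuthFailWhileAuthenticating: 69
AuthReauthsWhileAuthenticating: 0
AuthEapStartsWhileAuthenticating: 205
AuthEapLogoffWhileAuthenticating: 0
AuthReauthsWhileAuthenticated: 6
AuthEapStartsWhileAuthenticated: 124
AuthEapLogoffWhileAuthenticated: 0
BackendResponses: 1826
BackendAccessChallenges: 1602
BackendOtherRequestsToSupplicant: 1641
BackendNonNakResponsesFromSupplicant: 1324
BackendAuthSuccesses: 134
BackendAuthFails: 69
tc03st01sw1(config-if)#show eapol auth-dia interface 21
Port: 21
EntersConnecting: 12638
EapLogoffsWhileConnecting: 0
EntersAuthenticating: 160
AuthSuccessWhileAuthenticating: 150
AuthTimeoutsWhileAuthenticating: 0
AuthFailWhileAuthenticating: 6
AuthReauthsWhileAuthenticating: 0
AuthEapStartsWhileAuthenticating: 4
AuthEapLogoffWhileAuthenticating: 0
AuthReauthsWhileAuthenticated: 1
AuthEapStartsWhileAuthenticated: 146
AuthEapLogoffWhileAuthenticated: 2
BackendResponses: 1689
BackendAccessChallenges: 1529
BackendOtherRequestsToSupplicant: 1529
BackendNonNakResponsesFromSupplicant: 1458
BackendAuthSuccesses: 150
BackendAuthFails: 6
"""

PORT_RE = re.compile(r"^Port:\s*(\d+)$")
COUNTER_RE = re.compile(r"^([A-Za-z]+):\s*(\d+)$")


def parse_eapol_stats(text):
    """Return {port: {counter_name: value}} from 'show eapol auth-dia' output."""
    stats = {}
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:                      # "Port: N" starts a new block
            port = int(m.group(1))
            stats[port] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and port is not None:  # "CounterName: value"
            stats[port][m.group(1)] = int(m.group(2))
    return stats


def summarize_port(counters, restart_threshold=0.25):
    """Ratios that separate a supplicant restarting EAP mid-exchange from one
    that is simply rejected. restart_threshold (0.25) is an assumed cut-off."""
    attempts = counters.get("EntersAuthenticating", 0)
    restarts = counters.get("AuthEapStartsWhileAuthenticating", 0)
    fails = counters.get("AuthFailWhileAuthenticating", 0)
    restart_ratio = restarts / attempts if attempts else 0.0
    fail_ratio = fails / attempts if attempts else 0.0
    return {
        "attempts": attempts,
        "restart_ratio": restart_ratio,
        "fail_ratio": fail_ratio,
        "timeouts": counters.get("AuthTimeoutsWhileAuthenticating", 0),
        "suspect": restart_ratio > restart_threshold,
    }


def flag_ports(stats, restart_threshold=0.25):
    """Ports whose supplicant sends EAPOL-Start during authentication too often."""
    return sorted(p for p, c in stats.items()
                  if summarize_port(c, restart_threshold)["suspect"])


if __name__ == "__main__":
    stats = parse_eapol_stats(SAMPLE_OUTPUT)
    for port, counters in sorted(stats.items()):
        s = summarize_port(counters)
        print(f"port {port}: attempts={s['attempts']} "
              f"restart_ratio={s['restart_ratio']:.2f} fail_ratio={s['fail_ratio']:.2f} "
              f"timeouts={s['timeouts']} suspect={s['suspect']}")
    print("suspect ports:", flag_ports(stats))
```

The same parser works on a dump of every port (the output of the command without an interface argument), so the suspect list is a quick way to find which access ports carry a supplicant that behaves like the printers here.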
On 03/08/2015 11:39 PM, Arran Cudbard-Bell wrote:
>> On 8 Mar 2015, at 18:11, jan hugo prins <jhp at jhprins.org> wrote:
>>
>> Hello,
>>
>> I have a working 802.1x setup on the wired network of our office and
>> everything is fine for Linux stations, Apple notebooks and the few
>> Windows notebooks we have. The Linux stations and the Apple notebooks
>> are doing EAP-TLS. And my idea was to have the printers we use do the
>> same. But with the printers I get a lot of timeouts during
>> authentication and to me it looks like the printer is really having a
>> big issue handling all the certificate things etc.
>>
>> Does anyone here have experience in setting this up? Would it be an idea
>> to get a newer printserver into the printers? I'm looking at the
>> JetDirect 635 (J7961G).
> Just to check, you're using the latest firmware?
>
> The HP supplicant used to implement PEAP incorrectly, they may have gotten
> something wrong in EAP-TLS too.
>
> Could you paste the debug output, and we'll be able to see if it's
> something obvious.
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS development team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part --------------
Root CA Certificate info:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 18349815251215303109 (0xfea7a3bfdebbc1c5)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=NL, ST=xxxxxxxxxx, L=xxxxxxxxxxx, O=Bedrijf1 B.V., OU=Infra, CN=ca.bedrijf1.com/emailAddress=it at bedrijf1.com
Validity
Not Before: Feb 1 09:24:35 2012 GMT
Not After : Jan 29 09:24:35 2022 GMT
Subject: C=NL, ST=xxxxxxxxxx, L=xxxxxxxxxxx, O=Bedrijf1 B.V., OU=Infra, CN=ca.bedrijf1.com/emailAddress=it at bedrijf1.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:cb:90:73:62:77:c4:de:4e:e2:ab:ed:82:3f:a3:
ec:20:67:44:33:2f:07:14:56:ac:25:c4:8a:92:f1:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
3B:7C:0D:D2:08:98:75:B4:59:9C:AA:D4:2D:D1:39:7B:44:5D:54:2F
X509v3 Authority Key Identifier:
keyid:3B:7C:0D:D2:08:98:75:B4:59:9C:AA:D4:2D:D1:39:7B:44:5D:54:2F
DirName:/C=NL/ST=xxxxxxxxxx/L=xxxxxxxxxxx/O=Bedrijf1 B.V./OU=Infra/CN=ca.bedrijf1.com/emailAddress=it at bedrijf1.com
serial:FE:A7:A3:BF:DE:BB:C1:C5
X509v3 Basic Constraints: critical
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
X509v3 Issuer Alternative Name:
<EMPTY>
Netscape Comment:
TinyCA Generated Certificate
X509v3 Subject Alternative Name:
email:it at bedrijf1.com
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha1WithRSAEncryption
78:fa:b5:92:68:5a:b6:1e:93:37:30:14:89:45:7c:44:04:b3:
d4:85:3e:c1:c7:b3:8b:94:ed:79:ae:8e:a1:62:4c:32:3a:71:
04:55:ee:0d:4e:c4:fa:6a:53:82:49:43:80:61:48:11:00:a8:
Radius Server Certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 37 (0x25)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=NL, ST=xxxxxxxxxx, L=xxxxxxxxxxx, O=Bedrijf1 B.V., OU=Infra, CN=ca.bedrijf1.com/emailAddress=it at bedrijf1.com
Validity
Not Before: Oct 27 11:02:02 2014 GMT
Not After : Oct 27 11:02:02 2015 GMT
Subject: C=NL, ST=xxxxxxxxxx, L=xxxxxxxxxxx, O=Bedrijf1 B.V./emailAddress=it at bedrijf1.com, CN=radius.bedrijf1.nl
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b3:4d:d8:e5:88:1c:dc:73:59:b9:75:5e:18:11:
f0:b3:4d:99:30:eb:c3:87:33:01:b5:65:b6:45:6d:
a9:0f:46:d6:ba:e8:8f:f5:93:f2:85:47:7a:af:c3:
2c:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
TinyCA Generated Certificate
X509v3 Subject Key Identifier:
F5:1C:A1:C5:D9:55:58:83:7A:54:2F:B8:C8:3B:C1:06:33:B3:F0:4D
X509v3 Authority Key Identifier:
keyid:3B:7C:0D:D2:08:98:75:B4:59:9C:AA:D4:2D:D1:39:7B:44:5D:54:2F
DirName:/C=NL/ST=xxxxxxxxxx/L=xxxxxxxxxxx/O=Bedrijf1 B.V./OU=Infra/CN=ca.bedrijf1.com/emailAddress=it at bedrijf1.com
serial:FE:A7:A3:BF:DE:BB:C1:C5
X509v3 Issuer Alternative Name:
email:it at bedrijf1.com
X509v3 Subject Alternative Name:
email:it at bedrijf1.com
X509v3 Extended Key Usage: critical
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
37:20:44:b6:01:0e:2a:c7:7a:9f:48:5d:4f:dd:d5:d5:19:e4:
6a:5b:ea:f9:43:48:7c:b8:44:22:3b:5a:9a:be:f3:1b:e2:f3:
b5:85:3d:6b:2f:76:a9:26:3b:37:00:d6:fc:7b:93:15:f4:89:
4e:fd:75:f4:2a:e4:c2:f2:b7:29:d5:e9:d4:e6:91:31:cb:2a:
d3:ca:2e:0a:8e:42:5e:1c
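The certificate details in the attachment can be checked mechanically for the properties that commonly trip up EAP-TLS supplicants. The script below is an added example, not part of the thread or of FreeRADIUS: it parses the RADIUS server certificate exactly as printed by openssl x509 -text above (modulus and signature bytes omitted, since the checks do not need them) and reports whether, on the date of the message, it is inside its validity period, whether it carries the TLS Web Server Authentication extended key usage that Windows and many embedded supplicants require, whether the key is at least 2048 bits, and whether it is signed with SHA-1, which is deprecated and which newer client platforms reject. The 90-day renewal warning and the reference date are assumptions made for the example.

```python
import re
from datetime import datetime

# Server certificate from the attachment, as printed by "openssl x509 -text";
# modulus and signature bytes dropped because the checks below do not use them.
SERVER_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 37 (0x25)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, ST=xxxxxxxxxx, L=xxxxxxxxxxx, O=Bedrijf1 B.V., OU=Infra, CN=ca.bedrijf1.com/emailAddress=it at bedrijf1.com
        Validity
            Not Before: Oct 27 11:02:02 2014 GMT
            Not After : Oct 27 11:02:02 2015 GMT
        Subject: C=NL, ST=xxxxxxxxxx, L=xxxxxxxxxxx, O=Bedrijf1 B.V./emailAddress=it at bedrijf1.com, CN=radius.bedrijf1.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Subject Key Identifier:
                F5:1C:A1:C5:D9:55:58:83:7A:54:2F:B8:C8:3B:C1:06:33:B3:F0:4D
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
"""

REFERENCE_TIME = datetime(2015, 3, 9)  # assumed: the date of the message


def _parse_time(s):
    # openssl prints e.g. "Oct 27 11:02:02 2014 GMT"; collapse padding spaces
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT")


def parse_cert_text(text):
    """Pull the fields relevant to EAP-TLS out of an openssl text dump."""
    info = {"extensions": {}}
    in_ext, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "X509v3 extensions:":
            in_ext = True
            continue
        if in_ext and not line.startswith("Signature Algorithm:"):
            # extension header lines end in ":" or ": critical"; the value follows
            if line.endswith(":") or line.endswith(": critical"):
                current = line.split(":")[0]
                info["extensions"][current] = {"critical": line.endswith("critical"), "value": ""}
            elif current:
                ext = info["extensions"][current]
                ext["value"] = (ext["value"] + " " + line).strip()
            continue
        in_ext = False
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Signature Algorithm" and "signature_algorithm" not in info:
            info["signature_algorithm"] = value   # first occurrence is the TBS one
        elif key == "Not Before":
            info["not_before"] = _parse_time(value)
        elif key == "Not After":
            info["not_after"] = _parse_time(value)
        elif key == "Subject":
            m = re.search(r"CN=([^,/]+)", value)
            info["subject_cn"] = m.group(1).strip() if m else None
        elif key == "Public-Key":
            info["key_bits"] = int(re.search(r"\((\d+) bit\)", value).group(1))
    return info


def assess_for_eap_tls(info, now=REFERENCE_TIME, warn_days=90):
    """Findings to resolve before handing this certificate to supplicants.
    'now' may be a datetime or an ISO date string; warn_days is assumed."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    if now < info["not_before"] or now > info["not_after"]:
        findings.append("not valid at reference time")
    elif (info["not_after"] - now).days < warn_days:
        findings.append(f"expires within {warn_days} days")
    if "sha1" in info.get("signature_algorithm", "").lower():
        findings.append("SHA-1 signature")
    if info.get("key_bits", 0) < 2048:
        findings.append("RSA key shorter than 2048 bits")
    eku = info["extensions"].get("X509v3 Extended Key Usage", {}).get("value", "")
    if "TLS Web Server Authentication" not in eku:
        findings.append("EKU lacks TLS Web Server Authentication")
    if info["extensions"].get("X509v3 Basic Constraints", {}).get("value", "").startswith("CA:TRUE"):
        findings.append("CA certificate presented as server certificate")
    return findings


if __name__ == "__main__":
    info = parse_cert_text(SERVER_CERT_TEXT)
    print(f"{info['subject_cn']}: valid until {info['not_after']:%Y-%m-%d}, "
          f"{info['key_bits']}-bit RSA, {info['signature_algorithm']}")
    for finding in assess_for_eap_tls(info) or ["no findings"]:
        print(" -", finding)
```

Run against the dump above, the only finding on the message date is the SHA-1 signature; the one-year validity means the same check run later in 2015 adds a renewal warning, which matters because an expired or renewed server certificate is the usual reason a whole fleet of EAP-TLS clients stops authenticating at once.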