HP Printers trying to do 802.1x but failing with timeouts
jan hugo prins
jhp at jhprins.org
Mon Mar 9 23:42:11 CET 2015
Log file was missing.
Does this work?
Jan Hugo
On 03/09/2015 11:17 PM, jan hugo prins wrote:
> Hi,
>
> I updated the firmware of the printers last week. That was one of my
> first tests.
>
> I have some port statistics for EAP authentication on the switch:
>
> The port that holds the printers:
> tc03st01sw1(config-if)#show eapol auth-dia interface 15
> Port: 15
> EntersConnecting: 1411
> EapLogoffsWhileConnecting: 3
> EntersAuthenticating: 432
> AuthSuccessWhileAuthenticating: 134
> AuthTimeoutsWhileAuthenticating: 0
> AuthFailWhileAuthenticating: 69
> AuthReauthsWhileAuthenticating: 0
> AuthEapStartsWhileAuthenticating: 205
> AuthEapLogoffWhileAuthenticating: 0
> AuthReauthsWhileAuthenticated: 6
> AuthEapStartsWhileAuthenticated: 124
> AuthEapLogoffWhileAuthenticated: 0
> BackendResponses: 1826
> BackendAccessChallenges: 1602
> BackendOtherRequestsToSupplicant: 1641
> BackendNonNakResponsesFromSupplicant: 1324
> BackendAuthSuccesses: 134
> BackendAuthFails: 69
>
> A different port that holds an Apple workstation.
> tc03st01sw1(config-if)#show eapol auth-dia interface 21
> Port: 21
> EntersConnecting: 12638
> EapLogoffsWhileConnecting: 0
> EntersAuthenticating: 160
> AuthSuccessWhileAuthenticating: 150
> AuthTimeoutsWhileAuthenticating: 0
> AuthFailWhileAuthenticating: 6
> AuthReauthsWhileAuthenticating: 0
> AuthEapStartsWhileAuthenticating: 4
> AuthEapLogoffWhileAuthenticating: 0
> AuthReauthsWhileAuthenticated: 1
> AuthEapStartsWhileAuthenticated: 146
> AuthEapLogoffWhileAuthenticated: 2
> BackendResponses: 1689
> BackendAccessChallenges: 1529
> BackendOtherRequestsToSupplicant: 1529
> BackendNonNakResponsesFromSupplicant: 1458
> BackendAuthSuccesses: 150
> BackendAuthFails: 6
>
> I think it is very odd that the AuthEapStartsWhileAuthenticating is very
> high compared to the port with the Apple workstation.
>
> I have included a debugging log I have created tonight.
>
> Some side notes:
> - The Linux workstations I have tested so far (Fedora 21 and Fedora 18)
> on the 802.1x Ethernet authenticate using EAP-TLS just fine.
> - Apple laptop my co-worker uses can authenticate just fine using
> EAP-TLS as well, as long as he can import the certificate I have given
> him from a PKCS12 file.
> - The Radius certificate and the root certificate I have created about 3
> years ago when I needed 802.1x authentication for the wireless network.
> - Windows clients authenticate using these certificates in combination
> with the Username / Password the user has in LDAP.
> - Linux clients and Apple clients do the same. The manual to configure
> it on a Windows workstation is just 20 pages longer.
> - I see a lot of messages telling me something about Certificate
> Compatibility but that page has a lot of info about Windows, and Windows
> has been working for several years just fine. The only thing I have
> never tested is Windows workstations doing EAP-TLS. But in our
> environment we decided a long time ago that we don't want this.
>
> Some information about the certificates is included as well.
>
> For now I have set the authentication on PEAP only and this works just fine.
> Would like to have the certificates working though.
>
> Thanks in advance,
> Jan Hugo Prins
>
>
>
>
> On 03/08/2015 11:39 PM, Arran Cudbard-Bell wrote:
>>> On 8 Mar 2015, at 18:11, jan hugo prins <jhp at jhprins.org> wrote:
>>>
>>> Hello,
>>>
>>> I have a working 802.1x setup on the wired network of our office and
>>> everything is fine for Linux stations, Apple notebooks and the few
>>> Windows notebooks we have. The Linux stations and the Apple notebooks
>>> are doing EAP-TLS. And my idea was to have the printers we use do the
>>> same. But with the printers I get a lot of timeouts during
>>> authentication and to me it looks like the printer is really having a
>>> big issue handling all the certificate things etc.
>>>
>>> Does anyone here have experience in setting this up? Would it be an idea
>>> to get a newer print server into the printers? I'm looking at the
>>> JetDirect 635 (J7961G).
>> Just to check, you're using the latest firmware?
>>
>> The HP supplicant used to implement PEAP incorrectly, they may have gotten
>> something wrong in EAP-TLS too.
>>
>> Could you paste the debug output, and we'll be able to see if it's
>> something obvious.
>>
>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>> FreeRADIUS development team
>>
>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
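Added example, not part of the original messages: a small Python parser for the `show eapol auth-dia` counters quoted in the thread, which turns the raw numbers into per-port ratios so the two ports can be compared directly. The function names and the 0.25 threshold are assumptions made for this illustration.

```python
import re

# Counter lines excerpted from the "show eapol auth-dia" output quoted in the thread.
SWITCH_OUTPUT = """\
Port: 15
EntersAuthenticating: 432
AuthSuccessWhileAuthenticating: 134
AuthFailWhileAuthenticating: 69
AuthEapStartsWhileAuthenticating: 205
Port: 21
EntersAuthenticating: 160
AuthSuccessWhileAuthenticating: 150
AuthFailWhileAuthenticating: 6
AuthEapStartsWhileAuthenticating: 4
"""

LINE = re.compile(r"^[>\s]*(\w+):\s*(\d+)\s*$")  # tolerates mail quoting ("> ")

def parse_ports(text):
    """Return {port_number: {counter_name: value}} for each 'Port: N' block."""
    ports, current = {}, None
    for m in filter(None, map(LINE.match, text.splitlines())):
        name, value = m.group(1), int(m.group(2))
        if name == "Port":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[name] = value
    return ports

def summarize(c):
    """Derive comparison figures from one port's authenticator counters."""
    attempts = c["EntersAuthenticating"]
    done = c["AuthSuccessWhileAuthenticating"] + c["AuthFailWhileAuthenticating"]
    return {
        "attempts": attempts,
        "unfinished": attempts - done,  # attempts that ended in neither success nor fail
        "restart_ratio": c["AuthEapStartsWhileAuthenticating"] / max(attempts, 1),
        "success_ratio": c["AuthSuccessWhileAuthenticating"] / max(attempts, 1),
    }

def flag_restarting_ports(ports, threshold=0.25):
    """Ports whose EAP-Start count exceeds `threshold` (assumed value) of attempts."""
    return sorted(p for p, c in ports.items()
                  if summarize(c)["restart_ratio"] > threshold)

if __name__ == "__main__":
    for port, counters in parse_ports(SWITCH_OUTPUT).items():
        print(port, summarize(counters))
```

On the quoted numbers, port 15 leaves 229 of 432 authentication attempts without a success or fail result, against 4 of 160 on port 21.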