HP Printers trying to do 802.1x but failing with timeouts

jan hugo prins jhp at jhprins.org
Mon Mar 9 23:42:11 CET 2015


Log file was missing.
Does this work?

Jan Hugo


On 03/09/2015 11:17 PM, jan hugo prins wrote:
> Hi,
>
> I updated the firmware of the printers last week. That was one of my
> first tests.
>
> I have some port statistics for EAP authentication on the switch:
>
> The port that holds the printers:
> tc03st01sw1(config-if)#show eapol auth-dia interface 15
> Port:  15
>     EntersConnecting:                      1411
>     EapLogoffsWhileConnecting:             3
>     EntersAuthenticating:                  432
>     AuthSuccessWhileAuthenticating:        134
>     AuthTimeoutsWhileAuthenticating:       0
>     AuthFailWhileAuthenticating:           69
>     AuthReauthsWhileAuthenticating:        0
>     AuthEapStartsWhileAuthenticating:      205
>     AuthEapLogoffWhileAuthenticating:      0
>     AuthReauthsWhileAuthenticated:         6
>     AuthEapStartsWhileAuthenticated:       124
>     AuthEapLogoffWhileAuthenticated:       0
>     BackendResponses:                      1826
>     BackendAccessChallenges:               1602
>     BackendOtherRequestsToSupplicant:      1641
>     BackendNonNakResponsesFromSupplicant:  1324
>     BackendAuthSuccesses:                  134
>     BackendAuthFails:                      69
>
> A different port that holds an Apple workstation.
> tc03st01sw1(config-if)#show eapol auth-dia interface 21
> Port:  21
>     EntersConnecting:                      12638
>     EapLogoffsWhileConnecting:             0
>     EntersAuthenticating:                  160
>     AuthSuccessWhileAuthenticating:        150
>     AuthTimeoutsWhileAuthenticating:       0
>     AuthFailWhileAuthenticating:           6
>     AuthReauthsWhileAuthenticating:        0
>     AuthEapStartsWhileAuthenticating:      4
>     AuthEapLogoffWhileAuthenticating:      0
>     AuthReauthsWhileAuthenticated:         1
>     AuthEapStartsWhileAuthenticated:       146
>     AuthEapLogoffWhileAuthenticated:       2
>     BackendResponses:                      1689
>     BackendAccessChallenges:               1529
>     BackendOtherRequestsToSupplicant:      1529
>     BackendNonNakResponsesFromSupplicant:  1458
>     BackendAuthSuccesses:                  150
>     BackendAuthFails:                      6
>
> I think it is very odd that the AuthEapStartsWhileAuthenticating is very
> high compared to the port with the Apple workstation.
>
> I have included a debugging log I have created tonight.
>
> Some sidenotes:
> - The Linux workstations I have tested so far (Fedora 21 and Fedora 18)
> on the 802.1x ethernet authenticate using EAP-TLS just fine.
> - The Apple laptop my co-worker uses can authenticate just fine using
> EAP-TLS as well, as long as he can import the certificate I have given
> him from a PKCS12 file.
> - The Radius certificate and the root certificate I have created about 3
> years ago when I needed 802.1x authentication for the wireless network.
> - Windows clients authenticate using these certificates in combination
> with the Username / Password the user has in LDAP.
> - Linux clients and Apple clients do the same. The manual to configure
> it on a Windows workstation is just 20 pages longer.
> - I see a lot of messages telling me something about Certificate
> Compatibility but that page has a lot of info about Windows, and Windows
> has been working for several years just fine. The only thing I have
> never tested is Windows workstations doing EAP-TLS. But in our
> environment we decided a long time ago that we don't want this.
>
> Some information about the certificates is included as well.
>
> For now I have set the authentication on PEAP only and this works just fine.
> Would like to have the certificates working though.
>
> Thanks in advance,
> Jan Hugo Prins
>
>
>
>
> On 03/08/2015 11:39 PM, Arran Cudbard-Bell wrote:
>>> On 8 Mar 2015, at 18:11, jan hugo prins <jhp at jhprins.org> wrote:
>>>
>>> Hello,
>>>
>>> I have a working 802.1x setup on the wired network of our office and
>>> everything is fine for Linux stations, Apple notebooks and the few
>>> Windows notebooks we have. The Linux stations and the Apple notebooks
>>> are doing EAP-TLS. And my idea was to have the printers we use do the
>>> same. But with the printers I get a lot of timeouts during
>>> authentication and to me it looks like the printer is really having a
>>> big issue handling all the certificate things etc.
>>>
>>> Does anyone here have experience in setting this up? Would it be an idea
>>> to get a newer printserver into the printers? I'm looking at the
>>> JetDirect 635 (J7961G).
>> Just to check, you're using the latest firmware?
>>
>> The HP supplicant used to implement PEAP incorrectly, they may have gotten
>> something wrong in EAP-TLS too.
>>
>> Could you paste the debug output, and we'll be able to see if it's
>> something obvious.
>>
>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>> FreeRADIUS development team
>>
>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>>
>>
>>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
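
The port 15 versus port 21 comparison from the message above, as an added example that is not part of the original thread: it parses pasted `show eapol auth-dia` output and divides each outcome counter by `EntersAuthenticating` so ports with different traffic can be compared. The counter values are copied from the message; the 25% outlier threshold is an assumption chosen for illustration.

```python
import re

# Counters copied from the quoted "show eapol auth-dia" outputs (subset; "> " kept on purpose).
SAMPLE = """\
> Port:  15
>     EntersAuthenticating:                  432
>     AuthSuccessWhileAuthenticating:        134
>     AuthTimeoutsWhileAuthenticating:       0
>     AuthFailWhileAuthenticating:           69
>     AuthEapStartsWhileAuthenticating:      205
> Port:  21
>     EntersAuthenticating:                  160
>     AuthSuccessWhileAuthenticating:        150
>     AuthTimeoutsWhileAuthenticating:       0
>     AuthFailWhileAuthenticating:           6
>     AuthEapStartsWhileAuthenticating:      4
"""
LINE = re.compile(r"^[>\s]*(\w+):\s+(\d+)\s*$")

def parse_auth_diag(text):
    """Return {port: {counter: value}} from pasted 'show eapol auth-dia' output."""
    ports, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # CLI prompts, blank lines, surrounding prose
        name, value = m.group(1), int(m.group(2))
        if name == "Port":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[name] = value
    return ports

def outcome_shares(counters):
    """Share of authentication attempts ending in each outcome (0.0 if no attempts)."""
    attempts = counters.get("EntersAuthenticating", 0)
    keys = ("AuthSuccessWhileAuthenticating", "AuthFailWhileAuthenticating",
            "AuthTimeoutsWhileAuthenticating", "AuthEapStartsWhileAuthenticating")
    return {k: (counters.get(k, 0) / attempts if attempts else 0.0) for k in keys}

def restart_outliers(ports, threshold=0.25):
    """Ports whose supplicant aborted more than `threshold` (assumed) of attempts with EAPOL-Start."""
    return sorted(p for p, c in ports.items()
                  if outcome_shares(c)["AuthEapStartsWhileAuthenticating"] > threshold)

if __name__ == "__main__":
    for port, c in sorted(parse_auth_diag(SAMPLE).items()):
        print(port, {k: f"{v:.1%}" for k, v in outcome_shares(c).items()})
```

On the message's numbers, port 15 aborts about 47% of attempts with a new EAPOL-Start against 2.5% on port 21, while `AuthTimeoutsWhileAuthenticating` is 0 on both.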


