Security

I'm having problems getting an HP LaserJet Pro 400 Model M401dw to connect to my ClearPass-enabled SSID using 802.1x.  I set the printer to use EAP-PEAP with WPA2-Enterprise and I see it attempting to authenticate against ClearPass, but the Access Tracker shows Authentication Method of "EAP" and gives the following alerts:

Error Code:	9015
Error Category:	RADIUS protocol
Error Message:	Client does not support configured EAP methods
Alerts for this Request   Policy server Failed to get value for attributes=[Owner] RADIUS EAP: Client doesn't support configured EAP methods

I'm trying to get help from HP Support, or at least the folks that sold us the printers, but I'm looking for other ideas from fellow Airheads.  Help appreciated.

Please see the HP 802.1x document here:

 

 http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c00731218-4.pdf

 

to see if it gives you some ideas on how the HP side should be configured.

Do you have your RADIUS certificate common name set for "Server ID"? Also, did you upload the root CA?

 

Thanks Colin and Tim.  I went through the document and also verified I entered the cert name for the CPPM. Since it uses a GoDaddy cert I uploaded the GD root cert for CA in the HP printer web gui.  I also spent over an hour on the phone with HP support yesterday. Once I convinced them that I DIDN'T need help with the settings on the client, but I DID need help getting the printer to connect to wireless, they took a bunch of screen shots and are escalating the issue. While on the phone we also updated the firmware on the printer via the web gui, which turns out is more reliable and recommended over using the touch panel on the printer itself. I'm using an HP LaserJet Pro 400 M401dw with "Firmware Datecode" of 20150410.

 

Any other ideas while I wait for HP support to get back to me? I really DON'T want to have a 3rd SSID with PSK, but will if necessary.

did you get any further with HP helpdesk?

 

it isn't a situation you want permanently, but with this error i usually add all authentication methods (EAP-PEAP / EAP-TLS / EAP-... / ... / ...) possible in the service to see if the printer perhaps uses something different then i expected.

I get that same error as you if I try connecting using a local database user name and password.  

 

If I try and connect with Mac Auth ClearPass complains about the Password being empty which triggers the following error

 

MAC-AUTH: Password in request doesn't match username. Not attempting MAC authentication

 

I have tried populating the usename and password with the Mac address and no luck.

 

The error "Client does not support configured EAP methods" I get whether a Certificate is installed or not.  I started with the self signed Aruba Cert then when we got our signed Cert now I am unable to install the Public Cert from GoDaddy into the printer, the printer gives an invalid format error.  I have tried every format I can export.  It Says PEM/base 64 which is what I have tried numerous.   Not sure if there is a bit limit or encryption type limit.

 

If I change the VC to Mac Auth first I can get a valid Mac auth in ClearPass but 3 seconds later it gets a reject.  I really dont want my VC set to Mac Auth first so I put it back.  

 

Same Model of HP Printer have tried 3 different Firmwares currently using the same as you 20150410.

 

The 802.1X documentation on this printer is very limited.

 

Not sure if any info above is of any help I will be working on it all day tomorrow too if I figure it out I will post.

 

Tom

---

@Swack wrote:

I'm having problems getting an HP LaserJet Pro 400 Model M401dw to connect to my ClearPass-enabled SSID using 802.1x.  I set the printer to use EAP-PEAP with WPA2-Enterprise and I see it attempting to authenticate against ClearPass, but the Access Tracker shows Authentication Method of "EAP" and gives the following alerts:

Error Code:	9015
Error Category:	RADIUS protocol
Error Message:	Client does not support configured EAP methods
Alerts for this Request   Policy server Failed to get value for attributes=[Owner] RADIUS EAP: Client doesn't support configured EAP methods

I'm trying to get help from HP Support, or at least the folks that sold us the printers, but I'm looking for other ideas from fellow Airheads.  Help appreciated.

---

Swack,

 

Did you ever get this resolved? ]

 

I am running into the same issue with an HP printer & CPPM.

 

Thanks,

Bruce Osborne

Liberty University

Sorry for replying to my own post, but I got PEAP working.

If you leave the Server Name blank, the printer accepts any certificate from the uploaded Root CA chain. Apparently, one of my coworkers had typoed our server name on the printer, causing the EAP error.

Bruce,

 

Any instructions on the format and method you used to upload the Root cert would be appreciated.

 

I did it using the WenUI on an unauthenticated VLAN, but it might be possible to configure the printer using the HP Web JetAdmin printer management software.

I am starting to look at that free software now.

 

Colin,

Any tips on how to get AirPrint working with a wired printer?

Thats exciting that you got it to work.

 

Bruce,

 

In particular what format and what did your Server and Printer Certificates contain?

MAC Auth or username password?

Controller or Instant?

Printer firmware version?

 

 

In Instant AirPrint works wired to wireless in version 4.1.x.x but not in 4.2.x.x possibly not supposed to work at all in either.

 

 Tom

---

@tomtek wrote:

Thats exciting that you got it to work.

 

Bruce,

 

In particular what format and what did your Server and Printer Certificates contain?

MAC Auth or username password?

Controller or Instant?

Printer firmware version?

 

 

In Instant AirPrint works wired to wireless in version 4.1.x.x but not in 4.2.x.x possibly not supposed to work at all in either.

 

 Tom

---

I am using PEAP which is PEAP -MSCHAPv2 with AD username & password.

The certificate I uploaded (in Base64, I believe) is the Root CA certificate for my RADIUS server certificate chain.

 

Cisco switch (3750G) based.

Model Number:                     J8028E
Firmware Version:            JDI23500067 

  

---

@bosborne@liberty.edu wrote:

I did it using the WenUI on an unauthenticated VLAN, but it might be possible to configure the printer using the HP Web JetAdmin printer management software.

I am starting to look at that free software now.

 

Colin,

Any tips on how to get AirPrint working with a wired printer?

---

Bruce,

 

The VLAN with the printer would have to be trunked to the controller.  It should then show up in the controller's Airgroup table and would be advertised to users.

 

---

@bosborne@liberty.edu wrote:

 

Any tips on how to get AirPrint working with a wired printer?

---

I've been doing a lot of work with Xerox with an OEM'd Lantronix wired-to-wireless bridge device and have had pretty good success. The problem has been that the cheaper model of Xerox printer doesn't yet officially support AirPrint through the bridge device. However, our managed print service guy is getting a Lantronix-brand device that will apparently support WPA2-Enterprise AND AirPrint for any wired printer. I'm excited about the possibility this bridge device may help with other needs in our retail and corporate environments.Hopefully I'll have it in my possession for testing next week.

Thank you for the reply.

Actually I found out we will be using the Pharos client for remote printing on these printers, so AirPrint/AirGroup to a wired printer is a non-issue for me.

 

Thanks again.

Also you have the new AP multicast aggregation feature in 6.4.3 that solves the wired discovery issue.


Thanks,
Tim

Did you ever figure out the solution to this problem? I'm currently struggling with the same thing.

This is an older thread but since we recently encountered this as well and solved it, I thought I'd share.

 

In our case, there was an incorrect CA certificate installed on the printer. It was not the CA that issued the ClearPass Radius server certificate.

I suspect that the printer did fall back to EAP, when it was unsuccessful in validating the server certificate.

 

Once we uploaded the correct CA certificate, the printer properly performed EAP-TLS.