HP printer eap-tls and cppm 6.8.4

Trying to persuade an HP printer to eap-tls to cppm using a cert supplied by a local windows PKI infrastructure. CPPM set up with specific service that OCSP's back to the windows PKI.

 

winPKI CA chain in Trusted CA list for "EAP and other"

 

We don't seem to be having much luck. 

 

Looking at the failure logs I can see the list below, the pertinent bit being

 

TLS_accept:error in SSLv3 read client certificate A

 

That's all I get; the printer isn't very helpful. Downloading a packet trace hasn't been that helpful either: I can see a batch of Access-Challenge packets followed by a reject being sent by clearpass.

 

Access Tracker basically says "Client doesn't support configured EAP methods"

 

Setting printer up to do peap gives the same access-tracker message

 

2020-02-07 12:39:35,001 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 52:363:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,009 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Failed to determine the datatype adding as string into Python Dictionary AttributeID = Radius:IETF:EAP-Message;; DataType = OctetArray;; AttributeValue = 0x0201000f016974736d666430333330 .....itsmfd0330]
2020-02-07 12:39:35,009 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:NAS-IP-Address;; DataType = IPv4Address;; AttributeValue = 10.4.4.87
2020-02-07 12:39:35,009 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:NAS-Identifier;; DataType = String;; AttributeValue = xb2st1
2020-02-07 12:39:35,009 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:NAS-Port;; DataType = Integer32;; AttributeValue = 16941536
2020-02-07 12:39:35,010 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:NAS-Port-Type;; DataType = Integer32;; AttributeValue = 15
2020-02-07 12:39:35,010 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:Service-Type;; DataType = Integer32;; AttributeValue = 2
2020-02-07 12:39:35,010 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:User-Name;; DataType = String;; AttributeValue = itsmfd0330
2020-02-07 12:39:35,017 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] INFO Core.ServiceReqHandler - Service classification result = UoY Wired Printing - 040220
2020-02-07 12:39:35,018 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - Service Categorization time = 17 ms
2020-02-07 12:39:35,019 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "UoY Wired Printing - 040220"
2020-02-07 12:39:35,019 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_sql: searching for user itsmfd0330 in Local:localhost
2020-02-07 12:39:35,019 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_sql: found user itsmfd0330 in Local:localhost
2020-02-07 12:39:35,019 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - SQL User lookup time = 0 ms
2020-02-07 12:39:35,020 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
2020-02-07 12:39:35,020 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 52:88:EC-8E-B5-C0-87-2A:ACEAXgDEABF3i4kAlhXImj7pHJASQFri/CZMjA==
2020-02-07 12:39:35,169 [Th 1029 Req 9014136 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 53:488:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,176 [Th 1029 Req 9014136 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
2020-02-07 12:39:35,176 [Th 1029 Req 9014136 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
2020-02-07 12:39:35,176 [Th 1029 Req 9014136 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 53:1124:EC-8E-B5-C0-87-2A:AGgATwDCAP94i4kAn/Z3vUAQC6KpJysxn+esCQ==
2020-02-07 12:39:35,182 [Th 1023 Req 9014137 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 54:396:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,183 [Th 1023 Req 9014137 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 54:1120:EC-8E-B5-C0-87-2A:AMMABADdAEh5i4kANPZz0rL8eYcy2ieBlvvz2A==
2020-02-07 12:39:35,190 [Th 1024 Req 9014138 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 55:396:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,190 [Th 1024 Req 9014138 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 55:1120:EC-8E-B5-C0-87-2A:AIsAmQDrAH16i4kA4qTrTA8GpC/ZMWzdoQsxhg==
2020-02-07 12:39:35,200 [Th 1026 Req 9014139 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 56:396:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,201 [Th 1026 Req 9014139 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 56:1120:EC-8E-B5-C0-87-2A:AKMA3wA6ANl7i4kAwk8iFwP/3ey+Ro6KIdkNSA==
2020-02-07 12:39:35,210 [Th 1027 Req 9014140 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 57:396:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,210 [Th 1027 Req 9014140 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 57:1120:EC-8E-B5-C0-87-2A:ANoAGgBOANx8i4kAMT4gLYe71UTyktANFK/1EA==
2020-02-07 12:39:35,217 [Th 1022 Req 9014141 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 58:396:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,217 [Th 1022 Req 9014141 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 58:1120:EC-8E-B5-C0-87-2A:AEsALwCIAOh9i4kAFrsq2AkztIJ2HYRLrGO8gA==
2020-02-07 12:39:35,224 [Th 1021 Req 9014142 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 59:396:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,225 [Th 1021 Req 9014142 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 59:1120:EC-8E-B5-C0-87-2A:AKUAzgAiAE1+i4kAQm45YcMhfq2VHkbyLVwTQA==
2020-02-07 12:39:35,231 [Th 1030 Req 9014143 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 60:396:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,231 [Th 1030 Req 9014143 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 60:1120:EC-8E-B5-C0-87-2A:AI8A6QDDAKJ/i4kAXXsyRj0Tq0Pxm75YIoMpfg==
2020-02-07 12:39:35,238 [Th 1028 Req 9014144 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 61:396:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,238 [Th 1028 Req 9014144 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 61:1120:EC-8E-B5-C0-87-2A:AFoAPADeAP6Ai4kA3Tnzv3uc5ITMrGEY+0mz+w==
2020-02-07 12:39:35,244 [Th 1025 Req 9014145 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 62:396:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,244 [Th 1025 Req 9014145 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 62:691:EC-8E-B5-C0-87-2A:AAcAwgA7APeBi4kA2JtvCsK5Rxqv0nhws7SStQ==
2020-02-07 12:39:35,275 [Th 1029 Req 9014146 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 63:396:EC-8E-B5-C0-87-2A
2020-02-07 12:39:35,275 [Th 1029 Req 9014146 SessId R001476be-40-5e3d5a87] ERROR RadiusServer.Radius - rlm_eap: Client doesn't support any method that we require. Rejecting client.
Aruba

Re: HP printer eap-tls and cppm 6.8.4

Do you have TLS 1.0 disabled on CPPM?    What model of HP printer is it; and does it support versions greater than 1.0?

 

[image: cppm_tls10.png]

 

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX


Re: HP printer eap-tls and cppm 6.8.4

FutureSMART 4 4.10

Printer should be sending TLS 1.2

 

Disabled 1.0 and 1.1 for Admin on cppm

 

Aruba

Re: HP printer eap-tls and cppm 6.8.4

My next question would be around the cert on CPPM: is it fully trusted by the printer's supplicant?   Is this the only device that has the issue?

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX


Re: HP printer eap-tls and cppm 6.8.4

As far as I can see it is; I have uploaded the CA chain onto cppm. But it's worse than that: the printer can also do PEAP, and it's failing with the same error message, so I'm not convinced that it's client-cert specific. Did wonder if it was more basic.

 

Get error

 

SSL/TLS Handshake error [lib(20) func(321), reason(338)]

 

on the printer. Did wonder if it was the ciphers available. This is what's set up on the printer...

 

[image: image (3).png]

Aruba

Re: HP printer eap-tls and cppm 6.8.4

The ciphers look fine.  Does the printer have a section to trust ClearPass' certificate?   If PEAP is also failing, it seems as though the printer is not trusting the identity of ClearPass.

 

I am not familiar with the FutureSmart platform, so not sure on exactly where this is set.   Look for Certificate Management; both Certificates installed/trusted and also Certificate Validation.

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX


Re: HP printer eap-tls and cppm 6.8.4

That's exactly what is happening. Did a Wireshark and I can see the printer rejecting our radius.york.ac.uk cert.

 

My colleague that is configuring the printer set up a test lab with the printer, a switch and a Windows CA/RADIUS server, and the printer does auth with a less secure cert, so we know it works.

Current plan is to use this test lab to "tweak" the cert being sent from the Windoze radius server and then use that on clearpass specifying it as specific to the cppm printing authentication service I've set up. 

 

We did go through the printer making sure all the certs and appropriate ciphers were there 


Re: HP printer eap-tls and cppm 6.8.4

So here is a (possibly) strange thing.

 

Over the years we have had various CA suppliers providing "radius.york.ac.uk" for use on our RADIUS infrastructure. This means that if you look at the clearpass trust list there are a larger number of enabled CA chains instead of just the ones we use.

 

Looking at a Wireshark trace of an attempted eap-tls auth from the printer to clearpass, we can see clearpass sending all the enabled trust list certs to the printer, so:

 

1). The specific service that does printer dot1x has its own internally generated server cert that it sends out, with its own CA chain

2). All our other cppm services use an AddTrust External Root generated cert

3). In a lab where the printer is talking to a microsoft RADIUS server with 1 CA chain, auth works 

 

I'm now wondering if the printer is bleating because clearpass is sending too many CA chains.

 

Don't know enough about the eap dialogue, but should cppm be sending all the trust list enabled certs in an Access-Challenge packet?

 

Now pruning down the list of enabled certs in the trust list

 

A
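The question above asks what the server puts on the wire when many CA chains are enabled. In TLS 1.2 the server's CertificateRequest (RFC 5246 section 7.4.4) carries the DER Distinguished Name of every CA it will accept client certificates from, so every extra enabled trust-list entry makes that handshake message, and the EAP-TLS fragments that carry it, larger. The parser below is an added example, not Aruba, HP or the poster's code; the CA names and message bytes are constructed here for illustration.

```python
"""Decode a TLS 1.2 CertificateRequest and list the advertised CA names.
Added example with constructed sample data; not ClearPass or HP code."""
import struct

def der_cn(cn: str) -> bytes:
    """Constructed sample: a minimal DER Name holding one commonName RDN."""
    atv = b"\x06\x03\x55\x04\x03" + bytes([0x13, len(cn)]) + cn.encode("ascii")
    atv = b"\x30" + bytes([len(atv)]) + atv        # AttributeTypeAndValue SEQUENCE
    rdn = b"\x31" + bytes([len(atv)]) + atv        # RelativeDistinguishedName SET
    return b"\x30" + bytes([len(rdn)]) + rdn       # Name SEQUENCE

def build_certificate_request(ca_names) -> bytes:
    """Constructed sample message: rsa_sign client type, sha256/rsa sigalg."""
    body = b"\x01\x01"                              # certificate_types: rsa_sign
    body += b"\x00\x02\x04\x01"                     # supported_signature_algorithms
    dns = [der_cn(n) for n in ca_names]
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in dns)
    body += struct.pack("!H", len(cas)) + cas        # certificate_authorities
    return b"\x0d" + len(body).to_bytes(3, "big") + body   # HandshakeType 13

def cn_of(dn: bytes) -> str:
    """Extract the commonName from a DER Name (hex fallback if no CN)."""
    i = dn.find(b"\x55\x04\x03")
    if i < 0:
        return dn.hex()
    n = dn[i + 4]                                   # length byte after OID and tag
    return dn[i + 5:i + 5 + n].decode("ascii", "replace")

def parse_certificate_request(msg: bytes) -> dict:
    """Return client cert types, sigalgs, CA names and the size of the CA list."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    p = 0
    n = body[p]; p += 1
    types = list(body[p:p + n]); p += n
    n = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    sigalgs = [(body[p + i], body[p + i + 1]) for i in range(0, n, 2)]; p += n
    ca_bytes = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    end, cas = p + ca_bytes, []
    while p < end:                                   # each DN is length-prefixed
        dn_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        cas.append(body[p:p + dn_len]); p += dn_len
    if p != end:
        raise ValueError("certificate_authorities length mismatch")
    return {"types": types, "sigalgs": sigalgs,
            "ca_names": [cn_of(d) for d in cas], "ca_bytes": ca_bytes}
```

Run against a real capture, the `ca_names` list shows exactly which trust-list entries the server is advertising and `ca_bytes` how much of the handshake they occupy.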
