Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

HP printer eap-tls and cppm 6.8.4

  • 1.  HP printer eap-tls and cppm 6.8.4

    Posted Feb 07, 2020 07:57 AM

    Trying to persuade an HP printer to do eap-tls to cppm using a cert supplied by a local Windows PKI infrastructure. CPPM set up with a specific service that OCSPs back to the Windows PKI.

    winPKI CA chain in Trusted CA list for "EAP and other".

    We don't seem to be having much luck.

    Looking at the failure logs I can see the list below, the pertinent bit being

    TLS_accept:error in SSLv3 read client certificate A

    That's all I get; the printer isn't very helpful. Downloading a packet trace hasn't been that helpful either. I can see a batch of Access-Challenge packets followed by a reject being sent by ClearPass.

    Access Tracker basically says "Client doesn't support configured EAP methods".

    Setting the printer up to do PEAP gives the same Access Tracker message.



    2020-02-07 12:39:35,001 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 52:363:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,009 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Failed to determine the datatype adding as string into Python Dictionary AttributeID = Radius:IETF:EAP-Message;; DataType = OctetArray;; AttributeValue = 0x0201000f016974736d666430333330 .....itsmfd0330]
    2020-02-07 12:39:35,009 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:NAS-IP-Address;; DataType = IPv4Address;; AttributeValue = 10.4.4.87
    2020-02-07 12:39:35,009 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:NAS-Identifier;; DataType = String;; AttributeValue = xb2st1
    2020-02-07 12:39:35,009 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:NAS-Port;; DataType = Integer32;; AttributeValue = 16941536
    2020-02-07 12:39:35,010 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:NAS-Port-Type;; DataType = Integer32;; AttributeValue = 15
    2020-02-07 12:39:35,010 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:Service-Type;; DataType = Integer32;; AttributeValue = 2
    2020-02-07 12:39:35,010 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] WARN RL.ScopePyHash - Adding the Attribute into Python Dictionary AttributeID = Radius:IETF:User-Name;; DataType = String;; AttributeValue = itsmfd0330
    2020-02-07 12:39:35,017 [RequestHandler-1-0x7f83f73f9700 r=psauto-1576576467-2849887 h=223 r=R001476be-40-5e3d5a87] INFO Core.ServiceReqHandler - Service classification result = UoY Wired Printing - 040220
    2020-02-07 12:39:35,018 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - Service Categorization time = 17 ms
    2020-02-07 12:39:35,019 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "UoY Wired Printing - 040220"
    2020-02-07 12:39:35,019 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_sql: searching for user itsmfd0330 in Local:localhost
    2020-02-07 12:39:35,019 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_sql: found user itsmfd0330 in Local:localhost
    2020-02-07 12:39:35,019 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - SQL User lookup time = 0 ms
    2020-02-07 12:39:35,020 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
    2020-02-07 12:39:35,020 [Th 1025 Req 9014135 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 52:88:EC-8E-B5-C0-87-2A:ACEAXgDEABF3i4kAlhXImj7pHJASQFri/CZMjA==
    2020-02-07 12:39:35,169 [Th 1029 Req 9014136 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 53:488:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,176 [Th 1029 Req 9014136 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
    2020-02-07 12:39:35,176 [Th 1029 Req 9014136 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
    2020-02-07 12:39:35,176 [Th 1029 Req 9014136 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 53:1124:EC-8E-B5-C0-87-2A:AGgATwDCAP94i4kAn/Z3vUAQC6KpJysxn+esCQ==
    2020-02-07 12:39:35,182 [Th 1023 Req 9014137 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 54:396:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,183 [Th 1023 Req 9014137 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 54:1120:EC-8E-B5-C0-87-2A:AMMABADdAEh5i4kANPZz0rL8eYcy2ieBlvvz2A==
    2020-02-07 12:39:35,190 [Th 1024 Req 9014138 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 55:396:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,190 [Th 1024 Req 9014138 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 55:1120:EC-8E-B5-C0-87-2A:AIsAmQDrAH16i4kA4qTrTA8GpC/ZMWzdoQsxhg==
    2020-02-07 12:39:35,200 [Th 1026 Req 9014139 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 56:396:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,201 [Th 1026 Req 9014139 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 56:1120:EC-8E-B5-C0-87-2A:AKMA3wA6ANl7i4kAwk8iFwP/3ey+Ro6KIdkNSA==
    2020-02-07 12:39:35,210 [Th 1027 Req 9014140 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 57:396:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,210 [Th 1027 Req 9014140 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 57:1120:EC-8E-B5-C0-87-2A:ANoAGgBOANx8i4kAMT4gLYe71UTyktANFK/1EA==
    2020-02-07 12:39:35,217 [Th 1022 Req 9014141 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 58:396:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,217 [Th 1022 Req 9014141 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 58:1120:EC-8E-B5-C0-87-2A:AEsALwCIAOh9i4kAFrsq2AkztIJ2HYRLrGO8gA==
    2020-02-07 12:39:35,224 [Th 1021 Req 9014142 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 59:396:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,225 [Th 1021 Req 9014142 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 59:1120:EC-8E-B5-C0-87-2A:AKUAzgAiAE1+i4kAQm45YcMhfq2VHkbyLVwTQA==
    2020-02-07 12:39:35,231 [Th 1030 Req 9014143 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 60:396:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,231 [Th 1030 Req 9014143 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 60:1120:EC-8E-B5-C0-87-2A:AI8A6QDDAKJ/i4kAXXsyRj0Tq0Pxm75YIoMpfg==
    2020-02-07 12:39:35,238 [Th 1028 Req 9014144 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 61:396:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,238 [Th 1028 Req 9014144 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 61:1120:EC-8E-B5-C0-87-2A:AFoAPADeAP6Ai4kA3Tnzv3uc5ITMrGEY+0mz+w==
    2020-02-07 12:39:35,244 [Th 1025 Req 9014145 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 62:396:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,244 [Th 1025 Req 9014145 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 62:691:EC-8E-B5-C0-87-2A:AAcAwgA7APeBi4kA2JtvCsK5Rxqv0nhws7SStQ==
    2020-02-07 12:39:35,275 [Th 1029 Req 9014146 SessId R001476be-40-5e3d5a87] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "UoY Wired Printing - 040220" - 63:396:EC-8E-B5-C0-87-2A
    2020-02-07 12:39:35,275 [Th 1029 Req 9014146 SessId R001476be-40-5e3d5a87] ERROR RadiusServer.Radius - rlm_eap: Client doesn't support any method that we require. Rejecting client.


  • 2.  RE: HP printer eap-tls and cppm 6.8.4

    Posted Feb 07, 2020 09:34 AM

    Do you have TLS 1.0 disabled on CPPM?    What model of HP printer is it; and does it support versions greater than 1.0?

    [attachment: cppm_tls10.png]



  • 3.  RE: HP printer eap-tls and cppm 6.8.4

    Posted Feb 07, 2020 09:46 AM

    FutureSMART 4 4.10

    Printer should be sending TLS 1.2

    Disabled 1.0 and 1.1 for Admin on cppm



  • 4.  RE: HP printer eap-tls and cppm 6.8.4

    Posted Feb 07, 2020 02:53 PM

    My next question would be around the cert on CPPM: is it fully trusted by the printer's supplicant?   Is this the only device that has the issue?



  • 5.  RE: HP printer eap-tls and cppm 6.8.4

    Posted Feb 10, 2020 03:52 AM

    As far as I can see it is; I have uploaded the CA chain onto cppm. But it's worse than that: the printer can also do PEAP, and it's failing with the same error message, so I'm not convinced that it's client cert specific. Did wonder if it was more basic.

    Get error

    SSL/TLS Handshake error [lib(20) func(321), reason(338)]

    on the printer. Did wonder if it was the ciphers available. This is what's set up on the printer...

    [attachment: image (3).png]



  • 6.  RE: HP printer eap-tls and cppm 6.8.4

    Posted Feb 13, 2020 06:20 AM

    The ciphers look fine.  Does the printer have a section to trust ClearPass' certificate?   If PEAP is also failing, it seems as though the printer is not trusting the identity of ClearPass.

     

    I am not familiar with the FutureSmart platform, so not sure on exactly where this is set.   Look for Certificate Management; both Certificates installed/trusted and also Certificate Validation.



  • 7.  RE: HP printer eap-tls and cppm 6.8.4

    Posted Feb 13, 2020 06:38 AM

    That's exactly what is happening. Did a Wireshark capture and I can see the printer rejecting our radius.york.ac.uk cert.

    My colleague that is configuring the printer set up a test lab with the printer, a switch and a Windows CA/radius server, and the printer does auth with a less secure cert, so we know it works.

    Current plan is to use this test lab to "tweak" the cert being sent from the Windoze radius server and then use that on clearpass, specifying it as specific to the cppm printing authentication service I've set up.

    We did go through the printer making sure all the certs and appropriate ciphers were there.



  • 8.  RE: HP printer eap-tls and cppm 6.8.4
    Best Answer

    Posted Feb 17, 2020 06:23 AM

    So here is a (possibly) strange thing.

     

    Over the years we have had various CA suppliers providing "radius.york.ac.uk" for use on our RADIUS infrastructure. This means that if you look at the clearpass trust list there are a larger number of enabled CA chains instead of just the ones we use.

    Looking at a wireshark trace of an attempted eap-tls auth from the printer to clearpass, we can see clearpass sending all the enabled trust list certs to the printer, so:

    1). The specific service that does printer dot1x has its own internally generated server cert that it sends out, with its own CA chain.

    2). All our other cppm services use an AddTrust External Root generated cert.

    3). In a lab where the printer is talking to a Microsoft RADIUS server with 1 CA chain, auth works.

    I'm now wondering if the printer is bleating because clearpass is sending too many CA chains.

    Don't know enough about the eap dialogue, but should cppm be sending all the trust list enabled certs in an Access-Challenge packet?

    Now pruning down the list of enabled certs in the trust list.

     

    A



  • 9.  RE: HP printer eap-tls and cppm 6.8.4
    Best Answer

    Posted Feb 19, 2020 04:16 AM

    Sorted!

    Down to the trust list on cppm and the number of CA chains you have in it. More than 1 and the printer terminates the eap transaction.

    Solution?

    Get clearpass to proxy the eap-tls request to a dinky freeradius server that only deals with tls with a specific CN=.... and sends back the bare minimum in the trust list.

    Would be nice if cppm could let you select what gets sent back from the trust list ... especially if you're using a single cert for a service.
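
The pattern the original poster spotted in the Access Tracker log (post 1) and explained in posts 8 and 9, namely a long run of near-MTU Access-Challenge fragments right after `rlm_eap_tls: Initiate`, followed by `rlm_eap: Client doesn't support any method that we require`, can be picked out automatically so that the next oversized trust list is caught before anyone reaches for Wireshark. The script below is an added example, not ClearPass code and not from the thread's author; it parses `RadiusServer.Radius` lines in the format shown in the thread. It assumes that the numbers after `Access-Challenge` are `id:length:MAC` (the thread's trace is consistent with that, but it is my reading, not a documented format), and the size and count thresholds are my own choices, not ClearPass constants. The sample log is constructed to mirror the thread's trace.

```python
import re
from collections import defaultdict

# Matches the "[Th ... SessId ...]" header form; RequestHandler lines carry no
# SessId and are deliberately skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) \[.*?SessId (?P<sess>\S+)\] "
    r"(?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$"
)
# Assumption: the fields after "Access-Challenge" are id:length:MAC.
CHALLENGE_RE = re.compile(r"Access-Challenge (?P<id>\d+):(?P<length>\d+):")

# Heuristic thresholds (my assumptions, not ClearPass constants). RADIUS packets
# near the ~1100-byte EAP fragment size are "large"; four or more in one session
# means the server's TLS flight (its certificate chain plus the CertificateRequest
# list of trusted CA names) was big enough to need fragmenting.
LARGE_FRAGMENT_BYTES = 1000
MIN_LARGE_FRAGMENTS = 4


def parse_sessions(lines):
    """Group the interesting events of each RADIUS session by SessId."""
    sessions = defaultdict(lambda: {"challenges": [], "tls_errors": 0,
                                    "rejected": False, "initiated": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m.group("sess")], m.group("msg")
        c = CHALLENGE_RE.search(msg)
        if c:
            s["challenges"].append(int(c.group("length")))
        elif "rlm_eap_tls: Initiate" in msg:
            s["initiated"] = True
        elif msg.startswith("TLS_accept:error"):
            s["tls_errors"] += 1
        elif "Rejecting client" in msg:
            s["rejected"] = True
    return dict(sessions)


def assess(session):
    """Summarise one session and flag the oversized-server-flight pattern."""
    large = [n for n in session["challenges"] if n >= LARGE_FRAGMENT_BYTES]
    report = {
        "challenges": len(session["challenges"]),
        "large_fragments": len(large),
        "server_flight_bytes": sum(large),   # bytes the supplicant had to absorb
        "tls_errors": session["tls_errors"],
        "rejected": session["rejected"],
    }
    if session["initiated"] and session["rejected"] and len(large) >= MIN_LARGE_FRAGMENTS:
        report["verdict"] = "oversized-server-flight"   # check the trust list first
    elif session["rejected"]:
        report["verdict"] = "rejected"
    else:
        report["verdict"] = "ok"
    return report


def summarize(lines):
    return {sess: assess(s) for sess, s in parse_sessions(lines).items()}


# ---- constructed sample log, modelled on the trace in the thread ----
SESS = "R0000000a-40-5e3d5a87"   # constructed session id
MAC = "AA-BB-CC-DD-EE-01"        # constructed client MAC


def _line(ms, req, msg, level="INFO"):
    return (f"2020-02-07 12:39:35,{ms:03d} [Th 1025 Req {req} SessId {SESS}] "
            f"{level} RadiusServer.Radius - {msg}")


SAMPLE_LOG = [
    _line(1, 9014135, f"rlm_service: Starting Service Categorization - 52:363:{MAC}"),
    _line(20, 9014135, "rlm_eap_tls: Initiate"),
    _line(20, 9014135, f"reqst_update_state: Access-Challenge 52:88:{MAC}:AAAA=="),   # EAP-TLS Start
    _line(176, 9014136, "TLS_accept:error in SSLv3 read client certificate A"),
    _line(176, 9014136, f"reqst_update_state: Access-Challenge 53:1124:{MAC}:BBBB=="),
]
# nine more near-MTU fragments of the server flight, as in the thread's trace
SAMPLE_LOG += [
    _line(183 + 7 * i, 9014137 + i, f"reqst_update_state: Access-Challenge {54 + i}:1120:{MAC}:CCCC==")
    for i in range(9)
]
SAMPLE_LOG.append(_line(275, 9014146,
                        "rlm_eap: Client doesn't support any method that we require. Rejecting client.",
                        level="ERROR"))

if __name__ == "__main__":
    for sess, report in summarize(SAMPLE_LOG).items():
        print(sess, report)
```

Run it over an exported Access Tracker log instead of `SAMPLE_LOG` and the `server_flight_bytes` figure gives a direct feel for how much the enabled trust list is inflating the handshake; a verdict of `oversized-server-flight` on a device that otherwise supports TLS 1.2 is the cue to prune the CA chains enabled for EAP, exactly as the thread ended up doing.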