HP JetDirect will not authenticate with NPS

Question
-
I am unable to get my HP LaserJet 4600 to successfully authenticate and access the network using 802.1x. I am trying to use username and password not certificate based authentication.
I have configured the network policy to "Disconnect Clients without Cryptobinding"
We are using NPS only to authenticate machines to the network. We are not doing any health checks at this time.
I get the following event log message:
Authentication Details:
Proxy Policy Name: NAP 802.1X (Wired)
Network Policy Name: NAP 802.1X (Wired) Non NAP-Capable
Authentication Provider: Windows
Authentication Server: NPS.NNC.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Reason Code: 301
Reason: Received Crypto-Binding TLV is invalid.
Thursday, October 28, 2010 8:47 PM
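Added example, not part of the original thread and not Microsoft or HP code: a small Python parser for NPS denial text pasted in the "Key: Value" layout quoted in the question. It picks out PEAP denials with reason code 301 and shows which network policy they matched. The function names and the second sample record are constructed for illustration.

```python
import re
from collections import Counter

FIELD = re.compile(r"^\s*([^:]+?):\s*(.*)$")

# Constructed sample: the first record copies the fields quoted in the question;
# the second is an invented denial with a different reason code, for contrast.
SAMPLE = """\
Authentication Details:
Proxy Policy Name: NAP 802.1X (Wired)
Network Policy Name: NAP 802.1X (Wired) Non NAP-Capable
Authentication Type: PEAP
EAP Type: -
Reason Code: 301
Reason: Received Crypto-Binding TLV is invalid.

Authentication Details:
Proxy Policy Name: Example Wired Policy
Network Policy Name: Example Wired Policy
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch.
"""

def parse_events(text):
    """Split pasted event text into one dict per 'Authentication Details' block."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Authentication Details":
            current = {}
            events.append(current)
        elif current is not None:
            current[key] = None if value == "-" else value  # "-" is treated as empty
    return events

def cryptobinding_failures(events):
    """Denials where PEAP failed with reason code 301 (invalid crypto-binding TLV)."""
    return [e for e in events
            if e.get("Authentication Type") == "PEAP" and e.get("Reason Code") == "301"]

def denials_by_policy(events):
    """Count denials per (network policy, reason code) to see which policy matched."""
    return Counter((e.get("Network Policy Name"), e.get("Reason Code")) for e in events)

if __name__ == "__main__":
    events = parse_events(SAMPLE)
    for e in cryptobinding_failures(events):
        print("301 under policy:", e["Network Policy Name"], "| inner EAP type:", e["EAP Type"])
    print(dict(denials_by_policy(events)))
```
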
Answers
-
We contacted HP Support and they provided a Firmware Upgrade that fixed the problem.
We are now running V.41.01 which according to HP has several 802.1X related fixes.
Thanks for the support
- Marked as answer by Greg Lindsay (Microsoft employee) Tuesday, November 9, 2010 6:24 PM
Tuesday, November 9, 2010 6:01 PM
All replies
-
Hi,
Thanks for the post.
On NPS server, please uncheck "Disconnect Clients without Cryptobinding" option.
On the Settings tab, click Authentication Methods. In EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit. Disconnect Clients Without Cryptobinding is in the Edit Protected EAP Properties dialog box.
If you enable disconnection of clients without cryptobinding as described above, it will additionally enforce receipt of a cryptobinding response from the client computer. If this is not received, the server will reject the connection attempt. On the client side, enabling the cryptobinding option will require that the server send a cryptobinding TLV, and authentication will fail if this is not received by the client. If the cryptobinding option is not enabled on the client and it receives a cryptobinding TLV from the server, it will reply with a cryptobinding TLV response.
Hope this helps.
Miles
Friday, October 29, 2010 7:18 AM -
Hi,
It looks like you configured NAP policies when you aren't doing NAP. In addition to removing the setting described by Miles above, you should also use a different wizard to configure your policies. Under Standard Configuration in the drop-down, choose RADIUS for 802.1X wired/wireless instead of a NAP policy. This will start the correct wizard.
-Greg
Sunday, October 31, 2010 5:37 AM -
This did not fix the problem.
We were able to get the printers to authenticate by loading a certificate and using EAP-TLS. We have been unable to authenticate using PEAP/MS-CHAPv2. Whenever we attempt to use MS-CHAPv2 we receive the 301 "Received Crypto-Binding TLV is invalid" error.
Monday, November 1, 2010 10:02 PM -
Greg,
Thanks for the tip on using the other wizard. I missed that wizard when I first started looking at the NPS.
We were able to get the printers to authenticate by loading a certificate and using EAP-TLS. We have been unable to authenticate using PEAP/MS-CHAPv2. Whenever we attempt to use MS-CHAPv2 we receive the 301 "Received Crypto-Binding TLV is invalid" error.
We are still attempting to get MS-CHAPv2 working with the printers as my customer is reluctant to go the certificate route.
Mahalo
Joel
Monday, November 1, 2010 10:04 PM -
Hi Joel,
I found a document about configuring Jet Direct that indicates MSCHAP is supported, so this should work.
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00731218/c00731218.pdf
Is there anything in the configuration instructions of this document that is different than what you did? Also see Appendix A, troubleshooting 802.1X. This section might be helpful.
I assume you have other clients that are authenticating fine with 802.1X and MSCHAP. If you do not, then you should also examine the switch to make sure it is compatible.
-Greg
Monday, November 1, 2010 10:53 PM -
We used this document for the initial configs.
It assumes you are using IAS instead of NPS.
We have tried numerous settings. Using MS-CHAPv2 fails every time with the 301 error.
HP has a firmware upgrade that we have not tried yet. I guess that will be next.
By the way we are using the 635N JetDirect card with the following info:
--------- General Information ----------
Status: I/O Card Ready
Model Number: J7961G
Hardware Address: 001B78F3C452
Firmware Version: V.38.05
LAA: 001B78F3C452
Port Config: 100TX FULL
Auto Negotiation: On
Manufacturing ID: 31035032903103
S/N: Not Specified
Date Manufactured: 08/2010
Monday, November 1, 2010 11:05 PM -
We have several XP SP3 clients that authenticate with MS-CHAPv2 no problem. Also Win 7 clients so the switch is configured properly.
Monday, November 1, 2010 11:07 PM
-
Something else that I have found which might cause this issue is the NIC driver. Specifically, there are reports that a Broadcom based driver can cause this problem.
Monday, November 1, 2010 11:32 PM -
I have seen these reports also. Unfortunately I have no idea what chip or driver the HP JetDirect cards use. I am trying to engage HP tech support on this issue.
Tuesday, November 2, 2010 2:05 PM -
We contacted HP Support and they provided a Firmware Upgrade that fixed the problem.
We are now running V.41.01 which according to HP has several 802.1X related fixes.
Thanks for the support
- Marked as answer by Greg Lindsay (Microsoft employee) Tuesday, November 9, 2010 6:24 PM
Tuesday, November 9, 2010 6:01 PM -
Excellent news! Thanks for the follow-up.
Tuesday, November 9, 2010 6:25 PM
-
Anytime. I get frustrated when individuals don't post validated fixes when they get them.
Tuesday, November 9, 2010 9:28 PM