HP JetDirect will not authenticate with NPS

  • Question

  • I am unable to get my HP LaserJet 4600 to successfully authenticate and access the network using 802.1x. I am trying to use username and password not certificate based authentication.

    I have configured the network policy to "Disconnect Clients without Cryptobinding"

    We are using NPS only to authenticate machines to the network. We are not doing any health checks at this time.

    I get the following event log message:

    Authentication Details:
        Proxy Policy Name:        NAP 802.1X (Wired)
        Network Policy Name:        NAP 802.1X (Wired) Non NAP-Capable
        Authentication Provider:        Windows
        Authentication Server:        NPS.NNC.local
        Authentication Type:        PEAP
        EAP Type:            -
        Account Session Identifier:        -
        Reason Code:            301
        Reason:                Received Crypto-Binding TLV is invalid.
    Thursday, October 28, 2010 8:47 PM
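    An added example, not part of the original thread: a small Python parser for NPS denial event bodies in the layout quoted above, which counts Reason Code 301 (cryptobinding) rejections per device and network policy. The sample events are constructed; the "Calling Station Identifier" field and the "----" separator between exported events are assumptions.

```python
import re
from collections import Counter

# Constructed sample: two NPS "access denied" event bodies in the layout quoted
# in the question. The MAC addresses and the whole second event are made up.
SAMPLE_EVENTS = """\
Client Machine:
    Calling Station Identifier:        00-00-5E-00-53-01
Authentication Details:
    Proxy Policy Name:        NAP 802.1X (Wired)
    Network Policy Name:        NAP 802.1X (Wired) Non NAP-Capable
    Authentication Type:        PEAP
    EAP Type:            -
    Reason Code:            301
    Reason:                Received Crypto-Binding TLV is invalid.
----
Client Machine:
    Calling Station Identifier:        00-00-5E-00-53-02
Authentication Details:
    Network Policy Name:        NAP 802.1X (Wired) Non NAP-Capable
    Authentication Type:        PEAP
    EAP Type:            Microsoft: Secured password (EAP-MSCHAP v2)
    Reason Code:            16
    Reason:                Authentication failed due to a user credentials mismatch.
"""

# "Name:   value" lines; section headers such as "Client Machine:" have no value.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):[ \t]+(\S.*?)\s*$")

def parse_event(text):
    """Return {field name: value} for every 'Name:   value' line in one event body."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def cryptobinding_failures(events_text, separator="----"):
    """Count Reason Code 301 rejections per (calling station, network policy)."""
    hits = Counter()
    for body in events_text.split(separator):
        ev = parse_event(body)
        if ev.get("Reason Code") == "301":
            hits[(ev.get("Calling Station Identifier", "?"),
                  ev.get("Network Policy Name", "?"))] += 1
    return hits

if __name__ == "__main__":
    for (station, policy), n in cryptobinding_failures(SAMPLE_EVENTS).items():
        print(f"{station}  {policy}  301 x{n}")
```

    A device that appears here while other clients pass under the same policy points at the supplicant on that device rather than at the NPS or switch configuration.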

All replies

  • Hi,

    Thanks for the post.

    On NPS server, please uncheck "Disconnect Clients without Cryptobinding" option.

    On the Settings tab, click Authentication Methods. In EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit. Disconnect Clients Without Cryptobinding is in the Edit Protected EAP Properties dialog box.

    If you enable disconnection of clients without cryptobinding as described above, it will additionally enforce receipt of a cryptobinding response from the client computer. If this is not received, the server will reject the connection attempt. On the client side, enabling the cryptobinding option will require that the server send a cryptobinding TLV, and authentication will fail if this is not received by the client. If the cryptobinding option is not enabled on the client and it receives a cryptobinding TLV from the server, it will reply with a cryptobinding TLV response.

    Hope this helps.

    Miles

     


    Friday, October 29, 2010 7:18 AM
  • Hi,

    It looks like you configured NAP policies when you aren't doing NAP. In addition to removing the setting described by Miles above, you should also use a different wizard to configure your policies. Under Standard Configuration in the drop-down, choose RADIUS for 802.1X wired/wireless instead of a NAP policy. This will start the correct wizard.

    -Greg

    Sunday, October 31, 2010 5:37 AM
  • This did not fix the problem.

    We were able to get the printers to authenticate by loading a certificate and using EAP-TLS. We have been unable to authenticate using PEAP/MS-CHAPv2. Whenever we attempt to use MS-CHAPv2 we receive the 301 "Received Crypto-Binding TLV is invalid" error.

    Monday, November 1, 2010 10:02 PM
  • Greg,

    Thanks for the tip on using the other wizard. I missed that wizard when I first started looking at the NPS.

     

    We were able to get the printers to authenticate by loading a certificate and using EAP-TLS. We have been unable to authenticate using PEAP/MS-CHAPv2. Whenever we attempt to use MS-CHAPv2 we receive the 301 "Received Crypto-Binding TLV is invalid" error.

     

    We are still attempting to get MS-CHAPv2 working with the printers as my customer is reluctant to go the certificate route.

     

    Mahalo

    Joel

    Monday, November 1, 2010 10:04 PM
  • Hi Joel,

    I found a document about configuring Jet Direct that indicates MSCHAP is supported, so this should work.

    http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00731218/c00731218.pdf

    Is there anything in the configuration instructions of this document that is different than what you did? Also see Appendix A, troubleshooting 802.1X. This section might be helpful.

    I assume you have other clients that are authenticating fine with 802.1X and MSCHAP. If you do not, then you should also examine the switch to make sure it is compatible.

    -Greg

    Monday, November 1, 2010 10:53 PM
  • We used this document for the initial configs.

    It assumes you are using IAS instead of NPS.

    We have tried numerous settings. Using MS-CHAPv2 fails every time with the 301 error.

    HP has a firmware upgrade that we have not tried yet. I guess that will be next.

    By the way we are using the 635N JetDirect card with the following info:

    --------- General Information ----------        
    Status:                   I/O Card Ready         
                                                     
    Model Number:                     J7961G         
    Hardware Address:           001B78F3C452       
    Firmware Version:                V.38.05         
    LAA:                        001B78F3C452        
    Port Config:                  100TX FULL         
    Auto Negotiation:                     On                          
    Manufacturing ID:         31035032903103                       
    S/N:                       Not Specified                                                 
    Date Manufactured:               08/2010 
     

     

    Monday, November 1, 2010 11:05 PM
  • We have several XP SP3 clients that authenticate with MS-CHAPv2 no problem. Also Win 7 clients so the switch is configured properly.
    Monday, November 1, 2010 11:07 PM
  • Something else that I have found which might cause this issue is the NIC driver. Specifically, there are reports that a Broadcom based driver can cause this problem.

    Monday, November 1, 2010 11:32 PM
  • I have seen these reports also. Unfortunately I have no idea what chip or driver the HP JetDirect cards use. I am trying to engage HP tech support on this issue.

     

     

    Tuesday, November 2, 2010 2:05 PM
  • We contacted HP Support and they provided a Firmware Upgrade that fixed the problem.

     

    We are now running V.41.01 which according to HP has several 802.1X related fixes.

     

    Thanks for the support

    Tuesday, November 9, 2010 6:01 PM
  • Excellent news! Thanks for the follow-up.
    Tuesday, November 9, 2010 6:25 PM
  • Anytime. I get frustrated when individuals don't post validated fixes when they get them.
    Tuesday, November 9, 2010 9:28 PM