Problem with 802.1x printers authentication

  • Question

  • Hello.

    I have a problem with my MS Windows Server 2008R2 with installed Network Policy and Access Services role.

    All PCs in my network are authorized by this server and everything is fine, but I have a problem authenticating MFPs and printers (HP and Kyocera).

    I created users for the printers and a network policy to assign them to the proper VLAN using PEAP (EAP-MS-CHAP-v2) authentication. After specifying the domain username and password on the printer, I set the port on my switch to authentication mode, but the server told me that there is an error with code 23 - An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors - the same error occurs for all printers in my LAN.

    There is a CA server in my network, and the certificate for the NPS server was issued by it. I tried to install the certificate of this CA (and of the NPS server) on the printers, but it makes no difference.

    In IASSAM.log there are the following messages about authentication attempts:

    [5140] 11-04 12:49:39:877: NT-SAM Names handler received request with user identity PRINTERUSER@DOMAINNAME
    [5140] 11-04 12:49:39:877: Successfully cracked username.
    [5140] 11-04 12:49:39:877: SAM-Account-Name is "DOMAINNAME\PRINTERUSER".
    [5140] 11-04 12:49:39:877: Successfully created new RAP Based EAP session for user DOMAINNAME\PRINTERUSER
    [5140] 11-04 12:49:39:877: No AUTHENTICATION extensions, continuing
    [5140] 11-04 12:49:39:877: NT-SAM Authentication handler received request for DOMAINNAME\PRINTERUSER
    [5140] 11-04 12:49:39:877: Validating windows user account DOMAINNAME\PRINTERUSER
    [5140] 11-04 12:49:39:877: Sending LDAP search to dc.DOMAINNAME.
    [5140] 11-04 12:49:39:877: Successfully validated windows account DOMAINNAME\PRINTERUSER
    [5140] 11-04 12:49:39:877: NT-SAM User Authorization handler received request for DOMAINNAME\PRINTERUSER
    [5140] 11-04 12:49:39:877: Using native-mode dial-in parameters.
    [5140] 11-04 12:49:39:877: Sending LDAP search to dc.DOMAINNAME.
    [5140] 11-04 12:49:39:877: Successfully retrieved per-user attributes.
    [5140] 11-04 12:49:39:877: Allowed EAP type: 25
    [5140] 11-04 12:49:39:877: Allowed EAP type: 26
    [5140] 11-04 12:49:39:877: Succesfully created EAP Host session with session id 1218224
    [5140] 11-04 12:49:39:877: Processing output from EAP: action:1
    [5140] 11-04 12:49:39:877: Inserting outbound EAP-Message of length 6.
    [5140] 11-04 12:49:39:877: Issuing Access-Challenge.
    [5140] 11-04 12:49:39:877: No AUTHORIZATION extensions, continuing
    [7224] 11-04 12:49:39:924: Successfully retrieved session (1218224) for user DOMAINNAME\PRINTERUSER
    [7224] 11-04 12:49:39:924: No AUTHENTICATION extensions, continuing
    [7224] 11-04 12:49:39:924: Processing output from EAP: action:1
    [7224] 11-04 12:49:39:924: Inserting outbound EAP-Message of length 1462.
    [7224] 11-04 12:49:39:924: Issuing Access-Challenge.
    [7224] 11-04 12:49:39:924: No AUTHORIZATION extensions, continuing
    [5140] 11-04 12:49:39:955: Successfully retrieved session (1218224) for user DOMAINNAME\PRINTERUSER
    [5140] 11-04 12:49:39:955: No AUTHENTICATION extensions, continuing
    [5140] 11-04 12:49:39:955: Processing output from EAP: action:1
    [5140] 11-04 12:49:39:955: Inserting outbound EAP-Message of length 1325.
    [5140] 11-04 12:49:39:955: Issuing Access-Challenge.
    [5140] 11-04 12:49:39:955: No AUTHORIZATION extensions, continuing
    [7224] 11-04 12:49:39:986: Successfully retrieved session (1218224) for user DOMAINNAME\PRINTERUSER
    [7224] 11-04 12:49:39:986: No AUTHENTICATION extensions, continuing
    [7224] 11-04 12:49:39:986: Processing output from EAP: action:2
    [7224] 11-04 12:49:39:986: Translating attributes returned by EAPHost.
    [7224] 11-04 12:49:39:986: EAP authentication failed.
    [7224] 11-04 12:49:39:986: No AUTHORIZATION extensions, continuing
    [7224] 11-04 12:49:39:986: Inserting outbound EAP-Message of length 4.


    Can anybody explain what I need to do to get my printers authenticated by the NPS server?




    Friday, November 4, 2016 11:13 AM
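
An added example, not part of the original post: a small Python parser for the IASSAM.log format quoted above. It ties the interleaved worker-thread lines (5140, 7224) back to one EAP session and reports the allowed EAP types, the sizes of the server's outbound EAP messages, and where the failure is logged. The function name `summarize` and the summary fields are assumptions of this example; 25 and 26 are the IANA EAP type numbers for PEAP and EAP-MSCHAPv2.

```python
import re

# Excerpt of the IASSAM.log lines quoted in the question (same format, fewer lines).
SAMPLE = r"""
[5140] 11-04 12:49:39:877: Successfully created new RAP Based EAP session for user DOMAINNAME\PRINTERUSER
[5140] 11-04 12:49:39:877: Allowed EAP type: 25
[5140] 11-04 12:49:39:877: Allowed EAP type: 26
[5140] 11-04 12:49:39:877: Succesfully created EAP Host session with session id 1218224
[5140] 11-04 12:49:39:877: Inserting outbound EAP-Message of length 6.
[5140] 11-04 12:49:39:877: Issuing Access-Challenge.
[7224] 11-04 12:49:39:924: Successfully retrieved session (1218224) for user DOMAINNAME\PRINTERUSER
[7224] 11-04 12:49:39:924: Inserting outbound EAP-Message of length 1462.
[7224] 11-04 12:49:39:924: Issuing Access-Challenge.
[7224] 11-04 12:49:39:986: Successfully retrieved session (1218224) for user DOMAINNAME\PRINTERUSER
[7224] 11-04 12:49:39:986: EAP authentication failed.
"""

# [thread id] MM-DD hh:mm:ss:ms: message
LINE = re.compile(r"^\s*\[(\d+)\] (\d\d-\d\d \d\d:\d\d:\d\d:\d+): (.*?)\s*$", re.M)
NEW = "Successfully created new RAP Based EAP session for user "
EAP_NAMES = {25: "PEAP", 26: "EAP-MSCHAPv2"}  # IANA EAP method type numbers

def summarize(text):
    """Return {session_id: summary}; lines without a session id are attributed via a thread -> session map."""
    sessions, pending, current = {}, {}, {}
    for tid, ts, msg in LINE.findall(text):
        if msg.startswith(NEW):
            pending[tid] = {"user": msg[len(NEW):], "started": ts, "allowed": [],
                            "sent": [], "challenges": 0, "result": "no failure logged"}
        elif msg.startswith("Allowed EAP type: ") and tid in pending:
            n = int(msg.split(": ")[1])
            pending[tid]["allowed"].append(EAP_NAMES.get(n, str(n)))
        elif (c := re.search(r"created EAP Host session with session id (\d+)", msg)) and tid in pending:
            sessions[c.group(1)] = pending.pop(tid)
            current[tid] = c.group(1)
        elif (r := re.match(r"Successfully retrieved session \((\d+)\)", msg)):
            current[tid] = r.group(1)  # this thread now works on that session
        elif (s := sessions.get(current.get(tid))) is not None:
            if (n := re.match(r"Inserting outbound EAP-Message of length (\d+)", msg)):
                s["sent"].append(int(n.group(1)))
            elif msg == "Issuing Access-Challenge.":
                s["challenges"] += 1
            elif msg == "EAP authentication failed.":
                s["result"], s["failed_at"] = "failed", ts
    return sessions

print(summarize(SAMPLE))
```

Run against a full IASSAM.log, the per-session list of outbound message sizes and the timestamp of the failure show how far each printer's exchange got before the server rejected it.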

All replies