Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3117
Views
10
Helpful
4
Replies

Printer using EAP to communicate but 802.1X is disabled in settings

rogersm200602
Level 1
Level 1

‎09-15-2016 01:30 PM - edited ‎03-11-2019 12:04 AM

I have an HP 600 M602 printer trying to authenticate with ISE 2.0.  The authentication is failing.  The report states the following: "Extracted EAP-Response/NAK packet requesting to use unsupported EAP protocol; EAP-negotiation failed"

Root Cause: "Extracted from the RADIUS message an EAP-Response/NAK packet, rejecting the previously-proposed EAP-based protocol, and requesting to use another protocol instead, per the configuration of the client's supplicant.  However, the requested EAP-based protocol is currently not supported by ISE."

HOWEVER, I have 802.1X disabled on the printer.  It's not supposed to be communicating via EAP.  We've installed different drivers on the printer.  Nothing is stopping this printer from using EAP.  How do we resolve this issue other than turning off the printer or turning on 802.1X and see what happens?

3 people had this problem
Labels:
0 Helpful
4 Replies 4

jan.nielsen
Level 7
Level 7

‎09-15-2016 01:46 PM

How did you disable dot1x? From the manual, i only see reset and keep as options under 802.1x.

Also, you could just use the "authentication event fail action next-method" on your interface, and the switch will go to MAB if it's configured for it, and you can do mac address authentication instead. Unless the printer actively tries to do dot1x, and isn't just responding to the eap-start frames sent by the switch initially, that should work.

rogersm200602
Level 1
Level 1
In response to jan.nielsen

‎09-16-2016 05:12 AM

Hey Jan,

Thanks for the response.  The printer has a web interface.  Within the Networking>802.1X Authentication page, there are two check boxes to enable PEAP and/or EAP-TLS.  Both of those boxes are clear.  We did not enable either one.

Other than sniffing the network traffic with an analyzer, is there any way to determine how the printer is responding to the switch?

0 Helpful

roncrawford82
Level 1
Level 1
In response to rogersm200602

‎11-15-2019 08:36 AM

I know this is an old article but did you ever find a resolution to this issue? I am having this same problem. The printers fail 802.1x authentication then roll over to MAB which they are then successfully authenticated by ISE but then they try to actively re-authenticate 60 seconds later.

0 Helpful

Robert Sutton
Level 1
Level 1
In response to roncrawford82

‎02-24-2020 10:56 AM

Just ran into this same situation. It was an annoyance and a red herring in the switch logs to real issues we were looking for. Since it doesn't appear you can disable dot1x on the printer side, I flipped my auth order on the printer switch port so it auths as MAB and never gets to dot1x:

authentication order mab dot1x
authentication priority mab dot1x

Customers Also Viewed These Support Documents