HP laser printer fails to connect to Aironet 1815i AP (ME)

Maurice_
Level 1

I'm trying to connect an HP Laser 107w printer to an Aironet 1815i AP. The AP is running latest Mobility Express Firmware 8.10.151.0. The WLAN is configured with basic settings (WPA2 PSK). The printer won't connect. Other devices have no issues connecting to this WLAN. And the printer does connect to a non-Cisco consumer AP just fine.

On the ME client dashboard, the printer's status is shown as "Excluded". Since the printer has no advanced WLAN settings at all, I'm trying to figure out which AP settings might work. The PSK has no special characters. See event log below for details.

Thanks for any hints!

 

21:53:55	Dot11	INFO	ASSOC_REQ	  MESSAGE_RECEIVED	                                        None
21:53:55	Dot11	INFO	ASSOC_REQ	  INVALID_RSN_IE	                                        None
21:53:55	PEM	INFO	PEM_EVENT_MSG	  IP_ACQUIRED_AND_AUTH_NOT_REQ_OR_STATIC_DYNAMIC_WEP_SUPPORTED	None
21:53:55	Dot11	INFO	ASSOC_REQ	  CLIENT_MOVED_TO_ASSOCIATED_STATE	                        None
21:53:55	Dot1x	ERROR	AUTH_DOT1X	  WLAN_REQUIRES_802_1X_AUTH	                                None
21:53:55	Dot1x	ERROR	EAPOL_KEY	  UNABLE_TO_ALLOW_USER	                                        None
21:53:55	Misce	ERROR	MISC_ROAM_EVENTS                                                                00:00:00:00:00:00, 1,18:80:90:fb:98:60, 1, KEY_HS_TIMEOUT
21:53:55	Dot1x	ERROR	EAPOL_KEY	  UNABLE_TO_ALLOW_USER	                                        None
21:53:55	Misce	ERROR	MISC_ROAM_EVENTS                                                                00:00:00:00:00:00, 1,18:80:90:fb:98:60, 1, KEY_HS_TIMEOUT
21:53:55	Dot11	ERROR	AUTH_RES	  NOT_FROM_RELAY	                                        slot 0 (claller 1x_ptsm.c:693)
21:53:55	Dot1x	ERROR	EAPOL_KEY	  RETRANSMITTING_EAPOL_KEY	                                None
21:53:55	Misce	ERROR	MISC_ROAM_EVENTS                                                                00:00:00:00:00:00, 1,18:80:90:fb:98:60, 1, KEY_4WAY_TIMEOUT
21:53:55	Dot1x	ERROR	EAPOL_KEY	  IDENTITY_PACKET_RECEIVED	                                None
21:54:00	Dot11	INFO	ASSOC_REQ	  MESSAGE_RECEIVED	                                        None
21:54:00	Dot11	INFO	ASSOC_REQ	  INVALID_RSN_IE	                                        None
21:54:00	PEM	INFO	PEM_EVENT_MSG	  IP_ACQUIRED_AND_AUTH_NOT_REQ_OR_STATIC_DYNAMIC_WEP_SUPPORTED	None
21:54:00	Dot11	INFO	ASSOC_REQ	  CLIENT_MOVED_TO_ASSOCIATED_STATE	                        None
21:54:00	Dot1x	ERROR	AUTH_DOT1X	  WLAN_REQUIRES_802_1X_AUTH	                                None
21:54:05	Dot1x	ERROR	EAPOL_KEY	  UNABLE_TO_ALLOW_USER	                                        None
21:54:05	Misce	ERROR	MISC_ROAM_EVENTS                                                                00:00:00:00:00:00, 1,18:80:90:fb:98:60, 1, KEY_HS_TIMEOUT
21:54:05	Dot1x	ERROR	EAPOL_KEY	  UNABLE_TO_ALLOW_USER	                                        None
21:54:05	Misce	ERROR	MISC_ROAM_EVENTS                                                                00:00:00:00:00:00, 1,18:80:90:fb:98:60, 1, KEY_HS_TIMEOUT
21:54:05	Dot1x	ERROR	EAPOL_KEY	  START_MESSAGE_RECEIVED	                                None
21:54:05	Dot1x	ERROR	EAPOL_KEY	  TIMER_EXPIRES	                                                None
21:54:05	PEM	ERROR	PEM_EVENT_MSG	  DOT_802_1X_AUTH_SUCCESS	                                None
21:54:05	Dot1x	ERROR	EAPOL_KEY	  DUPLICATE_IDENTITY_PACKET_RECEIVED	                        None
21:54:05	Misce	ERROR	MISC_ROAM_EVENTS                                                                00:00:00:00:00:00, 1,18:80:90:fb:98:60, 1, KEY_HS_PSK_MISMATCH

 


Leo Laohoo
Hall of Fame

@Maurice_ wrote:
WLAN_REQUIRES_802_1X_AUTH

Re-check the settings.  Error message says something is failing 802.1x authentication.

Thanks @Leo Laohoo,

The WLAN is definitely configured with WPA2 PSK AES. I even created a new WLAN for testing. These error messages apparently are not exclusive to 802.1x WLANs [1].

 

A debug on the CLI shows this relevant section:

Jul 15 01:36:18.816: f8:0d:ac:eb:a1:da Starting key exchange to mobile f8:0d:ac:eb:a1:da, data packets will be dropped
Jul 15 01:36:18.816: f8:0d:ac:eb:a1:da Sending EAPOL-Key Message to mobile f8:0d:ac:eb:a1:da state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
Jul 15 01:36:18.816: f8:0d:ac:eb:a1:da Allocating EAP Pkt for retransmission to mobile f8:0d:ac:eb:a1:da
Jul 15 01:36:19.959: f8:0d:ac:eb:a1:da 802.1x 'timeoutEvt' Timer expired for station f8:0d:ac:eb:a1:da and for message = M2
Jul 15 01:36:19.960: f8:0d:ac:eb:a1:da Retransmit 1 of EAPOL-Key M1 (length 99) for mobile f8:0d:ac:eb:a1:da
Jul 15 01:36:20.951: f8:0d:ac:eb:a1:da 802.1x 'timeoutEvt' Timer expired for station f8:0d:ac:eb:a1:da and for message = M2
Jul 15 01:36:20.951: f8:0d:ac:eb:a1:da Retransmit 2 of EAPOL-Key M1 (length 99) for mobile f8:0d:ac:eb:a1:da
Jul 15 01:36:21.943: f8:0d:ac:eb:a1:da 802.1x 'timeoutEvt' Timer expired for station f8:0d:ac:eb:a1:da and for message = M2
Jul 15 01:36:21.944: f8:0d:ac:eb:a1:da Retransmit failure for EAPOL-Key M1 to mobile f8:0d:ac:eb:a1:da, retransmit count 3, mscb deauth count 0
Jul 15 01:36:21.944: f8:0d:ac:eb:a1:da Resetting MSCB PMK Cache Entry @index 0 for station f8:0d:ac:eb:a1:da
Jul 15 01:36:21.944: f8:0d:ac:eb:a1:da Removing BSSID 18:80:90:fb:98:6a from PMKID cache of station f8:0d:ac:eb:a1:da
Jul 15 01:36:21.944: f8:0d:ac:eb:a1:da Setting active key cache index 0 ---> 8
Jul 15 01:36:21.945: f8:0d:ac:eb:a1:da 4way handshake timeout, send deauth and cleanup the mscb

And this is what it looks like when a different client successfully connects to the same WLAN:

Jul 15 01:52:16.731: d4:f5:47:76:00:3c Starting key exchange to mobile d4:f5:47:76:00:3c, data packets will be dropped
Jul 15 01:52:16.731: d4:f5:47:76:00:3c Sending EAPOL-Key Message to mobile d4:f5:47:76:00:3c state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
Jul 15 01:52:16.731: d4:f5:47:76:00:3c Allocating EAP Pkt for retransmission to mobile d4:f5:47:76:00:3c
Jul 15 01:52:16.733: d4:f5:47:76:00:3c validating eapol pkt: key version = 2
Jul 15 01:52:16.734: d4:f5:47:76:00:3c Received EAPOL-Key from mobile d4:f5:47:76:00:3c
Jul 15 01:52:16.734: d4:f5:47:76:00:3c key Desc Version FT - 0
Jul 15 01:52:16.734: d4:f5:47:76:00:3c Received EAPOL-key in PTK_START state (message 2) from mobile d4:f5:47:76:00:3c
Jul 15 01:52:16.734: d4:f5:47:76:00:3c Encryption Policy: 4, PTK Key Length: 48
Jul 15 01:52:16.734: d4:f5:47:76:00:3c Successfully computed PTK from PMK!!!
Jul 15 01:52:16.734: d4:f5:47:76:00:3c Received valid MIC in EAPOL Key Message M2!!!!!

Some sources (like [2]) suggest tuning eapol-key-timeout (default is 1 second). I tried 5 seconds (config advanced eap eapol-key-timeout 5000), but unfortunately this didn't fix it.

 

Other ideas?

 

[1] https://community.cisco.com/t5/wireless/psk-wlan-and-802-1x-auth-failure/td-p/3995673

[2] https://support.hpe.com/hpesc/public/docDisplay?docId=c01785322
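The handshake comparison in the post above, as an added example that is not part of the original thread: a Python parser over the debug lines quoted there that reports, per client MAC, whether M2 ever arrived and how far apart the M1 transmissions were, which is a quick way to confirm whether a changed eapol-key-timeout actually took effect. The function name and verdict labels are made up for illustration.

```python
import re
from datetime import datetime

# Lines copied from the two debug excerpts in the thread (printer, then working client).
SAMPLE_DEBUG = """\
Jul 15 01:36:18.816: f8:0d:ac:eb:a1:da Sending EAPOL-Key Message to mobile f8:0d:ac:eb:a1:da state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
Jul 15 01:36:19.960: f8:0d:ac:eb:a1:da Retransmit 1 of EAPOL-Key M1 (length 99) for mobile f8:0d:ac:eb:a1:da
Jul 15 01:36:20.951: f8:0d:ac:eb:a1:da Retransmit 2 of EAPOL-Key M1 (length 99) for mobile f8:0d:ac:eb:a1:da
Jul 15 01:36:21.944: f8:0d:ac:eb:a1:da Retransmit failure for EAPOL-Key M1 to mobile f8:0d:ac:eb:a1:da, retransmit count 3, mscb deauth count 0
Jul 15 01:36:21.944: f8:0d:ac:eb:a1:da 4way handshake timeout, send deauth and cleanup the mscb
Jul 15 01:52:16.731: d4:f5:47:76:00:3c Sending EAPOL-Key Message to mobile d4:f5:47:76:00:3c state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
Jul 15 01:52:16.734: d4:f5:47:76:00:3c Received EAPOL-key in PTK_START state (message 2) from mobile d4:f5:47:76:00:3c
Jul 15 01:52:16.734: d4:f5:47:76:00:3c Received valid MIC in EAPOL Key Message M2!!!!!
"""

# "<timestamp>: <client MAC> <message>"
LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$")


def _ts(text):
    # The debug output carries no year; 2000 is an arbitrary placeholder.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")


def summarize_handshakes(debug_text):
    """Classify each client's 4-way handshake from controller debug lines."""
    clients = {}
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, mac, msg = _ts(m.group(1)), m.group(2), m.group(3)
        c = clients.setdefault(
            mac, {"m1_sent": [], "m2": False, "mic_ok": False, "timeout": False})
        if "(message 1)" in msg or re.match(r"Retransmit \d+ of EAPOL-Key M1", msg):
            c["m1_sent"].append(when)      # initial M1 or a retransmission
        elif "(message 2)" in msg:
            c["m2"] = True                 # client answered M1
        elif "Received valid MIC in EAPOL Key Message M2" in msg:
            c["mic_ok"] = True             # client derived the same PTK
        elif "4way handshake timeout" in msg or msg.startswith("Retransmit failure"):
            c["timeout"] = True            # controller gave up waiting for M2

    report = {}
    for mac, c in clients.items():
        if c["mic_ok"]:
            verdict = "M2_VALID_MIC"
        elif c["m2"]:
            verdict = "M2_RECEIVED_MIC_NOT_CONFIRMED"
        elif c["timeout"]:
            verdict = "NO_M2_FROM_CLIENT"
        else:
            verdict = "INCOMPLETE"
        sent = c["m1_sent"]
        gaps = [round((b - a).total_seconds(), 3) for a, b in zip(sent, sent[1:])]
        report[mac] = {"verdict": verdict, "m1_transmissions": len(sent),
                       "m1_gaps_s": gaps}
    return report


if __name__ == "__main__":
    for mac, info in summarize_handshakes(SAMPLE_DEBUG).items():
        print(mac, info)
```

Gaps of about one second between M1 transmissions match the default eapol-key-timeout mentioned in the post; after changing the timer, the same run over a fresh debug shows whether the controller is really waiting longer.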

Jul 15 01:36:19.959: f8:0d:ac:eb:a1:da 802.1x 'timeoutEvt' Timer expired for station f8:0d:ac:eb:a1:da and for message = M2
Jul 15 01:36:19.960: f8:0d:ac:eb:a1:da Retransmit 1 of EAPOL-Key M1 (length 99) for mobile f8:0d:ac:eb:a1:da
Jul 15 01:36:20.951: f8:0d:ac:eb:a1:da 802.1x 'timeoutEvt' Timer expired for station f8:0d:ac:eb:a1:da and for message = M2
Jul 15 01:36:20.951: f8:0d:ac:eb:a1:da Retransmit 2 of EAPOL-Key M1 (length 99) for mobile f8:0d:ac:eb:a1:da
Jul 15 01:36:21.943: f8:0d:ac:eb:a1:da 802.1x 'timeoutEvt' Timer expired for station f8:0d:ac:eb:a1:da and for message = M2

It feels like the client did not reply to the authentication message.
I think you can adjust the EAP parameters on the one hand; on the other hand, you can try an open SSID to see if it is caused by the encryption algorithm and whether it is compatible with the client's network card.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

An open SSID works, but is not a viable solution. What other EAP parameters could I adjust?

Can you share the detailed config of the SSID with a "show wlan id <WLAN_ID>" output?

Thanks for your help @JPavonM. This is the WLAN I created for testing:

WLAN Identifier.................................. 2
Profile Name..................................... hp
Network Name (SSID).............................. hp
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
Random MAC Filtering............................. Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
    Radius Profiling ............................ Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
    Local Profiling ............................. Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Security Group Tag............................... Unknown(0)
Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 1
Number of Active Random-Mac Clients.............. 0
Exclusionlist Timeout............................ 180 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
Sleep Client Auto Auth Feature................... Enabled
Web Auth Captive Bypass Mode..................... Enabled
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Scope Name.................................. none
Central NAT...................................... Disabled
Central NAT Peer-Peer Blocking................... Disabled
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
EoGRE Override VLAN state........................ disable
EoGRE Override VLAN ID........................... 0
Quality of Service............................... Silver
Per-BSSID Rate Limits............................ Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-WLAN Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
      Interim Update............................. Enabled
      Interim Update Interval.................... 0
      Framed IPv6 Acct AVP ...................... Prefix
   Authorization ACA............................. Disabled
   Accounting ACA................................ Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Radius Authentication caching.................... Disabled
Mu-Mimo.......................................... Enabled
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2/WPA3)........ Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
      WPA3 (RSN IE).............................. Disabled
      WPA2/WPA3 Encryption Ciphers
         TKIP Cipher............................. Disabled
         CCMP128/AES Cipher...................... Enabled
         CCMP256 Cipher.......................... Disabled
         GCMP128 Cipher.......................... Disabled
         GCMP256 Cipher.......................... Disabled
      OSEN IE.................................... Disabled
      Auth Key Management
         802.1x.................................. Disabled
         802.1x-SHA2............................. Disabled
         PSK..................................... Enabled
         PSK-SHA2................................ Disabled
         CCKM.................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Disabled
         OSEN-1X................................. Disabled
         SUITEB-1X............................... Disabled
         SUITEB192-1X............................ Disabled
         OWE..................................... Disabled
         SAE..................................... Disabled
      PMKID in 4way-handshake.................... Disabled
      OWE Transition Mode........................ Disabled
      OWE Transition Mode WLAN id................ 0
      Auto Key PSK .............................. Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Disabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled
      CCKM TSF Tolerance......................... 1000
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web Authentication Timeout.................... 300
   Web-Passthrough............................... Disabled
   Mac-auth-server............................... 0.0.0.0
   Web-portal-server............................. 0.0.0.0
   qrscan-des-key................................
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Enabled
   FlexConnect Central Association............... Disabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   flexconnect PPPoE pass-through................ Disabled
   flexconnect local-switching IP-source-guar.... Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Flexconnect Post-Auth IPv4 ACL................ Unconfigured
   Flexconnect Post-Auth IPv6 ACL................ Unconfigured
   Client MFP.................................... Optional
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
   Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
Flex Avc Profile Name............................ hp
OpenDns Profile Name............................. None
OpenDns Wlan Mode................................ ignore
OpenDns Wlan Dhcp Option 6....................... disable
Flow Monitor Name................................ None
Split Tunnel Configuration
    Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Disabled
802.11v BSS Transition Service................... Enabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
802.11v BSS Transition Neigh List Dual Band...... Disabled
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
PRP.............................................. Disabled
Fast Receive..................................... Disabled
11ax Downlink MU-MIMO............................ Disabled
11ax Uplink MU-MIMO.............................. Disabled
11ax Downlink OFDMA.............................. Disabled
11ax Uplink OFDMA................................ Disabled
11ax Admin state................................. Enabled
Wifi Alliance Multiband Operation................ Disabled
11ax Target Wake Time............................ Enabled
Advanced Scheduling Requests..................... Disabled

 Mobility Anchor List
 WLAN ID     IP Address            Status                             Priority
 -------     ---------------       ------                             --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority  Policy Name
--------  ---------------

QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable
Lobby Admin Access............................... Disabled

 Fabric Status
--------------

Fabric status.................................... Disable
Vnid Name........................................
Vnid............................................. 0
Applied SGT Tag.................................. 0
Peer Ip Address.................................. 0.0.0.0
Flex Acl Name....................................
Flex IPv6 Acl Name...............................
Flex Avc Policy Name.............................

U3-Interface................................... Disable

U3-Reporting Interval.......................... 30

Your debug points to a compatibility issue with some security feature on the client side, but this is not the case as you have all of them disabled (PMF, FT). Try disabling some features added in the latest versions that could cause connectivity problems, such as dot11ax (I think device-analytics is not there on AireOS). Additionally, disable the 5 GHz radio, as most if not all printers work on the 2.4 GHz band only.

wlan <PROFILE> id <ID> <SSID>
 no device-analytics
 no dot11ax
 radio dot11bg

HTH

- Jesus

 

The printer indeed doesn't support 5 GHz, but setting the radio policy to 2.4 GHz only doesn't make a difference. I had tried that before.

I checked the Mobility Express Command Reference [1]. Unfortunately, none of your suggested settings seem to be supported.

The embedded radio module (SDGOB-1392) seems to be used by many HP printers and there are quite a few reports about compatibility issues with Aironet APs. Enabling TKIP seems to work for some users, but I really don't want to go there.

 

[1] https://www.cisco.com/c/en/us/td/docs/wireless/access_point/mob_exp/810/cmd_ref/me_cr_book-810.html


@Maurice_ wrote:
Jul 15 01:36:21.944: f8:0d:ac:eb:a1:da Retransmit failure for EAPOL-Key M1 to mobile f8:0d:ac:eb:a1:da, retransmit count 3, mscb deauth count 0

Means the WLC is sending M1 for the 3rd time but no response back. 

But why? As mentioned, the printer connects to other APs just fine (also with WPA2 PSK). And all my other devices work with the Cisco AP. But there is nothing I could change on the printer side. It has the latest firmware and absolutely no advanced WLAN settings. So I have to find a workaround / compatibility setting on the AP.

Factory-reset the AP.

JPavonM
VIP

Can you check if 802.11w-PMF is enabled or optional in the SSID? I've suffered this very same behaviour with some devices that state they are PMF-capable but they aren't.

HTH

- Jesus

"Client MFP" says "Optional", but "PMF" says "Disabled". Please see full config above.
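The event log at the top of the thread shows INVALID_RSN_IE on every association request, and the replies circle around which cipher, AKM and PMF settings the printer might be asking for. As an added example (not from the thread or from Cisco), the Python below decodes an RSN element as it would appear in a captured association request and compares it with the Security section of the "hp" WLAN shown above. The sample elements are constructed, not taken from the printer, and the comparison is a generic policy check, not the controller's own validation logic.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 18: "OWE"}

# What the "hp" WLAN allows, read off the Security section of "show wlan".
WLAN_POLICY = {"ciphers": {"CCMP-128"}, "akms": {"PSK"}, "pmf_enabled": False}

# Constructed sample elements; none of these was captured from the printer.
IE_CCMP_PSK = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
IE_TKIP_PSK = bytes.fromhex("30140100000fac020100000fac020100000fac020000")
IE_PMF_REQUIRED = bytes.fromhex("30140100000fac040100000fac040100000fac02c000")
IE_BAD_COUNT = bytes.fromhex("30080100000fac040500")  # claims 5 suites, has none

def _suite(raw, table):
    if raw[:3] != IEEE_OUI:
        return "vendor-" + raw.hex()
    return table.get(raw[3], "unknown-%d" % raw[3])

def parse_rsn_ie(ie):
    """Decode an RSN element (ID 48) from an association request."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSN element truncated at offset %d" % pos)
        pos += n
        return body[pos - n:pos]

    def suite_list(table, default):
        if pos == len(body):  # field omitted: the 802.11 default applies
            return [default]
        (count,) = struct.unpack("<H", take(2))
        return [_suite(take(4), table) for _ in range(count)]

    rsn = {"version": struct.unpack("<H", take(2))[0]}
    rsn["group"] = _suite(take(4), CIPHERS) if pos < len(body) else "CCMP-128"
    rsn["pairwise"] = suite_list(CIPHERS, "CCMP-128")
    rsn["akm"] = suite_list(AKMS, "802.1X")
    caps = struct.unpack("<H", take(2))[0] if pos < len(body) else 0
    # RSN Capabilities: bit 6 = MFP required, bit 7 = MFP capable
    rsn["mfpr"], rsn["mfpc"] = bool(caps & 0x40), bool(caps & 0x80)
    return rsn

def check_against_wlan(rsn, policy=WLAN_POLICY):
    """Return the reasons a client's RSN element does not fit the WLAN."""
    problems = []
    if rsn["version"] != 1:
        problems.append("unsupported RSN version %d" % rsn["version"])
    if rsn["group"] not in policy["ciphers"]:
        problems.append("group cipher %s not enabled" % rsn["group"])
    problems += ["pairwise cipher %s not enabled" % c
                 for c in rsn["pairwise"] if c not in policy["ciphers"]]
    problems += ["AKM %s not enabled" % a
                 for a in rsn["akm"] if a not in policy["akms"]]
    if rsn["mfpr"] and not policy["pmf_enabled"]:
        problems.append("client requires PMF, WLAN has PMF disabled")
    return problems

if __name__ == "__main__":
    for ie in (IE_CCMP_PSK, IE_TKIP_PSK, IE_PMF_REQUIRED):
        print(check_against_wlan(parse_rsn_ie(ie)) or "fits the WLAN policy")
```

Feeding it the RSN element bytes from an over-the-air capture of the printer's association request shows which of these fields, if any, disagrees with the WLAN before any AP setting is loosened.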
