802.1X EAP-TLS authentication fails on second Canon iR-ADV C3730 – only working with MAC Bypass

stefanlog — Wed, 18 Jun 2025 06:45:45 GMT

Hi all,

we're currently rolling out 802.1X authentication in our environment using EAP-TLS with NPS (Windows Server) and Meraki switches.

We have two identical Canon iR-ADV C3730 devices. Both are configured identically with:

- 802.1X enabled
- "Use TLS" set to On
- A valid client certificate selected (including SAN with UPN)
- Login Name: printername@domain.local (and others like MAC)
- PEAP, TTLS, MSCHAPv2: disabled
- Certificate chain trusted (CA is known and valid)
- Firmware is up to date (as far as we can tell)

Now the issue:

-> Printer A authenticates successfully with MAC bypass (Meraki sends MAC address as username).

-> Printer B, with the same MAC-based configuration, fails.

In the Windows Event Log on the NPS server, we get:

Security ID: NULL SID Failure Reason: Unknown user name or bad password Status: 0xC000006D SubStatus: 0xC000006A

This typically means the account name could not be resolved in Active Directory. However:

- The AD account with MAC-adress (74bfc0de5fa0) exists
- Password is correct and set to never expire
- Account is enabled
- Account name matches the MAC format exactly
- UserPrincipalName and altSecurityIdentities are configured

On the Meraki switch, we see:

802.1X client timeout
Indicating that the printer does not respond to EAPOL packets when MAC bypass is disabled.

What we’ve tried so far:
- Swapped switch ports – the issue follows the printer, not the port
- Re-created the certificate
- Restarted the printer after reconfiguring 802.1X
- Compared all 802.1X settings between both printers – they are identical
- Verified NPS policy (PAP allowed for MAC-based fallback, EAP-TLS otherwise)
- Checked AD replication and DNS – all fine

Questions:
Is there a known issue with 802.1X EAP-TLS on Canon iR-ADV C3730, where the supplicant sometimes doesn't initialize properly?

Is there a debug mode or log within the printer UI or service menu that shows 802.1X authentication status?

Are there firmware builds that improve 802.1X reliability?

Any help would be appreciated – it's extremely frustrating that one device works and the other doesn’t, even though they’re configured the same.

Thanks in advance!

Re: 802.1X EAP-TLS authentication fails on second Canon iR-ADV C3730 – only working with MAC Bypass

Danny — Wed, 18 Jun 2025 12:37:25 GMT

Thanks for joining the conversation, stefanlog!

While our forum community members are welcome to chime in, Canon does not provide direct support for imageRUNNER series products. Instead, your dealer will be able to help you! If you don't have a dealer and you're in the United States, please call us at 1-800-OK-CANON (1-800-652-2666) and we will be happy to provide you with the names of dealers in your area.

If you're outside the USA, visit http://global.canon and choose your country or region from the map for local support.

We hope this helps!

topic Re: 802.1X EAP-TLS authentication fails on second Canon iR-ADV C3730 – only working with MAC Bypass in Production Printing

802.1X EAP-TLS authentication fails on second Canon iR-ADV C3730 – only working with MAC Bypass

Re: 802.1X EAP-TLS authentication fails on second Canon iR-ADV C3730 – only working with MAC Bypass