
802.1X EAP-TLS authentication fails on second Canon iR-ADV C3730 – only working with MAC Bypass

stefanlog
Apprentice

Hi all,

We're currently rolling out 802.1X authentication in our environment using EAP-TLS with NPS (Windows Server) and Meraki switches.

We have two identical Canon iR-ADV C3730 devices. Both are configured identically with:

- 802.1X enabled
- "Use TLS" set to On
- A valid client certificate selected (including SAN with UPN)
- Login Name: printername@domain.local (and others like MAC)
- PEAP, TTLS, MSCHAPv2: disabled
- Certificate chain trusted (CA is known and valid)
- Firmware is up to date (as far as we can tell)

Now the issue:

-> Printer A authenticates successfully with MAC bypass (Meraki sends MAC address as username).

-> Printer B, with the same MAC-based configuration, fails.

In the Windows Event Log on the NPS server, we get:

Security ID: NULL SID
Failure Reason: Unknown user name or bad password
Status: 0xC000006D
SubStatus: 0xC000006A


This typically means the account name could not be resolved in Active Directory. However:

- The AD account with MAC address (74bfc0de5fa0) exists
- Password is correct and set to never expire
- Account is enabled
- Account name matches the MAC format exactly
- UserPrincipalName and altSecurityIdentities are configured

On the Meraki switch, we see:

802.1X client timeout
This indicates that the printer does not respond to EAPOL packets when MAC bypass is disabled.

What we’ve tried so far:
- Swapped switch ports – the issue follows the printer, not the port
- Re-created the certificate
- Restarted the printer after reconfiguring 802.1X
- Compared all 802.1X settings between both printers – they are identical
- Verified NPS policy (PAP allowed for MAC-based fallback, EAP-TLS otherwise)
- Checked AD replication and DNS – all fine

Questions:
Is there a known issue with 802.1X EAP-TLS on Canon iR-ADV C3730, where the supplicant sometimes doesn't initialize properly?

Is there a debug mode or log within the printer UI or service menu that shows 802.1X authentication status?

Are there firmware builds that improve 802.1X reliability?

Any help would be appreciated – it's extremely frustrating that one device works and the other doesn’t, even though they’re configured the same.

Thanks in advance!
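
An added example, not part of the original post: a small triage helper that decodes the Status/SubStatus pair from an NPS logon-failure event and reports whether the name lookup or the password check failed. The sample events are constructed (field layout assumed, values reused from the post), and the hint for MAC bypass assumes the switch submits the MAC string as the PAP password as well as the user name.

```python
import re

# Documented NTSTATUS values that Windows logs for failed logons.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
}
FIELD = re.compile(r"\b(Account Name|Sub\s?Status|Status):\s*(\S+)", re.I)
MAC_NAME = re.compile(r"(?:[0-9a-f]{2}[:-]?){6}", re.I)

# Constructed sample events (field layout assumed, values reused from the post).
SAMPLE_MAB = ("Security ID: NULL SID Account Name: 74bfc0de5fa0 "
              "Failure Reason: Unknown user name or bad password "
              "Status: 0xC000006D SubStatus: 0xC000006A")
SAMPLE_NO_USER = """Account Name:\tprintername@domain.local
Status:\t\t0xC000006D
Sub Status:\t0xC0000064"""

def parse_event(text):
    """Pull account name and status codes out of flattened or multi-line event text."""
    return {re.sub(r"\s", "", k).lower(): v for k, v in FIELD.findall(text)}

def triage(text):
    """Decode the most specific status code and say which half of the credential failed."""
    ev = parse_event(text)
    code = int(ev.get("substatus") or ev.get("status") or "0", 16)
    name = ev.get("accountname", "")
    is_mab = bool(MAC_NAME.fullmatch(name))
    if code == 0xC0000064:
        hint = "name not found: compare the submitted name with the AD account name/UPN"
    elif code == 0xC000006A:
        hint = "name resolved, password rejected"
        if is_mab:  # assumption: PAP MAC bypass sends the MAC as the password too
            hint += "; compare the stored password with the MAC string as sent (case, delimiters)"
    else:
        hint = "check the account state named by the status code"
    return {"account": name, "mab": is_mab,
            "code": NTSTATUS.get(code, hex(code)), "hint": hint}

if __name__ == "__main__":
    for sample in (SAMPLE_MAB, SAMPLE_NO_USER):
        print(triage(sample))
```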

1 REPLY

Danny
Moderator

Thanks for joining the conversation, stefanlog!

While our forum community members are welcome to chime in, Canon does not provide direct support for imageRUNNER series products. Instead, your dealer will be able to help you! If you don't have a dealer and you're in the United States, please call us at 1-800-OK-CANON (1-800-652-2666) and we will be happy to provide you with the names of dealers in your area.

If you're outside the USA, visit http://global.canon and choose your country or region from the map for local support.

We hope this helps!
