Zebra Mobile Printer, Microsoft IAS, Cisco Controller TLS and WPA-TLS, Zebra Setup

Utility

This section of the document illustrates the Microsoft Internet Authentication Service and how TLS and

WPA-TLS was configured on this server.

This document is meant as an illustration only. Questions on the setup of IAS should be directed to

Microsoft. It should be Microsoft that is used to determine if the illustration below is appropriate for

your environment.

It is important to note that the setup on the IAS server did not differ when using WPA-TLS or TLS.

The first series of screenshots shows how a Radius client is added to IAS. In the screenshot below a

Cisco controller with the IP address of 10.3.50.50 is added. The IAS server needs to have a client in

the clients table to ensure that authentication requests are only being received from valid clients.

A secret key is entered on the IAS server. This secret key needs to match the secret key on the radius

client ( in this example the Cisco controller).

A Remote access policy is included in the IAS server. The following screenshots illustrate how a remote policy is added.

In the next few screenshots I have illustrated how a policy can be added.

The example that is provided illustrates TLS and WPA-TLS

The next series of screenshots shows how one is able to add a user in the active directory. The

username and password that is added in the active directory is the same username and password that is

added on the printer.

The following screenshot shows how the properties of the user is modified to grant dial-in permission.

The event log on the IAS server can be used for troubleshooting purposes.

There are three certificates needed for TLS authentication. These certificates are obtained from the IAS server and will be placed onto the printer. In this illustration, I am using a web browser on the

IAS server to obtain these certificates.

Below is how I obtained the root certificate.

This is how I obtained the client(user certificate and corresponding private key.

In my example I am not using a private key password

You should now have three certificate files. The root certificate, the client or user certificate and the

private key for the client.

Example below.

The printer requires certificates to be in the PEM format.

The certificates shown above need to be converted into the PEM format.

This is an example of PEM format

-----BEGIN CERTIFICATE-----

MIIEdDCCA1ygAwIBAgIQXkycNtooCY9Dan4qroszcDANBgkqhkiG9w0BAQUFADAw

MSAwHgYKCZImiZPyLGQBGRYQMjAwM1NlcnZlckRvbWFpbjEMMAoGA1UEAxMDSUFT

MB4XDTA5MDkwMjIwMjUwMloXDTE0MDkwMjIwMjUwMlowMDEgMB4GCgmSJomT8ixk

ARkWEDIwMDNTZXJ2ZXJEb21haW4xDDAKBgNVBAMTA0lBUzCCASIwDQYJKoZIhvcN

AQEBBQADggEPADCCAQoCggEBAI87TCa3RHsp/yeJfOp8hrYDnj3EOcdyz58CfSbL qdepYQu1xrRBDJFckb+5frjVJeUDI0/E3r2/YmnFv7sJT5ly6BhVjgfDLUumm2iR

CJ+YIWX0CiPe1YQbp4mrnmHX6cr+RwEOU25tB+X4VyRnCRkAAsbszvHw7S7BDL2P

9ILtYPBt5f2slXWqbJwlUnpDmkm4JFHkex4x4ekWdaQBr+VwhZi8Hi2TouBtJVfj

jMUR0J8Ngzdu0FngQh/JC+aIy8MOisjaWOhWHfJpMrjPi//T+x3MY4cpUHgScNPo

kNudV+H2aqeSep+xlXEIBeWOfkWrtSGDKliFgjzPOxS7USMCAwEAAaOCAYgwggGE

MAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSV3+v3e3V2

bWCqR2KDj/NqfRtU8jCCAQoGA1UdHwSCAQEwgf4wgfuggfiggfWGgbVsZGFwOi8v

L0NOPUlBUyg0KSxDTj1MYWIyMDAzU2VydmVyLENOPUNEUCxDTj1QdWJsaWMlMjBL

ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPTIw

MDNTZXJ2ZXJEb21haW4/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29i

amVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50hjtodHRwOi8vbGFiMjAwM3Nl cnZlci4yMDAzc2VydmVyZG9tYWluL0NlcnRFbnJvbGwvSUFTKDQpLmNybDASBgkr

BgEEAYI3FQEEBQIDBAAEMCMGCSsGAQQBgjcVAgQWBBQ+SW/Qioe4qllHBvPIxmKu

cpyBLjANBgkqhkiG9w0BAQUFAAOCAQEAZFfDSgOPMajsDcgUjCaQaRuXI3HOmb4A

W8yZgSAq1ecYuN4wSy1daOSkoI6GJJYhZENqmdklAPlzzBZ2ezbKHfR1NJvXKCOu

Byi4jZZlpWwduWhIQf9P+9bahKSQg0RHPyNu3se8zxTdWfTv738cKBnuFOJaz6Z8

Gr3qtDzfmWnywAG3rp2/LNEdq0nTgiI76ugG148DjtAukjsruVQf7/QBCUwJuJEU

mLGsJvhNypbdmj8OJm2/6Nln3bIJ2oHHQXJFyRXF8Jiz4tyi+BB26/USeThjea+d

f8vNk5ll27wAtr3fTCz3kupehAgDfUtE3y/Bh/eeNkkQuIXojU1AQQ==

-----END CERTIFICATE-----

This is an example of the private key in PEM format.

-----BEGIN RSA PRIVATE KEY-----

MIICXgIBAAKBgQDDu0oOlA3LtI26ubm9dc0OYLJ+bs+rzfvYI4r5iE2nbdy/Q4ZJ

PQMHuiuhv91Dl8KM6D24HLOltxnIMbPGLI6AQgAAGne9GJlwjZ4xvpk3whJYVrWw

keGFLSxT79Vx74cYuMSK2Yn0KSgDYb4RImlXXYk6XXBr0/NsQPK0yZ7iRwIDAQAB

AoGBAKjU2nJsvuGhYkdYgKCuBiyKuCxaxQM68CtlrTDEo8bx+uF4C1MNL5nwukYR

S3hMZWJJyUMQbt1YbQLD7H/aWydAmt+oMbAMRpzyVvjhf+vN36s2XsjfD/Hx02MP

X+xSuoKuVWv2x5AbQO/xGrmPyp+Pbgv2rUrRa0IB+V5ZmZnBAkEA4F+ui2pkNWsn ntIBGuR9ji5abbCB1PhZ9g98xu8IjAe/K9efwmW0QgpGsNbS2JQDGG6tg+twFGdA

TzWRNOKHlwJBAN9SFPPhENaLCJPYoQSvqJQUbKt3y4bYVgnZHcG3eEsz0zO/mFWc

XtRIGdfvwQaelOtnUjzX6a9hVYB9vyIJUNECQQCehvvrxN/IXk1ACWB+f7G2I0oA

9hTFRDNLhuXCKGEBjvejIlXeI72Ya2pGx4FxRCJrwMcXzeECiXEGhfJySxtBAkAe

pAR78cV9qlXi8zYkjnVy29qNLEKgnc4wS7npemLm7pVr5D3igTIBrmLdXef+IIQO

SH7gGj/V8GTq3FX9NYoBAkEAmnH326NyghQVwg1JFUHN6U2a49UM94k7HS689xM+

eMetCG2r85lYjG/meiEHGPMjjvw35P9DZ0Ocf7WL/muXGg==

-----END RSA PRIVATE KEY-----

The tools that I will illustrate the conversion are openssl.exe ( http://www.openssl.org ) and pvk.exe (http://www.drh-consultancy.demon.co.uk/pvk.html)

http://www.openssl.org/http://www.drh-consultancy.demon.co.uk/pvk.html

CA (root certificate example below)

C:\openssl_pvkfiles\openssl.exe x509 -inform der -in C:\Zebra_TLS_certs\certnew.cer -out C:\Zebra_TLS_certs\ROOTCERT.pem

Client (user certificate below).

C:\openssl_pvkfiles\openssl.exe x509 -inform der -in C:\Zebra_TLS_certs\ZEBRA_TLS_CLIENT.cer

-out C:\Zebra_TLS_certs\CLIENTCERT.pem

Below is an example of how I converted the private key.

The three files ending in .pem extension here need to be placed onto the printer. (Later in this

illustration)

The Event Viewer on the IAS server can be used for troubleshooting purposes. In the screenshots

below the event viewer is showing a successful authentication.

Additional screenshots from IAS server used in testing. Please consult with Microsoft to see if these

settings would be appropriate for your environment.

This section of the document illustrates a Cisco Wireless controller.

This document is meant as an illustration only. Questions on the setup of your Cisco controller should

be directed to Cisco. It should be Cisco that is used to determine if the illustration below is

appropriate for your environment

This illustration shows how the Cisco Controller was configured for TLS initially and then WPA-TLS.

With TLS or WPA-TLS the authentication request is forwarded to a Radius server.

The following screenshots illustrate how a radius server can be added.

The example below shows an entry of a radius server with an IP address of 10.3.50.38 and utilizing the

port number of 1812. 1645 and 1812 are common port numbers used with the RADIUS protocol. A

secret key is also entered. This secret key needs to match the secret key that is entered on the

RADIUS server.

The first step illustrated here is how an ESSID is created.

In this example the ESSID is “ZebraTLS1” Please note that ESSID’s are case sensitive.

This screenshot shows how to configure 802.1x (TLS)

The next screen is showing where the controller is passing the authentication packets to.

The screenshots below show the advanced eap settings used in the illustration.

Please consult with Cisco to determine the appropriate values for your environment.

The screenshots below show what a successful TLS connection appears on the controller.

The next screenshots show how the controller was set for WPA-TLS. In this example that I have

enabled both wpa and wpa2 as shown below.

With WPA-TLS, the authentication is often done by an external radius server.

In this example I have entered the ip address for the radius server as shown below.

Below is an example of what the controller shows for a successful WPA-TLS authentication.

This section of the document illustrates how to configure the printer for TLS and will continue by

illustrating how to configure the printer for WPA-TLS. The illustration will use the Zebra Setup

Utility as the method for configuring the printer. Please ensure that you are using the most current version of the Zebra Setup Utility before continuing. The most current version of the Zebra Setup

Utility can be downloaded at www.zebra.com.

http://www.zebra.com/

There are three certificate files needed for TLS . These files need to be stored on the printer with

specific names.

CACERTSV.NRD for the CA root certificate

CERTCLN.NRD for the user/client certificate PRIVKEY.NRD for the user/client private key certificate.

In my illustration, I have created three files or certificates that are now in the PEM format. THESE ARE THE THREE CERTIFICATES THAT CAN BE STORED.

ROOTCERTIFICATE.PEM = CACERTSV.NRD PRIVATEKEY.PEM = PRIVKEY.NRD CLIENTCERT.PEM = CERTCLN.NRD

The files that were created earlier in this illustration were renamed CACERTSV.NRD (Rootcertificate.pem), PRIVKEY.NRD (PRIVATEKEY.PEM) and

CERTCLN.NRD(CLIENTCERT.PEM)

‘The screenshots below illustrate how the Zebra Setup Utility to configure the printer for both EAP-TLS and WPA-EAP-TLS

In this illustration I am configuring the printer for DHCP.

In this example I have chosen the following radio information. Please note that this screen is only available on

select printers. It may not be applicable for other printers.

One needs to set the printer to match the ESSID that was previously configured on the Cisco controller.

(NPS_TLS)

The screenshot below illustrates EAP-TLS

The screenshot below illustrates WPA-EAP-TLS

Click Next