Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Zebra Mobile Printer, Microsoft IAS, Cisco Controller TLS and WPA-TLS, Zebra Setup
Utility
This section of the document illustrates the Microsoft Internet Authentication Service and how TLS and
WPA-TLS was configured on this server.
This document is meant as an illustration only. Questions on the setup of IAS should be directed to
Microsoft. It should be Microsoft that is used to determine if the illustration below is appropriate for
your environment.
It is important to note that the setup on the IAS server did not differ when using WPA-TLS or TLS.
The first series of screenshots shows how a Radius client is added to IAS. In the screenshot below a
Cisco controller with the IP address of 10.3.50.50 is added. The IAS server needs to have a client in
the clients table to ensure that authentication requests are only being received from valid clients.
A secret key is entered on the IAS server. This secret key needs to match the secret key on the radius
client ( in this example the Cisco controller).
A Remote access policy is included in the IAS server. The following screenshots illustrate how a remote policy is added.
In the next few screenshots I have illustrated how a policy can be added.
The example that is provided illustrates TLS and WPA-TLS
The next series of screenshots shows how one is able to add a user in the active directory. The
username and password that is added in the active directory is the same username and password that is
added on the printer.
The following screenshot shows how the properties of the user is modified to grant dial-in permission.
The event log on the IAS server can be used for troubleshooting purposes.
There are three certificates needed for TLS authentication. These certificates are obtained from the IAS server and will be placed onto the printer. In this illustration, I am using a web browser on the
IAS server to obtain these certificates.
Below is how I obtained the root certificate.
This is how I obtained the client(user certificate and corresponding private key.
In my example I am not using a private key password
You should now have three certificate files. The root certificate, the client or user certificate and the
private key for the client.
Example below.
The printer requires certificates to be in the PEM format.
The certificates shown above need to be converted into the PEM format.
This is an example of PEM format
-----BEGIN CERTIFICATE-----
MIIEdDCCA1ygAwIBAgIQXkycNtooCY9Dan4qroszcDANBgkqhkiG9w0BAQUFADAw
MSAwHgYKCZImiZPyLGQBGRYQMjAwM1NlcnZlckRvbWFpbjEMMAoGA1UEAxMDSUFT
MB4XDTA5MDkwMjIwMjUwMloXDTE0MDkwMjIwMjUwMlowMDEgMB4GCgmSJomT8ixk
ARkWEDIwMDNTZXJ2ZXJEb21haW4xDDAKBgNVBAMTA0lBUzCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAI87TCa3RHsp/yeJfOp8hrYDnj3EOcdyz58CfSbL qdepYQu1xrRBDJFckb+5frjVJeUDI0/E3r2/YmnFv7sJT5ly6BhVjgfDLUumm2iR
CJ+YIWX0CiPe1YQbp4mrnmHX6cr+RwEOU25tB+X4VyRnCRkAAsbszvHw7S7BDL2P
9ILtYPBt5f2slXWqbJwlUnpDmkm4JFHkex4x4ekWdaQBr+VwhZi8Hi2TouBtJVfj
jMUR0J8Ngzdu0FngQh/JC+aIy8MOisjaWOhWHfJpMrjPi//T+x3MY4cpUHgScNPo
kNudV+H2aqeSep+xlXEIBeWOfkWrtSGDKliFgjzPOxS7USMCAwEAAaOCAYgwggGE
MAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSV3+v3e3V2
bWCqR2KDj/NqfRtU8jCCAQoGA1UdHwSCAQEwgf4wgfuggfiggfWGgbVsZGFwOi8v
L0NOPUlBUyg0KSxDTj1MYWIyMDAzU2VydmVyLENOPUNEUCxDTj1QdWJsaWMlMjBL
ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPTIw
MDNTZXJ2ZXJEb21haW4/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29i
amVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50hjtodHRwOi8vbGFiMjAwM3Nl cnZlci4yMDAzc2VydmVyZG9tYWluL0NlcnRFbnJvbGwvSUFTKDQpLmNybDASBgkr
BgEEAYI3FQEEBQIDBAAEMCMGCSsGAQQBgjcVAgQWBBQ+SW/Qioe4qllHBvPIxmKu
cpyBLjANBgkqhkiG9w0BAQUFAAOCAQEAZFfDSgOPMajsDcgUjCaQaRuXI3HOmb4A
W8yZgSAq1ecYuN4wSy1daOSkoI6GJJYhZENqmdklAPlzzBZ2ezbKHfR1NJvXKCOu
Byi4jZZlpWwduWhIQf9P+9bahKSQg0RHPyNu3se8zxTdWfTv738cKBnuFOJaz6Z8
Gr3qtDzfmWnywAG3rp2/LNEdq0nTgiI76ugG148DjtAukjsruVQf7/QBCUwJuJEU
mLGsJvhNypbdmj8OJm2/6Nln3bIJ2oHHQXJFyRXF8Jiz4tyi+BB26/USeThjea+d
f8vNk5ll27wAtr3fTCz3kupehAgDfUtE3y/Bh/eeNkkQuIXojU1AQQ==
-----END CERTIFICATE-----
This is an example of the private key in PEM format.
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDDu0oOlA3LtI26ubm9dc0OYLJ+bs+rzfvYI4r5iE2nbdy/Q4ZJ
PQMHuiuhv91Dl8KM6D24HLOltxnIMbPGLI6AQgAAGne9GJlwjZ4xvpk3whJYVrWw
keGFLSxT79Vx74cYuMSK2Yn0KSgDYb4RImlXXYk6XXBr0/NsQPK0yZ7iRwIDAQAB
AoGBAKjU2nJsvuGhYkdYgKCuBiyKuCxaxQM68CtlrTDEo8bx+uF4C1MNL5nwukYR
S3hMZWJJyUMQbt1YbQLD7H/aWydAmt+oMbAMRpzyVvjhf+vN36s2XsjfD/Hx02MP
X+xSuoKuVWv2x5AbQO/xGrmPyp+Pbgv2rUrRa0IB+V5ZmZnBAkEA4F+ui2pkNWsn ntIBGuR9ji5abbCB1PhZ9g98xu8IjAe/K9efwmW0QgpGsNbS2JQDGG6tg+twFGdA
TzWRNOKHlwJBAN9SFPPhENaLCJPYoQSvqJQUbKt3y4bYVgnZHcG3eEsz0zO/mFWc
XtRIGdfvwQaelOtnUjzX6a9hVYB9vyIJUNECQQCehvvrxN/IXk1ACWB+f7G2I0oA
9hTFRDNLhuXCKGEBjvejIlXeI72Ya2pGx4FxRCJrwMcXzeECiXEGhfJySxtBAkAe
pAR78cV9qlXi8zYkjnVy29qNLEKgnc4wS7npemLm7pVr5D3igTIBrmLdXef+IIQO
SH7gGj/V8GTq3FX9NYoBAkEAmnH326NyghQVwg1JFUHN6U2a49UM94k7HS689xM+
eMetCG2r85lYjG/meiEHGPMjjvw35P9DZ0Ocf7WL/muXGg==
-----END RSA PRIVATE KEY-----
The tools that I will illustrate the conversion are openssl.exe ( http://www.openssl.org ) and pvk.exe (http://www.drh-consultancy.demon.co.uk/pvk.html)
http://www.openssl.org/http://www.drh-consultancy.demon.co.uk/pvk.html
CA (root certificate example below)
C:\openssl_pvkfiles\openssl.exe x509 -inform der -in C:\Zebra_TLS_certs\certnew.cer -out C:\Zebra_TLS_certs\ROOTCERT.pem
Client (user certificate below).
C:\openssl_pvkfiles\openssl.exe x509 -inform der -in C:\Zebra_TLS_certs\ZEBRA_TLS_CLIENT.cer
-out C:\Zebra_TLS_certs\CLIENTCERT.pem
Below is an example of how I converted the private key.
The three files ending in .pem extension here need to be placed onto the printer. (Later in this
illustration)
The Event Viewer on the IAS server can be used for troubleshooting purposes. In the screenshots
below the event viewer is showing a successful authentication.
Additional screenshots from IAS server used in testing. Please consult with Microsoft to see if these
settings would be appropriate for your environment.
This section of the document illustrates a Cisco Wireless controller.
This document is meant as an illustration only. Questions on the setup of your Cisco controller should
be directed to Cisco. It should be Cisco that is used to determine if the illustration below is
appropriate for your environment
This illustration shows how the Cisco Controller was configured for TLS initially and then WPA-TLS.
With TLS or WPA-TLS the authentication request is forwarded to a Radius server.
The following screenshots illustrate how a radius server can be added.
The example below shows an entry of a radius server with an IP address of 10.3.50.38 and utilizing the
port number of 1812. 1645 and 1812 are common port numbers used with the RADIUS protocol. A
secret key is also entered. This secret key needs to match the secret key that is entered on the
RADIUS server.
The first step illustrated here is how an ESSID is created.
In this example the ESSID is “ZebraTLS1” Please note that ESSID’s are case sensitive.
This screenshot shows how to configure 802.1x (TLS)
The next screen is showing where the controller is passing the authentication packets to.
The screenshots below show the advanced eap settings used in the illustration.
Please consult with Cisco to determine the appropriate values for your environment.
The screenshots below show what a successful TLS connection appears on the controller.
The next screenshots show how the controller was set for WPA-TLS. In this example that I have
enabled both wpa and wpa2 as shown below.
With WPA-TLS, the authentication is often done by an external radius server.
In this example I have entered the ip address for the radius server as shown below.
Below is an example of what the controller shows for a successful WPA-TLS authentication.
This section of the document illustrates how to configure the printer for TLS and will continue by
illustrating how to configure the printer for WPA-TLS. The illustration will use the Zebra Setup
Utility as the method for configuring the printer. Please ensure that you are using the most current version of the Zebra Setup Utility before continuing. The most current version of the Zebra Setup
Utility can be downloaded at www.zebra.com.
http://www.zebra.com/
There are three certificate files needed for TLS . These files need to be stored on the printer with
specific names.
CACERTSV.NRD for the CA root certificate
CERTCLN.NRD for the user/client certificate PRIVKEY.NRD for the user/client private key certificate.
In my illustration, I have created three files or certificates that are now in the PEM format. THESE ARE THE THREE CERTIFICATES THAT CAN BE STORED.
ROOTCERTIFICATE.PEM = CACERTSV.NRD PRIVATEKEY.PEM = PRIVKEY.NRD CLIENTCERT.PEM = CERTCLN.NRD
The files that were created earlier in this illustration were renamed CACERTSV.NRD (Rootcertificate.pem), PRIVKEY.NRD (PRIVATEKEY.PEM) and
CERTCLN.NRD(CLIENTCERT.PEM)
‘The screenshots below illustrate how the Zebra Setup Utility to configure the printer for both EAP-TLS and WPA-EAP-TLS
In this illustration I am configuring the printer for DHCP.
In this example I have chosen the following radio information. Please note that this screen is only available on
select printers. It may not be applicable for other printers.
One needs to set the printer to match the ESSID that was previously configured on the Cisco controller.
(NPS_TLS)
The screenshot below illustrates EAP-TLS
The screenshot below illustrates WPA-EAP-TLS
Click Next