Installation Guide. MobileLAN secure 802.1x Security Solution


Intermec Technologies Corporation Corporate Headquarters th Ave. W. Everett, WA U.S.A.

The information contained herein is proprietary and is provided solely for the purpose of allowing customers to operate and service Intermec-manufactured equipment and is not to be released, reproduced, or used for any other purpose without written permission of Intermec.

Information and specifications contained in this document are subject to change without prior notice and do not represent a commitment on the part of Intermec Technologies Corporation by Intermec Technologies Corporation. All rights reserved.

The word Intermec, the Intermec logo, Norand, ArciTech, CrossBar, Data Collection Browser, dcbrowser, Duratherm, EasyCoder, EasyLAN, Enterprise Wireless LAN, EZBuilder, Fingerprint, i-gistics, INCA (under license), InterDriver, Intermec Printer Network Manager, IRL, JANUS, LabelShop, Mobile Framework, MobileLAN, Nor*Ware, Pen*Key, Precision Print, PrintSet, RoutePower, TE 2000, Trakker Antares, UAP, Universal Access Point, and Virtual Wedge are either trademarks or registered trademarks of Intermec Technologies Corporation.

Wi-Fi is a registered certification mark of the Wi-Fi Alliance.

Microsoft, Windows, and the Windows logo are registered trademarks of Microsoft Corporation in the United States and/or other countries.

Throughout this manual, trademarked names may be used. Rather than put a trademark ( or ) symbol in every occurrence of a trademarked name, we state that we are using the names only in an editorial fashion, and to the benefit of the trademark owner, with no intention of infringement.

There are U.S. and foreign patents pending.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. ( This product includes cryptographic software written by Eric Young (EAY@cryptsoft.com).

Document Change Record

This page records changes to this document. The document was originally released as version 001.

Version  Date  Description of Change
/2003  Added information about using third-party certificates, the embedded authentication server (EAS) feature of the MobileLAN access points, the CK30 Handheld Computers, and the printers with EasyLAN Wireless.


Contents

Before You Begin
  Safety Summary
  Safety Icons
  Global Services and Support
  Warranty Information
  Web Support
  Telephone Support
  Who Should Read This Document?
  Related Documents

1 Understanding 802.1x Security
  About This Document
  About 802.1x Security
  Understanding the 802.1x Authentication Process
  Understanding Fast Roaming and Reauthentication (Trakker Antares Terminals Only)
  Understanding the Extensible Authentication Protocol (EAP)
  Understanding Dynamic WEP Key Rotation
  Why Using a Static WEP Key Does Not Work
  Why Using Dynamic WEP Key Rotation Works
  About the MobileLAN secure 802.1x Security Solution
  Getting Started

Installing Certificates
  About Certificates
  Preparing Certificates for Installation
  Using the MobileLAN secure Server Certificates
  Using Third-Party Server Certificates
  Importing the Certificates Into the Authentication Server
  Importing the Certificates Into the Odyssey Server
  Installing the Odyssey Server and Certificates
  Importing the Certificates Into the EAS
  How to Determine If You Need to Import a Certificate
  Importing Certificates
  Copying Root Certificates to End Devices
  Copying the Root Certificate to a 700 Series Mobile Computer
  Copying the Root Certificate to a Trakker Antares Terminal
  Copying the Root Certificate to a Printer With EasyLAN Wireless
  Copying Client Certificates to End Devices (EAP-TLS)
  Copying the Client Certificate to a CK30 Handheld Computer
  Copying the Client Certificate to a 700 Series Mobile Computer

Configuring the Authentication Server
  About the Authentication Servers
  Configuring the Odyssey Server
  Configuring the Certificate Trust Tree
  Defining the Authentication Protocol Order
  Adding the Authenticators
  Creating the Odyssey User Database (TTLS/PEAP)
  Creating the Odyssey User Database (TLS)
  Configuring the Embedded Authentication Server
  Enabling the EAS
  Adding the Authenticators to the EAS Database
  Creating the EAS Database (TTLS/PEAP/TLS)
  Using the Rejected List
  Exporting and Importing EAS Databases

Configuring the Authenticator
  Configuring the MobileLAN access Point
  Creating a Secure Spanning Tree

Configuring the Supplicants
  Configuring the CK30 Handheld Computer
  Configuring the CK30 for EAP-PEAP
  Configuring the CK30 for EAP-TLS
  Configuring the 700 Series Mobile Computer
  Configuring the 700 Series Mobile Computer for EAP-TTLS
  Configuring the 700 Series Mobile Computer for EAP-TLS
  Configuring the Trakker Antares Terminal
  Configuring the Printers With EasyLAN Wireless

Troubleshooting
  Increasing Security
  Troubleshooting
  Using the MobileLAN access Product
  Using the Trakker Antares Terminal
  Using the Printers With EasyLAN Wireless


Before You Begin

This section provides you with safety information, technical support information, and sources for additional product information.

Safety Summary

Your safety is extremely important. Read and follow all warnings and cautions in this document before handling and operating Intermec equipment. You can be seriously injured, and equipment and data can be damaged if you do not follow the safety warnings and cautions.

Do Not Repair or Adjust Alone
Do not repair or adjust energized equipment alone under any circumstances. Someone capable of providing first aid must always be present for your safety.

First Aid
Always obtain first aid or medical attention immediately after an injury. Never neglect an injury, no matter how slight it seems.

Resuscitation
Begin resuscitation immediately if someone is injured and stops breathing. Any delay could result in death. To work on or near high voltage, you should be familiar with approved industrial first aid methods.

Energized Equipment
Never work on energized equipment unless authorized by a responsible authority. Energized electrical equipment is dangerous. Electrical shock from energized equipment can cause death. If you must perform authorized emergency work on energized equipment, be sure that you comply strictly with approved safety regulations.

Safety Icons

This section explains how to identify and understand dangers, warnings, cautions, and notes that are in this document. You may also see icons that tell you when to follow ESD procedures and when to take special precautions for handling optical parts.

A caution alerts you to an operating procedure, practice, condition, or statement that must be strictly observed to prevent equipment damage or destruction, or corruption or loss of data.

Attention: A caution warns you of an operating procedure, method, condition, or statement that must be strictly observed to prevent damage to or destruction of the equipment, or the corruption or loss of data.

Note: Notes either provide extra information about a topic or contain special instructions for handling a particular condition or set of circumstances.

Global Services and Support

Warranty Information

To understand the warranty for your Intermec product, visit the Intermec web site at and click Service & Support > Service & Support. The Intermec Global Sales & Service page appears. From the Service & Support menu, move your pointer over Support, and then click Warranty.

Disclaimer of warranties: The sample code included in this document is presented for reference only. The code does not necessarily represent complete, tested programs. The code is provided as is with all faults. All warranties are expressly disclaimed, including the implied warranties of merchantability and fitness for a particular purpose.

Web Support

Visit the Intermec web site at to download our current documents in PDF format. To order printed versions of the Intermec manuals, contact your local Intermec representative or distributor.

Visit the Intermec technical knowledge base (Knowledge Central) at to review technical information or to request technical support for your Intermec product.

Telephone Support

These services are available from Intermec Technologies Corporation.

Service: Description
- Factory Repair and On-site Repair: Request a return authorization number for authorized service center repair, or request an onsite repair technician.
- Technical Support: Get technical support on your Intermec product.
- Service Contract Status: Inquire about an existing contract, renew a contract, or ask invoicing questions.
- Schedule Site Surveys or Installations: Schedule a site survey, or request a product or system installation.
- Ordering Products: Talk to sales administration, place an order, or check the status of your order.

In the U.S.A. and Canada call and choose this option

Outside the U.S.A. and Canada, contact your local Intermec representative.

Who Should Read This Document?

This guide explains how to install and configure Intermec's MobileLAN secure 802.1x security solution. It is designed to be used by the person who is implementing a MobileLAN secure 802.1x security solution. Before you install and configure the 802.1x security solution, you should be familiar with your Intermec products, your network, and general networking terms, such as IP address.

Related Documents

This table contains a list of related Intermec documents and their part numbers.

Document Title  Part Number
- MobileLAN access System Manual
- CK30 Handheld Computer User's Manual
- Series Color Mobile Computer User's Manual
- Series Monochrome Mobile Computer User's Manual
- Trakker Antares 2400 Family System Manual
- EasyLAN Wireless User's Manual

The Intermec web site at contains our current documents that you can download in PDF format. To order printed versions of the Intermec manuals, contact your local Intermec representative or distributor.

1 Understanding 802.1x Security

This chapter provides an overview of how 802.1x security works and explains Intermec's MobileLAN secure 802.1x security solution. This chapter covers these topics:

- How this document is organized
- How 802.1x security works
- How the MobileLAN secure 802.1x security solution works
- What you need to get started installing your MobileLAN secure 802.1x security solution

About This Document

This document explains Intermec's MobileLAN secure 802.1x security solution and provides step-by-step instructions on how to install and configure your 802.1x-enabled network.

About 802.1x Security

The IEEE Working Group requires the use of the 802.1x standard for authentication. The 802.1x standard was originally designed as an authentication protocol between wired devices. With minor changes, it was extended so that it can be used for LANs. The 802.1x standard provides strong centralized authentication and some encryption using dynamic WEP key management.

Understanding the 802.1x Authentication Process

802.1x authentication has three main components: a supplicant (wireless end device), an authenticator (access point), and an authentication server. The authentication server is usually a Remote Authentication Dial-In User Service (RADIUS) server, although RADIUS is not specifically required by the standard.

The authentication process uses the authentication server and authenticators to manage the wireless end device authentication and wireless connection attributes. The process starts with a supplicant requesting permission to communicate with the network. The authenticator forces the supplicant into an unauthorized state. From this unauthorized state, the supplicant can only communicate using Extensible Authentication Protocol over LAN (EAPoL).

Next, the authenticator requests an ID from the supplicant, and then forwards the ID to an authentication server. The authentication server and the supplicant negotiate an EAP authentication type and credentials. When the authentication server is done with the authentication, it sends an accept/reject message back to the authenticator. If accepted, the authenticator changes the supplicant's state to authorized and sends it a WEP key, enabling it to communicate with the network.

How 802.1x Security Works: Successful Authentication

Step 1. Supplicant (wireless end device): Tries to associate with an authenticator.
  More information: End device is turned on and within range of an access point.
Step 2. Authenticator (access point): Responds to supplicant association request.
Step 3. Supplicant: Sends an EAPoL-start message to authenticator.
  More information: EAPoL is the transport protocol that negotiates the EAP authentication type and WEP key.
Step 4. Authenticator: Sends EAPoL-request for identity.
Step 5. Supplicant: Sends an EAPoL-identity response.
  More information: The supplicant can now communicate through the authenticator to the authentication server.
Step 6. Authentication RADIUS server: Recommends an EAP authentication type (TLS/TTLS/PEAP).
  More information: The authenticator translates the EAP-TLS, EAP-TTLS, or EAP-PEAP frames into RADIUS frames.
Step 7. Supplicant: Sends an ACK for EAP authentication type or NAK and another EAP authentication type.
  More information: Steps 6 and 7 are repeated until the authentication server is satisfied with the authentication.
Step 8. Authentication RADIUS server: Sends an accept message.
  More information: This message contains an EAPoL-success and the session keys negotiated between the authentication server and the supplicant.
Step 9. Authenticator: Forwards EAPoL-success message to the supplicant.
Step 10. Authenticator: Sends EAPoL-key message to supplicant.
  More information: The authenticator forwards the WEP keys to the supplicant.
Step 11. Supplicant: Begins using the WEP key to communicate with the network.

If in Step 8, the authenticator receives a RADIUS-reject message from the authentication server, the authenticator logs the information to security events log. You may need to periodically review this log, and then approve or add any valid supplicants. For help, see Chapter 6, Troubleshooting.

[Figure: Successful authentication. Diagram of the supplicant, authenticator, and authentication server with these labels: Steps 1-4, uses EAPoL to establish supplicant identity; Step 5, provides supplicant identity; Steps 6-9, negotiates EAP authentication type; Step 10, authentication server provides WEP key; Step 11, supplicant begins communicating with network; authorizes supplicant to communicate with network.]

Successful authentication: This illustration shows how 802.1x security works when the authentication of the supplicant is successful. The tables on the previous pages explain this process in more detail.

Understanding Fast Roaming and Reauthentication (Trakker Antares Terminals Only)

When configured to use 802.1x authentication, Intermec's MobileLAN access points use secure Inter Access Point Protocol (IAPP) to communicate with each other. Secure IAPP also allows the root access point to distribute security credentials to all access points in the spanning tree.

Since Trakker Antares terminals typically take longer to authenticate than other end devices, the authenticators use the fast roaming feature to reauthenticate the supplicants when they roam to another authenticator. Using fast roaming, when the supplicant tries to reassociate with the authenticator, the root access point transfers the supplicant's security credentials to the new authenticator. Then, the new authenticator sends the supplicant a WEP key.

How Fast Roaming Works: Successful Reauthentication

Step 1. Supplicant (wireless end device): Tries to reassociate with the new authenticator.
  More information: Fast roaming will only occur if the supplicant reassociates. If the supplicant associates, the authenticator assumes this is a first-time connection and that the supplicant does not hold the appropriate credentials.
Step 2. Authenticator (access point): Responds to supplicant association request.
Step 3. Supplicant: Sends an EAPoL-start message to authenticator.
  More information: When the start is received, the authenticator uses IAPP to obtain the supplicant's credentials.
Step 4. Authenticator: Sends EAPoL-request for identity.
Step 5. Supplicant: Sends an EAPoL-identity response.
Step 6. Authenticator: Sends EAPoL-success message and EAPoL-key message to supplicant.
  More information: Using the credentials obtained from the IAPP, the authenticator accepts the supplicant.
Step 7. Supplicant: Begins using the WEP key to communicate with the network.

[Figure: Successful reauthentication. Diagram of a supplicant roaming to a new authenticator with these labels: Steps 1-3, uses EAPoL to associate with authenticator; Step 4, uses IAPP to obtain supplicant's credentials; Steps 5-6, authorizes supplicant to communicate with network and provides WEP key; Step 7, supplicant begins communicating with network.]

Successful reauthentication: This illustration shows how 802.1x security works when the authentication of the supplicant is successful. The tables on the previous pages explain this process in more detail.
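The authenticator behaviour from the two step tables above, as a simplified Python model added here as an example (it is not Intermec code). It shows the EAPoL-only gate on an unauthorized supplicant, the reject entry in the security events log, and the difference between associating and reassociating. The class names, the password check standing in for the EAP negotiation, and the idea that the shared credential is the accepted identity are all assumptions.

```python
"""Simplified model of the authenticator behaviour described above (added example)."""
import hmac
import secrets


class AuthServer:
    """Stand-in for the RADIUS server; a password check replaces the EAP negotiation."""

    def __init__(self, users):
        self.users = dict(users)
        self.requests = 0  # how often an authenticator had to ask the server

    def authenticate(self, identity, password):
        self.requests += 1
        expected = self.users.get(identity)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())


class RootAccessPoint:
    """Keeps credentials of accepted supplicants; other access points fetch them over IAPP."""

    def __init__(self):
        self.credentials = {}  # supplicant MAC -> identity the server accepted (assumption)


class Authenticator:
    def __init__(self, name, server, root):
        self.name, self.server, self.root = name, server, root
        self.authorized = {}       # supplicant MAC -> current WEP key
        self.security_events = []  # rejects an administrator should review

    def connect(self, mac, identity, password, reassociate=False):
        """Run one exchange and return the EAPoL messages sent to the supplicant."""
        self.authorized.pop(mac, None)  # every exchange starts in the unauthorized state
        sent = ["EAPoL-request-identity"]
        # Fast roaming applies only to a reassociation; an association is treated as new.
        cached = self.root.credentials.get(mac) if reassociate else None
        if cached is not None and hmac.compare_digest(cached.encode(), identity.encode()):
            accepted = True  # credentials came from the root access point, no server round trip
        else:
            accepted = self.server.authenticate(identity, password)
        if not accepted:
            self.root.credentials.pop(mac, None)
            self.security_events.append((self.name, mac, identity, "reject"))
            return sent
        self.root.credentials[mac] = identity
        self.authorized[mac] = secrets.token_bytes(13)  # constructed 104-bit WEP key
        return sent + ["EAPoL-success", "EAPoL-key"]

    def forwards(self, mac, frame_type):
        """An unauthorized supplicant may only exchange EAPoL frames."""
        return frame_type == "EAPoL" or mac in self.authorized


def demo():
    server = AuthServer({"scanner01": "constructed-password"})  # constructed account
    root = RootAccessPoint()
    ap1 = Authenticator("ap1", server, root)
    ap2 = Authenticator("ap2", server, root)
    mac = "00:00:5e:00:53:01"  # constructed address
    blocked_before = ap1.forwards(mac, "data")
    first = ap1.connect(mac, "scanner01", "constructed-password")
    roam = ap2.connect(mac, "scanner01", "", reassociate=True)
    requests_after_roam = server.requests
    # A plain association is a first-time connection: full authentication, which fails here.
    associate = ap2.connect(mac, "scanner01", "")
    return {
        "blocked_before": blocked_before,
        "first": first,
        "roam": roam,
        "server_requests_after_roam": requests_after_roam,
        "associate_without_password": associate,
        "events": ap2.security_events,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```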

Understanding the Extensible Authentication Protocol (EAP)

The 802.1x standard is based upon an existing authentication protocol known as the Extensible Authentication Protocol (EAP). EAP provides a standard mechanism for support of different authentication methods. EAP authentication types provide devices with secure connections to the network. They also protect credentials and data privacy.

The authentication server supports the different EAP authentication types. The authentication type that is used depends on the supplicant. The most common authentication types are EAP-TTLS (Tunneled Transport Layer Security) and EAP-TLS (Transport Layer Security). EAP-PEAP (Protected EAP) is similar to EAP-TTLS.

Differences Between EAP-TTLS/EAP-PEAP and EAP-TLS

EAP-TTLS/EAP-PEAP
- Requires only one digital authentication server certificate on the authentication server.
- Server side authentication using a digital authentication server certificate.
- Relies on authentication by something the client knows, which is a user name and password. Intermec clients also provide client side authentication. They verify that the server certificate is properly signed by the root certificate authority. Also, they let you enter the server certificate common name and this name will be compared against the server's credentials.
- Requires maintenance of user names and passwords.
- An extension of TLS. Securely tunnels client authentication within TLS frames.
- Used on Intermec end devices and other end devices that support 802.1x security.
- Standards-based. TTLS is an authentication mechanism developed by Funk Software and Certicom. Can be used with legacy password protocols. PEAP is employed by Microsoft and Cisco Systems.
- Supports Microsoft Active Directory, NT domains, token systems, SQL, LDAP.

EAP-TLS
- Requires a certificate on the authentication server and one on the client.
- Server and client side authentication using digital authentication certificates.
- Relies on authentication by something the client has, which is a digital authentication certificate.
- Requires maintenance of client certificates within a public key infrastructure (PKI).
- Has multi-vendor support. Can run on Windows 98 clients or later. Windows XP and CE.NET clients are shipping with this functionality.
- Standards-based. The authentication mechanism employed by Microsoft and Cisco Systems. Designed for Microsoft operating systems.
- Supports the Microsoft Active Directory authentication database.

Understanding Dynamic WEP Key Rotation

The 802.1x standard provides for encryption using dynamic WEP key rotation. When a wireless end device is authorized to communicate with the network, the authenticator provides it with a WEP key. The end device uses this WEP key to communicate securely with the network. Periodically, the authenticator changes the WEP key and sends the new WEP key to all authorized end devices.

Why Using a Static WEP Key Does Not Work

The standard provides for optional WEP (Wired Equivalent Privacy) where all access points and end devices use the same encryption key. Using the RC4 algorithm, WEP encrypts each frame. Each frame header includes information about the WEP key that is being used, including a key number and an initialization vector (IV). Both the sending device and receiving device know how to decode the WEP key.

[Figure: How Static WEP Keys Work. A frame sent between supplicant and authenticator, made up of a header, the transmit key number and IV, the encrypted text, and a trailer.]

If you use a static WEP key, an attacker can decrypt the text by using:

- the WEP key information that is in the frame header.
- knowledge of the plain text. Because common network protocols are used over LANs, some information within the frames can be deduced. Having some of the plain text, and encrypted frames containing that plain text, is crucial to breaking the keys.
- a lot of frames. If your network has implemented WEP 128, there are billions of possible keys. Still, if sufficient numbers of frames are captured, high performance computers can be programmed to test each received message against different possible keys.

More intelligent WEP attacks use the information gained using a combination of these bulleted items. These attacks can break WEP within a few million packets and take only a few hours.

There is no effective (easy) method for network administrators to update a static WEP key. As a result, many companies either do not use WEP at all or they use the same WEP key for weeks, months, and even years. Both cases significantly heighten the LAN's vulnerability.

Why Using Dynamic WEP Key Rotation Works

The 802.1x standard offers an effective framework for dynamically (not manually) varying the WEP keys. The authenticator automatically creates new WEP keys at specified intervals and sends them to all authorized end devices. Since it takes a large number of captured packets to decrypt WEP keys, if you set the WEP key rotation interval to a shorter duration, you provide an effective deterrent for attackers.

Using dynamic WEP key rotation, the frames have the same structure as when using a static WEP key; however, the WEP key that encrypts the text periodically changes.

In dynamic WEP key rotation, when an end device initially is authorized to communicate with the network, the authenticator sends it both the current WEP key (Key 1) and the new WEP key (Key 2). The end device begins communicating using Key 2 and the access point continues to use Key 1. When the WEP key rotation interval is half over, the authenticator begins sending the new WEP key (Key 3) to the end devices. As the end devices receive Key 3, they use it. When the WEP key rotation interval is over, the access point is using Key 2 and the end devices are using Key 3.

Time: 0 min 0 sec
  Authenticator: As supplicants are authorized to communicate with the network, they are sent the current WEP key (for example, Key 1) and the new WEP key (for example, Key 2). Encrypts text using Key 1. (EAPoL-Key message, encrypted text)
  Supplicant: Receives both Key 1 and Key 2. Starts encrypting text using Key 2.
Time: 2 min 30 sec
  Authenticator: Creates a new WEP key and sends it to all supplicants. (EAPoL-Key message, encrypted text)
Time: 5 min
  Authenticator: Creates a new WEP key and sends it to all supplicants. (EAPoL-Key message, encrypted text)
Time: 7 min 30 sec
  Authenticator: Creates a new WEP key and sends it to all supplicants. (EAPoL-Key message, encrypted text)

Dynamic WEP key rotation: In this illustration, the WEP key rotation period is every 5 minutes.
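Why a repeated IV under a static key exposes plaintext, and how much same-key traffic a rotation interval allows, as an added Python example (not part of the Intermec guide). It covers both the static-key and the dynamic-rotation passages above. It assumes IVs are chosen uniformly at random, leaves out the CRC-32 integrity value WEP appends, and uses constructed keys, IVs, payloads and frame rates.

```python
"""Added example: keystream reuse under a static WEP key, and the effect of key rotation."""

IV_BITS = 24  # the WEP IV carried in the clear in each frame header is 24 bits long


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling, then `length` bytes of output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || key, so the keystream depends only on that pair."""
    return xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def recover_from_iv_reuse(known_plain: bytes, known_cipher: bytes,
                          other_cipher: bytes) -> bytes:
    """Two frames with the same IV and key share a keystream: one known plaintext
    yields the keystream, which then decrypts the other frame without the key."""
    return xor(other_cipher, xor(known_plain, known_cipher))


def expected_iv_collisions(frames_per_second: float, key_lifetime_seconds: float) -> float:
    """Expected number of frame pairs that share an IV while one key is in use
    (birthday estimate; assumes uniformly random IVs)."""
    n = frames_per_second * key_lifetime_seconds
    return n * (n - 1) / 2 / 2 ** IV_BITS


def demo():
    iv = bytes.fromhex("a1b2c3")                           # constructed IV
    key_1 = bytes.fromhex("0102030405060708090a0b0c0d")    # constructed 104-bit keys
    key_2 = bytes.fromhex("1112131415161718191a1b1c1d")
    known = b"HELLO SERVER 001"                            # payload the observer can deduce
    secret = b"BADGE PIN 482913"                           # payload the observer wants

    c_known = wep_encrypt(iv, key_1, known)
    # Static key: the IV eventually repeats while key_1 is still in use.
    static_result = recover_from_iv_reuse(known, c_known, wep_encrypt(iv, key_1, secret))
    # Rotated key: the same IV value now selects a different keystream.
    rotated_result = recover_from_iv_reuse(known, c_known, wep_encrypt(iv, key_2, secret))

    return {
        "static_key_leaks": static_result == secret,
        "rotated_key_leaks": rotated_result == secret,
        # 50 frames per second is a constructed traffic rate.
        "collisions_key_kept_30_days": expected_iv_collisions(50, 30 * 24 * 3600),
        "collisions_key_kept_5_minutes": expected_iv_collisions(50, 5 * 60),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Rotation does not make IV repeats impossible; it shrinks the number of frames, and so the number of repeats, that any one key is exposed to.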

About the MobileLAN secure 802.1x Security Solution

The MobileLAN secure 802.1x security solution provides an end-to-end 802.1x security solution. It secures the authentication and connection of wireless end devices, ensuring that only authorized wireless end devices can connect to your network, that connection credentials are not compromised, and that data privacy is maintained. It provides data encryption by dynamically rotating the WEP keys.

Understanding the MobileLAN secure 802.1x Security Solution Components

A trusted root certificate authority (CA)
  802.1x security solution: The CA issues digital authentication certificates. The authentication server, the authenticator, and the end devices (EAP-TLS) must all have certificates installed on them before they can communicate in the 802.1x-secure network.
  MobileLAN secure 802.1x security solution: Intermec can provide the service of acting as a certificate authority (CA) and can issue unique server and unique client certificates. Order one MobileLAN secure Server Certificate CD (P/N ) for each certificate you need. For more security, you can also use a third-party CA.

An authentication server (RADIUS server)
  802.1x security solution: Software that is installed on a PC, server, or access point in your network. The authentication server accepts or rejects requests from supplicants that want to communicate with the 802.1x-enabled network.
  MobileLAN secure 802.1x security solution: Intermec offers the Funk Odyssey RADIUS server. This installation guide explains how to install the certificate on your Odyssey server and configure the server. For more help installing and configuring the Odyssey server, see the documentation that shipped with your server. Many of Intermec's MobileLAN access points can function as an embedded authentication server (EAS). This installation guide explains how to configure the EAS. For more help installing and configuring the access point, see the MobileLAN access System Manual (P/N ).

Authenticators
  802.1x security solution: Access points that are installed in your network. The authenticator receives requests from supplicants that want to communicate with the network and forwards these requests to the authentication server. The authenticator also distributes WEP keys to supplicants that are communicating with it.
  MobileLAN secure 802.1x security solution: Intermec's MobileLAN access points can act as the authenticator. This installation guide explains how to configure the access point as an authenticator. For help installing and configuring the access point, see the MobileLAN access System Manual (P/N ).

Understanding the MobileLAN secure 802.1x Security Solution Components (continued)

Wireless end devices that are 802.1x-enabled
  802.1x security solution: These end devices have an b/g, b, or an a radio and a supplicant (EAP-TTLS, EAP-PEAP, or EAP-TLS) loaded on them. Supplicants request communication with the authenticator using a specific EAP authentication type.
  MobileLAN secure 802.1x security solution:
  - CK30 Handheld Computers with an b/g radio and the 802.1x/WPA security option that includes both EAP-TLS and EAP-PEAP supplicants.
  - 700 Series Mobile Computers that include an EAP-TLS or an EAP-TTLS supplicant. The MobileLAN secure solution does not support mobile computers running the EAP-LEAP supplicant.
  - Trakker Antares terminals with an b radio and the 802.1x security option that includes an EAP-TTLS supplicant. The MobileLAN secure solution does not support terminals running the EAP-LEAP supplicant.
  - Printers with the EasyLAN Wireless option that include both EAP-TLS and EAP-TTLS supplicants.
  For more information on the availability of other 802.1x-enabled end devices, contact your local Intermec representative.

Getting Started

This installation guide provides you with step-by-step instructions on how to implement the Intermec MobileLAN secure 802.1x security solution.

[Figure: Example: MobileLAN secure 802.1x Security Solution. A network with an authentication server, an authenticator (WAP), and end devices: a 2455, a printer with EasyLAN Wireless, a 700, and a CK.]

To use this guide, it is assumed that you are using these products:

- A Funk Odyssey server v1.1 or later. You also need a server certificate from either Intermec (MobileLAN secure Server Certificate CD, P/N ) or another third-party CA.
  Or, a MobileLAN access point (WA22, 2101B, WA21, 2100D, 2106) that can be configured as an embedded authentication RADIUS server (EAS). You may also need a server certificate. For help, see How to Determine If You Need to Import a Certificate on page 30.
- Any MobileLAN access point. The access point is the authenticator.
- CK30 Handheld Computers with an b/g radio and the 802.1x/WPA security option.
- 700 Series Mobile Computers with an b radio and the EAP-TLS or EAP-TTLS supplicant. The 710 must be running Pocket PC 2002 or later. The 750 or 760 must have operating system software build version 1.30 or later.
  If your 700 with an b radio did not come with the supplicant loaded on it, you can install the supplicant yourself. You need to order a license for each 700 and one security supplicant CD for your installation.
  If you have a 710, order these CDs:
  - 700 Series Mobile Computer Security License CD (P/N )
  - 700 Series Mobile Computer Security Supplicant CD (P/N )
  If you have a 750 or 760, order these CDs:
  - 700 Series Mobile Computer Security License CD (P/N )
  - 700 Series Color Mobile Computer Security Supplicant CD (P/N )
- Trakker Antares terminals (v7.14 or later) with an b radio and the 802.1x security option. If the terminal with an b radio did not come with the supplicant loaded on it and the terminal has the 4MB flash memory option, you can download new firmware and upgrade the terminal.
- Printers with EasyLAN Wireless (v3.99 or later)

2 Installing Certificates

This chapter explains how to import the certificates into your authentication server. This chapter covers these topics:

- About certificates
- Preparing the certificates for installation
- Importing the certificates into the authentication server
- Importing the trusted root CA certificates on wireless end devices

About Certificates

Digital server certificates provide identity (authentication) and provide keys for data privacy (encryption). Certificate authorities (CAs) verify that the identity information on the certificate is accurate and provide a signature showing that they checked the information and that the information has not been changed since the last time it was checked.

Intermec can provide the service of acting as a CA and can issue unique digital server certificates for the authentication servers. Intermec server certificates provide the same data privacy protection as any other certificates. However, Intermec is not and does not wish to be in the business of verifying identity and therefore does not vigorously check the identity of parties to which it issues certificates. Therefore, Intermec cannot guarantee that the identity information on a certificate is unique or accurate. Also, Intermec certificates are not recognized by standard third-party security software as being issued by a valid CA. For most people, this should pose no risk since all authentication information is encrypted.

An advantage of using Intermec server certificates is that if the Intermec wireless end devices are running EAP-TTLS or EAP-PEAP, you do not need to load a trusted root CA certificate on these end devices. The end devices recognize Intermec server certificates as being valid. If the end devices are running EAP-TLS, you need to load a unique client certificate.

For more security, you can use a third-party CA, such as VeriSign or Thawte Consulting. If you use a third-party CA, you need to obtain server certificates and a trusted root CA certificate. You need to load the root certificate on each device. The exact procedure for obtaining certificates and proving your identity varies greatly. Follow their instructions carefully.

The certificate format that you need varies between authentication servers.
For more information, see the documentation that shipped with your server.

Note: The Odyssey server can import server certificates in the .p12 format. The embedded authentication server (EAS) can import certificates in the PKCS12 (.P12/.PFX) or .pem format.

Preparing Certificates for Installation

On the authentication server, you need to install a unique digital server certificate, a passphrase, and a trusted root CA certificate. For help, see Importing Certificates Into the Authentication Server on page 20.

If you are using a third-party CA, you also need to install trusted root certificates on all authenticators and wireless end devices. For help, see Copying Root Certificates to End Devices on page 34.

If the end devices are using the EAP-TLS authentication type, you also need to install unique client certificates on each device. For help, see Copying Client Certificates to End Devices on page 41.

Note: The embedded authentication server (EAS) may already have Intermec certificates installed. To determine if you need to install a certificate, see How to Determine If You Need to Import a Certificate on page 30.

Before you import certificates into the authentication server, you need to have a unique digital server certificate, a passphrase, and a trusted root CA certificate. You can either use:

• MobileLAN secure server certificates (from Intermec)
• Third-party certificates

Using the MobileLAN secure Server Certificates

You need a unique digital server certificate for each authentication server. Each MobileLAN secure Server Certificate CD provides you with a unique digital server certificate (SERVER.P12 and SERVER.PEM) and a trusted root CA certificate (CACERT.CER). You need to follow these instructions to obtain a passphrase.

To prepare the MobileLAN secure certificate for installation

• Follow the instructions on the MobileLAN secure Server Certificate CD to obtain a passphrase.

Using Third-Party Server Certificates

You need a unique digital server certificate and passphrase for each authentication server. You also need a trusted root CA certificate.

To prepare the third-party certificate for installation

• Follow the instructions provided by the CA for obtaining certificates and proving your identity.

Importing the Certificates Into the Authentication Server

These instructions explain how to import the server certificate into the Funk Odyssey server and into the EAS. If you are using an Odyssey server, the next instructions explain how to import the certificate into the Odyssey server and then how to install it. If you are using an EAS, the instructions explain only how to import the certificate. After you import the certificate, no installation is necessary.

Importing the Certificates Into the Odyssey Server

Note: To import a server certificate into your Windows 2000/XP machine, you must have administrative privileges on the server. For help, contact your network administrator.

1 Add the Certificates snap-in to the Microsoft Management Console.
   a From the Start menu, choose Run. The Run dialog box appears.
   b In the Open field, type: MMC

   c Click OK. The Microsoft Management Console appears.
   d From the Console menu, choose Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.

   e Click Add. The Add Standalone Snap-in dialog box appears.
   f From the Snap-in list, choose Certificates > Add. The Certificates Snap-in dialog box appears.

   g Choose Computer Account > Next. The Select Computer dialog box appears.
   h Choose Local computer > Finish. You return to the Add Standalone Snap-in dialog box.
   i Click Close. You return to the Add/Remove Snap-ins dialog box.
   j Click OK. You return to the Microsoft Management Console. Verify that the Certificates snap-in is under the Console Root.
2 If you are using an Intermec certificate, insert the MobileLAN secure Server Certificate CD into your PC. If you are using a third-party certificate, know the locations of the CACERT.CER file and the SERVER.P12 file.
3 Import the certificate into the Local Machine certificate store.
   a In the Console Root tree, click Certificates.
   b Right-click the Trusted Root Certification Authorities folder.

   c Choose All Tasks > Import. The Certificate Import Wizard appears.
   d Click Next.
   e In the File name field, enter the location of the CACERT.CER file. For example, if this file is on the MobileLAN secure Server Certificate CD, you might type:
     D:\CACERT.CER
     Or, click Browse to browse to the file.

   f Click Next.
   g Verify that Place all certificates in the following store is selected and that the Certificate store is Trusted Root Certification Authorities.
   h Click Next.
   i Click Finish. A message box appears informing you that the import was successful.
   j Click OK. You return to the Microsoft Management Console.

4 Import the certificate into the Personal certificate store.
   a In the Console Root tree, click Certificates.
   b Right-click the Personal folder.
   c Choose All Tasks > Import. The Certificates Import Wizard appears.
   d Click Next.

   e In the File name field, enter the location of the SERVER.P12 file. For example, if this file is on the MobileLAN secure Server Certificate CD, you might type:
     D:\SERVER.P12
     Or, click Browse to browse to the file.
   f Click Next.
   g In the Password field, enter the passphrase you received for this certificate.
   h Click Next.

   i Verify that Place all certificates in the following store is selected and that the Certificate store is Personal.
   j Click Next.
   k Click Finish. A message box appears informing you that your import was successful.
   l Click OK. You return to the Microsoft Management Console.

Installing the Odyssey Server and Certificates

The Funk Odyssey server v1.1 or later runs as a snap-in to the Microsoft Management Console.

Note: To install the Odyssey Server, you must have administrative privileges on the server. For help, contact your network administrator.

To install the Odyssey server

1 Insert the Odyssey server CD into your PC. The installation wizard starts automatically.
2 Follow the instructions on the screen to complete the installation.

To install the server certificate

1 Open the Odyssey Server Administrator and click the Settings folder.
2 In the right pane, double-click TLS/TTLS Settings. The TLS Settings dialog box appears.

3 Click Browse. The Select Certificate dialog box appears.
4 Select the server certificate in the Issued To column. For example, if you are using Intermec certificates, it has the format *-ITC.
5 Click OK. You return to the TLS Settings dialog box.
6 Click OK.

Importing the Certificates Into the EAS

Before you import a server certificate into the EAS, read the next section to determine if you need to import one.

How to Determine If You Need to Import a Certificate

If your access point shipped from the factory with software release 1.80 or later preloaded on it, it has a unique digital server certificate (signed by Intermec) with a unique common name and passphrase. It also comes with an Intermec trusted root CA certificate that supports clients running the TLS authentication type. These certificates support the secure web browser interface and provide basic security for all authentication types. You do not need to import any certificates. For more security, you may choose to install certificates from a third-party CA and you will need to import their certificates.

Also, if you upgrade the access point to software release 1.80 or later, the software only installs a default server certificate (ValidforHTTPSOnly). You should install a unique server certificate. If the EAS needs to support supplicants running EAP-TLS, you also need to install a trusted root CA certificate.

You can view the Certificate Details screen to determine which certificates are installed on the access point.

To view the certificates

1 Log in to the access point whose EAS you are using.
2 From the main menu, click Security > Certificate Details. The Certificate Details screen appears.

The Server Certificate lists the server certificate that is installed and the CA Certificate lists the trusted CA certificate that is installed.

Importing Certificates

Once you have determined that you need to install certificates, use this procedure.

To install certificates

1 Log in to the access point whose EAS you are using.
2 From the main menu, click Security > Certificate Details. The Certificate Details screen appears.
3 Click Install certificates in the certificate store. The Import Certificate screen appears.

Note: If you are not using the secure web browser, you will be prompted to log in again. Click A secure session is available and log in to the access point. If a Security Alert dialog box appears, click Yes to proceed. Repeat Step 1 and Step

4 Click Server Certificate or Trusted CA Certificate.
5 In the Enter or select the name of the certificate file to import field, enter the path and filename of the server certificate. Or, click Browse to locate the certificate.
6 (Server Certificate only) In the Enter the associated passphrase for this certificate field, carefully enter the passphrase for the certificate.
7 Click Import Certificate.

Copying Root Certificates to End Devices

You do not need to copy a trusted root certificate to the wireless end devices if you are using MobileLAN secure (Intermec) server certificates. An Intermec root certificate is already loaded on the end devices.

You must copy a trusted root certificate to the end devices if you are using a third-party CA and:

• the end devices are using the EAP-TTLS or the EAP-PEAP authentication type
• or, the end devices are using EAP-TLS authentication type and you want the end devices to validate the authentication server. The root certificate and the client certificate must be generated by the same CA.

Copying the Root Certificate to a 700 Series Mobile Computer

1 Verify that the root certificate is named ROOT.PEM.
2 Connect the mobile computer to your PC using an ActiveSync cable or IrDA. For help, see the user's manual.
3 Copy ROOT.PEM to the \WINDOWS directory on the mobile computer.

Copying the Root Certificate to a Trakker Antares Terminal

You can download files from a PC or host computer to a terminal using the serial port, DCS 300 (in a UDP Plus network), or a host application (in a TCP/IP network). This procedure explains how to use the serial port and the FileCopy utility. This utility is available at no charge from the Intermec web site at For help using other methods to download files, see the Trakker Antares 2400 Family System Manual (P/N ).

To copy the root certificate into the terminal

1 Connect the terminal's serial port to your PC or host computer. For help, see the terminal user's manual.
2 Verify that the root certificate is named CACERT.PEM.

3 Run FileCopy on your PC. The Intermec FileCopy Utility dialog box appears.
4 Check the serial port and serial communications parameters to verify that the settings for your PC match the values that are set for the terminal serial port.
   a Click the COM Port Setup tab and configure these parameters.
     • PC COM port
     • Trakker Antares COM port
     • Communications protocol
     • File Transfer protocol
     • Baud rate, parity, data bits, and stop bits
   b Click the Serial Setup tab to verify and configure the PC's serial port.
   c Use the TRAKKER Antares 2400 Menu System to configure the serial port parameters on the terminal. For help, see the configuration chapter in your terminal user's manual.
5 Make sure the terminal is not running an application that will be updated during the file transfer. If you are in the TRAKKER Antares 2400 Menu System, exit the menu system.

6 Click the FileCopy tab.
7 In the PC filename and path field, type the path and filename for CACERT.PEM on your PC.
8 In the Terminal filename and path field, type: C:CACERT.PEM.
9 Click Download.
10 Click Exit to close the utility.

Copying the Root Certificate to a Printer With EasyLAN Wireless

1 On your PC, start Internet Explorer.
2 Choose Tools > Internet Options > Content tab.
3 Click Certificates > Trusted Root Certification Authorities tab.

4 Select the root certificate you wish to use, and then click View > Details tab.

5 From the list of fields, select Public key.
6 Place the cursor in the bottom frame.
7 Press Ctrl-A to select all the hexadecimal digits in the key, and then press Ctrl-C to copy the key.
8 Open Microsoft Notepad, and press Ctrl-V to paste the key.
9 Delete the last five pairs of hexadecimal digits (usually ) in the key.
10 From the beginning of the key, delete all hexadecimal pairs up to and including the first 00. For example, in the above key, you would delete
11 Delete all the spaces, press Ctrl-A, and then press Ctrl-C.
12 Connect your PC serial port to the EasyLAN Wireless. For help, see the EasyLAN Wireless User's Manual (P/N ).
13 Enable Console mode.
   a On your PC, start Internet Explorer.
   b In the Address field, enter the IP address for the EasyLAN Wireless and press Enter. The Server Access Password page appears.

   c In the Server Access Password field, enter the password. The default password is Intermec.
   d Click Submit. The Configuration and Management page appears.

   e Click PortSettings. The Configure Port page appears.
   f Click S1. The following page appears.
   g In the Port Type field, click Console.

   h Click Submit. A page appears letting you know that your changes were successful.
14 On your PC, start a HyperTerminal session, and press Enter to get the Local> prompt.
15 Type set en ttkey \x.
16 Choose Edit > Paste To Host to paste the key, and then press Enter.
17 To make sure that the authentication is set, type sh en ttkey, and then press Enter.
18 To save the changes, type save, press Enter, type ini, and press Enter.
19 Type exit and press Enter.

Copying Client Certificates to End Devices (EAP-TLS)

You need to copy a unique client certificate to each wireless end device if it is using the EAP-TLS authentication type. If you are using MobileLAN secure (Intermec) certificates, each MobileLAN secure Server Certificate CD provides one client certificate (SERVER.PEM).

If you are using the Odyssey server, you also need to configure two nodes in the certificate trust tree: one node for the root certificate and an any node below it, which represents any user with a certificate signed by the root certificate. For help, see the Odyssey Server Administration Guide.

Note: If you are using the Microsoft Certificate Authority to create client certificates, make sure that you add the User Signature Only policy to the Policy Settings folder in the Microsoft Certificate Authority.
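Steps 5 through 11 of Copying the Root Certificate to a Printer With EasyLAN Wireless, earlier in this chapter, trim the certificate viewer's Public key field by hand. The following Python script is an added example, not Intermec code: it applies the same trimming, parses the field as a DER RSAPublicKey to confirm that what remains is exactly the RSA modulus, and rejects keys where the hand rule would cut in the wrong place. The sample keys are constructed toy values, and treating the field as a DER RSAPublicKey is an assumption about the viewer's output.

```python
import re

# Constructed samples: toy 128-bit moduli laid out like the certificate
# viewer's "Public key" field (assumed here to be a DER RSAPublicKey).
SAMPLE_TYPICAL = """30 18 02 11 00 c5 3f 9a 10 7b e2 44 d1 08 6c f3
5a 91 2e b7 0d 02 03 01 00 01"""
# Same modulus, but the public exponent is 3 and takes three bytes, not five.
SAMPLE_SHORT_EXPONENT = """30 16 02 11 00 c5 3f 9a 10 7b e2 44 d1 08 6c f3
5a 91 2e b7 0d 02 01 03"""


def hex_pairs(text):
    """Split pasted viewer text into two-digit hex pairs, rejecting anything else."""
    compact = "".join(text.split())
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", compact):
        raise ValueError("input is not a whole number of hexadecimal pairs")
    return [compact[i:i + 2] for i in range(0, len(compact), 2)]


def trim_by_hand(text):
    """Steps 9 to 11 as written: drop the last five pairs, drop everything
    up to and including the first 00, then remove the spaces."""
    pairs = hex_pairs(text)[:-5]
    if "00" not in pairs:
        raise ValueError("no 00 pair to trim to")
    return "".join(pairs[pairs.index("00") + 1:])


def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value; return (value, next position)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected DER tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low bits count the length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER value runs past the end of the input")
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(buf):
    """Parse SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
    Returns (modulus without its leading zero pad, exponent bytes)."""
    body, end = _read_tlv(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after the key")
    modulus, pos = _read_tlv(body, 0, 0x02)
    exponent, pos = _read_tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("unexpected extra fields in the key")
    return modulus.lstrip(b"\x00"), exponent


def prepare_printer_key(text):
    """Return the string to paste into the console, refusing input where the
    manual trimming rule and the parsed modulus disagree."""
    raw = bytes.fromhex("".join(hex_pairs(text)))
    modulus, exponent = parse_rsa_public_key(raw)
    expected = modulus.hex()
    if trim_by_hand(text).lower() != expected:
        raise ValueError(
            "manual trimming would not yield the modulus "
            f"(exponent is {len(exponent)} byte(s), modulus is {len(modulus)} bytes)")
    return expected


if __name__ == "__main__":
    print(prepare_printer_key(SAMPLE_TYPICAL))
    try:
        prepare_printer_key(SAMPLE_SHORT_EXPONENT)
    except ValueError as err:
        print("rejected:", err)
```

A key that is rejected here has a public exponent or header layout that the five-pair rule does not fit, so the hand-trimmed string would be a truncated or shifted modulus.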

Copying the Client Certificate to a CK30 Handheld Computer

The CK30 has a certificate enrollment program that makes it easy to import the trusted root certificate and client certificate from a third-party CA. The CK30 must have an active network connection.

To get a client certificate for the CK30

1 Go to the command prompt.
2 Type enroll sservername
  where servername is the name or IP address of the CA server. The Network Password dialog box appears.
3 In the User Name field, enter the user name that is used to log in to the CA server.
4 In the Password field, enter the password that is used to log in to the CA server.
5 (Optional) In the Domain field, enter the domain that you need to access to obtain the certificates.
6 Press Enter. A message box appears asking if you want to load the root certificate.
7 Press Y. The root certificate and the client certificate are automatically loaded.

Copying the Client Certificate to a 700 Series Mobile Computer

You can copy a client certificate to the mobile computer. Verify that the name of the certificate is *.PEM and that you copy it to the \WINDOWS directory.

The mobile computer also has a certificate enrollment program that helps you get a free client certificate from the Microsoft Certificate Authority. The mobile computers need to have an active network connection.

To get a client certificate for the

1 Tap Start > Settings > Intermec CORE icon. The CORE screen appears.
2 Tap the Details tab and then tap the Configuration button.
3 In the Security field, choose 802.1x.

4 Tap the Certificates button.
5 In the CA Name/IP field, enter the name or IP address of the PC or server that contains the Microsoft Certificate Authority.
  Note: If you enter the name, you must have a DNS server that can resolve the name/IP address.
6 In the Enroll File Name field, enter the name of the certificate that you want to install on the mobile computer. For example, enter CLIENTCERT.PEM
7 In the Store Location field, enter \WINDOWS
8 Tap Enroll. You are prompted to enter a password for the certificate.
9 Enter a password. You will also need to enter this password when you configure the mobile computer for EAP-TLS.
10 Tap OK twice to save your changes.

To get a client certificate for the 750 or

1 Tap Start > Settings > System tab > Wireless Network icon. The Profile Wizard starts.
2 Add or edit a profile. For help, see the user's manual.
3 Tap the Advanced tab.
4 Tap the Certificates button.
5 In the CA Name/IP field, enter the name or IP address of the PC or server that contains the Microsoft Certificate Authority.
  Note: If you enter the name, you must have a DNS server that can resolve the name/IP address.
6 In the Enroll File Name field, enter the name of the certificate that you want to install on the mobile computer. For example, enter CLIENTCERT.PEM
7 In the Store Location field, enter \WINDOWS
8 Tap Enroll. You are prompted to enter a password for the certificate.
9 Enter a password. You will also need to enter this password when you configure the mobile computer for EAP-TLS.
10 Tap OK twice to save your changes.


3 Configuring the Authentication Server

This chapter explains how to configure the authentication server in your MobileLAN secure 802.1x security solution. This chapter covers these topics:

• About the authentication server
• Configuring the Odyssey server
• Configuring the embedded authentication server

About the Authentication Servers

The authentication server is usually a Remote Authentication Dial-In User Service (RADIUS) server, although RADIUS is not specifically required by the standard. Intermec offers these two RADIUS servers:

• Funk Odyssey Server. For help configuring the Odyssey server, see Configuring the Odyssey Server in the next section.
• Access point (WA22, 2101B, WA21, 2100D, 2106) with software release 1.90 or later. For help configuring the embedded authentication server, see Configuring the Embedded Authentication Server on page 57.

This chapter explains how to configure both of these RADIUS servers to work in your MobileLAN secure 802.1x security solution.

Configuring the Odyssey Server

Before you configure the Odyssey server, it should already be installed and have a certificate. Use the Odyssey Server Administrator to configure the Odyssey server. The following instructions provide you with the minimum steps you need to perform for the Odyssey server to work in this network. The instructions cover these steps:

1 Configure the certificate trust tree.
2 Define the authentication protocol order.
3 Add the authenticators.
4 Configure the Odyssey user database (TTLS or TLS).

For more help, see the Odyssey Server Administration Guide. This guide shipped with the software or you can download it in PDF format for free from

Configuring the Certificate Trust Tree

1 Open the Odyssey Server Administrator and click the Settings folder.
2 In the right pane, double-click User Trust. The User Certificate Trust dialog box appears.

3 Click Add Certificate. The Select Certificate dialog box appears.
4 In the Trusted Root Certification Authorities tab, choose the certificate issued by Intermec Technologies Corporation.
5 Click OK. You return to the User Certificate Trust dialog box.
6 Select the Intermec Technologies Corporation certificate and then click Add Identity. The Add Identity dialog box appears.
7 Check the Any user or CA certificate issued by parent check box. This check box authorizes anyone who has a certificate from Intermec Technologies Corporation to communicate with the Odyssey server.
8 Click OK. You return to the Microsoft Management Console.

Defining the Authentication Protocol Order

1 Open the Odyssey Server Administrator and click the Settings folder.
2 In the right pane, double-click Authentication Settings. The Authentication Settings dialog box appears.
3 Use the up and down arrows to arrange the authentication protocol order. When the authenticator suggests an EAP authentication type, it will choose the first protocol in the list.
4 Click OK. You return to the Microsoft Management Console.

Adding the Authenticators

Note: Intermec recommends that you configure a unique shared secret key between the server and each authenticator. You must also enter the shared secret key in each authenticator.

To add the authenticators

1 Open the Odyssey Server Administrator and click the Settings folder.
2 In the left pane, right-click Access Points.

3 From the drop-down menu, choose Add Access Point. The Add Access Point dialog box appears.
4 In the Name field, enter the unique name for this access point. This name must match the name that is entered in the AP Name field in the Spanning Tree Settings screen in the access point.
5 In the Description field, enter a useful description for this access point.
6 In the Address field, enter the IP address for this access point.
7 In the Model field, use this table to help you choose an access point model.

If you have this MobileLAN access point Choose WA22 Intermec MobileLAN access Intermec MobileLAN access 2101 WA21 Intermec MobileLAN access Intermec MobileLAN access Intermec MobileLAN access

8 Click Enter. The Enter Shared Secret dialog box appears.
9 In the Enter shared secret field, enter the secret key that the Odyssey server and the access point share. You must also enter this secret key in the access point.
10 Click OK. You return to the Add Access Point dialog box.
11 Click OK. You return to the Microsoft Management Console.

Creating the Odyssey User Database (TTLS/PEAP)

Note: To verify that the Odyssey server can authenticate the end devices using TTLS or PEAP, you may want to add a user name of anonymous and password of anonymous to the Odyssey user database. After you verify the end devices can authenticate, Intermec recommends that you delete this entry.

The Odyssey user database contains a list of users that you want to have access to the wireless network. Before you can create the Odyssey user database, you need to use the Windows Users and Passwords application (usually in the Control Panel) to add the users to the PC or server that contains the Odyssey server.

To create the Odyssey user database

1 Open the Odyssey Server Administrator and click the Settings folder.
2 In the left pane, right-click Users.

3 From the drop-down menu, choose Add User(s). The Add User(s) dialog box appears. If you get a message box informing you that you cannot browse the domains if you don't have your PC set up to log in to a domain, click OK.
4 In the Domain field, select the domain (usually the local machine) that contains the users that you want to have access to the wireless network.
5 In the Users box, select the users that you want to have access to the wireless network and click Add.
6 Click OK. You return to the Microsoft Management Console.

Creating the Odyssey User Database (TLS)

The Odyssey user database contains a list of users that have certificates and are authorized to access the wireless network. Before you can create the Odyssey user database, you need to create a domain for your certificate server.

To create a domain for your certificate server

1 Right-click the My Computer icon.
2 From the drop-down menu, choose Properties. The System Properties dialog box appears.
3 Click the Network Identification tab and then click Properties. The Identification Changes dialog box appears.
4 Choose Domain and then enter the name of the domain on your certificate server.
5 When you are prompted for a password, enter a password. This password lets you log in to your certificate server domain.
6 Choose the Administrator account.
7 Choose OK and then reboot your PC or server.
8 When you are prompted to log in to the PC or server, in the Log on to field, select the certificate server domain with the administrator account (not the local machine).
9 Log in to the certificate server domain using your user name and the password from Step 5.

To create the Odyssey user database

1 Open the Odyssey Server Administrator and click the Settings folder.
2 In the left pane, right-click Users.

3 From the drop-down menu, choose Add User(s). The Add User(s) dialog box appears.
4 In the Domain field, select the certificate server domain that you configured in the previous procedure.
5 In the Users box, select the users that you want to have access to the wireless network and click Add.
6 Click OK. You return to the Microsoft Management Console.

Configuring the Embedded Authentication Server

An embedded authentication server (EAS) supports up to 128 database entries. If you need more database entries, you may be able to use the EAS on different access points for different purposes. For example, you can use the EAS on one access point as a password server and another EAS on another access point as the authentication server. However, you cannot use multiple EAS to support more of the same type of database entries.

Note: The maximum number of Trakker Antares terminals that an EAS supports if you turn on the end devices at the same time is 60. However, if you turn on the terminals in groups, the EAS can support all 128 clients with unique security credentials.

Before you configure the embedded authentication server (EAS), the access point whose EAS you are using should already have a certificate, be installed, and be configured to communicate with your network and wireless end devices. The following instructions provide you with the minimum steps you need to perform for the EAS to work in this network. The instructions cover these steps:

1 Enable the EAS.
2 Add the authenticators to the EAS database.
3 Create the EAS database.

For more help, see the MobileLAN access System Manual. You can download it in PDF format for free from

Enabling the EAS

In all MobileLAN access points, the default secret key is the same. By having the same default secret key, you can verify that all authenticators can communicate with the EAS. Then, for more security, you should change the secret key to prevent unauthorized authenticators from communicating with your network.

If you want to use the same secret key for communications between the EAS and all authenticators, in the Embedded Authentication Server screen, enter the default secret key. For each authenticator, in the RADIUS Server List screen, enter the EAS IP address, enter the default secret key and check the 802.1x check box.

If you want to use a unique secret key for communications between the EAS and each authenticator, you need to add each authenticator to the EAS database as a RADIUS client. For each authenticator, in the RADIUS Server List, enter the EAS IP address, enter the unique secret key and check the 802.1x check box.

To enable the EAS
1 Log in to the access point whose EAS you are enabling.
2 From the main menu, click Security > Embedded Authentication Server. The Embedded Authentication Server screen appears.
3 Check the Enable Server check box.
4 Click Submit Changes to save your changes.

5 (Optional) In the Default Secret Key field, enter a default secret key that is used between the EAS and all access points. This secret key can be from 1 to 32 characters in ASCII or in hexadecimal. To enter a hexadecimal key, it must start with 0x. If you change this field, you also need to enter the EAS IP address and default secret key in the RADIUS Server List of each authenticator. For help, see Configuring the MobileLAN access Point on page
6 In the UDP Port field, enter the UDP port number on which the EAS listens. Port number assignments are administered by the Internet Assigned Numbers Authority (IANA). If you change this value you should choose a number between and
7 In the Authorization Time field, enter the amount of time that RADIUS clients (access points) remain authorized by the server before they need to be reauthorized. The format is d:hh:mm, where d is days, hh is hours, and mm is minutes. If you enter 0s, the RADIUS server will only authenticate a RADIUS client the first time it connects.
8 Click Submit Changes to save your changes.

To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot.

Adding the Authenticators to the EAS Database

The authenticator receives requests from end devices that want to communicate with the network and forwards these requests to the authentication server. It also distributes the WEP keys to end devices that are communicating with it.

Note: To verify that the EAS can communicate with the authenticators, use the default value in the Default Secret Key field. After you verify communication, you should at least change the default secret key.

You do not need to perform this procedure if you want to use the same shared secret key between the EAS and all authenticators. For more security, Intermec recommends that you use a unique shared secret key between the EAS and each authenticator.

To add the authenticators
1 Log in to the access point whose EAS you are using.
2 From the main menu, click Security > Embedded Authentication Server > Database. The Database screen appears.
3 In the Type field, choose RADIUS.
4 In the User Name field, enter the IP address or DNS name of the authenticator (RADIUS client). User names can be from 1 to 32 characters.
5 In the Password field, enter the unique secret key that is shared by the authenticator (RADIUS client) and the embedded authentication server. Passwords can be from 1 to 32 characters.
6 Click Submit Changes to save your changes.

7 Repeat Steps 3 through 6 for each authenticator.
8 Click Save/Discard changes, and then click Save Changes without Reboot.

Creating the EAS Database (TTLS/PEAP/TLS)

The EAS database contains up to 128 clients that this access point authorizes for RADIUS clients and 802.1x clients. Whenever you make changes to the database, you can activate the changes by clicking Save/Discard changes and then clicking Save Changes without Reboot. You do not need to reboot the access point.

For help entering information for RADIUS clients, see Adding the Authenticators to the EAS Database on page 59.

You can also create a database (using Microsoft Excel or Notepad) and then import it. Or, you can configure one database, export it, and import it to an EAS in another access point. For help, see Exporting and Importing EAS Databases on page 65.

Note: Intermec recommends that when you are done configuring the database, you export it and save the file in a safe place. If you restore the access point to its default configuration, the database is not saved.

To create the EAS database
1 Log in to the access point whose EAS you are using.
2 From the main menu, click Security > Embedded Authentication Server > Database. The Database screen appears.

3 In the Type field, choose the type of supplicant you are entering in the database. For help, see the next table.
4 Click Submit Changes to save your changes.
5 Enter the appropriate user name and password, if applicable. User names and passwords can be from 1 to 32 characters. For help, see the next table.
6 Click Submit Changes to save your changes.
7 Repeat Steps 3 through 6 for each client.
8 Click Save/Discard changes, and then click Save Changes without Reboot.

802.1x Entry Descriptions

Type: 802.1x (TTLS/PEAP)
Description: Enter the login name and password of all end devices that are authorized to communicate with the 802.1x-enabled network. For more security, you should delete the user name anonymous and the password anonymous.
User Name: End device login name
Password: End device login password

Type: 802.1x (TLS)
Description: Enter the client certificate common name of all end devices that are authorized to communicate with the 802.1x-enabled network.
User Name: Client certificate common name
Password: None

Using the Rejected List

The Rejected List screen displays the users and devices that have been rejected by the EAS. You can use this list to discover which users and devices may need to be added to the database. When using the web browser interface, you can immediately add previously rejected end devices to the database. You do not need to click Submit Changes or reboot the access point.

Note: When you reboot the access point, the rejected list is cleared.

To view the rejected list
1 Log in to the access point whose EAS you are using.
2 From the main menu, click Security > Embedded Authentication Server > Rejected List. The Rejected List screen appears.
3 Determine which users and devices you need to add to the database. For help understanding the list, see the next table.
4 Add users and devices to the database. For help see Adding Entries to the EAS Database on page 64.

Rejected List Values

Column: Type
Description: Lists the type of authentication that failed. The type can be: Login, ACL, TTLS/PAP, TTLS/CHAP, TTLS/EAP, TTLS/MSCHAP, TTLS/MSCHAP-V2, PEAP/MSCHAP-V2, PEAP/GTC, or TLS.

Column: User Name
Description: Lists the value that was passed in the User Name field of the RADIUS server database during the failed attempt.

Column: Last Time
Description: Indicates how long ago the last authentication was attempted.

Column: Count
Description: Indicates how many times the authentication failed.

Column: NAS IP Address
Description: Displays the IP address of the RADIUS server that rejected the client.

Adding Entries to the EAS Database

When you accept TTLS/PAP and PEAP/GTC entries, they are added to the database and require no further configuration. If the authentication type does not allow the EAS to learn the password of the rejected client (such as TTLS/CHAP), only the user name is added to the database. You need to manually enter the password into the database, click Submit Changes > Save/Discard Changes > Save Changes without Reboot.

To add all entries to the EAS database
1 Click Select All Entries. A check box appears next to all entries.
2 Click Accept Selected Entries.

To add one entry to the EAS database
1 Check the check box next to the entry you want to add to the database.
2 Click Accept Selected Entries.

Clearing the Rejected List
1 Click Select All Entries. A check box appears next to all entries.
2 Click Clear Selected Entries.

Rebooting the access point will also clear the rejected list.

Exporting and Importing EAS Databases

Note: Intermec recommends that you use the secure web browser interface (HTTPS) when you export and import databases. Otherwise, the information in the databases is sent in the clear.

The EAS database is simply a comma-separated text file. You can create the database offline (using Microsoft Excel or Notepad) and then import it. The file must have the following format:

RADIUS, , secretkey
TTLS, username, password
TLS, commonname

Note: PEAP entries are imported and exported as TTLS entries, since they require the same parameters.

You should export the database so you have a backup version. You may also want to create the database in the primary RADIUS server, and then export it to a file that you can import to a backup RADIUS server.

To export an EAS database
1 Log in to the access point whose EAS you are using.
2 From the menu bar, click File Import/Export > Read or write the EAS RADIUS database. The EAS Database Import/Export screen appears.
3 If you are not using the secure web browser, click A secure session is available. Repeat Step 1 and Step 2.

4 Click Export the EAS database from this access point. A File Download dialog box appears.
5 Click Save. The Save As dialog box appears.

6 Choose the location and filename of the database. If you use the *.CSV extension, you can import it into Microsoft Excel, which recognizes it as a comma separated text file.
7 Click Save.

To import an EAS database

Note: As soon as you import the database, it is active.

1 Log in to the access point whose EAS you are using.
2 From the menu bar, click File Import/Export > Read or write the EAS RADIUS database. The EAS Database Import/Export screen appears.
3 If you are not using the secure web browser, click A secure session is available. Repeat Step 1 and Step 2.
4 Enter the path and filename of the database. Or, click Browse to locate the file.
5 Click Import Database.
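Because an imported database is active immediately, the limits this chapter states for an EAS database file (at most 128 entries, fields of 1 to 32 characters, no anonymous/anonymous login, a unique secret key per authenticator) can be checked offline before import. The following is an added example, not Intermec code; it assumes the blank second field of a RADIUS line is the authenticator's IP address or DNS name, and the sample database is constructed.

```python
import csv
import io
from collections import defaultdict

MAX_ENTRIES = 128    # EAS database capacity stated in the guide
MAX_FIELD_LEN = 32   # names, passwords and secret keys: 1 to 32 characters

# Fields expected after the type column. Assumption: the second field of a
# RADIUS line is the authenticator's IP address or DNS name, as on the
# Database screen; the guide's own format line leaves that field blank.
ENTRY_FIELDS = {
    "RADIUS": ("authenticator", "secret key"),
    "TTLS": ("user name", "password"),
    "TLS": ("common name",),
}

# Constructed sample input (documentation addresses, made-up credentials).
SAMPLE_DB = """\
RADIUS, 192.0.2.10, s3cret-ap-one
RADIUS, 192.0.2.11, s3cret-ap-one
RADIUS, ap3.example.test, 0x6b65792d666f722d617033
TTLS, anonymous, anonymous
TTLS, scanner01, correct-horse
TLS, scanner02-ITC
TTLS, scanner03
"""


def lint_eas_database(text):
    """Return sorted (line, severity, message) findings; line 0 is file-level.

    Messages never echo passwords or secret keys, only line numbers.
    """
    findings = []
    secret_lines = defaultdict(list)  # secret key -> RADIUS lines using it
    entries = 0
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        lineno = reader.line_num
        if not any(field.strip() for field in row):
            continue  # blank line
        entries += 1
        kind, values = row[0].strip().upper(), row[1:]
        expected = ENTRY_FIELDS.get(kind)
        if expected is None:
            hint = " (PEAP entries are stored as TTLS)" if kind == "PEAP" else ""
            findings.append((lineno, "error", f"unknown entry type{hint}"))
            continue
        if len(values) != len(expected):
            findings.append((lineno, "error",
                             f"{kind} entry needs {len(expected)} field(s) "
                             f"after the type, found {len(values)}"))
            continue
        for label, value in zip(expected, values):
            if not 1 <= len(value) <= MAX_FIELD_LEN:
                findings.append((lineno, "error",
                                 f"{label} must be 1 to {MAX_FIELD_LEN} characters"))
        if kind == "TTLS" and values[0].lower() == "anonymous" and values[1] == "anonymous":
            findings.append((lineno, "warning",
                             "default anonymous/anonymous login is still present"))
        if kind == "RADIUS":
            secret_lines[values[1]].append(lineno)

    if entries > MAX_ENTRIES:
        findings.append((0, "error",
                         f"{entries} entries exceed the EAS limit of {MAX_ENTRIES}"))
    for lines in secret_lines.values():
        if len(lines) > 1:
            findings.append((lines[0], "warning",
                             f"same secret key shared by RADIUS entries on lines {lines}"))
    return sorted(findings)


if __name__ == "__main__":
    for line, severity, message in lint_eas_database(SAMPLE_DB):
        print(f"line {line}: {severity}: {message}")
```

Run it against the exported file on the workstation where the export is stored, since the file holds every secret key and password in clear text.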


4 Configuring the Authenticator

This chapter explains how to configure the authenticator for your MobileLAN secure 802.1x security solution. This chapter covers these topics:
Configuring the access point
Creating a secure spanning tree

Configuring the MobileLAN access Point

Before you configure the MobileLAN access point as an authenticator, the access point should already be installed and configured to communicate with the wireless end devices. For help installing, configuring, and upgrading access points, see the MobileLAN access System Manual (P/N ).

The access point must be running software release 1.80 or later. To download free software upgrades, you can go to and then click Service & Support > Downloads. Choose the access point you have. A list of the available software downloads appears.

To configure the authenticator

Note: If you are using the EAS, you can use the default values in the shared secret key fields to verify that the authenticator can communicate with the authentication server. After you verify communication, you should at least change the default secret key. For more security, Intermec recommends that you use a unique shared secret key between the authentication server and each authenticator.

1 Log in to the authenticator.
2 From the main menu, click Security and then click the radio security that you are configuring. This screen appears.

3 Check the WEP/802.1x Authentication check box.
4 Click Submit Changes to save your changes.
5 In the WEP Key Rotation Period field, enter how often (in minutes) the access point generates a new WEP key to distribute to the end devices.
6 Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot.
7 Configure the RADIUS server list by clicking Select a RADIUS server for 802.1x authentication. The RADIUS Server List screen appears.

8 For each authentication server, enter the IP address or DNS name, enter the shared secret key, port number, and check the 802.1x check box.

Note: If you enter more than one authentication server, the other authentication servers simply serve as backup servers. The access point uses the first authentication server (starting with Server 1) whose IP address/DNS name and secret key are the same as one in the list.

Creating a Secure Spanning Tree

When you configure a radio to use 802.1x security, you automatically enable spanning tree security, which can be used for both wired and wireless access points. A secure spanning tree has two functions:
1 To require authentication of any MobileLAN access point attempting to join the spanning tree.
2 To provide encryption of critical Inter-Access Point Protocol (IAPP) frames.

There are three authentication methods that you can use to secure the spanning tree: Simple Wireless Authentication Protocol (SWAP), TTLS, or TLS.

SWAP is an Intermec proprietary protocol that is based on the EAP-MD5 challenge. Since it requires less processing power, it requires less memory and you can use it on all access points. Also, SWAP does not require an authentication server so it is easier to configure. With these advantages, SWAP is sufficient for most users.

TTLS and TLS are industry standard protocols. However, since they are more complex and require additional processing power and memory, they are only supported on newer access points (WA22, 2101B, WA21, 2100D, and the 2106). Also, TTLS and TLS require more administrative support.

When deciding on which type of spanning tree security to use, the supplicant access point and the authenticator will negotiate an authentication method that can be used by both. If the Allow SWAP check box is checked on both access points, SWAP will always be used. If the Allow SWAP check box is cleared on one or both of the access points, either TTLS or TLS will be used, depending on the setting of the Preferred Protocol field of the supplicant access point.

To create a secure spanning tree
1 Log in to an authenticator.
2 From the main menu, click Security > Spanning Tree Security. The Spanning Tree Security screen appears.
3 In the IAPP Secret Key field, enter a secret key. This secret key must be between 16 and 32 bytes.
4 Choose which authentication methods you want to use to authorize the access point to communicate with the network. For help, see the next table.
5 (Optional) Check the Verify CA Certificate check box and enter the authentication server common names if you want to verify the access point is connecting to the correct authentication server.
6 Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot.
7 Repeat Steps 1 through 6 for each authenticator in your spanning tree. All authenticators must have the same IAPP secret key to communicate with each other.

Spanning Tree Security Authentication Method Descriptions

Parameter: Allow SWAP
Description: Determines if this access point authenticates to other access points using SWAP.

Parameter: Allow TLS
Description: If the authentication server offers the TLS protocol for the authentication method, this check box determines if this access point can use its client certificate to authenticate to the network.

Parameter: Allow TTLS (MSCHAPv2)
Description: If the authentication server offers the TTLS protocol for the authentication method, this check box determines if this access point uses a login to authenticate to the network. This login must be in the authentication server database.

Parameter: Preferred Protocol
Description: If TLS and TTLS are enabled, this field specifies which protocol is sent to the authentication server when it sends an unsupported protocol.

Parameter: User Name (TTLS)
Description: Enter the user name of the access point when it uses TTLS to authenticate to the network.

Parameter: Password (TTLS)
Description: Enter the password of the access point when it uses TTLS to authenticate to the network.

Parameter: Verify CA Certificate
Description: Determines if you want to verify that the access point is connected to the correct authentication server. The server certificate signature is verified against the CA certificate and the server common name is verified against the authentication server common names that are configured in the access point.

Parameter: Authentication Server 1 Common Name
Description: Enter the common name of the authentication server.

Parameter: Authentication Server 2 Common Name
Description: Enter the common name of the backup authentication server.


5 Configuring the Supplicants

This chapter explains how to configure the supplicants for your MobileLAN secure 802.1x security solution. This chapter covers these topics:
Configuring the CK30 Handheld Computer
Configuring the 700 Series Mobile Computer
Configuring the Trakker Antares terminals
Configuring the printers with EasyLAN wireless

Configuring the CK30 Handheld Computer

Before you configure the CK30 Handheld Computer to communicate in an 802.1x-enabled network, it should already be configured to communicate with the network and the access point. For help configuring the mobile computer, see the CK30 Handheld Computer User's Manual (P/N ).

The CK30 with an b/g radio can be configured to use one of these authentication methods: EAP-PEAP or EAP-TLS.

Note: The CK30 also supports WPA and WPA-PSK. However, these authentication methods are not currently available in the MobileLAN secure 802.1x security solution. For availability, contact your local Intermec representative.

Configuring the CK30 for EAP-PEAP
1 Press C and then B to open the System Main Menu.
2 Choose Configuration Utility > Communications > Radio > Security.
3 For Network Authentication, choose Open.
4 For Data Encryption, choose WEP.
5 For 802.1X Authentication, choose PEAP.
6 Select Properties and then clear the Validate Server check box by tabbing to it and then pressing V.
7 Press Enter. Once the radio starts to authenticate, the Network Password dialog box appears.
8 Enter a user name and password for the CK30 and then select the Save password check box by tabbing to it and then pressing S.

9 Press Enter. You return to the Communications menu.
10 For Network Key Setting, choose Automatic.
11 Exit the Configuration Utility.

Configuring the CK30 for EAP-TLS
1 Press C and then B to open the System Main Menu.
2 Choose Configuration Utility > Communications > Radio > Security.
3 For Network Authentication, choose Open.
4 For Data Encryption, choose WEP.
5 For 802.1X Authentication, choose TLS.
6 Select Properties and then choose the Select button.
7 From the certificates list, select your client certificate and then press Enter. You return to the Communications menu.
8 For Network Key Setting, choose Automatic.
9 Exit the Configuration Utility.

Configuring the 700 Series Mobile Computer

Before you configure the 700 Series Mobile Computer to communicate in an 802.1x-enabled network, it should already be configured to communicate with the network and the access point. For help configuring the mobile computer, see either the 700 Series Mobile Computer User's Manual (P/N ) or the 700 Series Color Mobile Computer User's Manual (P/N ).

The 710 must have an b radio and be running Pocket PC 2002 or later. It must also have the EAP-TTLS or the EAP-TLS supplicant.

The 750 or 760 must have an b radio and have operating system software build version 1.30 or later. To verify your build version, start Pocket Internet Explorer, and then click the Intermec icon. The 750 or 760 must also have the EAP-TTLS or the EAP-TLS supplicant.

If the mobile computer does not have one of these supplicants loaded on it, you may need to order a supplicant CD and license. For help, see Getting Started on page 14.

To load the supplicant on the mobile computer
1 Connect the mobile computer to your PC using an ActiveSync cable or IrDA. For help, see the user's manual.
2 Insert the supplicant CD into your PC.
3 For the 710, copy the 700MSECURE100.CAB file from the CD to the mobile computer. For the 750 or 760, copy the 700CSECURE100.CAB file from the CD to the mobile computer.
Note: If you copy the cab file to the CabFiles subdirectory of the storage card, the cab file is not lost if you cold boot the mobile computer. If AutoRun system is also installed, the cab file is automatically reinstalled if you cold boot the mobile computer.
4 Install the cab file by tapping on it.

Configuring the 700 Series Mobile Computer for EAP-TTLS

Note: To verify that the mobile computer can authenticate to the authentication server, you can use the default user name of anonymous, use the default password of anonymous, and leave the server certificate common name blank. After you have verified that the mobile computer can authenticate, Intermec recommends that you configure the user name, the password, and the server certificate common name.

To configure the 710 for EAP-TTLS
1 Tap Start > Settings > Intermec CORE icon. The CORE screen appears.
2 Tap the Details tab and then tap the Configuration button.
3 In the Security field, choose 802.1x.
4 Configure the 802.1x parameters.
a Tap the Configure 802.1x button.
b In the EAP Type field, choose TTLS.

c In the Username field and User Password field, enter the logon the mobile computer uses when it is trying to authenticate to the 802.1x-enabled network. This name must be in the authentication server database.
d Check the Save Password check box.
e In the Supplicant Identity field, enter anonymous. Your network administrator may tell you to enter a different value.
f In the Server Certificate Common Name field, enter the name of the certificate that is on the primary authentication server. If you are using Intermec certificates, the certificate has the format *-ITC. Or, leave this field blank and the mobile computer will try to authenticate to any authentication server that has an Intermec certificate.
g Verify the CA List field contains this path and filename: \WINDOWS\ROOT.PEM
5 Tap OK twice to save your changes.

To verify that the mobile computer is authenticated, open the Intermec CORE application and tap the Details tab.

To configure the 750 or 760 for EAP-TTLS
1 Tap Start > Settings > System tab > Wireless Network icon. The Profile Wizard starts.
2 Add or edit a profile. For help, see the user's manual.
3 Tap the Security tab.
4 In the Security Method field, choose 802.1x TTLS. The TTLS parameters appear.
Note: The list shows the supplicants that are loaded on the mobile computer.
5 Configure the 802.1x parameters.
a In the Username field and Password field, enter the logon the mobile computer uses when it is trying to authenticate to the 802.1x-enabled network. This name must be in the authentication server database.
b In the Supplicant ID field, enter anonymous. Your network administrator may tell you to enter a different value.
c In the Server Cert CN field, enter the name of the certificate that is on the primary authentication server. Or, leave this field blank and the mobile computer will try to authenticate to any authentication server that has an Intermec certificate.

d Verify the CA List field contains this path and filename: \WINDOWS\ROOT.PEM
6 Tap OK to save your changes.

To verify that the mobile computer is authenticated, open the Intermec CORE application and tap the Details tab.

Configuring the 700 Series Mobile Computer for EAP-TLS

Before you configure the 700 Series Mobile Computer for TLS, you need to get a client certificate (*.PEM) from a certificate authority (CA) and copy it to the Windows directory on the mobile computer. For help, see Copying the Client Certificate to a 700 Series Mobile Computer on page 43.

To configure the 710 for EAP-TLS
1 Tap Start > Settings > Intermec CORE icon. The CORE screen appears.
2 Tap the Details tab and then tap the Configuration button.
3 In the Security field, choose 802.1x.
4 Configure the 802.1x parameters.
a Tap the Configure 802.1x button.
b In the EAP Type field, choose TLS.

c In the Client Key File field, enter the path and filename of the client certificate on the mobile computer. For example, enter \WINDOWS\CLIENTCERT.PEM
d In the Client Password field, enter the password for the client certificate.
e In the Supplicant Identity field, enter anonymous. Your network administrator may tell you to enter a different value.
f In the Server Certificate Common Name field, enter the name of the certificate that is on the primary authentication server. If you are using Intermec certificates, the certificate has the format *-ITC. Or, leave this field blank and the mobile computer will try to authenticate to any authentication server that has an Intermec certificate.
g Verify the CA List field contains this path and filename: \WINDOWS\ROOT.PEM
5 Tap OK twice to save your changes.

To verify that the mobile computer is authenticated, open the Intermec CORE application and tap the Details tab.


More information

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients Document ID: 64067 Contents Introduction Prerequisites Requirements Components Used Conventions Microsoft Certificate Service Installation

More information

IV7. Vehicle-Mount Reader. Instructions

IV7. Vehicle-Mount Reader. Instructions IV7 Vehicle-Mount Reader Instructions Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is provided solely

More information

Protected EAP (PEAP) Application Note

Protected EAP (PEAP) Application Note to users of Microsoft Windows 7: Cisco plug-in software modules such as EAP-FAST and PEAP are compatible with Windows 7. You do not need to upgrade these modules when you upgrade to Windows 7. This document

More information

CK3R CK3X. User s Manual. Mobile Computer CK3X-NI

CK3R CK3X. User s Manual. Mobile Computer CK3X-NI CK3R CK3X Mobile Computer CK3X-NI User s Manual Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is provided

More information

SD61. Base Station. User s Guide

SD61. Base Station. User s Guide SD61 Base Station User s Guide Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is provided solely for

More information

GHz g. Wireless A+G. User Guide. Notebook Adapter. Dual-Band. Dual-Band WPC55AG a. A Division of Cisco Systems, Inc.

GHz g. Wireless A+G. User Guide. Notebook Adapter. Dual-Band. Dual-Band WPC55AG a. A Division of Cisco Systems, Inc. A Division of Cisco Systems, Inc. Dual-Band 5 GHz 802.11a + GHz 2.4 802.11g WIRELESS Dual-Band Wireless A+G Notebook Adapter User Guide Model No. WPC55AG Copyright and Trademarks Specifications are subject

More information

Instruction Sheet P/N Centronics Parallel I/O Card

Instruction Sheet P/N Centronics Parallel I/O Card Instruction Sheet P/N 070872-001 Centronics Parallel I/O Card Intermec Technologies Corporation 6001 36th Avenue West P.O. Box 4280 Everett, WA 98203-9280 U.S. service and technical support: 1.800.755.5505

More information

Quick Start Guide. Trakker Antares 248X Stationary Terminal

Quick Start Guide. Trakker Antares 248X Stationary Terminal Quick Start Guide Trakker Antares 248X Stationary Terminal Intermec Technologies Corporation Corporate Headquarters 6001 36th Ave. W. Everett, WA 98203 U.S.A. www.intermec.com The information contained

More information

Installation Instructions. RFID Kit for the EasyCoder PM4i Printer

Installation Instructions. RFID Kit for the EasyCoder PM4i Printer Installation Instructions RFID Kit for the EasyCoder PM4i Printer Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained

More information

Quick Start Guide. EasyCoder PL3 Printer

Quick Start Guide. EasyCoder PL3 Printer Quick Start Guide EasyCoder PL3 Printer Intermec Technologies Corporation Corporate Headquarters 6001 36th Ave. W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is proprietary

More information

Programmer's Reference Manual CK1 SDK

Programmer's Reference Manual CK1 SDK Programmer's Reference Manual CK1 SDK Intermec Technologies Corporation Corporate Headquarters 6001 36th Ave. W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is proprietary

More information

Configuring Funk Odyssey Software, Avaya AP-3 Access Point, and Avaya

Configuring Funk Odyssey Software, Avaya AP-3 Access Point, and Avaya Configuring Funk Odyssey Software, Avaya AP-3 Access Point, and Avaya 802.11a/b Wireless Client for User Authentication (802.1x) and Data Encryption - Issue 1.0 Abstract These Application Notes describe

More information

Printer Radio Interface Kit PD41, PD42, PF2i, PF4i, PM4i, PX4i, PX6i. Installation Instructions

Printer Radio Interface Kit PD41, PD42, PF2i, PF4i, PM4i, PX4i, PX6i. Installation Instructions Printer 802.11 Radio Interface Kit PD41, PD42, PF2i, PF4i, PM4i, PX4i, PX6i Installation Instructions Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A.

More information

Service Manual. CK30 Handheld Computer

Service Manual. CK30 Handheld Computer Service Manual CK30 Handheld Computer Intermec Technologies Corporation Corporate Headquarters 6001 36th Ave. W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is proprietary

More information

User s Manual P/N TRAKKER Antares 248X Stationary Terminal

User s Manual P/N TRAKKER Antares 248X Stationary Terminal User s Manual P/N 066960-002 TRAKKER Antares 248X Stationary Terminal Intermec Technologies Corporation 6001 36th Avenue West P.O. Box 4280 Everett, WA 98203-9280 U.S. service and technical support: 1-800-755-5505

More information

Integration Guide. CK30/CK31 and Cisco Aironet 1231/1242

Integration Guide. CK30/CK31 and Cisco Aironet 1231/1242 Integration Guide CK30/CK31 and Cisco Aironet 1231/1242 Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein

More information

IF61. IBM Data Capture and Delivery Platform. User s Guide

IF61. IBM Data Capture and Delivery Platform. User s Guide IF61 IBM Data Capture and Delivery Platform User s Guide Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein

More information

Configuring the Client Adapter through the Windows XP Operating System

Configuring the Client Adapter through the Windows XP Operating System APPENDIX E through the Windows XP Operating System This appendix explains how to configure and use the client adapter with Windows XP. The following topics are covered in this appendix: Overview, page

More information

User's Manual. EasyCoder 3400e Bar Code Label Printer

User's Manual. EasyCoder 3400e Bar Code Label Printer User's Manual EasyCoder 3400e Bar Code Label Printer Intermec Technologies Corporation Corporate Headquarters 600 36th Avenue West Everett, WA 98203 U.S.A. www.intermec.com The information contained herein

More information

Configuring the Client Adapter through Windows CE.NET

Configuring the Client Adapter through Windows CE.NET APPENDIX E Configuring the Client Adapter through Windows CE.NET This appendix explains how to configure and use the client adapter with Windows CE.NET. The following topics are covered in this appendix:

More information

A Division of Cisco Systems, Inc. GHz 2, g. Wireless-G. User Guide. Access Point WIRELESS WAP54G (EU/LA/UK) Model No.

A Division of Cisco Systems, Inc. GHz 2, g. Wireless-G. User Guide. Access Point WIRELESS WAP54G (EU/LA/UK) Model No. A Division of Cisco Systems, Inc. GHz 2,4 802.11g WIRELESS Wireless-G Access Point User Guide Model No. WAP54G (EU/LA/UK) Copyright and Trademarks Specifications are subject to change without notice. Linksys

More information

A Division of Cisco Systems, Inc. GHz g. Wireless-G. USB Network Adapter. User Guide WIRELESS WUSB54G. Model No.

A Division of Cisco Systems, Inc. GHz g. Wireless-G. USB Network Adapter. User Guide WIRELESS WUSB54G. Model No. A Division of Cisco Systems, Inc. GHz 2.4 802.11g WIRELESS Wireless-G USB Network Adapter User Guide Model No. WUSB54G Copyright and Trademarks Specifications are subject to change without notice. Linksys

More information

PD41 PD42. Commercial Printer. Spare Parts Catalog

PD41 PD42. Commercial Printer. Spare Parts Catalog PD4 PD42 Commercial Printer Spare Parts Catalog Intermec Technologies Corporation Worldwide Headquarters 600 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is provided

More information

User's Manual P/N DCS 300

User's Manual P/N DCS 300 User's Manual P/N 067296-005 DCS 300 Intermec Technologies Corporation 6001 36th Avenue West P.O. Box 4280 Everett, WA 98203-9280 U.S. service and technical support: 1-800-755-5505 U.S. media supplies

More information

Wireless-N. User Guide. USB Network Adapter WUSB300N WIRELESS. Model No.

Wireless-N. User Guide. USB Network Adapter WUSB300N WIRELESS. Model No. 2.4 GHz WIRELESS Wireless-N USB Network Adapter User Guide Model No. WUSB300N Copyright and Trademarks Specifications are subject to change without notice. Linksys is a registered trademark or trademark

More information

A Division of Cisco Systems, Inc. GHz g. Wireless-G. PCI Adapter with SRX 400. User Guide WIRELESS WMP54GX4. Model No.

A Division of Cisco Systems, Inc. GHz g. Wireless-G. PCI Adapter with SRX 400. User Guide WIRELESS WMP54GX4. Model No. A Division of Cisco Systems, Inc. GHz 2.4 802.11g WIRELESS Wireless-G PCI Adapter with SRX 400 User Guide Model No. WMP54GX4 Copyright and Trademarks Specifications are subject to change without notice.

More information

PX4i PX6i. Print Kit. Integration Guide

PX4i PX6i. Print Kit. Integration Guide PX4i PX6i Print Kit Integration Guide Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is provided solely

More information

CK70 CK71 Back Accessory Interface (BAI)

CK70 CK71 Back Accessory Interface (BAI) CK70 CK71 Back Accessory Interface (BAI) Integration Guide Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained

More information

Deploying Windows Server 2003 Internet Authentication Service (IAS) with Virtual Local Area Networks (VLANs)

Deploying Windows Server 2003 Internet Authentication Service (IAS) with Virtual Local Area Networks (VLANs) Deploying Windows Server 2003 Internet Authentication Service (IAS) with Virtual Local Area Networks (VLANs) Microsoft Corporation Published: June 2004 Abstract This white paper describes how to configure

More information

A Division of Cisco Systems, Inc. GHz 2, g. Wireless-G. User Guide. PCI Adapter WIRELESS. with SpeedBooster WMP54GS (EU/UK/LA) Model No.

A Division of Cisco Systems, Inc. GHz 2, g. Wireless-G. User Guide. PCI Adapter WIRELESS. with SpeedBooster WMP54GS (EU/UK/LA) Model No. A Division of Cisco Systems, Inc. GHz 2,4 802.11g WIRELESS Wireless-G PCI Adapter with SpeedBooster User Guide Model No. WMP54GS (EU/UK/LA) Copyright and Trademarks Specifications are subject to change

More information

Wired Dot1x Version 1.05 Configuration Guide

Wired Dot1x Version 1.05 Configuration Guide Wired Dot1x Version 1.05 Configuration Guide Document ID: 64068 Introduction Prerequisites Requirements Components Used Conventions Microsoft Certificate Services Installation Install the Microsoft Certificate

More information

IP30. Handheld RFID Reader IP30, IP30NI. User Guide

IP30. Handheld RFID Reader IP30, IP30NI. User Guide IP30 Handheld RFID Reader IP30, IP30NI User Guide Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is

More information

Configuring the Client Adapter through the Windows XP Operating System

Configuring the Client Adapter through the Windows XP Operating System APPENDIX E Configuring the Client Adapter through the Windows XP Operating System This appendix explains how to configure and use the client adapter with Windows XP. The following topics are covered in

More information

User s Manual. EasyCoder 4420 and 4440 Printer Self-Strip/Batch Takeup

User s Manual. EasyCoder 4420 and 4440 Printer Self-Strip/Batch Takeup User s Manual EasyCoder and 4440 Printer Self-Strip/Batch Takeup Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave. W. Everett, WA 98203 U.S.A. www.intermec.com The information contained

More information

PB22 PB32. Mobile Label and Receipt Printer. User s Guide

PB22 PB32. Mobile Label and Receipt Printer. User s Guide PB22 PB32 Mobile Label and Receipt Printer User s Guide Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein

More information

ED40. Development Kit. Quick Start Guide

ED40. Development Kit. Quick Start Guide ED40 Development Kit Quick Start Guide Disclaimer Honeywell International Inc. ( HII ) reserves the right to make changes in specifications and other information contained in this document without prior

More information

User s Guide. Intermec Printer Network Manager v1.1

User s Guide. Intermec Printer Network Manager v1.1 User s Guide Intermec Printer Network Manager v1.1 Information in this manual is subject to change without prior notice and does not represent a commitment on the part of Intermec Printer AB. Copyright

More information

User s Guide. MicroBar 9745 Base Station

User s Guide. MicroBar 9745 Base Station User s Guide MicroBar 9745 Base Station Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave. W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is provided

More information

Managing Certificates

Managing Certificates CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer

More information

A Division of Cisco Systems, Inc. GHz g. Wireless-G. Access Point. User Guide WIRELESS. WAP54G ver Model No.

A Division of Cisco Systems, Inc. GHz g. Wireless-G. Access Point. User Guide WIRELESS. WAP54G ver Model No. A Division of Cisco Systems, Inc. GHz 2.4 802.11g WIRELESS Wireless-G Access Point User Guide Model No. WAP54G ver. 3.1 Copyright and Trademarks Specifications are subject to change without notice. Linksys

More information

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication Document ID: 43486 Contents Introduction Prerequisites Requirements Components Used Background Theory Conventions Network Diagram

More information

Secure ACS for Windows v3.2 With EAP TLS Machine Authentication

Secure ACS for Windows v3.2 With EAP TLS Machine Authentication Secure ACS for Windows v3.2 With EAP TLS Machine Authentication Document ID: 43722 Contents Introduction Prerequisites Requirements Components Used Background Theory Conventions Network Diagram Configuring

More information

1.0. Quest Enterprise Reporter Discovery Manager USER GUIDE

1.0. Quest Enterprise Reporter Discovery Manager USER GUIDE 1.0 Quest Enterprise Reporter Discovery Manager USER GUIDE 2012 Quest Software. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL Q&A PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL This document answers questions about Protected Extensible Authentication Protocol. OVERVIEW Q. What is Protected Extensible Authentication Protocol? A.

More information

Using the Cisco Unified Wireless IP Phone 7921G Web Pages

Using the Cisco Unified Wireless IP Phone 7921G Web Pages CHAPTER 4 Using the Cisco Unified Wireless IP Phone 7921G Web Pages You can use the Cisco Unified Wireless IP Phone 7921G web pages to set up and configure settings for the phone. This chapter describes

More information

Configuring 802.1X Settings on the WAP351

Configuring 802.1X Settings on the WAP351 Article ID: 5078 Configuring 802.1X Settings on the WAP351 Objective IEEE 802.1X authentication allows the WAP device to gain access to a secured wired network. You can configure the WAP device as an 802.1X

More information

VIEW Configuration Guide. Cisco. 1131, 1232 and 1242 Autonomous APs. June 2010 Edition Version D

VIEW Configuration Guide. Cisco. 1131, 1232 and 1242 Autonomous APs. June 2010 Edition Version D VIEW Configuration Guide Cisco 1131, 1232 and 1242 Autonomous APs June 2010 Edition 1725-36193-001 Version D Configuration Guide Patent Information The accompanying product is protected by one or more

More information

Implementing X Security Solutions for Wired and Wireless Networks

Implementing X Security Solutions for Wired and Wireless Networks Implementing 802.1 X Security Solutions for Wired and Wireless Networks Jim Geier WILEY Wiley Publishing, Inc. Contents Introduction xxi Part I Concepts 1 Chapter 1 Network Architecture Concepts 3 Computer

More information

User s Guide. SR30 Handheld Scanner

User s Guide. SR30 Handheld Scanner User s Guide SR30 Handheld Scanner User s Guide SR30 Handheld Scanner Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information

More information

Quest Collaboration Services 3.6. Installation Guide

Quest Collaboration Services 3.6. Installation Guide Quest Collaboration Services 3.6 Installation Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

U S E R M A N U A L b/g PC CARD

U S E R M A N U A L b/g PC CARD U S E R M A N U A L 802.11b/g PC CARD Table of Content CHAPTER 1 INTRODUCTION... 1 1.1 WIRELESS LAN FEATURE FUNCTIONS... 1 1.2 REGULATORY NOTICE... 1 1.2.1 FCC Class B Statement...1 1.2.2 Canadian Regulatory

More information

Troubleshooting Microsoft Windows XP-based Wireless Networks in the Small Office or Home Office

Troubleshooting Microsoft Windows XP-based Wireless Networks in the Small Office or Home Office Operating System Troubleshooting Microsoft Windows XP-based Wireless Networks in the Small Office or Home Office Microsoft Corporation Published: December 2004 Update: May 2005 Abstract Because small office/home

More information

Release Notes for Cisco Aironet a/b/g Client Adapters (CB21AG and PI21AG) for Windows Vista 1.1

Release Notes for Cisco Aironet a/b/g Client Adapters (CB21AG and PI21AG) for Windows Vista 1.1 Release Notes for Cisco Aironet 802.11a/b/g Client Adapters (CB21AG and PI21AG) for Windows Vista 1.1 February, 2011 Contents This document contains the following sections: Introduction, page 2 System

More information

Installation Instructions

Installation Instructions Installation Instructions Double Serial Interface it (for EasyCoder PF2i, PF4i, PF4ci, PM4i, PX4i and PX6i) Intermec Technologies Corporation Corporate Headquarters 6001 36th ve. W. Everett, W 98203 U.S..

More information

54Mbps Pocket Wireless Access Point (WL-330g)

54Mbps Pocket Wireless Access Point (WL-330g) 54Mbps Pocket Wireless Access Point (WL-330g) Copyright 2004 ASUSTeK COMPUTER INC. All Rights Reserved. Contents Conventions... 2 Welcome!... 3 Package contents... 3 System requirements... 3 Device installation...

More information

VMware AirWatch Certificate Authentication for EAS with ADCS

VMware AirWatch Certificate Authentication for EAS with ADCS VMware AirWatch Certificate Authentication for EAS with ADCS For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Cisco 802.1x Wireless using PEAP Quick Reference Guide

Cisco 802.1x Wireless using PEAP Quick Reference Guide Cisco 802.1x Wireless using PEAP Quick Reference Guide Copyright Copyright 2006, CRYPTOCard Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in

More information

Authentication Services ActiveRoles Integration Pack 2.1.x. Administration Guide

Authentication Services ActiveRoles Integration Pack 2.1.x. Administration Guide Authentication Services ActiveRoles Integration Pack 2.1.x Administration Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

PF8d PF8t Desktop Printer

PF8d PF8t Desktop Printer PF8d PF8t Desktop Printer User s Guide Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is provided solely

More information

A Division of Cisco Systems, Inc. Dual-Band. Wireless A/G g a. User Guide. Game Adapter WIRELESS WGA54AG (EU/LA/UK) Model No.

A Division of Cisco Systems, Inc. Dual-Band. Wireless A/G g a. User Guide. Game Adapter WIRELESS WGA54AG (EU/LA/UK) Model No. A Division of Cisco Systems, Inc. Dual-Band 5GHz 2, 4GHz 802.11a 802.11g WIRELESS Wireless A/G Game Adapter User Guide Model No. WGA54AG (EU/LA/UK) Copyright and Trademarks Specifications are subject to

More information

WL 5011s g Wireless Network Adapter Client Utility User Guide

WL 5011s g Wireless Network Adapter Client Utility User Guide WL 5011s 802.11g Wireless Network Adapter Client Utility User Guide 10/2005 1 1. Introduction WL5011s client utility is a clean, straightforward GUI (Graphic User Interface) tool, which is designed for

More information

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server Document ID: 112175 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Windows

More information

Contents Contents CK3 Mobile Computer User s Manual

Contents Contents CK3 Mobile Computer User s Manual Contents Contents CK3 Mobile Computer User s Manual v Contents Scanning Bar Codes.............................................................. 17 Scanning With the Linear Imager..........................................

More information

PMS 138 C Moto Black spine width spine width 100% 100%

PMS 138 C Moto Black spine width spine width 100% 100% Series MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. 2009 Motorola, Inc. Table of

More information

Configuring Funk RADIUS to Authenticate Cisco Wireless Clients With LEAP

Configuring Funk RADIUS to Authenticate Cisco Wireless Clients With LEAP Configuring Funk RADIUS to Authenticate Cisco Wireless Clients With LEAP Document ID: 44900 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration Configuring the Access

More information

Improving Security in Wireless Networks

Improving Security in Wireless Networks Improving Security in Wireless Networks Introduction Wireless networking provides many advantages over conventional wired networks. For instance the ability to connect to your network resources without

More information

VMware AirWatch Integration with RSA PKI Guide

VMware AirWatch Integration with RSA PKI Guide VMware AirWatch Integration with RSA PKI Guide For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

Configuring EAP for Wireless Network Connectivity By Victor Zapata

Configuring EAP for Wireless Network Connectivity By Victor Zapata Configuring EAP for Wireless Network Connectivity By Victor Zapata Requirements: 1. Windows 2000 Domain Controller Service Pack 2 with hotfixes Q306260 and Q304347 OR Service Pack 3 2. Enterprise Certificate

More information

Content and Purpose of This Guide... 1 User Management... 2

Content and Purpose of This Guide... 1 User Management... 2 Contents Introduction--1 Content and Purpose of This Guide........................... 1 User Management........................................ 2 Security--3 Security Features.........................................

More information

Table of Contents. Why doesn t the phone pass 802.1X authentication?... 16

Table of Contents. Why doesn t the phone pass 802.1X authentication?... 16 Table of Contents ABOUT 802.1X... 3 YEALINK PHONES COMPATIBLE WITH 802.1X... 3 CONFIGURING 802.1X SETTINGS... 4 Configuring 802.1X using Configuration Files... 4 Configuring 802.1X via Web User Interface...

More information

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810 Workspace ONE UEM Integration with RSA PKI VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Release Notes for the Nortel Networks Wireless LAN Mobile Adapter 2201 Release

Release Notes for the Nortel Networks Wireless LAN Mobile Adapter 2201 Release Part No. 216582-A April 2004 4655 Great America Parkway Santa Clara, CA 95054 Release Notes for the Nortel Networks Wireless LAN Mobile Adapter 2201 Release 1.1.0.0 *216582-A* 2 Copyright 2004 Nortel Networks

More information

AmbiCom WL11-SD Wireless LAN SD Card. User Manual

AmbiCom WL11-SD Wireless LAN SD Card. User Manual AmbiCom WL11-SD Wireless LAN SD Card User Manual Version 3.0 October 15, 2004 Table of Contents 1 WL11-SD features...3 2 Package Contents & System Requirements...3 2.1 Package Contents... 3 2.2 System

More information

Skynax. Mobility Management System. Installation Guide

Skynax. Mobility Management System. Installation Guide Skynax Mobility Management System Installation Guide Disclaimer Honeywell International Inc. ( HII ) reserves the right to make changes in specifications and other information contained in this document

More information

How to configure SecureW2

How to configure SecureW2 How to configure SecureW2 Disclaimer The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Copyright Notice

More information

Installing the Client Adapter

Installing the Client Adapter CHAPTER 3 This chapter provides instructions for installing the client adapter driver and client utilities. The following topics are covered in this chapter: Finding the Windows CE Version, page 3-2 Installing

More information

A Division of Cisco Systems, Inc. GHz g. Wireless-G. User Guide. Access Point WIRELESS. WAP54G v2. Model No.

A Division of Cisco Systems, Inc. GHz g. Wireless-G. User Guide. Access Point WIRELESS. WAP54G v2. Model No. A Division of Cisco Systems, Inc. GHz 2.4 802.11g WIRELESS Wireless-G Access Point User Guide Model No. WAP54G v2 Copyright and Trademarks Specifications are subject to change without notice. Linksys is

More information

PB50. Mobile Label and Receipt Printer. User s Guide

PB50. Mobile Label and Receipt Printer. User s Guide PB50 Mobile Label and Receipt Printer User s Guide Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is

More information

Wireless-N Business Notebook Adapter

Wireless-N Business Notebook Adapter Wireless-N Business Notebook Adapter USER GUIDE BUSINESS SERIES Model No. WPC4400N Model Model No. No. Copyright and Trademarks Specifications are subject to change without notice. Linksys is a registered

More information

PR2 PR3. Mobile Receipt Printer. User Manual

PR2 PR3. Mobile Receipt Printer. User Manual PR2 PR3 Mobile Receipt Printer User Manual Intermec Technologies Corporation Worldwide Headquarters 6001 36th Ave.W. Everett, WA 98203 U.S.A. www.intermec.com The information contained herein is provided

More information