Zebra Mobile Printer, Microsoft IAS, Cisco Controller TLS and WPA-TLS, Zebra Setup Utility This section of the document illustrates the Microsoft Internet Authentication Service and how TLS and WPA-TLS was configured on this server. This document is meant as an illustration only. Questions on the setup of IAS should be directed to Microsoft. It should be Microsoft that is used to determine if the illustration below is appropriate for your environment. It is important to note that the setup on the IAS server did not differ when using WPA-TLS or TLS. The first series of screenshots shows how a Radius client is added to IAS. In the screenshot below a Cisco controller with the IP address of 10.3.50.50 is added. The IAS server needs to have a client in the clients table to ensure that authentication requests are only being received from valid clients. A secret key is entered on the IAS server. This secret key needs to match the secret key on the radius client ( in this example the Cisco controller).
A Remote access policy is included in the IAS server. The following screenshots illustrate how a remote policy is added.
In the next few screenshots I have illustrated how a policy can be added.
The example that is provided illustrates TLS and WPA-TLS
The next series of screenshots shows how one is able to add a user in the active directory. The username and password that is added in the active directory is the same username and password that is added on the printer.
The following screenshot shows how the properties of the user is modified to grant dial-in permission.
The event log on the IAS server can be used for troubleshooting purposes.
There are three certificates needed for TLS authentication. These certificates are obtained from the IAS server and will be placed onto the printer. In this illustration, I am using a web browser on the IAS server to obtain these certificates. Below is how I obtained the root certificate.
This is how I obtained the client(user certificate and corresponding private key.
In my example I am not using a private key password
You should now have three certificate files. The root certificate, the client or user certificate and the private key for the client. Example below. The printer requires certificates to be in the PEM format. The certificates shown above need to be converted into the PEM format. This is an example of PEM format -----BEGIN CERTIFICATE----- MIIEdDCCA1ygAwIBAgIQXkycNtooCY9Dan4qroszcDANBgkqhkiG9w0BAQUFADAw
MSAwHgYKCZImiZPyLGQBGRYQMjAwM1NlcnZlckRvbWFpbjEMMAoGA1UEAxMDSUFT MB4XDTA5MDkwMjIwMjUwMloXDTE0MDkwMjIwMjUwMlowMDEgMB4GCgmSJomT8ixk ARkWEDIwMDNTZXJ2ZXJEb21haW4xDDAKBgNVBAMTA0lBUzCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAI87TCa3RHsp/yeJfOp8hrYDnj3EOcdyz58CfSbL qdepyqu1xrrbdjfckb+5frjvjeudi0/e3r2/ymnfv7sjt5ly6bhvjgfdluumm2ir CJ+YIWX0CiPe1YQbp4mrnmHX6cr+RwEOU25tB+X4VyRnCRkAAsbszvHw7S7BDL2P 9ILtYPBt5f2slXWqbJwlUnpDmkm4JFHkex4x4ekWdaQBr+VwhZi8Hi2TouBtJVfj jmur0j8ngzdu0fngqh/jc+aiy8moisjawohwhfjpmrjpi//t+x3my4cpuhgscnpo knudv+h2aqesep+xlxeibewofkwrtsgdklifgjzpoxs7usmcaweaaaocaygwggge MAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSV3+v3e3V2 bwcqr2kdj/nqfrtu8jccaqoga1udhwscaqewgf4wgfuggfiggfwggbvszgfwoi8v L0NOPUlBUyg0KSxDTj1MYWIyMDAzU2VydmVyLENOPUNEUCxDTj1QdWJsaWMlMjBL ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPTIw MDNTZXJ2ZXJEb21haW4/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29i amvjdensyxnzpwnsterpc3ryawj1dglvblbvaw50hjtodhrwoi8vbgfimjawm3nl cnzlci4ymdazc2vydmvyzg9tywlul0nlcnrfbnjvbgwvsuftkdqplmnybdasbgkr BgEEAYI3FQEEBQIDBAAEMCMGCSsGAQQBgjcVAgQWBBQ+SW/Qioe4qllHBvPIxmKu cpybljanbgkqhkig9w0baqufaaocaqeazffdsgopmajsdcgujcaqaruxi3homb4a W8yZgSAq1ecYuN4wSy1daOSkoI6GJJYhZENqmdklAPlzzBZ2ezbKHfR1NJvXKCOu Byi4jZZlpWwduWhIQf9P+9bahKSQg0RHPyNu3se8zxTdWfTv738cKBnuFOJaz6Z8 Gr3qtDzfmWnywAG3rp2/LNEdq0nTgiI76ugG148DjtAukjsruVQf7/QBCUwJuJEU mlgsjvhnypbdmj8ojm2/6nln3bij2ohhqxjfyrxf8jiz4tyi+bb26/usethjea+d f8vnk5ll27watr3ftcz3kupehagdfute3y/bh/eenkkquixoju1aqq== -----END CERTIFICATE----- This is an example of the private key in PEM format. -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQDDu0oOlA3LtI26ubm9dc0OYLJ+bs+rzfvYI4r5iE2nbdy/Q4ZJ PQMHuiuhv91Dl8KM6D24HLOltxnIMbPGLI6AQgAAGne9GJlwjZ4xvpk3whJYVrWw kegflsxt79vx74cyumsk2yn0ksgdyb4rimlxxyk6xxbr0/nsqpk0yz7irwidaqab AoGBAKjU2nJsvuGhYkdYgKCuBiyKuCxaxQM68CtlrTDEo8bx+uF4C1MNL5nwukYR S3hMZWJJyUMQbt1YbQLD7H/aWydAmt+oMbAMRpzyVvjhf+vN36s2XsjfD/Hx02MP X+xSuoKuVWv2x5AbQO/xGrmPyp+Pbgv2rUrRa0IB+V5ZmZnBAkEA4F+ui2pkNWsn ntibgur9ji5abbcb1phz9g98xu8ijae/k9efwmw0qgpgsnbs2jqdgg6tg+twfgda TzWRNOKHlwJBAN9SFPPhENaLCJPYoQSvqJQUbKt3y4bYVgnZHcG3eEsz0zO/mFWc XtRIGdfvwQaelOtnUjzX6a9hVYB9vyIJUNECQQCehvvrxN/IXk1ACWB+f7G2I0oA 9hTFRDNLhuXCKGEBjvejIlXeI72Ya2pGx4FxRCJrwMcXzeECiXEGhfJySxtBAkAe par78cv9qlxi8zykjnvy29qnlekgnc4ws7npemlm7pvr5d3igtibrmldxef+iiqo SH7gGj/V8GTq3FX9NYoBAkEAmnH326NyghQVwg1JFUHN6U2a49UM94k7HS689xM+ emetcg2r85lyjg/meiehgpmjjvw35p9dz0ocf7wl/muxgg== -----END RSA PRIVATE KEY----- The tools that I will illustrate the conversion are openssl.exe ( http://www.openssl.org ) and pvk.exe (http://www.drh-consultancy.demon.co.uk/pvk.html)
CA (root certificate example below) C:\openssl_pvkfiles\openssl.exe x509 -inform der -in C:\Zebra_TLS_certs\certnew.cer -out C:\Zebra_TLS_certs\ROOTCERT.pem Client (user certificate below). C:\openssl_pvkfiles\openssl.exe x509 -inform der -in C:\Zebra_TLS_certs\ZEBRA_TLS_CLIENT.cer -out C:\Zebra_TLS_certs\CLIENTCERT.pem
Below is an example of how I converted the private key.
The three files ending in.pem extension here need to be placed onto the printer. (Later in this illustration)
The Event Viewer on the IAS server can be used for troubleshooting purposes. In the screenshots below the event viewer is showing a successful authentication. Additional screenshots from IAS server used in testing. Please consult with Microsoft to see if these settings would be appropriate for your environment. This section of the document illustrates a Cisco Wireless controller. This document is meant as an illustration only. Questions on the setup of your Cisco controller should be directed to Cisco. It should be Cisco that is used to determine if the illustration below is appropriate for your environment This illustration shows how the Cisco Controller was configured for TLS initially and then WPA-TLS. With TLS or WPA-TLS the authentication request is forwarded to a Radius server. The following screenshots illustrate how a radius server can be added.
The example below shows an entry of a radius server with an IP address of 10.3.50.38 and utilizing the port number of 1812. 1645 and 1812 are common port numbers used with the RADIUS protocol. A secret key is also entered. This secret key needs to match the secret key that is entered on the RADIUS server. The first step illustrated here is how an ESSID is created. In this example the ESSID is ZebraTLS1 Please note that ESSID s are case sensitive.
This screenshot shows how to configure 802.1x (TLS)
The next screen is showing where the controller is passing the authentication packets to.
The screenshots below show the advanced eap settings used in the illustration. Please consult with Cisco to determine the appropriate values for your environment.
The screenshots below show what a successful TLS connection appears on the controller.
The next screenshots show how the controller was set for WPA-TLS. In this example that I have enabled both wpa and wpa2 as shown below.
With WPA-TLS, the authentication is often done by an external radius server. In this example I have entered the ip address for the radius server as shown below. Below is an example of what the controller shows for a successful WPA-TLS authentication.
This section of the document illustrates how to configure the printer for TLS and will continue by illustrating how to configure the printer for WPA-TLS. The illustration will use the Zebra Setup Utility as the method for configuring the printer. Please ensure that you are using the most current version of the Zebra Setup Utility before continuing. The most current version of the Zebra Setup Utility can be downloaded at www.zebra.com.
There are three certificate files needed for TLS. These files need to be stored on the printer with specific names. CACERTSV.NRD for the CA root certificate CERTCLN.NRD for the user/client certificate PRIVKEY.NRD for the user/client private key certificate. In my illustration, I have created three files or certificates that are now in the PEM format. THESE ARE THE THREE CERTIFICATES THAT CAN BE STORED. ROOTCERTIFICATE.PEM = CACERTSV.NRD PRIVATEKEY.PEM = PRIVKEY.NRD CLIENTCERT.PEM = CERTCLN.NRD The files that were created earlier in this illustration were renamed CACERTSV.NRD (Rootcertificate.pem), PRIVKEY.NRD (PRIVATEKEY.PEM) and CERTCLN.NRD(CLIENTCERT.PEM) The screenshots below illustrate how the Zebra Setup Utility to configure the printer for both EAP-TLS and WPA-EAP-TLS
In this illustration I am configuring the printer for DHCP. In this example I have chosen the following radio information. Please note that this screen is only available on select printers. It may not be applicable for other printers.
One needs to set the printer to match the ESSID that was previously configured on the Cisco controller. (NPS_TLS) The screenshot below illustrates EAP-TLS The screenshot below illustrates WPA-EAP-TLS
Click Next